Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

WIP: set "readonly_rootfs" and "privileged" in the right places in tests #2992

Closed
wants to merge 1 commit into from
Closed

WIP: set "readonly_rootfs" and "privileged" in the right places in tests #2992

wants to merge 1 commit into from

Conversation

nalind
Copy link
Collaborator

@nalind nalind commented Nov 25, 2019

The readonly_rootfs and privileged options are part of Linux-specific security context information (definition). Setting them anywhere else doesn't appear to have any effect.

@nalind
Set "readonly_rootfs" and "privileged" in the right places
cc483bd 
The "readonly_rootfs" and "privileged" options are part of
Linux-specific security context information.  Setting them anywhere else
doesn't have any effect.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
@openshift-ci-robot openshift-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. labels Nov 25, 2019
@openshift-ci-robot
Copy link

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: nalind
To complete the pull request process, please assign giuseppe
You can assign the PR to them by writing /assign @giuseppe in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot openshift-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Nov 25, 2019
@openshift-ci-robot
Copy link

Hi @nalind. Thanks for your PR.

I'm waiting for a cri-o member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

1 similar comment
@openshift-ci-robot
Copy link

Hi @nalind. Thanks for your PR.

I'm waiting for a cri-o member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@codecov
Copy link

codecov bot commented Nov 25, 2019

Codecov Report

Merging #2992 into master will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master    #2992   +/-   ##
=======================================
  Coverage   47.08%   47.08%           
=======================================
  Files          88       88           
  Lines        7155     7155           
=======================================
  Hits         3369     3369           
  Misses       3496     3496           
  Partials      290      290

@haircommander
Copy link
Member

/ok-to-test

@openshift-ci-robot openshift-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Nov 26, 2019
@haircommander
Copy link
Member

/retest

@openshift-ci-robot
Copy link

@nalind: The following tests failed, say /retest to rerun all failed tests:

Test name Commit Details Rerun command
ci/openshift-jenkins/integration_rhel cc483bd link /test integration_rhel
ci/openshift-jenkins/integration_fedora cc483bd link /test integration_fedora
ci/kata-jenkins cc483bd link /test kata-containers
ci/openshift-jenkins/integration_crun cc483bd link /test integration_crun

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@rhatdan
Copy link
Contributor

rhatdan commented Mar 7, 2020

@nalind @haircommander Is this still being worked on? Still something we want?

haircommander
haircommander reviewed Mar 9, 2020
View reviewed changes
test/testdata/container_config.json
@@ -58,6 +57,7 @@
"pid": 1
},
"readonly_rootfs": false,
"privileged": true,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should drop this one, and see which containers fail from not having priv

haircommander
haircommander reviewed Mar 9, 2020
View reviewed changes
test/testdata/container_config_logging.json
@@ -57,6 +55,8 @@
"namespace_options": {
"pid": 1
},
"readonly_rootfs": true,
"privileged": true,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same here, no priv needed methinks

@haircommander
Copy link
Member

I started a review, but thinking about it, each of these should have no privilege, with the exception of container_config_privileged.json. All the readonly_rootfs should be moved to make sure we're testing that as expected.

Thanks for the patch @nalind this is very much needed.

@haircommander
Copy link
Member

(btw, the ci errors are:
# time="2019-12-04T19:14:40Z" level=fatal msg="Creating container failed: rpc error: code = Unknown desc = no privileged container allowed in sandbox"
which is from the container asking for priv when the sandbox wasn't specified to have it

@haircommander haircommander mentioned this pull request Mar 9, 2020
Merged
@haircommander
Copy link
Member

I am taking this over here

@nalind nalind deleted the privileged-tests branch March 9, 2020 18:22
@rhatdan
Copy link
Contributor

rhatdan commented Mar 20, 2020

@haircommander You pointed at your self?

@haircommander
Copy link
Member

lol here **

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@haircommander haircommander haircommander left review comments

@mrunalp mrunalp Awaiting requested review from mrunalp

@runcom runcom Awaiting requested review from runcom

@sameo sameo Awaiting requested review from sameo

@saschagrunert saschagrunert Awaiting requested review from saschagrunert

Assignees
No one assigned
Labels
dco-signoff: yes Indicates the PR's author has DCO signed all their commits. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@nalind @openshift-ci-robot @haircommander @rhatdan