Add User Namespace support to libcontainer. #23
Conversation
|
I'm not the maintainer (IANTM), but this seems too docker-specific IMO. Isn't libcontainer supposed to just expose the primitives, essentially? |
|
@tianon Fair enough. I will make some changes to make it more generic. |
|
I think it's probably still worth waiting for a maintainer to confirm |
|
Would it be possible to include unit tests? I know libcontainer is light on unit tests, but... |
|
@vmarmol @crosbymichael review please :) I think I can take out docker specific terminology and use more generic terms. |
|
I think we should just expose this via generic uid and gid mappings don't you? |
|
@crosbymichael Agree on the general case.
|
|
@mrunalp why would the root -> "docker" root usecase be any different from the generic uid/gid mappings? Wouldn't it just be one entry for the mapping? |
|
@crosbymichael There is the mapping and then there is the user that you are going to run as and that's what the DockerRootUid DockerRootGid (which will be renamed) are for. Do we want to use those variables or should be use the User field? From your response, I take it that we want to make the user supply the mappings for this case as well and I think it makes sense. |
|
Well since libcontainer is the low level part we can have the user specify the exact mapping that they want. Docker can provide the root -> docker-root abstraction |
|
I agree with @crosbymichael and @tianon. We should really be exposing a mapping: |
|
Yup. Kernel represents it somewhat more concisely as a triplet (hostUid, containerUid, size): https://github.com/dotcloud/docker/pull/4572/files#diff-679e6137274897a7bfcc7688f0c6f089R361 Using same format saves a few lines of code here and there. |
|
@dineshs-altiscale lets go with that :) |
|
@dineshs-altiscale @vmarmol @crosbymichael Thanks for the feedback. I will incorporate the changes and update the PR. |
|
@crosbymichael @vmarmol I have updated the PR. |
|
Here is how this could be used from docker -- mrunalp/docker@6218272 |
| @@ -66,6 +66,18 @@ type Container struct { | |||
|
|
|||
| // The device nodes that should be automatically created within the container upon container start. Note, make sure that the node is marked as allowed in the cgroup as well! | |||
| DeviceNodes []*devices.Device `json:"device_nodes,omitempty"` | |||
|
|
|||
| // UserNsUid specifies the uid to run as when user namespace mappings are specified | |||
| UserNsUid int `json:"user_ns_uid,omitempty"` | |||
There was a problem hiding this comment.
I do want us to start making a distinction between runtime config and container config. Runtime config are the things that we can change if we were to run another process in the container. This is one example of that. I don't think it affects your PR, but it is something for @rjnagal, @crosbymichael, and me to think about :)
|
@crosbymichael @vmarmol You guys had a chance to review? |
| HostUid int `json:"host_uid,omitempty"` | ||
| ContainerUid int `json:"container_uid,omitempty"` | ||
| Size int `json:"size,omitempty"` | ||
| } |
There was a problem hiding this comment.
UIDs are 32 bit unsigned: https://github.com/dotcloud/docker/pull/6602/files#diff-2fb7c74bdba3137445a0c8ca02bba557R124
There was a problem hiding this comment.
Making that change.
|
This is missing key things like dropping capabilities and clearing KEEP_CAPS. |
|
@dineshs-altiscale Good point. What capabilities do we want to retain in the user namespace? We should be able to retain more than what we do in the non-user namespace case. |
|
@dineshs-altiscale capabilities could be dropped in the parent to match non-user namespace case, but I think it makes sense to allow full capabilities in the child which is the point of user ns anyway, right? Please let me know if that is a wrong assumption. From whatever I have read the capabilities are only appicable to the new child user ns. If there are any capabilities that could allow the child process to escalate onto host then we could drop those. |
|
We should begin with the same list used for non user namespace case as a conservative starting point and defer a closer audit of capabilities for a later PR. Also, it's good to keep the same model ( In general, reusing |
|
+1 to using the same caps for now |
| @@ -95,17 +102,155 @@ func Init(container *libcontainer.Container, uncleanRootfs, consolePath string, | |||
| return fmt.Errorf("get parent death signal %s", err) | |||
| } | |||
|
|
|||
| if err := FinalizeNamespace(container); err != nil { | |||
| return fmt.Errorf("finalize namespace %s", err) | |||
| userNsMode := len(container.UidMappings) > 0 || len(container.GidMappings) > 0 | |||
There was a problem hiding this comment.
More than this, we should check if a new NS_USER was specifed.
|
@dineshs-altiscale -u user refers to a user inside the container whereas the options added here are for the host uid/host gid. Also, we cannot really use FinalizeNamespace or any other golang function in the child after making a raw syscall to CLONE. There was a discussion around this on #docker-dev. |
|
@vmarmol @dineshs-altiscale @crosbymichael As far as capabilities in user ns go -- first paragraph here -- http://lwn.net/Articles/528117/ :) Of course, there are/will be vulnerabilities, but they will be fixed sooner the more people try out full caps in a container and report them. Also, this could be started off as an experimental feature in docker. |
| } | ||
| } | ||
|
|
||
| syscall.ForkLock.Lock() |
There was a problem hiding this comment.
Wondering whether we should do all this in C. We're gonna have to migrate it there anyways. WDYT?
There was a problem hiding this comment.
@vmarmol I agree that this is much easier to do in C as we are working around go here. Question is where are the bits so I can contribute :) and also when is it expected to be released?
There was a problem hiding this comment.
This is starting slowly. The first thing is to nail down the API and then start the merge. If we use cgo for now, it'll be a drop-in replacement when the time comes.
There was a problem hiding this comment.
Yeah if you're not too against it (and sorry for the extra work!) but can we write this in C? @crosbymichael let me know if you disagree :)
|
Pushed change to use uint32 for UIDs/GIDs and use NEWUSER as a flag in init.go |
|
Specifying container user is intuitive and aligns with non user namespace usage model. Implementation difficulty with raw syscalls cannot really be a reason for artificially adding new config to container.go and making the usage harder. +1 that these things are much easier to do in C when Go is not changing stack under you. But for now, since you know the mappings, you could convert |
| @@ -95,17 +102,155 @@ func Init(container *libcontainer.Container, uncleanRootfs, consolePath string, | |||
| return fmt.Errorf("get parent death signal %s", err) | |||
| } | |||
|
|
|||
| if err := FinalizeNamespace(container); err != nil { | |||
| return fmt.Errorf("finalize namespace %s", err) | |||
| userNsMode := container.Namespaces["NEWUSER"] | |||
|
Need to close FDs in the child as well -- there could be some FDs not marked close-on-exec that should not get through to the child. Forklock only takes care of the ones that are marked close-on-exec. With |
|
@dineshs-altiscale I would argue that using uid/gid is more apt in libcontainer since there need not even be a user created on the host to be able to use this feature :) (and that was the driving reason behind using that as I went back and forth on it). |
|
Not sure I follow that, but I don't think |
|
@vmarmol @crosbymichael Rebased the PR and made modifications to address feedback except the -u flag. I think overloading the meaning of -u to lookup users on host or within a container namespace depending on userns/non-userns case isn't a good idea. |
|
@mrunalp do you have a If not you can just copy the |
|
@crosbymichael I have been maintaining changes to docker to test this. Need to modify create.go and driver.go -- mrunalp/docker@37dcb1a Here is a sample container.json -- https://gist.github.com/mrunalp/833decb50fc9ae443106 |
| return fmt.Errorf("finalize namespace %s", err) | ||
| userNsEnabled := container.Namespaces["NEWUSER"] | ||
|
|
||
| if userNsEnabled { |
There was a problem hiding this comment.
Can you break this into two separate functions just for readability?
|
@crosbymichael Pushed changes to address all of your comments. |
Docker-DCO-1.1-Signed-off-by: Mrunal Patel <mrunalp@gmail.com> (github: mrunalp)
|
I think we can close this one because #53 looks much better and I don't want to split the conversation. |
I have split the libcontainer changes from this PR moby/moby#6111 into this PR.
This PR depends upon this change -- moby/moby#6417
I want to get feedback on the implementation and the UI. For using this see moby/moby#6111 changes to the docker side.
The changes allow one to specify UID/GID Mappings and also the user on host that will be mapped to root within the container. The UI can be tweaked on feedback.
Docker-DCO-1.1-Signed-off-by: Mrunal Patel mrunalp@gmail.com (github: mrunalp)