Support user namespaces in partition check (1.2.1) #444
Hi @markdumay and thanks for the PR. I like the solution but I don't think it will fix the problem, e.g if Example:
We would pass the test but flood the
hi @konstruktoid, thanks for your quick reply! You're right in pointing out For example, let's run
On my server, this returns:
My suggestion is to test for partitions rather than mount points. In below example, all files and folders belong to the partition The revised test function could look something like this:
Perhaps adding
I'm not sure I follow what you mean? If
This is correct, but I see you added
It’s a bit of a hypothetical situation, but in theory, you could have mounted the docker root directory to the boot partition. That’s not something you would normally do, but it’s definitely not a scenario you would like to flag as passed either.
However, it seems we’re not fully aligned on the suggested solution yet. Is there something that I’ve missed?
On 28 Sep 2020, at 15:02, Thomas Sjögren ***@***.***> wrote:
This is correct, but I see you added boot_partition and if [ "$boot_partition" != "$docker_partition" ] which isn't relevant to the issue.
The CIS test asks a quite simple question: Is the Docker data directory placed on a separate partition? I personally don't care which solution we use as long as it shows the correct result. After you opened this PR, and with the following discussion, I just thought we all might be over-complicating things.
It definitely makes sense to keep things simple! Stripping the namespace should work too. I have a slight preference to check for partitions instead of mount points to make it a bit more robust, but in the end, it’s up to you as repository owner. I’d be very happy to pass the test with support for user namespaces in any case. ;-)
On 28 Sep 2020, at 16:05, Thomas Sjögren ***@***.***> wrote:
The CIS test asks a quite simple question: Is the Docker data directory placed on a separate partition?
However, when using user namespaces things get a bit more complicated.
I personally don't care which solution we use as long as it shows the correct result.
After you opened this PR, and with the following discussion, I just thought we all might be over-complicating things.
Why not just remove the added user namespaces directory and just test the non-namespace directory?
What about the following code example?
Yeah, that looks good. Want to update your PR?
OK, the PR has been updated with the proposed code change.
Thanks @markdumay!
Great, thanks for your support!
On 29 Sep 2020, at 13:24, Thomas Sjögren ***@***.***> wrote:
Thanks @markdumay!
The current partition check (1.2.1) does not adequately support user namespaces (see e.g. #332). When user namespaces are enabled, Docker creates a subfolder in the Docker root directory (defaults to `/var/lib/docker`). This subfolder is based on the `user ID` and `group ID` of the user `dockermap`. The current check with `mountpoint -- "$(docker info -f '{{ .DockerRootDir }}')"` fails in this case, as the Docker Root Dir returns both the root directory and the subfolder, e.g. `/var/lib/docker/165536.165536/` instead of `/var/lib/docker/`. The suggested code change identifies the partition the Docker Root Dir belongs to, using `df` instead of `mountpoint`. If this partition differs from the system's partition (identified by `/`), the test passes.
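One way to implement the check the description outlines, as an added example that is not the PR's own code (the page does not reproduce the merged change): POSIX `df -P` reports the filesystem backing any directory, including a user-namespace subfolder such as `/var/lib/docker/165536.165536`, so comparing that against the filesystem backing `/` answers the CIS question without caring whether the path is itself a mount point. The function names `partition_of`, `separate_from_root` and `check_1_2_1` are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the PR's code): decide whether the Docker root
# directory lives on a partition other than the one backing /.

# Print the filesystem source (device) that backs a directory.
# `df -P` prints a POSIX-format table; line 2, column 1 is the source.
# Returns 2 when the directory does not exist.
partition_of() {
    dir="$1"
    [ -d "$dir" ] || return 2
    df -P "$dir" | awk 'NR == 2 { print $1 }'
}

# Exit 0 when the directory is backed by a different filesystem than /,
# 1 when it shares the root filesystem, 2 when it does not exist.
# A subfolder (e.g. the 165536.165536 userns directory) resolves to the
# filesystem of its parent, which is exactly what the check needs.
separate_from_root() {
    dir_partition=$(partition_of "$1") || return 2
    root_partition=$(partition_of /)
    [ "$dir_partition" != "$root_partition" ]
}

# Hypothetical wrapper in the spirit of check 1.2.1: takes the Docker root
# dir as an argument, or asks the daemon for it when none is given.
check_1_2_1() {
    docker_root_dir="${1:-$(docker info -f '{{ .DockerRootDir }}' 2>/dev/null)}"
    if separate_from_root "$docker_root_dir"; then
        echo "PASS: $docker_root_dir is on a separate partition"
        return 0
    fi
    echo "WARN: $docker_root_dir is not on a separate partition"
    return 1
}

# Usage: sh check.sh "$(docker info -f '{{ .DockerRootDir }}')"
if [ "$#" -gt 0 ]; then
    check_1_2_1 "$1"
fi
```

Run it on a Docker host with the root dir as the single argument; with user namespaces active the argument will be the per-namespace subfolder, and the check still reports the partition of the enclosing Docker root directory.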