New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for --pid=container:<id> #22481
Conversation
ab8b67f
to
a51da5f
Compare
For reference, it'll Closes: #10163 |
This is ready to test/review. |
Maintainers (from today's review session) agree with the design, so moving to code review. |
@tiborvass Thanks for the update! We need to get docker/engine-api#218 reviewed/merged as well. |
@mrunalp its merged 😄 👍 |
@thaJeztah yeah, now waiting for the vendor PR #22538 :) |
@mrunalp done as well \o/ |
@thaJeztah Thanks! I have rebased this PR to pick up the engine-api update. |
LGTM |
Ping @mlaventure! |
return nil, err | ||
} | ||
|
||
return label.DupSecOpt(c.ProcessLabel), nil |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we have both ipcMode.IsContainer()
and pidMode.IsContainer()
are true and they both point to different containers with different labels we will never apply the second container labels.
I'm no selinux expert, but shouldn't those be merged somehow?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We can't join two namespaces of two different containers unless transitively they have the same label.
Cc: @rhatdan
Sent from my iPhone
On May 11, 2016, at 8:32 PM, Kenfe-Mickaël Laventure notifications@github.com wrote:
In daemon/create.go:
@@ -150,6 +150,14 @@ func (daemon *Daemon) generateSecurityOpt(ipcMode containertypes.IpcMode, pidMod
return label.DupSecOpt(c.ProcessLabel), nil }
- if pidContainer := pidMode.Container(); pidContainer != "" {
c, err := daemon.GetContainer(pidContainer)
if err != nil {
return nil, err
}
If we have both ipcMode.IsContainer() and pidMode.IsContainer() are true and they both point to different containers with different labels we will never apply the second container labels.return label.DupSecOpt(c.ProcessLabel), nil
I'm no selinux expert, but shouldn't those be merged somehow?
—
You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In order for two containers to share the same PID or same IPC Namespace, they have to run with the same SELinux label. Otherwise SELinux will break when a process in container1 tries to look at the processes in container2, or a process in container 1 tries to use an IPC created in container2. This is why when the second container is created it switches to the first containers labels. By merging the containers namespaces, you are saying that they share the same security structure, from an SELinux point of view.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is ipc=<container-A>
, pid=<container-B>
a valid configuration, or should that produce an error?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's valid if they have the same selinux configuration it seems. Which
should check for this or prohibit it entirely to avoid runtime error later
on I'd say.
On Thu, May 12, 2016, 5:19 AM Sebastiaan van Stijn notifications@github.com
wrote:
In daemon/create.go
#22481 (comment):@@ -150,6 +150,14 @@ func (daemon *Daemon) generateSecurityOpt(ipcMode containertypes.IpcMode, pidMod
return label.DupSecOpt(c.ProcessLabel), nil }
- if pidContainer := pidMode.Container(); pidContainer != "" {
c, err := daemon.GetContainer(pidContainer)
if err != nil {
return nil, err
}
return label.DupSecOpt(c.ProcessLabel), nil
is ipc=, pid= a valid configuration, or should
that produce an error?—
You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub
https://github.com/docker/docker/pull/22481/files/0c5d257326331f2bcaf03a4b3147d3225acf09c7#r63009686
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would it be bad to keep it simple for now, and require them to be the same container? (as in "no is temporary, yes is forever")?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You could release note it. Not sure if their would be other problems. Combining containers together without combining their security attributes could lead to some weird errors. Right now we keep seccomp, apparmor and capabiltiies separate, but you could figure out ways where weird bugs or priv escalations can happen. Basically one process with limited privs in one container causing a process in a different container through IPC or shared pid to do something more privileged.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Prohibiting joining ipc and pid from 2 different containers works for me as long as it's well documented.
We can extend it later to allow this case if both containers are using the same selinux configuration.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have pushed an update that compares the pid and ipc labels for the use case and allows them only if they are same.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This also works for this example as the labels are the same transitively.
start container A
container B joins --ipc:container:A
container C joins --ipc:container:B --pid:container:A
2f3566c
to
4772a40
Compare
|
||
if pidLabel != nil && ipcLabel != nil { | ||
for i := 0; i < len(pidLabel); i++ { | ||
if pidLabel[i] != ipcLabel[i] { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What if the labels are identical but not in the same order?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you clarify your question? If the labels are the same, then all the strings in the label array will match up.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So we can't have a scenario where
ipcLabel[0] = "label1" ; ipcLabel[1] = "label2"
pidLabel[0] = "label2" ; pidLabel[1] = "label1"
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@mlaventure No, that can't happen.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok, LGTM then! (IANAM)
On Fri, May 13, 2016, 8:33 PM Mrunal Patel notifications@github.com wrote:
In daemon/create.go
#22481 (comment):
return label.DupSecOpt(c.ProcessLabel), nil
pidLabel = label.DupSecOpt(c.ProcessLabel)
if ipcContainer == "" {
return pidLabel, err
}
- }
- if pidLabel != nil && ipcLabel != nil {
for i := 0; i < len(pidLabel); i++ {
if pidLabel[i] != ipcLabel[i] {
@mlaventure https://github.com/mlaventure No, that can't happen.
—
You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub
https://github.com/docker/docker/pull/22481/files/4772a40138e8f88e77f04049c1c2dc4865508dc7#r63270556
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This works for me.
@thaJeztah ping. who else needs to review this? :) Also looks like janky failure is a test environment issue that should go away on restart. |
ping @LK4D4 @crosbymichael PTAL for the latest changes, let's get this merged 👍 |
actually; this needs changes to the documentation, so please move it to "docs review" if it LGTY @mrunalp The documentation needs to be updated to show this is now possible; preferably Man pages;
Also, the completion scripts need to be updated; let me know if you want to try |
/sub @Random-Liu |
LGTM |
moving to docs review with a LGTM from @mlaventure and @LK4D4 |
This is all green! |
LGTM 🐸 |
Docker added support for sharing PID namespaces with other containers since version 1.12 (see moby/moby#22481). Signed-off-by: Stepan Stipl <stepan@stipl.net>
Docker added support for sharing PID namespaces with other containers since version 1.12 (see moby/moby#22481). Signed-off-by: Stepan Stipl <stepan@stipl.net>
Docker added support for sharing PID namespaces with other containers since version 1.12 (see moby/moby#22481). Signed-off-by: Stepan Stipl <stepan@stipl.net>
Backported from: moby#22481 Signed-off-by: Mrunal Patel <mrunalp@gmail.com> Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
Add support for --pid=container:<id> Backported from: moby#22481 Signed-off-by: Mrunal Patel <mrunalp@gmail.com> Signed-off-by: Qiang Huang <h.huangqiang@huawei.com> See merge request docker/docker!147
Docker added support for sharing PID namespaces with other containers since version 1.12 (see moby/moby#22481). Signed-off-by: Stepan Stipl <stepan@stipl.net>
Docker added support for sharing PID namespaces with other containers since version 1.12 (see moby/moby#22481). Signed-off-by: Stepan Stipl <stepan@stipl.net>
Docker added support for sharing PID namespaces with other containers since version 1.12 (see moby/moby#22481). Signed-off-by: Stepan Stipl <stepan@stipl.net>
This is for #22479
I will take out the engine-api code once docker/engine-api#218 is merged.
Signed-off-by: Mrunal Patel mrunalp@gmail.com