Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support mlock and custom tmpdir for containerized plugins #23215

Merged
merged 5 commits into from
Sep 22, 2023
Merged

Support mlock and custom tmpdir for containerized plugins #23215

merged 5 commits into from
Sep 22, 2023

Conversation

tomhjp
Copy link
Contributor

@tomhjp tomhjp commented Sep 21, 2023
edited
Loading

When running containerised plugins within the context of our default systemd unit file (from the rpm repositories), I found a couple of issues I hadn't stumbled on previously:

  • Plugins need a capability to mlock if Vault is configured with mlock - previously they always inherited this from Vault as a sub-process, but now we need to explicitly set it for containers. It boils down to adding the IPC_LOCK capability to the container. Without it, we get an error on plugin startup because the mlock syscall fails. Library PR: plugincontainer: Support mlock go-secure-stdlib#94
  • If running with systemd's PrivateTmp setting, the container cannot see Vault's view of /tmp, so we need the ability to negotiate a separate directory that both sides can see. We could just use TMPDIR, but then that ruins the whole point of the setting. Instead, we introduce a new environment variable to use a different tmp dir in one very narrow use-case. Library PR: Add TempDir option to UnixSocketConfig go-plugin#282

@github-actions github-actions bot added the hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed label Sep 21, 2023
@tomhjp tomhjp added this to the 1.15.0 milestone Sep 21, 2023
@tomhjp tomhjp marked this pull request as ready for review September 21, 2023 15:46
@github-actions
Copy link

Build Results:
All builds succeeded! ✅

@github-actions
Copy link

CI Results:
All Go tests succeeded! ✅

@tomhjp tomhjp mentioned this pull request Sep 21, 2023
Merged
tomhjp
tomhjp commented Sep 21, 2023
View reviewed changes
sdk/helper/pluginutil/run_config.go
@@ -139,7 +143,8 @@ func (rc runConfig) makeConfig(ctx context.Context) (*plugin.ClientConfig, error
clientConfig.SkipHostEnv = true
clientConfig.RunnerFunc = containerCfg.NewContainerRunner
clientConfig.UnixSocketConfig = &plugin.UnixSocketConfig{
Group: strconv.Itoa(containerCfg.GroupAdd),
Group: strconv.Itoa(containerCfg.GroupAdd),
TempDir: os.Getenv("VAULT_PLUGIN_TMPDIR"),
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe this should be settable with both an env var and a config file option?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be nice, but not strictly necessary I think.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 I think I'll aim to add a config option for 1.15.1 given where we are in the release cycle.

@tomhjp
Copy link
Contributor Author

tomhjp commented Sep 21, 2023

Note: I'm planning to merge the library PRs and tag them once all 3 have been reviewed, so once this PR is stable there will be a couple of go.mod changes to use tagged versions of the deps.

swenson
swenson approved these changes Sep 21, 2023
View reviewed changes
Copy link
Contributor

@swenson swenson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

sdk/helper/pluginutil/run_config.go
@@ -139,7 +143,8 @@ func (rc runConfig) makeConfig(ctx context.Context) (*plugin.ClientConfig, error
clientConfig.SkipHostEnv = true
clientConfig.RunnerFunc = containerCfg.NewContainerRunner
clientConfig.UnixSocketConfig = &plugin.UnixSocketConfig{
Group: strconv.Itoa(containerCfg.GroupAdd),
Group: strconv.Itoa(containerCfg.GroupAdd),
TempDir: os.Getenv("VAULT_PLUGIN_TMPDIR"),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be nice, but not strictly necessary I think.

@tomhjp tomhjp added bug Used to indicate a potential bug core/plugin backport/1.15.x labels Sep 22, 2023
@tomhjp
Copy link
Contributor Author

tomhjp commented Sep 22, 2023

Thanks!

@tomhjp tomhjp merged commit a074bf9 into main Sep 22, 2023
106 checks passed
@tomhjp tomhjp deleted the vault-18185/containerized-plugins-support-mlock-and-custom-tmpdir branch September 22, 2023 11:14
Closed
tomhjp added a commit that referenced this pull request Sep 22, 2023
@tomhjp
Support mlock and custom tmpdir for containerized plugins (#23215)
8e61b00
@tomhjp tomhjp mentioned this pull request Sep 22, 2023
Merged
tomhjp added a commit that referenced this pull request Sep 22, 2023
@tomhjp
backport: Support mlock and custom tmpdir for containerized plugins (#…
6fafd52 
…23215) (#23242)
@tomhjp tomhjp mentioned this pull request Jan 22, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@swenson swenson swenson approved these changes

@jefferai jefferai Awaiting requested review from jefferai

@fairclothjm fairclothjm Awaiting requested review from fairclothjm

Assignees
No one assigned
Labels
bug Used to indicate a potential bug core/plugin hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed
Projects
None yet
Milestone
1.15.0
Development

Successfully merging this pull request may close these issues.
2 participants
@tomhjp @swenson