Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

api: add MaskedPaths and ReadonlyPaths options #36644

Merged
merged 1 commit into from Jun 7, 2018
Merged

Conversation

@jessfraz
Copy link
Contributor

@jessfraz jessfraz commented Mar 20, 2018

This adds a RawAccess option to HostConfig for containers so that a user
can pass in an array of paths to not be set as masked or readonly.

closes #36597

- What I did

Added new API options for Masked Paths and ReadonlyPaths to the container HostConfig

- How I did it

Added it to the API and oci package.

- How to verify it

I wrote a test.

- Description for the changelog
RawAccess allows a set of paths to be not set as masked or readonly

- A picture of a cute animal (not mandatory but encouraged)
blizzardslide2

@AkihiroSuda
Copy link
Member

@AkihiroSuda AkihiroSuda commented Mar 21, 2018

As discussed in opencontainers/runc#1658 (comment) ,
I think we (and runc/runtime-spec maintainers) should consider allowing mount /path even when /path/a is masked, as (IIUC) an alternative to this PR.

Loading

@jessfraz
Copy link
Contributor Author

@jessfraz jessfraz commented Mar 21, 2018

Still would have the problem with read-only though

Loading

for i, p := range s.Linux.MaskedPaths {
matched, err := filepath.Match(rawpath, p)
if err != nil {
return fmt.Errorf("masked paths: checking if %s matches %s failed: %v", rawpath, p, err)
Copy link
Member

@boaz0 boaz0 Mar 21, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Small nitpick/suggestion: maybe errors.Wrapf instead of fmt.Errorf?

Loading


// SetRawAccess removes the given raw access paths from the specs MaskedPaths and ReadonlyPaths.
func SetRawAccess(s *specs.Spec, rawaccess []string) error {
// Iterate over the rawaccess paths.
Copy link
Member

@boaz0 boaz0 Mar 21, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Small nitpick/suggestion: IMHO, this comment is a redundancy.

Loading

)

// SetRawAccess removes the given raw access paths from the specs MaskedPaths and ReadonlyPaths.
func SetRawAccess(s *specs.Spec, rawaccess []string) error {
Copy link
Member

@boaz0 boaz0 Mar 21, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Small nitpick/suggestion: can you change from rawaccess to rawAccessPaths?

Loading

@boaz0
Copy link
Member

@boaz0 boaz0 commented Mar 21, 2018

It looks like the CI failures aren't related to the change:

  • powerpc failed due to timeout
  • janky failed due to hack/generate-swagger-api.sh. Although, no changes to the API were made:
18:04:17 The result of hack/generate-swagger-api.sh differs
18:04:17 
18:04:17 diff --git a/api/types/container/container_wait.go b/api/types/container/container_wait.go
18:04:17 index 9e3910a6b..06b0f0207 100644
18:04:17 --- a/api/types/container/container_wait.go
18:04:17 +++ b/api/types/container/container_wait.go
18:04:17 @@ -7,14 +7,6 @@ package container
18:04:17  // See hack/generate-swagger-api.sh
18:04:17  // ----------------------------------------------------------------------------
18:04:17  
18:04:17 -// ContainerWaitOKBodyError container waiting error, if any
18:04:17 -// swagger:model ContainerWaitOKBodyError
18:04:17 -type ContainerWaitOKBodyError struct {
18:04:17 -
18:04:17 -	// Details of an error
18:04:17 -	Message string `json:"Message,omitempty"`
18:04:17 -}
18:04:17 -
18:04:17  // ContainerWaitOKBody OK response to ContainerWait operation
18:04:17  // swagger:model ContainerWaitOKBody
18:04:17  type ContainerWaitOKBody struct {
18:04:17 @@ -27,3 +19,11 @@ type ContainerWaitOKBody struct {
18:04:17  	// Required: true
18:04:17  	StatusCode int64 `json:"StatusCode"`
18:04:17  }
18:04:17 +
18:04:17 +// ContainerWaitOKBodyError container waiting error, if any
18:04:17 +// swagger:model ContainerWaitOKBodyError
18:04:17 +type ContainerWaitOKBodyError struct {
18:04:17 +
18:04:17 +	// Details of an error
18:04:17 +	Message string `json:"Message,omitempty"`
18:04:17 +}
18:04:17 
18:04:17 Please update api/swagger.yaml with any api changes, then 
18:04:17 run `hack/generate-swagger-api.sh`.
``

Loading

@AkihiroSuda
Copy link
Member

@AkihiroSuda AkihiroSuda commented Mar 21, 2018

ok, design SGTM

Loading

@thaJeztah thaJeztah added this to backlog in maintainers-session Mar 22, 2018
@thaJeztah
Copy link
Member

@thaJeztah thaJeztah commented Mar 22, 2018

Discussing in the maintainers meeting, and generally looks like we're okay with the functionality. There's still some discussion on design, and possible alternatives

Some concerns that were brought up:

  • If this will be exposed through the CLI, we need to look closely at the UX, as it may not be as clear as (say) --cap-add SYS_ADMIN that you're giving more privileged to the container, so we should print a warning there (assuming this is gonna be added to the CLI)
  • Another thing brought up is that we should error if someone tries to "unmask" a path that wasn't masked ?

Alternative approaches being discussed:

  • instead of providing what paths to exclude from the defaults, should we have an option to set which paths to mask (i.e., fully override the defaults)?
  • @AkihiroSuda's suggestion to use the mounts API was also discussed; wondering if this would work (inconclusive 😅)

Loading

@jessfraz
Copy link
Contributor Author

@jessfraz jessfraz commented Mar 22, 2018

agree with documenting it to make sure its clear.

I am okay with any design you all want so I'll update accordingly when it's decided :)

Loading

@thaJeztah
Copy link
Member

@thaJeztah thaJeztah commented Mar 22, 2018

Thanks! Yes, I'll pester some people to see if we can come to a decision asap 😂

Loading

@jessfraz
Copy link
Contributor Author

@jessfraz jessfraz commented Mar 22, 2018

Loading

@justincormack
Copy link
Contributor

@justincormack justincormack commented Mar 22, 2018

I dont think it makes sense to error if unmasking a path thats not masked, they vary by docker version quite a it so its better to be able to over specify.

Loading

@thaJeztah
Copy link
Member

@thaJeztah thaJeztah commented Apr 19, 2018

Brought this up in a maintainers meeting again to see if I could get things moving. Looks like generally people were in favor of;

Instead of providing what paths to exclude from the defaults, provide al list of paths to mask (i.e., fully override the defaults)

Also; for the time being; make this an API-only change (no option on the CLI yet to configure this)

@justincormack let me know if you agree with the above ^^

Loading

@jessfraz
Copy link
Contributor Author

@jessfraz jessfraz commented Apr 20, 2018

Also; for the time being; make this an API-only change (no option on the CLI yet to configure this)

oh cool, i will just wait on confirmation, thanks so much for moving this along :) you all are the dopest

Loading

@AkihiroSuda
Copy link
Member

@AkihiroSuda AkihiroSuda commented May 1, 2018

@justincormack SGTY? ^^

Loading

@justincormack
Copy link
Contributor

@justincormack justincormack commented May 1, 2018

Yes an override list (possibly empty) seems cleanest. That way you dont need to know which ones to remove. SGTM.

Loading

@jessfraz
Copy link
Contributor Author

@jessfraz jessfraz commented May 11, 2018

updated and added integration tests

Loading

@jessfraz
Copy link
Contributor Author

@jessfraz jessfraz commented May 12, 2018

janky is mad at me, its like he doesn't remember who his mom is

Loading

@cpuguy83
Copy link
Member

@cpuguy83 cpuguy83 commented May 12, 2018

Janky, that's your mommy! Be nice!

Loading

@@ -113,3 +115,134 @@ func (s *DockerSuite) TestAPICreateWithInvalidHealthcheckParams(c *check.C) {
expected = fmt.Sprintf("StartPeriod in Healthcheck cannot be less than %s", container.MinimumDuration)
c.Assert(getErrorMessage(c, buf), checker.Contains, expected)
}

func (s *DockerSuite) TestAPICreateWithCustomMaskedPaths(c *check.C) {
Copy link
Member

@cpuguy83 cpuguy83 May 12, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you move these to integration/container?

Loading

Copy link
Contributor Author

@jessfraz jessfraz May 24, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ah so I had them there and they weren't working but will try again

Loading

Copy link
Contributor Author

@jessfraz jessfraz May 31, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok updated!

Loading

@jessfraz
Copy link
Contributor Author

@jessfraz jessfraz commented Jun 6, 2018

ok should be good now :)

Loading

Copy link
Member

@vdemeester vdemeester left a comment

LGTM 🔥

Loading

@boaz0
Copy link
Member

@boaz0 boaz0 commented Jun 6, 2018

LGTM 💯

Loading

Copy link
Member

@thaJeztah thaJeztah left a comment

LGTM, thanks!

Loading

@thaJeztah thaJeztah dismissed cpuguy83’s stale review Jun 7, 2018

Tests were moved

@thaJeztah thaJeztah merged commit 1fe0e49 into moby:master Jun 7, 2018
7 of 8 checks passed
Loading
@jessfraz jessfraz deleted the rawaccess branch Jun 7, 2018
@AkihiroSuda
Copy link
Member

@AkihiroSuda AkihiroSuda commented Jul 20, 2018

Any update about docker cli? ^^

Loading

@jessfraz
Copy link
Contributor Author

@jessfraz jessfraz commented Jul 29, 2018

oh will do, sorry been busy with other work things, i promise it is on the list :) probably will open a proposal next week

Loading

jessfraz added a commit to jessfraz/kubernetes that referenced this issue Jul 29, 2018
This vendor change was purely for the changes in docker to allow for
setting the Masked and Read-only paths.

See: moby/moby#36644

But because of the docker dep update it also needed cadvisor to be
updated and winterm due to changes in pkg/tlsconfig in docker

See: google/cadvisor#1967

Signed-off-by: Jess Frazelle <acidburn@microsoft.com>
jessfraz added a commit to jessfraz/kubernetes that referenced this issue Aug 20, 2018
This vendor change was purely for the changes in docker to allow for
setting the Masked and Read-only paths.

See: moby/moby#36644

But because of the docker dep update it also needed cadvisor to be
updated and winterm due to changes in pkg/tlsconfig in docker

See: google/cadvisor#1967

Signed-off-by: Jess Frazelle <acidburn@microsoft.com>
jessfraz added a commit to jessfraz/kubernetes that referenced this issue Aug 22, 2018
This vendor change was purely for the changes in docker to allow for
setting the Masked and Read-only paths.

See: moby/moby#36644

But because of the docker dep update it also needed cadvisor to be
updated and winterm due to changes in pkg/tlsconfig in docker

See: google/cadvisor#1967

Signed-off-by: Jess Frazelle <acidburn@microsoft.com>
jessfraz added a commit to jessfraz/kubernetes that referenced this issue Aug 26, 2018
This vendor change was purely for the changes in docker to allow for
setting the Masked and Read-only paths.

See: moby/moby#36644

But because of the docker dep update it also needed cadvisor to be
updated and winterm due to changes in pkg/tlsconfig in docker

See: google/cadvisor#1967

Signed-off-by: Jess Frazelle <acidburn@microsoft.com>
jessfraz added a commit to jessfraz/kubernetes that referenced this issue Aug 27, 2018
This vendor change was purely for the changes in docker to allow for
setting the Masked and Read-only paths.

See: moby/moby#36644

But because of the docker dep update it also needed cadvisor to be
updated and winterm due to changes in pkg/tlsconfig in docker

See: google/cadvisor#1967

Signed-off-by: Jess Frazelle <acidburn@microsoft.com>
jessfraz added a commit to jessfraz/kubernetes that referenced this issue Aug 30, 2018
This vendor change was purely for the changes in docker to allow for
setting the Masked and Read-only paths.

See: moby/moby#36644

But because of the docker dep update it also needed cadvisor to be
updated and winterm due to changes in pkg/tlsconfig in docker

See: google/cadvisor#1967

Signed-off-by: Jess Frazelle <acidburn@microsoft.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment