Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[23.0 backport] Do not drop effective&permitted set #46222

Merged
merged 5 commits into from
Aug 29, 2023
Merged

[23.0 backport] Do not drop effective&permitted set #46222

merged 5 commits into from
Aug 29, 2023

Commits on Aug 13, 2023

  1. daemon: modernize oci_linux_test.go 

    Switch to using t.TempDir() instead of rolling our own.

Clean up mounts leaked by the tests as otherwise the tests fail due to
the leaked mounts because unlike the old cleanup code, t.TempDir()
cleanup does not ignore errors from os.RemoveAll.

Signed-off-by: Cory Snider <csnider@mirantis.com>
(cherry picked from commit 9ff169c)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    @corhere @thaJeztah
    corhere authored and thaJeztah committed Aug 13, 2023
    Configuration menu
    Copy the full SHA
    f178c2a View commit details
    Browse the repository at this point in the history

  2. daemon: stop setting container resources to zero 

    Many of the fields in LinuxResources struct are pointers to scalars for
some reason, presumably to differentiate between set-to-zero and unset
when unmarshaling from JSON, despite zero being outside the acceptable
range for the corresponding kernel tunables. When creating the OCI spec
for a container, the daemon sets the container's OCI spec CPUShares and
BlkioWeight parameters to zero when the corresponding Docker container
configuration values are zero, signifying unset, despite the minimum
acceptable value for CPUShares being two, and BlkioWeight ten. This has
gone unnoticed as runC does not distingiush set-to-zero from unset as it
also uses zero internally to represent unset for those fields. However,
kata-containers v3.2.0-alpha.3 tries to apply the explicit-zero resource
parameters to the container, exactly as instructed, and fails loudly.
The OCI runtime-spec is silent on how the runtime should handle the case
when those parameters are explicitly set to out-of-range values and
kata's behaviour is not unreasonable, so the daemon must therefore be in
the wrong.

Translate unset values in the Docker container's resources HostConfig to
omit the corresponding fields in the container's OCI spec when starting
and updating a container in order to maximize compatibility with
runtimes.

Signed-off-by: Cory Snider <csnider@mirantis.com>
(cherry picked from commit dea870f)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    @corhere @thaJeztah
    corhere authored and thaJeztah committed Aug 13, 2023
    Configuration menu
    Copy the full SHA
    4949db7 View commit details
    Browse the repository at this point in the history

  3. daemon: ensure OCI options play nicely together 

    Audit the OCI spec options used for Linux containers to ensure they are
less order-dependent. Ensure they don't assume that any pointer fields
are non-nil and that they don't unintentionally clobber mutations to the
spec applied by other options.

Signed-off-by: Cory Snider <csnider@mirantis.com>
(cherry picked from commit 8a094fe)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    @corhere @thaJeztah
    corhere authored and thaJeztah committed Aug 13, 2023
    Configuration menu
    Copy the full SHA
    5cc1736 View commit details
    Browse the repository at this point in the history

  4. Do not drop effective&permitted set 

    Currently moby drops ep sets before the entrypoint is executed.
This does mean that with combination of no-new-privileges the
file capabilities stops working with non-root containers.
This is undesired as the usability of such containers is harmed
comparing to running root containers.

This commit therefore sets the effective/permitted set in order
to allow use of file capabilities or libcap(3)/prctl(2) respectively
with combination of no-new-privileges and without respectively.

For no-new-privileges the container will be able to obtain capabilities
that are requested.

Signed-off-by: Luboslav Pivarc <lpivarc@redhat.com>
Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
(cherry picked from commit 3aef732)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    @xpivarc @thaJeztah
    xpivarc authored and thaJeztah committed Aug 13, 2023
    Configuration menu
    Copy the full SHA
    09b65e0 View commit details
    Browse the repository at this point in the history

  5. Integration test for capabilities 

    Verify non-root containers are able to use file
capabilities.

Signed-off-by: Luboslav Pivarc <lpivarc@redhat.com>
Co-authored-by: Cory Snider <csnider@mirantis.com>
Signed-off-by: Cory Snider <csnider@mirantis.com>
(cherry picked from commit 42fa7a1)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    @xpivarc @corhere @thaJeztah
    2 people authored and thaJeztah committed Aug 13, 2023
    Configuration menu
    Copy the full SHA
    89a7310 View commit details
    Browse the repository at this point in the history