[release-4.13] OCPBUGS-14850: Allow userfaultfd syscall to be used by unprivileged users #3743

openshift-cherrypick-robot

This is an automated cherry-pick of #3724

/assign sinnykumari

To implement post-copy migrations in OpenShift Virtualization
(CNV), QEMU uses the userfaultfd system call. Lately this syscall
was blocked by the kernel by default [1]. This effectively broke
post-copy migrations.

Instead, there are three ways to grant permission to use userfaultfd [1]:
* By allowing unprivileged users to use it explicitly via sysctl
* By granting `CAP_SYS_PTRACE` capability to a process / container
* By exposing the `/dev/userfaultfd` to a container

This basically leaves us with two options:
1. Expose `/dev/userfaultfd` by writing a Kubernetes device plugin.
This way every pod can ask for such device.
2. Allow the use of the syscall by toggling sysctl, and use seccomp
to allow only VM pods (a.k.a. virt-launcher pods) to use it.

After some discussions, we think that the second option is better in
terms of security. The main problem with a device plugin is that every
pod on the system can ask to use it and potentially compromise the
system. With the second option, only VM pods can use the syscall which
narrows down the attack surface. In addition, a device plugin is much
more visible to Kubernetes users than a seccomp profile, which is likely
to be hidden from most users.

Since the syscall was available to use by anyone in previous versions
(before the kernel blocked it), we feel that by allowing it we won't
make things worse than what we had in the past, but rather make things
more secure since we will now at least use seccomp profiles to deny it
from non-VM pods.

Seccomp profiles that disallow the usage of the `userfaultfd` syscall are already in place.

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2d5de004e009add27db76c5cdc9f1f7f7dc087e7

Signed-off-by: Itamar Holder <iholder@redhat.com>
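Added example, not code from this PR or from the machine-config-operator: a small C probe for the three access paths the description lists (the bare syscall, `CAP_SYS_PTRACE` in the effective capability set, and `/dev/userfaultfd`), followed by a classic-BPF seccomp filter that returns EPERM for `userfaultfd` so the "non-VM pod" side of the design can be reproduced in one process. It reads the `vm.unprivileged_userfaultfd` knob from `/proc/sys`, and it probes the syscall both with and without `UFFD_USER_MODE_ONLY` (a kernel-mode-fault handler is what `vm.unprivileged_userfaultfd=0` withholds from unprivileged callers). Assumed, not taken from the page: the header fallback constants, the `/dev/userfaultfd` path, and the constructed `/proc/<pid>/status` strings used to exercise the CapEff parser.

```c
/* Added example (not from the PR): probe userfaultfd access paths, then deny the syscall with seccomp. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/syscall.h>
#ifdef __linux__
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#endif

#ifndef UFFD_USER_MODE_ONLY
#define UFFD_USER_MODE_ONLY 1               /* value from linux/userfaultfd.h (assumed if header absent) */
#endif
#ifndef USERFAULTFD_IOC_NEW
#define USERFAULTFD_IOC_NEW _IO(0xAA, 0x00) /* USERFAULTFD_IOC is 0xAA (assumed if header absent) */
#endif
#define CAP_SYS_PTRACE_BIT 19               /* CAP_SYS_PTRACE in linux/capability.h */

/* Path 1: the bare syscall. Returns 0 on success, else -errno. */
int probe_syscall(int flags) {
#ifdef SYS_userfaultfd
    long fd = syscall(SYS_userfaultfd, flags);
    if (fd < 0) return -errno;
    close((int)fd);
    return 0;
#else
    (void)flags;
    return -ENOSYS;
#endif
}

/* Path 3: the device node. Open it and mint a userfaultfd via USERFAULTFD_IOC_NEW. */
int probe_device(const char *path, int flags) {
    int dev = open(path, O_RDWR | O_CLOEXEC);
    if (dev < 0) return -errno;
    int fd = ioctl(dev, USERFAULTFD_IOC_NEW, flags);
    int err = errno;
    close(dev);
    if (fd < 0) return -err;
    close(fd);
    return 0;
}

/* Path 2: does the CapEff line of a /proc/<pid>/status buffer carry CAP_SYS_PTRACE? */
int cap_eff_has_sys_ptrace(const char *status) {
    const char *p = strstr(status, "CapEff:");
    if (!p) return 0;
    uint64_t mask = strtoull(p + strlen("CapEff:"), NULL, 16);
    return (int)((mask >> CAP_SYS_PTRACE_BIT) & 1);
}

/* Human-readable reading of a probe result. */
const char *explain(int rc) {
    switch (rc) {
    case 0:       return "allowed";
    case -EPERM:  return "EPERM: vm.unprivileged_userfaultfd=0 without CAP_SYS_PTRACE, or a seccomp errno rule";
    case -ENOENT: return "ENOENT: device node not present";
    case -ENOSYS: return "ENOSYS: syscall unavailable (kernel config or seccomp)";
    default:      return "denied for another reason";
    }
}

/* Seccomp filter: kill on a foreign arch, EPERM for userfaultfd, allow everything else. */
int deny_userfaultfd_via_seccomp(void) {
#if defined(__linux__) && defined(SYS_userfaultfd) && (defined(__x86_64__) || defined(__aarch64__))
#ifdef __x86_64__
    const uint32_t arch = AUDIT_ARCH_X86_64;
#else
    const uint32_t arch = AUDIT_ARCH_AARCH64;
#endif
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, arch, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_userfaultfd, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = (unsigned short)(sizeof filter / sizeof filter[0]), .filter = filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) return -errno;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) < 0) return -errno;
    return 0;
#else
    return -ENOSYS;
#endif
}

int main(void) {
    char status[4096] = {0}, knob[8] = "?";
    int fd = open("/proc/self/status", O_RDONLY | O_CLOEXEC);
    if (fd >= 0) { if (read(fd, status, sizeof status - 1) < 0) status[0] = 0; close(fd); }
    fd = open("/proc/sys/vm/unprivileged_userfaultfd", O_RDONLY | O_CLOEXEC);
    if (fd >= 0) { ssize_t n = read(fd, knob, sizeof knob - 1); if (n > 0) knob[n] = 0; close(fd); }
    knob[strcspn(knob, "\n")] = 0;
    int base = O_CLOEXEC | O_NONBLOCK;
    printf("vm.unprivileged_userfaultfd:         %s\n", knob);
    printf("CAP_SYS_PTRACE in CapEff:            %s\n", cap_eff_has_sys_ptrace(status) ? "yes" : "no");
    printf("userfaultfd(2), kernel+user faults:  %s\n", explain(probe_syscall(base)));
    printf("userfaultfd(2), UFFD_USER_MODE_ONLY: %s\n", explain(probe_syscall(base | UFFD_USER_MODE_ONLY)));
    printf("/dev/userfaultfd + IOC_NEW:          %s\n", explain(probe_device("/dev/userfaultfd", base)));
    /* Now behave like a non-VM pod under the deny profile and probe the syscall again. */
    int rc = deny_userfaultfd_via_seccomp();
    printf("seccomp deny filter:                 %s\n", rc == 0 ? "installed" : strerror(-rc));
    printf("userfaultfd(2) after filter:         %s\n", explain(probe_syscall(base)));
    return 0;
}
```

Run it once as an ordinary user on a node with `vm.unprivileged_userfaultfd=0` and once with the knob set to 1 to see the first syscall line flip from EPERM to allowed; the last line stays EPERM either way, which is the property the seccomp profile is meant to give non-VM pods regardless of the sysctl.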
@openshift-ci-robot

@openshift-cherrypick-robot: Jira Issue OCPBUGS-14793 has been cloned as Jira Issue OCPBUGS-14850. Will retitle bug to link to clone.
/retitle [release-4.13] OCPBUGS-14850: Allow userfaultfd syscall to be used by unprivileged users

In response to this:

This is an automated cherry-pick of #3724

/assign sinnykumari

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci openshift-ci bot changed the title [release-4.13] OCPBUGS-14793: Allow userfaultfd syscall to be used by unprivileged users [release-4.13] OCPBUGS-14850: Allow userfaultfd syscall to be used by unprivileged users Jun 12, 2023
@openshift-ci-robot openshift-ci-robot added jira/severity-critical Referenced Jira bug's severity is critical for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Jun 12, 2023
@openshift-ci-robot

@openshift-cherrypick-robot: This pull request references Jira Issue OCPBUGS-14850, which is valid. The bug has been moved to the POST state.

6 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.13.z) matches configured target version for branch (4.13.z)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)
  • dependent bug Jira Issue OCPBUGS-14793 is in the state Verified, which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE))
  • dependent Jira Issue OCPBUGS-14793 targets the "4.14.0" version, which is one of the valid target versions: 4.14.0
  • bug has dependents

Requesting review from QA contact:
/cc @sergiordlr

The bug has been updated to refer to the pull request using the external bug tracker.


@sinnykumari

Clean backport
/approve
/lgtm
/label backport-risk-assessed
/cc @iholder101

@openshift-ci

openshift-ci bot commented Jun 12, 2023

@sinnykumari: GitHub didn't allow me to request PR reviews from the following users: iholder101.

Note that only openshift members and repo collaborators can review this PR, and authors cannot review their own PRs.


@openshift-ci openshift-ci bot added the backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. label Jun 12, 2023
@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jun 12, 2023
@openshift-ci

openshift-ci bot commented Jun 12, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: openshift-cherrypick-robot, sinnykumari

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 12, 2023
@openshift-ci

openshift-ci bot commented Jun 12, 2023

@openshift-cherrypick-robot: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name           Commit   Details  Required  Rerun command
ci/prow/e2e-gcp-rt  80eba2c  link     false     /test e2e-gcp-rt


@sergiordlr

/label cherry-pick-approved

@openshift-ci openshift-ci bot added the cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. label Jun 13, 2023
@openshift-merge-robot openshift-merge-robot merged commit ba507b3 into openshift:release-4.13 Jun 13, 2023
14 of 15 checks passed
@openshift-ci-robot

@openshift-cherrypick-robot: Jira Issue OCPBUGS-14850: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-14850 has been moved to the MODIFIED state.

