go.mod: experimental integration of gomodjail (library sandbox) #4012
Conversation
AkihiroSuda
force-pushed
the
gomodjail
branch
2 times, most recently
from
3ec186f to
295ee0f
Compare
AkihiroSuda
force-pushed
the
gomodjail
branch
11 times, most recently
from
98c3108 to
8587b52
Compare
| @@ -296,9 +313,10 @@ jobs: | |||
| fi | |||
| echo "WORKAROUND_ISSUE_622=${WORKAROUND_ISSUE_622}" >> "$GITHUB_ENV" | |||
| - name: "Test (network driver=slirp4netns, port driver=builtin)" | |||
| run: docker run -t --rm --privileged -e WORKAROUND_ISSUE_622=${WORKAROUND_ISSUE_622} ${TEST_TARGET} /test-integration-rootless.sh ./hack/test-integration.sh -test.only-flaky=false | |||
| run: docker run -t --rm --privileged -e WORKAROUND_ISSUE_622=${WORKAROUND_ISSUE_622} -e NERDCTL=${NERDCTL} ${TEST_TARGET} /test-integration-rootless.sh ./hack/test-integration.sh -test.only-flaky=false | |||
There was a problem hiding this comment.
(This is not working because test-integration-rootless.sh does not propagate the env var across the SSH session)
|
@AkihiroSuda in the |
Eventually we may have fine-grained policies, but practically just having "confined" and "unconfined" might be enough to avoid complicating it |
https://github.com/AkihiroSuda/gomodjail gomodjail imposes syscall restrictions on a specific set of Go modules (excepts ones that use unsafe pointers, reflections, etc.), so as to mitigate their potential vulnerabilities and supply chain attack vectors. Usage: ``` gomodjail run --go-mod=./go.mod -- nerdctl run hello-world ``` or ``` gomodjail pack --go-mod=./go.mod /usr/local/bin/nerdctl ./nerdctl.gomodjail run hello-world ``` Hint: use `git diff --word-diff` for reviewing the changes in this commit Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
| @@ -231,6 +236,24 @@ RUN ROOTLESSKIT_VERSION=${ROOTLESSKIT_VERSION/@BINARY}; \ | |||
| tar xzf "${fname}" -C /out/bin && \ | |||
| rm -f "${fname}" /out/bin/rootlesskit-docker-proxy && \ | |||
| echo "- RootlessKit: ${ROOTLESSKIT_VERSION}" >> /out/share/doc/nerdctl-full/README.md | |||
| # makeself is needed by `gomodjail pack`. | |||
| # TODO: remove dependency on makeself https://github.com/AkihiroSuda/gomodjail/issues/31 | |||
There was a problem hiding this comment.
Seems to be a blocker 😞
$ ./nerdctl.gomodjail --namespace=nerdctl-test info
Unrecognized flag : --namespace=nerdctl-test
There was a problem hiding this comment.
Is there a reason to keep Alpine? https://github.com/containerd/nerdctl/blob/main/Dockerfile#L120-L123
Why not just use the build-base-debian everywhere? https://github.com/containerd/nerdctl/blob/main/Dockerfile#L56
There was a problem hiding this comment.
IIRC static linking didn't work well with glibc, at least in the past.
Basically we should rather try to use Alpine (musl) for building the binaries
There was a problem hiding this comment.
We do not build with CGO at all on alpine, though - (and whatever needs CGO is built on Debian - containerd and the rest, because they do need glibc anyhow).
So, the choice of libc is not relevant to make binaries and should not impact static in any way?
(also, you can build against musl on debian as well).
Anyhow, different discussion (can happen in #4021).
Will look into gomodjail and see if I can help with getting rid of makeself.
There was a problem hiding this comment.
Thanks, left an idea in
(The blocker is about the arg parser of makeself, not about any Alpine stuff)
https://github.com/AkihiroSuda/gomodjail
gomodjail imposes syscall restrictions on a specific set of Go modules (excepts ones that use unsafe pointers, reflections, etc.), so as to mitigate their potential vulnerabilities and supply chain attack vectors.
Usage:
or
Hint: use
git diff --word-difffor reviewing the changes in this commit