stage0: set journal permissions/ACLs to allow access to rkt group #1877

iaguis · 2015-12-15T16:14:58Z

Mimicking my host's /var/log/journal permissions, set pod's
/var/log/journal to:

    # file: journal
    # owner: root
    # group: root
    # flags: -s
    user::rwx
    group::r-x
    group:rkt:r-x
    mask::r-x
    other::r-x
    default:user::rwx
    default:group::r-x
    default:group:rkt:r-x
    default:mask::r-x
    default:other::r-x

Fixes #1755

krnowak · 2015-12-15T16:49:22Z

stage0/run.go

I have no clue about Posix ACL, but this line looks like you are duplicating the chmod call above.

Yeah, it seems "g:%d:r-x,m:r-x" is enough

krnowak · 2015-12-15T17:28:47Z

stage0/run.go

Should we care about /run/log/journal?

Don't think so, if systemd sees /var/log/journal it uses that.

jonboulle · 2015-12-16T14:39:40Z

stage0/run.go

Shouldn't we only try this if the previous one does not error?

iaguis · 2015-12-16T14:42:00Z

I'm trying https://github.com/joshlf/go-acl which looks a bit better and is statically linked by default.

jonboulle · 2015-12-16T14:44:39Z

Approach seems good to me!

iaguis · 2015-12-16T15:18:23Z

Variable expansion for cgo was not added until go 1.5, hence the build error.

jonboulle · 2015-12-16T16:36:50Z

Hmm it would be nice if we can get godep sorted and just drop 1.4 support
soon.

On Wed, Dec 16, 2015 at 4:18 PM, Iago López Galeiras <
[email protected]> wrote:

Variable expansion for cgo was not added until go 1.5
golang/go@1317581,
hence the build error.

—
Reply to this email directly or view it on GitHub
#1877 (comment).

iaguis · 2016-01-05T12:32:15Z

Ready for review.

krnowak · 2016-01-06T13:09:44Z

This requires updating the docs about new build dependency (development headers for libacl) and probably a configure check.

Also, how do I test it? What I did is:

in first tab
- sudo ./build-rkt-0.14.0+git/bin/rkt run coreos.com/etcd:v2.0.10
in second tab
- machinectl
  - got the rkt-c9129371-0c48-4f12-a67a-a0ac8e8f32cd id
- journalctl -M rkt-c9129371-0c48-4f12-a67a-a0ac8e8f32cd
  - No journal files were opened due to insufficient permissions.

iaguis · 2016-01-06T13:37:48Z

Are you in the rkt group?

On Wed, Jan 6, 2016, 14:09 Krzesimir Nowak [email protected] wrote:

This requires updating the docs about new build dependency (development
headers for libacl) and probably a configure check.

Also, how do I test it? What I did is:

in first tab

sudo ./build-rkt-0.14.0+git/bin/rkt run coreos.com/etcd:v2.0.10

in second tab

machinectl

got the rkt-c9129371-0c48-4f12-a67a-a0ac8e8f32cd id

journalctl -M rkt-c9129371-0c48-4f12-a67a-a0ac8e8f32cd

No journal files were opened due to insufficient permissions.

—
Reply to this email directly or view it on GitHub
#1877 (comment).

krnowak · 2016-01-07T09:00:48Z

It worked after adding myself to rkt group and running rkt install. Does it need some documentation update?

krnowak · 2016-01-07T09:01:47Z

~~Otherwise LFAD.~~ I take it back, docs update and configure check are still TODO>

iaguis · 2016-01-07T09:35:21Z

docs update and configure check are still TODO>

added those

iaguis · 2016-01-07T09:56:57Z

Travis fails on go1.4 because some go tools were migrated from golang.org/x/ to the standard package and golang.org/x/tools/cmd is not versioned:

https://groups.google.com/forum/#!topic/golang-nuts/nZLhcbaa3wQ
https://groups.google.com/forum/#!topic/golang-nuts/wpUlkRdyomo

krnowak · 2016-01-07T09:56:59Z

Ok, so go 1.4 is becoming problematic (or annoying) to support - https://groups.google.com/forum/#!topic/golang-nuts/wpUlkRdyomo

Otherwise LFAD.

iaguis · 2016-01-07T10:49:20Z

I'll rebase when #1941 gets merged.

Mimicking my host's `/var/log/journal` permissions, set pod's `/var/log/journal` to: ``` user::rwx group::r-x group:rkt:r-x mask::r-x other::r-x default:user::rwx default:group::r-x default:group:rkt:r-x default:mask::r-x default:other::r-x ```

iaguis · 2016-01-07T11:02:34Z

Updated.

stage0: set journal permissions/ACLs to allow access to rkt group

alban · 2016-01-07T12:21:53Z

Does it work fine with user namespaces?

iaguis · 2016-01-07T12:26:06Z

Yes.

On Thu, 7 Jan 2016 at 13:22 Alban Crequy [email protected] wrote:

Does it work fine with user namespaces?

—
Reply to this email directly or view it on GitHub
#1877 (comment).

jonboulle · 2016-01-07T13:06:15Z

👍

iaguis added component/stage0 priority/P1 technology/systemd area/security do not merge labels Dec 15, 2015

iaguis added this to the v0.14.0 milestone Dec 15, 2015

iaguis mentioned this pull request Dec 15, 2015

Get the logs of apps with non-root? #1755

Closed

iaguis force-pushed the iaguis/rkt-journal branch from 0360517 to 47f64e3 Compare December 15, 2015 16:34

krnowak reviewed Dec 15, 2015
View reviewed changes

iaguis force-pushed the iaguis/rkt-journal branch 2 times, most recently from 81bbacd to 2349d6a Compare December 15, 2015 16:57

krnowak reviewed Dec 15, 2015
View reviewed changes

iaguis force-pushed the iaguis/rkt-journal branch from 2349d6a to ac16b1e Compare December 16, 2015 09:49

jonboulle reviewed Dec 16, 2015
View reviewed changes

iaguis force-pushed the iaguis/rkt-journal branch from ac16b1e to d7ddae9 Compare December 16, 2015 14:55

iaguis force-pushed the iaguis/rkt-journal branch from d7ddae9 to cd771fc Compare December 16, 2015 15:37

iaguis force-pushed the iaguis/rkt-journal branch 3 times, most recently from 0d81b2e to b788a66 Compare December 17, 2015 12:48

alban modified the milestones: v0.15.0, v0.14.0 Dec 18, 2015

iaguis force-pushed the iaguis/rkt-journal branch from b788a66 to de0ef4c Compare January 5, 2016 12:08

iaguis added needs/review and removed do not merge labels Jan 5, 2016

iaguis changed the title ~~[WIP] stage0: set journal permissions/ACLs to allow access to rkt group~~ stage0: set journal permissions/ACLs to allow access to rkt group Jan 5, 2016

krnowak added needs/some-changes and removed needs/review labels Jan 7, 2016

iaguis added 5 commits January 7, 2016 12:02

tests: add libacl1-dev dep to Travis and Semaphore

c41bdbf

Godeps: add naegelejd/go-acl

e5a231b

Documentation: add libacl-dev dep and document non-root journalctl

c37dec8

build: require libacl-dev

807f614

iaguis force-pushed the iaguis/rkt-journal branch from db7d01f to 807f614 Compare January 7, 2016 11:02

iaguis added a commit that referenced this pull request Jan 7, 2016

Merge pull request #1877 from kinvolk/iaguis/rkt-journal

8dae5a0

stage0: set journal permissions/ACLs to allow access to rkt group

iaguis merged commit 8dae5a0 into rkt:master Jan 7, 2016

iaguis mentioned this pull request Jan 7, 2016

travis: Work around problems with go vet on go 1.4 #1941

Merged

alban mentioned this pull request Jan 12, 2016

rkt 0.15.0 fails on coreos 835.9.0 #1961

Closed

Uh oh!

stage0: set journal permissions/ACLs to allow access to rkt group #1877

stage0: set journal permissions/ACLs to allow access to rkt group #1877

Uh oh!

Conversation

iaguis commented Dec 15, 2015

Uh oh!

krnowak Dec 15, 2015

Choose a reason for hiding this comment

Uh oh!

iaguis Dec 15, 2015

Choose a reason for hiding this comment

Uh oh!

krnowak Dec 15, 2015

Choose a reason for hiding this comment

Uh oh!

iaguis Dec 15, 2015

Choose a reason for hiding this comment

Uh oh!

jonboulle Dec 16, 2015

Choose a reason for hiding this comment

Uh oh!

iaguis Dec 16, 2015

Choose a reason for hiding this comment

Uh oh!

iaguis commented Dec 16, 2015

Uh oh!

jonboulle commented Dec 16, 2015

Uh oh!

iaguis commented Dec 16, 2015

Uh oh!

jonboulle commented Dec 16, 2015

Uh oh!

iaguis commented Jan 5, 2016

Uh oh!

krnowak commented Jan 6, 2016

Uh oh!

iaguis commented Jan 6, 2016

Uh oh!

krnowak commented Jan 7, 2016

Uh oh!

krnowak commented Jan 7, 2016

Uh oh!

iaguis commented Jan 7, 2016

Uh oh!

iaguis commented Jan 7, 2016

Uh oh!

krnowak commented Jan 7, 2016

Uh oh!

iaguis commented Jan 7, 2016

Uh oh!

iaguis commented Jan 7, 2016

Uh oh!

alban commented Jan 7, 2016

Uh oh!

iaguis commented Jan 7, 2016

Uh oh!

jonboulle commented Jan 7, 2016

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants