kvm: Add support for capabilities limitation #2222
Conversation
Cherry pick for tests purposses. It should be merged in pull request rkt#2222 By default kvm flavor has got enabled every capability inside pod. This is normal systemd behavior, when its running as a init process inside VM. Coreos pod is started by systemd-nspawn, which apply some initial capabilities by default. This patch add support for restricted set of capabilities inside rkt-kvm pod
Cherry pick for tests purposses. It should be merged in pull request rkt#2222 By default kvm flavor has got enabled every capability inside pod. This is normal systemd behavior, when its running as a init process inside VM. Coreos pod is started by systemd-nspawn, which apply some initial capabilities by default. This patch add support for restricted set of capabilities inside rkt-kvm pod
Cherry pick for tests purposses. It should be merged in pull request rkt#2222 By default kvm flavor has got enabled every capability inside pod. This is normal systemd behavior, when its running as a init process inside VM. Coreos pod is started by systemd-nspawn, which apply some initial capabilities by default. This patch add support for restricted set of capabilities inside rkt-kvm pod
|
is this ready for rereview? |
|
I haven't replied on @woodbor review yet. It's on my roadmap in next 6 work days, so I will refactor this code tomorrow |
Cherry pick for tests purposses. It should be merged in pull request rkt#2222 By default kvm flavor has got enabled every capability inside pod. This is normal systemd behavior, when its running as a init process inside VM. Coreos pod is started by systemd-nspawn, which apply some initial capabilities by default. This patch add support for restricted set of capabilities inside rkt-kvm pod
Cherry pick for tests purposses. It should be merged in pull request rkt#2222 By default kvm flavor has got enabled every capability inside pod. This is normal systemd behavior, when its running as a init process inside VM. Coreos pod is started by systemd-nspawn, which apply some initial capabilities by default. This patch add support for restricted set of capabilities inside rkt-kvm pod
Cherry pick for tests purposses. It should be merged in pull request rkt#2222 By default kvm flavor has got enabled every capability inside pod. This is normal systemd behavior, when its running as a init process inside VM. Coreos pod is started by systemd-nspawn, which apply some initial capabilities by default. This patch add support for restricted set of capabilities inside rkt-kvm pod
Cherry pick for tests purposses. It should be merged in pull request rkt#2222 By default kvm flavor has got enabled every capability inside pod. This is normal systemd behavior, when its running as a init process inside VM. Coreos pod is started by systemd-nspawn, which apply some initial capabilities by default. This patch add support for restricted set of capabilities inside rkt-kvm pod
Cherry pick for tests purposses. It should be merged in pull request rkt#2222 By default kvm flavor has got enabled every capability inside pod. This is normal systemd behavior, when its running as a init process inside VM. Coreos pod is started by systemd-nspawn, which apply some initial capabilities by default. This patch add support for restricted set of capabilities inside rkt-kvm pod
0a325f8 to
ac2102c
Compare
|
Review request |
stage1/init/kvm/resources.go
Outdated
| var caps []types.LinuxCapability | ||
|
|
||
| for _, isolator := range app.Isolators { | ||
| switch capSet := isolator.Value().(type) { |
There was a problem hiding this comment.
if there is only one case, if could be better solution than switch- a few lines less
There was a problem hiding this comment.
Go compiler requires switch:
build-rkt-1.0.0+git/gopath/src/github.com/coreos/rkt/stage1/init/kvm/resources.go:77: use of .(type) outside type switch
There was a problem hiding this comment.
Just one line less.
if capSet, ok := isolator.Value().(types.LinuxCapabilitiesSet); ok {
...
}|
LGTM |
ac2102c to
169f391
Compare
Cherry pick for tests purposses. It should be merged in pull request rkt#2222 By default kvm flavor has got enabled every capability inside pod. This is normal systemd behavior, when its running as a init process inside VM. Coreos pod is started by systemd-nspawn, which apply some initial capabilities by default. This patch add support for restricted set of capabilities inside rkt-kvm pod
|
Review request |
stage1/init/common/pod.go
Outdated
|
|
||
| if flavor == "kvm" { | ||
| capabilities := kvm.GetAppCapabilities(app) | ||
| capabilities = append(capabilities, stdCapabilities...) |
There was a problem hiding this comment.
I don't actually understand this. This is the list of capabilities that we're applying to a particular app within the pod right? Why would this be any different for the KVM case than for the non-KVM case? And where does nspawn come into it once we're inside the pod?
There was a problem hiding this comment.
nspawn is starting with pre-defined capabilities (as an isolation from host). Kvm is starting whole VM with full systemd (which has got every capability and You cannot(and really, You won't ;)) change them). This patch delivers standard capabilities for applications inside pod (so Your pod environment has got every single capability, but Your application don't).
There was a problem hiding this comment.
So are you just trying to preserve parity with the fact that a process launched by a systemd-launched-by-systemd-nspawn will have different default capabilities to one launched by systemd-launched-by-lkvm?
If so, wouldn't the better approach be to change the systemd config for the lkvm variant? e.g. https://www.freedesktop.org/software/systemd/man/systemd-system.conf.html#CapabilityBoundingSet=
There was a problem hiding this comment.
If we use the option systemd-system.conf#CapabilityBoundingSet=, it needs to contain the union of stdCapabilities with the union of caps of each app, because systemd-pid1 would only be able to give the caps from its CapabilityBoundingSet, not more.
rkt does that for systemd-nspawn: it adds --capbility= for each app, as it iterates over the apps and their caps:
https://github.com/coreos/rkt/blob/master/stage1/init/common/pod.go#L706
But I don't know if we need to keep parity between the nspawn and lkvm flavors?
There was a problem hiding this comment.
If we want to have the exact same behavior as the nspawn flavor, we should add these capabilities (standard plus the apps') to systemd-system.conf#CapabilityBoundingSet=
There was a problem hiding this comment.
Well this configuration file is great, but AFAIK each app inside pod could has got own capabilities configuration, so setting one common file for every app won't work.
There was a problem hiding this comment.
@mstachowski Right, but what we're talking about here is the outer bounding set of the pod environment. Then within that, we apply per-app capabilities to each app.
but... @iaguis @alban do we not actually do this part today?!?
There was a problem hiding this comment.
There's no "outer bounding set", if apps request capabilities we just give them to them.
There was a problem hiding this comment.
Per OOB it seems a bug that we don't set per-app ones - can someone chase that up?
Cherry pick for tests purposses. It should be merged in pull request rkt#2222 By default kvm flavor has got enabled every capability inside pod. This is normal systemd behavior, when its running as a init process inside VM. Coreos pod is started by systemd-nspawn, which apply some initial capabilities by default. This patch add support for restricted set of capabilities inside rkt-kvm pod
Cherry pick for tests purposses. It should be merged in pull request rkt#2222 By default kvm flavor has got enabled every capability inside pod. This is normal systemd behavior, when its running as a init process inside VM. Coreos pod is started by systemd-nspawn, which apply some initial capabilities by default. This patch add support for restricted set of capabilities inside rkt-kvm pod
|
Is this ready for review again? |
b181b88 to
3bc66c1
Compare
|
@jonboulle yes, it is |
stage1/init/common/pod.go
Outdated
| "HOME": "/root", | ||
| } | ||
|
|
||
| // List of default capabilities inside systemd-nspawn pod is available |
|
Some nits but after those LGTM |
3bc66c1 to
ee2ea7a
Compare
|
@iaguis done |
stage1/init/common/pod.go
Outdated
| // GetAppCapabilities is a filter which returns a string slice of valid Linux capabilities | ||
| // It requires list of available isolators | ||
| func GetAppCapabilities(isolators types.Isolators) []string { | ||
|
|
ee2ea7a to
d7e2254
Compare
stage1/init/common/pod.go
Outdated
| return caps | ||
| } | ||
|
|
||
| // parseLinuxCapabilitySetToString parses a LinuxCapabilitiesSet into string slice |
There was a problem hiding this comment.
Last thing, outdated docstring :D
There was a problem hiding this comment.
The test passed before updating the docstring so we can merge it right-away once it's updated.
|
LGTM |
d7e2254 to
d66fa61
Compare
By default kvm flavor has got enabled every capability inside pod. This is normal systemd behavior, when its running as a init process inside VM. Coreos pod is started by systemd-nspawn, which apply some initial capabilities by default. This patch add support for restricted set of capabilities inside rkt-kvm pod
By default kvm flavor has got enabled every capability inside pod.
This is normal systemd behavior, when its running as a init process
inside VM. Coreos pod is started by systemd-nspawn, which apply some
initial capabilities by default.
This patch add support for restricted set of capabilities inside rkt-kvm
pod