Make capabilities an option in crio.conf #1546
Conversation
Let us add an integration test that uses this configuration.
lib/config.go
| "NET_BIND_SERVICE", | ||
| "SYS_CHROOT", | ||
| "KILL", | ||
| "AUDIT_WRITE", |
I propose we remove AUDIT_WRITE from defaults.
/* Allow writing the audit log via unicast netlink socket */
This allows an application to send a message to the audit log system, I think this should be blocked by default.
lib/config.go
| "NET_RAW", | ||
| "SETGID", | ||
| "SETUID", | ||
| "SETFCAP", |
I propose we remove SETFCAP from defaults, this is only used for installation software, like rpm. The ability to create a setuid or file cap file should be blocked by default.
lib/config.go
| "DAC_OVERRIDE", | ||
| "FSETID", | ||
| "FOWNER", | ||
| "MKNOD", |
I propose we remove MKNOD from default. This will block the ability for apps to create device nodes. I don't believe that containers should have this by default. This is needed for installation not for running containers in production. The one potential problem with this would be applications creating something like a loopback device.
cmd/crio/config.go
| cgroup_manager = "{{ .CgroupManager }}" | ||
| # capabilities is the list of capabilities to add and can be modified here. | ||
| # If capabilities below is commented out, the default list of capabilites defined in the |
Spelling capabilites
I think there should be a --default-capabilities flag for CRI-O so distros can specify the list of capabilities to add by default.
0e7672d to 1d7dfd9
412c344 to 7f2e159
test/ctr.bats
| } | ||
|
|
||
| @test "ctr with list of capabilities given by user in crio.conf" { | ||
| start_crio "" "" "" "--default-capabilities CHOWN --default-capabilities KILL" "" |
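Review bot: the test name says the capability list is "given by user in crio.conf", but the hunk passes it as `--default-capabilities` arguments to start_crio, so the config-file path the name describes is not what the test exercises; either rename the test to say it covers the command-line flag, or write the list into the generated crio.conf and start CRI-O from that file. The three empty-string positional arguments (`"" "" ""`) also have to stay in exactly the right slots for the list to land in `$4`, which gets more fragile with every option start_crio grows.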
I think we should do --default-capabilities=CHOWN,KILL instead of one argument per capability.
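As an added example, not CRI-O's own code, tying together the two review threads above (dropping AUDIT_WRITE, SETFCAP and MKNOD from the default list, and passing the list as `--default-capabilities=CHOWN,KILL`): a small Go program that parses the comma-separated form, rejects unknown or empty names so a typo fails at startup instead of silently granting nothing, removes the three capabilities the review questions from a Docker-style default list, and expands the result into the four OCI capability sets a runtime reads. The default list used here is assumed (the hunks show only part of CRI-O's), and `ParseCapList`, `Without`, `ToOCI` and the `OCICaps` type are names chosen for this example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Linux capability names (CAP_ prefix stripped), CAP_CHOWN (0) through
// CAP_AUDIT_READ (37); used to reject typos before a container is created.
var knownCaps = map[string]struct{}{}

func init() {
	for _, c := range []string{
		"CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
		"SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
		"NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
		"SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
		"SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
		"SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
		"SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
		"BLOCK_SUSPEND", "AUDIT_READ",
	} {
		knownCaps[c] = struct{}{}
	}
}

// DockerDefault is the Docker/runc default capability list. It is assumed
// here for illustration; the review hunks show only part of CRI-O's list.
var DockerDefault = []string{
	"CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "MKNOD", "NET_RAW", "SETGID",
	"SETUID", "SETFCAP", "SETPCAP", "NET_BIND_SERVICE", "SYS_CHROOT", "KILL",
	"AUDIT_WRITE",
}

// ReviewDrops are the capabilities the review proposes removing from the defaults.
var ReviewDrops = []string{"AUDIT_WRITE", "SETFCAP", "MKNOD"}

// ParseCapList parses the comma-separated form proposed in review
// (--default-capabilities=CHOWN,KILL). Names are case-insensitive, an
// optional CAP_ prefix is accepted, duplicates are dropped, and empty or
// unknown entries are rejected rather than ignored.
func ParseCapList(s string) ([]string, error) {
	var out []string
	seen := map[string]bool{}
	for _, raw := range strings.Split(s, ",") {
		name := strings.ToUpper(strings.TrimSpace(raw))
		name = strings.TrimPrefix(name, "CAP_")
		if name == "" {
			return nil, fmt.Errorf("empty capability entry in %q", s)
		}
		if _, ok := knownCaps[name]; !ok {
			return nil, fmt.Errorf("unknown capability %q", name)
		}
		if !seen[name] {
			seen[name] = true
			out = append(out, name)
		}
	}
	return out, nil
}

// Without returns caps minus every name in drops, preserving order.
func Without(caps, drops []string) []string {
	drop := map[string]bool{}
	for _, d := range drops {
		drop[d] = true
	}
	var out []string
	for _, c := range caps {
		if !drop[c] {
			out = append(out, c)
		}
	}
	return out
}

// OCICaps mirrors the capability sets of an OCI runtime spec process.
type OCICaps struct {
	Bounding, Effective, Permitted, Inheritable []string
}

// ToOCI expands a name list into the four sets, with the CAP_ prefix and in
// sorted order so two generated configs can be diffed line by line.
func ToOCI(caps []string) OCICaps {
	full := make([]string, 0, len(caps))
	for _, c := range caps {
		full = append(full, "CAP_"+c)
	}
	sort.Strings(full)
	cp := func() []string { return append([]string(nil), full...) }
	return OCICaps{Bounding: cp(), Effective: cp(), Permitted: cp(), Inheritable: cp()}
}

func main() {
	user, err := ParseCapList("CHOWN,KILL")
	if err != nil {
		panic(err)
	}
	fmt.Println("user list:", user)
	hardened := Without(DockerDefault, ReviewDrops)
	fmt.Println("hardened defaults:", ToOCI(hardened).Bounding)
	if _, err := ParseCapList("CHWON"); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

Rejecting unknown names matters more than it looks: a capability list is an allow-list, and a misspelled entry that is silently dropped weakens nothing visible while an entry that is silently accepted as a string may never be applied by the runtime at all.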
| fi | ||
|
|
||
| if [[ -n "$4" ]]; then | ||
| capabilities="$4" |
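Review bot: `capabilities="$4"` only runs when `$4` is non-empty and the hunk assigns nothing otherwise, so on the default path `$capabilities` is either unset or whatever the shell inherited from the caller's environment; initialise it explicitly before the `if` (to the built-in default list, or to an empty string with `--default-capabilities` appended only when it is non-empty) so a stray `capabilities` variable in the environment cannot change what every test starts CRI-O with.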
I think this might just gobble the first in the list as is. Try with set -x.
02fd63c to 5b70294
We need to set the default capabilities for the sandbox infra container as well.
f696cd8 to 4441f22
/test all

@mrunalp Does this mean we need to update the AMI?

/test all

/test critest_fedora

/test integration_fedora

/test critest_rhel

/test integration_rhel

/test integration_fedora

/test integration_fedora

/test all

/test kata-containers

LGTM
test/helpers.bash
| "$COPYIMG_BINARY" --root "$TESTDIR/crio" $STORAGE_OPTIONS --runroot "$TESTDIR/crio-run" --image-name=quay.io/crio/busybox:latest --import-from=dir:"$ARTIFACTS_PATH"/busybox-image --signature-policy="$INTEGRATION_ROOT"/policy.json | ||
| "$COPYIMG_BINARY" --root "$TESTDIR/crio" $STORAGE_OPTIONS --runroot "$TESTDIR/crio-run" --image-name=quay.io/crio/stderr-test:latest --import-from=dir:"$ARTIFACTS_PATH"/stderr-test --signature-policy="$INTEGRATION_ROOT"/policy.json | ||
| "$CRIO_BINARY" ${DEFAULT_MOUNTS_OPTS} ${HOOKS_OPTS} --conmon "$CONMON_BINARY" --listen "$CRIO_SOCKET" --cgroup-manager "$CGROUP_MANAGER" --default-mounts-file "$TESTDIR/containers/mounts.conf" --registry "quay.io" --runtime "$RUNTIME_BINARY" --root "$TESTDIR/crio" --runroot "$TESTDIR/crio-run" $STORAGE_OPTIONS --seccomp-profile "$seccomp" --apparmor-profile "$apparmor" --cni-config-dir "$CRIO_CNI_CONFIG" --cni-plugin-dir "$CRIO_CNI_PLUGIN" --signature-policy "$INTEGRATION_ROOT"/policy.json --image-volumes "$IMAGE_VOLUMES" --pids-limit "$PIDS_LIMIT" --log-size-max "$LOG_SIZE_MAX_LIMIT" --config /dev/null config >$CRIO_CONFIG | ||
| "$CRIO_BINARY" ${DEFAULT_MOUNTS_OPTS} ${HOOKS_OPTS} --default-capabilities "$capabilities" --conmon "$CONMON_BINARY" --listen "$CRIO_SOCKET" --cgroup-manager "$CGROUP_MANAGER" --default-mounts-file "$TESTDIR/containers/mounts.conf" --registry "quay.io" --runtime "$RUNTIME_BINARY" --root "$TESTDIR/crio" --runroot "$TESTDIR/crio-run" $STORAGE_OPTIONS --seccomp-profile "$seccomp" --apparmor-profile "$apparmor" --cni-config-dir "$CRIO_CNI_CONFIG" --cni-plugin-dir "$CRIO_CNI_PLUGIN" --signature-policy "$INTEGRATION_ROOT"/policy.json --image-volumes "$IMAGE_VOLUMES" --pids-limit "$PIDS_LIMIT" --log-size-max "$LOG_SIZE_MAX_LIMIT" --config /dev/null config >$CRIO_CONFIG |
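Review bot: the replaced `config` invocation passes `--default-capabilities "$capabilities"` unconditionally, so when the caller gives no fourth argument CRI-O receives an empty value; check whether an empty list means "use the built-in defaults" or "grant no capabilities", because the latter silently changes every test that does not set `$4`. Quoting `"$capabilities"` also means a space-separated value such as `CHOWN KILL` arrives as one argument, so the comma-separated form suggested earlier in review is the only one this line handles correctly.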
I think the easiest approach to "for a handful of tests I want to set this option" is to use an ADDITIONAL_CRIO_OPTIONS environment variable. For an example, see here and here in the otherwise unrelated #1280. Passing these in as positional arguments seems more brittle than:
ADDITIONAL_CRIO_OPTIONS='--default-capabilities "CHOWN,DAC_OVERRIDE,FSETID,FOWNER,NET_RAW,SETGID,SETUID"' start_crio

The default capabilities need to be set for all the tests, as we are getting rid of some of the capabilities given by the default spec. There is just one test where I change the capabilities to test that when the user updates the list of capabilities, cri-o uses the new list.
@umohnani8 Sadly this needs a rebase; also, could you check to make sure the seccomp handling is done correctly, i.e. seccomp rules are supposed to reflect the current settings in the capabilities list.
Change the configs under testdata to default to not share the pid namespace unless required to.
Signed-off-by: umohnani8 <[email protected]>
rebased.
/test all

/test e2e_rhel
The list of capabilities to be added can be defined in /etc/crio/crio.conf.
Signed-off-by: umohnani8 <[email protected]>
/test all

LGTM

mrunalp left a comment:
LGTM
The list of capabilities to be added can be defined in
/etc/crio/crio.conf.
Fixes #1536
Signed-off-by: umohnani8 [email protected]