From dd1945966b54e39235d8c87ab1412bc7c8d0cac9 Mon Sep 17 00:00:00 2001 From: Peter Hunt Date: Thu, 27 Jan 2022 13:43:16 -0500 Subject: [PATCH 1/2] server: skip sysctls that would affect the host Signed-off-by: Peter Hunt --- pkg/config/sysctl.go | 4 ++++ server/sandbox_run_linux.go | 7 ++++++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/pkg/config/sysctl.go b/pkg/config/sysctl.go index 6f7c1a31875..1c76e82a128 100644 --- a/pkg/config/sysctl.go +++ b/pkg/config/sysctl.go @@ -6,6 +6,10 @@ import ( "github.com/pkg/errors" ) +func NewSysctl(key, value string) *Sysctl { + return &Sysctl{key, value} +} + // Sysctl is a generic abstraction over key value based sysctls type Sysctl struct { key, value string diff --git a/server/sandbox_run_linux.go b/server/sandbox_run_linux.go index d61180f235b..5b756c2ced0 100644 --- a/server/sandbox_run_linux.go +++ b/server/sandbox_run_linux.go @@ -1001,7 +1001,7 @@ func (s *Server) configureGeneratorForSysctls(ctx context.Context, g *generate.G for _, sysctl := range defaultSysctls { if err := sysctl.Validate(hostNetwork, hostIPC); err != nil { - log.Warnf(ctx, "skipping invalid sysctl %s: %v", sysctl, err) + log.Warnf(ctx, "Skipping invalid sysctl specified by config %s: %v", sysctl, err) continue } g.AddLinuxSysctl(sysctl.Key(), sysctl.Value()) @@ -1011,6 +1011,11 @@ func (s *Server) configureGeneratorForSysctls(ctx context.Context, g *generate.G // extract linux sysctls from annotations and pass down to oci runtime // Will override any duplicate default systcl from crio.conf for key, value := range sysctls { + sysctl := libconfig.NewSysctl(key, value) + if err := sysctl.Validate(hostNetwork, hostIPC); err != nil { + log.Warnf(ctx, "Skipping invalid sysctl specified over CRI %s: %v", sysctl, err) + continue + } g.AddLinuxSysctl(key, value) sysctlsToReturn[key] = value } From 1cb18d889211a6bfa06cb13a8ccec8821b75f169 Mon Sep 17 00:00:00 2001 
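Review bot: `NewSysctl` in pkg/config/sysctl.go is exported but carries no doc comment, while the neighbouring `Sysctl` type does; add `// NewSysctl returns a Sysctl holding key and value as given; it performs no validation, callers must invoke Validate.` above it. The body is a bare `return &Sysctl{key, value}`, so that "no validation" statement is exact and worth spelling out, because the new call site in server/sandbox_run_linux.go relies on calling `Validate` afterwards. A keyed literal, `&Sysctl{key: key, value: value}`, would also make the two same-typed fields harder to swap by accident.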
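Review bot: In the second sandbox_run_linux.go hunk a CRI-requested sysctl that fails `Validate` is dropped with a warning and sandbox creation carries on, so a pod ends up running without a setting it explicitly asked for; if the intended policy is to refuse rather than silently degrade, returning the error here would be the stricter choice, and if warn-and-drop is deliberate a one-line comment stating that would help the next reader. Either way the warning should say why the key was rejected, since `Validate` decides on the namespace flags: `log.Warnf(ctx, "Skipping invalid sysctl specified over CRI %s (hostNetwork=%v, hostIPC=%v): %v", sysctl, hostNetwork, hostIPC, err)`. Leaving the skipped key out of `sysctlsToReturn` (the `continue` runs before that assignment) is right, as the returned status then reflects only what was applied. `Validate` lives in pkg/config/sysctl.go outside this hunk, so which keys it rejects cannot be confirmed from here, and `configureGeneratorForSysctls` begins before the hunk.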
From: Peter Hunt Date: Thu, 27 Jan 2022 13:59:16 -0500 Subject: [PATCH 2/2] test: add test for skipped sysctls Signed-off-by: Peter Hunt --- test/pod.bats | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/test/pod.bats b/test/pod.bats index 3bb1bf3a0a1..bc22dc551e0 100644 --- a/test/pod.bats +++ b/test/pod.bats @@ -156,6 +156,39 @@ function teardown() { [[ "$output" == *"net.ipv4.ip_forward = 1"* ]] } +@test "skip pod sysctls to runtime if host" { + if test -n "$CONTAINER_UID_MAPPINGS"; then + skip "userNS enabled" + fi + CONTAINER_DEFAULT_SYSCTLS="net.ipv4.ip_forward=0" start_crio + + jq ' .linux.security_context.namespace_options = { + network: 2, + ipc: 2 + } | + .linux.sysctls = { + "kernel.shm_rmid_forced": "1", + "net.ipv4.ip_local_port_range": "2048 65000", + "kernel.msgmax": "16384" + }' "$TESTDATA"/sandbox_config.json > "$TESTDIR"/sandbox.json + + pod_id=$(crictl runp "$TESTDIR"/sandbox.json) + ctr_id=$(crictl create "$pod_id" "$TESTDATA"/container_redis.json "$TESTDIR"/sandbox.json) + crictl start "$ctr_id" + + output=$(crictl exec --sync "$ctr_id" sysctl kernel.shm_rmid_forced) + [[ "$output" != *"kernel.shm_rmid_forced = 1"* ]] + + output=$(crictl exec --sync "$ctr_id" sysctl kernel.msgmax) + [[ "$output" != *"kernel.msgmax = 16384"* ]] + + output=$(crictl exec --sync "$ctr_id" sysctl net.ipv4.ip_local_port_range) + [[ "$output" != *"net.ipv4.ip_local_port_range = 2048 65000"* ]] + + output=$(crictl exec --sync "$ctr_id" sysctl net.ipv4.ip_forward) + [[ "$output" != *"net.ipv4.ip_forward = 0"* ]] +} + @test "pod stop idempotent" { start_crio pod_id=$(crictl runp "$TESTDATA"/sandbox_config.json)
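Review bot: The four assertions in the new `skip pod sysctls to runtime if host` test are negative and host-dependent: with `network: 2` and `ipc: 2` the container shares the node's namespaces (that is the situation the test is exercising), so `crictl exec ... sysctl` reports the host's current value, and the test passes only as long as the CI host does not already happen to have, say, `kernel.shm_rmid_forced=1` or `net.ipv4.ip_forward=0`. Read the host value first and assert equality instead, e.g. `expected=$(sysctl -n kernel.msgmax)` followed by `[[ "$output" == "kernel.msgmax = $expected" ]]`, repeated for each key. That pins what the commit intends — the requested value was not applied and the host value is unchanged — rather than a property of whichever machine runs the suite.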