1 change: 1 addition & 0 deletions contrib/test/ci/vars.yml
Expand Up @@ -169,6 +169,7 @@ kata_skip_network_tests:
- 'test "Clean up network if pod sandbox gets killed"'
kata_skip_pod_tests:
- 'test "pass pod sysctls to runtime"'
- 'test "pass pod sysctls to runtime when in userns"'
Should we create an issue for this to track the failure?

@haircommander haircommander May 8, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We could, though userns isn't super meaningful in a kata context because the IDs are already separated from the host through virtualization.

- 'test "skip pod sysctls to runtime if host"'
- 'test "restart crio and still get pod status"'
- 'test "systemd cgroup_parent correctly set"'
2 changes: 2 additions & 0 deletions internal/config/nsmgr/nsmgr_linux.go
Expand Up @@ -132,6 +132,8 @@ func (mgr *NamespaceManager) NewPodNamespaces(cfg *PodNamespacesConfig) ([]Names
return nil, fmt.Errorf("failed to pin namespaces %v: %s %w", cfg.Namespaces, output, err)
}

logrus.Debugf("Got output from pinns: %s", output)

returnedNamespaces := make([]Namespace, 0, len(cfg.Namespaces))
for _, ns := range cfg.Namespaces {
ns, err := GetNamespace(ns.Path, ns.Type)
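Review bot: The new debug line formats the raw pinns output with `%s`; that value is the output of a child process, so it can be empty or contain newlines, and `%q` would keep the whole thing on one log entry and make an empty result visible: `logrus.Debugf("Got output from pinns: %q", output)`. The pre-existing error line two lines above formats the same value with `%s`, so if you change the new line it is worth deciding whether the two should match, though that line is not part of this change. NewPodNamespaces starts and ends outside the hunk.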
12 changes: 8 additions & 4 deletions pinns/src/pinns.c
Expand Up @@ -166,6 +166,10 @@ int main(int argc, char **argv) {
if (unshare(unshare_flags) < 0) {
pexit("Failed to unshare namespaces");
}

if (sysctls_count != 0 && configure_sysctls(sysctls, sysctls_count) < 0) {
pexit("Failed to configure sysctls after unshare");
}
} else {
/* if we create a user or mount namespace, we need a new process. */
if (socketpair(AF_UNIX, SOCK_SEQPACKET | SOCK_CLOEXEC, 0, p))
Expand Down Expand Up @@ -204,6 +208,10 @@ int main(int argc, char **argv) {
if (unshare(unshare_flags & ~CLONE_NEWUSER) < 0)
pexit("Failed to unshare namespaces");

if (sysctls_count != 0 && configure_sysctls(sysctls, sysctls_count) < 0) {
pexit("Failed to configure sysctls after unshare");
}

/* Notify that the namespaces are created. */
if (TEMP_FAILURE_RETRY(write(p[1], "0", 1)) < 0)
pexit("Failed to write on sync pipe");
Expand Down Expand Up @@ -245,10 +253,6 @@ int main(int argc, char **argv) {
close(p[0]);
}

if (sysctls_count != 0 && configure_sysctls(sysctls, sysctls_count) < 0) {
pexit("Failed to configure sysctls after unshare");
}

if (bind_user) {
if (bind_ns(pin_path, filename, "user", pid) < 0) {
return EXIT_FAILURE;
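Review bot: In the second hunk the child can now `pexit` from the `configure_sysctls` check before it writes the sync byte to `p[1]`, so a sysctl failure in the user-namespace path reaches the parent only as EOF on the sync socket; if the parent's read of that socket (outside these hunks) rejects only a negative return, it would go on to `bind_ns` against a child that has already exited, so it is worth confirming the read treats a short read as failure. The reason the call moved also deserves a comment at both new call sites, because the duplicated block invites a future cleanup that hoists it back to where the third hunk removed it; the fork-path comment suggests the parent never enters the new namespaces there, so something like `/* Apply sysctls here, inside the freshly unshared namespaces: in the fork path the parent stays in its original namespaces, so applying them after the sync would target the caller's rather than the pod's. */` would pin that down. Both call sites are inside main, which starts and ends outside the hunks.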
35 changes: 35 additions & 0 deletions test/pod.bats
Expand Up @@ -157,6 +157,41 @@ function teardown() {
[[ "$output" == *"net.ipv4.ip_forward = 1"* ]]
}

@test "pass pod sysctls to runtime when in userns" {
if test -n "$CONTAINER_UID_MAPPINGS"; then
skip "userNS enabled"
fi
CONTAINER_DEFAULT_SYSCTLS="net.ipv4.ip_forward=1" start_crio

# TODO: kernel* ones fail with permission denied.
jq ' .linux.sysctls = {
"net.ipv4.ip_local_port_range": "1024 65000",
} |
.linux.security_context.namespace_options.userns_options = {
"mode": 0,
"uids": [{
"host_id": 100000,
"container_id": 0,
"length": 65355
}],
"gids": [{
"host_id": 100000,
"container_id": 0,
"length": 65355
}]
}' "$TESTDATA"/sandbox_config.json > "$TESTDIR"/sandbox.json

pod_id=$(crictl runp "$TESTDIR"/sandbox.json)
ctr_id=$(crictl create "$pod_id" "$TESTDATA"/container_redis.json "$TESTDIR"/sandbox.json)
crictl start "$ctr_id"

output=$(crictl exec --sync "$ctr_id" sysctl net.ipv4.ip_local_port_range)
[[ "$output" == *"net.ipv4.ip_local_port_range = 1024 65000"* ]]

output=$(crictl exec --sync "$ctr_id" sysctl net.ipv4.ip_forward)
[[ "$output" == *"net.ipv4.ip_forward = 1"* ]]
}

@test "disable crypto.fips_enabled when FIPS_DISABLE is set" {
# Check if /proc/sys/crypto exists and skip the test if it does not.
if [ ! -d "/proc/sys/crypto" ]; then
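Review bot: The new test asserts only the values seen inside the container and never checks that the host's `net.ipv4.ip_local_port_range` was left untouched, which, if the pinns change in this PR is what moves the sysctl writes off the parent process in the userns path, is the regression this test exists to catch. Capture the host value before `start_crio` with `host_range=$(sysctl -n net.ipv4.ip_local_port_range)` and, after the two container assertions, add `[[ "$(sysctl -n net.ipv4.ip_local_port_range)" == "$host_range" ]]`. That keeps the test sensitive to a sysctl leaking out of the pod's namespaces rather than only to the in-pod value being set.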