Skip to content

server: support ping_group_range if in a userns #8174

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 14, 2024
Merged

server: support ping_group_range if in a userns #8174

merged 1 commit into from
May 14, 2024

Conversation

@haircommander
Copy link
Member

What type of PR is this?

/kind bug

What this PR does / why we need it:

ping_group_range sysctl requires the upper bound be within the range of IDs the user has access to. ping_group_range is often set to the max allowable range "0 2147483647", but this will break for every usernamespace pod.

Instead, hack around it by updating the max GID to be the largest one we find in the IDMappings

Which issue(s) this PR fixes:

Special notes for your reviewer:

Does this PR introduce a user-facing change?

fix a bug where a pod with a userns would fail to be created when `ping_group_range` sysctl was specified for it (and the max of that range was outside of the pods user namespace)

@openshift-ci openshift-ci bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. labels May 14, 2024
@openshift-ci
Copy link
Contributor

openshift-ci bot commented May 14, 2024

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci openshift-ci bot added dco-signoff: yes Indicates the PR's author has DCO signed all their commits. kind/bug Categorizes issue or PR as related to a bug. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels May 14, 2024
@haircommander
server: support ping_group_range if in a userns
64b991b 
ping_group_range sysctl requires the upper bound be within the range of IDs
the user has access to. ping_group_range is often set to the max allowable range
"0 2147483647", but this will break for every usernamespace pod.

Instead, hack around it by updating the max GID to be the largest one we find
in the IDMappings

Signed-off-by: Peter Hunt <[email protected]>
giuseppe
giuseppe approved these changes May 14, 2024
View reviewed changes
Copy link
Member

@giuseppe giuseppe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label May 14, 2024
@openshift-ci
Copy link
Contributor

openshift-ci bot commented May 14, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: giuseppe, haircommander

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [giuseppe,haircommander]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@haircommander haircommander marked this pull request as ready for review May 14, 2024 19:33
@haircommander haircommander requested a review from mrunalp as a code owner May 14, 2024 19:33
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 14, 2024
@openshift-ci openshift-ci bot requested review from klihub and wgahnagl May 14, 2024 19:34
@openshift-merge-bot openshift-merge-bot bot merged commit c5f709c into cri-o:main May 14, 2024
kwilczynski
kwilczynski reviewed May 15, 2024
View reviewed changes
server/sandbox_run_linux.go

func configurePingGroupRangeGivenIDMappings(ctx context.Context, g *generate.Generator, sandboxIDMappings *idtools.IDMappings, sysctls map[string]string) map[string]string {
// We have to manually fuss with this specific sysctl.
// It's commonly set to the max range by default "0 2147483647".
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For posterity:

This value, for the upper limit, is the same as 2^31-1.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, a fun fact:

kwilczynski
kwilczynski reviewed May 15, 2024
View reviewed changes
server/sandbox_run_linux.go
Comment on lines +1118 to +1124
maxID := 0
for _, mapping := range sandboxIDMappings.GIDs() {
topOfRange := mapping.ContainerID + mapping.Size - 1
if maxID < topOfRange {
maxID = topOfRange
}
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The recent Go version has the max() built-in:

	var maxID int
	for _, mapping := range sandboxIDMappings.GIDs() {
		maxID = max(maxID, mapping.ContainerID + mapping.Size - 1)
	}

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

added a follow up #8184

@haircommander
Copy link
Member Author

/cherry-pick release-1.29

@openshift-cherrypick-robot
Copy link

@haircommander: new pull request created: #8185

In response to this:

/cherry-pick release-1.29

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-cherrypick-robot openshift-cherrypick-robot mentioned this pull request May 15, 2024
Merged
@haircommander
Copy link
Member Author

/cherry-pick release-1.30

@openshift-cherrypick-robot
Copy link

@haircommander: new pull request created: #8186

In response to this:

/cherry-pick release-1.30

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-cherrypick-robot openshift-cherrypick-robot mentioned this pull request May 15, 2024
Merged
@github-actions github-actions bot mentioned this pull request Sep 25, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@giuseppe giuseppe giuseppe approved these changes

@mrunalp mrunalp Awaiting requested review from mrunalp mrunalp is a code owner

@klihub klihub Awaiting requested review from klihub

@wgahnagl wgahnagl Awaiting requested review from wgahnagl

+1 more reviewer

@kwilczynski kwilczynski kwilczynski left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@giuseppe giuseppe

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. kind/bug Categorizes issue or PR as related to a bug. lgtm Indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@haircommander @openshift-cherrypick-robot @giuseppe @kwilczynski