From 14c40d8a3a7865a57152bb5c8e62c1eb2994f13d Mon Sep 17 00:00:00 2001
From: Peter Hunt
Date: Tue, 14 May 2024 14:44:28 -0400
Subject: [PATCH] server: support ping_group_range if in a userns
ping_group_range sysctl requires the upper bound be within the range of IDs the user has access to. ping_group_range is often set to the max allowable range "0 2147483647", but this will break for every usernamespace pod. Instead, hack around it by updating the max GID to be the largest one we find in the IDMappings
Signed-off-by: Peter Hunt
---
 server/sandbox_run_linux.go | 42 ++++++++++++++++++++++++++++++++++---
 test/network_ping.bats | 3 ---
 2 files changed, 39 insertions(+), 6 deletions(-)
diff --git a/server/sandbox_run_linux.go b/server/sandbox_run_linux.go
index 8f04d84bb0a..1d3b681db05 100644
--- a/server/sandbox_run_linux.go
+++ b/server/sandbox_run_linux.go
@@ -739,7 +739,7 @@ func (s *Server) runPodSandbox(ctx context.Context, req *types.RunPodSandboxRequ
 }
 // Add default sysctls given in crio.conf
- sysctls := s.configureGeneratorForSysctls(ctx, g, hostNetwork, hostIPC, req.Config.Linux.Sysctls)
+ sysctls := s.configureGeneratorForSysctls(ctx, g, hostNetwork, hostIPC, sandboxIDMappings, req.Config.Linux.Sysctls)
 // set up namespaces
 s.resourceStore.SetStageForResource(ctx, sbox.Name(), "sandbox namespace creation")
@@ -1065,7 +1065,7 @@ func populateSandboxLabels(labels map[string]string, kubeName, kubePodUID, names
 return labels
 }
-func (s *Server) configureGeneratorForSysctls(ctx context.Context, g *generate.Generator, hostNetwork, hostIPC bool, sysctls map[string]string) map[string]string {
+func (s *Server) configureGeneratorForSysctls(ctx context.Context, g *generate.Generator, hostNetwork, hostIPC bool, sandboxIDMappings *idtools.IDMappings, sysctls map[string]string) map[string]string {
 ctx, span := log.StartSpan(ctx)
 defer span.End()
 sysctlsToReturn := make(map[string]string)
@@ -1094,7 +1094,43 @@ func (s *Server) configureGeneratorForSysctls(ctx context.Context, g *generate.G
 g.AddLinuxSysctl(key, value)
 sysctlsToReturn[key] = value
 }
- return sysctlsToReturn
+ return configurePingGroupRangeGivenIDMappings(ctx, g, sandboxIDMappings, sysctlsToReturn)
+}
+
+func configurePingGroupRangeGivenIDMappings(ctx context.Context, g *generate.Generator, sandboxIDMappings *idtools.IDMappings, sysctls map[string]string) map[string]string {
+ // We have to manually fuss with this specific sysctl.
+ // It's commonly set to the max range by default "0 2147483647".
+ // However, a pod with GIDMappings may not actually have the upper range set,
+ // which means attempting to set this sysctl will fail with EINVAL
+ // Instead, update the max of the group range to be the largest group value in the IDMappings.
+ const (
+ pingGroupRangeKey = "net.ipv4.ping_group_range"
+ pingGroupFullRangeBottom = "0"
+ pingGroupFullRangeTop = "2147483647"
+ )
+ val, ok := sysctls[pingGroupRangeKey]
+ if !ok || sandboxIDMappings == nil {
+ return sysctls
+ }
+ // Only do this if the value is `0 2147483647`
+ currentRange := strings.Fields(val)
+ if len(currentRange) != 2 || currentRange[0] != pingGroupFullRangeBottom || currentRange[1] != pingGroupFullRangeTop {
+ return sysctls
+ }
+
+ maxID := 0
+ for _, mapping := range sandboxIDMappings.GIDs() {
+ topOfRange := mapping.ContainerID + mapping.Size - 1
+ if maxID < topOfRange {
+ maxID = topOfRange
+ }
+ }
+ newRange := "0 " + strconv.Itoa(maxID)
+
+ log.Debugf(ctx, "Mutating %s sysctl to %s", pingGroupRangeKey, newRange)
+ g.AddLinuxSysctl(pingGroupRangeKey, newRange)
+ sysctls[pingGroupRangeKey] = newRange
+ return sysctls
 }
 // configureGeneratorForSandboxNamespaces set the linux namespaces for the generator, based on whether the pod is sharing namespaces with the host,
diff --git a/test/network_ping.bats b/test/network_ping.bats
index 3096e47bf20..353b47eb808 100644
--- a/test/network_ping.bats
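Review bot: `maxID` starts at 0 and the loop only ever raises it, so when `sandboxIDMappings.GIDs()` yields no mappings the new function rewrites the sysctl to `0 0`, silently narrowing ping access to GID 0 instead of leaving the configured value untouched; an early guard such as `if len(sandboxIDMappings.GIDs()) == 0 { return sysctls }` before the loop keeps the mutation limited to pods that actually carry GID mappings. The rewrite also fires only for the exact `0 2147483647` value, so a narrower explicit range that still exceeds the mapping will presumably still fail with EINVAL at apply time — worth stating in a comment if that is the intended scope of the workaround. The explanatory block inside the body is really the function's contract; moving it above the signature as a `// configurePingGroupRangeGivenIDMappings ...` doc comment that also notes the function mutates and returns the passed `sysctls` map would make that visible at the call site in configureGeneratorForSysctls.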
+++ b/test/network_ping.bats
@@ -3,9 +3,6 @@ load helpers
 function setup() {
- if test -n "$CONTAINER_UID_MAPPINGS"; then
- skip "FIXME: can't set ping_group_range inside the container"
- fi
 setup_test
 CONTAINER_DEFAULT_SYSCTLS='net.ipv4.ping_group_range=0 2147483647'
 start_crio
 }