Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

seccomp: always allow name_to_handle_at #8752

Merged
merged 1 commit into from
Jun 28, 2023
Merged

seccomp: always allow name_to_handle_at #8752

merged 1 commit into from
Jun 28, 2023

Conversation

neersighted
Copy link
Contributor

This syscall is used by systemd to request unique internal names for paths in the cgroup hierarchy from the kernel, and is overall innocuous.

Due to previous mistakes in moby/moby, it ended up attached to CAP_SYS_ADMIN; however, it should not be filtered at all.

An in-depth analysis is available at moby/moby.

@k8s-ci-robot
Copy link

Hi @neersighted. Thanks for your PR.

I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@neersighted
Copy link
Contributor Author

/cc @thaJeztah @dmcgowan @AkihiroSuda @bartier

@k8s-ci-robot
Copy link

@neersighted: GitHub didn't allow me to request PR reviews from the following users: bartier.

Note that only containerd members and repo collaborators can review this PR, and authors cannot review their own PRs.

In response to this:

/cc @thaJeztah @dmcgowan @AkihiroSuda @bartier

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

This was referenced Jun 27, 2023
Merged
Merged
Merged
@AkihiroSuda
Copy link
Member

/ok-to-test

dcantah
dcantah approved these changes Jun 28, 2023
View reviewed changes
Copy link
Member

@dcantah dcantah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fantastic write up on the moby/moby thread, was fun to read :)

thaJeztah
thaJeztah approved these changes Jun 28, 2023
View reviewed changes
Copy link
Member

@thaJeztah thaJeztah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@neersighted neersighted marked this pull request as draft June 28, 2023 11:35
@neersighted @bartier
seccomp: always allow name_to_handle_at
9a202e3 
This syscall is used by systemd to request unique internal names for
paths in the cgroup hierarchy from the kernel, and is overall innocuous.

Due to [previous][1] [mistakes][2] in moby/moby, it ended up attached to
`CAP_SYS_ADMIN`; however, it should not be filtered at all.

An in-depth analysis is available [at moby/moby][3].

  [1]: moby/moby@a01c4dc#diff-6c0d906dbef148d2060ed71a7461907e5601fea78866e4183835c60e5d2ff01aR1627-R1639
  [2]: moby/moby@c1ca124
  [3]: moby/moby#45766 (review)

Co-authored-by: Vitor Anjos <bartier@users.noreply.github.com>
Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
@neersighted neersighted marked this pull request as ready for review June 28, 2023 11:52
@neersighted neersighted requested a review from thaJeztah June 28, 2023 11:52
thaJeztah
thaJeztah approved these changes Jun 28, 2023
View reviewed changes
Copy link
Member

@thaJeztah thaJeztah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@thaJeztah
Copy link
Member

Pretty much unrelated, but I keep seeing those deprecation warnings; do we know if someone has spent time working on those? (I must admit I'm not a proficient user of Ginkgo)

critest version: 1.27.0
You're using deprecated Ginkgo functionality:
=============================================
  --ginkgo.slow-spec-threshold is deprecated --slow-spec-threshold has been deprecated and will be removed in a future version of Ginkgo.  This feature has proved to be more noisy than useful.  You can use --poll-progress-after, instead, to get more actionable feedback about potentially slow specs and understand where they might be getting stuck.

To silence deprecations that can be silenced set the following environment variable:
  ACK_GINKGO_DEPRECATIONS=2.9.2

@djdongjin
Copy link
Member

Pretty much unrelated, but I keep seeing those deprecation warnings; do we know if someone has spent time working on those? (I must admit I'm not a proficient user of Ginkgo)

I saw Ginkgo is only used in containerd for cri-tools test. We use cri-tools v1.27.0, which uses Ginkgo v2.9.2 (removed that deprecation). So we should be safe to update Ginkgo to the version used by cri-tools. Opened #8758 and the warning disappeared :) https://github.com/containerd/containerd/actions/runs/5401559918/jobs/9811676884

@djdongjin djdongjin mentioned this pull request Jun 28, 2023
Merged
@kzys kzys merged commit a3c9ed7 into containerd:main Jun 28, 2023
@neersighted neersighted deleted the name_to_handle_at branch June 28, 2023 15:25
@neersighted
Copy link
Contributor Author

Thanks! Backports to 1.7 and 1.6 are open at #8753 and #8754.

@yodatak yodatak mentioned this pull request Jul 31, 2023
Closed
kiashok added a commit to kiashok/containerd-containerd that referenced this pull request Oct 23, 2024
@kiashok
Merged PR 8369437: Update fork-external/main with upstream containerd…
6b2c041 
…/main

Merge upstream containerd/main at commit 5d1ab01 into ado fork-external/main

Related work items: containerd#7944, containerd#8174, containerd#8334, containerd#8362, containerd#8572, containerd#8582, containerd#8588, containerd#8605, containerd#8606, containerd#8617, containerd#8619, containerd#8626, containerd#8627, containerd#8633, containerd#8637, containerd#8641, containerd#8643, containerd#8645, containerd#8652, containerd#8667, containerd#8672, containerd#8673, containerd#8676, containerd#8680, containerd#8684, containerd#8685, containerd#8692, containerd#8696, containerd#8697, containerd#8701, containerd#8708, containerd#8717, containerd#8726, containerd#8728, containerd#8729, containerd#8731, containerd#8732, containerd#8740, containerd#8752, containerd#8758, containerd#8762, containerd#8764
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dcantah dcantah dcantah approved these changes

@bartier bartier bartier approved these changes

@AkihiroSuda AkihiroSuda AkihiroSuda approved these changes

@thaJeztah thaJeztah thaJeztah approved these changes

@kzys kzys kzys approved these changes

@dmcgowan dmcgowan Awaiting requested review from dmcgowan

Assignees
No one assigned
Labels
ok-to-test
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
8 participants
@neersighted @k8s-ci-robot @AkihiroSuda @thaJeztah @djdongjin @kzys @bartier @dcantah