Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix the wrong localhost seccomp path of CRI #55450

Merged
merged 3 commits into from
Nov 23, 2017
Merged

Fix the wrong localhost seccomp path of CRI #55450

merged 3 commits into from
Nov 23, 2017

Conversation

feiskyer
Copy link
Member

@feiskyer feiskyer commented Nov 10, 2017
edited
Loading

What this PR does / why we need it:

Fix the wrong seccomp path comment.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #55359

Special notes for your reviewer:

Release note:

Fix CRI localhost seccomp path in format localhost//profileRoot/profileName.

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Nov 10, 2017
@feiskyer
Copy link
Member Author

/assign @yujuhong

@feiskyer
Copy link
Member Author

/retest

1 similar comment
@feiskyer
Copy link
Member Author

/retest

mtaufen
mtaufen reviewed Nov 13, 2017
View reviewed changes
pkg/kubelet/dockershim/helpers_linux.go
@@ -62,7 +62,8 @@ func getSeccompDockerOpts(seccompProfile string) ([]dockerOpt, error) {
return nil, fmt.Errorf("unknown seccomp profile option: %s", seccompProfile)
}

fname := strings.TrimPrefix(seccompProfile, "localhost/") // by pod annotation validation, name is a valid subpath
// get the full path of seccomp profile when prefixed with 'localhost/'.
fname := strings.TrimPrefix(seccompProfile, "localhost/")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure you end up with an absolute path here. TrimPrefix will cut the / too, and you're left with a path that has no leading /. From what I can tell, filepath.FromSlash does not add a leading /. https://play.golang.org/p/_A6DBoSG1V

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mtaufen yep, it doesn't add a leading '/'. And there are indeed issues about seccomp path.

localhost/ is missing because of following code:

kubernetes/pkg/kubelet/kuberuntime/helpers.go

Lines 278 to 282 in 72a2b0b

if strings.HasPrefix(profile, "localhost/") {
name := strings.TrimPrefix(profile, "localhost/")
fname := filepath.Join(m.seccompProfileRoot, filepath.FromSlash(name))
return fname
}

will add a new commit to fix this.

@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Nov 13, 2017
@feiskyer feiskyer changed the title Fix the wrong seccomp path comment Fix the wrong localhost seccomp path Nov 13, 2017
@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed release-note-none Denotes a PR that doesn't merit a release note. labels Nov 13, 2017
@feiskyer feiskyer changed the title Fix the wrong localhost seccomp path Fix the wrong localhost seccomp path of CRI Nov 13, 2017
@feiskyer
Copy link
Member Author

@yujuhong @mtaufen Added a new commit to fix CRI localhost seccomp path in format localhost//profileRoot/profileName.

@k8s-cherrypick-bot
Copy link

Removing label cherrypick-candidate because no release milestone was set. This is an invalid state and thus this PR is not being considered for cherry-pick to any release branch. Please add an appropriate release milestone and then re-add the label.

mtaufen
mtaufen reviewed Nov 14, 2017
View reviewed changes
pkg/kubelet/dockershim/helpers_linux.go Outdated
@@ -62,7 +62,8 @@ func getSeccompDockerOpts(seccompProfile string) ([]dockerOpt, error) {
return nil, fmt.Errorf("unknown seccomp profile option: %s", seccompProfile)
}

fname := strings.TrimPrefix(seccompProfile, "localhost/") // by pod annotation validation, name is a valid subpath
// get the full path of seccomp profile when prefixed with 'localhost/'.
fname := strings.TrimPrefix(seccompProfile, "localhost/")
file, err := ioutil.ReadFile(filepath.FromSlash(fname))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we also add validation that fname is absolute, and return an error if it is not?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

something like this

import "path/filepath"
if !filepath.IsAbs(fname) {
    return nil, fmt.Errorf("seccomp profile path must be absolute, but got relative path %q", fname)
}

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mtaufen Good catch. Will add.

@feiskyer feiskyer force-pushed the seccomp-path branch 3 times, most recently from f2d58e8 to d03629a Compare November 14, 2017 08:40
@feiskyer
Copy link
Member Author

/retest

1 similar comment
@feiskyer
Copy link
Member Author

/retest

@feiskyer feiskyer added the kind/bug Categorizes issue or PR as related to a bug. label Nov 17, 2017
@yujuhong
Copy link
Contributor

@feiskyer what's the expected format of the annotation value? Is it localhost/<full path to profile>, e.g., localhost//foo/bar/profile? Or is it localhost/foo/bar/profile?

@feiskyer
Copy link
Member Author

@yujuhong The path in the kubernetes annotation is a relative path, and root directory is set by kubelet's --seccomp-profile-root option (default to "/var/lib/kubelet/seccomp"). We converted it to absolute path in CRI.

@feiskyer
Copy link
Member Author

/retest

yujuhong
yujuhong reviewed Nov 21, 2017
View reviewed changes
pkg/kubelet/dockershim/helpers_linux_test.go Outdated
@@ -55,26 +58,26 @@ func TestGetSeccompSecurityOpts(t *testing.T) {
}

func TestLoadSeccompLocalhostProfiles(t *testing.T) {
tmpdir, err := ioutil.TempDir("", "seccomp-local-profile-test")
assert.NoError(t, err)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

s/assert/require

assert is not fatal and the test will continue.

pkg/kubelet/dockershim/helpers_linux_test.go Outdated
defer os.RemoveAll(tmpdir)
testProfile := `{"foo": "bar"}`
err = ioutil.WriteFile(filepath.Join(tmpdir, "test"), []byte(testProfile), 0644)
assert.NoError(t, err)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

s/assert/require

pkg/kubelet/dockershim/helpers_linux_test.go Outdated
seccompProfile: "localhost/fixtures/seccomp/sub/subtest",
expectedOpts: []string{`seccomp={"abc":"def"}`},
expectErr: false,
msg: "Non-exist profile should return error",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: s/Non-exist/Non-existent

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ack

pkg/kubelet/kuberuntime/helpers_test.go Outdated

func TestGetSeccompProfileFromAnnotations(t *testing.T) {
_, _, m, err := createTestRuntimeManager()
assert.NoError(t, err)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

s/assert/require

@tallclair
Copy link
Member

/unassign
defer to yuju & michael

@feiskyer
Copy link
Member Author

@yujuhong Addressed comments. PTAL

@yujuhong
Copy link
Contributor

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 22, 2017
@k8s-github-robot
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: feiskyer, yujuhong

Associated issue: 55359

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

@k8s-github-robot k8s-github-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 22, 2017
@jberkus
Copy link

jberkus commented Nov 22, 2017

/priority critical-urgent

/remove-priority important-soon

adjusting priorities for code freeze

@k8s-ci-robot k8s-ci-robot added priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. and removed priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. labels Nov 22, 2017
@k8s-github-robot
Copy link

[MILESTONENOTIFIER] Milestone Pull Request Current

@Random-Liu @feiskyer @yujuhong

Note: This pull request is marked as priority/critical-urgent, and must be updated every 1 day during code freeze.

Example update:

ACK.  In progress
ETA: DD/MM/YYYY
Risks: Complicated fix required
Pull Request Labels
  • sig/node: Pull Request will be escalated to these SIGs if needed.
  • priority/critical-urgent: Never automatically move pull request out of a release milestone; continually escalate to contributor and SIG through all available channels.
  • kind/bug: Fixes a bug discovered during the current release.
Help

@k8s-github-robot
Copy link

Automatic merge from submit-queue (batch tested with PRs 55952, 49112, 55450, 56178, 56151). If you want to cherry-pick this change to another branch, please follow the instructions here.

@k8s-github-robot k8s-github-robot merged commit 1fdc688 into kubernetes:master Nov 23, 2017
@feiskyer feiskyer deleted the seccomp-path branch November 23, 2017 06:38
@feiskyer feiskyer mentioned this pull request Nov 23, 2017
Merged
k8s-github-robot pushed a commit that referenced this pull request Nov 28, 2017
Merge pull request #56279 from feiskyer/automated-cherry-pick-of-#554…
11e65bc 
…50-upstream-release-1.8

Automatic merge from submit-queue.

Automated cherry pick of #55450

Cherry pick of #55450 on release-1.8.

#55450: Fix incorrect localhost seccomp profile path
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yujuhong yujuhong yujuhong left review comments

@mtaufen mtaufen mtaufen left review comments

Assignees

@Random-Liu Random-Liu

@yujuhong yujuhong

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/node Categorizes an issue or PR as relevant to SIG Node. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
v1.9
Development

Successfully merging this pull request may close these issues.

Dockershim doesn't consider seccomp profile root?