
✨Propagate capabilities to correct processes #4225

Merged: 8 commits merged into ITISFoundation:master from pr-osparc-docker-exec-cap-add on May 11, 2023

Conversation

@GitHK (Contributor) commented May 11, 2023

What do these changes do?

In theory, capabilities appear very simple at first glance. They do hide some awkward interactions.

Why were capabilities not being propagated before?

  • The main docker process, which has the capabilities when starting, is switched out via gosu, which drops them.
  • How to add them back? We grant them to the Python executable.

We can see the CapPrm field containing only the given capability for the processes and subprocesses started by the Python interpreter.

root@7d326212c50e:/home/scu# ps awx
    PID TTY      STAT   TIME COMMAND
      1 ?        Ss     0:00 /sbin/docker-init -- /bin/sh services/dynamic-sidecar/docker/entrypoint.sh /bin/sh services/dynamic-sidecar/docker/boot.sh
      7 ?        Sl     0:05 /home/scu/.venv/bin/python /home/scu/.venv/bin/uvicorn simcore_service_dynamic_sidecar.main:the_app --host 0.0.0.0 --log-level debug
    764 ?        Sl     0:00 /home/scu/.venv/bin/python /home/scu/.venv/bin/uvicorn simcore_service_dynamic_sidecar.main:the_app --host 0.0.0.0 --log-level debug
    766 ?        Sl     0:00 /home/scu/.venv/bin/python /home/scu/.venv/bin/uvicorn simcore_service_dynamic_sidecar.main:the_app --host 0.0.0.0 --log-level debug
    797 pts/0    Ss     0:00 bash
   1122 pts/0    R+     0:00 ps awx
root@7d326212c50e:/home/scu# cat /proc/1/status | grep Cap
CapInh:	0000000000000000
CapPrm:	00000000a80427fb
CapEff:	00000000a80427fb
CapBnd:	00000000a80427fb
CapAmb:	0000000000000000
root@7d326212c50e:/home/scu# cat /proc/7/status | grep Cap
CapInh:	0000000000000000
CapPrm:	0000000000000200
CapEff:	0000000000000200
CapBnd:	00000000a80427fb
CapAmb:	0000000000000000
root@7d326212c50e:/home/scu# cat /proc/766/status | grep Cap
CapInh:	0000000000000000
CapPrm:	0000000000000200
CapEff:	0000000000000200
CapBnd:	00000000a80427fb
CapAmb:	0000000000000000
root@7d326212c50e:/home/scu# cat /proc/764/status | grep Cap
CapInh:	0000000000000000
CapPrm:	0000000000000200
CapEff:	0000000000000200
CapBnd:	00000000a80427fb
CapAmb:	0000000000000000
root@7d326212c50e:/home/scu# cat /proc/797/status | grep Cap
CapInh:	0000000000000000
CapPrm:	00000000a80427fb
CapEff:	00000000a80427fb
CapBnd:	00000000a80427fb
CapAmb:	0000000000000000

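As an added example (not code from this PR or from osparc-simcore), the script below decodes the Cap* masks pasted above and models the root -> gosu -> exec-python transition the comment describes, using the execve() and UID-change rules from capabilities(7). The PID 1 sample text is copied from the dump above; the `setcap cap_linux_immutable+ep` file capability on the Python binary and every function name are assumptions.

```python
"""Decode and model the Cap* lines of /proc/<pid>/status.

Added example for this PR thread; not code from osparc-simcore. The sample
status text is constructed from the values pasted in the PR description and
the file capabilities on the Python binary are an assumption.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Bit positions from <linux/capability.h>: CAP_CHOWN is bit 0, CAP_CHECKPOINT_RESTORE bit 40.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]
SET_KEYS = ("Inh", "Prm", "Eff", "Bnd", "Amb")
_CAP_LINE = re.compile(r"^Cap(Inh|Prm|Eff|Bnd|Amb):\s*([0-9a-fA-F]{1,16})\s*$", re.M)


def decode_mask(mask: int) -> set[str]:
    """Turn a CapXxx hex mask into names, e.g. 0x200 -> {'cap_linux_immutable'}."""
    if mask >> len(CAP_NAMES):
        raise ValueError(f"{mask:#x} has bits above CAP {len(CAP_NAMES) - 1}")
    return {f"cap_{name}" for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1}


def encode_mask(names: set[str]) -> int:
    return sum(1 << CAP_NAMES.index(n.removeprefix("cap_")) for n in names)


def parse_status(text: str) -> dict[str, int]:
    """Return the five capability sets from a /proc/<pid>/status dump."""
    sets = {key: int(hexval, 16) for key, hexval in _CAP_LINE.findall(text)}
    missing = set(SET_KEYS) - sets.keys()
    if missing:
        raise ValueError(f"status text is missing Cap lines: {sorted(missing)}")
    return sets


def check_invariants(sets: dict[str, int]) -> list[str]:
    """Relations the kernel always maintains; a violation means the dump is not trustworthy."""
    problems = []
    if sets["Eff"] & ~sets["Prm"]:
        problems.append("CapEff is not a subset of CapPrm")
    if sets["Amb"] & ~(sets["Inh"] & sets["Prm"]):
        problems.append("CapAmb is not a subset of CapInh & CapPrm")
    return problems


@dataclass(frozen=True)
class FileCaps:
    """File capabilities as set by setcap(8): permitted set, inheritable set, +e flag."""
    permitted: int = 0
    inheritable: int = 0
    effective: bool = False


def drop_on_uid_change(proc: dict[str, int]) -> dict[str, int]:
    """gosu switching from root to an unprivileged user (capabilities(7), 'Effect of
    user ID changes'): permitted, effective and ambient are cleared; Inh and Bnd survive."""
    return {**proc, "Prm": 0, "Eff": 0, "Amb": 0}


def caps_after_exec(proc: dict[str, int], fcaps: FileCaps | None) -> dict[str, int]:
    """execve() transformation for a non-root caller (capabilities(7)).
    fcaps=None means the target binary carries no file capabilities."""
    f = fcaps or FileCaps()
    privileged = fcaps is not None and bool(f.permitted or f.inheritable)
    ambient = 0 if privileged else proc["Amb"]
    permitted = (proc["Inh"] & f.inheritable) | (f.permitted & proc["Bnd"]) | ambient
    effective = permitted if f.effective else ambient
    return {"Inh": proc["Inh"], "Prm": permitted, "Eff": effective,
            "Bnd": proc["Bnd"], "Amb": ambient}


# Constructed sample: the PID 1 (docker-init, root) values pasted in the PR description.
PID1_STATUS = """\
CapInh:\t0000000000000000
CapPrm:\t00000000a80427fb
CapEff:\t00000000a80427fb
CapBnd:\t00000000a80427fb
CapAmb:\t0000000000000000
"""

# Assumed: the entrypoint ran `setcap cap_linux_immutable+ep` on the Python binary.
PYTHON_FILE_CAPS = FileCaps(permitted=encode_mask({"cap_linux_immutable"}), effective=True)


def trace_sidecar_boot() -> dict[str, int]:
    """docker-init (root) -> gosu drops to an unprivileged user -> exec python with file caps."""
    return caps_after_exec(drop_on_uid_change(parse_status(PID1_STATUS)), PYTHON_FILE_CAPS)


def trace_child_without_file_caps() -> dict[str, int]:
    """The Python process execs a binary that carries no file caps (e.g. a shell)."""
    return caps_after_exec(trace_sidecar_boot(), None)


if __name__ == "__main__":
    for label, sets in (("pid1", parse_status(PID1_STATUS)),
                        ("python", trace_sidecar_boot()),
                        ("child", trace_child_without_file_caps())):
        print(label, {k: sorted(decode_mask(v)) for k, v in sets.items()})
```

Running it shows that 0x200 is CAP_LINUX_IMMUTABLE and that PID 1's 0xa80427fb is Docker's default set (0xa80425fb) plus that one bit. The model reproduces PID 7's CapPrm = CapEff = 0x200 with empty CapInh and CapAmb, and that emptiness is the caveat: a child that execs a binary without its own file capabilities (a shell, chattr) lands with no capabilities at all, which is worth confirming with the same `grep Cap` on such a child.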
@GitHK GitHK self-assigned this May 11, 2023
@GitHK GitHK added the a:dynamic-sidecar dynamic-sidecar service label May 11, 2023
@GitHK GitHK added this to the Pastel de Nata milestone May 11, 2023
@GitHK GitHK changed the title from "✨Propagate capabilities to different users" to "✨Propagate capabilities to correct processes" May 11, 2023
@GitHK GitHK marked this pull request as ready for review May 11, 2023 10:56
@GitHK GitHK requested review from sanderegg and pcrespov as code owners May 11, 2023 10:56
@GitHK GitHK requested review from mguidon and matusdrobuliak66 May 11, 2023 10:56
codecov bot commented May 11, 2023

Codecov Report

Merging #4225 (f05f124) into master (d9fd2da) will increase coverage by 1.1%.
The diff coverage is n/a.


@@            Coverage Diff            @@
##           master   #4225      +/-   ##
=========================================
+ Coverage    84.9%   86.0%    +1.1%     
=========================================
  Files         940     152     -788     
  Lines       41064    8265   -32799     
  Branches      953       0     -953     
=========================================
- Hits        34882    7112   -27770     
+ Misses       5978    1153    -4825     
+ Partials      204       0     -204     
Flag            Coverage Δ
integrationtests  ?
unittests         86.0% <ø> (+3.3%) ⬆️


Impacted Files                                          Coverage Δ
...es/dynamic_sidecar/docker_service_specs/sidecar.py   79.1% <ø> (-8.4%) ⬇️

... and 815 files with indirect coverage changes

@sanderegg (Member) left a comment

If possible, remove the hard-coded 3.10

services/dynamic-sidecar/docker/entrypoint.sh (review thread, outdated, resolved)
services/dynamic-sidecar/docker/entrypoint.sh (review thread, outdated, resolved)
@GitHK GitHK enabled auto-merge (squash) May 11, 2023 12:08
codeclimate bot commented May 11, 2023

Code Climate has analyzed commit f05f124 and detected 0 issues on this pull request.


sonarqubecloud bot commented

Kudos, SonarCloud Quality Gate passed!

Bugs: 0 (A)
Vulnerabilities: 0 (A)
Security Hotspots: 0 (A)
Code Smells: 0 (A)
Coverage: no coverage information
Duplication: 0.1%

@GitHK GitHK merged commit 75141d1 into ITISFoundation:master May 11, 2023
@GitHK GitHK deleted the pr-osparc-docker-exec-cap-add branch May 12, 2023 13:53
@matusdrobuliak66 matusdrobuliak66 mentioned this pull request May 30, 2023 (24 tasks)