Skip NATS firewall creation when cgroupv2 enabled #332
Conversation
Currently the test will not work as we don't test it on a stemcell.
For testing, if we are relying on the CFF Concourse instances, we may need to wait for a cgroups v2 stemcell to become available and for Concourse to be able to consume it for the cgroup part. Unsure about
We talked in the FIWG meeting about having the tests conditional on the cgroups currently enabled. So for now, in the bosh-agent pipelines, the cgroupsv2 code path wouldn't actually get tested. But as soon as we start shipping Noble and add a job for the pipeline, the cgroupsv2 tests would be active when running against Noble.
@ramonskie did you have a chance to take a look at ^
Once CI is green again @ramonskie is gonna look at this (as discussed during working group meeting).
Hey @ramonskie and @rkoster, some of the new tests are still failing because they're trying to call Since the unit tests are running on jammy, they're not using the nftables branch. We'd probably need to either delete that test, or inject enough dependencies in the unit tests to prevent them from actually doing anything. But larger question, can we just delete all this code? The firewall rules are designed to prevent workloads from talking to NATS because the NATS creds used to be accessible from the IaaS metadata endpoints. But we've switched to using temporary NATS creds, so that's no longer an attack vector. This does provide an additional layer of security, but it's a LOT of complexity to maintain for a "second fence". We should discuss at the FIWG meeting tomorrow.
The decision was made to not implement this logic in Noble because it doesn't bring more value from a security perspective.
… bit size from to a lower bit size type uint16 without an upper bound check
…d nftables support
We believe the ephemeral NATS creds are a better solution to this problem and eventually removing this firewall code will simplify the agent codebase
Updated the PR to skip firewall creation when using cgroups v2. The commits adding nftables support are still there in case we want them as a reference in the future.
@beyhan, I added you as a reviewer because you said you were going to check if you all had any security concerns with this.
@a-hassanin, just assigning you to check if you have any security concerns about this.
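The gate described above (skip the NATS firewall when the host runs cgroup v2) together with the unit-test concern raised earlier (let the tests run without touching the real kernel), as an added example that is not code from this PR or from bosh-agent. The `CGMode` type, `detectCgroupMode` and `shouldCreateNATSFirewall` are hypothetical local names; the agent itself relies on `github.com/containerd/cgroups` for mode detection, and treating a hybrid host as "still v1" is an assumption.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// CGMode names the cgroup layouts a Linux host can expose. It is a local stand-in
// for this example; the agent itself uses github.com/containerd/cgroups.
type CGMode int

const (
	Legacy  CGMode = iota // cgroup v1 hierarchies only
	Hybrid                // v1 controllers plus a v2 "unified" mount
	Unified               // cgroup v2 only
)

// detectCgroupMode inspects a cgroup filesystem root (normally /sys/fs/cgroup).
// A v2 mount exposes cgroup.controllers at its root; a hybrid host exposes it
// under the "unified" subdirectory. Taking the root as a parameter is what lets
// a unit test run against a temp dir instead of the real kernel mount.
func detectCgroupMode(root string) CGMode {
	if fileExists(filepath.Join(root, "cgroup.controllers")) {
		return Unified
	}
	if fileExists(filepath.Join(root, "unified", "cgroup.controllers")) {
		return Hybrid
	}
	return Legacy
}

func fileExists(p string) bool {
	_, err := os.Stat(p)
	return err == nil
}

// shouldCreateNATSFirewall is the gate described in the PR: the v1-based NATS
// firewall is set up unless the host is fully on cgroup v2 (assumption: a hybrid
// host still has its v1 controller hierarchies, so it keeps the rules).
func shouldCreateNATSFirewall(mode CGMode) bool {
	return mode != Unified
}

func main() {
	mode := detectCgroupMode("/sys/fs/cgroup")
	fmt.Printf("cgroup mode %d, create NATS firewall: %t\n", mode, shouldCreateNATSFirewall(mode))
}
```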
The following patch should resolve the linter error:
diff --git a/platform/net/firewall_provider_linux.go b/platform/net/firewall_provider_linux.go
index 306d8938..9298d665 100644
--- a/platform/net/firewall_provider_linux.go
+++ b/platform/net/firewall_provider_linux.go
@@ -6,17 +6,15 @@ package net
import (
"errors"
"fmt"
- bosherr "github.com/cloudfoundry/bosh-utils/errors"
"net"
gonetURL "net/url"
"os"
"strings"
- // NOTE: "cgroups is only intended to be used/compiled on linux based system"
- // see: https://github.com/containerd/cgroups/issues/19
- "github.com/containerd/cgroups"
- "github.com/opencontainers/runtime-spec/specs-go"
+ bosherr "github.com/cloudfoundry/bosh-utils/errors"
+ "github.com/containerd/cgroups" // NOTE: linux only; see: https://github.com/containerd/cgroups/issues/19
"github.com/coreos/go-iptables/iptables"
+ "github.com/opencontainers/runtime-spec/specs-go"
)
const ( |
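Review bot: the hunk is an import regrouping only (standard-library block first, third-party block second, each sorted by import path, which is the goimports ordering the linter expects) with no behaviour change, so it can land with the skip logic as-is. The two-line NOTE explaining that `github.com/containerd/cgroups` only compiles on linux is collapsed into a trailing comment on the import line but keeps the issue link, so the rationale survives. One thing to confirm before merging: `specs-go` and `cgroups` are still referenced in the body now that the nftables path is skipped, otherwise the linter will flag them as unused imports.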
@beyhan any news on the security front?
I'm waiting for feedback here. |
Mentioning the feature PR cloudfoundry/bosh#2417 as it is relevant for the decision here. |
It looks OK from our side, we can merge it. We will need to revisit this from the SAP side when we want to use Noble because, as I saw, we need a PoC to make sure it will not pose a security risk on AliCloud. But this we will plan later.
This will add the following nftables rules when cgroupv2 is enabled on a linux system