
[FEATURE REQUEST]: oci hook for RUN instruction #4068

Closed
lukasmrtvy opened this issue Jun 21, 2022 · 12 comments · Fixed by #4071
Comments

@lukasmrtvy

lukasmrtvy commented Jun 21, 2022

I am not familiar with the exact relation between the build phase and runc/crun, but I believe we are missing a custom OCI hook stage for the RUN instruction, which would help us trigger, for example, custom iptables rules.

This one is useful in combination with the already implemented --userns=auto parameter (#4060).

Use case:

  • limit outbound traffic via iptables to internal networks
  • for building arbitrary code in a "sensitive" environment

Snippet:

cat << EOF > /etc/containers/restrict-outbound-access
#!/bin/sh
/usr/sbin/iptables-nft -A OUTPUT -d 192.168.0.0/16,172.16.0.0/12,10.0.0.0/8 -j DROP
EOF
# the runtime exec()s the hook, so it must be executable
chmod +x /etc/containers/restrict-outbound-access

cat << EOF > /etc/containers/oci/hooks.d/restrict-outbound-access.json
{
  "version": "1.0.0",
  "hook": {
    "path": "/etc/containers/restrict-outbound-access"
  },
  "when": {
    "annotations": {
      "restrict-outbound-access": "true"
    }
  },
  "stages": ["buildContainer"]
}
EOF

(the buildContainer stage does not exist)

podman build --annotation "restrict-outbound-access=true" ...

Possible workaround:

id=<random>

cat << EOF > Dockerfile
FROM busybox
RUN echo "foo"
EOF

tar -czvf "context_$id.tar.gz" Dockerfile

mkdir -p "./builds/dir_$id/"

mv "context_$id.tar.gz" "./builds/dir_$id/"

podman run --userns=auto --annotation "restrict-outbound-access=true" --rm -it -v "./builds/dir_$id/:/build/" buildah:latest ... --output "/build/image_$id.tar"

podman load "./builds/dir_$id/image_$id.tar" "$prefix/image_$id"

rm "./builds/dir_$id/image_$id.tar"

podman push "$prefix/image_$id"

but it comes with an additional performance and time penalty (loading the image into the local registry).

Thanks

@flouthoc
Collaborator

Hi @lukasmrtvy, thanks for creating the issue. I'll take a look at this.

@flouthoc
Collaborator

flouthoc commented Jun 22, 2022

Upon checking this again, the stage which you requested, buildContainer, would be a new stage, and runtime-spec has no description or guidelines for it. Would it make sense to get specs for this new stage accepted by runtime-spec first?

What would be the use case of this new stage if it's meant to be executed in the runtime namespace? Is anything stopping you from executing restrict-outbound-access manually before starting the buildah build?

Edit: or do you want an equivalent of the prestart hook which gets triggered only for build containers created by buildah? That would be a buildah-only feature.

@lukasmrtvy
Author

@flouthoc hey, thanks

Let's say that I want to restrict outbound connections from the build to the private ranges defined by the RFC (except the local DNS server, of course). It should be doable to create a bridge (and set iptables rules for this interface) and use this bridge for container builds, but still, builds are not isolated from each other. It's the same case as --userns=auto; this one applies to networking.

And yes, for running containers I am using the containerCreate stage, which exists, but it would make sense to have a specific stage for containerBuild.

Does it make sense? Thanks

flouthoc added a commit to flouthoc/buildah that referenced this issue Jun 22, 2022
Following PR adds support for OCI hooks attached to each of ephemeral
build containers which are created by `RUN` step invoked during `buildah
build` command.

Following PR also adds `--hooks-dir` flag to `buildah build` option
which allows end-users to specify one or more configuration directories
for OCI-hooks.

Note: Following PR migrates `pkg/hooks` from `podman` to `buildah` so
buildah could implement this feature and once merged `podman` can start
using `buildah/pkg/hooks`.

For usage see man-page and example test-case.

See: https://github.com/opencontainers/runtime-spec/blob/main/config.md#posix-platform-hooks

Closes: containers#4068

Signed-off-by: Aditya R <[email protected]>
@flouthoc
Collaborator

@lukasmrtvy Added the above feature in #4071, but instead of adding a new stage I think we can keep using the existing stages for buildah, and you can further restrict usage using an annotation. The reason I am not in favor of adding a new stage is that it does not state the behavior of the hook, i.e. when it will get executed, and why this stage was created if stages for all possible points already exist, like createContainer, prestart, poststart etc.; see https://github.com/opencontainers/runtime-spec/blob/main/config.md#posix-platform-hooks. Since we support --hooks-dir, while building you can do buildah build --hooks-dir=/my/build/hooks -t <test> -f Containerfile and apply all the hooks instead of using a stage like containerBuild. Also, the default hooks dir is getting deprecated as per in-code warnings, so I'd recommend using --hooks-dir with the stages which are already there.

An example test in #4071 should help.

But I'm also fine to introduce a new stage if maintainers agree with it :)

Thanks
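The hooks-directory approach described in this comment, combined with the iptables idea from the original post, as an added example that is not code from the issue, from buildah or from podman. It assumes the hook script name, annotation name and hooks directory used here, and that iptables-nft is at /usr/sbin/iptables-nft on the host, as in the original post. It goes beyond the post in two ways: it allows the build's DNS resolver before the DROP rule (the order matters, since iptables evaluates a chain top to bottom), and it adds the link-local range 169.254.0.0/16, where cloud instance metadata services live, to the blocked list. Because the hooks 1.0.0 format treats the keys and values under when.annotations as regular expressions, the annotation match is anchored. The actual build is only run when BUILD_RUN=1, since it needs buildah and CAP_NET_ADMIN.

```shell
#!/bin/sh
# Added example (not buildah's or the issue author's code): materialise a
# hooks directory for `buildah build --hooks-dir`, gated by an annotation,
# that blocks outbound traffic to private and link-local ranges from each
# RUN container while keeping the build's DNS resolver reachable.
# Assumptions: paths and the annotation name are ours; iptables-nft is at
# /usr/sbin/iptables-nft on the host (as in the issue).
set -eu

# Ranges to block: RFC 1918 (as in the original post) plus link-local,
# which is where cloud instance metadata services answer (our addition).
BLOCKED_RANGES="10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16"

# Print the hook script the OCI runtime will exec. $1 is the DNS server to
# keep reachable. ACCEPT rules must precede the DROP rule because iptables
# evaluates the OUTPUT chain top to bottom.
hook_script() {
    dns=$1
    cat <<EOF
#!/bin/sh
# OCI hook: runs once per RUN container, inside its network namespace.
# The runtime passes the container state JSON on stdin; we do not need it.
cat >/dev/null
/usr/sbin/iptables-nft -A OUTPUT -d ${dns} -p udp --dport 53 -j ACCEPT
/usr/sbin/iptables-nft -A OUTPUT -d ${dns} -p tcp --dport 53 -j ACCEPT
/usr/sbin/iptables-nft -A OUTPUT -d ${BLOCKED_RANGES} -j DROP
EOF
}

# Print the hook definition (hooks 1.0.0 format). It fires only when the
# build container carries the gating annotation, at the existing
# createContainer stage rather than a new build-only stage.
hook_json() {
    path=$1
    cat <<EOF
{
  "version": "1.0.0",
  "hook": { "path": "${path}" },
  "when": { "annotations": { "^restrict-outbound-access\$": "^true\$" } },
  "stages": ["createContainer"]
}
EOF
}

# Write script and definition into $1, allowing DNS to $2. Prints the dir.
make_hooks_dir() {
    dir=$1; dns=$2
    mkdir -p "$dir"
    hook_script "$dns" >"$dir/restrict-outbound-access.sh"
    chmod 0755 "$dir/restrict-outbound-access.sh"   # the runtime exec()s it
    hook_json "$dir/restrict-outbound-access.sh" >"$dir/restrict-outbound-access.json"
    printf '%s\n' "$dir"
}

# Checks worth running before trusting the hook: the script is executable,
# the first ACCEPT comes before the first DROP, and the definition names
# the stage and the gating annotation. Returns 0 when all hold.
check_hooks_dir() {
    dir=$1
    script="$dir/restrict-outbound-access.sh"
    json="$dir/restrict-outbound-access.json"
    [ -x "$script" ] || return 1
    accept_line=$(grep -n -- '-j ACCEPT' "$script" | head -n1 | cut -d: -f1)
    drop_line=$(grep -n -- '-j DROP' "$script" | head -n1 | cut -d: -f1)
    [ -n "$accept_line" ] && [ -n "$drop_line" ] && [ "$accept_line" -lt "$drop_line" ] || return 1
    grep -q '"createContainer"' "$json" || return 1
    grep -q 'restrict-outbound-access' "$json" || return 1
    return 0
}

# Build with the hooks directory. The RUN step probes a private host and
# fails the build if it answers. Only meaningful if $PROBE_HOST normally
# does answer; a non-existent host also times out and passes.
restricted_build() {
    dir=$1; probe=${PROBE_HOST:-10.0.0.1}
    cat >Containerfile <<EOF
FROM alpine
RUN if ping -c 1 -W 2 ${probe} >/dev/null 2>&1; then echo 'private range reachable' >&2; exit 1; fi
EOF
    buildah build --hooks-dir "$dir" \
        --annotation restrict-outbound-access=true \
        -f Containerfile -t restricted-test .
}

if [ "${BUILD_RUN:-0}" = 1 ]; then
    d=$(make_hooks_dir /etc/containers/build-hooks.d "${DNS_SERVER:-10.0.0.53}")
    check_hooks_dir "$d"
    restricted_build "$d"
fi
```

Run it with BUILD_RUN=1 (and DNS_SERVER / PROBE_HOST set for your network) on a host with buildah and root privileges to perform the real build; without that variable it only defines the functions. A createContainer hook executes inside the RUN container's namespaces, so the rule is scoped to that container provided the RUN step has its own network namespace; if the build shares the host network, the DROP rule lands in the host's filter table instead, which is worth checking with iptables-nft -S OUTPUT on the host after a first run.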

@rhatdan
Member

rhatdan commented Jun 22, 2022

This should work through the OCI specification, not a buildah only requirement.

@rhatdan rhatdan closed this as completed Jun 22, 2022
@flouthoc
Collaborator

@rhatdan as of now buildah does not support hooks with regular OCI specs either; there is a PR for that here, #4071. Should we re-open the issue till this is merged upstream?

@rhatdan
Member

rhatdan commented Jun 22, 2022

I read this request as asking for a new option. We should support standard OCI Hooks though.

@lukasmrtvy
Author

I am trying this implementation in Podman 4.2.0. It seems to be working via the CLI, but the API call does not work.

Dockerfile

cat << EOF > Dockerfile
FROM alpine
# bounded so the build fails (instead of hanging forever) once the replies are dropped
RUN ping -c 1 -W 2 8.8.8.8
EOF

OCI hook ( script )

cat << EOF > /etc/containers/restrict-outbound-access
#!/bin/sh
/usr/sbin/iptables-nft -A OUTPUT -d 8.8.8.8/32 -j DROP
EOF
# the runtime exec()s the hook, so it must be executable
chmod +x /etc/containers/restrict-outbound-access

OCI hook

cat << EOF > /etc/containers/oci/hooks.d/restrict-outbound-access.json
{
  "version": "1.0.0",
  "hook": {
    "path": "/etc/containers/restrict-outbound-access"
  },
  "when": {
    "annotations": {
      "restrict-outbound-access": "true"
    }
  },
  "stages": ["createContainer"] 
}
EOF

Works correctly via CLI

podman build --annotation "restrict-outbound-access=true" -t test .

Does not work via API

tar -czf context.tar.gz Dockerfile
curl -s --unix-socket /run/podman/podman.sock -X POST  -H "Content-Type:application/tar"  --data-binary "@context.tar.gz"  'http://d/v4.2.0/libpod/build?annotations=%5B%22restrict-outbound-access%3Dtrue%22%5D'

@flouthoc
Collaborator

@lukasmrtvy ack'd, I'll check this.

@flouthoc
Collaborator

@lukasmrtvy This is not implemented for remote, since the hook files are accessed on the host, so a client invoking this cannot expect podman (the server) to invoke a file from the client machine. I can see the test is also skipped for the podman-remote use case: https://github.com/containers/podman/blob/main/test/buildah-bud/apply-podman-deltas#L235

One thing which can be done is that the client expects the hook script to be present on the host; then we can wire it on the API end and make it work (if that is what you want)?

@lukasmrtvy
Author

lukasmrtvy commented Aug 25, 2022

@flouthoc Thanks. Yes, I would expect the same behavior as for the create container endpoint (which is working with the hook file present on the host).

Even userns support (for the create container endpoint) requires by default subuid and subgid files present on the host; the same should apply for #4060, I guess.

@flouthoc
Collaborator

@lukasmrtvy SGTM, this looks like a feature instead of a bug, and the following PR should close it: containers/podman#15522

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 30, 2023