vendor c/common@main #16610

Closed
wants to merge 1 commit into from

Conversation

vrothberg
Member

Adjust the capabilities e2e tests since some have recently been dropped.

Signed-off-by: Valentin Rothberg [email protected]

Does this PR introduce a user-facing change?

None

@vrothberg vrothberg added the bloat_approved Approve a PR in which binary file size grows by over 50k label Nov 24, 2022
@openshift-ci openshift-ci bot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. release-note-none labels Nov 24, 2022
openshift-ci bot commented Nov 24, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: vrothberg

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 24, 2022
@vrothberg vrothberg marked this pull request as ready for review November 24, 2022 13:23
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 24, 2022
@vrothberg
Member Author

@flouthoc @giuseppe @Luap99 PTAL

Collaborator

@flouthoc flouthoc left a comment

Tests are blowing up.

Expect(data[0].HostConfig.CapDrop[0]).To(Equal("CAP_AUDIT_WRITE"))
Expect(data[0].HostConfig.CapDrop[1]).To(Equal("CAP_MKNOD"))
Expect(data[0].HostConfig.CapDrop[2]).To(Equal("CAP_NET_RAW"))
// FIXME: Why is sys_chroot dropped?
Expect(data[0].HostConfig.CapDrop[3]).To(Equal("CAP_SYS_CHROOT"))
@vrothberg (Member Author)

@rhatdan PTAL

@vrothberg (Member Author)

A bug in computing the dropped caps? Need to figure that out before 4.4.

Member

This was changed in containers/common#1240

@vrothberg (Member Author)

But why are they listed as dropped? There are over 30 capabilities and other ones we don't enable by default aren't listed as dropped.

Member

Ah, I see what you mean. It looks like inspect does not use the containers.conf default but rather the OCI runtime spec default:

	// Cap add and cap drop.
	// We need a default set of capabilities to compare against.
	// The OCI generate package has one, and is commonly used, so we'll
	// use it.
	// Problem: there are 5 sets of capabilities.
	// Use the bounding set for this computation, it's the most encompassing
	// (but still not perfect).
	capAdd := []string{}
	capDrop := []string{}
	// No point in continuing if we got a spec without a Process block...
	if ctrSpec.Process != nil {
		// Make an O(1) lookup table for default bounding caps.
		boundingCaps := make(map[string]bool)
		g, err := generate.New("linux")
		if err != nil {
			return err
		}
		if !hostConfig.Privileged {
			for _, cap := range g.Config.Process.Capabilities.Bounding {
				boundingCaps[cap] = true
			}
		} else {
			// If we are privileged, use all caps.
			for _, cap := range capability.List() {
				if g.HostSpecific && cap > validate.LastCap() {
					continue
				}
				boundingCaps[fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String()))] = true
			}
		}
		// Iterate through spec caps.
		// If it's not in default bounding caps, it was added.
		// If it is, delete from the default set. Whatever remains after
		// we finish are the dropped caps.
		for _, cap := range ctrSpec.Process.Capabilities.Bounding {
			if _, ok := boundingCaps[cap]; ok {
				delete(boundingCaps, cap)
			} else {
				capAdd = append(capAdd, cap)
			}
		}
		for cap := range boundingCaps {
			capDrop = append(capDrop, cap)
		}
		// Sort CapDrop so it displays in consistent order (GH #9490)
		sort.Strings(capDrop)
	}
	hostConfig.CapAdd = capAdd
	hostConfig.CapDrop = capDrop

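The following is an added, self-contained example (not Podman's or c/common's code) that reproduces the set difference the inspect excerpt above performs and shows why exactly the four capabilities from the failing test land in CapDrop while the other ~25 capabilities Podman never grants do not. It reads the container's real bounding set from a `CapBnd:` line as found in `/proc/<pid>/status` (the two sample lines are constructed, not captured from a host) and diffs it against two baselines. `OCIGenerateDefault` is an assumption standing in for the Docker-style 14-capability list that runtime-tools' `generate.New("linux")` ships with; the post-#1240 containers.conf default is assumed to be that list minus AUDIT_WRITE, MKNOD, NET_RAW and SYS_CHROOT. `ParseCapBnd` and `DiffCaps` are names chosen for this example.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// capNames maps Linux capability bit numbers (linux/capability.h) to names:
// bit 0 = CAP_CHOWN ... bit 40 = CAP_CHECKPOINT_RESTORE.
var capNames = []string{
	"CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
	"CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
	"CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
	"CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
	"CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
	"CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
	"CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
	"CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
	"CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
	"CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
	"CAP_CHECKPOINT_RESTORE",
}

// OCIGenerateDefault is an ASSUMPTION: the Docker-style default bounding set
// that runtime-tools' generate.New("linux") produces, which is the baseline
// the inspect code compares the container's spec against.
var OCIGenerateDefault = []string{
	"CAP_AUDIT_WRITE", "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FOWNER",
	"CAP_FSETID", "CAP_KILL", "CAP_MKNOD", "CAP_NET_BIND_SERVICE",
	"CAP_NET_RAW", "CAP_SETFCAP", "CAP_SETGID", "CAP_SETPCAP",
	"CAP_SETUID", "CAP_SYS_CHROOT",
}

// ParseCapBnd decodes a "CapBnd:\t<hex mask>" line from /proc/<pid>/status
// into capability names ordered by bit number. The kernel's bounding set is
// the ground truth that inspect's CapAdd/CapDrop should be consistent with.
func ParseCapBnd(statusLine string) ([]string, error) {
	fields := strings.Fields(statusLine)
	if len(fields) != 2 || fields[0] != "CapBnd:" {
		return nil, fmt.Errorf("not a CapBnd line: %q", statusLine)
	}
	mask, err := strconv.ParseUint(fields[1], 16, 64)
	if err != nil {
		return nil, fmt.Errorf("bad capability mask %q: %w", fields[1], err)
	}
	caps := []string{}
	for bit, name := range capNames {
		if mask&(uint64(1)<<uint(bit)) != 0 {
			caps = append(caps, name)
		}
	}
	return caps, nil
}

// DiffCaps is the same set difference the inspect excerpt performs: a cap in
// the container but not in the baseline is "added", a cap in the baseline but
// not in the container is "dropped". A cap in neither set (CAP_SYS_ADMIN, for
// instance) is never reported at all. Both slices are sorted for stable output.
func DiffCaps(baseline, actual []string) (capAdd, capDrop []string) {
	remaining := make(map[string]bool, len(baseline))
	for _, c := range baseline {
		remaining[c] = true
	}
	capAdd = []string{}
	for _, c := range actual {
		if remaining[c] {
			delete(remaining, c)
		} else {
			capAdd = append(capAdd, c)
		}
	}
	capDrop = []string{}
	for c := range remaining {
		capDrop = append(capDrop, c)
	}
	sort.Strings(capAdd)
	sort.Strings(capDrop)
	return capAdd, capDrop
}

func main() {
	// Constructed status lines (assumption, not captured from a real host):
	// the first is the Docker-style default minus AUDIT_WRITE, MKNOD, NET_RAW
	// and SYS_CHROOT, i.e. a container started with the c/common@main defaults;
	// the second is the same container started with --cap-add SYS_PTRACE.
	samples := []string{"CapBnd:\t00000000800005fb", "CapBnd:\t00000000800805fb"}
	ownDefault, _ := ParseCapBnd(samples[0])
	for _, line := range samples {
		caps, err := ParseCapBnd(line)
		if err != nil {
			panic(err)
		}
		add, drop := DiffCaps(OCIGenerateDefault, caps) // what inspect does today
		fmt.Printf("%s\n  vs generate default:       CapAdd=%v CapDrop=%v\n", line, add, drop)
		add, drop = DiffCaps(ownDefault, caps) // as if inspect used containers.conf
		fmt.Printf("  vs containers.conf default: CapAdd=%v CapDrop=%v\n", add, drop)
	}
}
```

Against the generate baseline the first sample yields CapDrop of CAP_AUDIT_WRITE, CAP_MKNOD, CAP_NET_RAW and CAP_SYS_CHROOT in that sorted order, which is exactly what the e2e test quoted earlier asserts; against the container's own default the same container reports nothing dropped. The point for reviewers is that CapDrop is only meaningful relative to whichever baseline inspect picks, and changing the containers.conf default without changing that baseline makes every container look as if the user had passed --cap-drop for those four capabilities.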
Member

@Luap99 Luap99 left a comment


LGTM

@vrothberg
Member Author

I'll clean up tomorrow. I am sure we can get inspect right, thanks @Luap99

Adjust the capabilities e2e tests since some have recently been dropped.

Signed-off-by: Valentin Rothberg <[email protected]>
@vrothberg
Member Author

It looks like NET_RAW is needed for some tests to pass using ping etc. At that point, I think it's best to revert the change in c/common to unblock ongoing work.

vrothberg added a commit to vrothberg/common that referenced this pull request Nov 25, 2022
This reverts commit f39f2a3.
As shown in containers/podman/pull/16610 the changes require a number of
changes in Podman's CI.  While many issues have been fixed in that PR,
there are some potentially controversial changes such as dropping
NET_RAW.

Let's revert the commit to unblock ongoing work.  For the next
iteration, Podman CI must be green before merging.

Signed-off-by: Valentin Rothberg <[email protected]>
@vrothberg vrothberg closed this Nov 25, 2022
@vrothberg
Member Author

containers/common#1245 reverts the caps changes.

@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 20, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 20, 2023