Allow devs to set labels in container images for default capabilities. #5206
Conversation
openshift-ci-robot
added
approved
rhatdan
force-pushed
the
capabilities
branch
from
75c75c0 to
b5db8b7
Compare
|
@vrothberg This is what we talked about and I covered in my talk in BRNO. |
| @@ -409,6 +409,16 @@ millions of trillions. | |||
|
|
|||
| Add metadata to a container (e.g., --label com.example.key=value) | |||
|
|
|||
| Users can set a special label **io.containers.capabilities=CAP1,CAP2,CAP3** that | |||
There was a problem hiding this comment.
I feel like this belongs elsewhere. We don't expect people to set this at podman run time, right? Instead we want them to load it from the image.
Should we instead be setting io.containers.capabilities at container creation time based on the capabilities we put in the spec, so that it will be there when we commit images?
There was a problem hiding this comment.
No the goal here is to override the defaults with something more secure.
There was a problem hiding this comment.
But rather than trying to get people to add the label themselves, we can make it for them from what they entered in --cap-add and --cap-drop. We know the final capabilities the container was created with, so it's pretty trivial to make the label from that.
There was a problem hiding this comment.
But that is not natural behaviour for Building container images. Most people, if they are going to use this feature are going to do it via a Dockerfile. We could add the label as a side effect of --cap-add and --cap-drop, but I am not sure that would be expected by users.
There was a problem hiding this comment.
I agree that most people will be using a Dockerfile - I'm mostly confused as to why people would ever want to set it directly at podman run time, instead of using --cap-add and --cap-drop.
There was a problem hiding this comment.
Sure, but do you just want me to not document that you can do this?
|
|
||
| ``` | ||
|
|
||
| $ podman run -d --label=io.containers.capabilities=setuid,setgid fedora /usr/bin/server |
There was a problem hiding this comment.
Why do I do this instead of --cap-add and --cap-drop? I don't know if this makes much sense outside of loading from images.
There was a problem hiding this comment.
The idea is to get this data into the container image. And maybe I should add the data to Docker build.
The real goal is to get people to add
LABEL io.containers.capabilities=setuid,setgid
In their Containerfile/Dockerfile.
Then users of their container image will get this new more secure behaviour.
rhatdan
force-pushed
the
capabilities
branch
from
b5db8b7 to
00eceef
Compare
|
Updated to add more information to podman build. |
There was a problem hiding this comment.
A couple of nits:
- Let's first get Undocker part 1) #5209 in. This adds a
pkg/capabilitieswhere we can put the label as a constant as we do in the newpkg/seccomppackage. The comparison with the default capabilities could be moved into this package as well. - Please prepare and push an image to
quay.io/libpodas we do for the seccomp-policy tests.
pkg/spec/spec.go
Outdated
| @@ -315,6 +315,14 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM | |||
| } | |||
| configSpec := g.Config | |||
|
|
|||
| var capRequired []string | |||
| for key, val := range config.Labels { | |||
| if key == "io.containers.capabilities" { | |||
There was a problem hiding this comment.
This should really be a constant.
There was a problem hiding this comment.
I would love the constant to be in pkg/capabilities as we do for the seccomp policies now in pkg/seccomp.
There was a problem hiding this comment.
Will have to move this to containers/common since pkg/capabilities is in there now, Also I think this should be a list. since it might change in the future if this got standardized and they picked a different name.
| @@ -123,6 +125,25 @@ func (c *SecurityConfig) ConfigureGenerator(g *generate.Generator, user *UserCon | |||
| return err | |||
| } | |||
|
|
|||
| privCapRequired := []string{} | |||
|
|
|||
| if !c.Privileged && len(c.CapRequired) > 0 { | |||
There was a problem hiding this comment.
I think we should always set CapRequired. If it's not set via the CLI or by the image, we should use the default ones.
There was a problem hiding this comment.
We can talk about this, but this could be a problem. I was thinking CapRequired was something that the user or the image had specified as the capabilies required to run the application. As opposed to the caplist, which is the "default capabilities + CapADD - CapDrop). If we set CapRequired == CapDefault and only overrode it when the label was set, then we would not be able to tell when the user specified at capability outside of the "default" list of capabilities.
There was a problem hiding this comment.
Maybe we can have a quick bluejeans later? I want to show the pkg/seccomp package that we can extend for these needs.
| @@ -272,6 +272,16 @@ BUILDAH\_ISOLATION environment variable. `export BUILDAH_ISOLATION=oci` | |||
|
|
|||
| Add an image *label* (e.g. label=*value*) to the image metadata. Can be used multiple times. | |||
|
|
|||
| Users can set a special label **io.containers.capabilities=CAP1,CAP2,CAP3** that | |||
| indicates the default list of Linux capabilities required for the container to | |||
| run properly. Setting this label in a container or a container image tells podman | |||
| with just the specified capabilties, as long as this list of capabilities is a | ||
| subset of the default list. | ||
|
|
||
| If the user or image specified capabilities that are not in the default set, the container |
There was a problem hiding this comment.
I find "user or image" to be a bit confusing. Could we just drop that? "If the specified capabilities..."
There was a problem hiding this comment.
ooops, if dropped, the following "that" doesn't work. "If the specified capabilities are not in the default set, ..."
| @@ -86,6 +86,11 @@ $ podman commit -q --pause=false containerID image-committed | |||
| e3ce4d93051ceea088d1c242624d659be32cf1667ef62f1d16d6b60193e2c7a8 | |||
| ``` | |||
|
|
|||
| ``` | |||
| $ podman commit -q --change LABEL=io.containers.capabilities=setuid,setgid epic_nobel privimage | |||
There was a problem hiding this comment.
You don't have the verbiage from build in here, should you?
There was a problem hiding this comment.
I don't think so. I add data to build about the label. I just wanted to throw this in to show it as an example. We don't document other labels for commit.
There was a problem hiding this comment.
This is badly formatted; should be --change 'LABEL io.containers.capabilities=setuid,setgid'
There was a problem hiding this comment.
Their might be a bug in the parser, but my syntax works, and yours does not. This is also documented two lines higher.
$ podman commit --change "LABEL foo=bar" myweb dan1
Error: invalid syntax for --change: LABEL foo=bar
$ podman commit --change "LABEL=foo=bar" myweb dan1
Getting image source signatures
Copying blob 195be5f8be1d skipped: already exists
Copying blob 5f70bf18a086 [--------------------------------------] 0.0b / 0.0b
Copying config e87256c3fc done
Writing manifest to image destination
Storing signatures
e87256c3fcda3881112f19dbfda9a733bee0472354269dc62c2c5c7e81c69e1f
|
☔ The latest upstream changes (presumably #5203) made this pull request unmergeable. Please resolve the merge conflicts. |
openshift-ci-robot
added
the
needs-rebase
rhatdan
force-pushed
the
capabilities
branch
from
00eceef to
2fc7dc7
Compare
openshift-ci-robot
removed
the
needs-rebase
rhatdan
changed the title
openshift-ci-robot
added
do-not-merge/work-in-progress
rhatdan
force-pushed
the
capabilities
branch
2 times, most recently
from
181e734 to
76606eb
Compare
|
LGTM, but definitely want a @mheon head nod |
|
I'm still iffy about documenting this in run and create - it seems like extra confusion since we already have ways to do this. Might want to talk about it at scrum. |
rhatdan
force-pushed
the
capabilities
branch
from
76606eb to
473fa2b
Compare
|
☔ The latest upstream changes (presumably #5297) made this pull request unmergeable. Please resolve the merge conflicts. |
openshift-ci-robot
removed
the
do-not-merge/work-in-progress
|
@mheon @vrothberg @giuseppe @baude PTAL |
rhatdan
force-pushed
the
capabilities
branch
from
a7b1e25 to
797380b
Compare
rhatdan
force-pushed
the
capabilities
branch
2 times, most recently
from
ffadc9c to
7d31e5d
Compare
|
@mheon @vrothberg @giuseppe @baude PTAL |
|
☔ The latest upstream changes (presumably #5338) made this pull request unmergeable. Please resolve the merge conflicts. |
openshift-ci-robot
added
the
needs-rebase
rhatdan
force-pushed
the
capabilities
branch
from
7d31e5d to
a5e5884
Compare
openshift-ci-robot
removed
the
needs-rebase
|
As @TomSweeneyRedHat would say, Happy Green Buttons. Can I get this reviewed? |
|
|
||
| ``` | ||
|
|
||
| $ podman run -d --label=io.containers.capabilities=setuid,setgid fedora /usr/bin/server |
There was a problem hiding this comment.
| $ podman run -d --label=io.containers.capabilities=setuid,setgid fedora /usr/bin/server | |
| $ podman create -d --label=io.containers.capabilities=setuid,setgid fedora /usr/bin/server |
| @@ -1000,6 +1000,14 @@ can override the working directory by using the **-w** option. | |||
| $ podman create alpine ls | |||
| ``` | |||
|
|
|||
| ### Run a container with just the SETUID and SETGID Capabilities | |||
There was a problem hiding this comment.
| ### Run a container with just the SETUID and SETGID Capabilities | |
| ### Create a container with just the SETUID and SETGID Capabilities |
There was a problem hiding this comment.
Removing line.
We don't want to document this label in podman run or create.
|
I am loving the new GitHub feature to suggest changes in the reviews. |
|
@vrothberg Sadly our Gating blocks it. |
This patch allows users to specify the list of capabilities required to run their container image. Setting a image/container label "io.containers.capabilities=setuid,setgid" tells podman that the contained image should work fine with just these two capabilties, instead of running with the default capabilities, podman will launch the container with just these capabilties. If the user or image specified capabilities that are not in the default set, the container will print an error message and will continue to run with the default capabilities. Signed-off-by: Daniel J Walsh <[email protected]>
Signed-off-by: Valentin Rothberg <[email protected]> Signed-off-by: Daniel J Walsh <[email protected]>
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: giuseppe, rhatdan The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
github-actions
bot
added
the
locked - please file new issue/PR
This patch allows users to specify the list of capabilities required
to run their container image.
Setting a image/container label "io.containers.capabilities=setuid,setgid"
tells podman that the contained image should work fine with just these two
capabilties, instead of running with the default capabilities, podman will
launch the container with just these capabilties.
If the user or image specified capabilities that are not in the default set,
the container will print an error message and will continue to run with the
default capabilities.
Signed-off-by: Daniel J Walsh [email protected]