
The podman driver should not be run as root
Use sudo for the podman commands instead

Wrap the docker commands with env prefix
afbjorklund committed Apr 13, 2020
1 parent 20dab3b commit 9d087f8
Showing 16 changed files with 86 additions and 77 deletions.
12 changes: 6 additions & 6 deletions cmd/minikube/cmd/delete.go
Expand Up @@ -90,17 +90,17 @@ func init() {

func deleteContainersAndVolumes() {
delLabel := fmt.Sprintf("%s=%s", oci.CreatedByLabelKey, "true")
errs := oci.DeleteContainersByLabel(oci.Docker, delLabel)
errs := oci.DeleteContainersByLabel("env", oci.Docker, delLabel)
if len(errs) > 0 { // it will error if there is no container to delete
glog.Infof("error delete containers by label %q (might be okay): %+v", delLabel, errs)
}

errs = oci.DeleteAllVolumesByLabel(oci.Docker, delLabel)
errs = oci.DeleteAllVolumesByLabel("env", oci.Docker, delLabel)
if len(errs) > 0 { // it will not error if there is nothing to delete
glog.Warningf("error delete volumes by label %q (might be okay): %+v", delLabel, errs)
}

errs = oci.PruneAllVolumesByLabel(oci.Docker, delLabel)
errs = oci.PruneAllVolumesByLabel("env", oci.Docker, delLabel)
if len(errs) > 0 { // it will not error if there is nothing to delete
glog.Warningf("error pruning volumes by label %q (might be okay): %+v", delLabel, errs)
}
Expand Down Expand Up @@ -191,16 +191,16 @@ func DeleteProfiles(profiles []*config.Profile) []error {

func deleteProfileContainersAndVolumes(name string) {
delLabel := fmt.Sprintf("%s=%s", oci.ProfileLabelKey, name)
errs := oci.DeleteContainersByLabel(oci.Docker, delLabel)
errs := oci.DeleteContainersByLabel("env", oci.Docker, delLabel)
if errs != nil { // it will error if there is no container to delete
glog.Infof("error deleting containers for %s (might be okay):\n%v", name, errs)
}
errs = oci.DeleteAllVolumesByLabel(oci.Docker, delLabel)
errs = oci.DeleteAllVolumesByLabel("env", oci.Docker, delLabel)
if errs != nil { // it will not error if there is nothing to delete
glog.Warningf("error deleting volumes (might be okay).\nTo see the list of volumes run: 'docker volume ls'\n:%v", errs)
}

errs = oci.PruneAllVolumesByLabel(oci.Docker, delLabel)
errs = oci.PruneAllVolumesByLabel("env", oci.Docker, delLabel)
if len(errs) > 0 { // it will not error if there is nothing to delete
glog.Warningf("error pruning volume (might be okay):\n%v", errs)
}
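Review bot: Each of the six DeleteContainersByLabel / DeleteAllVolumesByLabel / PruneAllVolumesByLabel calls in deleteContainersAndVolumes and deleteProfileContainersAndVolumes now passes the literal `"env"` next to `oci.Docker`, so the wrapper choice is repeated at every call site rather than following from the binary; the same literal is hard-coded in hack/preload-images/generate.go (`OCIPrefix: "env"`). If the oci package exposed the two accepted wrappers as constants, e.g. `const PrefixEnv, PrefixSudo = "env", "sudo"`, and a helper that maps a binary to its default wrapper, callers would pass `oci.PrefixEnv` (or nothing) and a later change to how docker is wrapped would not have to touch every caller. Both functions continue past the hunk.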
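--- a/hack/jenkins/linux_integration_tests_podman.sh
+++ b/hack/jenkins/linux_integration_tests_podman.sh
@@ -31,7 +31,6 @@ JOB_NAME="Podman_Linux"
 
 mkdir -p cron && gsutil -qm rsync "gs://minikube-builds/${MINIKUBE_LOCATION}/cron" cron || echo "FAILED TO GET CRON FILES"
 sudo install cron/cleanup_and_reboot_Linux.sh /etc/cron.hourly/cleanup_and_reboot || echo "FAILED TO INSTALL CLEANUP"
-SUDO_PREFIX="sudo -E "
 
 EXTRA_ARGS="--container-runtime=containerd"
 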
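--- a/hack/preload-images/generate.go
+++ b/hack/preload-images/generate.go
@@ -44,6 +44,7 @@ func generateTarball(kubernetesVersion, containerRuntime, tarballFilename string
 driver := kic.NewDriver(kic.Config{
 KubernetesVersion: kubernetesVersion,
 ContainerRuntime: driver.Docker,
+OCIPrefix: "env",
 OCIBinary: oci.Docker,
 MachineName: profile,
 ImageDigest: kic.BaseImage,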
28 changes: 15 additions & 13 deletions pkg/drivers/kic/kic.go
Expand Up @@ -48,6 +48,7 @@ type Driver struct {
URL string
exec command.Runner
NodeConfig Config
OCIPrefix string // env, sudo
OCIBinary string // docker,podman
}

Expand All @@ -58,8 +59,9 @@ func NewDriver(c Config) *Driver {
MachineName: c.MachineName,
StorePath: c.StorePath,
},
exec: command.NewKICRunner(c.MachineName, c.OCIBinary),
exec: command.NewKICRunner(c.MachineName, c.OCIPrefix, c.OCIBinary),
NodeConfig: c,
OCIPrefix: c.OCIPrefix,
OCIBinary: c.OCIBinary,
}
return d
Expand Down Expand Up @@ -95,15 +97,15 @@ func (d *Driver) Create() error {
},
)

exists, err := oci.ContainerExists(d.OCIBinary, params.Name)
exists, err := oci.ContainerExists(d.OCIPrefix, d.OCIBinary, params.Name)
if err != nil {
glog.Warningf("failed to check if container already exists: %v", err)
}
if exists {
// if container was created by minikube it is safe to delete and recreate it.
if oci.IsCreatedByMinikube(d.OCIBinary, params.Name) {
if oci.IsCreatedByMinikube(d.OCIPrefix, d.OCIBinary, params.Name) {
glog.Info("Found already existing abandoned minikube container, will try to delete.")
if err := oci.DeleteContainer(d.OCIBinary, params.Name); err != nil {
if err := oci.DeleteContainer(d.OCIPrefix, d.OCIBinary, params.Name); err != nil {
glog.Errorf("Failed to delete a conflicting minikube container %s. You might need to restart your %s daemon and delete it manually and try again: %v", params.Name, params.OCIBinary, err)
}
} else {
Expand Down Expand Up @@ -155,7 +157,7 @@ func (d *Driver) prepareSSH() error {
return errors.Wrap(err, "generate ssh key")
}

cmder := command.NewKICRunner(d.NodeConfig.MachineName, d.NodeConfig.OCIBinary)
cmder := command.NewKICRunner(d.NodeConfig.MachineName, d.NodeConfig.OCIPrefix, d.NodeConfig.OCIBinary)
f, err := assets.NewFileAsset(d.GetSSHKeyPath()+".pub", "/home/docker/.ssh/", "authorized_keys", "0644")
if err != nil {
return errors.Wrap(err, "create pubkey assetfile ")
Expand Down Expand Up @@ -230,7 +232,7 @@ func (d *Driver) GetURL() (string, error) {

// GetState returns the state that the host is in (running, stopped, etc)
func (d *Driver) GetState() (state.State, error) {
out, err := oci.WarnIfSlow(d.NodeConfig.OCIBinary, "inspect", "-f", "{{.State.Status}}", d.MachineName)
out, err := oci.WarnIfSlow(d.NodeConfig.OCIPrefix, d.NodeConfig.OCIBinary, "inspect", "-f", "{{.State.Status}}", d.MachineName)
if err != nil {
return state.Error, err
}
Expand All @@ -255,11 +257,11 @@ func (d *Driver) GetState() (state.State, error) {
// Kill stops a host forcefully, including any containers that we are managing.
func (d *Driver) Kill() error {
// on init this doesn't get filled when called from cmd
d.exec = command.NewKICRunner(d.MachineName, d.OCIBinary)
d.exec = command.NewKICRunner(d.MachineName, d.OCIPrefix, d.OCIBinary)
if err := sysinit.New(d.exec).ForceStop("kubelet"); err != nil {
glog.Warningf("couldn't force stop kubelet. will continue with kill anyways: %v", err)
}
cmd := exec.Command(d.NodeConfig.OCIBinary, "kill", d.MachineName)
cmd := exec.Command(d.NodeConfig.OCIPrefix, d.NodeConfig.OCIBinary, "kill", d.MachineName)
if err := cmd.Run(); err != nil {
return errors.Wrapf(err, "killing kic node %s", d.MachineName)
}
Expand All @@ -268,10 +270,10 @@ func (d *Driver) Kill() error {

// Remove will delete the Kic Node Container
func (d *Driver) Remove() error {
if _, err := oci.ContainerID(d.OCIBinary, d.MachineName); err != nil {
if _, err := oci.ContainerID(d.OCIPrefix, d.OCIBinary, d.MachineName); err != nil {
log.Warnf("could not find the container %s to remove it.", d.MachineName)
}
cmd := exec.Command(d.NodeConfig.OCIBinary, "rm", "-f", "-v", d.MachineName)
cmd := exec.Command(d.NodeConfig.OCIPrefix, d.NodeConfig.OCIBinary, "rm", "-f", "-v", d.MachineName)
o, err := cmd.CombinedOutput()
out := strings.TrimSpace(string(o))
if err != nil {
Expand Down Expand Up @@ -313,7 +315,7 @@ func (d *Driver) Start() error {
return errors.Wrap(err, "get kic state")
}
if s == state.Stopped {
cmd := exec.Command(d.NodeConfig.OCIBinary, "start", d.MachineName)
cmd := exec.Command(d.NodeConfig.OCIPrefix, d.NodeConfig.OCIBinary, "start", d.MachineName)
if err := cmd.Run(); err != nil {
return errors.Wrapf(err, "starting a stopped kic node %s", d.MachineName)
}
Expand All @@ -326,7 +328,7 @@ func (d *Driver) Start() error {
// Stop a host gracefully, including any containers that we are managing.
func (d *Driver) Stop() error {
// on init this doesn't get filled when called from cmd
d.exec = command.NewKICRunner(d.MachineName, d.OCIBinary)
d.exec = command.NewKICRunner(d.MachineName, d.OCIPrefix, d.OCIBinary)
// docker does not send right SIG for systemd to know to stop the systemd.
// to avoid bind address be taken on an upgrade. more info https://github.com/kubernetes/minikube/issues/7171
if err := sysinit.New(d.exec).Stop("kubelet"); err != nil {
Expand Down Expand Up @@ -361,7 +363,7 @@ func (d *Driver) Stop() error {
glog.Warningf("couldn't stop kube-apiserver proc: %v", err)
}

cmd := exec.Command(d.NodeConfig.OCIBinary, "stop", d.MachineName)
cmd := exec.Command(d.NodeConfig.OCIPrefix, d.NodeConfig.OCIBinary, "stop", d.MachineName)
if err := cmd.Run(); err != nil {
return errors.Wrapf(err, "stopping %s", d.MachineName)
}
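Review bot: OCIPrefix is a plain string that becomes the program passed to exec.Command in Kill, Remove, Start and Stop and the prefix given to NewKICRunner, but nothing defaults or validates it: the `on init this doesn't get filled when called from cmd` comment in Kill and Stop suggests the Driver is rebuilt from saved profile config, and a profile written before this change carries no OCIPrefix, so `exec.Command("", d.NodeConfig.OCIBinary, "kill", d.MachineName)` would fail on the empty program name. Because the value is read from persisted config and ends up as argv[0], I would also restrict it to the two values the field comment documents (`env, sudo`) instead of executing whatever is stored. A small accessor that validates and falls back per binary, used at every `exec.Command(d.NodeConfig.OCIPrefix, …)` site and in the NewKICRunner calls, covers both; note that Kill and Stop read `d.OCIPrefix` for the runner but `d.NodeConfig.OCIPrefix` for the exec, two copies of the same setting. Kill, Remove, Start and Stop all begin or end outside their hunks.
```go
// ociPrefix returns the wrapper placed in front of OCIBinary ("env" or "sudo").
// Only the two documented values are accepted; anything else (including the
// empty string from a profile saved before OCIPrefix existed) falls back to the
// per-binary default.
func (d *Driver) ociPrefix() string {
	switch d.NodeConfig.OCIPrefix {
	case "env", "sudo":
		return d.NodeConfig.OCIPrefix
	}
	if d.NodeConfig.OCIBinary == oci.Podman {
		return "sudo"
	}
	return "env"
}

// … in Kill (and likewise Remove, Start, Stop): …
cmd := exec.Command(d.ociPrefix(), d.NodeConfig.OCIBinary, "kill", d.MachineName)
```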
2 changes: 1 addition & 1 deletion pkg/drivers/kic/oci/info.go
Expand Up @@ -234,7 +234,7 @@ func dockerSystemInfo() (dockerSysInfo, error) {
// podmanSysInfo returns podman system info --format '{{json .}}'
func podmanSystemInfo() (podmanSysInfo, error) {
var ps podmanSysInfo
cmd := exec.Command(Podman, "system", "info", "--format", "'{{json .}}'")
cmd := exec.Command("sudo", Podman, "system", "info", "--format", "'{{json .}}'")
out, err := cmd.CombinedOutput()
if err != nil {
return ps, errors.Wrap(err, "get podman system info")
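Review bot: With `sudo` placed in front of the command, an error from `cmd.CombinedOutput()` can now originate in sudo itself (not on PATH, a policy denial, or a password prompt that cannot be answered) rather than in podman, yet the wrap `errors.Wrap(err, "get podman system info")` discards `out`, which is where sudo reports its reason; `return ps, errors.Wrapf(err, "get podman system info: %s", out)` keeps it. The doc comment should also state the new dependency, e.g. `// podmanSystemInfo returns podman system info --format '{{json .}}'; podman is invoked through sudo.` podmanSystemInfo's body continues past the hunk.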
8 changes: 4 additions & 4 deletions pkg/drivers/kic/oci/network.go
Expand Up @@ -66,7 +66,7 @@ func dockerGatewayIP() (net.IP, error) {
}

bridgeID := strings.TrimSpace(string(out))
cmd = exec.Command(Docker, "inspect",
cmd = exec.Command("env", Docker, "inspect",
"--format", "{{(index .IPAM.Config 0).Gateway}}", bridgeID)
out, err = cmd.CombinedOutput()

Expand All @@ -90,13 +90,13 @@ func ForwardedPort(ociBinary string, ociID string, contPort int) (int, error) {

if ociBinary == Podman {
//podman inspect -f "{{range .NetworkSettings.Ports}}{{if eq .ContainerPort "80"}}{{.HostPort}}{{end}}{{end}}"
cmd := exec.Command(ociBinary, "inspect", "-f", fmt.Sprintf("{{range .NetworkSettings.Ports}}{{if eq .ContainerPort %s}}{{.HostPort}}{{end}}{{end}}", fmt.Sprint(contPort)), ociID)
cmd := exec.Command("sudo", ociBinary, "inspect", "-f", fmt.Sprintf("{{range .NetworkSettings.Ports}}{{if eq .ContainerPort %s}}{{.HostPort}}{{end}}{{end}}", fmt.Sprint(contPort)), ociID)
out, err = cmd.CombinedOutput()
if err != nil {
return 0, errors.Wrapf(err, "get host-bind port %d for %q, output %s", contPort, ociID, out)
}
} else {
cmd := exec.Command(ociBinary, "inspect", "-f", fmt.Sprintf("'{{(index (index .NetworkSettings.Ports \"%d/tcp\") 0).HostPort}}'", contPort), ociID)
cmd := exec.Command("env", ociBinary, "inspect", "-f", fmt.Sprintf("'{{(index (index .NetworkSettings.Ports \"%d/tcp\") 0).HostPort}}'", contPort), ociID)
out, err = cmd.CombinedOutput()
if err != nil {
return 0, errors.Wrapf(err, "get host-bind port %d for %q, output %s", contPort, ociID, out)
Expand Down Expand Up @@ -141,7 +141,7 @@ func podmanConttainerIP(name string) (string, string, error) {
// dockerContainerIP returns ipv4, ipv6 of container or error
func dockerContainerIP(name string) (string, string, error) {
// retrieve the IP address of the node using docker inspect
lines, err := inspect(Docker, name, "{{range .NetworkSettings.Networks}}{{.IPAddress}},{{.GlobalIPv6Address}}{{end}}")
lines, err := inspect("env", Docker, name, "{{range .NetworkSettings.Networks}}{{.IPAddress}},{{.GlobalIPv6Address}}{{end}}")
if err != nil {
return "", "", errors.Wrap(err, "inspecting NetworkSettings.Networks")
}
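Review bot: ForwardedPort now decides the wrapper locally from `ociBinary == Podman` (`"sudo"` on the podman branch, `"env"` on the docker branch) while the kic Driver carries the same decision as a configurable OCIPrefix, so the two can disagree for one and the same container; deriving the prefix from the binary in one shared helper in this package, also used by the `"env"` literals in dockerGatewayIP and dockerContainerIP, would keep a single source of truth. On the podman branch, `fmt.Sprintf("...%s...", fmt.Sprint(contPort))` can be written with `%d` and `contPort` directly. ForwardedPort's signature is visible only in the hunk header and its body continues past the hunk; dockerGatewayIP and dockerContainerIP start and end outside it.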
