Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[docker-fpm-frr] limit privileged flag for bgp container #14932

Merged
merged 1 commit into from
Jul 14, 2023

Conversation

maipbui
Copy link
Contributor

@maipbui maipbui commented May 3, 2023

Why I did it

HLD implementation: Container Hardening (sonic-net/SONiC#1364)

Work item tracking
  • Microsoft ADO (number only): 14807420

How I did it

Reduce linux capabilities in privileged flag, retain NET_ADMIN and SYS_ADMIN capabilities

How to verify it

Install new image to DUT, verify bgp container is up
Run bgp sonic-mgmt kvmtest

Which release branch to backport (provide reason below if selected)

  • 201811
  • 201911
  • 202006
  • 202012
  • 202106
  • 202111
  • 202205
  • 202211

Tested branch (Please provide the tested image version)

  • SONiC.frr.0-dirty-20230503.212500

Description for the changelog

Link to config_db schema for YANG module changes

A picture of a cute animal (not mandatory but encouraged)

@maipbui maipbui marked this pull request as ready for review May 4, 2023 16:47
@qiluo-msft qiluo-msft marked this pull request as draft May 4, 2023 17:39
@maipbui
Copy link
Contributor Author

maipbui commented Jun 6, 2023

/azpw run Azure.sonic-buildimage

@mssonicbld
Copy link
Collaborator

/AzurePipelines run Azure.sonic-buildimage

@azure-pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

@maipbui
Copy link
Contributor Author

maipbui commented Jun 21, 2023

/azpw run Azure.sonic-buildimage

@mssonicbld
Copy link
Collaborator

/AzurePipelines run Azure.sonic-buildimage

@azure-pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

@maipbui maipbui marked this pull request as ready for review June 23, 2023 20:05
@@ -28,7 +28,7 @@ SONIC_DOCKER_IMAGES += $(DOCKER_FPM_FRR)
SONIC_DOCKER_DBG_IMAGES += $(DOCKER_FPM_FRR_DBG)

$(DOCKER_FPM_FRR)_CONTAINER_NAME = bgp
$(DOCKER_FPM_FRR)_RUN_OPT += --privileged -t
$(DOCKER_FPM_FRR)_RUN_OPT += -t --cap-add=NET_ADMIN --cap-add=SYS_ADMIN
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is sys_admin required here?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

zebra will unexpectedly exited due to missing the required capabilities.

May  2 22:36:14.048947 str-s6000-acs-10 INFO bgp#supervisord: zebra privs_init: initial cap_set_proc failed: Operation not permitted
May  2 22:36:14.049851 str-s6000-acs-10 INFO bgp#supervisord: zebra Wanted caps: cap_net_admin,cap_net_raw,cap_sys_admin=p
May  2 22:36:14.050687 str-s6000-acs-10 INFO bgp#supervisord: zebra Have   caps: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=p
May  2 22:36:14.064956 str-s6000-acs-10 INFO bgp#supervisord 2023-05-02 22:36:14,061 INFO exited: zebra (exit status 1; not expected)

@maipbui maipbui requested a review from Yarden-Z July 6, 2023 20:31
@maipbui
Copy link
Contributor Author

maipbui commented Jul 10, 2023

@StormLiangMS @Yarden-Z could you help review this PR? Thanks.

Copy link

@Yarden-Z Yarden-Z left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good

Copy link
Contributor

@StormLiangMS StormLiangMS left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@StormLiangMS StormLiangMS merged commit d549787 into sonic-net:master Jul 14, 2023
@maipbui maipbui deleted the bgp_priv branch July 14, 2023 14:33
maipbui added a commit to sonic-net/sonic-mgmt that referenced this pull request Jul 21, 2023
Description of PR
HLD implementation: Container Hardening (sonic-net/SONiC#1364)
Dependency: sonic-net/sonic-buildimage#14932
#### What is the motivation for this PR?
Check bgp container has access to /dev/sda* or /dev/vda* after limiting privileged flag to less Linux capabilities.
#### How did you do it?
#### How did you verify/test it?
```
container_hardening/test_container_hardening.py::test_bgp_dev PASSED                                                                            [100%]
```
Signed-off-by: Mai Bui <[email protected]>
sonic-otn pushed a commit to sonic-otn/sonic-buildimage that referenced this pull request Sep 20, 2023
Why I did it
HLD implementation: Container Hardening (sonic-net/SONiC#1364)

Work item tracking
Microsoft ADO (number only): 14807420
How I did it
Reduce linux capabilities in privileged flag, retain NET_ADMIN and SYS_ADMIN capabilities

How to verify it
Install new image to DUT, verify bgp container is up
Run bgp sonic-mgmt kvmtest
AharonMalkin pushed a commit to AharonMalkin/sonic-mgmt that referenced this pull request Jan 25, 2024
Description of PR
HLD implementation: Container Hardening (sonic-net/SONiC#1364)
Dependency: sonic-net/sonic-buildimage#14932
#### What is the motivation for this PR?
Check bgp container has access to /dev/sda* or /dev/vda* after limiting privileged flag to less Linux capabilities.
#### How did you do it?
#### How did you verify/test it?
```
container_hardening/test_container_hardening.py::test_bgp_dev PASSED                                                                            [100%]
```
Signed-off-by: Mai Bui <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants