host-ctr: build masked paths list dynamically #2637

Merged: 1 commit, Dec 7, 2022

@jpculp jpculp commented Dec 6, 2022

Description of changes:

Replaces the hardcoded masked paths list (introduced in #2573) with a generated one.

Testing done:

Built and launched an aarch64 k8s variant on a c6g.large and ran lscpu from the control container.

    Architecture:           aarch64
      CPU op-mode(s):       32-bit, 64-bit
      Byte Order:           Little Endian
    CPU(s):                 2
      On-line CPU(s) list:  0,1
    Vendor ID:              ARM
      Model name:           Neoverse-N1
        Model:              1
        Thread(s) per core: 1
        Core(s) per socket: 2
        Socket(s):          1
        Stepping:           r3p1
        BogoMIPS:           243.75
        Flags:              fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp ssbs

/.bottlerocket/rootfs/run/host-containerd/runc/default/control/state.json:

    "mask_paths": [
      "/proc/acpi",
      "/proc/asound",
      "/proc/kcore",
      "/proc/keys",
      "/proc/latency_stats",
      "/proc/timer_list",
      "/proc/timer_stats",
      "/proc/sched_debug",
      "/proc/scsi"
    ],

/.bottlerocket/rootfs/run/host-containerd/runc/default/admin/state.json:

    "mask_paths": null,

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

jpculp commented Dec 6, 2022

Just tweaking some wording for clarity.

sources/host-ctr/cmd/host-ctr/main.go (outdated)
"/proc/scsi",
}),
// Pass an alternate list of masked paths
withMaskedPaths(),
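
Review bot: the call withMaskedPaths() takes no arguments, so nothing at this call site says which paths end up masked or which are deliberately left out, and the comment "Pass an alternate list of masked paths" does not say either. Consider passing the excluded paths explicitly at the call and stating in the comment why each one is left unmasked.
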
Contributor

🎉 nice!

Replaces the hardcoded masked paths list with the generated one, less
the paths provided

jpculp commented Dec 6, 2022

  • Replaced direct dependency on k8s.io/utils/strings/slices with a similar function.
  • Replaced withMaskedPaths with withUnmaskedPaths, which now takes a slice of paths.
  • Added in-code comment as to why we want to unmask /sys/firmware.
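
A check for the change discussed in this thread, as an added Go example (not code from host-ctr or from this PR): it rebuilds the expected list as a baseline less the unmasked paths, then reports which expected paths a runc state.json does not mask. The function names, the baseline list and the nesting of mask_paths under a "config" object are assumptions; the sample JSON is constructed from the values shown in the description above.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Assumed baseline: the control container's nine paths on this page plus /sys/firmware.
var defaultMasked = []string{"/proc/acpi", "/proc/asound", "/proc/kcore",
	"/proc/keys", "/proc/latency_stats", "/proc/timer_list",
	"/proc/timer_stats", "/proc/sched_debug", "/sys/firmware", "/proc/scsi"}

// Constructed state.json fragments; nesting mask_paths under "config" is an assumption.
const controlState = `{"config":{"mask_paths":["/proc/acpi","/proc/asound",
 "/proc/kcore","/proc/keys","/proc/latency_stats","/proc/timer_list",
 "/proc/timer_stats","/proc/sched_debug","/proc/scsi"]}}`
const adminState = `{"config":{"mask_paths":null}}`

// maskedLess returns base minus every path in unmasked, preserving order.
func maskedLess(base, unmasked []string) []string {
	skip := map[string]bool{}
	for _, p := range unmasked {
		skip[p] = true
	}
	out := []string{}
	for _, p := range base {
		if !skip[p] {
			out = append(out, p)
		}
	}
	return out
}

// notMasked lists the paths in want that the state file does not mask.
// A null mask_paths decodes to an empty list, so every wanted path is returned.
func notMasked(state []byte, want []string) ([]string, error) {
	var s struct {
		Config struct{ MaskPaths []string `json:"mask_paths"` } `json:"config"`
	}
	if err := json.Unmarshal(state, &s); err != nil {
		return nil, err
	}
	return maskedLess(want, s.Config.MaskPaths), nil
}

func main() {
	want := maskedLess(defaultMasked, []string{"/sys/firmware"})
	fmt.Println(notMasked([]byte(controlState), want))
	fmt.Println(notMasked([]byte(adminState), want))
}
```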

@jpmcb jpmcb left a comment

😷 👍🏼

@jpculp jpculp merged commit 4f9ff7f into bottlerocket-os:develop Dec 7, 2022
@jpculp jpculp deleted the dynamic-masked-paths branch December 7, 2022 22:35