Fix build tools image so make test in ztunnel can work without root #3207

Merged
istio-testing merged 1 commit into istio:master from krinkinmu:fix-ztunnel-non-root-tests on May 28, 2025
@krinkinmu krinkinmu commented May 16, 2025

There were a few issues that prevented me from being able to successfully run `make test` in ztunnel code:

  1. Cargo directories are owned by root, while the `make test` runs cargo as non-root; there was an attempt to give cargo directories in the build tools image broad enough permissions, so that user does not matter anymore (see Permissions on mount points need to be expanded #249) but when cargo directories were added on top of that we should have applied chmod recursively for this to work;
  2. /var/run/netns directory just does not exist in the container;
  3. AppArmor transfers the process to a restricted profile when it creates a new user namespace and the restrictions break the test.

This change addresses issues 1 and 2. To test that the change works I worked around issue 3 by running this:

```
echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns
```

And once I did that, I was able to run `make test` in the ztunnel repo successfully with the locally built build-tools image.

+cc @keithmattix @Stevenjin8 @jaellio
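
A preflight check for the three conditions listed in the description above, as an added example that is not part of the PR or of the build-tools image. The function names are hypothetical and every path is passed in by the caller; the check only reads the AppArmor setting and does not change it.

```shell
#!/bin/sh
# Added example, not from the PR. Usage (cargo directory location is an
# assumption; the other two paths are the ones named in the description):
#   preflight "$CARGO_HOME" /var/run/netns \
#       /proc/sys/kernel/apparmor_restrict_unprivileged_userns

# Print every entry under $1 that lacks the world-write bit. A non-recursive
# chmod on the top directory leaves the nested entries in this list.
not_world_writable() {
    find "$1" ! -type l ! -perm -002 2>/dev/null
}

# Succeed when the named-netns directory ($1) exists.
netns_dir_present() {
    [ -d "$1" ]
}

# Succeed when the sysctl file ($1) is readable and contains 1, i.e. AppArmor
# restricts unprivileged user namespaces. A missing file means the kernel
# does not expose the setting, so it is reported as not restricted.
userns_restricted() {
    [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

# Run all three checks, print one block per finding, return the finding count.
# A cargo directory that does not exist produces no finding.
preflight() {
    cargo_dir=$1 netns_dir=$2 sysctl_file=$3 findings=0
    bad=$(not_world_writable "$cargo_dir" | head -n 5)
    if [ -n "$bad" ]; then
        echo "cargo: entries not writable by an arbitrary uid (first 5):"
        echo "$bad" | sed 's/^/  /'
        findings=$((findings + 1))
    fi
    if ! netns_dir_present "$netns_dir"; then
        echo "netns: $netns_dir is missing"
        findings=$((findings + 1))
    fi
    if userns_restricted "$sysctl_file"; then
        echo "apparmor: unprivileged user namespaces are restricted"
        findings=$((findings + 1))
    fi
    return "$findings"
}
```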

There were a few issues that prevented me from being able to
successfully run `make test` in ztunnel code:

1. Cargo directories are owned by root, while the `make test` runs cargo
   as non root; there was an attempt to give cargo directories in the
   build tools image broad enough permissions, so that user does not
   matter anymore (see istio#249) but when cargo directories were added on
   top of that we should have applied chmod recursively for this to
   work;
2. /var/run/netns directory just does not exist in the container
3. AppArmor transfers the process to a restricted profile when it creates a
   new user namespace and the restrictions break the test.

This change addresses issues 1 and 2. To test that the change works I
worked around issue 3 by running this:

```
echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns
```

And once I did that, I was able to run `make test` in the ztunnel repo
successfully with the locally built build-tools image.

Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com>
@krinkinmu krinkinmu requested a review from a team as a code owner May 16, 2025 21:03
@istio-policy-bot

😊 Welcome @krinkinmu! This is either your first contribution to the Istio tools repo, or it's been
a while since you've been here.

You can learn more about the Istio working groups, Code of Conduct, and contribution guidelines
by referring to Contributing to Istio.

Thanks for contributing!

Courtesy of your friendly welcome wagon.

linux-foundation-easycla bot commented May 16, 2025

CLA Signed


The committers listed above are authorized under a signed CLA.

@istio-testing istio-testing added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label May 16, 2025
@istio-testing

Hi @krinkinmu. Thanks for your PR.

I'm waiting for an istio member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@keithmattix

/ok-to-test

@istio-testing istio-testing added ok-to-test Set this label allow normal testing to take place for a PR not submitted by an Istio org member. and removed needs-ok-to-test labels May 16, 2025
@istio-testing istio-testing merged commit 8d2a100 into istio:master May 28, 2025
8 checks passed
krinkinmu added a commit to krinkinmu/community that referenced this pull request Jul 16, 2025
Here are some of the contributions to the Istio project so far:

* istio/tools#3207
* istio/ztunnel#1565 and istio/ztunnel#1555

Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com>
istio-testing pushed a commit to istio/community that referenced this pull request Jul 16, 2025
Here are some of the contributions to the Istio project so far:

* istio/tools#3207
* istio/ztunnel#1565 and istio/ztunnel#1555

Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com>