
[Release-1.24] - /var/lib/rancher/k3s/storage should not be world-readable. #7471

Closed
dereknola opened this issue May 9, 2023 · 1 comment

@dereknola (Member):

Backport fix for /var/lib/rancher/k3s/storage should not be world-readable.

@dereknola dereknola self-assigned this May 9, 2023
@dereknola dereknola moved this from New to Peer Review in K3s Development May 9, 2023
@dereknola dereknola added this to the v1.24.14+k3s1 milestone May 9, 2023
@rancher-max rancher-max moved this from Peer Review to To Test in K3s Development May 18, 2023
@fmoral2 (Contributor) commented May 22, 2023

Validated on Version:

- k3s version v1.24.14-rc1+k3s1 (313a3b99)

Environment Details

Infrastructure
Cloud EC2 instance

Node(s) CPU architecture, OS, and Version:
Ubuntu

Cluster Configuration:
1 node

Config.yaml:

token: secret
write-kubeconfig-mode: 644
selinux: true
cluster-init: true

Steps to validate the fix

  1. Install k3s in commit version
  2. Deploy a pod with a volume in local-path
  3. Create an awx instance (please follow: https://awstip.com/deploy-ansible-awx-into-a-k3s-single-node-cluster-794c023c514b)
  4. Check if the pod is running
  5. Check if the volume is created
  6. Validate the /var/lib/rancher/k3s/storage/ folder is not world-readable
  7. Validate stat -c %a /var/lib/rancher/k3s/storage/: is 700
  8. Check if the pod can read from the volume

Validation Results:

~$ k3s -v
k3s version v1.24.14-rc1+k3s1 (313a3b99)
go version go1.19.9

~$ mkdir  /var/lib/rancher/k3s/storage/test/
mkdir: cannot create directory ‘/var/lib/rancher/k3s/storage/test/’: Permission denied


~$ ls -la /var/lib/rancher/k3s/storage/
ls: cannot open directory '/var/lib/rancher/k3s/storage/': Permission denied


~$ sudo ls -la /var/lib/rancher/k3s/storage/
total 12
drwx------ 3 root root 4096 May 22 16:52 .
drwxr-xr-x 6 root root 4096 May 22 16:52 ..
drwxrwxrwx 2 root root 4096 May 22 16:57 pvc-8627c6b1-a27a-4e94-b0b9-4e39fe09df10_default_local-path-pvc

~$  stat -c %a /var/lib/rancher/k3s/storage/
700

~$  stat -c %a  /var/lib/rancher/k3s/storage/pvc-8627c6b1-a27a-4e94-b0b9-4e39fe09df10_default_local-path-pvc
stat: cannot statx '/var/lib/rancher/k3s/storage/pvc-8627c6b1-a27a-4e94-b0b9-4e39fe09df10_default_local-path-pvc': Permission denied

~$ sudo stat -c %a  /var/lib/rancher/k3s/storage/pvc-8627c6b1-a27a-4e94-b0b9-4e39fe09df10_default_local-path-pvc
777

~$ cd /var/lib/rancher/k3s/storage/pvc-8627c6b1-a27a-4e94-b0b9-4e39fe09df10_default_local-path-pvc
-bash: cd: /var/lib/rancher/k3s/storage/pvc-8627c6b1-a27a-4e94-b0b9-4e39fe09df10_default_local-path-pvc: Permission denied

~$ get pods -A
NAMESPACE     NAME                                               READY   STATUS      RESTARTS   AGE
awx           awx-operator-controller-manager-5fc6df55df-hkqbx   1/2     Running     0          18s
default       volume-test                                        1/1     Running     0          40s
kube-system   coredns-74448699cf-57fx5                           1/1     Running     0          38m
kube-system   helm-install-traefik-crd-fpjdm                     0/1     Completed   0          38m
kube-system   helm-install-traefik-jgm9d                         0/1     Completed   1          38m
kube-system   local-path-provisioner-597bc7dccd-v9zft            1/1     Running     0          38m
kube-system   metrics-server-667586758d-zx985                    1/1     Running     0          38m
kube-system   svclb-traefik-5c2f7027-qkcp5                       2/2     Running     0          38m
kube-system   traefik-7467b667d9-m4mkk                           1/1     Running     0          38m

~$ kubectl get pv,pvc -A
NAME                                                        CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS   CLAIM                    STORAGECLASS   REASON   AGE
persistentvolume/pvc-8627c6b1-a27a-4e94-b0b9-4e39fe09df10   500Mi      RWO            Delete           Bound    default/local-path-pvc   local-path              4m30s

NAMESPACE   NAME                                   STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   AGE
default     persistentvolumeclaim/local-path-pvc   Bound    pvc-8627c6b1-a27a-4e94-b0b9-4e39fe09df10   500Mi      RWO            local-path     4m35s

~$ kubectl get pod volume-test -n default
NAME          READY   STATUS    RESTARTS   AGE
volume-test   1/1     Running   0          5m28s

~$ kubectl get pods -o=name -l app=local-path-provisioner --field-selector=status.phase=Running -n kube-system
pod/local-path-provisioner-597bc7dccd-v9zft

~$ kubectl exec volume-test -n default -- sh -c 'echo local-path-test > /data/test'

~$ kubectl exec volume-test -n default -- cat /data/test
local-path-test

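A reusable form of validation steps 6 and 7 above, added here as an example; it is not k3s project code and was not part of the validation run. It assumes GNU coreutils `stat` (the `-c %a` form used in the output above) and reads the directory to check from STORAGE_ROOT, a variable name chosen for this script:

```shell
#!/bin/sh
# Added example (not k3s project code): re-checks validation steps 6-7 above.
# The storage root must be mode 700 so unprivileged users cannot traverse into
# the per-PVC directories, which are 777 by design (see the output above).
# Assumes GNU coreutils `stat`, i.e. the `-c %a` form used in the validation.

# STORAGE_ROOT is a name chosen for this script, not a k3s setting.
STORAGE_ROOT="${STORAGE_ROOT:-/var/lib/rancher/k3s/storage}"

# octal_mode PATH -> permission bits without a leading zero, e.g. 700 or 777
octal_mode() {
    m=$(stat -c %a "$1") || return 1
    printf '%s\n' "${m#0}"
}

# other_bits PATH -> the "other" (world) permission digit, 0-7
other_bits() {
    m=$(octal_mode "$1") || return 1
    printf '%s\n' "${m#"${m%?}"}"
}

# check_storage_root DIR
#   0: DIR is a directory whose user/group/other bits are exactly 700 (fixed)
#   1: DIR exists but group or other have some access (the pre-fix state)
#   2: DIR is missing or cannot be stat'ed
check_storage_root() {
    [ -d "$1" ] || return 2
    m=$(octal_mode "$1") || return 2
    perm=${m#"${m%???}"}            # drop any setuid/setgid/sticky digit
    [ "$perm" = "700" ]
}

# list_world_readable DIR -> entries directly under DIR whose other bits
# include read (4). With the root at 700 these stay unreachable to non-root
# users, which is the control the fix restores.
list_world_readable() {
    for p in "$1"/* "$1"/.[!.]*; do
        [ -e "$p" ] || continue
        o=$(other_bits "$p") || continue
        if [ $(( o & 4 )) -ne 0 ]; then printf '%s\n' "$p"; fi
    done
    return 0
}

# Standalone use: sh check_storage.sh --run  (as root, since 700 blocks others)
if [ "${1:-}" = "--run" ]; then
    check_storage_root "$STORAGE_ROOT"; rc=$?
    if [ "$rc" -eq 0 ]; then echo "OK: $STORAGE_ROOT is 700"
    else echo "FAIL: $STORAGE_ROOT is not 700 (status $rc)" >&2; exit 1; fi
fi
```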
@fmoral2 fmoral2 closed this as completed May 22, 2023
@github-project-automation github-project-automation bot moved this from To Test to Done Issue in K3s Development May 22, 2023