Bug 1916897: narrow scope of rhsm transient bind mount #206
Conversation
|
@gabemontero: This pull request references Bugzilla bug 1916897, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. 3 validation(s) were run on this bug
DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci-robot
added
bugzilla/severity-medium
|
Would we get the same effect by removing the code block the patch is modifying, and adding the spec to |
pkg/build/builder/daemonless.go
Outdated
| // Add a bind of /run/secrets/rhsm, to pass along anything that the | ||
| // runtime mounted from the node into our /run/secrets/rhsm. | ||
| log.V(0).Infof("Adding transient rw bind mount for /run/secrets/rhsm") | ||
| transientMounts = append(transientMounts, "/run/secrets/rhsm:/run/secrets/rhsm:rw,nodev,noexec,nosuid") |
There was a problem hiding this comment.
@nalind with this approach will writes to /run/secrets/rhsm from within the build container propagate to /run/secrets/rhsm in the build pod? (we do not want that)
There was a problem hiding this comment.
The bind mount will let it modify content in the build container. Unless I'm misreading things, the node's /usr/share/containers/mounts.conf includes /usr/share/rhel/secrets:/run/secrets on a 4.6.6 cluster, so cri-o creates a copy of the contents of /usr/share/rhel/secrets and bind mounts it for each container that it creates. While modifying the /run/secrets in the build container would modify its copy of the content, each container in the build pod has its own copy.
There was a problem hiding this comment.
i don't think we want to allow any actions in the build container to affect content in the build pod containers.
There was a problem hiding this comment.
Right, the other containers in the pod have their own copies of that content.
There was a problem hiding this comment.
OK we have all green tests with this current form. Given the discussion above, and @nalind 's #206 (comment) do we want to try a separate commit where I remove this piece of code and re-introduce a master branch version of https://github.com/openshift/builder/blob/release-4.6/imagecontent/etc/containers/mounts.conf where we change /run/secrets to /run/secrets/rhsm ?
I'm also curious on seeing the ls -R /run dump from the new test in openshift/origin#25810 to make sure there is nothing else we need to consider
There was a problem hiding this comment.
The logic that controls where the copy of the secrets goes is currently hard-coded in buildah, so the patch would at least include a change there. Changing it in a way that required any changes in openshift/builder would also require similar changes in podman and in any other consumers of the library to keep the behavior consistent between them, so my inclination would be to keep the decision making around that as an implementation detail in buildah.
There was a problem hiding this comment.
I think i need to take back what i said earlier about it being ok if each RUN/layer gets a fresh copy of /run/secrets/rhsm, because the way people use that dir is probably:
COPY somesecret /run/secrets/rhsm
RUN yum install something-that-needs-the-above-secret
so either we fix buildah to persist the writes between layers (even when using using the layer optimization mode) or we add logic that copies the content to a new location before invoking buildah, and then bindmounts it.
There was a problem hiding this comment.
I think i need to take back what i said earlier about it being ok if each RUN/layer gets a fresh copy of /run/secrets/rhsm, because the way people use that dir is probably:
COPY somesecret /run/secrets/rhsm
RUN yum install something-that-needs-the-above-secretso either we fix buildah to persist the writes between layers (even when using using the layer optimization mode)
so does @bparees 's comment ^^ lead you to modifying your comment at #206 (comment) @nalind ?
or we add logic that copies the content to a new location before invoking buildah, and then bindmounts it.
So if possible @bparees I'd like to get a little more specific on how ^^ would be done to make sure we have a common understanding.
I'm going to attempt a mixture of real code and pseudo code to get a good detail vs. length mix.
startingDir := "/tmp" // or some other location we agree upon
tmpDir, err := ioutil.TempDir(startingDir, "rhsm-creds")
if err != nil {
...
}
// logic to do recursive copy of /run/secrets/rhsm to tmpDir
...
// reintroduce transient mounts path
...
transientMounts = append(transientMounts, fmt.Sprintf("%s:/run/secrets/rhsm:rw,nodev,noexec,nosuid", tmpDir))
how far off is that ?
There was a problem hiding this comment.
that looks pretty close to what i had in mind.
There was a problem hiding this comment.
OK @bparees @nalind @xiuwang I've dropped the re-introduction of mounts.conf and pushed a new commit that does the tmpdir/compy/transient mount @bparees and I just discussed
Let's see how the e2e's go.
I'll try to run dptp's BC against a cluster-bot cluster with this PR (hopefully I have better luck with cluster-bot today), but if you get cycles @xiuwang by all means give it a go as well
@adambkaplan FYI (to the whole PR :-) )
openshift-ci-robot
added
the
needs-rebase
gabemontero
force-pushed
the
fix-run-secrets-mount
branch
from
cd80fc3 to
145e651
Compare
openshift-ci-robot
removed
the
needs-rebase
|
OK @nalind @bparees I've pushed in a separate commit the alternate approach of removing the code in daemonless.go and re-introducing the mounts.conf file, but using /run/secrets/rhsm I'm still trying to get a cluster with these change to try the DPTP Dockerfile with the chmod's ( a couple of clusterbot attempts have failed) |
| @@ -0,0 +1 @@ | |||
| /run/secrets/rhsm:/run/secrets/rhsm No newline at end of file | |||
There was a problem hiding this comment.
i think my concern that this results in writing changes through to the build pod's container remains.
|
Launched cluster from this cluster, and trigger build from DPTP bc http://file.rdu.redhat.com/~hongkliu/dptp2021/bz1916897/content-mirror/app.ci.bc.content-mirror.yaml. Build content-mirror-2 go to complete without /run/secret read only error. Build httpd-ex-2 with source secret go to complete too. |
thanks for the confirmation @xiuwang ... I had trouble either launching or updating clusters yesterday and was unable to do this @nalind @bparees and I now just need to get consensus on the correct way to apply this fix. |
|
sig-api-machinery flakes in latest e2e-aws /test e2e-aws |
gabemontero
force-pushed
the
fix-run-secrets-mount
branch
from
145e651 to
8b3db1b
Compare
gabemontero
force-pushed
the
fix-run-secrets-mount
branch
from
8b3db1b to
b66b684
Compare
pkg/build/builder/daemonless.go
Outdated
| return defaultProcessLimits | ||
| } | ||
|
|
||
| func copyRHSMData(source, destination string) error { |
There was a problem hiding this comment.
We have similar "copy directory contents" in https://github.com/openshift/builder/blob/master/cmd/main.go#L74-L126. Can we consolidate into a utility package?
There was a problem hiding this comment.
We have similar "copy directory contents" in https://github.com/openshift/builder/blob/master/cmd/main.go#L74-L126. Can we consolidate into a utility package?
update for this ^^ pushed @adambkaplan
There was a problem hiding this comment.
Do we test this with directories that contain symlinks to directories? I think ioutil.ReadDir() uses lstat(), which would return os.FileInfos that returns false from IsDir().
There was a problem hiding this comment.
Yeah this aspect came up when researching golang recursive copy, but I stopped short of adding that complexity since /run/secret/rhsm does not have symlinks based on my testing, so I stopped short of changing this existing code path.
But I'll defer to you @nalind and @adambkaplan on if we want to add this in just in case.
gabemontero
force-pushed
the
fix-run-secrets-mount
branch
from
b66b684 to
6a34d69
Compare
|
api server connection refused on image eco /test e2e-aws-image-ecosystem |
|
OK tests are passing, and I was able to verifiy DPTP's BC using an image build from this commit There is the one remaining discussion thread on the copy and symlinks, and then squashing the commits |
|
I've pushed a separate commit for symlinks @nalind @adambkaplan ... used https://stackoverflow.com/questions/51779243/copy-a-folder-in-go as a ref |
|
sig-network failures e2e-aws /test e2e-aws |
|
sig-network flakes in e2e-aws /retest |
|
/retest |
|
/assign @adambkaplan I'll defer to @bparees if he wants to now be unassigned |
adambkaplan
left a comment
adambkaplan
left a comment
There was a problem hiding this comment.
Something else to consider - we already have a "copy files & directories" library within source-to-image. Do we use that instead?
The default implementation copies symlinks by following the link and preserving the content.
pkg/build/builder/util.go
Outdated
| // If the source directory does not exist, no error is returned. | ||
| // If the destination directory exists, any contents with matching file names | ||
| // will be overwritten. | ||
| func CopyDirIfExists(src, dst string) error { |
There was a problem hiding this comment.
Please add unit tests for this function, covering in particular:
- Source directory not existing
- Destination already existing (confirm files overwritten
- Regular files copied
- Symlinks copied.
pkg/build/builder/util.go
Outdated
|
|
||
| // CopySymLink preserves symlinks as the form of copy | ||
| func CopySymLink(src, dst string) error { | ||
| link, err := os.Readlink(src) |
There was a problem hiding this comment.
What if the symlink refers to an absolute path, instead of a relative path? Do we keep as is?
pkg/build/builder/util.go
Outdated
|
|
||
| // CopyFileIfExists copies the source file to the given destination, if the source file exists. | ||
| // If the destination file exists, it will be overwritten and will not copy file attributes. | ||
| func CopyFileIfExists(src, dst string) error { |
There was a problem hiding this comment.
Please add a unit test for this function.
…for cases where data can persist
gabemontero
force-pushed
the
fix-run-secrets-mount
branch
from
ecfe662 to
7901cb3
Compare
|
PR updated @adambkaplan to using s2i libs ... also went ahead and squashed commits - thanks! |
|
All green tests on our readonly /run PR @adambkaplan Reminder: follow up e2e's in openshift/origin#25810 once this merges |
|
/test e2e-aws-proxy Want to make sure we didn't break the proxy CA generation, which I believe is utilized by git clone. |
|
e2e-aws-proxy succeeded @adambkaplan |
adambkaplan
left a comment
adambkaplan
left a comment
There was a problem hiding this comment.
/lgtm
Once this merges we can verify with openshift/origin#25810
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: adambkaplan, gabemontero The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
the
approved
|
@gabemontero: Some pull requests linked via external trackers have merged: The following pull requests linked via external trackers have not merged:
These pull request must merge or be unlinked from the Bugzilla bug in order for it to move to the next state. Once unlinked, request a bug refresh with Bugzilla bug 1916897 has not been moved to the MODIFIED state. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/cherrypick release-4.6 |
|
@gabemontero: new pull request created: #211 DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/bugzilla refresh |
|
@gabemontero: Bugzilla bug 1916897 is in an unrecognized state (VERIFIED) and will not be moved to the MODIFIED state. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
8 participants
/assign @bparees
@nalind @smarterclayton