Proxy: Socket file 'other' permission changes to support ACRN Hypervisor#193
vijaydhanraj wants to merge 6 commits into kata-containers:master
Codecov Report
@@ Coverage Diff @@
## master #193 +/- ##
==========================================
- Coverage 36.56% 35.63% -0.94%
==========================================
Files 2 2
Lines 268 275 +7
==========================================
Hits 98 98
- Misses 159 166 +7
Partials 11 11

Related to: kata-containers/runtime#1779
proxy.go
Outdated
| other := int(fileInfo.Mode().Perm()) & otherMask | ||
| err := os.Chmod(agentLogsAddr, os.FileMode(other)) | ||
| if err != nil { | ||
| logger().Infof("Cannot change socket permissions for 'other' %d", err) |
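Review bot: In the `if err != nil` branch a failed `os.Chmod` is only reported through `logger().Infof`, and in the lines shown nothing stops the proxy from carrying on with a socket that 'other' can still access. Since the call exists to close that access, return the error, or at least log it at Error level, so the failure is not silent. The `%d` verb is also wrong for an `error` value; use `%v` or a structured field.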
use WithField and Error
logger().WithField("error", err).Error("Cannot change socket permissions for 'other'")
done. used WithError instead of WithField as discussed.
proxy.go
Outdated
| if err != nil { | ||
| logger().Infof("Cannot change socket permissions for 'other' %d", err) | ||
| } else { | ||
| logger().Infof("Chaning socket permissions to %4.4o", other) |
please move this log before os.Chmod and use WithField instead of %4.4o
proxy.go
Outdated
| other := int(fileInfo.Mode().Perm()) & otherMask | ||
| if other != 0 { | ||
| return fmt.Errorf("All socket permissions for 'other' should be disabled, got %3.3o", other) | ||
| logger().Infof("All socket permissions for 'other' should be disabled, got %4.4o", int(fileInfo.Mode().Perm())) |
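Review bot: In the `if other != 0` branch, `return fmt.Errorf(...)` is followed directly by `logger().Infof(...)` carrying the same message. If the return is the line being dropped, a socket that 'other' can access goes from a hard failure to an Info-level trace whose wording ("should be disabled") still reads like an error; suggest Warn level and a message saying the proxy is about to clear the bits. The logged value also changes from the masked `other` (%3.3o) to the full `fileInfo.Mode().Perm()` (%4.4o), so "got" no longer shows only the offending bits.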
/test
Version bump no changes Signed-off-by: katacontainersbot <katacontainersbot@gmail.com>
proxy.go
Outdated
| if other != 0 { | ||
| return fmt.Errorf("All socket permissions for 'other' should be disabled, got %3.3o", other) | ||
| logger().WithField("socket permissions", fmt.Sprintf("%4.4o", fileInfo.Mode().Perm())). | ||
| Infof("All socket permissions for 'other' should be disabled") |
Nit: This can now be Info() as you don't have any formats to expand in the string.
proxy.go
Outdated
| Infof("All socket permissions for 'other' should be disabled") | ||
|
|
||
| // Setting permissions socket for "other" to 0. | ||
| otherMask := 0770 |
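Review bot: `otherMask := 0770` gives the name otherMask to a value that selects the user and group bits, the opposite of what the name and the comment above it ("Setting permissions socket for "other" to 0") suggest. Keep a mask that really covers 'other' and clear it with Go's AND NOT operator, `perm &^ otherMask`, or put 0770 in a separately named constant so a later reader does not apply it the wrong way round.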
This is actually not a declaration. I was trying to reassign a new value to the previously declared variable.
PS: I have now changed this from a declaration to an assignment.
proxy.go
Outdated
| // Setting permissions socket for "other" to 0. | ||
| otherMask := 0770 | ||
| other := int(fileInfo.Mode().Perm()) & otherMask | ||
| logger().WithField("other", fmt.Sprintf("%4.4o", other)).Infof("Chaning socket permissions of 'other'") |
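Review bot: With a 0770 mask, `other := int(fileInfo.Mode().Perm()) & otherMask` leaves the user and group bits in `other`, so the log field keyed "other" prints the new mode of the whole file rather than the 'other' bits. Rename the variable and the field key to say it is the new mode, so the trace is not misleading when someone audits socket permissions from the logs.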
Nits:
- typo: "Changing".
- You can also use Info() here rather than Infof().
When binding the socket with the file path, the socket file permission is changed to 755. The reason being the following, Bind system call sets the socket file permission(mode) based on, socket FD permission and umask bits set. Socket FD by default is set to 777 and umask by default is set to 022. This results in 755.
ACRN doesn't plan to have an API to update the umask so added the workaround in kata proxy, where if the ‘other’ permission is not disabled, then kata proxy can override and disable it.
v1->v2: Changed formatting for logging proxy trace.
Fixes: kata-containers#191
Signed-off-by: Vijay Dhanraj <vijay.dhanraj@intel.com>

@GWhaley: Can you please help me reproduce the PR-check failure?
…branch-bump # Kata Containers 1.8.0-alpha1

Hi @vijaydhanraj Looks like we need to re-trigger the CIs as you updated the PR, so first we: and then, it looks like the PR-check CI had some sort of system failure, so let's re-trigger that as well: and then we see how that goes in a couple of hours...

@grahamwhaley Looks like the zuul checks are still failing here, can you take a look? I don't see any logs on the build site.

/zuul-recheck Anyway, it looks like this PR (#193 - that is the clue to finding the relevant items for this PR in the log/job list on the above link) shows we hit another NODE_FAILURE. One more time, with gusto then....

/zuul-recheck

Doh, @vijaydhanraj @amshinde - heh, that is the PR-check we are looking at - that is the WIP Zuul CI check we have that does not currently pass ( see #154 ) - so, don't expect that to pass. The other two Zuul CIs have passed (WIP and SOB) - so, we are good to push the merge maybe...
Version bump no changes Signed-off-by: Peng Tao <bergwolf@hyper.sh>
…nch-bump # Kata Containers 1.8.0-alpha2

Any other comments on this patch? If not, can this be merged?

ok - ARM CI failure is known, so let's just get this merged...
Proxy: Socket file 'other' permission changes to support ACRN Hypervisor

... which we cannot do as the branch has conflicts. Could you update please @vijaydhanraj ?

@jodh-intel I didn't close the issue, just pushed my changes after rebase. Please let me know if anything else is needed.

@jodh-intel @vijaydhanraj Looks like this got merged manually vs the github UI.

@amshinde - I tried to merge from the UI, got the green "confirm merge" button and clicked it, but then got an error saying the branch was conflicted. However, I checked by grabbing a copy of the PR locally and it merged correctly so this may have been a "github gremlin" 👽 I left the PR in an open state so not sure what happened subsequently.
When binding the socket with the file path, the socket file permission
is changed to 755. The reason being the following,
Bind system call sets the socket file permission(mode) based on,
socket FD permission and umask bits set. Socket FD by default is
set to 777 and umask by default is set to 022. This results in 755.
ACRN doesn't plan to have an API to update the umask so added
the workaround in kata proxy, where if the ‘other’ permission
is not disabled, then kata proxy can override and disable it.
Fixes: #191
Signed-off-by: Vijay Dhanraj <vijay.dhanraj@intel.com>
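
The bind-then-chmod behaviour the commit message describes, as an added Go example that is not code from this PR. The names bindAndRestrict and demo.sock and the temporary directory are made up for illustration, and it assumes a Unix-like host where bind(2) applies the umask to the socket's 0777 mode.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"path/filepath"
	"syscall"
)

const otherMask = os.FileMode(0007) // rwx bits for 'other'

// bindAndRestrict binds a Unix socket in dir under the given umask, then
// clears the 'other' bits. It returns the mode seen after bind and after chmod.
func bindAndRestrict(dir string, umask int) (before, after os.FileMode, err error) {
	old := syscall.Umask(umask) // process-wide setting, restored on return
	defer syscall.Umask(old)
	path := filepath.Join(dir, "demo.sock") // constructed name
	l, err := net.Listen("unix", path)      // bind(2) creates the socket file
	if err != nil {
		return 0, 0, err
	}
	defer l.Close() // also unlinks the socket file
	fi, err := os.Stat(path)
	if err != nil {
		return 0, 0, err
	}
	before = fi.Mode().Perm()
	if before&otherMask != 0 {
		// AND NOT keeps the user and group bits and drops only 'other'.
		if err = os.Chmod(path, before&^otherMask); err != nil {
			return before, 0, fmt.Errorf("clearing 'other' bits: %w", err)
		}
	}
	if fi, err = os.Stat(path); err != nil {
		return before, 0, err
	}
	return before, fi.Mode().Perm(), nil
}

func main() {
	dir, err := os.MkdirTemp("", "sockperm")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	before, after, err := bindAndRestrict(dir, 0022)
	fmt.Printf("after bind: %04o  after chmod: %04o  err: %v\n", before, after, err)
}
```

Unlike the hunks reviewed above, this version returns the chmod error to the caller, so a socket left open to 'other' cannot pass unnoticed.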