BUILD-433: Run builds in user namespaces without seccomp if BUILD_PRIVILEGED=false

pkg/build/controller/build/build_controller.go

@@ -1321,7 +1321,7 @@ func (bc *BuildController) createBuildPod(build *buildv1.Build) (*buildUpdate, e
 			return update, fmt.Errorf("could not find registry config for build: %v", err)
 		}
 		if !hasRegistryConf {
-			// Create the registry config ConfigMap to mount the regsitry config to the existing build pod
+			// Create the registry config ConfigMap to mount the registry config to the existing build pod
 			update, err = bc.createBuildSystemConfConfigMap(build, existingPod, update)
 			if err != nil {
 				return update, err

pkg/build/controller/strategy/custom.go

@@ -88,7 +88,7 @@ func (bs *CustomBuildStrategy) CreateBuildPod(build *buildv1.Build, additionalCA
 		serviceAccount = buildutil.BuilderServiceAccountName
 	}
 
-	privileged := true
+	securityContext := securityContextForBuild(strategy.Env)
 	pod := &corev1.Pod{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      buildutil.GetBuildPodName(build),
@@ -99,13 +99,10 @@ func (bs *CustomBuildStrategy) CreateBuildPod(build *buildv1.Build, additionalCA
 			ServiceAccountName: serviceAccount,
 			Containers: []corev1.Container{
 				{
-					Name:  CustomBuild,
-					Image: strategy.From.Name,
-					Env:   containerEnv,
-					// TODO: run unprivileged https://github.com/openshift/origin/issues/662
-					SecurityContext: &corev1.SecurityContext{
-						Privileged: &privileged,
-					},
+					Name:                     CustomBuild,
+					Image:                    strategy.From.Name,
+					Env:                      containerEnv,
+					SecurityContext:          securityContext,
 					TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
 				},
 			},
@@ -138,6 +135,10 @@ func (bs *CustomBuildStrategy) CreateBuildPod(build *buildv1.Build, additionalCA
 	setupAdditionalSecrets(pod, &pod.Spec.Containers[0], build.Spec.Strategy.CustomStrategy.Secrets)
 	setupContainersConfigs(build, pod)
 	setupBuildCAs(build, pod, additionalCAs, internalRegistryHost)
-	setupContainersStorage(pod, &pod.Spec.Containers[0]) // for unprivileged builds
+	setupContainersStorage(pod, &pod.Spec.Containers[0])
+	if securityContext == nil || securityContext.Privileged == nil || !*securityContext.Privileged {
+		setupBuilderAutonsUser(build, strategy.Env, pod)
+		setupBuilderDeviceFUSE(pod)
+	}
 	return pod, nil
 }

pkg/build/controller/strategy/custom_test.go

@@ -65,9 +65,10 @@ func TestCustomCreateBuildPod(t *testing.T) {
 	// build-system-configmap
 	// certificate authorities
 	// container storage
+	// container run
 	// global CA injection configmap
-	if len(container.VolumeMounts) != 8 {
-		t.Fatalf("Expected 8 volumes in container, got %d", len(container.VolumeMounts))
+	if len(container.VolumeMounts) != 9 {
+		t.Fatalf("Expected 9 volumes in container, got %d", len(container.VolumeMounts))
 	}
 	expectedMounts := []string{"/var/run/docker.sock",
 		DockerPushSecretMountPath,
@@ -76,7 +77,8 @@ func TestCustomCreateBuildPod(t *testing.T) {
 		ConfigMapBuildSystemConfigsMountPath,
 		ConfigMapCertsMountPath,
 		ConfigMapBuildGlobalCAMountPath,
-		"/var/lib/containers/storage",
+		"/var/lib/containers",
+		"/var/run/containers",
 	}
 	for i, expected := range expectedMounts {
 		if container.VolumeMounts[i].MountPath != expected {
@@ -94,8 +96,8 @@ func TestCustomCreateBuildPod(t *testing.T) {
 	if !kapihelper.Semantic.DeepEqual(container.Resources, build.Spec.Resources) {
 		t.Fatalf("Expected actual=expected, %v != %v", container.Resources, build.Spec.Resources)
 	}
-	if len(actual.Spec.Volumes) != 8 {
-		t.Fatalf("Expected 8 volumes in Build pod, got %d", len(actual.Spec.Volumes))
+	if len(actual.Spec.Volumes) != 9 {
+		t.Fatalf("Expected 9 volumes in Build pod, got %d", len(actual.Spec.Volumes))
 	}
 	buildJSON, _ := runtime.Encode(customBuildEncodingCodecFactory.LegacyCodec(buildv1.GroupVersion), build)
 	errorCases := map[int][]string{
@@ -267,3 +269,15 @@ func mockCustomBuild(forcePull, emptySource bool) *buildv1.Build {
 		},
 	}
 }
+
+func TestCustomCreateBuildPodAutonsUser(t *testing.T) {
+	strategy := CustomBuildStrategy{}
+
+	build := mockCustomBuild(false, false)
+
+	testCreateBuildPodAutonsUser(t, build, &strategy,
+		func(build *buildv1.Build, env corev1.EnvVar) {
+			build.Spec.Strategy.CustomStrategy.Env = append(build.Spec.Strategy.CustomStrategy.Env, env)
+		},
+	)
+}

pkg/build/controller/strategy/docker.go

@@ -38,8 +38,8 @@ func (bs *DockerBuildStrategy) CreateBuildPod(build *buildv1.Build, additionalCA
 		return nil, fmt.Errorf("failed to encode the build: %v", err)
 	}
 
-	privileged := true
 	strategy := build.Spec.Strategy.DockerStrategy
+	securityContext := securityContextForBuild(strategy.Env)
 	hostPathFile := v1.HostPathFile
 
 	containerEnv := []v1.EnvVar{
@@ -69,14 +69,11 @@ func (bs *DockerBuildStrategy) CreateBuildPod(build *buildv1.Build, additionalCA
 			ServiceAccountName: serviceAccount,
 			Containers: []v1.Container{
 				{
-					Name:  DockerBuild,
-					Image: bs.Image,
-					Args:  []string{"openshift-docker-build"},
-					Env:   copyEnvVarSlice(containerEnv),
-					// TODO: run unprivileged https://github.com/openshift/origin/issues/662
-					SecurityContext: &v1.SecurityContext{
-						Privileged: &privileged,
-					},
+					Name:                     DockerBuild,
+					Image:                    bs.Image,
+					Args:                     []string{"openshift-docker-build"},
+					Env:                      copyEnvVarSlice(containerEnv),
+					SecurityContext:          securityContext,
 					TerminationMessagePolicy: v1.TerminationMessageFallbackToLogsOnError,
 					VolumeMounts: []v1.VolumeMount{
 						{
@@ -133,6 +130,7 @@ func (bs *DockerBuildStrategy) CreateBuildPod(build *buildv1.Build, additionalCA
 			Image:                    bs.Image,
 			Args:                     []string{"openshift-git-clone"},
 			Env:                      copyEnvVarSlice(containerEnv),
+			SecurityContext:          securityContext,
 			TerminationMessagePolicy: v1.TerminationMessageFallbackToLogsOnError,
 			VolumeMounts: []v1.VolumeMount{
 				{
@@ -152,14 +150,11 @@ func (bs *DockerBuildStrategy) CreateBuildPod(build *buildv1.Build, additionalCA
 	}
 	if len(build.Spec.Source.Images) > 0 {
 		extractImageContentContainer := v1.Container{
-			Name:  ExtractImageContentContainer,
-			Image: bs.Image,
-			Args:  []string{"openshift-extract-image-content"},
-			Env:   copyEnvVarSlice(containerEnv),
-			// TODO: run unprivileged https://github.com/openshift/origin/issues/662
-			SecurityContext: &v1.SecurityContext{
-				Privileged: &privileged,
-			},
+			Name:                     ExtractImageContentContainer,
+			Image:                    bs.Image,
+			Args:                     []string{"openshift-extract-image-content"},
+			Env:                      copyEnvVarSlice(containerEnv),
+			SecurityContext:          securityContext,
 			TerminationMessagePolicy: v1.TerminationMessageFallbackToLogsOnError,
 			VolumeMounts: []v1.VolumeMount{
 				{
@@ -188,6 +183,7 @@ func (bs *DockerBuildStrategy) CreateBuildPod(build *buildv1.Build, additionalCA
 			Image:                    bs.Image,
 			Args:                     []string{"openshift-manage-dockerfile"},
 			Env:                      copyEnvVarSlice(containerEnv),
+			SecurityContext:          securityContext,
 			TerminationMessagePolicy: v1.TerminationMessageFallbackToLogsOnError,
 			VolumeMounts: []v1.VolumeMount{
 				{
@@ -212,8 +208,11 @@ func (bs *DockerBuildStrategy) CreateBuildPod(build *buildv1.Build, additionalCA
 	setupInputConfigMaps(pod, &pod.Spec.Containers[0], build.Spec.Source.ConfigMaps)
 	setupContainersConfigs(build, pod)
 	setupBuildCAs(build, pod, additionalCAs, internalRegistryHost)
-	setupContainersStorage(pod, &pod.Spec.Containers[0]) // for unprivileged builds
-	// setupContainersNodeStorage(pod, &pod.Spec.Containers[0]) // for privileged builds
+	setupContainersStorage(pod, &pod.Spec.Containers[0])
+	if securityContext == nil || securityContext.Privileged == nil || !*securityContext.Privileged {
+		setupBuilderAutonsUser(build, strategy.Env, pod)
+		setupBuilderDeviceFUSE(pod)
+	}
 	setupBlobCache(pod)
 	if err := setupBuildVolumes(pod, build.Spec.Strategy.DockerStrategy.Volumes, bs.BuildCSIVolumesEnabled); err != nil {
 		return pod, err

pkg/build/controller/strategy/docker_test.go

@@ -65,7 +65,6 @@ func TestDockerCreateBuildPod(t *testing.T) {
 		"BUILD_REGISTRIES_DIR_PATH":   "",
 		"BUILD_SIGNATURE_POLICY_PATH": "",
 		"BUILD_STORAGE_CONF_PATH":     "",
-		"BUILD_STORAGE_DRIVER":        "",
 		"BUILD_BLOBCACHE_DIR":         "",
 		"BUILD_MOUNT_ETC_PKI_CATRUST": "",
 	}
@@ -87,11 +86,12 @@ func TestDockerCreateBuildPod(t *testing.T) {
 	// build-system-config
 	// certificate authorities
 	// container storage
+	// container run
 	// blobs content cache
 	// global CA injection configmap
 	// node pull secrets
-	if len(container.VolumeMounts) != 12 {
-		t.Fatalf("Expected 12 volumes in container, got %d", len(container.VolumeMounts))
+	if len(container.VolumeMounts) != 13 {
+		t.Fatalf("Expected 13 volumes in container, got %d", len(container.VolumeMounts))
 	}
 	if *actual.Spec.ActiveDeadlineSeconds != 60 {
 		t.Errorf("Expected ActiveDeadlineSeconds 60, got %d", *actual.Spec.ActiveDeadlineSeconds)
@@ -106,7 +106,8 @@ func TestDockerCreateBuildPod(t *testing.T) {
 		ConfigMapBuildSystemConfigsMountPath,
 		ConfigMapCertsMountPath,
 		ConfigMapBuildGlobalCAMountPath,
-		"/var/lib/containers/storage",
+		"/var/lib/containers",
+		"/var/run/containers",
 		buildutil.BuildBlobsContentCache,
 	}
 	for i, expected := range expectedMounts {
@@ -115,8 +116,8 @@ func TestDockerCreateBuildPod(t *testing.T) {
 		}
 	}
 	// build pod has an extra volume: the git clone source secret
-	if len(actual.Spec.Volumes) != 13 {
-		t.Fatalf("Expected 13 volumes in Build pod, got %d", len(actual.Spec.Volumes))
+	if len(actual.Spec.Volumes) != 14 {
+		t.Fatalf("Expected 14 volumes in Build pod, got %d", len(actual.Spec.Volumes))
 	}
 	if !kapihelper.Semantic.DeepEqual(container.Resources, build.Spec.Resources) {
 		t.Fatalf("Expected actual=expected, %v != %v", container.Resources, build.Spec.Resources)
@@ -238,3 +239,17 @@ func mockDockerBuild() *buildv1.Build {
 		},
 	}
 }
+
+func TestDockerCreateBuildPodAutonsUser(t *testing.T) {
+	strategy := DockerBuildStrategy{
+		Image: "docker-test-image",
+	}
+
+	build := mockDockerBuild()
+
+	testCreateBuildPodAutonsUser(t, build, &strategy,
+		func(build *buildv1.Build, env corev1.EnvVar) {
+			build.Spec.Strategy.DockerStrategy.Env = append(build.Spec.Strategy.DockerStrategy.Env, env)
+		},
+	)
+}

pkg/build/controller/strategy/sti.go

@@ -68,7 +68,7 @@ func (bs *SourceBuildStrategy) CreateBuildPod(build *buildv1.Build, additionalCA
 	}
 
 	hostPathFile := corev1.HostPathFile
-	privileged := true
+	securityContext := securityContextForBuild(strategy.Env)
 	pod := &corev1.Pod{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      buildutil.GetBuildPodName(build),
@@ -79,14 +79,11 @@ func (bs *SourceBuildStrategy) CreateBuildPod(build *buildv1.Build, additionalCA
 			ServiceAccountName: serviceAccount,
 			Containers: []corev1.Container{
 				{
-					Name:  StiBuild,
-					Image: bs.Image,
-					Args:  []string{"openshift-sti-build"},
-					Env:   copyEnvVarSlice(containerEnv),
-					// TODO: run unprivileged https://github.com/openshift/origin/issues/662
-					SecurityContext: &corev1.SecurityContext{
-						Privileged: &privileged,
-					},
+					Name:                     StiBuild,
+					Image:                    bs.Image,
+					Args:                     []string{"openshift-sti-build"},
+					Env:                      copyEnvVarSlice(containerEnv),
+					SecurityContext:          securityContext,
 					TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
 					VolumeMounts: []corev1.VolumeMount{
 						{
@@ -140,6 +137,7 @@ func (bs *SourceBuildStrategy) CreateBuildPod(build *buildv1.Build, additionalCA
 			Image:                    bs.Image,
 			Args:                     []string{"openshift-git-clone"},
 			Env:                      copyEnvVarSlice(containerEnv),
+			SecurityContext:          securityContext,
 			TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
 			VolumeMounts: []corev1.VolumeMount{
 				{
@@ -159,14 +157,11 @@ func (bs *SourceBuildStrategy) CreateBuildPod(build *buildv1.Build, additionalCA
 	}
 	if len(build.Spec.Source.Images) > 0 {
 		extractImageContentContainer := corev1.Container{
-			Name:  ExtractImageContentContainer,
-			Image: bs.Image,
-			Args:  []string{"openshift-extract-image-content"},
-			Env:   copyEnvVarSlice(containerEnv),
-			// TODO: run unprivileged https://github.com/openshift/origin/issues/662
-			SecurityContext: &corev1.SecurityContext{
-				Privileged: &privileged,
-			},
+			Name:                     ExtractImageContentContainer,
+			Image:                    bs.Image,
+			Args:                     []string{"openshift-extract-image-content"},
+			Env:                      copyEnvVarSlice(containerEnv),
+			SecurityContext:          securityContext,
 			TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
 			VolumeMounts: []corev1.VolumeMount{
 				{
@@ -195,6 +190,7 @@ func (bs *SourceBuildStrategy) CreateBuildPod(build *buildv1.Build, additionalCA
 			Image:                    bs.Image,
 			Args:                     []string{"openshift-manage-dockerfile"},
 			Env:                      copyEnvVarSlice(containerEnv),
+			SecurityContext:          securityContext,
 			TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
 			VolumeMounts: []corev1.VolumeMount{
 				{
@@ -219,8 +215,11 @@ func (bs *SourceBuildStrategy) CreateBuildPod(build *buildv1.Build, additionalCA
 	setupInputConfigMaps(pod, &pod.Spec.Containers[0], build.Spec.Source.ConfigMaps)
 	setupContainersConfigs(build, pod)
 	setupBuildCAs(build, pod, additionalCAs, internalRegistryHost)
-	setupContainersStorage(pod, &pod.Spec.Containers[0]) // for unprivileged builds
-	// setupContainersNodeStorage(pod, &pod.Spec.Containers[0]) // for privileged builds
+	setupContainersStorage(pod, &pod.Spec.Containers[0])
+	if securityContext == nil || securityContext.Privileged == nil || !*securityContext.Privileged {
+		setupBuilderAutonsUser(build, strategy.Env, pod)
+		setupBuilderDeviceFUSE(pod)
+	}
 	setupBlobCache(pod)
 	if err := setupBuildVolumes(pod, build.Spec.Strategy.SourceStrategy.Volumes, bs.BuildCSIVolumeseEnabled); err != nil {
 		return pod, err

pkg/build/controller/strategy/sti_test.go

@@ -101,7 +101,6 @@ func testSTICreateBuildPod(t *testing.T, rootAllowed bool) {
 		"BUILD_REGISTRIES_DIR_PATH":   "",
 		"BUILD_SIGNATURE_POLICY_PATH": "",
 		"BUILD_STORAGE_CONF_PATH":     "",
-		"BUILD_STORAGE_DRIVER":        "",
 		"BUILD_BLOBCACHE_DIR":         "",
 		"BUILD_MOUNT_ETC_PKI_CATRUST": "",
 	}
@@ -128,10 +127,11 @@ func testSTICreateBuildPod(t *testing.T, rootAllowed bool) {
 	// build-system-configmap
 	// certificate authorities
 	// container storage
+	// container run
 	// blobs content cache
 	// global CA injection configmap
-	if len(container.VolumeMounts) != 12 {
-		t.Fatalf("Expected 12 volumes in container, got %d %v", len(container.VolumeMounts), container.VolumeMounts)
+	if len(container.VolumeMounts) != 13 {
+		t.Fatalf("Expected 13 volumes in container, got %d %v", len(container.VolumeMounts), container.VolumeMounts)
 	}
 	expectedMounts := []string{buildutil.NodePullSecretsPath,
 		buildutil.BuildWorkDirMount,
@@ -143,7 +143,8 @@ func testSTICreateBuildPod(t *testing.T, rootAllowed bool) {
 		ConfigMapBuildSystemConfigsMountPath,
 		ConfigMapCertsMountPath,
 		ConfigMapBuildGlobalCAMountPath,
-		"/var/lib/containers/storage",
+		"/var/lib/containers",
+		"/var/run/containers",
 		buildutil.BuildBlobsContentCache,
 	}
 	for i, expected := range expectedMounts {
@@ -152,8 +153,8 @@ func testSTICreateBuildPod(t *testing.T, rootAllowed bool) {
 		}
 	}
 	// build pod has an extra volume: the git clone source secret
-	if len(actual.Spec.Volumes) != 13 {
-		t.Fatalf("Expected 13 volumes in Build pod, got %d", len(actual.Spec.Volumes))
+	if len(actual.Spec.Volumes) != 14 {
+		t.Fatalf("Expected 14 volumes in Build pod, got %d", len(actual.Spec.Volumes))
 	}
 	if *actual.Spec.ActiveDeadlineSeconds != 60 {
 		t.Errorf("Expected ActiveDeadlineSeconds 60, got %d", *actual.Spec.ActiveDeadlineSeconds)
@@ -303,3 +304,18 @@ func mockSTIBuild() *buildv1.Build {
 		},
 	}
 }
+
+func TestS2ICreateBuildPodAutonsUser(t *testing.T) {
+	strategy := SourceBuildStrategy{
+		Image:          "sti-test-image",
+		SecurityClient: newFakeSecurityClient(true),
+	}
+
+	build := mockSTIBuild()
+
+	testCreateBuildPodAutonsUser(t, build, &strategy,
+		func(build *buildv1.Build, env corev1.EnvVar) {
+			build.Spec.Strategy.SourceStrategy.Env = append(build.Spec.Strategy.SourceStrategy.Env, env)
+		},
+	)
+}