Feature/fuse maybe #329

Merged
hallyn merged 4 commits into project-stacker:main from smoser:feature/fuse-maybe
Dec 1, 2022

Conversation

@smoser (Contributor) commented Nov 22, 2022

Lots of debug here.
Definitely work in progress. Locally it passes a few small tests for me.

@smoser smoser force-pushed the feature/fuse-maybe branch 2 times, most recently from ca00ac9 to 2eef625 Compare November 29, 2022 21:37
@smoser smoser force-pushed the feature/fuse-maybe branch 4 times, most recently from 012aee5 to b287f83 Compare November 30, 2022 21:16
@smoser smoser marked this pull request as ready for review November 30, 2022 21:16
@rchincha (Contributor) commented

Would squash it once done.

@smoser (Contributor, Author) commented Nov 30, 2022

> Would squash it once done.

I think it is done. I'd prefer to leave it as 4 commits. It is 4 units of work.

@smoser smoser force-pushed the feature/fuse-maybe branch from b287f83 to 20bfc35 Compare November 30, 2022 22:21
Scott Moser added 4 commits December 1, 2022 07:03

The functionality added here is to add 'usernsexec' and 'nsexec'
subcommands to lxc-wrapper.  The 'usernsexec' performs as it
did before.  'nsexec' should perform the same as usernsexec
but not use a user namespace.

The code changes are mostly un-thoughtfully taken from an example
in user_namespaces(7).

usernsexec will put you into a user (CLONE_NEWUSER) namespace.
Both usernsexec and nsexec will put the command into its own
private mount (MS_PRIVATE and CLONE_NEWNS) and pid (CLONE_NEWPID)
namespace.

Using mount and pid namespaces allows for being "sloppy" in leaving
subprocesses or mounts open.  The kernel will clean them all up.

Note, the reason for 'nsexec' is mainly to support 'sudo' builds.
If 'sudo stacker' immediately jumped into a root namespace, then
it ends up being unable to write to many of the user-owned (SUDO_UID)
files or directories.  Using nsexec, root retains all its permissions
but still puts itself into a pid and mount namespace.

Generally speaking, when someone types 'sudo <something>', they
expect that that something will have *elevated* privileges.  Having
stacker immediately drop into root's user namespace meant it really
had no additional privs.

Signed-off-by: Scott Moser <scmoser@cisco.com>

2 things here:
 * Add functionality to call lxc-wrapper 'usernsexec' or 'nsexec'
   based upon whether or not the caller is uid 0.
 * Track whether or not we have entered a namespace
   by referencing/adding the STACKER_REAL_UID environment variable.
   If that variable is found, then MaybeRunInNamespace will
   simply execute the command without changing a namespace.

'stacker internal-go cp' is used internally by 'stacker grab'.
It is run inside a container. Previously it avoided being put in
a namespace simply because the Geteuid() was 0.  But now we put
root in a namespace also, so that won't work.  The change here
(cmd/main.go) is to make 'stacker internal-go cp' be identified as
something that should not be run in a namespace.

Last, change the name MayberunInUserns to MaybeRunInNamespace
to reflect the fact that sometimes it runs in
a namespace that is not a user namespace.

Signed-off-by: Scott Moser <scmoser@cisco.com>

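The two commit messages above describe a launch decision: root callers go through `lxc-wrapper nsexec` (keep root's privileges, new mount and pid namespace), unprivileged callers through `lxc-wrapper usernsexec` (user namespace as well), `stacker internal-go cp` is never wrapped, and a `STACKER_REAL_UID` marker in the environment stops the re-exec from recursing. The following is an added illustration of that logic, not stacker's own code: the subcommand names and the environment variable come from the commit messages, while `Mode`, `chooseMode`, `wrapCommand`, `markerEnv` and the `realUID` lookup via `SUDO_UID` are this example's own assumptions about how the pieces fit together.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"strconv"
	"strings"
	"syscall"
)

// Marker variable from the PR: present once we are already inside our namespace.
const realUIDEnv = "STACKER_REAL_UID"

// Mode is how a stacker invocation should be (re-)launched. Names are this
// example's own; stacker's code is organised differently.
type Mode int

const (
	ModeDirect     Mode = iota // marker set or exempt subcommand: run as-is
	ModeNsexec                 // euid 0: keep root, new mount+pid namespace only
	ModeUsernsexec             // unprivileged: new user+mount+pid namespace
)

// String doubles as the lxc-wrapper subcommand name for the two wrapped modes.
func (m Mode) String() string {
	return [...]string{"direct", "nsexec", "usernsexec"}[m]
}

// isExempt reports whether args is 'internal-go cp', which already runs
// inside a container and must not be put into another namespace.
func isExempt(args []string) bool {
	return len(args) >= 2 && args[0] == "internal-go" && args[1] == "cp"
}

// chooseMode is the decision itself. The marker is only an idempotence
// guard: any caller can export an environment variable, so its presence
// must never be treated as proof that the process is isolated.
func chooseMode(euid int, markerSet bool, args []string) Mode {
	if markerSet || isExempt(args) {
		return ModeDirect
	}
	if euid == 0 {
		return ModeNsexec
	}
	return ModeUsernsexec
}

// wrapCommand builds the argv that re-executes self through the wrapper.
func wrapCommand(mode Mode, wrapper, self string, args []string) []string {
	if mode == ModeDirect {
		return append([]string{self}, args...)
	}
	return append([]string{wrapper, mode.String(), self}, args...)
}

// markerEnv returns env with exactly one STACKER_REAL_UID=<realUID> entry so
// the re-executed process knows it is already inside the namespace.
func markerEnv(env []string, realUID int) []string {
	out := make([]string, 0, len(env)+1)
	for _, kv := range env {
		if !strings.HasPrefix(kv, realUIDEnv+"=") {
			out = append(out, kv)
		}
	}
	return append(out, realUIDEnv+"="+strconv.Itoa(realUID))
}

// realUID is the uid files should be attributed to: SUDO_UID under sudo,
// otherwise the current real uid (assumed behaviour, not stacker's).
func realUID() int {
	if s := os.Getenv("SUDO_UID"); s != "" {
		if n, err := strconv.Atoi(s); err == nil {
			return n
		}
	}
	return os.Getuid()
}

func main() {
	_, markerSet := os.LookupEnv(realUIDEnv)
	mode := chooseMode(os.Geteuid(), markerSet, os.Args[1:])
	self, _ := os.Executable()
	wrapper, err := exec.LookPath("lxc-wrapper")
	argv := wrapCommand(mode, wrapper, self, os.Args[1:])
	fmt.Printf("mode=%s argv=%q\n", mode, argv)
	if mode == ModeDirect || err != nil {
		return // nothing to re-exec into (or no wrapper installed): just report the plan
	}
	// Replace ourselves with the wrapper; on success Exec never returns.
	if err := syscall.Exec(argv[0], argv, markerEnv(os.Environ(), realUID())); err != nil {
		fmt.Fprintln(os.Stderr, "exec failed:", err)
		os.Exit(1)
	}
}
```

Run without `lxc-wrapper` on PATH and it only prints the plan; with it installed it re-executes itself. The isolation property comes from the namespaces the wrapper creates, not from the marker: if a caller pre-sets `STACKER_REAL_UID`, the process simply runs un-namespaced with whatever privileges it already had, so the variable saves a redundant re-exec and nothing more.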
Install squashfuse during github workflow.

Signed-off-by: Scott Moser <scmoser@cisco.com>

Use squashfuse to mount a squash filesystem rather than extracting
it with unsquashfs.  This is nice because:
 * don't need unsquashfs binary (but we do need squashfuse)
 * unsquashfs running unprivileged will error and behave differently
   in different versions.  Such an example is when extracting device
   nodes.
 * faster to use than extracting.

Given a mountpoint of 'path/to/my/mountpoint', the squashfuse debug
output is logged to 'path/to/my/.mountpoint-squashfs.log'.

Note that we are not currently cleaning up any squashfuse processes,
but rather relying on the fact that we should be executing in a pid
and mount namespace, so the kernel will clean them all up.

Note we could support a "real root" option here to mount
via kernel mount rather than squashfuse.

Signed-off-by: Scott Moser <scmoser@cisco.com>
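The commit above leaves squashfuse running and trusts the pid and mount namespace to clean it up, which means the one check a caller really needs is whether the FUSE mount actually appeared before the build goes on to use the directory. The following is an added example, not stacker's code: it derives the log path the commit message specifies, parses `/proc/self/mountinfo` (including the kernel's octal escaping of spaces in mount points), and polls that until the mount is visible. The `-d` flag is libfuse's debug/foreground option and is an assumption about how squashfuse is invoked; `sampleMountInfo` is constructed, not captured from a real host.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
	"time"
)

// squashfuseLogPath derives the log location the commit message describes:
// 'path/to/my/mountpoint' becomes 'path/to/my/.mountpoint-squashfs.log'.
func squashfuseLogPath(mountpoint string) string {
	dir, base := filepath.Split(filepath.Clean(mountpoint))
	return filepath.Join(dir, "."+base+"-squashfs.log")
}

// MountEntry is the subset of a /proc/self/mountinfo line used here.
type MountEntry struct {
	MountPoint string
	FSType     string
	Source     string
}

// unescape undoes the octal escapes the kernel applies to mount points
// containing spaces, tabs, newlines or backslashes.
func unescape(s string) string {
	return strings.NewReplacer(`\040`, " ", `\011`, "\t", `\012`, "\n", `\134`, `\`).Replace(s)
}

// parseMountInfo parses mountinfo text. The " - " separator ends the
// variable-length optional fields; after it come fstype, source, superopts.
func parseMountInfo(text string) []MountEntry {
	var out []MountEntry
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		parts := strings.SplitN(sc.Text(), " - ", 2)
		if len(parts) != 2 {
			continue
		}
		pre, post := strings.Fields(parts[0]), strings.Fields(parts[1])
		if len(pre) < 6 || len(post) < 2 {
			continue
		}
		out = append(out, MountEntry{MountPoint: unescape(pre[4]), FSType: post[0], Source: post[1]})
	}
	return out
}

// isFuseMounted reports whether mountpoint is currently a FUSE mount
// (squashfuse registers as fuse.squashfuse or fuse.squashfuse_ll).
func isFuseMounted(entries []MountEntry, mountpoint string) bool {
	want := filepath.Clean(mountpoint)
	for _, e := range entries {
		if e.MountPoint == want && strings.HasPrefix(e.FSType, "fuse") {
			return true
		}
	}
	return false
}

// mountSquash starts squashfuse with FUSE debug output redirected to the
// derived log file and polls mountinfo until the mount appears. The child is
// neither waited for nor killed: like the PR, this relies on the enclosing
// pid and mount namespace to tear it down.
func mountSquash(image, mountpoint string) (string, error) {
	logPath := squashfuseLogPath(mountpoint)
	logf, err := os.Create(logPath)
	if err != nil {
		return "", err
	}
	defer logf.Close() // the child holds its own copy of the descriptor
	// -d is libfuse's debug flag (implies foreground); assumed, not taken from stacker.
	cmd := exec.Command("squashfuse", "-d", image, mountpoint)
	cmd.Stdout, cmd.Stderr = logf, logf
	if err := cmd.Start(); err != nil {
		return "", err
	}
	for i := 0; i < 50; i++ {
		data, err := os.ReadFile("/proc/self/mountinfo")
		if err != nil {
			return "", err
		}
		if isFuseMounted(parseMountInfo(string(data)), mountpoint) {
			return logPath, nil
		}
		time.Sleep(100 * time.Millisecond)
	}
	return "", fmt.Errorf("squashfuse did not mount %s within 5s; see %s", mountpoint, logPath)
}

// sampleMountInfo is a constructed excerpt (not from a real host); the third
// entry carries an escaped space in its mount point.
const sampleMountInfo = `22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
71 22 0:45 / /tmp/work/mountpoint ro,nosuid,nodev,relatime - fuse.squashfuse squashfuse ro,user_id=1000,group_id=1000
72 22 0:46 / /tmp/work/my\040mountpoint ro,relatime - fuse.squashfuse squashfuse ro,user_id=1000,group_id=1000`

func main() {
	if len(os.Args) == 3 { // usage: prog IMAGE.squashfs MOUNTPOINT
		logPath, err := mountSquash(os.Args[1], os.Args[2])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		fmt.Println("mounted; squashfuse log at", logPath)
		return
	}
	entries := parseMountInfo(sampleMountInfo)
	for _, e := range entries {
		fmt.Printf("%-26s %-16s fuse=%v\n", e.MountPoint, e.FSType, isFuseMounted(entries, e.MountPoint))
	}
}
```

Without arguments the program only walks the constructed sample; given an image and a mount point it performs the real mount. Reading `/proc/self/mountinfo` rather than `/proc/mounts` matters inside a private mount namespace: it reflects exactly the namespace the caller is in, which is the one the build will read from.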
@smoser smoser force-pushed the feature/fuse-maybe branch from 20bfc35 to 4743235 Compare December 1, 2022 15:03
@smoser (Contributor, Author) commented Dec 1, 2022

I guess one thing that I'd really like to have added... but I'm not wanting to do it right now, is a test case like shown in #319.

These changes fix that test case (as I commented in the issue).

Basically, before this commit, we could not do "squashfs only" builds either privileged or unprivileged without starting
from a type: docker url that referenced tar content.

@hallyn hallyn merged commit 5bfae89 into project-stacker:main Dec 1, 2022