Merged
Force-pushed ca00ac9 to 2eef625
Force-pushed 012aee5 to b287f83
Contributor:
Would squash it once done.

Contributor (Author):
I think it is done. I'd prefer to leave it as 4 commits. It is 4 units of work.
Force-pushed b287f83 to 20bfc35
hallyn approved these changes Nov 30, 2022
smoser commented Nov 30, 2022
Added 4 commits December 1, 2022 07:03:
The functionality added here is to add 'usernsexec' and 'nsexec' subcommands to lxc-wrapper. The 'usernsexec' performs as it did before. 'nsexec' should perform the same as usernsexec but not use a user namespace.

The code changes are mostly un-thoughtfully taken from an example in user_namespaces(7).

usernsexec will put you into a user (CLONE_NEWUSER) namespace. Both usernsexec and nsexec will put the command into its own private mount (MS_PRIVATE and CLONE_NEWNS) and pid (CLONE_NEWPID) namespace. Using mount and pid namespaces allows for being "sloppy" in leaving subprocesses or mounts open. The kernel will clean them all up.

Note, the reason for 'nsexec' is mainly to support 'sudo' builds. If 'sudo stacker' immediately jumped into a root namespace, then it ends up being unable to write to many of the user-owned (SUDO_UID) files or directories. Using nsexec, root retains all its permissions but still puts itself into a pid and mount namespace.

Generally speaking, when someone types 'sudo <something>', they expect that that something will have *elevated* privileges. Having stacker immediately drop into root's user namespace meant it really had no additional privs.

Signed-off-by: Scott Moser <scmoser@cisco.com>
2 things here:

* Add functionality to call lxc-wrapper 'usernsexec' or 'nsexec' based upon whether or not the caller is uid 0.
* Track whether or not we have entered a namespace by referencing/adding the STACKER_REAL_UID environment variable. If that variable is found, then MaybeRunInNamespace will simply execute the command without changing a namespace.

'stacker internal-go cp' is used internally by 'stacker grab'. It is run inside a container. Previously it avoided being put in a namespace simply because the Geteuid() was 0. But now we put root in a namespace also, so that won't work. The change here (cmd/main.go) is to make 'stacker internal-go cp' be identified as something that should not be run in a namespace.

Last, change the name MayberunInUserns to MaybeRunInNamespace to reflect the fact that sometimes it runs in a namespace that is not a user namespace.

Signed-off-by: Scott Moser <scmoser@cisco.com>
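The two commit messages above describe the mechanism (usernsexec adds CLONE_NEWUSER, both subcommands add a private mount namespace and a pid namespace) and the decision logic (pick the subcommand by uid, and use STACKER_REAL_UID as the "already inside" marker). The following is an added example written for this page; it is not stacker's lxc-wrapper code nor the user_namespaces(7) sample it cites. The helper names (`ns_flags_for_uid`, `already_in_namespace`, `format_id_map`, `map_self_to_root`) are hypothetical, and it assumes, as the messages describe, that uid 0 gets mount and pid namespaces only while any other caller also gets a user namespace with a single-entry uid/gid map.

```c
/* Added example, not stacker's lxc-wrapper code or the user_namespaces(7)
 * sample it cites: a minimal nsexec/usernsexec. Assumptions (hypothetical
 * helper names): STACKER_REAL_UID set means the namespace was already
 * entered; uid 0 gets mount+pid namespaces only (nsexec); anyone else also
 * gets a user namespace with a single-entry uid/gid map (usernsexec). */
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef CLONE_NEWUSER /* kernel values, in case sched.h predates _GNU_SOURCE */
#define CLONE_NEWNS   0x00020000
#define CLONE_NEWUSER 0x10000000
#define CLONE_NEWPID  0x20000000
#endif
int unshare(int flags); /* same reason: glibc declares it only under _GNU_SOURCE */

/* Root keeps its identity (no CLONE_NEWUSER) so 'sudo stacker' stays
 * privileged; an unprivileged caller needs CLONE_NEWUSER before the kernel
 * lets it create mount and pid namespaces at all. */
int ns_flags_for_uid(uid_t uid)
{
    int flags = CLONE_NEWNS | CLONE_NEWPID;
    return uid == 0 ? flags : flags | CLONE_NEWUSER;
}

/* STACKER_REAL_UID marks that a namespace was already entered: a nested
 * invocation must exec directly instead of entering again. */
int already_in_namespace(const char *real_uid_env)
{
    return real_uid_env != NULL && real_uid_env[0] != '\0';
}

/* One "inside outside length" map line mapping our real id to 0. */
int format_id_map(char *buf, size_t len, unsigned long outside_id)
{
    return snprintf(buf, len, "0 %lu 1\n", outside_id);
}

static int write_file(const char *path, const char *data, int n)
{
    int fd = open(path, O_WRONLY);
    int rc = (fd >= 0 && write(fd, data, n) == n) ? 0 : -1;
    if (fd >= 0)
        close(fd);
    return rc;
}

/* After unshare(CLONE_NEWUSER) we may write our own map; setgroups must be
 * denied first or an unprivileged process cannot write gid_map. */
static int map_self_to_root(uid_t uid, gid_t gid)
{
    char line[64];
    int n = format_id_map(line, sizeof line, (unsigned long)uid);
    if (write_file("/proc/self/setgroups", "deny", 4) != 0 ||
        write_file("/proc/self/uid_map", line, n) != 0)
        return -1;
    n = format_id_map(line, sizeof line, (unsigned long)gid);
    return write_file("/proc/self/gid_map", line, n);
}

int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: %s command [args...]\n", argv[0]); return 2; }
    if (already_in_namespace(getenv("STACKER_REAL_UID"))) {
        execvp(argv[1], argv + 1);
        perror("execvp");
        return 127;
    }
    uid_t uid = getuid();
    gid_t gid = getgid();
    int flags = ns_flags_for_uid(uid);
    char real_uid[32];
    snprintf(real_uid, sizeof real_uid, "%lu", (unsigned long)uid);
    setenv("STACKER_REAL_UID", real_uid, 1); /* inherited by the command */

    if (unshare(flags) != 0) { perror("unshare"); return 1; }
    if ((flags & CLONE_NEWUSER) && map_self_to_root(uid, gid) != 0) { perror("id map"); return 1; }
    /* Private propagation: mounts made below (e.g. squashfuse) never reach the
     * host and disappear when the last process in this mount namespace exits. */
    if (mount("none", "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0) { perror("mount"); return 1; }
    /* CLONE_NEWPID applies to children only: the fork below becomes pid 1 of
     * the new namespace, and when it exits the kernel kills everything left in
     * it, which is why leaking subprocesses or mounts here is harmless. */
    pid_t child = fork();
    if (child < 0) { perror("fork"); return 1; }
    if (child == 0) {
        execvp(argv[1], argv + 1);
        perror("execvp");
        _exit(127);
    }
    int status;
    if (waitpid(child, &status, 0) < 0) { perror("waitpid"); return 1; }
    return WIFEXITED(status) ? WEXITSTATUS(status) : 128 + WTERMSIG(status);
}
```

Build with `cc -o nsexec nsexec.c` and run `./nsexec sh -c 'echo $$; mount | head -1'`: as a normal user the shell reports pid 1 and sees the host mounts (the mount namespace starts as a copy), and a second `./nsexec` invoked from inside just execs because STACKER_REAL_UID is already set. The nested-call guard is the same reason the commit needs 'stacker internal-go cp' excluded: inside a container the euid-is-0 heuristic no longer distinguishes "real root" from "root in a user namespace".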
Install squashfuse during github workflow.

Signed-off-by: Scott Moser <scmoser@cisco.com>
Use squashfuse to mount a squash filesystem rather than extracting it with unsquashfs. This is nice because:

* don't need unsquashfs binary (but we do need squashfuse)
* unsquashfs running unprivileged will error and behave differently in different versions. Such an example is when extracting device nodes.
* faster use than extracting.

Given a mountpoint of 'path/to/my/mountpoint', the squashfuse debug output is logged to 'path/to/my/.mountpoint-squashfs.log'.

Note that we are not currently cleaning up any squashfuse processes, but rather relying on the fact that we should be executing in a pid and mount namespace, so the kernel will clean them all up.

Note we could support a "real root" option here to mount via kernel mount rather than squashfuse.

Signed-off-by: Scott Moser <scmoser@cisco.com>
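The log-file convention and the "don't clean up, let the namespace do it" choice in the commit above, as an added example that is not stacker's own code. `squashfuse_log_path` and `mount_squash_with_squashfuse` are hypothetical names; the example assumes squashfuse backgrounds itself once the mount is established (so waiting for the process we forked doubles as a readiness check) and passes no debug flag, since the commit does not say which one it uses.

```c
/* Added example, not stacker's code: mount a squashfs image with squashfuse,
 * sending its stderr to the '.<mountpoint>-squashfs.log' sibling file, and
 * deliberately not tracking the daemon afterwards because the enclosing
 * pid/mount namespace tears it down. Assumption: squashfuse daemonizes once
 * the mount is ready, so the exit of the forked process means "mounted". */
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* "path/to/my/mountpoint" -> "path/to/my/.mountpoint-squashfs.log".
 * Trailing slashes are ignored so the hidden file lands beside the
 * mountpoint. Returns 0 on success, -1 if there is no last component
 * (e.g. "/") or the output buffer is too small. */
int squashfuse_log_path(const char *mountpoint, char *out, size_t outlen)
{
    size_t len = strlen(mountpoint);
    while (len > 1 && mountpoint[len - 1] == '/')
        len--;
    size_t base = len; /* start of the last path component */
    while (base > 0 && mountpoint[base - 1] != '/')
        base--;
    if (base == len)
        return -1;
    int n = snprintf(out, outlen, "%.*s.%.*s-squashfs.log",
                     (int)base, mountpoint, (int)(len - base), mountpoint + base);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Run "squashfuse <image> <mountpoint>" with stderr redirected to the log.
 * Returns 0 once the foreground process exits successfully. The FUSE daemon
 * it leaves behind is intentionally not tracked (see commit message). */
int mount_squash_with_squashfuse(const char *image, const char *mountpoint)
{
    char logpath[PATH_MAX];
    if (squashfuse_log_path(mountpoint, logpath, sizeof logpath) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int fd = open(logpath, O_WRONLY | O_CREAT | O_APPEND, 0600);
        if (fd < 0 || dup2(fd, STDERR_FILENO) < 0)
            _exit(126);
        close(fd);
        execlp("squashfuse", "squashfuse", image, mountpoint, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s image.squashfs mountpoint\n", argv[0]);
        return 2;
    }
    return mount_squash_with_squashfuse(argv[1], argv[2]) == 0 ? 0 : 1;
}
```

Run inside the pid/mount namespace set up by nsexec or usernsexec; outside one, the squashfuse daemon and its mount outlive the caller and have to be unmounted by hand, which is exactly the leak the commit relies on the kernel to prevent.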
Force-pushed 20bfc35 to 4743235
Contributor (Author):
I guess one thing that I'd really like to have added.... but I'm not wanting to do it right now, is a test case like shown in #319. These changes fix that test case (as I commented in the issue). Basically, before this commit, we could not do "squashfs only" builds either privileged or unprivileged without starting
Lots of debug here.
Definitely work in progress. Locally it passes a few small tests for me.