Skip to content
This repository has been archived by the owner on Aug 5, 2020. It is now read-only.

Commit

Permalink
Merge pull request #185 from phylake/r2-remediations
Browse files Browse the repository at this point in the history
R2 remediations
  • Loading branch information
phylake authored Jan 25, 2018
2 parents f2685dc + 98bf74f commit 2eb2eb8
Show file tree
Hide file tree
Showing 15 changed files with 64 additions and 20 deletions.
9 changes: 7 additions & 2 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,10 @@
`porter` is [semantically versioned](http://semver.org/spec/v2.0.0.html)

### v5.0.0

- build porter with Go 1.9.2
- default to `--pids-limit=4096`

### v4.9.0

- HAProxy `maxconn` is configurable
Expand Down Expand Up @@ -56,7 +61,7 @@

- HAProxy stats endpoint auth is now randomized
- re-enabled keep-alive between HAProxy and containers
- building on go 1.8
- build porter with Go 1.8
- added STANDARD_IA to secrets and CFN template uploads

### v4.1.1
Expand Down Expand Up @@ -105,7 +110,7 @@

- additional UPDATE steady states allow ASG matching
- any UPDATE in progress state causes hot swap to fail
- mac binaries are now built with Go 1.7.3
- build porter with Go 1.7.3
- match currently promoted stack's ASG size for provisioning and hot swap

### v3.0.1
Expand Down
2 changes: 1 addition & 1 deletion Dockerfile.godep
Original file line number Diff line number Diff line change
@@ -1,3 +1,3 @@
FROM golang:1.8.1
FROM golang:1.9.2

RUN go get github.com/tools/godep
2 changes: 1 addition & 1 deletion Dockerfile.linux
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
FROM golang:1.8.1
FROM golang:1.9.2

ADD . /go/src/github.com/adobe-platform/porter
WORKDIR /go/src/github.com/adobe-platform/porter
Expand Down
2 changes: 1 addition & 1 deletion Dockerfile.test
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
FROM golang:1.8.1
FROM golang:1.9.2

RUN go get github.com/onsi/ginkgo/ginkgo
RUN go get github.com/onsi/gomega
Expand Down
6 changes: 6 additions & 0 deletions MIGRATING.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,12 @@ Migration

Read the [release notes](RELEASE_NOTES.md) for context on these changes.

v4 to v5
--------

No migration steps are needed unless you hit
[`pids_limit`](docs/detailed_design/config-reference.md#pids_limit)

v3 to v4
--------

Expand Down
13 changes: 13 additions & 0 deletions RELEASE_NOTES.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,19 @@ See the [CHANGELOG](CHANGELOG.md) for a complete list of changes.

`porter` is [semantically versioned](http://semver.org/spec/v2.0.0.html)

v5.0
====

`docker run` now includes a default `--pids-limit=4096` to protect against fork
bombs

This shouldn't be a breaking change for normal applications but it's possible
which is why there's a major version bump.

`--pids-limit` can't be disabled but can be increased from the default by
defining [`pids_limit`](docs/detailed_design/config-reference.md#pids_limit)
on the `container`

v4.9
====

Expand Down
6 changes: 3 additions & 3 deletions commands/build/promote.go
Original file line number Diff line number Diff line change
Expand Up @@ -59,15 +59,15 @@ func (recv *PromoteCmd) SubCommands() []cli.Command {
}

func (recv *PromoteCmd) Execute(args []string) bool {
var provisionOutputPath, elbType string
var provisionOutputPath, elbTag string

if len(args) == 1 && args[0] == "--help" {
return false
}

flagSet := flag.NewFlagSet("", flag.ContinueOnError)
flagSet.StringVar(&provisionOutputPath, "provision-output", "", "")
flagSet.StringVar(&elbType, "elb", "", "")
flagSet.StringVar(&elbTag, "elb", "", "")
flagSet.Parse(args)

if provisionOutputPath == "" {
Expand All @@ -94,7 +94,7 @@ func (recv *PromoteCmd) Execute(args []string) bool {
return true
}

if !doPromote(log, stack, elbType) {
if !doPromote(log, stack, elbTag) {
os.Exit(1)
}

Expand Down
3 changes: 3 additions & 0 deletions commands/host/docker.go
Original file line number Diff line number Diff line change
Expand Up @@ -209,6 +209,9 @@ func startContainers(environmentStr, regionStr string) {

"--net", "porter",

// prevent fork bombs
"--pids-limit", strconv.Itoa(container.PidsLimit),

// Read in additional variables written during bootstrap
"--env-file", constants.EnvFile,

Expand Down
5 changes: 5 additions & 0 deletions conf/conf.go
Original file line number Diff line number Diff line change
Expand Up @@ -81,6 +81,7 @@ type (
DockerfileBuild string `yaml:"dockerfile_build"`
HealthCheck *HealthCheck `yaml:"health_check"`
SrcEnvFile *SrcEnvFile `yaml:"src_env_file"`
PidsLimit int `yaml:"pids_limit"`
}

SrcEnvFile struct {
Expand Down Expand Up @@ -365,6 +366,10 @@ func (recv *Config) SetDefaults() {
container.DockerfileBuild = "Dockerfile.build"
}

if container.PidsLimit == 0 {
container.PidsLimit = 4096
}

if container.Topology == Topology_Inet {

if container.HealthCheck == nil {
Expand Down
17 changes: 9 additions & 8 deletions conf/environment.go
Original file line number Diff line number Diff line change
Expand Up @@ -17,25 +17,26 @@ import (
"time"
)

func (recv *Environment) GetELBForRegion(reg string, elb string) (string, error) {
func (recv *Environment) GetELBForRegion(reg string, elbTag string) (string, error) {
region, err := recv.GetRegion(reg)
if err != nil {
return "", err
}

// always return this if defined. it supersedes the old scheme
if region.ELB != "" {
return region.ELB, nil
}

// backward compatibility with old scheme
for _, loadBalancer := range region.ELBs {
if loadBalancer.ELBTag == elb {
if loadBalancer.ELBTag == elbTag {
return loadBalancer.Name, nil
}
}

return "", fmt.Errorf("ELB tagged %s doesn't exist in the config for region %s", elb, reg)
// elbTag will most often be "" so fall through
// to untagged single ELB if defined
if region.ELB != "" {
return region.ELB, nil
}

return "", fmt.Errorf("ELB tagged %s doesn't exist in the config for region %s", elbTag, reg)
}

func (recv *Environment) GetRegion(regionName string) (*Region, error) {
Expand Down
4 changes: 4 additions & 0 deletions conf/validate.go
Original file line number Diff line number Diff line change
Expand Up @@ -334,6 +334,10 @@ func (recv *Region) ValidateContainers() error {
}
}

if container.PidsLimit < 1 {
return errors.New("pids_limit must be greater than or equal to 1")
}

if containerCount > 1 && !containerNameRegex.MatchString(container.Name) {
return errors.New("Invalid container name")
}
Expand Down
7 changes: 7 additions & 0 deletions docs/detailed_design/config-reference.md
Original file line number Diff line number Diff line change
Expand Up @@ -63,6 +63,7 @@ For each field the following notation is used
- [read_only](#read_only) (==1?)
- [health_check](#health_check) (==1?)
- [src_env_file](#src_env_file) (==1?)
- [pids_limit](#pids_limit) (==1?)
- [hooks](#hooks) (==1?)
- pre_pack (==1?)
- [repo](#repo) (==1!)
Expand Down Expand Up @@ -720,6 +721,12 @@ health_check:
See the docs on [container config](container-config.md) for more info on this
field
### pids_limit
Set `--pids-limit` on the container.
The default is 4096.
### hooks
Read more about [deployment hooks](deployment-hooks.md)
Expand Down
4 changes: 2 additions & 2 deletions promote/promote.go
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ const (
pollDuration = 10 * time.Minute
)

func Promote(log log15.Logger, config *conf.Config, stack *provision_state.Stack, elb string) (success bool) {
func Promote(log log15.Logger, config *conf.Config, stack *provision_state.Stack, elbTag string) (success bool) {

successChan := make(chan bool)

Expand All @@ -38,7 +38,7 @@ func Promote(log log15.Logger, config *conf.Config, stack *provision_state.Stack
go func(regionName string, regionState *provision_state.Region) {

successChan <- promoteService(log, stack.Environment, regionName,
regionState, config, elb)
regionState, config, elbTag)

}(regionName, regionState)
}
Expand Down
2 changes: 1 addition & 1 deletion sample_project/Dockerfile.build
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
FROM golang:1.8.1
FROM golang:1.9.2

ADD . /go/src/github.com/adobe-platform/sample_project
WORKDIR /go/src/github.com/adobe-platform/sample_project
Expand Down
2 changes: 1 addition & 1 deletion testintegration/Dockerfile.inet.build
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
FROM golang:1.8.1
FROM golang:1.9.2

ADD . /go/src/github.com/adobe-platform/porter_test
WORKDIR /go/src/github.com/adobe-platform/porter_test
Expand Down

0 comments on commit 2eb2eb8

Please sign in to comment.