Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

provide settings for creating paths on the host #1208

Closed
bcressey opened this issue Nov 12, 2020 · 4 comments
Closed

provide settings for creating paths on the host #1208

bcressey opened this issue Nov 12, 2020 · 4 comments
Assignees
@arnaldo2792
Labels
type/enhancement New feature or request
Milestone
v1.1.2

Comments

@bcressey
Copy link
Contributor

What I'd like:
I'd like the ability to create paths on the host, with specific permissions and an SELinux label. This will help scenarios where a single container needs to be able to write to a directory while many containers need to read from it.

Any alternatives you've considered:
This can be worked around in general with a daemonset pod that mounts host volumes, creates the required directories, sets the permissions, and then sleeps forever. But this is somewhat clunky compared to the alternative on other distros, where that can be handled via cloud-init as a one-time step on startup.
@bcressey bcressey added the type/enhancement New feature or request label Nov 12, 2020
@bcressey
Copy link
Contributor Author

bcressey commented Nov 12, 2020
edited
Loading

Here's the design I have in mind for this.

Create /local/host-paths/example1 with specific permissions and label:

[settings.host-paths.example1]
uid = 0
gid = 0
mode = 755
label = "system_u:object_r:local_t:s0"

Create /local/host-paths/example2 with default permissions and specific label:

[settings.host-paths.example2]
label = "system_u:object_r:any_t:s0"

Create /local/host-paths/example3 with default permissions and label:

[settings.host-paths.example3]

The main constraint is that the parent path is fixed, and the directories can't be nested. This simplifies the implementation since we won't end up with intermediate paths with ambiguous permissions, and we won't need to worry about the paths that come in via settings conflicting with paths that system services use, which may have other restrictions for security reasons.

@bcressey bcressey mentioned this issue Nov 12, 2020
Closed
@jhaynes jhaynes assigned jhaynes and arnaldo2792 and unassigned jhaynes Jan 12, 2021
@bcressey
Copy link
Contributor Author

This could intersect with #1209 by also allowing host-paths to indicate a storage device:

[settings.host-paths.example4]
storage-device = "ephemeral-0"

The above snippet would create the directory and a symlink:

/local/ephemeral-disks/by-index/0/host-paths/example1
/local/host-paths/example1 -> /local/ephemeral-disks/by-index/0/host-paths/example1

@bcressey
Copy link
Contributor Author

bcressey commented Feb 5, 2021

We decided not to allow creating host paths on ephemeral storage devices. It introduces a lot of complexity since we have to account for the device being added or removed out of sync with directory creation. It's also inherently ambiguous since we don't control enumeration order for devices, and can't guarantee where the path will be created.

@bcressey bcressey mentioned this issue Feb 10, 2021
Closed
@gregdek gregdek assigned bcressey and unassigned arnaldo2792 Mar 3, 2021
@bcressey bcressey mentioned this issue Mar 15, 2021
Closed
@jhaynes jhaynes added this to the next+1 milestone Mar 31, 2021
@jhaynes
Copy link
Contributor

jhaynes commented May 12, 2021

Bootstrap containers can be used to accomplish this as of Bottlerocket version 1.0.8. We've documented an example in the discussions here.

@jhaynes jhaynes closed this as completed May 12, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@arnaldo2792 arnaldo2792

Labels
type/enhancement New feature or request
Projects
None yet
Milestone
v1.1.2
Development

No branches or pull requests
4 participants
@bcressey @gregdek @jhaynes @arnaldo2792