
create links for ephemeral storage devices #1173

Merged
merged 2 commits into from
Oct 23, 2020

Conversation

bcressey
Contributor

Issue number:
#1088

Description of changes:
Populate /dev/disk/ephemeral with links to ephemeral storage devices.

Update security guidance to reflect the risks of mapping a block device into an untrusted container.

Testing done:

Verified that the two ephemeral disks were linked on an m5ad.4xlarge:

# ls -latr /dev/disk/ephemeral/

lrwxrwxrwx. 1 root root  13 Oct 18 04:11 nvme-Amazon_EC2_NVMe_Instance_Storage_AWS27A87D8ECFBD312B5 -> ../../nvme3n1
lrwxrwxrwx. 1 root root  13 Oct 18 04:11 nvme-Amazon_EC2_NVMe_Instance_Storage_AWS220C24D1769700C7B -> ../../nvme2n1

Verified that other disks were classified as "system":

# ghostdog scan /dev/nvme0n1
BOTTLEROCKET_DEVICE_TYPE=system

# ghostdog scan /dev/nvme1n1
BOTTLEROCKET_DEVICE_TYPE=system

# ghostdog scan /dev/nvme2n1
BOTTLEROCKET_DEVICE_TYPE=ephemeral

# ghostdog scan /dev/nvme3n1
BOTTLEROCKET_DEVICE_TYPE=ephemeral

Verified that the external static provisioner could discover the ephemeral disks:

$ kubectl describe pv local-pv-eddb9f1f
...
Source:
    Type:  LocalVolume (a persistent volume backed by local storage on a node)
    Path:  /dev/disk/ephemeral/nvme-Amazon_EC2_NVMe_Instance_Storage_AWS220C24D1769700C7B
Events:    <none>

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

@bcressey bcressey added this to the v1.0.3 milestone Oct 19, 2020
packages/os/ephemeral-storage.rules (review thread, resolved)
sources/ghostdog/src/main.rs (review thread, outdated, resolved)
Some EC2 instance types come with disks that are physically connected
to the host. Kubernetes can use these as local persistent volumes in
conjunction with an external static provisioner.

To make it easier to configure the static provisioner, we now create
symlinks to known ephemeral disk devices in /dev/disk/ephemeral.

Incorrectly identifying a device as ephemeral when it is not could
cause irrecoverable data loss. Hence we take an "allowlist" approach
where only specific device types are included, and check for known
partition types as an additional safeguard.

Warn about giving containers access to block devices, since this can
lead to host compromise even if the system disks are not exposed.

Signed-off-by: Ben Cressey <bcressey@amazon.com>
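The allowlist-plus-partition-check approach from the commit message, as an added illustration rather than ghostdog's own code: the device model string is assumed from the symlink names in the test output, and the system partition type GUIDs are constructed placeholders, not Bottlerocket's real ones. Anything that is not positively identified is treated as "system" so it is never linked under /dev/disk/ephemeral.

```rust
#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum DeviceType {
    System,
    Ephemeral,
}

/// Device models eligible to be treated as ephemeral storage.
/// Assumption: EC2 instance store reports this model string (derived from
/// the nvme-Amazon_EC2_NVMe_Instance_Storage_* link names above).
const EPHEMERAL_MODELS: &[&str] = &["Amazon EC2 NVMe Instance Storage"];

/// GPT partition type GUIDs that mark a disk as holding OS data.
/// Constructed placeholders; a real build would carry the OS's own GUIDs.
const KNOWN_SYSTEM_PART_TYPES: &[&str] = &[
    "00000000-0000-4000-8000-00000000a001", // placeholder: root partition
    "00000000-0000-4000-8000-00000000a002", // placeholder: data partition
];

/// One block device: its reported model and the partition type GUIDs found
/// in its GPT (empty when the disk carries no partition table).
pub struct DeviceInfo<'a> {
    pub model: &'a str,
    pub partition_types: &'a [&'a str],
}

/// Only allowlisted models may be ephemeral, and any known system partition
/// type forces "system", so a reused or mislabelled disk is never exposed
/// as scratch storage. Unknown devices fail closed to "system".
pub fn classify(dev: &DeviceInfo) -> DeviceType {
    let model_allowed = EPHEMERAL_MODELS.iter().any(|m| dev.model.trim() == *m);
    let has_system_part = dev.partition_types.iter().any(|p| {
        KNOWN_SYSTEM_PART_TYPES.iter().any(|k| k.eq_ignore_ascii_case(p))
    });
    if model_allowed && !has_system_part {
        DeviceType::Ephemeral
    } else {
        DeviceType::System
    }
}

/// Render the verdict in the KEY=VALUE form shown in the PR's test output.
pub fn render(dt: DeviceType) -> String {
    let v = match dt {
        DeviceType::System => "system",
        DeviceType::Ephemeral => "ephemeral",
    };
    format!("BOTTLEROCKET_DEVICE_TYPE={}", v)
}
```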
@webern webern left a comment

💾

GLOSSARY.md (review thread, resolved)
@zmrow zmrow left a comment

Nice! 🚜

sources/ghostdog/src/main.rs (review thread, resolved)