add cli integration for masked and readonly paths #1347
Conversation
Signed-off-by: Jess Frazelle <acidburn@microsoft.com>
| @@ -183,6 +187,8 @@ func addFlags(flags *pflag.FlagSet) *containerOptions { | |||
| flags.StringVarP(&copts.user, "user", "u", "", "Username or UID (format: <name|uid>[:<group|gid>])") | |||
| flags.StringVarP(&copts.workingDir, "workdir", "w", "", "Working directory inside the container") | |||
| flags.BoolVar(&copts.autoRemove, "rm", false, "Automatically remove the container when it exits") | |||
| flags.Var(&copts.maskedPaths, "masked-paths", "Denote the paths to be masked for the container, empty implies none") | |||
There was a problem hiding this comment.
empty implies default, not "none"?
There was a problem hiding this comment.
It implies none, of "paths to be masked for the containers"
| @@ -50,6 +50,19 @@ func TestRunWithContentTrust(t *testing.T) { | |||
| }) | |||
| } | |||
|
|
|||
| func TestRunMaskedPaths(t *testing.T) { | |||
There was a problem hiding this comment.
Especially we need to make sure nil and []string{} are treated differently
There was a problem hiding this comment.
yeah was about to add tests but waited also im confused as to if the tests from docker/docker will be moved here too?
There was a problem hiding this comment.
@jessfraz new tests from docker/docker should only test the API — or be unit tests 😝). Any tests using the cli should indeed be there.
| for _, p := range paths { | ||
| if p == "none" { | ||
| if len(paths) > 1 { | ||
| return nil, errors.New("Passing 'none' and other paths is not allowed") |
There was a problem hiding this comment.
nit: error string should not be capitalized
|
Any update on this and if it'll get merged? |
|
Can we also have |
|
@jessfraz @AkihiroSuda @vdemeester So I know this may be controversial but what do you think of putting these behind I know it's ugly because in the API it's not a security opt, but the rationale for this suggestion is that it's not necessarily obvious for users that this may have a security implication as defaults are overridden. If we agree on this, we could have the API accept either security opts or regular run options. Let me know what you think! |
|
FYI: it turned out that |
|
Maybe:
|
Wondering if the API must reflect the UX, I don't think that's strictly required.
@AkihiroSuda wondering how that option would work in conjunction with the other options; should we error (conflicting options)? I recall the original discussion on the API side of things that we preferred explicit over implicit, so providing your own set of "masked" and/or "read only" paths. That was of course from the API perspective, so UX can differentiate from that. If we use |
|
I'm okay with any of the options listed above :) |
I don't think you can actually do |
|
@tonistiigi If it's |
|
@tiborvass There is no other value. If we want then |
|
@tonistiigi how is this going? I am exited to see this working |
Does anyone have objections to this? I'm good with any of them. @thaJeztah Might be good to add this to maintainer session today. |
UX-wise, I like that option, so (name to be discussed); Would send the equivalent of Concern:
I think it's important when dealing with security configuration to make "doing the right thing" easier than "doing the wrong thing". So; do we also want to provide a more fine-grained approach on the CLI; an option to manually provide exactly which paths to mask/mark readonly? If yes: that would raise the question #1347 (comment)
Approach could then be; Implement a
When creating a container;
@justincormack @jessfraz I know you're better at security than I am, so wondering what you think, or what suggestions you have 😅 Adding this to next week's maintainers meeting as well (this week didn't happen, due to many people travelling or at KubeCon) |
|
I don't think setting the defaults makes sense, it is too confusing for different people to have different defaults. A security option to remove them all seems ok, and an API option to set them, and maybe a security option eg |
|
Any update ? |
|
when in this expected to be released? |
|
Let's roll with |
|
Hi @jessfraz, https://github.com/genuinetools/img#running-with-docker led me here. While this PR is still pending, is there a way to take your fix here and test img build in a unprivileged container in Kubernetes? |
OK, so;
Correct? |
|
@thaJeztah yes. cc @justincormack |
|
Needs a rebase 😅 |
Also needs an actual implementation of the proposed changes #1347 (comment) @tiborvass were you planning on making those? |
|
ah okay is this on me? I can do that |
|
@jessfraz I was about to do it but feel free! |
|
@tiborvass @jessfraz I see @martencassel started working on the implementation; see #1808 |
|
Thank you!!
…On Fri, Apr 5, 2019 at 7:52 AM Sebastiaan van Stijn < ***@***.***> wrote:
@tiborvass <https://github.com/tiborvass> @jessfraz
<https://github.com/jessfraz> I see @martencassel
<https://github.com/martencassel> started working on the implementation;
see #1808 <#1808>
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#1347 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/ABYNbI0BBWxwEA_cZ68cw-XZNcav0tEKks5vdzjkgaJpZM4WdGEv>
.
--
Jessie Frazelle
4096R / D4C4 DD60 0D66 F65A 8EFC 511E 18F3 685C 0022 BFF3
pgp.mit.edu <http://pgp.mit.edu/pks/lookup?op=get&search=0x18F3685C0022BFF3>
|
|
#1808 is merged |
|
Thank you @jessfraz and @martencassel ! |
I wanted to make sure this design was okay before going any further.
This adds flags --masked-paths and --readonly-paths to the cli as a follow up from moby/moby#36644 cc @AkihiroSuda
Happy to change the design in any way you want then will add docs and tests.