
plugincontainer: Support plugins in rootless runtime with nonroot user #107

Merged: 16 commits into main from support-rootless-nonroot-user-plugins, Nov 20, 2023

Conversation

tomhjp (Contributor) commented Oct 27, 2023

Support running as non-root container users under rootless container runtimes.

  • Adds a new configuration option Config.Rootless, which should be used when both the runtime and the container user are running as non-root. It sets up default ACLs on the host socket directory, and gives the container the DAC_OVERRIDE capability to ensure each side can write to the shared Unix socket and folder despite each being owned by one side and the other side being a different user on the host.
  • Pulls in go-plugin#288 (Support muxing gRPC broker connections over a single net.Conn) and uses the new GRPCBrokerMultiplexing option to eliminate host-side sockets and reduce the --host-uds flag from all to create, which means no Unix domain sockets from the host will ever be available inside gVisor containers.
  • Stop skipping rootless + nonroot matrix compatibility tests for gVisor
  • Drop podman tests for now - they are different enough to be a pain but we don't currently have strong requirements to support podman. It could still get re-added at a later date though.

tomhjp (Contributor, Author) commented Oct 30, 2023

Note: After some offline feedback, this is still a bit of a work in progress. @mickael-hc pointed out the 0o777 folder could be taken over, so I tried to fix that by ensuring it's inside a more limited folder in ce76700, but for some reason that broke the rootless mlock tests.

tomhjp (Contributor, Author) commented Nov 2, 2023

Just pushed some updates that switch from a 0o777 folder to using the DAC_OVERRIDE capability instead. I don't think I'd want to support that for runc, because runc will require that rootlesskit on the host has the capability itself (and it's a very powerful capability), but it seems more reasonable for runsc which doesn't need that because AFAIU it has its own userspace implementation instead of relying on the real underlying kernel.

swenson (Contributor) left a review comment:

LGTM

Review thread on plugincontainer/compatibility_matrix_test.go (resolved)

tomhjp (Contributor, Author) commented Nov 20, 2023

Thanks! It took me a while to fully convince myself of the need for GroupAdd and Rootless together. For reference, this paper (attached for posterity) had the most thorough explanation I could find for putting the full picture together.

Attachment: POSIX Access Control Lists on Linux, Andreas Grunbacher.pdf

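Added example (not code from this PR or from the plugincontainer package): the two POSIX ACL mechanics that the description and the last comment rely on, a default ACL on the host socket directory that grants one other host UID access without falling back to a world-writable 0o777 directory, and the mask:: entry that caps what named-user and group entries, including any group granted via GroupAdd, effectively give. The xattr encoding (system.posix_acl_access / system.posix_acl_default, version 2, 8-byte entries) is the kernel's own format; the function names, the 100999 peer UID and the choice to deny "other" entirely are assumptions for illustration. Apply needs Linux and a filesystem with ACL support; Encode and Effective run anywhere.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"os"
	"syscall"
)

// POSIX ACL xattr blob: LE uint32 version 2, then 8-byte entries {tag u16, perm u16, id u32}.
const (
	aclVersion uint32 = 2
	// Entry tags, in the order the kernel requires: user::, user:<uid>:, group::, group:<gid>:, mask::, other::.
	TagUserObj, TagUser, TagGroupObj, TagGroup, TagMask, TagOther uint16 = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
)

type Entry struct {
	Tag, Perm uint16 // Perm holds rwx bits 0..7
	ID        uint32 // uid/gid for TagUser/TagGroup, ignored for the other tags
}

// Encode serialises entries already in kernel order, rejecting what the kernel rejects.
func Encode(entries []Entry) ([]byte, error) {
	seen := map[uint16]bool{}
	for i, e := range entries {
		if e.Perm > 7 || e.Tag == 0 || e.Tag > TagOther || e.Tag&(e.Tag-1) != 0 || (i > 0 && e.Tag < entries[i-1].Tag) {
			return nil, fmt.Errorf("entry %d: bad tag/perm or out of kernel order", i)
		}
		seen[e.Tag] = true
	}
	if !seen[TagUserObj] || !seen[TagGroupObj] || !seen[TagOther] || ((seen[TagUser] || seen[TagGroup]) && !seen[TagMask]) {
		return nil, errors.New("ACL needs user::, group:: and other::, plus mask:: when named entries are present")
	}
	buf := make([]byte, 4+8*len(entries))
	binary.LittleEndian.PutUint32(buf, aclVersion)
	for i, e := range entries {
		id := uint32(0xFFFFFFFF) // ACL_UNDEFINED_ID for entries without a uid/gid
		if e.Tag == TagUser || e.Tag == TagGroup {
			id = e.ID
		}
		binary.LittleEndian.PutUint16(buf[4+8*i:], e.Tag)
		binary.LittleEndian.PutUint16(buf[6+8*i:], e.Perm)
		binary.LittleEndian.PutUint32(buf[8+8*i:], id)
	}
	return buf, nil
}

// Effective is what an entry really grants: the kernel ANDs named entries and group::
// with mask::, and chmod on an ACL-bearing file rewrites mask:: rather than group::,
// so a chmod by one side can silently cut the other side off.
func Effective(entries []Entry, tag uint16, id uint32) (uint16, bool) {
	mask, hasMask := uint16(7), false
	for _, e := range entries {
		if e.Tag == TagMask {
			mask, hasMask = e.Perm, true
		}
	}
	for _, e := range entries {
		if e.Tag != tag || ((tag == TagUser || tag == TagGroup) && e.ID != id) {
			continue
		}
		if hasMask && tag != TagUserObj && tag != TagOther {
			return e.Perm & mask, true
		}
		return e.Perm, true
	}
	return 0, false
}

// SocketDirACL: owner and one peer UID get rwx, nobody else; the targeted alternative to 0o777.
func SocketDirACL(peerUID uint32) []Entry {
	return []Entry{{TagUserObj, 7, 0}, {TagUser, 7, peerUID},
		{TagGroupObj, 0, 0}, {TagMask, 7, 0}, {TagOther, 0, 0}}
}

// Apply sets the entries as the directory's access ACL and as its default ACL (inherited by files and sockets created inside).
func Apply(dir string, entries []Entry) error {
	blob, err := Encode(entries)
	if err != nil {
		return err
	}
	for _, attr := range []string{"system.posix_acl_access", "system.posix_acl_default"} {
		if err := syscall.Setxattr(dir, attr, blob, 0); err != nil {
			return fmt.Errorf("%s: %w", attr, err)
		}
	}
	return nil
}

func main() {
	dir, err := os.MkdirTemp("", "plugin-sock-") // 100999 below is an assumed peer UID
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	fmt.Println("apply ACL to", dir, "->", Apply(dir, SocketDirACL(100999)))
}
```

Inspect the result with `getfacl` on the directory: the default: lines are what a socket created inside will inherit, and the effective column shows the mask being applied. Changing the directory mode afterwards rewrites mask::, which is the interaction to check for when both sides of the plugin socket are different host users.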
@tomhjp tomhjp merged commit 0268c17 into main Nov 20, 2023
17 checks passed
@tomhjp tomhjp deleted the support-rootless-nonroot-user-plugins branch November 20, 2023 22:03