starter: introduce possibility to keep capability NET_BIND_SERVICE #650
Merged: jrajahalme merged 2 commits into cilium:main from mhofstetter:pr/mhofstetter/cap-keep-netbindservice on Apr 23, 2024
Conversation
mhofstetter force-pushed the pr/mhofstetter/cap-keep-netbindservice branch 2 times, most recently from 9140ddf to 4ce0a7b on March 18, 2024 14:30
jrajahalme reviewed Mar 18, 2024
mhofstetter commented Mar 18, 2024
mhofstetter force-pushed the pr/mhofstetter/cap-keep-netbindservice branch 2 times, most recently from 46ab5fa to 79fe198 on April 5, 2024 13:16
jrajahalme requested changes Apr 5, 2024
Some style issues and one bug.
mhofstetter force-pushed the pr/mhofstetter/cap-keep-netbindservice branch from 79fe198 to dc15efd on April 22, 2024 14:15
Thanks Jarno! I incorporated your feedback.
mhofstetter force-pushed the pr/mhofstetter/cap-keep-netbindservice branch from dc15efd to 5518409 on April 22, 2024 14:54
rebased to
mhofstetter force-pushed the pr/mhofstetter/cap-keep-netbindservice branch 3 times, most recently from e9d992b to 242b9fc on April 23, 2024 12:03
Currently, the "starter" drops all capabilities before starting the Envoy process itself. This is mainly to prevent the Envoy process from having the capabilities `NET_ADMIN`, `SYS_ADMIN` etc. But this change also comes with the drawback that it prevents Envoy from binding to privileged ports - because the capability `NET_BIND_SERVICE` gets dropped as well. Therefore, this commit introduces a new flag `--keep-cap-net-bind-service` to the starter. If this flag is present, the capability `NET_BIND_SERVICE` is kept in the privileged and effective set for the Envoy process. Signed-off-by: Marco Hofstetter <[email protected]>
With this commit, the end of the arguments for the starter needs to be signaled with `--`. It is followed by the actual arguments for the Envoy process. For backwards compatibility reasons, all arguments are handled as Envoy's if the separator `--` isn't passed to the starter. Signed-off-by: Marco Hofstetter <[email protected]>
mhofstetter force-pushed the pr/mhofstetter/cap-keep-netbindservice branch from 242b9fc to 7076e6f on April 23, 2024 12:07
jrajahalme approved these changes Apr 23, 2024
mhofstetter added a commit to mhofstetter/cilium that referenced this pull request on Apr 24, 2024
This commit updates Envoy (Cilium Proxy) to the latest version from (`cilium/proxy` - `main`) that includes support to keep the capability `NET_BIND_SERVICE`. Relates to: cilium/proxy#650 Signed-off-by: Marco Hofstetter <[email protected]>
mhofstetter added a commit to mhofstetter/proxy that referenced this pull request on Apr 25, 2024
Currently, in case of not passing the argument delimiter `--`, the arguments are added before the actual program name. This results in errors starting up Envoy. This commit fixes this by inserting the arguments at the end. Fixes: cilium#650 Signed-off-by: Marco Hofstetter <[email protected]>
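The two mechanisms described in the commit messages above, the `--` separator with its backwards-compatible fallback (including the argument-ordering fix just described) and keeping only `NET_BIND_SERVICE` for the child process, as an added illustration in C. This is not code from cilium/proxy: the function names (`split_args`, `keep_cap_requested`, `build_exec_argv`, `child_cap_set`, `apply_caps`), the program name `envoy` and the sample command lines are assumptions constructed for the example, and the capability handling uses raw Linux syscalls (`capset(2)` via `syscall`, `prctl(PR_CAPBSET_DROP)`) rather than whatever library the project uses. Linux calls the set the commit message refers to as "privileged" the permitted set, and that is the name used in the code.

```c
/* Added example, not code from cilium/proxy: a minimal model of the starter
 * behaviour described in the PR. Function names, the "envoy" program name
 * and the sample argv arrays are assumptions for illustration. Linux only. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>

#define KEEP_FLAG "--keep-cap-net-bind-service"   /* flag introduced by the PR */

typedef struct {
    int starter_argc;    /* options for the starter itself (between argv[0] and "--") */
    char **starter_argv;
    int child_argc;      /* arguments handed to the wrapped program */
    char **child_argv;
} split_result;

/* Split argv at the first "--". Without a separator every argument belongs to
 * the wrapped program, which keeps old command lines working. */
split_result split_args(int argc, char **argv) {
    split_result r = { 0, argv + 1, argc - 1, argv + 1 };
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "--") == 0) {
            r.starter_argc = i - 1;
            r.child_argc = argc - i - 1;
            r.child_argv = argv + i + 1;
            break;
        }
    }
    return r;
}

/* True only if the flag appears among the starter's own options, i.e. before
 * "--". Without the separator the same flag is just another child argument. */
int keep_cap_requested(int argc, char **argv) {
    split_result s = split_args(argc, argv);
    for (int i = 0; i < s.starter_argc; i++)
        if (strcmp(s.starter_argv[i], KEEP_FLAG) == 0) return 1;
    return 0;
}

static char *exec_argv[32];

/* execv()-style argv for the child: program name first, then the child's
 * arguments, then NULL. Returns NULL if the static buffer is too small. */
char **build_exec_argv(const char *program, int argc, char **argv) {
    split_result s = split_args(argc, argv);
    if (s.child_argc + 2 > (int)(sizeof exec_argv / sizeof exec_argv[0])) return NULL;
    exec_argv[0] = (char *)program;
    for (int i = 0; i < s.child_argc; i++) exec_argv[i + 1] = s.child_argv[i];
    exec_argv[s.child_argc + 1] = NULL;
    return exec_argv;
}

/* Capability set (64-bit mask) the child may keep: empty, or exactly
 * CAP_NET_BIND_SERVICE. NET_ADMIN, SYS_ADMIN etc. are never included. */
uint64_t child_cap_set(int keep_net_bind_service) {
    return keep_net_bind_service ? (1ULL << CAP_NET_BIND_SERVICE) : 0ULL;
}

/* Apply `keep` to the calling process: drop everything else from the bounding
 * set (for a root child, the bounding set is what survives execve), then make
 * permitted and effective equal to `keep`. Needs CAP_SETPCAP; returns -1 on error. */
int apply_caps(uint64_t keep) {
    for (int cap = 0; cap <= CAP_LAST_CAP; cap++) {
        if (keep & (1ULL << cap)) continue;
        if (prctl(PR_CAPBSET_DROP, (unsigned long)cap, 0, 0, 0) != 0 && errno != EINVAL)
            return -1;   /* EINVAL: the running kernel does not know this cap */
    }
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    memset(data, 0, sizeof data);   /* inheritable stays empty */
    data[0].permitted = data[0].effective = (uint32_t)(keep & 0xffffffffULL);
    data[1].permitted = data[1].effective = (uint32_t)(keep >> 32);
    return (int)syscall(SYS_capset, &hdr, data);
}

/* Constructed sample command lines, not taken from the project. */
char *sample_with_sep[]    = { "starter", KEEP_FLAG, "--", "-c", "envoy.yaml", NULL };
char *sample_legacy[]      = { "starter", "-c", "envoy.yaml", NULL };
char *sample_flag_no_sep[] = { "starter", KEEP_FLAG, "-c", "envoy.yaml", NULL };

int main(void) {
    int keep = keep_cap_requested(5, sample_with_sep);
    char **child = build_exec_argv("envoy", 5, sample_with_sep);
    printf("keep NET_BIND_SERVICE: %d, child argv:", keep);
    for (int i = 0; child && child[i]; i++) printf(" %s", child[i]);
    printf("\n");
    /* Only root (with CAP_SETPCAP) can actually shrink the bounding set. */
    if (geteuid() == 0 && apply_caps(child_cap_set(keep)) != 0) perror("apply_caps");
    return 0;
}
```

The third sample shows the backwards-compatibility caveat from the second commit message: `--keep-cap-net-bind-service` given without a preceding `--` is passed through to the child untouched and does not enable the capability.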
mhofstetter added a commit to mhofstetter/cilium that referenced this pull request on Apr 25, 2024
This commit updates Envoy (Cilium Proxy) to the latest version from (`cilium/proxy` - `main`) that includes support to keep the capability `NET_BIND_SERVICE`. Relates to: cilium/proxy#650 Signed-off-by: Marco Hofstetter <[email protected]>
github-merge-queue bot pushed a commit that referenced this pull request on Apr 25, 2024
Currently, in case of not passing the argument delimiter `--`, the arguments are added before the actual program name. This results in errors starting up Envoy. This commit fixes this by inserting the arguments at the end. Fixes: #650 Signed-off-by: Marco Hofstetter <[email protected]>
mhofstetter added a commit to mhofstetter/cilium that referenced this pull request on Apr 25, 2024
This commit updates Envoy (Cilium Proxy) to the latest version from (`cilium/proxy` - `main`) that includes support to keep the capability `NET_BIND_SERVICE`. Relates to: cilium/proxy#650 Signed-off-by: Marco Hofstetter <[email protected]>
github-merge-queue bot pushed a commit to cilium/cilium that referenced this pull request on Apr 29, 2024
This commit updates Envoy (Cilium Proxy) to the latest version from (`cilium/proxy` - `main`) that includes support to keep the capability `NET_BIND_SERVICE`. Relates to: cilium/proxy#650 Signed-off-by: Marco Hofstetter <[email protected]>
jrajahalme pushed a commit that referenced this pull request on May 3, 2024
Currently, in case of not passing the argument delimiter `--`, the arguments are added before the actual program name. This results in errors starting up Envoy. This commit fixes this by inserting the arguments at the end. Fixes: #650 Signed-off-by: Marco Hofstetter <[email protected]>
jrajahalme pushed a commit that referenced this pull request on May 3, 2024
[ upstream commit 174c6af ] Currently, in case of not passing the argument delimiter `--`, the arguments are added before the actual program name. This results in errors starting up Envoy. This commit fixes this by inserting the arguments at the end. Fixes: #650 Signed-off-by: Marco Hofstetter <[email protected]>
jrajahalme pushed a commit that referenced this pull request on May 3, 2024
[ upstream commit 174c6af ] Currently, in case of not passing the argument delimiter `--`, the arguments are added before the actual program name. This results in errors starting up Envoy. This commit fixes this by inserting the arguments at the end. Fixes: #650 Signed-off-by: Marco Hofstetter <[email protected]>