Do not error on trying to write IMA xattr as rootless #5741
Conversation
|
I don't know if testing this is particularly possible in CI, as it would require the file to be set up as root, and then an integration test run as a non-root user to verify the functionality. Could be done by including the test file in the VM images, maybe? |
|
LGTM |
|
For testing purposes only, feel free to use Please do not merge with those VM images, they are old. I will be happy to build new ones if such is desired. |
mheon
force-pushed
the
fix_podman_18543
branch
from
9a4b3b8
to
412b48f
Compare
|
@edsantiago The Podman package is installed in the test VMs, right? That should have dragged in catatonit, which we know has IMA xattrs we can test on. @nalind Are any of the existing integration tests run rootless? |
|
@mheon please see my comment above. TL;DR we have a kludge workaround in test VMs, where we strip IMA. Without that, we would have no CI. The test images I mention in my comment above are built without that workaround, so you can use them in your testing. |
Yes, there are rootless test jobs. |
mheon
force-pushed
the
fix_podman_18543
branch
from
412b48f
to
5d73b93
Compare
|
@edsantiago Mind taking a look at the test I added? |
There was a problem hiding this comment.
LGTM with a few questions and nits. Suggestion:
@test "bud with ADD with file with IMA xattr" {
_prefetch alpine
local catatonit=/usr/libexec/catatonit/catatonit
if [[ ! -e $catatonit ]]; then
skip "Catatonit path $catatonit not found"
fi
run getfattr -d -n security.ima $catatonit
echo "getfattr $catatonit -> '$output'"
if [[ $status -ne 0 ]]; then
skip "pointless: $catatonit does not have the desired xattr"
fi
local contextdir=${TEST_SCRATCH_DIR}/add-ima
mkdir -p $contextdir
cat > $contextdir/Dockerfile <<EOF
FROM alpine
ADD $catatonit /bin/catatonit
EOF
# We do not care if the attribute was actually added, as rootless is allowed to discard it.
# Only that the file builds successfully.
run_buildah build $contextdir
}Do we know if the attr package is installed in CI VMs?
tests/bud.bats
Outdated
|
|
||
| # Verify that /usr/libexec/catatonit/catatonit both exists and has an IMA xattr | ||
| if getfattr -d -m 'security.ima' /usr/libexec/catatonit/catatonit | grep -q ima; then | ||
| skip "catatonit does not exist or does not have an appropriate xattr" |
There was a problem hiding this comment.
I'm not a big fan of ambiguous skips or test failures. If I were looking at this skip, I'd want to know more.
tests/bud.bats
Outdated
| EOF | ||
|
|
||
| # Verify that /usr/libexec/catatonit/catatonit both exists and has an IMA xattr | ||
| if getfattr -d -m 'security.ima' /usr/libexec/catatonit/catatonit | grep -q ima; then |
There was a problem hiding this comment.
Did you mean to use -m (match)? Not the tighter -n (name)?
tests/bud.bats
Outdated
|
|
||
| # We do not care if the attribute was actually added, as rootless is allowed to discard it. | ||
| # Only that the file builds successfully. | ||
| run_buildah build -f $contextdir/Dockerfile $contextdir |
There was a problem hiding this comment.
Can probably ditch the -f Dockerfile and save some duplication
|
Welp. (1) Buildah CI doesn't test on rawhide; (2) Debian doesn't have |
|
The current iteration of the test doesn't ensure that there's a |
|
@nalind Can't copy it, that strips the xattr. I'll rework to use |
mheon
force-pushed
the
fix_podman_18543
branch
from
5d73b93
to
9b2cfce
Compare
|
/lgtm |
|
I'm inclined to just let those error for now - we've never heard of a case where that has actually happened. |
|
/cherry-pick v1.37 |
|
@mheon: once the present PR merges, I will cherry-pick it on top of v1.37 in a new PR and assign it to you. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
/approve |
|
@nalind: once the present PR merges, I will cherry-pick it on top of release-1.37 in a new PR and assign it to you. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: edsantiago, mheon, nalind The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
tests/add.bats
Outdated
| @@ -321,3 +321,16 @@ stuff/mystuff" | |||
| run_buildah 125 add --retry-delay=0.142857s --retry=14 --cert-dir ${TEST_SCRATCH_DIR} $cid https://localhost:${HTTP_SERVER_PORT}/randomfile | |||
| assert "$output" =~ "retrying in 142.*ms .*14/14.*" | |||
| } | |||
|
|
|||
| @test "add file with IMA xattr" { | |||
| if getfattr -d -n 'security.ima' /usr/libexec/catatonit/catatonit | grep -q ima; then | |||
There was a problem hiding this comment.
| if getfattr -d -n 'security.ima' /usr/libexec/catatonit/catatonit | grep -q ima; then | |
| if ! getfattr -d -n 'security.ima' /usr/libexec/catatonit/catatonit | grep -q ima; then |
There was a problem hiding this comment.
Also note that this will not be tested in podman CI, because that only runs bud.bats. When this is vendored into podman, a new test will be required.
Rootless users cannot set the `security.ima` xattr on files (presumably for security reasons, they get an EPERM on trying to do so). We will normally try and preserve that xattr, so when trying to add a file with an IMA xattr to a build on a Buildah without this patch, you get an error. With this patch, the error is downgraded to a warning, as it's better to successfully build with a missing xattr than blocking all builds which want to include the offending file. The urgency on this has become somewhat higher as it seems like F41/Rawhide are installing rpm-plugin-ima by default, which is setting IMA xattrs on some files that Podman relies on - for example, the catatonit binary we use for pid pause images. Without this patch, building the pause image as rootless will always fail on a system with rpm-plugin-ima installed. Fixes: containers/podman#18543 Signed-off-by: Matt Heon <[email protected]>
mheon
force-pushed
the
fix_podman_18543
branch
from
9b2cfce
to
5e82f27
Compare
|
/lgtm |
|
@mheon: cannot checkout In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
@nalind: #5741 failed to apply on top of branch "release-1.37": In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
@edsantiago We should consider new VM builds once this lands in Podman. Not super urgent though. |
Rootless users cannot set the
security.imaxattr on files (presumably for security reasons, they get an EPERM on trying to do so). We will normally try and preserve that xattr, so when trying to add a file with an IMA xattr to a build on a Buildah without this patch, you get an error. With this patch, the error is downgraded to a warning, as it's better to successfully build with a missing xattr than blocking all builds which want to include the offending file.The urgency on this has become somewhat higher as it seems like F41/Rawhide are installing rpm-plugin-ima by default, which is setting IMA xattrs on some files that Podman relies on - for example, the catatonit binary we use for pid pause images. Without this patch, building the pause image as rootless will always fail on a system with rpm-plugin-ima installed.
Fixes: containers/podman#18543
What type of PR is this?
/kind bug
What this PR does / why we need it:
How to verify it
Which issue(s) this PR fixes:
Special notes for your reviewer:
Does this PR introduce a user-facing change?