generated policy mismatch for layers containing non-ASCII symbolic links #624

Closed
burgerdev opened this issue Jun 24, 2024 · 1 comment · Fixed by #619 or #621
Labels
bug Something isn't working as intended

Comments

@burgerdev (Contributor) commented Jun 24, 2024

Contrast release v0.7.0 contains a bug that prevents starting containers that contain non-ASCII symbolic link names.

Symptom

The symptom for this is that pods are crashlooping with the following message (indicating a failed policy check):

Error: failed to create containerd task: failed to create shim task: "CreateContainerRequest is blocked by policy [...]

Root Cause

The container image layer tarballs are directly mounted as block devices to the guest VM with the tardev-snapshotter. These devices are verified with a dm-verity checksum that's precalculated by contrast generate (specifically, by the embedded genpolicy tool). The precalculation also involves creating an index over the files in the tarball, which mirrors the index created by the snapshotter.

Microsoft's genpolicy tool contains a fix for long link names, which also happens to be triggered by UTF-8 symlink names due to some canonicalization step. The resulting index is different from what the tardev-snapshotter produces, and thus the dm-verity hashes do not match.

Example Deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  name: bad-layer
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: bad-layer
  template:
    metadata:
      labels:
        app.kubernetes.io/name: bad-layer
    spec:
      containers:
      - image: docker.io/library/httpd:2.4.59-bookworm@sha256:10182d88d7fbc5161ae0f6f758cba7adc56d4aae2dc950e51d72c0cf68967cea
        name: bad-layer
        resources:
          limits:
            memory: 50Mi
          requests:
            memory: 50Mi
      runtimeClassName: contrast-cc

Problematic symlink:

$ docker run -it --rm docker.io/library/httpd:2.4.59-bookworm ls -l /etc/ssl/certs
[...]
lrwxrwxrwx 1 root root     48 Jun 13 18:28  988a38cb.0 -> 'NetLock_Arany_=Class_Gold=_F'$'\305\221''tan'$'\303\272''s'$'\303\255''tv'$'\303\241''ny.pem'
[...]
lrwxrwxrwx 1 root root     83 Jun 13 18:28 'NetLock_Arany_=Class_Gold=_F'$'\305\221''tan'$'\303\272''s'$'\303\255''tv'$'\303\241''ny.pem' -> '/usr/share/ca-certificates/mozilla/NetLock_Arany_=Class_Gold=_F'$'\305\221''tan'$'\303\272''s'$'\303\255''tv'$'\303\241''ny.crt'
[...]
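A quick way to find out whether an image layer contains symlinks of the kind described above, as an added example that is not Contrast's, genpolicy's or the tardev-snapshotter's code. It walks a layer tarball with Go's archive/tar and flags symlinks whose name or target is non-ASCII, or whose target exceeds the 100-byte ustar linkname field (the ustar limit is a tar format fact, not a claim about genpolicy's own long-link check). The tarball is constructed in memory; only the NetLock file name is taken from the ls output above, the other entries are made up.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"strings"
	"unicode/utf8"
)

// ustarLinkLimit is the size in bytes of the classic ustar "linkname" header
// field. Targets longer than this need a PAX or GNU long-link extension
// record instead of fitting in the fixed field.
const ustarLinkLimit = 100

// Finding is one symlink entry in a layer tarball worth a second look.
type Finding struct {
	Name     string   // path of the symlink inside the layer
	Linkname string   // target the symlink points to
	Reasons  []string // why it was flagged
}

func isASCII(s string) bool {
	for i := 0; i < len(s); i++ {
		if s[i] >= 0x80 {
			return false
		}
	}
	return true
}

// ScanLayer reads a layer tarball (gunzip it first if it is compressed) and
// reports symlinks whose name or target is non-ASCII, or whose target does
// not fit the ustar linkname field. Either property is enough to send the
// entry through a tar extension path where two indexers can disagree.
func ScanLayer(r io.Reader) ([]Finding, error) {
	tr := tar.NewReader(r)
	var findings []Finding
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return findings, nil
		}
		if err != nil {
			return nil, err
		}
		if hdr.Typeflag != tar.TypeSymlink {
			continue
		}
		var reasons []string
		if !isASCII(hdr.Name) {
			reasons = append(reasons, "non-ASCII symlink name")
		}
		if !isASCII(hdr.Linkname) {
			reasons = append(reasons, "non-ASCII link target")
		}
		if n := len(hdr.Linkname); n > ustarLinkLimit {
			reasons = append(reasons, fmt.Sprintf("link target is %d bytes (%d runes), over the %d-byte ustar field",
				n, utf8.RuneCountInString(hdr.Linkname), ustarLinkLimit))
		}
		if len(reasons) > 0 {
			findings = append(findings, Finding{Name: hdr.Name, Linkname: hdr.Linkname, Reasons: reasons})
		}
	}
}

// ConstructedLayer builds a small in-memory layer tarball for demonstration.
// It is not a real httpd layer: the NetLock name is copied from the image's
// /etc/ssl/certs listing, the other entries are invented.
func ConstructedLayer() []byte {
	netlock := "NetLock_Arany_=Class_Gold=_Főtanúsítvány"
	links := []struct{ name, target string }{
		{"etc/ssl/certs/2e5ac55d.0", "ISRG_Root_X1.pem"}, // plain ASCII, short: not flagged
		{"etc/ssl/certs/988a38cb.0", netlock + ".pem"},
		{"etc/ssl/certs/" + netlock + ".pem", "/usr/share/ca-certificates/mozilla/" + netlock + ".crt"},
		{"etc/ssl/certs/long.pem", "/usr/share/ca-certificates/mozilla/" + strings.Repeat("a", 80) + ".crt"},
	}
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf) // archive/tar picks PAX automatically for non-ASCII or long names
	for _, l := range links {
		hdr := &tar.Header{Typeflag: tar.TypeSymlink, Name: l.name, Linkname: l.target, Mode: 0o777}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	findings, err := ScanLayer(bytes.NewReader(ConstructedLayer()))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s -> %s\n  %s\n", f.Name, f.Linkname, strings.Join(f.Reasons, "; "))
	}
}
```

To run it against a real image, pass the decompressed layer blob (for example the output of `docker save` unpacked and the layer `.tar` opened) to ScanLayer instead of ConstructedLayer; any finding means the layer exercises the non-ASCII or long-link path and is worth testing against the generated policy before rollout.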
@katexochen (Member)