fix: provide only available capabilities to insecure environment #2394
Conversation
|
One more idea is that we could find intersection of what is available and desired set of capabilities, so that build environment doesn't have more capabilities than the fixed list. |
|
Not sure if this is desired. We should provide a consistent environment between different machines and installations. If an app uses a capability in one system it should always work on another as well. And fail if the installation isn't capable of providing such an environment. |
I fully agree with this, but I don't know at the same time how to combine that with potentially reduced capabilities. Some background: in the last version of Talos we introduced a security feature to drop some of the capabilities from all processed but PID 1. The idea was that Talos should be able to use I don't know if the idea of keeping set of capabilities as it was before this change minus those which are not available right now would make more sense (so that job might have less capabilities, but not more). |
|
Also related, similar issue in dockerd moby/moby#42906 By the way, privileged pods launched with Kubernetes/containerd correctly handle reduced capability set: launched pods have maximum available capabilities, but it correctly workarounds not allowed capabilities. |
|
Generally, the solution for this should be to define more specific constraint like Feels hacky but I think I would even be more willing to just do an exception for kexec/sys_boot as it does feel a bit special case. I'd like to avoid case where someone implements something that doesn't have |
|
I would rather see the list of capabilities being dynamic to some extent, as in Talos we dropped Also looks like current list of capabilities in buildkit is not complete (kernel has more caps now), so what are we going to do with that in the future? add more or keep the list fixed? |
Maybe we should just print a warning (or error out) when cap.Current() lacks SYS_ADMIN ? |
|
And third option is to print a warning if some capability is not available, but skip it to avoid failures? So that one can see that build environment is not exactly same (some caps missing), but at least proceed with the build? |
smira
force-pushed
the
insecure-capabilities
branch
from
00b68ad
to
6424d90
Compare
|
Updated the PR to skip caps (with warning) which are not available right now. |
This could be like We don't currently have a good method for sending warnings to client progress. There are many use cases for it though if somebody is willing to spend some time on it. |
smira
force-pushed
the
insecure-capabilities
branch
from
6424d90
to
305fc73
Compare
|
FWIW, I also opened a PR for consideration in runc (opencontainers/runc#3240), to make it match the runtime spec (opencontainers/runc#2854) |
|
I'm looking at opencontainers/runc#3240 can provide a better solution for unavailable caps. We might still want to expand capability list, but that would be way easier |
smira
force-pushed
the
insecure-capabilities
branch
from
305fc73
to
b217726
Compare
The problem this change is trying to fix are the environments where some capabilities are already dropped, so they can't be granted to the job with `--security=insecure`. I know that probably fixed set of capabilities was implemented to provide a stable build environment, but at the same time this breaks environments with reduced capabilities. Signed-off-by: Andrey Smirnov <[email protected]>
smira
force-pushed
the
insecure-capabilities
branch
from
b217726
to
a5d1cfc
Compare
|
@tonistiigi I updated the PR, fixed all the tests. |
The problem this change is trying to fix are the environments where some
capabilities are already dropped, so they can't be granted to the
job with
--security=insecure.I know that probably fixed set of capabilities was implemented to
provide a stable build environment, but at the same time this breaks
environments with reduced capabilities.
Signed-off-by: Andrey Smirnov [email protected]