libct/cg/sd: fix SkipDevices for systemd #2958
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
cyphar
reviewed
May 23, 2021
Commit 108ee85 adds SkipDevices flag, which is used by kubernetes to create cgroups for pods. Unfortunately the above commit falls short, and systemd DevicePolicy and DeviceAllow properties are still set, which requires kubernetes to set "allow everything" rule. This commit fixes this: if SkipDevices flag is set, we return Device* properties to allow all devices. Fixes: 108ee85 Signed-off-by: Kir Kolyshkin <[email protected]>
kolyshkin
force-pushed
the
cgroup-skip-devices
branch
from
fb538d6
to
752e7a8
Compare
|
Would it be possible to have some tests? |
I started working on something that mimics the kubelet behavior... |
kolyshkin
force-pushed
the
cgroup-skip-devices
branch
3 times, most recently
from
99fde82
to
b9347d1
Compare
|
CentOS failure seems legit -- SELinux? |
|
Once this is merged I will send out the v1.0.0 vote (it would be nice to do the release -- as @h-vetinari suggested -- on the 3rd of June since that's the 5-year anniversary of 1.0.0-rc1). |
The idea is to mimic what kubelet is doing, with minimum amount of code. First, create a slice with SkipDevices=true. It should have access to all devices. Next, create a scope within the above slice, allowing access to /dev/full only. Check that within that scope we can only access /dev/full and not other devices (such as /dev/null). Repeat the test with SkipDevices=false, make sure we can not access any devices (as they are disallowed by a parent cgroup). This is done only to assess the test correctness. NOTE that cgroup v1 and v2 behave differently for SkipDevices=false case, and thus the check is different. Cgroup v1 returns EPERM on writing to devices.allow, so cgroup manager's Set() fails, and we check for a particular error from m.Set(). Cgroup v2 allows to create a child cgroup, but denies access to any device (despite access being enabled) -- so we check the error from the shell script running in that cgroup. Again, this is only about SkipDevices=false case. Signed-off-by: Kir Kolyshkin <[email protected]>
kolyshkin
force-pushed
the
cgroup-skip-devices
branch
from
b9347d1
to
0e16e7c
Compare
|
Test case fixed, PR description updated. |
mrunalp
approved these changes
May 26, 2021
AkihiroSuda
approved these changes
May 27, 2021
cyphar
approved these changes
May 28, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
libct/cg/sd: fix SkipDevices for systemd
Commit 108ee85 (PR libct/cgroups: add SkipDevices to Resources #2490) adds
SkipDevicesflag, which is used by kubernetesto create cgroups for pods.
Unfortunately the above commit falls short, and systemd
DevicePolicyandDeviceAllowproperties are still set, which requires kubernetes to set"allow everything" rule.
This commit fixes this: if
SkipDevicesflag is set, we returnDevice*properties to allow all devices.libct/cg/sd: add SkipDevices unit test
The idea is to mimic what kubelet is doing, with minimum amount of code.
First, create a slice with
SkipDevices=true. It should have access toall devices.
Next, create a scope within the above slice, allowing access to
/dev/fullonly.
Check that within that scope we can only access
/dev/fulland not otherdevices (such as
/dev/null).Repeat the test with
SkipDevices=false, make sure we can not access anydevices (as they are disallowed by a parent cgroup). This is done only
to assess the test correctness.
NOTE that cgroup v1 and v2 behave differently for
SkipDevices=falsecase, and thus the check is different. Cgroup v1 returns
EPERMonwriting to
devices.allow, so cgroup manager'sSet()fails, and we checkfor a particular error from
m.Set(). Cgroup v2 allows to create a childcgroup, but denies access to any device (despite access being enabled)
-- so we check the error from the shell script running in that cgroup.
Again, this is only about
SkipDevices=falsecase.Previous discussions on topic: #2490 (comment), kubernetes/kubernetes#92862 (comment)
Fixes: 108ee85