From 1ef740361c4ee4e00cadc29fe2228ac5712afefd Mon Sep 17 00:00:00 2001 From: Stepan Blyshchak <38952541+stepanblyschak@users.noreply.github.com> Date: Wed, 26 Feb 2020 10:56:54 +0200 Subject: [PATCH] [docker_image_ctl.j2] Share UTS namespace with host OS (#4169) Instead of updating hostname manualy on Config DB hostname change, simply share containers UTS namespace with host OS. Ideally, instead of setting `--uts=host` for every container in SONiC, this setting can be set per container if feature requires. One behaviour change is introduced in this commit, when `--privileged` or `--cap-add=CAP_SYS_ADMIN` and `--uts=host` are combined, container has privilege to change host OS and every other container hostname. Such privilege should be fixed by limiting containers capabilities. Signed-off-by: Stepan Blyschak --- files/build_templates/docker_image_ctl.j2 | 48 ++------------------- files/image_config/hostcfgd/hostcfgd | 51 +---------------------- 2 files changed, 5 insertions(+), 94 deletions(-) diff --git a/files/build_templates/docker_image_ctl.j2 b/files/build_templates/docker_image_ctl.j2 index 2777a26c8edf..c8137b9f574c 100644 --- a/files/build_templates/docker_image_ctl.j2 +++ b/files/build_templates/docker_image_ctl.j2 @@ -1,7 +1,7 @@ #!/bin/bash # single instance containers are still supported (even though it might not look like it) -# if no instance number is passed to this script, $DEV will simply be unset, resulting in docker +# if no instance number is passed to this script, $DEV will simply be unset, resulting in docker # commands being sent to the base container name. E.g. `docker start database$DEV` simply starts # the container `database` if no instance number is passed since `$DEV` is not defined @@ -31,32 +31,6 @@ function getMountPoint() echo $1 | python -c "import sys, json, os; mnts = [x for x in json.load(sys.stdin)[0]['Mounts'] if x['Destination'] == '/usr/share/sonic/hwsku']; print '' if len(mnts) == 0 else os.path.basename(mnts[0]['Source'])" 2>/dev/null } -function updateHostName() -{ - HOSTS=/etc/hosts - HOSTS_TMP=/etc/hosts.tmp - - EXEC="docker exec -i {{docker_container_name}}$DEV bash -c" - - NEW_HOSTNAME="$1" - HOSTNAME=`$EXEC "hostname"` - if ! [[ $HOSTNAME =~ ^[a-zA-Z0-9.\-]*$ ]]; then - HOSTNAME=`hostname` - fi - - # copy HOSTS to HOSTS_TMP - $EXEC "cp $HOSTS $HOSTS_TMP" - # remove entry with hostname - $EXEC "sed -i \"/$HOSTNAME$/d\" $HOSTS_TMP" - # add entry with new hostname - $EXEC "echo -e \"127.0.0.1\t$NEW_HOSTNAME\" >> $HOSTS_TMP" - - echo "Set hostname in {{docker_container_name}}$DEV container" - $EXEC "hostname '$NEW_HOSTNAME'" - $EXEC "cat $HOSTS_TMP > $HOSTS" - $EXEC "rm -f $HOSTS_TMP" -} - function getBootType() { # same code snippet in files/scripts/syncd.sh @@ -161,11 +135,7 @@ start() { {%- else %} # Obtain our HWSKU as we will mount directories with these names in each docker HWSKU=`sonic-cfggen -d -v 'DEVICE_METADATA["localhost"]["hwsku"]'` - HOSTNAME=`sonic-cfggen -d -v 'DEVICE_METADATA["localhost"]["hostname"]'` {%- endif %} - if [ -z "$HOSTNAME" ] || ! [[ $HOSTNAME =~ ^[a-zA-Z0-9.\-]*$ ]]; then - HOSTNAME=`hostname` - fi DOCKERCHECK=`docker inspect --type container {{docker_container_name}}$DEV 2>/dev/null` if [ "$?" -eq "0" ]; then @@ -183,11 +153,6 @@ start() { preStartAction docker start {{docker_container_name}}$DEV postStartAction - CURRENT_HOSTNAME="$(docker exec {{docker_container_name}}$DEV hostname)" - if [ x"$HOSTNAME" != x"$CURRENT_HOSTNAME" ]; then - updateHostName "$HOSTNAME" - fi - updateHostName "$HOSTNAME" exit $? fi @@ -210,7 +175,7 @@ start() { if [ -z "$DEV" ]; then NET="host" else - {%- if docker_container_name == "database" %} + {%- if docker_container_name == "database" %} NET="bridge" {%- else %} NET="container:database$DEV" @@ -222,6 +187,7 @@ start() { {%- endif %} docker create {{docker_image_run_opt}} \ --net=$NET \ + --uts=host \{# W/A: this should be set per-docker, for those dockers which really need host's UTS namespace #} {%- if install_debug_image == "y" %} -v /src:/src:ro -v /debug:/debug:rw \ {%- endif %} @@ -258,7 +224,6 @@ start() { preStartAction docker start {{docker_container_name}} postStartAction - updateHostName "$HOSTNAME" } wait() { @@ -280,13 +245,8 @@ case "$1" in start|wait|stop) $1 ;; - updateHostName) - cmd=$1 - shift 2 - $cmd $@ - ;; *) - echo "Usage: $0 {start namespace(optional)|wait namespace(optional)|stop namespace(optional)|updateHostName namespace(optional) new_hostname}" + echo "Usage: $0 {start namespace(optional)|wait namespace(optional)|stop namespace(optional)}" exit 1 ;; esac diff --git a/files/image_config/hostcfgd/hostcfgd b/files/image_config/hostcfgd/hostcfgd index e10288c0dd37..4ac3be83d06e 100755 --- a/files/image_config/hostcfgd/hostcfgd +++ b/files/image_config/hostcfgd/hostcfgd @@ -2,7 +2,6 @@ # -*- coding: utf-8 -*- import os -import re import sys import subprocess import syslog @@ -24,13 +23,6 @@ TACPLUS_SERVER_TIMEOUT_DEFAULT = "5" TACPLUS_SERVER_AUTH_TYPE_DEFAULT = "pap" -def is_valid_hostname(hostname): - if hostname[-1] == "." or len(hostname) > 253: - return False - allowed = re.compile("(?!-)[A-Z\d-]{1,63}(?