Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add cli integration for unconfined systempaths #1808

Merged
merged 1 commit into from
Apr 16, 2019
Merged

add cli integration for unconfined systempaths #1808

merged 1 commit into from
Apr 16, 2019

Conversation

martencassel
Copy link
Contributor

@martencassel martencassel commented Apr 4, 2019

- What I did
I've implemented the proposed changes in #1347 (comment).
- Description for the changelog
Added --security-opt systempaths=unconfined support.

@codecov-io
Copy link

Codecov Report

Merging #1808 into master will decrease coverage by <.01%.
The diff coverage is 47.05%.

@@            Coverage Diff             @@
##           master    #1808      +/-   ##
==========================================
- Coverage   56.31%   56.31%   -0.01%     
==========================================
  Files         308      308              
  Lines       21391    21408      +17     
==========================================
+ Hits        12047    12055       +8     
- Misses       8465     8472       +7     
- Partials      879      881       +2

@codecov-io
Copy link

codecov-io commented Apr 4, 2019

Codecov Report

Merging #1808 into master will increase coverage by 0.02%.
The diff coverage is 100%.

@@            Coverage Diff             @@
##           master    #1808      +/-   ##
==========================================
+ Coverage   56.31%   56.34%   +0.02%     
==========================================
  Files         308      308              
  Lines       21391    21403      +12     
==========================================
+ Hits        12047    12059      +12     
  Misses       8465     8465              
  Partials      879      879

Copy link
Member

@thaJeztah thaJeztah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for working on this! I left some comments and suggestions inline.

@@ -825,6 +832,23 @@ func parseSecurityOpts(securityOpts []string) ([]string, error) {
return securityOpts, nil
}

func parseSystemPaths(securityOpts []string) ([]string, []string, []string, error) {
var maskedPaths []string
var readonlyPaths []string
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: could be;

Suggested change
var readonlyPaths []string
var maskedPaths , readonlyPaths []string

filtered := securityOpts[:0]
for _, opt := range securityOpts {
con := strings.SplitN(opt, "=", 2)
if con[0] == "systempaths" && con[1] == "unconfined" {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like we don't need the split (and don't strip whitespace etc) at this point, so this could be simplified to

Suggested change
if con[0] == "systempaths" && con[1] == "unconfined" {
if opt == "systempaths=unconfined" {

@@ -485,6 +485,11 @@ func parse(flags *pflag.FlagSet, copts *containerOptions, serverOS string) (*con
return nil, err
}

securityOpts, maskedPaths, readonlyPaths, err := parseSystemPaths(securityOpts)
if err != nil {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see we never return an error; although it's good practice to keep this signature, this function is not exported, so I think it's ok to drop the error return for now, and remove this error-handling

@@ -825,6 +832,23 @@ func parseSecurityOpts(securityOpts []string) ([]string, error) {
return securityOpts, nil
}

func parseSystemPaths(securityOpts []string) ([]string, []string, []string, error) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I realise this function is not exported, but it might be important to document what it does (especially because it filters the securityOpts; perhaps add a short GoDoc; something along the line of:

Suggested change
func parseSystemPaths(securityOpts []string) ([]string, []string, []string, error) {
// parseSystemPaths checks if `systempaths=unconfined` security option is set,
// and returns the `MaskedPaths` and `ReadonlyPaths` accordingly. An updated
// list of security options is returned with this option removed, because the
// `unconfined` option is handled client-side, and should not be sent to the
// daemon.
func parseSystemPaths(securityOpts []string) ([]string, []string, []string, error) {

(suggestions for better wording welcome! 😂)

Although I'm generally not a fan of named return variables, I'm a bit on the fence if we should use them here (for readability), as three []string returns might be difficult to read/grasp;

Suggested change
func parseSystemPaths(securityOpts []string) ([]string, []string, []string, error) {
func parseSystemPaths(securityOpts []string) (filtered, maskedPaths, readonlyPaths []string) {

I'd love to get feedback from others in that as well though 😅

@@ -800,3 +800,37 @@ func TestValidateDevice(t *testing.T) {
}
}
}

func TestParseSystemPaths(t *testing.T) {
valids := []string{
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would be good to test other combinations (i.e., make sure if doesn't touch other values if not set, and that invalid/unknown options are ignored; quick write-up for that;

func TestParseSystemPaths(t *testing.T) {
	tests := []struct {
		doc                       string
		in, out, masked, readonly []string
	}{
		{
			doc: "not set",
			in:  []string{},
			out: []string{},
		},
		{
			doc: "not set, preserve other options",
			in: []string{
				"seccomp=unconfined",
				"apparmor=unconfined",
				"label=user:USER",
				"foo=bar",
			},
			out: []string{
				"seccomp=unconfined",
				"apparmor=unconfined",
				"label=user:USER",
				"foo=bar",
			},
		},
		{
			doc:      "unconfined",
			in:       []string{"systempaths=unconfined"},
			out:      []string{},
			masked:   []string{},
			readonly: []string{},
		},
		{
			doc:      "unconfined and other options",
			in:       []string{"foo=bar", "systempaths=unconfined", "bar=baz"},
			out:      []string{"foo=bar", "bar=baz"},
			masked:   []string{},
			readonly: []string{},
		},
		{
			doc: "unknown option",
			in:  []string{"foo=bar", "systempaths=unkown", "bar=baz"},
			out: []string{"foo=bar", "systempaths=unkown", "bar=baz"},
		},
	}

	for _, tc := range tests {
		securityOpts, maskedPaths, readonlyPaths, err := parseSystemPaths(tc.in)
		assert.NilError(t, err)
		assert.DeepEqual(t, securityOpts, tc.out)
		assert.DeepEqual(t, maskedPaths, tc.masked)
		assert.DeepEqual(t, readonlyPaths, tc.readonly)
	}
}

@thaJeztah
Copy link
Member

ping @tiborvass @jessfraz PTAL 🤗

@martencassel
Copy link
Contributor Author

martencassel commented Apr 5, 2019

I've implemented your suggested changes. I will change unkown to unknown, linting failed on that.

@thaJeztah
Copy link
Member

Oh! The linter detected my typo 😂

@thaJeztah
Copy link
Member

Oh! when you're updating, could you fix your sign-off to use your real name (instead of your github handle)?

martencassel <marten.cassel@gmail.com>

Guessing it's Marten Cassel, so should then be:

Marten Cassel <marten.cassel@gmail.com>

Copy link
Member

@thaJeztah thaJeztah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks! LGTM after the sign-off is updated 😅

…ent suggested changes

Signed-off-by: Mårten Cassel <marten.cassel@gmail.com>
@martencassel
Copy link
Contributor Author

martencassel commented Apr 5, 2019

Updated commit sign-off.

Copy link
Member

@thaJeztah thaJeztah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

After this, we'll have to update the (reference) docs to mention the new option, and check if the compose-file format needs changes to accommodate (swarm services not yet support this option, so for docker-compose standalone)

@AkihiroSuda
Copy link
Collaborator

ping @tiborvass @jessfraz

@PhilippWendler
Copy link

PhilippWendler commented Oct 14, 2022

It seems the documentation / https://docs.docker.com/reference/cli/docker/container/run/#security-opt was forgotten to be updated and this option remains undocumented. Could this be added to the docs?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants