allow running without securityContext.procMount=Unmasked (BuildKit v0.4) #221

Merged: 4 commits, Apr 2, 2019

AkihiroSuda
Collaborator

When /proc is not mountable, img now automatically disables process sandbox (PID namespace isolation).

Note that this allows build containers to kill(2) (and potentially ptrace(2) when seccomp is unavailable) the img process.

To run img in a Docker container, you no longer need to specify --privileged, but you still need to specify --security-opt seccomp=unconfined --security-opt apparmor=unconfined (which are unconfined on Kubernetes by default).

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
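
One way to check, from inside a container, whether `/proc` is partially masked, which is the situation the fallback described above is meant for. This is an added example, not code from img or BuildKit: it assumes masking appears as mounts beneath `/proc` in `/proc/self/mountinfo`, and the function name `procOvermounts` and both sample excerpts are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strings"
)

// Constructed mountinfo excerpts (not captured from a real system).
// maskedSample imitates a container whose runtime masks parts of /proc.
const maskedSample = `100 90 0:50 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
101 100 0:50 /bus /proc/bus ro,relatime - proc proc rw
102 100 0:50 /sys /proc/sys ro,relatime - proc proc rw
103 100 0:51 /null /proc/kcore rw,nosuid - tmpfs tmpfs rw
104 100 0:52 / /proc/scsi ro,relatime - tmpfs tmpfs ro
105 90 0:53 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs ro`

// unmaskedSample imitates procMount=Unmasked: /proc with nothing on top.
const unmaskedSample = `100 90 0:50 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
105 90 0:53 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs ro`

// procOvermounts returns every mount point strictly beneath /proc.
// Field 5 of a mountinfo line (index 4) is the mount point.
func procOvermounts(mountinfo string) []string {
	var hits []string
	sc := bufio.NewScanner(strings.NewReader(mountinfo))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 5 { // skip blank or malformed lines
			continue
		}
		if strings.HasPrefix(f[4], "/proc/") {
			hits = append(hits, f[4])
		}
	}
	return hits
}

func main() {
	src := maskedSample // fall back to the constructed sample off Linux
	if data, err := os.ReadFile("/proc/self/mountinfo"); err == nil {
		src = string(data)
	}
	hits := procOvermounts(src)
	if len(hits) == 0 {
		fmt.Println("/proc has no overmounts")
		return
	}
	fmt.Println("/proc is partially masked by:", strings.Join(hits, ", "))
}
```

A non-empty result is a hint rather than proof: some hosts legitimately mount filesystems such as binfmt_misc beneath `/proc`.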
@AkihiroSuda
Collaborator Author

@jessfraz @tonistiigi

When `/proc` is not mountable, img now automatically disables process
sandbox (PID namespace isolation).

Note that this allows build containers to `kill(2)` (and potentially `ptrace(2)`
when seccomp is unavailable) the `img` process.

To run `img` in a Docker container, you no longer need to specify
`--privileged`, but you still need to specify `--security-opt seccomp=unconfined
 --security-opt apparmor=unconfined` (which are unconfined on Kubernetes by default).

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
So as to avoid Travis quota

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
@codecov

codecov bot commented Mar 15, 2019

Codecov Report

Merging #221 into master will not change coverage.
The diff coverage is 0%.


@@          Coverage Diff          @@
##           master   #221   +/-   ##
=====================================
  Coverage       0%     0%           
=====================================
  Files          14     14           
  Lines         768    777    +9     
=====================================
- Misses        768    777    +9

| Impacted Files | Coverage Δ |
|---|---|
| login.go | 0% <0%> (ø) ⬆️ |

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@AkihiroSuda
Collaborator Author

@jessfraz could you take a look?

@jessfraz jessfraz merged commit 3d1a167 into genuinetools:master Apr 2, 2019
@jessfraz
Collaborator

jessfraz commented Apr 2, 2019

Thanks!!!

AkihiroSuda added a commit to AkihiroSuda/kaniko that referenced this pull request Apr 13, 2019
Latest BuildKit/img no longer necessarily requires procMount to be unmasked, by
 not unsharing PID namespaces.

The current drawback of BuildKit/img compared to kaniko is that BuildKit/img
requires seccomp and AppArmor to be disabled so as to create nested containers.

moby/buildkit#768
genuinetools/img#221

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
AkihiroSuda added a commit to AkihiroSuda/makisu that referenced this pull request Apr 13, 2019
Latest BuildKit/img no longer necessarily requires procMount to be unmasked, by
not unsharing PID namespaces.

The current drawback of BuildKit/img compared to makisu is that BuildKit/img
requires seccomp and AppArmor to be disabled so as to create nested containers.

moby/buildkit#768
genuinetools/img#221

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
yiranwang52 pushed a commit to uber-archive/makisu that referenced this pull request Apr 13, 2019
sharifelgamal pushed a commit to GoogleContainerTools/kaniko that referenced this pull request Apr 25, 2019