container: allow elevated privileged container for specific flist (#1188

) * container: enable elevated privileges for specific containers When starting a container with a specific flist url (need to be changed), enable a special 'elevated' flag. Elevated container are started with CAP_SYS_ADMIN and /dev/fuse device availaible, to allow FUSE working properly inside the container. This needs to be enabled only for trusted flist, since theses container have extra privileges. * container: add const explaination * provisiond: make elevated url matching repository based
threefoldtech · Feb 25, 2021 · 28f74c9 · 28f74c9
1 parent f88493d
commit 28f74c9
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 0 deletions.
diff --git a/pkg/container.go b/pkg/container.go
@@ -55,6 +55,8 @@ type Container struct {
 	Logs []logger.Logs
 	// Stats container metrics backend
 	Stats []stats.Stats
+	// Elevated privileges (to use fuse inside)
+	Elevated bool
 }
 
 // ContainerModule defines rpc interface to containerd

diff --git a/pkg/container/container.go b/pkg/container/container.go
@@ -186,6 +186,16 @@ func (c *Module) Run(ns string, data pkg.Container) (id pkg.ContainerID, err err
 		WithCPUCount(data.CPU),
 	}
 
+	if data.Elevated {
+		log.Warn().Msg("elevated container requested")
+
+		opts = append(
+			opts,
+			oci.WithAddedCapabilities([]string{"CAP_SYS_ADMIN"}),
+			oci.WithLinuxDevice("/dev/fuse", "rwm"),
+		)
+	}
+
 	if data.WorkingDir != "" {
 		opts = append(opts, oci.WithProcessCwd(data.WorkingDir))
 	}

diff --git a/pkg/provision/primitives/container.go b/pkg/provision/primitives/container.go
@@ -7,6 +7,7 @@ import (
 	"net"
 	"os"
 	"path"
+	"strings"
 	"time"
 
 	"github.com/cenkalti/backoff/v3"
@@ -105,6 +106,9 @@ type ContainerCapacity struct {
 	DiskSize uint64 `json:"disk_size"`
 }
 
+// FListElevated url of privileged container
+const FListElevated = "https://hub.grid.tf/tf-elevated/"
+
 func (p *Provisioner) containerProvision(ctx context.Context, reservation *provision.Reservation) (interface{}, error) {
 	return p.containerProvisionImpl(ctx, reservation)
 }
@@ -239,6 +243,7 @@ func (p *Provisioner) containerProvisionImpl(ctx context.Context, reservation *p
 		ReadOnly: false,
 		Type:     config.Capacity.DiskType,
 	}
+
 	if rootfsMntOpt.Limit == 0 || rootfsMntOpt.Type == "" {
 		rootfsMntOpt = pkg.DefaultMountOptions
 	}
@@ -249,6 +254,13 @@ func (p *Provisioner) containerProvisionImpl(ctx context.Context, reservation *p
 		return ContainerResult{}, err
 	}
 
+	var elevated = false
+
+	if strings.HasPrefix(config.FList, FListElevated) {
+		// Enable fuse access to this specific flist
+		elevated = true
+	}
+
 	// prepare mount info for volumes
 	var mounts []pkg.MountInfo
 	for _, mount := range config.Mounts {
@@ -302,6 +314,7 @@ func (p *Provisioner) containerProvisionImpl(ctx context.Context, reservation *p
 			Memory:      config.Capacity.Memory * mib,
 			Logs:        logs,
 			Stats:       config.Stats,
+			Elevated:    elevated,
 		},
 	)
 	if err != nil {