From 28f74c99f628747c2dd3180e9e767bfaa46f4246 Mon Sep 17 00:00:00 2001
From: Maxime Daniel
Date: Thu, 25 Feb 2021 11:15:02 +0200
Subject: [PATCH] container: allow elevated privileged container for specific flist (#1188)

* container: enable elevated privileges for specific containers

When starting a container with a specific flist url (need to be changed), enable a special 'elevated' flag. Elevated container are started with CAP_SYS_ADMIN and /dev/fuse device availaible, to allow FUSE working properly inside the container. This needs to be enabled only for trusted flist, since theses container have extra privileges.

* container: add const explaination

* provisiond: make elevated url matching repository based
---
 pkg/container.go | 2 ++
 pkg/container/container.go | 10 ++++++++++
 pkg/provision/primitives/container.go | 13 +++++++++++++
 3 files changed, 25 insertions(+)

diff --git a/pkg/container.go b/pkg/container.go
index 759a5088e..34a4dcb29 100644
--- a/pkg/container.go
+++ b/pkg/container.go
@@ -55,6 +55,8 @@ type Container struct {
 	Logs []logger.Logs
 	// Stats container metrics backend
 	Stats []stats.Stats
+	// Elevated privileges (to use fuse inside)
+	Elevated bool
 }
 
 // ContainerModule defines rpc interface to containerd
diff --git a/pkg/container/container.go b/pkg/container/container.go
index fd7f7cdfb..b8da60dc4 100644
--- a/pkg/container/container.go
+++ b/pkg/container/container.go
@@ -186,6 +186,16 @@ func (c *Module) Run(ns string, data pkg.Container) (id pkg.ContainerID, err err
 		WithCPUCount(data.CPU),
 	}
 
+	if data.Elevated {
+		log.Warn().Msg("elevated container requested")
+
+		opts = append(
+			opts,
+			oci.WithAddedCapabilities([]string{"CAP_SYS_ADMIN"}),
+			oci.WithLinuxDevice("/dev/fuse", "rwm"),
+		)
+	}
+
 	if data.WorkingDir != "" {
 		opts = append(opts, oci.WithProcessCwd(data.WorkingDir))
 	}
diff --git a/pkg/provision/primitives/container.go b/pkg/provision/primitives/container.go
index 3b82de4a8..83228692d 100644
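Review bot: The comment on the new `Elevated` field in the `Container` struct understates what the flag grants; a reader of `pkg.Container` cannot tell that setting it means CAP_SYS_ADMIN plus the `/dev/fuse` device, which is a great deal more than "use fuse inside". I would document it at the declaration: `// Elevated grants the container CAP_SYS_ADMIN and the /dev/fuse device so FUSE can be mounted inside it. CAP_SYS_ADMIN is near root-equivalent on a shared kernel; set it only for trusted images.` Since this struct appears to be the payload of the ContainerModule RPC interface declared just below the hunk, that comment is also the only warning a remote caller of the interface will ever see.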
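Review bot: In `Run`, `data.Elevated` is honoured unconditionally, so the flist allow-list added in provisiond is the only thing standing between an RPC caller and CAP_SYS_ADMIN; if the ContainerModule interface is reachable by any component other than provisiond, the same check needs to be enforced here (or the privilege decision moved into this module), otherwise any caller can set the flag for an arbitrary image. Independently, the warning logged on the first added line carries no identifier, so the audit trail cannot say which container was elevated; at minimum record the namespace, `log.Warn().Str("namespace", ns).Msg("elevated container requested")`, and the container name or flist if `pkg.Container` carries them. Note also that CAP_SYS_ADMIN covers far more than FUSE mounts, so if the use case can be met with a user namespace (FUSE is mountable there on recent kernels) that would be the smaller privilege. `Run` continues outside this hunk.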
--- a/pkg/provision/primitives/container.go
+++ b/pkg/provision/primitives/container.go
@@ -7,6 +7,7 @@ import (
 	"net"
 	"os"
 	"path"
+	"strings"
 	"time"
 
 	"github.com/cenkalti/backoff/v3"
@@ -105,6 +106,9 @@ type ContainerCapacity struct {
 	DiskSize uint64 `json:"disk_size"`
 }
 
+// FListElevated url of privileged container
+const FListElevated = "https://hub.grid.tf/tf-elevated/"
+
 func (p *Provisioner) containerProvision(ctx context.Context, reservation *provision.Reservation) (interface{}, error) {
 	return p.containerProvisionImpl(ctx, reservation)
 }
@@ -239,6 +243,7 @@ func (p *Provisioner) containerProvisionImpl(ctx context.Context, reservation *p
 		ReadOnly: false,
 		Type: config.Capacity.DiskType,
 	}
+
 	if rootfsMntOpt.Limit == 0 || rootfsMntOpt.Type == "" {
 		rootfsMntOpt = pkg.DefaultMountOptions
 	}
@@ -249,6 +254,13 @@ func (p *Provisioner) containerProvisionImpl(ctx context.Context, reservation *p
 		return ContainerResult{}, err
 	}
 
+	var elevated = false
+
+	if strings.HasPrefix(config.FList, FListElevated) {
+		// Enable fuse access to this specific flist
+		elevated = true
+	}
+
 	// prepare mount info for volumes
 	var mounts []pkg.MountInfo
 	for _, mount := range config.Mounts {
@@ -302,6 +314,7 @@ func (p *Provisioner) containerProvisionImpl(ctx context.Context, reservation *p
 			Memory: config.Capacity.Memory * mib,
 			Logs: logs,
 			Stats: config.Stats,
+			Elevated: elevated,
 		},
 	)
 	if err != nil {
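Review bot: The doc comment `// FListElevated url of privileged container` says neither what the constant is (a hub repository prefix, per the commit message) nor what trusting it implies, and the commit message itself says the value still "need[s] to be changed". I would write: `// FListElevated is the hub repository prefix whose flists are started with CAP_SYS_ADMIN and /dev/fuse (see pkg/container). Anyone able to publish under this prefix can run privileged containers on every node, so it must only point at a repository controlled by a trusted publisher.` The trailing slash in the value is what keeps a sibling repository such as `tf-elevated-foo` from matching the prefix check; a one-line note saying so would stop someone from dropping it later.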
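Review bot: `strings.HasPrefix(config.FList, FListElevated)` is a textual prefix check on a URL that appears to come from the reservation, so an flist such as `https://hub.grid.tf/tf-elevated/../other-repo/evil.flist` (or its percent-encoded form) passes the check while, if the hub or the fetching code normalises dot segments, the bytes actually mounted come from a different repository; whether that resolution happens is not visible here, but the privilege decision should not depend on it. Parse the URL and compare scheme, host and the cleaned path separately (this needs `net/url`; `path` is already imported in this file), and keep the failure mode strict: any parse error means not elevated. The trailing `/` on the repository path preserves the current protection against `tf-elevated-foo` matching. `containerProvisionImpl` starts and ends outside this hunk.
```go
	// … unchanged: rootfs mount option setup …
	elevated := false
	if u, err := url.Parse(config.FList); err == nil &&
		u.Scheme == "https" && u.Host == "hub.grid.tf" &&
		strings.HasPrefix(path.Clean(u.Path), "/tf-elevated/") {
		// Enable fuse access to this specific flist
		elevated = true
	}
	// … unchanged: mount preparation …
```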