Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix ownership of containerd/docker sysext files #2266

Merged
merged 3 commits into from
Sep 2, 2024
Merged

fix ownership of containerd/docker sysext files #2266

merged 3 commits into from
Sep 2, 2024

Conversation

jepio
Copy link
Member

@jepio jepio commented Aug 30, 2024

fix ownership of containerd/docker sysext files

Systemd units shipped with the sysext were accidentally owned by the sdk user because we were telling cp to preserve ownership, and the files come from the cloned repo which is owned by the sdk user. Fix the cp invocation and add a check for wrong files before the sysext is created.

See: flatcar/Flatcar#1525

How to use

[ describe what reviewers need to do in order to validate this PR ]

Testing done

[Describe the testing you have done before submitting this PR. Please include both the commands you issued as well as the output you got.]

  • Changelog entries added in the respective changelog/ directory (user-facing change, bug fix, security fix, update)
  • Inspected CI output for image differences: /boot and /usr size, packages, list files for any missing binaries, kernel modules, config files, kernel modules, etc.

jepio added 2 commits August 30, 2024 09:16
@jepio
build_library: Don't preserve file ownership when copying sysext files
ff6279a 
The docker and containerd copy files from the repository, which are owned by
the sdk user. This ownership leaks into the final image, which means the first
created user could edit systemd files. This is bad.

Modify the cp invocation to copy files without preserving ownership. The
sysext-mangle script is called by build_sysext, which is executed using sudo.

Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
@jepio
build_sysext: Add check for invalid file permissions in sysext
247fcc2 
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
@jepio jepio requested a review from a team August 30, 2024 07:51
@jepio
changelog: Add entry for sysext file ownership bugfix
412298c 
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
@github-actions GitHub Actions
Copy link

github-actions bot commented Aug 30, 2024
edited
Loading

Build action triggered: https://github.com/flatcar/scripts/actions/runs/10664680809

@jepio jepio merged commit a7464f7 into main Sep 2, 2024
7 checks passed
jepio added a commit that referenced this pull request Sep 2, 2024
@jepio
Merge pull request #2266 from flatcar/scripts
0230ae0 
fix ownership of containerd/docker sysext files

Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
jepio added a commit that referenced this pull request Sep 2, 2024
@jepio
Merge pull request #2266 from flatcar/scripts
669bc72 
fix ownership of containerd/docker sysext files

Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
jepio added a commit that referenced this pull request Sep 2, 2024
@jepio
Merge pull request #2266 from flatcar/scripts
27a34c1 
fix ownership of containerd/docker sysext files

Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
@jepio jepio removed the lts label Sep 2, 2024
@jepio jepio deleted the jepio/fix-sysext-ownership branch September 2, 2024 09:02
@jepio
Copy link
Member Author

jepio commented Sep 2, 2024

Cherry-picked to stable/beta/alpha, lts doesn't have sysext docker/containerd yet.
Checked the image produced in GHA:

NAME="Flatcar Container Linux by Kinvolk"
ID=flatcar
ID_LIKE=coreos
VERSION=4077.0.0+nightly-20240829-2100-3-g412298cd39
VERSION_ID=4077.0.0
BUILD_ID=nightly-20240829-2100-3-g412298cd39
SYSEXT_LEVEL=1.0
PRETTY_NAME="Flatcar Container Linux by Kinvolk 4077.0.0+nightly-20240829-2100-3-g412298cd39 (Oklo)"
ANSI_COLOR="38;5;75"
HOME_URL="https://flatcar.org/"
BUG_REPORT_URL="https://issues.flatcar.org"
FLATCAR_BOARD="amd64-usr"
CPE_NAME="cpe:2.3:o:flatcar-linux:flatcar_linux:4077.0.0+nightly-20240829-2100-3-g412298cd39:*:*:*:*:*:*:*"
core@localhost /etc/extensions $ sudo mount containerd-flatcar.raw /mnt/
core@localhost /etc/extensions $ ls -laR /mnt/usr/lib/systemd/system/
/mnt/usr/lib/systemd/system/:
total 2
drwxr-xr-x. 4 root root  99 Aug 30 09:36 .
drwxr-xr-x. 3 root root  29 Aug 30 07:57 ..
-rw-r--r--. 1 root root 667 Aug 30 07:57 containerd.service
drwxr-xr-x. 2 root root  49 Aug 30 09:36 multi-user.target.d
drwxr-xr-x. 2 root root  41 Aug 30 07:57 multi-user.target.wants

/mnt/usr/lib/systemd/system/multi-user.target.d:
total 1
drwxr-xr-x. 2 root root 49 Aug 30 09:36 .
drwxr-xr-x. 4 root root 99 Aug 30 09:36 ..
-rw-r--r--. 1 root root 34 Aug 30 09:36 10-containerd-service.conf

/mnt/usr/lib/systemd/system/multi-user.target.wants:
total 1
drwxr-xr-x. 2 root root 41 Aug 30 07:57 .
drwxr-xr-x. 4 root root 99 Aug 30 09:36 ..
lrwxrwxrwx. 1 root root 21 Aug 30 07:57 containerd.service -> ../containerd.service
core@localhost /etc/extensions $ sudo umount /mnt/
core@localhost /etc/extensions $ sudo mount docker-flatcar.raw /mnt/
core@localhost /etc/extensions $ ls -laR /mnt/usr/lib/systemd/system/
/mnt/usr/lib/systemd/system/:
total 3
drwxr-xr-x. 3 root root   82 Aug 30 09:36 .
drwxr-xr-x. 4 root root   44 Aug 30 07:57 ..
-rw-r--r--. 1 root root 1474 Aug 30 07:57 docker.service
-rw-r--r--. 1 root root  198 Aug 30 07:57 docker.socket
drwxr-xr-x. 2 root root   44 Aug 30 09:36 sockets.target.d

/mnt/usr/lib/systemd/system/sockets.target.d:
total 1
drwxr-xr-x. 2 root root 44 Aug 30 09:36 .
drwxr-xr-x. 3 root root 82 Aug 30 09:36 ..
-rw-r--r--. 1 root root 29 Aug 30 09:36 10-docker-socket.conf

@github-actions github-actions bot mentioned this pull request Sep 22, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@chewi chewi chewi approved these changes

Assignees
No one assigned
Labels
alpha beta main stable
Projects
Flatcar tactical, release planning, and roadmap
Status: Implemented
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jepio @chewi @dongsupark