[docker_image_ctl.j2] Share UTS namespace with host OS #4169

stepanblyschak · 2020-02-19T16:20:35Z

Instead of updating hostname manualy on Config DB hostname change,
simply share containers UTS namespace with host OS.
Ideally, instead of setting --uts=host for every container in SONiC,
this setting can be set per container if feature requires.
One behaviour change is introduced in this commit, when --privileged
or --cap-add=CAP_SYS_ADMIN and --uts=host are combined, container
has privilege to change host OS and every other container hostname.
Such privilege should be fixed by limiting containers capabilities.

Signed-off-by: Stepan Blyschak stepanb@mellanox.com

- What I did

- How I did it

- How to verify it

admin@arc-switch1004:~$ hostname
arc-switch1004
admin@arc-switch1004:~$ docker exec -it swss hostname
arc-switch1004
admin@arc-switch1004:~$ sudo hostname sonic
admin@arc-switch1004:~$ hostname
sonic
admin@arc-switch1004:~$ docker exec -it swss hostname
sonic

- Description for the changelog

- A picture of a cute animal (not mandatory but encouraged)

Instead of updating hostname manualy on Config DB hostname change, simply share containers UTS namespace with host OS. Ideally, instead of setting `--uts=host` for every container in SONiC, this setting can be set per container if feature requires. One behaviour change is introduced in this commit, when `--privileged` or `--cap-add=CAP_SYS_ADMIN` and `--uts=host` are combined, container has privilege to change host OS and every other container hostname. Such privilege should be fixed by limiting containers capabilities. Signed-off-by: Stepan Blyschak <stepanb@mellanox.com>

mykolaf

qiluo-msft

Thanks for this contribution!

jleveque · 2020-02-19T20:05:12Z

Retest vsimage please

jleveque · 2020-02-19T20:09:16Z

Thanks, @stepanblyschak!

I think we could also safely cherry-pick this into the 201911 branch. Any objections?

stepanblyschak · 2020-02-20T08:31:13Z

@jleveque Sure, it should be in 201911

mykolaf · 2020-02-20T09:07:53Z

retest vsimage please

jleveque · 2020-02-20T23:01:01Z

Retest vsimage please

stepanblyschak · 2020-02-25T08:40:30Z

retest vsimage please

lguohan · 2020-02-25T17:42:43Z

retest vsimage please

Instead of updating hostname manualy on Config DB hostname change, simply share containers UTS namespace with host OS. Ideally, instead of setting `--uts=host` for every container in SONiC, this setting can be set per container if feature requires. One behaviour change is introduced in this commit, when `--privileged` or `--cap-add=CAP_SYS_ADMIN` and `--uts=host` are combined, container has privilege to change host OS and every other container hostname. Such privilege should be fixed by limiting containers capabilities. Signed-off-by: Stepan Blyschak <stepanb@mellanox.com> Signed-off-by: Stepan Blyschak <stepanb@mellanox.com> Conflicts: files/build_templates/docker_image_ctl.j2

This reverts commit 1ef7403.

qiluo-msft · 2020-03-02T19:28:14Z

Should we also cherry-pick to 201811 branch? Are you aware of any dependencies, such as docker engine's version?

stepanblyschak · 2020-03-03T21:43:53Z

@qiluo-msft docker engine in 201811 supports this feature. Why do we need to cherry-pick this PR into 201811? The idea behind this PR was to replace updateHostName functionality with simpler approach, but 201811 does not update hostname inside containers.

Instead of updating hostname manualy on Config DB hostname change, simply share containers UTS namespace with host OS. Ideally, instead of setting `--uts=host` for every container in SONiC, this setting can be set per container if feature requires. One behaviour change is introduced in this commit, when `--privileged` or `--cap-add=CAP_SYS_ADMIN` and `--uts=host` are combined, container has privilege to change host OS and every other container hostname. Such privilege should be fixed by limiting containers capabilities. Signed-off-by: Stepan Blyschak <stepanb@mellanox.com>

qiluo-msft · 2020-03-04T00:23:23Z

I notice this PR could not directly cherry-pick, so submit a new one #4219.
The --uts feature is useful to keep host/container hostnames in sync.

rlhui · 2020-03-15T01:30:11Z

@jleveque , based on Qi's last comment, is this PR still needed in 201911? If so, please remove the label and please confirm. Thanks.

jleveque · 2020-03-16T15:41:28Z

@rlhui: Qi's comment is regarding the 201811 branch. This PR still needs to be cherry-picked into 201911.

Instead of updating hostname manualy on Config DB hostname change, simply share containers UTS namespace with host OS. Ideally, instead of setting `--uts=host` for every container in SONiC, this setting can be set per container if feature requires. One behaviour change is introduced in this commit, when `--privileged` or `--cap-add=CAP_SYS_ADMIN` and `--uts=host` are combined, container has privilege to change host OS and every other container hostname. Such privilege should be fixed by limiting containers capabilities. Signed-off-by: Stepan Blyschak <stepanb@mellanox.com>

stepanblyschak requested review from SuvarnaMeenakshi, jleveque, alguadam, lguohan and qiluo-msft and removed request for alguadam February 19, 2020 16:20

nazariig approved these changes Feb 19, 2020

View reviewed changes

mykolaf approved these changes Feb 19, 2020

View reviewed changes

msosyak approved these changes Feb 19, 2020

View reviewed changes

qiluo-msft approved these changes Feb 19, 2020

View reviewed changes

jleveque approved these changes Feb 19, 2020

View reviewed changes

SuvarnaMeenakshi closed this Feb 19, 2020

SuvarnaMeenakshi reopened this Feb 19, 2020

jleveque added Cleanup 💧 Enhancement ➕ Request for 201911 Branch labels Feb 20, 2020

liat-grozovik merged commit 1ef7403 into sonic-net:master Feb 26, 2020

lguohan added a commit that referenced this pull request Feb 28, 2020

Revert "[docker_image_ctl.j2] Share UTS namespace with host OS (#4169)"

e20c26c

This reverts commit 1ef7403.

lguohan mentioned this pull request Feb 28, 2020

Revert "[docker_image_ctl.j2] Share UTS namespace with host OS" #4203

Closed

rlhui added the Included in 201911 Branch label Mar 23, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[docker_image_ctl.j2] Share UTS namespace with host OS #4169

[docker_image_ctl.j2] Share UTS namespace with host OS #4169

stepanblyschak commented Feb 19, 2020

mykolaf left a comment

qiluo-msft left a comment

jleveque commented Feb 19, 2020

jleveque commented Feb 19, 2020

stepanblyschak commented Feb 20, 2020

mykolaf commented Feb 20, 2020

jleveque commented Feb 20, 2020

stepanblyschak commented Feb 25, 2020

lguohan commented Feb 25, 2020

qiluo-msft commented Mar 2, 2020

stepanblyschak commented Mar 3, 2020

qiluo-msft commented Mar 4, 2020

rlhui commented Mar 15, 2020

jleveque commented Mar 16, 2020

[docker_image_ctl.j2] Share UTS namespace with host OS #4169

[docker_image_ctl.j2] Share UTS namespace with host OS #4169

Conversation

stepanblyschak commented Feb 19, 2020

mykolaf left a comment

Choose a reason for hiding this comment

qiluo-msft left a comment

Choose a reason for hiding this comment

jleveque commented Feb 19, 2020

jleveque commented Feb 19, 2020

stepanblyschak commented Feb 20, 2020

mykolaf commented Feb 20, 2020

jleveque commented Feb 20, 2020

stepanblyschak commented Feb 25, 2020

lguohan commented Feb 25, 2020

qiluo-msft commented Mar 2, 2020

stepanblyschak commented Mar 3, 2020

qiluo-msft commented Mar 4, 2020

rlhui commented Mar 15, 2020

jleveque commented Mar 16, 2020