Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

libcontainer: relax validation for absolute paths #3004

Merged
merged 2 commits into from
Jun 10, 2021
Merged

libcontainer: relax validation for absolute paths #3004

merged 2 commits into from
Jun 10, 2021

Conversation

thaJeztah
Copy link
Member

Commits 1f1e91b and 2192670 (#2917) added validation for mountpoints to be an absolute path, to match the OCI specs.

Unfortunately, the old behavior (accepting the path to be a relative path) has been around for a long time, and although "not according to the spec", various higher level runtimes rely on this behavior.

While higher level runtime have been updated to address this requirement, there will be a transition period before all runtimes are updated to carry these fixes.

This patch relaxes the validation, to generate a WARNING instead of failing, allowing runtimes to update (but allowing them to update runc to the current version, which includes security fixes).

We can remove this exception in a future patch release.

relates to #2928, containerd/containerd#5547

@thaJeztah
Copy link
Member Author

@kolyshkin @AkihiroSuda PTAL. Let me know if this is acceptable for v1.0.0 (we can remove it in a patch release after that)

@AkihiroSuda
Copy link
Member

AFAIK, only Docker Swarm-mode was known to have depended on the old behavior, and that was fixed in Docker 20.10.7: moby/moby@afbb127

Is there any other project that depends on the old behavior?

@thaJeztah
Copy link
Member Author

thaJeztah commented Jun 7, 2021
edited
Loading

BuildKit also needed changes, and (I think) for the swarmkit case at least, it's possible that existing services will break after updating (as they would have to be recreated for the new paths to be set); I'm wondering if there would be other situations where this could happen.

@AkihiroSuda
Copy link
Member

BuildKit also needed changes,

Do we have an issue ticket?
BuildKit CI does not seem hitting the issue (for the master branch, at least) moby/buildkit#2143

@thaJeztah
Copy link
Member Author

A fix was merged on master moby/buildkit#2123, and back ported to the v0.8 branch (but no tagged release exists with that fix)

thaJeztah
thaJeztah commented Jun 7, 2021
View reviewed changes
libcontainer/specconv/spec_linux.go Outdated
// Relax validation for backward compatibility
oldDest := m.Destination
var err error
m.Destination, err = filepath.Abs(m.Destination)
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can probably simplify this to filepath.Join("/", ...) (like on BuildKit); let me do so

This was referenced Jun 7, 2021
Closed
Merged
@thaJeztah thaJeztah force-pushed the relax_validation branch 3 times, most recently from dbcf967 to 21aaece Compare June 7, 2021 22:34
@dims
Copy link
Contributor

dims commented Jun 8, 2021

I like this approach. thanks @thaJeztah

AkihiroSuda
AkihiroSuda reviewed Jun 8, 2021
View reviewed changes
libcontainer/specconv/spec_linux.go Outdated
// Relax validation for backward compatibility
// TODO (runc 1.2.0): replace a warning below with
// return nil, fmt.Errorf("mount destination %s not absolute", m.Destination)
logrus.Warnf("mount destination %s not absolute (this won't be supported past runc 1.2.0)", m.Destination)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We are still not sure how our post-v1 version scheme will look like.
So "late 2021" might be better than "1.2.0"?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Think we should make it more "generic"?

Suggested change
logrus.Warnf("mount destination %s not absolute (this won't be supported past runc 1.2.0)", m.Destination)
logrus.Warnf("mount destination %s not absolute (this will no longer be supported in a future release)", m.Destination)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated the description and TODO

@AkihiroSuda AkihiroSuda added this to the 1.0.0 milestone Jun 8, 2021
cyphar
cyphar requested changes Jun 9, 2021
View reviewed changes
Copy link
Member

@cyphar cyphar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You need to disable (t.Skip is fine, with a link to this PR or the linked issue) the TestValidateMounts test.

thaJeztah added 2 commits June 9, 2021 13:15
@thaJeztah
configs/validator: move cgroup validation to the list of checks
dbb3541 
Signed-off-by: Sebastiaan van Stijn <[email protected]>
@thaJeztah
libcontainer: relax validation for absolute paths
b31a934 
Commits 1f1e91b and 2192670
added validation for mountpoints to be an absolute path, to match the OCI
specs.

Unfortunately, the old behavior (accepting the path to be a relative path)
has been around for a long time, and although "not according to the spec",
various higher level runtimes rely on this behavior.

While higher level runtime have been updated to address this requirement,
there will be a transition period before all runtimes are updated to carry
these fixes.

This patch relaxes the validation, to generate a WARNING instead of failing,
allowing runtimes to update (but allowing them to update runc to the current
version, which includes security fixes).

We can remove this exception in a future patch release.

Signed-off-by: Sebastiaan van Stijn <[email protected]>
@thaJeztah
Copy link
Member Author

You need to disable (t.Skip is fine, with a link to this PR or the linked issue) the TestValidateMounts test.

Arf. My mistake; fixed!

kolyshkin
kolyshkin approved these changes Jun 9, 2021
View reviewed changes
Copy link
Contributor

@kolyshkin kolyshkin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

cyphar
cyphar approved these changes Jun 10, 2021
View reviewed changes
Copy link
Member

@cyphar cyphar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

@cyphar cyphar closed this in f454bb1 Jun 10, 2021
@cyphar cyphar merged commit f454bb1 into opencontainers:master Jun 10, 2021
@thaJeztah thaJeztah deleted the relax_validation branch June 10, 2021 15:27
@thaJeztah thaJeztah mentioned this pull request Jun 10, 2021
Closed
@thaJeztah
Copy link
Member Author

Thanks! I opened #3020 to track removal of this.

@sbesson sbesson mentioned this pull request Jun 16, 2021
Merged
@cortiz cortiz mentioned this pull request Jun 22, 2021
Closed
This was referenced Jul 21, 2021
Closed
Closed
@mmguero mmguero mentioned this pull request Feb 9, 2022
Closed
@cpuguy83 cpuguy83 mentioned this pull request Jul 27, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@AkihiroSuda AkihiroSuda AkihiroSuda left review comments

@cyphar cyphar cyphar approved these changes

@kolyshkin kolyshkin kolyshkin approved these changes

Assignees
No one assigned
Labels
impact/changelog
Projects
None yet
Milestone
1.0.0
Development

Successfully merging this pull request may close these issues.
5 participants
@thaJeztah @AkihiroSuda @dims @cyphar @kolyshkin