[WIP] Make vtpm run as a non-root user #3060
Signed-off-by: Shahriyar Jalayeri <shahriyar@zededa.com>
@@ -70,6 +70,17 @@ FROM scratch | |||
|
|||
COPY --from=build /out/ / | |||
COPY init.sh /usr/bin/ | |||
|
|||
# HACK BEGIN |
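Review bot: the `# HACK BEGIN` marker that closes this hunk opens a workaround without saying what it works around; given the PR description's point that `USER` in the Dockerfile is not honoured at runtime, add a comment right after the marker stating how the block switches the service to the non-root user instead, plus a reference to a tracking issue so the block can be removed once a proper fix lands. Since `COPY init.sh /usr/bin/` is the entrypoint the container starts as root (`docker ps` in this thread shows `"/usr/bin/init.sh"`), if the privilege drop happens inside `init.sh` the comment should say so, otherwise a reader of the Dockerfile cannot tell where root is given up.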
@deitch do you have an example of Linuxkit containers running with a particular user and group id?
ping @deitch
Can't you configure it in the json file? - https://github.com/linuxkit/linuxkit/blob/master/pkg/init/cmd/service/prepare.go#L35
@christoph-zededa looks like that is to use/create a user namespace, and not a user. Let me ping @deitch offline.
I will take a look. Sorry for not responding earlier; GitHub alert overload makes me miss a few things.
There was some logic we added a while back to collect containerd logs, in case it is containerd itself that is having an issue. That often scrolls by on console without a chance to see it. I will see if I can find it.
Ah, yes, here it is. vtpm is under `services:` and not `onboot:`, right? So containerd is running it.
See if this helps, build an image with modified containerd logging and see if that gives anything.
I moved it up to the `onboot`, now eve just freezes trying to execute it (without any onscreen log). I'm not acquainted with linuxkit, but tried to export it and load in docker and this happens:
make IMAGE=lfedge/eve-vtpm:8979f64dd03931c6a6453b7b30ba61e2ad69ef28-dirty-95d5ec3 cache-export-docker-load
docker run -it lfedge/eve-vtpm:8979f64dd03931c6a6453b7b30ba61e2ad69ef28-dirty-95d5ec3
and:
docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
37af2d2fb908 lfedge/eve-vtpm:8979f64dd03931c6a6453b7b30ba61e2ad69ef28-dirty-95d5ec3 "/usr/bin/init.sh" About a minute ago Up About a minute blissful_newton
f859888a7475 moby/buildkit:v0.11.0-rc2 "buildkitd --allow-i…" 10 days ago Up 10 days linuxkit-builder
then:
docker exec -it lfedge/eve-vtpm:8979f64dd03931c6a6453b7b30ba61e2ad69ef28-dirty-95d5ec3 /bin/sh
Error response from daemon: No such container: lfedge/eve-vtpm:8979f64dd03931c6a6453b7b30ba61e2ad69ef28-dirty-95d5ec3
I'm out of ideas.
That's your image. Your container ID is 37af2d2fb908
Did you try the containerd logging?
@eriknordmark yes I would like to have both DAC and MAC properly in place, I will try once more and then ask Avi if unsuccessful.
I'm trying to make vtpm run as a non-root user. I have tried the USER configuration in the Dockerfile and also in the docker-compose file, but for some reason unknown to me it is not respected, and no matter what it gets executed as the root user at run-time.
This is a hacky way to make it run as a non-root user and be functional.
Any alternative solution?
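As an added example that is not part of this PR or of the EVE/LinuxKit code, here is a small POSIX shell check for the question this thread keeps circling: does the service really run as non-root, and if not, is it the image (no `USER` recorded) or the runtime (User recorded but ignored) that is at fault? It compares the `Config.User` field of the image config, which is what `USER` in a Dockerfile produces, with the effective uid on the `Uid:` line of the live process's `/proc/1/status`. The JSON fragment and the `/proc` status text below are constructed samples so the script runs offline; on a real container they come from `docker image inspect <image>` (or `docker inspect <container-id>`) and `docker exec <container-id> cat /proc/1/status`.

```shell
#!/bin/sh
# Added example (not the PR's or project's code): check whether a container
# service runs as non-root, from both the image config and the live process.
# All sample inputs are constructed for illustration.

# Constructed sample: the relevant part of an image config as printed by
# `docker image inspect`, for an image built with USER 1000:1000.
SAMPLE_IMAGE_CONFIG='{"Config":{"Hostname":"","User":"1000:1000","Entrypoint":["/usr/bin/init.sh"]}}'

# Constructed sample: head of /proc/1/status for a process whose real,
# effective, saved and fs uids are all 0, i.e. it runs as root.
SAMPLE_STATUS_ROOT='Name:   init.sh
Umask:  0022
State:  S (sleeping)
Tgid:   1
Pid:    1
Uid:    0       0       0       0
Gid:    0       0       0       0'

# image_user CONFIG_JSON
# Prints the value of Config.User. Empty output means no USER was set in the
# image, which the runtime treats as root. sed is enough for this one flat
# string field, so there is no jq dependency.
image_user() {
    printf '%s\n' "$1" | sed -n 's/.*"User":"\([^"]*\)".*/\1/p'
}

# status_euid STATUS_TEXT
# Prints the effective uid: the second number on the "Uid:" line, which is
# field 3 once awk splits on whitespace (tabs in real /proc output).
status_euid() {
    printf '%s\n' "$1" | awk '/^Uid:/ { print $3; exit }'
}

# check_nonroot CONFIG_JSON STATUS_TEXT
# Returns 0 only when both the image config and the live process are
# non-root. The case this PR describes is "User present in the image but
# process still euid 0": the runtime did not honour the image setting.
check_nonroot() {
    user=$(image_user "$1")
    euid=$(status_euid "$2")
    case "$user" in
        ""|0|root|0:*|root:*) echo "image config: runs as root (User='$user')"; img_ok=1 ;;
        *)                    echo "image config: User='$user'";               img_ok=0 ;;
    esac
    if [ "$euid" = "0" ]; then
        echo "live process: euid 0 (root)"; proc_ok=1
    else
        echo "live process: euid $euid";    proc_ok=0
    fi
    [ "$img_ok" -eq 0 ] && [ "$proc_ok" -eq 0 ]
}

# Stand-alone run on the constructed samples: USER is recorded in the image
# but the process is root, so the check reports a runtime problem.
if check_nonroot "$SAMPLE_IMAGE_CONFIG" "$SAMPLE_STATUS_ROOT"; then
    echo "RESULT: non-root in image and at runtime"
else
    echo "RESULT: NOT running as non-root (see lines above for which side fails)"
fi
```

The split matters for debugging: if `image_user` prints nothing, the `USER` line never made it into the image that was actually loaded (wrong tag, stale cache); if it prints a uid but the process is still euid 0, the runtime started the entrypoint as root regardless, which is the situation the PR description reports.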