[WIP] Make vtpm run as a non-root user #3060
Conversation
Signed-off-by: Shahriyar Jalayeri <shahriyar@zededa.com>
| @@ -70,6 +70,17 @@ FROM scratch | |||
|
|
|||
| COPY --from=build /out/ / | |||
| COPY init.sh /usr/bin/ | |||
|
|
|||
| # HACK BEGIN | |||
There was a problem hiding this comment.
@deitch do you have an example of Linuxkit containers running with a particular user and group id?
There was a problem hiding this comment.
Can't you configure it in the json file? - https://github.com/linuxkit/linuxkit/blob/master/pkg/init/cmd/service/prepare.go#L35
There was a problem hiding this comment.
@christoph-zededa looks like that is to use/create a user namespace, and not a user. Let me ping @deitch offline.
There was a problem hiding this comment.
I will take a look. Sorry for not responding earlier; GitHub alert overload makes me miss a few things.
There was a problem hiding this comment.
There was some logic we added a while back to collect containerd logs, in case it is containerd itself that is having an issue. That often scrolls by on console without a chance to see it. I will see if I can find it.
There was a problem hiding this comment.
Ah, yes, here it is. vtpm is under services: and not onboot:, right? So containerd is running it.
See if this helps, build an image with modified containerd logging and see if that gives anything.
There was a problem hiding this comment.
I moved it up to the onboot, now eve just freeze trying to execute it (without any onscreen log), I'm not acquainted with linuxkit, but tried to export it and load in docker and this happens:
make IMAGE=lfedge/eve-vtpm:8979f64dd03931c6a6453b7b30ba61e2ad69ef28-dirty-95d5ec3 cache-export-docker-load
docker run -it lfedge/eve-vtpm:8979f64dd03931c6a6453b7b30ba61e2ad69ef28-dirty-95d5ec3
and :
docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
37af2d2fb908 lfedge/eve-vtpm:8979f64dd03931c6a6453b7b30ba61e2ad69ef28-dirty-95d5ec3 "/usr/bin/init.sh" About a minute ago Up About a minute blissful_newton
f859888a7475 moby/buildkit:v0.11.0-rc2 "buildkitd --allow-i…" 10 days ago Up 10 days linuxkit-builder
then :
docker exec -it lfedge/eve-vtpm:8979f64dd03931c6a6453b7b30ba61e2ad69ef28-dirty-95d5ec3 /bin/sh
Error response from daemon: No such container: lfedge/eve-vtpm:8979f64dd03931c6a6453b7b30ba61e2ad69ef28-dirty-95d5ec3
I'm out of ideas.
There was a problem hiding this comment.
That's your image. Your container ID is 37af2d2fb908
There was a problem hiding this comment.
Did you try the containerd logging?
|
@eriknordmark yes I would like to have both DAC and MAC properly in place, I will try once more and then ask Avi if unsuccessful. |
I'm trying to make vtpm run with a non-root user, I have tried the USER configuration in docker file and also in the docker-compose file, but for some reason unknown to me it is not respected, and no matter what it gets executed as root user in run-time.
This is a hacky way to make it run as a non-root user and be functional.
any alternative solution?