[build_templates] [hostcfgd] Keep containers hostname up to date #2924

msosyak · 2019-05-20T14:08:16Z

- What I did
Implemented logic to keep containers hostname up to date

- How I did it

Added updateHostName function to docker_image_ctl.j2
Added hostname specification on container creating step
Added listener for hostname changes in hostcfgd which call updateHostName for all running containers if an appropriate script(generated from docker_image_ctl.j2) exist in /usr/bin

- How to verify it
Change hostname in config_db.json
Load new configuration
Check hostname in containers

- Description for the changelog
Added logic to keep containers hostname up to date

@akokhan @pyadvichuk @vsenchyshyn @qiluo-msft @jleveque @lguohan

msftclas · 2019-05-20T14:08:30Z

All CLA requirements met.

files/image_config/hostcfgd/hostcfgd

files/build_templates/docker_image_ctl.j2

qiluo-msft · 2019-05-22T01:09:12Z

files/build_templates/docker_image_ctl.j2

@@ -153,6 +180,7 @@ start() {
 {%- endif %}
        --tmpfs /tmp \
        --tmpfs /var/tmp \
+        --hostname $HOSTNAME \


$HOSTNAME [](start = 19, length = 9)

Possible input injection #Closed

Still possible. For example:
sonichost"; rm -rf /; echo "

In reply to: 286279985 [](ancestors = 286279985)

Bash did not process metacharacters from variables only metacharacters directly present in a script or interpreter line.
It is easy to check by the next commands:

print_args() { while (( "$#" )); do echo $1 shift done } X="hostName" Y='sonic"; echo injection; echo "' print_args --hostname "$X" --name cname #output >>> --hostname hostName --name cname print_args --hostname "$Y" --name cname #output >>> --hostname sonic"; echo injection; echo " --name cname

I thought that CVE-2016-0634 can be exploited there. But sonic use bash 4.4

So, for any case added validation for allowed characters in a hostname. #Closed

@qiluo-msft Could we close this conversation?

Nice comments! Really appreciate the clarification and reference.

In reply to: 286898693 [](ancestors = 286898693)

qiluo-msft

As comments

myronsosyak · 2019-05-22T11:34:34Z

Review comments fixed

mykolaf · 2019-05-23T12:18:39Z

Please use a standard commit message format:

[component/folder touched]: Description intent of your changes

[List of changes]

Signed-off-by: Your Name your@email.com

e.g. [image config] Keep containers hostname up to date

* Add updateHostName function to docker_image_ctl.j2 * Add hostname specification on container creating step * Add listener for hostname changes in hostcfgd Signed-off-by: Myron Sosyak <msosyak@barefootnetworks.com>

files/build_templates/docker_image_ctl.j2

jleveque

Please fix typo in log message per comment above.

files/image_config/hostcfgd/hostcfgd

Signed-off-by: Myron Sosyak <msosyak@barefootnetworks.com>

akokhan · 2019-06-04T08:42:39Z

@jleveque , @lguohan ,
as I see, all review comments are resolved now. Is there anything else that blocks us from merging this PR?

jleveque · 2019-06-04T16:17:27Z

Retest this please

…lly (#16785) #### Why I did it src/sonic-swss ``` * b9313df0 - (HEAD -> master, origin/master, origin/HEAD) Reducing the severity of oper fec attribute get failure (#2924) (89 minutes ago) [Sudharsan Dhamal Gopalarathnam] * cb98893f - Add support for SEND_TO_INGRESS port table. (#2816) (19 hours ago) [Yilan Ji] * 966c5bb0 - [Dash] Fix wrong table name for acl_out_table (#2911) (2 days ago) [Ze Gan] * 35996350 - [FEC]Auto FEC initial changes (#2893) (8 days ago) [Sudharsan Dhamal Gopalarathnam] ``` #### How I did it #### How to verify it #### Description for the changelog

jleveque requested review from lguohan and qiluo-msft May 22, 2019 00:34