From 6292b1579390788e1734c7ca6ab0bf1cb7701b0f Mon Sep 17 00:00:00 2001
From: Lugossy Zoltan
Date: Mon, 8 Aug 2022 18:25:35 +0200
Subject: [PATCH 1/2] CAP_DAC_OVERRIDE no longer needed by non-root to interact with NSM

Since NSM v1.5 CAP_DAC_OVERRIDE capability is no longer required to interact with the nsm-sock mounted as hostPath volume.
https://github.com/networkservicemesh/cmd-nsmgr/issues/510
Affected images: proxy, load-balancer, TAPA, NSC
(The official NSM cmd-nsc image can be used again. No need for a custom Dockerfile, unless e.g. ping is required to work.)
Note: New images will NOT work on older NSM versions
---
build/load-balancer/Dockerfile | 4 +---
build/proxy/Dockerfile | 4 +---
build/tapa/Dockerfile | 3 ---
3 files changed, 2 insertions(+), 9 deletions(-)

diff --git a/build/load-balancer/Dockerfile b/build/load-balancer/Dockerfile
index e61eec0c..4b6bb3af 100644
--- a/build/load-balancer/Dockerfile
+++ b/build/load-balancer/Dockerfile
@@ -33,9 +33,7 @@ RUN addgroup --gid $UID $USER \
 WORKDIR $HOME
 COPY --from=build /app/load-balancer .
 COPY --from=lb-builder /bin/nfqlb /bin/nfqlb
-# cap_dac_override required by non-root user because of nsm-socket hostPath file permissions
-# (while file permissions of hostPath unix spire-agent-socket grant "write" access for "others")
-RUN setcap 'cap_net_admin,cap_dac_override+ep' ./load-balancer \
+RUN setcap 'cap_net_admin+ep' ./load-balancer \
 && chown root:root /bin/nfqlb && setcap 'cap_net_admin,cap_ipc_lock,cap_ipc_owner+ep' /bin/nfqlb \
 && setcap 'cap_net_admin+ep' /usr/sbin/nft
 USER ${UID}:${UID}
diff --git a/build/proxy/Dockerfile b/build/proxy/Dockerfile
index aece5685..d4ce2f41 100644
--- a/build/proxy/Dockerfile
+++ b/build/proxy/Dockerfile
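Review bot: The rewritten `RUN setcap 'cap_net_admin+ep' ./load-balancer \` line drops the only comment in this Dockerfile that explained the file capabilities, so nothing here records that the `+ep` bits on ./load-balancer, /bin/nfqlb and /usr/sbin/nft still have to be matched by the pod's securityContext. Because the image switches to `USER ${UID}:${UID}`, a file capability the container is not granted is not just quietly dropped — the second commit message states that such binaries will not start at all — so manifests and images have to be changed in lockstep. A short comment above the setcap line would keep that coupling visible, e.g. `# File caps below require the pod securityContext to add NET_ADMIN, IPC_LOCK and IPC_OWNER (a non-root exec fails otherwise); NSM >= v1.5 no longer needs cap_dac_override for the hostPath nsm socket.` The `RUN addgroup` instruction named in the hunk header begins outside the hunk.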
@@ -28,8 +28,6 @@ RUN addgroup --gid $UID $USER \
 && chown -R :root "${HOME}" && chmod -R g+s=u "${HOME}"
 WORKDIR $HOME
 COPY --from=build /app/proxy .
-# cap_dac_override required by non-root user because of nsm-socket hostPath file permissions
-# (while file permissions of hostPath unix spire-agent-socket grant "write" access for "others")
-RUN setcap 'cap_net_admin,cap_dac_override+ep' ./proxy
+RUN setcap 'cap_net_admin+ep' ./proxy
 USER ${UID}:${UID}
 CMD ["./proxy"]
diff --git a/build/tapa/Dockerfile b/build/tapa/Dockerfile
index 0d4c2a22..33799766 100644
--- a/build/tapa/Dockerfile
+++ b/build/tapa/Dockerfile
@@ -28,8 +28,5 @@ RUN addgroup --gid $UID $USER \
 && chown -R :root "${HOME}" && chmod -R g+s=u "${HOME}"
 WORKDIR $HOME
 COPY --from=build /app/tapa .
-# cap_dac_override required by non-root user because of nsm-socket hostPath file permissions
-# (while file permissions of hostPath unix spire-agent-socket grant "write" access for "others")
-RUN setcap 'cap_dac_override+ep' ./tapa
 USER ${UID}:${UID}
 CMD ["./tapa"]
From d675b15d254f005dc3d5ae992475dbb16f909bad Mon Sep 17 00:00:00 2001
From: Lugossy Zoltan
Date: Tue, 9 Aug 2022 13:33:51 +0200
Subject: [PATCH 2/2] docs; update list of privileges according to NSM v1.5

Note: images must be in sync (binaries with excess file capabilities will NOT start if said capabilities are not provided to the container)
---
docs/load-balancer.md | 1 -
docs/proxy.md | 1 -
docs/tapa.md | 4 +---
docs/user-application.md | 4 +---
4 files changed, 2 insertions(+), 8 deletions(-)

diff --git a/docs/load-balancer.md b/docs/load-balancer.md
index d15f92e1..bc954f62 100644
--- a/docs/load-balancer.md
+++ b/docs/load-balancer.md
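Review bot: With the setcap line gone the tapa image carries no file capabilities at all, yet it still depends on the hostPath NSM socket being accessible to a non-root user — a property the commit message ties to NSM v1.5 and later — and the Dockerfile now has no trace of that requirement, so on an older NSM the only symptom would be a runtime permission error. Suggest keeping a one-line comment where the removed block was, e.g. `# No file caps needed: non-root access to the hostPath nsm socket requires NSM >= v1.5 (cmd-nsmgr#510).` Since the process runs as `USER ${UID}:${UID}` with no file capabilities, a manifest that still adds DAC_OVERRIDE would presumably not reach the process's effective set, which is worth stating in the same comment so stale pod specs get cleaned up rather than relied on. The `RUN addgroup` instruction referenced by the hunk header starts outside the hunk.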
@@ -60,6 +60,5 @@ Sysctl: net.ipv6.fib_multipath_hash_policy=1 |
 Sysctl: net.ipv4.conf.all.rp_filter=0 |
 Sysctl: net.ipv4.conf.default.rp_filter=0 |
 NET_ADMIN | The load balancer configures IP rules and IP routes to steer packets (processed by [nfqueue-loadbalancer program](https://github.com/Nordix/nfqueue-loadbalancer)) to targets. The user space load balancer program relies on [libnetfilter_queue](https://netfilter.org/projects/libnetfilter_queue).
-DAC_OVERRIDE | The load balancer requires access to a unix socket provided by a hostPath volume to interact with NSM.
 IPC_LOCK | The user space load balancer program uses shared memory.
 IPC_OWNER | The user space load balancer program uses shared memory.
diff --git a/docs/proxy.md b/docs/proxy.md
index 6d75ad26..927edd48 100644
--- a/docs/proxy.md
+++ b/docs/proxy.md
@@ -72,4 +72,3 @@ Sysctl: net.ipv6.fib_multipath_hash_policy=1 |
 Sysctl: net.ipv4.conf.all.rp_filter=0 |
 Sysctl: net.ipv4.conf.default.rp_filter=0 |
 NET_ADMIN | The proxy creates IP rules, IP routes, bridge interfaces and modifies NSM interfaces to link them to bridge interfaces.
-DAC_OVERRIDE | The proxy requires access to a unix socket provided by a hostPath volume to interact with NSM.
diff --git a/docs/tapa.md b/docs/tapa.md
index e55bfc89..5353586f 100644
--- a/docs/tapa.md
+++ b/docs/tapa.md
@@ -80,6 +80,4 @@ TODO
 ## Privileges
-Name | Description
---- | ---
-DAC_OVERRIDE | The TAPA requires access to a unix socket provided by a hostPath volume to interact with NSM.
+No privileges required.
diff --git a/docs/user-application.md b/docs/user-application.md
index 99ddb41c..047b01dc 100644
--- a/docs/user-application.md
+++ b/docs/user-application.md
@@ -35,8 +35,6 @@ Here is the minimal TAPA container specification required:
 capabilities:
 drop:
 - all
- add:
- - DAC_OVERRIDE
 ```
 Additional configuration via environment variables can be found on the [TAPA Configuration](tapa.md#configuration) documentation page.
@@ -44,7 +42,7 @@ Additional configuration via environment variables can be found on the [TAPA Con
 ### Volumes
 Four Volumes must be added to the pod. Spire and NSM are required to access the socket files to communicate with the APIs. And the Meridio volume provides a socket file user container can use to communicate with the TAPA API.
-If readOnlyRootFilesystem is enabled, the tmp volume provides a writable mount to create the health server socket that can be used by liveness, startup probes.
+If readOnlyRootFilesystem is enabled, the tmp volume provides a writable mount to create the health server unix socket that can be used by liveness, startup probes.
 ```yaml
 volumes: