Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security review: launch build containers in a separate ephemeral Docker bridge network #2219

Closed
1 task
natalieparellano opened this issue Apr 23, 2024 · 2 comments · Fixed by buildpacks/pack-private#50
Closed
1 task

Security review: launch build containers in a separate ephemeral Docker bridge network #2219

natalieparellano opened this issue Apr 23, 2024 · 2 comments · Fixed by buildpacks/pack-private#50
Assignees
@natalieparellano

Comments

@natalieparellano
Copy link
Member

natalieparellano commented Apr 23, 2024
edited
Loading

Description

In the security review, this is MED-2: Docker permissive inter-container connectivity. The action plan asks us to ensure that

Launch the Docker build containers in a separate ephemeral Docker bridge network

Reference: https://docs.docker.com/network/network-tutorial-standalone/#use-user-defined-bridge-networks

Proposed solution

If pack build --network is NOT set, we should

  • create an ephemeral bridge network
  • start containers with this network
  • tear the network down after the build (or if the build fails for any reason)

We'll probably need to pass --network=host to more acceptance tests, so that build containers can reach the test registry. This ended up not being needed (we are already setting the network for these tests)

Additional context

  • This feature should be documented somewhere
@natalieparellano natalieparellano mentioned this issue Jul 1, 2024
Merged
@natalieparellano natalieparellano self-assigned this Jul 1, 2024
@natalieparellano natalieparellano transferred this issue from buildpacks/pack-private Jul 17, 2024
@natalieparellano natalieparellano mentioned this issue Jul 17, 2024
Closed
1 task
@modulo11
Copy link
Contributor

This change broke setups using podman. Apparently slashes are not allowed while it's perfectly fine for docker:

Using build cache volume pack-cache-library_node-npm-sample_latest-a3b5329b03b5.build
ERROR: failed to build: executing lifecycle: failed to create ephemeral bridge network: Error response from daemon: network name pack.local/network/7176696877677273646a invalid: names must match [a-zA-Z0-9][a-zA-Z0-9_.-]*: invalid argument

@natalieparellano
Copy link
Member Author

Apparently slashes are not allowed while it's perfectly fine for docker

That is unfortunate. I'll put up a fix for this. We can release it in the next patch.

natalieparellano added a commit that referenced this issue Jul 31, 2024
@natalieparellano
Fix ephemeral bridge network name for podman
6bf1947 
See #2219 (comment)

Signed-off-by: Natalie Arellano <narellano@vmware.com>
This was referenced Jul 31, 2024
Merged
Closed
natalieparellano added a commit that referenced this issue Aug 5, 2024
@natalieparellano
Fix ephemeral bridge network name for podman
56f4bf5 
See #2219 (comment)

Signed-off-by: Natalie Arellano <narellano@vmware.com>
@9numbernine9 9numbernine9 mentioned this issue Sep 4, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@natalieparellano natalieparellano

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Launch build containers in a separate ephemeral Docker bridge network buildpacks/pack-private
2 participants
@natalieparellano @modulo11