Fix running konnectivity-server as non-root and misc cleanups
Fix running konnectivity-server as non-root user `konnectivity-server`
by creating a directory for the unix socket with the proper permissions.

Replace path.Join with filepath.Join since we are joining file paths and
not URLs.

Drop github.com/pkg/errors in favor of fmt.Errorf (see k0sproject#227)

Signed-off-by: Natanael Copa <ncopa@mirantis.com>
ncopa committed Nov 17, 2020
1 parent d8dac59 commit 26e78c0
Showing 1 changed file with 20 additions and 9 deletions.
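--- a/pkg/component/server/konnectivity.go
+++ b/pkg/component/server/konnectivity.go
@@ -18,9 +18,8 @@ package server
 import (
 "fmt"
 "os"
-"path"
+"path/filepath"
 
-"github.com/pkg/errors"
 "github.com/sirupsen/logrus"
 
 config "github.com/k0sproject/k0s/pkg/apis/v1beta1"
@@ -39,16 +38,28 @@ type Konnectivity struct {
 LogLevel string
 }
 
+var konnectivitySocketDir = filepath.Join(constant.RunDir, "konnectivity-server")
+
 // Init ...
 func (k *Konnectivity) Init() error {
 var err error
 k.uid, err = util.GetUID(constant.KonnectivityServerUser)
 if err != nil {
-logrus.Warning(errors.Wrap(err, "Running konnectivity as root"))
+logrus.Warning(fmt.Errorf("Running konnectivity as root: %v", err))
 }
 
 k.gid, _ = util.GetGID(constant.Group)
 
+err = util.InitDirectory(konnectivitySocketDir, 0755)
+if err != nil {
+return fmt.Errorf("failed to initialize directory %s: %v", konnectivitySocketDir, err)
+}
+
+err = os.Chown(konnectivitySocketDir, k.uid, k.gid)
+if err != nil && os.Geteuid() == 0 {
+return fmt.Errorf("failed to chown %s: %v", konnectivitySocketDir, err)
+}
+
 return assets.Stage(constant.BinDir, "konnectivity-server", constant.BinDirMode, constant.Group)
 }
 
@@ -60,9 +71,9 @@ func (k *Konnectivity) Run() error {
 BinPath: assets.BinPath("konnectivity-server"),
 Dir: constant.DataDir,
 Args: []string{
-fmt.Sprintf("--uds-name=%s", path.Join(constant.RunDir, "konnectivity-server.sock")),
-fmt.Sprintf("--cluster-cert=%s", path.Join(constant.CertRootDir, "server.crt")),
-fmt.Sprintf("--cluster-key=%s", path.Join(constant.CertRootDir, "server.key")),
+fmt.Sprintf("--uds-name=%s", filepath.Join(konnectivitySocketDir, "konnectivity-server.sock")),
+fmt.Sprintf("--cluster-cert=%s", filepath.Join(constant.CertRootDir, "server.crt")),
+fmt.Sprintf("--cluster-key=%s", filepath.Join(constant.CertRootDir, "server.key")),
 fmt.Sprintf("--kubeconfig=%s", constant.AdminKubeconfigConfigPath), // FIXME: should have user rights
 "--mode=grpc",
 "--server-port=0",
@@ -97,7 +108,7 @@ type konnectivityAgentConfig struct {
 }
 
 func (k *Konnectivity) writeKonnectivityAgent() error {
-konnectivityDir := path.Join(constant.ManifestsDir, "konnectivity")
+konnectivityDir := filepath.Join(constant.ManifestsDir, "konnectivity")
 err := os.MkdirAll(konnectivityDir, constant.ManifestsDirMode)
 if err != nil {
 return err
@@ -110,11 +121,11 @@ func (k *Konnectivity) writeKonnectivityAgent() error {
 APIAddress: k.ClusterConfig.Spec.API.Address,
 Image: k.ClusterConfig.Images.Konnectivity.URI(),
 },
-Path: path.Join(konnectivityDir, "konnectivity-agent.yaml"),
+Path: filepath.Join(konnectivityDir, "konnectivity-agent.yaml"),
 }
 err = tw.Write()
 if err != nil {
-return errors.Wrap(err, "failed to write konnectivity agent manifest")
+return fmt.Errorf("failed to write konnectivity agent manifest: %v", err)
 }
 
 return nil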
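Review bot: In Init the socket directory is created with `util.InitDirectory(konnectivitySocketDir, 0755)`, so any local account can traverse it and access to the konnectivity socket depends solely on the mode konnectivity-server sets on the socket file; if only members of `constant.Group` need to connect, `0750` would enforce that at the directory level. The chown that follows takes `k.gid` from `k.gid, _ = util.GetGID(constant.Group)`, whose error is discarded, so a failed lookup presumably leaves gid 0 and the directory silently ends up group-owned by root; logging that error the way the GetUID failure is logged would make this visible. The new `fmt.Errorf` calls here and in writeKonnectivityAgent format the cause with `%v`, which drops the wrapping that `errors.Wrap` provided; `%w` keeps `errors.Is`/`errors.As` working for callers.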
