From 26e78c078e1f19e69b1d657137f8d643d6c162a0 Mon Sep 17 00:00:00 2001
From: Natanael Copa
Date: Tue, 17 Nov 2020 16:31:56 +0100
Subject: [PATCH] Fix running konnectivity-server as non-root and misc cleanups

Fix running konnectivity-server as non-root user `konnectivity-server` by creating a directory for the unix socket with the proper permissions.

Replace path.Join with filepath.Join since we are joining file paths and not URLs.

Drop github.com/pkg/errors in favor of fmt.Errorf (see #227)

Signed-off-by: Natanael Copa
---
 pkg/component/server/konnectivity.go | 29 +++++++++++++++++++---------
 1 file changed, 20 insertions(+), 9 deletions(-)

diff --git a/pkg/component/server/konnectivity.go b/pkg/component/server/konnectivity.go
index 117717fdfe14..42714228acf5 100644
--- a/pkg/component/server/konnectivity.go
+++ b/pkg/component/server/konnectivity.go
@@ -18,9 +18,8 @@ package server
 import (
 	"fmt"
 	"os"
-	"path"
+	"path/filepath"
 
-	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 
 	config "github.com/k0sproject/k0s/pkg/apis/v1beta1"
@@ -39,16 +38,28 @@ type Konnectivity struct {
 	LogLevel string
 }
 
+var konnectivitySocketDir = filepath.Join(constant.RunDir, "konnectivity-server")
+
 // Init ...
 func (k *Konnectivity) Init() error {
 	var err error
 	k.uid, err = util.GetUID(constant.KonnectivityServerUser)
 	if err != nil {
-		logrus.Warning(errors.Wrap(err, "Running konnectivity as root"))
+		logrus.Warning(fmt.Errorf("Running konnectivity as root: %v", err))
 	}
 	k.gid, _ = util.GetGID(constant.Group)
 
+	err = util.InitDirectory(konnectivitySocketDir, 0755)
+	if err != nil {
+		return fmt.Errorf("failed to initialize directory %s: %v", konnectivitySocketDir, err)
+	}
+
+	err = os.Chown(konnectivitySocketDir, k.uid, k.gid)
+	if err != nil && os.Geteuid() == 0 {
+		return fmt.Errorf("failed to chown %s: %v", konnectivitySocketDir, err)
+	}
+
 	return assets.Stage(constant.BinDir, "konnectivity-server", constant.BinDirMode, constant.Group)
 }
 
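Review bot: The socket directory created in Init gets mode 0755 and is then chowned to k.uid:k.gid, so it is traversable by every local user rather than only the konnectivity-server user and constant.Group; if the only other consumer of the socket is the API server and it runs as a member of constant.Group, `util.InitDirectory(konnectivitySocketDir, 0750)` would be enough, which is worth confirming against the API server's service user. The socket file's own permissions are still decided by konnectivity-server's umask when it binds, so this directory appears to be the only k0s-side control over who can reach the socket. Separately, the `fmt.Errorf("...: %v", err)` replacements for errors.Wrap flatten the cause; `%w` keeps the original error inspectable with errors.Is/errors.As, and the same applies to the writeKonnectivityAgent hunk. The `logrus.Warning(fmt.Errorf(...))` on the GetUID failure builds an error value only to print it; `logrus.Warningf("running konnectivity as root: %v", err)` says the same thing more directly.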
@@ -60,9 +71,9 @@ func (k *Konnectivity) Run() error {
 		BinPath: assets.BinPath("konnectivity-server"),
 		Dir: constant.DataDir,
 		Args: []string{
-			fmt.Sprintf("--uds-name=%s", path.Join(constant.RunDir, "konnectivity-server.sock")),
-			fmt.Sprintf("--cluster-cert=%s", path.Join(constant.CertRootDir, "server.crt")),
-			fmt.Sprintf("--cluster-key=%s", path.Join(constant.CertRootDir, "server.key")),
+			fmt.Sprintf("--uds-name=%s", filepath.Join(konnectivitySocketDir, "konnectivity-server.sock")),
+			fmt.Sprintf("--cluster-cert=%s", filepath.Join(constant.CertRootDir, "server.crt")),
+			fmt.Sprintf("--cluster-key=%s", filepath.Join(constant.CertRootDir, "server.key")),
 			fmt.Sprintf("--kubeconfig=%s", constant.AdminKubeconfigConfigPath), // FIXME: should have user rights
 			"--mode=grpc",
 			"--server-port=0",
@@ -97,7 +108,7 @@ type konnectivityAgentConfig struct {
 }
 
 func (k *Konnectivity) writeKonnectivityAgent() error {
-	konnectivityDir := path.Join(constant.ManifestsDir, "konnectivity")
+	konnectivityDir := filepath.Join(constant.ManifestsDir, "konnectivity")
 	err := os.MkdirAll(konnectivityDir, constant.ManifestsDirMode)
 	if err != nil {
 		return err
@@ -110,11 +121,11 @@ func (k *Konnectivity) writeKonnectivityAgent() error {
 			APIAddress: k.ClusterConfig.Spec.API.Address,
 			Image: k.ClusterConfig.Images.Konnectivity.URI(),
 		},
-		Path: path.Join(konnectivityDir, "konnectivity-agent.yaml"),
+		Path: filepath.Join(konnectivityDir, "konnectivity-agent.yaml"),
 	}
 	err = tw.Write()
 	if err != nil {
-		return errors.Wrap(err, "failed to write konnectivity agent manifest")
+		return fmt.Errorf("failed to write konnectivity agent manifest: %v", err)
 	}
 	return nil