Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NSM_LISTEN_ON unix socket file permissions #510

Closed
zolug opened this issue Jun 28, 2022 · 4 comments
Closed

NSM_LISTEN_ON unix socket file permissions #510

zolug opened this issue Jun 28, 2022 · 4 comments
Assignees
@NikitaSkrynnik
Labels
enhancement New feature or request question Further information is requested

Comments

@zolug
Copy link

zolug commented Jun 28, 2022
edited
Loading

This item is related to using nsm from an nsc app running as non-root.

Currently the unix listenOn socket gets created with file permissions that do not grant write access for others:

Defaulted container "nsmgr" out of: nsmgr, exclude-prefixes
/ # ls -l /var/lib/networkservicemesh/nsm.io.sock
srwxr-xr-x    1 root     root             0 Jun 28 15:01 /var/lib/networkservicemesh/nsm.io.sock

Since the socket gets created in a hostPath volume, nsm users mounting it can't rely for example on fsGroup to change group ownership. To workaround this, either an init container could be applied changing file permission/ownership, or CAP_DAC_OVERRIDE capability could be utilized by the nsc binary to bypass permission checks.

A more user friendly approach could be setting os.ModePerm file permissions in nsmgr when the socket is created, as it would not put additional requirements on the nsc application (to run as non-root).
This behaviour would match how Spire handles their unix listener:
https://github.com/spiffe/spire/blob/07219c7aed188820ebe5ffb67125fdbf69d00286/pkg/agent/endpoints/endpoints_posix.go#L31

What do you think?

nsmgr:

cmd-nsmgr/internal/manager/manager.go

Line 205 in 90a32f8

errChan := grpcutils.ListenAndServe(m.ctx, listenURL, server)

https://github.com/networkservicemesh/sdk/blob/main/pkg/tools/grpcutils/listen_and_serve.go#L66
@zolug zolug added enhancement New feature or request question Further information is requested labels Jun 28, 2022
@denis-tingaikin
Copy link
Member

/сс @edwarnicke, @fkautz

@zolug zolug mentioned this issue Jun 29, 2022
Merged
11 tasks
@denis-tingaikin
Copy link
Member

denis-tingaikin commented Jul 3, 2022
edited
Loading

I think that is a good suggestion and can be done in v1.5.0.

@edwarnicke, @fkautz Do you have any thoughts on that?

@edwarnicke
Copy link
Member

I think the os.ModePerm is the right solution here.

@NikitaSkrynnik NikitaSkrynnik mentioned this issue Jul 7, 2022
Merged
9 tasks
@denis-tingaikin
Copy link
Member

Should be resovled with networkservicemesh/sdk#1320

@zolug Feel free to reopen if we missed something.

zolug added a commit to Nordix/Meridio that referenced this issue Aug 8, 2022
@zolug
CAP_DAC_OVERRIDE no longer needed by non-root to interact with NSM
c76bbe4 
Since NSM v1.5 CAP_DAC_OVERRIDE capability is no longer required to
interact with the nsm-sock mounted as hostPath volume.
networkservicemesh/cmd-nsmgr#510

Affected images: proxy, load-balancer, TAPA, NSC
(The official NSM cmd-nsc image can be used again. No need for a custom
Dockerfile, unless e.g. ping is required to work.)
@zolug zolug mentioned this issue Aug 8, 2022
Merged
11 tasks
zolug added a commit to Nordix/Meridio that referenced this issue Aug 9, 2022
@zolug
CAP_DAC_OVERRIDE no longer needed by non-root to interact with NSM
6292b15 
Since NSM v1.5 CAP_DAC_OVERRIDE capability is no longer required to
interact with the nsm-sock mounted as hostPath volume.
networkservicemesh/cmd-nsmgr#510

Affected images: proxy, load-balancer, TAPA, NSC
(The official NSM cmd-nsc image can be used again. No need for a custom
Dockerfile, unless e.g. ping is required to work.)

Note: New images will NOT work on older NSM versions
zolug added a commit to Nordix/Meridio that referenced this issue Aug 10, 2022
@zolug
CAP_DAC_OVERRIDE no longer needed by non-root to interact with NSM
6dd2800 
Since NSM v1.5 CAP_DAC_OVERRIDE capability is no longer required to
interact with the nsm-sock mounted as hostPath volume.
networkservicemesh/cmd-nsmgr#510

Affected images: proxy, load-balancer, TAPA, NSC
(The official NSM cmd-nsc image can be used again. No need for a custom
Dockerfile, unless e.g. ping is required to work.)

Note: New images will NOT work on older NSM versions
@LionelJouin LionelJouin moved this to ✅ Done in Meridio Aug 23, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@NikitaSkrynnik NikitaSkrynnik

Labels
enhancement New feature or request question Further information is requested
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@edwarnicke @denis-tingaikin @zolug @NikitaSkrynnik