gefyra-bridge: bridging fails when pod uses (privileged) user id #740

Open
crkurz opened this issue Nov 5, 2024 · 0 comments
Comments


crkurz commented Nov 5, 2024

What happened?

Problem description

Bridging does not work when the pod uses a (privileged) user id, e.g. 12, as opposed to 1000, which is used as the default in the gefyra-carrier image. This prevents setroute.sh from writing the ngx config file.

RCA

Carrier._configure_carrier() uses k8s-exec with setroute.sh to configure the Carrier container. In this k8s-exec call no user id is specified, so the default user will be used. The unspoken assumption here is that the default user (in our case privileged user id 12) is able to execute setroute.sh and to update the file /tmp/nginx.conf, which is not the case.

Notes/Questions:

  • docker images have the root user removed
  • docker images use user id 12; probably configured by the USER command in the Dockerfile
  • different pods/containers may use different (privileged) user ids.
  • would it be enough to enable any user to write to /tmp/nginx.conf and to execute setroute.sh and setprobe.sh?

Work-around (not really)

change carrier/Dockerfile from

COPY --chown=1000:1000 gefyra-carrier.conf /tmp/nginx.conf
COPY setroute.sh setroute.sh
COPY setprobe.sh setprobe.sh

to

COPY --chown=12:12 gefyra-carrier.conf /tmp/nginx.conf
COPY --chown=12:12 setroute.sh setroute.sh
COPY --chown=12:12 setprobe.sh setprobe.sh

What did you expect to happen?

gefyra-bridge to succeed

Please provide the output of gefyra check.

.

How can we reproduce it (as minimally and precisely as possible)?

Untested: use bridging on a pod with a docker image which has the default user set to 12 (via the USER command in the Dockerfile).

What Kubernetes setup are you working with?

.

OS version

.

Anything else we need to know?

In Carrier._configure_carrier() we call setroute.sh. Even though setroute.sh fails with

sed: can't move '/tmp/nginx.confpnajIJ' to '/tmp/nginx.conf': Operation not permitted

the error is ignored: nothing is reported in the operator logs, nor does the gefyra-bridge command fail. Fixing this may require two things:

  • Carrier._configure_carrier() must fail on error (not swallow the exception)
  • setroute.sh may need to enable strict bash error handling: set -eo pipefail
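
The silent-failure mode described in this report, reproduced as an added example (this is not gefyra's code, and `ROUTE_SCRIPT`, `run_setroute` and `configure_carrier` are constructed stand-ins for setroute.sh and `Carrier._configure_carrier()`, not the project's own functions). The stand-in script does the same kind of work as the real one, rewriting an nginx config in place, and is run locally with `bash` instead of through a Kubernetes exec. Against a config path the current user cannot write, the lenient variant still exits 0 and prints "route configured", which is exactly what lets the operator ignore the error; the variant with `set -eo pipefail` exits non-zero, and a caller that checks the status raises instead of swallowing it.

```python
import os
import subprocess
import tempfile

# Constructed stand-in for setroute.sh: replace the upstream placeholder in an
# nginx config. {header} is 'set -eo pipefail' (strict) or ':' (lenient, a no-op).
ROUTE_SCRIPT = """#!/bin/bash
{header}
conf="$1"
sed "s/UPSTREAM_PLACEHOLDER/$2/" "$conf" > "$conf.new"
mv "$conf.new" "$conf"
echo "route configured"
"""


def run_setroute(conf_path: str, upstream: str, strict: bool) -> int:
    """Run the stand-in script and return its exit status, as an exec would."""
    header = "set -eo pipefail" if strict else ":"
    with tempfile.NamedTemporaryFile("w", suffix=".sh", delete=False) as f:
        f.write(ROUTE_SCRIPT.format(header=header))
        script = f.name
    try:
        proc = subprocess.run(
            ["bash", script, conf_path, upstream],
            capture_output=True,
            text=True,
        )
        return proc.returncode
    finally:
        os.unlink(script)


class CarrierConfigError(RuntimeError):
    """Raised when the route script reports a non-zero exit status."""


def configure_carrier(conf_path: str, upstream: str, strict: bool = True) -> int:
    """Hypothetical counterpart of Carrier._configure_carrier() that fails loudly.

    Returns the script's exit status on success and raises on any failure
    instead of ignoring it.
    """
    rc = run_setroute(conf_path, upstream, strict)
    if rc != 0:
        raise CarrierConfigError(f"setroute.sh exited with status {rc}")
    return rc


if __name__ == "__main__":
    # Constructed sample config in a writable temp dir: both variants succeed.
    with tempfile.TemporaryDirectory() as d:
        conf = os.path.join(d, "nginx.conf")
        with open(conf, "w") as f:
            f.write("upstream target { server UPSTREAM_PLACEHOLDER; }\n")
        print("writable, strict:", configure_carrier(conf, "10.0.0.1:8080"))

    # A path the exec user cannot write: the lenient script still reports success.
    bad = "/nonexistent-dir/nginx.conf"
    print("unwritable, lenient exit status:", run_setroute(bad, "10.0.0.1:8080", strict=False))
    try:
        configure_carrier(bad, "10.0.0.1:8080")
    except CarrierConfigError as e:
        print("unwritable, strict:", e)
```

One caveat worth knowing when adding `set -e` to a script like setroute.sh: a failing command that is not the last member of an `&&` or `||` list, or that sits on the left of a pipe without `pipefail`, does not trigger errexit. Keep each step that must succeed on its own line, and have the caller check the exit status regardless, since `set -e` protects the script but not the operator that ignores its result.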