api: add MaskedPaths and ReadonlyPaths options #36644
Conversation
|
As discussed in opencontainers/runc#1658 (comment) , |
|
Still would have the problem with read-only though |
oci/raw_access.go
Outdated
| for i, p := range s.Linux.MaskedPaths { | ||
| matched, err := filepath.Match(rawpath, p) | ||
| if err != nil { | ||
| return fmt.Errorf("masked paths: checking if %s matches %s failed: %v", rawpath, p, err) |
There was a problem hiding this comment.
Small nitpick/suggestion: maybe errors.Wrapf instead of fmt.Errorf?
oci/raw_access.go
Outdated
|
|
||
| // SetRawAccess removes the given raw access paths from the specs MaskedPaths and ReadonlyPaths. | ||
| func SetRawAccess(s *specs.Spec, rawaccess []string) error { | ||
| // Iterate over the rawaccess paths. |
There was a problem hiding this comment.
Small nitpick/suggestion: IMHO, this comment is a redundancy.
oci/raw_access.go
Outdated
| ) | ||
|
|
||
| // SetRawAccess removes the given raw access paths from the specs MaskedPaths and ReadonlyPaths. | ||
| func SetRawAccess(s *specs.Spec, rawaccess []string) error { |
There was a problem hiding this comment.
Small nitpick/suggestion: can you change from rawaccess to rawAccessPaths?
|
It looks like the CI failures aren't related to the change:
|
|
ok, design SGTM |
|
Discussing in the maintainers meeting, and generally looks like we're okay with the functionality. There's still some discussion on design, and possible alternatives Some concerns that were brought up:
Alternative approaches being discussed:
|
|
agree with documenting it to make sure its clear. I am okay with any design you all want so I'll update accordingly when it's decided :) |
|
Thanks! Yes, I'll pester some people to see if we can come to a decision asap 😂 |
|
no worries I know you all are busy
…On Thu, Mar 22, 2018 at 3:14 PM, Sebastiaan van Stijn < ***@***.***> wrote:
Thanks! Yes, I'll pester some people to see if we can come to a decision
asap 😂
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#36644 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/ABYNbGpLYp4Uq6FzOlmVqbjDteCMBillks5tg_gIgaJpZM4SyXtM>
.
--
Jessie Frazelle
4096R / D4C4 DD60 0D66 F65A 8EFC 511E 18F3 685C 0022 BFF3
pgp.mit.edu <http://pgp.mit.edu/pks/lookup?op=get&search=0x18F3685C0022BFF3>
|
|
I dont think it makes sense to error if unmasking a path thats not masked, they vary by docker version quite a it so its better to be able to over specify. |
|
Brought this up in a maintainers meeting again to see if I could get things moving. Looks like generally people were in favor of; Instead of providing what paths to exclude from the defaults, provide al list of paths to mask (i.e., fully override the defaults) Also; for the time being; make this an API-only change (no option on the CLI yet to configure this) @justincormack let me know if you agree with the above ^^ |
oh cool, i will just wait on confirmation, thanks so much for moving this along :) you all are the dopest |
|
@justincormack SGTY? ^^ |
|
Yes an override list (possibly empty) seems cleanest. That way you dont need to know which ones to remove. SGTM. |
|
updated and added integration tests |
|
janky is mad at me, its like he doesn't remember who his mom is |
|
Janky, that's your mommy! Be nice! |
| @@ -113,3 +115,134 @@ func (s *DockerSuite) TestAPICreateWithInvalidHealthcheckParams(c *check.C) { | |||
| expected = fmt.Sprintf("StartPeriod in Healthcheck cannot be less than %s", container.MinimumDuration) | |||
| c.Assert(getErrorMessage(c, buf), checker.Contains, expected) | |||
| } | |||
|
|
|||
| func (s *DockerSuite) TestAPICreateWithCustomMaskedPaths(c *check.C) { | |||
There was a problem hiding this comment.
Can you move these to integration/container?
There was a problem hiding this comment.
ah so I had them there and they weren't working but will try again
|
ok should be good now :) |
|
LGTM 💯 |
thaJeztah
added
status/2-code-review
impact/api
impact/changelog
and removed
status/1-design-review
labels
|
Any update about |
|
oh will do, sorry been busy with other work things, i promise it is on the list :) probably will open a proposal next week |
This vendor change was purely for the changes in docker to allow for setting the Masked and Read-only paths. See: moby/moby#36644 But because of the docker dep update it also needed cadvisor to be updated and winterm due to changes in pkg/tlsconfig in docker See: google/cadvisor#1967 Signed-off-by: Jess Frazelle <acidburn@microsoft.com>
This adds a RawAccess option to HostConfig for containers so that a user
can pass in an array of paths to not be set as masked or readonly.
closes #36597
- What I did
Added new API options for
Masked PathsandReadonlyPathsto the containerHostConfig- How I did it
Added it to the API and oci package.
- How to verify it
I wrote a test.
- Description for the changelog
RawAccess allows a set of paths to be not set as masked or readonly
- A picture of a cute animal (not mandatory but encouraged)
