URL: https://github.com/freeipa/freeipa/pull/3649 Author: Tiboris Title: #3649: [Backport][ipa-4-6] Don't configure KEYRING ccache in containers Action: opened
PR body: """ Manual backport of PR #2677 Kernel keyrings are not namespaced yet. Keyrings can leak into other containers. Therefore keyrings should not be used in a containerized environment. Don't configure Kerberos to use the KEYRING ccache backend when a container environment is detected by systemd-detect-virt --container. Fixes: https://pagure.io/freeipa/issue/7807 Signed-off-by: Christian Heimes [email protected] """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3649/head:pr3649 git checkout pr3649
From faaf64d1a32792f1aaf546136fbc60919d01b511 Mon Sep 17 00:00:00 2001
From: Christian Heimes <[email protected]>
Date: Wed, 12 Dec 2018 17:32:06 +0100
Subject: [PATCH] Don't configure KEYRING ccache in containers

Kernel keyrings are not namespaced yet. Keyrings can leak into other containers. Therefore keyrings should not be used in containerized environment.

Don't configure Kerberos to use KEYRING ccache backen when a container environment is detected by systemd-detect-virt --container.

Fixes: https://pagure.io/freeipa/issue/7807
Signed-off-by: Christian Heimes <[email protected]>
Reviewed-By: Rob Crittenden <[email protected]>
Reviewed-By: Tibor Dudlak <[email protected]>
Reviewed-By: Oleg Kozlov <[email protected]>
---
 ipaplatform/base/paths.py               |  1 +
 ipaplatform/base/tasks.py               |  8 ++++
 ipaplatform/redhat/tasks.py             | 22 ++++++++++
 ipapython/kernel_keyring.py             | 10 ++++-
 ipatests/test_ipaplatform/test_tasks.py | 56 +++++++++++++++++++++++++
 5 files changed, 96 insertions(+), 1 deletion(-)
 create mode 100644 ipatests/test_ipaplatform/test_tasks.py

diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 435d1b7de9..0395e40b7f 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -30,6 +30,7 @@ class BasePathNamespace(object):
     LS = "/bin/ls"
     SH = "/bin/sh"
     SYSTEMCTL = "/bin/systemctl"
+    SYSTEMD_DETECT_VIRT = "/bin/systemd-detect-virt"
     TAR = "/bin/tar"
     AUTOFS_LDAP_AUTH_CONF = "/etc/autofs_ldap_auth.conf"
     ETC_DIRSRV = "/etc/dirsrv"
diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
index cd0427197a..49c39e99b4 100644
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@@ -116,6 +116,14 @@ def check_ipv6_stack_enabled(self):
         raise NotImplementedError()
 
+    def detect_container(self):
+        """Check if running inside a container
+
+        :returns: container runtime or None
+        :rtype: str, None
+        """
+        raise NotImplementedError
+
     def restore_hostname(self, fstore, statestore):
         """
         Restores the original hostname as backed up in the
diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
index 9ce0d8375c..5fc32e26b5 100644
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -30,6 +30,8 @@
 import socket
 import traceback
 import errno
+import urllib
+import subprocess
 import sys
 
 from ctypes.util import find_library
@@ -168,6 +170,26 @@ def check_ipv6_stack_enabled(self):
             "resolution to 'lo' interface. You might need to enable IPv6 "
             "on the interface 'lo' in sysctl.conf.")
 
+    def detect_container(self):
+        """Check if running inside a container
+
+        :returns: container runtime or None
+        :rtype: str, None
+        """
+        try:
+            output = subprocess.check_output(
+                [paths.SYSTEMD_DETECT_VIRT, '--container'],
+                stderr=subprocess.STDOUT
+            )
+        except subprocess.CalledProcessError as e:
+            if e.returncode == 1:
+                # No container runtime detected
+                return None
+            else:
+                raise
+        else:
+            return output.decode('utf-8').strip()
+
     def restore_pre_ipa_client_configuration(self, fstore, statestore,
                                              was_sssd_installed,
                                              was_sssd_configured):
diff --git a/ipapython/kernel_keyring.py b/ipapython/kernel_keyring.py
index 6ae1e74493..cd47108e58 100644
--- a/ipapython/kernel_keyring.py
+++ b/ipapython/kernel_keyring.py
@@ -24,6 +24,7 @@
 
 from ipapython.ipautil import run
 from ipaplatform.paths import paths
+from ipaplatform.tasks import tasks
 
 # NOTE: Absolute path not required for keyctl since we reset the environment
 # in ipautil.run.
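Review bot: The new base `detect_container` stub raises the class object, `raise NotImplementedError`, while the method just above it in the same hunk uses the call form, `raise NotImplementedError()`; both work, but the file's existing convention is the call form, so `raise NotImplementedError()` keeps the abstract methods uniform. The docstring could also tell platform implementers what "container runtime" means in practice, for example `:returns: runtime identifier (as printed by systemd-detect-virt --container on the Red Hat platform) or None`, since that is the contract the kernel_keyring caller relies on.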
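Review bot: In the Red Hat `detect_container`, `stderr=subprocess.STDOUT` folds anything the tool writes to stderr into the value that is returned as the runtime name on exit status 0, so a warning line would make the decoded string no longer equal to `container-other`, `oci`, etc.; capturing stderr separately, `stderr=subprocess.PIPE`, keeps the returned name clean while still discarding the noise. A missing or non-executable `paths.SYSTEMD_DETECT_VIRT` raises OSError rather than CalledProcessError and so escapes the except clause entirely — the method should either document that it can raise OSError or turn it into a defined result, since the kernel_keyring caller in this same commit has no handler for it. In the first hunk of this file `import urllib` is added alongside `import subprocess` but nothing in the visible changes uses it; if it is not needed elsewhere in the file it should be dropped. The enclosing class continues outside both hunks.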
@@ -68,7 +69,14 @@ def get_persistent_key(key):
     return result.raw_output.rstrip()
 
 
-def is_persistent_keyring_supported():
+def is_persistent_keyring_supported(check_container=True):
+    """Returns True if the kernel persistent keyring is supported.
+
+    If check_container is True and a containerized environment is detected,
+    return False. There is no support for keyring namespace isolation yet.
+    """
+    if check_container and tasks.detect_container() is not None:
+        return False
     uid = os.geteuid()
     try:
         get_persistent_key(str(uid))
diff --git a/ipatests/test_ipaplatform/test_tasks.py b/ipatests/test_ipaplatform/test_tasks.py
new file mode 100644
index 0000000000..bc1e37ebf2
--- /dev/null
+++ b/ipatests/test_ipaplatform/test_tasks.py
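Review bot: `is_persistent_keyring_supported` is a predicate, but the new `tasks.detect_container()` call on its first line can propagate exceptions that the previous version never raised — a CalledProcessError for exit codes other than 1 and an OSError when the detection binary is absent — and the rest of the function (its own try/except continues past this hunk) does not handle them. For a check whose purpose is to keep KEYRING out of environments where keyrings can leak, the safer failure mode is to fail closed: wrap the call in a try/except for those two exception types, log the failure, and return False, so an unclassifiable environment is treated as a container rather than aborting the caller or, worse, being retried with the check disabled. The docstring should then state that detection failures count as "not supported"; note that `subprocess` may need importing in this module to name CalledProcessError. As written, `check_container=True` by default also changes behaviour for every existing caller, which the docstring could say explicitly.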
@@ -0,0 +1,56 @@
+#
+# Copyright (C) 2017 FreeIPA Contributors see COPYING for license
+#
+from __future__ import absolute_import
+
+import os
+
+from ipaplatform.tasks import tasks
+
+
+def test_ipa_version():
+    v3 = tasks.parse_ipa_version('3.0')
+    assert v3.version == u'3.0'
+    if hasattr(v3, '_rpmvercmp'):
+        assert v3._rpmvercmp_func is None
+        v3._rpmvercmp(b'1', b'2')
+        assert v3._rpmvercmp_func is not None
+
+    v4 = tasks.parse_ipa_version('4.0')
+    assert v4.version == u'4.0'
+    if hasattr(v4, '_rpmvercmp'):
+        assert v4._rpmvercmp_func is not None
+
+    # pylint: disable=comparison-with-itself
+    assert v3 < v4
+    assert v3 <= v4
+    assert v3 <= v3
+    assert v3 != v4
+    assert v3 == v3
+    assert not v3 == v4
+    assert v4 > v3
+    assert v4 >= v3
+
+
+def test_detect_container():
+    container = None
+    # naive detection, may fail for OpenVZ and other container runtimes
+    if os.path.isfile('/run/systemd/container'):
+        with open('/run/systemd/container') as f:
+            container = f.read().strip()
+    elif os.geteuid() == 0:
+        with open('/proc/1/environ') as f:
+            environ = f.read()
+        for item in environ.split('\x00'):
+            if not item:
+                continue
+            k, v = item.split('=', 1)
+            if k == 'container':
+                container = v
+
+    detected = tasks.detect_container()
+    if container == 'oci':
+        # systemd doesn't know about podman
+        assert detected in {'container-other', container}
+    else:
+        assert detected == container
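Review bot: In `test_detect_container` the line `k, v = item.split('=', 1)` raises ValueError on any `/proc/1/environ` entry that lacks an `=`, which would turn an odd PID-1 environment into a test error unrelated to the code under test; `k, _, v = item.partition('=')` tolerates that case and reads the same for well-formed entries. The oracle is also only as good as the host: outside a systemd container and as a non-root user both `container` and `detected` are expected to be None, so the test passes without exercising the positive path — worth stating in the comment, e.g. `# positive detection is only verified when run as root or under systemd-nspawn/podman`. The `Copyright (C) 2017` header on a file created by this 2018 commit looks copied from a sibling test.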
