seccomp: Sync fields with runtime-spec fields #42604
Conversation
rata
force-pushed
the
rata/seccomp-new-fields
branch
from
364f79e
to
4ed2302
Compare
|
The CI failing seems unrelated to this PR. Pushed with no changes to re-run them, but I noticed it is the same failure for some commits merged in master, so I guess CI is failing in master, is unrelated to this and will continue to fail :) |
Thanks; I had the I don't exactly understand your description of the "error" condition though; as far as I'm aware, the field (and value) is optional (see opencontainers/runtime-spec#1087) so if it's unset, the previous default will apply. We should also
That looks problematic to me; if that's the case, it means runc updates will break backward compatibility with all current runtimes. Both of those fields are marked OPTIONAL in the spec. I'm also wondering: if I understand that feature correctly, the
Perhaps I don't understand the feature, and I'm completely wrong there, but if that's correct, I feel like those values should be either set dynamically (automatically) by the docker daemon (or by containerd or runc), and not defined in the profile? |
thaJeztah
added
area/security/seccomp
kind/enhancement
Cool :)
Yes, it is optional and if unset, the previous behaviour applies. That is indeed what happens without this patch: the previous behavior is applied. My point was that is not clear when it is used or not. Let's say you add the Maybe my example was not the best one? :) But yes, though, what is seen is the old behavior :)
Will add a test, thanks!
Cool, I can do a follow-up PR for that too. What should the default be?
Yes, both fields are optional but I don't think backwards compatibility is broken. That error only happens if you use the new action So, you only see the error if the new action is specified. IOW, that error only happens if you use a "new" seccomp profile (a profile with Sorry if I wasn't clear before.
Yes, it can only be specified in the json file.
A seccomp agent should be listening on that
No, is not unique per container. One seccomp agent can handle several containers (and typically it does). Also, the seccomp agent is tightly coupled with a seccomp profile: if the profile specifies that syscall X should notify to userpsace, the seccomp agent (listening in the listenerPath specified in the json) should handle syscall X. You may want to run different agents (like one different agent for containers that are allowed to run more high-privileged operations, etc.) and you can, but anyways you usually handle more than one container per seccomp agent. Does this clarifies the idea? Let me know if I'm not explaining myself correctly :) |
The runtime spec we are using has support for these 3 fields[1], but moby doesn't have them in its seccomp struct. This patch just adds and copies them when they are in the profile. DefaultErrnoRet is implemented in the runc version moby is using (it is implemented since runc-rc95[2]) but if we create a container without this moby patch, we don't see an error nor the expected behavior. This is not clear for the user (the profile they specify is valid, the syntax is ok, but the wrong behavior is seen). This is because the DefaultErrnoRet field is not copied to the config passed ultimately to runc (i.e. is like the field was not specified). With this patch, we see the expected behavior. The other two fileds are in the runtime-spec but not yet in runc (a PR is open and targets 1.1.0 milestone). However, I took the liberty to copy them now too for two reasons: 1. If we don't add them now and end up using a runc version that supports them, then the error that the user will see is not clear at all: docker: Error response from daemon: OCI runtime create failed: container_linux.go:380: starting container process caused: listenerPath is not set: unknown. And it is not obvious to debug for the user, as the field _is_ set in the profile they specify (just not copied by moby to the profile moby specifies ultimately to runc). 2. When using a runc without seccomp notify support (like today), the error we see is the same with and without this moby patch (when using a seccomp profile with the new fields): docker: Error response from daemon: OCI runtime create failed: string SCMP_ACT_NOTIFY is not a valid action for seccomp: unknown. Then, it seems like a clear win to add them now: we don't have to do it later (that implies not clear errors to the user if we forget, like we did with DefaultErrnoRet) and the user sees the exact same error when using a runc version that doesn't support these fields. [1]: Note we are vendoring version 1c3f411f041711bbeecf35ff7e93461ea6789220 and this version has these 3 fields https://github.com/opencontainers/runtime-spec/blob/1c3f411f041711bbeecf35ff7e93461ea6789220/config-linux.md#seccomp [2]: opencontainers/runc#2954 [3]: opencontainers/runc#2682 Signed-off-by: Rodrigo Campos <[email protected]>
rata
force-pushed
the
rata/seccomp-new-fields
branch
from
4ed2302
to
5d24467
Compare
|
Added tests now, PTAL :) |
Ah, yes, gotcha. We're back on the same page again 馃槄
I suggest to do it in two steps; first a PR to "add the current ( I'm open to have the discussion on a changing the default to be At least, with this PR, users will be able to use a custom profile with
Yup, that should be perfectly fine! My primary concern was that (e.g.) a user with an older version of docker/containerd installed to upgrade runc, and no longer being able to run containers.
Gotcha, clear! I thought this was a socket that the / a runtime had to provide, but it's the other way round. I clearly should've taken slightly more time to read up on the feature.
Just so I'm prepared for this; will there be a clear error message if the seccomp agent socket is not ready / doesn't exist? Running services in a container that other containers depend on (especially when required to start) lead to race-conditions ("agent" container not yet running). Of course this is a more advanced feature, but, well, users "try things" and then report "it doesn't work!!", so hoping the error is clear enough to allow them to identify the problem. |
|
(test failures are unrelated; it's being worked on, and a bit whack-a-mole currently: I'll kick CI to roll the dice) |
Cool, after this PR I'll open a new one setting the To be honest, I don't have an informed opinion on what the default should be, and it is definitely a big change that can break several users. From memory, switching to I'll start with being explicit in the default (setting
Yeap, should be super helpful for some cases :)
Ohh, I see. Sorry that wasn't clear before! :)
Ohh, yes, it is the other way around :)
Yes, runc should output:
Yes, good call. I think the error is clear, but there is only one way to know... ;) |
|
Thanks for the extra info! w.r.t. the error (didn't look at the runc PR yet), would be great if there was some "clue" what socket it is / where it comes from (just the name of the socket may not always give a clue; your |
|
@thaJeztah oh, good point. Will update the runc PR next week making it clearer in the error msg. Thanks! |
|
@AkihiroSuda @tianon ptal |
|
Just for the record, I improved the runc error msg: opencontainers/runc#2682 (comment) Thanks again! :) |
|
^^ reported the account for abuse / spam |
The runtime spec we are using has support for these 3 fields[1], but
moby doesn't have them in its seccomp struct. This patch just adds and
copies them when they are in the profile.
DefaultErrnoRet is implemented in the runc version moby is using (it is
implemented since runc-rc95[2]) but if we create a container without
this moby patch, we don't see an error nor the expected behavior. This
is not clear for the user (the profile they specify is valid, the syntax
is ok, but the wrong behavior is seen).
This is because the DefaultErrnoRet field is not copied to the config
passed ultimately to runc (i.e. is like the field was not specified).
With this patch, we see the expected behavior.
The other two fileds are in the runtime-spec but not yet in runc (a PR
is open and targets 1.1.0 milestone[3]). However, I took the liberty to
copy them now too for two reasons:
If we don't add them now and end up using a runc version that
supports them, then the error that the user will see is not clear at
all:
docker: Error response from daemon: OCI runtime create failed: container_linux.go:380: starting container process caused: listenerPath is not set: unknown.
And it is not obvious to debug for the user, as the field is set in
the profile they specify (just not copied by moby to the profile moby
specifies ultimately to runc).
When using a runc without seccomp notify support (like today), the
error we see is the same with and without this moby patch (when using a
seccomp profile with the new fields):
docker: Error response from daemon: OCI runtime create failed: string SCMP_ACT_NOTIFY is not a valid action for seccomp: unknown.
Then, it seems like a clear win to add them now: we don't have to do it
later (that implies not clear errors to the user if we forget, like we
did with DefaultErrnoRet) and the user sees the exact same error when
using a runc version that doesn't support these fields.
[1]: Note we are vendoring version 1c3f411f041711bbeecf35ff7e93461ea6789220 and this version has these 3 fields https://github.com/opencontainers/runtime-spec/blob/1c3f411f041711bbeecf35ff7e93461ea6789220/config-linux.md#seccomp
[2]: opencontainers/runc#2954
[3]: opencontainers/runc#2682
Signed-off-by: Rodrigo Campos [email protected]
- What I did
Sync moby struct seccomp fields with runtime-spec seccomp fields. This makes DefaultErrnoRet field in the seccomp spec work and prepares for other runc changes in the future.
- How I did it
Added the fields to the moby struct and copied them.
- How to verify it
I tested this with runc 1.0 compiled locally, but should work with runc-rc95 too.
Download the attached seccomp-defaulterrno.txt, let's say you save it as /tmp/seccomp-default-errno.txt.
Then, you should expect the following when running dockerd with this patch:
This is because the seccomp profile is using errno 6:
If you run dockerd without this patch, you should see EPERM (the DefaultErrnoRet option is ignored without this patch, and therefore it defaults to EPERM):
- Description for the changelog
Honor DefaultErrnoRet in seccomp profile
- A picture of a cute animal (not mandatory but encouraged)
Of course I chose a rat 馃槃