kubelet: set terminationMessagePath perms to 0660 #108076
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -336,7 +336,7 @@ func (m *kubeGenericRuntimeManager) generateContainerConfig(ctx context.Context, | |
| Annotations: newContainerAnnotations(container, pod, restartCount, opts), | ||
| Devices: makeDevices(opts), | ||
| CDIDevices: makeCDIDevices(opts), | ||
| Mounts: m.makeMounts(opts, container, pod), | ||
| LogPath: containerLogsPath, | ||
| Stdin: container.Stdin, | ||
| StdinOnce: container.StdinOnce, | ||
|
|
@@ -405,7 +405,7 @@ func makeCDIDevices(opts *kubecontainer.RunContainerOptions) []*runtimeapi.CDIDe | |
| } | ||
|
|
||
| // makeMounts generates container volume mounts for kubelet runtime v1. | ||
| func (m *kubeGenericRuntimeManager) makeMounts(opts *kubecontainer.RunContainerOptions, container *v1.Container, pod *v1.Pod) []*runtimeapi.Mount { | ||
| volumeMounts := []*runtimeapi.Mount{} | ||
|
|
||
| for idx := range opts.Mounts { | ||
|
|
@@ -441,10 +441,33 @@ func (m *kubeGenericRuntimeManager) makeMounts(opts *kubecontainer.RunContainerO | |
| // open(2) to create the file, so the final mode used is "mode & | ||
| // ~umask". But we want to make sure the specified mode is used | ||
| // in the file no matter what the umask is. | ||
| if err := m.osInterface.Chmod(containerLogPath, 0660); err != nil { | ||
| utilruntime.HandleError(fmt.Errorf("unable to set termination-log file permissions %q: %v", containerLogPath, err)) | ||
| } | ||
|
|
||
| var containerUid, containerGid int | ||
| if container.SecurityContext != nil && container.SecurityContext.RunAsUser != nil { | ||
| containerUid = int(*container.SecurityContext.RunAsUser) | ||
| } else if pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.RunAsUser != nil { | ||
| containerUid = int(*pod.Spec.SecurityContext.RunAsUser) | ||
| } else { | ||
| containerUid = 0 | ||
|
There was a problem hiding this comment. Should we also consider There was a problem hiding this comment. as far as I understand the There was a problem hiding this comment. That's true, but this change would set UID to 0 (root) even if RunAsNonRoot is true. It's may be ok, but looked suspicious to me. What would happen if container runs as non-root, but containerLogPath owner is root? There was a problem hiding this comment. The container would not run at all if the There was a problem hiding this comment. I'm not sure about it. I thought that There was a problem hiding this comment. Here is the code I'm talking about: https://github.com/kubernetes/kubernetes/blob/release-1.29/pkg/kubelet/kuberuntime/kuberuntime_container.go#L326 |
||
| } | ||
|
|
||
| if container.SecurityContext != nil && container.SecurityContext.RunAsGroup != nil { | ||
| containerGid = int(*container.SecurityContext.RunAsGroup) | ||
| } else if pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.RunAsGroup != nil { | ||
| containerGid = int(*pod.Spec.SecurityContext.RunAsGroup) | ||
| } else { | ||
| containerGid = 0 | ||
| } | ||
|
|
||
| if goruntime.GOOS != "windows" { | ||
| if err := os.Chown(containerLogPath, containerUid, containerGid); err != nil { | ||
| utilruntime.HandleError(fmt.Errorf("unable to chown termination-log file: %q: %v", containerLogPath, err)) | ||
| } | ||
| } | ||
|
|
||
| // Volume Mounts fail on Windows if it is not of the form C:/ | ||
| containerLogPath = volumeutil.MakeAbsolutePath(goruntime.GOOS, containerLogPath) | ||
| terminationMessagePath := volumeutil.MakeAbsolutePath(goruntime.GOOS, container.TerminationMessagePath) | ||
|
|
Uh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The PR mentions the terminationMessagePath that is defined a few lines below: https://github.com/kubernetes/kubernetes/pull/108076/files#diff-d86ffc24d8e4c9deafd3e39e8f4ee3546ee46a31dcea8ea6526443b3f4bffa28R420
How is it that changing the
containerLogPathaffects theterminationMessagePath?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ok, so my goal is to get rid of the world writeable file regardless of how is it called. The error message on line 406 suggests that
termination-log fileis the same ascontainerLogPath- is it not?The
terminationMessagePathas I understand it is an absolute path that is used when mounting the volume andit has not much to do with what is known as the concept of termination message despite the name. In fact, even the error message on 415 refers to
containerLogPathrather thanterminationMessagePath.At this point I am bit confused about this code - if that's not the line responsible for creating the empty world writable files like this:
then what is?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It might very well be the same, I'm unsure. But some explanation on the commit msg would be helpful so it is easier to review, you probably figured that out when writing the PR :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ohh, I see it now. It seems a bind mount is created a few lines below where the source is the host path (containerLogPath) and the destination is the terminationMessagePath.
See here: https://github.com/kubernetes/kubernetes/pull/108076/files#diff-d86ffc24d8e4c9deafd3e39e8f4ee3546ee46a31dcea8ea6526443b3f4bffa28L422-L426
So this is solved :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, I didn't want to make any statements I was not sure about - initially I also had thought that
containerLogPathreferred to a log with whatever is printed out to container's standard output, but that doesn't seem to be the case.Either way, big thank you for the review and looking into this. Apologies it took me so long to respond, I have missed the notification email.