beginner networking question


alpine...@gmail.com

May 5, 2017, 4:33:47 PM5/5/17
to rkt-dev
[ If this is the wrong place for a question like this, my apologies. Please direct me to the appropriate venue. ]

I'm having trouble running a golang web app in a container built with acbuild, running under rkt on CoreOS, listening to ports 80 and 443. It works fine when listening to high-numbered ports.

For details, please see this post on ServerFault.

Thanks.

Alban Crequy

May 8, 2017, 5:31:13 AM5/8/17
to rkt-dev, alpine...@gmail.com
Could you try as user root, without:

acbuild set-user 500
acbuild set-group 500

I wonder if there is a bug when a non-root user tries to use extra capabilities.

Cheers,
Alban

alpine...@gmail.com

May 8, 2017, 6:24:23 PM5/8/17
to rkt-dev, alpine...@gmail.com
Yes, it does work when I remove those two lines. But if I do that, then the app runs as root, which negates one of the main purposes of running in a container - reducing privilege for the sake of security.

Alban Crequy

May 9, 2017, 4:43:04 AM5/9/17
to rkt-dev, alpine...@gmail.com
Hi,

When running as non-root, the capability is set correctly in the
bounding set but not in the effective set, so it is too restrictive in
practice:

$ sudo rkt run --insecure-options=image --interactive docker://ubuntu \
    --caps-retain=CAP_NET_BIND_SERVICE --exec=/bin/sh -- -c 'capsh --print'
Current: = cap_net_bind_service+ep
Bounding set =cap_net_bind_service

$ sudo rkt run --insecure-options=image --interactive docker://ubuntu \
    --user=1000 --group=1000 --caps-retain=CAP_NET_BIND_SERVICE \
    --exec=/bin/sh -- -c 'capsh --print'
Current: =
Bounding set =cap_net_bind_service

rkt uses the systemd's option "CapabilityBoundingSet" to set the capability:
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#CapabilityBoundingSet=

It does not use the option "AmbientCapabilities" (the doc says it is
"useful if you want to execute a process as a non-privileged user but
still want to give it some capabilities"):
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#AmbientCapabilities=

Maybe we should add the option "AmbientCapabilities". Could you file
an issue on github to discuss this?

Cheers,
Alban

Luca BRUNO

May 9, 2017, 5:11:33 AM5/9/17
to rkt...@googlegroups.com
On Tuesday, May 9, 2017 10:43:02 AM UTC Alban Crequy wrote:
> Hi,
>
> When running as non-root, the capability is set correctly in the
> bounding set but not in the effective set, so it is too restrictive in
> practice.

We should document that our capabilities features are (currently) implementing
the bounding-set semantics.
But it shouldn't be a blocker in this case, as setting the correct
file-capabilities should work anyway.

@alpinecarver, can you check whether the application in your image has the
correct filecaps? If so, I think the other default security isolators are
triggering NoNewPrivileges, thus preventing it from elevating its privileges.

Ciao, Luca

--
"If you build a wall, think of what you leave outside it" - Italo Calvino
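The two replies above describe two different mechanisms: Alban's, that rkt's --caps-retain lands in the bounding set only (CapabilityBoundingSet=) and that a non-root process needs the capability in its effective set, which AmbientCapabilities= would give it; and Luca's, that file capabilities on the binary can raise it at exec unless NoNewPrivileges is in force. The following Go program is an added example, not code from the thread or from rkt, that turns those rules into a check a practitioner can run: it parses the Cap* lines of /proc/<pid>/status, decodes the security.capability xattr that setcap(8) writes, and reports why a non-root bind to port 80 would succeed or fail. The status excerpt and the xattr bytes are constructed to mirror the non-root capsh output in the thread, and the function names are mine.

```go
// Added example, not rkt's or the poster's code: from a process's /proc/<pid>/status
// and a binary's security.capability xattr, decide whether a non-root process can
// end up with CAP_NET_BIND_SERVICE effective (the bind(:80) question in the thread).
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

const capNetBindService uint64 = 1 << 10 // bit 10 in <linux/capability.h>

// capState holds the Cap* masks from /proc/<pid>/status plus the no_new_privs flag.
type capState struct {
	Caps       map[string]uint64 // "CapEff", "CapBnd", "CapAmb", ...
	NoNewPrivs bool
}

// parseStatus reads the hex Cap* masks and NoNewPrivs out of status text.
func parseStatus(status string) (capState, error) {
	st := capState{Caps: map[string]uint64{}}
	for _, line := range strings.Split(status, "\n") {
		kv := strings.SplitN(line, ":", 2)
		if len(kv) != 2 {
			continue
		}
		key, val := kv[0], strings.TrimSpace(kv[1])
		if key == "NoNewPrivs" {
			st.NoNewPrivs = val == "1"
		} else if strings.HasPrefix(key, "Cap") {
			mask, err := strconv.ParseUint(val, 16, 64)
			if err != nil {
				return st, fmt.Errorf("%s: %w", key, err)
			}
			st.Caps[key] = mask
		}
	}
	return st, nil
}

// fileCaps is the decoded security.capability xattr that setcap(8) writes.
type fileCaps struct {
	Permitted uint64
	Effective bool // the "+e" flag: raise permitted into effective at exec
}

// decodeFileCaps parses the little-endian struct vfs_cap_data (revision 1, 2 or 3).
func decodeFileCaps(x []byte) (fileCaps, error) {
	if len(x) < 12 {
		return fileCaps{}, errors.New("security.capability: too short")
	}
	magic := binary.LittleEndian.Uint32(x[0:4])
	fc := fileCaps{Effective: magic&0x1 != 0, Permitted: uint64(binary.LittleEndian.Uint32(x[4:8]))}
	switch magic & 0xff000000 { // VFS_CAP_REVISION_MASK
	case 0x01000000: // revision 1 carries only bits 0..31
	case 0x02000000, 0x03000000: // revisions 2/3 add a second word for bits 32..63
		if len(x) < 20 {
			return fileCaps{}, errors.New("security.capability: truncated v2/v3 data")
		}
		fc.Permitted |= uint64(binary.LittleEndian.Uint32(x[12:16])) << 32
	default:
		return fileCaps{}, fmt.Errorf("security.capability: unknown revision %#x", magic)
	}
	return fc, nil
}

// diagnose applies the execve(2) capability rules from capabilities(7) for a
// non-root caller; fc is the file capability of the binary being exec'ed (nil: none).
func diagnose(st capState, fc *fileCaps) string {
	switch {
	case st.Caps["CapEff"]&capNetBindService != 0:
		return "ok: CAP_NET_BIND_SERVICE is already effective"
	case st.Caps["CapBnd"]&capNetBindService == 0:
		return "fail: not in the bounding set, so neither file caps nor ambient caps can grant it"
	case st.Caps["CapAmb"]&capNetBindService != 0:
		return "ok: ambient capability, kept across exec for a non-root user"
	case fc == nil || fc.Permitted&capNetBindService == 0 || !fc.Effective:
		return "fail: only in the bounding set; the binary needs cap_net_bind_service=+ep file caps"
	case st.NoNewPrivs:
		return "fail: file caps present, but NoNewPrivs=1 makes execve ignore them"
	}
	return "ok: file caps cap_net_bind_service=+ep raise it at exec"
}

func main() {
	// Constructed sample mirroring the non-root capsh output in the thread:
	// CAP_NET_BIND_SERVICE (0x400) in CapBnd only. Feed os.ReadFile("/proc/self/status") for a live process.
	status := "CapEff:\t0000000000000000\nCapBnd:\t0000000000000400\nCapAmb:\t0000000000000000\nNoNewPrivs:\t0\n"
	st, _ := parseStatus(status)
	// Constructed xattr bytes as `setcap cap_net_bind_service=+ep app` writes:
	// revision 2 magic 0x02000001, permitted 0x400, inheritable 0.
	fc, _ := decodeFileCaps([]byte{1, 0, 0, 2, 0, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0})
	fmt.Println("without file caps:", diagnose(st, nil))
	fmt.Println("with file caps:   ", diagnose(st, &fc))
}
```

On a real host the status text comes from /proc/<pid>/status of the containerised app and the xattr from getxattr(2) on the binary (what `getcap` prints). The "ambient" branch is the path systemd's AmbientCapabilities= would take; the bounding-set-only branch is what the non-root capsh output in the thread shows, and the NoNewPrivs branch is the case Luca raises, where a correct `setcap` on the executable still cannot help.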

alpine...@gmail.com

May 10, 2017, 5:19:51 AM5/10/17
to rkt-dev
I'm not sure how to do that. I tried setting `cap_net_bind_service` on the executable before running acbuild, but that did not fix the problem.

Alban Crequy

May 10, 2017, 5:57:38 AM5/10/17
to rkt-dev, alpine...@gmail.com
I don't know if "acbuild copy" preserves the file capability
correctly, unfortunately. I filed the issue
https://github.com/rkt/rkt/issues/3672