
Add (tentative) option to accept k8s-flavored /run permissions

Laurent Bercot 5 months ago
parent
commit
4a6bb3a0f5

+ 10 - 0
README.md

@@ -913,6 +913,16 @@ cannot be diverted and are necessarily handled by pid 1. Please be aware that us
 this option may prevent interactive CMDs from working at all - in other words, if
 you're running an interactive CMD in a terminal, don't set this variable; but that
 should be fine since in this case you already have interactive ways of stopping your CMD.
+* `S6_YES_I_WANT_A_WORLD_WRITABLE_RUN_BECAUSE_KUBERNETES` (default = 0): yes, it's a
+mouthful, and yes, we're deadly serious. If you set this variable to 1 (or any non-zero
+value), s6-overlay will accept to boot in a situation where `/run` belongs to uid 0 and
+is world-writable (permissions 0777) but the container is run as a non-root user. This
+is the configuration enforced by some Kubernetes environments, and it is completely
+insecure, except that Kubernetes ensures isolation by its own security mechanisms; so,
+if you're in such a situation, set that variable, and s6-overlay will still print a
+(literally) bright red warning, but it will boot. Otherwise, by default, s6-overlay
+refuses to run when it encounters such a insecure setup that it doesn't have the
+necessary privileges to fix.
 
 ### syslog
 
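Review bot: the new README paragraph says the variable can be set to "1 (or any non-zero value)", but the check in preinit is `test "0$S6_YES_I_WANT_A_WORLD_WRITABLE_RUN_BECAUSE_KUBERNETES" -ne 0`, which only evaluates integers; a value such as `true` or `yes` makes `test` fail and the boot falls through to the fatal branch. Either document "any non-zero integer" here or relax the script to match the wording. Minor: "such a insecure setup" should read "such an insecure setup", and "will accept to boot" reads more naturally as "will agree to boot".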

+ 3 - 1
layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/libexec/preinit

@@ -93,8 +93,10 @@ if test "$UID" -ne "$uid" ; then  # /run does not belong to the container user
     if test "$gid" -eq "$EGID" ; then x=g ; y=gs ; else x=o ; y= ; fi
     if test "$uid" -eq 0 && echo "$perms" | s6-grep -q "${x}x${x}w${x}r.*os${y}" ; then
       echo "$prog: warning: /run belongs to uid $uid instead of $UID, but we can still work in single-uid mapping."
+    elif test "$uid" -eq 0 && echo "$perms" | s6-grep -q "oxoworgxgwgruxuwur" && test "0$S6_YES_I_WANT_A_WORLD_WRITABLE_RUN_BECAUSE_KUBERNETES" -ne 0 ; then
+      printf "$prog: \e[1;31mwarning\e[0m: /run belongs to uid $uid instead of $UID, \e[1;31mis world writable\e[0m, and we're lacking the privileges to fix it, but we have been instructed to accept it.\n"
     else
-      echo "$prog: fatal: /run belongs to uid $uid instead of $UID, has insecure permissions, and we're lacking the privileges to fix it."
+      echo "$prog: fatal: /run belongs to uid $uid instead of $UID, has insecure and/or unworkable permissions, and we're lacking the privileges to fix it."
       exit 100
     fi
   fi
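Review bot: the `printf` on the new warning line uses `\e` for the escape character, which is not defined by POSIX `printf` (only `\033` is portable), and it interpolates `$prog`, `$uid` and `$UID` directly into the format string, so a `%` in any of them would be parsed as a conversion. Suggest `printf '%s: \033[1;31mwarning\033[0m: /run belongs to uid %s instead of %s, \033[1;31mis world writable\033[0m, and we are lacking the privileges to fix it, but we have been instructed to accept it.\n' "$prog" "$uid" "$UID"`. Also note that `test "0$S6_YES_I_WANT_A_WORLD_WRITABLE_RUN_BECAUSE_KUBERNETES" -ne 0` errors out on any non-integer value; that fails closed into the fatal branch, which is the safe direction, but the resulting "integer expression expected" message will confuse users who set the variable to `true`, so consider normalising the value (or documenting the integer requirement) rather than relying on `test` to reject it.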