Skip to content

[release/1.7] Add noexec nodev and nosuid to sandbox /etc/resolv.conf mount bind.#8336

Merged
samuelkarp merged 3 commits intocontainerd:release/1.7from
vinayakankugoyal:fixresolv-cp2
Mar 31, 2023
Merged

[release/1.7] Add noexec nodev and nosuid to sandbox /etc/resolv.conf mount bind.#8336
samuelkarp merged 3 commits intocontainerd:release/1.7from
vinayakankugoyal:fixresolv-cp2

Conversation

@vinayakankugoyal
Copy link
Copy Markdown
Contributor

@vinayakankugoyal vinayakankugoyal commented Mar 31, 2023
edited by fuweid
Loading

If you are running a pod with user namespace enabled you might see EPERM errors while mounting resolv.conf without these options.

This was discovered while we were debugging: opencontainers/runc#3770

cherry-pick: #8309

@vinayakankugoyal
Add noexec nodev and nosuid to sandbox /etc/resolv.conf mount bind.
0aad93f 
Signed-off-by: Vinayak Goyal <[email protected]>
(cherry picked from commit ae4dbb6)
Signed-off-by: Vinayak Goyal <[email protected]>
@vinayakankugoyal
Test to ensure nosuid,nodev,noexec are set on /etc/reolv.conf mount.
5e953cf 
Signed-off-by: Vinayak Goyal <[email protected]>
(cherry picked from commit 990199a)
Signed-off-by: Vinayak Goyal <[email protected]>
@vinayakankugoyal
Update sbserver to add noexec nodev and nosuid to /etc/resolv.conf mo…
9b4935d 
…unt bind.

Signed-off-by: Vinayak Goyal <[email protected]>
(cherry picked from commit ac84bf7)
Signed-off-by: Vinayak Goyal <[email protected]>
@k8s-ci-robot
Copy link
Copy Markdown

k8s-ci-robot commented Mar 31, 2023

Hi @vinayakankugoyal. Thanks for your PR.

I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@vinayakankugoyal
Copy link
Copy Markdown
Contributor Author

vinayakankugoyal commented Mar 31, 2023

/cc @samuelkarp @rata

@k8s-ci-robot k8s-ci-robot requested a review from samuelkarp March 31, 2023 04:11
@k8s-ci-robot
Copy link
Copy Markdown

k8s-ci-robot commented Mar 31, 2023

@vinayakankugoyal: GitHub didn't allow me to request PR reviews from the following users: rata.

Note that only containerd members and repo collaborators can review this PR, and authors cannot review their own PRs.

Details

In response to this:

/cc @samuelkarp @rata

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@samuelkarp
Copy link
Copy Markdown
Member

samuelkarp commented Mar 31, 2023

/ok-to-test
/test pull-containerd-sandboxed-node-e2e

@samuelkarp
Copy link
Copy Markdown
Member

samuelkarp commented Mar 31, 2023

/test pull-containerd-sandboxed-node-e2e

@k8s-ci-robot
Copy link
Copy Markdown

k8s-ci-robot commented Mar 31, 2023

@samuelkarp: The specified target(s) for /test were not found.
The following commands are available to trigger required jobs:

  • /test pull-containerd-build
  • /test pull-containerd-node-e2e-1-7

Use /test all to run all jobs.

Details

In response to this:

/test pull-containerd-sandboxed-node-e2e

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@samuelkarp samuelkarp merged commit 110b38c into containerd:release/1.7 Mar 31, 2023
@kiashok kiashok mentioned this pull request May 5, 2023
Closed
@dmcgowan dmcgowan mentioned this pull request May 9, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@samuelkarp samuelkarp samuelkarp approved these changes

@fuweid fuweid fuweid approved these changes

Assignees

No one assigned

Labels

ok-to-test

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@vinayakankugoyal @k8s-ci-robot @samuelkarp @fuweid