
run-in-node-container: support rootless mode#25841

Merged
k8s-ci-robot merged 1 commit into kubernetes:master from markmc:rootless-podman
Apr 20, 2022

Conversation

@markmc
Contributor

@markmc markmc commented Apr 1, 2022

run-in-node-container is used for javascript "rollup", so the tools running in the container produce files which must be owned by the user on the host.

To achieve this, the docker run --user option is used to ensure that the tools in the container are run as host user.

However, with rootless mode - apparently in both docker and podman, but I'm using podman - a user namespace is used and users in the container are mapped to a range of users on the host. This means that if we run a command as root in the container, this corresponds to the host user. When we specify --user, this results in a different host user being used.

There are apparently two ways of achieving what we want - not using --user so that the commands run as root in the container, which is mapped to the desired host user. Or we can use --userns keep-id which means a 1:1 user mapping is used, and the user specified by --user corresponds to the same user on the host. The former seems more like how you'd typically use this mode.

And so we detect rootless mode using docker system info, and avoid the --user flag in this case.

Podman reports rootless: (true|false), whereas docker just includes a rootless keyword.

For more on this, see:

https://www.redhat.com/sysadmin/user-flag-rootless-containers
https://docs.docker.com/engine/security/rootless
pre-commit/pre-commit#1243
pre-commit/pre-commit#1484

(Note: all of the above applies even without SELinux (see #25798) and was tested with "setenforce 0")

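The detection logic described above, written out as an added shell example (it is not the test-infra `run-in-node-container.sh` script and not Mark's code). The function and variable names are hypothetical; the `docker system info` samples are constructed and abbreviated from memory of the two CLIs' output shapes, not captured from a host. It shows why the `--user` flag is dropped in rootless mode: there, container root already maps to the invoking host user, so an explicit `--user` would land on a subordinate UID and the rollup output would be owned by a different host user.

```shell
#!/bin/sh
# Added example (not the test-infra script): decide whether "docker run"
# should receive --user, based on the text of "docker system info".
# Function and variable names below are hypothetical.

# Constructed sample outputs (abbreviated; not captured from a real host).
PODMAN_ROOTLESS_INFO='host:
  arch: amd64
  security:
    apparmorEnabled: false
    rootless: true
    seccompEnabled: true'

PODMAN_ROOTFUL_INFO='host:
  arch: amd64
  security:
    rootless: false
    seccompEnabled: true'

DOCKER_ROOTLESS_INFO='Server:
 Security Options:
  seccomp
   Profile: default
  rootless
  cgroupns'

DOCKER_ROOTFUL_INFO='Server:
 Security Options:
  seccomp
   Profile: default
  cgroupns'

# is_rootless_info INFO_TEXT
# Exit 0 when the engine reports rootless mode, 1 otherwise.
# Podman prints an explicit "rootless: true|false" key; Docker only lists a
# bare "rootless" keyword under "Security Options:".
is_rootless_info() {
  if printf '%s\n' "$1" | grep -qE '^[[:space:]]*rootless:[[:space:]]*true[[:space:]]*$'; then
    return 0
  fi
  if printf '%s\n' "$1" | grep -qE '^[[:space:]]*rootless:[[:space:]]*false[[:space:]]*$'; then
    return 1
  fi
  if printf '%s\n' "$1" | grep -qE '^[[:space:]]*rootless[[:space:]]*$'; then
    return 0
  fi
  return 1
}

# user_args_for INFO_TEXT UID GID
# Prints the --user argument for "docker run", or nothing in rootless mode,
# where container root is already mapped to the invoking host user and an
# explicit --user would select a subordinate UID (a different host owner).
user_args_for() {
  if is_rootless_info "$1"; then
    printf ''
  else
    printf -- '--user=%s:%s' "$2" "$3"
  fi
}

# Live wrapper: query the engine on this host (prints nothing without a docker CLI).
detect_user_args() {
  if command -v docker >/dev/null 2>&1; then
    user_args_for "$(docker system info 2>/dev/null)" "$(id -u)" "$(id -g)"
  fi
}

# Stand-alone demo: show the decision for each constructed output.
for case in PODMAN_ROOTLESS_INFO PODMAN_ROOTFUL_INFO DOCKER_ROOTLESS_INFO DOCKER_ROOTFUL_INFO; do
  eval "info=\$$case"
  printf '%-20s -> docker run %s ...\n' "$case" "$(user_args_for "$info" 1000 1000)"
done
```

The `rootless: false` check comes before the bare-keyword check so that Podman's explicit negative is never mistaken for Docker's positive keyword; a rootful Docker host matches nothing and keeps the `--user` mapping.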
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Apr 1, 2022
@k8s-ci-robot
Contributor

Hi @markmc. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Apr 1, 2022
@k8s-ci-robot k8s-ci-robot requested review from cjwagner and spiffxp April 1, 2022 10:55
@k8s-ci-robot k8s-ci-robot added the sig/testing Categorizes an issue or PR as relevant to SIG Testing. label Apr 1, 2022
@markmc
Contributor Author

markmc commented Apr 1, 2022

I have only tested this with rootless podman. I'll try to test with docker soon, unless someone else wants to!

It should be sufficient to just run:

./hack/run-in-node-container.sh _bin/ts-rollup --packages="$(pwd)/prow/cmd/deck/.ts-packages" --root-dir=.

and check _output

/hold

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 1, 2022
@dims
Member

dims commented Apr 1, 2022

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Apr 1, 2022
@markmc
Contributor Author

markmc commented Apr 1, 2022

I have only tested this with rootless podman. I'll try to test with docker soon, unless someone else wants to!

Or ... maybe CI will do it for me? lol

From test-infra-integration build.log:

Running rollup
WARNING: No swap limit support

_output/js/gopherage/cmd/html/static/browser.js → _output/js/gopherage/cmd/html/static/bundle.js...
created _output/js/gopherage/cmd/html/static/bundle.js in 158ms

/unhold

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 1, 2022
@dims
Member

dims commented Apr 14, 2022

/approve
/lgtm

thanks Mark!

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Apr 14, 2022
@dims
Member

dims commented Apr 20, 2022

/assign @stevekuznetsov @BenTheElder

@BenTheElder
Member

BenTheElder left a comment


/lgtm
/approve
FYI @chaodaiG

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 20, 2022
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: BenTheElder, chaodaiG, dims, markmc

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [BenTheElder,chaodaiG]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot merged commit be6161b into kubernetes:master Apr 20, 2022
@k8s-ci-robot k8s-ci-robot added this to the v1.25 milestone Apr 20, 2022