You are viewing a plain text version of this content. The canonical link for it is here.
Posted to reviews@mesos.apache.org by Jason Lai <ja...@jasonlai.net> on 2018/03/13 01:26:04 UTC
Review Request 66034: Remount several proc filesystem entries as
read-only.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/66034/
-----------------------------------------------------------
Review request for mesos, Eric Chung, Gilbert Song, Ian Downes, Jie Yu, James Peach, and Zhitao Li.
Bugs: MESOS-8654
https://issues.apache.org/jira/browse/MESOS-8654
Repository: mesos
Description
-------
Several entries under the proc FS within Mesos containers need to be
remounted as readonly for improved security reasons.
The list should include the important ones introduced by Systemd's
`ProtectKernelTunables` option:
* `/proc/bus`
* `/proc/fs`
* `/proc/irq`
* `/proc/sys`
* `/proc/sysrq-trigger`
It is particularly necessary to remount `/proc/sysrq-trigger` as
read-only. Otherwise, it would be possible for users running in
containers as `root` to perform privileged operations, such as host
reboot.
Extra mount options should include `nosuid,noexec,nodev` (see also
`mount(2)` for detailed explanations of the options).
Diffs
-----
src/linux/fs.cpp ed26f80ef7315809a1df9f2c50b4fe3445810f8a
Diff: https://reviews.apache.org/r/66034/diff/1/
Testing
-------
The mount table of the container launched by the patched version of `mesos-containerizer launch` include the entries listed above, with `nosuid,noexec,nodev` mount points.
```
$ sudo unshare -m -p -f /usr/local/libexec/mesos/mesos-containerizer launch --launch_info="$(jq -c . launch_info.json)" --runtime_directory="$(pwd)"
Marked '/' as rslave
Prepared mount '{"flags":20480,"source":"\/etc\/hostname","target":"\/home\/jlai\/containers\/rootfs\/etc\/hostname"}'
Prepared mount '{"flags":20480,"source":"\/etc\/hosts","target":"\/home\/jlai\/containers\/rootfs\/etc\/hosts"}'
Prepared mount '{"flags":20480,"source":"\/etc\/resolv.conf","target":"\/home\/jlai\/containers\/rootfs\/etc\/resolv.conf"}'
Changing root to /home/jlai/containers/rootfs
bash-4.4# findmnt -a
TARGET SOURCE FSTYPE OPTIONS
/ alpine overlay rw,relatime,lowerdir=overlay/lower,upperdir=overlay/upper,workdir=overlay/work
|-/etc/hostname /dev/dm-0[/etc/hostname] ext4 rw,noatime,errors=panic,data=ordered
|-/etc/hosts /dev/dm-0[/etc/hosts] ext4 rw,noatime,errors=panic,data=ordered
|-/etc/resolv.conf /dev/dm-0[/etc/resolv.conf] ext4 rw,noatime,errors=panic,data=ordered
|-/proc proc proc rw,nosuid,nodev,noexec,relatime
| |-/proc/bus proc[/bus] proc ro,nosuid,nodev,noexec,relatime
| |-/proc/fs proc[/fs] proc ro,nosuid,nodev,noexec,relatime
| |-/proc/irq proc[/irq] proc ro,nosuid,nodev,noexec,relatime
| |-/proc/sys proc[/sys] proc ro,nosuid,nodev,noexec,relatime
| `-/proc/sysrq-trigger proc[/sysrq-trigger] proc ro,nosuid,nodev,noexec,relatime
|-/sys sysfs sysfs ro,nosuid,nodev,noexec,relatime
`-/dev tmpfs tmpfs rw,nosuid,noexec,mode=755
|-/dev/pts devpts devpts rw,nosuid,noexec,relatime,mode=600,ptmxmode=666
`-/dev/shm tmpfs tmpfs rw,nosuid,nodev
```
Thanks,
Jason Lai
Re: Review Request 66034: Remount several proc filesystem entries as
read-only.
Posted by Jie Yu <yu...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/66034/#review199366
-----------------------------------------------------------
Ship it!
Ship It!
- Jie Yu
On March 15, 2018, 6:24 p.m., Jason Lai wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/66034/
> -----------------------------------------------------------
>
> (Updated March 15, 2018, 6:24 p.m.)
>
>
> Review request for mesos, Eric Chung, Gilbert Song, Ian Downes, Jie Yu, James Peach, and Zhitao Li.
>
>
> Bugs: MESOS-8654
> https://issues.apache.org/jira/browse/MESOS-8654
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Several entries under the proc FS within Mesos containers need to be
> remounted as readonly for improved security reasons.
>
> The list should include the important ones introduced by Systemd's
> `ProtectKernelTunables` option:
>
> * `/proc/bus`
> * `/proc/fs`
> * `/proc/irq`
> * `/proc/sys`
> * `/proc/sysrq-trigger`
>
> It is particularly necessary to remount `/proc/sysrq-trigger` as
> read-only. Otherwise, it would be possible for processes running in
> containers as `root` to perform privileged operations, such as host
> reboot.
>
> Extra mount options should include `nosuid,noexec,nodev` (see also
> `mount(2)` for detailed explanations of the options).
>
>
> Diffs
> -----
>
> src/linux/fs.cpp ed26f80ef7315809a1df9f2c50b4fe3445810f8a
>
>
> Diff: https://reviews.apache.org/r/66034/diff/1/
>
>
> Testing
> -------
>
> The mount table of the container launched by the patched version of `mesos-containerizer launch` include the entries listed below, with `nosuid,noexec,nodev` mount options:
> ```
> $ sudo unshare -m -p -f /usr/local/libexec/mesos/mesos-containerizer launch --launch_info="$(jq -c . launch_info.json)" --runtime_directory="$(pwd)"
> Marked '/' as rslave
> Prepared mount '{"flags":20480,"source":"\/etc\/hostname","target":"\/home\/jlai\/containers\/rootfs\/etc\/hostname"}'
> Prepared mount '{"flags":20480,"source":"\/etc\/hosts","target":"\/home\/jlai\/containers\/rootfs\/etc\/hosts"}'
> Prepared mount '{"flags":20480,"source":"\/etc\/resolv.conf","target":"\/home\/jlai\/containers\/rootfs\/etc\/resolv.conf"}'
> Changing root to /home/jlai/containers/rootfs
> bash-4.4# findmnt -a
> TARGET SOURCE FSTYPE OPTIONS
> / alpine overlay rw,relatime,lowerdir=overlay/lower,upperdir=overlay/upper,workdir=overlay/work
> |-/etc/hostname /dev/dm-0[/etc/hostname] ext4 rw,noatime,errors=panic,data=ordered
> |-/etc/hosts /dev/dm-0[/etc/hosts] ext4 rw,noatime,errors=panic,data=ordered
> |-/etc/resolv.conf /dev/dm-0[/etc/resolv.conf] ext4 rw,noatime,errors=panic,data=ordered
> |-/proc proc proc rw,nosuid,nodev,noexec,relatime
> | |-/proc/bus proc[/bus] proc ro,nosuid,nodev,noexec,relatime
> | |-/proc/fs proc[/fs] proc ro,nosuid,nodev,noexec,relatime
> | |-/proc/irq proc[/irq] proc ro,nosuid,nodev,noexec,relatime
> | |-/proc/sys proc[/sys] proc ro,nosuid,nodev,noexec,relatime
> | `-/proc/sysrq-trigger proc[/sysrq-trigger] proc ro,nosuid,nodev,noexec,relatime
> |-/sys sysfs sysfs ro,nosuid,nodev,noexec,relatime
> `-/dev tmpfs tmpfs rw,nosuid,noexec,mode=755
> |-/dev/pts devpts devpts rw,nosuid,noexec,relatime,mode=600,ptmxmode=666
> `-/dev/shm tmpfs tmpfs rw,nosuid,nodev
> ```
>
>
> Thanks,
>
> Jason Lai
>
>
Re: Review Request 66034: Remount several proc filesystem entries as
read-only.
Posted by Jason Lai <ja...@jasonlai.net>.
> On March 15, 2018, 6:30 p.m., Zhitao Li wrote:
> > I feel that the complexity of this code justifies better user doc, possibly when we create a new isolator for this?
> >
> > Also, how much of each mount should be allow to reconfigure? Should this behavior be dictated for every user of Mesos containerizer?
Totally agreed that we should move the above mount points to different isolators and it's part of my plan about the patches for [MESOS-6798](https://issues.apache.org/jira/browse/MESOS-6798).
It would make more sense if the mount points under `/proc` and `/sys` (as well as some of `/dev`) are moved to `filesystem/linux`.
As for whether these extra mount points should be applied to each and every Mesos containers, my answer is no. But they should definitely be applied to most of Mesos containers for security purpose, as they are usually application containers.
That said, for more privileged containers, they should not be mandated. We could consider adding a few knobs to different levels to allow users to tweak the behavior. For example, an extra agent flag can be added, so we can have the agent level default of container security settings. And further more we could also consider adding an extra field like `privileged` or something else (similar to Docker's `--privileged` flag), or have something finer-grained like negated versions of `Protect*` directives in [Systemd's sandboxing configurations](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Sandboxing), to `LinuxInfo`, if people need control security settings of Mesos containers.
I'll put the comments on the tasks themselves, so we can track this better.
> On March 15, 2018, 6:30 p.m., Zhitao Li wrote:
> > src/linux/fs.cpp
> > Lines 686-692 (original), 686-692 (patched)
> > <https://reviews.apache.org/r/66034/diff/1/?file=1974223#file1974223line686>
> >
> > Can we move the `TODO` to the sentence about follow-up? The sentence `These special filesystem mount points need to be bind-mounted prior to all other ...` is a comment on requirement which your follow up work would not change.
Makes sense. It's worth nothing, though, as I said in the other comment in this thread, the list will eventually be moved away from this file, as I polish up the mounts with other isolators.
- Jason
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/66034/#review199281
-----------------------------------------------------------
On March 15, 2018, 6:24 p.m., Jason Lai wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/66034/
> -----------------------------------------------------------
>
> (Updated March 15, 2018, 6:24 p.m.)
>
>
> Review request for mesos, Eric Chung, Gilbert Song, Ian Downes, Jie Yu, James Peach, and Zhitao Li.
>
>
> Bugs: MESOS-8654
> https://issues.apache.org/jira/browse/MESOS-8654
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Several entries under the proc FS within Mesos containers need to be
> remounted as readonly for improved security reasons.
>
> The list should include the important ones introduced by Systemd's
> `ProtectKernelTunables` option:
>
> * `/proc/bus`
> * `/proc/fs`
> * `/proc/irq`
> * `/proc/sys`
> * `/proc/sysrq-trigger`
>
> It is particularly necessary to remount `/proc/sysrq-trigger` as
> read-only. Otherwise, it would be possible for processes running in
> containers as `root` to perform privileged operations, such as host
> reboot.
>
> Extra mount options should include `nosuid,noexec,nodev` (see also
> `mount(2)` for detailed explanations of the options).
>
>
> Diffs
> -----
>
> src/linux/fs.cpp ed26f80ef7315809a1df9f2c50b4fe3445810f8a
>
>
> Diff: https://reviews.apache.org/r/66034/diff/1/
>
>
> Testing
> -------
>
> The mount table of the container launched by the patched version of `mesos-containerizer launch` include the entries listed below, with `nosuid,noexec,nodev` mount options:
> ```
> $ sudo unshare -m -p -f /usr/local/libexec/mesos/mesos-containerizer launch --launch_info="$(jq -c . launch_info.json)" --runtime_directory="$(pwd)"
> Marked '/' as rslave
> Prepared mount '{"flags":20480,"source":"\/etc\/hostname","target":"\/home\/jlai\/containers\/rootfs\/etc\/hostname"}'
> Prepared mount '{"flags":20480,"source":"\/etc\/hosts","target":"\/home\/jlai\/containers\/rootfs\/etc\/hosts"}'
> Prepared mount '{"flags":20480,"source":"\/etc\/resolv.conf","target":"\/home\/jlai\/containers\/rootfs\/etc\/resolv.conf"}'
> Changing root to /home/jlai/containers/rootfs
> bash-4.4# findmnt -a
> TARGET SOURCE FSTYPE OPTIONS
> / alpine overlay rw,relatime,lowerdir=overlay/lower,upperdir=overlay/upper,workdir=overlay/work
> |-/etc/hostname /dev/dm-0[/etc/hostname] ext4 rw,noatime,errors=panic,data=ordered
> |-/etc/hosts /dev/dm-0[/etc/hosts] ext4 rw,noatime,errors=panic,data=ordered
> |-/etc/resolv.conf /dev/dm-0[/etc/resolv.conf] ext4 rw,noatime,errors=panic,data=ordered
> |-/proc proc proc rw,nosuid,nodev,noexec,relatime
> | |-/proc/bus proc[/bus] proc ro,nosuid,nodev,noexec,relatime
> | |-/proc/fs proc[/fs] proc ro,nosuid,nodev,noexec,relatime
> | |-/proc/irq proc[/irq] proc ro,nosuid,nodev,noexec,relatime
> | |-/proc/sys proc[/sys] proc ro,nosuid,nodev,noexec,relatime
> | `-/proc/sysrq-trigger proc[/sysrq-trigger] proc ro,nosuid,nodev,noexec,relatime
> |-/sys sysfs sysfs ro,nosuid,nodev,noexec,relatime
> `-/dev tmpfs tmpfs rw,nosuid,noexec,mode=755
> |-/dev/pts devpts devpts rw,nosuid,noexec,relatime,mode=600,ptmxmode=666
> `-/dev/shm tmpfs tmpfs rw,nosuid,nodev
> ```
>
>
> Thanks,
>
> Jason Lai
>
>
Re: Review Request 66034: Remount several proc filesystem entries as
read-only.
Posted by Zhitao Li <zh...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/66034/#review199281
-----------------------------------------------------------
I feel that the complexity of this code justifies better user doc, possibly when we create a new isolator for this?
Also, how much of each mount should be allow to reconfigure? Should this behavior be dictated for every user of Mesos containerizer?
src/linux/fs.cpp
Lines 686-692 (original), 686-692 (patched)
<https://reviews.apache.org/r/66034/#comment279584>
Can we move the `TODO` to the sentence about follow-up? The sentence `These special filesystem mount points need to be bind-mounted prior to all other ...` is a comment on requirement which your follow up work would not change.
- Zhitao Li
On March 15, 2018, 6:24 p.m., Jason Lai wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/66034/
> -----------------------------------------------------------
>
> (Updated March 15, 2018, 6:24 p.m.)
>
>
> Review request for mesos, Eric Chung, Gilbert Song, Ian Downes, Jie Yu, James Peach, and Zhitao Li.
>
>
> Bugs: MESOS-8654
> https://issues.apache.org/jira/browse/MESOS-8654
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Several entries under the proc FS within Mesos containers need to be
> remounted as readonly for improved security reasons.
>
> The list should include the important ones introduced by Systemd's
> `ProtectKernelTunables` option:
>
> * `/proc/bus`
> * `/proc/fs`
> * `/proc/irq`
> * `/proc/sys`
> * `/proc/sysrq-trigger`
>
> It is particularly necessary to remount `/proc/sysrq-trigger` as
> read-only. Otherwise, it would be possible for processes running in
> containers as `root` to perform privileged operations, such as host
> reboot.
>
> Extra mount options should include `nosuid,noexec,nodev` (see also
> `mount(2)` for detailed explanations of the options).
>
>
> Diffs
> -----
>
> src/linux/fs.cpp ed26f80ef7315809a1df9f2c50b4fe3445810f8a
>
>
> Diff: https://reviews.apache.org/r/66034/diff/1/
>
>
> Testing
> -------
>
> The mount table of the container launched by the patched version of `mesos-containerizer launch` include the entries listed below, with `nosuid,noexec,nodev` mount options:
> ```
> $ sudo unshare -m -p -f /usr/local/libexec/mesos/mesos-containerizer launch --launch_info="$(jq -c . launch_info.json)" --runtime_directory="$(pwd)"
> Marked '/' as rslave
> Prepared mount '{"flags":20480,"source":"\/etc\/hostname","target":"\/home\/jlai\/containers\/rootfs\/etc\/hostname"}'
> Prepared mount '{"flags":20480,"source":"\/etc\/hosts","target":"\/home\/jlai\/containers\/rootfs\/etc\/hosts"}'
> Prepared mount '{"flags":20480,"source":"\/etc\/resolv.conf","target":"\/home\/jlai\/containers\/rootfs\/etc\/resolv.conf"}'
> Changing root to /home/jlai/containers/rootfs
> bash-4.4# findmnt -a
> TARGET SOURCE FSTYPE OPTIONS
> / alpine overlay rw,relatime,lowerdir=overlay/lower,upperdir=overlay/upper,workdir=overlay/work
> |-/etc/hostname /dev/dm-0[/etc/hostname] ext4 rw,noatime,errors=panic,data=ordered
> |-/etc/hosts /dev/dm-0[/etc/hosts] ext4 rw,noatime,errors=panic,data=ordered
> |-/etc/resolv.conf /dev/dm-0[/etc/resolv.conf] ext4 rw,noatime,errors=panic,data=ordered
> |-/proc proc proc rw,nosuid,nodev,noexec,relatime
> | |-/proc/bus proc[/bus] proc ro,nosuid,nodev,noexec,relatime
> | |-/proc/fs proc[/fs] proc ro,nosuid,nodev,noexec,relatime
> | |-/proc/irq proc[/irq] proc ro,nosuid,nodev,noexec,relatime
> | |-/proc/sys proc[/sys] proc ro,nosuid,nodev,noexec,relatime
> | `-/proc/sysrq-trigger proc[/sysrq-trigger] proc ro,nosuid,nodev,noexec,relatime
> |-/sys sysfs sysfs ro,nosuid,nodev,noexec,relatime
> `-/dev tmpfs tmpfs rw,nosuid,noexec,mode=755
> |-/dev/pts devpts devpts rw,nosuid,noexec,relatime,mode=600,ptmxmode=666
> `-/dev/shm tmpfs tmpfs rw,nosuid,nodev
> ```
>
>
> Thanks,
>
> Jason Lai
>
>
Re: Review Request 66034: Remount several proc filesystem entries as
read-only.
Posted by Jason Lai <ja...@jasonlai.net>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/66034/
-----------------------------------------------------------
(Updated March 15, 2018, 6:24 p.m.)
Review request for mesos, Eric Chung, Gilbert Song, Ian Downes, Jie Yu, James Peach, and Zhitao Li.
Changes
-------
Fix typos in test plan.
Bugs: MESOS-8654
https://issues.apache.org/jira/browse/MESOS-8654
Repository: mesos
Description
-------
Several entries under the proc FS within Mesos containers need to be
remounted as readonly for improved security reasons.
The list should include the important ones introduced by Systemd's
`ProtectKernelTunables` option:
* `/proc/bus`
* `/proc/fs`
* `/proc/irq`
* `/proc/sys`
* `/proc/sysrq-trigger`
It is particularly necessary to remount `/proc/sysrq-trigger` as
read-only. Otherwise, it would be possible for processes running in
containers as `root` to perform privileged operations, such as host
reboot.
Extra mount options should include `nosuid,noexec,nodev` (see also
`mount(2)` for detailed explanations of the options).
Diffs
-----
src/linux/fs.cpp ed26f80ef7315809a1df9f2c50b4fe3445810f8a
Diff: https://reviews.apache.org/r/66034/diff/1/
Testing (updated)
-------
The mount table of the container launched by the patched version of `mesos-containerizer launch` include the entries listed below, with `nosuid,noexec,nodev` mount options:
```
$ sudo unshare -m -p -f /usr/local/libexec/mesos/mesos-containerizer launch --launch_info="$(jq -c . launch_info.json)" --runtime_directory="$(pwd)"
Marked '/' as rslave
Prepared mount '{"flags":20480,"source":"\/etc\/hostname","target":"\/home\/jlai\/containers\/rootfs\/etc\/hostname"}'
Prepared mount '{"flags":20480,"source":"\/etc\/hosts","target":"\/home\/jlai\/containers\/rootfs\/etc\/hosts"}'
Prepared mount '{"flags":20480,"source":"\/etc\/resolv.conf","target":"\/home\/jlai\/containers\/rootfs\/etc\/resolv.conf"}'
Changing root to /home/jlai/containers/rootfs
bash-4.4# findmnt -a
TARGET SOURCE FSTYPE OPTIONS
/ alpine overlay rw,relatime,lowerdir=overlay/lower,upperdir=overlay/upper,workdir=overlay/work
|-/etc/hostname /dev/dm-0[/etc/hostname] ext4 rw,noatime,errors=panic,data=ordered
|-/etc/hosts /dev/dm-0[/etc/hosts] ext4 rw,noatime,errors=panic,data=ordered
|-/etc/resolv.conf /dev/dm-0[/etc/resolv.conf] ext4 rw,noatime,errors=panic,data=ordered
|-/proc proc proc rw,nosuid,nodev,noexec,relatime
| |-/proc/bus proc[/bus] proc ro,nosuid,nodev,noexec,relatime
| |-/proc/fs proc[/fs] proc ro,nosuid,nodev,noexec,relatime
| |-/proc/irq proc[/irq] proc ro,nosuid,nodev,noexec,relatime
| |-/proc/sys proc[/sys] proc ro,nosuid,nodev,noexec,relatime
| `-/proc/sysrq-trigger proc[/sysrq-trigger] proc ro,nosuid,nodev,noexec,relatime
|-/sys sysfs sysfs ro,nosuid,nodev,noexec,relatime
`-/dev tmpfs tmpfs rw,nosuid,noexec,mode=755
|-/dev/pts devpts devpts rw,nosuid,noexec,relatime,mode=600,ptmxmode=666
`-/dev/shm tmpfs tmpfs rw,nosuid,nodev
```
Thanks,
Jason Lai
Re: Review Request 66034: Remount several proc filesystem entries as
read-only.
Posted by Mesos Reviewbot <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/66034/#review199068
-----------------------------------------------------------
Patch looks great!
Reviews applied: [66034]
Passed command: export OS='ubuntu:14.04' BUILDTOOL='autotools' COMPILER='gcc' CONFIGURATION='--verbose --disable-libtool-wrappers' ENVIRONMENT='GLOG_v=1 MESOS_VERBOSE=1'; ./support/docker-build.sh
- Mesos Reviewbot
On March 13, 2018, 1:29 a.m., Jason Lai wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/66034/
> -----------------------------------------------------------
>
> (Updated March 13, 2018, 1:29 a.m.)
>
>
> Review request for mesos, Eric Chung, Gilbert Song, Ian Downes, Jie Yu, James Peach, and Zhitao Li.
>
>
> Bugs: MESOS-8654
> https://issues.apache.org/jira/browse/MESOS-8654
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Several entries under the proc FS within Mesos containers need to be
> remounted as readonly for improved security reasons.
>
> The list should include the important ones introduced by Systemd's
> `ProtectKernelTunables` option:
>
> * `/proc/bus`
> * `/proc/fs`
> * `/proc/irq`
> * `/proc/sys`
> * `/proc/sysrq-trigger`
>
> It is particularly necessary to remount `/proc/sysrq-trigger` as
> read-only. Otherwise, it would be possible for processes running in
> containers as `root` to perform privileged operations, such as host
> reboot.
>
> Extra mount options should include `nosuid,noexec,nodev` (see also
> `mount(2)` for detailed explanations of the options).
>
>
> Diffs
> -----
>
> src/linux/fs.cpp ed26f80ef7315809a1df9f2c50b4fe3445810f8a
>
>
> Diff: https://reviews.apache.org/r/66034/diff/1/
>
>
> Testing
> -------
>
> The mount table of the container launched by the patched version of `mesos-containerizer launch` include the entries listed above, with `nosuid,noexec,nodev` mount points.
> ```
> $ sudo unshare -m -p -f /usr/local/libexec/mesos/mesos-containerizer launch --launch_info="$(jq -c . launch_info.json)" --runtime_directory="$(pwd)"
> Marked '/' as rslave
> Prepared mount '{"flags":20480,"source":"\/etc\/hostname","target":"\/home\/jlai\/containers\/rootfs\/etc\/hostname"}'
> Prepared mount '{"flags":20480,"source":"\/etc\/hosts","target":"\/home\/jlai\/containers\/rootfs\/etc\/hosts"}'
> Prepared mount '{"flags":20480,"source":"\/etc\/resolv.conf","target":"\/home\/jlai\/containers\/rootfs\/etc\/resolv.conf"}'
> Changing root to /home/jlai/containers/rootfs
> bash-4.4# findmnt -a
> TARGET SOURCE FSTYPE OPTIONS
> / alpine overlay rw,relatime,lowerdir=overlay/lower,upperdir=overlay/upper,workdir=overlay/work
> |-/etc/hostname /dev/dm-0[/etc/hostname] ext4 rw,noatime,errors=panic,data=ordered
> |-/etc/hosts /dev/dm-0[/etc/hosts] ext4 rw,noatime,errors=panic,data=ordered
> |-/etc/resolv.conf /dev/dm-0[/etc/resolv.conf] ext4 rw,noatime,errors=panic,data=ordered
> |-/proc proc proc rw,nosuid,nodev,noexec,relatime
> | |-/proc/bus proc[/bus] proc ro,nosuid,nodev,noexec,relatime
> | |-/proc/fs proc[/fs] proc ro,nosuid,nodev,noexec,relatime
> | |-/proc/irq proc[/irq] proc ro,nosuid,nodev,noexec,relatime
> | |-/proc/sys proc[/sys] proc ro,nosuid,nodev,noexec,relatime
> | `-/proc/sysrq-trigger proc[/sysrq-trigger] proc ro,nosuid,nodev,noexec,relatime
> |-/sys sysfs sysfs ro,nosuid,nodev,noexec,relatime
> `-/dev tmpfs tmpfs rw,nosuid,noexec,mode=755
> |-/dev/pts devpts devpts rw,nosuid,noexec,relatime,mode=600,ptmxmode=666
> `-/dev/shm tmpfs tmpfs rw,nosuid,nodev
> ```
>
>
> Thanks,
>
> Jason Lai
>
>
Re: Review Request 66034: Remount several proc filesystem entries as
read-only.
Posted by Mesos Reviewbot Windows <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/66034/#review199057
-----------------------------------------------------------
PASS: Mesos patch 66034 was successfully built and tested.
Reviews applied: `['66034']`
All the build artifacts available at: http://dcos-win.westus.cloudapp.azure.com/mesos-build/review/66034
- Mesos Reviewbot Windows
On March 13, 2018, 1:29 a.m., Jason Lai wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/66034/
> -----------------------------------------------------------
>
> (Updated March 13, 2018, 1:29 a.m.)
>
>
> Review request for mesos, Eric Chung, Gilbert Song, Ian Downes, Jie Yu, James Peach, and Zhitao Li.
>
>
> Bugs: MESOS-8654
> https://issues.apache.org/jira/browse/MESOS-8654
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Several entries under the proc FS within Mesos containers need to be
> remounted as readonly for improved security reasons.
>
> The list should include the important ones introduced by Systemd's
> `ProtectKernelTunables` option:
>
> * `/proc/bus`
> * `/proc/fs`
> * `/proc/irq`
> * `/proc/sys`
> * `/proc/sysrq-trigger`
>
> It is particularly necessary to remount `/proc/sysrq-trigger` as
> read-only. Otherwise, it would be possible for processes running in
> containers as `root` to perform privileged operations, such as host
> reboot.
>
> Extra mount options should include `nosuid,noexec,nodev` (see also
> `mount(2)` for detailed explanations of the options).
>
>
> Diffs
> -----
>
> src/linux/fs.cpp ed26f80ef7315809a1df9f2c50b4fe3445810f8a
>
>
> Diff: https://reviews.apache.org/r/66034/diff/1/
>
>
> Testing
> -------
>
> The mount table of the container launched by the patched version of `mesos-containerizer launch` include the entries listed above, with `nosuid,noexec,nodev` mount points.
> ```
> $ sudo unshare -m -p -f /usr/local/libexec/mesos/mesos-containerizer launch --launch_info="$(jq -c . launch_info.json)" --runtime_directory="$(pwd)"
> Marked '/' as rslave
> Prepared mount '{"flags":20480,"source":"\/etc\/hostname","target":"\/home\/jlai\/containers\/rootfs\/etc\/hostname"}'
> Prepared mount '{"flags":20480,"source":"\/etc\/hosts","target":"\/home\/jlai\/containers\/rootfs\/etc\/hosts"}'
> Prepared mount '{"flags":20480,"source":"\/etc\/resolv.conf","target":"\/home\/jlai\/containers\/rootfs\/etc\/resolv.conf"}'
> Changing root to /home/jlai/containers/rootfs
> bash-4.4# findmnt -a
> TARGET SOURCE FSTYPE OPTIONS
> / alpine overlay rw,relatime,lowerdir=overlay/lower,upperdir=overlay/upper,workdir=overlay/work
> |-/etc/hostname /dev/dm-0[/etc/hostname] ext4 rw,noatime,errors=panic,data=ordered
> |-/etc/hosts /dev/dm-0[/etc/hosts] ext4 rw,noatime,errors=panic,data=ordered
> |-/etc/resolv.conf /dev/dm-0[/etc/resolv.conf] ext4 rw,noatime,errors=panic,data=ordered
> |-/proc proc proc rw,nosuid,nodev,noexec,relatime
> | |-/proc/bus proc[/bus] proc ro,nosuid,nodev,noexec,relatime
> | |-/proc/fs proc[/fs] proc ro,nosuid,nodev,noexec,relatime
> | |-/proc/irq proc[/irq] proc ro,nosuid,nodev,noexec,relatime
> | |-/proc/sys proc[/sys] proc ro,nosuid,nodev,noexec,relatime
> | `-/proc/sysrq-trigger proc[/sysrq-trigger] proc ro,nosuid,nodev,noexec,relatime
> |-/sys sysfs sysfs ro,nosuid,nodev,noexec,relatime
> `-/dev tmpfs tmpfs rw,nosuid,noexec,mode=755
> |-/dev/pts devpts devpts rw,nosuid,noexec,relatime,mode=600,ptmxmode=666
> `-/dev/shm tmpfs tmpfs rw,nosuid,nodev
> ```
>
>
> Thanks,
>
> Jason Lai
>
>
Re: Review Request 66034: Remount several proc filesystem entries as
read-only.
Posted by Jason Lai <ja...@jasonlai.net>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/66034/
-----------------------------------------------------------
(Updated March 13, 2018, 1:29 a.m.)
Review request for mesos, Eric Chung, Gilbert Song, Ian Downes, Jie Yu, James Peach, and Zhitao Li.
Changes
-------
Updated description.
Bugs: MESOS-8654
https://issues.apache.org/jira/browse/MESOS-8654
Repository: mesos
Description (updated)
-------
Several entries under the proc FS within Mesos containers need to be
remounted as readonly for improved security reasons.
The list should include the important ones introduced by Systemd's
`ProtectKernelTunables` option:
* `/proc/bus`
* `/proc/fs`
* `/proc/irq`
* `/proc/sys`
* `/proc/sysrq-trigger`
It is particularly necessary to remount `/proc/sysrq-trigger` as
read-only. Otherwise, it would be possible for processes running in
containers as `root` to perform privileged operations, such as host
reboot.
Extra mount options should include `nosuid,noexec,nodev` (see also
`mount(2)` for detailed explanations of the options).
Diffs
-----
src/linux/fs.cpp ed26f80ef7315809a1df9f2c50b4fe3445810f8a
Diff: https://reviews.apache.org/r/66034/diff/1/
Testing
-------
The mount table of the container launched by the patched version of `mesos-containerizer launch` include the entries listed above, with `nosuid,noexec,nodev` mount points.
```
$ sudo unshare -m -p -f /usr/local/libexec/mesos/mesos-containerizer launch --launch_info="$(jq -c . launch_info.json)" --runtime_directory="$(pwd)"
Marked '/' as rslave
Prepared mount '{"flags":20480,"source":"\/etc\/hostname","target":"\/home\/jlai\/containers\/rootfs\/etc\/hostname"}'
Prepared mount '{"flags":20480,"source":"\/etc\/hosts","target":"\/home\/jlai\/containers\/rootfs\/etc\/hosts"}'
Prepared mount '{"flags":20480,"source":"\/etc\/resolv.conf","target":"\/home\/jlai\/containers\/rootfs\/etc\/resolv.conf"}'
Changing root to /home/jlai/containers/rootfs
bash-4.4# findmnt -a
TARGET SOURCE FSTYPE OPTIONS
/ alpine overlay rw,relatime,lowerdir=overlay/lower,upperdir=overlay/upper,workdir=overlay/work
|-/etc/hostname /dev/dm-0[/etc/hostname] ext4 rw,noatime,errors=panic,data=ordered
|-/etc/hosts /dev/dm-0[/etc/hosts] ext4 rw,noatime,errors=panic,data=ordered
|-/etc/resolv.conf /dev/dm-0[/etc/resolv.conf] ext4 rw,noatime,errors=panic,data=ordered
|-/proc proc proc rw,nosuid,nodev,noexec,relatime
| |-/proc/bus proc[/bus] proc ro,nosuid,nodev,noexec,relatime
| |-/proc/fs proc[/fs] proc ro,nosuid,nodev,noexec,relatime
| |-/proc/irq proc[/irq] proc ro,nosuid,nodev,noexec,relatime
| |-/proc/sys proc[/sys] proc ro,nosuid,nodev,noexec,relatime
| `-/proc/sysrq-trigger proc[/sysrq-trigger] proc ro,nosuid,nodev,noexec,relatime
|-/sys sysfs sysfs ro,nosuid,nodev,noexec,relatime
`-/dev tmpfs tmpfs rw,nosuid,noexec,mode=755
|-/dev/pts devpts devpts rw,nosuid,noexec,relatime,mode=600,ptmxmode=666
`-/dev/shm tmpfs tmpfs rw,nosuid,nodev
```
Thanks,
Jason Lai