Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

hasher: hash security.capability attributes #1994

Merged
merged 1 commit into from
May 4, 2022
Merged

hasher: hash security.capability attributes #1994

merged 1 commit into from
May 4, 2022

Conversation

zhouhaibing089
Copy link
Contributor

@zhouhaibing089 zhouhaibing089 commented Mar 16, 2022
edited
Loading

Fixes #1851

Description

In Dockerfile, if there is something like:

RUN setcap cap_net_raw=+ep /path/to/binary

kaniko won't detect that there is a change on file /path/to/binary and
thus discards this layer. This patch allows the hasher function to
actually look at security.capability extended attributes.

The function Lgetxattr uses https://github.com/moby/moby/blob/c72c1ca62cd20e74582a01b8a54a58ae7f646d4c/pkg/system/xattrs_linux.go#L8

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you
review them:

  • Includes unit tests
  • Adds integration tests if needed.

See the contribution guide for more details.

Reviewer Notes

  • The code flow looks good.
  • Unit tests and or integration tests added.

Release Notes

default hahser (--snapshotMode=full) now hashes security.capability attribute

@zhouhaibing089
hasher: hash security.capability attributes
d09dd60 
In Dockerfile, if there is something like:

```
RUN setcap cap_net_raw=+ep /path/to/binary
```

kaniko won't detect that there is a change on file `/path/to/binary` and
thus discards this layer. This patch allows the hasher function to
actually look at `security.capability` extended attributes.
@zhouhaibing089 zhouhaibing089 changed the title [WIP] hasher: hash security.capability attributes hasher: hash security.capability attributes Mar 16, 2022
@zhouhaibing089
Copy link
Contributor Author

@imjasonh: Could you help take a look when you get a chance? Thanks~

imjasonh
imjasonh reviewed Apr 29, 2022
View reviewed changes
pkg/util/util.go
@@ -172,3 +177,28 @@ func Retry(operation retryFunc, retryCount int, initialDelayMilliseconds int) er

return err
}

func Lgetxattr(path string, attr string) ([]byte, error) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It doesn't look like this function needs to be exported, can we rename to lgetxattr and add a comment?

I'd also love to have a test covering this behavior, since it's pretty inscrutable to me personally.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure, I can add a comment there.

Regarding tests, I can take a look at how to write a test(either a unit test or e2e test). But if you have any pointers or suggestions, that'd be great.

@imjasonh imjasonh merged commit 96a8ee0 into GoogleContainerTools:main May 4, 2022
zhouhaibing089 added a commit to zhouhaibing089/kaniko that referenced this pull request May 9, 2022
@zhouhaibing089
test: add test case for setcap in Dockerfile
ba7730b 
This is a followup of GoogleContainerTools#1994. This test runs a Dockerfile where setcap is
executed. Without the fix in GoogleContainerTools#1994, the last command won't generate any
diff and thus is discarded by kaniko and thus should fail this test.
@zhouhaibing089 zhouhaibing089 mentioned this pull request May 9, 2022
Closed
4 tasks
zhouhaibing089 added a commit to zhouhaibing089/kaniko that referenced this pull request May 9, 2022
@zhouhaibing089
test: add test case for setcap in Dockerfile
b9cc586 
This is a followup of GoogleContainerTools#1994. This test runs a Dockerfile where setcap is
executed. Without the fix in GoogleContainerTools#1994, the last command won't generate any
diff and thus is discarded by kaniko and thus should fail this test.
zhouhaibing089 added a commit to zhouhaibing089/kaniko that referenced this pull request May 9, 2022
@zhouhaibing089
test: add test case for setcap in Dockerfile
9efdff0 
This is a followup of GoogleContainerTools#1994. This test runs a Dockerfile where setcap is
executed. Without the fix in GoogleContainerTools#1994, the last command won't generate any
diff and thus is discarded by kaniko and thus should fail this test.
zhouhaibing089 added a commit to zhouhaibing089/kaniko that referenced this pull request May 9, 2022
@zhouhaibing089
test: add test case for setcap in Dockerfile
ce042f0 
This is a followup of GoogleContainerTools#1994. This test runs a Dockerfile where setcap is
executed. Without the fix in GoogleContainerTools#1994, the last command won't generate any
diff and thus is discarded by kaniko and thus should fail this test.
zhouhaibing089 added a commit to zhouhaibing089/kaniko that referenced this pull request May 9, 2022
@zhouhaibing089
test: add test case for setcap in Dockerfile
f12fab4 
This is a followup of GoogleContainerTools#1994. This test runs a Dockerfile where setcap is
executed. Without the fix in GoogleContainerTools#1994, the last command won't generate any
diff and thus is discarded by kaniko and thus should fail this test.
@zhouhaibing089 zhouhaibing089 deleted the check-security-capability branch May 17, 2022 17:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@imjasonh imjasonh imjasonh approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Kaniko does not persist setcap side effects
2 participants
@zhouhaibing089 @imjasonh