User ns reworked

[mauriciovasquezbernal]

It's a reworked version of #3.

[rata]

I did some silly comments.

I'll need to review with more time the changes for the kuberuntime. Is tomorrow okay? :)

[rata]

@mauriciovasquezbernal thanks a lot for the patch, looks very good!

Added some silly questions for some things I didn't follow and wanted to confirm if we want that behavior, but overall LGTM! :)

[rata]

nit picking: is the uint32() needed? I think we shouldn't need it. Or am I missing something?

I mean, golang does force to use some explicit conversions, but as explained here I don't think it should be needed to compare a var with a constant.

Am I missing something?

[mauriciovasquezbernal]

You're right. I'll remove them.

[rata]

why c.UserNamespaceConfig.UidMappings[0].Size == uint32(4294967295)? I mean, why equal to that constant value? It is set to that when the runtime doesn't support user ns?

[cdesiniotis]

4294967295 encapsulates the entire uid/gid range I believe. The initial root namespace has a uid_map of 0 0 4294967295. But I agree that the use of it here is unclear

[mauriciovasquezbernal]

Yes, the idea is that if the configured mapping is 0 0 4294967295 it means that the support is not enabled (all the ids in the container are mapped to the same ids in the host).

[rata]

Ohh, I see. Thanks! Maybe a comment can make it very clear to everyone :)

[rata]

Idem regarding uint32(). Is it needed?

[rata]

Maybe add a test with more than one mapping too, given that this is a slice?

[rata]

Why if len(...) == 1 and hostID == 0 and size == 0? Not sure I follow what you are trying to detect.

Is it just when the size is 0? Why does it matter, in that case, that the hostID is 0 too? Or why wouldn't it be a problem if the specified mappings are more than one?

[mauriciovasquezbernal]

It's trying to detect the case where a mapping like 0 1000 0 is configured. You're totally right, the whole logic to check if the usernamespace is supported or enabled has to be checked again. I think it could be simplified a lot but I avoided touching that at this time.

[rata]

Makes sense

[rata]

What is 4294967295? The max value for something? Is it constant across platforms?

[rata]

Why use uint32 for container and host UIDs? Is it because in all platforms will be 32 or less?

I think we talked about this in the past, about being maybe an unsigned int in C, but can't find that thread now. Sorry to re-ask :-/

[rata]

Idem, will be nice to test more than once mapping, just in case

[rata]

status and codes can be too generic and, in the future, clash with other imports. Maybe should we use a name that makes it clear that is a grpc specific thing?

Not now, but in the future. Ah, and only if this codes continues to live here :)

[cdesiniotis]

Hi! Overall this is really good work. I left a few comments/questions.

[cdesiniotis]

I think this would be more clear.

Suggested change

	if len(c.UserNamespaceConfig.UidMappings) == 1 &&
	c.UserNamespaceConfig.UidMappings[0].HostID == uint32(0) && c.UserNamespaceConfig.UidMappings[0].Size == uint32(4294967295) {
	if len(c.UserNamespaceConfig.UidMappings) == 1 &&
	c.UserNamespaceConfig.UidMappings[0].HostID == c.UserNamespaceConfig.UidMappings[0].ContainerID {

[cdesiniotis]

4294967295 encapsulates the entire uid/gid range I believe. The initial root namespace has a uid_map of 0 0 4294967295. But I agree that the use of it here is unclear

[cdesiniotis]

The output of path.Base(. . .) is /var/lib/docker if userns is not enabled, and /var/lib/docker/1000.1000 if userns is enabled (replace 1000 with whatever uid remapping is configured). I agree this is a little hard to review, but it works :)

[cdesiniotis]

Does POD mean that all pods will be remapped to the same namespace (assuming userns are supported/enabled at runtime)? If so, I think the term POD is unclear as it suggests that each pod gets mapped to its own namespace. What happened to NODE_WIDE_REMAPPED?

[rata]

Pod means each pod will have it's own namespace. The mapping, at least in this PoC, is the same for all pods, though.

NODE_WIDE_REMAPPED is not implemented here. We find out it was easier to implement a per-pod user ns, that also seems better. IIUC, NODE_WIDE_REMAPPED was proposed years ago before most container runtime added support for user ns and as a way to run containers as root but not be root on the host. We can implement that if there is still value, though :)

[cdesiniotis]

Thanks for the clarification. I don't think NODE_WIDE_REMAPPED is necessary. But maybe a comment here clarifying what POD means (and what it will mean in the future) would be helpful.

[cdesiniotis]

Is there a reason why this entire sections shows as a diff? I believe you are just removing the experimentalHostUserNamespaceDefaulting feature

[cdesiniotis]

Is using an annotation a temporary fix? What's the reasoning behind not updating the pod spec?

[rata]

We are using an annotation to easily test on real clusters without changing the pod.Spec. Upstream PR will change the pod spec.

[cdesiniotis]

Got it

[cdesiniotis]

nit: add comment for UserNamespaceForPod() for consistency

[rata]

Hi! Overall this is really good work. I left a few comments/questions.

thanks for the review and your answers, really helpful! :)

[cdesiniotis]

Is this expected to work with dockershim at the moment?

[mauriciovasquezbernal]

Yes, it should work when using the userns-remap option in docker https://docs.docker.com/engine/security/userns-remap/.

[cdesiniotis]

Hmm okay. I get permission issues when kubelet attempts to mount from /var/lib/pods/ to /var/lib/docker/231072.231072/. I am using Docker 19.03 (and the latest versions of containderd/runc that ship with it). Is there something I am missing with my setup?

[mauriciovasquezbernal]

@cdesiniotis I have the following:

$ dockerd --version
Docker version 19.03.9, build 9d988398e7
 $ sudo cat /etc/subuid
mvb:500000:65536
$ sudo cat /etc/subgid
mvb:500000:65536
$ sudo dockerd --userns-remap="mvb:mvb"

Can you share the exact error you're getting?

[cdesiniotis]

@mauriciovasquezbernal My setup:

$ dockerd --version
Docker version 19.03.12, build 48a66213fe
$ sudo cat /etc/subuid
dockremap:231072:65536
$ sudo cat /etc/subgid
dockremap:231072:65536
$ sudo dockerd --userns-remap="default"

I run some pods. When I specify to use the pod userns it fails:

$ cluster/kubectl.sh apply -f nodens.yaml
pod/node-userns created
$ cluster/kubectl.sh get pods
NAME          READY   STATUS    RESTARTS   AGE
node-userns   1/1     Running   0          4s
$ cluster/kubectl.sh apply -f podns.yaml
pod/pod-userns created
$ cluster/kubectl.sh get pods
NAME          READY   STATUS               RESTARTS   AGE
node-userns   1/1     Running              0          22s
pod-userns    0/1     ContainerCannotRun   0          4s
$ cluster/kubectl.sh apply -f default.yaml
pod/default created
$ cluster/kubectl.sh get pods
NAME          READY   STATUS               RESTARTS   AGE
node-userns   1/1     Running              0          38s
pod-userns    0/1     ContainerCannotRun   0          20s
default       0/1     ContainerCannotRun   0          2s

Looking in the kubelet logs at /tmp/kubelet.log I see error messages like the following for the pods that fail:

E0707 21:17:01.437863   15695 remote_runtime.go:222] StartContainer "b48e2e5bc448b58b43a6eed9488e418b3d4753b26303688790e790c3ce2fae88" from runtime service failed: rpc error: code = Unknown desc = failed to star
t container "b48e2e5bc448b58b43a6eed9488e418b3d4753b26303688790e790c3ce2fae88": Error response from daemon: OCI runtime create failed: container_linux.go:349: starting container process caused "process_linux.go:
449: container init caused \"rootfs_linux.go:58: mounting \\\"/var/lib/kubelet/pods/8696e9a0-836c-4539-95c9-3a3ab735dd6c/containers/container1/c1987dfa\\\" to rootfs \\\"/var/lib/docker/231072.231072/overlay2/bb0fe03
d4faab00737d5ed23fb0d6d571af66f8d4c978e346ea8f7871a71e7d9/merged\\\" at \\\"/dev/termination-log\\\" caused \\\"stat /var/lib/kubelet/pods/8696e9a0-836c-4539-95c9-3a3ab735dd6c/containers/container1/c1987dfa: permissi
on denied\\\"\"": unknown

[mauriciovasquezbernal]

@cdesiniotis oh right. I suppose you are running containerd with systemd, if that's the case it needs to have the supplemental group 0 (SupplementaryGroups=0 in the systemd unit). More details in opencontainers/runc#2484.

[cdesiniotis]

@mauriciovasquezbernal Ah that was it. Thank you for the help!

[rata]

It seems that the first field can be numbers too. We probably need to modify this. Or maybe just use Split() with : as separator? Might be simpler, not sure

From https://docs.docker.com/engine/security/userns-remap/#prerequisites:

Each file contains three fields: the username or ID of the user, followed by a beginning UID or GID (which is treated as UID or GID 0 within the namespace) and a maximum number of UIDs or GIDs available to the user

[cdesiniotis]

Additionally, a typical accepted regex for usernames in Linux is "^[a-z][-a-z0-9_]*\$", so need to account for numbers in the first field anyways.

[mauriciovasquezbernal]

@rata @cdesiniotis I'm checking the state of the art on the proposals for this feature first. I'll address your comments once I have a clear view of what are the next steps on this implementation. Thanks a lot for the review.

[cdesiniotis]

@mauriciovasquezbernal Thanks for your work! I am willing to help/review, so feel free to include me for review on this (or related work). Also, what are the current plans for upstream work (i.e. KEP and upstream PR)? Are you (@rata @mauriciovasquezbernal) still planning to lead that effort?