From dccd0ed2920ff2c8df90f4afaba7b814464e288f Mon Sep 17 00:00:00 2001 From: Christie Wilson Date: Tue, 8 Dec 2020 15:34:36 -0500 Subject: [PATCH] Revert "Add a "dropNetworking" function and unit tests to the runner package." This reverts commit e097c523cb02bd527d28c2026983c6909ac1e74e. The int used `Size: 4294967295` seems to be too large for the machines that we build Tekton on! Or too large for int anyway Opened https://github.com/tektoncd/pipeline/issues/3612 to figure out a longer term fix but for now let's revert this to make sure we're in a releasable state. --- cmd/entrypoint/namespaces.go | 11 ------- cmd/entrypoint/namespaces_linux.go | 50 ------------------------------ cmd/entrypoint/namespaces_test.go | 41 ------------------------ 3 files changed, 102 deletions(-) delete mode 100644 cmd/entrypoint/namespaces.go delete mode 100644 cmd/entrypoint/namespaces_linux.go delete mode 100644 cmd/entrypoint/namespaces_test.go diff --git a/cmd/entrypoint/namespaces.go b/cmd/entrypoint/namespaces.go deleted file mode 100644 index 75774abc057..00000000000 --- a/cmd/entrypoint/namespaces.go +++ /dev/null @@ -1,11 +0,0 @@ -// +build !linux - -package main - -import "os/exec" - -// The implementation of this currently only works on Linux. -// This is a placeholder for compilation/testing. -func dropNetworking(cmd *exec.Cmd) { - panic("only implemented on linux") -} diff --git a/cmd/entrypoint/namespaces_linux.go b/cmd/entrypoint/namespaces_linux.go deleted file mode 100644 index abf8f8ef977..00000000000 --- a/cmd/entrypoint/namespaces_linux.go +++ /dev/null @@ -1,50 +0,0 @@ -package main - -import ( - "os/exec" - "syscall" -) - -// dropNetworking modifies the supplied exec.Cmd to execute in a net set of namespaces that do not -// have network access -func dropNetworking(cmd *exec.Cmd) { - // These flags control the behavior of the new process. - // Documentation for these is available here: https://man7.org/linux/man-pages/man2/clone.2.html - // We mostly want to just create a new network namespace, unattached to any networking devices. - // The other flags are necessary for that to work. - - if cmd.SysProcAttr == nil { - // We build this up piecemeal in case it was already set, to avoid overwriting anything. - cmd.SysProcAttr = &syscall.SysProcAttr{} - } - cmd.SysProcAttr.Cloneflags = syscall.CLONE_NEWNS | - syscall.CLONE_NEWPID | // NEWPID creates a new process namespace - syscall.CLONE_NEWNET | // NEWNET creates a new network namespace (this is the one we really care about) - syscall.CLONE_NEWUSER // NEWUSER creates a new user namespace - - // We need to map the existing user IDs into the new namespace. - // Just map everything. - cmd.SysProcAttr.UidMappings = []syscall.SysProcIDMap{ - { - ContainerID: 0, - HostID: 0, - // Map all users - Size: 4294967295, - }, - } - - // This is needed to allow programs to call setgroups when in a new Gid namespace. - // Things like apt-get install require this to work. - cmd.SysProcAttr.GidMappingsEnableSetgroups = true - // We need to map the existing group IDs into the new namespace. - // Just map everything. - cmd.SysProcAttr.GidMappings = []syscall.SysProcIDMap{ - { - ContainerID: 0, - HostID: 0, - - // Map all groups - Size: 4294967295, - }, - } -} diff --git a/cmd/entrypoint/namespaces_test.go b/cmd/entrypoint/namespaces_test.go deleted file mode 100644 index efea66f43ea..00000000000 --- a/cmd/entrypoint/namespaces_test.go +++ /dev/null @@ -1,41 +0,0 @@ -// +build linux - -package main - -import ( - "os/exec" - "testing" - - "github.com/google/go-cmp/cmp" -) - -// This isn't a great unit test, but it's the best I can think of. -// It attempts to verify there is no network access by making a network -// request. If the test were to run in an offline environment, or an already -// sandboxed environment, the test could pass even if the dropNetworking -// function did nothing. -func TestDropNetworking(t *testing.T) { - cmd := exec.Command("curl", "google.com") - dropNetworking(cmd) - b, err := cmd.CombinedOutput() - if err == nil { - t.Errorf("Expected an error making a network connection. Got %s", string(b)) - } - - // Other things (env, etc.) should all be the same - cmds := []string{"env", "whoami", "pwd", "uname"} - for _, cmd := range cmds { - withNetworking := exec.Command(cmd) - withoutNetworking := exec.Command(cmd) - dropNetworking(withoutNetworking) - - b1, err1 := withNetworking.CombinedOutput() - b2, err2 := withoutNetworking.CombinedOutput() - if err1 != err2 { - t.Errorf("Expected no errors, got %v %v", err1, err2) - } - if diff := cmp.Diff(string(b1), string(b2)); diff != "" { - t.Error(diff) - } - } -}