Jerome St-Louis opened 2 years ago
|
|||||||
OneDev currently does not support rootless container. |
|||||||
Jerome St-Louis changed fields 2 years ago
|
|||||||
@robin Note that user name space remaps is somewhat similar, but different than rootless docker. With user namespace remap, the code in the docker container is still running as Changing this to an improvement request to support either or both. I think it should be high priority due to the security issues associated with allowing execution in docker containers with root access. Thank you! |
|||||||
Thanks for the info. Just have time to look into this. When run a docker based job, OneDev create an unique workspace for the build, and clone the repository into it. This is done outside of container, and this is the reason why command running in container has permission issue creating directories in the workspace (set as working directory automatically). The workaround is to edit Also you may run docker in rootless mode (yes, I verified that OneDev works with rootless mode). If OneDev is running in service mode, make sure to use As to security issues for all onedev-build* directories, I do not think this will be a problem if |
|||||||
Thank you very much @robin, I will give all that another try. Wouldn't it enhance security to specify a user that the Server Docker Executor should use for that workspace and clone the repository etc.? This way different projects / jobs could be more isolated, and from the start the docker executor would not have the full range of permissions as OneDev itself? There is some info on container escapes here that I will try to understand better into exactly what the requirements are . At minimum we want to avoid Perhaps we can add these options like Thank you! |
|||||||
Running as root inside container will greatly simplify things. As long as docker sock mount and privilege is not enabled, I do not think there is any chance of container escape except for container bugs. I'd glad to know if I am wrong on this. Also preparing workspace is quite involved, including setup credentials, symbol-linking caches, etc. These tasks are much easier to be handled out side of container. |
|||||||
@robin My suggestion was not to not allow root inside container or to prepare workspace inside container, but rather to allow the option of selecting a user in the ServerDockerExecutor setup for the workspace preparation separate from the user running OneDev as a whole.
That user could then be remapped to a docker daemon for that particular docker executor.
Multiple docker daemons with different |
|||||||
Thanks for the suggestion. This will complicate things quite a lot, and even impossible. As mentioned previously OneDev has to handle caches and other complicate things outside of container, map container user to a different user than OneDev process owner will make OneDev impossible to clear cache, clear workspace, etc. Unless there is an obvious security issue, this mode will not be changed. |
|||||||
Thanks @robin .
Well that should at least still be possible if OneDev runs as root. There might not be any way to make it work without OneDev being ran as root... we would need 3 different user tiers, where the workspace and the remapped docker user are still fully under the control of the OneDev user.
I was thinking that there could be, but I am not an expert on any of this. Of course if at some point in the future when vulnerabilities are pointed out, then this issue might be worth re-considering. The idea was that to separate the docker executor which can easily bring in arbitrary containers and code as soon as you have Code Writer role on any project and a Can be used by any job Server Docker Executor (by pushing a But that is just my two cents as someone quite new and unfamiliar with containers :) |
|||||||
Even if OneDev runs as root, as long as container is not mapped to same host user as OneDev, there still exist permission issue. Assume OneDev sets up workspace, and your code insides container wants to modify checked out files and commit, it will not be possible... For job executors can be used by any jobs, you absolutely should not enable |
|||||||
The idea was that OneDev would have chown'ed the whole job workspace to that remapped docker user before running the docker.
I hear that, but on one hand I am not convinced, and on the other I am not experienced/knowledgeable enough with docker and security to know for sure :) So I will cautiously take your word for it, and throw in Thanks again! :) |
|||||||
It might not be obvious which host user OneDev should chown the workspace to. Also requiring OneDev running as root is somewhat too strict. Thanks for this discussion. I am taking security seriously, let me know if there is real security issue here, and I will be open to change. |
|||||||
That is the option I was suggesting could be configured in the Docker Server Executor.
Indeed. I wish there were another way... but the chown job workspace option could have been only enabled when running OneDev as root.
Thank you very much for listening to my concerns and providing guidance. I will try to investigate this more when I have time and discuss the issue with people more knowledgeable about dockers and security than myself, and come back to you if there is a real issue. |
|||||||
I see. I was thinking you are mentioning the uid remap approach. So with |
|||||||
@robin Yes still with the user namespace remap approach (but not If OneDev runs as root, no issue to clean up caches etc.
Server Docker Executor option to select a user to chown the job workspace to.
I would set that chown user to the same user as the The only issue with this I think is if you cannot or don't want to run OneDev as root: how to regain ownership after having chowned to the docker remapped user, to clean up caches etc.? Perhaps one potential solution is something like a bind mount, which would allow to chown the bind mount while retaining ownership of the true job workspace being mounted there? |
|||||||
This option is used to start docker daemon instead of docker container. Also docker container will not be mapped to this user, it looks up /etc/subuid for entry of that user to determine which host user id to use. Or I am misunderstanding something here? |
|||||||
It could very well be me who is misunderstanding things. How I understand users-remap is that a range of users IDs (specified in e.g., if Then this means 'root' inside the container is actually testuser / 231072 in the host, and all the other users inside the container (mapping to 231073..65536 in the host) are also in the That is the user namespace ( NOTE: I also noticed that the temporary job workspace have read permissions for all users, so other users on the system running OneDev have full visibility into all of them, and I think that is also an issue. I think this bind mount idea could allow OneDev only to have permissions on the job workspace, while the bind mounts reflect the different permissions and ownership that you want the docker to have. |
|||||||
Confirmed that you've misundertood users-remap here, 😉
As to temporarity job workspace read permission, you may just change OneDev installation directory to make it less permissive (chmod o-x) if you do not trust other users in the machine running OneDev. Different systems (Windows, Linux) have different approach of restricting access, and OneDev leaves this to OneDev administrator. |
|||||||
Robin Shen changed state to 'Closed' 1 year ago
|
Type |
Improvement
|
Priority |
Normal
|
Assignee |
Trying to use Server Docker Executor Docker with isolated containers within a user name space ( https://docs.docker.com/engine/security/userns-remap/ ), I get permission issues creating directories in builds.
All of the onedev-build* directories get the same user and group as the
RUN_AS_USER
of onedev itself.I am confused as to what steps of the .onedev-buildspec.yml are performed by the container, and which, if any, are performed by onedev beforehand... e.g., I have a
!CheckoutStep
, and a!CommandStep
... Theapt install
commands of the!CommandStep
seem to work fine, but the firstmkdir
command also in!CommandStep
fails with permission denied.I would have expected anything created by the container to take the remapped docker user on the host.
Adding the remaped to the OneDev user group did not seem to help either.
I am also wondering about the security issues of having all those onedev-build* directories with read permissions enabled for all users (in addition to the same user which may also be used perform some steps configured in the .yml?), containing any code fetched for the build.
Thank you.