From f7d9b19cacf96a314da6e62965c32a4a232698df Mon Sep 17 00:00:00 2001 From: Martin Pitt Date: Tue, 12 Mar 2024 13:26:47 +0100 Subject: [PATCH 1/3] ansible: Create proper user/group for cockpituous services This gets rid of duplicating the magic number "1111" in a lot of places. It's also a prerequisite for the next commit, as systemd doesn't like refering to random GIDs in units. --- ansible/psi/image-cache.yml | 4 ++-- ansible/roles/ci-data-cache/tasks/main.yml | 16 ++++++++++++++-- ansible/roles/install-secrets-dir/tasks/main.yml | 8 ++++---- tasks/install-service | 4 ++-- 4 files changed, 22 insertions(+), 10 deletions(-) diff --git a/ansible/psi/image-cache.yml b/ansible/psi/image-cache.yml index dce3940b..ee05e228 100644 --- a/ansible/psi/image-cache.yml +++ b/ansible/psi/image-cache.yml @@ -24,8 +24,8 @@ src: self-hosted dest: "/var/lib/cockpit-secrets/tasks/s3-keys/{{ hostvars[groups['psi_s3'][0]].ansible_host }}" state: link - owner: 1111 - group: 1111 + owner: cockpituous + group: cockpituous - name: Tell tasks containers to drain and restart command: pkill -ex cockpit-tasks diff --git a/ansible/roles/ci-data-cache/tasks/main.yml b/ansible/roles/ci-data-cache/tasks/main.yml index d4e7c138..430e8964 100644 --- a/ansible/roles/ci-data-cache/tasks/main.yml +++ b/ansible/roles/ci-data-cache/tasks/main.yml @@ -1,7 +1,19 @@ +- name: Create cockpituous group + group: + name: cockpituous + gid: 1111 + +- name: Create cockpituous user + user: + name: cockpituous + group: cockpituous + create_home: false + uid: 1111 + - name: Set up Cockpit tasks cache directory file: path: /var/cache/cockpit-tasks/images - owner: '1111' - group: '1111' + owner: cockpituous + group: cockpituous state: directory setype: container_file_t diff --git a/ansible/roles/install-secrets-dir/tasks/main.yml b/ansible/roles/install-secrets-dir/tasks/main.yml index 4a1cd1f9..5de31e07 100644 --- a/ansible/roles/install-secrets-dir/tasks/main.yml 
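Review bot: `owner: cockpituous` / `group: cockpituous` on the image-cache.yml symlink task only resolve if the cockpituous account already exists on the psi host, and the only place in this series that creates it is the ci-data-cache role; whether that role runs on the same hosts before this play is not visible here. Where it does not, the `file` task now fails with an unknown owner where the numeric `1111` was accepted. Making the group/user creation a role that every play naming the account depends on (or adding `roles: [ci-data-cache]` to this play, if that is the intended home) closes the gap. The same dependency applies to both install-secrets-dir hunks and to the `chown -R cockpituous:cockpituous` line in tasks/install-service.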
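Review bot: The new `user:` task in ci-data-cache/tasks/main.yml creates cockpituous as a regular account: there is no `system: true` on either the `group` or the `user` task and no `shell:`, so it receives the distribution's default login shell although it exists only to own files and match the container UID. Add `system: true` to both tasks and `shell: /usr/sbin/nologin` to the user task so the account cannot be used interactively if a password or authorized key is ever attached to it by mistake. The hard-coded `uid: 1111` / `gid: 1111` still have to match the UID the containers run as, which nothing in this hunk explains; a one-line comment above the group task saying where that number is pinned would save the next editor a search.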
+++ b/ansible/roles/install-secrets-dir/tasks/main.yml @@ -13,8 +13,8 @@ - name: Set up secrets dir file: path: /var/lib/cockpit-secrets - owner: '1111' - group: '1111' + owner: cockpituous + group: cockpituous state: directory setype: container_file_t @@ -23,8 +23,8 @@ src: /tmp/secrets.tar.gz remote_src: true dest: /var/lib/cockpit-secrets/ - owner: '1111' - group: '1111' + owner: cockpituous + group: cockpituous mode: 'u=rwX,g=rX,o=rX' setype: container_file_t diff --git a/tasks/install-service b/tasks/install-service index 10f667bb..2e3cbd87 100755 --- a/tasks/install-service +++ b/tasks/install-service @@ -19,7 +19,7 @@ TMPVOL=${TMPVOL:-"--tmpfs /tmp:size=14g"} systemctl stop 'cockpit-tasks@*.service' mkdir -p $SECRETS/tasks $SECRETS/webhook $CACHE -chown -R 1111:1111 $SECRETS $CACHE +chown -R cockpituous:cockpituous $SECRETS $CACHE chcon -R -t container_file_t $SECRETS $CACHE if [ $INSTANCES -eq 1 ]; then @@ -56,7 +56,7 @@ ExecStartPre=/usr/bin/chcon -R -l s0 \${TEST_CACHE}/images/ ExecStartPre=/usr/bin/flock /tmp/cockpit-image-pull podman pull quay.io/cockpit/tasks ExecStartPre=/usr/bin/podman network create cockpit-tasks-%i # idmapped mount would be better, but did not figure out how -ExecStartPre=/usr/bin/chgrp 1111 %t/podman/podman.sock +ExecStartPre=/usr/bin/chgrp cockpituous %t/podman/podman.sock ExecStart=/usr/bin/podman run --name=cockpit-tasks-%i --hostname=${CONTAINER_HOSTNAME} \ --device=/dev/kvm --network=cockpit-tasks-%i \ --memory=24g --pids-limit=16384 --shm-size=1024m ${TMPVOL:-} \ From 149e864df47a24b85aae819cb5dc4ffa293fe5ba Mon Sep 17 00:00:00 2001 
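Review bot: The second install-secrets-dir hunk keeps `mode: 'u=rwX,g=rX,o=rX'` on everything unpacked from secrets.tar.gz into /var/lib/cockpit-secrets, so the extracted secrets remain readable by every local account; the move to a dedicated owner is the right moment to drop the `o=rX` part. With the container user now being exactly cockpituous, `mode: 'u=rwX,g=rX,o='` should be sufficient, unless some host process outside the cockpituous group reads these files, which this series does not show. The `setype: container_file_t` label does not narrow DAC access, so SELinux does not compensate for the world-readable bits. The first hunk's directory task shows no `mode:` at all, so /var/lib/cockpit-secrets itself gets whatever the umask yields; `mode: 'u=rwx,g=rx,o='` there makes the intent explicit.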
From: Martin Pitt Date: Tue, 12 Mar 2024 13:32:03 +0100 Subject: [PATCH 2/3] ansible: Properly set podman.socket group The `ExecStartPre=` was a quick hack, but it goes against the declared system state and e.g. doesn't survive restarts of `podman.socket`. Declare that properly with a unit drop-in. --- ansible/roles/tasks-systemd/tasks/main.yml | 14 ++++++++++++++ tasks/install-service | 2 -- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/ansible/roles/tasks-systemd/tasks/main.yml b/ansible/roles/tasks-systemd/tasks/main.yml index 63111877..4247b8d0 100644 --- a/ansible/roles/tasks-systemd/tasks/main.yml +++ b/ansible/roles/tasks-systemd/tasks/main.yml @@ -40,6 +40,20 @@ maxsockets=3 cafile=/run/secrets/tasks/npm-registry.crt +- name: Create podman.socket drop-in directory + file: + path: /etc/systemd/system/podman.socket.d + state: directory + +# idmapped mount would be better, but did not figure out how +- name: Allow access to podman.socket to unprivileged container user + copy: + dest: /etc/systemd/system/podman.socket.d/container-access.conf + mode: 0644 + content: | + [Socket] + SocketGroup=cockpituous + - name: Create job-runner configuration copy: dest: /etc/job-runner.toml diff --git a/tasks/install-service b/tasks/install-service index 2e3cbd87..0ac7332a 100755 --- a/tasks/install-service +++ b/tasks/install-service @@ -55,8 +55,6 @@ ExecStartPre=-/usr/bin/podman network rm cockpit-tasks-%i ExecStartPre=/usr/bin/chcon -R -l s0 \${TEST_CACHE}/images/ ExecStartPre=/usr/bin/flock /tmp/cockpit-image-pull podman pull quay.io/cockpit/tasks ExecStartPre=/usr/bin/podman network create cockpit-tasks-%i -# idmapped mount would be better, but did not figure out how -ExecStartPre=/usr/bin/chgrp cockpituous %t/podman/podman.sock ExecStart=/usr/bin/podman run --name=cockpit-tasks-%i --hostname=${CONTAINER_HOSTNAME} \ --device=/dev/kvm --network=cockpit-tasks-%i \ --memory=24g --pids-limit=16384 --shm-size=1024m ${TMPVOL:-} \ 
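Review bot: The `copy` task that writes podman.socket.d/container-access.conf has no `notify:`, and nothing in this hunk reloads systemd or restarts podman.socket, so `SocketGroup=cockpituous` only takes effect on the next manual restart of the socket unit; the `ExecStartPre=chgrp` that the second hunk of this patch deletes was at least re-applied on every cockpit-tasks start, so an existing host can be left with a socket the container user cannot open after the first run of this role. Add `notify: restart podman.socket` to the task and a handler that runs the `systemd` module with `daemon_reload: true` and `state: restarted`. The drop-in also relies on the base unit's `SocketMode=` staying group-only; pinning `SocketMode=0660` alongside `SocketGroup=` keeps the group setting meaningful if the upstream unit ever changes. Finally, the comment above the task should state that membership of the cockpituous group now amounts to root on the host, since the podman API behind that socket runs as root, e.g. `# NOTE: group access to the root podman socket is equivalent to root on this host`.
```yaml
- name: Allow access to podman.socket to unprivileged container user
  copy:
    # … unchanged: dest, mode …
    content: |
      [Socket]
      SocketGroup=cockpituous
      SocketMode=0660
  notify: restart podman.socket

# in the role's handlers/main.yml
- name: restart podman.socket
  systemd:
    name: podman.socket
    daemon_reload: true
    state: restarted
```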
From 83d7f8c2863e220e1254223720ddca716da16fee Mon Sep 17 00:00:00 2001 From: Martin Pitt Date: Tue, 12 Mar 2024 16:25:56 +0100 Subject: [PATCH 3/3] ansible: Add SELinux policy for podman socket When the tasks/job containers access the bind-mounted podman.sock, they currently run into a lot of SELinux denials. This happened to work as we have run SELinux in permissive mode on our bots in the last two weeks (see commit c118069e5476). Create a proper SELinux policy plugin instead, so that we can put it back into enforce mode. --- ansible/roles/tasks-systemd/tasks/main.yml | 27 ++++++++++++++++++---- 1 file changed, 23 insertions(+), 4 deletions(-) diff --git a/ansible/roles/tasks-systemd/tasks/main.yml b/ansible/roles/tasks-systemd/tasks/main.yml index 4247b8d0..ff55ae0d 100644 --- a/ansible/roles/tasks-systemd/tasks/main.yml +++ b/ansible/roles/tasks-systemd/tasks/main.yml @@ -5,7 +5,15 @@ dest: /run/install-service mode: preserve -- name: Create custom SELinux rules to fix Chromium +- name: Create custom SELinux policy file contexts + copy: + dest: /tmp/cockpituous.fc + mode: 0644 + content: | + /var/run/podman/podman.sock system_u:object_r:container_file_t:s0 + register: selinux_policy_fc + +- name: Create custom SELinux policy type enforcements copy: dest: /tmp/cockpituous.te mode: 0644 
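Review bot: The new `.fc` source is written to /tmp/cockpituous.fc, next to the existing /tmp/cockpituous.te, and the shell task in the next hunk compiles and loads whatever sits at those paths as root; staging policy that is about to be loaded into the kernel in a world-writable directory means its integrity rests on the kernel's sticky-bit and protected_symlinks/protected_regular behaviour rather than on ownership. A root-owned staging directory (a preceding `file` task creating e.g. a directory under /etc/selinux with `mode: '0700'`, then both `dest:` lines and the checkmodule/semodule_package/semodule paths pointing there) removes that dependence. Separately, the spec uses `/var/run/podman/podman.sock` while the unit's `%t` path is under /run; whether a `/var/run` spec is matched for /run/podman/podman.sock depends on the policy's path equivalence, so either write `/run/podman/podman.sock` or check the result with `matchpathcon /run/podman/podman.sock` after the module loads.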
@@ -13,19 +21,30 @@ module cockpituous 1.0; require { type container_t; + type container_file_t; + type container_runtime_t; + type init_t; class process execheap; + class sock_file { create unlink setattr }; + class unix_stream_socket { connectto }; } + # allow systemd to create the socket after changing its type + allow init_t container_file_t:sock_file { create unlink setattr }; + + # container can access that socket + allow container_t container_runtime_t:unix_stream_socket connectto; + # HACK: See https://github.com/cockpit-project/cockpituous/issues/579 allow container_t self:process execheap; - register: selinux_policy + register: selinux_policy_te - name: Install custom SELinux rules shell: | checkmodule -M -m -o /tmp/cockpituous.mod /tmp/cockpituous.te - semodule_package -o /tmp/cockpituous.pp -m /tmp/cockpituous.mod + semodule_package -o /tmp/cockpituous.pp -m /tmp/cockpituous.mod -f /tmp/cockpituous.fc semodule -i /tmp/cockpituous.pp - when: selinux_policy.changed + when: selinux_policy_fc.changed or selinux_policy_te.changed # This only applies to RH VPN; make that optional if we ever deploy to public infrastructure - name: Create npm configuration
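Review bot: The install task only runs `semodule -i`; it never relabels an already existing /run/podman/podman.sock, so on a host where podman.socket is already active the socket keeps its previous label until the unit is restarted or `restorecon` runs, and the container-side access this policy is meant to grant stays denied until then. Append `restorecon -v /run/podman/podman.sock` (or a `systemctl restart podman.socket`) to the shell block after `semodule -i`, so the relabel runs under the same `when:` condition as the module load. Separately, `allow container_t container_runtime_t:unix_stream_socket connectto;` applies to every container_t process on the host, not only the tasks containers, so the comment `# container can access that socket` understates it; something like `# any container_t process that can reach the socket file may drive the root podman API — access is gated by the bind mount and the cockpituous group, not by this rule` records the actual boundary.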