
how to use securityContext.readOnlyRootFilesystem=true? #123

Open
rgl opened this issue May 26, 2024 · 3 comments

Comments

@rgl
Contributor

rgl commented May 26, 2024

What do we have to do to be able to set securityContext.readOnlyRootFilesystem=true?

This is my current securityContext, which I would like to not use the parts marked with TODO:

```yaml
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    #drop:
    #  - ALL
    # TODO use non-privileged port and drop ALL when the following
    #      issue is resolved.
    #      https://github.com/spinkube/containerd-shim-spin/issues/52
    add:
      - NET_BIND_SERVICE
  readOnlyRootFilesystem: false # TODO how to run this with true?
  runAsNonRoot: true
  runAsUser: 65534 # 65534 is the uid of the nobody user.
  runAsGroup: 65534 # 65534 is the gid of the nogroup group.
  seccompProfile:
    type: RuntimeDefault
```
@rajatjindal
Member

rajatjindal commented May 28, 2024

I think this is happening when we call the OCI loader:

```
time="2024-05-28T07:59:59.580959880Z" level=info msg="StartContainer for \"911a64dfb90d3f6fe64ee8aa2d133d79503a2627a909efce8bd048c634c1073b\""
time="2024-05-28T07:59:59.615163214Z" level=error msg="run_wasi ERROR >>>  failed: failed to build spin trigger

Caused by:
    0: failed to write "/spin.lock"
    1: Read-only file system (os error 30)"
```

It may be an unintentional side-effect of what is described as a problem here: #40

@rajatjindal
Member

In this particular example that I tried, it is happening within the shim here:

```rust
async fn write_locked_app(&self, locked_app: &LockedApp, working_dir: &Path) -> Result<String> {
```

but if the app has static assets, we would run into similar problems due to the read-only file system.

@lann

lann commented May 28, 2024

The problem is that the trigger `working_dir` is being hard-coded to `"/"`:

```rust
let working_dir = PathBuf::from("/");
```

If `readOnlyRootFilesystem: true` then that clearly wouldn't be writable. `spin up` defaults this to a random tempdir under e.g. `/tmp/`: https://github.com/fermyon/spin/blob/5bb2ca977fc32f01aaa69f08044a9054735a4128/src/commands/up.rs#L240
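The following is an added example, not code from the shim or from Spin, showing the two working-directory choices discussed in this thread side by side: a lock file written into a hard-coded `"/"` fails with errno 30 (`EROFS`, the "Read-only file system (os error 30)" in the log above) once the Pod sets `readOnlyRootFilesystem: true`, whereas a per-run directory under the temp dir (the `spin up` approach) stays writable because a Pod can back `/tmp` with an `emptyDir` volume. The helper names, the pid-plus-timestamp directory naming, and the error mapping are assumptions made for this example; the errno value is Linux-specific.

```rust
use std::fs;
use std::io;
use std::path::{Path, PathBuf};
use std::process;
use std::time::{SystemTime, UNIX_EPOCH};

/// Linux errno for "Read-only file system" (the "os error 30" in the shim log
/// quoted in this issue). Assumed constant for this example.
pub const EROFS: i32 = 30;

/// True when an I/O error is the read-only-filesystem failure that a Pod with
/// `readOnlyRootFilesystem: true` produces for any write under "/".
pub fn is_read_only_fs_error(err: &io::Error) -> bool {
    err.raw_os_error() == Some(EROFS)
}

/// The alternative to hard-coding "/": a fresh per-run directory under the
/// temp dir (/tmp on Linux). Uniqueness comes from the pid and a timestamp so
/// the example needs no external crate (an assumption; a real shim would use
/// a proper tempdir library).
pub fn scratch_working_dir() -> io::Result<PathBuf> {
    let nanos = SystemTime::now()
        .duration_since(UNIX_EPOCH)
        .map_err(|e| io::Error::new(io::ErrorKind::Other, e))?
        .as_nanos();
    let dir = std::env::temp_dir().join(format!("spin-shim-{}-{}", process::id(), nanos));
    fs::create_dir_all(&dir)?;
    Ok(dir)
}

/// Writes the lock file (the shim's spin.lock) into `working_dir`. The EROFS
/// case is mapped to a message that names the mitigation, so the failure is
/// recognisable in container logs instead of a bare "os error 30".
pub fn write_lock_file(working_dir: &Path, contents: &str) -> io::Result<PathBuf> {
    let path = working_dir.join("spin.lock");
    match fs::write(&path, contents) {
        Ok(()) => Ok(path),
        Err(e) if is_read_only_fs_error(&e) => Err(io::Error::new(
            io::ErrorKind::PermissionDenied,
            format!(
                "{} is on a read-only filesystem; use a writable working directory \
                 (for example an emptyDir mounted at /tmp) instead of \"/\"",
                path.display()
            ),
        )),
        Err(e) => Err(e),
    }
}

fn main() -> io::Result<()> {
    // With "/" as the working dir this would be the EROFS path under a
    // read-only root filesystem; the scratch dir works either way.
    let dir = scratch_working_dir()?;
    let lock = write_lock_file(&dir, "{}")?;
    println!("wrote {}", lock.display());
    fs::remove_dir_all(&dir)
}
```

The mapping in `write_lock_file` is only cosmetic; the actual mitigation is that `scratch_working_dir` never points at the root filesystem, so the Pod can keep `readOnlyRootFilesystem: true` and mount an `emptyDir` at `/tmp` for the shim's scratch files.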
