|
 |
e358d9 |
From fb7d2b6bd6a16ffdbe4a69428e3ba5b487719e78 Mon Sep 17 00:00:00 2001
|
|
|
e358d9 |
From: Daniel J Walsh <dwalsh@redhat.com>
|
|
|
e358d9 |
Date: Tue, 17 Dec 2019 15:24:29 -0500
|
|
|
e358d9 |
Subject: [PATCH] Add support for FIPS-Mode backends
|
|
|
e358d9 |
|
|
|
e358d9 |
If host is running in fips mode, then RHEL8.2 and beyond container images
|
|
|
e358d9 |
will come with a directory /usr/share/crypto-policies/back-ends/FIPS.
|
|
|
e358d9 |
This directory needs to be bind mounted over /etc/crypto-policies/back-ends in
|
|
|
e358d9 |
order to make all tools in the container follow the FIPS Mode rules.
|
|
|
e358d9 |
|
|
|
e358d9 |
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|
|
e358d9 |
---
|
|
|
e358d9 |
pkg/secrets/secrets.go | 48 +++++++++++++++++++++++++++++++++---------
|
|
|
e358d9 |
run_linux.go | 2 +-
|
|
|
e358d9 |
2 files changed, 39 insertions(+), 11 deletions(-)
|
|
|
e358d9 |
|
|
|
e358d9 |
diff --git a/pkg/secrets/secrets.go b/pkg/secrets/secrets.go
|
|
|
e358d9 |
index 80ca05016..ee2e9a7c8 100644
|
|
|
e358d9 |
--- a/pkg/secrets/secrets.go
|
|
|
e358d9 |
+++ b/pkg/secrets/secrets.go
|
|
|
e358d9 |
@@ -148,12 +148,21 @@ func getMountsMap(path string) (string, string, error) {
|
|
|
e358d9 |
}
|
|
|
e358d9 |
|
|
|
e358d9 |
// SecretMounts copies, adds, and mounts the secrets to the container root filesystem
|
|
|
e358d9 |
+// Deprecated, Please use SecretMountWithUIDGID
|
|
|
e358d9 |
func SecretMounts(mountLabel, containerWorkingDir, mountFile string, rootless, disableFips bool) []rspec.Mount {
|
|
|
e358d9 |
return SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, containerWorkingDir, 0, 0, rootless, disableFips)
|
|
|
e358d9 |
}
|
|
|
e358d9 |
|
|
|
e358d9 |
-// SecretMountsWithUIDGID specifies the uid/gid of the owner
|
|
|
e358d9 |
-func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPrefix string, uid, gid int, rootless, disableFips bool) []rspec.Mount {
|
|
|
e358d9 |
+// SecretMountsWithUIDGID copies, adds, and mounts the secrets to the container root filesystem
|
|
|
e358d9 |
+// mountLabel: MAC/SELinux label for container content
|
|
|
e358d9 |
+// containerWorkingDir: Private data for storing secrets on the host mounted in container.
|
|
|
e358d9 |
+// mountFile: Additional mount points required for the container.
|
|
|
e358d9 |
+// mountPoint: Container image mountpoint
|
|
|
e358d9 |
+// uid: to assign to content created for secrets
|
|
|
e358d9 |
+// gid: to assign to content created for secrets
|
|
|
e358d9 |
+// rootless: indicates whether container is running in rootless mode
|
|
|
e358d9 |
+// disableFips: indicates whether system should ignore fips mode
|
|
|
e358d9 |
+func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPoint string, uid, gid int, rootless, disableFips bool) []rspec.Mount {
|
|
|
e358d9 |
var (
|
|
|
e358d9 |
secretMounts []rspec.Mount
|
|
|
e358d9 |
mountFiles []string
|
|
|
e358d9 |
@@ -171,7 +180,7 @@ func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPre
|
|
|
e358d9 |
}
|
|
|
e358d9 |
for _, file := range mountFiles {
|
|
|
e358d9 |
if _, err := os.Stat(file); err == nil {
|
|
|
e358d9 |
- mounts, err := addSecretsFromMountsFile(file, mountLabel, containerWorkingDir, mountPrefix, uid, gid)
|
|
|
e358d9 |
+ mounts, err := addSecretsFromMountsFile(file, mountLabel, containerWorkingDir, uid, gid)
|
|
|
e358d9 |
if err != nil {
|
|
|
e358d9 |
logrus.Warnf("error mounting secrets, skipping entry in %s: %v", file, err)
|
|
|
e358d9 |
}
|
|
|
e358d9 |
@@ -187,7 +196,7 @@ func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPre
|
|
|
e358d9 |
// Add FIPS mode secret if /etc/system-fips exists on the host
|
|
|
e358d9 |
_, err := os.Stat("/etc/system-fips")
|
|
|
e358d9 |
if err == nil {
|
|
|
e358d9 |
- if err := addFIPSModeSecret(&secretMounts, containerWorkingDir, mountPrefix, mountLabel, uid, gid); err != nil {
|
|
|
e358d9 |
+ if err := addFIPSModeSecret(&secretMounts, containerWorkingDir, mountPoint, mountLabel, uid, gid); err != nil {
|
|
|
e358d9 |
logrus.Errorf("error adding FIPS mode secret to container: %v", err)
|
|
|
e358d9 |
}
|
|
|
e358d9 |
} else if os.IsNotExist(err) {
|
|
|
e358d9 |
@@ -206,7 +215,7 @@ func rchown(chowndir string, uid, gid int) error {
|
|
|
e358d9 |
|
|
|
e358d9 |
// addSecretsFromMountsFile copies the contents of host directory to container directory
|
|
|
e358d9 |
// and returns a list of mounts
|
|
|
e358d9 |
-func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir, mountPrefix string, uid, gid int) ([]rspec.Mount, error) {
|
|
|
e358d9 |
+func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir string, uid, gid int) ([]rspec.Mount, error) {
|
|
|
e358d9 |
var mounts []rspec.Mount
|
|
|
e358d9 |
defaultMountsPaths := getMounts(filePath)
|
|
|
e358d9 |
for _, path := range defaultMountsPaths {
|
|
|
e358d9 |
@@ -285,7 +294,7 @@ func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir, mountPr
|
|
|
e358d9 |
}
|
|
|
e358d9 |
|
|
|
e358d9 |
m := rspec.Mount{
|
|
|
e358d9 |
- Source: filepath.Join(mountPrefix, ctrDirOrFile),
|
|
|
e358d9 |
+ Source: ctrDirOrFileOnHost,
|
|
|
e358d9 |
Destination: ctrDirOrFile,
|
|
|
e358d9 |
Type: "bind",
|
|
|
e358d9 |
Options: []string{"bind", "rprivate"},
|
|
|
e358d9 |
@@ -300,15 +309,15 @@ func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir, mountPr
|
|
|
e358d9 |
// root filesystem if /etc/system-fips exists on hosts.
|
|
|
e358d9 |
// This enables the container to be FIPS compliant and run openssl in
|
|
|
e358d9 |
// FIPS mode as the host is also in FIPS mode.
|
|
|
e358d9 |
-func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPrefix, mountLabel string, uid, gid int) error {
|
|
|
e358d9 |
+func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPoint, mountLabel string, uid, gid int) error {
|
|
|
e358d9 |
secretsDir := "/run/secrets"
|
|
|
e358d9 |
ctrDirOnHost := filepath.Join(containerWorkingDir, secretsDir)
|
|
|
e358d9 |
if _, err := os.Stat(ctrDirOnHost); os.IsNotExist(err) {
|
|
|
e358d9 |
if err = idtools.MkdirAllAs(ctrDirOnHost, 0755, uid, gid); err != nil {
|
|
|
e358d9 |
- return errors.Wrapf(err, "making container directory on host failed")
|
|
|
e358d9 |
+ return errors.Wrapf(err, "making container directory %q on host failed", ctrDirOnHost)
|
|
|
e358d9 |
}
|
|
|
e358d9 |
if err = label.Relabel(ctrDirOnHost, mountLabel, false); err != nil {
|
|
|
e358d9 |
- return errors.Wrap(err, "error applying correct labels")
|
|
|
e358d9 |
+ return errors.Wrapf(err, "error applying correct labels on %q", ctrDirOnHost)
|
|
|
e358d9 |
}
|
|
|
e358d9 |
}
|
|
|
e358d9 |
fipsFile := filepath.Join(ctrDirOnHost, "system-fips")
|
|
|
e358d9 |
@@ -323,7 +332,7 @@ func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPrefix,
|
|
|
e358d9 |
|
|
|
e358d9 |
if !mountExists(*mounts, secretsDir) {
|
|
|
e358d9 |
m := rspec.Mount{
|
|
|
e358d9 |
- Source: filepath.Join(mountPrefix, secretsDir),
|
|
|
e358d9 |
+ Source: ctrDirOnHost,
|
|
|
e358d9 |
Destination: secretsDir,
|
|
|
e358d9 |
Type: "bind",
|
|
|
e358d9 |
Options: []string{"bind", "rprivate"},
|
|
|
e358d9 |
@@ -331,6 +340,25 @@ func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPrefix,
|
|
|
e358d9 |
*mounts = append(*mounts, m)
|
|
|
e358d9 |
}
|
|
|
e358d9 |
|
|
|
e358d9 |
+ srcBackendDir := "/usr/share/crypto-policies/back-ends/FIPS"
|
|
|
e358d9 |
+ destDir := "/etc/crypto-policies/back-ends"
|
|
|
e358d9 |
+ srcOnHost := filepath.Join(mountPoint, srcBackendDir)
|
|
|
e358d9 |
+ if _, err := os.Stat(srcOnHost); err != nil {
|
|
|
e358d9 |
+ if os.IsNotExist(err) {
|
|
|
e358d9 |
+ return nil
|
|
|
e358d9 |
+ }
|
|
|
e358d9 |
+ return errors.Wrapf(err, "failed to stat FIPS Backend directory %q", ctrDirOnHost)
|
|
|
e358d9 |
+ }
|
|
|
e358d9 |
+
|
|
|
e358d9 |
+ if !mountExists(*mounts, destDir) {
|
|
|
e358d9 |
+ m := rspec.Mount{
|
|
|
e358d9 |
+ Source: srcOnHost,
|
|
|
e358d9 |
+ Destination: destDir,
|
|
|
e358d9 |
+ Type: "bind",
|
|
|
e358d9 |
+ Options: []string{"bind", "rprivate"},
|
|
|
e358d9 |
+ }
|
|
|
e358d9 |
+ *mounts = append(*mounts, m)
|
|
|
e358d9 |
+ }
|
|
|
e358d9 |
return nil
|
|
|
e358d9 |
}
|
|
|
e358d9 |
|
|
|
e358d9 |
diff --git a/run_linux.go b/run_linux.go
|
|
|
e358d9 |
index 4c2d73edd..c8e75eada 100644
|
|
|
e358d9 |
--- a/run_linux.go
|
|
|
e358d9 |
+++ b/run_linux.go
|
|
|
e358d9 |
@@ -460,7 +460,7 @@ func (b *Builder) setupMounts(mountPoint string, spec *specs.Spec, bundlePath st
|
|
|
e358d9 |
}
|
|
|
e358d9 |
|
|
|
e358d9 |
// Get the list of secrets mounts.
|
|
|
e358d9 |
- secretMounts := secrets.SecretMountsWithUIDGID(b.MountLabel, cdir, b.DefaultMountsFilePath, cdir, int(rootUID), int(rootGID), unshare.IsRootless(), false)
|
|
|
e358d9 |
+ secretMounts := secrets.SecretMountsWithUIDGID(b.MountLabel, cdir, b.DefaultMountsFilePath, mountPoint, int(rootUID), int(rootGID), unshare.IsRootless(), false)
|
|
|
e358d9 |
|
|
|
e358d9 |
// Add temporary copies of the contents of volume locations at the
|
|
|
e358d9 |
// volume locations, unless we already have something there.
|