Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Isolated layerextract #1399

Draft
wants to merge 5 commits into
base: main
Choose a base branch
from
Draft

Isolated layerextract #1399

wants to merge 5 commits into from

Conversation

helsaawy
Copy link
Contributor

Adding a new binary (cmd/differ) that functions as a binary stream processor for containerd differ plugins.
The command can extract tars and run both tar2ext4 or wclayer.extract for LCOW and WCOW images, respectively.

@helsaawy helsaawy force-pushed the he/layerextract branch 4 times, most recently from 18f5ba7 to 25aa0aa Compare May 18, 2022 17:55
@jterry75
Copy link
Contributor

Oh shoot. Whats the plan for this in containerd integrations? Interesting hack to add the re-exec on the differ itself.

@helsaawy
Copy link
Contributor Author

Oh shoot. Whats the plan for this in containerd integrations? Interesting hack to add the re-exec on the differ itself.

I didnt know of another way to reduce privileges and isolate the extraction/conversion.
containerd integration is here: kevpar/containerd#47. I am not sure how much upstream will be interested in it.

@jterry75 jterry75 mentioned this pull request May 19, 2022
Closed
@jterry75
Copy link
Contributor

Just linked the containerd thread on this for ya. We for sure want this in upstream

@helsaawy
Stream processor for image layer unpack
a9a00a0 
Created binary stream processors to extract tar layers and then convert
to a VHD for LCOW or WCOW (via tar2ext4.Convert or
ociwclayer.ImportLayerFromTar, respectively).

Currently, binary re-execs itself using a restricted token with limited
privileges and reduced access.

Signed-off-by: Hamza El-Saawy <[email protected]>
@helsaawy helsaawy force-pushed the he/layerextract branch 2 times, most recently from 072eacd to f2e2b95 Compare May 20, 2022 22:56
helsaawy added 3 commits May 22, 2022 18:07
@helsaawy
adding LPAC isolation
afb444b 
Signed-off-by: Hamza El-Saawy <[email protected]>
@helsaawy
got LPAC partiall working - need privileges
8de5a4a 
Signed-off-by: Hamza El-Saawy <[email protected]>
@helsaawy
attempting to inherit token
c3550ff 
Signed-off-by: Hamza El-Saawy <[email protected]>
@helsaawy
spliting out AC and privliges
e875fe4 
restricted SIDs on restricted token now work

Signed-off-by: Hamza El-Saawy <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@helsaawy @jterry75