Fix ndt-virtual's permission issue (#804)
* Set data dir permissions to 2755 recursively.

This means that the setgid bit is applied to datatype folders that already exist
when the initContainer is started, such as those mounted separately from the
main /var/spool/<experiment> folder.

For example, /var/spool/ndt/ndt7 is mounted as a separate volume in the
ndt-server container. Kubernetes will create this folder as owned by root/root
and with 0755 permissions. Then, the set-data-dir-perms initContainer sets the
owner to nobody/nogroup. This would not allow any other user to write to this
folder.

* Revert "Do not drop privileges in ndt-virtual's ndt containers (#802)"

This reverts commit 079be28.

* Run as group 'nogroup'.

* Do not chmod recursively, the top-level folders are enough.

* Do not overwrite pod-level runAsGroup
robertodauria authored May 24, 2023
1 parent b25e9c6 commit 4778526
Showing 2 changed files with 4 additions and 1 deletion.
3 changes: 3 additions & 0 deletions k8s/daemonsets/experiments/ndt-virtual.jsonnet
Expand Up @@ -94,6 +94,9 @@ exp.ExperimentNoIndex(expName, 'pusher-' + std.extVar('PROJECT_ID'), 'none', dat
add: [
'NET_BIND_SERVICE',
],
drop: [
'all',
],
},
runAsUser: 0,
},
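Review bot: with `drop: ['all']` added while `runAsUser: 0` is kept, this container is root without CAP_DAC_OVERRIDE, so it is no longer exempt from file permission checks and can only write into the data directory through the group-write bit; that only works if the pod-level `runAsGroup` is 65534 (the "Run as group 'nogroup'" and "Do not overwrite pod-level runAsGroup" bullets of the commit message), which is not visible in this hunk. Add a comment next to `runAsUser: 0` stating that the data-dir write path depends on the pod-level group, so a later change to that field does not silently break the experiment. Also prefer the canonical spelling used by the Kubernetes documentation and the restricted Pod Security Standard, `drop: ['ALL']`, rather than lowercase `'all'`, so the manifest does not depend on the runtime's case handling for capability names.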
2 changes: 1 addition & 1 deletion k8s/daemonsets/templates.jsonnet
Expand Up @@ -126,7 +126,7 @@ local setDataDirOwnership(name) = {
command: [
'/bin/sh',
'-c',
'cd ' + dataDir + ' && chown -R 65534:65534 . && chmod 2775 .',
'cd ' + dataDir + ' && chown -R 65534:65534 . && chmod 2775 . && chmod 2775 *',
],
securityContext: {
runAsUser: 0,
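Review bot: the new `chmod 2775 *` is fragile in two ways. If the data directory contains no entries, the unquoted glob is passed literally, `chmod` fails on a file named `*`, the `&&` chain returns non-zero and the initContainer (and with it the pod) fails to start; and `*` also matches regular files in the top level, setting setgid on them even though the commit message says only the top-level folders need it. Restrict the fix to directories and tolerate the empty case, e.g. `cd ' + dataDir + ' && chown -R 65534:65534 . && chmod 2775 . && find . -mindepth 1 -maxdepth 1 -type d -exec chmod 2775 {} +` (dot-named subdirectories are then covered too, which the glob skips). Separately, the first bullet of the commit message says the data dir permissions are set to 2755, while this line applies 2775; the group-write bit is what the nogroup write path relies on, so the message should say 2775.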

0 comments on commit 4778526