Skip to content

fix 714-plugin add netns validation reinforcement #890

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 10, 2022
Merged

fix 714-plugin add netns validation reinforcement #890

merged 1 commit into from
Oct 10, 2022

Conversation

Poor12
Copy link
Contributor

@Poor12 Poor12 commented Mar 31, 2022

@Poor12
Copy link
Contributor Author

Poor12 commented Apr 1, 2022

Is something like this? Need your review. :) @squeed

squeed
squeed reviewed Apr 13, 2022
View reviewed changes
pkg/skel/skel.go Outdated

func checkNetNS(nsPath string) (bool, *types.Error) {
ns, err := netns.GetFromPath(nsPath)
if err != nil {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need to support CNI DEL for empty nsPath as well as already-deleted nsPath. So, paradoxically, I think we can return true here if err != nil.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you mean we just pass the check and let plugins deal with empty plugins as well as already-deleted nsPath?

dcbw
dcbw reviewed Apr 13, 2022
View reviewed changes
pkg/skel/skel.go Outdated
if err != nil {
return err
}
if cmdArgs.NetnsOverride != "TRUE" {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Poor12 could we make this a case-insensitive comparison for "true", and also add a check for "1"?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

make it.

squeed
squeed reviewed Apr 13, 2022
View reviewed changes
pkg/skel/skel.go
@@ -241,6 +277,17 @@ func (t *dispatcher) pluginMain(cmdAdd, cmdCheck, cmdDel func(_ *CmdArgs) error,
return types.NewError(types.ErrIncompatibleCNIVersion, "plugin version does not allow CHECK", "")
case "DEL":
err = t.checkVersionAndCall(cmdArgs, versionInfo, cmdDel)
if err != nil {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we check this for ADD as well? I don't see why not...

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add check for ADD.

@coveralls
Copy link

coveralls commented Apr 19, 2022
edited
Loading

Coverage Status

Coverage increased (+0.02%) to 72.228% when pulling c31383f on Poor12:fix-714 into 8dba382 on containernetworking:main.

@squeed
Copy link
Member

squeed commented Apr 19, 2022

@Poor12 surprise: this doesn't build on Windows :). We'll need to stub out the function with build flags.

@Poor12
Copy link
Contributor Author

Poor12 commented Apr 20, 2022

@Poor12 surprise: this doesn't build on Windows :). We'll need to stub out the function with build flags.

I am not familiar with this. Could you do me a favor?Thanks a lot.

@dcbw
Copy link
Member

dcbw commented Apr 27, 2022

I am not familiar with this. Could you do me a favor?Thanks a lot.

 # github.com/vishvananda/netns
Error: C:\Users\runneradmin\go\pkg\mod\github.com\vishvananda\[email protected]\netns.go:28:13: undefined: unix.Stat_t
Error: C:\Users\runneradmin\go\pkg\mod\github.com\vishvananda\[email protected]\netns.go:29:12: undefined: unix.Fstat
Error: C:\Users\runneradmin\go\pkg\mod\github.com\vishvananda\[email protected]\netns.go:32:12: undefined: unix.Fstat
Error: C:\Users\runneradmin\go\pkg\mod\github.com\vishvananda\[email protected]\netns.go:43:8: undefined: unix.Stat_t
Error: C:\Users\runneradmin\go\pkg\mod\github.com\vishvananda\[email protected]\netns.go:44:12: undefined: unix.Fstat
Error: C:\Users\runneradmin\go\pkg\mod\github.com\vishvananda\[email protected]\netns.go:56:8: undefined: unix.Stat_t
Error: C:\Users\runneradmin\go\pkg\mod\github.com\vishvananda\[email protected]\netns.go:57:12: undefined: unix.Fstat
Error: C:\Users\runneradmin\go\pkg\mod\github.com\vishvananda\[email protected]\netns.go:71:12: undefined: unix.Close

That just means that because the netlink library and Unix stuff doesn't work on Windows, you need to move that code to a different file. Here's what you do.

  1. Make a new file called netns_linux.go and put getCurrentNS(), getCurrentThreadNetNSPath(), and checkNetNS() into that.
  2. Make a new file called netns_windows.go and stub out the checkNetNS() function there like:
func checkNetNS(nsPath string) (bool, *types.Error) {
    return false, nil
}

Files with _ at the end are automatically only built on the platform in question. It's magic :) That way Linux builds will use the full implementation, and the Windows builds will use the stub implementation that just returns OK. @MikeZappa87 says that Windows doesn't have a good way (that we know of) to get the root compartment, so let's just ignore this on Windows for now.

@Poor12 Poor12 changed the title [WIP]fix 714-plugin add netns validation reinforcement fix 714-plugin add netns validation reinforcement Apr 28, 2022
@Poor12
Copy link
Contributor Author

Poor12 commented Apr 28, 2022

Thanks for informing this. I have not seen _windows files before. And Happy Labor Day :) @dcbw

dcbw
dcbw reviewed May 4, 2022
View reviewed changes
pkg/ns/ns_windows.go

package ns

func CheckNetNS(nsPath string) (bool, *types.Error) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Poor12 you need to import "github.com/containernetworking/cni/pkg/types" here to get types.Error.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

@Poor12
Copy link
Contributor Author

Poor12 commented May 20, 2022

/cc @squeed @dcbw

@kkBill
Copy link

kkBill commented Jun 14, 2022

Is there any progress about this issue?

@Poor12
Copy link
Contributor Author

Poor12 commented Jun 20, 2022

Excuse me, several months ago I started a issue about containernetworking/plugins#714 and have proposed a tentative solution but got very few replies lately. Actually our productive environment has had this problem for a while and we really hope to fix this problem in the community in order to avoid the problem of upstream and downstream inconsistencies caused by our private modification.

But during several months waiting for a response from the community, I have several confusion about this problem.

  1. Do we still need to fix this problem?Or we don't think it's a problem?
  2. Is there a more reasonable solution for this problem?

cc @squeed @dcbw @mars1024 @matthewdupre @mccv1r0 @MikeZappa87 @jellonek
Really sorry if disturbing you.

@squeed squeed merged commit dbf33e2 into containernetworking:main Oct 10, 2022
@s1061123 s1061123 mentioned this pull request Nov 13, 2023
Merged
@Icarus9913 Icarus9913 mentioned this pull request May 13, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@squeed squeed squeed left review comments

@dcbw dcbw dcbw left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@Poor12 @coveralls @squeed @dcbw @kkBill