This commit should be squashed

xibz · xibz · commit 69775f6478ff · 2019-10-17T21:18:17.000Z
This commit removes the NET_ADMIN capability. This change also removes
the network interfaces for the jailer test since Firecracker will
attempt to create a tap device if one does not exist, and since the
jailer currently has no netns, it makes sense that one would be created
which causes the permission denied error when attempting to create a tap
device

Signed-off-by: xibz &lt;impactbchang@gmail.com&gt;
diff --git a/runtime/firecracker-runc-config.json.example b/runtime/firecracker-runc-config.json.example
@@ -21,13 +21,10 @@
             "bounding": [
             ],
             "inheritable": [
-                "CAP_NET_ADMIN"
             ],
             "permitted": [
-                "CAP_NET_ADMIN"
             ],
             "ambient": [
-                "CAP_NET_ADMIN"
             ]
         },
         "rlimits": [
diff --git a/runtime/jailer_integ_test.go b/runtime/jailer_integ_test.go
diff --git a/runtime/service_integ_test.go b/runtime/service_integ_test.go
@@ -221,7 +221,9 @@ func createTapDevice(ctx context.Context, tapName string) error {
 }
 
 func TestMultipleVMs_Isolated(t *testing.T) {
-	prepareIntegTest(t)
+	prepareIntegTest(t, func(cfg *Config) {
+		cfg.JailerConfig.RuncBinaryPath = "/usr/local/bin/runc"
+	})
 
 	cases := []struct {
 		MaxContainers int32
@@ -276,7 +278,7 @@ func TestMultipleVMs_Isolated(t *testing.T) {
 			rootfsPath := defaultVMRootfsPath
 
 			fcClient := fccontrol.NewFirecrackerClient(pluginClient.Client())
-			_, err = fcClient.CreateVM(ctx, &proto.CreateVMRequest{
+			req := &proto.CreateVMRequest{
 				VMID: strconv.Itoa(vmID),
 				MachineCfg: &proto.FirecrackerMachineConfiguration{
 					MemSizeMib: 512,
@@ -296,7 +298,13 @@ func TestMultipleVMs_Isolated(t *testing.T) {
 				},
 				ContainerCount: containerCount,
 				JailerConfig:   jailerConfig,
-			})
+			}
+
+			if jailerConfig != nil {
+				req.NetworkInterfaces = nil
+			}
+
+			_, err = fcClient.CreateVM(ctx, req)
 			require.NoError(t, err, "failed to create vm")
 
 			var containerWg sync.WaitGroup
@@ -306,18 +314,26 @@ func TestMultipleVMs_Isolated(t *testing.T) {
 					defer containerWg.Done()
 					containerName := fmt.Sprintf("container-%d-%d", vmID, containerID)
 					snapshotName := fmt.Sprintf("snapshot-%d-%d", vmID, containerID)
+					processArgs := oci.WithProcessArgs("/bin/sh", "-c", strings.Join([]string{
+						fmt.Sprintf("/bin/cat /sys/class/net/%s/address", defaultVMNetDevName),
+						"/usr/bin/readlink /proc/self/ns/mnt",
+						fmt.Sprintf("/bin/sleep %d", testTimeout/time.Second),
+					}, " && "))
+
+					if jailerConfig != nil {
+						// TODO: this if statement block can go away once we add netns
+						processArgs = oci.WithProcessArgs("/bin/sh", "-c", strings.Join([]string{
+							fmt.Sprintf("/bin/sleep %d", testTimeout/time.Second),
+						}, " && "))
+					}
 
 					// spawn a container that just prints the VM's eth0 mac address (which we have set uniquely per VM)
 					newContainer, err := client.NewContainer(ctx,
 						containerName,
 						containerd.WithSnapshotter(naiveSnapshotterName),
 						containerd.WithNewSnapshot(snapshotName, image),
 						containerd.WithNewSpec(
-							oci.WithProcessArgs("/bin/sh", "-c", strings.Join([]string{
-								fmt.Sprintf("/bin/cat /sys/class/net/%s/address", defaultVMNetDevName),
-								"/usr/bin/readlink /proc/self/ns/mnt",
-								fmt.Sprintf("/bin/sleep %d", testTimeout/time.Second),
-							}, " && ")),
+							processArgs,
 							oci.WithHostNamespace(specs.NetworkNamespace),
 							firecrackeroci.WithVMID(strconv.Itoa(vmID)),
 						),
@@ -438,13 +454,21 @@ func TestMultipleVMs_Isolated(t *testing.T) {
 						}
 
 						stdoutLines := strings.Split(strings.TrimSpace(taskStdout.String()), "\n")
-						require.Len(t, stdoutLines, 2)
+						lines := 2
+						if jailerConfig != nil {
+							lines = 1
+						}
+						require.Len(t, stdoutLines, lines)
 
 						printedVMID := strings.TrimSpace(stdoutLines[0])
-						require.Equal(t, vmIDtoMacAddr(uint(vmID)), printedVMID, "unexpected VMID output from container %q", containerName)
+						// TODO: Remove this if statement once we can add a netns which
+						// will allow firecracker to have visibility of the tap devices.
+						if jailerConfig == nil {
+							require.Equal(t, vmIDtoMacAddr(uint(vmID)), printedVMID, "unexpected VMID output from container %q", containerName)
 
-						taskMntNS := strings.TrimSpace(stdoutLines[1])
-						require.Equal(t, execMntNS, taskMntNS, "unexpected mnt NS output from container %q", containerName)
+							taskMntNS := strings.TrimSpace(stdoutLines[1])
+							require.Equal(t, execMntNS, taskMntNS, "unexpected mnt NS output from container %q", containerName)
+						}
 
 					case <-ctx.Done():
 						require.Fail(t, "context cancelled",
@@ -572,7 +596,6 @@ func TestStubBlockDevices_Isolated(t *testing.T) {
 			},
 		},
 		ContainerCount: 5,
-		JailerConfig:   &proto.JailerConfig{},
 	})
 	require.NoError(t, err, "failed to create VM")
 
@@ -700,7 +723,6 @@ func testCreateContainerWithSameName(t *testing.T, vmID string) {
 				IsRootDevice: true,
 			},
 			ContainerCount: 2,
-			JailerConfig:   &proto.JailerConfig{},
 		})
 		require.NoError(t, err)
 	}
diff --git a/runtime/service_test.go b/runtime/service_test.go
@@ -95,7 +95,7 @@ func TestBuildVMConfiguration(t *testing.T) {
 					{
 						DriveID:      firecracker.String("root_drive"),
 						PathOnHost:   firecracker.String("REQUEST ROOT DRIVE"),
-						IsReadOnly:   firecracker.Bool(true),
+						IsReadOnly:   firecracker.Bool(false),
 						IsRootDevice: firecracker.Bool(true),
 					},
 				},
@@ -135,7 +135,7 @@ func TestBuildVMConfiguration(t *testing.T) {
 					{
 						DriveID:      firecracker.String("root_drive"),
 						PathOnHost:   firecracker.String("REQUEST ROOT DRIVE"),
-						IsReadOnly:   firecracker.Bool(true),
+						IsReadOnly:   firecracker.Bool(false),
 						IsRootDevice: firecracker.Bool(true),
 					},
 				},
