diff --git a/.gitpod.yml b/.gitpod.yml
index 5cacd79e613ed6..ca00e2d7c33a43 100644
--- a/.gitpod.yml
+++ b/.gitpod.yml
@@ -1,4 +1,4 @@
-image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:gpl-update-docs.6
+image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:cw-supervisor-execve-ring3.25
 workspaceLocation: gitpod/gitpod-ws.theia-workspace
 checkoutLocation: gitpod
 ports:
diff --git a/.werft/build.js b/.werft/build.js
index 9d667d5585c1e1..4c9fed70b5dd3b 100644
--- a/.werft/build.js
+++ b/.werft/build.js
@@ -31,6 +31,13 @@ async function build(context, version) {
 * Prepare
 */
 werft.phase("prepare");
+
+ const werftImg = shell.exec("cat .werft/build.yaml | grep dev-environment").trim().split(": ")[1];
+ const devImg = shell.exec("yq r .gitpod.yml image").trim();
+ if (werftImg !== devImg) {
+ werft.fail('prep', `Werft job image (${werftImg}) and Gitpod dev image (${devImg}) do not match`);
+ }
+
 let buildConfig = context.Annotations || {};
 try {
 exec(`gcloud auth activate-service-account --key-file "${GCLOUD_SERVICE_ACCOUNT_PATH}"`);
@@ -146,7 +153,7 @@ async function deployToDev(version, previewWithHttps, workspaceFeatureFlags, dyn
 werft.log("secret", "copy secret into namespace")
 try {
- const auth = exec(`echo -n "_json_key:$(kubectl get secret gcp-sa-registry-auth --namespace=keys --export -o yaml \
+ const auth = exec(`echo -n "_json_key:$(kubectl get secret gcp-sa-registry-auth --namespace=keys -o yaml \
 | yq r - data['.dockerconfigjson'] \
 | base64 -d)" | base64 -w 0`, {silent: true}).stdout.trim();
 fs.writeFileSync("chart/gcp-sa-registry-auth", 
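Review bot: The image comparison added in the prepare step derives `werftImg` from `cat .werft/build.yaml | grep dev-environment` and `.split(": ")[1]`, so a second line mentioning `dev-environment`, a different `image:` spacing, or a missing match yields a multi-line or `undefined` value and the check fails with a misleading "do not match" message instead of naming the real problem. Reading the field with yq the way `devImg` already is (a `yq r .werft/build.yaml` path selecting the `build` container's `image`, something like `pod.containers.(name==build).image`) and guarding both values with `if (!werftImg || !devImg) werft.fail('prep', 'could not read build/dev image');` would make the guard trustworthy. It is not visible in the hunk whether `werft.fail` throws; if it only records the failure, the job continues past this point and the mismatch stops nothing. The phase is opened as `"prepare"` but the failure is filed under `'prep'`; one slug would keep the log consistent. build's body continues outside the hunk.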
@@ -164,7 +171,7 @@ async function deployToDev(version, previewWithHttps, workspaceFeatureFlags, dyn
 werft.log("authProviders", "copy authProviders")
 try {
- exec(`kubectl get secret preview-envs-authproviders --namespace=keys --export -o yaml \
+ exec(`kubectl get secret preview-envs-authproviders --namespace=keys -o yaml \
 | yq r - data.authProviders \
 | base64 -d -w 0 \
 > authProviders`, {silent: true}).stdout.trim();
@@ -304,7 +311,11 @@ async function issueAndInstallCertficate(namespace, domain) {
 werft.log('certificate', `copying certificate from "certs/${namespace}" to "${namespace}/proxy-config-certificates"`);
 // certmanager is configured to create a secret in the namespace "certs" with the name "${namespace}".
- exec(`kubectl get secret ${namespace} --namespace=certs --export -o yaml \
+ exec(`kubectl get secret ${namespace} --namespace=certs -o yaml \
+ | yq d - 'metadata.namespace' \
+ | yq d - 'metadata.uid' \
+ | yq d - 'metadata.resourceVersion' \
+ | yq d - 'metadata.creationTimestamp' \
 | sed 's/${namespace}/proxy-config-certificates/g' \
 | kubectl apply --namespace=${namespace} -f -`);
 }
diff --git a/.werft/build.yaml b/.werft/build.yaml
index 79b0659f9bc511..f5ecd44f674356 100644
--- a/.werft/build.yaml
+++ b/.werft/build.yaml
@@ -30,7 +30,7 @@ pod:
 - name: MYSQL_TCP_PORT
 value: 23306
 - name: build
- image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:as-add-golangci-lint.6
+ image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:cw-supervisor-execve-ring3.25
 workingDir: /workspace
 imagePullPolicy: Always
 volumeMounts:
diff --git a/.werft/wipe-devstaging.yaml b/.werft/wipe-devstaging.yaml
index 45818ea185f606..c955450dba47be 100644
--- a/.werft/wipe-devstaging.yaml
+++ b/.werft/wipe-devstaging.yaml
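Review bot: In the certificate-copy hunk the rename is still done by `sed 's/${namespace}/proxy-config-certificates/g'` over the whole document, so every occurrence of the namespace string is rewritten, not just `metadata.name` — any label, annotation or other metadata field that mentions it, and in principle even a base64 payload containing that substring, is changed along the way, and whatever annotations the `certs` copy carries (not among the four `yq d` deletions) are carried into the target namespace. Since the pipeline now already goes through yq, a targeted write does the rename without touching other fields: `| yq w - metadata.name proxy-config-certificates \` in place of the sed line, and adding `metadata.annotations` and `metadata.selfLink` to the deletions would leave a clean data-only secret for `kubectl apply`. issueAndInstallCertficate's body starts outside the hunk.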
@@ -14,7 +14,7 @@ pod:
 secretName: gcp-sa-gitpod-dev-deployer
 containers:
 - name: wipe-devstaging
- image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:as-add-golangci-lint.6
+ image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:cw-supervisor-execve-ring3.25
 workingDir: /workspace
 imagePullPolicy: Always
 volumeMounts:
diff --git a/components/supervisor/BUILD.yaml b/components/supervisor/BUILD.yaml
index 56fbd4d7fd1d7c..9023b1950c27ee 100644
--- a/components/supervisor/BUILD.yaml
+++ b/components/supervisor/BUILD.yaml
@@ -18,6 +18,10 @@ packages:
 config:
 buildFlags:
 - "-ldflags=-w"
+ # build with >= go1.16beta1 to make libcap work without CGO. See
+ # - https://pkg.go.dev/kernel.org/pub/linux/libs/security/libcap/cap, search for allthreadssyscall
+ # - https://github.com/golang/go/issues/1435
+ goVersion: go1.16beta1
 - name: docker
 type: docker
 srcs:
diff --git a/components/supervisor/cmd/rings.go b/components/supervisor/cmd/rings.go
index 83cc6c260aa5d6..e665f6b8dbd1d7 100644
--- a/components/supervisor/cmd/rings.go
+++ b/components/supervisor/cmd/rings.go
@@ -24,6 +24,7 @@ import (
 sigproxysignal "github.com/rootless-containers/rootlesskit/pkg/sigproxy/signal"
 "github.com/spf13/cobra"
 "golang.org/x/sys/unix"
+ "kernel.org/pub/linux/libs/security/libcap/cap"
 )
 const (
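Review bot: The new `goVersion: go1.16beta1` pins a pre-release toolchain for the component that performs the uid/gid switch, and nothing in the hunk marks it as temporary; a `# TODO: move to the released go1.16 as soon as it ships` next to the new line keeps that from being forgotten. The comment explains the why well (libcap's all-threads syscall without CGO, golang/go#1435); naming the code that depends on it, e.g. `# required by cmd/rings.go (cap.SetUID/cap.SetGroups)`, would make the dependency discoverable from the build file when someone later wonders whether the pin can be dropped.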
@@ -364,29 +365,21 @@ var ring2Cmd = &cobra.Command{
 return
 }
- cmd := exec.Command("/proc/self/exe", "run", "--inns")
- cmd.SysProcAttr = &syscall.SysProcAttr{
- Pdeathsig: syscall.SIGKILL,
- Credential: &syscall.Credential{
- Uid: 33333,
- Gid: 33333,
- },
+ err = cap.SetGroups(33333)
+ if err != nil {
+ log.WithError(err).Error("cannot setgid")
+ failed = true
+ return
 }
- cmd.Stdin = os.Stdin
- cmd.Stdout = os.Stdout
- cmd.Stderr = os.Stderr
- cmd.Env = os.Environ()
- if err := cmd.Start(); err != nil {
- log.WithError(err).Error("failed to start the child process")
+ err = cap.SetUID(33333)
+ if err != nil {
+ log.WithError(err).Error("cannot setuid")
 failed = true
 return
 }
- sigc := sigproxy.ForwardAllSignals(context.Background(), cmd.Process.Pid)
- defer sigproxysignal.StopCatch(sigc)
-
- err = cmd.Wait()
+ err = unix.Exec("/proc/self/exe", []string{"supervisor", "run", "--inns"}, os.Environ())
 if err != nil {
- log.WithError(err).Error("unexpected exit")
+ log.WithError(err).Error("cannot exec")
 failed = true
 return
 }
diff --git a/components/supervisor/go.mod b/components/supervisor/go.mod
index 45e6db747b2eb3..c40c4c3b802f1d 100644
--- a/components/supervisor/go.mod
+++ b/components/supervisor/go.mod
@@ -28,6 +28,7 @@ require (
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1
 google.golang.org/grpc v1.34.0
 google.golang.org/grpc/examples v0.0.0-20200902210233-8630cac324bf // indirect
+ kernel.org/pub/linux/libs/security/libcap/cap v0.2.46
 )
 replace github.com/gitpod-io/gitpod/common-go => ../common-go // leeway
diff --git a/components/supervisor/go.sum b/components/supervisor/go.sum
index eca74b5a8ce44f..034b62c56b631a 100644
--- a/components/supervisor/go.sum
+++ b/components/supervisor/go.sum
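Review bot: The capability state ring3 ends up with after `unix.Exec` is left implicit in the new code. As I read the libcap docs, `cap.SetUID(33333)` switches every uid variant while keeping the process's capability sets, but execve as a non-root uid rebuilds the permitted set from the file capabilities of `/proc/self/exe` and the ambient set, so whatever ring2 still holds is dropped unless it was raised into the ambient set beforehand — the right outcome if ring3 is meant to be unprivileged, but then a comment should say so, e.g. `// exec as uid/gid 33333: with no ambient or file caps, ring3 starts with an empty permitted set`. The ordering (groups before uid) is correct, but `cap.SetGroups(33333)` with no supplementary list also clears the supplementary groups, which deserves a note since it silently fixes ring3's group membership. Replacing the `cmd.Start`/`cmd.Wait` child with an in-place exec also means every descriptor opened without CLOEXEC earlier in ring2 stays open in ring3; Go opens its own fds close-on-exec, but anything inherited from ring1 or created through raw syscalls earlier in ring2Cmd should be checked. ring2Cmd's body begins and ends outside the hunk.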
@@ -724,6 +724,10 @@ k8s.io/klog v0.3.1/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
 k8s.io/kube-openapi v0.0.0-20190228160746-b3a7cee44a30/go.mod h1:BXM9ceUBTj2QnfH2MK1odQs778ajze1RxcmP6S8RVVc=
 k8s.io/utils v0.0.0-20190221042446-c2654d5206da/go.mod h1:8k8uAuAQ0rXslZKaEWd0c3oVhZz7sSzSiPnVZayjIX0=
 k8s.io/utils v0.0.0-20191030222137-2b95a09bc58d/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew=
+kernel.org/pub/linux/libs/security/libcap/cap v0.2.46 h1:2my+JWsYxD0mFKUbqgtEf7r9A0m/fCMUv21RGgknTiU=
+kernel.org/pub/linux/libs/security/libcap/cap v0.2.46/go.mod h1:Xni6/5rCuzPoHAac5sCFMuDxz9FuI8GTUyQ4qlw3e0w=
+kernel.org/pub/linux/libs/security/libcap/psx v0.2.46 h1:9GvXrCSQAcgQ3zZVxRN8K866o1aAY1DYdXj0vHIHvYA=
+kernel.org/pub/linux/libs/security/libcap/psx v0.2.46/go.mod h1:+l6Ee2F59XiJ2I6WR5ObpC1utCQJZ/VLsEbQCD8RG24=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
diff --git a/components/ws-daemon/go.sum b/components/ws-daemon/go.sum
index c32e94b3f6b304..b5061045d2a5e4 100644
--- a/components/ws-daemon/go.sum
+++ b/components/ws-daemon/go.sum
@@ -397,6 +397,7 @@ github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXf
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
+github.com/stretchr/testify v1.5.1 h1:nOGnQDM7FYENwehXlg/kFVnos3rEvtKTjRvOWSzb6H4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/syndtr/gocapability v0.0.0-20170704070218-db04d3cc01c8/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
 github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 h1:kdXcSzyDtseVEc4yCz2qF8ZrQvIDBJLl4S1c3GCXmoI=
@@ -718,8 +719,6 @@ google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3Iji
 google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
-google.golang.org/grpc v1.32.0 h1:zWTV+LMdc3kaiJMSTOFz2UgSBgx8RNQoTGiZu3fR9S0=
-google.golang.org/grpc v1.32.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/grpc v1.34.0 h1:raiipEjMOIC/TO2AvyTxP25XFdLxNIBwzDh3FM3XztI=
 google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
diff --git a/dev/image/Dockerfile b/dev/image/Dockerfile
index 0c36cca6bbeee2..d59e93ec09b1e5 100644
--- a/dev/image/Dockerfile
+++ b/dev/image/Dockerfile
@@ -4,7 +4,7 @@ FROM gitpod/workspace-full-vnc:latest
-ENV TRIGGER_REBUILD 2
+ENV TRIGGER_REBUILD 3
 USER root
diff --git a/test/tests/workspace/workspace_agent/main.go b/test/tests/workspace/workspace_agent/main.go
index ea1f51f015d1b4..caaaa024b6db95 100644
--- a/test/tests/workspace/workspace_agent/main.go
+++ b/test/tests/workspace/workspace_agent/main.go
@@ -40,6 +40,6 @@ func (*WorkspaceAgent) WriteFile(req *api.WriteFileRequest, resp *api.WriteFileR
 return
 }
- resp = &api.WriteFileResponse{}
+ *resp = api.WriteFileResponse{}
 return
 }