From ed34ff3255f3e340062a34caca4443a75a3bd3c5 Mon Sep 17 00:00:00 2001
From: Antonio Murdaca
Date: Sat, 11 Nov 2017 12:00:48 +0100
Subject: [PATCH 1/5] server: validate labels size to avoid dos
Signed-off-by: Antonio Murdaca
---
 server/container_create.go | 4 ++++
 server/sandbox_run.go | 4 ++++
 server/utils.go | 14 ++++++++++++++
 3 files changed, 22 insertions(+)
diff --git a/server/container_create.go b/server/container_create.go
index e512e587..e1c5e025 100644
--- a/server/container_create.go
+++ b/server/container_create.go
@@ -620,6 +620,10 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 labels := containerConfig.GetLabels()
+ if err := validateLabels(labels); err != nil {
+ return nil, err
+ }
+
 metadata := containerConfig.GetMetadata()
 kubeAnnotations := containerConfig.GetAnnotations()
diff --git a/server/sandbox_run.go b/server/sandbox_run.go
index fa7c17e5..c71b813c 100644
--- a/server/sandbox_run.go
+++ b/server/sandbox_run.go
@@ -227,6 +227,10 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
 // add labels
 labels := req.GetConfig().GetLabels()
+ if err := validateLabels(labels); err != nil {
+ return nil, err
+ }
+
 // Add special container name label for the infra container
 labelsJSON := []byte{}
 if labels != nil {
diff --git a/server/utils.go b/server/utils.go
index 1e98aef2..2a15ab42 100644
--- a/server/utils.go
+++ b/server/utils.go
@@ -18,6 +18,8 @@ const (
 // According to http://man7.org/linux/man-pages/man5/resolv.conf.5.html:
 // "The search list is currently limited to six domains with a total of 256 characters."
 maxDNSSearches = 6
+
+ maxLabelSize = 4096
 )
 func copyFile(src, dest string) error {
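Review bot: The added guard bounds the labels map, but the annotations read two lines below it, `kubeAnnotations := containerConfig.GetAnnotations()`, are a caller-supplied map of the same shape and stay unbounded, so the size limit the subject line is after only covers half of the client-controlled metadata on this path. A second call such as `if err := validateLabels(kubeAnnotations); err != nil { return nil, err }` placed after the annotations are read would close that gap (the error text would then need to say "key and value" rather than "label"). The sandbox_run.go hunk in this patch checks `req.GetConfig().GetLabels()` alone and presumably has the same gap for its annotations, which fall outside that hunk. createSandboxContainer continues beyond this hunk, so I cannot see whether annotations are bounded later.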
@@ -196,3 +198,15 @@ func recordError(operation string, err error) {
 metrics.CRIOOperationsErrors.WithLabelValues(operation).Inc()
 }
 }
+
+func validateLabels(labels map[string]string) error {
+ for k, v := range labels {
+ if (len(k) + len(v)) > maxLabelSize {
+ if len(k) > 10 {
+ k = k[:10]
+ }
+ return fmt.Errorf("label key and value greater than maximum size (%d bytes), key: %s", maxLabelSize, k)
+ }
+ }
+ return nil
+}
From bc4319c7a8f97f2fddff6d5a73d312d3c63f9932 Mon Sep 17 00:00:00 2001
From: Antonio Murdaca
Date: Sat, 11 Nov 2017 12:05:36 +0100
Subject: [PATCH 2/5] *: add crictl.yaml
Signed-off-by: Antonio Murdaca
---
 Dockerfile | 2 +-
 Makefile | 2 ++
 contrib/test/integration/build/cri-tools.yml | 2 +-
 crictl.yaml | 1 +
 test/helpers.bash | 4 ++--
 5 files changed, 7 insertions(+), 4 deletions(-)
 create mode 100644 crictl.yaml
diff --git a/Dockerfile b/Dockerfile
index 3caf5ac5..702918e8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -97,7 +97,7 @@ RUN set -x \
 && rm -rf "$GOPATH"
 # Install crictl
-ENV CRICTL_COMMIT 16e6fe4d7199c5689db4630a9330e6a8a12cecd1
+ENV CRICTL_COMMIT b42fc3f364dd48f649d55926c34492beeb9b2e99
 RUN set -x \
 && export GOPATH="$(mktemp -d)" \
 && git clone https://github.com/kubernetes-incubator/cri-tools.git "$GOPATH/src/github.com/kubernetes-incubator/cri-tools" \
diff --git a/Makefile b/Makefile
index 24bf0e2b..3bc03efc 100644
--- a/Makefile
+++ b/Makefile
@@ -12,6 +12,7 @@ MANDIR ?= ${PREFIX}/share/man
 ETCDIR ?= ${DESTDIR}/etc
 ETCDIR_CRIO ?= ${ETCDIR}/crio
 BUILDTAGS ?= seccomp $(shell hack/btrfs_tag.sh) $(shell hack/libdm_tag.sh) $(shell hack/btrfs_installed_tag.sh) $(shell hack/ostree_tag.sh) $(shell hack/selinux_tag.sh)
+CRICTL_CONFIG_DIR=${DESTDIR}/etc
 BASHINSTALLDIR=${PREFIX}/share/bash-completion/completions
 OCIUMOUNTINSTALLDIR=$(PREFIX)/share/oci-umount/oci-umount.d
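Review bot: The `fmt.Errorf(..., key: %s", maxLabelSize, k)` line copies a caller-controlled key into the error after slicing it with `k[:10]`, which cuts bytes rather than runes and can leave a truncated UTF-8 sequence or control characters in the message sent back to the client; `%q` keeps the message single-line and escapes such bytes: `return fmt.Errorf("label key and value greater than maximum size (%d bytes), key: %q", maxLabelSize, k)`. The check is also per pair only: nothing in the loop bounds the number of labels, so if the aim is to cap the request's total footprint an aggregate byte counter across the loop would be needed as well. Both new identifiers lack doc comments, unlike the commented `maxDNSSearches` that sits next to `maxLabelSize` in the earlier utils.go hunk; I would add `// maxLabelSize caps len(key)+len(value) of a single label, in bytes.` on the constant and `// validateLabels rejects any label whose key and value together exceed maxLabelSize bytes.` on the function.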
@@ -165,6 +166,7 @@ install.config:
 install ${SELINUXOPT} -D -m 644 crio.conf $(ETCDIR_CRIO)/crio.conf
 install ${SELINUXOPT} -D -m 644 seccomp.json $(ETCDIR_CRIO)/seccomp.json
 install ${SELINUXOPT} -D -m 644 crio-umount.conf $(OCIUMOUNTINSTALLDIR)/crio-umount.conf
+ install ${SELINUXOPT} -D -m 644 crictl.yaml $(CRICTL_CONFIG_DIR)
 install.completions:
 install ${SELINUXOPT} -d -m 755 ${BASHINSTALLDIR}
diff --git a/contrib/test/integration/build/cri-tools.yml b/contrib/test/integration/build/cri-tools.yml
index e314225e..5d748112 100644
--- a/contrib/test/integration/build/cri-tools.yml
+++ b/contrib/test/integration/build/cri-tools.yml
@@ -4,7 +4,7 @@ git:
 repo: "https://github.com/kubernetes-incubator/cri-tools.git"
 dest: "{{ ansible_env.GOPATH }}/src/github.com/kubernetes-incubator/cri-tools"
- version: "16e6fe4d7199c5689db4630a9330e6a8a12cecd1"
+ version: "b42fc3f364dd48f649d55926c34492beeb9b2e99"
 - name: install crictl
 command: "/usr/bin/go install github.com/kubernetes-incubator/cri-tools/cmd/crictl"
diff --git a/crictl.yaml b/crictl.yaml
new file mode 100644
index 00000000..841cbe47
--- /dev/null
+++ b/crictl.yaml
@@ -0,0 +1 @@
+runtime-endpoint: /var/run/crio.sock
diff --git a/test/helpers.bash b/test/helpers.bash
index 9c6d8d91..4c9dfc23 100644
--- a/test/helpers.bash
+++ b/test/helpers.bash
@@ -211,9 +211,9 @@ function retry() {
 false
 }
-# Waits until the given crio becomes reachable.
+# Waits until crio becomes reachable.
 function wait_until_reachable() {
- retry 15 1 crictl status
+ retry 15 1 crictl version
 }
 # Start crio.
From 8bdb7b912db5743b538e02082292036b160aaf97 Mon Sep 17 00:00:00 2001
From: Antonio Murdaca
Date: Sat, 11 Nov 2017 12:15:59 +0100
Subject: [PATCH 3/5] container_list: guard against list filter being nil
Signed-off-by: Antonio Murdaca
---
 server/container_list.go | 54 +++++++++++++++++++++-------------------
 1 file changed, 28 insertions(+), 26 deletions(-)
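Review bot: The added install line hands `-D` a directory, `$(CRICTL_CONFIG_DIR)`, while the three lines above it name the full destination file; GNU install with `-D` treats its last argument as the file to create, so if `${DESTDIR}/etc` does not exist yet the yaml would be written to a regular file named `etc` (the preceding `$(ETCDIR_CRIO)` installs normally create that directory first, so this is mostly latent). `install ${SELINUXOPT} -D -m 644 crictl.yaml $(CRICTL_CONFIG_DIR)/crictl.yaml` matches the siblings. In the first Makefile hunk the variable is set with `=`, whereas the neighbouring `ETCDIR ?= ${DESTDIR}/etc` uses `?=` so packagers can override it; `CRICTL_CONFIG_DIR ?= ${ETCDIR}` would follow that convention and avoid duplicating the path.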
diff --git a/server/container_list.go b/server/container_list.go
index 3dc3f5cb..9542067a 100644
--- a/server/container_list.go
+++ b/server/container_list.go
@@ -38,38 +38,40 @@ func (s *Server) ListContainers(ctx context.Context, req *pb.ListContainersReque
 logrus.Debugf("ListContainersRequest %+v", req)
 var ctrs []*pb.Container
- filter := req.Filter
+ filter := req.GetFilter()
 ctrList, err := s.ContainerServer.ListContainers()
 if err != nil {
 return nil, err
 }
- // Filter using container id and pod id first.
- if filter.Id != "" {
- id, err := s.CtrIDIndex().Get(filter.Id)
- if err != nil {
- return nil, err
- }
- c := s.ContainerServer.GetContainer(id)
- if c != nil {
- if filter.PodSandboxId != "" {
- if c.Sandbox() == filter.PodSandboxId {
- ctrList = []*oci.Container{c}
- } else {
- ctrList = []*oci.Container{}
- }
-
- } else {
- ctrList = []*oci.Container{c}
+ if filter != nil {
+ // Filter using container id and pod id first.
+ if filter.Id != "" {
+ id, err := s.CtrIDIndex().Get(filter.Id)
+ if err != nil {
+ return nil, err
 }
- }
- } else {
- if filter.PodSandboxId != "" {
- pod := s.ContainerServer.GetSandbox(filter.PodSandboxId)
- if pod == nil {
- ctrList = []*oci.Container{}
- } else {
- ctrList = pod.Containers().List()
+ c := s.ContainerServer.GetContainer(id)
+ if c != nil {
+ if filter.PodSandboxId != "" {
+ if c.Sandbox() == filter.PodSandboxId {
+ ctrList = []*oci.Container{c}
+ } else {
+ ctrList = []*oci.Container{}
+ }
+
+ } else {
+ ctrList = []*oci.Container{c}
+ }
+ }
+ } else {
+ if filter.PodSandboxId != "" {
+ pod := s.ContainerServer.GetSandbox(filter.PodSandboxId)
+ if pod == nil {
+ ctrList = []*oci.Container{}
+ } else {
+ ctrList = pod.Containers().List()
+ }
 }
 }
 }
From 4aceedee21c5aa2edf8d186a7b1c04f81f983a53 Mon Sep 17 00:00:00 2001
From: Antonio Murdaca
Date: Sat, 11 Nov 2017 12:16:25 +0100
Subject: [PATCH 4/5] version: bump to v1.0.4
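Review bot: Inside the new `if filter != nil` block, when `filter.Id` is set and the index lookup succeeds but `s.ContainerServer.GetContainer(id)` returns nil, `ctrList` is never narrowed and the function carries on with the full unfiltered list, so a request that filters on one container id can be answered with every container; the nil guard does not change that. An `else` on the `if c != nil {` branch, `} else { ctrList = []*oci.Container{} }`, would make a non-matching id filter return an empty list the way the sandbox branch already does for an unknown pod. As a point of style, the body reads `filter.Id` and `filter.PodSandboxId` directly while the line above now uses `req.GetFilter()`; if `pb` is protobuf-generated (the getter suggests so) the nil-safe `filter.GetId()` and `filter.GetPodSandboxId()` would let the outer nil check and one level of nesting go. ListContainers continues past the hunk, where `ctrs` is presumably filled from `ctrList`.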
Signed-off-by: Antonio Murdaca
---
 version/version.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/version/version.go b/version/version.go
index fb9bdff7..aec0d7ea 100644
--- a/version/version.go
+++ b/version/version.go
@@ -1,4 +1,4 @@
 package version
 // Version is the version of the build.
-const Version = "1.0.4-dev"
+const Version = "1.0.4"
From d45e90673f1362f53cbf5168dbc53d0541cc74d0 Mon Sep 17 00:00:00 2001
From: Antonio Murdaca
Date: Sat, 11 Nov 2017 12:16:47 +0100
Subject: [PATCH 5/5] version: bump to v1.0.5-dev
Signed-off-by: Antonio Murdaca
---
 version/version.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/version/version.go b/version/version.go
index aec0d7ea..46cc7a68 100644
--- a/version/version.go
+++ b/version/version.go
@@ -1,4 +1,4 @@
 package version
 // Version is the version of the build.
-const Version = "1.0.4"
+const Version = "1.0.5-dev"