*** irclogbot_0 has quit IRC | 02:19 | |
*** lpetrut has joined #kata-dev | 03:50 | |
*** lpetrut has quit IRC | 04:19 | |
*** sameo has joined #kata-dev | 05:02 | |
*** sameo has quit IRC | 06:49 | |
*** tmhoang has joined #kata-dev | 06:49 | |
*** sgarzare has joined #kata-dev | 06:56 | |
*** lpetrut has joined #kata-dev | 06:57 | |
*** jodh has joined #kata-dev | 07:30 | |
*** sameo has joined #kata-dev | 07:36 | |
*** davidgiluk has joined #kata-dev | 08:39 | |
*** devimc has joined #kata-dev | 12:58 | |
*** davidgiluk has quit IRC | 13:12 | |
*** irclogbot_1 has joined #kata-dev | 13:25 | |
*** davidgiluk has joined #kata-dev | 13:30 | |
*** fuentess has joined #kata-dev | 13:50 | |
kata-irc-bot | <teawater> Got “Jenkins is going to shut down” when I open http://jenkins.katacontainers.io. Is it going to reboot? | 14:11 |
kata-irc-bot | <jose.carlos.venegas.m> @gmmaharaj let me take a look | 14:42 |
kata-irc-bot | <jose.carlos.venegas.m> @gmmaharaj we have the fedora 29 packages successfully created for it | 14:46 |
kata-irc-bot | <jose.carlos.venegas.m> what package repository are you pointing to ? | 14:46 |
*** sameo has quit IRC | 14:52 | |
*** lpetrut has quit IRC | 15:04 | |
*** tmhoang has quit IRC | 16:19 | |
*** sgarzare has quit IRC | 16:47 | |
*** davidgiluk has quit IRC | 16:54 | |
*** jodh has quit IRC | 17:02 | |
*** sameo has joined #kata-dev | 17:32 | |
kata-irc-bot | <eric.ernst> In reviewing pod annotations, I'm thinking it'd be useful to include kernel params on a per pod basis. | 17:39 |
kata-irc-bot | <eric.ernst> I'm kind of surprised this isn't an option today; am I missing anything? Today kernel params are *just* set in the toml (so, at a node granularity)? @bergwolf @samuel.ortiz @manohar.r.castelino @archana.m.shinde ? | 17:39 |
kata-irc-bot | <samuel.ortiz> @eric.ernst There has not been a use case for this. Yet. | 17:40 |
kata-irc-bot | <eric.ernst> We have a potential user who was asking about it. | 18:25 |
kata-irc-bot | <eric.ernst> For me, it could make sense? Example: ```The application may need a specific kernel parameter value, e.g. ElasticSearch need /proc/sys/vm/max_map_count to be 262144, how can we set it for kata VM?``` | 18:26 |
kata-irc-bot | <archana.m.shinde> @eric.ernst that is more of a sysctl value | 18:29 |
kata-irc-bot | <archana.m.shinde> I have added a doc that addresses spec that | 18:29 |
kata-irc-bot | <archana.m.shinde> https://github.com/kata-containers/documentation/blob/master/how-to/how-to-use-sysctls-with-kata.md | 18:29 |
kata-irc-bot | <archana.m.shinde> kind of a recipe for Kata, by having those set in a privileged container | 18:31 |
kata-irc-bot | <archana.m.shinde> so that it affects only that guest/container rather than other containers which would not be possible with regular containers | 18:31 |
kata-irc-bot | <eric.ernst> Nice link, @archana.m.shinde - agreed. | 18:32 |
kata-irc-bot | <eric.ernst> Trying to see where this sits for forbidden/unsafe/safe list. | 18:32 |
kata-irc-bot | <eric.ernst> or if it is namespaced | 18:33 |
*** igordc has joined #kata-dev | 18:35 | |
kata-irc-bot | <archana.m.shinde> the one that you mentioned `/proc/sys/vm/max_map_count` is not namespaced @eric.ernst | 18:36 |
kata-irc-bot | <eric.ernst> Yeah, I was hoping that maybe this changed, but not seeing it. | 18:36 |
kata-irc-bot | <eric.ernst> Thinking, though - wouldn't this be needed on the host? | 18:37 |
kata-irc-bot | Action: eric.ernst is confused | 18:38 |
kata-irc-bot | <eric.ernst> @manohar.r.castelino ^ | 18:41 |
*** devimc has quit IRC | 19:58 | |
*** devimc has joined #kata-dev | 19:59 | |
kata-irc-bot | <manohar.r.castelino> @archana.m.shinde check nproc that is normally accurate | 20:07 |
kata-irc-bot | <manohar.r.castelino> @eric.ernst do you see case where user chosen kernel params can cause security issues | 20:08 |
kata-irc-bot | <eric.ernst> @xwlpt ping? | 20:08 |
kata-irc-bot | <manohar.r.castelino> @eric.ernst we do not sanitize those params today | 20:08 |
kata-irc-bot | <eric.ernst> I suppose it would open things. | 20:09 |
kata-irc-bot | <archana.m.shinde> @manohar.r.castelino Didn't follow the nproc thing | 20:10 |
kata-irc-bot | <manohar.r.castelino> @archana.m.shinde ignore that I did not read the message properly | 20:10 |
kata-irc-bot | <eric.ernst> they could write it with --priv, which also isn't ideal, but at least they know what they're getting into... | 20:11 |
kata-irc-bot | <eric.ernst> Or just set it by default. | 20:11 |
kata-irc-bot | <manohar.r.castelino> @gabrielle.n.beyer on the kata podman work can you check the following even when not running rootless | 20:12 |
kata-irc-bot | <manohar.r.castelino> create files within the container | 20:12 |
kata-irc-bot | <manohar.r.castelino> check what the uid and gid end up being on the host side file system | 20:12 |
*** jugs has quit IRC | 20:45 | |
*** jugs has joined #kata-dev | 20:46 | |
kata-irc-bot | <xwlpt> @eric.ernst It is better for user to specify the kernel parameter but not use --priv way. For pod in k8s, most of the user will not have privileged permission. If they have privileged permission, then they can do almost everything at the host. | 20:47 |
kata-irc-bot | <eric.ernst> Sure, I understand. | 20:48 |
kata-irc-bot | <eric.ernst> What do you think about just setting the kernel parameters via the configuration.toml? | 20:48 |
kata-irc-bot | <eric.ernst> (this will be a node level setting) | 20:48 |
kata-irc-bot | <eric.ernst> I'm not sure there's a major draw back (for your specific example) | 20:48 |
kata-irc-bot | <xwlpt> It is better to make it per pod, so that we can support many kind of different users. | 20:49 |
kata-irc-bot | <eric.ernst> my concern is that by making that annotation, users could then start expressing more kernel parameters which could be exploitable. | 21:12 |
kata-irc-bot | <gabrielle.n.beyer> @manohar.r.castelino I may be misunderstanding you, but it looks like both are root, which I guess makes sense since the initial user of the container is root, should I try and make a user within the podman container, and see if it still sets uid/guid to be root in the storage/overlay on the host? | 21:34 |
kata-irc-bot | <gabrielle.n.beyer> [g@podman2 ~]$ sudo ls -lht /var/lib/containers/storage/overlay/06429d218f6236a6c0f18a08445ba2052e1c6cfd66a4d41d237ced03f214e40e/diff/root total 4.0K -rw-r--r-- 1 root root 11 Apr 1 21:27 testfile | 21:35 |
*** eernst has joined #kata-dev | 22:14 | |
*** eernst has quit IRC | 22:18 | |
*** devimc has quit IRC | 22:48 | |
*** sameo has quit IRC | 22:48 | |
*** fuentess has quit IRC | 23:05 | |
kata-irc-bot | <gmmaharaj> Was using the automatic scripts.. didn't choose the repository by hand. | 23:26 |
kata-irc-bot | <gmmaharaj> Not sure why it was failing.. | 23:26 |
kata-irc-bot | <gmmaharaj> Should I try again @jose.carlos.venegas.m? | 23:26 |
kata-irc-bot | <gmmaharaj> Sorry was in a day long meeting.. hence no earlier reply.. | 23:26 |
*** auk has joined #kata-dev | 23:30 | |
*** auk has quit IRC | 23:52 | |
*** kata-irc-bot has quit IRC | 23:53 | |
*** kata-irc-bot has joined #kata-dev | 23:54 |
Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!