Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Mount static kmod as /sbin/modprobe #4007

Merged
merged 3 commits into from
May 30, 2024
Merged

Mount static kmod as /sbin/modprobe #4007

merged 3 commits into from
May 30, 2024

Conversation

vigh-m
Copy link
Contributor

@vigh-m vigh-m commented May 30, 2024

Issue number:

Closes #3968

Description of changes:
This change mounts the static kmod built in #3981 into a customer container.

Testing done:
Tested on the host-ctr:

[ssm-user@control]$ enter-admin-container
Confirming admin container is enabled...
Waiting for admin container to start........
Entering admin container
          Welcome to Bottlerocket's admin container!
    ╱╲
   ╱┄┄╲   This container provides access to the Bottlerocket host
   │▗▖│   filesystems (see /.bottlerocket/rootfs) and contains common
  ╱│  │╲  tools for inspection and troubleshooting.  It is based on
  │╰╮╭╯│  Amazon Linux 2, and most things are in the same places you
    ╹╹    would find them on an AL2 host.

To permit more intrusive troubleshooting, including actions that mutate the
running state of the Bottlerocket host, we provide a tool called "sheltie"
(`sudo sheltie`).  When run, this tool drops you into a root shell in the
Bottlerocket host's root filesystem.
[root@admin]# ldd /usr/sbin/modprobe
  not a dynamic executable

Tested on a kubernetes container:

root@my-pod:/# ldd /usr/sbin/modprobe
  not a dynamic executable
root@my-pod:/# ldd /sbin/modprobe
  not a dynamic executable
root@my-pod:/# ldd /usr/bin/kmod
ldd: /usr/bin/kmod: No such file or directory

Pod Spec used:

apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  containers:
  - name: my-container
    image: ubuntu:noble
    command: ["/bin/sh", "-c", "while true; do echo 'Running...'; sleep 5; done"]
    securityContext:
      capabilities:
        add: ["SYS_MODULE"]
    volumeMounts:
    - name: kernel-modules
      mountPath: /lib/modules/
      readOnly: true
  volumes:
  - name: kernel-modules
    hostPath:
      path: /lib/modules/

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

@bcressey
Copy link
Contributor

bcressey commented May 30, 2024
edited
Loading

Code changes LGTM, though I would split them into one for host-ctr and one for containerd.

Does it work for Cilium? For the example pod spec, can you load a module via modprobe?

@yeazelm
Copy link
Contributor

yeazelm commented May 30, 2024

The code looks good, it would be awesome to include a before and after on that pod test to show the change, even better showing it loading a module after the fix to prove this fixes the issue.

@vigh-m
Copy link
Contributor Author

vigh-m commented May 30, 2024

Yeah. It loads the modules like expected.

root@my-pod:/# ln -s /usr/sbin/modprobe /usr/bin/lsmod
root@my-pod:/# lsmod | grep tables
nf_tables             307200  0
nfnetlink              20480  2 nf_conntrack_netlink,nf_tables
root@my-pod:/# modprobe -r nf_tables
root@my-pod:/# lsmod | grep tables
root@my-pod:/# modprobe nf_tables
root@my-pod:/# lsmod | grep tables
nf_tables             307200  0
nfnetlink              20480  2 nf_conntrack_netlink,nf_tables

I had validated but didn't add it to the initial notes

@vigh-m
Copy link
Contributor Author

vigh-m commented May 30, 2024

Validated via SHA512 that it's the same modprobe

  • On admin container
[root@admin]# sha512sum /usr/bin/kmod
b2f5451a89fc2e21a971b23086380ea3c8916b5ad753c31812b4419992e6f63687da3b35723ec1d1545039c4e946e54a01ff2555420966bcceda6bb8d0569404  /usr/bin/kmod
  • On rootfs
[root@admin]# sha512sum /.bottlerocket/rootfs/bin/kmod
b2f5451a89fc2e21a971b23086380ea3c8916b5ad753c31812b4419992e6f63687da3b35723ec1d1545039c4e946e54a01ff2555420966bcceda6bb8d0569404  /.bottlerocket/rootfs/bin/kmod
  • On container
root@my-pod:/# sha512sum /usr/sbin/modprobe
b2f5451a89fc2e21a971b23086380ea3c8916b5ad753c31812b4419992e6f63687da3b35723ec1d1545039c4e946e54a01ff2555420966bcceda6bb8d0569404  /usr/sbin/modprobe

@arnaldo2792
Copy link
Contributor

For the validation, you could just have checked that the modprobe binary is coming from the host via /proc/self/mountinfo.

arnaldo2792
arnaldo2792 reviewed May 30, 2024
View reviewed changes
sources/host-ctr/cmd/host-ctr/main.go Outdated Show resolved Hide resolved
packages/containerd/containerd-cri-base-json
@@ -102,6 +102,15 @@ oci-defaults = { version = "v1", helpers = ["oci_defaults"] }
"mode=755",
"size=65536k"
]
},
{
"destination": "/sbin/modprobe",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One risk of this implementation is that if PATH is /usr/bin:/sbin, the modprobe binary in the container will be used instead of the injected modprobe. I guess that's a calculated risk to take, since we can't inject modprobe in every single path in PATH. Probably something to follow up for a later release is checking PATH and inject modprobe to the first path in that list.

bcressey
bcressey approved these changes May 30, 2024
View reviewed changes
Copy link
Contributor

@bcressey bcressey left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be good to validate that Cilium specifically works as expected with this change, in case there are more paths we need to bind to.

@vigh-m vigh-m force-pushed the mount-modprobe branch 2 times, most recently from bd4debd to 54d8e27 Compare May 30, 2024 17:16
@vigh-m vigh-m requested review from bcressey and yeazelm May 30, 2024 17:16
@vigh-m
Copy link
Contributor Author

vigh-m commented May 30, 2024

New changes include:

  • Updates to docker to inject kmod by default
  • Fix based on comments
  • Typo fixes

@vigh-m @arnaldo2792
docker-engine: inject kmod in all containers
e718060 
Co-authored-by: Arnaldo Garcia Rincon <agarrcia@amazon.com>
@vigh-m
Copy link
Contributor Author

vigh-m commented May 30, 2024

Fixing typo in the commit message

@vigh-m
Copy link
Contributor Author

vigh-m commented May 30, 2024

Validated by running the cilium/cilium:v1.15.5 image from DockerHub:

Locally launched container:

$ docker run -it --rm cilium/cilium:v1.15.5 sh
# ldd /usr/sbin/modprobe
	linux-vdso.so.1 (0x00007fffc838c000)
	libzstd.so.1 => /lib/x86_64-linux-gnu/libzstd.so.1 (0x00007f6632d16000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f6632ceb000)
	libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f66328a7000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f663267e000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f6632e14000)
# ls -la /usr/sbin/modprobe
lrwxrwxrwx. 1 root root 9 Aug 17  2021 /usr/sbin/modprobe -> /bin/kmod
# cat /proc/self/mountinfo  | grep kmod
#

VS container launched on bottlerocket

$ kubectl exec -it my-pod -- bash
root@my-pod:/home/cilium#
root@my-pod:/home/cilium# ldd /usr/sbin/modprobe
	not a dynamic executable
root@my-pod:/home/cilium# ls -la /usr/sbin/modprobe
lrwxrwxrwx. 1 root root 9 Aug 17  2021 /usr/sbin/modprobe -> /bin/kmod
root@my-pod:/home/cilium# ldd /bin/kmod
	not a dynamic executable
root@my-pod:/home/cilium# cat /proc/self/mountinfo | grep kmod
1281 1275 252:0 /x86_64-bottlerocket-linux-gnu/sys-root/usr/bin/kmod /usr/bin/kmod ro,relatime master:1 - ext4 /dev/root ro,seclabel,stripe=1024

I'm able to load and unload modules

root@my-pod:/home/cilium# lsmod | grep tables
nf_tables             307200  0
nfnetlink              20480  2 nf_conntrack_netlink,nf_tables
root@my-pod:/home/cilium# modprobe -r nf_tables
root@my-pod:/home/cilium# lsmod | grep tables
root@my-pod:/home/cilium# modprobe nf_tables
root@my-pod:/home/cilium# lsmod | grep tables
nf_tables             307200  0
nfnetlink              20480  2 nf_conntrack_netlink,nf_tables

@vigh-m vigh-m merged commit 70c60c6 into bottlerocket-os:develop May 30, 2024
34 checks passed
@vigh-m vigh-m deleted the mount-modprobe branch May 30, 2024 21:17
@larvacea larvacea mentioned this pull request May 30, 2024
Merged
@yeazelm yeazelm mentioned this pull request Jun 3, 2024
Closed
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yeazelm yeazelm yeazelm approved these changes

@arnaldo2792 arnaldo2792 arnaldo2792 approved these changes

@bcressey bcressey bcressey approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Changes to kernel module compression can break certain workflows
4 participants
@vigh-m @bcressey @yeazelm @arnaldo2792