Skip to content

Isolated layerextract #1399

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
helsaawy wants to merge 5 commits into
base: main
Choose a base branch
from
Draft

Isolated layerextract #1399

helsaawy wants to merge 5 commits into from

Conversation

@helsaawy
Copy link
Contributor

@helsaawy helsaawy commented May 16, 2022

Adding a new binary (cmd/differ) that functions as a binary stream processor for containerd differ plugins.
The command can extract tars and run both tar2ext4 or wclayer.extract for LCOW and WCOW images, respectively.

@helsaawy helsaawy force-pushed the he/layerextract branch 4 times, most recently from 18f5ba7 to 25aa0aa Compare May 18, 2022 17:55
@jterry75
Copy link
Contributor

jterry75 commented May 18, 2022

Oh shoot. Whats the plan for this in containerd integrations? Interesting hack to add the re-exec on the differ itself.

@helsaawy
Copy link
Contributor Author

helsaawy commented May 19, 2022

Oh shoot. Whats the plan for this in containerd integrations? Interesting hack to add the re-exec on the differ itself.

I didnt know of another way to reduce privileges and isolate the extraction/conversion.
containerd integration is here: kevpar/containerd#47. I am not sure how much upstream will be interested in it.

@jterry75 jterry75 mentioned this pull request May 19, 2022
Closed
@jterry75
Copy link
Contributor

jterry75 commented May 19, 2022

Just linked the containerd thread on this for ya. We for sure want this in upstream

@helsaawy
Stream processor for image layer unpack
a9a00a0 
Created binary stream processors to extract tar layers and then convert
to a VHD for LCOW or WCOW (via tar2ext4.Convert or
ociwclayer.ImportLayerFromTar, respectively).

Currently, binary re-execs itself using a restricted token with limited
privileges and reduced access.

Signed-off-by: Hamza El-Saawy <hamzaelsaawy@microsoft.com>
@helsaawy helsaawy force-pushed the he/layerextract branch 2 times, most recently from 072eacd to f2e2b95 Compare May 20, 2022 22:56
helsaawy added 3 commits May 22, 2022 18:07
@helsaawy
adding LPAC isolation
afb444b 
Signed-off-by: Hamza El-Saawy <hamzaelsaawy@microsoft.com>
@helsaawy
got LPAC partiall working - need privileges
8de5a4a 
Signed-off-by: Hamza El-Saawy <hamzaelsaawy@microsoft.com>
@helsaawy
attempting to inherit token
c3550ff 
Signed-off-by: Hamza El-Saawy <hamzaelsaawy@microsoft.com>
@helsaawy
spliting out AC and privliges
e875fe4 
restricted SIDs on restricted token now work

Signed-off-by: Hamza El-Saawy <hamzaelsaawy@microsoft.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@helsaawy @jterry75