-
Notifications
You must be signed in to change notification settings - Fork 38.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ensure etc-host file permission is 644 whatever umask is #113209
Conversation
|
Welcome @luozhiwenn! |
Hi @luozhiwenn. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/ok-to-test |
Is there a reason to add this specific chmod vs say, altering umask in the process? What's the use case where we'd want to have a custom umask only for some of kubelet's files? |
Hi, is the following change what you refer to func ensureHostsFile(fileName string, hostIPs []string, hostName, hostDomainName string, hostAliases []v1.HostAlias, useHostNetwork bool) error {
// ...
oldMask, _ := util.Umask(0)
err = ioutil.WriteFile(fileName, hostsFileContent, 0644)
util.Umask(oldMask)
return err
} There is a concurrency problem in
This concurrency problem causes the umask of the kubelet to be modified, therefore, I prefer to explicitly correct permissions with chmod rather than adding lock in this process. Inspired by
|
No I am referring to syscall.Umask early in the process and leaving it altered. Instead of scoped only to writing this particular file. |
Or alternately: What is the use case to not permanently alter the umask of kubelet early in the process? What use case requires a umask for kubelet that does not require it here? If we're going to intentionally ignore umask for this file, why not for the whole kubelet process? |
Apologies for the delayed response.
|
/priority important-longterm |
@luozhiwenn as I understand it, the bug occurs only when there is no |
Forgot to comment: I unassigned because I'm not an approver here and someone who is needs to decide on the approach. |
I don't think that's an issue because we're relaxing permissions, not tightening them. This is unavoidable I think, unless maybe we write it to a temp location, chmod, then move it (like projected configmaps) |
/lgtm |
LGTM label has been added. Git tree hash: 8fbeee55acf3094a0c8b4a7b31b8affb55967c74
|
/assign @derekwaynecarr @dchen1107 @mrunalp |
The Kubernetes project currently lacks enough contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
/remove-lifecycle stale |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: luozhiwenn, mrunalp The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
I think maybe this warrants a release note? It's a behavior change. |
release note: "kubelet will ensure |
In case we're updating the release notes, which you can do by editing the PR body: Comment |
done /hold cancel |
What type of PR is this?
/kind bug
What this PR does / why we need it:
ensure etc-host file permission is 644 whatever umask of kubelet is
Which issue(s) this PR fixes:
Fixes #96342, #80668
Special notes for your reviewer:
When the umask of kubelet is not
000
, the permission on the etc-hosts files created by kubelet is unexpected, which causes non-root applications to be unable to access these files.Explicitly modify the files permissions to ensure that the files permissions meet the expected
644
.Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: