-
Notifications
You must be signed in to change notification settings - Fork 181
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Reuse the same rootfs for the inner and outer container #1048
Comments
Remove the need to copy the Dangerzone container image (used by the inner container) within a wrapper gVisor image (used by the outer container). Instead, use the root of the container filesystem for both containers. We can do this safely because we don't mount any secrets to the container, and because gVisor offers a read-only view of the underlying filesystem Fixes #1048
There's no reason why this wouldn't work in general. The risks are those that you highlighted: the sandbox exposes more files than it previously did, but if you trust gVisor to do its job then that should not be an issue. There is one additional important risk from exposure of the Unix Domain Socket that is used to control a running sandbox. gVisor stores per-sandbox UDSs inside the OCI root directory (passed to as To prevent this, gVisor has a In my opinion, sticking with the two-stage structure would be safer just on the basis of making fewer security assumptions. It may be possible to avoid the double-overhead of the Debian image by sharing the large-but-static subtrees of it. Deleting |
Truth is, I originally tried the symlink approach, but I did it the other way around, i.e., Also, good to know about the UDS and other potentially sensitive files that gVisor may create. I had a concern like that in mind, and turns out we already use dangerzone/dangerzone/gvisor_wrapper/entrypoint.py Lines 140 to 144 in 7f41811
dangerzone/dangerzone/gvisor_wrapper/entrypoint.py Lines 87 to 92 in 7f41811
What bothers me is that if an assumption of ours change, e.g., Docker decides to mount a sensitive file somewhere, then we may not detect it. I'll think more about this and report back. |
Right, it won't work in that direction because they would appear as symlinks that lead nowhere when trying to resolve them with the view of the filesystem that the inner container has. gVisor doesn't resolve these symlinks on the host when the sandbox attempts to read them (nor could it anyway, because it isolates its own view of the out-of-sandbox filesystem such that it can no longer access files outside of the rootfs directory and explicitly-configured mountpoints).
Should work. |
Remove the need to copy the Dangerzone container image (used by the inner container) within a wrapper gVisor image (used by the outer container). Instead, use the root of the container filesystem for both containers. We can do this safely because we don't mount any secrets to the container, and because gVisor offers a read-only view of the underlying filesystem Fixes #1048
Remove the need to copy the Dangerzone container image (used by the inner container) within a wrapper gVisor image (used by the outer container). Instead, use the root of the container filesystem for both containers. We can do this safely because we don't mount any secrets to the container, and because gVisor offers a read-only view of the underlying filesystem Fixes #1048
Mask some paths of the outer container in the OCI config of the inner container. This is done to avoid leaking any sensitive information from Podman / Docker / gVisor, since we reuse the same rootfs Refs #1048
Mask some paths of the outer container in the OCI config of the inner container. This is done to avoid leaking any sensitive information from Podman / Docker / gVisor, since we reuse the same rootfs Refs #1048
Mask some paths of the outer container in the OCI config of the inner container. This is done to avoid leaking any sensitive information from Podman / Docker / gVisor, since we reuse the same rootfs Refs #1048
Etienne's assumption that only Since it's just two dirs, and we can mask all the rest, well, I did just that. I went ahead and created a mount entry in our OCI config file for every root dir that is listed in the Filesystem Hierarchy Standard (FHS), except for:
See 005d742 (unmerged commit, hash may change) for details. I think I prefer that approach over the symlinks one for simplicity reasons. I'm aware it relies on gVisor properly implementing masking, and respecting container boundaries, but that's something we just have to rely on at the end of the day (and a separate container probably wouldn't help there). |
I also gave a shot at the symlinks route. It may be that my Linux fu is rusty, but I found that symlinking Anyways, check out 414efb6. Defense in depth -wise, it's better to go with the symlinks approach, but I can't attest to the maintainability of this option. Note that the way I've managed to make it work does not add any size overhead, so both approaches create a small-ish image tarball (~445 MiB) |
Mask some paths of the outer container in the OCI config of the inner container. This is done to avoid leaking any sensitive information from Podman / Docker / gVisor, since we reuse the same rootfs Refs #1048
Mask some paths of the outer container in the OCI config of the inner container. This is done to avoid leaking any sensitive information from Podman / Docker / gVisor, since we reuse the same rootfs Refs #1048
Update our Dockerfile and entrypoint script in order to reuse the /usr dir in the inner and outer container image. Refs #1048
When building the Dangerzone container image, we use multi-stage builds, where we create the inner container first, and then copy it to the outer container, under
/home/dangerzone/dangerzone-image/rootfs
:dangerzone/Dockerfile
Line 94 in 1298e9c
This was the most clean way to use nested containers, and was implemented during #590. Now that we plan to use Debian Stable for the base image of Dangerzone (see #1046), it would be nice to merge these two container images into one, to avoid the double overhead of the Debian container image.
I have experimented with a way we can achieve this, and the following seem to work:
/home/dangerzone/dangerzone-image/
dir, and write instead the OCI config to/config.json
, i.e., at the root of the container image./
) as the image bundle, instead of/home/dangerzone/dangerzone-image/rootfs
.These changes are reflected in the following diff:
My question is, do we risk something security-wise by doing this? Note that we instruct GVisor to treat the root filesystem as read-only (not that GVisor would write to these files in any case). Also, we mask sensitive system dirs (
/proc
,/tmp
,/dev
,sys
,/home/dangerzone
). There are some extra files that are mounted to the outer container on/etc/
and/run
that we can mask, although they don't seem to give any sensitive info:Overall, I'm inclined to go forward with this, but I'd like a second set of 👀 to validate my assumptions.
CCing @EtiennePerot for obvious reasons.
The text was updated successfully, but these errors were encountered: