
control-service: Container read-only file system#1291

Merged
gabrielgeorgiev1 merged 40 commits into main from person/gageorgiev/ephemeral-storage
Nov 16, 2022

Conversation

@gabrielgeorgiev1
Contributor

@gabrielgeorgiev1 gabrielgeorgiev1 commented Nov 3, 2022

To reduce the attack surface of jobs containers, jobs
should run with the root file system set to read-only.
However, this means that job pods cannot write to the
file system, so we need to create an ephemeral file
system that jobs can use instead.

The test job contains one step with the following code:

```python
import logging
import time

from vdk.api.job_input import IJobInput

log = logging.getLogger(__name__)


def run(job_input: IJobInput):
    log.info("Testing we can still write to the ephemeral filesystem.")

    # Relative path: resolves inside the job's working directory, which is
    # backed by the writable ephemeral volume.
    with open("test-file.txt", 'w') as f:
        f.write("Testing sentence.")

    with open("test-file.txt", 'r') as f:
        if str(f.read()) != 'Testing sentence.':
            raise Exception("File write was unsuccessful.")

    log.info("Testing we cannot write to the root filesystem.")

    # Absolute path on the container root: the open() must fail (EROFS)
    # when the root file system is mounted read-only.
    try:
        with open("/test-file.txt", 'w') as f:
            f.write("Testing sentence.")
    except OSError:
        log.info("Root filesystem is read-only, as it should.")
    else:
        raise Exception("Root filesystem is not read-only")
```

Testing done: integration test

Signed-off-by: Gabriel Georgiev <gageorgiev@vmware.com>
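Added example, not code from this PR or the versatile-data-kit project: a small pre-deploy check that a pod spec applies the pattern the description above relies on, a read-only root file system plus a writable emptyDir that the job's working directory sits in. The sample spec, its volume name and mount path are constructed assumptions, not the project's actual values.

```python
# Added example (not the PR's own code): verify a pod spec applies
# readOnlyRootFilesystem plus a writable emptyDir for job scratch files.
# SAMPLE_POD_SPEC is constructed; names and paths are assumptions.
SAMPLE_POD_SPEC = {
    "volumes": [{"name": "ephemeral-storage", "emptyDir": {}}],
    "containers": [
        {
            "name": "data-job",
            "image": "example/job:latest",
            "securityContext": {"readOnlyRootFilesystem": True},
            "volumeMounts": [{"name": "ephemeral-storage", "mountPath": "/job"}],
            "workingDir": "/job",
        }
    ],
}


def check_container(container, volumes):
    """Return findings for one container (empty list means it passes)."""
    name = container.get("name", "<unnamed>")
    findings = []
    sc = container.get("securityContext") or {}
    if sc.get("readOnlyRootFilesystem") is not True:
        findings.append(f"{name}: readOnlyRootFilesystem is not true")
    emptydir_names = {v["name"] for v in volumes if "emptyDir" in v}
    writable = [
        m for m in container.get("volumeMounts", [])
        if m["name"] in emptydir_names and not m.get("readOnly", False)
    ]
    if not writable:
        findings.append(f"{name}: no writable emptyDir mount for scratch files")
        return findings
    # The test job opens "test-file.txt" by relative path, so the working
    # directory must sit inside a writable mount or the write still fails.
    wd = container.get("workingDir")
    if wd is None or not any(wd.startswith(m["mountPath"]) for m in writable):
        findings.append(f"{name}: workingDir is not inside a writable emptyDir mount")
    return findings


def check_pod_spec(spec):
    """Collect findings for every container in a pod spec."""
    volumes = spec.get("volumes", [])
    findings = []
    for container in spec.get("containers", []):
        findings.extend(check_container(container, volumes))
    return findings


if __name__ == "__main__":
    print("\n".join(check_pod_spec(SAMPLE_POD_SPEC)) or "pod spec passes")
```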

To reduce the attack surface of jobs containers, jobs
should run with the root file system set to read-only.
However, this means that job pods cannot write to the
file system, so we need to create an ephemeral file
system that jobs can use instead.

Testing done: TBD

Signed-off-by: Gabriel Georgiev <gageorgiev@vmware.com>
gabrielgeorgiev1 and others added 6 commits November 10, 2022 15:47
Signed-off-by: Gabriel Georgiev <gageorgiev@vmware.com>
Signed-off-by: Gabriel Georgiev <gageorgiev@vmware.com>
Signed-off-by: Gabriel Georgiev <gageorgiev@vmware.com>
…re/versatile-data-kit into person/gageorgiev/ephemeral-storage

Signed-off-by: Gabriel Georgiev <gageorgiev@vmware.com>
Signed-off-by: Gabriel Georgiev <gageorgiev@vmware.com>
@antoniivanov
Contributor

This is setting root file system for the builder jobs. And it looks ok.

What happens for the data jobs themselves? Are you planning to do it? It makes sense to me to be a separate PR, but I just wondered because initially it seems we are changing the data job.
You need to fix the title if this PR is to be for builder jobs.

@mivanov1988 mivanov1988 self-requested a review November 11, 2022 10:18
gabrielgeorgiev1 and others added 7 commits November 14, 2022 11:21
Signed-off-by: Gabriel Georgiev <gageorgiev@vmware.com>
Signed-off-by: Gabriel Georgiev <gageorgiev@vmware.com>
Signed-off-by: Gabriel Georgiev <gageorgiev@vmware.com>
…re/versatile-data-kit into person/gageorgiev/ephemeral-storage
Signed-off-by: Gabriel Georgiev <gageorgiev@vmware.com>
Signed-off-by: Gabriel Georgiev <gageorgiev@vmware.com>
…re/versatile-data-kit into person/gageorgiev/ephemeral-storage
@mivanov1988 mivanov1988 marked this pull request as ready for review November 14, 2022 15:30
Signed-off-by: Gabriel Georgiev <gageorgiev@vmware.com>
gabrielgeorgiev1 and others added 3 commits November 15, 2022 10:26
Signed-off-by: Gabriel Georgiev <gageorgiev@vmware.com>
…re/versatile-data-kit into person/gageorgiev/ephemeral-storage
github-actions and others added 7 commits November 15, 2022 09:47
Signed-off-by: Gabriel Georgiev <gageorgiev@vmware.com>
…re/versatile-data-kit into person/gageorgiev/ephemeral-storage

Signed-off-by: Gabriel Georgiev <gageorgiev@vmware.com>
Signed-off-by: Gabriel Georgiev <gageorgiev@vmware.com>
Signed-off-by: Gabriel Georgiev <gageorgiev@vmware.com>
…re/versatile-data-kit into person/gageorgiev/ephemeral-storage
@mivanov1988
Contributor

Probably you are going to expose this option through the Helm chart in a separate PR, right?

Signed-off-by: Gabriel Georgiev <gageorgiev@vmware.com>
@gabrielgeorgiev1
Contributor Author

> Probably you are going to expose this option through the Helm chart in a separate PR, right?

I don't follow. My understanding was that this will be configured through values.yml.

Signed-off-by: Gabriel Georgiev <gageorgiev@vmware.com>
@mivanov1988
Contributor

> > Probably you are going to expose this option through the Helm chart in a separate PR, right?
>
> I don't follow. My understanding was that this will be configured through values.yml.

Yes, but now it is not possible, since this property is not exposed yet, right?

gabrielgeorgiev1 and others added 4 commits November 15, 2022 19:06
Signed-off-by: Gabriel Georgiev <gageorgiev@vmware.com>
…re/versatile-data-kit into person/gageorgiev/ephemeral-storage
@gabrielgeorgiev1 gabrielgeorgiev1 merged commit fbc9b02 into main Nov 16, 2022
@gabrielgeorgiev1 gabrielgeorgiev1 deleted the person/gageorgiev/ephemeral-storage branch November 16, 2022 10:30