
Add webservice flag to mount project directory read-only
Closed, Declined; Public

Description

Many tools don’t need write access to their project / tool home directory: they only read source code and maybe configuration files from there. I think a webservice flag to add readOnly: true to the home volume mount would be useful to reduce the potential damage if a tool has a vulnerability that allows code execution on the server.

The flag should be available both on the command line and in service.template.

(I’m mainly interested in Kubernetes tools here; I have no idea if this would be possible on the Grid.)

Event Timeline

Most of the volume mounts are already read-only:

tools.lexeme-forms@tools-sgebastion-07:~/www/python/src$ kubectl get pod -l name=lexeme-forms -ojson | jq '.items[0].spec.containers[0].volumeMounts | .[]'
{
  "mountPath": "/public/dumps",
  "name": "dumps",
  "readOnly": true
}
{
  "mountPath": "/mnt/nfs/dumps-labstore1007.wikimedia.org",
  "name": "dumpsrc1",
  "readOnly": true
}
{
  "mountPath": "/mnt/nfs/dumps-labstore1006.wikimedia.org",
  "name": "dumpsrc2",
  "readOnly": true
}
{
  "mountPath": "/data/project",
  "name": "home"
}
{
  "mountPath": "/etc/wmcs-project",
  "name": "wmcs-project",
  "readOnly": true
}
{
  "mountPath": "/data/scratch",
  "name": "scratch"
}
{
  "mountPath": "/etc/ldap.conf",
  "name": "etcldap-conf",
  "readOnly": true
}
{
  "mountPath": "/etc/ldap.yaml",
  "name": "etcldap-yaml",
  "readOnly": true
}
{
  "mountPath": "/etc/novaobserver.yaml",
  "name": "etcnovaobserver-yaml",
  "readOnly": true
}
{
  "mountPath": "/var/lib/sss/pipes",
  "name": "sssd-pipes"
}
{
  "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount",
  "name": "default-token-xztsc",
  "readOnly": true
}

I haven’t been able to figure out where those mounts are configured; they’re not in the webservice source code, as far as I can tell.
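An added example (not part of the task discussion or of the webservice code): it lists the mounts that lack readOnly: true in `kubectl get pod -o json` output and shows the effect of setting the field on the home mount, as the description proposes. The sample pod, its pod and container names, and both function names are constructed for illustration.

```python
import copy
import json

# Constructed sample in the shape of `kubectl get pod -o json`, reduced to four
# of the mounts from the listing above; pod and container names are made up.
SAMPLE = json.loads("""
{"items": [{"metadata": {"name": "example-pod"},
  "spec": {"containers": [{"name": "webservice", "volumeMounts": [
    {"mountPath": "/public/dumps", "name": "dumps", "readOnly": true},
    {"mountPath": "/data/project", "name": "home"},
    {"mountPath": "/data/scratch", "name": "scratch"},
    {"mountPath": "/etc/ldap.conf", "name": "etcldap-conf", "readOnly": true}
  ]}]}}]}
""")


def writable_mounts(pod_list):
    """Return (pod, container, volume, mountPath) for every writable mount.
    A missing readOnly field means false, so the mount is writable. Only the
    mount-level field is checked, not read-only flags on the volume source."""
    found = []
    for pod in pod_list.get("items", []):
        spec = pod.get("spec", {})
        containers = spec.get("initContainers", []) + spec.get("containers", [])
        for container in containers:
            for mount in container.get("volumeMounts", []):
                if mount.get("readOnly") is not True:
                    found.append((pod["metadata"]["name"], container["name"],
                                  mount["name"], mount["mountPath"]))
    return found


def with_read_only(pod_list, volume_name="home"):
    """Return a copy with readOnly: true set on every mount of volume_name,
    i.e. the pod spec change the task description asks for."""
    patched = copy.deepcopy(pod_list)
    for pod in patched.get("items", []):
        spec = pod.get("spec", {})
        for container in spec.get("initContainers", []) + spec.get("containers", []):
            for mount in container.get("volumeMounts", []):
                if mount["name"] == volume_name:
                    mount["readOnly"] = True
    return patched


if __name__ == "__main__":
    print("before:", writable_mounts(SAMPLE))
    print("after: ", writable_mounts(with_read_only(SAMPLE)))
```
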

> I haven’t been able to figure out where those mounts are configured; they’re not in the webservice source code, as far as I can tell.

They're created with the PodPreset object keyed to a toolforge: tool label, created in maintain-kubeusers. This may change at some point due to T279106: Establish replacement for PodPresets in Toolforge Kubernetes.

One potential issue is that we currently write all log files to the home directory, at least until we get around to implementing a proper logging solution (T127367: [toolforge,jobs-api,webservice,storage] Provide modern, non-NFS log solution for Toolforge webservices and bots).

Ohhhh. That’s true, I completely forgot about the logs.

…Might even make sense to close this task in that case?

Closing this in favour of T334081: [tbs] Define what NFS access to enable and how users will interact with it and its subtasks which will make it possible to run tools with no NFS mounts.