Page MenuHomePhabricator
Create Task
Maniphest T316706

Run user-submitted code under gVisor
Open, LowPublic
Actions

Description

Wikifunctions relies on containers as the sole sandboxing mechanism for executing user-controlled code. This is unwise, because code running in containers still has access to the host kernel via syscalls, and can escape the container by exploiting vulnerabilities in the Linux kernel. gVisor provides an additional layer of protection by intercepting and monitoring all system calls made by the application in user space.

TODO:

  • Configure Beta Cluster instance of function-evaluator to run under GVisor.
  • Configure production instance of function-evaluator to run under GVisor.

Details

SubjectRepoBranchLines +/-
service::docker: allow runtime to be specifiedoperations/puppetproduction+4 -1
add profile::docker::gvisoroperations/puppetproduction+26 -0
[WIP] Install gVisor on our test and run imagesmediawiki/services/function-evaluatormaster+4 -3
Customize query in gerrit

Related Objects
Search...

Event Timeline

ori created this task.Aug 30 2022, 7:34 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 30 2022, 7:34 PM
ori added a project: Abstract Wikipedia team.Aug 30 2022, 7:35 PM
ori removed a subscriber: Abstract Wikipedia team.
Joe awarded a token.Sep 2 2022, 5:15 AM
Joe subscribed.
DVrandecic moved this task from To triage to Phase θ – Throttling on the Abstract Wikipedia team board.Sep 6 2022, 6:36 PM
DVrandecic edited projects, added Abstract Wikipedia team (Phase θ – Throttling); removed Abstract Wikipedia team.
Joe changed the status of subtask T316879: Make gVisor packages available via apt.wikimedia.org from Open to In Progress.Oct 6 2022, 2:10 PM
Joe closed subtask T316879: Make gVisor packages available via apt.wikimedia.org as Resolved.Oct 6 2022, 2:52 PM
Jdforrester-WMF added a project: function-evaluator.Oct 6 2022, 3:53 PM
gerritbot added a comment.Oct 6 2022, 4:05 PM

Change 839632 had a related patch set uploaded (by Jforrester; author: Jforrester):

[mediawiki/services/function-evaluator@master] [WIP] Install gVisor on our test and run images

https://gerrit.wikimedia.org/r/839632

gerritbot added a project: Patch-For-Review.Oct 6 2022, 4:05 PM
gerritbot added a comment.Oct 11 2022, 6:29 PM

Change 841574 had a related patch set uploaded (by Ori; author: Ori):

[operations/puppet@production] service::docker: allow runtime to be specified

https://gerrit.wikimedia.org/r/841574

gerritbot added a comment.Oct 11 2022, 6:29 PM

Change 841575 had a related patch set uploaded (by Ori; author: Ori):

[operations/puppet@production] add profile::docker::gvisor

https://gerrit.wikimedia.org/r/841575

ori added a comment.Oct 12 2022, 2:23 PM

I've cherry-picked the two Puppet patches on the beta cluster. The mediawiki-function-evaluator service is now running under gVisor.

gerritbot added a comment.Oct 12 2022, 4:22 PM

Change 839632 abandoned by Jforrester:

[mediawiki/services/function-evaluator@master] [WIP] Install gVisor on our test and run images

Reason:

https://gerrit.wikimedia.org/r/839632

gerritbot added a comment.Oct 18 2022, 9:44 AM

Change 841575 merged by Giuseppe Lavagetto:

[operations/puppet@production] add profile::docker::gvisor

https://gerrit.wikimedia.org/r/841575

gerritbot added a comment.Oct 18 2022, 9:44 AM

Change 841574 merged by Giuseppe Lavagetto:

[operations/puppet@production] service::docker: allow runtime to be specified

https://gerrit.wikimedia.org/r/841574

Maintenance_bot removed a project: Patch-For-Review.Oct 18 2022, 10:31 AM
ori updated the task description. (Show Details)Oct 18 2022, 3:58 PM
ori added a subscriber: Jdforrester-WMF.Oct 18 2022, 4:05 PM

@Jdforrester-WMF : the Beta Cluster instance of the function-evaluator now runs under GVisor. Some additional work will be required to make the production instance of the function-evaluator run under GVisor. There is documentation here: https://gvisor.dev/docs/user_guide/quick_start/kubernetes/.

Jdforrester-WMF moved this task from Incoming to Ready: G2. Correct & efficient on the Abstract Wikipedia team (Phase θ – Throttling) board.Nov 21 2022, 8:28 PM
akosiaris mentioned this in T326785: Kubernetes Wikifunctions security and control measures.Jan 12 2023, 9:40 AM
Jdforrester-WMF added a parent task: T326785: Kubernetes Wikifunctions security and control measures.Jan 26 2023, 5:39 PM
cmassaro claimed this task.Mar 6 2023, 7:50 PM
cmassaro removed cmassaro as the assignee of this task.May 18 2023, 3:23 PM
cmassaro subscribed.

Unassigning myself for now; it's not clear what there is to do on our end since we won't control the production environment.

Jdforrester-WMF moved this task from Phase θ – Throttling to Phase λ – Launch on the Abstract Wikipedia team board.Jun 16 2023, 9:04 AM
Jdforrester-WMF edited projects, added Abstract Wikipedia team (Phase λ – Launch); removed Abstract Wikipedia team (Phase θ – Throttling).
Jdforrester-WMF moved this task from Incoming to Production tasks on the Abstract Wikipedia team (Phase λ – Launch) board.Jun 16 2023, 9:39 AM
Jdforrester-WMF removed a parent task: T326785: Kubernetes Wikifunctions security and control measures.Jul 11 2023, 3:51 PM
Jdforrester-WMF edited projects, added Abstract Wikipedia team; removed Abstract Wikipedia team (Phase λ – Launch).
Jdforrester-WMF moved this task from To triage to To triage: After launch on the Abstract Wikipedia team board.
Jdforrester-WMF triaged this task as Low priority.Oct 5 2023, 4:53 PM
Jdforrester-WMF moved this task from To triage: After launch to Backlog on the Abstract Wikipedia team board.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL