Page MenuHomePhabricator

Add webservice flag to mount project directory read-only
Open, Stalled, Needs TriagePublic

Description

Many tools don’t need write access to their project / tool home directory: they only read source code and maybe configuration files from there. I think a webservice flag to add readOnly: true to the home volume mount would be useful to reduce the potential damage if a tool has a vulnerability that allows code execution on the server.

The flag should be available both on the command line and in service.template.

(I’m mainly interested in Kubernetes tools here; I have no idea if this would be possible on the Grid.)

Event Timeline

Most of the volume mounts are already read-only:

tools.lexeme-forms@tools-sgebastion-07:~/www/python/src$ kubectl get pod -l name=lexeme-forms -ojson | jq '.items[0].spec.containers[0].volumeMounts | .[]'
{
  "mountPath": "/public/dumps",
  "name": "dumps",
  "readOnly": true
}
{
  "mountPath": "/mnt/nfs/dumps-labstore1007.wikimedia.org",
  "name": "dumpsrc1",
  "readOnly": true
}
{
  "mountPath": "/mnt/nfs/dumps-labstore1006.wikimedia.org",
  "name": "dumpsrc2",
  "readOnly": true
}
{
  "mountPath": "/data/project",
  "name": "home"
}
{
  "mountPath": "/etc/wmcs-project",
  "name": "wmcs-project",
  "readOnly": true
}
{
  "mountPath": "/data/scratch",
  "name": "scratch"
}
{
  "mountPath": "/etc/ldap.conf",
  "name": "etcldap-conf",
  "readOnly": true
}
{
  "mountPath": "/etc/ldap.yaml",
  "name": "etcldap-yaml",
  "readOnly": true
}
{
  "mountPath": "/etc/novaobserver.yaml",
  "name": "etcnovaobserver-yaml",
  "readOnly": true
}
{
  "mountPath": "/var/lib/sss/pipes",
  "name": "sssd-pipes"
}
{
  "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount",
  "name": "default-token-xztsc",
  "readOnly": true
}

I haven’t been able to figure out where those mounts are configured; they’re not in the webservice source code, as far as I can tell.

I haven’t been able to figure out where those mounts are configured; they’re not in the webservice source code, as far as I can tell.

They're created with the PodPreset object keyed to a toolforge: tool label, created in maintain-kubeusers. This may change at some point due to T279106: Establish replacement for PodPresets in Toolforge Kubernetes.

One potential issue is that we currently write all log files to the home directory, at least until we get around implementing a proper logging solution T127367: Provide modern, non-NFS error log solution for Toolforge webservices and bots.

Ohhhh. That’s true, I completely forgot about the logs.

…Might even make sense to close this task in that case?