
Fork buildkitd and disable the auth token cache that is currently shared between client connections
Closed, Resolved (Public)

Description

When buildkitd is asked by a client to push or pull from a registry, it asks the client in turn for registry credentials. The credential may be a passthrough token or a username/password pair that is used to acquire a token. Either way, the resulting token is then cached in memory (a Go map) by buildkitd's auth handler using only the scope (image ref and registry action, e.g. blubber:sometag,push) as the key, with no client-specific or session information. This means that registry credentials leak between client connections.

I've reported this to upstream.

I've run a test with two clients: client A has a ~/.docker/config.json set up with an auths section and a valid token for a given registry; client B has no ~/.docker/config.json at all. Client A builds an image and publishes it to the registry, having its auth token retrieved successfully and used by the resolver. Client B builds its own image and pushes it with the same image ref just seconds after client A. buildkitd uses the cached auth token from client A and successfully pushes the image from client B to the registry.

Upstream does not strictly consider this a security issue and has stated that for the moment we should assume all clients to be mutually trusting. (I'm not embargoing this discussion for that reason.) They do seem, however, open to features that would change this behavior.

For us and our current use case, this seems like a potential vector and needs to be patched before we depend at all on buildkitd from GitLab trusted runners.

As a first step, I'd like to:

  • fork buildkitd and maintain our own mirror repo in GitLab (https://gitlab.wikimedia.org/repos/releng/buildkit)
  • branch from upstream v0.10 (wmf/v0.10)
  • patch the image resolver (part of code responsible for pushing and pulling images) to key the auth tokens using the session group's IDs, isolating the cache to each session
  • build and publish the `buildkitd` image to the WMF registry from the fork (published as docker-registry.wikimedia.org/repos/releng/buildkit:wmf-v0.10-1)
  • edit buildkitd image ref in puppet and restart buildkitd service on gitlab-runner hosts
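To make the keying problem in the description concrete, and to show what the resolver patch in the list above changes, here is an added Go example. It is not buildkit's code and not the fork's patch: it models the shared, scope-only cache beside a cache keyed by session plus scope, and replays the two-client test from the description against each. The session IDs, token strings and credential sources are constructed stand-ins, and "session" here is a simplification of the session group ID the real patch keys on.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// scope is the registry action a token is minted for, in the form the task
// quotes ("blubber:sometag,push"). In the shared design it is the whole key.
type scope string

// tokenCache is the minimal interface the daemon-side resolver needs.
type tokenCache interface {
	get(session string, s scope) (string, bool)
	put(session string, s scope, token string)
}

// sharedTokenCache models the pre-fork behaviour: one map keyed by scope only
// and shared by every client connection, so the session argument is ignored.
type sharedTokenCache struct {
	mu     sync.Mutex
	tokens map[scope]string
}

func newSharedTokenCache() *sharedTokenCache {
	return &sharedTokenCache{tokens: map[scope]string{}}
}

func (c *sharedTokenCache) get(_ string, s scope) (string, bool) {
	c.mu.Lock()
	defer c.mu.Unlock()
	tok, ok := c.tokens[s]
	return tok, ok
}

func (c *sharedTokenCache) put(_ string, s scope, token string) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.tokens[s] = token
}

// sessionKey is the patched key: session ID plus scope. "session" stands in
// for the session group ID the fork keys on (a simplification here).
type sessionKey struct {
	session string
	sc      scope
}

// isolatedTokenCache models the patched behaviour: a token is visible only
// to the session that obtained it.
type isolatedTokenCache struct {
	mu     sync.Mutex
	tokens map[sessionKey]string
}

func newIsolatedTokenCache() *isolatedTokenCache {
	return &isolatedTokenCache{tokens: map[sessionKey]string{}}
}

func (c *isolatedTokenCache) get(session string, s scope) (string, bool) {
	c.mu.Lock()
	defer c.mu.Unlock()
	tok, ok := c.tokens[sessionKey{session, s}]
	return tok, ok
}

func (c *isolatedTokenCache) put(session string, s scope, token string) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.tokens[sessionKey{session, s}] = token
}

// credentialSource models the daemon asking a client session for credentials;
// a client with no ~/.docker/config.json returns an error.
type credentialSource func() (string, error)

// resolveToken is the daemon-side flow: serve from cache, otherwise ask the
// session's own client and cache what it returns.
func resolveToken(cache tokenCache, session string, s scope, creds credentialSource) (string, error) {
	if tok, ok := cache.get(session, s); ok {
		return tok, nil
	}
	tok, err := creds()
	if err != nil {
		return "", err
	}
	cache.put(session, s, tok)
	return tok, nil
}

// replayScenario runs the two-client test from the task: client A (has
// credentials) pushes, then client B (no credentials) pushes the same ref.
// It returns the token each client ended up with; with the isolated cache,
// client B gets "" and an error instead of A's token. Values are constructed.
func replayScenario(cache tokenCache) (tokenA, tokenB string, errB error) {
	const pushScope scope = "blubber:sometag,push"
	clientA := func() (string, error) { return "constructed-token-for-client-A", nil }
	clientB := func() (string, error) { return "", errors.New("no ~/.docker/config.json") }
	tokenA, _ = resolveToken(cache, "session-A", pushScope, clientA)
	tokenB, errB = resolveToken(cache, "session-B", pushScope, clientB)
	return tokenA, tokenB, errB
}

func main() {
	a, b, err := replayScenario(newSharedTokenCache())
	fmt.Printf("shared cache:   A=%q B=%q err=%v\n", a, b, err)
	a, b, err = replayScenario(newIsolatedTokenCache())
	fmt.Printf("isolated cache: A=%q B=%q err=%v\n", a, b, err)
}
```

With the shared cache the second call never reaches client B's credential source at all, which is exactly why B's push succeeds without any ~/.docker/config.json; widening the key is what forces the daemon back to the session that actually owns the credentials. A cache keyed this way also needs its entries dropped when the session ends, otherwise memory grows with the number of sessions.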

Details

Related Changes in Gerrit:
Related Changes in GitLab:

  Title                                                 Reference                Author   Source Branch            Dest Branch
  wmf/ci: Provide build environment and gitlab-ci.yml   repos/releng/buildkit!2  dduvall  feature/wmf-ci           wmf/v0.10
  resolver: Isolate token cache to each client session  repos/releng/buildkit!1  dduvall  fix/isolate-token-cache  wmf/v0.10

Event Timeline

dduvall changed the task status from Open to In Progress. Oct 6 2022, 6:27 PM
dduvall claimed this task.
dduvall triaged this task as High priority.
dduvall updated the task description.
dduvall added a project: GitLab.
dduvall updated the task description.
dduvall updated the task description.

Change 841556 had a related patch set uploaded (by Dduvall; author: Dduvall):

[operations/puppet@production] P:gitlab::runner: Use WMF fork of buildkit for buildkitd service

https://gerrit.wikimedia.org/r/841556

Change 841556 merged by Jbond:

[operations/puppet@production] P:gitlab::runner: Use WMF fork of buildkit for buildkitd service

https://gerrit.wikimedia.org/r/841556

Change 841584 had a related patch set uploaded (by Dduvall; author: Dduvall):

[operations/puppet@production] P:gitlab::runner: Fix buildkitd image ref on WMCS

https://gerrit.wikimedia.org/r/841584

Change 841584 merged by Dzahn:

[operations/puppet@production] P:gitlab::runner: Fix buildkitd image ref on WMCS

https://gerrit.wikimedia.org/r/841584

dduvall updated the task description.