Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

supporting core dumps when Envoy has more capabilities #15242

Closed
rgs1 opened this issue Mar 1, 2021 · 3 comments · Fixed by #15245
Closed

supporting core dumps when Envoy has more capabilities #15242

rgs1 opened this issue Mar 1, 2021 · 3 comments · Fixed by #15245
Labels
enhancement Feature requests. Not bugs or questions.

Comments

@rgs1
Copy link
Member

rgs1 commented Mar 1, 2021
edited
Loading

When Envoy is running inside a container where CAP_NET_BIND_SERVICE isn't available but the Envoy binary itself has this capability (e.g.: via setcap 'cap_net_bind_service=+ep' envoy), core dumps won't happen unless Envoy was launched via a process with the same capabilities [0].

Forcing deployments to use a helper with bind capabilities to launch Envoy isn't great, because the helper would have to be restricted itself otherwise it could be use by others to gain bind privileges.

One potential solution is to have Envoy re-exec itself, since no new capabilities are gained when Envoy re-executes itself.

Would something like this be acceptable?

cc: @mattklein123

[0] See PR_SET_DUMPABLE in https://man7.org/linux/man-pages/man2/prctl.2.html and also https://man7.org/linux/man-pages/man7/capabilities.7.html
@rgs1 rgs1 added enhancement Feature requests. Not bugs or questions. triage Issue requires triage labels Mar 1, 2021
@rgs1 rgs1 changed the title supporting core dumps when inside a container and Envoy has more capabilities supporting core dumps when Envoy has more capabilities Mar 1, 2021
@rgs1
Copy link
Member Author

rgs1 commented Mar 1, 2021
edited
Loading

Ok, just had a chat with @martinezjavier about capabilities and prctl, the solution is much simpler than having to re exec: prctl(PR_SET_DUMPABLE, 1); does it.

I'll prepare a draft PR and we can discuss if this has to be behind a command line flag or runtime flag.

@alyssawilk alyssawilk removed the triage Issue requires triage label Mar 1, 2021
rgs1 pushed a commit to rgs1/envoy that referenced this issue Mar 1, 2021
server: add --enable-core-dump flag
9d8c32d 
This ensures Envoy can core dump when the dumpability bit might have
been unset (e.g.: running inside a container with fewer capabilities
than the ones Envoy itself has).

Fixes envoyproxy#15242.

Signed-off-by: Raul Gutierrez Segales <rgs@pinterest.com>
@rgs1 rgs1 mentioned this issue Mar 1, 2021
Merged
@mattklein123
Copy link
Member

I don't know much about this stuff, but these seems reasonable to me. I think there was another issue at some point about dropping privileges after starting which seems somewhat related but I can't find that issue right now.

@rgs1
Copy link
Member Author

rgs1 commented Mar 1, 2021

Ah yes, I think uid --> euid mismatches means the dumpability bit will be unset as well. This should work for that case too.

mattklein123 pushed a commit that referenced this issue Mar 6, 2021
server: add --enable-core-dump flag (#15245)
4f1ec4f 
This ensures Envoy can core dump when the dumpability bit might have
been unset (e.g.: running inside a container with fewer capabilities
than the ones Envoy itself has).

Fixes #15242.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement Feature requests. Not bugs or questions.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

server: add --enable-core-dump flag rgs1/envoy
3 participants
@rgs1 @mattklein123 @alyssawilk