Jail/chroot nginx process inside controller container (#8337)
* Initial work on chrooting nginx process * More improvements in chroot * Fix charts and some file locations * Fix symlink on non chrooted container * fix psp test * Add e2e tests to chroot image * Fix logger * Add internal logger in controller * Fix overlay for chrooted tests * Fix tests * fix boilerplates * Fix unittest to point to the right pid * Fix PR review
This commit is contained in:
parent
83ce21b4dd
commit
3def835a6a
41 changed files with 456 additions and 49 deletions
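--- a/rootfs/chroot.sh
+++ b/rootfs/chroot.sh
@@ -0,0 +1,55 @@
+#!/bin/bash
+
+# Copyright 2022 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -x
+writeDirs=( \
+/chroot/etc/nginx \
+/chroot/usr/local/ \
+/chroot/etc/ingress-controller \
+/chroot/etc/ingress-controller/ssl \
+/chroot/etc/ingress-controller/auth \
+/chroot/opt/modsecurity/var/log \
+/chroot/opt/modsecurity/var/upload \
+/chroot/opt/modsecurity/var/audit \
+/chroot/var/log/audit \
+/chroot/var/lib/nginx \
+/chroot/var/log/nginx \
+/chroot/var/lib/nginx/body \
+/chroot/var/lib/nginx/fastcgi \
+/chroot/var/lib/nginx/proxy \
+/chroot/var/lib/nginx/scgi \
+/chroot/var/lib/nginx/uwsgi \
+/chroot/tmp/nginx
+);
+
+for dir in "${writeDirs[@]}"; do
+mkdir -p ${dir};
+chown -R www-data.www-data ${dir};
+done
+
+mkdir -p /chroot/lib /chroot/proc /chroot/usr /chroot/bin /chroot/dev /chroot/run
+cp /etc/passwd /etc/group /chroot/etc/
+cp -a /usr/* /chroot/usr/
+mv /var/log/nginx /chroot/var/log/
+cp -a /etc/nginx/* /chroot/etc/nginx/
+cp /lib/ld-musl-* /lib/libcrypto* /lib/libssl* /lib/libz* /chroot/lib/
+mknod -m 0666 /chroot/dev/null c 1 3
+mknod -m 0666 /chroot/dev/random c 1 8
+mknod -m 0666 /chroot/dev/urandom c 1 9
+mknod -m 0666 /chroot/dev/full c 1 7
+mknod -m 0666 /chroot/dev/ptmx c 5 2
+mknod -m 0666 /chroot/dev/zero c 1 5
+mknod -m 0666 /chroot/dev/tty c 5 0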
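Review bot: The script enables only `set -x`, so any failing step — a `cp` whose glob such as `/lib/ld-musl-*` matches nothing, a refused `mknod`, or the `chown` in the loop — leaves the jail incomplete while the image build still succeeds; replace the `set -x` line with `set -euxo pipefail` so the build fails loudly instead. The loop body should also quote its expansions and use the colon form for the owner spec, `mkdir -p "${dir}"` and `chown -R www-data:www-data "${dir}"`, since `user.group` is ambiguous for names that contain dots. Separately, `cp -a /usr/* /chroot/usr/` places the entire `/usr` tree inside the jail, which hands a compromised nginx worker far more tooling than nginx needs; narrowing this to the binaries and libraries nginx actually loads would make the chroot a meaningfully smaller target. A one-line header comment stating the script's purpose would help future maintainers, e.g. `# Builds the /chroot tree in which the controller jails the nginx process (presumably run at image build time).`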