-
Notifications
You must be signed in to change notification settings - Fork 42
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
If the PATH is empty, Pebble will be default use the standard Ubuntu value of "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" (see [0]). Follow this lead and set this value on the image's PATH. This PATH setting on the image itself has no bearing on most cases, as the PATH that prevails is the one defined by Pebble and its services, but an empty (or unset) PATH is a potential security issue in cases where the pebble entrypoint is bypassed. 0: https://github.com/canonical/pebble/blob/master/internals/overlord/cmdstate/request.go#L91 Fixes #711
- Loading branch information
Showing
5 changed files
with
79 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -3,7 +3,7 @@ version: latest | |
summary: A tiny rock | ||
description: Building a tiny rock from a bare base, with just one package | ||
license: Apache-2.0 | ||
build-base: [email protected] | ||
build-base: placeholder-base | ||
base: bare | ||
services: | ||
hello: | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,6 +1,14 @@ | ||
summary: bare base build test | ||
environment: | ||
BASE/24_04: "[email protected]" | ||
PEBBLE_DIR/24_04: "/usr/bin" | ||
|
||
BASE/22_04: "[email protected]" | ||
PEBBLE_DIR/22_04: "/bin" | ||
|
||
execute: | | ||
sed "s/placeholder-base/$BASE/" rockcraft.orig.yaml > rockcraft.yaml | ||
run_rockcraft pack | ||
test -f bare-base-test_latest_amd64.rock | ||
|
@@ -15,6 +23,11 @@ execute: | | |
grep_docker_log "$id" "ship it!" | ||
docker exec "$id" pebble services | grep hello | ||
docker exec "$id" pebble ls /usr/bin/hello | ||
test "$(docker inspect "$id" -f '{{json .Config.Entrypoint}}')" = '["/bin/pebble","enter"]' | ||
test "$(docker inspect "$id" -f '{{json .Config.Entrypoint}}')" = "[\"${PEBBLE_DIR}/pebble\",\"enter\"]" | ||
# Bare-based rocks should have the default Ubuntu path, as an empty PATH is a | ||
# security issue when containers bypass the pebble entrypoint. | ||
EXPECTED_PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" | ||
test "$(docker inspect "$id" -f '{{json .Config.Env}}')" = "[\"PATH=${EXPECTED_PATH}\"]" | ||
docker rm -f "$id" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -951,3 +951,49 @@ def test_stat(self, new_dir, mock_run, mocker): | |
) | ||
] | ||
assert mock_loads.called | ||
|
||
@pytest.mark.parametrize( | ||
"build_base", | ||
[ | ||
"[email protected]", | ||
"ubuntu@devel", | ||
"[email protected]", | ||
"[email protected]", | ||
], | ||
) | ||
def test_set_path_bare(self, mock_run, build_base): | ||
image = oci.Image("a:b", Path("/c")) | ||
|
||
image.set_path("bare", build_base) | ||
|
||
expected = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" | ||
assert mock_run.mock_calls == [ | ||
call( | ||
[ | ||
"umoci", | ||
"config", | ||
"--image", | ||
"/c/a:b", | ||
"--config.env", | ||
f"PATH={expected}", | ||
] | ||
) | ||
] | ||
|
||
@pytest.mark.parametrize( | ||
["base", "build_base"], | ||
[ | ||
("[email protected]", "[email protected]"), | ||
("[email protected]", None), | ||
("[email protected]", "[email protected]"), | ||
("[email protected]", None), | ||
("[email protected]", "[email protected]"), | ||
("[email protected]", None), | ||
], | ||
) | ||
def test_set_path_non_bare(self, mock_run, base, build_base): | ||
image = oci.Image("a:b", Path("/c")) | ||
|
||
image.set_path(base, build_base) | ||
|
||
assert not mock_run.called |