ChanServ changed the topic of #freedesktop to: https://www.freedesktop.org infrastructure and online services || for questions about freedesktop.org projects, please see each project's contact || for discussions about specifications, please use https://gitlab.freedesktop.org/xdg or xdg@lists.freedesktop.org
ximion has joined #freedesktop
<DemiMarie>
Has the use of Kata containers in CI been considered?
columbarius has joined #freedesktop
<__tim>
yes
co1umbarius has quit [Ping timeout: 480 seconds]
<DemiMarie>
As a security researcher I am curious how the attackers managed to break out of the sandbox. This would make for an interesting postmortem, but not until the flaw is patched!
co1umbarius has joined #freedesktop
columbarius has quit [Ping timeout: 480 seconds]
agd5f has quit [Remote host closed the connection]
jramsay has quit [Read error: Connection reset by peer]
lack has joined #freedesktop
Lyude has quit [Ping timeout: 480 seconds]
Lyude has joined #freedesktop
ofourdan has quit [Ping timeout: 480 seconds]
<mupuf>
DemiMarie: the runners are still running containers as privileged
<mupuf>
I'll let you figure out the rest ;)
<mupuf>
We have been working towards moving away from privileged runners, but of course it regresses some projects... and admins didn't have the time to get there
<mupuf>
At least, the attack made it easier for us to just... not care and ask devs to rework their CI pipelines
lack has quit [Read error: Connection reset by peer]
<alatiera>
not sure if anyone else here had updated podman/build yet but in case the ci-template image builds stop working that's why
<daniels>
alatiera: weston and mesa also use kvm
<alatiera>
ah, but isn't that under qemu?
<mupuf>
alatiera: thanks for the link, that may explain why valve infra had to reenable privileged mode after a buildah update
<alatiera>
mupuf let's say it was a while until I've found out why myself too :P
<alatiera>
we can fix that though through the gitlab-runner config
<alatiera>
I think the key is "cap_add" in the runner toml
<alatiera>
there's also another one to explicitly set the whole seccomp profile if needed
<mupuf>
Thanks :)
<mupuf>
Will revert to unprivileged when I come back to work
<mupuf>
All the test machines are unprivileged
<mupuf>
Only the gateway runners aren't... But they have pretty strong restrictions on who can submit jobs there
gchini has joined #freedesktop
lack has quit [Read error: Connection reset by peer]
lack has joined #freedesktop
<DemiMarie>
If something really needs privileges (perhaps because it deals with privileged kernel APIs), it can be run in a KVM VM via Firecracker.
Haaninjo has joined #freedesktop
ximion has joined #freedesktop
psychon has quit [Remote host closed the connection]
<mupuf>
DemiMarie: true that, it's just making CI pipelines more complex. Luckily, bentiss wrote vm2c (VM to container, a wrapper around my boot2container initramfs) that makes running VMs more manageable
<DemiMarie>
mupuf: what I meant is that your container orchestration tool might have Kata container support
<alatiera>
it does, but it's not plug n play
<alatiera>
supposedly you can use kata as an oci runtime, but a bunch of things in our setup need to be adjusted accordingly
* alatiera
goes to mumble somewhere about oci
<mupuf>
DemiMarie: ha, right. Never tested that
* alatiera
spent a couple days yelling at the computer trying to get runner+kata working
<alatiera>
didn't get far
<mupuf>
alatiera: sounds like a sensible place to plug a VM
<mupuf>
Oh boy!
<alatiera>
half of my issues wouldn't exist if instead of tarballs+json it was some sensible storage format like DDIs
<alatiera>
which would accommodate for the kernel+initramfs we have to shove into the kata setup