Signed-off-by: James Strong <strong.james.e@gmail.com>
James Strong 2022-11-03 11:38:42 -04:00 committed by James Strong
parent 75ab7c826d
commit 3110846e41
3 changed files with 9 additions and 26 deletions


@ -30,13 +30,13 @@ MELANGE_DIR ?= melange
APKO_DIR ?= apko APKO_DIR ?= apko
MELANGE ?= docker run --rm --privileged -w /work -v "${PWD}":/work distroless.dev/melange:latest MELANGE ?= docker run --rm --privileged -w /work -v "${PWD}":/work distroless.dev/melange:latest
MELANGE_DETACHED ?= docker run -d -w /work --rm --privileged -v "${PWD}":/work distroless.dev/melange:latest MELANGE_DETACHED ?= docker run -d -w /work --rm --privileged -v "${PWD}":/work distroless.dev/melange:latest
APKO ?= docker run --rm -w /work -v "${PWD}":/work ko.local:5f90a47e3144af5b529930d71eb58fc6ea0004113aa0cdb3d1da35d6065b594e APKO ?= docker run --rm -w /work -v "${PWD}":/work ko.local:282aa9f94ed181bbe42ab3897f41687c92a86260ea0820151c9353ecfc1ae3d6
KEY ?= melange.rsa KEY ?= melange.rsa
REPO ?= packages REPO ?= packages
TEMPLATE ?= melange/nginx-templates.json TEMPLATE ?= melange/nginx-templates.json
MELANGE_OPTS ?= -k ${KEY}.pub --signing-key ${KEY} --arch ${ARCHS} MELANGE_OPTS ?= -k ${KEY}.pub --signing-key ${KEY} --arch ${ARCHS}
MELANGE_INGRESS_OPT ?= -k ${KEY}.pub --signing-key ${KEY} --arch ${ARCHS} --empty-workspace MELANGE_INGRESS_OPT ?= -k ${KEY}.pub --signing-key ${KEY} --arch ${ARCHS} --empty-workspace
APKO_OPTS ?= -k ${KEY}.pub --debug --use-docker-mediatypes --sbom=false --build-arch ${ARCHS} ${APKO_DIR}/${FILE}.yaml APKO_OPTS ?= -k ${KEY}.pub --debug --sbom=false --build-arch ${ARCHS} ${APKO_DIR}/${FILE}.yaml
KEY ?= melange.rsa KEY ?= melange.rsa
REPO ?= $(shell pwd)/packages REPO ?= $(shell pwd)/packages
ARCHS ?="amd64,arm64,arm/v6,arm/v7,s390x" ARCHS ?="amd64,arm64,arm/v6,arm/v7,s390x"


@ -214,8 +214,6 @@ pipeline:
set -o nounset set -o nounset
set -o pipefail set -o pipefail
ls -lah
ls -lah etc/nginx
export BUILD_PATH="${PWD}" export BUILD_PATH="${PWD}"
echo "BUILD_PATH $BUILD_PATH" echo "BUILD_PATH $BUILD_PATH"
echo "Arch: $(uname -m)" echo "Arch: $(uname -m)"


@ -17,12 +17,9 @@ limitations under the License.
package net package net
import ( import (
"errors"
"fmt" "fmt"
"k8s.io/klog/v2"
"kernel.org/pub/linux/libs/security/libcap/cap" "kernel.org/pub/linux/libs/security/libcap/cap"
_net "net" _net "net"
"os"
"os/exec" "os/exec"
) )
@ -66,28 +63,16 @@ func IsIPv6Enabled() bool {
// CheckCapNetBind checks if cap_net_bind_service is set for ingress // CheckCapNetBind checks if cap_net_bind_service is set for ingress
func CheckCapNetBind() error { func CheckCapNetBind() error {
processID := os.Getpid() orig := cap.GetProc()
set, err := cap.GetPID(processID)
if err != nil {
return err
}
klog.InfoS("ingress-nginx capability set %v", set.String())
//check effective defer orig.SetProc() // restore original caps on exit.
// Value 10 = NET_BIND_SERVICE
effective, err := set.GetFlag(0, 10)
if err != nil {
return err
}
//check permitted c, err := orig.Dup()
permitted, err := set.GetFlag(1, 10)
if err != nil { if err != nil {
return err return fmt.Errorf("failed to read capabilitiess: %v", err)
} }
klog.InfoS("ingress-nginx capabilities: permitted %v effective %v", permitted, effective) if on, _ := c.GetFlag(cap.Effective, cap.NET_BIND_SERVICE); !on {
if !permitted && !effective { return fmt.Errorf("insufficient privilege to bind to low ports - want %q, have %q", cap.NET_BIND_SERVICE, c)
return errors.New(fmt.Sprintf("ingress-nginx capabilities: permitted %v effective %v", permitted, effective))
} }
return nil return nil
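Review bot: The error from `c.GetFlag` on the `if on, _ :=` line is discarded, so a failure to query the flag is reported as "insufficient privilege to bind to low ports", which misattributes the cause and makes the check harder to debug from logs; query it first: `on, err := c.GetFlag(cap.Effective, cap.NET_BIND_SERVICE)` followed by `if err != nil { return fmt.Errorf("reading NET_BIND_SERVICE flag: %w", err) }` and then `if !on { ... }`. The preceding error string has a typo ("capabilitiess") and wraps with `%v`; `%w` keeps the underlying cause inspectable with errors.Is/As, e.g. `return fmt.Errorf("reading capabilities: %w", err)`. The deferred `orig.SetProc()` drops its return error, and since the function only reads from the `Dup()` copy and never modifies the set, the restore appears to be unnecessary — worth confirming against the libcap API before removing it. CheckCapNetBind's closing brace lies outside the hunk.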