Fsverity content verification #10007
Hi @Jenkins-J. Thanks for your PR. I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Can we have a unit test?
Just to clarify, would you like a unit test of the modified writer Commit method, the functions in the fsverity package, or both?
Ideally both
Thank you, I will work on creating those unit tests.
@AkihiroSuda I've created some tests for the new functionality, please take a look. Thank you.
Please squash the commits
args.blockSize = uint32(blockSize)

_, _, errno := unix.Syscall(syscall.SYS_IOCTL, f.Fd(), uintptr(unix.FS_IOC_ENABLE_VERITY), uintptr(unsafe.Pointer(args)))
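Review bot: the ioctl mixes two packages, `syscall.SYS_IOCTL` next to `unix.Syscall` and `unix.FS_IOC_ENABLE_VERITY`; use `unix.SYS_IOCTL` so the whole call comes from golang.org/x/sys/unix, and guard `args.blockSize = uint32(blockSize)`, which narrows the block size with no range check in the lines shown. Since this runs in the writer's Commit path, `f` must be a fresh read-only open of the committed blob: FS_IOC_ENABLE_VERITY fails with ETXTBSY while any writable descriptor to the file, including the caller's own, is still open, and `errno` must be tested against zero before the enable is treated as successful.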
content.Provider needs to call FS_IOC_MEASURE_VERITY?
The fsverity module will automatically verify the integrity of the data on every read operation of the enabled file. If fsverity detects corruption, the read operation will return an error. The case where we would need to call FS_IOC_MEASURE_VERITY manually is if we wanted to detect intentional, malicious corruption of the blob data. In that case, we would measure the data after fsverity is enabled on the blob, safely store the known-good digest, then when the blob data is read by the provider, call FS_IOC_MEASURE_VERITY again and compare the returned digest to the known-good value.
I'd be happy to implement this if the malicious corruption of blob data is a case containerd should cover.
Yes, it would be nice to cover malicious corruption.
Can be another PR.
Implement calls to the fsverity kernel module, allowing containerd to enable fsverity on blob data in the content store. This causes fsverity to verify the integrity of blob data when the blob is read. Signed-off-by: James Jenkins <James.Jenkins@ibm.com>
Hi @AkihiroSuda, shall we target this to the v2.1 release? It's a good feature but we still have pending work items in 2.0, like transfer service migration for CRI.
I think this is safe to have in v2.0, but can be postponed to v2.1 if you have a concern.
I'm not sure we can complete this in v2.0, as we will retain schema1 (now disabled by default).
It's in content store code path. But yeah, it looks good and safe to have in 2.0.
Sure.
pkg/fsverity/fsverity_test.go
defer func() {
	err := m.Close()
	if err != nil {
		fmt.Printf("could not close mountinfo\n")
-		fmt.Printf("could not close mountinfo\n")
+		t.Fatalf("could not close mountinfo: %v", err)
@AkihiroSuda This change is in a helper function, resolveDevicePath, which does not have access to the testing.T variable t. I've modified it so now the appropriate error message is returned from this function. I can pass the variable t as a parameter to these helper functions instead if you believe the code would be more readable that way.
Signed-off-by: James Jenkins <James.Jenkins@ibm.com>
Ran out of bandwidth this week. Will take a look at this after travel.
func TestIsEnabled(t *testing.T) {

	testDir := filepath.Join(t.TempDir(), "content")
I think we can use truncate and mkfs.ext4 -O verity to create a testable environment for this function. verity is not a default option in most distros so it would help. It can be handled in the follow-up.
plugins/content/local/writer.go
	integritySupported bool
	supportErr         error
)
if integritySupported, supportErr = fsverity.IsSupported(w.s.root); integritySupported {
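Review bot: `supportErr` is assigned in the if header but only `integritySupported` is tested, and none of the lines shown use `supportErr` afterwards, so a failed support probe silently degrades the blob to unprotected unless the else branch reports it; log the error (or fail the commit when the operator has asked for integrity) rather than treating a probe error the same as "unsupported".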
I think the IsSupported cache should be handled in the content local plugin. The fsverity.IsSupported is just handled once. If we change the input from A to B, the cache might not be correct.
I've updated the implementation to cache the IsSupported value in the content plugin.
Cache the result of the IsSupported fsverity method in the content plugin instead of in the fsverity package. Signed-off-by: James Jenkins <James.Jenkins@ibm.com>
plugins/content/local/writer.go
	startedAt          time.Time
	updatedAt          time.Time
	once               sync.Once
	integritySupported bool
what about moving this to store struct?
type store struct {
	root               string
	ls                 LabelStore
	integritySupported bool
}
So that we can just run fsverity.IsSupported once and all the writers from the same store can share it.
Thank you, that makes more sense now. I've made the change.
pkg/fsverity/fsverity_linux.go
}

digestFile.Close()
defer os.RemoveAll(integrityDir)
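Review bot: `defer os.RemoveAll(integrityDir)` is registered only after the digest file has been created and closed, so any error return between creating the directory and this line leaves the check directory behind in the content root; register the defer immediately after the directory is created. The return value of `digestFile.Close()` is also discarded; check it, or use a `defer` with an error check as elsewhere in this file.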
move this line to L57.
pkg/fsverity/fsverity_linux.go
	return s, err
}

integrityDir := filepath.Join(rootPath, "integrity")
I think we can rename this to .fsverity-check by os.MkdirTemp. So, the node admin will know it's a tempdir to verify something.
Done. Thank you for the suggestion.
Move cached fsverity integrity supported value from the local content writer to the local content store. Signed-off-by: James Jenkins <James.Jenkins@ibm.com>
Clean up fsverity IsSupported function, improving readability. Signed-off-by: James Jenkins <James.Jenkins@ibm.com>
Thanks!
The Linux Kernel fs-verity feature can be utilized to verify the integrity of blob data in the content store. Enabling fs-verity on the blob data allows fs-verity to verify the integrity of the data at the time it is read. A read error will occur if fs-verity detects any accidental corruption of the data.
Here, containerd will enable fs-verity on the content blob files if it determines that both the kernel and the filesystem support fs-verity operations.
Addresses issue #3849 and issue #953.