Bug 967118 - Make manifest.yml and managed_files.yml uneditable by the cart writer when cart unlocked
Product: OpenShift Online
Classification: Red Hat
Component: Image
Severity: medium
Assigned To: Jhon Honce
libra bugs
: UpcomingRelease
Reported: 2013-05-24 15:15 EDT by Dan McPherson
Modified: 2015-05-14 20:33 EDT (History)

Doc Type: Bug Fix
Last Closed: 2014-04-08 17:35:11 EDT
Type: Bug

Description Dan McPherson 2013-05-24 15:15:05 EDT
Description of problem:

We just changed to always lock the manifest/managed_files/IDENT but we really need to protect these from cart writers as well.  So we should also restrict these files from unlocking.

Steps to recreate:
1) Create a cart that modifies the manifest on setup
2) Install the cart

Actual results:
It works

Expected results:
It should fail
Comment 1 Jhon Honce 2013-05-24 22:39:54 EDT
Fixed in https://github.com/openshift/origin-server/pull/2642
Comment 2 openshift-github-bot 2013-05-25 00:42:39 EDT
Commits pushed to master at https://github.com/openshift/origin-server

Bug 967118 - Make Platform/Cartridge shared files immutable

* Add OpenShift::ManagedFiles::IMMUTABLE_FILES
* Remove immutable files from all lock/unlock lists
* Refactor cartridge create to protect these files

Bug 967118 - Remove redundant entries from managed_files.yml

* Removed all occurrences where locked_files was protecting just managed_files.yml
  and manifest.yml. Platform ensures those are immutable.
Comment 3 Xiaoli Tian 2013-05-28 00:58:38 EDT
Does that mean the immutable files should not be changed by the cartridge scripts as well? If that's expected, it seems it still does not work on devenv_3277:

1) Added the following debug code to the custom perl cartridge setup script:
client_message "Try to modify manifest file"
ls -lh $OPENSHIFT_PERL_DIR/metadata/
echo "TRYTRY"
echo "Invalid entry: Append the words to manifest file" >> $OPENSHIFT_PERL_DIR/metadata/manifest.yml
tail -n 3  $OPENSHIFT_PERL_DIR/metadata/manifest.yml
echo "conf.d" >> $OPENSHIFT_PERL_DIR/metadata/managed_files.yml
echo "hatnot:testperl:5.10:0.0.1" >$OPENSHIFT_PERL_DIR/env/OPENSHIFT_PERL_IDENT
echo "NEW value for OPENSHIFT_PERL_IDNET is"

2) Try to create an app with the custom cartridge; it will fail, but leaves everything in the node and mongo

#rhc app create perltest4 https://raw.github.com/xltian/perltestonly/master/metadata/manifest.yml
The cartridge 'https://raw.github.com/xltian/perltestonly/master/metadata/manifest.yml' will be downloaded and installed

Creating application 'perltest4' ... 
Unable to complete the requested operation due to: Node execution failure (invalid exit code from node).  If the problem persists please contact Red Hat support..
Reference ID: 8cf33255a9bcb6bb2f28b0e175852d4b

3) Check the debug result of step 1) in log:

May 27 23:48:35 DEBUG oo_spawn buffer(10/) CLIENT_MESSAGE: Try to modify manifest file

3a) Output for "ls -lh $OPENSHIFT_PERL_DIR/metadata/", note that these files are not root owned
May 27 23:48:35 DEBUG oo_spawn buffer(10/) total 12K
-rw-r--r--. 1 51a429075696d0070d000020 51a429075696d0070d000020  711 May 27 23:48 jenkins_shell_command.erb
-rw-r--r--. 1 51a429075696d0070d000020 51a429075696d0070d000020  114 May 27 23:48 managed_files.yml
-rw-r--r--. 1 51a429075696d0070d000020 51a429075696d0070d000020 2.9K May 27 23:48 manifest.yml

May 27 23:48:35 DEBUG oo_spawn buffer(10/) TRYTRY

3b) Output for "tail -n 3 $OPENSHIFT_PERL_DIR/metadata/manifest.yml", note that manifest.yml could still be modified:

May 27 23:48:35 DEBUG oo_spawn buffer(10/)     Mappings:
Install-Build-Required: false
Source-Url: https://github.com/xltian/perltestonly.git
Invalid entry: Append the words to manifest file

3c) OPENSHIFT_PERL_IDENT could still be changed.

May 27 23:48:35 DEBUG oo_spawn buffer(10/) OPENSHIFT_PERL_IDENT is nonhat:perltest:5.10:0.0.1

May 27 23:48:35 DEBUG oo_spawn buffer(10/) NEW value for OPENSHIFT_PERL_IDNET is

May 27 23:48:35 DEBUG oo_spawn buffer(10/) hatnot:testperl:5.10:0.0.1
Comment 4 Jhon Honce 2013-05-28 17:11:26 EDT
Example cartridge now fails as expected.

Fixed in https://github.com/openshift/li/pull/1475
Fixed in https://github.com/openshift/origin-server/pull/2647
Comment 5 openshift-github-bot 2013-05-28 18:31:56 EDT
Commit pushed to master at https://github.com/openshift/li

Bug 967118 - Support immutable cartridge files

* when migrating need to support immutable files
Comment 6 openshift-github-bot 2013-05-28 23:52:39 EDT
Commit pushed to master at https://github.com/openshift/origin-server

Bug 967118 - Immutable files in cartridges

* Fix exception failure bug
* Fix generating file list
* Fix unit tests
Comment 7 Xiaoli Tian 2013-05-29 04:16:27 EDT
Tested it on devenv_3282:

metadata/managed_files.yml is immutable now, but the other files in the IMMUTABLE_FILES list are still writable by the cartridge writer.

It should cover the following files according to the latest code:

IMMUTABLE_FILES = %w(metadata/manifest.yml metadata/managed_files.yml env/OPENSHIFT_*_IDENT env/OPENSHIFT_*_DIR)

1) Add the following line in setup file and try to create app:
echo "conf.d" >> $OPENSHIFT_PERL_DIR/metadata/managed_files.yml

It will get permission denied error:
Creating application 'perlapp2' ... /var/lib/openshift/192587893960361151299584/perltest/bin/setup: line 21: /var/lib/openshift/192587893960361151299584/perltest//metadata/managed_files.yml: Permission denied

2) Add the following lines to test manifest.yml, env/OPENSHIFT_*_IDENT and env/OPENSHIFT_*_DIR:

ls -lh $OPENSHIFT_PERL_DIR/metadata/
echo "TRYTRY"
echo "Before modifying manifest file, the name of the cartridge is"
cat  $OPENSHIFT_PERL_DIR/metadata/manifest.yml|grep perltest
sed -i "s/perltest/changename/g" $OPENSHIFT_PERL_DIR/metadata/manifest.yml
echo "After trying to modify the manifest file"
cat  $OPENSHIFT_PERL_DIR/metadata/manifest.yml|grep perltest
cat  $OPENSHIFT_PERL_DIR/metadata/manifest.yml|grep changename
echo "hatnot:testperl:5.10:0.0.1" >$OPENSHIFT_PERL_DIR/env/OPENSHIFT_PERL_IDENT
echo "NEW value for OPENSHIFT_PERL_IDNET is"
echo "Original OPENSHIFT_PERL_DIR is $perldir"
echo "ChangedDIR" > $perldir/env/OPENSHIFT_PERL_DIR
echo "New value of OPENSHIFT_PERL_DIR is"
cat  $perldir/env/OPENSHIFT_PERL_DIR

The result is: manifest.yml, OPENSHIFT_PERL_IDENT and OPENSHIFT_PERL_DIR are all changed:

May 29 03:26:32 INFO Ran /var/lib/openshift/877563397989228630507520/perltest/bin/setup --version 5.10 for 877563397989228630507520/perltest

#ls -lh $OPENSHIFT_PERL_DIR/metadata/
total 12K
-rw-r--r--. 1 877563397989228630507520 877563397989228630507520  711 May 29 03:26 jenkins_shell_command.erb
-rw-r--r--. 1 root                     877563397989228630507520  114 May 29 03:26 managed_files.yml
-rw-r--r--. 1 root                     877563397989228630507520 2.9K May 29 03:26 manifest.yml
total 20K

#ls -lh $OPENSHIFT_PERL_DIR/env/
-rw-r--r--. 1 877563397989228630507520 877563397989228630507520  53 May 29 03:26 OPENSHIFT_PERL_DIR
-rw-r--r--. 1 877563397989228630507520 877563397989228630507520  26 May 29 03:26 OPENSHIFT_PERL_IDENT
-rw-r--r--. 1 877563397989228630507520 877563397989228630507520  60 May 29 03:26 OPENSHIFT_PERL_LOG_DIR
-rw-r--r--. 1 877563397989228630507520 877563397989228630507520   5 May 29 03:26 OPENSHIFT_PERL_VERSION
-rw-r--r--. 1 877563397989228630507520 877563397989228630507520 143 May 29 03:26 PERL5LIB


Before modifying manifest file, the name of the cartridge is

#cat  $OPENSHIFT_PERL_DIR/metadata/manifest.yml|grep perltest
Name: perltest
  - perltest-5.10
  - "perltest"
  - "perltest(version) = 5.10"
    - perltest-5.10
Source-Url: https://github.com/xltian/perltestonly.git

After trying to modify the manifest file

#cat  $OPENSHIFT_PERL_DIR/metadata/manifest.yml|grep changename

Name: changename
  - changename-5.10
  - "changename"
  - "changename(version) = 5.10"
    - changename-5.10
Source-Url: https://github.com/xltian/changenameonly.git

Original OPENSHIFT_PERL_IDENT is nonhat:perltest:5.10:0.0.1

NEW value for OPENSHIFT_PERL_IDNET is hatnot:testperl:5.10:0.0.1

Original OPENSHIFT_PERL_DIR is /var/lib/openshift/877563397989228630507520/perltest/
New value of OPENSHIFT_PERL_DIR is ChangedDIR
Comment 8 Jhon Honce 2013-05-29 14:53:03 EDT
I understand the issue: files cannot be modified, but they can be deleted and replaced.  I have an email out to the selinux team to see if they have ideas. This is a design omission.
Comment 9 Ben Parees 2014-04-08 17:35:11 EDT
I don't think this is an SELinux problem.  The directories in question (env, metadata) are owned by the gear user while the gear is unlocked.

Write permission on a directory means you can always remove and create files in that directory, regardless of the permissions on the files themselves, because you own write permission into the directory.

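The directory-permission point made in Comment 9 can be reproduced without root in a scratch directory. This is an added illustration, not code from the bug or from origin-server: the caller-owned `metadata/` directory and the read-only `manifest.yml` stand in for the gear-owned directory and the root-owned file, and `replace_possible()` is the check a reviewer would want (look at the parent directory's write bit, not the file's mode).

```python
import os
import stat
import tempfile


def running_as_root() -> bool:
    # Root bypasses DAC file-mode checks, so the in-place write is only
    # blocked for unprivileged users (assumes a POSIX system).
    return getattr(os, "geteuid", lambda: 1)() == 0


def replace_possible(path: str) -> bool:
    # A file can be unlinked and recreated whenever its parent directory is
    # writable by us; the file's own mode and owner are irrelevant to that.
    return os.access(os.path.dirname(path), os.W_OK)


def demo_replace_in_writable_dir(before: bytes = b"Name: perltest\n",
                                 after: bytes = b"Name: changename\n") -> dict:
    """Read-only file inside a directory we own: try an in-place append,
    then an unlink-and-recreate, and report what each attempt achieved."""
    with tempfile.TemporaryDirectory() as workdir:
        meta = os.path.join(workdir, "metadata")   # constructed stand-in
        os.mkdir(meta)                             # owned and writable by us
        manifest = os.path.join(meta, "manifest.yml")
        with open(manifest, "wb") as fh:
            fh.write(before)
        os.chmod(manifest, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)  # 0444

        # (a) in-place write: governed by the file mode -> EACCES for non-root
        try:
            with open(manifest, "ab") as fh:
                fh.write(b"Invalid entry\n")
            write_blocked = False
        except PermissionError:
            write_blocked = True

        # (b) delete-and-recreate: governed only by the directory's write bit
        swappable = replace_possible(manifest)
        os.unlink(manifest)
        with open(manifest, "wb") as fh:
            fh.write(after)
        with open(manifest, "rb") as fh:
            final = fh.read()

        return {"write_blocked": write_blocked,
                "replace_possible": swappable,
                "replaced": final == after}
```

Because the gear user owns env/ and metadata/ in the layout described above, a sticky bit on those directories would not help either; only taking directory ownership away from the gear user, or an immutable file attribute that also forbids unlink, prevents the swap.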