Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Set the scripts dir to readonly after init #4161

Merged
merged 1 commit into from
Aug 17, 2021
Merged

Set the scripts dir to readonly after init #4161

merged 1 commit into from
Aug 17, 2021

Conversation

06kellyjac
Copy link
Contributor

@06kellyjac 06kellyjac commented Aug 16, 2021
edited
Loading

Changes

Make the script volume mount read-only for all mounts excluding the init container that creates the scripts

This resolves issue #4160 and prevents overwriting the scripts from subsequent steps leading to anomalous, obscure, or dangerous results.

I made these changes a while ago before the debug scripts volume was added. I added an extra commit to deal with debug scripts too. I've ran the unit tests and I've deployed with ko and done some normal runs (using the tests from catalog) in a k3d cluster but I'm not very familiar with this debug scripts feature so some deeper testing might be necessary.
Edit: the debug scripts need to be written to each step like /tekton/tools with it's post/wait files

/kind bug

Submitter Checklist

As the author of this PR, please check off the items in this checklist:

  • Docs included if any changes are user facing
  • Tests included if any functionality added or changed
  • Follows the commit message standard
  • Meets the Tekton contributor standards (including
    functionality, content, code)
  • Release notes block below has been filled in or deleted (only if no user facing changes)

Release Notes

Note: I can modify the release-note to "action required" if we think someone might actually be overwriting the scripts in their use of tekton
Their resolution action would be to either an alternative mentioned at the bottom of #4160 or to mount their own volume to write other scripts to

Mount script workspace as readonly

@tekton-robot tekton-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/bug Categorizes issue or PR as related to a bug. labels Aug 16, 2021
@tekton-robot tekton-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Aug 16, 2021
@tekton-robot
Copy link
Collaborator

Hi @06kellyjac. Thanks for your PR.

I'm waiting for a tektoncd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@ghost
Copy link

ghost commented Aug 16, 2021

/ok-to-test

/approve

@tekton-robot tekton-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. approved Indicates a PR has been approved by an approver from all required OWNERS files. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Aug 16, 2021
@06kellyjac
Set the scripts dir to readonly after init
142cdcf 
The scripts dir only needs to be writable during `place-scripts`

Previously you could replace the script of other steps before they're ran and
this mitigates that issue
@06kellyjac 06kellyjac force-pushed the make_scripts_dir_readonly branch from 5d11d83 to 142cdcf Compare August 16, 2021 15:31
@06kellyjac 06kellyjac changed the title Set the scripts dir and debug scripts dir to readonly after init Set the scripts dir to readonly after init Aug 16, 2021
@06kellyjac
Copy link
Contributor Author

Ok, my unit tests were passing but that was just a cached result 😕

I've dropped the debug scripts part

vdemeester
vdemeester approved these changes Aug 16, 2021
View reviewed changes
Copy link
Member

@vdemeester vdemeester left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/cc @tektoncd/core-maintainers

@tekton-robot tekton-robot requested a review from a team August 16, 2021 15:52
@06kellyjac
Copy link
Contributor Author

/retest

@tekton-robot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dibyom, sbwsg, vdemeester

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [dibyom,sbwsg,vdemeester]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@wlynch
Copy link
Member

wlynch commented Aug 17, 2021

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Aug 17, 2021
@06kellyjac
Copy link
Contributor Author

I can't at a glance tell what the cause of the failure is. Is this known flakeyness?

@ghost
Copy link

ghost commented Aug 17, 2021

Here's the data race log in full:

==================
WARNING: DATA RACE
Read at 0x00c000aa0943 by goroutine 235:
  testing.(*common).logDepth()
      /usr/local/go/src/testing/testing.go:753 +0xa6
  testing.(*common).log()
      /usr/local/go/src/testing/testing.go:746 +0x8f
  testing.(*common).Logf()
      /usr/local/go/src/testing/testing.go:792 +0x21
  testing.(*T).Logf()
      <autogenerated>:1 +0x75
  go.uber.org/zap/zaptest.testingWriter.Write()
      /home/prow/go/src/github.com/tektoncd/pipeline/vendor/go.uber.org/zap/zaptest/logger.go:130 +0x153
  go.uber.org/zap/zaptest.(*testingWriter).Write()
      <autogenerated>:1 +0xad
  go.uber.org/zap/zapcore.(*ioCore).Write()
      /home/prow/go/src/github.com/tektoncd/pipeline/vendor/go.uber.org/zap/zapcore/core.go:90 +0x1e7
  go.uber.org/zap/zapcore.(*CheckedEntry).Write()
      /home/prow/go/src/github.com/tektoncd/pipeline/vendor/go.uber.org/zap/zapcore/entry.go:220 +0x1f1
  go.uber.org/zap.(*SugaredLogger).log()
      /home/prow/go/src/github.com/tektoncd/pipeline/vendor/go.uber.org/zap/sugar.go:227 +0x154
  go.uber.org/zap.(*SugaredLogger).Warnf()
      /home/prow/go/src/github.com/tektoncd/pipeline/vendor/go.uber.org/zap/sugar.go:143 +0x1ab
  github.com/tektoncd/pipeline/pkg/reconciler/taskrun.(*Reconciler).ReconcileKind.func1()
      /home/prow/go/src/github.com/tektoncd/pipeline/pkg/reconciler/taskrun/taskrun.go:144 +0x12b

Previous write at 0x00c000aa0943 by goroutine 250:
  testing.tRunner.func1()
      /usr/local/go/src/testing/testing.go:1180 +0x52c
  testing.tRunner()
      /usr/local/go/src/testing/testing.go:1197 +0x22a

Goroutine 235 (running) created at:
  github.com/tektoncd/pipeline/pkg/reconciler/taskrun.(*Reconciler).ReconcileKind()
      /home/prow/go/src/github.com/tektoncd/pipeline/pkg/reconciler/taskrun/taskrun.go:131 +0x647
  github.com/tektoncd/pipeline/pkg/client/injection/reconciler/pipeline/v1beta1/taskrun.Interface.ReconcileKind-fm()
      /home/prow/go/src/github.com/tektoncd/pipeline/pkg/client/injection/reconciler/pipeline/v1beta1/taskrun/reconciler.go:53 +0x79
  github.com/tektoncd/pipeline/pkg/client/injection/reconciler/pipeline/v1beta1/taskrun.(*reconcilerImpl).Reconcile()
      /home/prow/go/src/github.com/tektoncd/pipeline/pkg/client/injection/reconciler/pipeline/v1beta1/taskrun/reconciler.go:246 +0x18ee
  github.com/tektoncd/pipeline/pkg/reconciler/taskrun.TestReconcileOnCancelledTaskRun()
      /home/prow/go/src/github.com/tektoncd/pipeline/pkg/reconciler/taskrun/taskrun_test.go:2212 +0x1353
  testing.tRunner()
      /usr/local/go/src/testing/testing.go:1193 +0x202

Goroutine 250 (running) created at:
  testing.(*T).Run()
      /usr/local/go/src/testing/testing.go:1238 +0x5d7
  testing.runTests.func1()
      /usr/local/go/src/testing/testing.go:1511 +0xa6
  testing.tRunner()
      /usr/local/go/src/testing/testing.go:1193 +0x202
  testing.runTests()
      /usr/local/go/src/testing/testing.go:1509 +0x612
  testing.(*M).Run()
      /usr/local/go/src/testing/testing.go:1417 +0x3b3
  main.main()
      _testmain.go:121 +0x236
==================

But I don't see how your change has caused this. 😕

@ghost
Copy link

ghost commented Aug 17, 2021

/test tekton-pipeline-unit-tests

@ghost
Copy link

ghost commented Aug 17, 2021

Looks like the UT race was a flake :/

/test pull-tekton-pipeline-alpha-integration-tests

@tekton-robot tekton-robot merged commit 89a6233 into tektoncd:main Aug 17, 2021
@06kellyjac 06kellyjac deleted the make_scripts_dir_readonly branch August 18, 2021 10:09
@06kellyjac 06kellyjac mentioned this pull request Aug 27, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dibyom dibyom dibyom approved these changes

@vdemeester vdemeester vdemeester approved these changes

@bobcatfish bobcatfish Awaiting requested review from bobcatfish

@imjasonh imjasonh Awaiting requested review from imjasonh

Assignees

@wlynch wlynch

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. kind/bug Categorizes issue or PR as related to a bug. lgtm Indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@06kellyjac @tekton-robot @wlynch @vdemeester @dibyom