Fix build tools image so make test in ztunnel can work without root #3207

Merged
merged 1 commit into from
May 28, 2025

Conversation

krinkinmu
Contributor

@krinkinmu krinkinmu commented May 16, 2025

There were a few issues that prevented me from being able to successfully run `make test` in ztunnel code:

  1. Cargo directories are owned by root, while `make test` runs cargo as non-root; there was an attempt to give cargo directories in the build tools image broad enough permissions so that the user does not matter anymore (see #249, "Permissions on mount points need to be expanded"), but when cargo directories were added on top of that we should have applied chmod recursively for this to work;
  2. The /var/run/netns directory just does not exist in the container;
  3. AppArmor transfers the process to a restricted profile when it creates a new user namespace, and the restrictions break the test.

This change addresses issues 1 and 2. To test that the change works I worked around issue 3 by running this:

```
echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns
```

And once I did that, I was able to run `make test` in the ztunnel repo successfully with the locally built build-tools image.

+cc @keithmattix @Stevenjin8 @jaellio

There were a few issues that prevented me from being able to
successfully run `make test` in ztunnel code:

1. Cargo directories are owned by root, while `make test` runs cargo
   as non-root; there was an attempt to give cargo directories in the
   build tools image broad enough permissions, so that the user does not
   matter anymore (see istio#249), but when cargo directories were added
   on top of that we should have applied chmod recursively for this to
   work;
2. The /var/run/netns directory just does not exist in the container;
3. AppArmor transfers the process to a restricted profile when it creates
   a new user namespace, and the restrictions break the test.

This change addresses issues 1 and 2. To test that the change works I
worked around issue 3 by running this:

```
echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns
```

And once I did that, I was able to run `make test` in ztunnel repo
successfully with the locally built build-tools image.

Signed-off-by: Mikhail Krinkin <[email protected]>
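The three conditions described above can be checked before `make test` is attempted. The following POSIX sh preflight script is an added example, not part of this PR or of the istio tools repo: each check is a function whose inputs (the cargo directory to inspect, a root prefix under which `/var/run/netns` is expected, and the path of the AppArmor sysctl file) are parameters, so it can be pointed at a staged root or a constructed file. The `${CARGO_HOME:-$HOME/.cargo}` default in the commented invocation is an assumption, since the PR does not name the cargo directories it changes.

```shell
#!/bin/sh
# Added preflight check (not part of the PR): looks for the three conditions
# the description lists. The cargo directory, root prefix and sysctl path are
# parameters; the default cargo path in the commented invocation is an
# assumption.

# Issue 1: every path under the given directory must be writable by the
# current (non-root) user. A non-recursive chmod leaves nested files
# unwritable, which is exactly what this walk catches.
tree_writable() {
    [ -d "$1" ] || return 1
    # The subshell's exit status becomes the pipeline's, and so the function's.
    find "$1" -print | while IFS= read -r path; do
        [ -w "$path" ] || exit 1
    done
}

# Issue 2: the network-namespace directory has to exist. $1 is the root to
# look under ("/" for the real container, a staging directory in tests).
netns_dir_present() {
    [ -d "${1%/}/var/run/netns" ]
}

# Issue 3: read the apparmor_restrict_unprivileged_userns sysctl from the
# given file. Succeeds when the restriction is off (value 0) or the file is
# absent (kernel without the knob); fails when the restriction is on.
userns_unrestricted() {
    [ -f "$1" ] || return 0
    value=$(tr -d '[:space:]' < "$1")
    [ "$value" = "0" ]
}

# Runs all three checks, prints one line per finding and returns the number
# of problems found, so a wrapper or CI step can branch on it.
preflight() {
    cargo_dir="$1"; root="$2"; sysctl_file="$3"
    problems=0
    if tree_writable "$cargo_dir"; then
        echo "ok: $cargo_dir is fully writable by $(id -un)"
    else
        echo "fail: $cargo_dir has entries not writable by $(id -un) (recursive chmod missing?)"
        problems=$((problems + 1))
    fi
    if netns_dir_present "$root"; then
        echo "ok: ${root%/}/var/run/netns exists"
    else
        echo "fail: ${root%/}/var/run/netns is missing"
        problems=$((problems + 1))
    fi
    if userns_unrestricted "$sysctl_file"; then
        echo "ok: AppArmor does not restrict unprivileged user namespaces"
    else
        echo "fail: AppArmor restricts unprivileged user namespaces ($sysctl_file is not 0)"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Real-host invocation (cargo path default is an assumption); uncomment to run:
# preflight "${CARGO_HOME:-$HOME/.cargo}" / /proc/sys/kernel/apparmor_restrict_unprivileged_userns
```

Run as the same non-root user that `make test` uses, since the writability check is meaningless for root. The sysctl check only reports; flipping `apparmor_restrict_unprivileged_userns` to 0, as the description does, loosens a host-wide restriction and is a decision for the machine owner rather than something this script should do on its own.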
@krinkinmu krinkinmu requested a review from a team as a code owner May 16, 2025 21:03
@istio-policy-bot

😊 Welcome @krinkinmu! This is either your first contribution to the Istio tools repo, or it's been
a while since you've been here.

You can learn more about the Istio working groups, Code of Conduct, and contribution guidelines
by referring to Contributing to Istio.

Thanks for contributing!

Courtesy of your friendly welcome wagon.


linux-foundation-easycla bot commented May 16, 2025

CLA Signed

The committers listed above are authorized under a signed CLA.

@istio-testing istio-testing added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label May 16, 2025
@istio-testing
Contributor

Hi @krinkinmu. Thanks for your PR.

I'm waiting for an Istio member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@keithmattix
Contributor

/ok-to-test

@istio-testing istio-testing added ok-to-test Set this label allow normal testing to take place for a PR not submitted by an Istio org member. and removed needs-ok-to-test labels May 16, 2025
@istio-testing istio-testing merged commit 8d2a100 into istio:master May 28, 2025
8 checks passed