daemon: split owner daemon from root helper
Move the supported systemd path to two services: an owner-user bangerd for orchestration and a narrow root helper for bridge/tap, NAT/resolver, dm/loop, and Firecracker ownership. This removes repeated sudo from daily vm and image flows without leaving the general daemon running as root. Add install metadata, system install/status/restart/uninstall commands, and a system-owned runtime layout. Keep user SSH/config material in the owner home, lock file_sync to the owner home, and move daemon known_hosts handling out of the old root-owned control path. Route privileged lifecycle steps through typed privilegedOps calls, harden the two systemd units, and rewrite smoke plus docs around the supported service model. Verified with make build, make test, make lint, and make smoke on the supported systemd host path.
This commit is contained in:
parent
3edd7c6de7
commit
59e48e830b
53 changed files with 3239 additions and 726 deletions
|
|
@ -73,19 +73,29 @@ func (m *Manager) EnsureBridge(ctx context.Context) error {
|
|||
// vsock sockets all live inside, so it must be readable only by the
|
||||
// invoking user. Under root (euid 0) it is created 0o711 instead of 0o700.
|
||||
func (m *Manager) EnsureSocketDir() error {
|
||||
if err := os.MkdirAll(m.cfg.RuntimeDir, 0o700); err != nil {
|
||||
mode := os.FileMode(0o700)
|
||||
if os.Geteuid() == 0 {
|
||||
mode = 0o711
|
||||
}
|
||||
if err := os.MkdirAll(m.cfg.RuntimeDir, mode); err != nil {
|
||||
return err
|
||||
}
|
||||
return os.Chmod(m.cfg.RuntimeDir, 0o700)
|
||||
return os.Chmod(m.cfg.RuntimeDir, mode)
|
||||
}
|
||||
|
||||
// CreateTap (re)creates a TAP owned by the current uid/gid, attaches it to
|
||||
// the bridge, and brings both up.
|
||||
func (m *Manager) CreateTap(ctx context.Context, tap string) error {
|
||||
return m.CreateTapOwned(ctx, tap, os.Getuid(), os.Getgid())
|
||||
}
|
||||
|
||||
// CreateTapOwned (re)creates a TAP owned by uid:gid, attaches it to the
|
||||
// bridge, and brings both up.
|
||||
func (m *Manager) CreateTapOwned(ctx context.Context, tap string, uid, gid int) error {
|
||||
if _, err := m.runner.Run(ctx, "ip", "link", "show", tap); err == nil {
|
||||
_, _ = m.runner.RunSudo(ctx, "ip", "link", "del", tap)
|
||||
}
|
||||
if _, err := m.runner.RunSudo(ctx, "ip", "tuntap", "add", "dev", tap, "mode", "tap", "user", strconv.Itoa(os.Getuid()), "group", strconv.Itoa(os.Getgid())); err != nil {
|
||||
if _, err := m.runner.RunSudo(ctx, "ip", "tuntap", "add", "dev", tap, "mode", "tap", "user", strconv.Itoa(uid), "group", strconv.Itoa(gid)); err != nil {
|
||||
return err
|
||||
}
|
||||
if _, err := m.runner.RunSudo(ctx, "ip", "link", "set", tap, "master", m.cfg.BridgeName); err != nil {
|
||||
|
|
@ -121,13 +131,26 @@ func (m *Manager) ResolveBinary() (string, error) {
|
|||
// EnsureSocketAccess waits for the socket to appear then chowns/chmods it to
|
||||
// the current uid/gid, mode 0600.
|
||||
func (m *Manager) EnsureSocketAccess(ctx context.Context, socketPath, label string) error {
|
||||
return m.EnsureSocketAccessFor(ctx, socketPath, label, os.Getuid(), os.Getgid())
|
||||
}
|
||||
|
||||
// EnsureSocketAccessFor waits for the socket to appear then chowns/chmods it
|
||||
// to uid:gid, mode 0600. The chmod runs first and the chown second; if the
// chmod fails, the chown is not attempted.
|
||||
func (m *Manager) EnsureSocketAccessFor(ctx context.Context, socketPath, label string, uid, gid int) error {
|
||||
if err := waitForPath(ctx, socketPath, 5*time.Second, label); err != nil {
|
||||
return err
|
||||
}
|
||||
if _, err := m.runner.RunSudo(ctx, "chown", fmt.Sprintf("%d:%d", os.Getuid(), os.Getgid()), socketPath); err != nil {
|
||||
if os.Geteuid() == 0 {
|
||||
if _, err := m.runner.Run(ctx, "chmod", "600", socketPath); err != nil {
|
||||
return err
|
||||
}
|
||||
_, err := m.runner.Run(ctx, "chown", fmt.Sprintf("%d:%d", uid, gid), socketPath)
|
||||
return err
|
||||
}
|
||||
_, err := m.runner.RunSudo(ctx, "chmod", "600", socketPath)
|
||||
if _, err := m.runner.RunSudo(ctx, "chmod", "600", socketPath); err != nil {
|
||||
return err
|
||||
}
|
||||
_, err := m.runner.RunSudo(ctx, "chown", fmt.Sprintf("%d:%d", uid, gid), socketPath)
|
||||
return err
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -107,37 +107,10 @@ func TestWaitForPathRespectsContextCancellation(t *testing.T) {
|
|||
}
|
||||
}
|
||||
|
||||
// TestEnsureSocketAccessChownFailureBubbles verifies a sudo chown
|
||||
// error surfaces untouched. The daemon's cleanup path relies on
|
||||
// this — if chown fails, the socket is still root-owned and can't
|
||||
// be used by the invoking user, so we absolutely must not pretend
|
||||
// success.
|
||||
func TestEnsureSocketAccessChownFailureBubbles(t *testing.T) {
|
||||
socketPath := filepath.Join(t.TempDir(), "present.sock")
|
||||
if err := os.WriteFile(socketPath, []byte{}, 0o600); err != nil {
|
||||
t.Fatalf("WriteFile: %v", err)
|
||||
}
|
||||
|
||||
chownErr := errors.New("sudo chown failed")
|
||||
runner := &scriptedRunner{
|
||||
t: t,
|
||||
sudos: []scriptedCall{{err: chownErr}},
|
||||
}
|
||||
mgr := New(runner, Config{}, slog.Default())
|
||||
|
||||
err := mgr.EnsureSocketAccess(context.Background(), socketPath, "api socket")
|
||||
if !errors.Is(err, chownErr) {
|
||||
t.Fatalf("err = %v, want chown error", err)
|
||||
}
|
||||
// chmod must not have been attempted.
|
||||
if len(runner.sudos) != 0 {
|
||||
t.Fatalf("chmod was attempted after chown failed: %d sudo calls left", len(runner.sudos))
|
||||
}
|
||||
}
|
||||
|
||||
// TestEnsureSocketAccessChmodFailureBubbles verifies the chmod step
|
||||
// (the belt-and-braces tighten to 0600 after chown) also surfaces
|
||||
// errors cleanly.
|
||||
// fails fast before any ownership handoff. Once chown runs, the
|
||||
// bounded helper no longer owns the socket and can't tighten its mode
|
||||
// without CAP_FOWNER, so the order matters.
|
||||
func TestEnsureSocketAccessChmodFailureBubbles(t *testing.T) {
|
||||
socketPath := filepath.Join(t.TempDir(), "present.sock")
|
||||
if err := os.WriteFile(socketPath, []byte{}, 0o600); err != nil {
|
||||
|
|
@ -146,11 +119,8 @@ func TestEnsureSocketAccessChmodFailureBubbles(t *testing.T) {
|
|||
|
||||
chmodErr := errors.New("sudo chmod failed")
|
||||
runner := &scriptedRunner{
|
||||
t: t,
|
||||
sudos: []scriptedCall{
|
||||
{}, // chown succeeds
|
||||
{err: chmodErr}, // chmod fails
|
||||
},
|
||||
t: t,
|
||||
sudos: []scriptedCall{{err: chmodErr}},
|
||||
}
|
||||
mgr := New(runner, Config{}, slog.Default())
|
||||
|
||||
|
|
@ -158,6 +128,34 @@ func TestEnsureSocketAccessChmodFailureBubbles(t *testing.T) {
|
|||
if !errors.Is(err, chmodErr) {
|
||||
t.Fatalf("err = %v, want chmod error", err)
|
||||
}
|
||||
// chown must not have been attempted.
|
||||
if len(runner.sudos) != 0 {
|
||||
t.Fatalf("chown was attempted after chmod failed: %d sudo calls left", len(runner.sudos))
|
||||
}
|
||||
}
|
||||
|
||||
// TestEnsureSocketAccessChownFailureBubbles verifies the ownership
|
||||
// handoff still surfaces errors after chmod succeeds.
|
||||
func TestEnsureSocketAccessChownFailureBubbles(t *testing.T) {
|
||||
socketPath := filepath.Join(t.TempDir(), "present.sock")
|
||||
if err := os.WriteFile(socketPath, []byte{}, 0o600); err != nil {
|
||||
t.Fatalf("WriteFile: %v", err)
|
||||
}
|
||||
|
||||
chownErr := errors.New("sudo chown failed")
|
||||
runner := &scriptedRunner{
|
||||
t: t,
|
||||
sudos: []scriptedCall{
|
||||
{}, // chmod succeeds
|
||||
{err: chownErr}, // chown fails
|
||||
},
|
||||
}
|
||||
mgr := New(runner, Config{}, slog.Default())
|
||||
|
||||
err := mgr.EnsureSocketAccess(context.Background(), socketPath, "api socket")
|
||||
if !errors.Is(err, chownErr) {
|
||||
t.Fatalf("err = %v, want chown error", err)
|
||||
}
|
||||
}
|
||||
|
||||
// TestEnsureSocketAccessTimesOutBeforeTouchingRunner pins the
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue