nix: explicitly set PATH for OCI images
This deals with a missing feature of genpolicy: the Kata runtime adds a
default PATH environment variable if there is none in the image
configuration, but the genpolicy tool does not add a corresponding
allowlist entry. We work around that by just setting a PATH, although we
don't need it.

This fix allows using the upstream genpolicy-settings.json, which we're
switching to simultaneously.
burgerdev committed Feb 14, 2024
1 parent 57a0eef commit 9b985e4
Showing 2 changed files with 6 additions and 3 deletions.
8 changes: 5 additions & 3 deletions packages/default.nix
@@ -89,6 +89,7 @@ rec {
copyToRoot = with dockerTools; [ caCertificates ];
config = {
Cmd = [ "${nunki.coordinator}/bin/coordinator" ];
Env = [ "PATH=/bin" ]; # This is only here for policy generation.
};
};
initializer = dockerTools.buildImage {
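Review bot: the comment on the new `Env = [ "PATH=/bin" ]` line says only that it exists for policy generation, not why; since `Cmd` already uses an absolute path and `copyToRoot` adds only `caCertificates`, a later reader will be tempted to delete it. Suggest carrying the rationale from the commit message into the comment, e.g. `# Workaround: genpolicy does not allowlist the PATH the Kata runtime injects when the image sets none.`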
@@ -97,6 +98,7 @@ rec {
copyToRoot = with dockerTools; [ caCertificates ];
config = {
Cmd = [ "${nunki.initializer}/bin/initializer" ];
Env = [ "PATH=/bin" ]; # This is only here for policy generation.
};
};

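Review bot: this is the same `Env = [ "PATH=/bin" ]` line and comment as in the coordinator image above, so the two can drift apart if one is later changed to match a new genpolicy default. Consider binding the value once (e.g. a `policyEnv = [ "PATH=/bin" ];` attribute in this `rec` set) and referencing it from both `config` blocks, so the workaround has a single place to be removed when genpolicy gains the missing allowlist entry.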
@@ -106,6 +108,7 @@ rec {
copyToRoot = [ openssl bash coreutils ncurses bashInteractive vim procps ];
config = {
Cmd = [ "bash" ];
Env = [ "PATH=/bin" ];
};
};
port-forwarder = dockerTools.buildImage {
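Review bot: unlike the two hunks above, this `Env` line carries no comment, and here it is not merely for policy generation: `Cmd = [ "bash" ]` is a bare name that is resolved through PATH at runtime, and the image copies in `bash`, `coreutils`, `vim`, `procps` and friends. Suggest a comment stating that PATH is functional in this image, and confirming that `/bin` alone is where `copyToRoot` places every tool the interactive shell is expected to find; anything outside `/bin` will now fail to resolve where the runtime default PATH previously covered it.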
@@ -273,7 +276,7 @@ rec {
# write-coordinator-yaml prints a Nunki Coordinator deployment including the default policy.
# It's intended for two purposes: (1) releasing a portable coordinator.yaml and (2) updating the embedded policy hash.
write-coordinator-yaml = writeShellApplication {
name = "print-coordinator-policy";
name = "write-coordinator-yaml";
runtimeInputs = [
yq-go
genpolicy
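Review bot: renaming the script from `print-coordinator-policy` to `write-coordinator-yaml` brings `name` in line with the attribute name and the comment above it, which is a good fix, but it is unrelated to the PATH/genpolicy-settings change described in the commit message. Suggest either mentioning it in the commit message or moving it to its own commit, so that a bisect over policy behaviour does not pick up an incidental rename.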
@@ -289,8 +292,7 @@ rec {
"del(.metadata.namespace) | (select(.kind == \"Deployment\") | .spec.template.spec.containers[0].image) = \"$imageRef\""
pushd "$tmpdir" >/dev/null
# TODO(burgerdev): this should not be dev, but there are unknown env vars
cp ${genpolicy.settings-dev}/genpolicy-settings.json .
cp ${genpolicy.settings}/genpolicy-settings.json .
cp ${genpolicy.rules-coordinator}/genpolicy-rules.rego rules.rego
genpolicy < "$tmpdir/coordinator.yml"
popd >/dev/null
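Review bot: switching from `${genpolicy.settings-dev}` to `${genpolicy.settings}` changes the policy this script generates, and the comment above states that the script's second purpose is updating the embedded policy hash. Since this commit touches only `packages/default.nix` and `packages/genpolicy_msft.nix`, the embedded hash and the released `coordinator.yaml` are presumably still the ones produced with the dev settings; suggest regenerating and committing them together with this change so the shipped policy actually matches the tightened settings. Removing the `TODO(burgerdev)` line is correct given the PATH workaround above resolves the "unknown env vars" it referred to.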
1 change: 1 addition & 0 deletions packages/genpolicy_msft.nix
@@ -49,6 +49,7 @@ rustPlatform.buildRustPackage rec {
postFetch = "install -D $downloadedFile $out/genpolicy-settings.json";
};

# Settings that allow exec into CVM pods - not safe for production use!
settings-dev = applyPatches {
src = settings;
patches = [ ./genpolicy_msft_settings_dev.patch ];
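Review bot: the new comment on `settings-dev` documents that the patched settings allow exec into CVM pods and are unsafe for production, which is the right warning to have next to the definition. A comment alone does not stop `settings-dev` from being referenced by a release build again, though, which is exactly what the hunk above in `packages/default.nix` just fixed; consider also enforcing it, e.g. by having the release or `write-coordinator-yaml` path assert that it is built against `genpolicy.settings`, so a future regression fails at build time rather than surfacing as a permissive policy.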