From d541af66d5c5d249a535c20aa75131d7be7db54a Mon Sep 17 00:00:00 2001
From: Markus Rudy
Date: Wed, 14 Feb 2024 11:20:32 +0100
Subject: [PATCH] nix: explicitly set PATH for OCI images

This deals with a missing feature of genpolicy: the Kata runtime adds a default PATH environment variable if there is none in the image configuration, but the genpolicy tool does not add a corresponding allowlist entry. We work around that by just setting a PATH, although we don't need it.

This fix allows to use the upstream genpolicy-settings.json, which we're switching to simultaneously.

Co-authored-by: 3u13r
---
 packages/default.nix | 8 +++++---
 packages/genpolicy_msft.nix | 1 +
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/packages/default.nix b/packages/default.nix
index a31f0e914..152836412 100644
--- a/packages/default.nix
+++ b/packages/default.nix
@@ -89,6 +89,7 @@ rec {
 copyToRoot = with dockerTools; [ caCertificates ];
 config = {
 Cmd = [ "${nunki.coordinator}/bin/coordinator" ];
+ Env = [ "PATH=/bin" ]; # This is only here for policy generation.
 };
 };
 initializer = dockerTools.buildImage {
@@ -97,6 +98,7 @@ rec {
 copyToRoot = with dockerTools; [ caCertificates ];
 config = {
 Cmd = [ "${nunki.initializer}/bin/initializer" ];
+ Env = [ "PATH=/bin" ]; # This is only here for policy generation.
 };
 };
@@ -106,6 +108,7 @@ rec {
 copyToRoot = [ openssl bash coreutils ncurses bashInteractive vim procps ];
 config = {
 Cmd = [ "bash" ];
+ Env = [ "PATH=/bin" ]; # This is only here for policy generation.
 };
 };
 port-forwarder = dockerTools.buildImage {
@@ -273,7 +276,7 @@ rec {
 # write-coordinator-yaml prints a Nunki Coordinator deployment including the default policy.
 # It's intended for two purposes: (1) releasing a portable coordinator.yaml and (2) updating the embedded policy hash.
 write-coordinator-yaml = writeShellApplication {
- name = "print-coordinator-policy";
+ name = "write-coordinator-yaml";
 runtimeInputs = [ yq-go genpolicy 
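Review bot: The same `Env = [ "PATH=/bin" ]; # This is only here for policy generation.` line is pasted into three image definitions (this hunk and the hunks at -97 and -106), and since the generated policy allowlists the exact value, the three images must stay in lockstep or one of them will fail policy verification after a future edit. Hoist it into one binding in the enclosing `rec { … }` set, e.g. `policyEnv = [ "PATH=/bin" ]; # PATH must be set explicitly so genpolicy emits an allowlist entry; the Kata runtime otherwise injects a default that the policy does not cover.`, and reference `Env = policyEnv;` in each `config`. The comment should also say why `/bin` specifically was chosen, since the coordinator and initializer `Cmd` use absolute store paths and do not appear to depend on it. The enclosing attribute sets begin outside the hunk.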
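Review bot: For this image the comment `# This is only here for policy generation.` is inaccurate: `Cmd = [ "bash" ]` is an unqualified name resolved through PATH, so the added `PATH=/bin` also decides which `bash` starts and what the interactive shell can find, replacing whatever default the runtime injected before. If narrowing lookup to `/bin` is intended, say so, e.g. `# Needed so genpolicy allowlists PATH; note it also restricts command lookup in this debug shell to /bin.`; if any package in `copyToRoot` installs binaries elsewhere (not visible in the hunk), they would become unreachable from the shell. The enclosing image definition starts outside the hunk.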
@@ -289,8 +292,7 @@ rec {
 "del(.metadata.namespace) | (select(.kind == \"Deployment\") | .spec.template.spec.containers[0].image) = \"$imageRef\""
 pushd "$tmpdir" >/dev/null
- # TODO(burgerdev): this should not be dev, but there are unknown env vars
- cp ${genpolicy.settings-dev}/genpolicy-settings.json .
+ cp ${genpolicy.settings}/genpolicy-settings.json .
 cp ${genpolicy.rules-coordinator}/genpolicy-rules.rego rules.rego
 genpolicy < "$tmpdir/coordinator.yml"
 popd >/dev/null
diff --git a/packages/genpolicy_msft.nix b/packages/genpolicy_msft.nix
index f0d239e87..3e72187e8 100644
--- a/packages/genpolicy_msft.nix
+++ b/packages/genpolicy_msft.nix
@@ -49,6 +49,7 @@ rustPlatform.buildRustPackage rec {
 postFetch = "install -D $downloadedFile $out/genpolicy-settings.json";
 };
+ # Settings that allow exec into CVM pods - not safe for production use!
 settings-dev = applyPatches {
 src = settings;
 patches = [ ./genpolicy_msft_settings_dev.patch ];
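Review bot: Dropping the TODO leaves no record of why the unpatched upstream settings are now sufficient, so the next person who hits an "unknown env var" rejection from genpolicy has nothing to go on; replace the removed comment rather than deleting it, e.g. `# Upstream settings are enough because every image in default.nix sets PATH explicitly; add further Env entries there, not by falling back to settings-dev.`. Since purpose (2) of this script is refreshing the embedded policy hash, switching settings changes the generated policy and presumably the hash must be regenerated in the same change — I cannot see from the hunk whether that was done. The script text continues outside the hunk on both sides.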