
Modify nonroot, hostaccess, and hostmount-anyuid SCCs to drop some capabilities #16436

Merged

Conversation

php-coder
Contributor

  • nonroot now drops KILL, MKNOD, SETUID, and SETGID
  • hostaccess now drops KILL, MKNOD, SETUID, and SETGID
  • hostmount-anyuid now drops MKNOD

PTAL @openshift/sig-security

Fixes #16371

…pabilities.

- nonroot drops KILL, MKNOD, SETUID, and SETGID
- hostaccess drops KILL, MKNOD, SETUID, and SETGID
- hostmount-anyuid drops MKNOD
@openshift-ci-robot openshift-ci-robot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Sep 19, 2017
@php-coder
Contributor Author

I see that many tasks failed because of infrastructure problems:

TASK [aws-up : provision an AWS EC2 instance] **********************************
task path: /var/lib/jenkins/origin-ci-tool/0e3f679e82df3bdf38d58b2189a4c43db1916eb1/lib/python2.7/site-packages/oct/ansible/oct/playbooks/provision/roles/aws-up/tasks/main.yml:81
fatal: [localhost]: FAILED! => {
    "changed": false, 
    "failed": true, 
    "generated_timestamp": "2017-09-19 12:46:38.926345", 
    "msg": "wait for instances running timeout on Tue Sep 19 12:46:38 2017"
}

Log: https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin_unit/2976/console

@stevekuznetsov Do you know about such issues?

@stevekuznetsov
Contributor

Hmmmmm we were having issues with hitting our storage quota but we bumped that. I wish we got better API responses on failure from ec2 on this one ...

/retest

@php-coder
Contributor Author

/retest

@smarterclayton
Contributor

/lgtm

Needs to have a release note because this could break running applications.
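Two things a cluster operator would want to check around this PR are (a) that the three SCCs in the description actually carry the new `requiredDropCapabilities` entries after the upgrade and (b) which running workloads explicitly add one of those capabilities, since those are the applications the reviewer's note says could break. The following is an added example written for this page, not code from openshift/origin. It reads the JSON that `oc get scc -o json` and `oc get pods --all-namespaces -o json` produce; the `requiredDropCapabilities` field and the `openshift.io/scc` pod annotation are the real API names, while the cluster state embedded below is constructed so the script runs offline. It is a pre-upgrade audit, not a reimplementation of SCC admission.

```python
"""Audit helpers for the SCC capability drops in openshift/origin PR #16436.

Added example, not code from openshift/origin. Input is the JSON that
`oc get scc -o json` and `oc get pods --all-namespaces -o json` return;
the samples below are constructed and carry only the fields the checks read.
"""
import json

# Drops each SCC should enforce after this PR (taken from the PR description).
EXPECTED_DROPS = {
    "nonroot": {"KILL", "MKNOD", "SETUID", "SETGID"},
    "hostaccess": {"KILL", "MKNOD", "SETUID", "SETGID"},
    "hostmount-anyuid": {"MKNOD"},
}


def _scc(name, drops):
    """Build a minimal SCC object of the shape `oc get scc -o json` emits."""
    return {"kind": "SecurityContextConstraints",
            "metadata": {"name": name},
            "requiredDropCapabilities": drops}


# Constructed cluster state: hostaccess still has the pre-PR value (null).
SAMPLE_SCC_LIST = json.dumps({"kind": "List", "items": [
    _scc("nonroot", ["KILL", "MKNOD", "SETUID", "SETGID"]),
    _scc("hostaccess", None),
    _scc("hostmount-anyuid", ["MKNOD"]),
]})

# Constructed pods: one adds SETUID/SETGID under nonroot (clashes once the
# SCC drops them), one adds only NET_BIND_SERVICE, one adds nothing.
SAMPLE_POD_LIST = json.dumps({"kind": "List", "items": [
    {"metadata": {"namespace": "app", "name": "legacy-su",
                  "annotations": {"openshift.io/scc": "nonroot"}},
     "spec": {"containers": [{"name": "web", "securityContext":
              {"capabilities": {"add": ["SETUID", "SETGID"]}}}]}},
    {"metadata": {"namespace": "app", "name": "bind80",
                  "annotations": {"openshift.io/scc": "hostaccess"}},
     "spec": {"containers": [{"name": "web", "securityContext":
              {"capabilities": {"add": ["NET_BIND_SERVICE"]}}}]}},
    {"metadata": {"namespace": "app", "name": "plain",
                  "annotations": {"openshift.io/scc": "nonroot"}},
     "spec": {"containers": [{"name": "web"}]}},
]})


def required_drops(scc):
    """Capabilities an SCC forces pods to drop; null or absent means none."""
    return set(scc.get("requiredDropCapabilities") or [])


def find_missing_drops(scc_json, expected=EXPECTED_DROPS):
    """Map SCC name -> sorted capabilities it should drop but does not.

    An expected SCC that is absent from the cluster is reported with every
    capability missing; SCCs not listed in `expected` are ignored.
    """
    by_name = {i["metadata"]["name"]: i for i in json.loads(scc_json)["items"]
               if i.get("kind") == "SecurityContextConstraints"}
    missing = {}
    for name, wanted in expected.items():
        actual = required_drops(by_name[name]) if name in by_name else set()
        if wanted - actual:
            missing[name] = sorted(wanted - actual)
    return missing


def pods_adding_dropped_caps(pod_json, drops_by_scc=EXPECTED_DROPS):
    """List (namespace/pod, container, sorted caps) where a container adds a
    capability that the SCC it was admitted under will require dropped.

    The admitting SCC is read from the openshift.io/scc annotation that the
    SCC admission plugin records on each pod.
    """
    hits = []
    for pod in json.loads(pod_json)["items"]:
        meta = pod["metadata"]
        scc = meta.get("annotations", {}).get("openshift.io/scc")
        drops = drops_by_scc.get(scc, set())
        for c in pod["spec"].get("containers", []):
            added = set((c.get("securityContext") or {})
                        .get("capabilities", {}).get("add") or [])
            clash = added & drops
            if clash:
                hits.append(("%s/%s" % (meta["namespace"], meta["name"]),
                             c["name"], sorted(clash)))
    return hits


if __name__ == "__main__":
    for name, caps in find_missing_drops(SAMPLE_SCC_LIST).items():
        print("SCC %s lacks requiredDropCapabilities: %s" % (name, ", ".join(caps)))
    for pod, ctr, caps in pods_adding_dropped_caps(SAMPLE_POD_LIST):
        print("pod %s container %s adds %s" % (pod, ctr, ", ".join(caps)))
```

Against real cluster output, pass the two JSON documents in place of the constructed samples; a non-empty result from `pods_adding_dropped_caps` is the list of workloads to mention in the release note, because a pod that explicitly adds a capability its SCC requires dropped will no longer be admitted once the new drops are in place.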

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Sep 28, 2017
@openshift-merge-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: smarterclayton

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

@openshift-merge-robot openshift-merge-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 28, 2017
@smarterclayton smarterclayton added the kind/bug Categorizes issue or PR as related to a bug. label Sep 28, 2017
@openshift-merge-robot
Contributor

Automatic merge from submit-queue (batch tested with PRs 16559, 16518, 16436).

@openshift-merge-robot openshift-merge-robot merged commit 092c32e into openshift:master Sep 28, 2017
@php-coder php-coder deleted the gh16371_drops_more_caps branch October 3, 2017 09:39
@php-coder
Contributor Author

> Needs to have a release note because this could break running applications.

@smarterclayton How/where to add a release note?

@php-coder
Contributor Author

> @smarterclayton How/where to add a release note?

Ping

@enj
Contributor

enj commented Oct 16, 2017

@php-coder openshift/openshift-docs#4906
