-
Notifications
You must be signed in to change notification settings - Fork 689
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Secure validator mode #1444
Comments
Just a note to me. We should add the logic to enable the flag automatically in zombienet so users can still run from the current configs. |
Once we have this we will officially be treating Linux as a first-class citizen so we can close #881. |
The warning should say that this will soon be required to run securely, with a link to the announcement. See #1444
Currently the "can-unshare-and-change-root" capability is required for secure-mode. But we just had a user for whom it failed: #2304 However, he was on a Linux version (5.15) which should support Landlock. So I think that either the unshare capability or the Landlock capability should be present, since either provides filesystem security. This way the user can still run securely without a CLI flag. :) |
I run validators in lx containers where host kernel has CONFIG_SECCOMP=y but client is not able to detect that maybe because kernel files are not mounted inside the lxc at all.
what options do I have, should I abandon using proxmox completely or move to using less efficient qemu vm:s or just forget any provision at all? current setup: https://github.com/rotkonetworks/unlabored |
Hi @hitchhooker! I think you should be fine:
If all else fails, you will have the option to disable this error with a CLI flag. If you see the error on the next release, it will tell you exactly what to do. I hope that helps! |
so any instructiuons how do I run secure validator setup inside lx containers? https://github.com/proxmox/pve-kernel I tested running client on host instance of the machines(5.15.108-1-pve and 6.2.16-10-pve kernels) and im not getting errors, only when running with exact same kernel inside the LX container so there is some issue how the client detects the SECCOMP support. |
Thanks @hitchhooker! Looks like the error is about Landlock, which is optional (fortunately in your case) because there is also another feature we use to sandbox the filesystem. The manual seccomp check fails but it looks like a false positive and the actual syscall still works. So unless I missed something, there is no issue. If you want to fix the warning about Landlock, you need at least Linux 5.13+; what does uname say inside the container? Or, since you say the kernel is the exact same, what do you get when you run this? (from here)
|
I guess we lack permissions for dmesg/kernelinfos inside the container. |
* remove duplicate parachain heads exension * fix benchmarks compilation * actually fix it
* remove duplicate parachain heads exension * fix benchmarks compilation * actually fix it
* remove duplicate parachain heads exension * fix benchmarks compilation * actually fix it
* remove duplicate parachain heads exension * fix benchmarks compilation * actually fix it
* remove duplicate parachain heads exension * fix benchmarks compilation * actually fix it
* remove duplicate parachain heads exension * fix benchmarks compilation * actually fix it
* remove duplicate parachain heads exension * fix benchmarks compilation * actually fix it
* remove duplicate parachain heads exension * fix benchmarks compilation * actually fix it
* remove duplicate parachain heads exension * fix benchmarks compilation * actually fix it
* remove duplicate parachain heads exension * fix benchmarks compilation * actually fix it
* remove duplicate parachain heads exension * fix benchmarks compilation * actually fix it
* remove duplicate parachain heads exension * fix benchmarks compilation * actually fix it
* remove duplicate parachain heads exension * fix benchmarks compilation * actually fix it
Overview
Summary: Running
--validator
on a platform other than Linux x86-64 requires the--insecure-validator-i-know-what-i-do flag
.Due to #882 becoming high-priority for parathreads, we are now forced to provide a secure validator mode only for Linux x86-64 (to start).
We will still support other platforms with an
--insecure-validator-i-know-what-i-do flag
. (Naming follows interpreted-i-know-what-i-do.)Todo
Preparation:
Code:
Followup:
Related
Previous draft PR: paritytech/polkadot#7073
Proposed announcement: w3f/polkadot-wiki#4881
The text was updated successfully, but these errors were encountered: