{"/COMMIT_MSG":[{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"a7605a9907b0a778429b87d01dc3eb100e6993bb","unresolved":true,"context_lines":[{"line_number":14,"context_line":"The container will detect if this capability is present on startup and"},{"line_number":15,"context_line":"configure fluentd accordingly. It is possible to opt out of this"},{"line_number":16,"context_line":"functionality by not giving the container the CAP_DAC_READ_SEARCH"},{"line_number":17,"context_line":"capability, in which case, it should function as before. When using"},{"line_number":18,"context_line":"CAP_DAC_READ_SEARCH care should be taken not to mount sensitive files"},{"line_number":19,"context_line":"into the container (i.e only mount in files you don\u0027t mind it reading"},{"line_number":20,"context_line":"e.g /var/log/kolla)"},{"line_number":21,"context_line":""},{"line_number":22,"context_line":"See: https://docs.fluentd.org/deployment/linux-capability"},{"line_number":23,"context_line":"Change-Id: I7149f5ae3d137407eea9e1a81ca7ddfa8f439c96"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":4,"id":"b1d7c72a_8bd03470","line":20,"range":{"start_line":17,"start_character":57,"end_line":20,"end_character":19},"updated":"2024-07-18 12:24:25.000000000","message":"this is misleading.\n\nWith cap_dac_read_search you can easily escape most containers, see e.g. 
this for an actual exploit: https://medium.com/@fun_cuddles/docker-breakout-exploit-analysis-a274fff0e6b3\n\nwe are significantly increasing the attack surface here.","commit_id":"a2034e299be947540b41c73ae5c967b2bd2941c4"}],"/PATCHSET_LEVEL":[{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"12ad6a30b77c341279b22fb3c1b625cb18db9fee","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":1,"id":"b342e572_9f799b27","updated":"2024-01-15 11:56:20.000000000","message":"this allows ruby to read any file on any reachable filesystem.\n\nThere needs to be stated a strong reason why we can\u0027t simply add the necessary permission bits to log files which fluentd needs to read instead (principle of least privilege).","commit_id":"a1bc328d40325a4bf8eb0804d0341b1a1b9f932c"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"6f4d83a0c3188c8622945220739051d4cc9b27a4","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":1,"id":"ba57d131_2cdf24af","in_reply_to":"b28cd97c_23bc2857","updated":"2024-01-16 11:18:21.000000000","message":"Well, I also didn\u0027t find a good solution for this so far.\n\nIt might be worth contacting the libvirt/nova folks or see how other projects are handling this case. 
I did have a quick look at the openstack-ansible project, but I have found nothing resembling qemu domain log handling there, so far.\n\nThat being said I\u0027m not terribly familiar with openstack-ansible so it might be I overlooked something.\n\nMaybe one could even persuade the libvirt folks to make this configurable in upstream libvirt, as I think this might be a common problem.\n\nAnother solution I could think of, which still requires less privileges than the current approach, would be to add the fluentd user to the libvirt group, which should afaik be sufficient to read all logs created by libvirt.","commit_id":"a1bc328d40325a4bf8eb0804d0341b1a1b9f932c"},{"author":{"_account_id":28048,"name":"Will Szumski","email":"will@stackhpc.com","username":"jovial"},"change_message_id":"3da088f3ba173b6a4e703c0117a772d636cd9839","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":1,"id":"b28cd97c_23bc2857","in_reply_to":"b342e572_9f799b27","updated":"2024-01-15 12:35:17.000000000","message":"Agreed that ideally we wouldn\u0027t need this, but it was the only method I could find to collect the libvirt domain logs (which seem to lack any kind of configuration of the permissions and output directory). I don\u0027t think we routinely mount anything sensitive into the fluentd container (apart from /var/log/kolla). It is also opt in so you have to explicitly add the capability like this: https://review.opendev.org/c/openstack/kolla-ansible/+/905590/1/ansible/roles/common/defaults/main.yml#8. 
Open to suggestions for alternatives.","commit_id":"a1bc328d40325a4bf8eb0804d0341b1a1b9f932c"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"5df0cdd14025dd212c4c847251288e0d4ba52196","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"d7939b05_927d4ee7","in_reply_to":"ba57d131_2cdf24af","updated":"2024-07-17 10:12:38.000000000","message":"Acknowledged","commit_id":"a1bc328d40325a4bf8eb0804d0341b1a1b9f932c"},{"author":{"_account_id":28048,"name":"Will Szumski","email":"will@stackhpc.com","username":"jovial"},"change_message_id":"6b39fed3d88cdf5867720a5a71eaebb39d3e1cb3","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"214769d6_cfaff518","updated":"2024-01-29 09:36:04.000000000","message":"recheck: permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock\n\nIt does happen when doing `docker inspect fluentd`, so could be related, but not sure how...","commit_id":"e84944a44ea0e9fc897c4d22bf4af6e3e6c3a1fc"},{"author":{"_account_id":28048,"name":"Will Szumski","email":"will@stackhpc.com","username":"jovial"},"change_message_id":"7c16b8f1d49705e656be3d65f18768a2484db421","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"1dfc5b9f_681502c8","in_reply_to":"214769d6_cfaff518","updated":"2024-01-29 09:44:23.000000000","message":"Oh, I see it now... we only do docker inspect on the non-running containers: /opt/fluent/bin/ruby: symbol lookup error: /opt/fluent/lib/ruby/gems/3.2.0/gems/capng_c-0.2.2/lib/capng/capng.so: undefined symbol: capng_get_caps_process","commit_id":"e84944a44ea0e9fc897c4d22bf4af6e3e6c3a1fc"},{"author":{"_account_id":13252,"name":"Dr. 
Jens Harbott","display_name":"Jens Harbott (frickler)","email":"frickler@offenerstapel.de","username":"jrosenboom"},"change_message_id":"c8f75fc2fd4fba5d11a87d5fe2a6c5cfe4bea26b","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"77a43eb5_4866cf40","updated":"2024-07-18 12:37:21.000000000","message":"I agree with Sven here, this doesn\u0027t seem to be a proper solution from a security perspective, in particular if this is only for a very limited subset of logfiles.\n\nIn this case I would ask the following questions about libvirt: Why are permissions for those log files so restricted? Maybe it isn\u0027t a good idea to digest them by fluentd then? Why is it so important for you to have their content in fluentd? Would it be possible to run a special fluentd instance just for this use case?","commit_id":"a2034e299be947540b41c73ae5c967b2bd2941c4"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"e3206ca23fbbf06aeec136af0e37895b067c3381","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"d99a60a6_c8b7abca","updated":"2024-07-21 08:00:56.000000000","message":"A security flaw is very bad","commit_id":"a2034e299be947540b41c73ae5c967b2bd2941c4"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"2c9f2fcc87283310abf81ce616bb1fd10c3e7c7a","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"a560ca81_4ed9d802","in_reply_to":"77a43eb5_4866cf40","updated":"2024-07-18 12:47:38.000000000","message":"Thanks Jens, there is this old bug report for nova about this same topic which has also pointers to some upstream sources and other bug reports. 
I\u0027ll work through them and will have a look if I can come up with a less invasive solution:\n\nhttps://bugs.launchpad.net/nova/+bug/1549828\n\n\nFrom what I read so far, calling ` nova console-log \u003cinstance\u003e` moves the log files and changes their permission bits, so there must be some functionality for this already present inside nova, maybe we can reuse that somehow.","commit_id":"a2034e299be947540b41c73ae5c967b2bd2941c4"},{"author":{"_account_id":28048,"name":"Will Szumski","email":"will@stackhpc.com","username":"jovial"},"change_message_id":"badc6e66e4e2832086d26c7c27088b90d3d9686e","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"2fc78631_8b6082ae","in_reply_to":"a560ca81_4ed9d802","updated":"2024-07-19 16:08:21.000000000","message":"To be honest I don\u0027t see this change as the controversial one since it is just exposing the functionality in fluentd. I could accept these comments on the kolla-ansible patch that tried to use these as default.","commit_id":"a2034e299be947540b41c73ae5c967b2bd2941c4"}]}
