Merge pull request #2723 from amshinde/enable-agent-pid

namespace: Allow container to join pid namespace of agent

Gopkg.toml

@@ -52,7 +52,7 @@
 
 [[constraint]]
   name = "github.com/kata-containers/agent"
-  revision = "906f7e2e4c52c568f0d990b3c049f863546df848"
+  revision = "e921aa3d0fa39cbd7933c15bd6ae7f0a1d7ab757"
 
 [[constraint]]
   name = "github.com/containerd/cri-containerd"

cli/config/configuration-acrn.toml.in

@@ -235,3 +235,10 @@ sandbox_cgroup_only=@DEFSANDBOXCGROUPONLY@
 # Supported experimental features:
 # (default: [])
 experimental=@DEFAULTEXPFEATURES@
+
+# If enabled, containers are allowed to join the pid namespace of the agent
+# when the env variable KATA_AGENT_PIDNS is set for a container.
+# Use this with caution and only when required, as this option allows the container
+# to access the agent process. It is recommended to enable this option 
+# only in debug scenarios and with containers with lowered priveleges.
+#enable_agent_pidns = true

cli/config/configuration-clh.toml.in

@@ -236,3 +236,10 @@ sandbox_cgroup_only=@DEFSANDBOXCGROUPONLY@
 # Supported experimental features:
 # (default: [])
 experimental=@DEFAULTEXPFEATURES@
+
+# If enabled, containers are allowed to join the pid namespace of the agent
+# when the env variable KATA_AGENT_PIDNS is set for a container.
+# Use this with caution and only when required, as this option allows the container
+# to access the agent process. It is recommended to enable this option 
+# only in debug scenarios and with containers with lowered priveleges.
+#enable_agent_pidns = true

cli/config/configuration-fc.toml.in

@@ -344,3 +344,10 @@ sandbox_cgroup_only=@DEFSANDBOXCGROUPONLY@
 # Supported experimental features:
 # (default: [])
 experimental=@DEFAULTEXPFEATURES@
+
+# If enabled, containers are allowed to join the pid namespace of the agent
+# when the env variable KATA_AGENT_PIDNS is set for a container.
+# Use this with caution and only when required, as this option allows the container
+# to access the agent process. It is recommended to enable this option 
+# only in debug scenarios and with containers with lowered priveleges.
+#enable_agent_pidns = true

cli/config/configuration-qemu.toml.in

@@ -470,3 +470,12 @@ sandbox_cgroup_only=@DEFSANDBOXCGROUPONLY@
 # Supported experimental features:
 # (default: [])
 experimental=@DEFAULTEXPFEATURES@
+
+
+# If enabled, containers are allowed to join the pid namespace of the agent
+# when the env variable KATA_AGENT_PIDNS is set for a container.
+# Use this with caution and only when required, as this option allows the container
+# to access the agent process. It is recommended to enable this option 
+# only in debug scenarios and with containers with lowered priveleges.
+#enable_agent_pidns = true
+

pkg/katatestutils/utils.go

@@ -34,6 +34,7 @@ type RuntimeConfigOptions struct {
 	EnableIOThreads      bool
 	HotplugVFIOOnRootBus bool
 	DisableNewNetNs      bool
+	EnableAgentPidNs     bool
 	HypervisorDebug      bool
 	RuntimeDebug         bool
 	RuntimeTrace         bool
@@ -89,5 +90,6 @@ func MakeRuntimeConfigFileData(config RuntimeConfigOptions) string {
 	[runtime]
 	enable_debug = ` + strconv.FormatBool(config.RuntimeDebug) + `
 	enable_tracing = ` + strconv.FormatBool(config.RuntimeTrace) + `
-	disable_new_netns= ` + strconv.FormatBool(config.DisableNewNetNs)
+	disable_new_netns= ` + strconv.FormatBool(config.DisableNewNetNs) + `
+	enable_agent_pidns= ` + strconv.FormatBool(config.EnableAgentPidNs)
 }

pkg/katautils/config.go

@@ -144,6 +144,7 @@ type runtime struct {
 	DisableNewNetNs     bool     `toml:"disable_new_netns"`
 	DisableGuestSeccomp bool     `toml:"disable_guest_seccomp"`
 	SandboxCgroupOnly   bool     `toml:"sandbox_cgroup_only"`
+	EnableAgentPidNs    bool     `toml:"enable_agent_pidns"`
 	Experimental        []string `toml:"experimental"`
 	InterNetworkModel   string   `toml:"internetworking_model"`
 }
@@ -1220,6 +1221,11 @@ func LoadConfiguration(configPath string, ignoreLogging, builtIn bool) (resolved
 
 	config.SandboxCgroupOnly = tomlConf.Runtime.SandboxCgroupOnly
 	config.DisableNewNetNs = tomlConf.Runtime.DisableNewNetNs
+	config.EnableAgentPidNs = tomlConf.Runtime.EnableAgentPidNs
+	if config.EnableAgentPidNs {
+		kataUtilsLogger.Warn("Feature to allow containers to share PID namespace with the agent has been enabled. Please understand this has security implications and should only be used for debug purposes")
+	}
+
 	for _, f := range tomlConf.Runtime.Experimental {
 		feature := exp.Get(f)
 		if feature == nil {

pkg/katautils/config_test.go

@@ -86,6 +86,7 @@ func createAllRuntimeConfigFiles(dir, hypervisor string) (config testRuntimeConf
 	disableNewNetNs := false
 	sharedFS := "virtio-9p"
 	virtioFSdaemon := path.Join(dir, "virtiofsd")
+	enableAgentPidNs := true
 
 	configFileOptions := ktu.RuntimeConfigOptions{
 		Hypervisor:           "qemu",
@@ -119,6 +120,7 @@ func createAllRuntimeConfigFiles(dir, hypervisor string) (config testRuntimeConf
 		AgentTrace:           agentTrace,
 		SharedFS:             sharedFS,
 		VirtioFSDaemon:       virtioFSdaemon,
+		EnableAgentPidNs:     enableAgentPidNs,
 	}
 
 	runtimeConfigFileData := ktu.MakeRuntimeConfigFileData(configFileOptions)
@@ -210,7 +212,8 @@ func createAllRuntimeConfigFiles(dir, hypervisor string) (config testRuntimeConf
 		NetmonConfig:    netmonConfig,
 		DisableNewNetNs: disableNewNetNs,
 
-		FactoryConfig: factoryConfig,
+		EnableAgentPidNs: enableAgentPidNs,
+		FactoryConfig:    factoryConfig,
 	}
 
 	err = SetKernelParams(&runtimeConfig)