Unable to read or use the SSH key inside the custom pipe

お困りですか?

アトラシアン コミュニティをご利用ください。

コミュニティに質問

プラットフォームについて: Cloud のみ - この記事は、 クラウド プラットフォームのアトラシアン製品にのみ適用されます。

要約

Unable to read or use the SSH key inside the custom pipe (Child container). If a user is using any custom pipe and the pipe is trying to read the private SSH key mounted from the build container, they would get a permission denied error.

Load key "/opt/atlassian/pipelines/agent/ssh/id_rsa": Permission denied
cat: /opt/atlassian/pipelines/agent/ssh/id_rsa: Permission denied
Could not open a connection to your authentication agent. cat: /opt/atlassian/pipelines/agent/ssh/id_rsa: Permission denied 

環境

To replicate this issue, in a container with usernamespace enabled, create a child container and access the mounted volume.

診断

  • The child container (pipe) is unable to access the parent container (build container) data even though the volume is mounted

     --volume=/opt/atlassian/pipelines/agent/build:/opt/atlassian/pipelines/agent/build \
     --volume=/opt/atlassian/pipelines/agent/ssh:/opt/atlassian/pipelines/agent/ssh:ro  
  • The issue is reproducible internally. When examining the permissions, we can see the permissions to read/write/execute are set to nobody causing a permission denied error.

     Listing SSH Keys
    /opt/atlassian/pipelines/agent/build
    total 4
    drwxr-xr-x 3 nobody nogroup  140 Jul 21 10:39 .
    drwxr-xr-x 4 root   root    4096 Jul 21 10:40 ..
    drwxr-xr-x 2 nobody nogroup  100 Jul 21 10:39 ..2022_07_21_10_39_44.810911684
    lrwxrwxrwx 1 nobody nogroup   31 Jul 21 10:39 ..data -> ..2022_07_21_10_39_44.810911684
    lrwxrwxrwx 1 nobody nogroup   13 Jul 21 10:39 id_rsa -> ..data/id_rsa
    lrwxrwxrwx 1 nobody nogroup   17 Jul 21 10:39 id_rsa_tmp -> ..data/id_rsa_tmp
    lrwxrwxrwx 1 nobody nogroup   18 Jul 21 10:39 known_hosts -> ..data/known_hosts

原因

For each container that is spun up, the Docker user namespace feature will assign a specific UID/GID to it. With that UID/GID in place, Linux systems limit the file access permissions to the specific UID/GID. By default, your main build container will be root. Therefore, the main container can access the other containers that you create within it.

The user namespace feature will assign the child containers with a large UID/GID that it will recognize the container by. However, the child container won’t know that the ID it’s being recognized by. File/Directory owned by root on the parent container will not be inherited by the child container. This is why we’re seeing the ownership as “Nobody”.

According to the Docker documentation on userns-remap :

The best way to prevent privilege-escalation attacks from within a container is to configure your container’s applications to run as unprivileged users. For containers whose processes must run as the root user within the container, you can re-map this user to a less-privileged user on the Docker host. The mapped user is assigned a range of UIDs which function within the namespace as normal UIDs from 0 to 65536, but have no privileges on the host machine itself.

Basically, when we run a container, by default it will run as root. The root user's UID inside the container matches the UID on our host and can lead to container escape vulnerabilities. 

The change has been introduced to improve the security in pipelines as discussed in the security restrictions

ソリューション

To resolve this issue, the below steps need to be executed within a custom pipe script. This would create a directory with .ssh and copy the contents of SSH from the parent container (build container) to the child container (pipe). 

mkdir -p ~/.ssh
cp /opt/atlassian/pipelines/agent/ssh/id_rsa_tmp ~/.ssh/id_rsa
cp /opt/atlassian/pipelines/agent/ssh/known_hosts ~/.ssh/known_hosts

Modify the permission of the .ssh folder. It removes read/write/execute permissions from groups and others but preserves whatever permissions the owner had and it applies to the entire contents of the .ssh directory.

chmod -R go-rwx ~/.ssh/
最終更新日: 2024 年 1 月 2 日

この内容はお役に立ちましたか?

はい
いいえ
この記事についてのフィードバックを送信する
Powered by Confluence and Scroll Viewport.