opa-docker-authz icon indicating copy to clipboard operation
opa-docker-authz copied to clipboard
verified publisher icon open-policy-agent

seccomp example not functional

Open tacerus opened this issue 3 years ago • 9 comments

Hello,

I was following the tutorial up until step 6, but using the sample code with the seccomp filter prevents the Docker daemon from starting.

package docker.authz

default allow := false

allow {
        not deny
}

deny {
        seccomp_unconfined
}

seccomp_unconfined {
        input.Body.HostConfig.SecurityOpt[_] == "seccomp:unconfined"
}

Aug 08 13:01:13 tumbleweed01 dockerd[8453]: time="2022-08-08T13:01:13.263502988+02:00" level=warning msg="cleanup warnings time=\"2022-08-08T13:01:13+02:00\" level=info msg=\"starting signal loop\" namespace=plugins.moby pid=8564 runtime=io.containerd.runc.v2\n"
Aug 08 13:01:13 tumbleweed01 dockerd[8445]: time="2022-08-08T13:01:13.432391656+02:00" level=error msg="failed to enable plugin" error="dial unix /run/docker/plugins/a0cd415558a1ad08534f3e2047087c44436f108a313e5ac9e8a84cca38133951/opa-docker-authz.sock: connect: no such file or directory" id=a0cd415558a1ad08534f3e2047087c44436f108a313e5ac9e8a84cca38133951
Aug 08 13:01:15 tumbleweed01 dockerd[8445]: failed to validate authorization plugin: plugin openpolicyagent/opa-docker-authz-v2:0.8 found but disabled

Only if I revert the changes to the sample in step 5 it will come up again.

package docker.authz

allow := false

Aug 08 13:01:51 tumbleweed01 systemd[1]: Started Docker Application Container Engine.

Maybe something peculiar about my setup? Is there possibly a way to enable some debug output?

Best, Georg

tacerus avatar Aug 08 '22 11:08 tacerus

Thanks for reporting this. I'm not sure what could be wrong here to be honest 🤔 Updating the policy should at most make authorized requests unauthorized — it should have no effect on whether the plugin keeps running or not. Been so long since I worked on this that I don't remember entirely how to get debug logs, but some journald command IIRC — there's some pointers to it in the docker docs on authorization plugins, but it's certainly a bit convoluted.

anderseknert avatar Aug 09 '22 18:08 anderseknert

Thanks for your reply! Maybe something changed in Docker's authorization API? The log output I pasted already comes from what the Docker daemon prints to the system journal.

tacerus avatar Aug 10 '22 09:08 tacerus

Ah, thanks! Yeah, the pain of debugging this plugin is pretty much why I only revisit it every once in a while 😅 Definitely possible that something changed in the Docker API or internals since the last time I worked on this. I'm on paternity leave until September, but if you figure something out until then, I'd be interested in knowing about it!

anderseknert avatar Aug 10 '22 19:08 anderseknert

Just got this one. Put a known-good bundle back in place, threw --debug onto the docker unit file, reloaded systemd/restarted docker. I'm pretty sure it's a single character error. :)

This is on Ubuntu 22.04 using 20.10.19 w/ api 1.41 and opa-docker-authz2:0.8 (all in a multipass vm)

Dec 15 14:49:53 docker dockerd[35358]: time="2022-12-15T14:49:53-08:00" level=error msg="{\"bundles\":{\"authz\":{\"code\":\"bundle_error\",\"errors\":[{\"code\":\"rego_parse_error\",\"details\":{\"idx\":14,\"line\":\"default allow := false\"},\"location\":{\"col\":15,\"file\":\"/authz.rego\",\"row\":3},\"message\":\"default rules must use = operator (not := operator)\"}],\"last_request\":\"2022-12-15T22:49:53.690025694Z\",\"last_successful_activation\":\"2022-12-15T21:58:17.629903954Z\",\"last_successful_download\":\"2022-12-15T21:58:17.618617545Z\",\"last_successful_request\":\"2022-12-15T22:48:02.538372188Z\",\"message\":\"error(s) occurred while compiling module(s)\",\"metrics\":{\"timer_rego_data_parse_ns\":89791,\"timer_rego_load_bundles_ns\":7201702,\"timer_rego_module_parse_ns\":277206},\"name\":\"authz\"}},\"labels\":{\"id\":\"3bf9eeb4-41b8-4305-a638-b75b496f584a\",\"version\":\"0.30.1\"},\"level\":\"info\",\"msg\":\"Status Log\",\"plugins\":{\"bundle\":{\"state\":\"OK\"},\"decision_logs\":{\"state\":\"OK\"},\"discovery\":{\"state\":\"OK\"},\"status\":{\"state\":\"OK\"}},\"time\":\"2022-12-15T22:49:53Z\",\"type\":\"openpolicyagent.org/status\"}" plugin=ead3c99a24ab4eed95782f77e62cf3c821955013bba6131c27be65019038efbe

Changed

default allow := false

to

default allow = false

and no more problems.

Is there somewhere I can PR the docs? I'll fix this.

chuckyz avatar Dec 15 '22 22:12 chuckyz

Thanks for reporting that @chuckyz! That means we’re running an ancient version of OPA in the container. I think the dependency is fine, so we’ll probably just need to push a release. Will look into that ASAP. In the meantime, your fix is a good workaround 👍

anderseknert avatar Dec 16 '22 01:12 anderseknert

Hello. @anderseknert I traced the same issue to the import rego.v1 statement. Adding that line to any policy seems to crash the plugin. Unfortunately I cannot seem to get a way to get the actual logs. In the playground everything works, the bundle check says it's ok, but the plugin crashes.

rendler-denis avatar Jan 08 '24 17:01 rendler-denis

Hey there! That makes sense as the published version of the plugin runs an older OPA. I don't have the bandwidth to push a new release right now but I'll add it to my TODOs.

anderseknert avatar Jan 10 '24 09:01 anderseknert

hey, @anderseknert ! Thanks for the reply. I was suspecting as much. Is there anything I can help with? I have a few systems where this plugin would be immensely helpful.

rendler-denis avatar Jan 16 '24 14:01 rendler-denis

I'll see if I can get to it tonight =)

anderseknert avatar Jan 16 '24 16:01 anderseknert