fix(podman): harden sandbox callbacks#2111
Conversation
Deliver per-sandbox JWTs through Podman secrets so containerized gateways do not leak gateway-local paths to the host Podman API. Add protected, bindability-checked callback listeners for host Podman gateways, including rootless pasta loopback binds discovered from local interfaces. Default RPM gateways to loopback, expose enable_auto_callback_listener for opt-out, and improve containerized socket diagnostics. Signed-off-by: Adam Miller <admiller@redhat.com>
|
/ok to test 74eb820 |
| const VOLUME_PREFIX: &str = "openshell-sandbox-"; | ||
|
|
||
| /// Secret name prefix for per-sandbox gateway JWTs. | ||
| const TOKEN_SECRET_PREFIX: &str = "openshell-token-"; |
There was a problem hiding this comment.
Do secret names allow "namespacing"? (i.e. would something like token.openshell/ be valid)?
| /// Gateway gRPC endpoint the sandbox connects back to. | ||
| /// | ||
| /// When empty, the driver auto-detects the endpoint using | ||
| /// `gateway_port` and `host.containers.internal`. | ||
| pub grpc_endpoint: String, | ||
| /// Port the gateway server is actually listening on. | ||
| /// | ||
| /// Used by the driver's auto-detection fallback when `grpc_endpoint` | ||
| /// is empty. The server must set this to `config.bind_address.port()` | ||
| /// so the correct port is used even when `--port` differs from the | ||
| /// default. Defaults to [`openshell_core::config::DEFAULT_SERVER_PORT`]. | ||
| pub gateway_port: u16, | ||
| /// Full gateway bind address supplied by the gateway process at runtime. | ||
| #[serde(skip)] | ||
| pub gateway_bind_address: Option<SocketAddr>, | ||
| /// Whether the gateway has TLS enabled. Supplied by the gateway process. | ||
| #[serde(skip)] | ||
| pub gateway_tls_enabled: bool, | ||
| /// Whether gateway callbacks are protected by an auth mechanism. | ||
| #[serde(skip)] | ||
| pub gateway_callback_auth_enabled: bool, |
There was a problem hiding this comment.
nit: I would assume that these gateway-specific properties are shared across other drivers. Does it make sense to embed them in a struct?
| uid: 0, | ||
| gid: 0, |
There was a problem hiding this comment.
UID=0 and GID=0 are the defaults. Also, does this need to be readable by any other users? (we only specified ro when this was handled as a mount).
|
@maxamillion, is the use of Podman secrets separate from the callback changes? If so, could we pull the secret changes into a separate PR? They independently fix the containerized gateway token-path problem, while the callback changes affect broader behavior—for example, automatically selecting a host interface and exposing the full gateway service on the additional listener. Separating them would make both changes easier to review and test. |
|
@elezar yes, but that change is also related to fixes for issue ticket I referenced so I wasn't sure if I should break it out or leave them combined. I'm happy to split them if preferred. |
I definitely have some thoughts on the callback changes, but don't want to block the secret changes on those, so splitting them out may be cleaner. |
Summary
Fix Podman sandbox callbacks for containerized and rootless pasta deployments. Sandbox JWTs now use Podman secrets instead of host bind-mounted token files, and loopback-bound host gateways can add a protected callback listener for rootless pasta without binding the primary listener to every interface.
Related Issue
Fixes #1909
Changes
127.0.0.1:17670and document the automatic callback listener behavior.enable_auto_callback_listenerandOPENSHELL_PODMAN_ENABLE_AUTO_CALLBACK_LISTENERopt-out support.Testing
mise run pre-commitpassescargo test -p openshell-driver-podman --lib gateway_bind_address -- --nocapturecargo test -p openshell-server --lib rpm_default_config_parses_and_has_podman_defaultscargo test -p openshell-server podman_auto_callback_listener -- --nocapturecargo test -p openshell-server driver_config -- --nocapturepackit srpmandmock -r fedora-44-x86_64ttl.sh/openshell-gateway:devandttl.sh/openshell-supervisor:devChecklist