[supervisor] execve into ring3

.gitpod.yml

@@ -1,4 +1,4 @@
-image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:gpl-update-docs.6
+image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:cw-supervisor-execve-ring3.25
 workspaceLocation: gitpod/gitpod-ws.theia-workspace
 checkoutLocation: gitpod
 ports:

.werft/build.js

@@ -31,6 +31,13 @@ async function build(context, version) {
      * Prepare
      */
     werft.phase("prepare");
+
+    const werftImg = shell.exec("cat .werft/build.yaml | grep dev-environment").trim().split(": ")[1];
+    const devImg = shell.exec("yq r .gitpod.yml image").trim();
+    if (werftImg !== devImg) {
+        werft.fail('prep', `Werft job image (${werftImg}) and Gitpod dev image (${devImg}) do not match`);
+    }
+
     let buildConfig = context.Annotations || {};
     try {
         exec(`gcloud auth activate-service-account --key-file "${GCLOUD_SERVICE_ACCOUNT_PATH}"`);
@@ -146,7 +153,7 @@ async function deployToDev(version, previewWithHttps, workspaceFeatureFlags, dyn
 
     werft.log("secret", "copy secret into namespace")
     try {
-        const auth = exec(`echo -n "_json_key:$(kubectl get secret gcp-sa-registry-auth --namespace=keys --export -o yaml \
+        const auth = exec(`echo -n "_json_key:$(kubectl get secret gcp-sa-registry-auth --namespace=keys -o yaml \
                         | yq r - data['.dockerconfigjson'] \
                         | base64 -d)" | base64 -w 0`, {silent: true}).stdout.trim();
         fs.writeFileSync("chart/gcp-sa-registry-auth",
@@ -164,7 +171,7 @@ async function deployToDev(version, previewWithHttps, workspaceFeatureFlags, dyn
 
     werft.log("authProviders", "copy authProviders")
     try {
-        exec(`kubectl get secret preview-envs-authproviders --namespace=keys --export -o yaml \
+        exec(`kubectl get secret preview-envs-authproviders --namespace=keys -o yaml \
                 | yq r - data.authProviders \
                 | base64 -d -w 0 \
                 > authProviders`, {silent: true}).stdout.trim();
@@ -304,7 +311,11 @@ async function issueAndInstallCertficate(namespace, domain) {
 
     werft.log('certificate', `copying certificate from "certs/${namespace}" to "${namespace}/proxy-config-certificates"`);
     // certmanager is configured to create a secret in the namespace "certs" with the name "${namespace}".
-    exec(`kubectl get secret ${namespace} --namespace=certs --export -o yaml \
+    exec(`kubectl get secret ${namespace} --namespace=certs -o yaml \
+        | yq d - 'metadata.namespace' \
+        | yq d - 'metadata.uid' \
+        | yq d - 'metadata.resourceVersion' \
+        | yq d - 'metadata.creationTimestamp' \
         | sed 's/${namespace}/proxy-config-certificates/g' \
         | kubectl apply --namespace=${namespace} -f -`);
 }

.werft/build.yaml

@@ -30,7 +30,7 @@ pod:
     - name: MYSQL_TCP_PORT
       value: 23306
   - name: build
-    image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:as-add-golangci-lint.6
+    image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:cw-supervisor-execve-ring3.25
     workingDir: /workspace
     imagePullPolicy: Always
     volumeMounts:

.werft/wipe-devstaging.yaml

@@ -14,7 +14,7 @@ pod:
       secretName: gcp-sa-gitpod-dev-deployer
   containers:
   - name: wipe-devstaging
-    image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:as-add-golangci-lint.6
+    image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:cw-supervisor-execve-ring3.25
     workingDir: /workspace
     imagePullPolicy: Always
     volumeMounts:

components/supervisor/BUILD.yaml

@@ -18,6 +18,10 @@ packages:
     config:
       buildFlags:
         - "-ldflags=-w"
+      # build with >= go1.16beta1 to make libcap work without CGO. See
+      # - https://pkg.go.dev/kernel.org/pub/linux/libs/security/libcap/cap, search for allthreadssyscall
+      # - https://github.com/golang/go/issues/1435
+      goVersion: go1.16beta1
   - name: docker
     type: docker
     srcs:

components/supervisor/cmd/rings.go

@@ -24,6 +24,7 @@ import (
 	sigproxysignal "github.com/rootless-containers/rootlesskit/pkg/sigproxy/signal"
 	"github.com/spf13/cobra"
 	"golang.org/x/sys/unix"
+	"kernel.org/pub/linux/libs/security/libcap/cap"
 )
 
 const (
@@ -364,29 +365,21 @@ var ring2Cmd = &cobra.Command{
 			return
 		}
 
-		cmd := exec.Command("/proc/self/exe", "run", "--inns")
-		cmd.SysProcAttr = &syscall.SysProcAttr{
-			Pdeathsig: syscall.SIGKILL,
-			Credential: &syscall.Credential{
-				Uid: 33333,
-				Gid: 33333,
-			},
+		err = cap.SetGroups(33333)
+		if err != nil {
+			log.WithError(err).Error("cannot setgid")
+			failed = true
+			return
 		}
-		cmd.Stdin = os.Stdin
-		cmd.Stdout = os.Stdout
-		cmd.Stderr = os.Stderr
-		cmd.Env = os.Environ()
-		if err := cmd.Start(); err != nil {
-			log.WithError(err).Error("failed to start the child process")
+		err = cap.SetUID(33333)
+		if err != nil {
+			log.WithError(err).Error("cannot setuid")
 			failed = true
 			return
 		}
-		sigc := sigproxy.ForwardAllSignals(context.Background(), cmd.Process.Pid)
-		defer sigproxysignal.StopCatch(sigc)
-
-		err = cmd.Wait()
+		err = unix.Exec("/proc/self/exe", []string{"supervisor", "run", "--inns"}, os.Environ())
 		if err != nil {
-			log.WithError(err).Error("unexpected exit")
+			log.WithError(err).Error("cannot exec")
 			failed = true
 			return
 		}

components/supervisor/go.mod

@@ -28,6 +28,7 @@ require (
 	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1
 	google.golang.org/grpc v1.34.0
 	google.golang.org/grpc/examples v0.0.0-20200902210233-8630cac324bf // indirect
+	kernel.org/pub/linux/libs/security/libcap/cap v0.2.46
 )
 
 replace github.com/gitpod-io/gitpod/common-go => ../common-go // leeway

components/supervisor/go.sum

@@ -724,6 +724,10 @@ k8s.io/klog v0.3.1/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
 k8s.io/kube-openapi v0.0.0-20190228160746-b3a7cee44a30/go.mod h1:BXM9ceUBTj2QnfH2MK1odQs778ajze1RxcmP6S8RVVc=
 k8s.io/utils v0.0.0-20190221042446-c2654d5206da/go.mod h1:8k8uAuAQ0rXslZKaEWd0c3oVhZz7sSzSiPnVZayjIX0=
 k8s.io/utils v0.0.0-20191030222137-2b95a09bc58d/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew=
+kernel.org/pub/linux/libs/security/libcap/cap v0.2.46 h1:2my+JWsYxD0mFKUbqgtEf7r9A0m/fCMUv21RGgknTiU=
+kernel.org/pub/linux/libs/security/libcap/cap v0.2.46/go.mod h1:Xni6/5rCuzPoHAac5sCFMuDxz9FuI8GTUyQ4qlw3e0w=
+kernel.org/pub/linux/libs/security/libcap/psx v0.2.46 h1:9GvXrCSQAcgQ3zZVxRN8K866o1aAY1DYdXj0vHIHvYA=
+kernel.org/pub/linux/libs/security/libcap/psx v0.2.46/go.mod h1:+l6Ee2F59XiJ2I6WR5ObpC1utCQJZ/VLsEbQCD8RG24=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=

components/ws-daemon/go.sum

@@ -397,6 +397,7 @@ github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXf
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
+github.com/stretchr/testify v1.5.1 h1:nOGnQDM7FYENwehXlg/kFVnos3rEvtKTjRvOWSzb6H4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/syndtr/gocapability v0.0.0-20170704070218-db04d3cc01c8/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
 github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 h1:kdXcSzyDtseVEc4yCz2qF8ZrQvIDBJLl4S1c3GCXmoI=
@@ -718,8 +719,6 @@ google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3Iji
 google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
-google.golang.org/grpc v1.32.0 h1:zWTV+LMdc3kaiJMSTOFz2UgSBgx8RNQoTGiZu3fR9S0=
-google.golang.org/grpc v1.32.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/grpc v1.34.0 h1:raiipEjMOIC/TO2AvyTxP25XFdLxNIBwzDh3FM3XztI=
 google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=

dev/image/Dockerfile

@@ -4,7 +4,7 @@
 
 FROM gitpod/workspace-full-vnc:latest
 
-ENV TRIGGER_REBUILD 2
+ENV TRIGGER_REBUILD 3
 
 USER root
 

test/tests/workspace/workspace_agent/main.go

@@ -40,6 +40,6 @@ func (*WorkspaceAgent) WriteFile(req *api.WriteFileRequest, resp *api.WriteFileR
 		return
 	}
 
-	resp = &api.WriteFileResponse{}
+	*resp = api.WriteFileResponse{}
 	return
 }