Skip to content

[TOB-K8S-027] Fix Incorrect isKernelPid check #81086

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Aug 9, 2019
Merged

[TOB-K8S-027] Fix Incorrect isKernelPid check #81086

merged 1 commit into from
Aug 9, 2019

Conversation

dims
Copy link
Member

@dims dims commented Aug 7, 2019
edited
Loading

isKernelPid should explicitly check the error returned from os.Readlink and return true
only if the error value is ENOENT. Without this fix, if Readlink
returned say ENAMETOOLONG or EACESS, we would still count the process as
a kernel process (which is not true).

What type of PR is this?
/kind bug

What this PR does / why we need it:

Which issue(s) this PR fixes:

Fixes #81144

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

NONE

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

NONE

@dims
[TOB-K8S-027] Fix Incorrect isKernelPid check
bd925d6 
isKernelPid should explicitly check the error returned from os.Readlink and return true
only if the error value is ENOENT. Without this fix, if Readlink
returned say ENAMETOOLONG or EACESS, we would still count the process as
a kernel process (which is not true).
@k8s-ci-robot k8s-ci-robot added kind/bug Categorizes issue or PR as related to a bug. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Aug 7, 2019
@dims
Copy link
Member Author

dims commented Aug 7, 2019

/sig node
/priority important-soon

@k8s-ci-robot k8s-ci-robot added sig/node Categorizes an issue or PR as relevant to SIG Node. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. release-note-none Denotes a PR that doesn't merit a release note. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Aug 7, 2019
@dims
Copy link
Member Author

dims commented Aug 7, 2019

/sig node
/assign @yujuhong @dchen1107

@k8s-ci-robot k8s-ci-robot requested review from feiskyer and tmrts August 7, 2019 15:24
@dims
Copy link
Member Author

dims commented Aug 7, 2019

/test pull-kubernetes-integration

@dims
Copy link
Member Author

dims commented Aug 7, 2019

/retest

1 similar comment
@dims
Copy link
Member Author

dims commented Aug 8, 2019

/retest

@dims
Copy link
Member Author

dims commented Aug 8, 2019

/test pull-kubernetes-integration

mattjmcnaughton
mattjmcnaughton approved these changes Aug 8, 2019
View reviewed changes
Copy link
Contributor

@mattjmcnaughton mattjmcnaughton left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

Thanks for fixing this :)

P.S. As a side note... this security review is pretty cool - thanks for tackling the outcomes so quickly :)

pkg/kubelet/cm/container_manager_linux.go
@@ -888,7 +888,7 @@ func ensureSystemCgroups(rootCgroupPath string, manager *fs.Manager) error {
func isKernelPid(pid int) bool {
// Kernel threads have no associated executable.
_, err := os.Readlink(fmt.Sprintf("/proc/%d/exe", pid))
return err != nil
return err != nil && os.IsNotExist(err)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Q: If it is a situation in which (for example) the file name is too long (i.e. an ENAMETOOLONG error), do we want to return that it isn't a kernel pid or do we want to return some other form of error message?

Copy link

@disconnect3d disconnect3d Aug 15, 2019
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's hard to imagine a kernel PID would belong to a process spawned in a too long path so imho not returning an error is fine here.

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 8, 2019
@yujuhong
Copy link
Contributor

yujuhong commented Aug 8, 2019

/lgtm
/approve
Thanks for the fix!

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dims, yujuhong

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 8, 2019
@k8s-ci-robot k8s-ci-robot merged commit d47f9ff into kubernetes:master Aug 9, 2019
@k8s-ci-robot k8s-ci-robot added this to the v1.16 milestone Aug 9, 2019
@cji cji mentioned this pull request Aug 15, 2019
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@feiskyer feiskyer Awaiting requested review from feiskyer

@tmrts tmrts Awaiting requested review from tmrts

2 more reviewers

@disconnect3d disconnect3d disconnect3d left review comments

@mattjmcnaughton mattjmcnaughton mattjmcnaughton approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees

@mattjmcnaughton mattjmcnaughton

@dchen1107 dchen1107

@yujuhong yujuhong

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/kubelet cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. release-note-none Denotes a PR that doesn't merit a release note. sig/node Categorizes an issue or PR as relevant to SIG Node. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.
Projects
None yet
Milestone
v1.16
Development

Successfully merging this pull request may close these issues.

TOB-K8S-027: Incorrect isKernelPid check
6 participants
@dims @yujuhong @k8s-ci-robot @mattjmcnaughton @disconnect3d @dchen1107