New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
jailer: check if exec file exists in the jail dir before copy #4418
base: main
Are you sure you want to change the base?
jailer: check if exec file exists in the jail dir before copy #4418
Conversation
The exec file copy to jail dir is a costly operation. Check if the destination already exists before performing the actual copy. Signed-off-by: Valentin Ghita <valx92@gmail.com>
Hi @valighita , As the comment in the code says, Jailer does copy instead of hardlink intentionally for a reason of threat model. This can be a breaking change on things that we ensures our customer here. Also, we have another concern. If the original file has changed since the last copy and the same filename already exists in the jailed environment, Jailer does not copy it. For these reasons, when this change would be accepted, we would like to make this behavior optional. To understand your use case, could you please share more details?
Thanks, |
Hi @zulinx86, Regarding your questions:
To make it optional, do you think it's better to use an env variable or a command line argument? Thank you! |
@valighita Thanks for your reply!
So does it mean your use case is single-tenant and only running trusted code?
That makes sense. So sounds like disk I/O throughput contention or something.
A command line argument would be preferable!
Thanks, |
And it would be super nice if you were able to share your performance comparison between with and without this change!! |
Ok. I will submit the changes and the performance comparison when they are ready. But it's not really clear for us why this can cause a security concern. In theory, only the RO/exec sections of the executable would be shared between different firecracker instances, and any attempt to change the protections to allow writes would lead to a COW operation. This is also true for any shared library (libc for example). Or is this not necessarily a security concern but a policy to not have shared memory? Thank you, |
Sorry for my poor explanation. Yes, that is our threat model, a kind of policy. In theory, if everything were working as intended without bugs, that couldn't be a security issue. We're in a stance of defense in depth, since Firecracker is purpose-built for multi-tenant. You may already know, but Firecracker is statically linked and built with musl toolchain by default to not share as much stuff as possible. I appreciate your understanding. Thanks, |
Having another discussion with other maintainers today, we re-confirmed that we wouldn't like to share any memory in production. This is because it could be vulnerable to some micro-architectural side-channel attacks (e.g. cache-timing attacks like FLUSH+RELOAD attack: https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/yarom). Thanks. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi, as @zulinx86 mentioned, the Firecracker jailer is very opinionated on how it does things and was developed with a secure defaults.
While the change is backwards compatible if the caller does not copy the file in advance, it would silently change behavior. As such we would prefer some mechanism to make this opt-in.
I think we could accept this change if we put this functionality behind an option (--unsafe-no-copy
is the best name I can come up with), and document the tradeoff.
Another way would be to use a different jailer like systemd-nspawn
or runc
, which is more flexible but would require a bit more wiring up.
Changes
Check whether the exec file already exists in the jail dir before copying it.
Reason
While trying to spawn multiple instances in parallel (more than 500), we're seeing contention while the jailer tries to copy the exec file to each of the instances jail dirs (some VMs end up starting in more than 20 seconds). Hard-linking the exec file in the jail dirs before starting the VMs avoids the issue, but the copy operation in the jailer needs to be skipped.
License Acceptance
By submitting this pull request, I confirm that my contribution is made under
the terms of the Apache 2.0 license. For more information on following
Developer Certificate of Origin and signing off your commits, please check
CONTRIBUTING.md
.PR Checklist
CHANGELOG.md
.TODO
s link to an issue.rust-vmm
.