Add GMSA support for V2 process isolated containers
* Add generated V2 schema files for Container Credential Guard * Add new hcs calls that are necessary to setup container credential guard instances. * Add new resource type CCGState that implements ResourceCloser so a container's ccg instance will be cleaned up on container close. * Add tests to validate gmsa Signed-off-by: Daniel Canter <dcanter@microsoft.com>
Showing
21 changed files
with
649 additions
and
4 deletions.
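--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,137 @@
+// +build windows
+
+package hcsoci
+
+import (
+"context"
+"encoding/json"
+"fmt"
+
+"github.com/Microsoft/hcsshim/internal/hcs"
+"github.com/Microsoft/hcsshim/internal/log"
+hcsschema "github.com/Microsoft/hcsshim/internal/schema2"
+)
+
+// CCGState stores a containers Container Credential Guard state. Used when
+// closing a container to be able to release the instance.
+type CCGState struct {
+// ID of container that instance belongs to.
+id string
+}
+
+// Release calls into hcs to remove the ccg instance. These do not get cleaned up automatically
+// they MUST be explicitly removed with a call to ModifyServiceSettings. The instances will persist
+// unless vmcompute.exe exits or they are removed manually as done here.
+func (instance *CCGState) Release(ctx context.Context) error {
+if err := removeCredentialGuard(ctx, instance.id); err != nil {
+log.G(ctx).WithError(err).WithField("containerID", instance.id).Warn("failed to remove Container Credential Guard instance")
+return err
+}
+return nil
+}
+
+// CreateCredentialGuard creates a container credential guard and returns the state object to be placed in a v2 container doc.
+func CreateCredentialGuard(ctx context.Context, ID, credSpec string, uvm bool) (*hcsschema.ContainerCredentialGuardState, error) {
+log.G(ctx).WithField("containerID", ID).Debug("creating container credential guard")
+// V2 schema ccg setup a little different as its expected to be passed
+// through all the way to the gcs. Can no longer be enabled just through
+// a single property. The flow is as follows
+// ------------------------------------------------------------------------
+// 1. Call HcsModifyServiceSettings with a ModificationRequest set with a
+// ContainerCredentialGuardAddInstanceRequest. This is where the cred spec
+// gets passed in. Transport either "LRPC" (Argon) or "HvSocket" (Xenon).
+// 2. Query the instance with a call to HcsGetServiceProperties with the
+// PropertyType "ContainerCredentialGuard". This will return all instances
+// 3. Parse for the id of our container to find which one correlates to the
+// container we're building the doc for, then add to the v2 doc.
+// 4. If xenon container the hvsocketconfig will need to be attached BEFORE
+// being created. It must be in the doc itself as we do not support hot adding
+// service table entries. This is currently a blocker for adding support for
+// hyper-v gmsa.
+transport := "LRPC"
+if uvm {
+transport = "HvSocket"
+}
+req := hcsschema.ModificationRequest{
+PropertyType: "ContainerCredentialGuard",
+Settings: &hcsschema.ContainerCredentialGuardOperationRequest{
+Operation: hcsschema.AddInstance,
+OperationDetails: &hcsschema.ContainerCredentialGuardAddInstanceRequest{
+Id: ID,
+CredentialSpec: credSpec,
+Transport: transport,
+},
+},
+}
+if err := hcs.ModifyServiceSettings(ctx, req); err != nil {
+log.G(ctx).WithError(err).WithField("containerID", ID).Warn("failed to generate container credential guard instance")
+return nil, err
+}
+
+q := hcsschema.PropertyQuery{
+PropertyTypes: []hcsschema.PropertyType{hcsschema.PTContainerCredentialGuard},
+}
+serviceProps, err := hcs.GetServiceProperties(ctx, q)
+if err != nil {
+log.G(ctx).WithError(err).WithField("containerID", ID).Warn("failed to retrieve container credential guard instances")
+return nil, err
+}
+
+ccgState, err := unmarshalCCGInstances(serviceProps, ID)
+if err != nil {
+return nil, err
+}
+return ccgState, nil
+}
+
+// Checks to see if doc has non-nil ccg field
+func hasCCG(doc *hcsschema.Container) bool {
+if doc.ContainerCredentialGuard != nil {
+return true
+}
+return false
+}
+
+// Removes a ContainerCredentialGuard instance by container ID.
+func removeCredentialGuard(ctx context.Context, ID string) error {
+log.G(ctx).WithField("containerID", ID).Debug("removing container credential guard")
+
+req := hcsschema.ModificationRequest{
+PropertyType: "ContainerCredentialGuard",
+Settings: &hcsschema.ContainerCredentialGuardOperationRequest{
+Operation: hcsschema.RemoveInstance,
+OperationDetails: &hcsschema.ContainerCredentialGuardRemoveInstanceRequest{
+Id: ID,
+},
+},
+}
+if err := hcs.ModifyServiceSettings(ctx, req); err != nil {
+return err
+}
+return nil
+}
+
+// Unmarshals a ServiceProperties struct if the only property queried was 'ContainerCredentialGuard'
+// Returns the ContainerCredentialGuardInstance matching the id passed in.
+func unmarshalCCGInstances(sp *hcsschema.ServiceProperties, ID string) (*hcsschema.ContainerCredentialGuardState, error) {
+if len(sp.Properties) != 1 {
+return nil, fmt.Errorf("wrong number of service properties present")
+}
+// Properties is []interface{}
+ccgSysInfo := &hcsschema.ContainerCredentialGuardSystemInfo{}
+ccgJSON, err := json.Marshal(sp.Properties[0])
+if err != nil {
+return nil, err
+}
+
+if err := json.Unmarshal(ccgJSON, ccgSysInfo); err != nil {
+return nil, err
+}
+
+for _, ccgInstance := range ccgSysInfo.Instances {
+if ccgInstance.Id == ID {
+return ccgInstance.CredentialGuard, nil
+}
+}
+return nil, fmt.Errorf("failed to find credential guard instance with ID %s", ID)
+}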
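Review bot: An instance created by the `hcs.ModifyServiceSettings` call in CreateCredentialGuard is never removed when the later `GetServiceProperties` or `unmarshalCCGInstances` step fails, so those error paths leak a Container Credential Guard instance that, per the comment on Release, persists until vmcompute.exe exits; the caller never receives a CCGState through which to release it. A deferred cleanup gated on the function succeeding closes that gap, as sketched below. unmarshalCCGInstances also dereferences `sp` without a nil check; whether GetServiceProperties can return a nil pointer alongside a nil error is not visible here, so a guard such as `if sp == nil { return nil, fmt.Errorf("no service properties returned") }` is cheap insurance. Minor style: hasCCG can simply be `return doc.ContainerCredentialGuard != nil`.
```go
func CreateCredentialGuard(ctx context.Context, ID, credSpec string, uvm bool) (*hcsschema.ContainerCredentialGuardState, error) {
	// … unchanged: transport selection and AddInstance request …
	if err := hcs.ModifyServiceSettings(ctx, req); err != nil {
		log.G(ctx).WithError(err).WithField("containerID", ID).Warn("failed to generate container credential guard instance")
		return nil, err
	}
	// The instance now exists in vmcompute; tear it down again if a later
	// step fails, because the caller will never get a CCGState to Release.
	succeeded := false
	defer func() {
		if !succeeded {
			if rerr := removeCredentialGuard(ctx, ID); rerr != nil {
				log.G(ctx).WithError(rerr).WithField("containerID", ID).Warn("failed to remove container credential guard instance after setup failure")
			}
		}
	}()
	// … unchanged: GetServiceProperties query and unmarshalCCGInstances …
	succeeded = true
	return ccgState, nil
}
```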
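--- /dev/null
+++ b/internal/schema2/container_credential_guard_add_instance_request.go
@@ -0,0 +1,16 @@
+/*
+* HCS API
+*
+* No description provided (generated by Swagger Codegen https://github.com/swagger-api/swagger-codegen)
+*
+* API version: 2.4
+* Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git)
+*/
+
+package hcsschema
+
+type ContainerCredentialGuardAddInstanceRequest struct {
+Id string `json:"Id,omitempty"`
+CredentialSpec string `json:"CredentialSpec,omitempty"`
+Transport string `json:"Transport,omitempty"`
+}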
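--- /dev/null
+++ b/internal/schema2/container_credential_guard_hv_socket_service_config.go
@@ -0,0 +1,15 @@
+/*
+* HCS API
+*
+* No description provided (generated by Swagger Codegen https://github.com/swagger-api/swagger-codegen)
+*
+* API version: 2.4
+* Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git)
+*/
+
+package hcsschema
+
+type ContainerCredentialGuardHvSocketServiceConfig struct {
+ServiceId string `json:"ServiceId,omitempty"`
+ServiceConfig *HvSocketServiceConfig `json:"ServiceConfig,omitempty"`
+}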
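--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,16 @@
+/*
+* HCS API
+*
+* No description provided (generated by Swagger Codegen https://github.com/swagger-api/swagger-codegen)
+*
+* API version: 2.4
+* Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git)
+*/
+
+package hcsschema
+
+type ContainerCredentialGuardInstance struct {
+Id string `json:"Id,omitempty"`
+CredentialGuard *ContainerCredentialGuardState `json:"CredentialGuard,omitempty"`
+HvSocketConfig *ContainerCredentialGuardHvSocketServiceConfig `json:"HvSocketConfig,omitempty"`
+}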
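--- /dev/null
+++ b/internal/schema2/container_credential_guard_modify_operation.go
@@ -0,0 +1,17 @@
+/*
+* HCS API
+*
+* No description provided (generated by Swagger Codegen https://github.com/swagger-api/swagger-codegen)
+*
+* API version: 2.4
+* Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git)
+*/
+
+package hcsschema
+
+type ContainerCredentialGuardModifyOperation string
+
+const (
+AddInstance ContainerCredentialGuardModifyOperation = "AddInstance"
+RemoveInstance ContainerCredentialGuardModifyOperation = "RemoveInstance"
+)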
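--- /dev/null
+++ b/internal/schema2/container_credential_guard_operation_request.go
@@ -0,0 +1,15 @@
+/*
+* HCS API
+*
+* No description provided (generated by Swagger Codegen https://github.com/swagger-api/swagger-codegen)
+*
+* API version: 2.4
+* Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git)
+*/
+
+package hcsschema
+
+type ContainerCredentialGuardOperationRequest struct {
+Operation ContainerCredentialGuardModifyOperation `json:"Operation,omitempty"`
+OperationDetails interface{} `json:"OperationDetails,omitempty"`
+}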
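--- /dev/null
+++ b/internal/schema2/container_credential_guard_remove_instance_request.go
@@ -0,0 +1,14 @@
+/*
+* HCS API
+*
+* No description provided (generated by Swagger Codegen https://github.com/swagger-api/swagger-codegen)
+*
+* API version: 2.4
+* Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git)
+*/
+
+package hcsschema
+
+type ContainerCredentialGuardRemoveInstanceRequest struct {
+Id string `json:"Id,omitempty"`
+}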
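--- /dev/null
+++ b/internal/schema2/container_credential_guard_system_info.go
@@ -0,0 +1,14 @@
+/*
+* HCS API
+*
+* No description provided (generated by Swagger Codegen https://github.com/swagger-api/swagger-codegen)
+*
+* API version: 2.4
+* Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git)
+*/
+
+package hcsschema
+
+type ContainerCredentialGuardSystemInfo struct {
+Instances []ContainerCredentialGuardInstance `json:"Instances,omitempty"`
+}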
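--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,15 @@
+/*
+* HCS API
+*
+* No description provided (generated by Swagger Codegen https://github.com/swagger-api/swagger-codegen)
+*
+* API version: 2.4
+* Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git)
+*/
+
+package hcsschema
+
+type ModificationRequest struct {
+PropertyType PropertyType `json:"PropertyType,omitempty"`
+Settings interface{} `json:"Settings,omitempty"`
+}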