improved non-root user handling for the debug command, renamed the --auto-run-as-non-root debug command flag to --fallback-to-target-user

Signed-off-by: Kyle Quest <[email protected]>

Author: kcq

README.md

@@ -587,7 +587,7 @@ Debug minimal or regular container images running in Docker, Podman, Kubernetes
 - `--gid` - GID to use for the debugging sidecar container.
 - `--run-privileged` - Run the debug sidecar as a privileged container (true by default).
 - `--security-context-from-target` - Use the security context params from the target container with the debug sidecar container.
-- `--auto-run-as-non-root` - Auto-adjust the config to run as non-root (true by default; set it to false to disable this behavior).
+- `--fallback-to-target-user` - Fallback to using target container user if it's non-root (true by default; set it to false to disable this behavior).
 - `--run-as-target-shell` - Attach an interactive terminal to the debug container and run shell as if it's running in the target container environment (true by default).
 - `--list-sessions` - List all debug sessions for the selected target (pod and optionally selected container for k8s or container for other runtimes).
 - `--show-session-logs` - Show logs for the selected debug session (using namespace, pod, target container or debug session container name for k8s or debug session container name for other runtimes).

examples/k8s_nginx_cgr/manifest_nonroot.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: example-pod-nonroot
+  labels:
+    name: nginx
+spec:
+  securityContext:
+    runAsNonRoot: true
+  containers:
+  - name: example-container
+    image: cgr.dev/chainguard/nginx:latest
+    ports:
+    - containerPort: 8080
+      hostPort: 8080
+
+# kubectl apply -f manifest_nonroot.yaml
+# kubectl exec -it example-pod-nonroot -c example-container -- /bin/sh
+# kubectl attach -it example-pod-nonroot -c example-container
+# mint debug --runtime=k8s --namespace=default --pod=example-pod-nonroot --target=example-container
+# kubectl delete -f manifest_nonroot.yaml

examples/k8s_nginx_cgr/manifest_nonrootc.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: example-pod-nonrootc
+  labels:
+    name: nginx
+spec:
+  containers:
+  - name: example-container
+    image: cgr.dev/chainguard/nginx:latest
+    securityContext:
+      runAsNonRoot: true
+    ports:
+    - containerPort: 8080
+      hostPort: 8080
+
+# kubectl apply -f manifest_nonroot.yaml
+# kubectl exec -it example-pod-nonroot -c example-container -- /bin/sh
+# kubectl attach -it example-pod-nonroot -c example-container
+# mint debug --runtime=k8s --namespace=default --pod=example-pod-nonroot --target=example-container
+# kubectl delete -f manifest_nonroot.yaml

pkg/app/master/command/build/handler.go

@@ -214,7 +214,7 @@ func OnCommand(
 	xc.Out.State("started")
 
 	if kubeOpts.HasTargetSet() {
-		xc.Out.Info("params",
+		xc.Out.Info("cmd.input.params",
 			ovars{
 				"target.type":        "kubernetes.workload",
 				"target":             kubeOpts.Target.Workload,
@@ -288,7 +288,7 @@ func OnCommand(
 	}
 
 	if len(composeFiles) > 0 && targetComposeSvc != "" {
-		xc.Out.Info("params",
+		xc.Out.Info("cmd.input.params",
 			ovars{
 				"target.type":        "compose.service",
 				"target":             targetRef,
@@ -299,7 +299,7 @@ func OnCommand(
 				"image-build-engine": imageBuildEngine,
 			})
 	} else if cbOpts.Dockerfile != "" {
-		xc.Out.Info("params",
+		xc.Out.Info("cmd.input.params",
 			ovars{
 				"target.type":        "dockerfile",
 				"context":            targetRef,
@@ -310,7 +310,7 @@ func OnCommand(
 				"image-build-engine": imageBuildEngine,
 			})
 	} else {
-		xc.Out.Info("params",
+		xc.Out.Info("cmd.input.params",
 			ovars{
 				"target.type":        "image",
 				"target.image":       targetRef,

pkg/app/master/command/debug/cli.go

@@ -83,8 +83,8 @@ type CommandParams struct {
 	DoRunPrivileged bool
 	/// use the security context params from the target container with the debug sidecar container
 	UseSecurityContextFromTarget bool
-	/// auto-adjust the config to run as non-root (mostly for kubernetes)
-	DoAutoRunAsNonRoot bool
+	/// fallback to using target container user if it's non-root (mostly for kubernetes)
+	DoFallbackToTargetUser bool
 }
 
 func ParseNameValueList(list []string) []NVPair {
@@ -164,7 +164,7 @@ var CLI = &cli.Command{
 		cflag(FlagGID),
 		cflag(FlagRunPrivileged),
 		cflag(FlagSecurityContextFromTarget),
-		cflag(FlagAutoRunAsNonRoot),
+		cflag(FlagFallbackToTargetUser),
 	},
 	Action: func(ctx *cli.Context) error {
 		gcvalues := command.GlobalFlagValues(ctx)
@@ -207,7 +207,7 @@ var CLI = &cli.Command{
 			GID:                            ctx.Int64(FlagGID),
 			DoRunPrivileged:                ctx.Bool(FlagRunPrivileged),
 			UseSecurityContextFromTarget:   ctx.Bool(FlagSecurityContextFromTarget),
-			DoAutoRunAsNonRoot:             ctx.Bool(FlagAutoRunAsNonRoot),
+			DoFallbackToTargetUser:         ctx.Bool(FlagFallbackToTargetUser),
 		}
 
 		if commandParams.ActionListNamespaces &&

pkg/app/master/command/debug/debug_images.go

@@ -11,7 +11,7 @@ const (
 	NicolakaNetshootImage = "nicolaka/netshoot"
 	KoolkitsNodeImage     = "lightruncom/koolkits:node"
 	KoolkitsPythonImage   = "lightruncom/koolkits:python"
-	KoolkitsGolangImage   = "lightruncom/koolkits:golang"
+	KoolkitsGolangImage   = "mintoolkit/koolkits-golang:latest"
 	KoolkitsJVMImage      = "lightruncom/koolkits:jvm"
 	DigitaloceanDoksImage = "digitalocean/doks-debug:latest"
 	ZinclabsUbuntuImage   = "public.ecr.aws/zinclabs/debug-ubuntu-base:latest"

pkg/app/master/command/debug/flags.go

@@ -97,8 +97,8 @@ const (
 	FlagSecurityContextFromTarget      = "security-context-from-target"
 	FlagSecurityContextFromTargetUsage = "Use the security context params from the target container with the debug sidecar container"
 
-	FlagAutoRunAsNonRoot      = "auto-run-as-non-root"
-	FlagAutoRunAsNonRootUsage = "Auto-adjust the config to run as non-root (true by default)"
+	FlagFallbackToTargetUser      = "fallback-to-target-user"
+	FlagFallbackToTargetUserUsage = "Fallback to using target container user if it's non-root (true by default)"
 )
 
 var Flags = map[string]cli.Flag{
@@ -270,11 +270,11 @@ var Flags = map[string]cli.Flag{
 		Usage:   FlagSecurityContextFromTargetUsage,
 		EnvVars: []string{"DSLIM_DBG_USE_TARGET_SEC_CTX"},
 	},
-	FlagAutoRunAsNonRoot: &cli.BoolFlag{
-		Name:    FlagAutoRunAsNonRoot,
+	FlagFallbackToTargetUser: &cli.BoolFlag{
+		Name:    FlagFallbackToTargetUser,
 		Value:   true, //true by default
-		Usage:   FlagAutoRunAsNonRootUsage,
-		EnvVars: []string{"DSLIM_DBG_AUTO_RUN_AS_NONROOT"},
+		Usage:   FlagFallbackToTargetUserUsage,
+		EnvVars: []string{"DSLIM_DBG_FALLBACK_TO_TARGET_USER"},
 	},
 }
 

pkg/app/master/command/debug/handle_docker_runtime.go

@@ -270,6 +270,14 @@ func HandleDockerRuntime(
 	exe.NetworkMode = mode
 	exe.PidMode = mode
 
+	if commandParams.UID > -1 {
+		options.User = fmt.Sprintf("%v", commandParams.UID)
+	}
+
+	if commandParams.GID > -1 {
+		options.Group = fmt.Sprintf("%v", commandParams.GID)
+	}
+
 	xc.FailOn(err)
 
 	logger.Tracef("Debugger sidecar spec: %s", jsonutil.ToString(exe))