Move sudo commands to a new Vertex Kernel #27

Merged (22 commits), Sep 28, 2023

Conversation

@quentinguidee (Member) commented Sep 26, 2023

This pull request adds a new Vertex Kernel executable, which improves security. This way, only some sudo commands are handled by Vertex Kernel, and everything else is handled by Vertex.

How it works

Instead of running vertex, we now need to run vertex-kernel as sudo. vertex-kernel will then start vertex by dropping unnecessary privileges and running it as an unprivileged user.

To run the vertex-kernel, we need to pass the username of the user that runs vertex. By default, it will pass "vertex" as username.

sudo vertex-kernel -user my_username

or

sudo vertex-kernel -uid 1000 -gid 1000

Vertex Kernel will now be able to handle SSH or Docker containers safely.

It is still possible to run Vertex as usual without Vertex-Kernel, but all features that need superuser permissions will not be usable.

Todo

  • Create a new executable
  • Move sudo commands to the kernel
    • Move Docker commands
    • Move SSH commands
  • Make the Vertex-Kernel run Vertex with setcap 'cap_net_bind_service=+ep' vertex, as it needs port 80 for the proxy
  • Adapt the updates to download Kernel updates
  • Adapt the Dockerfile
  • Fix Kernel Logs accessing the same log files
  • Forward environment variable to the vertex executable
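
The privilege-drop pattern described above, as an added illustration in Go (this is not code from the PR or the Vertex project): the root launcher resolves the target user to a uid/gid, refuses uid 0, and hands the credential to the kernel at fork time via syscall.Credential, so the server binary itself is only ever executed unprivileged, with the launcher's environment forwarded. The child path ./vertex, the flag names and the default user "vertex" are assumptions mirroring the description; the setcap step from the todo list is a one-off on the binary and is not shown.

```go
package main

import (
	"flag"
	"fmt"
	"log"
	"os"
	"os/exec"
	"os/user"
	"syscall"
)
// resolveCredential maps -user (or an explicit -uid/-gid pair) to the credential the
// child runs under; uid 0 / gid 0 are refused so the server can never run as root.
func resolveCredential(username string, uid, gid int) (*syscall.Credential, error) {
	if uid == 0 && gid == 0 { // no explicit ids given: resolve the username
		u, err := user.Lookup(username)
		if err != nil {
			return nil, fmt.Errorf("lookup %q: %w", username, err)
		}
		fmt.Sscan(u.Uid+" "+u.Gid, &uid, &gid) // numeric ids from the passwd entry
	}
	if uid <= 0 || gid <= 0 {
		return nil, fmt.Errorf("refusing to run child as uid=%d gid=%d", uid, gid)
	}
	// Groups stays nil with NoSetGroups false, so supplementary groups are cleared too.
	return &syscall.Credential{Uid: uint32(uid), Gid: uint32(gid)}, nil
}

// unprivilegedCommand forwards the launcher's environment and stdio to the child and
// applies the credential in the forked child before exec: the server binary never runs as root.
func unprivilegedCommand(path string, cred *syscall.Credential, env []string) *exec.Cmd {
	cmd := exec.Command(path)
	cmd.Env = env
	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
	cmd.SysProcAttr = &syscall.SysProcAttr{Credential: cred}
	return cmd
}
func main() {
	name := flag.String("user", "vertex", "user to run the server as")
	uid := flag.Int("uid", 0, "numeric uid (with -gid, overrides -user)")
	gid := flag.Int("gid", 0, "numeric gid")
	flag.Parse()
	cred, err := resolveCredential(*name, *uid, *gid)
	if err == nil {
		err = unprivilegedCommand("./vertex", cred, os.Environ()).Run()
	}
	if err != nil {
		log.Fatal(err)
	}
}
```

Because uid 0 is rejected explicitly, a wrong -user value cannot silently leave the server running with the launcher's root privileges.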

@quentinguidee quentinguidee added the type: Enhancement New feature or request label Sep 26, 2023
@quentinguidee quentinguidee added this to the Vertex v0.9.0 milestone Sep 26, 2023
@quentinguidee quentinguidee force-pushed the feature/kernel branch 5 times, most recently from 5059605 to 0d11c8c on September 28, 2023 04:08
@quentinguidee quentinguidee marked this pull request as ready for review September 28, 2023 05:04
@quentinguidee (Member, Author) commented:

🚀

@quentinguidee quentinguidee merged commit 2b93fcf into dev Sep 28, 2023
10 checks passed
@quentinguidee quentinguidee deleted the feature/kernel branch September 28, 2023 05:17
quentinguidee added a commit that referenced this pull request Mar 3, 2024
…kages/components/follow-redirects-1.15.5

build(deps): bump follow-redirects from 1.15.3 to 1.15.5 in /packages/components