This patch fixes a vulnerability in the secrets API, however
it is important to stress that the user must be authenticated
as the admin user on the REST API before they can attempt this.
Reported by Appsecco via email. @lucasroesler, Appsecco and
myself believe this to be of low severity.
The fix prevents directory traversal characters from being
used in secret names. If a secret name such as:
../../root/.ssh/authorized_keys were to be used, an attacker
could remove the value and write their own.
Tested with unit tests and tests are now made to run
via the CI and a new Makefile target.
Signed-off-by: Alex Ellis (OpenFaaS Ltd) <alexellis2@gmail.com>
**What**
- Instead of sleeping to ensure the msg channel is populated, use an
unbuffered channel. This seems to work just as well in all the manual
tests cases
Signed-off-by: Lucas Roesler <roesler.lucas@gmail.com>
**What**
- Remove the `output-fields` flag because not all journalctl versions
support it
- Add a short sleep to the start of the log stream to avoid some kind of
race/buffering condition with the Handler
Signed-off-by: Lucas Roesler <roesler.lucas@gmail.com>
**What**
- journald log provider using exec to journalctl
```
journalctl -t <namespace>:<name> --output=json --since=<timestamp> <--follow> --output-fields=SYSLOG_IDENTIFIER,MESSAGE,_PID,_SOURCE_REALTIME_TIMESTAMP
```
- This can be tested manually using `faas-cli logs` as normal, e.g.
`faas-cli logs nodeinfo` should tail the last 5 mins of logs.
- Very basic tests ensuring that the `journalctl` comamand is correctly
construction and that the json log entrys are parsed correctly.
- Add simple e2e test to grep the function logs
Signed-off-by: Lucas Roesler <roesler.lucas@gmail.com>
When ListFunctions populate it's function map, it should not add
functions that GetFunction returned error.
Signed-off-by: Carlos de Paula <me@carlosedp.com>
The behaviour prior to this patch caused some confusion for
users since they expected a behaviour like Swarm / Kubernetes
which always pulls images by default, even if cached. I've tested
the change and it is working as expected. By default images are
always pulled upon deployment.
To revert to the prior behaviour, simply add to faasd up:
--pull-policy=IfNotPresent
Signed-off-by: Alex Ellis (OpenFaaS Ltd) <alexellis2@gmail.com>
Adding label when a /system/function/<name> endpoint
is invoked as it was missed in the previous commit
Signed-off-by: Martin Dekov <mvdekov@gmail.com>
The collect command redirects function logs to the journal for
viewing on journalctl. faas-cli logs is not implemented as of
yet. View logs with journalctl -t openfaas-fn:FN_NAME_HERE.
Tested on Dell XPS with Ubuntu Linux. The approach takes
inspiration from the Stellar project.
Signed-off-by: Alex Ellis (OpenFaaS Ltd) <alexellis2@gmail.com>
* Adds new step for installing containerd with systemd
* Adds warning up top that this is not for newbies :-)
Signed-off-by: Alex Ellis (OpenFaaS Ltd) <alexellis2@gmail.com>
Not sure how this got reverted / affected, but was wrong. The
name "faas-containerd" is gone and not in use.
Signed-off-by: Alex Ellis (OpenFaaS Ltd) <alexellis2@gmail.com>
The use of containerd and CNI functions has been refactored to reuse
the same codebase.
Added all network functionality to own directory and package. Removed
netlink and weave library in favor of using CNI plugin result files.
Rename containers handler to functions to clear-up functionality.
Signed-off-by: Carlos de Paula <me@carlosedp.com>
This appeared to prevent the provider's secret code from
creating files in its working directory. The patch makes all
code use the same permission.
Signed-off-by: Alex Ellis (OpenFaaS Ltd) <alexellis2@gmail.com>
