use unshare to enforce `networkAccess: false` when not running in a container

I guess users expect that networkAccess: false can restrict tools from accessing the network, but cwltool does not.

Currently I am not sure it is really the issue because the spec only says:

If networkAccess is false or not specified, tools must not assume network access, except for localhost (the loopback device).

That is,

  • this behavior is valid because the spec only requests tools not to assume network access but does not request platforms to restrict network access for tools
  • users expect that networkAccess: false can restrict tools from accessing the network, I guess
  • I am not sure there is a reasonable way to restrict network access if the tool is not in a container

What do you think about it?

How to reproduce

$ cwltool curl.cwl

Expected Behavior

It fails because curl needs the network but networkAccess: false is specified.

Actual Behavior

It does not fail.

$ cwltool curl.cwl
INFO /opt/homebrew/bin/cwltool 3.1.20220830195442
INFO Resolved 'curl.cwl' to 'file:///Users/tanjo/tmp/net/curl.cwl'
INFO [job curl.cwl] /private/tmp/docker_tmpz4hne9ck$ curl \
    -fsS \
    https://www.commonwl.org/v1.2/index.html > /private/tmp/docker_tmpz4hne9ck/index.html
INFO [job curl.cwl] completed success
{
    "out": {
        "location": "file:///Users/tanjo/tmp/net/index.html",
        "basename": "index.html",
        "class": "File",
        "checksum": "sha1$4a7d4583b995e2fb27980ddc4ce4a9e1b4ed3952",
        "size": 6525,
        "path": "/Users/tanjo/tmp/net/index.html"
    }
}
INFO Final process status is success

Workflow Code

#!/usr/bin/env cwl-runner

requirements:
  NetworkAccess:
    networkAccess: false

class: CommandLineTool
cwlVersion: v1.2
baseCommand: curl
arguments:
  - -fsS
  - $(inputs.fsS)
inputs:
  - id: fsS
    type: string
    default: https://www.commonwl.org/v1.2/index.html
outputs:
  - id: out
    type: stdout
stdout: index.html

Full Traceback

No exceptions.

Your Environment

  • cwltool version:
$ cwltool --version
/opt/homebrew/bin/cwltool 3.1.20220830195442


Top GitHub Comments

kinow commented, Nov 19, 2022 (2 reactions)

Tested both bwrap and unshare, successfully failed to execute ping with both tools 😅

With bwrap:

kinow@ranma:~/Development/python/workspace/lukasa$ bwrap --ro-bind / / --unshare-net ping google.com
kinow@ranma:~/Development/python/workspace/lukasa$ echo $?
2

And unshare:

kinow@ranma:~/Development/python/workspace/lukasa$ unshare -r -n ping google.com
ping: google.com: Temporary failure in name resolution
kinow@ranma:~/Development/python/workspace/lukasa$ echo $?
2
tetron commented, Nov 18, 2022 (2 reactions)

It doesn’t use unshare because I wasn’t familiar with it when I wrote that part of cwltool. I was mainly thinking about how you can enable/disable network access for Docker containers. I have no objections to using unshare, it sounds like a good idea.

Bubblewrap is also interesting, I glanced at it and it looks like you can basically create ad-hoc isolated environments where you get to decide what is shared and what isn’t?
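As an added example (not cwltool's code, and not from anyone in the thread), here is a sketch of the enforcement path discussed above: read the effective NetworkAccess requirement from a tool document (both the map form used in the issue's curl.cwl and the list form), and when it is false wrap the command with `unshare -r -n` for native execution, bringing `lo` up since the spec only permits loopback, with `--net=none` for Docker and kinow's `--unshare-net` for bwrap as the container-side equivalents. The runtime names and the assumption that a Docker argv starts with `docker run` are mine.

```python
"""Illustrative enforcement of CWL `networkAccess: false` (not cwltool's code)."""
from __future__ import annotations

import shutil
import subprocess
import sys


def network_access_requested(tool: dict) -> bool:
    """Effective NetworkAccess value of a CWL tool document.
    Accepts both the list form ([{"class": "NetworkAccess", ...}]) and the map
    form ({"NetworkAccess": {...}}) of requirements/hints. Per the spec, an
    absent requirement means the tool must not assume network access.
    """
    for section in ("requirements", "hints"):
        reqs = tool.get(section) or {}
        if isinstance(reqs, list):
            reqs = {r["class"]: r for r in reqs if isinstance(r, dict)}
        net = reqs.get("NetworkAccess")
        if net is not None:
            return bool(net.get("networkAccess", False))
    return False


def isolate_command(argv: list[str], network_access: bool,
                    runtime: str = "native") -> list[str]:
    """Wrap argv so the tool only reaches loopback when network access is off.
    runtime (assumed names): "native" uses unshare, "bwrap" uses --unshare-net,
    "docker" inserts --net=none after an argv starting ["docker", "run"]."""
    if network_access:
        return list(argv)
    if runtime == "docker":
        return argv[:2] + ["--net=none"] + argv[2:]
    if runtime == "bwrap":
        return ["bwrap", "--ro-bind", "/", "/", "--unshare-net"] + argv
    # -r: unprivileged user namespace, which grants CAP_NET_ADMIN inside it;
    # -n: fresh network namespace containing only a *down* lo interface.
    # The spec allows loopback, so bring lo up before exec'ing the tool.
    inner = 'ip link set lo up 2>/dev/null; exec "$@"'
    return ["unshare", "-r", "-n", "sh", "-c", inner, "sh"] + argv


if __name__ == "__main__":
    # Usage: python enforce_netaccess.py <command> [args...]  (runs with no network)
    if shutil.which("unshare") is None:
        sys.exit("unshare(1) not found; cannot enforce networkAccess: false natively")
    sys.exit(subprocess.call(isolate_command(sys.argv[1:], network_access=False)))
```

Running it as `python enforce_netaccess.py curl -fsS https://www.commonwl.org/v1.2/index.html` reproduces the expected failure from the issue (curl cannot resolve or connect), while a tool that only talks to 127.0.0.1 still works.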
