Skip to content

fix: enable to use secrets with special characters #961

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

fix: enable to use secrets with special characters #961

wants to merge 1 commit into from
+18 −1

Conversation

mpatlasov
Copy link
Contributor

If the password to SMB-server contained special characters (e.g. "foo,bar"), the mount failed. Now, when the password is passed to mount via "credentials=filename" option, then mount succeeds.

/kind bug

Fixes #507, #358, #573

Release note:

none

@k8s-ci-robot k8s-ci-robot added kind/bug Categorizes issue or PR as related to a bug. release-note-none Denotes a PR that doesn't merit a release note. labels Jun 25, 2025
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: mpatlasov
Once this PR has been reviewed and has the lgtm label, please assign msau42 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jun 25, 2025
@k8s-ci-robot
Copy link
Contributor

Hi @mpatlasov. Thanks for your PR.

I'm waiting for a kubernetes-csi member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Jun 25, 2025
@mpatlasov
fix: enable to use secrets with special characters
a700858 
If the password to SMB-server contained special characters (e.g. "foo,bar"), the mount failed. Now, when the password is passed to mount via "credentials=filename" option, then mount succeeds.
@mpatlasov mpatlasov force-pushed the Use-credentials-mount-option branch from a118c24 to a700858 Compare June 25, 2025 21:30
andyzhangx
andyzhangx reviewed Jun 28, 2025
View reviewed changes
Copy link
Member

@andyzhangx andyzhangx left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jun 28, 2025
andyzhangx
andyzhangx reviewed Jun 28, 2025
View reviewed changes
pkg/smb/nodeserver.go
@@ -231,7 +231,7 @@ func (d *Driver) NodeStageVolume(ctx context.Context, req *csi.NodeStageVolumeRe
return nil, status.Error(codes.Internal, fmt.Sprintf("MkdirAll %s failed with error: %v", targetPath, err))
}
if requireUsernamePwdOption && !useKerberosCache {
sensitiveMountOptions = []string{fmt.Sprintf("%s=%s,%s=%s", usernameField, username, passwordField, password)}
sensitiveMountOptions = []string{fmt.Sprintf("%s=%s", usernameField, username), fmt.Sprintf("%s=%s", passwordField, password)}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

there could be problem when there is mount process concurrently, is it possible to detect whether there is special chars in secrets first, if yes, then mount with cred file? I think that would be safer since it won't break anything, thanks.

@andyzhangx
Copy link
Member

btw, sanity tests all failed with this PR: https://prow.k8s.io/view/gs/kubernetes-ci-logs/pr-logs/pull/kubernetes-csi_csi-driver-smb/961/pull-csi-driver-smb-sanity/1938798037342097408

@k8s-ci-robot
Copy link
Contributor

@mpatlasov: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-csi-driver-smb-sanity a700858 link true /test pull-csi-driver-smb-sanity
pull-csi-driver-smb-e2e a700858 link false /test pull-csi-driver-smb-e2e

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@coveralls
Copy link

Pull Request Test Coverage Report for Build 15887613607

Details

  • 10 of 14 (71.43%) changed or added relevant lines in 2 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage decreased (-0.1%) to 78.356%
Changes Missing Coverage Covered Lines Changed/Added Lines %
pkg/smb/smb_common_linux.go 9 13 69.23%
Totals Coverage Status
Change from base Build 15728679263: -0.1%
Covered Lines: 1115
Relevant Lines: 1423
💛 - Coveralls

johanot
johanot suggested changes Jul 14, 2025
View reviewed changes
pkg/smb/smb_common_linux.go
"os"

mount "k8s.io/mount-utils"
)

func Mount(m *mount.SafeFormatAndMount, source, target, fsType string, options, sensitiveMountOptions []string, _ string) error {
if len(sensitiveMountOptions) != 0 {
file, err := os.CreateTemp("/tmp/", "*.smb.credentials")
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would prefer this file on a ramfs so it wouldn't touch the disk at all. But... at the very minimum, the temp file must have restricted permissions, since /tmp is world-readable on most systems. This needs to be safe in the rare cases that the driver is not run in a container and/or with multiple processes sharing /tmp.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@johanot , the temp file already has restricted permissions (rw for the user only) because that's how os.CreateTemp() works. See its official docs here: https://pkg.go.dev/os#CreateTemp .

I intentionally used "/tmp" instead of ramfs, because the location of ramfs mount may vary depending on environment (at least, I don't know any path that would exist everywhere). But generally I fully agree -- not touching the disk would be better. And "defer os.Remove" will wipe it anyway.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the temp file already has restricted permissions

Oh.. Never mind then :)

And "defer os.Remove" will wipe it anyway.

I guess a rare case exists where the process could get SIGKILL'ed before the deferred function is executed, but.. yeah.

because the location of ramfs mount may vary depending on environment

I think I would create a new ramfs for this purpose alone and choose the location myself, e.g. mount at a level below /tmp. However it's easier said than done, iirc, because you'd have to pull in mount-utils only for this pre-mount purpose. If the maintainers here are good with a standard temp file, then I rest my case.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@johanot johanot johanot requested changes

@andyzhangx andyzhangx andyzhangx left review comments

@ZeroMagic ZeroMagic Awaiting requested review from ZeroMagic

Assignees
No one assigned
Labels
cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note-none Denotes a PR that doesn't merit a release note. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

support passwords containing comma character
5 participants
@mpatlasov @k8s-ci-robot @andyzhangx @coveralls @johanot