Support setting plugin TMPDIR in config as well as env (#24978)

2025-10-29 09:42:25 +00:00 · 2024-01-30 13:10:23 +00:00
parent 78ef25e70c
commit 6e111d92fe
16 changed files with 139 additions and 38 deletions
--- a/changelog/24978.txt
+++ b/changelog/24978.txt
@@ -0,0 +1,3 @@
 ```release-note:improvement
 core: Added new `plugin_tmpdir` config option for containerized plugins, in addition to the existing `VAULT_PLUGIN_TMPDIR` environment variable.
 ```
--- a/command/commands.go
+++ b/command/commands.go
@@ -97,6 +97,9 @@ const (
 	// logged at startup _per node_. This was initially introduced for the events
 	// system being developed over multiple release cycles.
 	EnvVaultExperiments = "VAULT_EXPERIMENTS"
 	// EnvVaultPluginTmpdir sets the folder to use for Unix sockets when setting
 	// up containerized plugins.
 	EnvVaultPluginTmpdir = "VAULT_PLUGIN_TMPDIR"
 	// flagNameAddress is the flag used in the base command to read in the
 	// address of the Vault server.
--- a/command/server.go
+++ b/command/server.go
@@ -1153,6 +1153,10 @@ func (c *ServerCommand) Run(args []string) int {
 		config.License = envLicense
 	}
 	if envPluginTmpdir := os.Getenv(EnvVaultPluginTmpdir); envPluginTmpdir != "" {
 		config.PluginTmpdir = envPluginTmpdir
 	}
 	if err := server.ExperimentsFromEnvAndCLI(config, EnvVaultExperiments, c.flagExperiments); err != nil {
 		c.UI.Error(err.Error())
 		return 1
@@ -3082,6 +3086,7 @@ func createCoreConfig(c *ServerCommand, config *server.Config, backend physical.
 		ClusterName:                    config.ClusterName,
 		CacheSize:                      config.CacheSize,
 		PluginDirectory:                config.PluginDirectory,
 		PluginTmpdir:                   config.PluginTmpdir,
 		PluginFileUid:                  config.PluginFileUid,
 		PluginFilePermissions:          config.PluginFilePermissions,
 		EnableUI:                       config.EnableUI,
--- a/command/server/config.go
+++ b/command/server/config.go
@@ -69,6 +69,7 @@ type Config struct {
 	ClusterCipherSuites string `hcl:"cluster_cipher_suites"`
 	PluginDirectory string `hcl:"plugin_directory"`
 	PluginTmpdir    string `hcl:"plugin_tmpdir"`
 	PluginFileUid int `hcl:"plugin_file_uid"`
@@ -363,6 +364,11 @@ func (c *Config) Merge(c2 *Config) *Config {
 		result.PluginDirectory = c2.PluginDirectory
 	}
 	result.PluginTmpdir = c.PluginTmpdir
 	if c2.PluginTmpdir != "" {
 		result.PluginTmpdir = c2.PluginTmpdir
 	}
 	result.PluginFileUid = c.PluginFileUid
 	if c2.PluginFileUid != 0 {
 		result.PluginFileUid = c2.PluginFileUid
@@ -1114,6 +1120,7 @@ func (c *Config) Sanitized() map[string]interface{} {
 		"cluster_cipher_suites": c.ClusterCipherSuites,
 		"plugin_directory": c.PluginDirectory,
 		"plugin_tmpdir":    c.PluginTmpdir,
 		"plugin_file_uid": c.PluginFileUid,
--- a/command/server/config_test_helpers.go
+++ b/command/server/config_test_helpers.go
@@ -476,6 +476,9 @@ func testLoadConfigFile(t *testing.T) {
 		EnableResponseHeaderRaftNodeIDRaw: true,
 		LicensePath: "/path/to/license",
 		PluginDirectory: "/path/to/plugins",
 		PluginTmpdir:    "/tmp/plugins",
 	}
 	addExpectedEntConfig(expected, []string{})
@@ -802,6 +805,7 @@ func testConfig_Sanitized(t *testing.T) {
 		"max_lease_ttl":    (30 * 24 * time.Hour) / time.Second,
 		"pid_file":         "./pidfile",
 		"plugin_directory": "",
 		"plugin_tmpdir":    "",
 		"seals": []interface{}{
 			map[string]interface{}{
 				"disabled": false,
--- a/command/server/test-fixtures/config.hcl
+++ b/command/server/test-fixtures/config.hcl
@@ -51,4 +51,6 @@ disable_sealwrap = true
 disable_printable_check = true
 enable_response_header_hostname = true
 enable_response_header_raft_node_id = true
-license_path = "/path/to/license"
+license_path = "/path/to/license"
 plugin_directory = "/path/to/plugins"
 plugin_tmpdir = "/tmp/plugins"
--- a/http/sys_config_state_test.go
+++ b/http/sys_config_state_test.go
@@ -162,6 +162,7 @@ func TestSysConfigState_Sanitized(t *testing.T) {
 				"max_lease_ttl":                       json.Number("0"),
 				"pid_file":                            "",
 				"plugin_directory":                    "",
 				"plugin_tmpdir":                       "",
 				"plugin_file_uid":                     json.Number("0"),
 				"plugin_file_permissions":             json.Number("0"),
 				"enable_response_header_hostname":     false,
--- a/sdk/helper/pluginutil/run_config.go
+++ b/sdk/helper/pluginutil/run_config.go
@@ -56,6 +56,7 @@ type runConfig struct {
 	runtimeConfig *pluginruntimeutil.PluginRuntimeConfig
 	PluginClientConfig
 	tmpdir string
 }
 func (rc runConfig) mlockEnabled() bool {
@@ -144,7 +145,7 @@ func (rc runConfig) makeConfig(ctx context.Context) (*plugin.ClientConfig, error
 		clientConfig.RunnerFunc = containerCfg.NewContainerRunner
 		clientConfig.UnixSocketConfig = &plugin.UnixSocketConfig{
 			Group:   strconv.Itoa(containerCfg.GroupAdd),
-			TempDir: os.Getenv("VAULT_PLUGIN_TMPDIR"),
+			TempDir: rc.tmpdir,
 		}
 		clientConfig.GRPCBrokerMultiplex = true
 	}
@@ -271,6 +272,7 @@ func (r *PluginRunner) RunConfig(ctx context.Context, opts ...RunOpt) (*plugin.C
 		sha256:        r.Sha256,
 		env:           r.Env,
 		runtimeConfig: r.RuntimeConfig,
 		tmpdir:        r.Tmpdir,
 		PluginClientConfig: PluginClientConfig{
 			Name:       r.Name,
 			PluginType: r.Type,
--- a/sdk/helper/pluginutil/runner.go
+++ b/sdk/helper/pluginutil/runner.go
@@ -69,6 +69,7 @@ type PluginRunner struct {
 	Builtin        bool                        `json:"builtin" structs:"builtin"`
 	BuiltinFactory func() (interface{}, error) `json:"-" structs:"-"`
 	RuntimeConfig  *prutil.PluginRuntimeConfig `json:"-" structs:"-"`
 	Tmpdir         string                      `json:"-" structs:"-"`
 }
 // BinaryReference returns either the OCI image reference if it's a container
--- a/vault/core.go
+++ b/vault/core.go
@@ -535,6 +535,9 @@ type Core struct {
 	// pluginDirectory is the location vault will look for plugin binaries
 	pluginDirectory string
 	// pluginTmpdir is the location vault will use for containerized plugin
 	// temporary files
 	pluginTmpdir string
 	// pluginFileUid is the uid of the plugin files and directory
 	pluginFileUid int
@@ -822,6 +825,7 @@ type CoreConfig struct {
 	EnableIntrospection bool
 	PluginDirectory string
 	PluginTmpdir    string
 	PluginFileUid int
@@ -1240,6 +1244,12 @@ func NewCore(conf *CoreConfig) (*Core, error) {
 			return nil, fmt.Errorf("core setup failed, could not verify plugin directory: %w", err)
 		}
 	}
 	if conf.PluginTmpdir != "" {
 		c.pluginTmpdir, err = filepath.Abs(conf.PluginTmpdir)
 		if err != nil {
 			return nil, fmt.Errorf("core setup failed, could not verify plugin tmpdir: %w", err)
 		}
 	}
 	if conf.PluginFileUid != 0 {
 		c.pluginFileUid = conf.PluginFileUid
@@ -2517,7 +2527,15 @@ func (c *Core) setupPluginRuntimeCatalog(ctx context.Context) error {
 // this method can be included in the slice of functions returned by the
 // buildUnsealSetupFunctionsSlice function.
 func (c *Core) setupPluginCatalog(ctx context.Context) error {
-	pluginCatalog, err := plugincatalog.SetupPluginCatalog(ctx, c.logger, c.builtinRegistry, NewBarrierView(c.barrier, pluginCatalogPath), c.pluginDirectory, c.enableMlock, c.pluginRuntimeCatalog)
+	pluginCatalog, err := plugincatalog.SetupPluginCatalog(ctx, &plugincatalog.PluginCatalogInput{
 		Logger:               c.logger,
 		BuiltinRegistry:      c.builtinRegistry,
 		CatalogView:          NewBarrierView(c.barrier, pluginCatalogPath),
 		PluginDirectory:      c.pluginDirectory,
 		Tmpdir:               c.pluginTmpdir,
 		EnableMlock:          c.enableMlock,
 		PluginRuntimeCatalog: c.pluginRuntimeCatalog,
 	})
 	if err != nil {
 		return err
 	}
--- a/vault/external_plugin_container_test.go
+++ b/vault/external_plugin_container_test.go
@@ -17,7 +17,7 @@ import (
 	"github.com/hashicorp/vault/sdk/logical"
 )
-func testClusterWithContainerPlugins(t *testing.T, types []consts.PluginType) (*Core, []pluginhelpers.TestPlugin) {
+func testClusterWithContainerPlugins(t *testing.T, types []consts.PluginType) (*TestClusterCore, []pluginhelpers.TestPlugin) {
 	var plugins []*TestPluginConfig
 	for _, typ := range types {
 		plugins = append(plugins, &TestPluginConfig{
@@ -26,15 +26,28 @@ func testClusterWithContainerPlugins(t *testing.T, types []consts.PluginType) (*
 			Container: true,
 		})
 	}
-	cluster := NewTestCluster(t, &CoreConfig{}, &TestClusterOptions{
+	// Use os.MkdirTemp because t.TempDir() exceeds the Unix socket length limit.
 	// See https://www.man7.org/linux/man-pages/man7/unix.7.html for details.
 	tmpdir, err := os.MkdirTemp("", "")
 	if err != nil {
 		t.Fatal(err)
 	}
 	t.Cleanup(func() {
 		if err := os.RemoveAll(tmpdir); err != nil {
 			t.Fatal(err)
 		}
 	})
 	cluster := NewTestCluster(t, &CoreConfig{
 		PluginTmpdir: tmpdir,
 	}, &TestClusterOptions{
 		Plugins: plugins,
 	})
 	cluster.Start()
 	t.Cleanup(cluster.Cleanup)
-	core := cluster.Cores[0].Core
+	core := cluster.Cores[0]
-	TestWaitActive(t, core)
+	TestWaitActive(t, core.Core)
 	return core, cluster.Plugins
 }
@@ -81,7 +94,7 @@ func TestExternalPluginInContainer_MountAndUnmount(t *testing.T) {
 	})
 }
-func mountAndUnmountContainerPlugin_WithRuntime(t *testing.T, c *Core, plugin pluginhelpers.TestPlugin, ociRuntime string, rootless bool) {
+func mountAndUnmountContainerPlugin_WithRuntime(t *testing.T, c *TestClusterCore, plugin pluginhelpers.TestPlugin, ociRuntime string, rootless bool) {
 	if ociRuntime != "" {
 		registerPluginRuntime(t, c.systemBackend, ociRuntime, rootless)
 	}
@@ -89,6 +102,18 @@ func mountAndUnmountContainerPlugin_WithRuntime(t *testing.T, c *Core, plugin pl
 	mountPlugin(t, c.systemBackend, plugin.Name, plugin.Typ, "v1.0.0", "")
 	expectTmpdirEntries := func(expected int) {
 		t.Helper()
 		entries, err := os.ReadDir(c.CoreConfig.PluginTmpdir)
 		if err != nil {
 			t.Fatal(err)
 		}
 		if len(entries) != expected {
 			t.Fatalf("expected %d in tmpdir, got %v", expected, entries)
 		}
 	}
 	expectTmpdirEntries(1)
 	routeRequest := func(expectMatch bool) {
 		pluginPath := "foo/bar"
 		if plugin.Typ == consts.PluginTypeCredential {
@@ -106,6 +131,7 @@ func mountAndUnmountContainerPlugin_WithRuntime(t *testing.T, c *Core, plugin pl
 	routeRequest(true)
 	unmountPlugin(t, c.systemBackend, plugin.Typ, "foo")
 	routeRequest(false)
 	expectTmpdirEntries(0)
 }
 func registerContainerPlugin(t *testing.T, sys *SystemBackend, pluginName, pluginType, version, sha, image, runtime string) {
--- a/vault/plugincatalog/plugin_catalog.go
+++ b/vault/plugincatalog/plugin_catalog.go
@@ -48,6 +48,7 @@ type PluginCatalog struct {
 	builtinRegistry BuiltinRegistry
 	catalogView     logical.Storage
 	directory       string
 	tmpdir          string
 	logger          log.Logger
 	// externalPlugins holds plugin process connections by a key which is
@@ -138,37 +139,42 @@ type pluginClient struct {
 	plugin.ClientProtocol
 }
-func SetupPluginCatalog(
+type PluginCatalogInput struct {
-	ctx context.Context,
+	Logger               log.Logger
-	logger log.Logger,
+	BuiltinRegistry      BuiltinRegistry
-	builtinRegistry BuiltinRegistry,
+	CatalogView          logical.Storage
-	catalogView logical.Storage,
+	PluginDirectory      string
-	pluginDirectory string,
+	Tmpdir               string
-	enableMlock bool,
+	EnableMlock          bool
-	pluginRuntimeCatalog *PluginRuntimeCatalog,
+	PluginRuntimeCatalog *PluginRuntimeCatalog
-) (*PluginCatalog, error) {
+}
-	pluginCatalog := &PluginCatalog{
+
-		builtinRegistry: builtinRegistry,
+func SetupPluginCatalog(ctx context.Context, in *PluginCatalogInput) (*PluginCatalog, error) {
-		catalogView:     catalogView,
+	logger := in.Logger
-		directory:       pluginDirectory,
+	catalog := &PluginCatalog{
 		builtinRegistry: in.BuiltinRegistry,
 		catalogView:     in.CatalogView,
 		directory:       in.PluginDirectory,
 		tmpdir:          in.Tmpdir,
 		logger:          logger,
-		mlockPlugins:    enableMlock,
+		mlockPlugins:    in.EnableMlock,
 		wrapper:         logical.StaticSystemView{VersionString: version.GetVersion().Version},
-		runtimeCatalog:  pluginRuntimeCatalog,
+		runtimeCatalog:  in.PluginRuntimeCatalog,
 	}
 	// Run upgrade if untyped plugins exist
-	err := pluginCatalog.UpgradePlugins(ctx, logger)
+	err := catalog.upgradePlugins(ctx, logger)
 	if err != nil {
 		logger.Error("error while upgrading plugin storage", "error", err)
 		return nil, err
 	}
-	if logger.IsInfo() {
+	logger.Info("successfully setup plugin catalog", "plugin-directory", catalog.directory)
-		logger.Info("successfully setup plugin catalog", "plugin-directory", pluginDirectory)
+	if catalog.tmpdir != "" {
 		logger.Debug("plugin temporary directory configured", "tmpdir", catalog.tmpdir)
 	}
-	return pluginCatalog, nil
+	return catalog, nil
 }
 type pluginClientConn struct {
@@ -723,9 +729,9 @@ func (c *PluginCatalog) isDatabasePlugin(ctx context.Context, pluginRunner *plug
 	return merr.ErrorOrNil()
 }
-// UpgradePlugins will loop over all the plugins of unknown type and attempt to
+// upgradePlugins will loop over all the plugins of unknown type and attempt to
 // upgrade them to typed plugins
-func (c *PluginCatalog) UpgradePlugins(ctx context.Context, logger log.Logger) error {
+func (c *PluginCatalog) upgradePlugins(ctx context.Context, logger log.Logger) error {
 	c.lock.Lock()
 	defer c.lock.Unlock()
@@ -739,6 +745,10 @@ func (c *PluginCatalog) UpgradePlugins(ctx context.Context, logger log.Logger) e
 	if err != nil {
 		return err
 	}
 	if len(pluginsRaw) == 0 {
 		return nil
 	}
 	plugins := make([]string, 0, len(pluginsRaw))
 	for _, p := range pluginsRaw {
 		if !strings.HasSuffix(p, "/") {
@@ -838,6 +848,7 @@ func (c *PluginCatalog) get(ctx context.Context, name string, pluginType consts.
 		// If none of the cases are satisfied, we'll search for a builtin plugin below.
 		switch {
 		case entry.OCIImage != "":
 			entry.Tmpdir = c.tmpdir
 			if entry.Runtime != "" {
 				entry.RuntimeConfig, err = c.runtimeCatalog.Get(ctx, entry.Runtime, consts.PluginRuntimeTypeContainer)
 				if err != nil {
@@ -1085,6 +1096,9 @@ func (c *PluginCatalog) ListPluginsWithRuntime(ctx context.Context, runtime stri
 		if plugin.Runtime == runtime {
 			ret = append(ret, plugin.Name)
 		}
 		if plugin.OCIImage != "" {
 			plugin.Tmpdir = c.tmpdir
 		}
 	}
 	return ret, nil
 }
@@ -1145,6 +1159,10 @@ func (c *PluginCatalog) listInternal(ctx context.Context, pluginType consts.Plug
 			continue
 		}
 		if plugin.OCIImage != "" {
 			plugin.Tmpdir = c.tmpdir
 		}
 		result = append(result, pluginutil.VersionedPlugin{
 			Name:            plugin.Name,
 			Type:            plugin.Type.String(),
--- a/vault/plugincatalog/plugin_catalog_test.go
+++ b/vault/plugincatalog/plugin_catalog_test.go
@@ -54,12 +54,14 @@ func testPluginCatalog(t *testing.T) *PluginCatalog {
 	pluginRuntimeCatalog := testPluginRuntimeCatalog(t)
 	pluginCatalog, err := SetupPluginCatalog(
 		context.Background(),
-		logger,
+		&PluginCatalogInput{
-		corehelpers.NewMockBuiltinRegistry(),
+			Logger:               logger,
-		logical.NewLogicalStorage(storage),
+			BuiltinRegistry:      corehelpers.NewMockBuiltinRegistry(),
-		testDir,
+			CatalogView:          logical.NewLogicalStorage(storage),
-		false,
+			PluginDirectory:      testDir,
-		pluginRuntimeCatalog,
+			EnableMlock:          false,
 			PluginRuntimeCatalog: pluginRuntimeCatalog,
 		},
 	)
 	if err != nil {
 		t.Fatal(err)
--- a/vault/plugincatalog/plugin_runtime_catalog.go
+++ b/vault/plugincatalog/plugin_runtime_catalog.go
@@ -40,9 +40,7 @@ func SetupPluginRuntimeCatalog(ctx context.Context, logger log.Logger, catalogVi
 		logger:      logger,
 	}
-	if logger.IsInfo() {
+	logger.Info("successfully setup plugin runtime catalog")
 		logger.Info("successfully setup plugin runtime catalog")
 	}
 	return pluginRuntimeCatalog, nil
 }
--- a/vault/testing.go
+++ b/vault/testing.go
@@ -1435,6 +1435,7 @@ func NewTestCluster(t testing.T, base *CoreConfig, opts *TestClusterOptions) *Te
 		coreConfig.MaxLeaseTTL = base.MaxLeaseTTL
 		coreConfig.CacheSize = base.CacheSize
 		coreConfig.PluginDirectory = base.PluginDirectory
 		coreConfig.PluginTmpdir = base.PluginTmpdir
 		coreConfig.Seal = base.Seal
 		coreConfig.UnwrapSeal = base.UnwrapSeal
 		coreConfig.DevToken = base.DevToken
--- a/website/content/docs/configuration/index.mdx
+++ b/website/content/docs/configuration/index.mdx
@@ -130,6 +130,16 @@ to specify where the configuration is.
  allowed to be loaded. Vault must have permission to read files in this
  directory to successfully load plugins, and the value cannot be a symbolic link.
 - `plugin_tmpdir` `(string: "")` - A directory that Vault can create temporary
  files in to support Unix socket communication with containerized plugins. If
  not set, Vault will use the system's default directory for temporary files.
  Generally not necessary unless you are using
  [containerized plugins](/vault/docs/plugins/containerized-plugins) and Vault
  does not share a temporary folder with other processes, such as if using
  systemd's [PrivateTmp](https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#PrivateTmp=)
  setting. This can also be specified via the `VAULT_PLUGIN_TMPDIR` environment
  variable.
  @include 'plugin-file-permissions-check.mdx'
 - `plugin_file_uid` `(integer: 0)` – Uid of the plugin directories and plugin binaries if they