Set ReadOnly during function create and update

[LucasRoesler]

Description

• Set the ReadOnlyRoot option in the function container
• Fix broken secrets test
  • Create slice of secret names found in Swarm
  • Use %v to fix a type issue in the error message format string
• Update vendored version of faas

Motivation and Context

• This enforces that the function container is created with a read-only filesystem at /

• Tests were failing because the %s was not allows for the array of Secrets

• This version of the faas dependency is required for the ReadOnlyRootFilesystem property in the CreateFunctionRequest

  • I am not sure why so much of it is vendored, but it is what dep ensure created

• [X] I have raised an issue to propose this change (required)

Closed openfaas/faas#590

How Has This Been Tested?

Getting this posted so that others can check it out, I will be testing it soon with its companion PR for the faas-cli openfaas/faas-cli#439

Types of changes

• [ ] Bug fix (non-breaking change which fixes an issue)
• [X] New feature (non-breaking change which adds functionality)
• [ ] Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

• [X] My code follows the code style of this project.
• [X] My change requires a change to the documentation.
• [ ] I have updated the documentation accordingly.
• [X] I've read the CONTRIBUTION guide
• [X] I have signed-off my commits with git commit -s
• [ ] I have added tests to cover my changes.
• [X] All new and existing tests passed.

[LucasRoesler]

It occurs to me that I did not add writable mount for /tmp when the ReadOnlyRootFilesystem is true. I assume that tmpfs is probably the most appropriate, perhaps someone with more experience or an opinion on Swarm can let me know?

    if request.ReadOnlyRootFilesystem {
        spec.TaskTemplate.ContainerSpec.Mounts = []mount.Mount{
            {
                Type:   mount.TypeTmpfs,
                Target: "/tmp",
            },
        }
    }

Per the docs https://docs.docker.com/storage/tmpfs/#specify-tmpfs-options, this should create a world writable folder with unlimited size. Perhaps we need an additional flag to allow a max size to be set?

[Templum]

@LucasRoesler Regarding an additional flag for max size. As far as I know for the K8S implementation we use the emptyDir and I'm not aware of a way how to limit an emptyDir so this could cause for differences in the behavior.

[alexellis]

Lucas thank you for your work co-coordinating this.

I saw this comment and wondered if it was from before we talked about prune?

I am not sure why so much of it is vendored, but it is what dep ensure created

Is prune enabled?

Thanks,

Alex

[LucasRoesler]

Just checked, prune is not enabled. I will create a PR for that and then rebase once it is merged.

[alexellis]

Hi @LucasRoesler I'm now seeing "conflicting files" such as:

vendor/github.com/openfaas/faas/.DEREK.yml
vendor/github.com/openfaas/faas/.travis.yml
vendor/github.com/openfaas/faas/BACKERS.md
vendor/github.com/openfaas/faas/CONTRIBUTING.md
vendor/github.com/openfaas/faas/DEV.md
vendor/github.com/openfaas/faas/README.md
vendor/github.com/openfaas/faas/TestDrive.md
vendor/github.com/openfaas/faas/api-docs/swagger.yml
vendor/github.com/openfaas/faas/build.sh
vendor/github.com/openfaas/faas/community.md
vendor/github.com/openfaas/faas/contrib/HACK.md
vendor/github.com/openfaas/faas/contrib/ci.sh
vendor/github.com/openfaas/faas/deploy_stack.sh
vendor/github.com/openfaas/faas/docker-compose.armhf.yml
vendor/github.com/openfaas/faas/docker-compose.yml
vendor/github.com/openfaas/faas/docs/README.md
vendor/github.com/openfaas/faas/gateway/Dockerfile
vendor/github.com/openfaas/faas/gateway/Dockerfile.arm64
vendor/github.com/openfaas/faas/gateway/Dockerfile.armhf
vendor/github.com/openfaas/faas/gateway/Gopkg.lock

This is probably due to the PR I just merged ( #27 )

Alex

[LucasRoesler]

I have rebased and I have bumped the version of faas again

[alexellis]

Merged, thanks @LucasRoesler for working on this.