Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow bind mounts of nodev,nosuid,noexec filesystems #3805

Merged
merged 1 commit into from
Jul 29, 2023

Conversation

rpluem-vf
Copy link
Contributor

@rpluem-vf rpluem-vf commented Apr 3, 2023

Currently bind mounts of filesystems with nodev, nosuid, noexec options set fail in rootless mode if the same options are not set for the bind mount. For ro filesystems this was resolved by #2570 by remounting again with roset. Follow the same approach for nodev, nosuid, noexec .

This is a replacement for the now closed #3710

@rpluem-vf rpluem-vf force-pushed the nodev_noexec_nosuid branch 5 times, most recently from 22cb767 to 2fcc2bf Compare April 3, 2023 18:49
@rpluem-vf rpluem-vf marked this pull request as ready for review April 3, 2023 19:43
@kolyshkin
Copy link
Contributor

@rpluem-vf can you please

  • merge the last commit into the previous one
  • move the test case commit to after the fix (this way we won't break git-bisect)

@rpluem-vf rpluem-vf force-pushed the nodev_noexec_nosuid branch from 2fcc2bf to 5db5636 Compare April 4, 2023 06:16
@rpluem-vf
Copy link
Contributor Author

@rpluem-vf can you please

  • merge the last commit into the previous one
  • move the test case commit to after the fix (this way we won't break git-bisect)

@kolyshkin: Like now?

@kolyshkin
Copy link
Contributor

@kolyshkin: Like now?

Yes, thanks!

If you can rebase one more time, CI might even become green again :)

Also, a nit in the first commit message: you have "roset" without a space, and an extra space before period.

update_config '.linux.namespaces += [{type: "user"}]
| .linux.uidMappings += [{"hostID": 100000, "containerID": 0, "size": 65534}]
| .linux.gidMappings += [{"hostID": 100000, "containerID": 0, "size": 65534}]'
fi

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The original test has to be kept

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I moved out my check to a new bats test file (b7bb49b). Furthermore I reviewed the test again and I could simplify it and make it more like the existing test.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@kolyshkin: Like now?

Yes, thanks!

If you can rebase one more time, CI might even become green again :)

One more rebase done. After the rebase is before the next one :-)

Also, a nit in the first commit message: you have "roset" without a space, and an extra space before period.

Fixed commit message.

@AkihiroSuda
Copy link
Member

I think we discussed this before in somewhere, and we wanted high-level runtimes to generate the proper config.

Originally posted by @AkihiroSuda in #3801 (comment)

@rpluem-vf rpluem-vf force-pushed the nodev_noexec_nosuid branch 2 times, most recently from 493e752 to b7bb49b Compare April 5, 2023 07:14
@rpluem-vf rpluem-vf requested a review from AkihiroSuda April 5, 2023 10:50
Copy link
Contributor

@kolyshkin kolyshkin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@rpluem-vf
Copy link
Contributor Author

LGTM

Thanks. Let me know if another final rebase is required.

type: "bind",
source: "'"$DIR"'",
destination: "/mnt",
options: ["dev", "suid", "exec", "rprivate", "rbind", "sync"]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we test just using "rbind", "rprivate" too? We hit that in #3770 with COS

cc @vinayakankugoyal

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unfortunately this is not sufficient. It will not trigger a remount.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, because of this:

if m.Flags&^(unix.MS_REC|unix.MS_REMOUNT|unix.MS_BIND) != 0 {
// only remount if unique mount options are set
if err := remount(m, rootfs, mountFd); err != nil {
?

Then this is solving a real problem for you? You happen to hit it and the flags that were used included some that trigger a remount?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You could try "rbind", "rprivate", "sync". In order to trigger a remount an additional flag different to unix.MS_REC|unix.MS_REMOUNT|unix.MS_BIND must be present. "dev", "suid", "exec" do not meet this as they are parsed to set no flag (their value is true):

"dev": {true, unix.MS_NODEV},
"diratime": {true, unix.MS_NODIRATIME},
"dirsync": {false, unix.MS_DIRSYNC},
"exec": {true, unix.MS_NOEXEC},

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I understand that. But the only time I hit this in the wild was without such an option being set. It doesn't seem like crun needs that either.

With this patch, are you fixing an issue you encounter in a real world scenario?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@rpluem-vf probably nodev,nosuid,noexec are enough. But it would be great if @vinayakankugoyal shares what options the COS mount of /var has.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So nodev, nosuid, noexec on the source and rbind, ro on the destination (pending @vinayakankugoyal confirmation)?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes :)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about 06f65bf that is now added?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SGTM

@rpluem-vf
Copy link
Contributor Author

Is there anything I can do to move this forward?

@rata
Copy link
Member

rata commented Apr 13, 2023

@rpluem-vf maintainers review time is scarce, sadly I'm no maintainer here. I think you should ping them from time to time.

@rata
Copy link
Member

rata commented Apr 14, 2023

@vinayakankugoyal can you test this PR to see if, without the containerd patch and this PR, it all works as expected for your use case too? It should, but just a sanity check won't hurt

@rata
Copy link
Member

rata commented Apr 14, 2023

I had a typo when posting the last comment, cc @vinayakankugoyal again just in case it doesn't send notifications when tagging on edits.

@rpluem-vf rpluem-vf force-pushed the nodev_noexec_nosuid branch from b7bb49b to 06f65bf Compare April 18, 2023 08:54
@rpluem-vf
Copy link
Contributor Author

@vinayakankugoyal can you test this PR to see if, without the containerd patch and this PR, it all works as expected for your use case too? It should, but just a sanity check won't hurt

@vinayakankugoyal : Any update?

@rpluem-vf
Copy link
Contributor Author

@AkihiroSuda : Would you mind having another look? Freshly rebased and I think all things are addressed.

Copy link
Member

@rata rata left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@rata
Copy link
Member

rata commented Apr 18, 2023

@rpluem-vf I received an email notification that @vinayakankugoyal tested it and works fine, but github had some issues today and it seems it is not showing it here.

@rpluem-vf
Copy link
Contributor Author

@rpluem-vf I received an email notification that @vinayakankugoyal tested it and works fine, but github had some issues today and it seems it is not showing it here.

Got that as well, but I thought that he probably deleted it for whatever reason.

@rpluem-vf rpluem-vf force-pushed the nodev_noexec_nosuid branch from 66c149e to 8cb4ca7 Compare June 12, 2023 10:22
@AkihiroSuda AkihiroSuda requested a review from kolyshkin June 12, 2023 10:23
@rpluem-vf
Copy link
Contributor Author

@kolyshkin : Can you please have a look if the current state matches your expectations?

@AkihiroSuda AkihiroSuda requested a review from cyphar June 23, 2023 12:47
@rpluem-vf
Copy link
Contributor Author

@kolyshkin / @cyphar : Can one of you please do a review?

@rpluem-vf
Copy link
Contributor Author

@kolyshkin / @cyphar : Can one of you please do a review?

@rpluem-vf rpluem-vf force-pushed the nodev_noexec_nosuid branch from 8cb4ca7 to a131dc9 Compare July 12, 2023 06:22
@AkihiroSuda
Copy link
Member

Merging is blocked
Merging can be performed automatically once the requested changes are addressed.

Ping @kolyshkin

@lifubang
Copy link
Member

See above.

ping @kolyshkin
#3805 (review)

Copy link
Contributor

@kolyshkin kolyshkin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks!

Currently bind mounts of filesystems with nodev, nosuid, noexec,
noatime, relatime, strictatime, nodiratime options set fail in rootless
mode if the same options are not set for the bind mount.
For ro filesystems this was resolved by opencontainers#2570 by remounting again
with ro set.

Follow the same approach for nodev, nosuid, noexec, noatime, relatime,
strictatime, nodiratime but allow to revert back to the old behaviour
via the new `--no-mount-fallback` command line option.

Add a testcase to verify that bind mounts of filesystems with nodev,
nosuid, noexec, noatime options set work in rootless mode.
Add a testcase that mounts a nodev, nosuid, noexec, noatime filesystem
with a ro flag.
Add two further testcases that ensure that the above testcases would
fail if the `--no-mount-fallback` command line option is set.

* contrib/completions/bash/runc:
      Add `--no-mount-fallback` command line option for bash completion.

* create.go:
      Add `--no-mount-fallback` command line option.

* restore.go:
      Add `--no-mount-fallback` command line option.

* run.go:
      Add `--no-mount-fallback` command line option.

* libcontainer/configs/config.go:
      Add `NoMountFallback` field to the `Config` struct to store
      the command line option value.

* libcontainer/specconv/spec_linux.go:
      Add `NoMountFallback` field to the `CreateOpts` struct to store
      the command line option value and store it in the libcontainer
      config.

* utils_linux.go:
      Store the command line option value in the `CreateOpts` struct.

* libcontainer/rootfs_linux.go:
      In case that `--no-mount-fallback` is not set try to remount the
      bind filesystem again with the options nodev, nosuid, noexec,
      noatime, relatime, strictatime or nodiratime if they are set on
      the source filesystem.

* tests/integration/mounts_sshfs.bats:
      Add testcases and rework sshfs setup to allow specifying
      different mount options depending on the test case.

Signed-off-by: Ruediger Pluem <[email protected]>
@kolyshkin kolyshkin force-pushed the nodev_noexec_nosuid branch from a131dc9 to da780e4 Compare July 28, 2023 23:32
@kolyshkin kolyshkin enabled auto-merge July 28, 2023 23:32
@kolyshkin kolyshkin merged commit b15a6a3 into opencontainers:main Jul 29, 2023
@cyphar
Copy link
Member

cyphar commented Aug 3, 2023

Sorry for not reviewing this earlier -- what was the reason for adding --no-mount-fallback? Is it only there for tests? In general we want to avoid adding arguments to runc because runc-compatible runtimes have to copy all of our cli arguments.

@AkihiroSuda
Copy link
Member

Sorry for not reviewing this earlier -- what was the reason for adding --no-mount-fallback? Is it only there for tests? In general we want to avoid adding arguments to runc because runc-compatible runtimes have to copy all of our cli arguments.

Because it seemed controversial to modify the config on runc(-compatible) side.

@cyphar
Copy link
Member

cyphar commented Aug 3, 2023

Hmm. Given we do this for ro, this is for rootless containers, and all of the flags are mnt_locked flags, I think it's safe to do the rewriting indiscriminately. We can discuss this in a separate PR though.

@cyphar
Copy link
Member

cyphar commented Aug 6, 2023

I think more preferable behaviour would be to error out if the user explicitly requested a mount option we couldn't provide. I'll write a patch.

EDIT: #3967 is my proposed solution

@testinfected
Copy link

testinfected commented Aug 22, 2023

Hi,

I'm glad this has been merged to master yet I don't see any milestone set. Do you know when we can expect this to be released (1.2.0, other?).

Thanks in advance

@cyphar cyphar added this to the 1.2.0 milestone Aug 22, 2023
@cyphar
Copy link
Member

cyphar commented Aug 22, 2023

This is being reworked in #3967 and there are a few other PRs we need to merge before we release a 1.2.0-rc.1.

@testinfected
Copy link

Thanks @cyphar

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants