-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow bind mounts of nodev,nosuid,noexec filesystems #3805
Conversation
22cb767
to
2fcc2bf
Compare
@rpluem-vf can you please
|
2fcc2bf
to
5db5636
Compare
@kolyshkin: Like now? |
Yes, thanks! If you can rebase one more time, CI might even become green again :) Also, a nit in the first commit message: you have "roset" without a space, and an extra space before period. |
update_config '.linux.namespaces += [{type: "user"}] | ||
| .linux.uidMappings += [{"hostID": 100000, "containerID": 0, "size": 65534}] | ||
| .linux.gidMappings += [{"hostID": 100000, "containerID": 0, "size": 65534}]' | ||
fi | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The original test has to be kept
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I moved out my check to a new bats test file (b7bb49b). Furthermore I reviewed the test again and I could simplify it and make it more like the existing test.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@kolyshkin: Like now?
Yes, thanks!
If you can rebase one more time, CI might even become green again :)
One more rebase done. After the rebase is before the next one :-)
Also, a nit in the first commit message: you have "roset" without a space, and an extra space before period.
Fixed commit message.
Originally posted by @AkihiroSuda in #3801 (comment) |
493e752
to
b7bb49b
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Thanks. Let me know if another final rebase is required. |
type: "bind", | ||
source: "'"$DIR"'", | ||
destination: "/mnt", | ||
options: ["dev", "suid", "exec", "rprivate", "rbind", "sync"] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we test just using "rbind", "rprivate"
too? We hit that in #3770 with COS
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unfortunately this is not sufficient. It will not trigger a remount.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh, because of this:
runc/libcontainer/rootfs_linux.go
Lines 471 to 473 in 5726682
if m.Flags&^(unix.MS_REC|unix.MS_REMOUNT|unix.MS_BIND) != 0 { | |
// only remount if unique mount options are set | |
if err := remount(m, rootfs, mountFd); err != nil { |
Then this is solving a real problem for you? You happen to hit it and the flags that were used included some that trigger a remount?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You could try "rbind", "rprivate", "sync"
. In order to trigger a remount an additional flag different to unix.MS_REC|unix.MS_REMOUNT|unix.MS_BIND
must be present. "dev", "suid", "exec"
do not meet this as they are parsed to set no flag (their value is true
):
runc/libcontainer/specconv/spec_linux.go
Lines 74 to 77 in 5726682
"dev": {true, unix.MS_NODEV}, | |
"diratime": {true, unix.MS_NODIRATIME}, | |
"dirsync": {false, unix.MS_DIRSYNC}, | |
"exec": {true, unix.MS_NOEXEC}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I understand that. But the only time I hit this in the wild was without such an option being set. It doesn't seem like crun needs that either.
With this patch, are you fixing an issue you encounter in a real world scenario?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@rpluem-vf probably nodev,nosuid,noexec are enough. But it would be great if @vinayakankugoyal shares what options the COS mount of /var
has.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So nodev
, nosuid
, noexec
on the source and rbind
, ro
on the destination (pending @vinayakankugoyal confirmation)?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How about 06f65bf that is now added?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
SGTM
Is there anything I can do to move this forward? |
@rpluem-vf maintainers review time is scarce, sadly I'm no maintainer here. I think you should ping them from time to time. |
@vinayakankugoyal can you test this PR to see if, without the containerd patch and this PR, it all works as expected for your use case too? It should, but just a sanity check won't hurt |
I had a typo when posting the last comment, cc @vinayakankugoyal again just in case it doesn't send notifications when tagging on edits. |
b7bb49b
to
06f65bf
Compare
@vinayakankugoyal : Any update? |
@AkihiroSuda : Would you mind having another look? Freshly rebased and I think all things are addressed. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
@rpluem-vf I received an email notification that @vinayakankugoyal tested it and works fine, but github had some issues today and it seems it is not showing it here. |
Got that as well, but I thought that he probably deleted it for whatever reason. |
66c149e
to
8cb4ca7
Compare
@kolyshkin : Can you please have a look if the current state matches your expectations? |
@kolyshkin / @cyphar : Can one of you please do a review? |
@kolyshkin / @cyphar : Can one of you please do a review? |
8cb4ca7
to
a131dc9
Compare
Ping @kolyshkin |
ping @kolyshkin |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, thanks!
Currently bind mounts of filesystems with nodev, nosuid, noexec, noatime, relatime, strictatime, nodiratime options set fail in rootless mode if the same options are not set for the bind mount. For ro filesystems this was resolved by opencontainers#2570 by remounting again with ro set. Follow the same approach for nodev, nosuid, noexec, noatime, relatime, strictatime, nodiratime but allow to revert back to the old behaviour via the new `--no-mount-fallback` command line option. Add a testcase to verify that bind mounts of filesystems with nodev, nosuid, noexec, noatime options set work in rootless mode. Add a testcase that mounts a nodev, nosuid, noexec, noatime filesystem with a ro flag. Add two further testcases that ensure that the above testcases would fail if the `--no-mount-fallback` command line option is set. * contrib/completions/bash/runc: Add `--no-mount-fallback` command line option for bash completion. * create.go: Add `--no-mount-fallback` command line option. * restore.go: Add `--no-mount-fallback` command line option. * run.go: Add `--no-mount-fallback` command line option. * libcontainer/configs/config.go: Add `NoMountFallback` field to the `Config` struct to store the command line option value. * libcontainer/specconv/spec_linux.go: Add `NoMountFallback` field to the `CreateOpts` struct to store the command line option value and store it in the libcontainer config. * utils_linux.go: Store the command line option value in the `CreateOpts` struct. * libcontainer/rootfs_linux.go: In case that `--no-mount-fallback` is not set try to remount the bind filesystem again with the options nodev, nosuid, noexec, noatime, relatime, strictatime or nodiratime if they are set on the source filesystem. * tests/integration/mounts_sshfs.bats: Add testcases and rework sshfs setup to allow specifying different mount options depending on the test case. Signed-off-by: Ruediger Pluem <[email protected]>
a131dc9
to
da780e4
Compare
Sorry for not reviewing this earlier -- what was the reason for adding |
Because it seemed controversial to modify the config on runc(-compatible) side. |
Hmm. Given we do this for ro, this is for rootless containers, and all of the flags are mnt_locked flags, I think it's safe to do the rewriting indiscriminately. We can discuss this in a separate PR though. |
I think more preferable behaviour would be to error out if the user explicitly requested a mount option we couldn't provide. I'll write a patch. EDIT: #3967 is my proposed solution |
Hi, I'm glad this has been merged to master yet I don't see any milestone set. Do you know when we can expect this to be released (1.2.0, other?). Thanks in advance |
This is being reworked in #3967 and there are a few other PRs we need to merge before we release a 1.2.0-rc.1. |
Thanks @cyphar |
Currently bind mounts of filesystems with
nodev
,nosuid
,noexec
options set fail in rootless mode if the same options are not set for the bind mount. Forro
filesystems this was resolved by #2570 by remounting again withro
set. Follow the same approach fornodev
,nosuid
,noexec
.This is a replacement for the now closed #3710