Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

configs: validate: add validation for bind-mount fsflags #3990

Merged
merged 1 commit into from
Nov 18, 2023
Merged

configs: validate: add validation for bind-mount fsflags #3990

merged 1 commit into from
Nov 18, 2023

Conversation

cyphar
Copy link
Member

@cyphar cyphar commented Aug 22, 2023

Bind-mounts cannot have any filesystem-specific "data" arguments, because the kernel ignores the data argument for MS_BIND and MS_BIND|MS_REMOUNT and we cannot safely try to override the flags because those would affect mounts on the host (these flags affect the superblock).

It should be noted that there are cases where the filesystem-specified flags will also be ignored for non-bind-mounts but those are kernel quirks and there's no real way for us to work around them. And users wouldn't get any real benefit from us adding guardrails to existing kernel behaviour.

See the discussion in opencontainers/runtime-spec#1222. I am a little worried this could break users, but I also would be very surprised if users were specifying flags to bind mounts that are always ignored.

Signed-off-by: Aleksa Sarai [email protected]

@cyphar cyphar added this to the 1.2.0 milestone Aug 22, 2023
@cyphar cyphar marked this pull request as ready for review August 23, 2023 04:05
@cyphar cyphar added the backport/1.1-todo A PR in main branch which needs to be backported to release-1.1 label Aug 23, 2023
Copy link
Contributor

@kolyshkin kolyshkin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@rata ptal

@rata
Copy link
Member

rata commented Aug 25, 2023

The code per-se is fine. But I'm not sure I understand is the intent of this PR. In the description is said quite clearly too:

I am a little worried this could break users, but I also would be very surprised if users were specifying flags to bind mounts that are always ignored.

If this always worked, why do we want to start throwing an error? What would be simpler for us in the future if we do this?

I'd like to think a warning can help as a first step if we want to go on this direction, but no one really looks at the warnings we throw at this part of the stack today, so I don't think it will help :-/

@cyphar
Copy link
Member Author

cyphar commented Aug 25, 2023

At the moment we are ignoring flags the user has explicitly requested and there is no way for us to not ignore them (you by defintion cannot set fs-specific flags on bind-mounts because they are per-superblock). I see this as being related to the work in #3967. The runtime-spec has frustratingly loose wording on how mounts should be handled in these sorts of edge cases.

Perhaps it would be less aggressive to make this a warning and we can return an error in 1.3 if nobody complains.

@rata
Copy link
Member

rata commented Aug 25, 2023

Perhaps it would be less aggressive to make this a warning and we can return an error in 1.3 if nobody complains.

I think we already have a bunch of changes in 1.2, I prefer to not add more possibly breaking changes. A warning SGTM.

But what do we have to win by returning an error? Will something be better for us, or it just has the potential to break users? Can't we even assign data to "" and throw a warning and consider it done?

Copy link
Member

@rata rata left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, I think the value this adds is that we will reject flags we don't recognize.

I think this is nice (would be even better to do it in crun and reflect this in the spec in some way), and I'm up for backporting this to 1.1 so we find out early if this causes issues to users.

Left some small comments on the error and minor nits.

libcontainer/configs/validate/validator.go Outdated Show resolved Hide resolved
libcontainer/configs/validate/validator.go Outdated Show resolved Hide resolved
Copy link
Contributor

@kolyshkin kolyshkin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Couple of nits but overall LGTM.

Copy link
Member

@rata rata left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall LGTM, no need to fix the nits in this PR, and if you fix them here no need to re-review, they are trivial

@lifubang
Copy link
Member

lifubang commented Oct 7, 2023

I am a little worried this could break users

Is this need to be backported to '1.1'? I am a bit worried too.

Perhaps it would be less aggressive to make this a warning and we can return an error in 1.3 if nobody complains.

If we change to output a warning msg, I think we can backport it to '1.1'.

@kolyshkin
Copy link
Contributor

I am a little worried this could break users

Is this need to be backported to '1.1'? I am a bit worried too.

My thinking is, it will help users to find problems in their setups before we release 1.2.0 (meaning, instead of piling everything to 1.2.0, we can use the 1.1.10 opportunity to introduce this change -- and, if it is really breaking users setups, revert it).

A warning seems better, the only problem is, no one sees these warnings, because no one uses runc directly, and (AFAIK) upper level tools do not show runc output to users.

OTOH I don't have a stong opinion, and since this is definitely not a bug fix, let's not backport it.

@kolyshkin kolyshkin removed the backport/1.1-todo A PR in main branch which needs to be backported to release-1.1 label Oct 9, 2023
@cyphar
Copy link
Member Author

cyphar commented Oct 23, 2023

Fixed up the nits.

I agree with @kolyshkin that it would be nice if warnings were useful, but they're not so making it warning-only in 1.2 (or backporting a warning-only version to 1.1) are of limited usefulness...

@kolyshkin
Copy link
Contributor

Also, in case it causes a major breakage, we can address that in a 1.2.z stable release in a timely manner.

@kolyshkin kolyshkin requested a review from AkihiroSuda October 27, 2023 20:18
Bind-mounts cannot have any filesystem-specific "data" arguments,
because the kernel ignores the data argument for MS_BIND and
MS_BIND|MS_REMOUNT and we cannot safely try to override the flags
because those would affect mounts on the host (these flags affect the
superblock).

It should be noted that there are cases where the filesystem-specified
flags will also be ignored for non-bind-mounts but those are kernel
quirks and there's no real way for us to work around them. And users
wouldn't get any real benefit from us adding guardrails to existing
kernel behaviour.

Signed-off-by: Aleksa Sarai <[email protected]>
@cyphar cyphar mentioned this pull request Nov 7, 2023
21 tasks
@kolyshkin
Copy link
Contributor

@opencontainers/runc-maintainers PTAL

// possible for userspace to detect this caching, but this wouldn't help
// runc because the behaviour wouldn't even be desirable for most users.
if m.Data != "" {
return errors.New("bind mounts cannot have any filesystem-specific options applied")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can be just a warning?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The problem is that (at least, according to some other recent issues) most people can't see runc warnings because higher-level runtimes don't provide them to users, so adding a warning doesn't do much. I think we had the same issue with the relative-mount-paths validation.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FWIW, I would prefer if we made this a warning for one release and then upgraded it to an error in runc 1.3, but if warnings are invisible to most users then there's not much point.

@thaJeztah
Copy link
Member

because the kernel will completely ignore these flags

This PR seems reasonable to me, although we must be careful to what extent it's "our" responsibility to validate things (or to leave it to the kernel). I still recall at some point we added validation for "valid environment variable names", which turned out to be a bit over-enthusiastic, as there were many systems depending on names outside of the "safe" range.
So for situations where it doesn't "really" complicate things for us, I'm leaning towards leaving it to the kernel to decide whether something should be considered valid or not.

@cyphar
Copy link
Member Author

cyphar commented Nov 15, 2023

@thaJeztah The problem is that in this case (unlike the variable name cases, and most other cases where we don't restrict things the kernel allows), not checking means we are ignoring any set flags on bind-mounts, which means that the idmap and ridmap flags won't produce errors on older runc versions -- meaning that adding new mount options in a backwards-compatible way (where users are told the flag is being ignored) isn't possible for bind-mounts without this kind of validation.

The fact the kernel ignores the data argument for MS_BIND is due to the way the mount(2) syscall was designed (it's a multiplexer where some arguments are not relevant for some operations, and has finally been broken up into a much better design with the new mount API) and it's not possible for any future Linux kernel version to change the behaviour.

@cyphar cyphar merged commit 32d433c into opencontainers:main Nov 18, 2023
45 checks passed
@cyphar cyphar deleted the bind-mount-data-error branch November 18, 2023 05:48
@cyphar cyphar mentioned this pull request Mar 14, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants