opencontainers/runc
1
0
Fork 0
mirror of https://github.com/opencontainers/runc.git synced 2025-11-09 13:00:56 +03:00
Code Activity

Fix failure with rw bind mount of a ro fuse

Browse Source 
As reported in [1], in a case where read-only fuse (sshfs) mount
is used as a volume without specifying ro flag, the kernel fails
to remount it (when adding various flags such as nosuid and nodev),
returning EPERM.

Here's the relevant strace line:

> [pid 333966] mount("/tmp/bats-run-PRVfWc/runc.RbNv8g/bundle/mnt", "/proc/self/fd/7", 0xc0001e9164, MS_NOSUID|MS_NODEV|MS_REMOUNT|MS_BIND|MS_REC, NULL) = -1 EPERM (Operation not permitted)

I was not able to reproduce it with other read-only mounts as the source
(tried tmpfs, read-only bind mount, and an ext2 mount), so somehow this
might be specific to fuse.

The fix is to check whether the source has RDONLY flag, and retry the
remount with this flag added.

A test case (which was kind of hard to write) is added, and it fails
without the fix. Note that rootless user need to be able to ssh to
rootless@localhost in order to sshfs to work -- amend setup scripts
to make it work, and skip the test if the setup is not working.

[1] https://github.com/containers/podman/issues/12205

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
This commit is contained in:
Kir Kolyshkin
2021-11-16 13:50:09 -08:00
parent 20e928875a
commit 50105de1d8
6 changed files with 71 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
.cirrus.yml
View File

@@ -99,7 +99,7 @@ task:
# Work around dnf mirror failures by retrying a few times. # Work around dnf mirror failures by retrying a few times.
for i in $(seq 0 2); do for i in $(seq 0 2); do
sleep $i sleep $i
yum install -y -q gcc git iptables jq glibc-static libseccomp-devel make criu && break yum install -y -q gcc git iptables jq glibc-static libseccomp-devel make criu fuse-sshfs && break
done done
[ $? -eq 0 ] # fail if yum failed [ $? -eq 0 ] # fail if yum failed
# install Go # install Go
@@ -113,6 +113,12 @@ task:
cd - cd -
# Add a user for rootless tests # Add a user for rootless tests
useradd -u2000 -m -d/home/rootless -s/bin/bash rootless useradd -u2000 -m -d/home/rootless -s/bin/bash rootless
# Allow root and rootless itself to execute `ssh rootless@localhost` in tests/rootless.sh
ssh-keygen -t ecdsa -N "" -f /root/rootless.key
mkdir -m 0700 -p /home/rootless/.ssh
cp /root/rootless.key /home/rootless/.ssh/id_ecdsa
cat /root/rootless.key.pub >> /home/rootless/.ssh/authorized_keys
chown -R rootless.rootless /home/rootless
# set PATH # set PATH
echo 'export PATH=/usr/local/go/bin:/usr/local/bin:$PATH' >> /root/.bashrc echo 'export PATH=/usr/local/go/bin:/usr/local/bin:$PATH' >> /root/.bashrc
# Setup ssh localhost for terminal emulation (script -e did not work) # Setup ssh localhost for terminal emulation (script -e did not work)

7
.github/workflows/test.yml vendored
View File

@@ -46,13 +46,13 @@ jobs:
curl -fSsl $REPO/Release.key | sudo apt-key add - curl -fSsl $REPO/Release.key | sudo apt-key add -
echo "deb $REPO/ /" | sudo tee /etc/apt/sources.list.d/criu.list echo "deb $REPO/ /" | sudo tee /etc/apt/sources.list.d/criu.list
sudo apt update sudo apt update
sudo apt install libseccomp-dev criu sudo apt install libseccomp-dev criu sshfs
- name: install deps (criu ${{ matrix.criu }}) - name: install deps (criu ${{ matrix.criu }})
if: matrix.criu != '' if: matrix.criu != ''
run: | run: |
sudo apt -q update sudo apt -q update
sudo apt -q install libseccomp-dev \ sudo apt -q install libseccomp-dev sshfs \
libcap-dev libnet1-dev libnl-3-dev \ libcap-dev libnet1-dev libnl-3-dev \
libprotobuf-c-dev libprotobuf-dev protobuf-c-compiler protobuf-compiler libprotobuf-c-dev libprotobuf-dev protobuf-c-compiler protobuf-compiler
git clone https://github.com/checkpoint-restore/criu.git ~/criu git clone https://github.com/checkpoint-restore/criu.git ~/criu
@@ -81,9 +81,10 @@ jobs:
if: matrix.rootless == 'rootless' if: matrix.rootless == 'rootless'
run: | run: |
sudo useradd -u2000 -m -d/home/rootless -s/bin/bash rootless sudo useradd -u2000 -m -d/home/rootless -s/bin/bash rootless
# Allow root to execute `ssh rootless@localhost` in tests/rootless.sh # Allow root and rootless itself to execute `ssh rootless@localhost` in tests/rootless.sh
ssh-keygen -t ecdsa -N "" -f $HOME/rootless.key ssh-keygen -t ecdsa -N "" -f $HOME/rootless.key
sudo mkdir -m 0700 -p /home/rootless/.ssh sudo mkdir -m 0700 -p /home/rootless/.ssh
sudo cp $HOME/rootless.key /home/rootless/.ssh/id_ecdsa
sudo cp $HOME/rootless.key.pub /home/rootless/.ssh/authorized_keys sudo cp $HOME/rootless.key.pub /home/rootless/.ssh/authorized_keys
sudo chown -R rootless.rootless /home/rootless sudo chown -R rootless.rootless /home/rootless

1
Dockerfile
View File

@@ -31,6 +31,7 @@ RUN KEYFILE=/usr/share/keyrings/criu-repo-keyring.gpg; \
kmod \ kmod \
pkg-config \ pkg-config \
python3-minimal \ python3-minimal \
sshfs \
sudo \ sudo \
uidmap \ uidmap \
&& apt-get clean \ && apt-get clean \

5
Vagrantfile.fedora
View File

@@ -27,7 +27,7 @@ Vagrant.configure("2") do |config|
cat << EOF | dnf -y --exclude=kernel,kernel-core,systemd,systemd-* shell && break cat << EOF | dnf -y --exclude=kernel,kernel-core,systemd,systemd-* shell && break
config install_weak_deps false config install_weak_deps false
update update
install iptables gcc make golang-go glibc-static libseccomp-devel bats jq git-core criu install iptables gcc make golang-go glibc-static libseccomp-devel bats jq git-core criu fuse-sshfs
ts run ts run
EOF EOF
done done
@@ -36,9 +36,10 @@ EOF
# Add a user for rootless tests # Add a user for rootless tests
useradd -u2000 -m -d/home/rootless -s/bin/bash rootless useradd -u2000 -m -d/home/rootless -s/bin/bash rootless
# Allow root to execute `ssh rootless@localhost` in tests/rootless.sh # Allow root and rootless itself to execute `ssh rootless@localhost` in tests/rootless.sh
ssh-keygen -t ecdsa -N "" -f /root/rootless.key ssh-keygen -t ecdsa -N "" -f /root/rootless.key
mkdir -m 0700 -p /home/rootless/.ssh mkdir -m 0700 -p /home/rootless/.ssh
cp /root/rootless.key /home/rootless/.ssh/id_ecdsa
cat /root/rootless.key.pub >> /home/rootless/.ssh/authorized_keys cat /root/rootless.key.pub >> /home/rootless/.ssh/authorized_keys
chown -R rootless.rootless /home/rootless chown -R rootless.rootless /home/rootless

17
libcontainer/rootfs_linux.go
View File

@@ -1065,7 +1065,22 @@ func remount(m *configs.Mount, rootfs string, mountFd *int) error {
} }
return utils.WithProcfd(rootfs, m.Destination, func(procfd string) error { return utils.WithProcfd(rootfs, m.Destination, func(procfd string) error {
return mount(source, m.Destination, procfd, m.Device, uintptr(m.Flags|unix.MS_REMOUNT), "") flags := uintptr(m.Flags | unix.MS_REMOUNT)
err := mount(source, m.Destination, procfd, m.Device, flags, "")
if err == nil {
return nil
}
// Check if the source has ro flag...
var s unix.Statfs_t
if err := unix.Statfs(source, &s); err != nil {
return &os.PathError{Op: "statfs", Path: source, Err: err}
}
if s.Flags&unix.MS_RDONLY != unix.MS_RDONLY {
return err
}
// ... and retry the mount with ro flag set.
flags |= unix.MS_RDONLY
return mount(source, m.Destination, procfd, m.Device, flags, "")
}) })
} }

40
tests/integration/mounts_sshfs.bats Normal file
View File

@@ -0,0 +1,40 @@
#!/usr/bin/env bats
load helpers
function setup() {
# Create a ro fuse-sshfs mount; skip the test if it's not working.
local sshfs="sshfs
-o UserKnownHostsFile=/dev/null
-o StrictHostKeyChecking=no
-o PasswordAuthentication=no"
DIR="$BATS_RUN_TMPDIR/fuse-sshfs"
mkdir -p "$DIR"
if ! $sshfs -o ro rootless@localhost: "$DIR"; then
skip "test requires working sshfs mounts"
fi
setup_hello
}
function teardown() {
# New distros (Fedora 35) do not have fusermount installed
# as a dependency of fuse-sshfs, and good ol' umount works.
fusermount -u "$DIR" || umount "$DIR"
teardown_bundle
}
@test "runc run [rw bind mount of a ro fuse sshfs mount]" {
update_config ' .mounts += [{
type: "bind",
source: "'"$DIR"'",
destination: "/mnt",
options: ["rw", "rprivate", "nosuid", "nodev", "rbind"]
}]'
runc run test_busybox
[ "$status" -eq 0 ]
}