[rootless & fuse-ovl] mount command makes most directories disappear rendering the container useless #1225

Closed
TomasTomecek opened this Issue Dec 6, 2018 · 5 comments

Contributor

TomasTomecek commented Dec 6, 2018

Description
mount command seems to be a magician:

$ buildah from registry.fedoraproject.org/fedora:29
fedora-working-container

$ buildah run fedora-working-container ls /
bin  boot  dev  etc  home  lib  lib64  lost+found  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var

so far so good

$ buildah mount fedora-working-container
/home/tt/.local/share/containers/storage/overlay/ecf5d2cc2ea73f428dd2aef0f5159af1b97e7c1ea555e50a02adb674bc776ed3/merged

$ ls -lha /home/tt/.local/share/containers/storage/overlay/ecf5d2cc2ea73f428dd2aef0f5159af1b97e7c1ea555e50a02adb674bc776ed3/merged
total 0
drwx------. 6 tt tt 51 Dec  6 17:31 .
drwx------. 5 tt tt 69 Dec  6 17:30 ..
drwxr-xr-x. 2 tt tt  6 Dec  6 17:31 dev
drwxr-xr-x. 2 tt tt 38 Dec  6 17:31 etc
drwxr-xr-x. 2 tt tt  6 Dec  6 17:31 proc
drwxr-xr-x. 2 tt tt  6 Dec  6 17:31 sys

where is the rest?

$ buildah run fedora-working-container ls /
container_linux.go:337: starting container process caused "exec: \"ls\": executable file not found in $PATH"
error running container: error creating container for [ls /]: : exit status 1
error while running runtime: exit status 1
ERRO[0000] exit status 1

It's true, whole /usr is gone.

Can this be an issue of fuse-overlayfs?

$ cat ~/.config/containers/storage.conf
RunRoot = "/run/user/1000"
GraphRoot = "/home/tt/.local/share/containers/storage"
GraphDriverName = "overlay"
GraphDriverOptions = ["overlay.mount_program=/usr/bin/fuse-overlayfs"]

$ buildah version
Version:         1.5
Go Version:      go1.11.2
Image Spec:      1.0.0
Runtime Spec:    1.0.0
CNI Spec:        0.4.0
libcni Version:
Git Commit:
Built:           Thu Jan  1 01:00:00 1970
OS/Arch:         linux/amd64
Member

giuseppe commented Dec 7, 2018

fuse-overlayfs is running inside of a new user+mount namespace, so what is mounted is not visible outside of the mount namespace. We could run fuse-overlayfs in the host mount namespace; after all, it is just a FUSE file system, but in this way we wouldn't be able to use the multiple IDs we have in the user namespace.

To improve usability we could disable mount when overlay is used in rootless mode, but technically it is possible to use, it is just a "nsenter -u -m" away:

$ buildah from registry.fedoraproject.org/fedora:29
$ mnt=$(buildah mount fedora-working-container
/home/gscrivano/.local/share/containers/storage/overlay)
$ ls $mnt
$ nsenter -m -U -t $(pgrep fuse-overlayfs) ls $mnt
bin  boot  dev	etc  home  lib	lib64  lost+found  media  mnt  opt  proc  root	run  sbin  srv	sys  tmp  usr  var
$ nsenter -m -U -t $(pgrep fuse-overlayfs) bash -c 'echo foo > $mnt/bar'
$ nsenter -m -U -t $(pgrep fuse-overlayfs) ls $mnt
bar bin  boot  dev	etc  home  lib	lib64  lost+found  media  mnt  opt  proc  root	run  sbin  srv	sys  tmp  usr  var

Maybe we should just print a warning on how it must be used?

Contributor

TomasTomecek commented Dec 7, 2018

To improve usability we could disable mount when overlay is used in rootless mode

Yes please. This issue actually breaks the buildah connection plugin in Ansible: Ansible first performs buildah mount and then starts firing off commands with buildah run -- obviously, none of them succeeds.

Maybe we should just print a warning on how it must be used?

Definitely worth documenting.

Well, for me it's back to vfs :<

Member

rhatdan commented Dec 7, 2018

Can't buildah (podman) mount mount the fuse file system in the user space, so that this would work?

Member

giuseppe commented Dec 8, 2018

fuse-overlayfs can be used in the host mount namespace, but there are two issues that block us from using it:

  • the rootless user keeps its UID, not 0
  • we have only one UID/GID available

@TomasTomecek TomasTomecek changed the title mount command makes most directories disappear rendering the container useless [rootless & fuse-ovl] mount command makes most directories disappear rendering the container useless Dec 9, 2018

Member

rhatdan commented Dec 10, 2018

We could probably warn about that. I think we need to add podman cp command to allow users to copy in and out of the container, if podman mount does not really work in nonroot use cases.

giuseppe added a commit to giuseppe/buildah that referenced this issue Dec 12, 2018

mount: allow mount only when using vfs
when using a driver different than vfs, the mount is probably in a
different mount namespace thus not accessible from the host.  Avoid
the confusion by not allowing mount when a different driver is used.

Closes: containers#1225

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
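The two technical points in this thread are the namespace explanation in giuseppe's first comment (a rootless fuse-overlayfs mount lives in the mount program's own user+mount namespace, so the host sees only the empty skeleton directories) and the policy the fix commit describes (allow buildah mount only with the vfs driver). The following Go program is an added illustration of that policy and is not buildah's own code: it reads the GraphDriverName and GraphDriverOptions keys from a storage.conf snippet (the one pasted in the issue, embedded here as a constant), decides whether a mount path will be visible from the host, and, when it will not, prints the nsenter form of the command that giuseppe showed. The line-based parser, the MountVisibility type and the checkMountVisibility function are assumptions of this example, not a real buildah API; the parser handles only the simple key = value lines shown above, not general TOML.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// StorageConfig holds the two storage.conf values that decide whether a
// rootless "buildah mount" path is reachable from the host mount namespace.
type StorageConfig struct {
	GraphDriverName string // e.g. "overlay" or "vfs"
	MountProgram    string // overlay.mount_program, e.g. /usr/bin/fuse-overlayfs
}

// parseStorageConf is a small line-based reader for the key = value lines
// shown in the issue. It is not a TOML parser (assumption: one top-level
// key per line, string values double-quoted).
func parseStorageConf(text string) StorageConfig {
	var cfg StorageConfig
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		eq := strings.Index(line, "=") // first '=' separates key from value
		if eq < 0 {
			continue
		}
		key := strings.TrimSpace(line[:eq])
		val := strings.TrimSpace(line[eq+1:])
		switch key {
		case "GraphDriverName":
			cfg.GraphDriverName = strings.Trim(val, `"`)
		case "GraphDriverOptions":
			// Value is a TOML array such as
			// ["overlay.mount_program=/usr/bin/fuse-overlayfs"]
			const prefix = "overlay.mount_program="
			for _, opt := range strings.Split(strings.Trim(val, "[]"), ",") {
				opt = strings.Trim(strings.TrimSpace(opt), `"`)
				if strings.HasPrefix(opt, prefix) {
					cfg.MountProgram = strings.TrimPrefix(opt, prefix)
				}
			}
		}
	}
	return cfg
}

// MountVisibility is the verdict for a given driver in a given mode.
type MountVisibility struct {
	HostVisible bool
	Reason      string
	Hint        string // how to reach the files when they are not host visible
}

// checkMountVisibility applies the rule from the fix commit: rootless plus a
// driver other than vfs means the merged directory is mounted inside the
// mount program's user+mount namespace and looks nearly empty from the host.
func checkMountVisibility(cfg StorageConfig, rootless bool) MountVisibility {
	if !rootless {
		return MountVisibility{HostVisible: true, Reason: "running as root: the mount happens in the host mount namespace"}
	}
	if cfg.GraphDriverName == "vfs" {
		return MountVisibility{HostVisible: true, Reason: "vfs driver: the container root is a plain directory tree"}
	}
	v := MountVisibility{
		HostVisible: false,
		Reason: fmt.Sprintf("rootless %s driver: the merged directory is only mounted inside the mount program's user+mount namespace",
			cfg.GraphDriverName),
	}
	if cfg.MountProgram != "" {
		// Same shape as the workaround shown in the thread.
		v.Hint = fmt.Sprintf("nsenter -m -U -t $(pgrep %s) ls <mount-path>", filepath.Base(cfg.MountProgram))
	}
	return v
}

// isRootless reports whether this process runs as an unprivileged user.
func isRootless() bool { return os.Geteuid() != 0 }

// sampleConf is the storage.conf content reported in the issue, embedded
// here as a constructed sample rather than read from ~/.config.
const sampleConf = `RunRoot = "/run/user/1000"
GraphRoot = "/home/tt/.local/share/containers/storage"
GraphDriverName = "overlay"
GraphDriverOptions = ["overlay.mount_program=/usr/bin/fuse-overlayfs"]
`

func main() {
	cfg := parseStorageConf(sampleConf)
	v := checkMountVisibility(cfg, isRootless())
	fmt.Printf("driver=%s mount_program=%s host_visible=%v\n%s\n",
		cfg.GraphDriverName, cfg.MountProgram, v.HostVisible, v.Reason)
	if v.Hint != "" {
		fmt.Println("hint:", v.Hint)
	}
}
```

Run as a normal user with the sample configuration and it reports host_visible=false with the nsenter hint; switch GraphDriverName to "vfs" (or run as root) and the verdict flips, which is exactly the distinction the commit turns into a hard refusal.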
