/dev/shm is mounted noexec by default #6034

Closed
dgl opened this issue Jul 7, 2022 · 7 comments
kind/bug Categorizes issue or PR as related to a bug. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale.

Comments

@dgl
Contributor

dgl commented Jul 7, 2022

What happened?

I'm running user workloads within a container, including an unmodified Chrome (103.0.5060.53, using the official package).

Chrome uses shared memory in /dev/shm to store JIT'd code which it then runs. Through the io.kubernetes.cri-o.ShmSize annotation I can make this large enough, however Chrome tabs sometimes crash with an error about SIGILL, particularly on JavaScript heavy pages.

I've tracked this down to /dev/shm being mounted noexec. If I mount it without that option things work (as this is using user namespaces I'm root in the container and can do that within the container, but it would be cleaner if cri-o did all this for me).

What did you expect to happen?

Per the spec at https://github.com/opencontainers/runc/blob/main/libcontainer/SPEC.md#filesystem /dev/shm is expected to be mounted noexec, but there are workloads this breaks.

Similarly to the ShmSize annotation I can imagine providing a ShmExec annotation to allow this kind of workload. I'd be happy to contribute something along those lines.

How can we reproduce it (as minimally and precisely as possible)?

$ kubectl run -it --rm --image=busybox busybox-shm
If you don't see a command prompt, try pressing enter.
/ # mount | grep /dev/shm
shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,size=65536k,inode64)

Notice noexec.

Anything else we need to know?

Some other background on this:

CRI-O and Kubernetes version

$ crio --version
crio version 1.25.0
Version:        1.25.0
GitCommit:      4102586132214263c5d0ae93ec257432653ab82b
GitCommitDate:  2022-07-01T01:23:08Z
GitTreeState:   dirty
BuildDate:      2022-07-01T02:51:20Z
$ kubectl --version
WARNING: This version information is deprecated and will be replaced with the output from kubectl version --short.  Use --output=yaml|json to get the full version.
Client Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.2", GitCommit:"f66044f4361b9f1f96f0053dd46cb7dce5e990a8", GitTreeState:"clean", BuildDate:"2022-06-15T14:22:29Z", GoVersion:"go1.18.3", Compiler:"gc", Platform:"linux/amd64"}

OS version

# On Linux:
$ cat /etc/os-release
PRETTY_NAME="Ubuntu 22.04 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04 (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy
$ uname -a
Linux xxx 5.15.0-39-generic #42-Ubuntu SMP Thu Jun 9 23:42:32 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

Additional environment details (AWS, VirtualBox, physical, etc.)

@dgl dgl added the kind/bug Categorizes issue or PR as related to a bug. label Jul 7, 2022
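As an added example, not code from CRI-O or from the reporter, the Go snippet below sketches how a per-pod opt-in like the one proposed above could be derived from pod annotations while keeping the runc default (nosuid,nodev,noexec), and parses the mount line from the repro to confirm whether noexec is set. The io.kubernetes.cri-o.ShmExec key is a hypothetical name assumed here; only io.kubernetes.cri-o.ShmSize is named in the issue.

```go
package main

import (
	"fmt"
	"strings"
)

const (
	ShmSizeAnnotation = "io.kubernetes.cri-o.ShmSize" // named in the issue
	ShmExecAnnotation = "io.kubernetes.cri-o.ShmExec" // hypothetical opt-in key
	defaultShmSize    = "65536k"                      // 64 MiB, as in the repro output
)

// ShmMountOptions derives tmpfs options for /dev/shm from pod annotations.
// The default matches the runc filesystem spec; noexec is dropped only on an
// explicit per-pod opt-in, so the hardened mount stays the norm.
func ShmMountOptions(annotations map[string]string) []string {
	opts := []string{"rw", "nosuid", "nodev"}
	if annotations[ShmExecAnnotation] != "true" {
		opts = append(opts, "noexec")
	}
	size := defaultShmSize
	if v := annotations[ShmSizeAnnotation]; v != "" {
		size = v
	}
	return append(opts, "size="+size)
}

// HasMountOption parses one line of `mount` output, e.g.
//   shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,size=65536k)
// and reports whether the given mount point carries the option. ok is false
// when the line does not describe that mount point.
func HasMountOption(line, mountPoint, option string) (found bool, ok bool) {
	fields := strings.Fields(line)
	if len(fields) < 6 || fields[1] != "on" || fields[2] != mountPoint {
		return false, false
	}
	for _, o := range strings.Split(strings.Trim(fields[5], "()"), ",") {
		if o == option {
			return true, true
		}
	}
	return false, true
}

func main() {
	line := "shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,size=65536k,inode64)"
	noexec, _ := HasMountOption(line, "/dev/shm", "noexec")
	fmt.Println("noexec on /dev/shm:", noexec)
	fmt.Println(strings.Join(ShmMountOptions(map[string]string{ShmExecAnnotation: "true"}), ","))
}
```

Running the audit half against `mount` output from a pod is a quick way to confirm which workloads actually run with an executable /dev/shm.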
@github-actions

github-actions bot commented Aug 7, 2022

A friendly reminder that this issue had no activity for 30 days.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Aug 7, 2022
@haircommander
Member

sorry for the late response, this fell through the cracks. I think such an annotation makes sense! I await your contribution :)

@hasan4791
Contributor

I could provide support here if needed.

@haircommander
Member

@dgl were you planning on fixing this or shall @hasan4791 take it over?

@hasan4791
Contributor

@dgl Did you check this doc? It's for 3.11, but it should work across any version.
https://docs.openshift.com/container-platform/3.11/dev_guide/shared_memory.html

root@hello-openshift:/# mount |grep shm
tmpfs on /dev/shm type tmpfs (rw,relatime,seclabel,size=28980500k)
root@hello-openshift:/# ls -l /dev/ | grep shm
drwxrwxrwt. 2 root root   40 Feb 15 06:46 shm
root@hello-openshift:/#

Here size defaults to the kernel behaviour, i.e. half of system memory, if not specified.

@github-actions github-actions bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Dec 13, 2023

A friendly reminder that this issue had no activity for 30 days.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 12, 2024

Closing this issue since it had no activity in the past 90 days.

@github-actions github-actions bot added the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Apr 12, 2024
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Apr 12, 2024
Development

No branches or pull requests

3 participants