Skip to content
This repository has been archived by the owner on Feb 8, 2021. It is now read-only.

readonly rootfs support #638

Merged
merged 5 commits into from
Jun 12, 2017
Merged

readonly rootfs support #638

merged 5 commits into from
Jun 12, 2017

Conversation

bergwolf
Copy link
Member

@bergwolf bergwolf commented May 31, 2017
edited
Loading

A new command line option --read-only is added to hyperctl run and hyperctl create to enable readonly rootfs support. A new field readonly is added to container spec to enable it as well.

Readonly rootfs is enforced in two ways:

  1. when specified, hyperstart will mount the container rootfs readonly
  2. when specified, qemu will hotplug the device readonly for block storage. For aufs and overlay, hyperd will mount the rootfs readonly so that they are shared to qemu readonly, even though the 9p share dir is writable.

Needs: hyperhq/hyperstart#314 hyperhq/runv#511
Fixes: #564

@feiskyer feiskyer mentioned this pull request Jun 5, 2017
Closed
@feiskyer
Copy link
Contributor

feiskyer commented Jun 8, 2017

@bergwolf Any updates on this?

@bergwolf
Copy link
Member Author

bergwolf commented Jun 8, 2017

The hyperstart part needs rebase.

@bergwolf bergwolf closed this Jun 8, 2017
@bergwolf bergwolf reopened this Jun 8, 2017
@bergwolf
Copy link
Member Author

bergwolf commented Jun 8, 2017

CI failures are because of readonly field parsing failure in hyperstart. We should merge hyperhq/hyperstart#314 first and re-trigger CI here.

@laijs laijs closed this Jun 9, 2017
@laijs laijs reopened this Jun 9, 2017
@bergwolf
update runv vendor
32ab02b 
Signed-off-by: Peng Tao <bergwolf@gmail.com>
@bergwolf
support readonly rootfs
bcaa43b 
ReadOnly option is added to container spec.

Signed-off-by: Peng Tao <bergwolf@gmail.com>
@bergwolf bergwolf force-pushed the rootfs-ro branch 2 times, most recently from b42fca2 to b6f3067 Compare June 10, 2017 04:32
@bergwolf
aufs/overlay: mount container rootfs readonly if required
6b8e564 
Mount rootfs readonly here so that even if user remount it rw inside
container, the rootfs is still readonly.

```
[hypervsock@~]$sudo hyperctl run -t --read-only busybox
/ # mount
share_dir on / type 9p (ro,sync,dirsync,relatime,trans=virtio)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
devtmpfs on /dev type devtmpfs (rw,nosuid,relatime,size=21984k,nr_inodes=5496,mode=755)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,relatime)
devpts on /dev/pts type devpts (rw,nosuid,relatime,mode=620,ptmxmode=666)
share_dir on /etc/hosts type 9p (rw,sync,dirsync,nodev,relatime,trans=virtio)
rootfs on /etc/hostname type rootfs (rw,size=21984k,nr_inodes=5496)
/ # mount / -o remount,rw
/ # mount
share_dir on / type 9p (rw,sync,dirsync,relatime,trans=virtio)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
devtmpfs on /dev type devtmpfs (rw,nosuid,relatime,size=21984k,nr_inodes=5496,mode=755)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,relatime)
devpts on /dev/pts type devpts (rw,nosuid,relatime,mode=620,ptmxmode=666)
share_dir on /etc/hosts type 9p (rw,sync,dirsync,nodev,relatime,trans=virtio)
rootfs on /etc/hostname type rootfs (rw,size=21984k,nr_inodes=5496)
/ # touch foo
touch: foo: Read-only file system
```

Signed-off-by: Peng Tao <bergwolf@gmail.com>
@bergwolf
add readonly rootfs ut
a9a291a 
Signed-off-by: Peng Tao <bergwolf@gmail.com>
@bergwolf
btrfs: mount container rootfs readonly if required
55fa349 
Signed-off-by: Peng Tao <bergwolf@gmail.com>
@laijs
Copy link
Contributor

laijs commented Jun 10, 2017

it seems that the ro-mount for btrfs driver is not included.

@bergwolf
Copy link
Member Author

hykins was running too slow (>40 mins) and timed out. retest this please @hykins

laijs
laijs reviewed Jun 11, 2017
View reviewed changes
daemon/storage.go
@@ -446,6 +446,12 @@ func (s *BtrfsStorage) PrepareContainer(containerId, sharedDir string, readonly
if err := syscall.Mount(btrfsRootfs, mountPoint, "bind", syscall.MS_BIND, ""); err != nil {
return nil, fmt.Errorf("failed to mount %s to %s: %v", btrfsRootfs, mountPoint, err)
}
if readonly {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

so there may be a security problem among these two mount operations. The early existing container can possible write to the roofs of this one.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

They are different subvolumes. It needs to break its own chroot sandbox to access another container's rootfs, no?

@laijs
Copy link
Contributor

laijs commented Jun 12, 2017

LGTM

@laijs laijs merged commit 7a07c71 into hyperhq:master Jun 12, 2017
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@laijs laijs laijs left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@bergwolf @feiskyer @laijs @purusothaman2502