create volume/fsmap mountpoints properly #271

bergwolf · 2017-03-06T11:59:53Z

If there is a symlink in the middle, resolve it as if we were in a chroot jail.

e.g., following pod file will fail to start without this PR, because nginx image has /var/run symlink pointing to /run. Fixes hyperhq/hyperd#521

{
        "containers" : [{
            "image": "nginx",
            "command": ["/bin/sh"],
            "user": {
                "name":"nobody"
            },
            "volumes": [{
                "volume": "tmp",
                "path": "/var/run/secrets/kubernetes.io/serviceaccount",
                "readOnly": false
             }]
        }],
        "resource": {
            "vcpu": 1,
            "memory": 256
        },
        "files": [],
        "volumes": [{
            "name": "tmp",
            "source": "/tmp",
            "format": "vfs"
        }],
        "tty": true
}

bergwolf · 2017-03-06T19:32:37Z

hykins failed with �Failed to mkfs the block:exec: "mkfs.xfs": executable file not found in $PATH:.

gnawux · 2017-03-07T00:02:53Z

@bergwolf will check the hykins config. jimmy has fixed this for hyperd

gnawux · 2017-03-07T01:27:28Z

I updated the jenkins configuration, could ask retest this please.

bergwolf · 2017-03-07T04:26:46Z

retest this please, @hykins

feiskyer · 2017-03-07T05:10:52Z

@bergwolf Confirmed this PR works properly. LGTM.

feiskyer · 2017-03-08T07:06:33Z

@bergwolf Any updates on this?

bergwolf · 2017-03-08T07:15:50Z

@feiskyer working on an updated version that handles symlinks in symlink targets.

bergwolf · 2017-03-08T14:09:48Z

updated to handle following additional cases:

symlinks in symlink file contents.
.. in path components in which case chroot jail is always valid.

For a container created with below Dockerfile:

FROM busybox
RUN mkdir /data; ln -s /etc/ /data/foo; ln -s ../../data/foo /etc/bar

Following pod file can still work:

{
        "containers" : [{
            "image": "bergwolf/test",
            "command": ["/bin/sh"],
            "user": {
                "name":"nobody"
            },
            "volumes": [{
                "volume": "tmp",
                "path": "/etc/bar/haha",
                "readOnly": false
             }]
        }],
        "resource": {
            "vcpu": 1,
            "memory": 256
        },
        "files": [],
        "volumes": [{
            "name": "tmp",
            "source": "/tmp",
            "format": "vfs"
        }],
        "tty": true
}

laijs · 2017-03-08T23:50:20Z

src/util.c

+		return NULL;
+	}
+
+	buf[len] = '\0';


need to check the case len==sizeof(buf)

If there is a symlink in the middle, resolve it as if we were in a chroot jail. At most 40 symlinks are allowed to follow before failing with ELOOP. Signed-off-by: Peng Tao <bergwolf@gmail.com>

bergwolf mentioned this pull request Mar 6, 2017

Volume not mounted into container hyperhq/hyperd#521

Closed

bergwolf force-pushed the symlink_mkdir branch 2 times, most recently from 7ea3d57 to 1c8393c Compare March 6, 2017 17:07

bergwolf force-pushed the symlink_mkdir branch from 1c8393c to ba2901c Compare March 7, 2017 03:22

bergwolf force-pushed the symlink_mkdir branch from ba2901c to fbf4633 Compare March 8, 2017 13:52

bergwolf force-pushed the symlink_mkdir branch from fbf4633 to 053b1a4 Compare March 8, 2017 17:37

laijs reviewed Mar 8, 2017

View reviewed changes

src/util.c Outdated

return NULL;

}

buf[len] = '\0';

Copy link

Contributor

laijs Mar 8, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

need to check the case len==sizeof(buf)

bergwolf force-pushed the symlink_mkdir branch 3 times, most recently from 59e5ef7 to e4dcdc1 Compare March 9, 2017 06:38

bergwolf closed this Mar 9, 2017

bergwolf reopened this Mar 9, 2017

create volume/fsmap mountpoints properly

a368dae

If there is a symlink in the middle, resolve it as if we were in a chroot jail. At most 40 symlinks are allowed to follow before failing with ELOOP. Signed-off-by: Peng Tao <bergwolf@gmail.com>

bergwolf force-pushed the symlink_mkdir branch from e4dcdc1 to a368dae Compare March 9, 2017 15:41

laijs merged commit 2175595 into hyperhq:master Mar 9, 2017

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

create volume/fsmap mountpoints properly #271

create volume/fsmap mountpoints properly #271

Uh oh!

bergwolf commented Mar 6, 2017

Uh oh!

bergwolf commented Mar 6, 2017

Uh oh!

gnawux commented Mar 7, 2017

Uh oh!

gnawux commented Mar 7, 2017

Uh oh!

bergwolf commented Mar 7, 2017

Uh oh!

feiskyer commented Mar 7, 2017

Uh oh!

feiskyer commented Mar 8, 2017

Uh oh!

bergwolf commented Mar 8, 2017

Uh oh!

bergwolf commented Mar 8, 2017

Uh oh!

laijs Mar 8, 2017

Uh oh!

Uh oh!

create volume/fsmap mountpoints properly #271

create volume/fsmap mountpoints properly #271

Uh oh!

Conversation

bergwolf commented Mar 6, 2017

Uh oh!

bergwolf commented Mar 6, 2017

Uh oh!

gnawux commented Mar 7, 2017

Uh oh!

gnawux commented Mar 7, 2017

Uh oh!

bergwolf commented Mar 7, 2017

Uh oh!

feiskyer commented Mar 7, 2017

Uh oh!

feiskyer commented Mar 8, 2017

Uh oh!

bergwolf commented Mar 8, 2017

Uh oh!

bergwolf commented Mar 8, 2017

Uh oh!

laijs Mar 8, 2017

Choose a reason for hiding this comment

Uh oh!

Uh oh!