readonly volume should be bind mounted readonly on the host #3042
So that we get protected at the VM boundary not just the guest kernel. Signed-off-by: Peng Tao <bergwolf@hyper.sh>
Thanks @bergwolf
Thanks for raising this @bergwolf - code works in my environment on 1.11.x and fixes the issue.
thanks @bergwolf - just one nit
bindmount remount events are not propagated through mount subtrees, so we have to remount the shared dir mountpoint directly.

E.g.,
```
mkdir -p source dest foo source/foo
mount -o bind --make-shared source dest
mount -o bind foo source/foo
echo bind mount rw
mount | grep foo
echo remount ro
mount -o remount,bind,ro source/foo
mount | grep foo
```
would result in:
```
bind mount rw
/dev/xvda1 on /home/ubuntu/source/foo type ext4 (rw,relatime,discard,data=ordered)
/dev/xvda1 on /home/ubuntu/dest/foo type ext4 (rw,relatime,discard,data=ordered)
remount ro
/dev/xvda1 on /home/ubuntu/source/foo type ext4 (ro,relatime,discard,data=ordered)
/dev/xvda1 on /home/ubuntu/dest/foo type ext4 (rw,relatime,discard,data=ordered)
```

The reason is that bind mount creates new mount structs and attaches them to different mount subtrees. However, MS_REMOUNT only looks for existing mount structs to modify and does not try to propagate the change to mount structs in other subtrees.

Fixes: kata-containers#3041

Signed-off-by: Peng Tao <bergwolf@hyper.sh>
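A host-side check for the condition this commit message describes, as an added example that is not part of the PR or of the Kata Containers code base: it reads text in `/proc/self/mountinfo` format and reports bind mounts of the same directory that are read-only at one mount point but still writable at another. The function name, the sample records and the `202:1` device number are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample in /proc/self/mountinfo format (mount IDs and device number
// are made up), modelling the state after `mount -o remount,bind,ro source/foo`.
const sampleMountinfo = `24 1 202:1 / / rw,relatime shared:1 - ext4 /dev/xvda1 rw,discard,data=ordered
90 24 202:1 /home/ubuntu/source /home/ubuntu/dest rw,relatime shared:1 - ext4 /dev/xvda1 rw,discard,data=ordered
91 24 202:1 /home/ubuntu/foo /home/ubuntu/source/foo ro,relatime shared:1 - ext4 /dev/xvda1 rw,discard,data=ordered
92 90 202:1 /home/ubuntu/foo /home/ubuntu/dest/foo rw,relatime shared:1 - ext4 /dev/xvda1 rw,discard,data=ordered
`

// writableAliases groups mounts by "major:minor root" (the same directory of the
// same filesystem) and returns, for each group that has a read-only mount, the
// mount points of that group that are still writable.
func writableAliases(mountinfo string) map[string][]string {
	hasRO, rw := map[string]bool{}, map[string][]string{}
	sc := bufio.NewScanner(strings.NewReader(mountinfo))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 7 {
			continue // not a mountinfo record
		}
		key := f[2] + " " + f[3]
		// f[5] holds the per-mount options, the ones a bind remount changes.
		if strings.Contains(","+f[5]+",", ",ro,") {
			hasRO[key] = true
		} else {
			rw[key] = append(rw[key], f[4])
		}
	}
	for key := range rw {
		if !hasRO[key] {
			delete(rw, key) // no read-only sibling, nothing to report
		}
	}
	return rw
}

func main() {
	for key, mps := range writableAliases(sampleMountinfo) {
		fmt.Printf("%s is read-only at one mount point but still writable at %v\n", key, mps)
	}
}
```

A directory that is deliberately mounted both read-only and read-write will also be reported, so each hit needs to be compared against the intended volume configuration.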
/test
Codecov Report
```
@@            Coverage Diff             @@
##           master    #3042      +/-   ##
==========================================
+ Coverage   50.23%   50.34%   +0.10%
==========================================
  Files         120      120
  Lines       15842    15844       +2
==========================================
+ Hits         7959     7976      +17
+ Misses       6799     6783      -16
- Partials     1084     1085       +1
```
@chavafg Is the
The job looks stable, only failing in this PR with blogbench metric going out over the limit with a percentage value of 110.7%.
I don't see how making volumes read-only could impact the metrics. I'll rerun the metrics CI to double check.
So that even if the guest is compromised, we still ensure that readonly volumes cannot be modified.
backport kata-containers/kata-containers#1062