This repository has been archived by the owner on May 12, 2021. It is now read-only.

Backports: Read-only mount fixes for 1.11 #3051

Merged
merged 2 commits into from Nov 10, 2020

Conversation

amshinde
Member

3f0e61c runtime: mount shared mountpoint readonly
228e6eb runtime: readonly mounts should be readonly bindmount on the host

So that we get protected at the VM boundary not just the guest kernel.

Signed-off-by: Peng Tao <bergwolf@hyper.sh>
(cherry picked from commit 509eb6f)
bindmount remount events are not propagated through mount subtrees,
so we have to remount the shared dir mountpoint directly.

E.g.,
```
mkdir -p source dest foo source/foo

mount -o bind --make-shared source dest

mount -o bind foo source/foo
echo bind mount rw
mount | grep foo
echo remount ro
mount -o remount,bind,ro source/foo
mount | grep foo
```
would result in:
```
bind mount rw
/dev/xvda1 on /home/ubuntu/source/foo type ext4 (rw,relatime,discard,data=ordered)
/dev/xvda1 on /home/ubuntu/dest/foo type ext4 (rw,relatime,discard,data=ordered)
remount ro
/dev/xvda1 on /home/ubuntu/source/foo type ext4 (ro,relatime,discard,data=ordered)
/dev/xvda1 on /home/ubuntu/dest/foo type ext4 (rw,relatime,discard,data=ordered)
```

The reason is that bind mount creates new mount structs and attaches them to different mount subtrees.
However, MS_REMOUNT only looks for existing mount structs to modify and does not try to propagate the
change to mount structs in other subtrees.

Fixes: kata-containers#3041
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
(cherry picked from commit 7739905)
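The commit message above points out that a `remount,bind,ro` on one mount instance leaves its propagated peers in other subtrees writable. A defender's way to confirm the fix actually holds is to check every instance of the bind mount, not just the one that was remounted. The following Go program is an added example (not part of this PR or of the kata-containers runtime): it parses the documented proc(5) `mountinfo` format, where the per-mount `ro` flag appears in the options field before the `-` separator, and reports every mount bound from a given source path that still lacks that flag. The `sampleMountInfo` lines are constructed to mirror the "remount ro" state shown in the commit message; the function and type names are the example's own.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// MountEntry holds the fields of one /proc/self/mountinfo line that matter
// when checking whether a read-only bind mount is read-only everywhere.
type MountEntry struct {
	ID         int
	ParentID   int
	Root       string   // field 4: path inside the filesystem the mount is bound from
	MountPoint string   // field 5: where the mount is attached
	Options    []string // field 6: per-mount-point flags; "ro" here is MNT_READONLY
	Optional   []string // propagation tags such as "shared:1" or "master:1"
	FSType     string
}

// ParseMountInfo parses text in the proc(5) mountinfo format. The per-mount
// flags in field 6 are what "mount -o remount,bind,ro" changes; the superblock
// options after the "-" separator are shared by every mount of that filesystem.
func ParseMountInfo(data string) ([]MountEntry, error) {
	var entries []MountEntry
	for n, line := range strings.Split(data, "\n") {
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue
		}
		sep := -1
		for i, f := range fields {
			if f == "-" {
				sep = i
				break
			}
		}
		if sep < 6 || sep+1 >= len(fields) {
			return nil, fmt.Errorf("line %d: malformed mountinfo entry", n+1)
		}
		id, err := strconv.Atoi(fields[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: bad mount id %q", n+1, fields[0])
		}
		parent, err := strconv.Atoi(fields[1])
		if err != nil {
			return nil, fmt.Errorf("line %d: bad parent id %q", n+1, fields[1])
		}
		entries = append(entries, MountEntry{
			ID:         id,
			ParentID:   parent,
			Root:       unescapePath(fields[3]),
			MountPoint: unescapePath(fields[4]),
			Options:    strings.Split(fields[5], ","),
			Optional:   fields[6:sep],
			FSType:     fields[sep+1],
		})
	}
	return entries, nil
}

// unescapePath reverses the octal escapes the kernel uses for whitespace and
// backslashes in mountinfo paths.
func unescapePath(s string) string {
	return strings.NewReplacer(`\040`, " ", `\011`, "\t", `\012`, "\n", `\134`, `\`).Replace(s)
}

// IsReadOnly reports whether the per-mount "ro" flag is set on this mount.
func (m MountEntry) IsReadOnly() bool {
	for _, o := range m.Options {
		if o == "ro" {
			return true
		}
	}
	return false
}

// WritableInstances returns the mount point of every mount bound from root
// (including copies the kernel created through shared-subtree propagation)
// that still lacks the per-mount "ro" flag. An empty result means the
// read-only restriction holds at every instance, not just the one remounted.
func WritableInstances(entries []MountEntry, root string) []string {
	var writable []string
	for _, m := range entries {
		if m.Root == root && !m.IsReadOnly() {
			writable = append(writable, m.MountPoint)
		}
	}
	return writable
}

// sampleMountInfo is constructed (not captured from a real host) to mirror
// the state after the "remount ro" step in the commit message: source/foo is
// ro, while its propagated peer under dest is still rw.
const sampleMountInfo = `25 1 202:1 / / rw,relatime shared:1 - ext4 /dev/xvda1 rw,discard,data=ordered
39 25 202:1 /home/ubuntu/source /home/ubuntu/dest rw,relatime shared:1 - ext4 /dev/xvda1 rw,discard,data=ordered
40 25 202:1 /home/ubuntu/foo /home/ubuntu/source/foo ro,relatime shared:1 - ext4 /dev/xvda1 rw,discard,data=ordered
41 39 202:1 /home/ubuntu/foo /home/ubuntu/dest/foo rw,relatime shared:1 - ext4 /dev/xvda1 rw,discard,data=ordered
`

func main() {
	entries, err := ParseMountInfo(sampleMountInfo)
	if err != nil {
		panic(err)
	}
	for _, mp := range WritableInstances(entries, "/home/ubuntu/foo") {
		fmt.Printf("still writable: %s\n", mp)
	}
}
```

On a real host, replace `sampleMountInfo` with the contents of `/proc/self/mountinfo` and pass the bind source path as `root`; after the fix in this PR the shared directory mountpoint itself is remounted, so the check should return nothing for the shared mounts. Matching on the `Root` field rather than on the mount point name is what catches peers that propagation attached under a different subtree.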
@amshinde amshinde added no-backport-needed Changed do not need to be applied to an older branch / repository no-forward-port-needed Changed do not need to be applied to a newer branch / repository labels Nov 10, 2020
@amshinde
Member Author

/test

Member

@fidencio fidencio left a comment


lgtm, thanks!

@codecov

codecov bot commented Nov 10, 2020

Codecov Report

Merging #3051 (3f0e61c) into stable-1.11 (dbc914a) will decrease coverage by 1.61%.
The diff coverage is 44.21%.

```
@@               Coverage Diff               @@
##           stable-1.11    #3051      +/-   ##
===============================================
- Coverage        50.43%   48.82%   -1.62%     
===============================================
  Files              118      118              
  Lines            17114    15352    -1762     
===============================================
- Hits              8631     7495    -1136     
+ Misses            7425     6815     -610     
+ Partials          1058     1042      -16     
```

@amshinde amshinde merged commit f779d5c into kata-containers:stable-1.11 Nov 10, 2020
16 of 20 checks passed
@amshinde amshinde deleted the my-stable-1.11 branch December 8, 2020 23:56