Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

--userns-remap causes shared mounts to also become slaves #36472

Open
gvessere opened this issue Mar 2, 2018 · 16 comments
Open

--userns-remap causes shared mounts to also become slaves #36472

gvessere opened this issue Mar 2, 2018 · 16 comments
Labels
area/security/userns

Comments

@gvessere
Copy link

gvessere commented Mar 2, 2018
edited
Loading

the --userns-remap option only mounts shared mounts using the slave option. if the daemon is started without the userns-remap option, the container mountpoint is not a slave

Steps to reproduce the issue:

  1. mkdir hostmount
  2. sudo mount --bind hostmount hostmount (edited 3/21)
  3. sudo mount --make-shared hostmount (edited 3/21)
  4. docker run -it --mount type=bind,source=hostmount,target=containermount,bind-propagation=shared ubuntu bash
  5. (inside container) findmnt -o PROPAGATION,TARGET

Describe the results you received:
...
shared,slave |-/containermount
...

Describe the results you expected:
...
shared |-/containermount
...

Additional information you deem important (e.g. issue happens only occasionally):

Output of docker version:

Client:
 Version:	18.02.0-ce
 API version:	1.36
 Go version:	go1.9.3
 Git commit:	fc4de44
 Built:	Wed Feb  7 21:16:33 2018
 OS/Arch:	linux/amd64
 Experimental:	false
 Orchestrator:	swarm

Server:
 Engine:
  Version:	18.02.0-ce
  API version:	1.36 (minimum version 1.12)
  Go version:	go1.9.3
  Git commit:	fc4de44
  Built:	Wed Feb  7 21:15:05 2018
  OS/Arch:	linux/amd64
  Experimental:	false

Output of docker info:

Containers: 50
 Running: 0
 Paused: 0
 Stopped: 50
Images: 2
Server Version: 18.02.0-ce
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 9b55aab90508bd389d7654c4baf173a981477d55
runc version: 9f9c96235cc97674e935002fc3d78361b696a69e
init version: 949e6fa
Security Options:
 apparmor
 seccomp
  Profile: default
 userns
Kernel Version: 4.4.0-1052-aws
Operating System: Ubuntu 16.04.3 LTS
OSType: linux
Architecture: x86_64
CPUs: 36
Total Memory: 58.97GiB
Name: ip-172-30-91-26
ID: BXCO:ZVDX:QSQR:5V6W:SQSW:SDMU:RXVC:KZNN:CGMZ:W3F5:LDHY:MDMS
Docker Root Dir: /var/lib/docker/231072.231072
Debug Mode (client): false
Debug Mode (server): false
Username: basespace
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

WARNING: No swap limit support

output of uname -a:

Linux ip-172-30-91-26 4.4.0-1052-aws #61-Ubuntu SMP Mon Feb 12 23:05:58 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
@gvessere gvessere changed the title --userns-remap and causes shared mounts to also become slaves --userns-remap causes shared mounts to also become slaves Mar 2, 2018
@thaJeztah
Copy link
Member

ping @kolyshkin @estesp PTAL

@kolyshkin
Copy link
Contributor

Quick look at the source code doesn't reveal how this might happen; I will play with it more tomorrow

@kolyshkin
Copy link
Contributor

@cpuguy83 maybe you have an idea?

@cpuguy83
Copy link
Member

Are you sure the host mount point is just shared as well? IIRC this should be due to how the parent mount is propagated.

@gvessere
Copy link
Author

step #3 in repro specifies the sharing status on the host folder:

  1. mount --make-shared hostmount

yet still the mountpoint is mounted as a slave in the container...

@cpuguy83
Copy link
Member

@gvessere What does /proc/$(pidof dockerd)/mountinfo say about the mount?
Note that depending on how the system is setup, dockerd may be in a difference namespace than the user running mount --make-shared.

@gvessere
Copy link
Author

I get the following:

ubuntu@ip-172-30-91-26:~$ cat /proc/85553/mountinfo | grep hostmount
347 24 202:1 /home/ubuntu/hostmount /home/ubuntu/hostmount rw,relatime shared:1 - ext4 /dev/xvda1 rw,discard,data=ordered

dockerd runs as root, and I did have to run the --makeshared command with sudo (corrected in my original repro steps)

@gvessere
Copy link
Author

@cpuguy83 my docker daemon runs as a "--userns-remap default" daemon. If I run the docker run command with host user namespace, things work as expected, the mountpoint is shared only and not also a slave:

docker run --userns=host -it --mount type=bind,source=hostmount,target=containermount,bind-propagation=shared ubuntu bash

so according to your statement, if the daemon and container are not running in the same user namespace then the mount point becomes a slave automatically, and this would be by design?

@fphammerle
Copy link

Any update on this?

I run dockerd with --userns-remap default.

host $ mkdir /tmp/outside && chmod a+rwx /tmp/outside
host $ docker run -it --rm -v /tmp/outside:/outside:shared --security-opt apparmor:unconfined --cap-add SYS_ADMIN alpine:3.9
container # mkdir /outside/source /outside/target
container # mount --bind /outside/source /outside/target
container # echo foo > /outside/source/bar
host $ cat /tmp/outside/source/bar
foo
host $ cat /tmp/outside/target/bar
/bin/cat: /tmp/outside/target/bar: No such file or directory

When adding --userns host I get:

host $ docker run -it --rm -v /tmp/outside:/outside:shared --security-opt apparmor:unconfined --cap-add SYS_ADMIN --userns host alpine:3.9
container # mount --bind /outside/source /outside/target
host $ cat /tmp/outside/target/bar
foo

kernel 4.15.0-46-generic 49-Ubuntu
docker 18.09.2

@fphammerle
Copy link 

$ systemctl show docker.service | grep -i mount
MountFlags=
MountAPIVFS=no

Setting MountFlags=shared did not make any difference.

@fphammerle
Copy link 

$ docker run --rm -v /tmp/outside:/outside:shared --userns host debian:stretch findmnt -o TARGET,PROPAGATION /outside
TARGET   PROPAGATION
/outside shared
$ docker run --rm -v /tmp/outside:/outside:shared debian:stretch findmnt -o TARGET,PROPAGATION /outside
TARGET   PROPAGATION
/outside shared,slave

Is this behavior intended?

@fphammerle
Copy link

@gvessere, did you maybe find a fix or workaround for this issue?

@Rid
Copy link
Contributor

Rid commented Oct 22, 2022

@cpuguy83 We're also hitting this issue trying to mount a directory as rshared inside a userns container, the mounts are always set as slaves. This is quite an old issue, should we assume this is a limitation of userns mode?

@cpuguy83
Copy link
Member

I personally see the same behavior regardless of userns mode and mounts propagating back to the host as expected even with shared,slave

@Rid
Copy link
Contributor

Rid commented Oct 31, 2022

@cpuguy83 Are you doing remap on the daemon or container level? I'm not sure if it makes a difference but we're doing the remap on the daemon.

@Rid
Copy link
Contributor

Rid commented Jan 23, 2023

@cpuguy83 Are you doing remap on the daemon or container level? I'm not sure if it makes a difference but we're doing the remap on the daemon.

@cpuguy83 would you be able to test the scenario with the userns-remap flag on the daemon?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/security/userns
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@cpuguy83 @gvessere @thaJeztah @Rid @kolyshkin @fphammerle