Skip to content

daemon/setMounts(): do not make /dev/shm ro#36526

Merged
yongtang merged 2 commits intomoby:masterfrom
kolyshkin:ipc-ro
Mar 10, 2018
Merged

daemon/setMounts(): do not make /dev/shm ro#36526
yongtang merged 2 commits intomoby:masterfrom
kolyshkin:ipc-ro

Conversation

@kolyshkin
Copy link
Copy Markdown
Contributor

@kolyshkin kolyshkin commented Mar 8, 2018
edited by thaJeztah
Loading

It has been pointed out that if --read-only flag is given, /dev/shm
also becomes read-only, and it does not make sense, especially for
the case of --ipc private (added in #34087).

It is still debatable whether it makes sense to have it read-only
for --ipc shareable|host|container:NNN, but let's follow the --tmpfs
logic here and do NOT make /dev/shm read-only for all the cases.

Fixes #36503

@tonistiigi
Copy link
Copy Markdown
Member

tonistiigi commented Mar 8, 2018

LGTM

@thaJeztah
Copy link
Copy Markdown
Member

thaJeztah commented Mar 8, 2018

Discussing in the maintainers meeting; looks ok to make this rw - this should probably be added to the test that was added in #28823

@kolyshkin
Copy link
Copy Markdown
Contributor Author

kolyshkin commented Mar 8, 2018

Need to add a test case similar to #28823 but for --ipc private. The difference in this case is mount comes from the OCI spec.

kolyshkin added 2 commits March 8, 2018 14:04
@kolyshkin
daemon/oci_linux_test: add TestIpcPrivateVsReadonly
33dd562 
The test case checks that in case of IpcMode: private and
ReadonlyRootfs: true (as in "docker run --ipc private --read-only")
the resulting /dev/shm mount is NOT made read-only.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
@kolyshkin
daemon/setMounts(): do not make /dev/shm ro
cad7405 
It has been pointed out that if --read-only flag is given, /dev/shm
also becomes read-only in case of --ipc private.

This happens because in this case the mount comes from OCI spec
(since commit 7120976), and is a regression caused by that
commit.

The meaning of --read-only flag is to only have a "main" container
filesystem read-only, not the auxiliary stuff (that includes /dev/shm,
other mounts and volumes, --tmpfs, /proc, /dev and so on).

So, let's make sure /dev/shm that comes from OCI spec is not made
read-only.

Fixes: 7120976 ("Implement none, private, and shareable ipc modes")

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
@codecov
Copy link
Copy Markdown

codecov Bot commented Mar 8, 2018
edited
Loading

Codecov Report

❗ No coverage uploaded for pull request base (master@0c01629). Click here to learn what that means.
The diff coverage is 100%.

@@            Coverage Diff            @@
##             master   #36526   +/-   ##
=========================================
  Coverage          ?   34.66%           
=========================================
  Files             ?      613           
  Lines             ?    45404           
  Branches          ?        0           
=========================================
  Hits              ?    15739           
  Misses            ?    27605           
  Partials          ?     2060

@kolyshkin
Copy link
Copy Markdown
Contributor Author

kolyshkin commented Mar 8, 2018

  • added a unit test (which is failing before the fixing commit and is passing after)
  • modified a commit message to reflect the latest findings about the meaning of --read-only

I am a bit concerned about this being a unit test, as I had to mimic the code flow of some actual code instead of calling it; but last time I tried adding an integration test it was strongly suggested that a unit test should be done instead, so I am following the suggestion here.

@kolyshkin
Copy link
Copy Markdown
Contributor Author

kolyshkin commented Mar 8, 2018

z failure (unrelated):

14:21:28 === RUN TestServiceWithPredefinedNetwork
14:21:41 --- FAIL: TestServiceWithPredefinedNetwork (12.32s)
14:21:41 daemon.go:283: [ded513e563058] waiting for daemon to start
14:21:41 daemon.go:315: [ded513e563058] daemon started
14:21:41 service_test.go:52: timeout hit after 10s: task count at 1 waiting for 0
14:21:41 daemon.go:273: [ded513e563058] exiting daemon
14:21:41 FAIL

@kolyshkin kolyshkin mentioned this pull request Mar 8, 2018
Closed
vdemeester
vdemeester approved these changes Mar 9, 2018
View reviewed changes
Copy link
Copy Markdown
Member

@vdemeester vdemeester left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 🐸

@thaJeztah
Copy link
Copy Markdown
Member

thaJeztah commented Mar 9, 2018

Opened #36547 for the flaky TestServiceWithPredefinedNetwork

@yongtang yongtang merged commit cda9089 into moby:master Mar 10, 2018
@thaJeztah thaJeztah mentioned this pull request Mar 12, 2018
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@AkihiroSuda AkihiroSuda AkihiroSuda approved these changes

+1 more reviewer

@vdemeester vdemeester vdemeester approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

status/4-merge

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@kolyshkin @tonistiigi @thaJeztah @vdemeester @AkihiroSuda @yongtang @GordonTheTurtle