[20.10 backport] rootless: bind mount: fix "operation not permitted" #42233

AkihiroSuda · 2021-04-01T09:46:19Z

Cherry-pick #42230

- What I did
Fix #42090

Fix the following issue

$ sudo mount -t tmpfs -o noexec none /tmp/foo
$ docker --context=rootless run -it --rm -v /tmp/foo:/mnt:ro alpine
docker: Error response from daemon: OCI runtime create failed: container_linux.go:367: starting container process caused: process_linux.go:520: container init caused: rootfs_linux.go:60: mounting "/tmp/foo" to rootfs at "/home/suda/.local/share/docker/overlay2/b8e7ea02f6ef51247f7f10c7fb26edbfb308d2af8a2c77915260408ed3b0a8ec/merged/mnt" caused: operation not permitted: unknown.

- How I did it

Call getUnprivilegedMountFlags(m.Source)

- How to verify it

$ sudo mount -t tmpfs -o noexec none /tmp/foo
$ docker --context=rootless run -it --rm -v /tmp/foo:/mnt:ro alpine

- Description for the changelog

rootless: bind mount: fix "operation not permitted"

- A picture of a cute animal (not mandatory but encouraged)
🐧

The following was failing previously, because `getUnprivilegedMountFlags()` was not called: ```console $ sudo mount -t tmpfs -o noexec none /tmp/foo $ $ docker --context=rootless run -it --rm -v /tmp/foo:/mnt:ro alpine docker: Error response from daemon: OCI runtime create failed: container_linux.go:367: starting container process caused: process_linux.go:520: container init caused: rootfs_linux.go:60: mounting "/tmp/foo" to rootfs at "/home/suda/.local/share/docker/overlay2/b8e7ea02f6ef51247f7f10c7fb26edbfb308d2af8a2c77915260408ed3b0a8ec/merged/mnt" caused: operation not permitted: unknown. ``` Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp> (cherry picked from commit 248f98e) Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

thaJeztah

LGTM

thaJeztah · 2021-04-01T12:04:57Z

Never seen this message (illegal wireType 7)

[2021-04-01T09:54:37.212Z] + docker build --force-rm --build-arg APT_MIRROR -t docker:e974cb638c384a45b5223f839d7c2bce7453f59c .
[2021-04-01T09:54:37.212Z] #2 [internal] load .dockerignore
[2021-04-01T09:54:37.212Z] #2 transferring context: 87B done
[2021-04-01T09:54:37.212Z] #2 DONE 0.0s
[2021-04-01T09:54:37.212Z] 
[2021-04-01T09:54:37.212Z] #1 [internal] load build definition from Dockerfile
[2021-04-01T09:54:37.212Z] #1 ERROR: proto: illegal wireType 7
[2021-04-01T09:54:37.212Z] ------
[2021-04-01T09:54:37.212Z]  > [internal] load build definition from Dockerfile:
[2021-04-01T09:54:37.212Z] ------
[2021-04-01T09:54:37.212Z] failed to solve with frontend dockerfile.v0: failed to resolve dockerfile: failed to build LLB: proto: illegal wireType 7

AkihiroSuda added area/rootless Rootless mode kind/bugfix PR's that fix bugs labels Apr 1, 2021

AkihiroSuda added this to the 20.10.6 milestone Apr 1, 2021

AkihiroSuda mentioned this pull request Apr 1, 2021

[20.10 backport] rootless: bind mount: fix "operation not permitted" #42234

Closed

tiborvass approved these changes Apr 1, 2021

View reviewed changes

thaJeztah approved these changes Apr 1, 2021

View reviewed changes

thaJeztah added the status/4-merge label Apr 1, 2021

tiborvass merged commit 88bd96d into moby:20.10 Apr 1, 2021

AkihiroSuda mentioned this pull request Apr 6, 2021

Can not use docker socket as read-only volume in rootless mode #40313

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[20.10 backport] rootless: bind mount: fix "operation not permitted" #42233

[20.10 backport] rootless: bind mount: fix "operation not permitted" #42233

AkihiroSuda commented Apr 1, 2021 •

edited by thaJeztah

thaJeztah left a comment

thaJeztah commented Apr 1, 2021

[20.10 backport] rootless: bind mount: fix "operation not permitted" #42233

[20.10 backport] rootless: bind mount: fix "operation not permitted" #42233

Conversation

AkihiroSuda commented Apr 1, 2021 • edited by thaJeztah

thaJeztah left a comment

Choose a reason for hiding this comment

thaJeztah commented Apr 1, 2021

AkihiroSuda commented Apr 1, 2021 •

edited by thaJeztah