
plugin: fix mounting /etc/hosts when running in UserNS #47558

Merged
merged 1 commit into from Mar 15, 2024

Conversation

@AkihiroSuda (Member) commented Mar 14, 2024

- What I did
Fix `error mounting "/etc/hosts" to rootfs at "/etc/hosts": mount /etc/hosts:/etc/hosts (via /proc/self/fd/6), flags: 0x5021: operation not permitted`.

This error was introduced in 7d08d84 (dockerd-rootless.sh: set rootlesskit --state-dir=DIR) that changed the filesystem of the state dir from /tmp to /run (in a typical setup).

Fixes #47248

- How I did it

Applied `mountsopts.FixUpOCI`

- How to verify it

`docker plugin install ghcr.io/ibm/docker-logdna:1.0.1`

- Description for the changelog

plugin: fix mounting /etc/hosts when running in UserNS

- A picture of a cute animal (not mandatory but encouraged)

🐧

@thaJeztah (Member)

Curious; what's different about the new location that's used; is it a permissions issue, and in that case, should we just fail to start, asking the user to fix the permissions for the $XDG_RUNTIME_DIR/dockerd-rootless directory?

@AkihiroSuda (Member, Author)

> Curious; what's different about the new location that's used; is it a permissions issue, and in that case, should we just fail to start, asking the user to fix the permissions for the $XDG_RUNTIME_DIR/dockerd-rootless directory?

No, this is not a permission issue.

moby/daemon/oci_linux.go, lines 448 to 499 in ff05850:

```go
// Get the set of mount flags that are set on the mount that contains the given
// path and are locked by CL_UNPRIVILEGED. This is necessary to ensure that
// bind-mounting "with options" will not fail with user namespaces, due to
// kernel restrictions that require user namespace mounts to preserve
// CL_UNPRIVILEGED locked flags.
func getUnprivilegedMountFlags(path string) ([]string, error) {
	var statfs unix.Statfs_t
	if err := unix.Statfs(path, &statfs); err != nil {
		return nil, err
	}
	// The set of keys come from https://github.com/torvalds/linux/blob/v4.13/fs/namespace.c#L1034-L1048.
	unprivilegedFlags := map[uint64]string{
		unix.MS_RDONLY:     "ro",
		unix.MS_NODEV:      "nodev",
		unix.MS_NOEXEC:     "noexec",
		unix.MS_NOSUID:     "nosuid",
		unix.MS_NOATIME:    "noatime",
		unix.MS_RELATIME:   "relatime",
		unix.MS_NODIRATIME: "nodiratime",
	}
	var flags []string
	for mask, flag := range unprivilegedFlags {
		if uint64(statfs.Flags)&mask == mask {
			flags = append(flags, flag)
		}
	}
	return flags, nil
}

var (
	mountPropagationMap = map[string]int{
		"private":  mount.PRIVATE,
		"rprivate": mount.RPRIVATE,
		"shared":   mount.SHARED,
		"rshared":  mount.RSHARED,
		"slave":    mount.SLAVE,
		"rslave":   mount.RSLAVE,
	}
	mountPropagationReverseMap = map[int]string{
		mount.PRIVATE:  "private",
		mount.RPRIVATE: "rprivate",
		mount.SHARED:   "shared",
		mount.RSHARED:  "rshared",
		mount.SLAVE:    "slave",
		mount.RSLAVE:   "rslave",
	}
)
```
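The locked-flag rule that the excerpt above relies on, worked through on constructed input as an added Go example (not moby's own code): `missingLocked` shows which locked bits of a nosuid,nodev,noexec `/run` the failing `0x5021` call would clear, and `fixUpOptions` shows the bind options after the fix-up that `FixUpOCI` performs. Flag values are the Linux `MS_*` constants; the `/run` flags and the function names are assumptions for this example.

```go
package main

import "fmt"

// Mount flag bits as defined by the Linux kernel (<linux/mount.h>).
const (
	msRdonly, msNosuid, msNodev, msNoexec uint64 = 0x1, 0x2, 0x4, 0x8
	msNoatime, msNodiratime, msRelatime   uint64 = 0x400, 0x800, 0x200000
)

// lockedFlags are the bits the kernel locks (CL_UNPRIVILEGED) on mounts inherited by a
// user namespace; a remount that clears one fails with EPERM. Same set/order as oci_linux.go.
var lockedFlags = []struct{ mask uint64; opt string }{
	{msRdonly, "ro"}, {msNodev, "nodev"}, {msNoexec, "noexec"}, {msNosuid, "nosuid"},
	{msNoatime, "noatime"}, {msRelatime, "relatime"}, {msNodiratime, "nodiratime"},
}

// missingLocked returns the locked flags set on the source mount (srcFlags) that the
// requested mount(2) flags would clear; for 0x5021 (MS_REC|MS_BIND|MS_REMOUNT|MS_RDONLY) that is the EPERM cause.
func missingLocked(srcFlags, requested uint64) []string {
	var out []string
	for _, f := range lockedFlags {
		if srcFlags&f.mask == f.mask && requested&f.mask == 0 {
			out = append(out, f.opt)
		}
	}
	return out
}

// fixUpOptions appends every locked flag of the source mount to the bind options,
// the fix-up that FixUpOCI applies to the plugin's /etc/hosts mount.
func fixUpOptions(srcFlags uint64, opts []string) []string {
	have := map[string]bool{}
	for _, o := range opts {
		have[o] = true
	}
	out := append([]string(nil), opts...)
	for _, f := range lockedFlags {
		if srcFlags&f.mask == f.mask && !have[f.opt] {
			out = append(out, f.opt)
		}
	}
	return out
}

func main() {
	runFlags := msNosuid | msNodev | msNoexec // constructed: a typical tmpfs /run
	fmt.Println(missingLocked(runFlags, 0x5021))                // [nodev noexec nosuid]
	fmt.Println(fixUpOptions(runFlags, []string{"bind", "ro"})) // [bind ro nodev noexec nosuid]
}
```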

Fix `error mounting "/etc/hosts" to rootfs at "/etc/hosts": mount
/etc/hosts:/etc/hosts (via /proc/self/fd/6), flags: 0x5021: operation
not permitted`.

This error was introduced in 7d08d84
(`dockerd-rootless.sh: set rootlesskit --state-dir=DIR`) that changed
the filesystem of the state dir from /tmp to /run (in a typical setup).

Fix issue 47248

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
@thaJeztah (Member) left a comment

LGTM

@neersighted PTAL

Successfully merging this pull request may close these issues.

v25 Regression: Docker-Rootless Fails to Enable Plugins
4 participants