Skip to content

Use chroot over pivot_root #23

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jan 9, 2021
Merged

Use chroot over pivot_root #23

merged 1 commit into from
Jan 9, 2021

Conversation

jD91mZM2
Copy link
Member

@jD91mZM2 jD91mZM2 commented Jan 9, 2021

We only used pivot_root in order to temporarily bind /nix to the host and lift in different files. Now, we instead bind everything beforehand and finally do a simple chroot.

As discussed in #22, I kept the container.sh script.

You suggested only using the CLONE_NEWUSER flag in case uid != 0, however, that did not work for me. For me, that seemed to not clone the namespace at all (I know, right, wtf?) because mount listed the temporary directories we created. I got me a real scare when I realised that tempdir would probably try to remove the files recursively, although I rebooted and my system doesn't appear to be harmed.

Thus, this PR does not tackle the issue you perceived when the user was root. Sorry.

Mic92
Mic92 reviewed Jan 9, 2021
View reviewed changes
Mic92
Mic92 reviewed Jan 9, 2021
View reviewed changes
@jD91mZM2 jD91mZM2 force-pushed the use-chroot branch 3 times, most recently from 9c0a864 to e21605e Compare January 9, 2021 12:05
@Mic92
Copy link
Member

Mic92 commented Jan 9, 2021

I mean only using CloneFlags::CLONE_NEWNS instead of CLONE_USER. Also if the tempdir is only deleted by the process not in the chroot than it would not see the bind mounts when cleanup up everything.

@jD91mZM2
Copy link
Member Author

jD91mZM2 commented Jan 9, 2021
edited
Loading

I was unclear, I meant "only" CLONE_NEWUSER when X as if "only in this condition". Of course CLONE_NEWNS should always be used, which is why it's so strange and scary honestly that the binds seemed to show up anyway when running mount to list all mounts

Mic92
Mic92 reviewed Jan 9, 2021
View reviewed changes
@Mic92
Copy link
Member

Mic92 commented Jan 9, 2021

At least with docker I get:

root@cdcb9eb19dc3:/app# run bash
    Finished dev [unoptimized + debuginfo] target(s) in 0.01s
     Running `target/debug/nix-user-chroot .nix bash`
thread 'main' panicked at 'unshare failed: Sys(EPERM)', src/main.rs:108:70
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
thread 'main' panicked at 'failed to remove temporary directory: /tmp/.tmpL9ifcs', src/main.rs:186:21
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

adding --privileged makes it work.

Mic92
Mic92 reviewed Jan 9, 2021
View reviewed changes
@jD91mZM2 jD91mZM2 force-pushed the use-chroot branch 2 times, most recently from b0b7047 to 5b6278a Compare January 9, 2021 13:40
@jD91mZM2 @Mic92
Use chroot over pivot_root
6288562 
We only used pivot_root in order to temporarily bind /nix to the host
and lift in different files. Now, we instead bind everything beforehand
and finally do a simple chroot.

Co-authored-by: Jörg Thalheim <Mic92@users.noreply.github.com>
@Mic92 Mic92 merged commit a54db22 into nix-community:master Jan 9, 2021
@jD91mZM2
Copy link
Member Author

jD91mZM2 commented Jan 9, 2021

Yay, thanks 😄

@jD91mZM2 jD91mZM2 deleted the use-chroot branch January 9, 2021 14:52
@Mic92 Mic92 mentioned this pull request Jan 10, 2021
Closed
@deliciouslytyped deliciouslytyped mentioned this pull request Sep 7, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Mic92 Mic92 Mic92 left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jD91mZM2 @Mic92