root.readOnly: true does not work on filesystems mounted with nodev or nosuid #1247
Comments
|
@justincormack just changed the code to be the way it is today (#1222) , because |
|
We saw similar issue when trying to bind mount a directory which is a mount. We can read the existing mount options and pass them on remount. I am working on a fix for it. |
|
Hmm, I don't think you need to read the existing mount options, it should be possibly to do a bind again if this fails and then remount read only. Will take a look at this case. Hmm, maybe we do need to read them... |
|
We are now seeing this issue in testing and running a locked down crio instance. |
|
Few findings related to this while working with crio:
|
|
It should be noted that currently LXC sets all of the filesystems to be readonly (except |
|
@brauner is working on the kernel-side fix for recursive read-only mount moby/moby#37838 |
|
Right, I know. I talked to him about it a while ago (he's currently busy with a few other projects though). |
|
My understanding of MS_REC is ONLY for setting the way "sharing" is handled. No other mount options are handled with it. SHARED,RSHARED, PRIVATE,RPRIVATE, SLAVE, RSLAVE. |
|
|
|
Right but it only sets the propogation on bind-mounts not the read-only option. |
|
I think we're talking past each other -- You're quite right that |
|
Yes, I guess we are in agreement. I have failed at least twice making this assumption, and have had to jump through hoops to get the ro bindmount to work in code. Podman has a hacky version to bind mount the cgroup hierarchy read/only into a container |
This is a workaround for the runc issue: opencontainers/runc#1247 If the source of a bind mount has any of nosuid, noexec or nodev, be sure to propagate them to the bind mount so that when runc tries to remount using MS_RDONLY, these options are also used. Closes: containers#2312 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
This is a workaround for the runc issue: opencontainers/runc#1247 If the source of a bind mount has any of nosuid, noexec or nodev, be sure to propagate them to the bind mount so that when runc tries to remount using MS_RDONLY, these options are also used. Closes: containers#2312 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
This is a workaround for the runc issue: opencontainers/runc#1247 If the source of a bind mount has any of nosuid, noexec or nodev, be sure to propagate them to the bind mount so that when runc tries to remount using MS_RDONLY, these options are also used. Closes: containers#2312 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
This is a workaround for the runc issue: opencontainers/runc#1247 If the source of a bind mount has any of nosuid, noexec or nodev, be sure to propagate them to the bind mount so that when runc tries to remount using MS_RDONLY, these options are also used. Closes: containers#2312 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
I'm using runc 1.0.0_rc2 on Linux 4.7.10 with grsecurity. Say I have a container rootfs mounted like so:
rpool/srv/test/rootfs-1 on /srv/test/rootfs type zfs (rw,nosuid,nodev,noatime,xattr,noacl)I have in my /srv/test/config.json:
"root": { "path": "rootfs", "readonly": true }When I run
runc run -b /srv/test test, I getcontainer_linux.go:247: starting container process caused "process_linux.go:359: container init caused \"rootfs_linux.go:110: setting rootfs as readonly caused \\\"operation not permitted\\\"\""strace tells me the failing mount call is
mount("/", "/", 0xc4200da900, MS_RDONLY|MS_REMOUNT|MS_BIND|MS_REC, NULL) = -1 EPERMThis looks to be from setReadonly() manually specifying the mount flags and not respecting existing ones.
If I remount the rootfs like so:
host0/srv/test/rootfs-1 on /srv/test/rootfs type zfs (rw,noatime,xattr,noacl)starting the container succeeds.
This can be fixed by changing setReadonly() to also pass MS_NODEV/MS_NOEXEC/MS_NOSUID to mount() if they are already present in the mount options.
The text was updated successfully, but these errors were encountered: