libctr/init_linux: reorder chdir #2685
Conversation
I see there was some discussion around the original change in #2086 (comment) as well
this doesn't seem related. can someone retrigger the tests? also, PTAL @kolyshkin @mrunalp @AkihiroSuda
been running into that as well; /cc @cyphar
Proposed CI fix is in #2686. Once merged, you'll need to rebase to fix CI.
0f1cd71 to bab8130
rebased, thanks @kolyshkin
bab8130 to 322aaf3
@haircommander this seems like a regression. Can we have a test case?
I am having trouble writing a test (I personally have not created a situation where this bug comes up, only had it come up in someone else's node in a pretty specific scenario). I'll keep trying, but ideally we could go forward with this without it for now
ok the test is written--it's not pretty but it exists. PTAL @kolyshkin
5a10c94 to 9227aa5
CI is failing on rootless tests
Maybe
3c8925e to 52bb075
commit 5e0e67d moved the chdir to be one of the first steps of finalizing the namespace of the container.
However, this causes issues when the cwd is not accessible by the user running runc, but rather as the container user.
Thus, setupUser has to happen before we call chdir. setupUser still happens before setting the caps, so the user should be privileged enough to mitigate the issues fixed in 5e0e67d

Signed-off-by: Peter Hunt <pehunt@redhat.com>
52bb075 to 9059d0d
CI went south :(
# This test must be particular with how it's run. The user that runs it must have the privileges
# to chown a directory it creates away from itself, but not have CAP_DAC_OVERRIDE to override
# the fact it was chowned away. However, it must also be able to clean up.
# Thus, this test must be skipped if the UID running the test is root, or the user doesn't have sudo privileges.
I don't quite get it. Can this test be run as root, and then drop the privs to a non-root user when it needs to?
Asking because the way it is right now, our CI never runs it.
unfortunately, I wasn't able to figure out how to run the test as a non privileged user
Also related: containerd/containerd#4669
Carrying this over in #2712
commit 5e0e67d moved the chdir to be one of the
first steps of finalizing the namespace of the container.
However, this causes issues when the cwd is not accessible by the user running runc, but rather
as the container user.
Thus, setupUser has to happen before we call chdir. setupUser still happens before setting the caps,
so the user should be privileged enough to mitigate the issues fixed in 5e0e67d (I've tested it on my machine, so I believe it does not regress)
Signed-off-by: Peter Hunt <pehunt@redhat.com>
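To make the ordering argument in the commit message concrete, the following Go program is an added model, not runc's code, of the permission check chdir(2) faces at each step of finalizing the namespace. The step names (Chdir, SetupUser, ApplyCaps), the Identity/Dir types and the sample uids are constructed for illustration; the only thing taken from the PR is the ordering of the three steps before and after the change. It encodes the kernel's discretionary access rule (owner, group, other, with CAP_DAC_OVERRIDE as a bypass) and shows which credentials are in effect when chdir runs under each ordering, including why a root runner with CAP_DAC_OVERRIDE never hits the bug, which is why the test above has to skip when run as root.

```go
package main

import (
	"errors"
	"fmt"
)

// Identity is a simplified model (constructed for this example) of the
// credentials the container init process holds at a given step.
type Identity struct {
	UID, GID       uint32
	Groups         []uint32 // supplementary groups
	CapDacOverride bool     // CAP_DAC_OVERRIDE present in the effective set
}

// Dir models the ownership and mode bits of the container's cwd on the host.
type Dir struct {
	OwnerUID, OwnerGID uint32
	Mode               uint32 // permission bits, e.g. 0700
}

// canSearch applies the discretionary access check chdir(2) performs: the
// caller needs search (x) permission from the owner, group or other class,
// unless it holds CAP_DAC_OVERRIDE, which bypasses the check entirely.
func canSearch(id Identity, d Dir) bool {
	if id.CapDacOverride {
		return true
	}
	var class uint32
	switch {
	case id.UID == d.OwnerUID:
		class = d.Mode >> 6
	case id.GID == d.OwnerGID || inGroups(id.Groups, d.OwnerGID):
		class = d.Mode >> 3
	default:
		class = d.Mode
	}
	return class&01 != 0
}

func inGroups(groups []uint32, gid uint32) bool {
	for _, g := range groups {
		if g == gid {
			return true
		}
	}
	return false
}

// Step names the three operations whose order the PR changes (hypothetical
// names, not runc's function names).
type Step int

const (
	Chdir     Step = iota // chdir(cwd)
	SetupUser             // switch uid/gid/groups to the container user
	ApplyCaps             // reduce the capability set to the container's
)

var ErrChdirDenied = errors.New("chdir: permission denied")

// Simulate walks the steps in order, starting from the identity of whoever
// runs runc, and reports whether chdir succeeds. It also returns the identity
// that was in effect when chdir ran, i.e. the one the kernel actually checked.
func Simulate(order []Step, runner, containerUser Identity, cwd Dir) (Identity, error) {
	cur := runner
	var atChdir Identity
	for _, s := range order {
		switch s {
		case Chdir:
			atChdir = cur
			if !canSearch(cur, cwd) {
				return atChdir, ErrChdirDenied
			}
		case SetupUser:
			// Credentials change, but capabilities are untouched until ApplyCaps,
			// matching the commit message: setupUser runs before the caps are set.
			cur = Identity{UID: containerUser.UID, GID: containerUser.GID,
				Groups: containerUser.Groups, CapDacOverride: cur.CapDacOverride}
		case ApplyCaps:
			cur.CapDacOverride = containerUser.CapDacOverride
		}
	}
	return atChdir, nil
}

// OrderBefore is the ordering introduced by 5e0e67d; OrderAfter is this PR's.
var (
	OrderBefore = []Step{Chdir, SetupUser, ApplyCaps}
	OrderAfter  = []Step{SetupUser, Chdir, ApplyCaps}
)

func main() {
	// Constructed scenario: runc runs as an unprivileged user without
	// CAP_DAC_OVERRIDE, and cwd is 0700 and owned by the container user.
	runner := Identity{UID: 1000, GID: 1000}
	containerUser := Identity{UID: 1001, GID: 1001}
	cwd := Dir{OwnerUID: 1001, OwnerGID: 1001, Mode: 0700}
	for _, c := range []struct {
		name  string
		order []Step
	}{{"before", OrderBefore}, {"after", OrderAfter}} {
		id, err := Simulate(c.order, runner, containerUser, cwd)
		fmt.Printf("%-6s chdir checked as uid %d: err=%v\n", c.name, id.UID, err)
	}
}
```

Running it prints that the pre-PR order checks chdir as uid 1000 and is denied, while the PR's order checks it as uid 1001 and succeeds; swapping the runner for root with CapDacOverride set makes both orders succeed, which is the CI blind spot discussed in the review thread.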