libctr/init_linux: reorder chdir #2685
Conversation
|
I see there was some discussion around the original change in #2086 (comment) as well |
this doesn't seem related. can someon retrigger the tests? also, PTAL @kolyshkin @mrunalp @AkihiroSuda |
|
been running into that as well; /cc @cyphar |
|
Proposed CI fix is in #2686. Once merged, you'll need to rebase to fix CI. |
haircommander
force-pushed
the
fix-chdir
branch
from
0f1cd71
to
bab8130
Compare
|
rebased, thanks @kolyshkin |
haircommander
force-pushed
the
fix-chdir
branch
from
bab8130
to
322aaf3
Compare
|
@haircommander this seems like a regression. Can we have a test case? |
|
I am having trouble writing a test (I personally have not created a situation where this bug comes up, only had it come up in someone else's node in a pretty specific scenario). I'll keep trying, but ideally we could go forward with this without it for now |
|
ok the test is written--it's not pretty but it exists. PTAL @kolyshkin |
haircommander
force-pushed
the
fix-chdir
branch
from
5a10c94
to
9227aa5
Compare
|
CI is failing on rootless tests Maybe |
haircommander
force-pushed
the
fix-chdir
branch
4 times, most recently
from
3c8925e
to
52bb075
Compare
commit 5e0e67d moved the chdir to be one of the first steps of finalizing the namespace of the container. However, this causes issues when the cwd is not accessible by the user running runc, but rather as the container user. Thus, setupUser has to happen before we call chdir. setupUser still happens before setting the caps, so the user should be privileged enough to mitigate the issues fixed in 5e0e67d Signed-off-by: Peter Hunt <pehunt@redhat.com>
Signed-off-by: Peter Hunt <pehunt@redhat.com>
haircommander
force-pushed
the
fix-chdir
branch
from
52bb075
to
9059d0d
Compare
|
CI went south :(
|
| # This test must be particular with how it's run. The user that runs it must have the privileges | ||
| # to chown a directory it creates away from itself, but not have CAP_DAC_OVERRIDE to override | ||
| # the fact it was chowned away. However, it must also be able to clean up. | ||
| # Thus, this test must be skipped if the UID running the test is root, or the user doesn't have sudo privileges. |
There was a problem hiding this comment.
I don't quite get it. Can this test be run as root, and then drop the privs to a non-root user when it needs to?
Asking because the way it is right now, our CI never runs it.
There was a problem hiding this comment.
unfortunately, I wasn't able to figure out how to run the test as a non privileged user
|
Also related: containerd/containerd#4669 |
|
Carrying this over in #2712 |
commit 5e0e67d moved the chdir to be one of the
first steps of finalizing the namespace of the container.
However, this causes issues when the cwd is not accessible by the user running runc, but rather
as the container user.
Thus, setupUser has to happen before we call chdir. setupUser still happens before setting the caps,
so the user should be privileged enough to mitigate the issues fixed in 5e0e67d (I've tested it on my machine, so I believe it does not regress)
Signed-off-by: Peter Hunt pehunt@redhat.com