Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use user namespaces! #12

Merged
merged 6 commits into from
Jun 27, 2014
Merged

Use user namespaces! #12

merged 6 commits into from
Jun 27, 2014

Conversation

amluto
Copy link
Contributor

@amluto amluto commented Apr 26, 2014

This is a draft of user namespace support. --uid, --gid, and setuid root support are gone!

The sequence of events looks like:

unshare(CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWUSER|CLONE_NEWPID) = 0
mount("none", "/", NULL, MS_REC|MS_PRIVATE, NULL) = 0
mount("/mnt/test", "/tmp/sandstorm-grain", NULL, MS_BIND, NULL) = 0
mount("/mnt/test", "/tmp/sandstorm-grain", NULL, MS_RDONLY|MS_NOSUID|MS_NODEV|MS_REMOUNT|MS_NOATIME|MS_BIND, NULL) = 0
chdir("/tmp/sandstorm-grain")           = 0
mount("sandstorm-tmp", "tmp", "tmpfs", MS_NOSUID|MS_NOEXEC|MS_NOATIME, "size=16m,nr_inodes=4k,mode=770") = 0
mount("sandstorm-dev", "dev", "tmpfs", MS_NOSUID|MS_NOEXEC|MS_NOATIME, "size=1m,nr_inodes=16,mode=755") = 0
mount("/dev/null", "dev/null", NULL, MS_BIND, NULL) = 0
mount("/dev/zero", "dev/zero", NULL, MS_BIND, NULL) = 0
mount("/dev/random", "dev/random", NULL, MS_BIND, NULL) = 0
mount("/dev/urandom", "dev/urandom", NULL, MS_BIND, NULL) = 0
mount("dev", "dev", NULL, MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_REMOUNT|MS_NOATIME|MS_BIND, NULL) = 0
mount("/var/sandstorm/grains/rootgrain/sandbox", "var", NULL, MS_BIND, NULL) = 0
mount("/var/sandstorm/grains/rootgrain/sandbox", "var", NULL, MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_REMOUNT|MS_NOATIME|MS_BIND, NULL) = 0
mount("/proc", "proc", NULL, MS_BIND, NULL) = 0
mount("/var/sandstorm/grains/rootgrain", "usr", NULL, MS_BIND, NULL) = 0
mount("/var/sandstorm/grains/rootgrain", "usr", NULL, MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_REMOUNT|MS_NOATIME|MS_BIND, NULL) = 0
pivot_root(".", "usr/sandbox")          = 0
chdir("/usr")                           = 0
umount("sandbox", MNT_DETACH)           = 0
umount("/usr", MNT_DETACH)              = 0
** SANDSTORM SUPERVISOR: Starting up grain.
Process 28771 attached
[pid 28771] chdir("/")                  = 0
[pid 28771] unshare(CLONE_NEWNET)       = 0
[pid 28771] mount("proc", "usr", NULL, MS_MOVE, NULL) = 0
[pid 28771] mount("proc", "proc", "proc", MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL) = 0
[pid 28771] umount("usr", MNT_DETACH)   = 0

@amluto
Use user namespaces
cdae1fb 
On new enough kernels, sandbox-supervisor now works without being
setuid root.  I know of two regressions:

 * --proc is broken when user namespaces are used.  Fixing this is possible
   but tricky.

 * Running sandbox-supervisor as root with user namespaces fails.  This
   happens because, once root has entered the namespace, it has insufficient
   privilege to map anyone else into the namespace.  This should be
   straightforward to fix.
@amluto
sandbox-supervisor: Remove non-userns support and all uid and gid code
1d0378a 
This now requires CONFIG_USER_NAMESPACE.  It is no longer safe to install
setuid root.  It is probably unwise to run it as root.  The code
simplification should be worth it.
@amluto
sandstorm-supervisor: Fix --proc
fbd84d3
@amluto
Copy link
Contributor Author

amluto commented Apr 28, 2014

It occurs to me that this might allow sandstorm to run inside Docker.

@kentonv
Copy link
Member

kentonv commented Apr 29, 2014

This is awesome and I'm excited to merge it.

Currently, it looks like AWS and GCE both default to kernel 3.10 and don't provide any particularly easy way to upgrade (you can compile your own kernel, but that's not exactly turnkey). I see that 3.12 is being dubbed a long-term release as well, so there's at least some chance they'll switch over, but I have no idea how to determine if/when this might actually happen.

It would be pretty sad if people couldn't easily run instances on AWS/GCE, but maybe supporting Docker better would be worth it. Maybe we just need to provide decent instructions for updating the kernel on these targets.

Thoughts?

@amluto
Merge remote-tracking branch 'amluto/userns'
a6d867f 
Conflicts:
	src/sandstorm/supervisor-main.c++
@amluto
supervisor: With --proc, bind-mount procfs recursively
c83643c 
This is useful: it makes /proc more useful inside the container.  It
also works around a kernel bug that was introduced by Linux commit
e51db73532955dc5eaba4235e62b74b460709d5b and fixed in
41301ae78a99ead04ea42672a1ab72c6f44cc81d.
@amluto
supervisor: Stop relying on /usr existing for the --proc shuffle
a873bfa 
We can use "/".  Yes, this is ugly.
@amluto
Copy link
Contributor Author

amluto commented Jun 8, 2014

I'm reasonably happy with this now.

@kentonv kentonv merged commit a873bfa into sandstorm-io:master Jun 27, 2014
kentonv added a commit that referenced this pull request Jun 27, 2014
@kentonv
Tweak style from PR #12.
fc90bf5
@kentonv
Copy link
Member

kentonv commented Jun 27, 2014

Yay, no more suid-root supervisor!

Now to use UID namespaces in run-bundle as well, so that it need not be root... and then maybe we can make Sandstorm work in Docker.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@amluto @kentonv