/snap-confine

Detach the hostfs version of /sys #183

Merged
merged 2 commits into from Nov 21, 2016

Conversation

Reviewers

@jdstrand jdstrand

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
3 participants
@zyga @lool @jdstrand
@zyga
Collaborator

zyga commented Nov 18, 2016

This patch detaches (aka umount --lazy) or umount2(1) with MNT_DETACH
flag the second sysfs that is visible from /var/lib/snapd/hostfs/sys
after the pivot_root call.

This is done so that the hostfs is more empty (second sysfs is not
really needed as we can always re-associated with pid-1 ns to get back
to the outer view) and so that certain application (cough docker
cough) that actually scan the mount table for sysfs don't find the
wrong one. The "wrong" one works exactly the same as /sys but is denied
by apparmor profiles.

Signed-off-by: Zygmunt Krynicki zygmunt.krynicki@canonical.com
@zyga
Detach the hostfs version of /sys 
This patch detaches (aka umount --lazy) or umount2(1) with MNT_DETACH
flag the second sysfs that is visible from /var/lib/snapd/hostfs/sys
after the pivot_root call.

This is done so that the hostfs is more empty (second sysfs is not
really needed as we can always re-associated with pid-1 ns to get back
to the outer view) and so that certain application (*cough* docker
*cough*) that actually scan the mount table for sysfs don't find the
wrong one. The "wrong" one works exactly the same as /sys but is denied
by apparmor profiles.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
b87d754
@lool
Contributor

lool commented Nov 18, 2016

Hi,
Zygmunt told me how to enter the target mount namespace:
sudo nsenter -m/run/snapd/ns/docker.mnt

I can confirm that if I "umount --lazy /var/lib/snapd/hostfs/sys" in there, it fixes subsequent docker runs.

NB: Zygmunt considers removing /proc and /dev too, and I can confirm that lazy unmounting /var/lib/snapd/hostfs/dev and /var/lib/snapd/hostfs/proc works there too, and docker keeps working.

Cheers,

  • Loïc
src/mount-support.c
@@ -495,6 +495,16 @@ static void sc_bootstrap_mount_namespace(const struct sc_mount_config *config)
die("cannot perform operation: mount --make-rslave %s",
SC_HOSTFS_DIR);
}
+ // Detach the hostfs version of sysfs. Some software may want to inspect
+ // the mount table to look for a particular filesystem. If that said
+ // software unlucklily picks the hostfs "version" of. The prominent example
@jdstrand

jdstrand Nov 18, 2016
Edited 1 time

Contributor

Typo: 'unlucklily'. This comment is phrased weird. How about:

// Detach the redundant hostfs version of sysfs since it shows up in the mount
// table and software inspecting the mount table may become confused (eg,
// docker and LP: #162601).
@zyga

zyga Nov 18, 2016

Collaborator

Thanks! Indeed much shorter and to the point

@zyga
Improve wording in comment (thanks to jdstrand) 
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
f260dca

@zyga zyga merged commit 0ea07b5 into master Nov 21, 2016
1 check passed

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed
Details

@zyga zyga deleted the no-2nd-sysfs branch Nov 23, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment