New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
cmd/snap-confine: handle mounted shared /run/snapd/ns #6159
Conversation
7db5561
to
fe3eae8
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, some nitpicks about comments.
The code that handles special sharing mode of /run/snapd/ns did cope with /run/snapd/ns being a private mount point and not being a mount point at all. When it was a mount point but one with shared mount event propagation all kinds of hell would break loose. This patch fixes this. The existing unit tests were nixed and replaced with a much more readable and comprehensive spread test. Fixes: https://bugs.launchpad.net/snapd/+bug/1803542 Signed-off-by: Zygmunt Krynicki <me@zygoon.pl>
Signed-off-by: Zygmunt Krynicki <me@zygoon.pl>
Instead of using findmnt to find a mount point and show the mount event propagation with -o PROPAGATION we can look at /proc/self/mountinfo and do the unholy grep awk cut combo. Signed-off-by: Zygmunt Krynicki <me@zygoon.pl>
Signed-off-by: Zygmunt Krynicki <me@zygoon.pl>
Signed-off-by: Zygmunt Krynicki <me@zygoon.pl>
Signed-off-by: Zygmunt Krynicki <me@zygoon.pl>
Signed-off-by: Zygmunt Krynicki <me@zygoon.pl>
|
I saw the failure last night, I need to look at that. |
Signed-off-by: Zygmunt Krynicki <me@zygoon.pl>
I reproduced the bug, looks like something didn't clean up after itself in a prior test. |
This is blocked by a bug fixed by #6203 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good +1, one question below.
private) | ||
mkdir -p /run/snapd/ns | ||
mount --bind /run/snapd/ns /run/snapd/ns | ||
mount --make-private /run/snapd/ns |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we do anything about these mount points in restore:
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not really, snap-confine restores the correct setup on each execution. We don't have to unmount them. The code here is what snap-confine does internally.
VARIANT/absent: absent | ||
VARIANT/present: present | ||
VARIANT/shared: shared | ||
VARIANT/private: private |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, worked better than the unit test :)
The code that handles special sharing mode of /run/snapd/ns did cope
with /run/snapd/ns being a private mount point and not being a mount
point at all. When it was a mount point but one with shared mount event
propagation all kinds of hell would break loose. This patch fixes this.
The existing unit tests were nixed and replaced with a much more
readable and comprehensive spread test.
Fixes: https://bugs.launchpad.net/snapd/+bug/1803542
Signed-off-by: Zygmunt Krynicki me@zygoon.pl