Incorrect "mount" in config.json is either silently ignored or crashes runsc #11736

Open
stepancheg opened this issue May 16, 2025 · 1 comment
Labels
type: bug Something isn't working

Contributor

stepancheg commented May 16, 2025

Description

    "mounts": [
        {
            "destination": "/ddd",
            "source": "/",
            // and if we specify here "type": "bind", runsc crashes
        }
    ]

does not do anything except create an empty directory.

Moreover, specifying "type": "bind" causes runsc to crash.

This is the correct version, but this issue is about missing validation if this configuration is not correct.

    "mounts": [
        {
            "destination": "/ddd",
            "source": "/",
            "type": "bind",
            "options": ["rbind", "rw"]
        }
    ]

Steps to reproduce

{
    "process": {
        "args": ["/bin/bash"],
        "terminal": true
    },
    "root": {
        "path": "/"
    },
    "mounts": [
        {
            "destination": "/ddd",
            "source": "/"
        }
    ]
}

$ sudo bazel-bin/runsc/runsc_/runsc run --bundle ~/bu2 cont-x

root@:/# ls -l /ddd 
total 0

root@:/# mount
none on / type overlay (rw)
none on /sys type sysfs (rw,dentry_cache_limit=1000)
none on /dev type tmpfs (rw,mode=0755)
none on /proc type proc (rw,dentry_cache_limit=1000)
none on /dev/pts type devpts (rw)

Log: https://gist.github.com/stepancheg/82cee1f2095405d1c5b790240ad62564

{
    "process": {
        "args": ["/bin/bash"],
        "terminal": true
    },
    "root": {
        "path": "/"
    },
    "mounts": [
        {
            "destination": "/ddd",
            "source": "/",
            "type": "bind"
        }
    ]
}

$ sudo bazel-bin/runsc/runsc_/runsc run --bundle ~/bu2 cont-x

running container: creating container: cannot create sandbox: cannot read client sync file: waiting for sandbox to start: EOF

Log: https://gist.github.com/stepancheg/81c05a3b18909e28716f6cee945c456e

runsc version

runsc version release-20250505.0-31-gd30c58e5b8a4
spec: 1.2.0

uname

Linux w-st 6.6.72+ #1 SMP PREEMPT_DYNAMIC Sat Apr 19 09:07:01 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

repo state (if built from source)

release-20250505.0-31-gd30c58e5b

@stepancheg stepancheg added the type: bug Something isn't working label May 16, 2025
copybara-service bot pushed a commit that referenced this issue May 16, 2025
The run command was missing the process spec validation.

Updates #11736

PiperOrigin-RevId: 759739146
Collaborator

ayushr2 commented May 16, 2025

When the mount type is not specified, gVisor just ignores the mount:

gvisor/runsc/boot/vfs.go

Lines 929 to 931 in d30c58e

    default:
        log.Warningf("ignoring unknown filesystem type %q", m.mount.Type)
        return "", nil, nil

In this case, runc attempts to mount it and fails with:

WARN[0000] freezer not supported: openat2 /sys/fs/cgroup/user.slice/user-676784.slice/cont/cgroup.freeze: no such file or directory 
WARN[0000] lstat /sys/fs/cgroup/user.slice/user-676784.slice/cont: no such file or directory 
ERRO[0000] runc run failed: unable to start container process: error during container init: error mounting "/" to rootfs at "/ddd": mount /:/ddd (via /proc/self/fd/7): no such device 

After adding "type": "bind" but without the options, the failure happens with gVisor because the gofer fails with:

FATAL ERROR: error setting up FS: mounting {Destination:/ddd Type:bind Source:/ Options:[] UIDMappings:[] GIDMappings:[]}: mount("/", "/proc/fs/root/ddd", 4096) failed: mount("/", "/proc/fs/proc/self/fd/14", "bind", 0x1000, "") failed: invalid argument

This failure is WAI I think.

BTW don't try this reproducer with runc (after adding type=bind), because it can brick your system: opencontainers/runc#4767.
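
A pre-flight lint for the two config.json shapes reported in this thread, as an added example that is not part of the issue or of runsc. `LintMounts` and the sample input are hypothetical, and the findings encode only the behaviour described above: a mount with no type is ignored, and type bind without bind/rbind in options makes the sandbox fail to start.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// hasBind reports whether the options ask for a bind mount ("bind" or "rbind").
func hasBind(opts []string) bool {
	for _, o := range opts {
		if o == "bind" || o == "rbind" {
			return true
		}
	}
	return false
}

// LintMounts is a hypothetical pre-flight check (not runsc code): one finding per bad mount.
func LintMounts(config []byte) ([]string, error) {
	var spec struct {
		Mounts []struct {
			Destination string   `json:"destination"`
			Type        string   `json:"type"`
			Options     []string `json:"options"`
		} `json:"mounts"`
	}
	if err := json.Unmarshal(config, &spec); err != nil {
		return nil, fmt.Errorf("parsing config.json: %w", err)
	}
	var findings []string
	for i, m := range spec.Mounts {
		switch {
		case m.Type == "": // reported: runsc ignores the mount, leaving an empty directory
			findings = append(findings, fmt.Sprintf("mounts[%d] %s: missing type", i, m.Destination))
		case m.Type == "bind" && !hasBind(m.Options): // reported: sandbox fails to start
			findings = append(findings, fmt.Sprintf("mounts[%d] %s: bind without bind/rbind option", i, m.Destination))
		}
	}
	return findings, nil
}

// Constructed sample: the two problem shapes from the issue, then the working one.
const sample = `{"mounts": [{"destination": "/a", "source": "/"},
	{"destination": "/b", "source": "/", "type": "bind"},
	{"destination": "/c", "source": "/", "type": "bind", "options": ["rbind", "rw"]}]}`

func main() {
	fmt.Println(LintMounts([]byte(sample)))
}
```

Running such a check before `runsc run` turns the silent no-op into an explicit finding.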
