Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[1.0] Fix failure with read-only /dev in spec #3277

Merged
merged 3 commits into from
Nov 29, 2021
Merged

[1.0] Fix failure with read-only /dev in spec #3277

merged 3 commits into from
Nov 29, 2021

Conversation

kolyshkin
Copy link
Contributor

@kolyshkin kolyshkin commented Nov 12, 2021
edited
Loading

This is a backport of #3276 to release-1.0 branch. Original description follows.

NOTE: draft pending merge of #3282 and #3276.

Commit fb4c27c (PR #2570, went into v1.0.0-rc93) fixed a bug with
read-only tmpfs, but introduced a bug with read-only /dev (#3248).

This happens because /dev is a tmpfs mount and is therefore remounted
read-only a bit earlier than before.

To fix,

  1. Revert the part of the above commit which remounts all tmpfs mounts
    as read-only in mountToRootfs.

  2. Reuse finalizeRootfs (which is already used to remount /dev
    read-only) to also remount all ro tmpfs mounts that were previously
    mounted rw in mountPropagate.

Add a test case to validate the fix and prevent future regressions;
make sure it fails before the fix:

 ✗ runc run [ro /dev mount]
   (in test file tests/integration/mounts.bats, line 45)
     `[ "$status" -eq 0 ]' failed
   runc spec (status=0):

   runc run test_busybox (status=1):
   time="2021-11-12T12:19:48-08:00" level=error msg="runc run failed: unable to start container process: error during container init: error mounting \"devpts\" to rootfs at \"/dev/pts\": mkdir /tmp/bats-run-VJXQk7/runc.0Fj70w/bundle/rootfs/dev/pts: read-only file system"

Fixes: #3248

@kolyshkin kolyshkin added the backport/1.0-pr A backport PR to release-1.0 label Nov 12, 2021
@kolyshkin kolyshkin mentioned this pull request Nov 12, 2021
Merged
@kolyshkin kolyshkin added this to the 1.0.3 milestone Nov 12, 2021
@kolyshkin

This comment has been minimized.

Sign in to view
@kolyshkin kolyshkin mentioned this pull request Nov 12, 2021
Closed
@kolyshkin

This comment has been minimized.

Sign in to view
@kolyshkin kolyshkin marked this pull request as draft November 15, 2021 19:57
kailun-qin and others added 3 commits November 16, 2021 13:50
@kailun-qin @kolyshkin
libct/rootfs: consolidate utils imports
3640499 
Signed-off-by: Kailun Qin <kailun.qin@intel.com>
(cherry picked from commit c508a7b)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
@kolyshkin
test/int/mount.bats: refer to github issue
e802cfa 
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit f252eb5)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
@kolyshkin
runc run: fix ro /dev
cbb2367 
Commit fb4c27c (went into v1.0.0-rc93) fixed a bug with
read-only tmpfs, but introduced a bug with read-only /dev.

This happens because /dev is a tmpfs mount and is therefore remounted
read-only a bit earlier than before.

To fix,

1. Revert the part of the above commit which remounts all tmpfs mounts
   as read-only in mountToRootfs.

2. Reuse finalizeRootfs (which is already used to remount /dev
   read-only) to also remount all ro tmpfs mounts that were previously
   mounted rw in mountPropagate.

3. Remove the break in finalizeRootfs, as now we have more than one
   mount to care about.

4. Reorder the if statements in finalizeRootfs to perform the fast check
   (for ro flag) first, and compare the strings second. Since /dev is
   most probably also a tmpfs mount, do the m.Device check first.

Add a test case to validate the fix and prevent future regressions;
make sure it fails before the fix:

 ✗ runc run [ro /dev mount]
   (in test file tests/integration/mounts.bats, line 45)
     `[ "$status" -eq 0 ]' failed
   runc spec (status=0):

   runc run test_busybox (status=1):
   time="2021-11-12T12:19:48-08:00" level=error msg="runc run failed: unable to start container process: error during container init: error mounting \"devpts\" to rootfs at \"/dev/pts\": mkdir /tmp/bats-run-VJXQk7/runc.0Fj70w/bundle/rootfs/dev/pts: read-only file system"

Fixes: fb4c27c
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit b247cd3)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
@cyphar
Copy link
Member

cyphar commented Nov 25, 2021

#3276 merged

cyphar
cyphar approved these changes Nov 25, 2021
View reviewed changes
Copy link
Member

@cyphar cyphar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

thaJeztah
thaJeztah approved these changes Nov 29, 2021
View reviewed changes
Copy link
Member

@thaJeztah thaJeztah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

guess this can be moved out of draft, @kolyshkin

@kolyshkin kolyshkin marked this pull request as ready for review November 29, 2021 17:02
@kolyshkin kolyshkin merged commit 02d2e1f into opencontainers:release-1.0 Nov 29, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@AkihiroSuda AkihiroSuda AkihiroSuda approved these changes

@cyphar cyphar cyphar approved these changes

@thaJeztah thaJeztah thaJeztah approved these changes

Assignees
No one assigned
Labels
backport/1.0-pr A backport PR to release-1.0 impact/changelog
Projects
None yet
Milestone
1.0.3
Development

Successfully merging this pull request may close these issues.
5 participants
@kolyshkin @cyphar @thaJeztah @AkihiroSuda @kailun-qin