checkpoint: resolve symlink for external bind mount (take II) by liusdu · Pull Request #3047 · opencontainers/runc

liusdu · 2021-06-28T12:16:08Z

[From @kolyshkin: This is a respin of #2902 which was reverted in #3043]

runc resolves symlink before doing bind mount. So
we should save original path while formatting CriuReq for
dump and restore.

"checkpoint: resolve symlink for external bind mount" is merged as
da22625 (PR #2902) previously. And reverted
in commit 70fdc05 (PR #3043) duo to behavior changes
caused by commit 0ca91f4 (Fixes: CVE-2021-30465)

Signed-off-by: Liu Hua weldonliu@tencent.com

Changelog entry

(by @kolyshkin)

* runc checkpoint/restore: fixed for containers with an external bind mount
  which destination is a symlink. (#3047).

liusdu · 2021-06-28T12:17:40Z

Hi @kolyshkin and @cyphar Sorry for broking CI system in the weekend..

When #2902 is merge, issue #3042 shows that CI is broken, with error message No mapping for /real/conf mountpoint.
After a quick bisect search, I found it is cause by changes from commit 0ca91f4.

diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
index 945a0fa..849bf4a 100644
--- a/libcontainer/container_linux.go
+++ b/libcontainer/container_linux.go
@@ -1217,7 +1217,6 @@ func (c *linuxContainer) makeCriuRestoreMountpoints(m *configs.Mount) error {
                if err := checkProcMount(c.config.Rootfs, dest, ""); err != nil {
                        return err
                }
-               m.Destination = dest
                if err := os.MkdirAll(dest, 0755); err != nil {
                        return err
                }

I am not sure whether it is introduced due to security issue. So I choose Solution 2 described in #3042

kolyshkin

LGTM

kolyshkin

LGTM

kolyshkin · 2021-07-12T00:06:58Z

@cyphar @AkihiroSuda PTAL

liusdu · 2021-07-12T08:30:42Z

Thanks @kolyshkin , @cyphar @AkihiroSuda rebased and tested with newest master.

kolyshkin · 2021-07-20T23:29:56Z

@liusdu can you please rebase? we did some changes to CI that unfortunately require an explicit rebase.

liusdu · 2021-07-21T06:29:20Z

@kolyshkin rebased~

kolyshkin · 2021-07-28T20:38:21Z

@liusdu needs another rebase (we're tackling with CI lately)

liusdu · 2021-07-29T07:32:18Z

rebased

kolyshkin

LGTM

runc resolves symlink before doing bind mount. So we should save original path while formatting CriuReq for dump and restore. "checkpoint: resolve symlink for external bind mount" is merged as da22625(PR 2902) previously. And reverted in commit 70fdc05(PR 3043) duo to behavior changes caused by commit 0ca91f4(Fixes: CVE-2021-30465) Signed-off-by: Liu Hua <weldonliu@tencent.com>

liusdu · 2021-08-19T10:49:59Z

@kolyshkin @cyphar @crosbymichael rebased, please take a look at this patch.

kolyshkin

Still LGTM

cyphar

LGTM. Tbh I'm still not sure I understand why it's necessary, but if it fixes stuff for CRIU I'm happy.

This is a rough equivalent of runc PR 3047 [1], fixing c/r for the case when the bind mount destination is a symlink. Found when running runc's integration test named "checkpoint and restore (bind mount, destination is symlink)". [1]: opencontainers/runc#3047 Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

liusdu force-pushed the broken_symlink branch from 72eb88d to 41b0b46 Compare June 28, 2021 12:36

kolyshkin requested a review from cyphar June 28, 2021 18:38

kolyshkin previously approved these changes Jun 28, 2021

View reviewed changes

kolyshkin added the area/checkpoint-restore label Jun 30, 2021

liusdu dismissed kolyshkin’s stale review via d587ce1 July 6, 2021 12:19

liusdu force-pushed the broken_symlink branch from 41b0b46 to d587ce1 Compare July 6, 2021 12:19

kolyshkin changed the title ~~[FIX CI broken]checkpoint: resolve symlink for external bind mount~~ xheckpoint: resolve symlink for external bind mount (take II) Jul 12, 2021

kolyshkin added this to the 1.1.0 milestone Jul 12, 2021

kolyshkin changed the title ~~xheckpoint: resolve symlink for external bind mount (take II)~~ checkpoint: resolve symlink for external bind mount (take II) Jul 12, 2021

kolyshkin previously approved these changes Jul 12, 2021

View reviewed changes

kolyshkin requested a review from AkihiroSuda July 12, 2021 00:06

liusdu dismissed kolyshkin’s stale review via b844189 July 12, 2021 08:29

liusdu force-pushed the broken_symlink branch from d587ce1 to b844189 Compare July 12, 2021 08:29

liusdu closed this Jul 12, 2021

liusdu reopened this Jul 12, 2021

liusdu force-pushed the broken_symlink branch from b844189 to dde9bbf Compare July 21, 2021 06:28

liusdu requested a review from kolyshkin July 22, 2021 02:48

liusdu force-pushed the broken_symlink branch from dde9bbf to a153102 Compare July 29, 2021 07:31

kolyshkin previously approved these changes Jul 29, 2021

View reviewed changes

kolyshkin added the impact/changelog label Jul 29, 2021

liusdu dismissed kolyshkin’s stale review via 74ae9e0 August 19, 2021 10:48

liusdu force-pushed the broken_symlink branch from a153102 to 74ae9e0 Compare August 19, 2021 10:48

kolyshkin mentioned this pull request Aug 31, 2021

Implement best-effort mount clean up when using host mount namespace #3118

Open

kolyshkin approved these changes Aug 31, 2021

View reviewed changes

kolyshkin requested a review from thaJeztah September 3, 2021 21:10

cyphar approved these changes Sep 9, 2021

View reviewed changes

cyphar merged commit 8bf0326 into opencontainers:master Sep 9, 2021

Conversation

liusdu commented Jun 28, 2021 • edited by kolyshkin Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Changelog entry

Uh oh!

liusdu commented Jun 28, 2021 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

kolyshkin left a comment

Choose a reason for hiding this comment

Uh oh!

kolyshkin left a comment

Choose a reason for hiding this comment

Uh oh!

kolyshkin commented Jul 12, 2021

Uh oh!

liusdu commented Jul 12, 2021

Uh oh!

kolyshkin commented Jul 20, 2021

Uh oh!

liusdu commented Jul 21, 2021

Uh oh!

kolyshkin commented Jul 28, 2021

Uh oh!

liusdu commented Jul 29, 2021

Uh oh!

kolyshkin left a comment

Choose a reason for hiding this comment

Uh oh!

liusdu commented Aug 19, 2021

Uh oh!

kolyshkin left a comment

Choose a reason for hiding this comment

Uh oh!

cyphar left a comment

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

liusdu commented Jun 28, 2021 •

edited by kolyshkin

Loading

liusdu commented Jun 28, 2021 •

edited

Loading