Skip to content

[1.0] Fix failure with read-only /dev in spec#3277

Merged
kolyshkin merged 3 commits intoopencontainers:release-1.0from
kolyshkin:1.0-fix-ro-dev
Nov 29, 2021
Merged

[1.0] Fix failure with read-only /dev in spec#3277
kolyshkin merged 3 commits intoopencontainers:release-1.0from
kolyshkin:1.0-fix-ro-dev

Conversation

@kolyshkin
Copy link
Copy Markdown
Contributor

@kolyshkin kolyshkin commented Nov 12, 2021
edited
Loading

This is a backport of #3276 to release-1.0 branch. Original description follows.

NOTE: draft pending merge of #3282 and #3276.

Commit fb4c27c (PR #2570, went into v1.0.0-rc93) fixed a bug with
read-only tmpfs, but introduced a bug with read-only /dev (#3248).

This happens because /dev is a tmpfs mount and is therefore remounted
read-only a bit earlier than before.

To fix,

  1. Revert the part of the above commit which remounts all tmpfs mounts
    as read-only in mountToRootfs.

  2. Reuse finalizeRootfs (which is already used to remount /dev
    read-only) to also remount all ro tmpfs mounts that were previously
    mounted rw in mountPropagate.

Add a test case to validate the fix and prevent future regressions;
make sure it fails before the fix:

 ✗ runc run [ro /dev mount]
   (in test file tests/integration/mounts.bats, line 45)
     `[ "$status" -eq 0 ]' failed
   runc spec (status=0):

   runc run test_busybox (status=1):
   time="2021-11-12T12:19:48-08:00" level=error msg="runc run failed: unable to start container process: error during container init: error mounting \"devpts\" to rootfs at \"/dev/pts\": mkdir /tmp/bats-run-VJXQk7/runc.0Fj70w/bundle/rootfs/dev/pts: read-only file system"

Fixes: #3248

@kolyshkin kolyshkin added the backport/1.0-pr A backport PR to release-1.0 label Nov 12, 2021
@kolyshkin kolyshkin mentioned this pull request Nov 12, 2021
Merged
@kolyshkin kolyshkin added this to the 1.0.3 milestone Nov 12, 2021
@kolyshkin

This comment has been minimized.

Sign in to view
@kolyshkin kolyshkin mentioned this pull request Nov 12, 2021
Closed
@kolyshkin

This comment has been minimized.

Sign in to view
@kolyshkin kolyshkin marked this pull request as draft November 15, 2021 19:57
kailun-qin and others added 3 commits November 16, 2021 13:50
@kailun-qin @kolyshkin
libct/rootfs: consolidate utils imports
3640499 
Signed-off-by: Kailun Qin <kailun.qin@intel.com>
(cherry picked from commit c508a7b)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
@kolyshkin
test/int/mount.bats: refer to github issue
e802cfa 
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit f252eb5)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
@kolyshkin
runc run: fix ro /dev
cbb2367 
Commit fb4c27c (went into v1.0.0-rc93) fixed a bug with
read-only tmpfs, but introduced a bug with read-only /dev.

This happens because /dev is a tmpfs mount and is therefore remounted
read-only a bit earlier than before.

To fix,

1. Revert the part of the above commit which remounts all tmpfs mounts
   as read-only in mountToRootfs.

2. Reuse finalizeRootfs (which is already used to remount /dev
   read-only) to also remount all ro tmpfs mounts that were previously
   mounted rw in mountPropagate.

3. Remove the break in finalizeRootfs, as now we have more than one
   mount to care about.

4. Reorder the if statements in finalizeRootfs to perform the fast check
   (for ro flag) first, and compare the strings second. Since /dev is
   most probably also a tmpfs mount, do the m.Device check first.

Add a test case to validate the fix and prevent future regressions;
make sure it fails before the fix:

 ✗ runc run [ro /dev mount]
   (in test file tests/integration/mounts.bats, line 45)
     `[ "$status" -eq 0 ]' failed
   runc spec (status=0):

   runc run test_busybox (status=1):
   time="2021-11-12T12:19:48-08:00" level=error msg="runc run failed: unable to start container process: error during container init: error mounting \"devpts\" to rootfs at \"/dev/pts\": mkdir /tmp/bats-run-VJXQk7/runc.0Fj70w/bundle/rootfs/dev/pts: read-only file system"

Fixes: fb4c27c
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit b247cd3)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
@kolyshkin kolyshkin requested a review from cyphar November 19, 2021 02:15
@cyphar
Copy link
Copy Markdown
Member

cyphar commented Nov 25, 2021

#3276 merged

cyphar
cyphar approved these changes Nov 25, 2021
View reviewed changes
Copy link
Copy Markdown
Member

@cyphar cyphar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

thaJeztah
thaJeztah approved these changes Nov 29, 2021
View reviewed changes
Copy link
Copy Markdown
Member

@thaJeztah thaJeztah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

guess this can be moved out of draft, @kolyshkin

@kolyshkin kolyshkin marked this pull request as ready for review November 29, 2021 17:02
@kolyshkin kolyshkin merged commit 02d2e1f into opencontainers:release-1.0 Nov 29, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@thaJeztah thaJeztah thaJeztah approved these changes

@cyphar cyphar cyphar approved these changes

@AkihiroSuda AkihiroSuda AkihiroSuda approved these changes

Assignees

No one assigned

Labels

backport/1.0-pr A backport PR to release-1.0 impact/changelog

Projects

None yet

Milestone

1.0.3

Development

Successfully merging this pull request may close these issues.

5 participants

@kolyshkin @cyphar @thaJeztah @AkihiroSuda @kailun-qin