libcontainer: skip chown of /dev/null caused by fd redirection by Dzejrou · Pull Request #3707 · opencontainers/runc

Dzejrou · 2023-01-20T20:48:56Z

In #3355 the check whether the STDIO file descriptors point to /dev/null was removed which can cause /dev/null to change ownership e.g. when using docker exec on a running container:

$ ls -l /dev/null
crw-rw-rw- 1 root root 1, 3 Aug 1 14:12 /dev/null
$ docker exec -u test 0ad6d3064e9d ls
$ ls -l /dev/null
crw-rw-rw- 1 test root 1, 3 Aug 1 14:12 /dev/null

This PR reintroduces that check and fixes the issue for me on runc v1.1.{3,4} (I did not find any information about this change being intentional, if it was feel free to close this PR).

Fixes: #3674

Dzejrou · 2023-01-20T20:51:17Z

I think this may be fixing #3674, but the reporter there never provided reproduction steps.

cyphar · 2023-02-02T04:16:03Z

LGTM, however we require a DCO for all commits (just do git commit --amend -s and force-push to add it).

@kolyshkin It seems we broke this in #3345.

kolyshkin

The change looks good to me. I spent some time last week trying to create a repro but couldn't.

Can you please change the commit message to point to a commit (rather that GitHub PR)? Otherwise LGTM

Dzejrou · 2023-02-02T16:10:19Z

LGTM, however we require a DCO for all commits (just do git commit --amend -s and force-push to add it).

Done.

Can you please change the commit message to point to a commit (rather that GitHub PR)? Otherwise LGTM

Is this format of commit reference OK?

kolyshkin

LGTM

kolyshkin · 2023-02-02T19:57:19Z

This is a commit to the main branch thus the milestone should be set to 1.2.0.

Indeed we need to backport it to release-1.1 as soon as this is merged, thus the appropriate label.

kolyshkin · 2023-02-02T21:11:44Z

Ah! I finally got a reproducer for this, currently being tested in #3720.

kolyshkin · 2023-02-03T00:13:32Z

Can you please rebase and pick up 65c94b8 ?

Something like

wget https://github.com/opencontainers/runc/pull/3720/commits/65c94b899ed0c7c5bceeec5c515990c392894db8.patch
git am 65c94b899ed0c7c5bceeec5c515990c392894db8.patch

should work

In 18c4760 (libct: fixStdioPermissions: skip chown if not needed) the check whether the STDIO file descriptors point to /dev/null was removed which can cause /dev/null to change ownership e.g. when using docker exec on a running container: $ ls -l /dev/null crw-rw-rw- 1 root root 1, 3 Aug 1 14:12 /dev/null $ docker exec -u test 0ad6d3064e9d ls $ ls -l /dev/null crw-rw-rw- 1 test root 1, 3 Aug 1 14:12 /dev/null Signed-off-by: Jaroslav Jindrak <dzejrou@gmail.com>

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

Dzejrou · 2023-02-03T00:38:37Z

Can you please rebase and pick up 65c94b8 ?

Done, I hope.

kolyshkin

LGTM

kolyshkin · 2023-02-07T22:04:54Z

@cyphar @AkihiroSuda @thaJeztah PTAL

(once this is in, we need to backport to 1.1 and release 1.1.5)

thaJeztah

LGTM, thanks!

kolyshkin · 2023-02-09T03:48:57Z

1.1 backport: #3731

cyphar force-pushed the main branch from 1dce002 to e123f1f Compare February 2, 2023 04:11

cyphar requested a review from kolyshkin February 2, 2023 04:13

cyphar added the backport/1.1-todo A PR in main branch which needs to be backported to release-1.1 label Feb 2, 2023

cyphar added the regression label Feb 2, 2023

cyphar added this to the 1.1.5 milestone Feb 2, 2023

kolyshkin reviewed Feb 2, 2023

View reviewed changes

Dzejrou force-pushed the main branch from e123f1f to 8219fba Compare February 2, 2023 16:05

kolyshkin previously approved these changes Feb 2, 2023

View reviewed changes

kolyshkin modified the milestones: 1.1.5, 1.2.0 Feb 2, 2023

kolyshkin mentioned this pull request Feb 3, 2023

[DNM] integration test for #3707 #3720

Closed

kolyshkin self-requested a review February 3, 2023 00:16

Dzejrou and others added 2 commits February 3, 2023 01:24

tests/int: test for /dev/null owner regression

1bb6209

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

Dzejrou dismissed kolyshkin’s stale review via 1bb6209 February 3, 2023 00:25

Dzejrou force-pushed the main branch from 8219fba to 1bb6209 Compare February 3, 2023 00:25

kolyshkin approved these changes Feb 3, 2023

View reviewed changes

thaJeztah approved these changes Feb 7, 2023

View reviewed changes

thaJeztah merged commit f8e2629 into opencontainers:main Feb 7, 2023

kolyshkin mentioned this pull request Feb 9, 2023

[1.1] libcontainer: skip chown of /dev/null caused by fd redirection #3731

Merged

kolyshkin removed the backport/1.1-todo A PR in main branch which needs to be backported to release-1.1 label Feb 9, 2023

kolyshkin added the backport/1.1-done A PR in main branch which has been backported to release-1.1 label Feb 9, 2023

vasiliy-ul mentioned this pull request Jul 12, 2023

allow kubevirt VM work under container kubevirt/kubevirt#9668

Merged

Conversation

Dzejrou commented Jan 20, 2023 • edited by kolyshkin Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Dzejrou commented Jan 20, 2023

Uh oh!

cyphar commented Feb 2, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

kolyshkin left a comment

Choose a reason for hiding this comment

Uh oh!

Dzejrou commented Feb 2, 2023

Uh oh!

kolyshkin left a comment

Choose a reason for hiding this comment

Uh oh!

kolyshkin commented Feb 2, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

kolyshkin commented Feb 2, 2023

Uh oh!

kolyshkin commented Feb 3, 2023

Uh oh!

Dzejrou commented Feb 3, 2023

Uh oh!

kolyshkin left a comment

Choose a reason for hiding this comment

Uh oh!

kolyshkin commented Feb 7, 2023

Uh oh!

thaJeztah left a comment

Choose a reason for hiding this comment

Uh oh!

kolyshkin commented Feb 9, 2023

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Dzejrou commented Jan 20, 2023 •

edited by kolyshkin

Loading

cyphar commented Feb 2, 2023 •

edited

Loading

kolyshkin commented Feb 2, 2023 •

edited

Loading