Skip to content

libct: close the mount source fd ASAP! #5177

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
cyphar merged 3 commits into from
Mar 28, 2026
+78 −50
Merged

libct: close the mount source fd ASAP! #5177

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
0d0fd95
libct: add a nil check for mountError
lifubang Mar 19, 2026
c77e71a
libct: close mount source fd as soon as possible
lifubang Mar 19, 2026
7fdab1c
test: check mount source fds are cleaned up with idmapped mounts
lifubang Mar 18, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion libcontainer/mount_linux.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -110,7 +110,7 @@ func (e *mountError) Error() string {

if e.source != "" {
out += "src=" + e.source + ", "
if e.srcFile != nil {
if e.srcFile != nil && e.srcFile.file != nil {
out += "srcType=" + string(e.srcFile.Type) + ", "
out += "srcFd=" + strconv.Itoa(int(e.srcFile.file.Fd())) + ", "
}
Expand Down
104 changes: 56 additions & 48 deletions libcontainer/rootfs_linux.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -97,6 +97,60 @@ func needsSetupDev(config *configs.Config) bool {
return true
}

// setupAndMountToRootfs sets up the mount for a single mount point and mounts it to the rootfs.
func setupAndMountToRootfs(pipe *syncSocket, config *configs.Config, mountConfig *mountConfig, m *configs.Mount) error {
Copy link
Copy Markdown
Member

@cyphar cyphar Mar 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: I think something like doMount or applyMount would be a little less specific (I think setupAndMountToRootfs is too descriptive without telling you what stage in the process it is) but I don't really like any of those names to be honest... 🤔

entry := mountEntry{Mount: m}
// Figure out whether we need to request runc to give us an
// open_tree(2)-style mountfd. For idmapped mounts, this is always
// necessary. For bind-mounts, this is only necessary if we cannot
// resolve the parent mount (this is only hit if you are running in a
// userns -- but for rootless the host-side thread can't help).
wantSourceFile := m.IsIDMapped()
if m.IsBind() && !config.RootlessEUID {
if _, err := os.Stat(m.Source); err != nil {
wantSourceFile = true
}
}
if wantSourceFile {
Comment thread
lifubang marked this conversation as resolved.
// Request a source file from the host.
if err := writeSyncArg(pipe, procMountPlease, m); err != nil {
return fmt.Errorf("failed to request mountfd for %q: %w", m.Source, err)
}
sync, err := readSyncFull(pipe, procMountFd)
if err != nil {
return fmt.Errorf("mountfd request for %q failed: %w", m.Source, err)
}
if sync.File == nil {
return fmt.Errorf("mountfd request for %q: response missing attached fd", m.Source)
}
defer sync.File.Close()
// Sanity-check to make sure we didn't get the wrong fd back. Note
// that while m.Source might contain symlinks, the (*os.File).Name
// is based on the path provided to os.OpenFile, not what it
// resolves to. So this should never happen.
if sync.File.Name() != m.Source {
return fmt.Errorf("returned mountfd for %q doesn't match requested mount configuration: mountfd path is %q", m.Source, sync.File.Name())
}
// Unmarshal the procMountFd argument (the file is sync.File).
var src *mountSource
if sync.Arg == nil {
return fmt.Errorf("sync %q is missing an argument", sync.Type)
}
if err := json.Unmarshal(*sync.Arg, &src); err != nil {
return fmt.Errorf("invalid mount fd response argument %q: %w", string(*sync.Arg), err)
}
if src == nil {
return fmt.Errorf("mountfd request for %q: no mount source info received", m.Source)
}
src.file = sync.File
entry.srcFile = src
}
if err := mountToRootfs(mountConfig, entry); err != nil {
return fmt.Errorf("error mounting %q to rootfs at %q: %w", m.Source, m.Destination, err)
}
return nil
}

// prepareRootfs sets up the devices, mount points, and filesystems for use
// inside a new mount namespace. It doesn't set anything as ro. You must call
// finalizeRootfs after this function to finish setting up the rootfs.
Expand All @@ -114,54 +168,8 @@ func prepareRootfs(pipe *syncSocket, iConfig *initConfig) (err error) {
cgroupns: config.Namespaces.Contains(configs.NEWCGROUP),
}
for _, m := range config.Mounts {
entry := mountEntry{Mount: m}
// Figure out whether we need to request runc to give us an
// open_tree(2)-style mountfd. For idmapped mounts, this is always
// necessary. For bind-mounts, this is only necessary if we cannot
// resolve the parent mount (this is only hit if you are running in a
// userns -- but for rootless the host-side thread can't help).
wantSourceFile := m.IsIDMapped()
if m.IsBind() && !config.RootlessEUID {
if _, err := os.Stat(m.Source); err != nil {
wantSourceFile = true
}
}
if wantSourceFile {
// Request a source file from the host.
if err := writeSyncArg(pipe, procMountPlease, m); err != nil {
return fmt.Errorf("failed to request mountfd for %q: %w", m.Source, err)
}
sync, err := readSyncFull(pipe, procMountFd)
if err != nil {
return fmt.Errorf("mountfd request for %q failed: %w", m.Source, err)
}
if sync.File == nil {
return fmt.Errorf("mountfd request for %q: response missing attached fd", m.Source)
}
defer sync.File.Close()
// Sanity-check to make sure we didn't get the wrong fd back. Note
// that while m.Source might contain symlinks, the (*os.File).Name
// is based on the path provided to os.OpenFile, not what it
// resolves to. So this should never happen.
if sync.File.Name() != m.Source {
return fmt.Errorf("returned mountfd for %q doesn't match requested mount configuration: mountfd path is %q", m.Source, sync.File.Name())
}
// Unmarshal the procMountFd argument (the file is sync.File).
var src *mountSource
if sync.Arg == nil {
return fmt.Errorf("sync %q is missing an argument", sync.Type)
}
if err := json.Unmarshal(*sync.Arg, &src); err != nil {
return fmt.Errorf("invalid mount fd response argument %q: %w", string(*sync.Arg), err)
}
if src == nil {
return fmt.Errorf("mountfd request for %q: no mount source info received", m.Source)
}
src.file = sync.File
entry.srcFile = src
}
if err := mountToRootfs(mountConfig, entry); err != nil {
return fmt.Errorf("error mounting %q to rootfs at %q: %w", m.Source, m.Destination, err)
if err := setupAndMountToRootfs(pipe, config, mountConfig, m); err != nil {
return err
Comment thread
rata marked this conversation as resolved.
}
}

Expand Down
22 changes: 21 additions & 1 deletion tests/integration/idmap.bats
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -104,7 +104,27 @@ function setup_idmap_single_mount() {

function setup_idmap_basic_mount() {
mountname="${1:-1}"
setup_idmap_single_mount 0:100000:65536 0:100000:65536 "$mountname"
destname="${2:-}"
setup_idmap_single_mount 0:100000:65536 0:100000:65536 "$mountname" "$destname"
}
Comment on lines +107 to +109
Copy link
Copy Markdown
Member

@rata rata Mar 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why are you changing this? It's not really need it in the test, right?

Copy link
Copy Markdown
Member Author

@lifubang lifubang Mar 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is necessary because I need to mount to more than three target directories within the container.


@test "Check mount source fds are cleaned up with idmapped mounts [userns]" {
setup_idmap_userns
for i in {1..10}; do
setup_idmap_basic_mount 1 "1$i"
setup_idmap_basic_mount 2 "2$i"
done

update_config '.process.args = ["sh", "-c", "stat -c =%u=%g= /tmp/mount-11/foo.txt"]'
update_config '.process.rlimits = [{
"type": "RLIMIT_NOFILE",
"soft": 20,
"hard": 20
Comment on lines +119 to +122
Copy link
Copy Markdown
Member

@rata rata Mar 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The test is using exactly 20, right?

I think there are many things that can use fds and this might be flaky or failing in the future. But if this is important for your environment, I'm fine having it. If it causes CI issues in the future, we can decide then what to do

Copy link
Copy Markdown
Member Author

@lifubang lifubang Mar 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The test is using exactly 20, right?

Yes, the test explicitly adds 20 mounts. Before this patch, this would have caused a failure due to the limit.
Since runc theoretically supports an RLIMIT_NOFILE value of 1, this test case is deterministic and should not be flaky in the future.

}]'

runc run test_debian
[ "$status" -eq 0 ]
[[ "$output" == *"=0=0="* ]]
}

@test "simple idmap mount [userns]" {
Expand Down
Loading