linux: Keep MS_RDONLY when remounting bind mount of a read-only source #120
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
On Silverblue, the host's /usr is mounted read-only:
$ findmnt -o TARGET,OPTIONS,PROPAGATION /usr
TARGET OPTIONS PROPAGATION
/usr ro,relatime,seclabel shared
On such a system, this throws an EPERM when using crun as the OCI
runtime:
$ podman run \
--rm \
--volume /usr:/run/host/usr:ro \
registry.fedoraproject.org/fedora:31 \
/bin/true
Error: remount '... merged/run/host/usr': Operation not permitted: OCI
runtime permission denied error
The underlying system calls are:
mount("/usr",
"... merged/run/host/usr",
0x55d5dffb0bc0,
MS_NOSUID|MS_NODEV|MS_BIND|MS_REC|MS_SLAVE,
0x55d5dffaeef0) = 0
mount("/usr",
"... merged/run/host/usr",
0x55d5dffb0bc0,
MS_NOSUID|MS_NODEV|MS_REMOUNT|MS_BIND|MS_REC|MS_SLAVE,
NULL) = -1 EPERM (Operation not permitted)
Compare that to the system calls generated by runc when used as the
runtime with the same Podman invocation:
mount("/usr",
"... merged/run/host/usr",
0xc000170275,
MS_RDONLY|MS_NOSUID|MS_NODEV|MS_BIND|MS_REC,
NULL) = 0
mount("",
"... merged/run/host/usr",
0xc00017027b,
MS_REC|MS_SLAVE,
NULL) = 0
mount("/usr",
"... merged/run/host/usr",
0xc000170285,
MS_RDONLY|MS_NOSUID|MS_NODEV|MS_REMOUNT|MS_BIND|MS_REC,
NULL) = 0
What's happening here is that when crun tries to remount the newly
created bind mount to apply the rest of the flags unrelated to mount
propagation, it doesn't have the MS_RDONLY flag. This isn't allowed
because the source on the host (ie., /usr) is mounted read-only.
While it's true that the MS_RDONLY flag is ignored in the first
invocation of mount(2) that creates the mount-point, there's also no
harm in mentioning it because it will be silently ignored. Therefore,
it's easier to just keep the flags as they are instead of trying to
track which subset of flags are used by each mount(2) invocation.
Fixes: f658f17 ("linux: remount to honor flags like ...")
|
I am not 100% sure about the role of the |
|
There's some related discussion in containers/podman#4061 but the issue there is something else. |
|
Makes sense to me. |
|
thanks for the patch! LGTM |
This was referenced Oct 3, 2019
|
It is a bugfix. I can give it a test. Is this patch packaged in Fedora? |
|
Here is a test build for f31: https://koji.fedoraproject.org/koji/taskinfo?taskID=38044787 |
|
@juhp Thanks! I have quickly tested and it works also for me, I did not need to try to enter three times :) |
|
Excellent. |
debarshiray
deleted the
wip/rishi/keep-msrdonly-when-remounting-bind-mount-of-a-read-only-source
branch
|
new release here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-845efd1d30 if it still works, please add karma :-) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
On Silverblue, the host's /usr is mounted read-only:
$ findmnt -o TARGET,OPTIONS,PROPAGATION /usr
TARGET OPTIONS PROPAGATION
/usr ro,relatime,seclabel shared
On such a system, this throws an EPERM when using crun as the OCI
runtime:
$ podman run
--rm
--volume /usr:/run/host/usr:ro
registry.fedoraproject.org/fedora:31
/bin/true
Error: remount '... merged/run/host/usr': Operation not permitted: OCI
runtime permission denied error
The underlying system calls are:
mount("/usr",
"... merged/run/host/usr",
0x55d5dffb0bc0,
MS_NOSUID|MS_NODEV|MS_BIND|MS_REC|MS_SLAVE,
0x55d5dffaeef0) = 0
mount("/usr",
"... merged/run/host/usr",
0x55d5dffb0bc0,
MS_NOSUID|MS_NODEV|MS_REMOUNT|MS_BIND|MS_REC|MS_SLAVE,
NULL) = -1 EPERM (Operation not permitted)
Compare that to the system calls generated by runc when used as the
runtime with the same Podman invocation:
mount("/usr",
"... merged/run/host/usr",
0xc000170275,
MS_RDONLY|MS_NOSUID|MS_NODEV|MS_BIND|MS_REC,
NULL) = 0
mount("",
"... merged/run/host/usr",
0xc00017027b,
MS_REC|MS_SLAVE,
NULL) = 0
mount("/usr",
"... merged/run/host/usr",
0xc000170285,
MS_RDONLY|MS_NOSUID|MS_NODEV|MS_REMOUNT|MS_BIND|MS_REC,
NULL) = 0
What's happening here is that when crun tries to remount the newly
created bind mount to apply the rest of the flags unrelated to mount
propagation, it doesn't have the MS_RDONLY flag. This isn't allowed
because the source on the host (ie., /usr) is mounted read-only.
While it's true that the MS_RDONLY flag is ignored in the first
invocation of mount(2) that creates the mount-point, there's also no
harm in mentioning it because it will be silently ignored. Therefore,
it's easier to just keep the flags as they are instead of trying to
track which subset of flags are used by each mount(2) invocation.
Fixes: f658f17 ("linux: remount to honor flags like ...")