-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Always mount tmpfs with noexec #3803
Comments
I'll take this one - I was thinking about this as part of the |
Also, to be clear, we don't intend on stripping security-related options by default. You'll probably have to pass |
Passing an argument is acceptable. Besides, this inelegant argument is intended to workaround a problem with all images based on s6-overlay. ➜ ~ sudo podman run --net=host linuxserver/jackett
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 10-adduser: executing...
usermod: no changes
-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/
Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------
User uid: 911
User gid: 911
-------------------------------------
[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 30-config: executing...
[cont-init.d] 30-config: exited 0.
[cont-init.d] 99-custom-scripts: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-scripts: exited 0.
[cont-init.d] done.
[services.d] starting services
s6-supervise (child): fatal: unable to exec run: Permission denied
s6-supervise jackett: warning: unable to spawn ./run - waiting 10 seconds
[services.d] done.
s6-supervise jackett: warning: unable to spawn ./run - waiting 10 seconds
s6-supervise (child): fatal: unable to exec run: Permission denied
s6-supervise (child): fatal: unable to exec run: Permission denied
s6-supervise jackett: warning: unable to spawn ./run - waiting 10 seconds
s6-supervise (child): fatal: unable to exec run: Permission denied
s6-supervise jackett: warning: unable to spawn ./run - waiting 10 seconds just-containers/s6-overlay#248 said it can be workaround by this which is caused by just-containers/s6-overlay#158 said Docker encountered this problem before, but is fixed now (from my testing). It's caused because a RedHat's patch mount Hope there is a way to fix the problem completely as it makes a large number of interesting containers unusable. |
Try running with the --systemd=false flag. |
|
Great, it works! Is there any method to control this behavior during packaging? Or maybe I'll try to let the image producer add some documentation. |
What is triggering it is the name ending with "init". If this first program run in the image was not init, it would not happen.
|
Dan - defaulting --systemd to true/false sounds like a good use case for
containers.conf, if we add one. Some people will rarely use systemd
containers and might want it to be opt in.
…On Tue, Aug 13, 2019, 14:11 Daniel J Walsh ***@***.***> wrote:
What is triggering it is the name ending with "init". If this first
program run in the image was not init, it would not happen.
if c.Systemd && (strings.HasSuffix(c.Command[0], "init") ||
strings.HasSuffix(c.Command[0], "systemd")) {
options = append(options, libpod.WithSystemd())
}
—
You are receiving this because you were assigned.
Reply to this email directly, view it on GitHub
<#3803>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AB3AOCCEYVDXEHVNRNF7KUTQEL2O3ANCNFSM4ILMG2WA>
.
|
Previously, we explicitly set noexec/nosuid/nodev on every mount, with no ability to disable them. The 'mount' command on Linux will accept their inverses without complaint, though - 'noexec' is counteracted by 'exec', 'nosuid' by 'suid', etc. Add support for passing these options at the command line to disable our explicit forcing of security options. This also cleans up mount option handling significantly. We are still parsing options in more than one place, which isn't good, but option parsing for bind and tmpfs mounts has been unified. Fixes: containers#3819 Fixes: containers#3803 Signed-off-by: Matthew Heon <[email protected]>
Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)
/kind bug
Description
By default
podman run --tmpfs
always go withnoexec,nosuid,nodev
mount options as the code describes.However, there is a use case where containers include s6-supervisor who needs to spawn child from files in
/run
: just-containers/s6-overlay#248 (although program at /etc/services.d/run cannot be executed as well.)So it shouldn't be set without choices.
Steps to reproduce the issue:
podman run -d -e S6_READ_ONLY_ROOT=1 --read-only=true --read-only-tmpfs=false --tmpfs=/run:exec --systemd=false --privileged linuxserver/jackett
podman exec -i -l mount | grep /run
Describe the results you received:
Describe the results you expected:
Additional information you deem important (e.g. issue happens only occasionally):
Output of
podman version
:Output of
podman info --debug
:Additional environment details (AWS, VirtualBox, physical, etc.):
The text was updated successfully, but these errors were encountered: