From e61aa4747254d88cc8bc648bc00e6123ff06ddef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20M=C3=ADchal?=
Date: Thu, 25 Feb 2021 12:40:04 +0100
Subject: [PATCH] src/create: Handle read-only /boot
CoreOS recently made /boot read-only[0]. This caused an issue with starting containers because /boot was mounted only with option rslave but missed the ro option. This caused a permission issue. This scenario is very similar to the one with /usr on Fedora Silverblue. The solution for this is to check mount options of the path and check if it uses the rw option or ro and then add it to the mount options in the --volume option in 'podman create'.
Fixes: https://github.com/coreos/fedora-coreos-tracker/issues/734
[0] https://github.com/coreos/fedora-coreos-config/commit/1de21ffa98bb22995e5b059501e1955bf52b562c
https://github.com/containers/toolbox/pull/712
---
 src/cmd/create.go | 27 +++++++++++++++++++--------
 1 file changed, 19 insertions(+), 8 deletions(-)
diff --git a/src/cmd/create.go b/src/cmd/create.go
index 315b824df..058e0e87e 100644
--- a/src/cmd/create.go
+++ b/src/cmd/create.go
@@ -265,8 +265,19 @@ func createContainer(container, image, release string, showCommandToEnter bool)
 logrus.Debugf("%s canonicalized to %s", currentUser.HomeDir, homeDirEvaled)
 homeDirMountArg := homeDirEvaled + ":" + homeDirEvaled + ":rslave"
+ bootMountFlags := "rw"
+ isBootReadWrite, err := isPathReadWrite("/boot")
+ if err != nil {
+ return err
+ }
+ if !isBootReadWrite {
+ bootMountFlags = "ro"
+ }
+
+ bootMountArg := "/boot:/run/host/boot:" + bootMountFlags + ",rslave"
+
+ usrMountFlags := "ro"
- isUsrReadWrite, err := isUsrReadWrite()
+ isUsrReadWrite, err := isPathReadWrite("/usr")
 if err != nil {
+ return err
+ }
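Review bot: `bootMountFlags` starts from the permissive value `"rw"` and is narrowed only after the check, whereas the `usrMountFlags` line in this same hunk starts from `"ro"`. Host /boot is bind-mounted into the container at /run/host/boot, so the restrictive value is the safer default: `bootMountFlags := "ro"` followed by `if isBootReadWrite { bootMountFlags = "rw" }` gives the same result today and stays read-only if the early `return err` is ever relaxed to a warning. The /boot and /usr blocks are also near-duplicates, so a small helper that returns the flag string for a path would keep them from drifting apart. createContainer begins before and continues after this hunk.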
@@ -414,7 +425,7 @@ func createContainer(container, image, release string, showCommandToEnter bool)
 createArgs = append(createArgs, []string{
 "--userns", usernsArg,
 "--user", "root:root",
- "--volume", "/boot:/run/host/boot:rslave",
+ "--volume", bootMountArg,
 "--volume", "/etc:/run/host/etc",
 "--volume", "/dev:/dev:rslave",
 "--volume", "/run:/run/host/run:rslave",
@@ -624,22 +635,22 @@ func getServiceSocket(serviceName string, unitName string) (string, error) {
 return "", errors.New(errMsg)
 }
-func isUsrReadWrite() (bool, error) {
- logrus.Debug("Checking if /usr is mounted read-only or read-write")
+func isPathReadWrite(path string) (bool, error) {
+ logrus.Debugf("Checking if %s is mounted read-only or read-write", path)
- mountPoint, err := utils.GetMountPoint("/usr")
+ mountPoint, err := utils.GetMountPoint(path)
 if err != nil {
- return false, fmt.Errorf("failed to get the mount-point of /usr: %s", err)
+ return false, fmt.Errorf("failed to get the mount-point of %s: %s", path, err)
 }
- logrus.Debugf("Mount-point of /usr is %s", mountPoint)
+ logrus.Debugf("Mount-point of %s is %s", path, mountPoint)
 mountFlags, err := utils.GetMountOptions(mountPoint)
 if err != nil {
 return false, fmt.Errorf("failed to get the mount options of %s: %s", mountPoint, err)
 }
- logrus.Debugf("Mount flags of /usr on the host are %s", mountFlags)
+ logrus.Debugf("Mount flags of %s on the host are %s", path, mountFlags)
 if !strings.Contains(mountFlags, "ro") {
 return true, nil
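Review bot: The `strings.Contains(mountFlags, "ro")` test at the end of the isPathReadWrite hunk is a substring match, and generalising the function means it now decides the /boot mount mode as well as the /usr one. Any option that merely contains those letters, such as ext4's `errors=remount-ro`, would make a writable mount look read-only, so the container would get `ro` where the host has `rw`. Comparing whole options avoids that: `for _, opt := range strings.Split(mountFlags, ",") { if opt == "ro" { return false, nil } }` followed by `return true, nil`. This assumes utils.GetMountOptions returns the comma-separated option list, which the diff does not show, and the function body continues past the last line of the hunk.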