rootfs with symlinks path components

[giuseppe]

is there a reason why it is not possible to run a container from a rootfs which has a symlink in its path?

I see it is checked explicitly by rootfs(config *configs.Config) in libcontainer/configs/validate/config.go, but can the evaluated path be used instead of returning an error?

For a quick test I tried this patch:

diff --git a/libcontainer/configs/validate/config.go b/libcontainer/configs/validate/config.go
index 848a67c..519a779 100644
--- a/libcontainer/configs/validate/config.go
+++ b/libcontainer/configs/validate/config.go
@@ -48,9 +48,7 @@ func (v *ConfigValidator) rootfs(config *configs.Config) error {
        if cleaned, err = filepath.EvalSymlinks(cleaned); err != nil {
                return err
        }
-       if config.Rootfs != cleaned {
-               return fmt.Errorf("%s is not an absolute path or is a symlink", config.Rootfs)
-       }
+       config.Rootfs = cleaned
        return nil
 }

but I suppose ConfigValidator is not meant to modify the configuration. What would be the best place to store this information?

[mikebrow]

Maybe @crosbymichael will explain why that test was put in. The spec does not specify one way or the other whether such limitations MUST or MAY be placed on the rootfs. It went in a long time ago maybe it's time to pull it out?

[crosbymichael]

There are various security issues and bugs that happen when rootfs is a symlink. If you want it to live somewhere else, you should use a bind mount.

There is alot of bugs and weird things that happen when you have this as a symlink so that is why we made this a requirement in libcontainer.

[giuseppe]

what kinds of issues? Would not these be fixed if any symlink in the rootfs is resolved before using it (as my hacky patch does)?

[c4milo]

@crosbymichael is there anyway to force runc to follow the symlink?

[c4milo]

nvm, I'm re-rendering config.json instead. It works just like a symlink.

[cyphar]

@giuseppe Well, for one you can change the symlink after runc has started and now a higher level runner will think that rootfs is different from the actual rootfs. Granted, you could probably do the same with multiple bind-mounts, but I think the concern is that we use Lstat and Stat in ways that means we'd have to carefully audit things to make sure that symlink rootfs wouldn't break anything.

[eMPee584]

@crosbymichael a warning message more grokable than

docker: Error response from daemon: OCI runtime create failed: /var/lib/docker/overlay2/959e47dfae61bae2601529408eadb1419b631fa12af46b5f24c10e752d3
d8134/merged is not an absolute path or is a symlink: unknown.

would be nice. An addition such as

(!) /var/lib/docker is a symlink, this causes problems and is not supported.
(i) You should bind-mount the directory instead (c.f. http://…/docs#rootfs).

[eMPee584]

Oh, I only now realized this is most probably not the right project to point my suggestion at (as I'm not even using runc)... Or is it 😁

[crosbymichael]

@eMPee584 no problem. How are you getting a symlinked rootfs when using docker?