Use pivot_root instead of chroot for chrootarchive by cpuguy83 · Pull Request #22506 · moby/moby

cpuguy83 · 2016-05-04T17:39:43Z

- What I did
Make chrootarchive default to using pivot_root instead of chroot

This fixes one issue with Docker running under a grsec kernel, which
denies chmod and mknod under chroot.

Note, if pivot_root fails it will still fallback to chroot.

- How to verify it
Run chrootarchive tests (may want to disable fallback to chroot to really verify that the pivot code works)

- A picture of a cute animal (not mandatory but encouraged)

Related to #20303

cpuguy83 · 2016-05-04T17:40:54Z

ping @ncopa @justincormack

unclejack · 2016-05-04T18:06:56Z

@cpuguy83 Perhaps it might be a good idea to change its name from chrootarchive to something better now. isolatedarchive, containedarchive or something along those lines would make it an adequate name for other platforms as well. It was named chrootarchive because Docker was Linux only at the time and it was also the only platform using that code.

Should we also keep the old chroot code for unix platforms (e.g. !linux) to make it easier in the future?

I'll be trying this out shortly.

cpuguy83 · 2016-05-04T18:09:56Z

@unclejack It's kept under chroot_unix.go

unclejack · 2016-05-04T18:10:52Z

@cpuguy83 I'm sorry, I've missed that.

LK4D4 · 2016-05-04T20:02:17Z

pkg/chrootarchive/chroot_linux.go

It could be also mounted at this point, right?

This fixes one issue with Docker running under a grsec kernel, which denies chmod and mknod under chroot. Note, if pivot_root fails it will still fallback to chroot. Signed-off-by: Brian Goff <[email protected]>

LK4D4 · 2016-05-06T17:19:19Z

LGTM

thaJeztah · 2016-05-06T20:22:02Z

ping @unclejack PTAL

unclejack · 2016-05-06T20:28:59Z

LGTM

justincormack · 2016-05-06T20:42:21Z

pkg/chrootarchive/chroot_linux.go

+	}
+	mounted = false
+
+	return nil


shouldnt this be return to return cleanup error if there was one?

@justincormack Which errors are you referring to?

return and return nil would do the same thing

yeah sorry its late ignore me

justincormack · 2016-05-06T21:19:49Z

LGTM

runcom · 2016-05-08T10:32:03Z

getting

Sending build context to Docker daemon   196 MB
Error response from daemon: Untar re-exec error: exit status 1: output: Error cleaning up after pivot: remove /var/lib/docker/tmp/docker-builder113372687/.pivot_root936443744: no such file or directory

runcom · 2016-05-08T10:44:42Z

Filled #22587

The path we're trying to remove doesn't exist after a successful chroot+chdir because a / is only appended after pivot_root is successful and so we can't cleanup anymore with the old path. Also fix leaking .pivot_root dirs under /var/lib/docker/tmp/docker-builder* on error. Fix moby#22587 Introduced by moby#22506 Signed-off-by: Antonio Murdaca <[email protected]>

The path we're trying to remove doesn't exist after a successful chroot+chdir because a / is only appended after pivot_root is successful and so we can't cleanup anymore with the old path. Also fix leaking .pivot_root dirs under /var/lib/docker/tmp/docker-builder* on error. Fix moby/moby#22587 Introduced by moby/moby#22506 Signed-off-by: Antonio Murdaca <[email protected]>

GordonTheTurtle added the status/0-triage label May 4, 2016

cpuguy83 force-pushed the no_chroot branch from af3a9de to 8a52e1d Compare May 4, 2016 17:41

cpuguy83 added status/2-code-review and removed status/0-triage labels May 4, 2016

LK4D4 reviewed May 4, 2016
View reviewed changes

Use pivot_root instead of chroot for chrootarchive

85988b3

This fixes one issue with Docker running under a grsec kernel, which denies chmod and mknod under chroot. Note, if pivot_root fails it will still fallback to chroot. Signed-off-by: Brian Goff <[email protected]>

cpuguy83 force-pushed the no_chroot branch from 8a52e1d to 85988b3 Compare May 4, 2016 23:55

cpuguy83 mentioned this pull request May 6, 2016

grsec (in)compatibilities (security feature) #20303

Closed

justincormack reviewed May 6, 2016
View reviewed changes

unclejack merged commit eb52730 into moby:master May 6, 2016

cpuguy83 deleted the no_chroot branch May 7, 2016 00:39

runcom mentioned this pull request May 8, 2016

Error cleaning up after pivot: remove /var/lib/docker/tmp/docker-builder113372687/.pivot_root936443744: no such file or directory #22587

Closed

runcom mentioned this pull request May 9, 2016

pkg: chrootarchive: chroot_linux: fix docker build #22603

Merged

runcom mentioned this pull request Jun 9, 2016

pkg: chrootarchive: chroot_linux: fix mount leak #22631

Merged

estesp mentioned this pull request Jul 31, 2016

Support running the Engine daemon inside a user namespace #20902

Closed

thaJeztah mentioned this pull request Nov 3, 2016

mounts behavior differs between 1.10.3 and 1.12 #27773

Closed

Conversation

cpuguy83 commented May 4, 2016 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

cpuguy83 commented May 4, 2016

Uh oh!

unclejack commented May 4, 2016

Uh oh!

cpuguy83 commented May 4, 2016

Uh oh!

unclejack commented May 4, 2016

Uh oh!

LK4D4 May 4, 2016

Choose a reason for hiding this comment

Uh oh!

cpuguy83 May 4, 2016

Choose a reason for hiding this comment

Uh oh!

LK4D4 commented May 6, 2016

Uh oh!

thaJeztah commented May 6, 2016

Uh oh!

unclejack commented May 6, 2016

Uh oh!

justincormack May 6, 2016

Choose a reason for hiding this comment

Uh oh!

unclejack May 6, 2016

Choose a reason for hiding this comment

Uh oh!

cpuguy83 May 6, 2016

Choose a reason for hiding this comment

Uh oh!

justincormack May 6, 2016

Choose a reason for hiding this comment

Uh oh!

justincormack commented May 6, 2016

Uh oh!

runcom commented May 8, 2016

Uh oh!

runcom commented May 8, 2016

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

7 participants

cpuguy83 commented May 4, 2016 •

edited

Loading