Use pivot_root instead of chroot for chrootarchive #22506
unclejack merged 1 commit into moby:master from
Conversation
ping @ncopa @justincormack
@cpuguy83 Perhaps it might be a good idea to change its name from chrootarchive to something better now. Should we also keep the old chroot code for unix platforms (e.g. !linux) to make it easier in the future? I'll be trying this out shortly.
@unclejack It's kept under
@cpuguy83 I'm sorry, I've missed that.
pkg/chrootarchive/chroot_linux.go
It could be also mounted at this point, right?
This fixes one issue with Docker running under a grsec kernel, which denies chmod and mknod under chroot. Note, if pivot_root fails it will still fall back to chroot.
Signed-off-by: Brian Goff <[email protected]>
LGTM
ping @unclejack PTAL
LGTM
| } | ||
| mounted = false | ||
|
|
||
| return nil |
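Review bot: the unconditional return nil that follows mounted = false means any error raised by the cleanup step this block finishes (unmounting or removing the pivot directory) never reaches the caller, which then reports success while the temporary directory stays behind; as the thread notes, a bare return only differs from return nil if the cleanup error was actually assigned to the named result, so suggest capturing that error and returning it, or at least logging it, rather than discarding it.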
shouldn't this be return, to return the cleanup error if there was one?
@justincormack Which errors are you referring to?
return and return nil would do the same thing
yeah sorry, it's late, ignore me
LGTM
getting
Filed #22587
The path we're trying to remove doesn't exist after a successful chroot+chdir because a / is only appended after pivot_root is successful and so we can't cleanup anymore with the old path. Also fix leaking .pivot_root dirs under /var/lib/docker/tmp/docker-builder* on error.
Fix moby#22587
Introduced by moby#22506
Signed-off-by: Antonio Murdaca <[email protected]>
- What I did
Make chrootarchive default to using pivot_root instead of chroot. This fixes one issue with Docker running under a grsec kernel, which denies chmod and mknod under chroot.
Note, if pivot_root fails it will still fall back to chroot.
- How to verify it
Run chrootarchive tests (may want to disable fallback to chroot to really verify that the pivot code works)
- A picture of a cute animal (not mandatory but encouraged)
Related to #20303
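The pivot-then-fall-back-to-chroot sequence described above, together with the cleanup-path pitfall from the #22587 fix commit, as an added example in Go that is not the project's chrootarchive code: enterRoot assumes newRoot is already a mount point, routes the syscalls through a hypothetical Sys interface (the real wiring is syscall.PivotRoot/Chroot/Chdir/Unmount) so the logic can be exercised without privileges, and in both branches reports the pivot directory's path as seen from the new root, which is exactly what the original cleanup got wrong after the chroot fallback.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// Sys is the kernel surface the root switch needs; the real implementation forwards to
// syscall.PivotRoot/Chroot/Chdir/Unmount, and a fake stands in for it in tests.
type Sys interface {
	PivotRoot(newroot, putold string) error
	Chroot(path string) error
	Chdir(path string) error
	Unmount(path string, flags int) error
}

// enterRoot moves the process root to newRoot (assumed to already be a mount point),
// trying pivot_root first and falling back to chroot. It returns whether pivot_root
// succeeded and the path, as seen from the new root, of the pivot directory to remove.
func enterRoot(sys Sys, newRoot string) (bool, string, error) {
	pivotDir := filepath.Join(newRoot, ".pivot_root")
	if err := os.MkdirAll(pivotDir, 0o700); err != nil {
		return false, "", err
	}
	if perr := sys.PivotRoot(newRoot, pivotDir); perr != nil {
		if cerr := sys.Chroot(newRoot); cerr != nil {
			os.RemoveAll(pivotDir) // root unchanged, so the absolute path is still valid
			return false, "", fmt.Errorf("pivot_root: %v; chroot: %w", perr, cerr)
		}
		if cerr := sys.Chdir("/"); cerr != nil {
			return false, "", cerr
		}
		// Inside the chroot the directory exists only as /.pivot_root; the pre-chroot
		// absolute pivotDir no longer resolves, which is the leak fixed under moby#22587.
		return false, "/.pivot_root", nil
	}
	if err := sys.Chdir("/"); err != nil {
		return true, "", err
	}
	// The old root now sits on /.pivot_root; detach it lazily so the caller can remove it.
	if err := sys.Unmount("/.pivot_root", syscall.MNT_DETACH); err != nil {
		return true, "", err
	}
	return true, "/.pivot_root", nil
}
```

The caller removes the returned path after enterRoot succeeds; doing that with the original absolute pivotDir would fail inside the chroot and leave the directory behind.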