Correctly restore containers with nested bind mounts #2798
Merged
AkihiroSuda merged 2 commits into opencontainers:master, Mar 17, 2021
Conversation

Commits updated: de92cdc to 155f6d5
Commits updated: 155f6d5 to 884adab
kolyshkin reviewed, Feb 8, 2021
Commits updated: 11c7d94 to 0283608
kolyshkin reviewed, Feb 9, 2021
kolyshkin (Contributor) requested changes, Feb 9, 2021:

Just a single nit about making temp dirs under CWD, LGTM otherwise, thanks @adrianreber!
I have also checked that the test case indeed fails before the fix.
Commit 1:

runc was already re-creating mountpoints before calling CRIU to restore a container. But mountpoints inside a bind mount were not re-created. During initial container creation runc will mount bind mounts and then create the necessary mountpoints for further mounts inside those bind mounts. If, for example, one of the bind mounts is a tmpfs and empty before restore, CRIU will fail re-mounting all mounts because the mountpoints in the bind mounted tmpfs no longer exist. CRIU expects all mount points to exist as during checkpointing.

This changes runc to mount bind mounts after mountpoint creation to ensure nested bind mounts have their mountpoints created before CRIU does the restore.

Signed-off-by: Adrian Reber <[email protected]>

Commit 2:

This adds a checkpoint/restore test to ensure that nested bind mount mountpoints are correctly re-created.

Signed-off-by: Adrian Reber <[email protected]>
Commits updated: 0283608 to 051646a
Author (Contributor): Fixed mktemp to use

Contributor: @cyphar @AkihiroSuda @mrunalp PTAL
AkihiroSuda (Member) approved these changes, Mar 17, 2021:

CI seems to have got stuck, attempting to restart by closing & reopening this PR
pothos added a commit to flatcar-archive/coreos-overlay that referenced this pull request, May 19, 2021:

The upstream patch (itself backported for rc93) was backported to rc92. Original cover letter:

From 14faf1c20948688a48edb9b41367ab07ac11ca91 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <[email protected]>
Date: Wed, 28 Apr 2021 15:44:36 +1000
Subject: [PATCH 0/5] rootfs: add mount destination validation

This is a backport of the fix for CVE-2021-30465 to the v1.0.0-rc93 release. However, because the patch does not apply cleanly it was necessary to backport the following commits (from [1]):

* deb8a8dd7767 ("libct/newInitConfig: nit")
* 1e476578b6cd ("libct/rootfs: introduce and use mountConfig")
* 3826db196d59 ("libct/rootfs/mountCgroupV2: minor refactor")
* ff692f289b60 ("Fix cgroup2 mount for rootless case")

And the patch itself was modified to remove hardenings for code which didn't exist in v1.0.0-rc93 (in particular, the mount changes in [2]).

[1]: opencontainers/runc#2818
[2]: opencontainers/runc#2798

Aleksa Sarai (1):
  rootfs: add mount destination validation

Kir Kolyshkin (4):
  libct/newInitConfig: nit
  libct/rootfs: introduce and use mountConfig
  libct/rootfs/mountCgroupV2: minor refactor
  Fix cgroup2 mount for rootless case

 libcontainer/container_linux.go  |  11 +-
 libcontainer/init_linux.go       |   1 +
 libcontainer/rootfs_linux.go     | 291 +++++++++++++++++--------------
 libcontainer/specconv/example.go |  18 +-
 libcontainer/utils/utils.go      |  54 ++++++
 libcontainer/utils/utils_test.go |  35 ++++
 6 files changed, 263 insertions(+), 147 deletions(-)

--
2.31.1
PR description:

This tries to fix #2748

This change is motivated by the work in kubernetes/kubernetes#97194

During restore CRIU mounts all mounts as they were during checkpointing. Using nested bind mounts this can lead to a situation where a mountpoint in the parent bind mount is missing.

During initial container creation 'runc' mounts a bind mount and then creates the mountpoints for nested mountpoints.

This PR changes runc to also mount all bind mounts before telling CRIU to restore the container, to re-create missing mountpoints.
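The ordering problem described in the PR description and in the first commit message, shown as an added example that is not runc's or CRIU's code: a small Go model of a mount namespace in which each filesystem is a set of directories and a mount table maps container paths to the filesystem visible there. Running the old preparation order creates /data/nested on the underlying rootfs, the empty tmpfs bind-mounted at /data then shadows it, and the replay of the checkpointed mount list fails on /data/nested; mounting the bind mount first puts /data/nested on the tmpfs, where CRIU finds it. The types and functions (`Mount`, `fakeNS`, `prepareRestoreMounts`, `criuRestoreMounts`), the two-entry mount list and the filesystem names are constructed for this illustration; the model also assumes runc unmounts its temporary bind mounts again before CRIU runs and that a directory created on the bind-mounted host tmpfs survives that unmount.

```go
package main

import (
	"fmt"
	"strings"
)

// Mount is a constructed stand-in for one entry of a container's mount list
// (not runc's configs.Mount).
type Mount struct {
	Destination string // path inside the container rootfs
	Source      string // name of the host filesystem exposed by the bind mount (hypothetical)
}

// fakeNS models a mount namespace just far enough to reproduce mountpoint
// shadowing: each filesystem is a set of directory paths, and a mount table
// maps container paths to the filesystem currently mounted there.
type fakeNS struct {
	filesystems map[string]map[string]bool // fs name -> directories it contains
	table       map[string]string          // mountpoint -> fs name
}

func newFakeNS() *fakeNS {
	return &fakeNS{
		filesystems: map[string]map[string]bool{"rootfs": {"/": true}},
		table:       map[string]string{"/": "rootfs"},
	}
}

// resolve returns the filesystem visible at p and p relative to that
// filesystem's root; the longest matching mountpoint wins, as in the kernel.
func (ns *fakeNS) resolve(p string) (fs, rel string) {
	best := "/"
	for mp := range ns.table {
		prefix := strings.TrimSuffix(mp, "/") + "/"
		if (p == mp || strings.HasPrefix(p, prefix)) && len(mp) > len(best) {
			best = mp
		}
	}
	rel = "/" + strings.TrimPrefix(strings.TrimPrefix(p, best), "/")
	return ns.table[best], rel
}

// exists reports whether the directory p is visible in the namespace.
func (ns *fakeNS) exists(p string) bool {
	fs, rel := ns.resolve(p)
	return ns.filesystems[fs][rel]
}

// mkdirAll creates p and its parents on whichever filesystem is visible at
// each level, like mkdir -p run inside the namespace.
func (ns *fakeNS) mkdirAll(p string) {
	cur := ""
	for _, part := range strings.Split(strings.Trim(p, "/"), "/") {
		cur += "/" + part
		fs, rel := ns.resolve(cur)
		ns.filesystems[fs][rel] = true
	}
}

// mount exposes filesystem fs at dest. A missing mountpoint is an error,
// which is the failure CRIU hits when it replays the checkpointed mounts.
func (ns *fakeNS) mount(fs, dest string) error {
	if !ns.exists(dest) {
		return fmt.Errorf("mount %s on %s: mountpoint does not exist", fs, dest)
	}
	if _, ok := ns.filesystems[fs]; !ok {
		ns.filesystems[fs] = map[string]bool{"/": true} // e.g. an empty tmpfs
	}
	ns.table[dest] = fs
	return nil
}

func (ns *fakeNS) umount(dest string) { delete(ns.table, dest) }

// prepareRestoreMounts is the step runc performs before handing over to CRIU.
// mountBinds=false only re-creates mountpoints on the rootfs (old behaviour);
// mountBinds=true mounts each bind mount as it goes, so mountpoints nested
// inside it are created on the bind-mounted filesystem. Assumption: the
// temporary mounts are undone again so that CRIU can restore them itself.
func prepareRestoreMounts(ns *fakeNS, mounts []Mount, mountBinds bool) {
	var mounted []string
	for _, m := range mounts {
		ns.mkdirAll(m.Destination)
		if mountBinds && ns.mount(m.Source, m.Destination) == nil {
			mounted = append(mounted, m.Destination)
		}
	}
	for i := len(mounted) - 1; i >= 0; i-- {
		ns.umount(mounted[i])
	}
}

// criuRestoreMounts replays the checkpointed mount list in order and stops
// at the first mount whose mountpoint is not visible.
func criuRestoreMounts(ns *fakeNS, mounts []Mount) error {
	for _, m := range mounts {
		if err := ns.mount(m.Source, m.Destination); err != nil {
			return err
		}
	}
	return nil
}

// Constructed mount list: an empty host tmpfs bind-mounted at /data, with a
// second bind mount nested inside it at /data/nested.
var exampleMounts = []Mount{
	{Destination: "/data", Source: "empty-tmpfs"},
	{Destination: "/data/nested", Source: "host-nested-dir"},
}

// restoreWith runs the runc preparation and then the CRIU replay on a fresh
// namespace and returns the CRIU error, if any.
func restoreWith(mountBinds bool) error {
	ns := newFakeNS()
	prepareRestoreMounts(ns, exampleMounts, mountBinds)
	return criuRestoreMounts(ns, exampleMounts)
}

func main() {
	fmt.Println("mountpoints only:", restoreWith(false))
	fmt.Println("bind mounts first:", restoreWith(true))
}
```

The first call fails with "mount host-nested-dir on /data/nested: mountpoint does not exist", the second succeeds; the only difference is whether /data/nested was created before or after the tmpfs was mounted over /data, which is the check the new test in this PR exercises with real mounts.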