Skip to content

[1.0] Fix failure with rw bind mount of a ro fuse#3292

Merged
AkihiroSuda merged 1 commit intoopencontainers:release-1.0from
kolyshkin:1.0-rootless-ro-bind-rw
Nov 23, 2021
Merged

[1.0] Fix failure with rw bind mount of a ro fuse#3292
AkihiroSuda merged 1 commit intoopencontainers:release-1.0from
kolyshkin:1.0-rootless-ro-bind-rw

Conversation

@kolyshkin
Copy link
Contributor

@kolyshkin kolyshkin commented Nov 22, 2021
edited
Loading

This is a backport of #3283 to release-1.0 branch. See original PR for details.

Fixes: containers/podman#12205

@kolyshkin
[1.0] Fix failure with rw bind mount of a ro fuse
e84e7f9 
As reported in [1], in a case where read-only fuse (sshfs) mount
is used as a volume without specifying ro flag, the kernel fails
to remount it (when adding various flags such as nosuid and nodev),
returning EPERM.

Here's the relevant strace line:

> [pid 333966] mount("/tmp/bats-run-PRVfWc/runc.RbNv8g/bundle/mnt", "/proc/self/fd/7", 0xc0001e9164, MS_NOSUID|MS_NODEV|MS_REMOUNT|MS_BIND|MS_REC, NULL) = -1 EPERM (Operation not permitted)

I was not able to reproduce it with other read-only mounts as the source
(tried tmpfs, read-only bind mount, and an ext2 mount), so somehow this
might be specific to fuse.

The fix is to check whether the source has RDONLY flag, and retry the
remount with this flag added.

A test case (which was kind of hard to write) is added, and it fails
without the fix. Note that rootless user need to be able to ssh to
rootless@localhost in order to sshfs to work -- amend setup scripts
to make it work, and skip the test if the setup is not working.

[1] containers/podman#12205

Signed-off-by: Kir Kolyshkin <[email protected]>
(cherry picked from commit 50105de)

Conflicts:
 - .cirrus.yml: trivial, due to missing commit f0dbefa.
 - .github/workflows/test.yml: due to missing commits 120f740 and
   3fd1851, resolved manually.
 - Dockerfile: trivial, due to missing commit 24d318b.
 - libcontainer/rootfs_linux.go: due to missing commits 36aefad
   and 9c44407, resolved manually.

Signed-off-by: Kir Kolyshkin <[email protected]>
@kolyshkin kolyshkin added this to the 1.0.3 milestone Nov 22, 2021
@kolyshkin kolyshkin marked this pull request as ready for review November 22, 2021 18:47
@kolyshkin kolyshkin requested review from AkihiroSuda, cyphar and thaJeztah and removed request for AkihiroSuda and cyphar November 22, 2021 18:47
thaJeztah
thaJeztah approved these changes Nov 22, 2021
View reviewed changes
Copy link
Member

@thaJeztah thaJeztah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@kolyshkin kolyshkin added backport/1.0-pr A backport PR to release-1.0 impact/changelog labels Nov 22, 2021
@kolyshkin kolyshkin mentioned this pull request Nov 22, 2021
Merged
@AkihiroSuda AkihiroSuda merged commit 69eba42 into opencontainers:release-1.0 Nov 23, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@thaJeztah thaJeztah thaJeztah approved these changes

@AkihiroSuda AkihiroSuda AkihiroSuda approved these changes

@cyphar cyphar Awaiting requested review from cyphar

Assignees

No one assigned

Labels

backport/1.0-pr A backport PR to release-1.0 impact/changelog

Projects

None yet

Milestone

1.0.3

Development

Successfully merging this pull request may close these issues.

3 participants

@kolyshkin @thaJeztah @AkihiroSuda