Skip to content
This repository was archived by the owner on Feb 24, 2020. It is now read-only.

stage1: update coreos image to 1298.1.0#3535

Closed
s-urbaniak wants to merge 2 commits intorkt:masterfrom
s-urbaniak:coreos-1284.2.0
Closed

stage1: update coreos image to 1298.1.0#3535
s-urbaniak wants to merge 2 commits intorkt:masterfrom
s-urbaniak:coreos-1284.2.0

Conversation

@s-urbaniak
Copy link
Contributor

@s-urbaniak s-urbaniak commented Jan 16, 2017

This is needed for a recent version of systemd-nspawn to fix R/W support
in rkt.

Fixes #3245

@s-urbaniak s-urbaniak added this to the v1.23.0 milestone Jan 16, 2017
@s-urbaniak s-urbaniak requested a review from lucab January 16, 2017 14:58
@s-urbaniak
Copy link
Contributor Author

s-urbaniak commented Jan 16, 2017

I verified locally that this enables r/w support of /proc and /sys if rkt is invoked with --insecure-options=paths:

$ sudo -E rkt run --insecure-options=paths quay.io/coreos/alpine-sh --exec=/bin/mount | grep -e 'on \/sys \|on \/proc'
[24506.991495] alpine-sh[5]: proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
[24506.991562] alpine-sh[5]: tmpfs on /proc/sys/kernel/random/boot_id type tmpfs (ro,nosuid,nodev,mode=755)
[24506.992130] alpine-sh[5]: tmpfs on /proc/kmsg type tmpfs (rw,nosuid,nodev,mode=755)
[24506.992442] alpine-sh[5]: sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)

$ sudo -E rkt run quay.io/coreos/alpine-sh --exec=/bin/mount | grep -e 'on \/sys \|on \/proc'
[24496.678901] alpine-sh[5]: proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
[24496.679016] alpine-sh[5]: proc on /proc/sys type proc (ro,nosuid,nodev,noexec,relatime)
[24496.679121] alpine-sh[5]: tmpfs on /proc/sys/kernel/random/boot_id type tmpfs (ro,nosuid,nodev,mode=755)
[24496.679224] alpine-sh[5]: tmpfs on /proc/sys/kernel/random/boot_id type tmpfs (rw,nosuid,nodev,mode=755)
[24496.679325] alpine-sh[5]: tmpfs on /proc/kmsg type tmpfs (rw,nosuid,nodev,mode=755)
[24496.679726] alpine-sh[5]: sysfs on /sys type sysfs (ro,nosuid,nodev,noexec,relatime)
[24496.680019] alpine-sh[5]: tmpfs on /proc/config.gz type tmpfs (ro,nosuid,nodev,mode=755)
[24496.680117] alpine-sh[5]: tmpfs on /proc/kallsyms type tmpfs (ro,nosuid,nodev,mode=755)
[24496.680214] alpine-sh[5]: tmpfs on /proc/kcore type tmpfs (ro,nosuid,nodev,mode=755)
[24496.680312] alpine-sh[5]: tmpfs on /proc/sched_debug type tmpfs (ro,nosuid,nodev,mode=755)
[24496.680870] alpine-sh[5]: proc on /proc/bus type proc (ro,nosuid,nodev,noexec,relatime)
[24496.680981] alpine-sh[5]: proc on /proc/sys/kernel/core_pattern type proc (ro,nosuid,nodev,noexec,relatime)
[24496.681081] alpine-sh[5]: proc on /proc/sys/kernel/modprobe type proc (ro,nosuid,nodev,noexec,relatime)
[24496.681177] alpine-sh[5]: proc on /proc/sys/vm/panic_on_oom type proc (ro,nosuid,nodev,noexec,relatime)
[24496.681272] alpine-sh[5]: proc on /proc/sysrq-trigger type proc (ro,nosuid,nodev,noexec,relatime)

@jonboulle
Copy link
Contributor

jonboulle commented Jan 16, 2017

is this covered by functional tests somehow?

@s-urbaniak
Copy link
Contributor Author

s-urbaniak commented Jan 16, 2017

@jonboulle good point, I can add one here in this PR

@s-urbaniak
Copy link
Contributor Author

s-urbaniak commented Jan 17, 2017

Confirming that I have similar test failures with a userns-enabled kernel locally, investigating.

@s-urbaniak
Copy link
Contributor Author

s-urbaniak commented Jan 17, 2017

local testing revealed that we are probably missing some systemd backport in conjunction with user namespaces around nspawn-mount.c:

$ sudo -E strace -e mount,fork,execve,mkdir -f -s 1024 rkt run --debug --no-overlay --private-users quay.io/coreos/alpine-sh --exec=/bin/date
...
[pid 27787] mkdir("/tmp", 0755)         = 0
[pid 27787] mount("tmpfs", "/tmp", "tmpfs", MS_STRICTATIME, "mode=1777,uid=1174339584,gid=1174339584") = -1 EINVAL (Invalid argument)

@s-urbaniak
Copy link
Contributor Author

s-urbaniak commented Jan 17, 2017

I found locally that we are at least missing the following backport systemd/systemd@8492849

When I apply the above patch, I can invoke now rkt --private-users and i.e. TestNonRootReadInfo passes.

I am validating if the other tests are fixed by applying the above.

@s-urbaniak
Copy link
Contributor Author

s-urbaniak commented Jan 17, 2017
edited
Loading

ok, after back-porting systemd/systemd@8492849 I was able to execute the following failed CI tests successfully locally with a userns-enabled kernel:

  • TestNonRootReadInfo
  • TestUserns
  • TestAppUserGroup
  • TestExport

I am preparing a PR against coreos/systemd.

@s-urbaniak s-urbaniak removed the request for review from lucab January 17, 2017 17:55
@s-urbaniak s-urbaniak mentioned this pull request Jan 17, 2017
Merged
@lucab
Copy link
Member

lucab commented Jan 18, 2017
edited
Loading

Pushing this back to next CCL-alpha (and rkt version) due to the above bug.

@lucab lucab modified the milestones: v1.24.0, v1.23.0 Jan 18, 2017
This was referenced Jan 19, 2017
Open
Open
@s-urbaniak s-urbaniak changed the title stage1: update coreos image to 1284.2.0 stage1: update coreos image to 1298.1.0 Feb 2, 2017
@squeed
Copy link
Contributor

squeed commented Feb 2, 2017

Jenkins failures:
Debian: TestAppUserGroup (known flake)
Fedora: TestUserns, TestExport, TestNonRootReadInfo
@s-urbaniak

@s-urbaniak
Copy link
Contributor Author

s-urbaniak commented Feb 2, 2017

@squeed ok, I need to look into that, hence bumping to next release.

@s-urbaniak s-urbaniak modified the milestones: v1.25.0, v1.24.0 Feb 2, 2017
@s-urbaniak
Copy link
Contributor Author

s-urbaniak commented Feb 2, 2017

dang, the above tests pass on my userns enabled kernel.

stage1: update coreos image to 1298.1.0
e9c7499 
This is needed for a recent version of systemd-nspawn to fix R/W support
in rkt.

Fixes rkt#3245
@s-urbaniak s-urbaniak mentioned this pull request Feb 2, 2017
Closed
@s-urbaniak
Copy link
Contributor Author

s-urbaniak commented Feb 2, 2017

rebased to master. I don't see why it is failing exactly on Fedora 24, works on 23, 25 and Arch.

@s-urbaniak
Copy link
Contributor Author

s-urbaniak commented Feb 2, 2017

passes on Fedora 24 virtualized (kernel 4.5.5)

@lucab lucab modified the milestones: v1+, v1.25.0 Feb 17, 2017
@dm0- dm0- mentioned this pull request Mar 15, 2017
Closed
@lucab
Copy link
Member

lucab commented Mar 16, 2017

Closing in favor of #3619 (which will probably hit the same issues, but well).

@lucab lucab closed this Mar 16, 2017
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

component/stage1

Projects

None yet

Milestone

v1+

Development

Successfully merging this pull request may close these issues.

--insecure-options=all-run should mount /proc/sys read-write

4 participants

@s-urbaniak @jonboulle @lucab @squeed