This repository was archived by the owner on Feb 24, 2020. It is now read-only.

stage1: update coreos image to 1298.1.0#3535

Closed
s-urbaniak wants to merge 2 commits into rkt:master from s-urbaniak:coreos-1284.2.0

Conversation

@s-urbaniak
Contributor

This is needed for a recent version of systemd-nspawn to fix R/W support
in rkt.

Fixes #3245

@s-urbaniak s-urbaniak added this to the v1.23.0 milestone Jan 16, 2017
@s-urbaniak s-urbaniak requested a review from lucab January 16, 2017 14:58
@s-urbaniak
Contributor Author

I verified locally that this enables r/w support of /proc and /sys if rkt is invoked with --insecure-options=paths:

$ sudo -E rkt run --insecure-options=paths quay.io/coreos/alpine-sh --exec=/bin/mount | grep -e 'on \/sys \|on \/proc'
[24506.991495] alpine-sh[5]: proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
[24506.991562] alpine-sh[5]: tmpfs on /proc/sys/kernel/random/boot_id type tmpfs (ro,nosuid,nodev,mode=755)
[24506.992130] alpine-sh[5]: tmpfs on /proc/kmsg type tmpfs (rw,nosuid,nodev,mode=755)
[24506.992442] alpine-sh[5]: sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
$ sudo -E rkt run quay.io/coreos/alpine-sh --exec=/bin/mount | grep -e 'on \/sys \|on \/proc'
[24496.678901] alpine-sh[5]: proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
[24496.679016] alpine-sh[5]: proc on /proc/sys type proc (ro,nosuid,nodev,noexec,relatime)
[24496.679121] alpine-sh[5]: tmpfs on /proc/sys/kernel/random/boot_id type tmpfs (ro,nosuid,nodev,mode=755)
[24496.679224] alpine-sh[5]: tmpfs on /proc/sys/kernel/random/boot_id type tmpfs (rw,nosuid,nodev,mode=755)
[24496.679325] alpine-sh[5]: tmpfs on /proc/kmsg type tmpfs (rw,nosuid,nodev,mode=755)
[24496.679726] alpine-sh[5]: sysfs on /sys type sysfs (ro,nosuid,nodev,noexec,relatime)
[24496.680019] alpine-sh[5]: tmpfs on /proc/config.gz type tmpfs (ro,nosuid,nodev,mode=755)
[24496.680117] alpine-sh[5]: tmpfs on /proc/kallsyms type tmpfs (ro,nosuid,nodev,mode=755)
[24496.680214] alpine-sh[5]: tmpfs on /proc/kcore type tmpfs (ro,nosuid,nodev,mode=755)
[24496.680312] alpine-sh[5]: tmpfs on /proc/sched_debug type tmpfs (ro,nosuid,nodev,mode=755)
[24496.680870] alpine-sh[5]: proc on /proc/bus type proc (ro,nosuid,nodev,noexec,relatime)
[24496.680981] alpine-sh[5]: proc on /proc/sys/kernel/core_pattern type proc (ro,nosuid,nodev,noexec,relatime)
[24496.681081] alpine-sh[5]: proc on /proc/sys/kernel/modprobe type proc (ro,nosuid,nodev,noexec,relatime)
[24496.681177] alpine-sh[5]: proc on /proc/sys/vm/panic_on_oom type proc (ro,nosuid,nodev,noexec,relatime)
[24496.681272] alpine-sh[5]: proc on /proc/sysrq-trigger type proc (ro,nosuid,nodev,noexec,relatime)
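The two listings above differ in which of the masked paths end up read-write. As an added example (not part of the PR or the rkt code base), this Python snippet parses such `mount` output, resolves the effective mount for each sensitive path by longest-prefix match (later mounts shadow earlier ones at the same target, as with `boot_id` above), and reports which of them a container could write to. The sample inputs are a subset of the listings above; the `SENSITIVE` list is an assumption for the example.

```python
import re

# One line of the app's `mount` output as rkt prints it; the "[ts] app[pid]: "
# prefix is optional, so plain /bin/mount output parses too.
MOUNT_LINE = re.compile(
    r"^(?:\[\s*[\d.]+\]\s+\S+:\s+)?(?P<src>\S+) on (?P<target>\S+) "
    r"type (?P<fstype>\S+) \((?P<opts>[^)]*)\)\s*$")

# Paths that should stay read-only inside the container unless the operator
# explicitly asked for --insecure-options=paths (assumed set for this example).
SENSITIVE = ("/proc/sys", "/proc/sysrq-trigger", "/proc/kcore", "/sys")

# Sample input: a subset of the two listings above (default run vs. paths).
DEFAULT_RUN = """\
[24496.678901] alpine-sh[5]: proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
[24496.679016] alpine-sh[5]: proc on /proc/sys type proc (ro,nosuid,nodev,noexec,relatime)
[24496.679726] alpine-sh[5]: sysfs on /sys type sysfs (ro,nosuid,nodev,noexec,relatime)
[24496.680214] alpine-sh[5]: tmpfs on /proc/kcore type tmpfs (ro,nosuid,nodev,mode=755)
[24496.681272] alpine-sh[5]: proc on /proc/sysrq-trigger type proc (ro,nosuid,nodev,noexec,relatime)
""".splitlines()
INSECURE_RUN = """\
[24506.991495] alpine-sh[5]: proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
[24506.992130] alpine-sh[5]: tmpfs on /proc/kmsg type tmpfs (rw,nosuid,nodev,mode=755)
[24506.992442] alpine-sh[5]: sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
""".splitlines()

def parse_mounts(lines):
    """Yield (target, option set) in listing order; unparseable lines are skipped."""
    for line in lines:
        m = MOUNT_LINE.match(line)
        if m:
            yield m.group("target"), set(m.group("opts").split(","))

def is_writable(mounts, path):
    """Effective rw/ro state of `path`: the longest mount target covering it wins,
    and among equal-length targets the later (shadowing) mount wins."""
    best, writable = -1, None
    for target, opts in mounts:
        if path == target or path.startswith(target.rstrip("/") + "/"):
            if len(target) >= best:
                best, writable = len(target), "rw" in opts
    return bool(writable)

def exposed_paths(lines):
    """Sensitive paths the container can write to, sorted."""
    mounts = list(parse_mounts(lines))
    return sorted(p for p in SENSITIVE if is_writable(mounts, p))
```

Run against the full listings, `exposed_paths` is empty for the default invocation and lists every sensitive path under `/proc` and `/sys` for the `--insecure-options=paths` one, which is the property a functional test for this change would assert.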

@jonboulle
Contributor

is this covered by functional tests somehow?

@s-urbaniak
Contributor Author

@jonboulle good point, I can add one here in this PR

@s-urbaniak
Contributor Author

Confirming that I have similar test failures with a userns-enabled kernel locally, investigating.

@s-urbaniak
Contributor Author

local testing revealed that we are probably missing some systemd backport in conjunction with user namespaces around nspawn-mount.c:

$ sudo -E strace -e mount,fork,execve,mkdir -f -s 1024 rkt run --debug --no-overlay --private-users quay.io/coreos/alpine-sh --exec=/bin/date
...
[pid 27787] mkdir("/tmp", 0755)         = 0
[pid 27787] mount("tmpfs", "/tmp", "tmpfs", MS_STRICTATIME, "mode=1777,uid=1174339584,gid=1174339584") = -1 EINVAL (Invalid argument)

@s-urbaniak
Contributor Author

I found locally that we are at least missing the following backport systemd/systemd@8492849

When I apply the above patch, I can now invoke rkt --private-users and e.g. TestNonRootReadInfo passes.

I am validating if the other tests are fixed by applying the above.

@s-urbaniak
Contributor Author

s-urbaniak commented Jan 17, 2017

ok, after back-porting systemd/systemd@8492849 I was able to execute the following failed CI tests successfully locally with a userns-enabled kernel:

  • TestNonRootReadInfo
  • TestUserns
  • TestAppUserGroup
  • TestExport

I am preparing a PR against coreos/systemd.

@lucab
Member

lucab commented Jan 18, 2017

Pushing this back to next CCL-alpha (and rkt version) due to the above bug.

@lucab lucab modified the milestones: v1.24.0, v1.23.0 Jan 18, 2017
@s-urbaniak s-urbaniak changed the title from "stage1: update coreos image to 1284.2.0" to "stage1: update coreos image to 1298.1.0" Feb 2, 2017
@squeed
Contributor

squeed commented Feb 2, 2017

Jenkins failures:
Debian: TestAppUserGroup (known flake)
Fedora: TestUserns, TestExport, TestNonRootReadInfo
@s-urbaniak

@s-urbaniak
Contributor Author

@squeed ok, I need to look into that, hence bumping to next release.

@s-urbaniak s-urbaniak modified the milestones: v1.25.0, v1.24.0 Feb 2, 2017
@s-urbaniak
Contributor Author

dang, the above tests pass on my userns-enabled kernel.

This is needed for a recent version of systemd-nspawn to fix R/W support
in rkt.

Fixes rkt#3245
@s-urbaniak
Contributor Author

rebased to master. I don't see why it is failing exactly on Fedora 24, works on 23, 25 and Arch.

@s-urbaniak
Contributor Author

passes on Fedora 24 virtualized (kernel 4.5.5)

@lucab
Member

lucab commented Mar 16, 2017

Closing in favor of #3619 (which will probably hit the same issues, but well).

@lucab lucab closed this Mar 16, 2017
Development

Successfully merging this pull request may close these issues.

--insecure-options=all-run should mount /proc/sys read-write
