tmpfs and symlink resolution #2683

zhangyoufu · 2020-11-17T08:27:39Z

# docker run --rm -i --tmpfs /conf/stack quay.io/projectquay/quay:vader
docker: Error response from daemon: OCI runtime create failed: container_linux.go:349: starting container process caused "process_linux.go:449: container init caused \"rootfs_linux.go:58: mounting \\\"tmpfs\\\" to rootfs \\\"/var/lib/docker/overlay2/698f55615c6cb50d3cd3eaa1b6ab38ab8ffdc32366fa410d8fbc596039ad8890/merged\\\" at \\\"/conf/stack\\\" caused \\\"mkdir /var/lib/docker/overlay2/698f55615c6cb50d3cd3eaa1b6ab38ab8ffdc32366fa410d8fbc596039ad8890/merged/conf: file exists\\\"\"": unknown.

/conf is a symlink pointing to /quay-registry/conf, which confuses --tmpfs.
Of course I can pass resolved path /quay-registry/conf/stack to --tmpfs as a workaround. However, this produces an unnamed volume for the original path /conf/stack, which is unwanted.

The text was updated successfully, but these errors were encountered:

kolyshkin · 2020-12-10T03:02:07Z

Reproduced with bare runc.

Add the following into config.json (same as what docker run --tmpfs /conf/stack adds):

    {
      "destination": "/conf/stack",
      "type": "tmpfs",
      "source": "tmpfs",
      "options": [
        "noexec",
        "nosuid",
        "nodev",
        "rprivate"
      ]
    }

$ cd rootfs
$ mkdir -p /real/conf
$ ln -s /real/conf conf
$ ls -l conf 
lrwxrwxrwx. 1 kir kir 10 Dec  9 18:31 conf -> /real/conf
$ cd ..
$ runc run  -d xxx
WARN[0000] unable to terminate initProcess               error="exit status 1"
ERRO[0000] container_linux.go:367: starting container process caused: process_linux.go:495: container init caused: rootfs_linux.go:60: mounting "tmpfs" to rootfs at "/conf/stack" caused: mkdir /home/kir/go/src/github.com/opencontainers/runc/tst/rootfs/conf: file exists

This is caused by the fact that the symlink is broken in the host context, so MkdirAll is called:

runc/libcontainer/rootfs_linux.go

Lines 305 to 313 in 544048b

    
           func mountToRootfs(m *configs.Mount, rootfs, mountLabel string, enableCgroupns bool) error { 
        
           	var ( 
        
           		dest = m.Destination 
        
           	) 
        
           	if !strings.HasPrefix(dest, rootfs) { 
        
           		dest = filepath.Join(rootfs, dest) 
        
           	} 
        
           	switch m.Device {

...

runc/libcontainer/rootfs_linux.go

Lines 340 to 346 in 544048b

    
           case "tmpfs": 
        
           	copyUp := m.Extensions&configs.EXT_COPYUP == configs.EXT_COPYUP 
        
           	tmpDir := "" 
        
           	stat, err := os.Stat(dest) 
        
           	if err != nil { 
        
           		if err := os.MkdirAll(dest, 0755); err != nil { 
        
           			return err

To fix, we need to have Stat() and MkdirAll in container root scope. I'll take a look.

@zhangyoufu a workaround would be to use a relative symlink in your image, i.e.

-/conf -> /quay-registry/conf
+/conf -> quay-registry/conf

kolyshkin · 2021-01-05T02:50:32Z

Now, this can be fixed, but I am not sure if it is possible to do so without introducing any new and interesting attack vectors similar to say #2197.

Looking.

In case a tmpfs mount path contains absolute symlinks, runc errors out because those symlinks are resolved in the host (rather than container) filesystem scope. The fix is similar to that for bind mounts -- resolve the destination in container rootfs scope using securejoin, and use the resolved path. A simple integration test case is added to prevent future regressions. Fixes opencontainers#2683. Signed-off-by: Kir Kolyshkin <[email protected]>

While working on a test case for [1], I got the following warning: > level=warning msg="unable to terminate initProcess" error="exit status 1" Obviously, the warning is bogus since the initProcess is terminated. This is happening because terminate() can return errors from either Kill() or Wait(), and the latter returns an error if the process has not finished successfully (i.e. exit status is not 0 or it was killed). Check for a particular error type and filter out those errors. [1] opencontainers#2683 Signed-off-by: Kir Kolyshkin <[email protected]>

In case a tmpfs mount path contains absolute symlinks, runc errors out because those symlinks are resolved in the host (rather than container) filesystem scope. The fix is similar to that for bind mounts -- resolve the destination in container rootfs scope using securejoin, and use the resolved path. A simple integration test case is added to prevent future regressions. Fixes opencontainers/runc#2683. Signed-off-by: Kir Kolyshkin <[email protected]>

While working on a test case for [1], I got the following warning: > level=warning msg="unable to terminate initProcess" error="exit status 1" Obviously, the warning is bogus since the initProcess is terminated. This is happening because terminate() can return errors from either Kill() or Wait(), and the latter returns an error if the process has not finished successfully (i.e. exit status is not 0 or it was killed). Check for a particular error type and filter out those errors. [1] opencontainers/runc#2683 Signed-off-by: Kir Kolyshkin <[email protected]>

While working on a test case for [1], I got the following warning: > level=warning msg="unable to terminate initProcess" error="exit status 1" Obviously, the warning is bogus since the initProcess is terminated. This is happening because terminate() can return errors from either Kill() or Wait(), and the latter returns an error if the process has not finished successfully (i.e. exit status is not 0 or it was killed). Check for a particular error type and filter out those errors. [1] opencontainers#2683 Signed-off-by: Kir Kolyshkin <[email protected]>

In case a tmpfs mount path contains absolute symlinks, runc errors out because those symlinks are resolved in the host (rather than container) filesystem scope. The fix is similar to that for bind mounts -- resolve the destination in container rootfs scope using securejoin, and use the resolved path. A simple integration test case is added to prevent future regressions. Fixes opencontainers#2683. Signed-off-by: Kir Kolyshkin <[email protected]>

In case a tmpfs mount path contains absolute symlinks, runc errors out because those symlinks are resolved in the host (rather than container) filesystem scope. The fix is similar to that for bind mounts -- resolve the destination in container rootfs scope using securejoin, and use the resolved path. A simple integration test case is added to prevent future regressions. Fixes opencontainers/runc#2683. Signed-off-by: Kir Kolyshkin <[email protected]> (cherry-picked from 637f82d6)

While working on a test case for [1], I got the following warning: > level=warning msg="unable to terminate initProcess" error="exit status 1" Obviously, the warning is bogus since the initProcess is terminated. This is happening because terminate() can return errors from either Kill() or Wait(), and the latter returns an error if the process has not finished successfully (i.e. exit status is not 0 or it was killed). Check for a particular error type and filter out those errors. [1] opencontainers/runc#2683 Signed-off-by: Kir Kolyshkin <[email protected]> (cherry-picked from d7df3018)

In case a tmpfs mount path contains absolute symlinks, runc errors out because those symlinks are resolved in the host (rather than container) filesystem scope. The fix is similar to that for bind mounts -- resolve the destination in container rootfs scope using securejoin, and use the resolved path. A simple integration test case is added to prevent future regressions. Fixes opencontainers/runc#2683. Signed-off-by: Kir Kolyshkin <[email protected]> (cherry-picked from 637f82d6)

While working on a test case for [1], I got the following warning: > level=warning msg="unable to terminate initProcess" error="exit status 1" Obviously, the warning is bogus since the initProcess is terminated. This is happening because terminate() can return errors from either Kill() or Wait(), and the latter returns an error if the process has not finished successfully (i.e. exit status is not 0 or it was killed). Check for a particular error type and filter out those errors. [1] opencontainers/runc#2683 Signed-off-by: Kir Kolyshkin <[email protected]> (cherry-picked from d7df3018)

kolyshkin self-assigned this Dec 10, 2020

kolyshkin added the kind/bug label Dec 10, 2020

kolyshkin mentioned this issue Jan 5, 2021

runc run: resolve tmpfs mount dest in container scope #2715

Merged

cyphar closed this as completed in 637f82d Jan 27, 2021

kolyshkin added this to the 1.0.0-rc93 milestone Feb 3, 2021

kolyshkin removed their assignment May 4, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

tmpfs and symlink resolution #2683

tmpfs and symlink resolution #2683

zhangyoufu commented Nov 17, 2020

kolyshkin commented Dec 10, 2020 •

edited

Loading

kolyshkin commented Jan 5, 2021

tmpfs and symlink resolution #2683

tmpfs and symlink resolution #2683

Comments

zhangyoufu commented Nov 17, 2020

kolyshkin commented Dec 10, 2020 • edited Loading

kolyshkin commented Jan 5, 2021

kolyshkin commented Dec 10, 2020 •

edited

Loading