runc run: resolve tmpfs mount dest in container scope #2715

Merged
merged 3 commits into from
Jan 27, 2021


kolyshkin
Contributor

In case a tmpfs mount path contains absolute symlinks, runc errors out
because those symlinks are resolved in the host (rather than container)
filesystem scope.

The fix is similar to that for bind mounts -- resolve the destination
in container rootfs scope using securejoin, and use the resolved path.

A simple integration test case is added to prevent future regressions.

Fixes #2683.
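The difference between host-scope and container-scope resolution described in this pull request, as an added example that is not part of the original post and not runc's code: `resolveInRoot` is a hypothetical, simplified stand-in for what a scoped resolver such as securejoin does, and the rootfs layout (`/var/run -> /run`) is constructed for the demonstration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// resolveInRoot resolves unsafePath as if root were "/": an absolute symlink
// target restarts at root, and ".." never climbs above it. Simplified sketch:
// unlike a production resolver it does not defend against concurrent renames.
func resolveInRoot(root, unsafePath string) (string, error) {
	todo, cur := strings.Split(unsafePath, "/"), "/"
	for links := 0; len(todo) > 0; {
		part := todo[0]
		todo = todo[1:]
		switch part {
		case "", ".":
			continue
		case "..":
			cur = filepath.Dir(cur) // Dir("/") is "/", so the root is a ceiling
			continue
		}
		next := filepath.Join(cur, part)
		target, err := os.Readlink(filepath.Join(root, next))
		if err != nil { // not a symlink, or does not exist yet: keep lexically
			cur = next
			continue
		}
		if links++; links > 255 {
			return "", fmt.Errorf("too many levels of symbolic links: %s", unsafePath)
		}
		if filepath.IsAbs(target) {
			cur = "/" // restart at the container root, not the host root
		}
		todo = append(strings.Split(target, "/"), todo...)
	}
	return filepath.Join(root, cur), nil
}

func main() {
	root, _ := os.MkdirTemp("", "rootfs-") // constructed rootfs: /var/run -> /run
	os.MkdirAll(filepath.Join(root, "var"), 0o755)
	os.Symlink("/run", filepath.Join(root, "var", "run"))
	fmt.Println(resolveInRoot(root, "/var/run/app"))
}
```

Resolving the same destination with host-scope symlink evaluation would follow `/run` on the host, which is the behaviour the pull request removes for tmpfs mounts.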

@AkihiroSuda
Member

Failure on Travis is unrelated

not ok 55 runc run (hooks library tests)
# (from function `get_and_extract_debian' in file tests/integration/multi-arch.bash, line 35,
#  from function `setup_debian' in file tests/integration/helpers.bash, line 512,
#  from function `setup' in test file tests/integration/hooks.bats, line 16)
#   `setup_debian' failed
# time="2021-01-05T04:38:21Z" level=fatal msg="Error initializing source docker://amd64/debian:buster: Error reading manifest buster in docker.io/amd64/debian: toomanyrequests: You have reached your pull rate limit. You may increase the limit by authenticating and upgrading: https://www.docker.com/increase-rate-limit"

AkihiroSuda
AkihiroSuda previously approved these changes Jan 5, 2021
1. Make sure that containers created are stopped and removed.
This is done by using a predefined test_busybox container name,
which is getting removed in teardown_busybox.

2. Fix space at EOL.

Signed-off-by: Kir Kolyshkin <[email protected]>

Easier to read mounts. No functional change.

Signed-off-by: Kir Kolyshkin <[email protected]>

In case a tmpfs mount path contains absolute symlinks, runc errors out
because those symlinks are resolved in the host (rather than container)
filesystem scope.

The fix is similar to that for bind mounts -- resolve the destination
in container rootfs scope using securejoin, and use the resolved path.

A simple integration test case is added to prevent future regressions.

Fixes opencontainers#2683.

Signed-off-by: Kir Kolyshkin <[email protected]>
@kolyshkin
Contributor Author

rebased (for new CI)

@AkihiroSuda AkihiroSuda requested a review from cyphar January 27, 2021 05:51
Member

@cyphar cyphar left a comment

LGTM, surprised we haven't hit this before.

@cyphar cyphar closed this in 346f87f Jan 27, 2021
@cyphar cyphar merged commit 346f87f into opencontainers:master Jan 27, 2021
Successfully merging this pull request may close these issues.

tmpfs and symlink resolution