Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[1.2] libct/nsenter: become root after joining userns #4474

Closed
wants to merge 1 commit into from
Closed

[1.2] libct/nsenter: become root after joining userns #4474

wants to merge 1 commit into from

Conversation

kolyshkin
Copy link
Contributor

@kolyshkin kolyshkin commented Oct 24, 2024
edited
Loading

Containerd pre-creates userns and netns before calling runc, which results in the current code not working when SELinux is enabled, resulting in the following error:

runc create failed: unable to start container process: error during container init: error mounting "mqueue" to rootfs at "/dev/mqueue": setxattr /path/to/rootfs/dev/mqueue: operation not permitted

The solution (kudos to @lifubang, @fuweid, and @rata) is to become root in the user namespace right after we join it.

Fixes #4466.

@kolyshkin @fuweid @lifubang
libct/nsenter: become root after joining userns
7169f2d 
Containerd pre-creates userns and netns before calling runc, which
results in the current code not working when SELinux is enabled,
resulting in the following error:

> runc create failed: unable to start container process: error during container init: error mounting "mqueue" to rootfs at "/dev/mqueue": setxattr /path/to/rootfs/dev/mqueue: operation not permitted

The solution is to become root in the user namespace right after
we join it.

Fixes 4473.

Co-authored-by: Wei Fu <[email protected]>
Co-authored-by: lifubang <[email protected]>
Signed-off-by: Kir Kolyshkin <[email protected]>
@kolyshkin kolyshkin added this to the 1.2.1 milestone Oct 24, 2024
@lifubang

This comment was marked as outdated.

Sign in to view
kolyshkin added a commit to kolyshkin/containerd that referenced this pull request Oct 24, 2024
@kolyshkin
[DNM] Checking runc v1.2.0 fix
5e3beca 
This is just to run CI in order to check if
 opencontainers/runc#4474
fixes
 opencontainers/runc#4466.

Signed-off-by: Kir Kolyshkin <[email protected]>
@kolyshkin kolyshkin mentioned this pull request Oct 24, 2024
Closed
kolyshkin added a commit to kolyshkin/containerd that referenced this pull request Oct 25, 2024
@kolyshkin
[DNM] Checking runc v1.2.0 fix
c2a86e3 
This is just to run CI in order to check if
 opencontainers/runc#4474
fixes
 opencontainers/runc#4466.

Signed-off-by: Kir Kolyshkin <[email protected]>
@lifubang
Copy link
Member

Would you mind change this PR to a backport of #4473? Thanks.

@kolyshkin
Copy link
Contributor Author

Would you mind change this PR to a backport of #4473? Thanks.

I only opened this one to check if it's sufficient, and to test in using release-1.2 branch because this is where it will end up.

We'll do a backport once we'll be sure the issue is fixed and the original PR is merged.

In here I'm going to try @cyphar's solution (or see what's wrong with it). But this is for tomorrow :)

@AkihiroSuda
Copy link
Member

#4474 was merged

@kolyshkin kolyshkin removed this from the 1.2.1 milestone Oct 28, 2024
@kolyshkin
Copy link
Contributor Author

#4474 was merged

To clarify, this PR was never meant to be merged. It is replaced by #4477. Removed from the 1.2.1 milestone.

@AkihiroSuda
Copy link
Member

Sorry, accidentally pasted a wrong PR number

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@kolyshkin @lifubang @AkihiroSuda