-
Notifications
You must be signed in to change notification settings - Fork 553
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
config: add idmap and ridmap mount options #1222
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, if this indeed causes the runtimes to fail when the option is not recognized.
Adding new fields for MOUNT_ATTR_IDMAP had the flaw that users specifying these fields with older runtimes would result in the fields being ignored and incorrect mounts being configured. In addition, there is no text in the specification indicating whether MOUNT_ATTR_IDMAP should be applied with AT_RECURSIVE (which matters for rbind idmapped mounts). In retrospect, the addition of the fields should've included new (dummy) mount options that would cause errors on older runtimes. Unfortunately, we have had a runtime-spec release since then so we cannot MUST these new mount options, but we can SHOULD them. Fixes: 9d1130d ("IDMapping field for mount point") Signed-off-by: Aleksa Sarai <[email protected]>
The idmapped mounts sections do not make any reference to how the mapping should be implemented. Add a reference to MOUNT_ATTR_IDMAP since that is what runtimes are expected to use. Signed-off-by: Aleksa Sarai <[email protected]>
@rata The error message is fairly ugly, but the mount will fail because no filesystem supports the flag "idmap" nor "ridmap". ... Oh actually, now that I think about it, I think this flag will be ignored for bind-mounts due to how they are implemented in runc (extra mount options for bind-mounts are ignored because that's what the kernel does). Damn. This is going to be ugly... I will need to think about this tomorrow (at least in the case of runc, I suspect we should actually error out if the mount has extra fs options that the kernel will ignore). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please check if this does old runtimes fail (runc and crun at least) and post the error it shows here, so we can easily know the impact of this change.
This is the error you get if you add it to a regular mount (for runc):
But for bind-mounts there's no error. |
Then this is not useful as-is, at least :( |
I think we need
Unfortunately this doesn't help with old versions of runc (though the same is true for #1219 because we need to update runtimes to say whether they support idmapped mounts), and I suspect other runtimes have the same behaviour because it's easy to miss this. @giuseppe @utam0k How do crun and youki handle data flags being passed to bind-mounts? Do you return errors or are the flags silently ignored? (Try adding |
Adding mount options which do NOP by themselves looks clumsy. Why not just use the
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd prefer mountExtensions
struct
@AkihiroSuda The features proposal doesn't help with:
Also, the flags aren't NOP flags -- they indicate you need to do a certain mount operation (just like "rro" and the other recursive mount settings). That being said, I think we need the features addition as well. |
I guess there is some other. By design, runtimes MUST ignore unknown fields. Probably in practice most of the stuff is supported for years, so not a real issue, but some example probably exists (probably also not with such awful consequences as this one). |
Hmm, now that I think about it some more, that's a good point @rata... FWIW, I'm starting to come to the view that the way we planned for extensibility in the spec was a bit misguided -- runtimes do not reject configurations from specification versions they do not support, which is behaviour that just begging to cause a security issue in the future. The purpose of the "runtimes MUST ignore unknown fields" text was to allow for vendor extensions (I think this was also motivated by the fact that the Go stdlib JSON parser didn't have a way to block unknown fields when we first started working on the spec -- For this particular feature, we should've caught this issue when reviewing the idmapped mounts additions to the spec. All of that being said, we need |
@cyphar I fully agree with that. I did a patch to runc, to fail on unknown fields, but never opened a PR as I found that note about extensibility. I completely share that that note creates more issues than it solves. There might be some "escapes" (besides going for v2.0.0, that I don't think is a good idea), like adding a That is a longer conversation and I'm not 100% sure what my thoughts are about it now. |
crun for bind mounts would just ignore a flag it doesn't know about. crun already supports |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. But the PR description is out of date (it doesn't mitigate the urgency of the other feature, this doesn't fail on old runtimes as we first thought).
|
This PR had to be updated to avoid conflict with crun? |
Sorry for missing it. I thought it was fine, especially since there was no objection, but I should have checked. @giuseppe The name of the mount options in crun seem to overlap, is that OK?
|
We will need to change the MUST language to allow crun's behaviour. In fact, maybe we should make crun's behaviour the standard behaviour if the mount doesn't have a mapping specified (it seems reasonable to me to default to the container mapping). I'm on vacation for the next two weeks, if someone else wants to pick this up in the meantime I'd appreciate it 😅 |
↑ @giuseppe WDYT? 🙏 |
what would be the best wording to allow the crun behaviour? Just dropping the following sentence?
|
opened a PR, we can discuss there how it should be: #1224 |
Adding new fields for MOUNT_ATTR_IDMAP had the flaw that users
specifying these fields with older runtimes would result in the fields
being ignored and incorrect mounts being configured. In addition, there
is no text in the specification indicating whether MOUNT_ATTR_IDMAP
should be applied with AT_RECURSIVE (which matters for rbind idmapped
mounts).
In retrospect, the addition of the fields should've included new (dummy)
mount options that would cause errors on older runtimes. Unfortunately,
we have had a runtime-spec release since then so we cannot MUST these
new mount options, but we can SHOULD them.
Fixes #1216
Resolves the main issue motivating the urgency of #1219 (though that feature is still something we should have).
Fixes: 9d1130d ("IDMapping field for mount point")
Signed-off-by: Aleksa Sarai [email protected]