Data loss in root overlayfs and other container mounts when using user namespaces

[mbaynton]

Description

When using containers with user namespaces enabled, we are observing that it is possible for containerd to remove files from the overlayfs snapshotter's data for the container image, as well as from other mounts that may be added to the container. When the removed files are on the snapshot, it affects future containers started on the host. When the removed files are from other mounts it could cause permanent data loss.

Steps to reproduce the issue

1. Start a container on a host with user namespaces enabled
2. Run some executable processes in one of these containers or open some files to cause the idmapped mount to be busy
3. Kill the container
4. Be unlucky. This does not always cause data loss, presumably only when the kernel has not finished cleaning up its accounting of open file handles by the time the containerd unmount call is attempted.

Describe the results you received and expected

Actual results, from containerd log:

time="2024-09-17T23:04:52.334331723Z" level=warning msg="failed to unmount temp lowerdir /var/lib/containerd/tmpmounts/ovl-idmapped1999575633/2" error="device or resource busy"
time="2024-09-17T23:04:52.337862379Z" level=info msg="TaskExit event in podsandbox handler container_id:\"3e5d4ccbf1246380d2db67bb97d49f614dc21b2493fac0656f7d5dd8815cec5c\" id:\"a917de21e41c6c09e3e06ecbd605b3775e68c6bb40e1aef6ab37338dbcc59df3\" pid:2449241 exited_at:{seconds:1726614292 nanos:327893138}"
time="2024-09-17T23:04:52.388515611Z" level=warning msg="failed to remove temporary overlay lowerdir's" error="unlinkat /var/lib/containerd/tmpmounts/ovl-idmapped1999575633/2: device or resource busy"

Resulting in the underlying path behind /var/lib/containerd/tmpmounts/ovl-idmapped1999575633/2, a layer of the container image, having its files removed since it was not successfully unmounted before it was os.RemoveAll()ed.

Expected results:
Temporary idmap mount is cleaned up without underlying data loss

What version of containerd are you using?

containerd github.com/containerd/containerd v2.0.0-rc.0 93022d8

Any other relevant information

Relevant code appears to be here,

containerd/core/mount/mount_linux.go

Lines 254 to 260 in 67b0687

	if err := unix.Unmount(lowerDir, 0); err != nil {
	log.L.WithError(err).Warnf("failed to unmount temp lowerdir %s", lowerDir)
	}
	}
	if terr := os.RemoveAll(filepath.Clean(filepath.Join(tmpLowerDirs[0], ".."))); terr != nil {
	log.L.WithError(terr).Warnf("failed to remove temporary overlay lowerdir's")
	}

If the unmounts fail it does not prevent the os.RemoveAll

Show configuration if it is related to CRI plugin.

No response

[rata]

@mbaynton Are you sure this can cause data-loss? Have you seen that?

When the removed files are on the snapshot, it affects future containers started on the host.

How is this affected really? Are you guessing or did you observe something?

I don't think it is possible, the files being removed should not affect the host at all. The thing is, for overlayfs mounts, you need to create an idmap mount of each layer. What is being deleted and unmounted is those tmp idmapped layers. That is just to not leak them later, as the kernel already keeps an a reference to the mount tree (it's the same as doing open(2) of a file and then delete it, the fd is still valid).

In fact, this was discussed during review: #5890 (comment). And as mentioned there, podman is also doing the same too.

When the removed files are from other mounts it could cause permanent data loss.

I think this is also a guess you are doing, is it possible? containerd doesn't do the volume mounts, that code doesn't do anything with volumes. The volume mounts are handled by the OCI runtime, so it is not in containerd, the code is completely different and there are no rm (as we don't have the layers to deal with for volumes).

There might be something to improve in the cleanup code, but IIUC no data-loss is even remotely possible. Please confirm that first, then we can see how to improve the log messages/cleaup code if that is the only issue here.

cc @fuweid

[mbaynton]

Hey @rata thanks for the reply. Yes this is real, yes we have seen files disappear from image rootfs on several hosts, yes future containers fail because files are not present, yes the logs I included with failed to unmount temp lowerdir and failed to remove temporary overlay lowerdir's were recorded on the affected hosts, and yes, the mtimes on the directories where files were deleted (eg /var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/243/fs) exactly match the log timestamps. I have enough corroborating evidence to have high confidence in this report.

The challenge of course is the intermittently reproducible nature of it; perhaps it would be possible to rig a scenario where the idmapped unmount reliably fails. If we can set that up it will be easy to see current containerd 2 deletes files.

The thing is, for overlayfs mounts, you need to create an idmap mount of each layer. What is being deleted and unmounted is those tmp idmapped layers.

What is supposed to be deleted and unmounted is the tmp idmapped layers. However if the idmap bindmount is still intact when unlinks are issued against it, and because we are also using a recursive removal with os.RemoveAll, then that removes all the files and directories inside the location we bind-mounted to, such as one layer of the rootfs image's snapshot.

When the removed files are from other mounts it could cause permanent data loss.

I think this is also a guess you are doing, is it possible?

Hmm, yes, I do have lower confidence that the root cause here is the same bug in containerd. We observed files disappearing from hostPath mounts too, which I assume are also getting the same idmapping and cleanup treatment, but I have only carefully tracked down corresponding log messages/mtimes/corresponding code in the image rootfs case.

[rata]

Hey @rata thanks for the reply. Yes this is real, yes we have seen files disappear from image rootfs on several hosts, yes future containers fail because files are not present, yes the logs I included with failed to unmount temp lowerdir and failed to remove temporary overlay lowerdir's were recorded on the affected hosts, and yes, the mtimes on the directories where files were deleted (eg /var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/243/fs) exactly match the log timestamps. I have enough corroborating evidence to have high confidence in this report.

@mbaynton This is a lot of very valuable information. Especially the mtime on the dir, but also how you nailed it down to lines of code. Thanks :)

Can you try to compile this branch and see if you can repro? https://github.com/rata/containerd/commits/issue-10704-try/

Hmm, yes, I do have lower confidence that the root cause here is the same bug in containerd. We observed files disappearing from hostPath mounts too, which I assume are also getting the same idmapping and cleanup treatment,

This assumption is not correct. The code here is specific for overlayfs and only for the container rootfs (i.e. the container image).

But it would be great if you can investigate this path too. I'm curious what is happening and if there is something we can do (here or in runc) to make those cases better. But I wrote the idmap code for volumes in runc, there was no rm at all, so maybe we are not screwing it up there :)

[rata]

@mbaynton I opened #10721 that should fix the issue for you. Can you please try it out?

Also, can you share more about your setup? I don't fully understand why the unmount fails in your setup with resource busy. I couldn't find a way to repro so far.

Here are some questions, it would be great if you can get to them. But the most important part now is if you can verify if the PR solves the issue for you:

1. How are you killing the container? I wonder if you are killing the containerd shim, doing a kubectl delete pod or what
2. Your hostPath volumes mount like "/" from the host?
3. Can you share the pod yaml of the relevant pods?

I'm trying to see if there is something else we can do to improve the situation for that workload.