libcontainer: config: validate default filesystems by cyphar · Pull Request #1176 · opencontainers/runc

cyphar · 2016-11-06T04:04:21Z

According to the runtime-spec, some filesystems must be mounted in all
containers'. So, add verification to make sure someone doesn't ask us to
create a rootfs that is missing key features.

Signed-off-by: Aleksa Sarai asarai@suse.de

According to the runtime-spec[1], some filesystems must be mounted in all containers'. So, add verification to make sure someone doesn't ask us to create a rootfs that is missing key features. [1]: https://github.com/opencontainers/runtime-spec/blob/v1.0.0-rc2/config-linux.md#default-filesystems Signed-off-by: Aleksa Sarai <asarai@suse.de>

cyphar · 2016-11-06T04:33:31Z

Also, apparently runc will not complain if you have mounts set but don't have the right namespace setup. We should probably error out validation in that case too.

hqhq · 2016-11-07T03:54:41Z

libcontainer/configs/validate/validator_test.go

+			{Destination: "/sys"},
+			{Destination: "/dev/shm"},
+			{Destination: "/dev/pts"},
+		},


One more test to make it failed with invalid mount info?

Sure. I'll do it tomorrow (have an exam tomorrow morning).

dqminh · 2016-11-07T17:17:52Z

libcontainer/configs/validate/validator.go

+		dests[filepath.Clean(mount.Destination)] = true
+	}
+
+	// From the spec.


nit: i think this comment is redundant.

dqminh · 2016-11-07T17:18:48Z

do we want to swap this validator package with https://github.com/opencontainers/runtime-tools. They are mostly the same .

cyphar · 2016-11-07T17:26:15Z

@dqminh We validate configs.Config, while the runtime-tools validator validates spec configs. Not to mention that AFAIK we do more comprehensive testing of edge cases than runtime-tools. We should eventually upstream our validation, but we have to switch away from the legacy configs.Config first.

dqminh · 2016-11-07T22:50:19Z

@cyphar yah i supposed that's fair.

mrunalp · 2016-11-09T19:22:09Z

LGTM

crosbymichael · 2016-11-28T19:17:40Z

I don't know who added a MUST to the spec but these are not required, they are just things that most applications expect.

Things like /sys are not required and you can leave it out for added security. Also you don't need /dev/shm at all for most applications and PTS is only required when you want a PTY.

This is also weird because if we say that they are required then why even give the user the option to mess up.

I would rather leave this as is and change the spec to a SHOULD.

crosbymichael · 2016-11-28T19:21:35Z

@philips Could you take a look at this and let me know what you think since you added the section for these required filesystems?

justincormack · 2017-01-23T11:00:59Z

Yes I have containers that really don't need or want these filesystems. They are required by (for example) most libc implementations, but eg only if you use shm do you need /dev/shm. runc is a low level tool and should allow for weird use cases. In particular if you want to totally lock down ability to write to files by having no writeable mounts you want to remove /dev/shm.

cyphar · 2017-01-23T11:05:00Z

In which case, can you please make a PR against the runtime specification to switch things to SHOULD?

crosbymichael · 2017-03-03T19:09:39Z

We changed this in the spec to SHOULDs so we don't need this PR, it would have created many issues if we did validate this in the first place

GordonTheTurtle added the status/0-triage label Nov 6, 2016

hqhq reviewed Nov 7, 2016

View reviewed changes

dqminh reviewed Nov 7, 2016

View reviewed changes

dqminh mentioned this pull request Jan 23, 2017

linux: relax filesystem requirements for container opencontainers/runtime-spec#666

Merged

crosbymichael closed this Mar 3, 2017

cyphar deleted the validate-default-filesystems branch March 4, 2017 13:51

Conversation

cyphar commented Nov 6, 2016

Uh oh!

cyphar commented Nov 6, 2016

Uh oh!

hqhq Nov 7, 2016

Choose a reason for hiding this comment

Uh oh!

cyphar Nov 7, 2016

Choose a reason for hiding this comment

Uh oh!

dqminh Nov 7, 2016

Choose a reason for hiding this comment

Uh oh!

dqminh commented Nov 7, 2016

Uh oh!

cyphar commented Nov 7, 2016

Uh oh!

dqminh commented Nov 7, 2016

Uh oh!

mrunalp commented Nov 9, 2016 • edited by caniszczyk Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

crosbymichael commented Nov 28, 2016 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

crosbymichael commented Nov 28, 2016

Uh oh!

justincormack commented Jan 23, 2017

Uh oh!

cyphar commented Jan 23, 2017

Uh oh!

crosbymichael commented Mar 3, 2017

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

7 participants

mrunalp commented Nov 9, 2016 •

edited by caniszczyk

Loading

crosbymichael commented Nov 28, 2016 •

edited

Loading