Allow mounting cgroups as read-only when user namespace is configured by mrunalp · Pull Request #763 · opencontainers/runc

mrunalp · 2016-04-19T16:57:23Z

We use bind mount to achieve this as other file system remounts are disallowed
in a user namespace.

Signed-off-by: Mrunal Patel mrunalp@gmail.com

mrunalp · 2016-04-19T16:57:43Z

LK4D4 · 2016-04-19T17:10:21Z

@mrunalp I think this requires little explanation in commit message :)

We use bind mount to achieve this as other file system remounts are disallowed in a user namespace. Signed-off-by: Mrunal Patel <mrunalp@gmail.com>

mrunalp · 2016-04-19T17:14:41Z

@LK4D4 Sure, updated :)

mrunalp · 2016-04-19T17:16:21Z

You can use ocitools to test this:

# The rootfs needs to be chowned to 1000.1000 to test this
[root@dhcp-16-129 testroot]# ocitools generate --tty --uidmappings 1000:0:32768 --gidmappings 1000:0:32768 --mount-cgroups ro 
[root@dhcp-16-129 testroot]# runc start 1234
/ # mount
/dev/mapper/fedora_dhcp--16--129-root on / type ext4 (rw,seclabel,relatime,data=ordered)
proc on /proc type proc (rw,nodev,relatime)
tmpfs on /dev type tmpfs (rw,seclabel,nosuid,nodev,size=65536k,mode=755,uid=1000,gid=1000)
devpts on /dev/pts type devpts (rw,seclabel,nosuid,noexec,relatime,gid=1005,mode=620,ptmxmode=666)
shm on /dev/shm type tmpfs (rw,seclabel,nosuid,nodev,noexec,relatime,size=65536k,uid=1000,gid=1000)
mqueue on /dev/mqueue type mqueue (rw,seclabel,nosuid,nodev,noexec,relatime)
sysfs on /sys type sysfs (ro,seclabel,nosuid,nodev,noexec,relatime)
tmpfs on /sys/fs/cgroup type tmpfs (ro,seclabel,nosuid,nodev,noexec,relatime,mode=755,uid=1000,gid=1000)
cgroup on /sys/fs/cgroup/systemd type cgroup (ro,nosuid,nodev,noexec,relatime,xattr,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd)
cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (ro,nosuid,nodev,noexec,relatime,net_cls,net_prio)
cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (ro,nosuid,nodev,noexec,relatime,cpu,cpuacct)
cgroup on /sys/fs/cgroup/blkio type cgroup (ro,nosuid,nodev,noexec,relatime,blkio)
cgroup on /sys/fs/cgroup/freezer type cgroup (ro,nosuid,nodev,noexec,relatime,freezer)
cgroup on /sys/fs/cgroup/memory type cgroup (ro,nosuid,nodev,noexec,relatime,memory)
cgroup on /sys/fs/cgroup/devices type cgroup (ro,nosuid,nodev,noexec,relatime,devices)
cgroup on /sys/fs/cgroup/cpuset type cgroup (ro,nosuid,nodev,noexec,relatime,cpuset)
cgroup on /sys/fs/cgroup/hugetlb type cgroup (ro,nosuid,nodev,noexec,relatime,hugetlb)
cgroup on /sys/fs/cgroup/perf_event type cgroup (ro,nosuid,nodev,noexec,relatime,perf_event)
cgroup on /sys/fs/cgroup/pids type cgroup (ro,nosuid,nodev,noexec,relatime,pids)
devtmpfs on /dev/null type devtmpfs (rw,seclabel,nosuid,size=8172976k,nr_inodes=2043244,mode=755)
devtmpfs on /dev/random type devtmpfs (rw,seclabel,nosuid,size=8172976k,nr_inodes=2043244,mode=755)
devtmpfs on /dev/full type devtmpfs (rw,seclabel,nosuid,size=8172976k,nr_inodes=2043244,mode=755)
devtmpfs on /dev/tty type devtmpfs (rw,seclabel,nosuid,size=8172976k,nr_inodes=2043244,mode=755)
devtmpfs on /dev/zero type devtmpfs (rw,seclabel,nosuid,size=8172976k,nr_inodes=2043244,mode=755)
devtmpfs on /dev/urandom type devtmpfs (rw,seclabel,nosuid,size=8172976k,nr_inodes=2043244,mode=755)
devpts on /dev/console type devpts (rw,seclabel,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
/ #

LK4D4 · 2016-04-19T17:28:11Z

LGTM

crosbymichael · 2016-04-19T17:35:58Z

LGTM

cyphar · 2016-04-19T22:14:06Z

Nice.

specs-go/config: Add omitempty to LinuxSyscall.Args

GordonTheTurtle added the status/0-triage label Apr 19, 2016

Allow mounting cgroups as read-only when user namespace is configured

a6104c3

We use bind mount to achieve this as other file system remounts are disallowed in a user namespace. Signed-off-by: Mrunal Patel <mrunalp@gmail.com>

mrunalp force-pushed the userns_cgroups_ro branch from 0354b92 to a6104c3 Compare April 19, 2016 17:14

crosbymichael merged commit 27fd057 into opencontainers:master Apr 19, 2016

hqhq mentioned this pull request Apr 20, 2016

Add option to generate userns enabled spec #764

Closed

stefanberger pushed a commit to stefanberger/runc that referenced this pull request Sep 8, 2017

Merge pull request opencontainers#763 from wking/seccomp-args-omitempty

67316f0

specs-go/config: Add omitempty to LinuxSyscall.Args

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Allow mounting cgroups as read-only when user namespace is configured#763

Allow mounting cgroups as read-only when user namespace is configured#763
crosbymichael merged 1 commit intoopencontainers:masterfrom
mrunalp:userns_cgroups_ro

mrunalp commented Apr 19, 2016 •

edited

Loading

Uh oh!

mrunalp commented Apr 19, 2016

Uh oh!

LK4D4 commented Apr 19, 2016

Uh oh!

mrunalp commented Apr 19, 2016

Uh oh!

mrunalp commented Apr 19, 2016 •

edited

Loading

Uh oh!

LK4D4 commented Apr 19, 2016

Uh oh!

crosbymichael commented Apr 19, 2016

Uh oh!

cyphar commented Apr 19, 2016

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

Conversation

mrunalp commented Apr 19, 2016 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

mrunalp commented Apr 19, 2016

Uh oh!

LK4D4 commented Apr 19, 2016

Uh oh!

mrunalp commented Apr 19, 2016

Uh oh!

mrunalp commented Apr 19, 2016 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

LK4D4 commented Apr 19, 2016

Uh oh!

crosbymichael commented Apr 19, 2016

Uh oh!

cyphar commented Apr 19, 2016

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

mrunalp commented Apr 19, 2016 •

edited

Loading

mrunalp commented Apr 19, 2016 •

edited

Loading