Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix working with read-only /dev #3345

Merged
merged 3 commits into from Jan 25, 2022
Merged

Fix working with read-only /dev #3345

merged 3 commits into from Jan 25, 2022

Conversation

kolyshkin
Copy link
Contributor

TL;DR: do not chown /dev/std{in,out,err} if there's no need; ignore EROFS when chown fails.

For the context, see containers/podman#12954

Please review commit-by-commit.

@kolyshkin
libct: fixStdioPermissions: minor refactoring
b7fdb68 
Use os/file Chown method instead of bare unix.Fchown as it already have
access to underlying fd, and produces nice-looking errors. This allows
us to remove our error wrapping and some linter annotations.

We still use unix.Fstat since os.Stat access to os-specific fields
like uid/gid is not very straightforward. The only change here is to use
file name (rather than fd) in the error text.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
@kolyshkin
libct: fixStdioPermissions: skip chown if not needed
18c4760 
Since we already called fstat, we know the current file uid. In case it
is the same as the one we want it to be, there's no point in trying
chown.

Remove the specific /dev/null check, as the above also covers it
(comparing /dev/null uid with itself is true).

This also fixes runc exec with read-only /dev for root user.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
@kolyshkin
libct: fixStdioPermissions: ignore EROFS
146c8c0 
In case of a read-only /dev, it's better to move on and let whatever is
run in a container to handle any possible errors.

This solves runc exec for a user with read-only /dev.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
@kolyshkin kolyshkin changed the title Rodev Fix working with read-only /dev Jan 22, 2022
@kolyshkin
Copy link
Contributor Author

I guess I could add some integration tests, but this is pretty straightforward.

@kolyshkin kolyshkin mentioned this pull request Jan 22, 2022
Closed
cyphar
cyphar approved these changes Jan 24, 2022
View reviewed changes
Copy link
Member

@cyphar cyphar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@rhatdan
Copy link
Contributor

rhatdan commented Jan 24, 2022

LGTM

@rhatdan
Copy link
Contributor

rhatdan commented Jan 25, 2022

@AkihiroSuda PTAL

@rhatdan
Copy link
Contributor

rhatdan commented Jan 25, 2022

@mrunalp PTAL

@kolyshkin
Copy link
Contributor Author

Depending on podman release plans, we may need to have 1.1.1 released with the backport of this one.

@mrunalp mrunalp merged commit a1727ef into opencontainers:master Jan 25, 2022
@kolyshkin
Copy link
Contributor Author

It looks like we need to release 1.1.1
containers/podman#12954 (comment)

@kolyshkin kolyshkin added the backport/todo/1.1 A PR in main branch which needs to be backported to release-1.1 label Jan 27, 2022
@kolyshkin kolyshkin mentioned this pull request Jan 27, 2022
Merged
@kolyshkin kolyshkin added backport/done/1.1 A PR in main branch which was backported to release-1.1 and removed backport/todo/1.1 A PR in main branch which needs to be backported to release-1.1 labels Feb 18, 2022
@cyphar cyphar mentioned this pull request Feb 2, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mrunalp mrunalp mrunalp approved these changes

@cyphar cyphar cyphar approved these changes

Assignees
No one assigned
Labels
backport/done/1.1 A PR in main branch which was backported to release-1.1 enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@kolyshkin @rhatdan @mrunalp @cyphar