mirror of
https://github.com/opencontainers/runc.git
synced 2026-07-11 06:03:57 +08:00
50105de1d8
As reported in [1], in a case where read-only fuse (sshfs) mount
is used as a volume without specifying ro flag, the kernel fails
to remount it (when adding various flags such as nosuid and nodev),
returning EPERM.
Here's the relevant strace line:
> [pid 333966] mount("/tmp/bats-run-PRVfWc/runc.RbNv8g/bundle/mnt", "/proc/self/fd/7", 0xc0001e9164, MS_NOSUID|MS_NODEV|MS_REMOUNT|MS_BIND|MS_REC, NULL) = -1 EPERM (Operation not permitted)
I was not able to reproduce it with other read-only mounts as the source
(tried tmpfs, read-only bind mount, and an ext2 mount), so somehow this
might be specific to fuse.
The fix is to check whether the source has RDONLY flag, and retry the
remount with this flag added.
A test case (which was kind of hard to write) is added, and it fails
without the fix. Note that rootless user need to be able to ssh to
rootless@localhost in order to sshfs to work -- amend setup scripts
to make it work, and skip the test if the setup is not working.
[1] https://github.com/containers/podman/issues/12205
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
65 lines
2.1 KiB
Docker
65 lines
2.1 KiB
Docker
ARG GO_VERSION=1.17
|
|
ARG BATS_VERSION=v1.3.0
|
|
ARG LIBSECCOMP_VERSION=2.5.2
|
|
|
|
FROM golang:${GO_VERSION}-bullseye
|
|
ARG DEBIAN_FRONTEND=noninteractive
|
|
ARG CRIU_REPO=https://download.opensuse.org/repositories/devel:/tools:/criu/Debian_11
|
|
|
|
RUN KEYFILE=/usr/share/keyrings/criu-repo-keyring.gpg; \
|
|
wget -nv $CRIU_REPO/Release.key -O- | gpg --dearmor > "$KEYFILE" \
|
|
&& echo "deb [signed-by=$KEYFILE] $CRIU_REPO/ /" > /etc/apt/sources.list.d/criu.list \
|
|
&& dpkg --add-architecture armel \
|
|
&& dpkg --add-architecture armhf \
|
|
&& dpkg --add-architecture arm64 \
|
|
&& dpkg --add-architecture ppc64el \
|
|
&& apt-get update \
|
|
&& apt-get install -y --no-install-recommends \
|
|
build-essential \
|
|
criu \
|
|
crossbuild-essential-arm64 \
|
|
crossbuild-essential-armel \
|
|
crossbuild-essential-armhf \
|
|
crossbuild-essential-ppc64el \
|
|
crossbuild-essential-s390x \
|
|
curl \
|
|
gawk \
|
|
gcc \
|
|
gperf \
|
|
iptables \
|
|
jq \
|
|
kmod \
|
|
pkg-config \
|
|
python3-minimal \
|
|
sshfs \
|
|
sudo \
|
|
uidmap \
|
|
&& apt-get clean \
|
|
&& rm -rf /var/cache/apt /var/lib/apt/lists/* /etc/apt/sources.list.d/*.list
|
|
|
|
# Add a dummy user for the rootless integration tests. While runC does
|
|
# not require an entry in /etc/passwd to operate, one of the tests uses
|
|
# `git clone` -- and `git clone` does not allow you to clone a
|
|
# repository if the current uid does not have an entry in /etc/passwd.
|
|
RUN useradd -u1000 -m -d/home/rootless -s/bin/bash rootless
|
|
|
|
# install bats
|
|
ARG BATS_VERSION
|
|
RUN cd /tmp \
|
|
&& git clone https://github.com/bats-core/bats-core.git \
|
|
&& cd bats-core \
|
|
&& git reset --hard "${BATS_VERSION}" \
|
|
&& ./install.sh /usr/local \
|
|
&& rm -rf /tmp/bats-core
|
|
|
|
# install libseccomp
|
|
ARG LIBSECCOMP_VERSION
|
|
COPY script/* /tmp/script/
|
|
RUN mkdir -p /opt/libseccomp \
|
|
&& /tmp/script/seccomp.sh "$LIBSECCOMP_VERSION" /opt/libseccomp arm64 armel armhf ppc64le s390x
|
|
ENV LIBSECCOMP_VERSION=$LIBSECCOMP_VERSION
|
|
ENV LD_LIBRARY_PATH=/opt/libseccomp/lib
|
|
ENV PKG_CONFIG_PATH=/opt/libseccomp/lib/pkgconfig
|
|
|
|
WORKDIR /go/src/github.com/opencontainers/runc
|