Mesos / MESOS-8286

Making bind mounts readonly fails with user namespaces.


Details

    Type: Improvement
    Status: Resolved
    Priority: Minor
    Resolution: Fixed
    Fix Version/s: 1.5.0

    Description

      When user namespaces are in effect, the additional mounts performed by the CNI isolator to bind host network files read-only fail. The initial bind mount succeeds, but the subsequent remount is failing. The reason for the failure isn't clear to me - there are a number of kernel checks and I don't know which one is failing yet.

      ...
      [pid 15609] execve("/home/jpeach/src/mesos/build/src/mesos-containerizer", ["/home/jpeach/src/mesos/build/src"..., "launch"], 0x7f74a001c450 /* 30 vars */I1130 17:04:34.281958 15537 containerizer.cpp:2921] Transitioning the state of container 0a0fdd6b-9532-4010-913b-5e36cad6f666.c4b9a777-eb6c-4c4a-9c4c-5d39e23373eb from PREPARING to ISOLATING
      ) = 0
      strace: Process 15610 attached
      [pid 15610] execve("/home/jpeach/src/mesos/build/src/mesos-containerizer", ["mesos-containerizer", "network-cni-setup", "--bind_host_files=false", "--bind_readonly=true", "--etc_hostname_path=/etc/hostnam"..., "--etc_hosts_path=/etc/hosts", "--etc_resolv_conf=/etc/resolv.co"..., "--help=false", "--pid=15609", "--rootfs=/tmp/ExecutorType_UserN"...], 0x58f07f0 /* 24 vars */) = 0
      [pid 15610] mount(NULL, "/", NULL, MS_REC|MS_SLAVE, NULL) = 0
      [pid 15610] mount("/etc/resolv.conf", "/tmp/ExecutorType_UserNamespaceIsolatorTest_ROOT_USER_DockerTask_DefaultExecutor_IMJpTh/provisioner/containers/0a0fdd6b-9532-4010-913b-5e36cad6f666/containers/c4b9a777-eb6c-4c4a-9c4c-5d39e23373eb/backends/overlay/rootfses/0aaba267-75e7-444a-9f3a-adb22adcf195/etc/resolv.conf", NULL, MS_BIND, NULL) = 0
      [pid 15610] mount(NULL, "/tmp/ExecutorType_UserNamespaceIsolatorTest_ROOT_USER_DockerTask_DefaultExecutor_IMJpTh/provisioner/containers/0a0fdd6b-9532-4010-913b-5e36cad6f666/containers/c4b9a777-eb6c-4c4a-9c4c-5d39e23373eb/backends/overlay/rootfses/0aaba267-75e7-444a-9f3a-adb22adcf195/etc/resolv.conf", NULL, MS_RDONLY|MS_REMOUNT, NULL) = -1 EPERM (Operation not permitted)
      [pid 15610] +++ exited with 1 +++
      ...
      

      Note that in this log I've experimentally modified the mount flags, but that doesn't make any difference.
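The pattern the description is about, written out as an added example (this is illustration code, not the Mesos CNI isolator's own code, and the issue does not say which kernel check was the one failing here). It shows the two mount(2) checks that most often turn a read-only bind remount into EPERM once a user namespace is involved: a remount without MS_BIND, as in the strace above, targets the underlying filesystem and needs CAP_SYS_ADMIN in the user namespace that owns that superblock, which a container's "root" does not have; and a mount inherited into a mount namespace owned by a user namespace is locked, so the remount must repeat its nosuid/nodev/noexec/atime bits or it is refused. The function names (readonly_remount_flags, bind_mount_readonly, is_readonly_mount) are the example's own.

```c
/*
 * Added example, not Mesos code: bind-mount a host file (say /etc/resolv.conf)
 * into a container rootfs and make the bind mount read-only.
 *
 *  1. MS_REMOUNT|MS_BIND changes only the per-mount flags. MS_REMOUNT alone
 *     remounts the superblock, which requires CAP_SYS_ADMIN in the user
 *     namespace owning it (normally the initial one): EPERM in a container.
 *  2. Mounts copied into a user-namespace-owned mount namespace are locked;
 *     a remount must keep their nosuid/nodev/noexec/atime bits. The bind
 *     mount clones those bits from its source, so read them back with
 *     statvfs(3) on the new mount and carry them into the remount.
 *
 * Build: cc -Wall -o bindro bindro.c
 * Run:   ./bindro /etc/resolv.conf /path/to/rootfs/etc/resolv.conf
 *        (as root, or as the namespace's root after entering it)
 */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/statvfs.h>

/* Only ST_RDONLY and ST_NOSUID are portable; the rest are GNU extensions.
 * Fall back to the kernel's numeric values if the headers hid them. */
#ifndef ST_NODEV
#define ST_NODEV 4
#endif
#ifndef ST_NOEXEC
#define ST_NOEXEC 8
#endif
#ifndef ST_NOATIME
#define ST_NOATIME 1024
#endif
#ifndef ST_NODIRATIME
#define ST_NODIRATIME 2048
#endif
#ifndef ST_RELATIME
#define ST_RELATIME 4096
#endif

/* Translate the statvfs f_flag bits of an existing mount into the MS_* flags
 * a read-only bind remount must carry so that no locked bit is dropped. */
unsigned long readonly_remount_flags(unsigned long st_flag)
{
    unsigned long flags = MS_REMOUNT | MS_BIND | MS_RDONLY;
    if (st_flag & ST_NOSUID)     flags |= MS_NOSUID;
    if (st_flag & ST_NODEV)      flags |= MS_NODEV;
    if (st_flag & ST_NOEXEC)     flags |= MS_NOEXEC;
    if (st_flag & ST_NOATIME)    flags |= MS_NOATIME;
    if (st_flag & ST_NODIRATIME) flags |= MS_NODIRATIME;
    if (st_flag & ST_RELATIME)   flags |= MS_RELATIME;
    return flags;
}

/* 1 if `path` sits on a read-only mount, 0 if writable, -errno on error. */
int is_readonly_mount(const char *path)
{
    struct statvfs st;
    if (statvfs(path, &st) != 0)
        return -errno;
    return (st.f_flag & ST_RDONLY) ? 1 : 0;
}

/* Bind `source` onto `target`, then flip the bind mount to read-only while
 * preserving whatever flags it inherited. Returns 0 or -errno. */
int bind_mount_readonly(const char *source, const char *target)
{
    struct statvfs st;

    if (mount(source, target, NULL, MS_BIND, NULL) != 0)
        return -errno;

    /* Query the new mount (target is now a mount point), not the source. */
    if (statvfs(target, &st) != 0) {
        int err = errno;
        umount2(target, MNT_DETACH);
        return -err;
    }

    if (mount(NULL, target, NULL, readonly_remount_flags(st.f_flag), NULL) != 0) {
        int err = errno;
        umount2(target, MNT_DETACH);   /* don't leave a writable bind behind */
        return -err;
    }

    /* Verify rather than trust the return code. */
    if (is_readonly_mount(target) != 1) {
        umount2(target, MNT_DETACH);
        return -EIO;
    }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s SOURCE TARGET\n", argv[0]);
        return 2;
    }
    int rc = bind_mount_readonly(argv[1], argv[2]);
    if (rc < 0) {
        fprintf(stderr, "bind_mount_readonly: %s\n", strerror(-rc));
        return 1;
    }
    printf("%s is now a read-only bind mount of %s\n", argv[2], argv[1]);
    return 0;
}
```

If the remount still returns EPERM with these flags, compare the mount's line in /proc/self/mountinfo with the flags being passed: any ro/nosuid/nodev/noexec/atime option present there but absent from the remount is a locked bit being dropped.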

People

    Assignee: James Peach (jamespeach)
    Reporter: James Peach (jamespeach)