Details
-
Improvement
-
Status: Resolved
-
Minor
-
Resolution: Fixed
-
None
-
None
-
None
Description
When user namespaces are in effect, the additional mounts performed by the CNI isolator to bind host network files read-only fail. The initial bind mount succeeds, but the subsequent remount is failing. The reason for the failure isn't clear to me - there are a number of kernel checks and I don't know which one is failing yet.
... [pid 15609] execve("/home/jpeach/src/mesos/build/src/mesos-containerizer", ["/home/jpeach/src/mesos/build/src"..., "launch"], 0x7f74a001c450 /* 30 vars */I1130 17:04:34.281958 15537 containerizer.cpp:2921] Transitioning the state of container 0a0fdd6b-9532-4010-913b-5e36cad6f666.c4b9a777-eb6c-4c4a-9c4c-5d39e23373eb from PREPARING to ISOLATING ) = 0 strace: Process 15610 attached [pid 15610] execve("/home/jpeach/src/mesos/build/src/mesos-containerizer", ["mesos-containerizer", "network-cni-setup", "--bind_host_files=false", "--bind_readonly=true", "--etc_hostname_path=/etc/hostnam"..., "--etc_hosts_path=/etc/hosts", "--etc_resolv_conf=/etc/resolv.co"..., "--help=false", "--pid=15609", "--rootfs=/tmp/ExecutorType_UserN"...], 0x58f07f0 /* 24 vars */) = 0 [pid 15610] mount(NULL, "/", NULL, MS_REC|MS_SLAVE, NULL) = 0 [pid 15610] mount("/etc/resolv.conf", "/tmp/ExecutorType_UserNamespaceIsolatorTest_ROOT_USER_DockerTask_DefaultExecutor_IMJpTh/provisioner/containers/0a0fdd6b-9532-4010-913b-5e36cad6f666/containers/c4b9a777-eb6c-4c4a-9c4c-5d39e23373eb/backends/overlay/rootfses/0aaba267-75e7-444a-9f3a-adb22adcf195/etc/resolv.conf", NULL, MS_BIND, NULL) = 0 [pid 15610] mount(NULL, "/tmp/ExecutorType_UserNamespaceIsolatorTest_ROOT_USER_DockerTask_DefaultExecutor_IMJpTh/provisioner/containers/0a0fdd6b-9532-4010-913b-5e36cad6f666/containers/c4b9a777-eb6c-4c4a-9c4c-5d39e23373eb/backends/overlay/rootfses/0aaba267-75e7-444a-9f3a-adb22adcf195/etc/resolv.conf", NULL, MS_RDONLY|MS_REMOUNT, NULL) = -1 EPERM (Operation not permitted) [pid 15610] +++ exited with 1 +++ ...
Note that in this log I've experimentally modified the mount flags, but that doesn't make any difference.
Attachments
Issue Links
- blocks
-
MESOS-8142 Improve container security with user namespaces.
- Accepted