Skip to content

Bind mount device nodes on EPERM #357

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
LK4D4 merged 1 commit into from
Nov 16, 2015
Merged

Bind mount device nodes on EPERM #357

LK4D4 merged 1 commit into from
Nov 16, 2015

Conversation

@ashahab-altiscale
Copy link
Contributor

@ashahab-altiscale ashahab-altiscale commented Oct 23, 2015

Enables launching userns containers by catching EPERM errors for writing
to devices cgroups, and for mknod invocations.

This reflected the changes suggested by @mrunalp and @crosbymichael in opencontainers/runtime-spec#228

Signed-off-by: Abin Shahab ashahab@altiscale.com

@hqhq
Copy link
Contributor

hqhq commented Oct 23, 2015

I don't think this is what they suggested, this will omit those real EPERM errors. Maybe we need some hack like #351 did, which needs to be more robust that people can not fool.

@crosbymichael @mrunalp what's your suggestion indeed? Maybe I understand wrong?

@ashahab-altiscale
Copy link
Contributor Author

ashahab-altiscale commented Oct 23, 2015

@hqhq The only other alternative that I see to this approach is that runC stop manipulating cgroups completely, and the operator pass the entire cgroup to runC. That's a larger change, and requires more design discussion than this one.

@crosbymichael
Copy link
Member

crosbymichael commented Nov 2, 2015

the bind mount is what I had in mind but i'm not sure what to do with the cgroup errors yet.

@ashahab-altiscale
Copy link
Contributor Author

ashahab-altiscale commented Nov 2, 2015

@mrunalp Did you ask Eric Beiderman what he thinks of catching EPERMs when host is unprivileged?

@mrunalp
Copy link
Contributor

mrunalp commented Nov 3, 2015

He said that we shouldn't have to check and kernel should be fixed whereever we need to check.
However, in this scenario, it looks like we could workaround by making the cgroup writeable by top level container (under which the other containers are nested)?

@ashahab-altiscale
Copy link
Contributor Author

ashahab-altiscale commented Nov 3, 2015

No, that does not work. I did make the cgroup writeable, and I'm able to
write to all other groups other than devices.

On Tue, Nov 3, 2015 at 2:26 PM, Mrunal Patel notifications@github.com
wrote:

He said that we shouldn't have to check and kernel should be fixed
whereever we need to check.
However, in this scenario, it looks like we could workaround by making the
cgroup writeable by top level container (under which the other containers
are nested)?


Reply to this email directly or view it on GitHub
#357 (comment).

@ashahab-altiscale
Copy link
Contributor Author

ashahab-altiscale commented Nov 6, 2015

@mrunalp any other suggestions on how to get this done for now?

@ashahab-altiscale
Copy link
Contributor Author

ashahab-altiscale commented Nov 8, 2015

@mrunalp @crosbymichael Another way to get this done maybe is:

  1. Catch EPERM for mknod error as this PR(that seems less controvertial)
  2. For Cgroups, don't catch any EPERM, but allow a way for the operator to pass a fully specified cgroupsPath(@mrunalp indicated this feature exists but I don't think so), and do not write to the devices of this passed in cgroup. What do you guys think?

@crosbymichael
Copy link
Member

crosbymichael commented Nov 13, 2015

eperm on mknod sounds good to me for this first step

@ashahab-altiscale ashahab-altiscale mentioned this pull request Nov 13, 2015
Closed
@ashahab-altiscale
Copy link
Contributor Author

ashahab-altiscale commented Nov 13, 2015

@crosbymichael Ok, I will remove the cgroup stuff from here and wait for @hqhq to merge his or my PR regarding cgroupsPath.

@ashahab-altiscale ashahab-altiscale force-pushed the 350-container-in-container branch from 5bf6a13 to 3b8d797 Compare November 15, 2015 22:34
@ashahab-altiscale ashahab-altiscale force-pushed the 350-container-in-container branch from 3b8d797 to 4c90fa1 Compare November 15, 2015 22:34
@ashahab-altiscale
Copy link
Contributor Author

ashahab-altiscale commented Nov 15, 2015

@crosbymichael @mrunalp Removed cgroups changes. Now Im only checking EPERM for mknod.

@ashahab-altiscale
Userns container in containers
28c9d02 
Enables launching userns containers by catching EPERM errors for writing
to devices cgroups, and for mknod invocations.

Signed-off-by: Abin Shahab <ashahab@altiscale.com>
@ashahab-altiscale ashahab-altiscale force-pushed the 350-container-in-container branch from 4c90fa1 to 28c9d02 Compare November 15, 2015 22:42
@crosbymichael crosbymichael changed the title Userns container in containers Bind mount device nodes on EPERM Nov 16, 2015
@crosbymichael
Copy link
Member

crosbymichael commented Nov 16, 2015

LGTM

1 similar comment
@LK4D4
Copy link
Contributor

LK4D4 commented Nov 16, 2015

LGTM

LK4D4 added a commit that referenced this pull request Nov 16, 2015
@LK4D4
Merge pull request #357 from ashahab-altiscale/350-container-in-conta…
7767914 
…iner

Bind mount device nodes on EPERM
@LK4D4 LK4D4 merged commit 7767914 into opencontainers:master Nov 16, 2015
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

status/0-triage

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@ashahab-altiscale @hqhq @crosbymichael @mrunalp @LK4D4 @GordonTheTurtle