Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

allow bind mount w/o explicit "bind" opt but w/ explicit "bind" type #2590

Closed
wants to merge 1 commit into from
Closed

allow bind mount w/o explicit "bind" opt but w/ explicit "bind" type #2590

wants to merge 1 commit into from

Conversation

AkihiroSuda
Copy link
Member

Previously, {"type":"bind"} without {"options": ["bind"]} was failing with ENODEV.

See containers/podman#7652

@AkihiroSuda
allow bind mount w/o explicit "bind" opt but w/ explicit "bind" type
98287ed 
Previously, {"type":"bind"} without {"options": ["bind"]} was failing with ENODEV.

See containers/podman#7652

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
kolyshkin
kolyshkin reviewed Sep 16, 2020
View reviewed changes
tests/integration/mounts.bats

runc run test_bind_mount
[ "$status" -eq 0 ]
[[ "${lines[0]}" == *'/tmp/bind/config.json'* ]]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this will also match something like "ls: /tmp/bind/config.json: no such file or directory" which is not good.

I think we should list the directory instead, and check the file is present in the output.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We check the status code, so it won't match ls: /tmp/bind/config.json: no such file or directory

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

well in this case it does not make sense to check the output, since ls will definitely return the error if the file is not there, so this check is redundant

Copy link
Contributor

@kolyshkin kolyshkin Sep 21, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So I guess either

  • list the directory, check the exit code, check the output to contain file name

or

  • list the file, check the exit code

kolyshkin
kolyshkin requested changes Sep 16, 2020
View reviewed changes
Copy link
Contributor

@kolyshkin kolyshkin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

test case needs fixing

@AkihiroSuda
Copy link
Member Author

The test should be ok, please see #2590 (comment)

@cyphar
Copy link
Member

cyphar commented Sep 21, 2020

I would argue the config is wrong -- "type": "bind" doesn't mean anything in Linux (all that matters is the existence of MS_BIND in the mount options) -- though in fairness this was a bug in runc as well (#1753). Is there a reason that the config generator is not adding the bind option to mounts?

I do see why we'd want to add it, but it means that a hypothetical filesystem called bind couldn't be mounted with this change.

@AkihiroSuda
Copy link
Member Author

AkihiroSuda commented Sep 21, 2020
edited
Loading

Is there a reason that the config generator is not adding the bind option to mounts?

As crun doesn't require this option, projects using crun as the primary runtime are likely to forget adding this option. containers/podman#7652

a hypothetical filesystem called bind couldn't be mounted with this change.

This sounds too much hypothetical. When a new kind of "bind" filesystem is being added to the kernel, probably it will be called in another name like "bind2", to avoid breaking userspace mount(8) CLI

@cyphar
Copy link
Member

cyphar commented Sep 21, 2020
edited
Loading

That means crun is not implementing the runtime-spec correctly (or rather, is implementing an extension to the runtime-spec). To quote the spec:

A mount is a bind mount if it has either bind or rbind in the options. [...] For bind mounts (when options include either bind or rbind), the type is a dummy, often "none" (not listed in /proc/filesystems).

I'm not against adding something as simple as this workaround, but just because crun (or runc for that matter) does something doesn't make it the correct behaviour. Podman shouldn't be generating invalid OCI configurations.

When a new kind of "bind" filesystem is being added to the kernel, probably it will be called in another name like "bind2", to avoid breaking userspace mount(8) CLI

mount -t bind doesn't work, you have to do mount --bind.

@giuseppe
Copy link
Member

As crun doesn't require this option, projects using crun as the primary runtime are likely to forget adding this option. containers/podman#7652

I'll fix it in crun to follow more closely the OCI specs.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kolyshkin kolyshkin kolyshkin requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@AkihiroSuda @cyphar @giuseppe @kolyshkin