lists.openwall.net
Message-ID: <1583442550.3927.47.camel@HansenPartnership.com>
Date:   Thu, 05 Mar 2020 13:09:10 -0800
From:   James Bottomley <James.Bottomley@...senPartnership.com>
To:     Ignat Korchagin <ignat@...udflare.com>, viro@...iv.linux.org.uk,
        linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org
Cc:     kernel-team@...udflare.com
Subject: Re: [PATCH] mnt: add support for non-rootfs initramfs

On Thu, 2020-03-05 at 19:35 +0000, Ignat Korchagin wrote:
> The main need for this is to support container runtimes on stateless
> Linux system (pivot_root system call from initramfs).
> 
> Normally, the task of initramfs is to mount and switch to a "real"
> root filesystem. However, on stateless systems (booting over the
> network) it is just convenient to have your "real" filesystem as
> initramfs from the start.
> 
> This, however, breaks different container runtimes, because they
> usually use pivot_root system call after creating their mount
> namespace. But pivot_root does not work from initramfs, because
> initramfs runs from rootfs, which is the root of the mount tree and
> can't be unmounted.

Can you say more about why this is a problem?  We use pivot_root to
pivot from the initramfs rootfs to the newly discovered and mounted
real root ... the same mechanism should work for a container (mount
namespace) running from initramfs ... why doesn't it?

The sequence usually looks like: create and enter a mount namespace,
build a tmpfs for the container in some $root directory then do


    cd $root
    mkdir old-root
    pivot_root . old-root
    mount --make-rprivate /old-root
    umount -l /old-root
    rmdir /old-root

Once that's done you're disconnected from the initramfs root.  The
sequence is really no accident because it's what the initramfs would
have done to pivot to the new root anyway (that's where container
people got it from).


James
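The sequence above, carried out with the raw syscalls so that each step's failure mode is visible. This is an added example for this archive page, not code from the mail, from the patch under discussion or from any container runtime. It assumes a Linux host; the function names, the hypothetical /tmp/pivot-demo-XXXXXX mount point and the PIVOT_DEMO_BAD_ROOT sentinel are this example's own. It first tries a plain new mount namespace (root) and falls back to an unprivileged user namespace; mount(2) and pivot_root(2) are then done exactly in the order James gives, with the mount tree made private first. The EINVAL that pivot_root returns when the current root is rootfs, or is otherwise not a mount point, is the condition Ignat's patch is about, and the example reports it as such instead of masking it.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/vfs.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constants from <linux/sched.h> and <linux/magic.h>, spelled out so the
 * file does not depend on feature-test macro ordering. */
#define NS_MOUNT 0x00020000          /* CLONE_NEWNS */
#define NS_USER  0x10000000          /* CLONE_NEWUSER */
#define TMPFS_MAGIC_VALUE 0x01021994
#define PIVOT_DEMO_BAD_ROOT 200      /* pivot returned 0 but "/" is not our tmpfs (example's own code) */

/* unshare(2) and pivot_root(2) via syscall(2); pivot_root has no libc wrapper. */
static int ns_unshare(int flags) { return (int)syscall(SYS_unshare, flags); }
static int do_pivot_root(const char *new_root, const char *put_old)
{
    return (int)syscall(SYS_pivot_root, new_root, put_old);
}

static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* Enter a fresh mount namespace.  As root CLONE_NEWNS is enough; otherwise
 * fall back to user+mount namespace and map ourselves to uid/gid 0 so we
 * hold CAP_SYS_ADMIN over the new tree.  Returns 0 or errno. */
static int enter_mount_ns(void)
{
    char map[64];
    if (ns_unshare(NS_MOUNT) == 0) return 0;
    if (errno != EPERM) return errno;
    if (ns_unshare(NS_USER | NS_MOUNT) < 0) return errno;
    snprintf(map, sizeof map, "0 %u 1", (unsigned)getuid());
    if (write_file("/proc/self/uid_map", map) < 0) return errno;
    /* setgroups must be denied before gid_map becomes writable (Linux >= 3.19). */
    if (write_file("/proc/self/setgroups", "deny") < 0 && errno != ENOENT) return errno;
    snprintf(map, sizeof map, "0 %u 1", (unsigned)getgid());
    if (write_file("/proc/self/gid_map", map) < 0) return errno;
    return 0;
}

/* The sequence from the mail as syscalls.  Returns 0 or the failing step's errno. */
static int pivot_into_tmpfs(const char *root)
{
    /* Make the tree private first: pivot_root rejects a shared parent of
     * new_root with EINVAL, and a shared old root would propagate our
     * umount back into the parent namespace. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0) return errno;
    if (mount("tmpfs", root, "tmpfs", 0, "size=1m,mode=755") < 0) return errno;
    if (chdir(root) < 0) return errno;                      /* cd $root */
    if (mkdir("old-root", 0755) < 0) return errno;          /* mkdir old-root */
    /* pivot_root . old-root -- EINVAL here is the thread's case: the current
     * root is rootfs (initramfs) or otherwise not a mount point. */
    if (do_pivot_root(".", "old-root") < 0) return errno;
    if (chdir("/") < 0) return errno;
    if (mount(NULL, "/old-root", NULL, MS_REC | MS_PRIVATE, NULL) < 0) return errno;
    if (umount2("/old-root", MNT_DETACH) < 0) return errno; /* umount -l /old-root */
    if (rmdir("/old-root") < 0) return errno;               /* rmdir /old-root */
    return 0;
}

/* After the pivot "/" must be the tmpfs and the old root must be gone. */
static int verify_pivoted(void)
{
    struct statfs sf;
    if (statfs("/", &sf) < 0) return errno;
    if (sf.f_type != TMPFS_MAGIC_VALUE || access("/old-root", F_OK) == 0)
        return PIVOT_DEMO_BAD_ROOT;
    return 0;
}

/* Run the demo in a forked child so the caller's namespace and cwd stay
 * untouched.  Returns 0, the errno of the failing step, or PIVOT_DEMO_BAD_ROOT. */
int run_pivot_demo(void)
{
    char dir[] = "/tmp/pivot-demo-XXXXXX";   /* hypothetical host-side mount point */
    int status = 0;
    pid_t pid;
    if (!mkdtemp(dir)) return errno;
    pid = fork();
    if (pid < 0) { int e = errno; rmdir(dir); return e; }
    if (pid == 0) {
        int rc = enter_mount_ns();
        if (rc == 0) rc = pivot_into_tmpfs(dir);
        if (rc == 0) rc = verify_pivoted();
        _exit(rc & 0xff);
    }
    if (waitpid(pid, &status, 0) < 0) status = -1;
    rmdir(dir);   /* the tmpfs existed only inside the child's namespace */
    return WIFEXITED(status) ? WEXITSTATUS(status) : EIO;
}

/* Outcomes an unprivileged or sandboxed run can legitimately produce:
 * success, a privilege denial (no CAP_SYS_ADMIN, seccomp), or the EINVAL above. */
int pivot_demo_outcome_known(int rc)
{
    return rc == 0 || rc == EPERM || rc == EACCES || rc == ENOSYS || rc == EINVAL;
}

int main(void)
{
    int rc = run_pivot_demo();
    if (rc == 0) puts("pivoted into tmpfs and detached the old root");
    else if (rc == PIVOT_DEMO_BAD_ROOT) puts("pivot returned but / is not the tmpfs");
    else printf("pivot demo failed: %s\n", strerror(rc));
    return rc == 0 ? 0 : 1;
}
```

Run it as root on a normal host and it succeeds; run it unprivileged and it succeeds only where unprivileged user namespaces are allowed. Run it from a system whose root is rootfs, as in Ignat's stateless boot, and pivot_root itself fails with EINVAL even though the new root is a properly mounted tmpfs, which is the point of the disagreement in this thread.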
