lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CADxym3a5nsuw2hiDF=ZS51Wpjs-i_VW+OGd-sgGDVrKYw2AiHQ@mail.gmail.com>
Date:   Wed, 26 May 2021 09:51:22 +0800
From:   Menglong Dong <menglong8.dong@...il.com>
To:     "Eric W. Biederman" <ebiederm@...ssion.com>
Cc:     Luis Chamberlain <mcgrof@...nel.org>,
        Josh Triplett <josh@...htriplett.org>,
        Alexander Viro <viro@...iv.linux.org.uk>,
        Kees Cook <keescook@...omium.org>,
        Sami Tolvanen <samitolvanen@...gle.com>, ojeda@...nel.org,
        johan@...nel.org, Bjorn Helgaas <bhelgaas@...gle.com>,
        masahiroy@...nel.org, Menglong Dong <dong.menglong@....com.cn>,
        joe@...ches.com, Jens Axboe <axboe@...nel.dk>, hare@...e.de,
        Jan Kara <jack@...e.cz>, tj@...nel.org,
        gregkh@...uxfoundation.org, song@...nel.org,
        NeilBrown <neilb@...e.de>,
        Andrew Morton <akpm@...ux-foundation.org>,
        f.fainelli@...il.com, arnd@...db.de,
        Rasmus Villemoes <linux@...musvillemoes.dk>,
        wangkefeng.wang@...wei.com, Barret Rhoden <brho@...gle.com>,
        mhiramat@...nel.org, Steven Rostedt <rostedt@...dmis.org>,
        vbabka@...e.cz, Alexander Potapenko <glider@...gle.com>,
        pmladek@...e.com, Chris Down <chris@...isdown.name>,
        jojing64@...il.com, terrelln@...com, geert@...ux-m68k.org,
        mingo@...nel.org, linux-fsdevel@...r.kernel.org,
        LKML <linux-kernel@...r.kernel.org>, jeyu@...nel.org
Subject: Re: [PATCH v2 2/3] init/do_cmounts.c: introduce 'user_root' for initramfs

On Wed, May 26, 2021 at 2:50 AM Eric W. Biederman <ebiederm@...ssion.com> wrote:
>
......
>
> What is the flow where docker uses an initramfs?
>
> Just thinking about this I am not being able to connect the dots.
>
> The way I imagine the world is that an initramfs will be used either
> when a linux system boots for the first time, or an initramfs would
> come from the distribution you are running inside a container.  In
> neither case do I see docker being in a position to add functionality
> to the initramfs as docker is not responsible for it.
>
> Is docker doing something creating like running a container in a VM,
> and running some directly out of the initramfs, and wanting that code
> to exactly match the non-VM case?
>
> If that is the case I think the easy solution would be to actually use
> an actual ramdisk where pivot_root works.

In fact, nowadays, initramfs is widely used by embedded devices in the
production environment, which makes the whole system run in ram.

That make sense. First, running in ram will speed up the system. The size
of the system won't be too large for embedded devices, which makes this
idea work. Second, this will reduce the I/O of disk devices, which can
extend the life of the disk. Third, RAM is getting cheaper.

So in this scene, Docker runs directly in initramfs.

>
> I really don't see why it makes sense for docker to be a special
> snowflake and require kernel features that no other distribution does.
>
> It might make sense to create a completely empty filesystem underneath
> an initramfs, and use that new rootfs as the unchanging root of the
> mount tree, if it can be done with a trivial amount of code, and
> generally make everything cleaner.
>
> As this change sits it looks like a lot of code to handle a problem
> in the implementation of docker.   Which quite frankly will be a pain
> to have to maintain if this is not a clean general feature that
> other people can also use.
>

I don't think that it's all for docker, pivot_root may be used by other
users in the above scene. It may work to create an empty filesystem, as you
mentioned above. But I don't think it's a good idea to make all users,
who want to use pivot_root, do that. After all, it's not friendly to
users.

As for the code, it may look a lot, but it's not complex. Maybe a clean
up for the code I add can make it better?

Thanks!
Menglong Dong

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ