Message-ID: <YeZvDrUexrOqvmnF@kernel.org>
Date:   Tue, 18 Jan 2022 09:41:02 +0200
From:   Mike Rapoport <rppt@...nel.org>
To:     cgel.zte@...il.com
Cc:     mhiramat@...nel.org, viro@...iv.linux.org.uk,
        keescook@...omium.org, samitolvanen@...gle.com, ojeda@...nel.org,
        johan@...nel.org, bhelgaas@...gle.com, elver@...gle.com,
        masahiroy@...nel.org, zhang.yunkai@....com.cn, axboe@...nel.dk,
        vgoyal@...hat.com, jack@...e.cz, leon@...nel.org,
        akpm@...ux-foundation.org, linux@...musvillemoes.dk,
        palmerdabbelt@...gle.com, f.fainelli@...il.com,
        wangkefeng.wang@...wei.com, rostedt@...dmis.org,
        ahalaney@...hat.com, valentin.schneider@....com,
        peterz@...radead.org, geert@...ux-m68k.org,
        linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
        dong.menglong@....com.cn
Subject: Re: [PATCH v7 2/2] init/do_mounts.c: create second mount for
 initramfs

On Mon, Jan 17, 2022 at 01:43:52PM +0000, cgel.zte@...il.com wrote:
> From: Zhang Yunkai <zhang.yunkai@....com.cn>
> 
> If using container platforms such as Docker, upon initialization it
> wants to use pivot_root() so that currently mounted devices do not
> propagate to containers. An example of value in this is that
> a USB device connected prior to the creation of a container on the
> host gets disconnected after a container is created; if the
> USB device was mounted on containers, but already removed and
> umounted on the host, the mount point will not go away until all
> containers unmount the USB device.
> 
> Another reason for container platforms such as Docker to use pivot_root
> is that upon initialization the net-namespace is mounted under
> /var/run/docker/netns/ on the host by dockerd. Without pivot_root
> Docker must either wait to create the network namespace prior to
> the creation of containers or simply deal with leaking this to each
> container.
> 
> pivot_root is supported if the rootfs is an initrd or block device, but
> it's not supported if the rootfs uses an initramfs (tmpfs). This means
> container platforms today must resort to using block devices if
> they want to pivot_root from the rootfs. A workaround to use chroot()
> is not a clean viable option given every container will have a
> duplicate of every mount point on the host.

Sorry if this was already answered.

My understanding is that you have initramfs with docker installed on it and
with one or more container images packed there. And the desire is to use
this initramfs to run docker containers and for that you need to enable
pivot_root for initramfs.

Have you tried packing docker and the containers to a block image that can
be loop-mounted from the initramfs? Then you can chroot to that loop
mounted filesystem and there pivot_root will be available for docker.
 
> In order to support using container platforms such as Docker on
> all the supported rootfs types we must extend Linux to support
> pivot_root on initramfs as well. This patch does the work to do
> just that.

-- 
Sincerely yours,
Mike.
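The workaround Mike proposes (loop-mount a block image from the initramfs, chroot into it, and let docker pivot_root from there), together with a check for the condition it works around, as an added example that is not part of this thread or of the patch. It relies on the /proc/self/mountinfo field layout documented in proc(5); the image path, the mount point and the mountinfo snapshots are constructed for the example, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread or the patch under review.
# Detect whether "/" is the initramfs rootfs mount (where pivot_root(2)
# fails with EINVAL) and, if so, enter a loop-mounted block image as the
# reply suggests, so that a container runtime inside it can pivot_root.
#
# /proc/self/mountinfo field layout (proc(5)):
#   ID parent major:minor root mountpoint opts [optional...] - fstype source superopts

# Print the filesystem type of the mount at "/" from a mountinfo file.
root_fs_type() {
    awk '$5 == "/" {
            for (i = 7; i <= NF; i++)          # skip the variable optional fields
                if ($i == "-") { print $(i + 1); exit }
         }' "${1:-/proc/self/mountinfo}"
}

# Print the source (device) of the mount at "/".
root_fs_source() {
    awk '$5 == "/" {
            for (i = 7; i <= NF; i++)
                if ($i == "-") { print $(i + 2); exit }
         }' "${1:-/proc/self/mountinfo}"
}

# Return 0 when pivot_root can be used from this root, 1 when "/" is the
# initramfs rootfs (the case the patch wants to support in-kernel).
root_supports_pivot() {
    [ "$(root_fs_type "$1")" != "rootfs" ]
}

# The workaround from the reply: loop-mount an ext4 image holding docker
# and the container images, bind the API filesystems, and chroot into it.
# Inside the chroot "/" is ext4 on /dev/loopN, so pivot_root works there.
# Needs root and loop support; IMAGE and MNT are assumed paths. Not run
# by the self-check below.
loop_root_enter() {
    image=${1:?usage: loop_root_enter IMAGE [MNT]}
    mnt=${2:-/mnt/newroot}
    if root_supports_pivot; then
        echo "root is not the initramfs rootfs; no workaround needed" >&2
        return 0
    fi
    mkdir -p "$mnt"
    mount -o loop "$image" "$mnt"           # mount(8) allocates the loop device
    for d in dev proc sys; do mount --rbind "/$d" "$mnt/$d"; done
    exec chroot "$mnt" /bin/sh              # start dockerd from here
}

# Constructed mountinfo snapshots (not captured from a real system).
sample_initramfs_mountinfo() {
    printf '%s\n' \
        '1 1 0:2 / / rw - rootfs rootfs rw' \
        '15 1 0:3 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw'
}
sample_loop_mountinfo() {       # what a process inside the chroot would see
    printf '%s\n' \
        '30 1 7:0 / / rw,relatime - ext4 /dev/loop0 rw' \
        '31 30 0:3 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw'
}

# Self-check on the constructed snapshots.
check_samples() {
    f=$(mktemp)
    sample_initramfs_mountinfo > "$f"
    a=$(root_fs_type "$f")
    sample_loop_mountinfo > "$f"
    b=$(root_fs_type "$f")
    rm -f "$f"
    echo "initramfs root: $a, loop-mounted root: $b"
}
check_samples
```

Source the file and call `loop_root_enter /path/to/docker.img` from the initramfs init script; `root_supports_pivot` with no argument inspects the live /proc/self/mountinfo, and the rbind mounts are what docker needs to find /dev, /proc and /sys after the chroot.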
