Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

daemon/setMounts(): do not make /dev/shm ro#36526

Merged
merged 2 commits into from
Mar 10, 2018
Merged

daemon/setMounts(): do not make /dev/shm ro #36526

merged 2 commits into from
Mar 10, 2018

Conversation

kolyshkin
Copy link
Contributor

@kolyshkin kolyshkin commented Mar 8, 2018
edited by thaJeztah
Loading

It has been pointed out that if --read-only flag is given, /dev/shm
also becomes read-only, and it does not make sense, especially for
the case of --ipc private (added in #34087).

It is still debatable whether it makes sense to have it read-only
for --ipc shareable|host|container:NNN, but let's follow the --tmpfs
logic here and do NOT make /dev/shm read-only for all the cases.

Fixes #36503

@tonistiigi
Copy link
Member

LGTM

@thaJeztah
Copy link
Member

Discussing in the maintainers meeting; looks ok to make this rw - this should probably be added to the test that was added in #28823

@kolyshkin
Copy link
Contributor Author

Need to add a test case similar to #28823 but for --ipc private. The difference in this case is mount comes from the OCI spec.

@kolyshkin
daemon/oci_linux_test: add TestIpcPrivateVsReadonly
33dd562 
The test case checks that in case of IpcMode: private and
ReadonlyRootfs: true (as in "docker run --ipc private --read-only")
the resulting /dev/shm mount is NOT made read-only.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
@kolyshkin
daemon/setMounts(): do not make /dev/shm ro
cad7405 
It has been pointed out that if --read-only flag is given, /dev/shm
also becomes read-only in case of --ipc private.

This happens because in this case the mount comes from OCI spec
(since commit 7120976), and is a regression caused by that
commit.

The meaning of --read-only flag is to only have a "main" container
filesystem read-only, not the auxiliary stuff (that includes /dev/shm,
other mounts and volumes, --tmpfs, /proc, /dev and so on).

So, let's make sure /dev/shm that comes from OCI spec is not made
read-only.

Fixes: 7120976 ("Implement none, private, and shareable ipc modes")

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
@codecov
Copy link

codecov bot commented Mar 8, 2018
edited
Loading

Codecov Report

❗ No coverage uploaded for pull request base (master@0c01629). Click here to learn what that means.
The diff coverage is 100%.

@@            Coverage Diff            @@
##             master   #36526   +/-   ##
=========================================
  Coverage          ?   34.66%           
=========================================
  Files             ?      613           
  Lines             ?    45404           
  Branches          ?        0           
=========================================
  Hits              ?    15739           
  Misses            ?    27605           
  Partials          ?     2060

@kolyshkin
Copy link
Contributor Author

  • added a unit test (which is failing before the fixing commit and is passing after)
  • modified a commit message to reflect the latest findings about the meaning of --read-only

I am a bit concerned about this being a unit test, as I had to mimic the code flow of some actual code instead of calling it; but last time I tried adding an integration test it was strongly suggested that a unit test should be done instead, so I am following the suggestion here.

@kolyshkin
Copy link
Contributor Author

z failure (unrelated):

14:21:28 === RUN TestServiceWithPredefinedNetwork
14:21:41 --- FAIL: TestServiceWithPredefinedNetwork (12.32s)
14:21:41 daemon.go:283: [ded513e563058] waiting for daemon to start
14:21:41 daemon.go:315: [ded513e563058] daemon started
14:21:41 service_test.go:52: timeout hit after 10s: task count at 1 waiting for 0
14:21:41 daemon.go:273: [ded513e563058] exiting daemon
14:21:41 FAIL

@kolyshkin kolyshkin mentioned this pull request Mar 8, 2018
Closed
vdemeester
vdemeester approved these changes Mar 9, 2018
View reviewed changes
Copy link
Member

@vdemeester vdemeester left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 🐸

@thaJeztah
Copy link
Member

Opened #36547 for the flaky TestServiceWithPredefinedNetwork

@yongtang yongtang merged commit cda9089 into moby:master Mar 10, 2018
@thaJeztah thaJeztah mentioned this pull request Mar 12, 2018
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vdemeester vdemeester vdemeester approved these changes

@AkihiroSuda AkihiroSuda AkihiroSuda approved these changes
Assignees
No one assigned
Labels
status/4-merge
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

7 participants
@kolyshkin @tonistiigi @thaJeztah @vdemeester @AkihiroSuda @yongtang @GordonTheTurtle