Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[1.2] dmz: overlay: minor fixups #4530

Merged
merged 4 commits into from
Nov 15, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 0 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -113,8 +113,6 @@ The following build tags were used earlier, but are now obsoleted:
- **apparmor** (since runc v1.0.0-rc93 the feature is always enabled)
- **selinux** (since runc v1.0.0-rc93 the feature is always enabled)

[contrib-memfd-bind]: /contrib/cmd/memfd-bind/README.md

### Running the test suite

`runc` currently supports running its test suite via Docker.
Expand Down
13 changes: 12 additions & 1 deletion contrib/cmd/memfd-bind/README.md
Original file line number Diff line number Diff line change
@@ -1,6 +1,15 @@
## memfd-bind ##

`runc` normally has to make a binary copy of itself when constructing a
> **NOTE**: Since runc 1.2.0, runc will now use a private overlayfs mount to
> protect the runc binary (if you are on Linux 5.1 or later). This protection
> is far more light-weight than memfd-bind, and for most users this should
> obviate the need for `memfd-bind` entirely. Rootless containers will still
> make a memfd copy (unless you are using `runc` itself inside a user namespace
> -- a-la [`rootlesskit`][rootlesskit] -- and are on Linux 5.11 or later), but
> `memfd-bind` is not particularly useful for rootless container users anyway
> (see [Caveats](#Caveats) for more details).

`runc` sometimes has to make a binary copy of itself when constructing a
container process in order to defend against certain container runtime attacks
such as CVE-2019-5736.

Expand Down Expand Up @@ -38,6 +47,8 @@ much memory usage they can use:
container process setup takes up about 10MB per process spawned inside the
container by runc (both pid1 and `runc exec`).

[rootlesskit]: https://github.com/rootless-containers/rootlesskit

### Caveats ###

There are several downsides with using `memfd-bind` on the `runc` binary:
Expand Down
7 changes: 7 additions & 0 deletions libcontainer/dmz/overlayfs_linux.go
Original file line number Diff line number Diff line change
Expand Up @@ -84,6 +84,13 @@ func sealedOverlayfs(binPath, tmpDir string) (_ *os.File, Err error) {
return nil, fmt.Errorf("fsconfig set overlayfs lowerdir=%s: %w", lowerDirStr, err)
}

// We don't care about xino (Linux 4.17) but it will be auto-enabled on
// some systems (if /run/runc and /usr/bin are on different filesystems)
// and this produces spurious dmesg log entries. We can safely ignore
// errors when disabling this because we don't actually care about the
// setting and we're just opportunistically disabling it.
_ = unix.FsconfigSetString(int(overlayCtx.Fd()), "xino", "off")

// Get an actual handle to the overlayfs.
if err := unix.FsconfigCreate(int(overlayCtx.Fd())); err != nil {
return nil, os.NewSyscallError("fsconfig create overlayfs", err)
Expand Down
Loading