Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bubblewrap should fall back to MS_MOVE if pivot_root() fails #592

Open
DaanDeMeyer opened this issue Sep 8, 2023 · 8 comments
Open

bubblewrap should fall back to MS_MOVE if pivot_root() fails #592

DaanDeMeyer opened this issue Sep 8, 2023 · 8 comments

Comments

@DaanDeMeyer
Copy link

pivot_root() does not work in the initramfs. As a fallback, MS_MOVE can be used together with chroot() to mimick pivot_root() somewhat. bubblewrap should use this fallback if pivot_root() is not possible (e.g. when running bubblewrap from the initramfs) so that bubblewrap can be used from the initramfs.

Currently running bubblewrap from the initramfs fails with bwrap: pivot_root: Invalid argument
@smcv
Copy link
Collaborator

smcv commented Sep 8, 2023

so that bubblewrap can be used from the initramfs

What's your use-case for using bubblewrap in an initramfs?

During early boot, at which point you are root and already have every privilege that could possibly exist, a tool that is not constrained by being designed for use by unprivileged users might be more successful.

@DaanDeMeyer
Copy link
Author

What's your use-case for using bubblewrap in an initramfs?

I often boot straight into an initramfs as it is faster and easier than building and booting into a full disk image.

During early boot, at which point you are root and already have every privilege that could possibly exist, a tool that is not constrained by being designed for use by unprivileged users might be more successful.

Sure, but the tool I maintain (https://github.com/systemd/mkosi) does have those constraints and is specifically intended to be used by unprivileged users. It just so happens that I also want to be able to run it from an initramfs. Supporting an alternative to bubblewrap in mkosi just to be able to run mkosi from an initramfs seems like a huge amount of work compared to making sure bubblewrap can operate in an initramfs.

@rusty-snake
Copy link
Contributor

Related: #595

@DaanDeMeyer
Copy link
Author

Workaround:

unshare --mount
mount --rbind / /abc --mkdir
cd /abc
mount --move . /
chroot .
# bwrap will not get EINVAL from pivot_root() anymore

@aconz2
Copy link

aconz2 commented Jul 24, 2024
edited
Loading

sorry for the tangential comment, but that workaround is very helpful, thanks for sharing @DaanDeMeyer . I came across this issue in googling a pivot_root error from crun running from initramfs and that fixes it. Are there any caveats to using that approach? I don't fully understand/appreciate what it is doing. My notes on using it to run a container in a VM from initramfs are here. Now that I say that, kata must deal with the same thing since that is also from initramfs, I think somewhere in here but only took a glance right now

@DaanDeMeyer
Copy link
Author

sorry for the tangential comment, but that workaround is very helpful, thanks for sharing @DaanDeMeyer . I came across this issue in googling a pivot_root error from crun running from initramfs and that fixes it. Are there any caveats to using that approach? I don't fully understand/appreciate what it is doing. My notes on using it to run a container in a VM from initramfs are here. Now that I say that, kata must deal with the same thing since that is also from initramfs, I think somewhere in here but only took a glance right now

I haven't encountered any caveats yet but I don't use this to run a container runtime so I wouldn't know.

@aconz2
Copy link

aconz2 commented Jul 25, 2024
edited
Loading

Could you explain why this works? My vague understanding was that pivot_root cannot be called on a rootfs and even after using the above trick, I still get rootfs on / type rootfs from mount, but pivot_root does work. EDIT: (to try not to spam this thread any further). I wrote up an explanation for why this works in case anyone finds this thread in the future. It is indeed as simple as setting up a parent mount, but that didn't make sense to me a few days ago.

@aconz2 aconz2 mentioned this issue Jul 25, 2024
Closed
@DaanDeMeyer
Copy link
Author

pivot_root needs a parent mount that it can switch, this snippet sets up a parent mount.

@aconz2 aconz2 mentioned this issue Jul 31, 2024
Closed
cyphar added a commit to cyphar/runc that referenced this issue Oct 10, 2024
@cyphar
rootfs: make pivot_root(2) dance handle initramfs case
16b45c8 
While pivot_root(2) normally refuses to pivot a mount if you are running
with / as initramfs (because initramfs doesn't have a parent mount), you
can create a bind-mount and make that a new root to work around this
problem.

This hack is fairly well known and is used all over the place (see
[1,2]) but until now we have forced users to have a far less secure
configuration with --no-pivot. There are some minor issues with this
trick (the initramfs sticks around at the top of the mount tree, but is
completely masked) but they don't really matter for containers.

[1]: containers/bubblewrap#592 (comment)
[2]: https://aconz2.github.io/2024/07/29/container-from-initramfs.html

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
@kolyshkin kolyshkin mentioned this issue Oct 10, 2024
Draft
cyphar added a commit to cyphar/runc that referenced this issue Oct 25, 2024
@cyphar
rootfs: make pivot_root(2) dance handle initramfs case
a69d9d3 
While pivot_root(2) normally refuses to pivot a mount if you are running
with / as initramfs (because initramfs doesn't have a parent mount), you
can create a bind-mount of / and make that your new root to work around
this problem. This does use chroot(2), but this is only done temporarily
to set current->fs->root to the new mount. Once pivot_root(2) finishes,
the chroot(2) and / are gone.

Variants of this hack are fairly well known and is used all over the
place (see [1,2]) but until now we have forced users to have a far less
secure configuration with --no-pivot. This is a slightly modified
version that uses the container rootfs as the temporary spot for the /
clone -- this allows runc to continue working with read-only image-based
OS images.

[1]: containers/bubblewrap#592 (comment)
[2]: https://aconz2.github.io/2024/07/29/container-from-initramfs.html

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
cyphar added a commit to cyphar/runc that referenced this issue Oct 25, 2024
@cyphar
rootfs: make pivot_root(2) dance handle initramfs case
af71639 
While pivot_root(2) normally refuses to pivot a mount if you are running
with / as initramfs (because initramfs doesn't have a parent mount), you
can create a bind-mount of / and make that your new root to work around
this problem. This does use chroot(2), but this is only done temporarily
to set current->fs->root to the new mount. Once pivot_root(2) finishes,
the chroot(2) and / are gone.

Variants of this hack are fairly well known and is used all over the
place (see [1,2]) but until now we have forced users to have a far less
secure configuration with --no-pivot. This is a slightly modified
version that uses the container rootfs as the temporary spot for the /
clone -- this allows runc to continue working with read-only image-based
OS images.

[1]: containers/bubblewrap#592 (comment)
[2]: https://aconz2.github.io/2024/07/29/container-from-initramfs.html

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
cyphar added a commit to cyphar/runc that referenced this issue Oct 25, 2024
@cyphar
rootfs: make pivot_root(2) dance handle initramfs case
b2f0125 
While pivot_root(2) normally refuses to pivot a mount if you are running
with / as initramfs (because initramfs doesn't have a parent mount), you
can create a bind-mount of / and make that your new root to work around
this problem. This does use chroot(2), but this is only done temporarily
to set current->fs->root to the new mount. Once pivot_root(2) finishes,
the chroot(2) and / are gone.

Variants of this hack are fairly well known and is used all over the
place (see [1,2]) but until now we have forced users to have a far less
secure configuration with --no-pivot. This is a slightly modified
version that uses the container rootfs as the temporary spot for the /
clone -- this allows runc to continue working with read-only image-based
OS images.

[1]: containers/bubblewrap#592 (comment)
[2]: https://aconz2.github.io/2024/07/29/container-from-initramfs.html

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
cyphar added a commit to cyphar/runc that referenced this issue Oct 28, 2024
@cyphar
rootfs: make pivot_root(2) dance handle initramfs case
1e23a2e 
While pivot_root(2) normally refuses to pivot a mount if you are running
with / as initramfs (because initramfs doesn't have a parent mount), you
can create a bind-mount of / and make that your new root to work around
this problem. This does use chroot(2), but this is only done temporarily
to set current->fs->root to the new mount. Once pivot_root(2) finishes,
the chroot(2) and / are gone.

Variants of this hack are fairly well known and is used all over the
place (see [1,2]) but until now we have forced users to have a far less
secure configuration with --no-pivot. This is a slightly modified
version that uses the container rootfs as the temporary spot for the /
clone -- this allows runc to continue working with read-only image-based
OS images.

[1]: containers/bubblewrap#592 (comment)
[2]: https://aconz2.github.io/2024/07/29/container-from-initramfs.html

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
cyphar added a commit to cyphar/runc that referenced this issue Oct 29, 2024
@cyphar
rootfs: make pivot_root(2) dance handle initramfs case
1e24e82 
While pivot_root(2) normally refuses to pivot a mount if you are running
with / as initramfs (because initramfs doesn't have a parent mount), you
can create a bind-mount of / and make that your new root to work around
this problem. This does use chroot(2), but this is only done temporarily
to set current->fs->root to the new mount. Once pivot_root(2) finishes,
the chroot(2) and / are gone.

Variants of this hack are fairly well known and is used all over the
place (see [1,2]) but until now we have forced users to have a far less
secure configuration with --no-pivot. This is a slightly modified
version that uses the container rootfs as the temporary spot for the /
clone -- this allows runc to continue working with read-only image-based
OS images.

[1]: containers/bubblewrap#592 (comment)
[2]: https://aconz2.github.io/2024/07/29/container-from-initramfs.html

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
cyphar added a commit to cyphar/runc that referenced this issue Oct 30, 2024
@cyphar
rootfs: make pivot_root(2) dance handle initramfs case
7f84857 
While pivot_root(2) normally refuses to pivot a mount if you are running
with / as initramfs (because initramfs doesn't have a parent mount), you
can create a bind-mount of / and make that your new root to work around
this problem. This does use chroot(2), but this is only done temporarily
to set current->fs->root to the new mount. Once pivot_root(2) finishes,
the chroot(2) and / are gone.

Variants of this hack are fairly well known and is used all over the
place (see [1,2]) but until now we have forced users to have a far less
secure configuration with --no-pivot. This is a slightly modified
version that uses the container rootfs as the temporary spot for the /
clone -- this allows runc to continue working with read-only image-based
OS images.

[1]: containers/bubblewrap#592 (comment)
[2]: https://aconz2.github.io/2024/07/29/container-from-initramfs.html

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@smcv @aconz2 @DaanDeMeyer @rusty-snake