Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feature: Support atomfs molecule mount in containers #359

Merged
merged 2 commits into from
Jan 5, 2023
Merged

feature: Support atomfs molecule mount in containers #359

merged 2 commits into from
Jan 5, 2023

Conversation

hallyn
Copy link
Contributor

@hallyn hallyn commented Dec 13, 2022

Support mounting atomfs stacks as root in a container.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

smoser
smoser requested changes Dec 13, 2022
View reviewed changes
Copy link
Contributor

@smoser smoser left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

some suggestions / questions.
i do think the uid_map reading is wrong, so i'm saying 'Request changes'

squashfs/verity.go Outdated Show resolved Hide resolved
squashfs/verity.go Outdated Show resolved Hide resolved
squashfs/squashfs.go Outdated Show resolved Hide resolved
atomfs/molecule.go Outdated Show resolved Hide resolved
squashfs/squashfs.go Outdated Show resolved Hide resolved
squashfs/squashfs.go Outdated Show resolved Hide resolved
@hallyn hallyn marked this pull request as ready for review December 19, 2022 19:45
@hallyn hallyn marked this pull request as draft December 19, 2022 19:57
@hallyn hallyn force-pushed the 2022-12-11/mol-fuse branch 4 times, most recently from a7eef77 to 88b0636 Compare December 19, 2022 21:43
@hallyn hallyn marked this pull request as ready for review December 19, 2022 21:48
@hallyn hallyn marked this pull request as draft December 19, 2022 21:54
@rchincha rchincha added this to the v0.40.2 milestone Dec 19, 2022
@rchincha
Copy link
Contributor

Slated for v0.40.2

@hallyn hallyn marked this pull request as ready for review December 19, 2022 22:18
@hallyn
feat: use custom lockfile if we can't create one under /tmp
37021f0 
Signed-off-by: Serge Hallyn <serge@hallyn.com>
@hallyn
Copy link
Contributor Author

hallyn commented Dec 19, 2022

using fmt.Errorf directive; use errors.Errorf instead

That is wrong guidance. I see that it's hardcoded in test/static-analysis.sh, but as I don't have my nitrokey with me I can't append a patch to this PR to remove it.

smoser
smoser reviewed Dec 20, 2022
View reviewed changes
pkg/squashfs/verity.go Show resolved Hide resolved
pkg/squashfs/verity_test.go Show resolved Hide resolved
smoser
smoser reviewed Dec 20, 2022
View reviewed changes
Copy link
Contributor

@smoser smoser left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are some issues that need fixing.

Would it be easier / better to have 'guestMount' return a known error?

noSquashFuseAvailable = errors.New("No squashfuse binary in PATH")

And then callers could handle that error specially ?

pkg/squashfs/verity.go Outdated Show resolved Hide resolved
pkg/squashfs/squashfs.go Outdated Show resolved Hide resolved
pkg/squashfs/squashfs.go Outdated Show resolved Hide resolved
@hallyn hallyn force-pushed the 2022-12-11/mol-fuse branch 2 times, most recently from 18b73d1 to e472442 Compare December 21, 2022 15:00
@hallyn
Copy link
Contributor Author

hallyn commented Dec 21, 2022

There are some issues that need fixing.

Would it be easier / better to have 'guestMount' return a known error?

noSquashFuseAvailable = errors.New("No squashfuse binary in PATH")

And then callers could handle that error specially ?

Oh - that's what I ended up doing.

@hallyn hallyn force-pushed the 2022-12-11/mol-fuse branch 2 times, most recently from 1e4402e to 30968be Compare December 21, 2022 16:06
smoser
smoser reviewed Dec 21, 2022
View reviewed changes
pkg/squashfs/verity.go Outdated Show resolved Hide resolved
@hallyn hallyn force-pushed the 2022-12-11/mol-fuse branch 2 times, most recently from 49f9503 to a86d7aa Compare December 21, 2022 16:35
@hallyn
feat: atomfs mount: use squashfuse for non-root users
6a64317 
While stacker knows how to use squashfuse for 'stacker grab', that
function simply keeps the squashfuse process running for the duration
of the grab, then lets it close.  For atomfs molecule.Mount, we must
release that process.

So when doing atomfs.Mount(),

first check whether we are definitely NOT root using amHostRoot().
There is a corner case which can slip past this - namely if you,
as root, create a userns wherein you map the full host uid range.
However, you'll never have real root being told it wasn't real
root.

Second, if neither of those are the case, then try the regular
mount syscall, requiring root.  If that succeeds, or fails with
a non-permission error, then return.

If we are detected as not-real-root, or if mount failed as real root
with a permission error, and no verity root has was provided, then use
squashfuse, and release the exec'd process so that it can outlive us.

The actual squashfuse mount function is shared with the
extract path.

Signed-off-by: Serge Hallyn <serge@hallyn.com>
@hallyn hallyn merged commit 28fcdb4 into project-stacker:main Jan 5, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@smoser smoser smoser requested changes

@rchincha rchincha Awaiting requested review from rchincha rchincha is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v0.40.2
Development

Successfully merging this pull request may close these issues.
3 participants
@hallyn @rchincha @smoser