My environment is as follows:
OS: OpenEuler 22.04
Podman: 3.4.4
Crun: 1.4.3
My issue:
I created containers on my host using podman, and the OS has been running for several days. I found that the root device sda2 is mounted on /tmp/crun.c8hM4O on the host. The output of lsblk is as follows:
```
[root@controller-1 opadmin]# lsblk
NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINTS
sda      8:0    0 557.9G  0 disk
├─sda1   8:1    0     1G  0 part /boot
├─sda2   8:2    0    50G  0 part /tmp/crun.c8hM4O
│                                /
├─sda3   8:3    0    50G  0 part /var/log
├─sda4   8:4    0     1K  0 part
├─sda5   8:5    0     4G  0 part [SWAP]
└─sda6   8:6    0 452.9G  0 part /opt/platform
sdb      8:16   0   1.1T  0 disk
sdc      8:32   0   1.1T  0 disk
sdd      8:48   1  14.6G  0 disk
```
I found the self-clone logic in the crun code. ensure_cloned_binary calls clone_binary, and clone_binary calls try_bindfd. Here crun tries to bind-mount itself at %s/crun.XXXXXX, so I think this is what causes /dev/sda2 to be mounted on the %s/crun.XXXXXX directory. Is this normal or a bug?
```c
/* Headers needed by this function (mount(2), open(2), umask(2), PATH_MAX). */
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <unistd.h>

/* Bind-mount /proc/self/exe read-only at <statedir>/crun.XXXXXX, open it
 * with O_PATH, then lazily unmount it and unlink the temporary file. */
static int try_bindfd(void)
{
  mode_t mask;
  int fd, ret = -1;
  char template[PATH_MAX] = {0};
  char *prefix = getenv("_LIBCONTAINER_STATEDIR");
  if (!prefix || *prefix != '/')
    prefix = "/tmp";
  if (snprintf(template, sizeof(template), "%s/crun.XXXXXX", prefix) < 0)
    return ret;
  /*
   * We need somewhere to mount it, mounting anything over /proc/self is a
   * BAD idea on the host -- even if we do it temporarily.
   */
  mask = umask(0700);
  fd = mkstemp(template);
  umask(mask);
  if (fd < 0)
    return ret;
  close(fd);
  /*
   * For obvious reasons this won't work in rootless mode because we haven't
   * created a userns+mntns -- but getting that to work will be a bit
   * complicated and it's only worth doing if someone actually needs it.
   */
  ret = -EPERM;
  if (mount("/proc/self/exe", template, "", MS_BIND, "") < 0)
    goto out;
  if (mount("", template, "", MS_REMOUNT | MS_BIND | MS_RDONLY, "") < 0)
    goto out_umount;
  /* Get read-only handle that we're sure can't be made read-write. */
  ret = open(template, O_PATH | O_CLOEXEC);
out_umount:
  /*
   * Make sure the MNT_DETACH works, otherwise we could get remounted
   * read-write and that would be quite bad (the fd would be made read-write
   * too, invalidating the protection).
   */
  if (umount2(template, MNT_DETACH) < 0) {
    if (ret >= 0)
      close(ret);
    ret = -ENOTRECOVERABLE;
  }
out:
  /*
   * We don't care about unlink errors, the worst that happens is that
   * there's an empty file left around in STATEDIR.
   */
  unlink(template);
  return ret;
}
```
Can anyone help me?
wuji1020 changed the title from "Crun" to "Crun self clone and mount the /tmp/crun.c8hM4O to root dev" on Jan 8, 2024
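The lsblk output above is derived from the mount table: a bind mount of a single file (here the crun binary, which lives on the root filesystem) shows up in /proc/self/mountinfo with the backing device of / (sda2) as its source and the bound path as its root field, so lsblk lists sda2 under /tmp/crun.c8hM4O. The following scanner, added here as an example and not code from crun or the reporter, parses mountinfo-format text and reports any mount whose mount point matches the mkstemp() template %s/crun.XXXXXX that try_bindfd() uses. The sample mountinfo lines, mount IDs and the /usr/bin/crun root path are constructed for the example; on a live host pass /proc/self/mountinfo as the first argument.

```c
/* Added example, not crun's own code: scan mountinfo text for leftover
 * bind mounts at <dir>/crun.XXXXXX, the mkstemp() template used by
 * try_bindfd(). Mount IDs, devices and the /usr/bin/crun path in the
 * sample below are constructed for this example. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct crun_mount {
    char mountpoint[256]; /* field 5: where it is mounted                 */
    char root[256];       /* field 4: path inside the fs that was bound   */
    char fstype[32];      /* after " - ": filesystem type                 */
    char source[64];      /* after " - ": backing device, e.g. /dev/sda2  */
};

/* True if the last path component is "crun." followed by exactly six
 * alphanumeric characters, which is how mkstemp() fills in XXXXXX. */
int is_crun_tmpname(const char *path)
{
    const char *base = strrchr(path, '/');
    base = base ? base + 1 : path;
    if (strncmp(base, "crun.", 5) != 0 || strlen(base) != 11)
        return 0;
    for (const char *p = base + 5; *p; p++)
        if (!isalnum((unsigned char)*p))
            return 0;
    return 1;
}

/* Parse one /proc/self/mountinfo line (format per proc(5)):
 *   id parent maj:min root mountpoint mntopts [optional...] - fstype source superopts
 * Returns 1 and fills *out when the mount point matches the crun template.
 * (Spaces in paths are \040-escaped in mountinfo; not decoded here.) */
int parse_crun_mount(const char *line, struct crun_mount *out)
{
    char root[256], mnt[256], fstype[32], source[64];
    const char *sep;

    if (sscanf(line, "%*d %*d %*d:%*d %255s %255s", root, mnt) != 2)
        return 0;
    sep = strstr(line, " - ");          /* optional fields end at " - " */
    if (!sep || sscanf(sep + 3, "%31s %63s", fstype, source) != 2)
        return 0;
    if (!is_crun_tmpname(mnt))
        return 0;
    snprintf(out->mountpoint, sizeof out->mountpoint, "%s", mnt);
    snprintf(out->root, sizeof out->root, "%s", root);
    snprintf(out->fstype, sizeof out->fstype, "%s", fstype);
    snprintf(out->source, sizeof out->source, "%s", source);
    return 1;
}

/* Scan newline-separated mountinfo text; returns the number of matches stored. */
int find_crun_mounts(const char *text, struct crun_mount *out, int max)
{
    int n = 0;
    const char *p = text;
    while (*p && n < max) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len < sizeof line) {
            memcpy(line, p, len);
            line[len] = '\0';
            if (parse_crun_mount(line, &out[n]))
                n++;
        }
        if (!nl)
            break;
        p = nl + 1;
    }
    return n;
}

/* Constructed sample in the shape of the reporter's host: / on sda2 and a
 * read-only bind of the crun binary still present at /tmp/crun.c8hM4O. */
const char SAMPLE_MOUNTINFO[] =
    "24 1 8:2 / / rw,relatime - ext4 /dev/sda2 rw\n"
    "30 24 8:1 / /boot rw,relatime - ext4 /dev/sda1 rw\n"
    "31 24 8:3 / /var/log rw,relatime - ext4 /dev/sda3 rw\n"
    "287 24 8:2 /usr/bin/crun /tmp/crun.c8hM4O ro,relatime - ext4 /dev/sda2 rw\n";

/* Read a whole file (e.g. /proc/self/mountinfo, which reports size 0) into a
 * malloc'd, NUL-terminated buffer. */
static char *slurp(const char *path)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return NULL;
    size_t cap = 8192, len = 0, got;
    char *buf = malloc(cap);
    while (buf && (got = fread(buf + len, 1, cap - len - 1, f)) > 0) {
        len += got;
        if (len + 1 >= cap)
            buf = realloc(buf, cap *= 2);
    }
    fclose(f);
    if (buf)
        buf[len] = '\0';
    return buf;
}

int main(int argc, char **argv)
{
    char *text = argc > 1 ? slurp(argv[1]) : NULL;
    struct crun_mount found[16];
    int n = find_crun_mounts(text ? text : SAMPLE_MOUNTINFO, found, 16);
    for (int i = 0; i < n; i++)
        printf("%s is a %s bind of %s on %s\n", found[i].mountpoint,
               found[i].fstype, found[i].root, found[i].source);
    if (n == 0)
        puts("no crun.XXXXXX mounts present");
    free(text);
    return 0;
}
```

Run without arguments to see the constructed sample resolved to "/tmp/crun.c8hM4O is a ext4 bind of /usr/bin/crun on /dev/sda2"; run with /proc/self/mountinfo on the affected host to check whether the mount is still listed in the root mount namespace, which is the same information lsblk and `findmnt /tmp/crun.c8hM4O` draw on.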