Crun self clone and mount the /tmp/crun.c8hM4O to root dev #1383

Open
wuji1020 opened this issue Jan 8, 2024 · 0 comments
wuji1020 commented Jan 8, 2024

My environment is as follows:

OS: openEuler 22.04
Podman: 3.4.4
crun: 1.4.3

My issue:

1. I had created containers on my host using podman, and the OS had been running for several days. I found that the root device sda2 is mounted on /tmp/crun.c8hM4O on the host. The output of lsblk is as follows.

   ```
   [root@controller-1 opadmin]# lsblk
   NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINTS
   sda      8:0    0 557.9G  0 disk
   ├─sda1   8:1    0     1G  0 part /boot
   ├─sda2   8:2    0    50G  0 part /tmp/crun.c8hM4O
   │                                /
   ├─sda3   8:3    0    50G  0 part /var/log
   ├─sda4   8:4    0     1K  0 part
   ├─sda5   8:5    0     4G  0 part [SWAP]
   └─sda6   8:6    0 452.9G  0 part /opt/platform
   sdb      8:16   0   1.1T  0 disk
   sdc      8:32   0   1.1T  0 disk
   sdd      8:48   1  14.6G  0 disk
   ```

2. I found the self-clone in the crun code. ensure_cloned_binary calls clone_binary, and clone_binary then calls the try_bindfd function. Here crun tries to mount itself to %s/crun.XXXXXX, so I think this is the place that causes /dev/sda2 to be mounted on the %s/crun.XXXXXX directory. Is this normal or a bug?
```c
/* Headers added so the quoted function builds on its own; O_PATH needs _GNU_SOURCE. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <unistd.h>

static int try_bindfd(void)
{
	mode_t mask;
	int fd, ret = -1;
	char template[PATH_MAX] = {0};
	char *prefix = getenv("_LIBCONTAINER_STATEDIR");

	if (!prefix || *prefix != '/')
		prefix = "/tmp";
	if (snprintf(template, sizeof(template), "%s/crun.XXXXXX", prefix) < 0)
		return ret;

	/*
	 * We need somewhere to mount it, mounting anything over /proc/self is a
	 * BAD idea on the host -- even if we do it temporarily.
	 */
	mask = umask(0700);
	fd = mkstemp(template);
	umask(mask);
	if (fd < 0)
		return ret;
	close(fd);

	/*
	 * For obvious reasons this won't work in rootless mode because we haven't
	 * created a userns+mntns -- but getting that to work will be a bit
	 * complicated and it's only worth doing if someone actually needs it.
	 */
	ret = -EPERM;
	/* Bind-mount our own binary (a single file) onto the temporary path. */
	if (mount("/proc/self/exe", template, "", MS_BIND, "") < 0)
		goto out;
	/* Remount the bind read-only before taking a handle to it. */
	if (mount("", template, "", MS_REMOUNT | MS_BIND | MS_RDONLY, "") < 0)
		goto out_umount;

	/* Get read-only handle that we're sure can't be made read-write. */
	ret = open(template, O_PATH | O_CLOEXEC);

out_umount:
	/*
	 * Make sure the MNT_DETACH works, otherwise we could get remounted
	 * read-write and that would be quite bad (the fd would be made read-write
	 * too, invalidating the protection).
	 */
	if (umount2(template, MNT_DETACH) < 0) {
		if (ret >= 0)
			close(ret);
		ret = -ENOTRECOVERABLE;
	}

out:
	/*
	 * We don't care about unlink errors, the worst that happens is that
	 * there's an empty file left around in STATEDIR.
	 */
	unlink(template);
	return ret;
}
```

Can anyone help me?

wuji1020 changed the title from "Crun" to "Crun self clone and mount the /tmp/crun.c8hM4O to root dev" on Jan 8, 2024
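The function quoted above bind-mounts /proc/self/exe (a single file) onto a freshly created <prefix>/crun.XXXXXX path, remounts it read-only, opens an O_PATH handle and then detaches the mount with MNT_DETACH, so a /tmp/crun.XXXXXX mount that is still visible afterwards deserves a closer look. The script below is an added example, not crun's or the reporter's code: it parses a mountinfo dump (by default /proc/self/mountinfo) and lists every mount whose mount point is shaped like <prefix>/crun.<suffix>, together with the mount's root field, its source device and whether it is read-only. For a bind mount of the kind try_bindfd creates, the root field is the path of the crun binary inside its filesystem rather than /, a distinction lsblk hides because it reports only the backing device (sda2 in the report above). The mountinfo sample is constructed; the mount IDs, the /usr/bin/crun path and the /tmp/crun.ZZ1234 whole-filesystem entry are assumptions made for contrast.

```shell
#!/bin/sh
# Added example (not crun's code): report mounts that sit under <prefix>/crun.XXXXXX,
# the template try_bindfd uses, by parsing a mountinfo dump.
#
# mountinfo line layout (proc(5)):
#   <id> <parent> <maj:min> <root> <mountpoint> <options> [optional...] - <fstype> <source> <superopts>

# find_crun_mounts [MOUNTINFO_FILE] [PREFIX]
# Prints "<mountpoint> <root> <source> <ro|rw>" for every matching mount.
find_crun_mounts() {
  file=${1:-/proc/self/mountinfo}
  prefix=${2:-/tmp}
  awk -v prefix="$prefix" '
    {
      # Optional fields are variable-length, so locate the "-" separator first.
      sep = 0
      for (i = 7; i <= NF; i++) if ($i == "-") { sep = i; break }
      if (sep == 0) next
      root = $4; mountpoint = $5; opts = $6; source = $(sep + 2)
      # Keep only mount points shaped like <prefix>/crun.<mkstemp suffix>.
      if (mountpoint !~ ("^" prefix "/crun\\.[A-Za-z0-9]+$")) next
      # The per-mount options start with rw or ro; try_bindfd remounts with MS_RDONLY.
      state = (opts ~ /^ro(,|$)/) ? "ro" : "rw"
      print mountpoint, root, source, state
    }' "$file"
}

# Constructed mountinfo sample (IDs and paths are made up): the host root on sda2,
# a single-file bind mount of the crun binary (what try_bindfd creates), an assumed
# whole-filesystem bind mount under a crun.* name for contrast, and an unrelated tmpfs.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
22 1 8:2 / / rw,relatime shared:1 - ext4 /dev/sda2 rw
150 22 8:2 /usr/bin/crun /tmp/crun.c8hM4O ro,relatime shared:1 - ext4 /dev/sda2 rw
151 22 8:2 / /tmp/crun.ZZ1234 rw,relatime shared:1 - ext4 /dev/sda2 rw
160 22 0:45 / /tmp/podman-run.abc rw,relatime - tmpfs tmpfs rw
EOF

# Usage: scan the sample; on a live host call find_crun_mounts with no arguments
# (or pass the _LIBCONTAINER_STATEDIR value as the second argument).
find_crun_mounts "$SAMPLE"
```

A line whose root column is the binary path and whose state is ro matches what try_bindfd sets up before it calls umount2(MNT_DETACH); a line with root / would be a bind of the whole filesystem and not this code path. Either way, `findmnt -R <mountpoint>` on the host gives the propagation and option details that lsblk omits.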