This repository has been archived by the owner on May 12, 2021. It is now read-only.
vc: make host shared path readonly #2713
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
bergwolf
force-pushed
the
ro-shared-dir
branch
2 times, most recently
from
2b5a529 to
a2269c7
Compare
Codecov Report
@@ Coverage Diff @@
## master #2713 +/- ##
==========================================
+ Coverage 45.57% 50.50% +4.92%
==========================================
Files 118 118
Lines 17261 17291 +30
==========================================
+ Hits 7867 8732 +865
+ Misses 8517 7486 -1031
- Partials 877 1073 +196 |
|
@bergwolf CI seems to be failing. Can you take a look? |
|
Yeah, it's slightly ironic 😄: |
bergwolf
force-pushed
the
ro-shared-dir
branch
2 times, most recently
from
570615e to
8eae5b1
Compare
|
/test |
|
Thanks @jodh-intel ! I wasn't expecting dm based rootfs to still use the shared fs path but it turns out that we do reply on shared fs path even if there is no file system to share. |
We need to make sure containers cannot modify host path unless it is explicitly shared to it. Right now we expose an additional top level shared directory to the guest and allow it to be modified. This is less ideal and can be enhanced by following method: 1. create two directories for each sandbox: -. /run/kata-containers/shared/sandboxes/$sbx_id/mounts/, a directory to hold all host/guest shared mounts -. /run/kata-containers/shared/sandboxes/$sbx_id/shared/, a host/guest shared directory (9pfs/virtiofs source dir) 2. /run/kata-containers/shared/sandboxes/$sbx_id/mounts/ is bind mounted readonly to /run/kata-containers/shared/sandboxes/$sbx_id/shared/, so guest cannot modify it 3. host-guest shared files/directories are mounted one-level under /run/kata-containers/shared/sandboxes/$sbx_id/mounts/ and thus present to guest at one level under /run/kata-containers/shared/sandboxes/$sbx_id/shared/ Fixes: kata-containers#2712 Signed-off-by: Peng Tao <bergwolf@hyper.sh>
|
The two failed ci are unrelated and tracked at kata-containers/tests#2594 and kata-containers/tests#2592 |
teawater
approved these changes
Jun 2, 2020
|
@jcvenegas and @likebreath there is an issue with the ci of clh-k8s could you please take a look? |
|
@GabyCT I believe the clh-k8s-crio is still work-in-progress, and we should be able to ignore its failing for now. @jcvenegas Please correct me if I am mistaken on it. |
liubogithub
reviewed
Nov 19, 2020
| // Ensure container mount destination exists | ||
| // TODO: remove dependency on shared fs path. shared fs is just one kind of storage sources. | ||
| // we should not always use shared fs path for all kinds of storage. Stead, all storage | ||
| // should be bind mounted to a tmpfs path for containers to use. |
# for free
to subscribe to this conversation on GitHub.
Already have an account?
#.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
We need to make sure containers cannot modify host path unless it is explicitly shared to it. Right now we expose an additional top level shared directory to the guest and allow it to be modified. This is less ideal and can be enhanced by following method:
-. /run/kata-containers/shared/sandboxes/$sbx_id/mounts/, a directory to hold all host/guest shared mounts
-. /run/kata-containers/shared/sandboxes/$sbx_id/shared/, a host/guest shared directory (9pfs/virtiofs source dir)
Fixes: #2712