From: "Ludovic Courtès" <ludo@gnu.org>
To: Jan Nieuwenhuizen <janneke@gnu.org>
Cc: 44261@debbugs.gnu.org
Subject: bug#44261: running a daemon with userns in relocateble pack breaks
Date: Fri, 30 Oct 2020 22:33:42 +0100 [thread overview]
Message-ID: <871rhfxutl.fsf@gnu.org> (raw)
In-Reply-To: <875z6v2zz5.fsf@gnu.org> (Jan Nieuwenhuizen's message of "Tue, 27 Oct 2020 21:09:02 +0100")
[-- Attachment #1: Type: text/plain, Size: 813 bytes --]
Hello!
As discussed on IRC, my initial advice about MS_PRIVATE was misguided.
The real issue is the “rm_rf (new_root);” call, which removes the root
directory and thus leaves child processes (the daemon) with nothing.
The attached patch adds a test loosely based on yours and a fix for
that. The fix (for the “userns” engine) is to make NEW_ROOT a tmpfs,
such that upon completion, all we need to do is to unmount it and remove
it; it lives on as the root file system of child processes.
In the “fakechroot” case, we have to leave NEW_ROOT behind, which is not
great but acceptable (it’s user-owned, #o700, and it’s under /tmp). The
test only checks the “userns” engine.
If you confirm that it works for you and looks reasonable, we can apply
it.
Thanks,
Ludo’.
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: Type: text/x-patch, Size: 6809 bytes --]
diff --git a/gnu/packages/aux-files/run-in-namespace.c b/gnu/packages/aux-files/run-in-namespace.c
index 52a16a5362..1d64ef9f44 100644
--- a/gnu/packages/aux-files/run-in-namespace.c
+++ b/gnu/packages/aux-files/run-in-namespace.c
@@ -41,6 +41,7 @@
#include <fcntl.h>
#include <dirent.h>
#include <sys/syscall.h>
+#include <sys/prctl.h>
/* Whether we're building the ld.so/libfakechroot wrapper. */
#define HAVE_EXEC_WITH_LOADER \
@@ -258,11 +259,20 @@ exec_in_user_namespace (const char *store, int argc, char *argv[])
{
/* Spawn @WRAPPED_PROGRAM@ in a separate namespace where STORE is
bind-mounted in the right place. */
- int err;
+ int err, is_tmpfs;
char *new_root = mkdtemp (strdup ("/tmp/guix-exec-XXXXXX"));
char *new_store = concat (new_root, original_store);
char *cwd = get_current_dir_name ();
+ /* Become the new parent of grand-children when their parent dies. */
+ prctl (PR_SET_CHILD_SUBREAPER, 1);
+
+ /* Optionally, make NEW_ROOT a tmpfs. That way, if we have to leave it
+ behind because there are sub-processes still running when this wrapper
+ exits, it's OK. */
+ err = mount ("none", new_root, "tmpfs", 0, NULL);
+ is_tmpfs = (err == 0);
+
/* Create a child with separate namespaces and set up bind-mounts from
there. That way, bind-mounts automatically disappear when the child
exits, which simplifies cleanup for the parent. Note: clone is more
@@ -300,6 +310,7 @@ exec_in_user_namespace (const char *store, int argc, char *argv[])
/* Failure: user namespaces not supported. */
fprintf (stderr, "%s: error: 'clone' failed: %m\n", argv[0]);
rm_rf (new_root);
+ free (new_root);
break;
default:
@@ -312,10 +323,27 @@ exec_in_user_namespace (const char *store, int argc, char *argv[])
write_id_map (child, "uid_map", getuid ());
write_id_map (child, "gid_map", getgid ());
- int status;
+ int status, status_other;
waitpid (child, &status, 0);
- chdir ("/"); /* avoid EBUSY */
- rm_rf (new_root);
+
+ if (is_tmpfs)
+ {
+ /* NEW_ROOT lives on in child processes and we no longer need it
+ to exist as an empty directory in the global namespace. */
+ umount (new_root);
+ rmdir (new_root);
+ }
+ /* Check whether there are child processes left. If there are none,
+ we can remove NEW_ROOT just fine. Conversely, if there are
+ processes left (for example because this wrapper's child forked),
+ we have to leave NEW_ROOT behind so that those processes can still
+ access their root file system (XXX). */
+ else if (waitpid (-1 , &status_other, WNOHANG) == -1)
+ {
+ chdir ("/"); /* avoid EBUSY */
+ rm_rf (new_root);
+ }
+
free (new_root);
if (WIFEXITED (status))
@@ -490,6 +518,9 @@ exec_with_loader (const char *store, int argc, char *argv[])
setenv ("FAKECHROOT_BASE", new_root, 1);
+ /* Become the new parent of grand-children when their parent dies. */
+ prctl (PR_SET_CHILD_SUBREAPER, 1);
+
pid_t child = fork ();
switch (child)
{
@@ -507,11 +538,18 @@ exec_with_loader (const char *store, int argc, char *argv[])
default:
{
- int status;
+ int status, status_other;
waitpid (child, &status, 0);
- chdir ("/"); /* avoid EBUSY */
- rm_rf (new_root);
- free (new_root);
+
+ /* If there are child processes still running, leave NEW_ROOT around
+ so they can still access it. XXX: In that case NEW_ROOT is left
+ behind. */
+ if (waitpid (-1 , &status_other, WNOHANG) == -1)
+ {
+ chdir ("/"); /* avoid EBUSY */
+ rm_rf (new_root);
+ free (new_root);
+ }
close (2); /* flushing stderr should be silent */
diff --git a/tests/guix-pack-relocatable.sh b/tests/guix-pack-relocatable.sh
index a960ecd209..88cbe63b59 100644
--- a/tests/guix-pack-relocatable.sh
+++ b/tests/guix-pack-relocatable.sh
@@ -58,6 +58,19 @@ run_without_store ()
fi
}
+# Wait for the given file to show up. Error out if it doesn't show up in a
+# timely fashion.
+wait_for_file ()
+{
+ i=0
+ while ! test -f "$1" && test $i -lt 20
+ do
+ sleep 0.3
+ i=`expr $i + 1`
+ done
+ test -f "$1"
+}
+
test_directory="`mktemp -d`"
export test_directory
trap 'chmod -Rf +w "$test_directory"; rm -rf "$test_directory"' EXIT
@@ -129,6 +142,65 @@ case "`uname -m`" in
;;
esac
+if unshare -r true
+then
+ # Check what happens if the wrapped binary forks and leaves child
+ # processes behind, like a daemon. The root file system should remain
+ # available to those child processes. See <https://bugs.gnu.org/44261>.
+ cat > "$test_directory/manifest.scm" <<EOF
+(use-modules (guix))
+
+(define daemon
+ (program-file "daemon"
+ #~(begin
+ (use-modules (ice-9 match)
+ (ice-9 ftw))
+
+ (call-with-output-file "parent-store"
+ (lambda (port)
+ (write (scandir (ungexp (%store-prefix)))
+ port)))
+
+ (match (primitive-fork)
+ (0 (sigaction SIGHUP (const #t))
+ (call-with-output-file "pid"
+ (lambda (port)
+ (display (getpid) port)))
+ (pause)
+ (call-with-output-file "child-store"
+ (lambda (port)
+ (write (scandir (ungexp (%store-prefix)))
+ port))))
+ (_ #t)))))
+
+(define package
+ (computed-file "package"
+ #~(let ((out (ungexp output)))
+ (mkdir out)
+ (mkdir (string-append out "/bin"))
+ (symlink (ungexp daemon)
+ (string-append out "/bin/daemon")))))
+
+(manifest (list (manifest-entry
+ (name "daemon")
+ (version "0")
+ (item package))))
+EOF
+
+ tarball="$(guix pack -S /bin=bin -R -m "$test_directory/manifest.scm")"
+ (cd "$test_directory"; tar xf "$tarball")
+
+ # Run '/bin/daemon', which forks, then wait for the child, send it SIGHUP
+ # so that it dumps its view of the store, and make sure the child and
+ # parent both see the same store contents.
+ (cd "$test_directory"; run_without_store ./bin/daemon)
+ wait_for_file "$test_directory/pid"
+ kill -HUP $(cat "$test_directory/pid")
+ diff -u "$test_directory/parent-store" "$test_directory/child-store"
+
+ chmod -Rf +w "$test_directory"; rm -rf "$test_directory"/*
+fi
+
# Ensure '-R' works with outputs other than "out".
tarball="`guix pack -R -S /share=share groff:doc`"
(cd "$test_directory"; tar xf "$tarball")
next prev parent reply other threads:[~2020-10-30 21:34 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-27 19:49 bug#44261: running a daemon with userns in relocateble pack breaks Jan Nieuwenhuizen
2020-10-27 20:09 ` Jan Nieuwenhuizen
2020-10-30 21:33 ` Ludovic Courtès [this message]
2020-10-30 22:05 ` Jan Nieuwenhuizen
2020-10-31 22:19 ` Ludovic Courtès
2020-11-01 6:07 ` Jan Nieuwenhuizen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=871rhfxutl.fsf@gnu.org \
--to=ludo@gnu.org \
--cc=44261@debbugs.gnu.org \
--cc=janneke@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).