From: Sree Harsha Totakura
Subject: /dev/shm inconsistency in chroot
Date: Thu, 23 Jan 2014 20:21:37 +0100
Message-ID: <52E16BC1.6050908@totakura.in>
Reply-To: sreeharsha@totakura.in
To: guix-devel@gnu.org, nix-dev@lists.science.uu.nl
List-Id: guix-devel.gnu.org

Hi,

It has been known for a while that any access to /dev/shm fails inside chroot if the host system has /dev/shm symlinked to /run/shm. The suggested method to deal with this until now is to remove the symlink from the host system, create a /dev/shm directory and mount a tmpfs on it.

I spent some time investigating why this is needed and here are some points I noted: from libstore/build.cc the daemon tries to bind mount some paths from the host system into the chroot directory. Among these are /dev and /dev/pts. The daemon also mounts a tmpfs file system under chrootdir+/dev/shm should the path /dev/shm exist. Due to bind mounting /dev, on systems where /dev/shm is a symlink, the symlink is also present in chrootdir+/dev. Since the symlink points to /run/shm, and since /run is not bind mounted by default into chrootdir+/run, the symlink is broken inside the chroot.
The above problem can be addressed by passing --chroot-directory=/run to the guix-daemon, which then includes /run in the list of mounts that are to be bind mounted inside the chroot. This will resolve the chroot+/dev/shm symlink properly. Yet accesses to /dev/shm fail inside the chroot. This is because the mount statement in build.cc for mounting tmpfs at chroot+/dev/shm mounts the tmpfs at /run/shm, the target of the symlink, and since the /run tree is made private the mount does not propagate into the bind mounted chroot+/run tree. In the chroot, this leaves the /dev/shm symlink pointing to the directory /run/shm and obviously any shared memory accesses fail.

This problem can finally be fixed by passing --chroot-directory=/run/shm. Although the tmpfs mount for chroot+/dev/shm still ends up mounting tmpfs at /run/shm, since /run/shm is now bind mounted to chroot+/run/shm, inside the chroot the symlink /dev/shm points to /run/shm, which is now a tmpfs. Shared memory accesses work fine here. However, there is a caveat: since /run/shm is bind mounted, any files from the host system in that directory are also present in the chroot.

To address this further and to get rid of having the user pass the --chroot-directory flag, I propose the attached patch.

Regards,
Sree

Attachment: 0001-Create-tmpfs-on-dev-shm-after-chrooting.patch

From 359fda36b6dcabea79a76b56e10d4d67702f545f Mon Sep 17 00:00:00 2001
From: Sree Harsha Totakura
Date: Thu, 23 Jan 2014 20:11:57 +0100
Subject: [PATCH] Create tmpfs on /dev/shm after chrooting.

src/libstore/build.cc: Create tmpfs on /dev/shm after chrooting. If /dev/shm is a link, create required directory for mounting.
---
 src/libstore/build.cc | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/src/libstore/build.cc b/src/libstore/build.cc index 4329d9a..b01bf92 100644 --- a/src/libstore/build.cc +++ b/src/libstore/build.cc @@ -2054,12 +2054,6 @@ void DerivationGoal::initChild() if (mount("none", (chrootRootDir + "/proc").c_str(), "proc",= 0, 0) =3D=3D -1) throw SysError("mounting /proc"); =20 - /* Mount a new tmpfs on /dev/shm to ensure that whatever - the builder puts in /dev/shm is cleaned up automatically.= */ - if (pathExists("/dev/shm")) - if (mount("none", (chrootRootDir + "/dev/shm").c_str(), = "tmpfs", 0, 0) =3D=3D -1) - throw SysError("mounting /dev/shm"); - /* Do the chroot(). Below we do a chdir() to the temporary build directory to make sure the current directory is in the chroot. (Actually the order 
@@ -2067,6 +2061,17 @@ void DerivationGoal::initChild() tmpRootDit/tmpDir are the same directories.) */ if (chroot(chrootRootDir.c_str()) =3D=3D -1) throw SysError(format("cannot change root directory to `= %1%'") % chrootRootDir); + + /* Mount a new tmpfs on /dev/shm to ensure that whatever the builder puts in /dev/shm is cleaned up automatically.= */ + if (pathExists ("/dev/shm")) + { + Path target =3D "/dev/shm"; + if (isLink(target) && !pathExists(target =3D readLink(ta= rget))) + createDirs(target); + if (mount("none", "/dev/shm", "tmpfs", 0, 0) =3D=3D -1) + throw SysError("mounting /dev/shm"); + } } #endif =20 --=20 1.7.10.4
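Review bot: in the first hunk the tmpfs mount is removed from the pre-chroot() sequence without leaving a comment behind, while the neighbouring /proc mount still happens on `chrootRootDir + "/proc"` before chroot(). A one-line note at that spot saying that /dev/shm is deliberately mounted after chroot() (so that a host link /dev/shm -> /run/shm resolves inside the new root instead of on the host) would stop the next reader from moving it back. The commit message should also state that the tmpfs now lands on the resolved link target rather than on `chrootRootDir + "/dev/shm"`.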
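Review bot: in the second hunk `readLink(target)` is passed straight to `pathExists()` and `createDirs()`, so a relative link target (for example `../run/shm`) is resolved against the daemon's current working directory, which at this point is still whatever it was before chroot() (the chdir() to the build directory only happens below), and the directory may be created in the wrong place even though the following `mount("none", "/dev/shm", ...)` resolves the link from `/dev`. Resolve a relative target against the link's own directory, or reject non-absolute targets, before calling `createDirs()`. Two smaller points: the assignment inside the condition, `!pathExists(target =3D readLink(target))`, is hard to read and should be its own statement; and the `mount()` still passes flags `0`, so the builder's tmpfs has no `nosuid`/`nodev` and no size bound; `MS_NOSUID | MS_NODEV` and a `size=` mount option are worth considering while this code is being touched.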
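Added example, not part of the message above and not code from Nix or Guix: a small C++ program that emulates in user space, with no root privileges, how mount(2) resolves the /dev/shm path before and after chroot(), which is the mechanism the message describes. It builds a constructed fixture under /tmp in which a fake chroot's /dev/shm is an absolute symlink to /run/shm (plus a relative variant for comparison). The helper names resolveMountTarget, prepareMountPoint and makeDemoChroot are this example's own, as is the choice of /tmp for the fixture.

```cpp
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <stdexcept>
#include <string>
#include <vector>
#include <sys/stat.h>
#include <unistd.h>

// Split a path into components, dropping empty ones and ".".
static std::vector<std::string> splitPath(const std::string &p)
{
    std::vector<std::string> out;
    std::string cur;
    for (size_t i = 0; i <= p.size(); ++i) {
        if (i == p.size() || p[i] == '/') {
            if (!cur.empty() && cur != ".") out.push_back(cur);
            cur.clear();
        } else {
            cur += p[i];
        }
    }
    return out;
}

// Join components under `root` ("" means the real root directory).
static std::string joinPath(const std::string &root, const std::vector<std::string> &cs)
{
    std::string s = root;
    for (size_t i = 0; i < cs.size(); ++i) s += "/" + cs[i];
    return s.empty() ? std::string("/") : s;
}

// readlink(2) wrapper: "" when `p` is not a symlink or does not exist.
static std::string readLinkIfAny(const std::string &p)
{
    char buf[4096];
    ssize_t n = readlink(p.c_str(), buf, sizeof buf);
    return n < 0 ? std::string() : std::string(buf, n);
}

// Emulate kernel path walking for a process whose root directory is the host
// path `root` ("" = no chroot). `path` is absolute as that process sees it.
// An absolute symlink target restarts the walk at `root`, never at the host
// "/", which is exactly why a host link /dev/shm -> /run/shm lands in
// different places before and after chroot(). Returns the host path at which
// mount(2) on `path` would actually place the mount (it need not exist yet).
std::string resolveMountTarget(const std::string &root, const std::string &path)
{
    std::vector<std::string> pending = splitPath(path); // still to walk
    std::vector<std::string> done;                      // walked, relative to root
    int hops = 0;
    while (!pending.empty()) {
        std::string c = pending.front();
        pending.erase(pending.begin());
        if (c == "..") { if (!done.empty()) done.pop_back(); continue; }
        done.push_back(c);
        std::string target = readLinkIfAny(joinPath(root, done));
        if (target.empty()) continue;                   // ordinary component
        if (++hops > 40) throw std::runtime_error("too many symlinks: " + path);
        done.pop_back();                                // the link is replaced by its target
        if (target[0] == '/') done.clear();             // absolute target: restart at root
        std::vector<std::string> t = splitPath(target); // relative: from the link's directory
        pending.insert(pending.begin(), t.begin(), t.end());
    }
    return joinPath(root, done);
}

// mkdir -p for an absolute host path; false on any failure other than EEXIST.
bool mkdirP(const std::string &path)
{
    std::vector<std::string> cs = splitPath(path), cur;
    for (size_t i = 0; i < cs.size(); ++i) {
        cur.push_back(cs[i]);
        if (mkdir(joinPath("", cur).c_str(), 0755) == -1 && errno != EEXIST) return false;
    }
    return true;
}

// What a corrected createDirs() step should do: resolve the mount point inside
// `root` first, then create that directory. Returns the host path created.
std::string prepareMountPoint(const std::string &root, const std::string &path)
{
    std::string host = resolveMountTarget(root, path);
    if (!mkdirP(host)) throw std::runtime_error("cannot create " + host);
    return host;
}

// Constructed fixture (assumption: /tmp is writable): a fake chroot whose
// /dev/shm is an absolute symlink to /run/shm, Debian style, plus a relative
// variant dev/shm_rel -> ../run/shm. Nothing is mounted and no root is needed.
std::string makeDemoChroot()
{
    char tmpl[] = "/tmp/shmdemo.XXXXXX";
    char *dir = mkdtemp(tmpl);
    if (!dir) throw std::runtime_error("mkdtemp failed");
    std::string rootDir = dir;
    if (!mkdirP(rootDir + "/dev")) throw std::runtime_error("mkdir failed");
    if (symlink("/run/shm", (rootDir + "/dev/shm").c_str()) == -1 ||
        symlink("../run/shm", (rootDir + "/dev/shm_rel").c_str()) == -1)
        throw std::runtime_error(std::string("symlink: ") + strerror(errno));
    return rootDir;
}

int main()
{
    std::string rootDir = makeDemoChroot();
    // Old code: mount(chrootRootDir + "/dev/shm") before chroot() follows the
    // absolute link to the host's own /run/shm, outside the chroot entirely.
    printf("pre-chroot  -> %s\n", resolveMountTarget("", rootDir + "/dev/shm").c_str());
    // Patch: after chroot(chrootRootDir) the same link resolves to
    // chrootRootDir/run/shm, which must be created before the tmpfs mount.
    printf("post-chroot -> %s\n", prepareMountPoint(rootDir, "/dev/shm").c_str());
    // A relative link would have stayed inside the chroot even before chroot().
    printf("relative    -> %s\n", resolveMountTarget("", rootDir + "/dev/shm_rel").c_str());
    return 0;
}
```

Resolved against the real root, the fake chroot's dev/shm link escapes to the host's /run/shm, which is where the pre-chroot mount in the old code ended up; resolved against the chroot it lands at <chroot>/run/shm, the directory prepareMountPoint() creates, mirroring the createDirs() call in the patch. The relative variant stays inside the chroot in both cases, which shows that only absolute link targets trigger the breakage the message describes.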