
no-pivot option? #56

Closed
pwFoo opened this issue Jul 25, 2019 · 7 comments · Fixed by #57

Comments

@pwFoo

pwFoo commented Jul 25, 2019

To run inside of a ramdisk the --no-pivot option is needed?

--no-pivot do not use pivot root to jail process inside rootfs. This should be used whenever the rootfs is on top of a ramdisk

@giuseppe
Member

--no-pivot is unsafe as it inhibits most of the security benefits we have with a mount namespace and pivot_root. In fact it turned into a security issue for runc: opencontainers/runc#1962.
There are possibly other cases where this could be exploited, so I've preferred to explicitly drop it with 31d1cf1.

@pwFoo
Author

pwFoo commented Jul 25, 2019

Is there a workaround for that? Because I use runc (maybe switch to crun) in a custom initrd / ramdisk project. I'll add disk mount to that, but if no disk is there I still need to start some containers.

@giuseppe
Member

I am not aware of any workaround (but I've not looked at all into that). If that is blocking you from using crun, I could revert 31d1cf1 and add some warnings to make sure people know about the possible risks.

@pwFoo
Author

pwFoo commented Jul 25, 2019

Would be nice! At the moment the missing --no-pivot would be blocking me.
And warnings should be added if it is unsafe!

giuseppe referenced this issue Jul 25, 2019
This reverts commit 31d1cf1.

Closes: https://github.com/giuseppe/crun/issues/56

Signed-off-by: Giuseppe Scrivano <giuseppe@scrivano.org>
@giuseppe
Member

I've opened a PR just now. Could you please verify if it works for you?

I'll add documentation/warnings later. So far I've just verified that a simple container can run.

@pwFoo
Author

pwFoo commented Jul 26, 2019

Hi @giuseppe,
looks good to me!

/ # crun list
NAME         PID       BUNDLE PATH                            
000-modprobe 673       /containers/onboot/000-modprobe        
rngd         683       /containers/services/rngd              
mdevd        689       /containers/services/mdevd             
dhcpcd       697       /containers/services/dhcpcd    

Two other points I'll open new issues 👍

@aconz2
Contributor

aconz2 commented Jul 25, 2024

I found this issue after also exploring using crun from initramfs where / is rootfs and was getting pivot_root errors. I found a workaround in this comment from the bubblewrap project and thought I'd link the two discussions. I've successfully used that workaround to run crun without --no-pivot from initramfs and that is cool. I'm trying to understand why it actually works and if there are any caveats in doing that in conjunction with crun. It appears that kata uses the equivalent no_pivot_root for runc when the kata agent is init. I asked about that in this discussion.
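The pivot_root errors described above come from a documented kernel rule: pivot_root(2) returns EINVAL when the current root is the kernel's initial rootfs mount (the initramfs case), so the runtime cannot use its normal pivot-based jail there. The following added pre-flight check (example code, not part of the thread or of crun) parses /proc/self/mountinfo and tells an init script whether "/" is that rootfs mount before it tries to start a container; the mountinfo samples are constructed, not captured from this thread.

```python
"""Detect whether "/" is the kernel's initial rootfs (initramfs) mount.

pivot_root(2) fails with EINVAL when the current root is the rootfs mount,
which is exactly the initramfs situation discussed in the thread. Checking
/proc/self/mountinfo up front gives a clear answer instead of a runtime error.
"""
from dataclasses import dataclass


@dataclass
class MountEntry:
    mount_id: int
    parent_id: int
    mount_point: str
    fstype: str
    source: str


def parse_mountinfo(text: str) -> list[MountEntry]:
    """Parse /proc/<pid>/mountinfo lines.

    Field layout: id parent major:minor root mountpoint opts [optional...] - fstype source superopts
    The optional fields (e.g. shared:1) are terminated by a lone '-' token.
    """
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pre, sep, post = line.partition(" - ")
        fields, post_fields = pre.split(), post.split()
        if not sep or len(fields) < 6 or len(post_fields) < 2:
            raise ValueError(f"malformed mountinfo line: {line!r}")
        # mount points escape spaces as \040; undo that for comparisons
        mount_point = fields[4].replace("\\040", " ")
        entries.append(MountEntry(int(fields[0]), int(fields[1]), mount_point,
                                  post_fields[0], post_fields[1]))
    return entries


def root_is_initramfs(text: str) -> bool:
    """True when '/' is served by the rootfs filesystem, i.e. pivot_root() will
    return EINVAL (see pivot_root(2), which points to switch_root(8) instead)."""
    for entry in parse_mountinfo(text):
        if entry.mount_point == "/":
            return entry.fstype == "rootfs"
    raise ValueError("no entry for '/' in mountinfo")


# Constructed sample data (hypothetical, not captured from a real system).
INITRAMFS_SAMPLE = ("1 1 0:2 / / rw - rootfs rootfs rw\n"
                    "17 1 0:4 / /proc rw,nosuid - proc proc rw\n")
SWITCHED_ROOT_SAMPLE = ("22 1 0:21 / / rw,relatime shared:1 - ext4 /dev/vda1 rw\n"
                        "17 22 0:4 / /proc rw,nosuid shared:2 - proc proc rw\n")
```

Running `root_is_initramfs(open("/proc/self/mountinfo").read())` from an init script on Linux gives the live answer for the current mount namespace.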
