Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve uid shifting via chown. #44

Merged
merged 1 commit into from
Nov 29, 2021
Merged

Improve uid shifting via chown. #44

merged 1 commit into from
Nov 29, 2021

Conversation

ctalledo
Copy link
Member

Sysbox performs uid-shifting using chown for host dirs that are mounted into
certain special dirs in the container (e.g., /var/lib/docker, /var/lib/kubelet,
etc.)

Prior to this change, the uid shifting via chown worked well when the host dir
was initially owned by root:root. In this case, when the container started,
Sysbox would shift uids to match the container's root user (e.g.,
165536:165536); later when the container stopped, Sysbox would revert the uids
back to the original one (i.e, root:root).

However, we've seen situations where the uid revert may not occur because the
host dir gets detached from the host. In this case, a subsequent creation of a
container where said host dir is again mounted into a special dir in the
container, would result in Sysbox not performing or mishandling the uid
shifting.

This commit fixes this by ensuring that Sysbox always performs the uid
shifting regardless of the original uid associated with the host dir
being mounted into the container.

Signed-off-by: Cesar Talledo ctalledo@nestybox.com

@ctalledo ctalledo self-assigned this Nov 29, 2021
@ctalledo ctalledo added the bug Something isn't working label Nov 29, 2021
rodnymolina
rodnymolina reviewed Nov 29, 2021
View reviewed changes
utils.go Outdated
@@ -723,28 +723,13 @@ func mntSrcUidShiftNeeded(mntSrc string, uid, gid uint32) (bool, uint32, uint32,
mntSrcUid = st.Uid
mntSrcGid = st.Gid

// If the host uid assigned to the container is higher than the uid
// of the dir being mounted into the container, then we perform uid
// If the host uid assigned to the container's root user differs from the the
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

s/the the/the/

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

rodnymolina
rodnymolina reviewed Nov 29, 2021
View reviewed changes
utils.go Outdated

needChown = false
break
if uid != st.Uid && gid != st.Gid {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Isn't this an OR op?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point, I changed it to OR. In practice it won't make a difference, because the chown happens on host dirs that get mounted into the container's special dirs (e.g., /var/lib/docker) and for those we always expect the uid:gid to match. But it's clearer / more correct to do the OR instead of AND.

rodnymolina
rodnymolina approved these changes Nov 29, 2021
View reviewed changes
Copy link
Member

@rodnymolina rodnymolina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LG

Check comments.

@ctalledo
Improve uid shifting via chown.
4e375d7 
Sysbox performs uid-shifting using chown for host dirs that are mounted into
certain special dirs in the container (e.g., /var/lib/docker, /var/lib/kubelet,
etc.)

Prior to this change, the uid shifting via chown worked well when the host dir
was initially owned by root:root.  In this case, when the container started,
Sysbox would shift uids to match the container's root user (e.g.,
165536:165536); later when the container stopped, Sysbox would revert the uids
back to the original one (i.e, root:root).

However, we've seen situations where the uid revert may not occur because the
host dir gets detached from the host. In this case, a subsequent creation of a
container where said host dir is again mounted into a special dir in the
container, would result in Sysbox not performing or mishandling the uid
shifting.

This commit fixes this by ensuring that Sysbox always performs the uid
shifting regardless of the original uid associated with the host dir
being mounted into the container.

Signed-off-by: Cesar Talledo <ctalledo@nestybox.com>
@ctalledo ctalledo merged commit 1dfe32d into master Nov 29, 2021
@ctalledo ctalledo deleted the issue-431 branch November 29, 2021 21:55
@ctalledo ctalledo mentioned this pull request Nov 29, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rodnymolina rodnymolina rodnymolina approved these changes

Assignees

@ctalledo ctalledo

Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ctalledo @rodnymolina