mirror of
https://github.com/opencontainers/runc.git
synced 2026-06-30 19:58:25 +00:00
50105de1d8
As reported in [1], in a case where read-only fuse (sshfs) mount
is used as a volume without specifying ro flag, the kernel fails
to remount it (when adding various flags such as nosuid and nodev),
returning EPERM.
Here's the relevant strace line:
> [pid 333966] mount("/tmp/bats-run-PRVfWc/runc.RbNv8g/bundle/mnt", "/proc/self/fd/7", 0xc0001e9164, MS_NOSUID|MS_NODEV|MS_REMOUNT|MS_BIND|MS_REC, NULL) = -1 EPERM (Operation not permitted)
I was not able to reproduce it with other read-only mounts as the source
(tried tmpfs, read-only bind mount, and an ext2 mount), so somehow this
might be specific to fuse.
The fix is to check whether the source has RDONLY flag, and retry the
remount with this flag added.
A test case (which was kind of hard to write) is added, and it fails
without the fix. Note that rootless user need to be able to ssh to
rootless@localhost in order to sshfs to work -- amend setup scripts
to make it work, and skip the test if the setup is not working.
[1] https://github.com/containers/podman/issues/12205
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
130 lines
4.2 KiB
YAML
130 lines
4.2 KiB
YAML
# NOTE Github Actions execution environments lack a terminal, needed for
|
|
# some integration tests. So we use `script` command to fake a terminal.
|
|
|
|
name: ci
|
|
on:
|
|
push:
|
|
tags:
|
|
- v*
|
|
branches:
|
|
- master
|
|
- release-*
|
|
pull_request:
|
|
|
|
env:
|
|
# Don't ignore C warnings. Note that the output of "go env CGO_CFLAGS" by default is "-g -O2", so we keep them.
|
|
CGO_CFLAGS: -g -O2 -Werror
|
|
|
|
jobs:
|
|
test:
|
|
runs-on: ubuntu-20.04
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
go-version: [1.16.x, 1.17.x]
|
|
rootless: ["rootless", ""]
|
|
race: ["-race", ""]
|
|
criu: [""]
|
|
include:
|
|
# Also test against latest criu-dev
|
|
- go-version: 1.17.x
|
|
rootless: ""
|
|
race: ""
|
|
criu: "criu-dev"
|
|
|
|
steps:
|
|
|
|
- name: checkout
|
|
uses: actions/checkout@v2
|
|
|
|
- name: install deps
|
|
if: matrix.criu == ''
|
|
env:
|
|
REPO: https://download.opensuse.org/repositories/devel:/tools:/criu/xUbuntu_20.04
|
|
run: |
|
|
# criu repo
|
|
curl -fSsl $REPO/Release.key | sudo apt-key add -
|
|
echo "deb $REPO/ /" | sudo tee /etc/apt/sources.list.d/criu.list
|
|
sudo apt update
|
|
sudo apt install libseccomp-dev criu sshfs
|
|
|
|
- name: install deps (criu ${{ matrix.criu }})
|
|
if: matrix.criu != ''
|
|
run: |
|
|
sudo apt -q update
|
|
sudo apt -q install libseccomp-dev sshfs \
|
|
libcap-dev libnet1-dev libnl-3-dev \
|
|
libprotobuf-c-dev libprotobuf-dev protobuf-c-compiler protobuf-compiler
|
|
git clone https://github.com/checkpoint-restore/criu.git ~/criu
|
|
(cd ~/criu && git checkout ${{ matrix.criu }} && sudo make install-criu)
|
|
rm -rf ~/criu
|
|
|
|
- name: install go ${{ matrix.go-version }}
|
|
uses: actions/setup-go@v2
|
|
with:
|
|
stable: '!contains(${{ matrix.go-version }}, "beta") && !contains(${{ matrix.go-version }}, "rc")'
|
|
go-version: ${{ matrix.go-version }}
|
|
|
|
- name: build
|
|
run: sudo -E PATH="$PATH" make EXTRA_FLAGS="${{ matrix.race }}" all
|
|
|
|
- name: install bats
|
|
uses: mig4/setup-bats@v1
|
|
with:
|
|
bats-version: 1.3.0
|
|
|
|
- name: unit test
|
|
if: matrix.rootless != 'rootless'
|
|
run: sudo -E PATH="$PATH" -- make TESTFLAGS="${{ matrix.race }}" localunittest
|
|
|
|
- name: add rootless user
|
|
if: matrix.rootless == 'rootless'
|
|
run: |
|
|
sudo useradd -u2000 -m -d/home/rootless -s/bin/bash rootless
|
|
# Allow root and rootless itself to execute `ssh rootless@localhost` in tests/rootless.sh
|
|
ssh-keygen -t ecdsa -N "" -f $HOME/rootless.key
|
|
sudo mkdir -m 0700 -p /home/rootless/.ssh
|
|
sudo cp $HOME/rootless.key /home/rootless/.ssh/id_ecdsa
|
|
sudo cp $HOME/rootless.key.pub /home/rootless/.ssh/authorized_keys
|
|
sudo chown -R rootless.rootless /home/rootless
|
|
|
|
- name: integration test (fs driver)
|
|
run: sudo -E PATH="$PATH" script -e -c 'make local${{ matrix.rootless }}integration'
|
|
|
|
- name: integration test (systemd driver)
|
|
# can't use systemd driver with cgroupv1
|
|
if: matrix.rootless != 'rootless'
|
|
run: sudo -E PATH="$PATH" script -e -c 'make RUNC_USE_SYSTEMD=yes local${{ matrix.rootless }}integration'
|
|
|
|
# We need to continue support for 32-bit ARM.
|
|
# However, we do not have 32-bit ARM CI, so we use i386 for testing 32bit stuff.
|
|
# We are not interested in providing official support for i386.
|
|
cross-i386:
|
|
runs-on: ubuntu-20.04
|
|
|
|
steps:
|
|
|
|
- name: checkout
|
|
uses: actions/checkout@v2
|
|
|
|
- name: install deps
|
|
run: |
|
|
sudo dpkg --add-architecture i386
|
|
# add criu repo
|
|
sudo add-apt-repository -y ppa:criu/ppa
|
|
# apt-add-repository runs apt update so we don't have to.
|
|
|
|
# Due to a bug in apt, we have to update it first
|
|
# (see https://bugs.launchpad.net/ubuntu-cdimage/+bug/1871268)
|
|
sudo apt -q install apt
|
|
sudo apt -q install libseccomp-dev libseccomp-dev:i386 gcc-multilib criu
|
|
|
|
- name: install go
|
|
uses: actions/setup-go@v2
|
|
with:
|
|
go-version: 1.x # Latest stable
|
|
|
|
- name: unit test
|
|
# cgo is disabled by default when cross-compiling
|
|
run: sudo -E PATH="$PATH" -- make GOARCH=386 CGO_ENABLED=1 localunittest
|