Skip to content

runtimetest: fix root readonly check#599

Merged
liangchenye merged 1 commit intoopencontainers:masterfrom
kinvolk-archives:alban/rootfs-readonly
Mar 14, 2018
Merged

runtimetest: fix root readonly check#599
liangchenye merged 1 commit intoopencontainers:masterfrom
kinvolk-archives:alban/rootfs-readonly

Conversation

@alban
Copy link
Contributor

@alban alban commented Mar 9, 2018

Instead of trying to write a file on the rootfs, check the "ro"
per-mount option on the root mountpoint. The rootfs might not be
readable despite spec.Root.Readonly being false. Example: the rootfs
belong to an unmapped uid.

Signed-off-by: Alban Crequy alban@kinvolk.io

@alban alban mentioned this pull request Mar 9, 2018
Merged
@wking
Copy link
Contributor

wking commented Mar 9, 2018

The rootfs might not be readable despite spec.Root.Readonly being false. Example: the rootfs belong to an unmapped uid.

Checking the spec again, it doesn't actually say anything about how the runtime should handle the readonly false and unset cases. So I'm in favor of something like:

if spec.Root.Readonly {
  err := testWriteAccess("/")
  if err == nil {
    return specerror.NewError(specerror.RootReadonlyImplement, fmt.Errorf("rootfs must be readonly"), rspec.Version)
} else {
  err := testWriteAccess("/")
  if err != nil {
    // print a Skip-level warning, which may depend on #594 or other *tap.T passing
  }
}

That way we don't have to have an opinion on unspecified implementation details (perhaps the runtime doesn't bother with a ro mount if it knows the ID mapping will cover read-only-ness?).

@alban alban force-pushed the alban/rootfs-readonly branch from 913f12d to c08563d Compare March 13, 2018 10:20
@alban
Copy link
Contributor Author

alban commented Mar 13, 2018

@wking what about this updated patch? I just skip the test on userns if spec.Root.Readonly == false, but still execute the test for validation/root_readonly_{false,true}.go.

I don't think I need to use *tap.T from #594 right now, it will just t.Pass() when err == nil. Do we actually have a "Skip-level warning"? Do you mean using "OPTIONAL"?

@wking
Copy link
Contributor

wking commented Mar 13, 2018

I just skip the test on userns if spec.Root.Readonly == false...

I agree that the unmapped user-namespace situation should not be a spec violation. But I don't see a need for special handling there, because I don't see spec grounds for this error at all. Do you?

I don't think I need to use *tap.T from #594 right now, it will just t.Pass() when err == nil. Do we actually have a "Skip-level warning"? Do you mean using "OPTIONAL"?

I don't think we can use OPTIONAL, or even MAY, unless we're quoting spec wording, and the spec has nothing in that line for unset/false readonly. So I'd be ok with just:

if spec.Root.Readonly {
   // what's in master now
} // no need to check the else case

But I also think that users may find this surprising, and a TAP skip or stderr log are places where we can warn the user "hey, you might have expected setting readonly false would give you a writeable root, but yours isn't writeable. This isn't a spec volation, but we wanted to let you know anyway.".

@alban
runtimetest: fix root readonly check
9e919c6 
The rootfs might not be readable despite spec.Root.Readonly being false
and that's not a spec violation. Example: the rootfs belong to an
unmapped uid.

This test is useful for validation/root_readonly_true.go

Delete validation/root_readonly_false.go since that's not a spec
violation.

Signed-off-by: Alban Crequy <alban@kinvolk.io>
@alban alban force-pushed the alban/rootfs-readonly branch from c08563d to 9e919c6 Compare March 13, 2018 13:38
@alban
Copy link
Contributor Author

alban commented Mar 13, 2018

I agree that the unmapped user-namespace situation should not be a spec violation. But I don't see a need for special handling there, because I don't see spec grounds for this error at all. Do you?

No, I don't.

I don't think we can use OPTIONAL, or even MAY, unless we're quoting spec wording, and the spec has nothing in that line for unset/false readonly. So I'd be ok with just:

Ok, I updated the patch that way. I also deleted validation/root_readonly_false.go since that would not test anything.

But I also think that users may find this surprising, and a TAP skip or stderr log are places where we can warn the user "hey, you might have expected setting readonly false would give you a writeable root, but yours isn't writeable. This isn't a spec volation, but we wanted to let you know anyway.".

That would be good indeed. I didn't do that in this PR because that would need more changes for the TAP skip.

@liangchenye
Copy link
Member

liangchenye commented Mar 14, 2018
edited by caniszczyk
Loading

LGTM

Approved with PullApprove

@liangchenye liangchenye merged commit cc1aa34 into opencontainers:master Mar 14, 2018
@alban alban deleted the alban/rootfs-readonly branch March 14, 2018 10:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@wking wking wking approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@alban @wking @liangchenye