From edea8f93a5b310c76cda13d4dddbaeb92fa8ae16 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Anders=20F=20Bj=C3=B6rklund?=
Date: Wed, 14 Aug 2019 21:18:38 +0200
Subject: [PATCH 1/4] Only use DOCKER_RAMDISK on fstype rootfs
The docker configuration is determined at runtime, so make it work with both old rootfs and new tmpfs.
---
 pkg/provision/buildroot.go | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/pkg/provision/buildroot.go b/pkg/provision/buildroot.go
index 9baa3791ca35..f0a2e9ca7f3a 100644
--- a/pkg/provision/buildroot.go
+++ b/pkg/provision/buildroot.go
@@ -92,6 +92,13 @@ func (p *BuildrootProvisioner) GenerateDockerOptions(dockerPort int) (*provision
 driverNameLabel := fmt.Sprintf("provider=%s", p.Driver.DriverName())
 p.EngineOptions.Labels = append(p.EngineOptions.Labels, driverNameLabel)
+ noPivot := true
+ // Using pivot_root is not supported on fstype rootfs
+ if fstype, err := rootFileSystemType(p); err == nil {
+ log.Debugf("root file system type: %s", fstype)
+ noPivot = fstype == "rootfs"
+ }
+
 engineConfigTmpl := `[Unit]
 Description=Docker Application Container Engine
 Documentation=https://docs.docker.com
@@ -101,8 +108,14 @@ Requires= minikube-automount.service docker.socket
 [Service]
 Type=notify
+`
+ if noPivot {
+ engineConfigTmpl += `
 # DOCKER_RAMDISK disables pivot_root in Docker, using MS_MOVE instead.
 Environment=DOCKER_RAMDISK=yes
+`
+ }
+ engineConfigTmpl += `
 {{range .EngineOptions.Env}}Environment={{.}}
 {{end}}
@@ -160,6 +173,14 @@ WantedBy=multi-user.target
 }, nil
 }
+func rootFileSystemType(p *BuildrootProvisioner) (string, error) {
+ fs, err := p.SSHCommand("df --output=fstype / | tail -n 1")
+ if err != nil {
+ return "", err
+ }
+ return strings.TrimSpace(fs), nil
+}
+
 // Package installs a package
 func (p *BuildrootProvisioner) Package(name string, action pkgaction.PackageAction) error {
 return nil
From a4c5992377905427fd7f07da04119fe015856fb3 Mon Sep 17 00:00:00 2001
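Review bot: When rootFileSystemType fails, the block added at the top of the first hunk keeps `noPivot := true` and says nothing, so a transient SSH or df failure silently selects the DOCKER_RAMDISK (no pivot_root) configuration with no trace of why. Make the fallback attributable by logging on that path: `if fstype, err := rootFileSystemType(p); err != nil {` / `log.Debugf("unable to determine root file system type, assuming rootfs: %v", err)` / `} else {` with the existing body in the else branch. Whether failing closed (assume tmpfs and let Docker fail to start on an old ISO) would be the better default depends on how many rootfs ISOs are still in use, but the choice should be explicit rather than a side effect of the initial value. GenerateDockerOptions starts before this hunk and continues past it.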
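Review bot: rootFileSystemType (third hunk) cannot observe a failure of df, because the remote command is a shell pipeline and the status SSHCommand reports is presumably tail's: a df that fails, for instance because the guest's df does not implement `--output` (a GNU coreutils option), yields empty output and a nil error, and the caller then sets noPivot to false without knowing that nothing was detected. Reject an empty answer explicitly: `fstype := strings.TrimSpace(fs)` / `if fstype == "" { return "", fmt.Errorf("could not determine root file system type from df") }` / `return fstype, nil`. The new function also lacks a doc comment; something like `// rootFileSystemType returns the file system type mounted at / inside the guest, as reported by df.` would do.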
From: =?UTF-8?q?Anders=20F=20Bj=C3=B6rklund?=
Date: Wed, 14 Aug 2019 22:49:39 +0200
Subject: [PATCH 2/4] Move root filesystem from rootfs to tmpfs
---
 .../board/coreos/minikube/rootfs-overlay/init | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100755 deploy/iso/minikube-iso/board/coreos/minikube/rootfs-overlay/init
diff --git a/deploy/iso/minikube-iso/board/coreos/minikube/rootfs-overlay/init b/deploy/iso/minikube-iso/board/coreos/minikube/rootfs-overlay/init
new file mode 100755
index 000000000000..d6f7a2987b29
--- /dev/null
+++ b/deploy/iso/minikube-iso/board/coreos/minikube/rootfs-overlay/init
@@ -0,0 +1,13 @@
+#!/bin/sh
+mkdir /sysroot
+# the value 90% borrowed from tcl via boot2docker
+mount -t tmpfs -o size=90% tmpfs /sysroot
+# copy from rootfs, to be able to do switch_root(8)
+tar -C / --exclude=sysroot -cf - . | tar -C /sysroot/ -xf -
+
+# devtmpfs does not get automounted for initramfs
+/bin/mount -t devtmpfs devtmpfs /sysroot/dev
+exec 0/sysroot/dev/console
+exec 2>/sysroot/dev/console
+exec /sbin/switch_root /sysroot /sbin/init "$@"
From ae8894c0cabe07b91caa5af4b220452cb26b17e5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Anders=20F=20Bj=C3=B6rklund?=
Date: Wed, 14 Aug 2019 23:50:24 +0200
Subject: [PATCH 3/4] Stop using no_pivot when not using rootfs
---
 deploy/addons/gvisor/gvisor-config.toml | 2 +-
 deploy/iso/minikube-iso/package/containerd-bin/config.toml | 2 +-
 deploy/iso/minikube-iso/package/crio-bin/crio.conf | 2 +-
 deploy/iso/minikube-iso/package/podman/buildah.profile | 3 ---
 deploy/iso/minikube-iso/package/podman/libpod.conf | 2 --
 deploy/iso/minikube-iso/package/podman/podman.mk | 2 --
 6 files changed, 3 insertions(+), 10 deletions(-)
 delete mode 100644 deploy/iso/minikube-iso/package/podman/buildah.profile
 delete mode 100644 deploy/iso/minikube-iso/package/podman/libpod.conf
diff --git a/deploy/addons/gvisor/gvisor-config.toml b/deploy/addons/gvisor/gvisor-config.toml
index 034be8a4e57c..999ac0245856 100644
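Review bot: The tmpfs that becomes the new root is mounted with only `size=90%`, so unless the extracting tar restores the mode of `.` from the archive, /sysroot keeps tmpfs's default root directory mode of 1777 (world-writable, sticky) after switch_root; mounting it with an explicit mode, `mount -t tmpfs -o size=90%,mode=0755 tmpfs /sysroot`, removes that dependency on tar's behaviour. The copy has no error handling either: a full tmpfs or a failed tar still falls through to `exec /sbin/switch_root`, so the system would boot from a partial root, and at minimum a `set -e` at the top would stop the boot on a failed mount or extraction. As rendered here the `exec 0/sysroot/dev/console` line has lost its redirection operator (presumably `0<`), and a matching redirection of stdout appears to be missing next to the one for stderr — verify against the source file.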
--- a/deploy/addons/gvisor/gvisor-config.toml
+++ b/deploy/addons/gvisor/gvisor-config.toml
@@ -36,7 +36,7 @@ oom_score = 0
 max_container_log_line_size = 16384
 [plugins.cri.containerd]
 snapshotter = "overlayfs"
- no_pivot = true
+ no_pivot = false
 [plugins.cri.containerd.default_runtime]
 runtime_type = "io.containerd.runtime.v1.linux"
 runtime_engine = ""
diff --git a/deploy/iso/minikube-iso/package/containerd-bin/config.toml b/deploy/iso/minikube-iso/package/containerd-bin/config.toml
index ae7fe958038a..6a64bb6e5c90 100644
--- a/deploy/iso/minikube-iso/package/containerd-bin/config.toml
+++ b/deploy/iso/minikube-iso/package/containerd-bin/config.toml
@@ -36,7 +36,7 @@ oom_score = 0
 max_container_log_line_size = 16384
 [plugins.cri.containerd]
 snapshotter = "overlayfs"
- no_pivot = true
+ no_pivot = false
 [plugins.cri.containerd.default_runtime]
 runtime_type = "io.containerd.runtime.v1.linux"
 runtime_engine = ""
diff --git a/deploy/iso/minikube-iso/package/crio-bin/crio.conf b/deploy/iso/minikube-iso/package/crio-bin/crio.conf
index 2d96ded019b8..be5b5505e4ee 100644
--- a/deploy/iso/minikube-iso/package/crio-bin/crio.conf
+++ b/deploy/iso/minikube-iso/package/crio-bin/crio.conf
@@ -92,7 +92,7 @@ grpc_max_recv_msg_size = 16777216
 default_runtime = "runc"
 # If true, the runtime will not use pivot_root, but instead use MS_MOVE.
-no_pivot = true
+no_pivot = false
 # Path to the conmon binary, used for monitoring the OCI runtime.
 conmon = "/usr/libexec/crio/conmon"
diff --git a/deploy/iso/minikube-iso/package/podman/buildah.profile b/deploy/iso/minikube-iso/package/podman/buildah.profile
deleted file mode 100644
index 8ca368b053c1..000000000000
--- a/deploy/iso/minikube-iso/package/podman/buildah.profile
+++ /dev/null
@@ -1,3 +0,0 @@
-# BUILDAH_NOPIVOT=true disables pivot_root in Buildah, using MS_MOVE instead.
-# (Buildah is used by Podman for building container images using a Dockerfile)
-export BUILDAH_NOPIVOT=true
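Review bot: The `no_pivot = false` flip in deploy/addons/gvisor/gvisor-config.toml is applied by the minikube binary to whatever ISO the VM was booted from, unlike the containerd config.toml and crio.conf hunks, which ship inside the ISO together with the new tmpfs init. On a VM still running an older rootfs-root ISO, the gvisor addon's containerd would now attempt pivot_root, which is presumably what patch 1's runtime detection exists to avoid, and would fail to start containers. Either gate the addon on a minimum ISO version or state the minimum ISO in the addon's description, and consider a comment next to the setting, e.g. `# pivot_root requires the tmpfs-root ISO; older rootfs-root ISOs need no_pivot = true`.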
diff --git a/deploy/iso/minikube-iso/package/podman/libpod.conf b/deploy/iso/minikube-iso/package/podman/libpod.conf
deleted file mode 100644
index b5d19cd85190..000000000000
--- a/deploy/iso/minikube-iso/package/podman/libpod.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-# Whether to use chroot instead of pivot_root in the runtime
-no_pivot_root = true
diff --git a/deploy/iso/minikube-iso/package/podman/podman.mk b/deploy/iso/minikube-iso/package/podman/podman.mk
index 72867365981f..8450e7dfde0a 100644
--- a/deploy/iso/minikube-iso/package/podman/podman.mk
+++ b/deploy/iso/minikube-iso/package/podman/podman.mk
@@ -29,8 +29,6 @@ endef
 define PODMAN_INSTALL_TARGET_CMDS
 $(INSTALL) -Dm755 $(@D)/bin/podman $(TARGET_DIR)/usr/bin/podman
- $(INSTALL) -Dm644 $(BR2_EXTERNAL_MINIKUBE_PATH)/package/podman/libpod.conf $(TARGET_DIR)/etc/containers/libpod.conf
- $(INSTALL) -Dm644 $(BR2_EXTERNAL_MINIKUBE_PATH)/package/podman/buildah.profile $(TARGET_DIR)/etc/profile.d/podman.sh
 endef
 $(eval $(generic-package))
From eec1a06921aa51aba96b85868184b588d8cc47e1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Anders=20F=20Bj=C3=B6rklund?=
Date: Sat, 24 Aug 2019 16:16:11 +0200
Subject: [PATCH 4/4] Add warning that using --no-pivot is not secure
It is only intended for compatibility with the old rootfs ISO, and not needed with the new tmpfs ISO.
---
 pkg/provision/buildroot.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/pkg/provision/buildroot.go b/pkg/provision/buildroot.go
index f0a2e9ca7f3a..be32b4bf9d77 100644
--- a/pkg/provision/buildroot.go
+++ b/pkg/provision/buildroot.go
@@ -110,6 +110,7 @@ Type=notify
 `
 if noPivot {
+ log.Warn("Using fundamentally insecure --no-pivot option")
 engineConfigTmpl += `
 # DOCKER_RAMDISK disables pivot_root in Docker, using MS_MOVE instead.
 Environment=DOCKER_RAMDISK=yes