10:38 a.m.
When running commands in the mounted guest (using the "command" API, and
APIs based on it), provide the /dev/null from the appliance as open fd
for stdin. Commands usually assume stdin is open if they didn't close
it explicitly, so this should avoid crashes or misbehavings due to that.
---
daemon/command.c | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/daemon/command.c b/daemon/command.c
index 1593de9..b2d84ca 100644
--- a/daemon/command.c
+++ b/daemon/command.c
@@ -23,6 +23,8 @@
#include <stdbool.h>
#include <string.h>
#include <sys/stat.h>
+#include <sys/types.h>
+#include <fcntl.h>
#include "guestfs_protocol.h"
#include "daemon.h"
@@ -242,7 +244,7 @@ do_command (char *const *argv)
{
char *out;
CLEANUP_FREE char *err = NULL;
- int r;
+ int r, fd, flags;
CLEANUP_BIND_STATE struct bind_state bind_state = { .mounted = false };
CLEANUP_RESOLVER_STATE struct resolver_state resolver_state =
{ .mounted = false };
@@ -259,6 +261,17 @@ do_command (char *const *argv)
return NULL;
}
+ /* Provide /dev/null as stdin for the command, since we want
+ * to make sure processes have an open stdin, and it is not
+ * possible to rely on the guest to provide it (Linux guests
+ * get /dev dynamically populated at runtime by udev).
+ */
+ fd = open ("/dev/null", O_RDONLY|O_CLOEXEC);
+ if (fd == -1) {
+ reply_with_perror ("/dev/null");
+ return NULL;
+ }
+
if (bind_mount (&bind_state) == -1)
return NULL;
if (enable_network) {
@@ -266,8 +279,10 @@ do_command (char *const *argv)
return NULL;
}
+ flags = COMMAND_FLAG_CHROOT_COPY_FILE_TO_STDIN | fd;
+
CHROOT_IN;
- r = commandv (&out, &err, (const char * const *) argv);
+ r = commandvf (&out, &err, flags, (const char * const *) argv);
CHROOT_OUT;
free_bind_state (&bind_state);
--
2.1.0
5:58 a.m.
On Thu, Nov 19, 2015 at 05:38:25PM +0100, Pino Toscano wrote:
When running commands in the mounted guest (using the
"command" API, and
APIs based on it), provide the /dev/null from the appliance as open fd
for stdin. Commands usually assume stdin is open if they didn't close
it explicitly, so this should avoid crashes or misbehavings due to that.
---
daemon/command.c | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/daemon/command.c b/daemon/command.c
index 1593de9..b2d84ca 100644
--- a/daemon/command.c
+++ b/daemon/command.c
@@ -23,6 +23,8 @@
#include <stdbool.h>
#include <string.h>
#include <sys/stat.h>
+#include <sys/types.h>
+#include <fcntl.h>
#include "guestfs_protocol.h"
#include "daemon.h"
@@ -242,7 +244,7 @@ do_command (char *const *argv)
{
char *out;
CLEANUP_FREE char *err = NULL;
- int r;
+ int r, fd, flags;
CLEANUP_BIND_STATE struct bind_state bind_state = { .mounted = false };
CLEANUP_RESOLVER_STATE struct resolver_state resolver_state =
{ .mounted = false };
@@ -259,6 +261,17 @@ do_command (char *const *argv)
return NULL;
}
+ /* Provide /dev/null as stdin for the command, since we want
+ * to make sure processes have an open stdin, and it is not
+ * possible to rely on the guest to provide it (Linux guests
+ * get /dev dynamically populated at runtime by udev).
+ */
+ fd = open ("/dev/null", O_RDONLY|O_CLOEXEC);
+ if (fd == -1) {
+ reply_with_perror ("/dev/null");
+ return NULL;
+ }
+
if (bind_mount (&bind_state) == -1)
return NULL;
if (enable_network) {
@@ -266,8 +279,10 @@ do_command (char *const *argv)
return NULL;
}
+ flags = COMMAND_FLAG_CHROOT_COPY_FILE_TO_STDIN | fd;
+
CHROOT_IN;
- r = commandv (&out, &err, (const char * const *) argv);
+ r = commandvf (&out, &err, flags, (const char * const *) argv);
CHROOT_OUT;
free_bind_state (&bind_state);
Looks good. How about naming the variable 'dev_null_fd' or something,
so we know it's not just a temporary file descriptor variable?
Anyway, ACK.
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine. Supports Linux and Windows.
http://people.redhat.com/~rjones/virt-df/
8:06 a.m.
On Friday 20 November 2015 11:58:25 Richard W.M. Jones wrote:
On Thu, Nov 19, 2015 at 05:38:25PM +0100, Pino Toscano wrote:
> When running commands in the mounted guest (using the "command" API, and
> APIs based on it), provide the /dev/null from the appliance as open fd
> for stdin. Commands usually assume stdin is open if they didn't close
> it explicitly, so this should avoid crashes or misbehavings due to that.
> ---
> daemon/command.c | 19 +++++++++++++++++--
> 1 file changed, 17 insertions(+), 2 deletions(-)
>
> diff --git a/daemon/command.c b/daemon/command.c
> index 1593de9..b2d84ca 100644
> --- a/daemon/command.c
> +++ b/daemon/command.c
> @@ -23,6 +23,8 @@
> #include <stdbool.h>
> #include <string.h>
> #include <sys/stat.h>
> +#include <sys/types.h>
> +#include <fcntl.h>
>
> #include "guestfs_protocol.h"
> #include "daemon.h"
> @@ -242,7 +244,7 @@ do_command (char *const *argv)
> {
> char *out;
> CLEANUP_FREE char *err = NULL;
> - int r;
> + int r, fd, flags;
> CLEANUP_BIND_STATE struct bind_state bind_state = { .mounted = false };
> CLEANUP_RESOLVER_STATE struct resolver_state resolver_state =
> { .mounted = false };
> @@ -259,6 +261,17 @@ do_command (char *const *argv)
> return NULL;
> }
>
> + /* Provide /dev/null as stdin for the command, since we want
> + * to make sure processes have an open stdin, and it is not
> + * possible to rely on the guest to provide it (Linux guests
> + * get /dev dynamically populated at runtime by udev).
> + */
> + fd = open ("/dev/null", O_RDONLY|O_CLOEXEC);
> + if (fd == -1) {
> + reply_with_perror ("/dev/null");
> + return NULL;
> + }
> +
> if (bind_mount (&bind_state) == -1)
> return NULL;
> if (enable_network) {
> @@ -266,8 +279,10 @@ do_command (char *const *argv)
> return NULL;
> }
>
> + flags = COMMAND_FLAG_CHROOT_COPY_FILE_TO_STDIN | fd;
> +
> CHROOT_IN;
> - r = commandv (&out, &err, (const char * const *) argv);
> + r = commandvf (&out, &err, flags, (const char * const *) argv);
> CHROOT_OUT;
>
> free_bind_state (&bind_state);
Looks good. How about naming the variable 'dev_null_fd' or something,
so we know it's not just a temporary file descriptor variable?
Makes sense, pushed with the suggested correction.
Thanks,
--
Pino Toscano
8:59 a.m.
On Thu, Nov 19, 2015 at 05:38:25PM +0100, Pino Toscano wrote:
When running commands in the mounted guest (using the
"command" API, and
APIs based on it), provide the /dev/null from the appliance as open fd
for stdin. Commands usually assume stdin is open if they didn't close
it explicitly, so this should avoid crashes or misbehavings due to that.
This does not look right.
+ /* Provide /dev/null as stdin for the command, since we want
+ * to make sure processes have an open stdin, and it is not
+ * possible to rely on the guest to provide it (Linux guests
+ * get /dev dynamically populated at runtime by udev).
+ */
+ fd = open ("/dev/null", O_RDONLY|O_CLOEXEC);
+ if (fd == -1) {
+ reply_with_perror ("/dev/null");
+ return NULL;
+ }
+
I disagree with this (see below).
if (bind_mount (&bind_state) == -1)
return NULL;
nit: this leaks the fd on error, but it may not matter much.
if (enable_network) {
@@ -266,8 +279,10 @@ do_command (char *const *argv)
return NULL;
}
nit: same.
+ flags = COMMAND_FLAG_CHROOT_COPY_FILE_TO_STDIN | fd;
+
CHROOT_IN;
- r = commandv (&out, &err, (const char * const *) argv);
+ r = commandvf (&out, &err, flags, (const char * const *) argv);
CHROOT_OUT;
free_bind_state (&bind_state);
According to the analysis in
https://bugzilla.redhat.com/show_bug.cgi?id=1280029 the problem was that
the target program was being executed in a chroot which did not have
/dev/null populated, hence the open in commandrvf failed and the process
was left without fd 0.
commandrvf does the following in the child:
close (0);
if (flag_copy_stdin) {
dup2 (flag_copy_fd, STDIN_FILENO);
} else {
/* Set stdin to /dev/null (ignore failure) */
ignore_value (open ("/dev/null", O_RDONLY|O_CLOEXEC));
}
[..]
execvp (argv[0], (void *) argv);
First observation is that regardless of whether this open("/dev/null", ..)
succeeds, there is no fd 0 in the process after execvp due to O_CLOEXEC.
So, chances are the chroot did have /dev/null, but the fd simply got closed.
I would argue that /dev has to be at least partially populated for anything
that gets executed in the chroot. At the very least special nodes like null,
zero and {u,}random are needed.
CHROOT_IN/OUT around commandvf are definitely problematic. chroot should be
done in the child, which also removes the need to chroot out in the
parent.
Assuming populated /dev is problematic/not feasible, at the very least
the open(/dev/null) should be performed in the child just prior to
chroot.
Current patch seems to work around shortcomings of the current API.
Side content:
if (flag_copy_stdin) close (flag_copy_fd);
waitpid (pid, NULL, 0);
return -1;
but some lines below there is:
if (flag_copy_stdin && close (flag_copy_fd) == -1) {
perror ("close");
return -1;
}
/* Get the exit status of the command. */
if (waitpid (pid, &r, 0) != pid) {
perror ("waitpid");
return -1;
}
close() does not return an error unless extraterrestial circumstances occur,
and even then the fd is no longer in use by the process. As such, I would argue
checking for errors here is not necessary. Note that prior sample does not check.
In case an error was returned, the code fails to waitpid() for the child.
--
Mateusz Guzik
9:16 a.m.
On Tuesday 01 December 2015 15:59:56 Mateusz Guzik wrote:
On Thu, Nov 19, 2015 at 05:38:25PM +0100, Pino Toscano wrote:
> When running commands in the mounted guest (using the "command" API, and
> APIs based on it), provide the /dev/null from the appliance as open fd
> for stdin. Commands usually assume stdin is open if they didn't close
> it explicitly, so this should avoid crashes or misbehavings due to that.
This does not look right.
> + /* Provide /dev/null as stdin for the command, since we want
> + * to make sure processes have an open stdin, and it is not
> + * possible to rely on the guest to provide it (Linux guests
> + * get /dev dynamically populated at runtime by udev).
> + */
> + fd = open ("/dev/null", O_RDONLY|O_CLOEXEC);
> + if (fd == -1) {
> + reply_with_perror ("/dev/null");
> + return NULL;
> + }
> +
I disagree with this (see below).
> if (bind_mount (&bind_state) == -1)
> return NULL;
nit: this leaks the fd on error, but it may not matter much.
> if (enable_network) {
> @@ -266,8 +279,10 @@ do_command (char *const *argv)
> return NULL;
> }
>
nit: same.
Both these leaks need to be fixed, thanks for reporting them.
> + flags = COMMAND_FLAG_CHROOT_COPY_FILE_TO_STDIN | fd;
> +
> CHROOT_IN;
> - r = commandv (&out, &err, (const char * const *) argv);
> + r = commandvf (&out, &err, flags, (const char * const *) argv);
> CHROOT_OUT;
>
> free_bind_state (&bind_state);
According to the analysis in
https://bugzilla.redhat.com/show_bug.cgi?id=1280029 the problem was that
the target program was being executed in a chroot which did not have
/dev/null populated, hence the open in commandrvf failed and the process
was left without fd 0.
commandrvf does the following in the child:
close (0);
if (flag_copy_stdin) {
dup2 (flag_copy_fd, STDIN_FILENO);
} else {
/* Set stdin to /dev/null (ignore failure) */
ignore_value (open ("/dev/null", O_RDONLY|O_CLOEXEC));
}
[..]
execvp (argv[0], (void *) argv);
First observation is that regardless of whether this open("/dev/null", ..)
succeeds, there is no fd 0 in the process after execvp due to O_CLOEXEC.
Correct, so O_CLOEXEC could be dropped in this case.
So, chances are the chroot did have /dev/null, but the fd simply got
closed.
No, the actual issue was that there was nothing at all in the /dev of
guest, so open failed.
I would argue that /dev has to be at least partially populated for
anything
that gets executed in the chroot. At the very least special nodes like null,
zero and {u,}random are needed.
We do not assume anything about guests, which could be Linux with a
static /dev (rare these days), but also non-Linux guests, including
Windows.
CHROOT_IN/OUT around commandvf are definitely problematic. chroot
should be
done in the child, which also removes the need to chroot out in the
parent.
That could be another way to make the command* functions in the daemon
safer, which wouldn't solve the issue of this email thread: even if you
fork and then chroot, the guest has nothing in /dev, so you cannot
open /dev/null at that point. This means you still need to carry on an
open /dev/null from the appliance.
Assuming populated /dev is problematic/not feasible, at the very
least
the open(/dev/null) should be performed in the child just prior to
chroot.
See above.
Current patch seems to work around shortcomings of the current API.
Side content:
if (flag_copy_stdin) close (flag_copy_fd);
waitpid (pid, NULL, 0);
return -1;
This is done only in the main "while (quit < 2)" loop, and only on
error there, which will return with -1.
but some lines below there is:
if (flag_copy_stdin && close (flag_copy_fd) == -1) {
perror ("close");
return -1;
}
/* Get the exit status of the command. */
if (waitpid (pid, &r, 0) != pid) {
perror ("waitpid");
return -1;
}
close() does not return an error unless extraterrestial circumstances occur,
and even then the fd is no longer in use by the process. As such, I would argue
checking for errors here is not necessary. Note that prior sample does not check.
The code for flag_copy_stdin & flag_copy_fd is unrelated to the bit
quoted above, see above for the explanation.
In case an error was returned, the code fails to waitpid() for the
child.
This needs to be fixed indeed.
Thanks,
--
Pino Toscano
10:05 a.m.
On Tue, Dec 01, 2015 at 04:16:57PM +0100, Pino Toscano wrote:
On Tuesday 01 December 2015 15:59:56 Mateusz Guzik wrote:
> I would argue that /dev has to be at least partially populated for anything
> that gets executed in the chroot. At the very least special nodes like null,
> zero and {u,}random are needed.
We do not assume anything about guests, which could be Linux with a
static /dev (rare these days), but also non-Linux guests, including
Windows.
I have to confess to ignorance about this project, I only found it after
seeing a suspicious commit in dnf.
However, your description does not look right. The code seems to assume
it is possible to execve binaries in a chroot, which for practical
purposes means linux binaries. Further, do_command sets up
/etc/resolv.conf for the "guest".
My argument is that executing linux binaries in an environment without
properly populated /dev is a recipe for trouble and will one day come
back with weird failures or improperly constructed images.
> CHROOT_IN/OUT around commandvf are definitely problematic.
chroot should be
> done in the child, which also removes the need to chroot out in the
> parent.
That could be another way to make the command* functions in the daemon
safer, which wouldn't solve the issue of this email thread: even if you
fork and then chroot, the guest has nothing in /dev, so you cannot
open /dev/null at that point. This means you still need to carry on an
open /dev/null from the appliance.
> Assuming populated /dev is problematic/not feasible, at the very least
> the open(/dev/null) should be performed in the child just prior to
> chroot.
See above.
The issue would be solved in a less hackish manner. If the process is
not chrooted, it can open /dev/null. So you fork, open /dev/null and
only then proceed to chroot.
But as noted earlier, unpopulated /dev seems to be the real bug here.
> Current patch seems to work around shortcomings of the current
API.
>
> Side content:
> if (flag_copy_stdin) close (flag_copy_fd);
> waitpid (pid, NULL, 0);
> return -1;
This is done only in the main "while (quit < 2)" loop, and only on
error there, which will return with -1.
> but some lines below there is:
> if (flag_copy_stdin && close (flag_copy_fd) == -1) {
> perror ("close");
> return -1;
> }
>
> /* Get the exit status of the command. */
> if (waitpid (pid, &r, 0) != pid) {
> perror ("waitpid");
> return -1;
> }
>
>
> close() does not return an error unless extraterrestial circumstances occur,
> and even then the fd is no longer in use by the process. As such, I would argue
> checking for errors here is not necessary. Note that prior sample does not check.
The code for flag_copy_stdin & flag_copy_fd is unrelated to the bit
quoted above, see above for the explanation.
The point was that cleanup is duplicated and inconsistent.
--
Mateusz Guzik
10:50 a.m.
On Tue, Dec 01, 2015 at 05:05:50PM +0100, Mateusz Guzik wrote:
On Tue, Dec 01, 2015 at 04:16:57PM +0100, Pino Toscano wrote:
> On Tuesday 01 December 2015 15:59:56 Mateusz Guzik wrote:
> > I would argue that /dev has to be at least partially populated for anything
> > that gets executed in the chroot. At the very least special nodes like null,
> > zero and {u,}random are needed.
>
> We do not assume anything about guests, which could be Linux with a
> static /dev (rare these days), but also non-Linux guests, including
> Windows.
>
I have to confess to ignorance about this project, I only found it after
seeing a suspicious commit in dnf.
However, your description does not look right. The code seems to assume
it is possible to execve binaries in a chroot, which for practical
purposes means linux binaries. Further, do_command sets up
/etc/resolv.conf for the "guest".
My argument is that executing linux binaries in an environment without
properly populated /dev is a recipe for trouble and will one day come
back with weird failures or improperly constructed images.
I realized said programs typically require at least /proc, which
prompted me to look around a little bit more.
do_command apart from setting up /etc/resolv.conf calls bind_mount,
which will bind several filesystems into the chroot. The list includes
/dev.
I cannot test it, but it would seem relevant directories in chroot are
populated just fine, which would suggest that /dev/null is there when
the chrooted child is trying to open it and it is closed after exec due
to the O_CLOEXEC flag.
If chroot's /dev is indeed empty, the bind_mount actions failed or were
undone in some way, which would be a bug.
As a side note bind_mount only notes the failure to bind something, as
opposed to bailing out. Seems like a dangerous behaviour - whatever is
executing in there may need this data and weirdly error much later if,
say, /sys was not provided.
Similar remark goes to:
ignore_value (open ("/dev/null", O_RDONLY|O_CLOEXEC));
It's such a basic part of the setup that a failure here indicates
something is wrong. The code should return an error instead of
proceeding to execute the binary.
> > CHROOT_IN/OUT around commandvf are definitely problematic.
chroot should be
> > done in the child, which also removes the need to chroot out in the
> > parent.
>
> That could be another way to make the command* functions in the daemon
> safer, which wouldn't solve the issue of this email thread: even if you
> fork and then chroot, the guest has nothing in /dev, so you cannot
> open /dev/null at that point. This means you still need to carry on an
> open /dev/null from the appliance.
>
> > Assuming populated /dev is problematic/not feasible, at the very least
> > the open(/dev/null) should be performed in the child just prior to
> > chroot.
>
> See above.
>
The issue would be solved in a less hackish manner. If the process is
not chrooted, it can open /dev/null. So you fork, open /dev/null and
only then proceed to chroot.
But as noted earlier, unpopulated /dev seems to be the real bug here.
> > Current patch seems to work around shortcomings of the current API.
> >
> > Side content:
> > if (flag_copy_stdin) close (flag_copy_fd);
> > waitpid (pid, NULL, 0);
> > return -1;
>
> This is done only in the main "while (quit < 2)" loop, and only on
> error there, which will return with -1.
>
> > but some lines below there is:
> > if (flag_copy_stdin && close (flag_copy_fd) == -1) {
> > perror ("close");
> > return -1;
> > }
> >
> > /* Get the exit status of the command. */
> > if (waitpid (pid, &r, 0) != pid) {
> > perror ("waitpid");
> > return -1;
> > }
> >
> >
> > close() does not return an error unless extraterrestial circumstances occur,
> > and even then the fd is no longer in use by the process. As such, I would
argue
> > checking for errors here is not necessary. Note that prior sample does not
check.
>
> The code for flag_copy_stdin & flag_copy_fd is unrelated to the bit
> quoted above, see above for the explanation.
>
The point was that cleanup is duplicated and inconsistent.
--
Mateusz Guzik
6:33 a.m.
On Tue, Dec 01, 2015 at 05:05:51PM +0100, Mateusz Guzik wrote:
My argument is that executing linux binaries in an environment
without
properly populated /dev is a recipe for trouble and will one day come
back with weird failures or improperly constructed images.
They'd hardly work at all. Luckily the code also bind-mounts /dev
(and /sys and other things) from the appliance into the chroot first.
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines. Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v
10:58 a.m.
On Tue, Dec 01, 2015 at 03:59:56PM +0100, Mateusz Guzik wrote:
CHROOT_IN/OUT around commandvf are definitely problematic. chroot
should be
done in the child, which also removes the need to chroot out in the
parent.
The CHROOT_IN/OUT business does need to be rewritten. Every
instance where we currently do something like:
CHROOT_IN;
r = stat (fd, &statbuf);
CHROOT_OUT
[https://github.com/libguestfs/libguestfs/blob/master/daemon/stat.c#L93-L95]
should instead be forking a subprocess, chrooting in the subprocess,
and doing the system call in the subprocess.
The problem which makes it not so easy is that instead of using a nice
local variable, we would have to pass back the result from a
subprocess to the parent process (the pair (r, statbuf) in the above
example).
So that means .. a pipe, and serializing the result down the pipe.
The good news is that since this all runs on the same machine in the
same compiled program, it's quite acceptable to dump a C struct into
the pipe.
But it's still a lot of work .. patches welcome of course.
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-builder quickly builds VMs from scratch
http://libguestfs.org/virt-builder.1.html
11:29 a.m.
On Tue, Dec 01, 2015 at 04:58:11PM +0000, Richard W.M. Jones wrote:
On Tue, Dec 01, 2015 at 03:59:56PM +0100, Mateusz Guzik wrote:
> CHROOT_IN/OUT around commandvf are definitely problematic. chroot should be
> done in the child, which also removes the need to chroot out in the
> parent.
The CHROOT_IN/OUT business does need to be rewritten. Every
instance where we currently do something like:
CHROOT_IN;
r = stat (fd, &statbuf);
CHROOT_OUT
Ouch. Fortunately commandvf change should be easy.
[https://github.com/libguestfs/libguestfs/blob/master/daemon/stat.c#L93-L95]
should instead be forking a subprocess, chrooting in the subprocess,
and doing the system call in the subprocess.
The problem which makes it not so easy is that instead of using a nice
local variable, we would have to pass back the result from a
subprocess to the parent process (the pair (r, statbuf) in the above
example).
So that means .. a pipe, and serializing the result down the pipe.
The good news is that since this all runs on the same machine in the
same compiled program, it's quite acceptable to dump a C struct into
the pipe.
But it's still a lot of work .. patches welcome of course.
This looks very problematic.
CHROOT_OUT is mere chroot ("."), which suggests that that cwd for
virt-builder is "/". This means anything using aforementioned construct
has to use absolute paths, otherwise it looks names up against the real
"/". For current code it would make sense to somewhow check if all
passed paths are absolute (if not by code inspection, one can try to
cook up a systemtap script to verify such behaviour in-between chroots).
As for a solution, forking off a process which chroots is definitely on
the right track. However, I would argue what's really needed here is the
following: at the start, a container is created, the child gets in. Execs,
file system operations, just about everything has to be a request sent
to the child over e.g. a unix socket, but pipes could work too.
Filesystems in the container would not be fully populated (see: /dev/mem
& friends), but only have 'container-friendly' files.
That's definitely a lot of work and I'm not up to the task.
Regardless, commandvf vs chroot usage can be improved without said
significant work.
--
Mateusz Guzik
11:50 a.m.
On Tue, Dec 01, 2015 at 06:29:01PM +0100, Mateusz Guzik wrote:
CHROOT_OUT is mere chroot ("."), which suggests that that
cwd for
virt-builder is "/". This means anything using aforementioned construct
has to use absolute paths, otherwise it looks names up against the real
"/". For current code it would make sense to somewhow check if all
passed paths are absolute (if not by code inspection, one can try to
cook up a systemtap script to verify such behaviour in-between chroots).
As for a solution, forking off a process which chroots is definitely on
the right track. However, I would argue what's really needed here is the
following: at the start, a container is created, the child gets in. Execs,
file system operations, just about everything has to be a request sent
to the child over e.g. a unix socket, but pipes could work too.
I think you're hinting at a security issue, but I don't think there is
one in virt-builder, since firstly we trust the templates and the
command line (hence there is no "attacker" in the virt-builder
scenario), and secondly everything runs inside a virtual machine, so
this putative virt-builder attacker can only take over the appliance,
and would be stopped by the protections we place around the appliance
(sVirt and so on).
However it certainly is worth hardening the way we run commands. A
container approach has another advantage too: that any processes
started up by (eg) dnf/yum are "captured" in the container and can be
conveniently killed off when the command exits. This is in fact an
existing source of bugs (https://bugzilla.redhat.com/1195881).
Filesystems in the container would not be fully populated (see:
/dev/mem
& friends), but only have 'container-friendly' files.
That's definitely a lot of work and I'm not up to the task.
Right - patches welcome!
Regardless, commandvf vs chroot usage can be improved without said
significant work.
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines. Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v
3277
days inactive
3290
days old
10 comments
3 participants
participants (3)
-
Mateusz Guzik -
Pino Toscano -
Richard W.M. Jones