chroot.setupChrootBindMounts: pay more attention to flags #5083

Merged Oct 23, 2023 (1 commit)

nalind
Member

@nalind nalind commented Oct 10, 2023

What type of PR is this?

/kind cleanup

What this PR does / why we need it:

Pay better attention to nodev/noexec/nosuid/readonly flags on bind, overlay, and tmpfs mounts. Stop quietly adding "nodev" when it isn't asked for.

How to verify it

New integration test!

Which issue(s) this PR fixes:

This fixes certain failures I've been seeing while attempting to get OpenShift's builds working in unprivileged user namespaces, where the builder uses buildah as a library and specifies that secrets be bind-mounted for RUN instructions using nodev/noexec/nosuid/ro, where the builder has to be just a bit more careful because, once you untangle the user namespace ID mappings, it doesn't actually own the underlying content.

Special notes for your reviewer:

Once merged, I'm going to want to cherry pick this to the 1.32 branch for use in OpenShift.

Does this PR introduce a user-facing change?

None

@openshift-ci openshift-ci bot added do-not-merge/work-in-progress kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. approved labels Oct 10, 2023
@nalind nalind force-pushed the chroot-mount-flags branch from 20bce70 to f9cf345 Compare October 10, 2023 22:15
@packit-as-a-service

Ephemeral COPR build failed. @containers/packit-build please check.

@nalind nalind force-pushed the chroot-mount-flags branch 4 times, most recently from 0f7d741 to 4f42384 Compare October 11, 2023 22:05
Collaborator

@flouthoc flouthoc left a comment

Smoke test is failing.

@nalind nalind force-pushed the chroot-mount-flags branch from 4f42384 to bbacc87 Compare October 12, 2023 12:47
@rhatdan
Member

rhatdan commented Oct 12, 2023

LGTM

@nalind
Member Author

nalind commented Oct 12, 2023

Guys, you really need to be reading the Special notes for your reviewer: part of the description.

@rhatdan
Member

rhatdan commented Oct 12, 2023

I like side-eye

@nalind nalind force-pushed the chroot-mount-flags branch 3 times, most recently from 44f4f97 to 613df06 Compare October 12, 2023 17:48
@nalind nalind force-pushed the chroot-mount-flags branch from 613df06 to c697d9a Compare October 19, 2023 22:59
@nalind
Member Author

nalind commented Oct 19, 2023

/retitle chroot.setupChrootBindMounts: pay more attention to flags
/unhold

@openshift-ci openshift-ci bot changed the title WIP: chroot.setupChrootBindMounts: pay more attention to flags chroot.setupChrootBindMounts: pay more attention to flags Oct 19, 2023
Pay better attention to dev/nodev/exec/noexec/suid/nosuid/ro/rw flags on
bind, overlay, and tmpfs mounts when any of them are specified.  Stop
quietly adding "nodev" when it isn't asked for.

Signed-off-by: Nalin Dahyabhai <[email protected]>
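
The flag handling described in the PR description and commit message above, as an added Go example that is not buildah's own code: each of the four flag pairs changes a mount's flags only when it is explicitly requested, and nothing (including nodev) is added by default. The helper name `effectiveFlags` and the sample inputs are assumptions; the constants carry the values of the Linux MS_* mount flags.

```go
package main

import (
	"fmt"
	"strings"
)

// These mirror the values of the Linux MS_RDONLY, MS_NOSUID, MS_NODEV and
// MS_NOEXEC mount flags, declared locally so the example builds anywhere.
const (
	msRdonly uintptr = 0x1
	msNosuid uintptr = 0x2
	msNodev  uintptr = 0x4
	msNoexec uintptr = 0x8
)

// optionFlags maps an option name to the bit it controls and whether it sets it.
var optionFlags = map[string]struct {
	bit uintptr
	set bool
}{
	"ro": {msRdonly, true}, "rw": {msRdonly, false},
	"nosuid": {msNosuid, true}, "suid": {msNosuid, false},
	"nodev": {msNodev, true}, "dev": {msNodev, false},
	"noexec": {msNoexec, true}, "exec": {msNoexec, false},
}

// effectiveFlags (hypothetical helper) starts from the flags already on the
// mount and applies only the options the caller named. It reports whether a
// remount would be needed to reach the result.
func effectiveFlags(current uintptr, options []string) (uintptr, bool) {
	flags := current
	for _, opt := range options {
		f, ok := optionFlags[strings.TrimSpace(opt)]
		if !ok {
			continue // not one of the four pairs, e.g. "bind" or "rbind"
		}
		if f.set {
			flags |= f.bit
		} else {
			flags &^= f.bit
		}
	}
	return flags, flags != current
}

func main() {
	// Constructed sample: the mount is already nosuid,nodev; caller asks for ro,noexec.
	flags, changed := effectiveFlags(msNosuid|msNodev, []string{"bind", "ro", "noexec"})
	fmt.Printf("flags=%#x remount=%v\n", flags, changed)
}
```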
@nalind nalind force-pushed the chroot-mount-flags branch from c697d9a to 2a3a956 Compare October 20, 2023 13:47
@rhatdan
Member

rhatdan commented Oct 21, 2023

LGTM
@flouthoc @giuseppe @vrothberg PTAL

Collaborator

@flouthoc flouthoc left a comment

LGTM

Member

@vrothberg vrothberg left a comment

/lgtm

@openshift-ci
Contributor

openshift-ci bot commented Oct 23, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: flouthoc, nalind, vrothberg

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [flouthoc,nalind,vrothberg]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot merged commit 5f5c1d5 into containers:main Oct 23, 2023
35 checks passed
@nalind nalind deleted the chroot-mount-flags branch October 23, 2023 14:49
@nalind
Member Author

nalind commented Oct 23, 2023

/cherry-pick release-1.32

@openshift-cherrypick-robot

@nalind: only containers org members may request cherry picks. You can still do the cherry-pick manually.

In response to this:

/cherry-pick release-1.32

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@vrothberg
Member

/cherry-pick release-1.32

@vrothberg
Member

Is the bot misbehaving?

@openshift-cherrypick-robot

@vrothberg: new pull request created: #5099

In response to this:

/cherry-pick release-1.32

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@nalind
Member Author

nalind commented Oct 23, 2023

Is the bot misbehaving?

I suspect it got tripped up because my membership in the organization was set to Private, unlike yours, which is Public. I've just toggled mine to match.
