Repository: mesos Updated Branches: refs/heads/master 1f06e8446 -> dfe9f51aa
Used more restrictive mount flags for host network bind mounts. In the CNI isolator, mount the network configuration files with the most restrictive mount flags to avoid getting trapped by user namespace unprivileged mount preconditions. Review: https://reviews.apache.org/r/64385/ Project: http://git-wip-us.apache.org/repos/asf/mesos/repo Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/dfe9f51a Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/dfe9f51a Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/dfe9f51a Branch: refs/heads/master Commit: dfe9f51aa9f4ddc23c990a77bc53beab983b5c96 Parents: 1f06e84 Author: James Peach <[email protected]> Authored: Wed Dec 6 16:32:12 2017 -0800 Committer: James Peach <[email protected]> Committed: Wed Dec 6 17:05:02 2017 -0800 ---------------------------------------------------------------------- .../mesos/isolators/network/cni/cni.cpp | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/mesos/blob/dfe9f51a/src/slave/containerizer/mesos/isolators/network/cni/cni.cpp ----------------------------------------------------------------------
diff --git a/src/slave/containerizer/mesos/isolators/network/cni/cni.cpp b/src/slave/containerizer/mesos/isolators/network/cni/cni.cpp
index 0eca067..61de16b 100644
--- a/src/slave/containerizer/mesos/isolators/network/cni/cni.cpp
+++ b/src/slave/containerizer/mesos/isolators/network/cni/cni.cpp
@@ -1906,6 +1906,14 @@ int NetworkCniIsolatorSetup::execute()
     return EXIT_FAILURE;
   }
 
+  // If we are in a user namespace, then our copy of the mount tree is
+  // marked unprivileged and the kernel will required us to propagate
+  // any additional flags from the underlying mount to the bind mount
+  // when we do the MS_RDONLY remount. To save the bother of reading
+  // the mount table to find the flags to propagate, we just always
+  // use the most restrictive flags here.
+  const int bindflags = MS_BIND | MS_NOEXEC | MS_NODEV | MS_NOSUID;
+
   foreachpair (const string& file, const string& source, files) {
     // Do the bind mount for network files in the host filesystem if
     // the container joins non-host network since no process in the
@@ -1952,7 +1960,7 @@ int NetworkCniIsolatorSetup::execute()
           source,
           file,
           None(),
-          MS_BIND,
+          bindflags,
           nullptr);
       if (mount.isError()) {
         cerr << "Failed to bind mount from '" << source << "' to '"
@@ -1965,7 +1973,7 @@ int NetworkCniIsolatorSetup::execute()
           source,
           file,
           None(),
-          MS_RDONLY | MS_REMOUNT | MS_BIND,
+          MS_RDONLY | MS_REMOUNT | bindflags,
           nullptr);
       if (mount.isError()) {
         cerr << "Failed to remount bind mount as readonly from '" << source
@@ -2015,7 +2023,7 @@ int NetworkCniIsolatorSetup::execute()
           source,
           target,
           None(),
-          MS_BIND,
+          bindflags,
           nullptr);
 
       if (mount.isError()) {
@@ -2029,7 +2037,7 @@ int NetworkCniIsolatorSetup::execute()
           source,
           target,
           None(),
-          MS_RDONLY | MS_REMOUNT | MS_BIND,
+          MS_RDONLY | MS_REMOUNT | bindflags,
           nullptr);
       if (mount.isError()) {
         cerr << "Failed to remount bind mount as readonly from '" << source
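Review bot: The new comment in the first hunk reads `the kernel will required us to propagate`, which should be `the kernel will require us to propagate`. That comment could also state the assumption it rests on more precisely: MS_NOEXEC, MS_NODEV and MS_NOSUID cover the nosuid/nodev/noexec lock flags that an unprivileged remount may not clear, but as far as I recall the kernel applies the same locking to the atime class of flags, so a source mount carrying MS_NOATIME or MS_STRICTATIME could presumably still have its MS_RDONLY remount refused with EPERM despite `bindflags`; I would add `// NOTE: atime flags are not propagated here, so a noatime/strictatime source mount may still fail the read-only remount.` after the `bindflags` definition, or confirm that the network configuration files are only ever sourced from mounts with default atime. The remaining four hunks only substitute `bindflags` for `MS_BIND` in the `fs::mount` calls and need no separate note. `NetworkCniIsolatorSetup::execute()` begins before the first hunk and continues past the last one.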
