Still running through the messages gmail's spam filter false positived on...
On 2/1/21 7:02 AM, Yi-yo Chiang via Toybox wrote:
> mount, mount and their friends usually require root permission, so let's skip
> these when not running as root!

Longer term I want to run the mount test under the "make root" target (see scripts/mkroot.sh) which builds a linux kernel targeted to QEMU and packages up a defconfig toybox root filesystem with a simple init script. Tests like mount, modprobe, and ifconfig need a defined system to work in: it's not just running them as root, it's also what resources are available and what can I do with them? (Do I have this dev node, module, or interface?) The QEMU system can provide known layouts.

Long ago I wrote up an explanation of the 4 filesystem categories on my old livejournal, and I copied it into the www/doc directory of toybox a while back:

http://landley.net/toybox/doc/mount.txt

Except I wrote all that up _before_ containers happened, which added a whole scope and lifetime thing (mount namespaces). And it doesn't mention bind mounts, mount --move, pivot_root (and the reason containers use pivot_root instead of chroot)...

If you're wondering how I know all this stuff, the answer is I tried to do crazy stuff that didn't work, I asked Linus about it:

https://ipfs.io/ipfs/QmdA5WkDNALetBn4iFeSepHjdLGJdxPBwZyY47ir1bZGAK/comp/linux/pivot_root.html

And then other people poked me about more stuff over the years:

https://landley.net/notes-2011.html#02-06-2011

Rob

P.S. The reason containers pivot_root() is if you're root in a chroot you can mkdir("sub"); chroot("sub"); chdir("../../../../../../../../.."); chroot(".") and be out of the chroot. Except that the OTHER thing pivot_root does is iterate through every process in the tree and change any "." and "/" that points into the old directory to the new directory, yes including kernel threads, so you can umount the old filesystem without it being pinned by active processes using it, and that's kind of heavyweight for a container so they added some heuristic but it's still really dangerous to do because if you haven't set up your new namespace right when you do a pivot_root your entire system will freeze as every process suddenly has its global filesystem context edited and gets Confused...

Did I mention I have a todo item to write a "contain" command that creates and manipulates simple containers? Alas I've had that todo item for 11 years and haven't done it yet, busy with other things...

tl;dr writing a proper mount.test is on the todo list.
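As an added illustration of the P.S. above (my own example, not Rob's code and not part of toybox), here is the sequence a container runtime follows to swap in a new root without the hazard Rob describes: the process first unshares into its own mount namespace and marks the tree private, so the pivot only rewrites "/" for processes in that namespace rather than for every process on the box. The function names `enter_new_root` and `pivot_root_precheck`, and the `oldroot` parking directory, are my choices; the program is Linux-only and must run as root (CAP_SYS_ADMIN) against a prepared root directory, e.g. the defconfig toybox root filesystem mkroot builds.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/syscall.h>

/* CLONE_NEWNS sits behind _GNU_SOURCE in <sched.h>; fall back to the
 * kernel ABI value if the header did not provide it. */
#ifndef CLONE_NEWNS
#define CLONE_NEWNS 0x00020000
#endif

/* Mirrors the pivot_root(2) rule that put_old must be at or underneath
 * new_root. Both paths are assumed absolute and normalized (no trailing
 * slash, no ".."); a real runtime would realpath() them first.
 * Returns 0 when the pair is acceptable, -1 otherwise. */
int pivot_root_precheck(const char *new_root, const char *put_old)
{
    size_t n = strlen(new_root);

    if (n == 0 || new_root[0] != '/' || put_old[0] != '/') return -1;
    if (strncmp(put_old, new_root, n) != 0) return -1;
    /* Either the same directory, or new_root followed by a separator. */
    if (put_old[n] != '\0' && put_old[n] != '/') return -1;
    return 0;
}

static void die(const char *what)
{
    fprintf(stderr, "%s: %s\n", what, strerror(errno));
    exit(1);
}

/* Make new_root the root of the calling process inside a fresh, private
 * mount namespace, then detach the old root. Returns 0 or -1 with errno. */
int enter_new_root(const char *new_root)
{
    char put_old[4096];

    if (snprintf(put_old, sizeof put_old, "%s/oldroot", new_root)
        >= (int)sizeof put_old) { errno = ENAMETOOLONG; return -1; }
    if (pivot_root_precheck(new_root, put_old)) { errno = EINVAL; return -1; }

    /* 1. Own mount namespace: the pivot below is scoped to this process tree,
     *    not to every process (and kernel thread) on the system. */
    if (syscall(SYS_unshare, CLONE_NEWNS)) return -1;
    /* 2. Kill propagation: systemd makes "/" shared by default, and
     *    pivot_root refuses (EINVAL) when new_root or its parent is shared. */
    if (mount("none", "/", NULL, MS_REC | MS_PRIVATE, NULL)) return -1;
    /* 3. new_root must be a mount point; a recursive bind mount makes it one. */
    if (mount(new_root, new_root, NULL, MS_BIND | MS_REC, NULL)) return -1;
    /* 4. A directory under new_root where the old root gets parked. */
    if (mkdir(put_old, 0700) && errno != EEXIST) return -1;
    /* 5. The swap itself, then re-anchor the cwd on the new "/". */
    if (syscall(SYS_pivot_root, new_root, put_old)) return -1;
    if (chdir("/")) return -1;
    /* 6. Lazily unmount and remove the old root so it is no longer reachable. */
    if (umount2("/oldroot", MNT_DETACH)) return -1;
    if (rmdir("/oldroot")) return -1;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s /path/to/newroot /bin/sh [args...]\n", argv[0]);
        return 2;
    }
    if (enter_new_root(argv[1])) die("enter_new_root");
    execv(argv[2], argv + 2);
    die("execv");
    return 1;
}
```

Steps 1 and 2 are the "set up your new namespace right" part: without them the same pivot_root call edits the filesystem context of the whole system, which is the freeze Rob warns about. Step 6 is what chroot cannot give you, since the old tree is gone from the namespace rather than merely hidden behind a directory.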
