public inbox for gentoo-catalyst@lists.gentoo.org
* [gentoo-catalyst] [PATCH] catalyst: Restore root and cwd after exiting mount namespace
@ 2020-11-09 19:36 Felix Bier
  2020-11-14 16:40 ` Matt Turner
  0 siblings, 1 reply; 2+ messages in thread
From: Felix Bier @ 2020-11-09 19:36 UTC
  To: gentoo-catalyst@lists.gentoo.org

This commit saves the file descriptor of /proc/self/{root,cwd}
before entering into the new mount namespace. When restoring the
previous mount namespace, it restores /proc/self/{root,cwd}
based on the saved file descriptors.

Without this change, catalyst cannot be run in a chroot when
using the recent changes regarding mount namespaces: After the
mount namespace has been exited, /proc/self/root points to the "/"
of the host system, not the "/" of the chroot. Therefore, the
cleanup phase of catalyst runs outside of the chroot.

The code is similar to how nsenter(1) sets root and cwd:
https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/tree/sys-utils/nsenter.c#n452

Tested in a Gentoo chroot and in a Gentoo VM (non-chroot).

Signed-off-by: Felix Bier <felix.bier@rohde-schwarz.com>
---
 catalyst/context.py | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/catalyst/context.py b/catalyst/context.py
index 8a58f33d..01a6d930 100644
--- a/catalyst/context.py
+++ b/catalyst/context.py
@@ -16,11 +16,21 @@ def namespace(mount=False, uts=False, ipc=False, net=False, pid=False,
         (user,  "user"): None,
     }
 
+    dirs = {
+        "root": None,
+        "cwd":  None,
+    }
+
     # Save fds of current namespaces
     for ns in [ns for ns in namespaces if ns[0]]:
         fp = open(f"/proc/self/ns/{ns[1]}")
         namespaces[ns] = fp
 
+    # Save fds of current directories
+    if mount:
+        for d in dirs:
+            dirs[d] = os.open(f"/proc/self/{d}", os.O_RDONLY)
+
     simple_unshare(mount=mount, uts=uts, ipc=ipc, net=net, pid=pid, user=user,
                    hostname=hostname)
     try:
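Review bot: the root and cwd descriptors opened in `dirs[d] = os.open(f"/proc/self/{d}", os.O_RDONLY)` are taken before `simple_unshare(...)`, but the `try:` only begins after that call, so if the unshare raises, both descriptors leak (as do the namespace fds opened in the loop above them). Either move the save loop under the `try:` or wrap the unshare call so the descriptors are closed on failure. Adding `os.O_DIRECTORY` to the flags would also make a non-directory target fail at open time rather than at the later `os.fchdir`; `O_CLOEXEC` is not needed, since Python's `os.open` already returns non-inheritable descriptors.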
@@ -30,3 +40,15 @@ def namespace(mount=False, uts=False, ipc=False, net=False, pid=False,
             fp = namespaces[ns]
             setns(fp.fileno(), 0)
             fp.close()
+
+        if mount:
+            # Restore original root and cwd. Since we cannot directly chroot to
+            # a fd, first change the current directory to the fd of the
+            # original root, then chroot to "."
+
+            os.fchdir(dirs["root"])
+            os.chroot(".")
+            os.fchdir(dirs["cwd"])
+
+            for fd in dirs.values():
+                os.close(fd)
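Review bot: the three restore calls `os.fchdir(dirs["root"])`, `os.chroot(".")` and `os.fchdir(dirs["cwd"])` are unprotected, so if any of them raises, the `for fd in dirs.values(): os.close(fd)` loop never runs and the descriptors leak; put the restore in a `try:` and the close loop in its `finally:`. The ordering itself is correct: changing into the saved root fd and then calling `chroot(".")` re-establishes the original root before the cwd is restored, which matches the nsenter sequence cited in the commit message. It would also be worth documenting on `namespace()` that with `mount=True` the caller's root and cwd are restored on exit, since callers running inside a chroot now depend on that behaviour.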
-- 
2.29.2




* Re: [gentoo-catalyst] [PATCH] catalyst: Restore root and cwd after exiting mount namespace
  2020-11-09 19:36 [gentoo-catalyst] [PATCH] catalyst: Restore root and cwd after exiting mount namespace Felix Bier
@ 2020-11-14 16:40 ` Matt Turner
  0 siblings, 0 replies; 2+ messages in thread
From: Matt Turner @ 2020-11-14 16:40 UTC
  To: gentoo-catalyst

On Mon, Nov 9, 2020 at 2:36 PM Felix Bier <Felix.Bier@rohde-schwarz.com> wrote:
>
> This commit saves the file descriptor of /proc/self/{root,cwd}
> before entering into the new mount namespace. When restoring the
> previous mount namespace, it restores /proc/self/{root,cwd}
> based on the saved file descriptors.
>
> Without this change, catalyst cannot be run in a chroot when
> using the recent changes regarding mount namespaces: After the
> mount namespace has been exited, /proc/self/root points to the "/"
> of the host system, not the "/" of the chroot. Therefore, the
> cleanup phase of catalyst runs outside of the chroot.
>
> The code is similar to how nsenter(1) sets root and cwd:
> https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/tree/sys-utils/nsenter.c#n452
>
> Tested in a Gentoo chroot and in a Gentoo VM (non-chroot).
>
> Signed-off-by: Felix Bier <felix.bier@rohde-schwarz.com>

Very nice. Thanks a bunch!

I've committed all four patches, but not until I munged them: I
stripped out all the headers except From/Date/Subject (and modified
the subject to remove [gentoo-catalyst], etc.); then ran base64 -d on the
body. Only then could I get the patches to apply. I really don't
understand why. I've never had to do this before. Maybe you're sending
the patches from a branch with a bunch of other work on it?

I'd suggest making a fresh clone of catalyst and trying to apply the
patches yourself to see if you can determine what's going on.


