From: Ignat Korchagin <email@example.com> To: Al Viro <firstname.lastname@example.org> Cc: email@example.com, linux-kernel <firstname.lastname@example.org>, kernel-team <email@example.com> Subject: Re: [PATCH] mnt: add support for non-rootfs initramfs Date: Thu, 5 Mar 2020 22:45:44 +0000 Message-ID: <CALrw=nF-0E2icB85aU6hDoGmukQ0Hp_b0Un0savTco=meQV4uw@mail.gmail.com> (raw) In-Reply-To: <20200305202124.GV23230@ZenIV.linux.org.uk> On Thu, Mar 5, 2020 at 8:21 PM Al Viro <firstname.lastname@example.org> wrote: > > On Thu, Mar 05, 2020 at 07:35:11PM +0000, Ignat Korchagin wrote: > > The main need for this is to support container runtimes on stateless Linux > > system (pivot_root system call from initramfs). > > > > Normally, the task of initramfs is to mount and switch to a "real" root > > filesystem. However, on stateless systems (booting over the network) it is just > > convenient to have your "real" filesystem as initramfs from the start. > > > > This, however, breaks different container runtimes, because they usually use > > pivot_root system call after creating their mount namespace. But pivot_root does > > not work from initramfs, because initramfs runs form rootfs, which is the root > > of the mount tree and can't be unmounted. > > > > One can solve this problem from userspace, but it is much more cumbersome. We > > either have to create a multilayered archive for initramfs, where the outer > > layer creates a tmpfs filesystem and unpacks the inner layer, switches root and > > does not forget to properly cleanup the old rootfs. Or we need to use keepinitrd > > kernel cmdline option, unpack initramfs to rootfs, run a script to create our > > target tmpfs root, unpack the same initramfs there, switch root to it and again > > properly cleanup the old root, thus unpacking the same archive twice and also > > wasting memory, because kernel stores compressed initramfs image indefinitely. > > > > With this change we can ask the kernel (by specifying nonroot_initramfs kernel > > cmdline option) to create a "leaf" tmpfs mount for us and switch root to it > > before the initramfs handling code, so initramfs gets unpacked directly into > > the "leaf" tmpfs with rootfs being empty and no need to clean up anything. > > IDGI. Why not simply this as the first thing from your userland: > mount("/", "/", NULL, MS_BIND | MS_REC, NULL); > chdir("/.."); > chroot("."); > 3 syscalls and you should be all set... (sorry for duplicate - didn't press "reply all" the first time) Container people really prefer pivot_root over chroot due to some security concerns around chroot. As far as my (probably limited) understanding goes, while the above approach will make it work, it will have the same security implications as just using chroot: we trick the system to perform pivot_root, however we don't get rid of the actual host root filesystem in the cloned namespace.
next prev parent reply index Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top 2020-03-05 19:35 Ignat Korchagin 2020-03-05 20:21 ` Al Viro 2020-03-05 22:45 ` Ignat Korchagin [this message] 2020-03-05 21:09 ` James Bottomley 2020-03-05 22:21 ` Arvind Sankar 2020-03-05 22:53 ` Ignat Korchagin 2020-03-11 14:01 ` Ignat Korchagin
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to='CALrw=nF-0E2icB85aU6hDoGmukQ0Hp_b0Un0savTco=meQV4uw@mail.gmail.com' \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: link
Linux-Fsdevel Archive on lore.kernel.org Archives are clonable: git clone --mirror https://lore.kernel.org/linux-fsdevel/0 linux-fsdevel/git/0.git # If you have public-inbox 1.1+ installed, you may # initialize and index your mirror using the following commands: public-inbox-init -V2 linux-fsdevel linux-fsdevel/ https://lore.kernel.org/linux-fsdevel \ firstname.lastname@example.org public-inbox-index linux-fsdevel Example config snippet for mirrors Newsgroup available over NNTP: nntp://nntp.lore.kernel.org/org.kernel.vger.linux-fsdevel AGPL code for this site: git clone https://public-inbox.org/public-inbox.git