Package: schroot; Maintainer for schroot is Christoph Biedl <debian.axhn@manchmal.in-ulm.de>; Source for schroot is src:schroot.
Reported by: Stefano Rivera <stefanor@debian.org>
Date: Sun, 24 Apr 2011 10:33:11 UTC
Severity: wishlist
Found in version schroot/1.4.21-1
Report forwarded to debian-bugs-dist@lists.debian.org, Debian buildd-tools Developers <buildd-tools-devel@lists.alioth.debian.org> (Sun, 24 Apr 2011 10:33:14 GMT); acknowledgement sent to Stefano Rivera <stefanor@debian.org> (Sun, 24 Apr 2011 10:33:17 GMT).

Message #5 received at submit@bugs.debian.org:
Package: schroot
Version: 1.4.21-1+b1
Severity: wishlist
Linux supports read-only bind-mounts, but they can only be made
read-only after bind-mounting, not during.
i.e.
mount --bind /foo /bar
mount -o remount,ro /bar
I hacked support for this into my schroot installation by running the
following after schroot-mount in 10mount:
sed -nre 's/([^ \t]*).*ro,bind.*/\1/ p' "$FSTAB" \
| while read ro_mountpoint; do
info "Remounting $ro_mountpoint read-only"
mount -o remount,ro "$CHROOT_MOUNT_LOCATION/$ro_mountpoint"
done
But it would be really nice if schroot-mount supported it.
SR
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.38-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_ZA.UTF-8, LC_CTYPE=en_ZA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages schroot depends on:
ii libboost-filesystem1.46.1 1.46.1-3 filesystem operations (portable pa
ii libboost-program-options1.46. 1.46.1-3 program options library for C++
ii libboost-regex1.46.1 1.46.1-3 regular expression library for C++
ii libboost-system1.46.1 1.46.1-3 Operating system (e.g. diagnostics
ii libc6 2.11.2-11 Embedded GNU C Library: Shared lib
ii libgcc1 1:4.6.0-2 GCC support library
ii liblockdev1 1.0.3-1.4 Run-time shared library for lockin
ii libpam0g 1.1.2-2 Pluggable Authentication Modules l
ii libstdc++6 4.6.0-2 The GNU Standard C++ Library v3
ii libuuid1 2.17.2-9.1 Universally Unique ID library
ii schroot-common 1.4.21-1 common files for schroot
schroot recommends no packages.
Versions of packages schroot suggests:
pn aufs-modules | unionfs-m <none> (no description available)
ii btrfs-tools 0.19+20101101-1 Checksumming Copy on Write Filesys
ii debootstrap 1.0.29 Bootstrap a basic Debian system
pn lvm2 <none> (no description available)
ii unzip 6.0-4 De-archiver for .zip files
-- Configuration Files:
/etc/schroot/default/fstab changed:
/proc /proc none rw,rbind 0 0
/sys /sys none rw,rbind 0 0
/dev /dev none rw,rbind 0 0
/home /home none ro,bind 0 0
/home/stefanor/deb /home/stefanor/deb none rw,bind 0 0
/tmp /tmp none rw,bind 0 0
/etc/schroot/setup.d/10mount changed:
set -e

. "$SETUP_DATA_DIR/common-data"
. "$SETUP_DATA_DIR/common-functions"

if [ -f "$CHROOT_SCRIPT_CONFIG" ]; then
    . "$CHROOT_SCRIPT_CONFIG"
elif [ "$STATUS" = "ok" ]; then
    fatal "script-config file '$CHROOT_SCRIPT_CONFIG' does not exist"
fi

do_mount()
{
    info "Mounting $2 on $3"

    if [ ! -d "$3" ]; then
        mkdir -p "$3"
    fi
    if [ ! -d "$3" ]; then
        fatal "$3 does not exist, and could not be created"
    fi

    info "$MOUNT_VERBOSE $1 $2 $3"
    mount $MOUNT_VERBOSE $1 "$2" "$3"
}

do_umount_all()
{
    if [ -d "$1" ]; then
        # Note that flock is used here to prevent races reading
        # /proc/mounts, which on current (Linux 2.6.32) kernels is
        # racy.  If other processes are mounting or unmounting
        # filesystems as we read it, we can miss mount entries due to
        # the file changing as we read it.  This needs fixing in the
        # kernel, but an exclusive lock surrounding the
        # schroot-listmounts invocation is a partial fix.  This
        # prevents racing when multiple schroot processes are running.
        # Note that this does not prevent the problem when programs
        # other than schroot mount and unmount filesystems (since they
        # don't create the lock).
        ( flock 9
          mounts="$("$LIBEXEC_DIR/schroot-listmounts" -m "$1")"
          if [ "x$mounts" != 'x' ]; then
              echo "$mounts" |
              while read mountloc; do
                  info "Unmounting $mountloc"
                  umount "$mountloc" || exit 1
              done || exit 1
          fi
        ) 9>"/var/lock/schroot-umount"
    else
        warn "Mount location $1 no longer exists; skipping unmount"
    fi
}

do_mount_fs_union()
{
    # Prepare mount options (branch config) for union type
    if [ -z "$CHROOT_UNION_MOUNT_OPTIONS" ]; then
        case $CHROOT_UNION_TYPE in
            unionfs)
                CHROOT_UNION_MOUNT_OPTIONS="dirs=${CHROOT_UNION_OVERLAY_DIRECTORY}=rw,${CHROOT_UNION_UNDERLAY_DIRECTORY}=ro"
                ;;
            aufs)
                CHROOT_UNION_MOUNT_OPTIONS="br:${CHROOT_UNION_OVERLAY_DIRECTORY}:${CHROOT_UNION_UNDERLAY_DIRECTORY}=ro"
                ;;
        esac
    fi
    info "Using '$CHROOT_UNION_TYPE' for filesystem union"

    # Try mounting fs
    mount -t "$CHROOT_UNION_TYPE" -o "$CHROOT_UNION_MOUNT_OPTIONS" "$CHROOT_NAME" "$1"
}

if [ "$VERBOSE" = "verbose" ]; then
    MOUNT_VERBOSE="-v"
fi

if [ "$CHROOT_TYPE" = "directory" ] \
    || [ "$CHROOT_TYPE" = "file" ] \
    || [ "$CHROOT_TYPE" = "loopback" ] \
    || [ "$CHROOT_TYPE" = "block-device" ] \
    || [ "$CHROOT_TYPE" = "lvm-snapshot" ] \
    || [ "$CHROOT_TYPE" = "btrfs-snapshot" ]; then

    if [ "${CHROOT_UNION_TYPE:-none}" != "none" ]; then
        CREATE_UNION="yes"
    else
        CREATE_UNION="no"
    fi

    if [ $STAGE = "setup-start" ] || [ $STAGE = "setup-recover" ]; then

        case "$HOST_OS" in
            freebsd* | k*bsd*-gnu) :
                BINDOPT="-t nullfs"
                ;;
            *):
                BINDOPT="--bind"
                ;;
        esac

        if [ "$CHROOT_TYPE" = "directory" ]; then
            CHROOT_MOUNT_OPTIONS="$BINDOPT $CHROOT_MOUNT_OPTIONS"
            CHROOT_MOUNT_DEVICE="$CHROOT_DIRECTORY"
            if [ ! -d "$CHROOT_DIRECTORY" ]; then
                fatal "Directory '$CHROOT_DIRECTORY' does not exist"
            fi
        elif [ "$CHROOT_TYPE" = "file" ]; then
            CHROOT_MOUNT_OPTIONS="$BINDOPT $CHROOT_MOUNT_OPTIONS"
            CHROOT_MOUNT_DEVICE="${CHROOT_FILE_UNPACK_DIR}/${SESSION_ID}"
        elif [ "$CHROOT_TYPE" = "block-device" ]; then
            if [ ! "$DEVTYPE" "$CHROOT_DEVICE" ]; then
                fatal "Device '$CHROOT_DEVICE' does not exist"
            fi
        elif [ "$CHROOT_TYPE" = "btrfs-snapshot" ]; then
            CHROOT_MOUNT_OPTIONS="$BINDOPT $CHROOT_MOUNT_OPTIONS"
            CHROOT_MOUNT_DEVICE="$CHROOT_BTRFS_SNAPSHOT_NAME"
        elif [ "$CHROOT_TYPE" = "loopback" ]; then
            if [ ! -f "$CHROOT_FILE" ]; then
                fatal "File '$CHROOT_FILE' does not exist"
            fi
            case "$HOST_OS" in
                freebsd* | k*bsd*-gnu):
                    LOOP_DEVICE="/dev/$(/sbin/mdconfig -a -t vnode -f "$CHROOT_FILE")"
                    CHROOT_MOUNT_DEVICE="$LOOP_DEVICE"
                    ;;
                *):
                    LOOP_DEVICE="$(/sbin/losetup -j "$CHROOT_FILE" | sed -e 's/:.*$//')"
                    if [ -z "$LOOP_DEVICE" ]; then
                        CHROOT_MOUNT_DEVICE="$CHROOT_FILE"
                        CHROOT_MOUNT_OPTIONS="-o loop $CHROOT_MOUNT_OPTIONS"
                    else
                        CHROOT_MOUNT_DEVICE="$LOOP_DEVICE"
                    fi
                    ;;
            esac
        fi

        if [ ! -d "$CHROOT_MOUNT_LOCATION" ]; then
            mkdir -p "$CHROOT_MOUNT_LOCATION"
        fi
        if [ ! -d "$CHROOT_MOUNT_LOCATION" ]; then
            fatal "$CHROOT_MOUNT_LOCATION does not exist, and could not be created"
        fi

        # If recovering, we want to remount all filesystems to ensure
        # a sane state.
        if [ $STAGE = "setup-recover" ]; then
            if [ "$CREATE_UNION" = "yes" ]; then
                do_umount_all "$CHROOT_UNION_UNDERLAY_DIRECTORY"
            fi
            do_umount_all "$CHROOT_MOUNT_LOCATION"
        fi

        if [ "$CREATE_UNION" = "yes" ]; then
            do_mount "$CHROOT_MOUNT_OPTIONS" "$CHROOT_MOUNT_DEVICE" "$CHROOT_UNION_UNDERLAY_DIRECTORY"
            do_mount_fs_union "$CHROOT_MOUNT_LOCATION"
        else
            do_mount "$CHROOT_MOUNT_OPTIONS" "$CHROOT_MOUNT_DEVICE" "$CHROOT_MOUNT_LOCATION"
        fi

        if [ -n "$FSTAB" ]; then
            if [ -f "$FSTAB" ]; then
                "$LIBEXEC_DIR/schroot-mount" $MOUNT_VERBOSE \
                    -f "$FSTAB" -m "$CHROOT_PATH"
                # Local addition described in the report above: after
                # schroot-mount has bind-mounted the fstab entries, remount
                # the "ro,bind" ones read-only, since the bind mount itself
                # does not honour "ro".
                sed -nre 's/([^ \t]*).*ro,bind.*/\1/ p' "$FSTAB" \
                | while read ro_mountpoint; do
                    info "Remounting $ro_mountpoint read-only"
                    mount -o remount,ro "$CHROOT_MOUNT_LOCATION/$ro_mountpoint"
                done
            else
                fatal "fstab file '$FSTAB' does not exist"
            fi
        fi

    elif [ $STAGE = "setup-stop" ]; then

        do_umount_all "$CHROOT_MOUNT_LOCATION"
        if [ "$CREATE_UNION" = "yes" ]; then
            do_umount_all "$CHROOT_UNION_UNDERLAY_DIRECTORY"
        fi

        # Purge mount location.
        # The contents of file chroots are purged separately, because
        # we might want to repack the contents.
        if echo "$CHROOT_MOUNT_LOCATION" | grep -q "^$MOUNT_DIR/"; then
            if [ -d "$CHROOT_MOUNT_LOCATION" ]; then
                rmdir "$CHROOT_MOUNT_LOCATION"
            fi
        fi

    fi

fi
-- no debconf information
Information forwarded to debian-bugs-dist@lists.debian.org, Debian buildd-tools Developers <buildd-tools-devel@lists.alioth.debian.org> (Wed, 03 Aug 2011 02:48:03 GMT); acknowledgement sent to Robert Pendell <shinji@elite-systems.org>.

Message #10 received at 623913@bugs.debian.org:
The sed line is bugged and doesn't work as expected. It's pulling the first
column, but that only works if it happens to match the second column. You
really need to pull the second column directly. I have a very crude version
that works, but it could be done better another way.
grep -v '#' "$FSTAB" | grep ro | grep bind | awk '{$1=$1}1' \
    | tr -s ' ' | sed 's/\( \+\)/ /g' | cut -d' ' -f2 \
    | while read ro_mountpoint; do
        echo "Remounting $ro_mountpoint read-only"
        mount -o remount,ro "$CHROOT_MOUNT_LOCATION$ro_mountpoint"
    done
It runs the file through 3 greps: one to eliminate commented lines, and the
next two to reduce it to read-only binds only. Note that the bind and ro
parameter order won't matter because it isn't matching ro,bind; it just
matches ro, then bind. The next 3 parts are a weird series of awk, tr, and
sed that work quite well to remove extra spaces and convert tabs to spaces
for the cut command that finishes it off by selecting only the second field.
The other change was to replace the info command with echo so I can see it
in the shell, and to remove the / between $CHROOT_MOUNT_LOCATION and
$ro_mountpoint.
Like I said, I'm sure there is a much more elegant way to do this, but it
works well for me.
Robert Pendell
shinji@elite-systems.org
CAcert Assurer
"A perfect world is one of chaos."
Information forwarded to debian-bugs-dist@lists.debian.org, Debian buildd-tools Developers <buildd-tools-devel@lists.alioth.debian.org> (Sat, 22 Feb 2014 10:45:04 GMT); acknowledgement sent to Ralf Jung <post@ralfj.de>.

Message #15 received at 623913@bugs.debian.org:
Hi,

this would indeed be a great feature. It would also be interesting to be able to make the chroot "root" mount (which is not controlled by the fstab file) read-only.

Furthermore, there are additional interesting flags that can be set for bind mounts, but only with a remount - think of nosuid, noexec.

Kind regards
Ralf
Information forwarded to debian-bugs-dist@lists.debian.org, Debian buildd-tools Developers <buildd-tools-devel@lists.alioth.debian.org> (Sun, 23 Feb 2014 20:12:04 GMT); acknowledgement sent to Roger Leigh <rleigh@codelibre.net>.

Message #20 received at 623913@bugs.debian.org:
On Sat, Feb 22, 2014 at 11:42:11AM +0100, Ralf Jung wrote:
> this would indeed be a great feature. It would also be interesting to be
> able to make the chroot "root" mount (which is not controlled by the
> fstab file) read-only.

I recall that there's a reason why "ro,bind" doesn't work directly--you
have to do two bind mounts to get it properly read-only. Is that correct?
What's the recommended sequence to make this work properly? If we see
"ro" and "bind" in the mount options, we can probably special-case it;
but if it's doable directly in the fstab file, that would be even better.
Can you do it with two entries?

> Furthermore, there are additional interesting
> flags that can be set for bind mounts, but only with a remount - think
> of nosuid, noexec.

Definitely. If we can do this as for ro, that sounds like a good idea.

WRT the "root" mount, this will vary depending upon the chroot type. For
example, we have mount options for LVM-snapshot and block-device type
chroots already. We don't for btrfs, but we could potentially remount the
subvolume. Other non-mountable types might be unpacked directly on /var,
in which case we would have to do bind mount on top of the mount trickery?

Regards,
Roger

--
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   schroot and sbuild           http://alioth.debian.org/projects/buildd-tools
   `-    GPG Public Key               F33D 281D 470A B443 6756 147C 07B3 C8BC 4083 E800
Information forwarded to debian-bugs-dist@lists.debian.org, Debian buildd-tools Developers <buildd-tools-devel@lists.alioth.debian.org> (Sun, 23 Feb 2014 22:09:05 GMT); acknowledgement sent to Ralf Jung <post@ralfj.de>.

Message #25 received at 623913@bugs.debian.org:
Hi,

> I recall that there's a reason why "ro,bind" doesn't work
> directly--you have to do two bind mounts to get it properly
> read-only. Is that correct? What's the recommended sequence to make
> this work properly? If we see "ro" and "bind" in the mount options,
> we can probably special-case it; but if it's doable directly in the
> fstab file, that would be even better. can you do it with two
> entries?

I don't know the reason why a normal mount does not work. But the following works:

mount -o bind /original /mounted
mount -o remount,bind,ro /mounted

Options are only applied when re-mounting. Adding the same entry to the fstab twice does not work.

> Definitely. If we can do this as for ro, that sounds like a good
> idea.
>
> WRT the "root" mount, this will vary depending upon the chroot type.
> For example, we have mount options for LVM-snapshot and block-device
> type chroots already. We don't for btrfs, but we could potentially
> remount the subvolume. Other non-mountable types might be unpacked
> directly on /var, in which case we would have to do bind mount on to
> of the mount trickery?

I am using "directory" chroots, which are bind-mounted into /var/lib/schroot/mount, so it should work for them as well. I just don't have a way to configure this. Of course if the chroot is in a tar-file and unpacked, this cannot work. One could bind-mount the folder on itself though, and then re-mount it read-only...^^

For now, I went with a solution that "works for me" (TM) without being particularly elegant: Add [1] to setup.d and [2] into my profile directory.

[1] http://www.ralfj.de/git/schsh.git/blob/HEAD:/schroot/setup.d/80schsh-hardening
[2] http://www.ralfj.de/git/schsh.git/blob/HEAD:/schroot/schsh/schsh-hardening

A proper solution would probably be to patch schroot-mount to check if the "ro" option is present (or any option other than rw and bind, for that matter), and then do a re-mount immediately after the mount. Plus some patches in setup.d/10mount for the root case...

Kind regards
Ralf
Information forwarded to debian-bugs-dist@lists.debian.org, Debian buildd-tools Developers <buildd-tools-devel@lists.alioth.debian.org> (Fri, 05 Sep 2014 17:00:04 GMT); acknowledgement sent to Chris Fester <camaronut@gmail.com>.

Message #30 received at 623913@bugs.debian.org:
Hi all,
I looked at the source code for schroot, and found that a mount command was
being forked/exec'd for every line in the fstab file. I was able to get ro
bind mounts working with two entries in the fstab file. Examples:
/sandboxes/rev3disks/platform /home/Platform none ro,bind 0 0
/sandboxes/rev3disks/sdk /home/SDK none ro,bind 0 0
#The lines below are necessary to change the bind mount to readonly
/home/Platform /home/Platform none remount,ro,bind 0 0
/home/SDK /home/SDK none remount,ro,bind 0 0
The key was to make sure you specify bind even when doing the remount.
Stumbled on that while reading the mount man page.
The output of schroot still warns that the dirs are rw, but a check of
/proc/mounts outside of the sandbox confirms they've been properly
remounted ro.
Thanks for all the great work with schroot! It solves many of my build
problems!
Chris Fester
--
Oh, meltdown... It's one of these annoying buzzwords. We prefer to call it
an unrequested fission surplus.
-- Mr. Burns, The Simpsons
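The three approaches in this log (the sed in the original report that takes the first fstab column, the grep pipeline that matches "ro" and "bind" as substrings, and the two-entry fstab with remount,ro,bind) all come down to one task: find the bind entries whose options only take effect on a remount, and emit that remount. The script below is an added example written for this page; it is not code from the bug log, from schroot, or from any of the participants. The function names, the constructed sample fstab and the chroot path /var/lib/schroot/mount/sid are assumptions for illustration; the fstab columns are the ones schroot-mount reads (device, mount point relative to the chroot, type, options, dump, pass).

```shell
#!/bin/sh
# Added example, not code from the bug log or from schroot: derive the
# remount step that Linux needs before a bind mount honours "ro" (and, as
# noted in the thread, nosuid/noexec/nodev) from an schroot-style fstab.
#
# Substring matching on "ro" and "bind" is not safe here: the line
# "/proc /proc none rw,rbind" contains both substrings, so the options
# field is split on commas and compared as whole words instead.

# Print "<mountpoint> <flags>" for every bind or rbind entry whose options
# carry at least one flag that the initial bind mount ignores.  Entries
# that are themselves remounts are skipped, so a companion entry already
# present in the file is not emitted a second time.  Reads fstab on stdin.
bind_remount_entries() {
    while read -r dev mountpoint fstype opts rest; do
        # blank lines and comments
        case $dev in ''|'#'*) continue ;; esac
        [ -n "$opts" ] || continue

        is_bind=no
        is_remount=no
        flags=
        # walk the options field without touching IFS: "a,b,c," -> a b c
        remaining="$opts,"
        while [ -n "$remaining" ]; do
            opt=${remaining%%,*}
            remaining=${remaining#*,}
            case $opt in
                bind|rbind)              is_bind=yes ;;
                remount)                 is_remount=yes ;;
                ro|nosuid|noexec|nodev)  flags="${flags:+$flags,}$opt" ;;
            esac
        done

        if [ "$is_bind" = yes ] && [ "$is_remount" = no ] && [ -n "$flags" ]; then
            printf '%s %s\n' "$mountpoint" "$flags"
        fi
    done
}

# Print the mount(8) calls a setup.d hook would run after schroot-mount.
# $1 is the mounted chroot root (schroot's CHROOT_PATH is assumed here);
# a trailing "/" is dropped so the mount point is joined without "//".
# "bind" is kept in the remount, which is what makes the flags stick.
remount_commands() {
    root=${1%/}
    bind_remount_entries | while read -r mp flags; do
        printf "mount -o remount,bind,%s '%s'\n" "$flags" "$root$mp"
    done
}

# Alternative without a hook: print the second fstab entry per bind mount
# (the mount point bind-remounted onto itself), to append to the fstab.
companion_fstab_entries() {
    bind_remount_entries | while read -r mp flags; do
        printf '%s %s none remount,bind,%s 0 0\n' "$mp" "$mp" "$flags"
    done
}

# Constructed sample fstab, modelled on the one in the report, plus a
# commented-out line, a multi-flag entry and a tab-separated line.
sample_fstab() {
    cat <<'EOF'
/proc           /proc           none    rw,rbind        0 0
/sys            /sys            none    rw,rbind        0 0
/dev            /dev            none    rw,bind         0 0
/home           /home           none    ro,bind         0 0
/home/stefanor/deb /home/stefanor/deb none rw,bind      0 0
/tmp            /tmp            none    rw,bind         0 0
# /srv/build    /build          none    ro,bind         0 0
/usr/local/sdk  /opt/sdk        none    bind,ro,nosuid,noexec   0 0
EOF
    printf '/var/cache/apt\t/var/cache/apt\tnone\tbind,ro\t0 0\n'
}

# Demonstration on the constructed sample.
sample_fstab | bind_remount_entries
sample_fstab | remount_commands /var/lib/schroot/mount/sid/
sample_fstab | companion_fstab_entries
```

In a 10mount-style hook the first variant would run as `remount_commands "$CHROOT_PATH" < "$FSTAB" | sh` right after the schroot-mount call; the second variant is the two-entry fstab from the last message, generated rather than maintained by hand. Two caveats: a remount with MS_REMOUNT|MS_BIND changes the flags of the one mount it is applied to, so for an rbind entry the submounts keep their original flags; and a read-only bind mount only blocks writes through that mount point, the same files stay writable through the original path and for anyone who can remount, so it is a hardening layer rather than an isolation boundary.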