fix an error caused by fd reuse race when starting runc init #4452
Conversation
lifubang
force-pushed
the
fix-fd-reuse-race
branch
3 times, most recently
from
dca6564
to
37302c5
Compare
|
Related: it would be nice to finish https://go-review.googlesource.com/c/go/+/515799 |
Yes, but this logic is very complex, maybe need more time to test. Another thing I want to know, the closed fd 6/7 is opened and closed by whom? I printed the first 6 fds: Maybe by go runtime? |
lifubang
force-pushed
the
fix-fd-reuse-race
branch
from
37302c5
to
e502359
Compare
lifubang
force-pushed
the
fix-fd-reuse-race
branch
5 times, most recently
from
c9ed140
to
ddc70a3
Compare
There is a race situation when we are opening a file, if there is a small fd was closed at that time, maybe it will be reused by safeExe. Because of Go stdlib fds shuffling bug, if the fd of safeExe is too small, go stdlib will dup3 it to another fd, or dup3 a other fd to this fd, then it will cause the fd type cmd.Path refers to a random path, and it can lead to an error "permission denied" when starting the process. Please see opencontainers#4294 and <golang/go#61751>. So we should not use the original fd of safeExe, but use the fd after shuffled by Go stdlib. Because Go stdlib will guarantee this fd refers to the correct file. Signed-off-by: lfbzhm <lifubang@acmcoder.com>
lifubang
force-pushed
the
fix-fd-reuse-race
branch
from
ddc70a3
to
e669926
Compare
Yes, another ugly place: runc/libcontainer/container_linux.go Line 563 in e669926 We should set a correct valut to exePath at this line, but it's hard to move the patch code to this place. Because append some files to p.ExtraFiles will cause more problems.It indeed seems that it's the simplest way to fix the bug at this time. |
|
Yeah, it would be nice if Go supported |
| // So we should not use the original fd of safeExe, but use the fd after | ||
| // shuffled by Go stdlib. Because Go stdlib will guarantee this fd refers to | ||
| // the correct file. | ||
| cmd.Path = "/proc/self/fd/" + strconv.Itoa(stdioFdCount+len(cmd.ExtraFiles)-1) |
There was a problem hiding this comment.
Super nit: I think it would be slightly more clear if we add a comment here: https://github.com/opencontainers/runc/blob/main/libcontainer/container_linux.go#L563 saying we will override it later.
Also, IMHO having this in a function and just calling it from https://github.com/opencontainers/runc/blob/main/libcontainer/container_linux.go#L563 seems slightly better. But I don't know if it feels safer, due to this nasty bug, to do it way later when we won't have a small fd number (to be extra cautious).
In any case, this is very subjective and if the code as is feels better, I'm completely fine. And even if we want to add it, this can be a follow-up PR.
Fixes: #4294
There is a race situation when we are opening a file, if there is a
small fd was closed at that time, maybe it will be reused by safeExe.
Because of Go stdlib fds shuffling bug, if the fd of safeExe is too
small, go stdlib will dup3 it to another fd, or dup3 a other fd to this
fd, then it will cause the fd type cmd.Path refers to a random path,
and it can lead to an error "permission denied" when starting the process.
Please see #4294 and golang/go#61751.
So we should not use the original fd of safeExe, but use the fd after
shuffled by Go stdlib. Because Go stdlib will guarantee this fd refers to
the correct file.
Signed-off-by: lfbzhm lifubang@acmcoder.com