Don't use hard links in runc jailer
firecracker-containerd uses hard links in runc jailer. However, making a hard link doesn't work if its destination and its source are in different partitions.
We need to either 1) document the restriction or 2) use other mechanisms (bind-mount?).
@kzys To clarify this issue, do you mean this line of code uses hard links?
Yes.
@kzys I am not sure if it is a good idea to use bind mount, as in the implementation shown in PR#508. I think documenting the restriction is the best for now, simply because bind mounting opens so many security issues. It requires at least chmod with 0706 for granting permission, which basically means everyone can read and write. I tried many different file modes which are smaller than 0706, such as 0700 and 0701; none of them work. Without the 0706 file mode, PutLogger will complain: Permission Denied.
msg="failed to create VM" error="failed to start the VM: [PUT /logger][400] putLoggerBadRequest &{FaultMessage:Permission denied (os error 13)}" runtime=aws.firecracker vmID=vm-2
How about changing the owner of these files, rather than opening the read and write permissions to others?
This line of code already changed the whole directory ownership. Do you mean change the ownership of the file as well?
Yes. In order to read a file, the file itself must be readable from the user.
In the example below, ec2-user/ is owned by ec2-user, but the file ec2-user/foobar is owned by root. So ec2-user cannot read the file.
[ec2-user@ip-172-31-25-68 tmp]$ ls -ld ec2-user
drwxrwxr-x 2 ec2-user ec2-user 20 May 17 17:34 ec2-user
[ec2-user@ip-172-31-25-68 tmp]$ ls -ld ec2-user/foobar
-rw--w---- 1 root ec2-user 0 May 17 17:34 ec2-user/foobar
[ec2-user@ip-172-31-25-68 tmp]$ cat ec2-user/foobar
cat: ec2-user/foobar: Permission denied
[ec2-user@ip-172-31-25-68 tmp]$
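The owner/group/other check behind this discussion, as an added example that is not code from firecracker-containerd or from any participant in the thread. The uid/gid values and the `file` and `allowed` names are hypothetical, and the sketch assumes a non-root process with no supplementary groups, ACLs or capabilities.

```go
package main

import "fmt"

// Access bits a caller can ask for (same values as one rwx class).
const (
	wantRead  = 4
	wantWrite = 2
)

// file holds constructed owner/group/mode values; nothing is read from disk.
type file struct {
	uid, gid, mode uint32
}

// allowed applies the Unix permission check for a non-root process: exactly
// one class is selected (owner, else group, else other) and only its bits
// count. Supplementary groups, ACLs and capabilities are ignored here.
func allowed(f file, uid, gid, want uint32) bool {
	var bits uint32
	switch {
	case uid == f.uid:
		bits = (f.mode >> 6) & 7
	case gid == f.gid:
		bits = (f.mode >> 3) & 7
	default:
		bits = f.mode & 7
	}
	return bits&want == want
}

func main() {
	// Hypothetical ids: 0 = root, 1000 = jailed VMM user, 2000 = unrelated user.
	cases := []struct {
		name string
		f    file
	}{
		{"root:jailer 0620 (the ls output above)", file{0, 1000, 0620}},
		{"root:root 0700", file{0, 0, 0700}},
		{"root:root 0706", file{0, 0, 0706}},
		{"jailer:jailer 0600 (after chown)", file{1000, 1000, 0600}},
	}
	for _, c := range cases {
		fmt.Printf("%-40s jailer r=%-5v w=%-5v unrelated rw=%v\n", c.name,
			allowed(c.f, 1000, 1000, wantRead), allowed(c.f, 1000, 1000, wantWrite),
			allowed(c.f, 2000, 2000, wantRead|wantWrite))
	}
}
```

With a root-owned file, only the "other" bits apply to the jailed user, so 0706 grants the same access to every other account, while a file chowned to the jailed user works at 0600 and stays closed to everyone else.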