Support for `/proc/self/mountinfo`
Description of the feature
Some software, such as Elasticsearch, relies on `/proc/self/mountinfo` to detect certain features of the file system. The detailed code is as follows: https://github.com/elastic/elasticsearch/blob/9584d10078d156e62736ad58aea1985252b889d4/server/src/main/java/org/elasticsearch/env/ESFileStore.java#L43
How can Gramine support /proc/self/mountinfo? If code needs to be added to enable this feature for Gramine, what should be done?
Why Gramine should implement it?
Running Elasticsearch on Gramine.
fyi @bronzeMe
Using passthrough is working; whether it is completely secure or makes sense, I'm not sure:

```toml
[[fs.mounts]]
path = "/proc/mounts"
uri = "file:/proc/mounts"

[[fs.mounts]]
path = "/proc/sys/vm/max_map_count"
uri = "file:/proc/sys/vm/max_map_count"
```
This is unlikely to be secure or correct.
- Security: The app will trust this info which will be fully host-controlled if you just passthrough it.
- Correctness: This config provides information about the host filesystem, which is completely unrelated to the virtual filesystem inside Gramine.
Would it be better to then just mount a static checksummed file instead? That would make the elastic and java check succeed.
Yes, assuming you put meaningful data inside (corresponding to what's actually mounted inside Gramine).
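One way to check the condition in the last reply, that a static file describes what is actually mounted inside Gramine, before recording its hash. This is an added example, not code from the thread or the Gramine project; the mount list, the sample file contents and the function names are constructed assumptions.

```python
import hashlib
import re

# Constructed sample: "path" values of the manifest's [[fs.mounts]] entries.
MANIFEST_MOUNTS = ["/", "/lib", "/data/es nodes"]

# Constructed static mountinfo content in proc(5) field layout; the IDs,
# device numbers and filesystem types are placeholders, not Gramine output.
STATIC_MOUNTINFO = (
    "1 0 0:1 / / rw - ext4 none rw\n"
    "2 1 0:2 / /lib ro - ext4 none ro\n"
    "3 1 0:3 / /data/es\\040nodes rw - ext4 none rw\n"
    "4 1 8:1 / /boot/efi rw - vfat /dev/sda1 rw\n"  # copied from a host by mistake
)

def _unescape(field):
    # mountinfo writes space, tab, newline and backslash as \ooo octal escapes.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mountinfo(text):
    """Return one dict per mount line; raise ValueError on a malformed line."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        try:
            sep = fields.index("-", 6)  # optional fields end at the first "-"
        except ValueError:
            raise ValueError(f"line {n}: no '-' separator after field 6") from None
        if len(fields) < sep + 4:
            raise ValueError(f"line {n}: fs type, source or super options missing")
        entries.append({"mount_point": _unescape(fields[4]),
                        "fs_type": fields[sep + 1],
                        "source": _unescape(fields[sep + 2])})
    return entries

def compare_with_manifest(text, manifest_mounts):
    """Return (missing, unexpected) mount points relative to the manifest."""
    described = {e["mount_point"] for e in parse_mountinfo(text)}
    declared = set(manifest_mounts)
    return sorted(declared - described), sorted(described - declared)

def sha256_hex(text):
    # Digest to record next to the file so later changes are noticed.
    return hashlib.sha256(text.encode()).hexdigest()

if __name__ == "__main__":
    print(compare_with_manifest(STATIC_MOUNTINFO, MANIFEST_MOUNTS))
    print(sha256_hex(STATIC_MOUNTINFO))
```

An empty `missing` list and an empty `unexpected` list are the state to reach before the file is hashed; the constructed sample deliberately leaves one host entry in place so the second list is non-empty.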