
Fuse umount not working

Open Ratio2 opened this issue 2 years ago • 2 comments

Debian 12, Linux 6.1, Sysbox 0.6.2, arch amd64

docker run -it --rm --runtime=sysbox-runc --device=/dev/fuse `docker build -q - << EOF
FROM debian
RUN apt-get update && \
	apt-get install -y --no-install-recommends systemd-sysv dbus kmod fuse gocryptfs && \
	echo 'root:123' | chpasswd && \
	mkdir /root/gocrypt /root/gocrypt-mnt && \
	/bin/echo -e '123\n123' | gocryptfs -init /root/gocrypt
STOPSIGNAL SIGRTMIN+3
ENTRYPOINT ["/sbin/init"]
EOF`
root@30511579335b:~# echo '123' | mount -t fuse.gocryptfs gocrypt gocrypt-mnt
Reading Password from stdin
Decrypting master key
Filesystem mounted and ready.
root@30511579335b:~# umount gocrypt-mnt
umount: /root/gocrypt-mnt: no mount point specified.
root@30511579335b:~# mount | grep gocrypt
/root/gocrypt on /root/gocrypt-mnt type fuse.gocryptfs (rw,relatime,user_id=0,group_id=0,max_read=131072)

Ratio2, Aug 29 '23 13:08

I've been looking into this issue for a bit and it seems like sysbox-fs is unable to process the unmount request as the fuse mount is in a different namespace.

Specifically, it fails when checking whether sysbox can access the path of the unmount request: https://github.com/nestybox/sysbox-fs/blob/4c2bc153f33af1bd30a227a14ecfc8174ff280d5/seccomp/tracer.go#L712-L716. The first error is thrown by os.Lstat inside isSymlink, but there are a few places where sysbox tries to grab some information about the mount.

pierrebeaucamp, Sep 06 '24 12:09

Thanks @Ratio2 for reporting the issue and @pierrebeaucamp for pinpointing the problem code.

I was able to reproduce with the steps you listed above, so I can investigate what's going on.

sysbox-fs is unable to process the unmount request as the fuse mount is in a different namespace.

sysbox-fs should have handled that properly, but there must be a bug somewhere. It's strange because mounts/unmounts of other filesystems work fine inside the container:

root@a999080302fd:~# pwd
/root

root@a999080302fd:~# mkdir tmp
root@a999080302fd:~# mount -t tmpfs tmpfs tmp
root@a999080302fd:~# mount | grep /root/tmp
tmpfs on /root/tmp type tmpfs (rw,relatime,uid=165536,gid=165536,inode64)

root@a999080302fd:~# umount tmp
root@a999080302fd:~# mount | grep /root/tmp

I'll take a look, thanks again!

ctalledo, Sep 23 '24 21:09