Fix failed exec after systemctl daemon-reload

Open kolyshkin opened this issue 2 years ago • 0 comments

A regression reported for runc v1.1.3 says that after systemctl daemon-reload runc exec fails:

exec failed: unable to start container process: open /dev/pts/0: operation not permitted: unknown

Apparently, with commit 7219387eb7db69b we are no longer adding the "DeviceAllow=char-pts rwm" rule (because os.Stat("char-pts") returns ENOENT).

The bug can only be seen after "systemctl daemon-reload" because runc also applies the same rules manually (by writing to devices.allow for cgroup v1), and apparently reloading systemd leads to re-applying the rules that systemd has (thus removing the char-pts access).

The fix is to do os.Stat only for "/dev" paths.

Also, emit a warning that the path was skipped. Since the original idea was to emit fewer warnings, demote the level to debug.

Fixes: https://github.com/opencontainers/runc/issues/3551
Fixes: 7219387eb7db69b4dae740c9d37d973d9a735801

TODO:

  • [ ] add a regression test

kolyshkin, Aug 11 '22 01:08
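The stat filter described in the post above, as an added Go example that is not runc's own code: it renders DeviceAllow= lines once with every target stat'ed (the regressed behaviour) and once with only "/dev" paths stat'ed (the fix). The names `rule`, `deviceAllow`, `fakeStat` and `sampleRules`, the "/dev/" prefix test and the sample input are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// rule is a hypothetical stand-in for one device rule handed to systemd.
type rule struct {
	Target string // device node path, or a group specifier such as "char-pts"
	Perms  string
}

// deviceAllow renders DeviceAllow= lines. statAll=true models the regression
// (every target is stat'ed, so "char-pts" is dropped on ENOENT); statAll=false
// models the fix (only "/dev/" paths are stat'ed, specifiers pass through).
func deviceAllow(rules []rule, stat func(string) error, statAll bool) (props, skipped []string) {
	for _, r := range rules {
		if statAll || strings.HasPrefix(r.Target, "/dev/") {
			if err := stat(r.Target); err != nil {
				// The post logs this at debug level; here it is collected instead.
				skipped = append(skipped, r.Target)
				continue
			}
		}
		props = append(props, "DeviceAllow="+r.Target+" "+r.Perms)
	}
	return props, skipped
}

// fakeStat is constructed so the example does not depend on the host's /dev:
// only /dev/null "exists"; everything else reports ENOENT.
func fakeStat(path string) error {
	if path == "/dev/null" {
		return nil
	}
	return os.ErrNotExist
}

// sampleRules is constructed input: a real node, a specifier, a missing node.
var sampleRules = []rule{
	{"/dev/null", "rwm"},
	{"char-pts", "rwm"},
	{"/dev/constructed-missing", "rw"},
}

func main() {
	for _, statAll := range []bool{true, false} {
		props, skipped := deviceAllow(sampleRules, fakeStat, statAll)
		fmt.Printf("statAll=%v props=%q skipped=%q\n", statAll, props, skipped)
	}
}
```

Passing a wrapper around `os.Stat` instead of `fakeStat` runs the same check against the host's real device nodes.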