Quoting Johannes Schauer Marin Rodrigues (2023-02-09 11:03:05)
> Quoting Helmut Grohne (2023-02-05 21:23:18)
> >  * It must be possible to mount proc in the unshared user+mount+pid
> >    namespace.
> >    - This should always work but may be restricted by the container
> >      technology for some reason.
> >    - Test case: unshare -U -m -p -f -r --mount-proc true
> >    - Paul tried this in the operational lxc containers. Successfully.
> >    - I tried this in a local autopkgtest-unstable lxc container.
> >      Successfully (unprivileged).
> >    - Johannes reported that this would be the step that fails.
>
> as a datapoint, on salsaci this happens:
>
>     + runuser -u debci -- unshare -U -m -p -f -r --mount-proc true
>     unshare: mount /proc failed: Operation not permitted
>
> Next I'm trying just to bind-mount /proc... let's see...
I now followed a more structured approach and tried the following six
variants under `runuser -u user -- unshare -U -m -p -f -r` in QEMU, salsaci
as well as debci:

1) `mount -t proc proc $tmp` -- the correct way to mount /proc, aka the way
   that debootstrap mounts /proc
2) --mount-proc as an argument to the unshare command
3) `mount -t proc -o nosuid,nodev,noexec proc $tmp` which results in the
   same mount syscall as the --mount-proc argument to the unshare command
4) `mount -o bind /proc $tmp` just bind mount /proc into the chroot
5) `mount -o bind,ro /proc $tmp` maybe bind-mounting read-only is doing
   something different?
6) `mount -o rbind /proc $tmp` let's just throw this in for good measure and
   see what happens. According to the mount man page, there is no read-only
   variant for recursive bind mounting.

The following table displays whether the command worked or failed with
outputs like:

    wrong fs type, bad option, bad superblock on /proc, missing codepage or
    helper program, or other error

or:

    mount point not mounted or bad option

Even when performing the mount syscall manually I found no way to get better
error output about what is actually not working...

      QEMU  salsaci  debci
    1 yes   no       yes
    2 yes   no       yes
    3 yes   no       yes
    4 no    no       no
    5 no    no       no
    6 yes   yes      yes

Do you see what I see? Apparently a recursive bind-mount of /proc works on
salsaci! I already tried this out in mmdebstrap and by using rbind I can
successfully run mmdebstrap in unshare mode on salsaci.

So the secret of bind-mounting proc in a privileged docker container is to
use --rbind.

Thanks!

cheers, josch
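The six-variant matrix above, as an added example that is not part of josch's mail and not mmdebstrap code: a POSIX sh script that runs each variant inside `unshare -U -m -p -f -r` on the current host and prints a yes/no column like the table. It assumes util-linux `unshare` is installed and that the host permits unprivileged user namespaces; where it cannot even create the namespace it reports `n/a` instead of a misleading `no`. The function names `variant_cmd`, `unshare_flags`, `probe_variant` and `run_matrix` are my own.

```shell
#!/bin/sh
# Added example: probe which /proc mount variants work inside
# `unshare -U -m -p -f -r` on this host. Run as an unprivileged user:
#   RUN_PROBE=1 sh probe_proc_mount.sh
# Each mount only exists inside the throwaway mount namespace, so nothing
# on the host is changed. All names below are hypothetical, not mmdebstrap's.

# Command executed inside the new namespace for variant $1 (1..6),
# using $2 as the mount point. Variant 2 is handled by --mount-proc on the
# unshare command line, so its inner command is just `true`.
variant_cmd() {
    case "$1" in
        1) echo "mount -t proc proc '$2'" ;;
        2) echo "true" ;;
        3) echo "mount -t proc -o nosuid,nodev,noexec proc '$2'" ;;
        4) echo "mount -o bind /proc '$2'" ;;
        5) echo "mount -o bind,ro /proc '$2'" ;;
        6) echo "mount -o rbind /proc '$2'" ;;
        *) return 1 ;;
    esac
}

# unshare flags for variant $1: the base set from the mail, plus
# --mount-proc for variant 2.
unshare_flags() {
    if [ "$1" -eq 2 ]; then
        echo "-U -m -p -f -r --mount-proc"
    else
        echo "-U -m -p -f -r"
    fi
}

# Run one variant and print yes, no, or n/a (unshare missing or the
# namespace itself cannot be created, so the result says nothing about /proc).
probe_variant() {
    n=$1
    tmp=$(mktemp -d)
    flags=$(unshare_flags "$n")
    cmd=$(variant_cmd "$n" "$tmp")
    if ! command -v unshare >/dev/null 2>&1 ||
       ! unshare -U -m -p -f -r true >/dev/null 2>&1; then
        rmdir "$tmp"
        echo n/a
        return 0
    fi
    # shellcheck disable=SC2086   # $flags is meant to be word-split
    if unshare $flags sh -c "$cmd" >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
    rmdir "$tmp"
}

# Print the whole matrix for this host: number, result, flags, inner command.
run_matrix() {
    i=1
    while [ "$i" -le 6 ]; do
        printf '%d\t%s\tunshare %s\t%s\n' "$i" "$(probe_variant "$i")" \
            "$(unshare_flags "$i")" "$(variant_cmd "$i" '$tmp')"
        i=$((i + 1))
    done
}

if [ -n "${RUN_PROBE:-}" ]; then
    run_matrix
fi
```

Compare the column this prints against the QEMU/salsaci/debci columns in the mail; a host where 1 through 3 fail but 6 succeeds shows the same restriction josch hit on salsaci, and a column of `n/a` means user namespaces are blocked outright, which is a different (and earlier) failure than the /proc mount.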