Description of problem:
According to the help output of atomic mount, the --shared option should only be supported for a container, but when you check the man page of atomic-mount, you will find that as long as --live is not set, a UUID or REPO that refers to an image should be okay. In fact, I can indeed successfully mount an image with the --shared option; however, it is a read-only mount, which can't be used by other images or containers.
Version-Release number of selected component (if applicable):
[cloud-user@atomic-host-001 atomic]$ sudo atomic host status
TIMESTAMP (UTC) VERSION ID OSNAME REFSPEC
* 2016-06-18 15:21:12 7.2.5 9bfe1fb650 rhel-atomic-host rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
[cloud-user@atomic-host-001 atomic]$ rpm -q atomic docker
atomic-1.10.5-5.el7.x86_64
docker-1.10.3-44.el7.x86_64
[cloud-user@atomic-host-001 atomic]$ cat /etc/redhat-release
Red Hat Enterprise Linux Atomic Host release 7.2
How reproducible:
always
Steps to Reproduce:
1. atomic mount -h
2. man atomic-mount
3. docker pull busybox
4. atomic mount --shared <atomic_image_id> /mnt
Actual results:
[cloud-user@atomic-host-001 atomic]$ sudo docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[cloud-user@atomic-host-001 atomic]$ sudo atomic images
REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE
docker.io/busybox latest sha256:2b8fd 2016-06-23 23:23 1.09 MB
[cloud-user@atomic-host-001 atomic]$ sudo atomic mount --shared sha256:2b8fd /mnt
[cloud-user@atomic-host-001 atomic]$ sudo touch /mnt/tmp/test
touch: cannot touch ‘/mnt/tmp/test’: Read-only file system
[cloud-user@atomic-host-001 atomic]$ sudo grep mnt /proc/mounts
/dev/mapper/docker-253:0-9197922-1bdd0508f7c1ecd5d49244fec5e355669697eb14a25068fda3f85affb354b384 /var/mnt xfs ro,context=system_u:object_r:usr_t:s0,nosuid,nodev,relatime,nouuid,attr2,inode64,sunit=1024,swidth=1024,noquota 0 0
/dev/mapper/docker-253:0-9197922-1bdd0508f7c1ecd5d49244fec5e355669697eb14a25068fda3f85affb354b384 /var/mnt xfs ro,context=system_u:object_r:usr_t:s0,nosuid,nodev,relatime,nouuid,attr2,inode64,sunit=1024,swidth=1024,noquota 0 0
# atomic mount -h
usage: atomic mount [-h] [-o OPTIONS] [--live | --shared] image mountpoint
positional arguments:
image image/container id
mountpoint filesystem location to mount the image/container
optional arguments:
-h, --help show this help message and exit
-o OPTIONS, --options OPTIONS
comma-separated list of mount options, defaults are
'ro,nodev,nosuid'
--live mount a running container 'live', allowing
modification of the contents.
--shared mount a container 'shared'. Mounts the container with
an SELinux label that other containers can read.
atomic mount attempts to mount a container image to a specified directory so
that its contents may be inspected.
# man atomic-mount| grep -A2 "image UUID"
atomic mount attempts to mount the underlying filesystem of a container or image into the host filesystem. Accepts one of image UUID, container UUID, container NAME, or image REPO (optionally with
registry and tag information). If the given UUID or NAME is a container, and --live is not set, then atomic mount will create a snapshot of the container by committing it to a temporary image and
spawning a temporary container from that image. If UUID or REPO refers to an image, then atomic mount will simply create a temporary container from the given image. All temporary artifacts are
Expected results:
Only support the --shared option for a container, in which case it should be okay to fix the documentation; if not, we should fix the code to support mounting a shared image.
Additional info:
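To check what a mount like the one in this report actually ended up with, the options field of its /proc/mounts entry can be parsed for the access mode and the SELinux context. The script below is an added example, not part of the original report or of the atomic project; the function names and the sample entries (including the quoted context with MCS categories) are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format, modelled on the entry in the
# report (device names shortened). The kernel quotes a context= value that
# contains commas, which the second entry exercises.
SAMPLE_MOUNTS='/dev/mapper/docker-example-1 /var/mnt xfs ro,context=system_u:object_r:usr_t:s0,nosuid,nodev,relatime 0 0
/dev/mapper/docker-example-2 /var/shared xfs ro,context="system_u:object_r:svirt_sandbox_file_t:s0:c1,c2",nosuid 0 0
/dev/mapper/docker-example-3 /var/live xfs rw,seclabel,relatime 0 0'

# mount_opts MOUNTPOINT [FILE]: print the options of the last (topmost)
# entry for MOUNTPOINT; FILE defaults to /proc/mounts, "-" reads stdin.
mount_opts() {
    awk -v mp="$1" '$2 == mp { opts = $4 }
        END { if (opts == "") exit 1; print opts }' "${2:-/proc/mounts}"
}

# has_opt OPTS NAME: succeed if NAME is one of the comma-separated options.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# selinux_context OPTS: print the context= value. The leading comma keeps
# fscontext=/defcontext=/rootcontext= from matching; the quoted form is
# tried first so commas inside the label are preserved.
selinux_context() {
    printf ',%s\n' "$1" | sed -n -e 's/.*,context="\([^"]*\)".*/\1/p' -e t \
        -e 's/.*,context=\([^,]*\).*/\1/p'
}

# describe_mount MOUNTPOINT [FILE]: print "<ro|rw> <selinux type> <context>",
# with "-" where no context= option is present.
describe_mount() {
    opts=$(mount_opts "$1" "${2:-/proc/mounts}") || { echo "not-mounted"; return 1; }
    if has_opt "$opts" ro; then mode=ro; else mode=rw; fi
    ctx=$(selinux_context "$opts")
    # The SELinux type is the third colon-separated field of the context.
    setype=$(printf '%s' "$ctx" | cut -d: -f3)
    echo "$mode ${setype:--} ${ctx:--}"
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_MOUNTS" | describe_mount /var/mnt -
```

On a live host, call `describe_mount /var/mnt` with no second argument to read /proc/mounts; the entry in this report is listed under /var/mnt even though the mount was requested on /mnt.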
(In reply to Daniel Walsh from comment #3)
> https://github.com/projectatomic/atomic/pull/563
>
> Should fix this.
Daniel, just a confirmation: the --shared option only works for container images, not containers, right? And when we mount container images with the --shared option, then other containers (not container images) can read them (read-only?), right? Thanks.
In addition, I have tried --shared with containers, and it also works. Is that an expected result?
# rpm -q atomic
atomic-1.12.3-2.el7.x86_64
# atomic mount -h | grep -A2 shared
usage: atomic mount [-h] [-o OPTIONS] [--live | --shared] image mountpoint
positional arguments:
--
--shared mount a container image 'shared'. Mounts the container
image with an SELinux label that other containers can
read.
# man atomic-mount | grep shared
atomic mount [--live | --shared | [-o|--options OPTIONS]] [REGISTRY/]REPO[:TAG]|UUID|NAME DIRECTORY
--shared Mount a container image with a shared SELinux label
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://rhn.redhat.com/errata/RHBA-2016-2628.html