Bug 1350712 - atomic mount document confuses users
Summary: atomic mount document confuses users
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: atomic
Version: 7.4
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Brent Baude
QA Contact: atomic-bugs@redhat.com
Reported: 2016-06-28 08:18 UTC by Alex Jia
Modified: 2016-11-04 09:06 UTC (History)
Last Closed: 2016-11-04 09:06:27 UTC
Links
System: Red Hat Product Errata
ID: RHBA-2016:2628
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: atomic bug fix and enhancement update
Last Updated: 2016-11-03 18:17:14 UTC

Description Alex Jia 2016-06-28 08:18:00 UTC
Description of problem:
According to the help document of atomic mount, the option --shared should only be supported by a container, but when you check the man page of atomic-mount, you will find that as long as --live is not set, a UUID or REPO that refers to an image should be okay. In fact, I can indeed successfully mount an image w/ the --shared option; however, it's a read-only mount permission, which can't be used by other images or containers.

Version-Release number of selected component (if applicable):

[cloud-user@atomic-host-001 atomic]$ sudo atomic host status
  TIMESTAMP (UTC)         VERSION     ID             OSNAME               REFSPEC                                                   
* 2016-06-18 15:21:12     7.2.5       9bfe1fb650     rhel-atomic-host     rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard

[cloud-user@atomic-host-001 atomic]$ rpm -q atomic docker
atomic-1.10.5-5.el7.x86_64
docker-1.10.3-44.el7.x86_64

[cloud-user@atomic-host-001 atomic]$ cat /etc/redhat-release 
Red Hat Enterprise Linux Atomic Host release 7.2

How reproducible:
always

Steps to Reproduce:
1. atomic mount -h
2. man atomic-mount     
3. docker pull busybox
4. atomic mount --shared <atomic_image_id> /mnt

Actual results:

[cloud-user@atomic-host-001 atomic]$ sudo docker ps -a
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES

[cloud-user@atomic-host-001 atomic]$ sudo atomic images

  REPOSITORY          TAG      IMAGE ID       CREATED            VIRTUAL SIZE  
  docker.io/busybox   latest   sha256:2b8fd   2016-06-23 23:23   1.09 MB       

[cloud-user@atomic-host-001 atomic]$ sudo atomic mount --shared sha256:2b8fd /mnt

[cloud-user@atomic-host-001 atomic]$ sudo touch /mnt/tmp/test
touch: cannot touch ‘/mnt/tmp/test’: Read-only file system

[cloud-user@atomic-host-001 atomic]$ sudo grep mnt /proc/mounts 
/dev/mapper/docker-253:0-9197922-1bdd0508f7c1ecd5d49244fec5e355669697eb14a25068fda3f85affb354b384 /var/mnt xfs ro,context=system_u:object_r:usr_t:s0,nosuid,nodev,relatime,nouuid,attr2,inode64,sunit=1024,swidth=1024,noquota 0 0
/dev/mapper/docker-253:0-9197922-1bdd0508f7c1ecd5d49244fec5e355669697eb14a25068fda3f85affb354b384 /var/mnt xfs ro,context=system_u:object_r:usr_t:s0,nosuid,nodev,relatime,nouuid,attr2,inode64,sunit=1024,swidth=1024,noquota 0 0



# atomic mount -h
usage: atomic mount [-h] [-o OPTIONS] [--live | --shared] image mountpoint

positional arguments:
  image                 image/container id
  mountpoint            filesystem location to mount the image/container

optional arguments:
  -h, --help            show this help message and exit
  -o OPTIONS, --options OPTIONS
                        comma-separated list of mount options, defaults are
                        'ro,nodev,nosuid'
  --live                mount a running container 'live', allowing
                        modification of the contents.
  --shared              mount a container 'shared'. Mounts the container with
                        an SELinux label that other containers can read.

atomic mount attempts to mount a container image to a specified directory so
that its contents may be inspected.


# man atomic-mount| grep -A2 "image UUID"
       atomic  mount  attempts to mount the underlying filesystem of a container or image into the host filesystem. Accepts one of image UUID, container UUID, container NAME, or image REPO (optionally with
       registry and tag information).  If the given UUID or NAME is a container, and --live is not set, then atomic mount will create a snapshot of the container by committing it to a temporary  image  and
       spawning  a  temporary  container  from  that  image. If UUID or REPO refers to an image, then atomic mount will simply create a temporary container from the given image. All temporary artifacts are

Expected results:
Only support the --shared option for a container, and then it should be okay to fix the document; if not, we should fix the code to support mounting a shared image.

Additional info:
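
Added example, not part of the original report or the atomic project's code: a Python parser for /proc/mounts-format lines that reports whether a mount point is read-only and which SELinux context= label it carries, the two things checked by hand in the output above. The sample lines, the placeholder device names and the second (MCS-labelled) mount are constructed for illustration.

```python
import re

# Constructed sample in /proc/mounts format (device names are placeholders).
# Line 1 has the shape shown in the report. Line 2 is a hypothetical mount
# whose label carries MCS categories; the kernel prints such a value in
# double quotes because it contains a comma.
SAMPLE_MOUNTS = (
    "/dev/mapper/docker-EXAMPLE-1 /var/mnt xfs "
    "ro,context=system_u:object_r:usr_t:s0,nosuid,nodev,relatime 0 0\n"
    "/dev/mapper/docker-EXAMPLE-2 /var/mnt2 xfs "
    'rw,context="system_u:object_r:svirt_sandbox_file_t:s0:c1,c2",relatime 0 0\n'
)

def split_options(opts):
    """Split a mount option string on commas, ignoring commas inside quotes."""
    out, cur, quoted = [], [], False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            out.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    out.append("".join(cur))
    return out

def unescape(field):
    """Decode the octal escapes (\\040 for space, etc.) used in /proc/mounts."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def inspect_mounts(text, mountpoint):
    """Return read-only state and SELinux context for each mount at mountpoint."""
    found = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or unescape(fields[1]) != mountpoint:
            continue
        opts = split_options(fields[3])
        ctx = next((o[len("context="):] for o in opts if o.startswith("context=")), None)
        found.append({"device": fields[0], "read_only": "ro" in opts, "context": ctx})
    return found

if __name__ == "__main__":
    for entry in inspect_mounts(SAMPLE_MOUNTS, "/var/mnt"):
        print(entry)
```

Pass the resolved mount path: in the report the image was mounted at /mnt, but it appears in /proc/mounts as /var/mnt.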

Comment 3 Daniel Walsh 2016-08-26 16:43:18 UTC
https://github.com/projectatomic/atomic/pull/563

Should fix this.

Comment 4 Daniel Walsh 2016-08-27 09:46:48 UTC
Fixed in atomic-1.12

Comment 6 Alex Jia 2016-09-19 04:53:06 UTC
(In reply to Daniel Walsh from comment #3)
> https://github.com/projectatomic/atomic/pull/563
> 
> Should fix this.

Daniel, just a confirmation: the --shared option only works for container images, not containers, right? And when we mount container images w/ the --shared option, then other containers, not container images, can read (read-only?), right? Thanks.

In addition, I have given --shared w/ containers a try, and it also works; is it an expected result?

Comment 7 Daniel Walsh 2016-09-19 11:38:02 UTC
Not sure. I think it will work with either, since it creates a separate container based on the image.

Comment 8 Alex Jia 2016-09-21 16:57:07 UTC
# rpm -q atomic
atomic-1.12.3-2.el7.x86_64

# atomic mount -h | grep -A2 shared
usage: atomic mount [-h] [-o OPTIONS] [--live | --shared] image mountpoint

positional arguments:
--
  --shared              mount a container image 'shared'. Mounts the container
                        image with an SELinux label that other containers can
                        read.

# man atomic-mount | grep shared
       atomic mount [--live | --shared | [-o|--options OPTIONS]] [REGISTRY/]REPO[:TAG]|UUID|NAME DIRECTORY
       --shared Mount a container image with a shared SELinux label

Comment 10 errata-xmlrpc 2016-11-04 09:06:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2628.html

