Bug 1868221

Summary: Missing /etc/mtab symlink in CRI-O containers
Product: OpenShift Container Platform Reporter: Robin Cernin <rcernin>
Component: Node Assignee: Qi Wang <qiwan>
Node sub component: CRI-O QA Contact: MinLi <minmli>
Status: CLOSED ERRATA Docs Contact:
Severity: medium    
Priority: medium CC: aos-bugs, dornelas, dwalsh, jokerman, mburke, m.lange, nagrawal, qiwan, tsweeney
Version: 4.3.z   
Target Milestone: ---   
Target Release: 4.9.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: CRI-O does not symlink the /proc/mounts to /etc/mtab.
Consequence: No symlink /etc/mtab is not compatible with docker.
Fix: CRI-O adds symlink /etc/mtab to /proc/mounts.
Result: Users can check the mounts from /etc/mtab inside the containers.
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-18 17:28:52 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1186913    

Description Robin Cernin 2020-08-12 03:24:45 UTC
In OpenShift Container Platform 3.11 we are using Docker container technology.

And Docker adds this symbolic link for `/etc/mtab` to all containers every time if the Dockerfile doesn't contain the entry for symlink.

https://github.com/moby/moby/blob/b3e9f7b13b0f0c414fa6253e1f17a86b2cff68b5/daemon/initlayer/setup_unix.go#L20
~~~
// Setup populates a directory with mountpoints suitable
// for bind-mounting things into the container.
//
// This extra layer is used by all containers as the top-most ro layer. It protects
// the container from unwanted side-effects on the rw layer.
func Setup(initLayerFs containerfs.ContainerFS, rootIdentity idtools.Identity) error {
	// Since all paths are local to the container, we can just extract initLayerFs.Path()
	initLayer := initLayerFs.Path()

	for pth, typ := range map[string]string{
		"/dev/pts":         "dir",
		"/dev/shm":         "dir",
		"/proc":            "dir",
		"/sys":             "dir",
		"/.dockerenv":      "file",
		"/etc/resolv.conf": "file",
		"/etc/hosts":       "file",
		"/etc/hostname":    "file",
		"/dev/console":     "file",
		"/etc/mtab":        "/proc/mounts",
	}

~~~

CRI-O doesn't seem to do it.

Upstream Issue: https://github.com/cri-o/cri-o/issues/2036

Comment 6 Qi Wang 2021-03-18 19:08:20 UTC

No update this sprint

Comment 7 Qi Wang 2021-04-09 19:55:02 UTC
Did not get completed this sprint.

Comment 8 Markus Lange 2021-06-10 11:19:49 UTC
Hi,

Can you estimate when a fix for this problem will be available, and will it be backported to all supported versions? We ran into this problem and we are currently running OCP 4.7.12 and want to stay at 4.7.x until EOL.

best regards

Comment 9 Tom Sweeney 2021-06-10 14:09:06 UTC
Qi, any ETA on the fix?

Comment 10 Qi Wang 2021-06-25 18:52:03 UTC
I will start working on this issue, so the ETA will be 4.9.

Comment 11 Qi Wang 2021-08-04 21:53:04 UTC
Status set to MODIFIED, https://github.com/cri-o/cri-o/pull/5051 just merged.

Comment 13 MinLi 2021-08-25 08:16:52 UTC
Verified with version: 4.9.0-0.nightly-2021-08-25-010624

Create a pod using image httpd:latest, and run command in this container:
~~~
# ls -l /etc/mtab
lrwxrwxrwx. 1 root root 12 Aug 25 08:09 /etc/mtab -> /proc/mounts
# ls -l /proc/mounts
lrwxrwxrwx. 1 root root 11 Aug 25 08:10 /proc/mounts -> self/mounts
~~~

Comment 15 Michael Burke 2021-09-30 21:13:53 UTC
Qi -- Can you take a look at my proposed release note for this BZ? I saw your doc text and made a few changes to match our style. I want to make sure I didn't change the meaning. Thank you in advance.

Michael

* Previously, in containers, CRI-O did not create a symlink from `/proc/mounts` file to the `/etc/mtab` file. As a consequence, the mount functions within the container did not work. CRI-O now adds the symlink. As a result, users the mount functions are working as expected within containers.

Comment 16 Qi Wang 2021-10-01 15:59:41 UTC
(In reply to Michael Burke from comment #15)
> Qi -- Can you take a look at my proposed release note for this BZ? I saw
> your doc text and made a few changes to match our style. I want to make sure
> I didn't change the meaning. Thank you in advance.
> 
> Michael
> 
> * Previously, in containers, CRI-O did not create a symlink from
> `/proc/mounts` file to the `/etc/mtab` file. As a consequence, the mount
> functions within the container did not work. CRI-O now adds the symlink. As
> a result, users the mount functions are working as expected within
> containers.

"the mount functions within the container did not work" this is not correct. The mount functions have no issues. The consequence is to allow users to check the list of the mounted devices in the /etc/mtab file.

Comment 17 Michael Burke 2021-10-01 18:04:20 UTC
Qi -- Thank you for the clarification!

Michael

Comment 19 errata-xmlrpc 2021-10-18 17:28:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3759