Bug 1868221 - Missing /etc/mtab symlink in CRI-O containers
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Node
Version: 4.3.z
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.9.0
Assignee: Qi Wang
QA Contact: MinLi
URL:
Whiteboard:
Depends On:
Blocks: 1186913
Reported: 2020-08-12 03:24 UTC by Robin Cernin
Modified: 2023-10-06 21:24 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: CRI-O does not symlink the /proc/mounts to /etc/mtab.
Consequence: Having no /etc/mtab symlink is not compatible with Docker.
Fix: CRI-O adds the symlink /etc/mtab to /proc/mounts.
Result: Users can check the mounts from /etc/mtab inside the containers.
Clone Of:
Environment:
Last Closed: 2021-10-18 17:28:52 UTC
Target Upstream Version:
Embargoed:




Links

| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Github | cri-o cri-o pull 5051 | 0 | None | open | Bug 1868221: Add symlink /etc/mtab to container | 2021-06-30 19:44:25 UTC |
| Red Hat Knowledge Base (Solution) | 5313051 | 0 | None | None | None | 2020-08-12 03:24:45 UTC |
| Red Hat Product Errata | RHSA-2021:3759 | 0 | None | None | None | 2021-10-18 17:29:06 UTC |

Description Robin Cernin 2020-08-12 03:24:45 UTC
In OpenShift Container Platform 3.11 we are using Docker container technology.

And Docker adds this symbolic link for `/etc/mtab` to all containers every time if the Dockerfile doesn't contain the entry for the symlink.

https://github.com/moby/moby/blob/b3e9f7b13b0f0c414fa6253e1f17a86b2cff68b5/daemon/initlayer/setup_unix.go#L20
~~~
// Setup populates a directory with mountpoints suitable
// for bind-mounting things into the container.
//
// This extra layer is used by all containers as the top-most ro layer. It protects
// the container from unwanted side-effects on the rw layer.
func Setup(initLayerFs containerfs.ContainerFS, rootIdentity idtools.Identity) error {
	// Since all paths are local to the container, we can just extract initLayerFs.Path()
	initLayer := initLayerFs.Path()

	for pth, typ := range map[string]string{
		"/dev/pts":         "dir",
		"/dev/shm":         "dir",
		"/proc":            "dir",
		"/sys":             "dir",
		"/.dockerenv":      "file",
		"/etc/resolv.conf": "file",
		"/etc/hosts":       "file",
		"/etc/hostname":    "file",
		"/dev/console":     "file",
		"/etc/mtab":        "/proc/mounts",
	}

~~~

CRI-O doesn't seem to do it.

Upstream Issue: https://github.com/cri-o/cri-o/issues/2036
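
An added example, not code from the bug report, moby or CRI-O: one way a runtime can add the link described above without letting image content redirect the write. The function name `ensureMtab` and the rule of refusing a non-directory `/etc` are assumptions of this sketch; it also assumes the rootfs path itself is trusted and the container is not yet running.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

const mtabTarget = "/proc/mounts"

// ensureMtab creates <rootfs>/etc/mtab -> /proc/mounts when the image does not
// ship its own /etc/mtab. rootfs is the container root as seen from the host.
// It reports whether it created the link.
func ensureMtab(rootfs string) (bool, error) {
	etc := filepath.Join(rootfs, "etc")
	// Lstat, not Stat: an image-controlled /etc symlink would otherwise be
	// followed on the host and the link written outside the rootfs.
	fi, err := os.Lstat(etc)
	switch {
	case errors.Is(err, os.ErrNotExist):
		if err := os.Mkdir(etc, 0o755); err != nil {
			return false, err
		}
	case err != nil:
		return false, err
	case !fi.IsDir(): // symlink or regular file: refuse rather than resolve
		return false, fmt.Errorf("%s is not a real directory", etc)
	}
	mtab := filepath.Join(etc, "mtab")
	if _, err := os.Lstat(mtab); err == nil {
		return false, nil // image already provides /etc/mtab; leave it alone
	} else if !errors.Is(err, os.ErrNotExist) {
		return false, err
	}
	// os.Symlink fails with EEXIST instead of following an existing entry.
	if err := os.Symlink(mtabTarget, mtab); err != nil {
		return false, err
	}
	return true, nil
}

func main() {
	rootfs, err := os.MkdirTemp("", "rootfs-") // constructed stand-in for a container rootfs
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(rootfs)
	fmt.Println(ensureMtab(rootfs))
}
```

The link target is the literal string `/proc/mounts`, so it resolves inside the container's own mount namespace at read time and exposes nothing from the host.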

Comment 6 Qi Wang 2021-03-18 19:08:20 UTC

No update this sprint

Comment 7 Qi Wang 2021-04-09 19:55:02 UTC
Did not get completed this sprint.

Comment 8 Markus Lange 2021-06-10 11:19:49 UTC
Hi,

Can you estimate when a fix for this problem will be available, and will it be backported to all supported versions? We ran into this problem and we are currently running OCP 4.7.12 and want to stay at 4.7.x until EOL.

best regards

Comment 9 Tom Sweeney 2021-06-10 14:09:06 UTC
Qi, any ETA on the fix?

Comment 10 Qi Wang 2021-06-25 18:52:03 UTC
I will start working on this issue, so the ETA will be 4.9.

Comment 11 Qi Wang 2021-08-04 21:53:04 UTC
Status set to MODIFIED, https://github.com/cri-o/cri-o/pull/5051 just merged.

Comment 13 MinLi 2021-08-25 08:16:52 UTC
verified with version: 4.9.0-0.nightly-2021-08-25-010624

create a pod using image httpd:latest, and run command in this container:
~~~
# ls -l /etc/mtab
lrwxrwxrwx. 1 root root 12 Aug 25 08:09 /etc/mtab -> /proc/mounts
# ls -l /proc/mounts
lrwxrwxrwx. 1 root root 11 Aug 25 08:10 /proc/mounts -> self/mounts
~~~

Comment 15 Michael Burke 2021-09-30 21:13:53 UTC
Qi -- Can you take a look at my proposed release note for this BZ? I saw your doc text and made a few changes to match our style. I want to make sure I didn't change the meaning. Thank you in advance.

Michael

* Previously, in containers, CRI-O did not create a symlink from `/proc/mounts` file to the `/etc/mtab` file. As a consequence, the mount functions within the container did not work. CRI-O now adds the symlink. As a result, users the mount functions are working as expected within containers.

Comment 16 Qi Wang 2021-10-01 15:59:41 UTC
(In reply to Michael Burke from comment #15)
> Qi -- Can you take a look at my proposed release note for this BZ? I saw
> your doc text and made a few changes to match our style. I want to make sure
> I didn't change the meaning. Thank you in advance.
> 
> Michael
> 
> * Previously, in containers, CRI-O did not create a symlink from
> `/proc/mounts` file to the `/etc/mtab` file. As a consequence, the mount
> functions within the container did not work. CRI-O now adds the symlink. As
> a result, users the mount functions are working as expected within
> containers.

"the mount functions within the container did not work" this is not correct. The mount functions have no issues. The consequence is to allow users to check the list of the mounted devices in the /etc/mtab file.

Comment 17 Michael Burke 2021-10-01 18:04:20 UTC
Qi -- Thank you for the clarification!

Michael

Comment 19 errata-xmlrpc 2021-10-18 17:28:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3759

