kata-containers / runtime

Kata Containers version 1.x runtime (for version 2.x see https://github.com/kata-containers/kata-containers).
https://katacontainers.io/
Apache License 2.0
2.1k stars 375 forks source link

Root user can't have write access in Kata android container #1748

Closed zhiminghufighting closed 5 years ago

zhiminghufighting commented 5 years ago

Description of problem

After launched an android container based on kata, root user can't write/create file even the file owner is root with "drwxr-x--x" access right;

Expected result

root user can own the access right of whom the file owner is root;

Actual result

1) enter android container: 31bc2e1d785a:/ # ls acct init.environ.rc property_contexts android-entry init.houdini.rc root bugreports init.logs.rc sbin cache init.multidroid.rc sdcard charger init.multidroid_cloud.rc seapp_contexts config init.multidroid_cloud.usb.rc selinux_version d init.rc sepolicy data init.usb.configfs.rc service_contexts default.prop init.usb.rc storage dev init.zygote32.rc sys etc init.zygote64_32.rc system file_contexts.bin ipc ueventd.multidroid_cloud.rc fstab.multidroid_cloud mnt ueventd.rc init oem vendor init.crashlogd.rc proc 31bc2e1d785a:/ #

2) list the own/group owner/other user access right by "ls -l" 31bc2e1d785a:/ # ls -l total 6136 drwxr-xr-x 1 root root 17 2019-05-29 13:42 acct -rwxr-xr-x 1 root root 1266408 2018-11-15 07:24 android-entry lrwxrwxrwx 1 root root 50 2018-11-15 07:24 bugreports -> /data/user_de/0/com.android.shell/files/bugreports drwxr-xr-x 2 root root 6 2018-11-15 07:24 cache lrwxrwxrwx 1 root root 13 2018-11-15 07:24 charger -> /sbin/healthd drwxr-xr-x 2 root root 6 2018-11-15 07:24 config lrwxrwxrwx 1 root root 17 2018-11-15 07:24 d -> /sys/kernel/debug drwxr-x--x 34 root root 4096 2019-05-29 09:13 data -rw-r--r-- 1 root root 1160 2018-11-15 07:24 default.prop drwxr-xr-x 15 root root 2980 2019-05-29 13:42 dev drwxr-xr-x 1 root root 66 2019-05-29 13:42 etc -rw-r--r-- 1 root root 77090 2018-11-15 07:24 file_contexts.bin -rw-r--r-- 1 root root 113 2018-11-15 07:24 fstab.multidroid_cloud -rwxr-xr-x 1 root root 1468488 2018-11-15 07:24 init -rw-r--r-- 1 root root 647 2018-11-15 07:24 init.crashlogd.rc -rw-r--r-- 1 root root 887 2018-11-15 07:24 init.environ.rc -rw-r--r-- 1 root root 541 2018-11-15 07:24 init.houdini.rc -rw-r--r-- 1 root root 1557 2018-11-15 07:24 init.logs.rc -rwxr-xr-x 1 root root 1506 2018-11-15 07:24 init.multidroid.rc -rwxr-xr-x 1 root root 71 2018-11-15 07:24 init.multidroid_cloud.rc -rw-r--r-- 1 root root 4106 2018-11-15 07:24 init.multidroid_cloud.usb.rc -rwxr-xr-x 1 root root 27158 2018-11-15 07:24 init.rc -rw-r--r-- 1 root root 9283 2018-11-15 07:24 init.usb.configfs.rc -rwxr-xr-x 1 root root 5715 2018-11-15 07:24 init.usb.rc -rw-r--r-- 1 root root 411 2018-11-15 07:24 init.zygote32.rc -rw-r--r-- 1 root root 684 2018-11-15 07:24 init.zygote64_32.rc drwxr-xr-x 3 root root 20 2019-05-29 09:12 ipc drwxr-xr-x 10 root system 220 2019-05-29 13:42 mnt drwxr-xr-x 2 root root 6 2018-11-15 07:24 oem dr-xr-xr-x 84 root root 0 2019-05-29 13:42 proc -rw-r--r-- 1 root root 4745 2018-11-15 07:24 property_contexts drwxr-xr-x 2 root root 6 2018-11-15 07:24 root drwxr-xr-x 2 root root 65 2018-11-15 07:24 sbin lrwxrwxrwx 1 root root 21 2018-11-15 07:24 sdcard -> /storage/self/primary -rw-r--r-- 1 root root 758 2018-11-15 07:24 seapp_contexts -rw-r--r-- 1 root root 71 2018-11-15 07:24 selinux_version -rw-r--r-- 1 root root 178142 2018-11-15 07:24 sepolicy -rw-r--r-- 1 root root 11162 2018-11-15 07:24 service_contexts drwxr-xr-x 3 root root 60 2019-05-29 13:42 storage dr-xr-xr-x 11 root root 0 2019-05-29 13:42 sys drwxr-xr-x 17 root root 224 2018-11-15 07:24 system -rw-r--r-- 1 root root 272 2018-11-15 07:24 ueventd.multidroid_cloud.rc -rwxr-xr-x 1 root root 4853 2018-11-15 07:24 ueventd.rc lrwxrwxrwx 1 root root 14 2018-11-15 07:24 vendor -> /system/vendor

3) try to modify a file and report the error "sh: can't create test.txt: Read-only file system" 31bc2e1d785a:/data # ls adb app-private drm misc_ce security user anr backup local misc_de ss user_de app bootchart lost+found ota system app-asec cache media ota_package system_ce app-ephemeral dalvik-cache mediadrm property system_de app-lib data misc resource-cache tombstones 31bc2e1d785a:/data # echo 111 > test.txt sh: can't create test.txt: Read-only file system 1|31bc2e1d785a:/data # 1|31bc2e1d785a:/data # ls -l total 24 drwx------ 2 root root 6 2019-05-29 09:13 adb drwxrwxr-x 2 root root 52 2019-05-29 09:13 anr drwxrwx--x 4 root root 63 2019-05-29 09:13 app drwx------ 2 root root 6 2019-05-29 09:13 app-asec drwxrwx--x 2 root root 6 2019-05-29 09:12 app-ephemeral drwxrwx--x 2 root root 6 2019-05-29 09:13 app-lib drwxrwx--x 2 root root 6 2019-05-29 09:13 app-private drwx------ 3 root root 62 2019-05-29 09:12 backup drwxr-xr-x 2 root root 6 2019-05-29 09:13 bootchart drwxrwx--- 5 root root 56 2019-05-29 09:13 cache drwxrwx--x 4 root root 31 2019-05-29 09:12 dalvik-cache drwxr-x--x 59 root root 4096 2019-05-29 09:13 data drwxrwx--- 2 root root 6 2019-05-29 09:13 drm drwxr-x--x 3 root root 17 2019-05-29 09:12 local drwxrwx--- 2 root root 6 2019-05-29 09:12 lost+found drwxrwx--- 4 root root 26 2019-05-29 09:13 media drwxrwx--- 2 root root 6 2019-05-29 09:13 mediadrm drwxrwx--x 30 root root 4096 2019-05-29 09:13 misc drwxrwx--x 3 root root 15 2019-05-29 09:13 misc_ce drwxrwx--x 3 root root 15 2019-05-29 09:13 misc_de drwxrwx--x 2 root root 6 2019-05-29 09:12 ota drwxrwx--- 2 root root 6 2019-05-29 09:13 ota_package drwx------ 2 root root 241 2019-05-29 09:13 property drwxrwx--x 2 root root 6 2019-05-29 09:13 resource-cache drwx--x--x 2 root root 6 2019-05-29 09:13 security drwx------ 2 root root 6 2019-05-29 09:13 ss drwxrwxr-x 14 root root 4096 2019-05-29 09:12 system drwxrwx--- 3 root root 15 2019-05-29 09:13 system_ce drwxrwx--- 3 root root 15 2019-05-29 09:12 system_de drwxrwxr-x 2 root root 206 2019-05-29 09:12 tombstones drwx--x--x 2 root root 6 2019-05-29 09:12 user drwx--x--x 3 root root 15 2019-05-29 09:12 user_de

By the way, if i run the same android container image based on runc or run other Linux container image based on kata, there is no such access issue. I am not sure if there is related with 9pfs shared ro or build container rootfs to change it into read-only mode. I will check and verify this issue by code debugging.

Kata version :1.7.0

grahamwhaley commented 5 years ago

@zhiminghufighting - seeing the output of mount inside the container might give some clues as well. thx.

devimc commented 5 years ago

@zhiminghufighting for security reasons, in kata containers the rootfs is mounted as a read-only filesystem, hence you can't modify it. Fortunately you can re-mount it running mount -o remount,rw / /

zhiminghufighting commented 5 years ago

@grahamwhaley yes, i also think it is related with 'mount' operations. @devimc i have questions about "kata containers rootfs is mounted as a read-only filesystem:

  1. per my understanding, the 'mounted' actions is implemented by agent in kata guest VM, am i right?
  2. so i need to do the 'mount -o remount,rm / /' in the Kata guest VM shell, am i right?
  3. i see there are different properties for kataShared mount as below: A) in a centos container shell: Here the kataShared based on 9p is "rw". kataShared on / type 9p (rw,nodev,relatime,dirsync,mmap,access=client,trans=virtio)

[root@localhost ~]# docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 9cb629eda3ce android:NAe000032 "/android-entry -c 0…" 4 hours ago Up 4 hours 0.0.0.0:5555->5555/tcp android0 2eaa35d9fd64 centos "/bin/bash" 4 hours ago Up 4 hours musing_mahavira 93a0d1fb64e0 centos "/bin/bash" 5 hours ago Up 5 hours hopeful_chandrasekhar 5ceff5ce0746 centos "/bin/bash" 24 hours ago Up 24 hours cocky_easley [root@localhost ~]# docker exec -ti 2eaa sh sh-4.2# sh-4.2# sh-4.2# sh-4.2# ls anaconda-post.log dev home lib64 mnt proc run srv tmp var bin etc lib media opt root sbin sys usr sh-4.2# mount kataShared on / type 9p (rw,nodev,relatime,dirsync,mmap,access=client,trans=virtio) proc on /proc type proc (rw,nosuid,nodev,noexec,relatime) tmpfs on /dev type tmpfs (rw,nosuid,size=65536k,mode=755) devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666) sysfs on /sys type sysfs (ro,nosuid,nodev,noexec,relatime) tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,relatime,mode=755) cgroup on /sys/fs/cgroup/systemd type cgroup (ro,nosuid,nodev,noexec,relatime,xattr,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd) cgroup on /sys/fs/cgroup/freezer type cgroup (ro,nosuid,nodev,noexec,relatime,freezer) cgroup on /sys/fs/cgroup/cpuset type cgroup (ro,nosuid,nodev,noexec,relatime,cpuset) cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (ro,nosuid,nodev,noexec,relatime,cpu,cpuacct) cgroup on /sys/fs/cgroup/devices type cgroup (ro,nosuid,nodev,noexec,relatime,devices) cgroup on /sys/fs/cgroup/blkio type cgroup (ro,nosuid,nodev,noexec,relatime,blkio) cgroup on /sys/fs/cgroup/perf_event type cgroup (ro,nosuid,nodev,noexec,relatime,perf_event) cgroup on /sys/fs/cgroup/memory type cgroup (ro,nosuid,nodev,noexec,relatime,memory) cgroup on /sys/fs/cgroup/pids type cgroup (ro,nosuid,nodev,noexec,relatime,pids) cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (ro,nosuid,nodev,noexec,relatime,net_cls,net_prio) mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime) kataShared on /etc/resolv.conf type 9p (rw,nodev,relatime,dirsync,mmap,access=client,trans=virtio) kataShared on /etc/hostname type 9p (rw,nodev,relatime,dirsync,mmap,access=client,trans=virtio) kataShared on /etc/hosts type 9p (rw,nodev,relatime,dirsync,mmap,access=client,trans=virtio) shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,size=65536k) devpts on /dev/console type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666) proc on /proc/bus type proc (ro,relatime) proc on /proc/fs type proc (ro,relatime) proc on /proc/irq type proc (ro,relatime) proc on /proc/sys type proc (ro,relatime) tmpfs on /proc/keys type tmpfs (rw,nosuid,size=65536k,mode=755) tmpfs on /proc/timer_list type tmpfs (rw,nosuid,size=65536k,mode=755) tmpfs on /proc/sched_debug type tmpfs (rw,nosuid,size=65536k,mode=755) tmpfs on /proc/scsi type tmpfs (ro,relatime) tmpfs on /sys/firmware type tmpfs (ro,relatime) sh-4.2#

B) in an android container shell: kataShared on / type 9p (ro,dirsync,relatime,mmap,access=client,trans=virtio) why it is "ro" instead of "rw" but they both are launched by the same command and kata settings?

[root@localhost ~]# docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 9cb629eda3ce android:NAe000032 "/android-entry -c 0…" 4 hours ago Up 4 hours 0.0.0.0:5555->5555/tcp android0 2eaa35d9fd64 centos "/bin/bash" 4 hours ago Up 4 hours musing_mahavira 93a0d1fb64e0 centos "/bin/bash" 5 hours ago Up 5 hours hopeful_chandrasekhar 5ceff5ce0746 centos "/bin/bash" 24 hours ago Up 24 hours cocky_easley [root@localhost ~]# docker exec -ti 9cb6 sh 9cb629eda3ce:/ # 9cb629eda3ce:/ # ls acct init.environ.rc property_contexts android-entry init.houdini.rc root bugreports init.logs.rc sbin cache init.multidroid.rc sdcard charger init.multidroid_cloud.rc seapp_contexts config init.multidroid_cloud.usb.rc selinux_version d init.rc sepolicy data init.usb.configfs.rc service_contexts default.prop init.usb.rc storage dev init.zygote32.rc sys etc init.zygote64_32.rc system file_contexts.bin ipc ueventd.multidroid_cloud.rc fstab.multidroid_cloud mnt ueventd.rc init oem vendor init.crashlogd.rc proc 9cb629eda3ce:/ # mount kataShared on / type 9p (ro,dirsync,relatime,mmap,access=client,trans=virtio) proc on /proc type proc (rw,nosuid,nodev,noexec,relatime) tmpfs on /dev type tmpfs (rw,nosuid,size=65536k,mode=755) devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666) sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime) tmpfs on /sys/fs/cgroup type tmpfs (rw,nosuid,nodev,noexec,relatime,mode=755) cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd) cgroup on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,memory) cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpu,cpuacct) cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls,net_prio) cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset) cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices) cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio) cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event) cgroup on /sys/fs/cgroup/pids type cgroup (rw,nosuid,nodev,noexec,relatime,pids) cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer) mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime) kataShared on /data type 9p (ro,dirsync,nodev,relatime,mmap,access=client,trans=virtio) kataShared on /ipc type 9p (ro,dirsync,nodev,relatime,mmap,access=client,trans=virtio) kataShared on /etc/resolv.conf type 9p (ro,dirsync,nodev,relatime,mmap,access=client,trans=virtio) kataShared on /etc/hostname type 9p (ro,dirsync,nodev,relatime,mmap,access=client,trans=virtio) kataShared on /etc/hosts type 9p (ro,dirsync,nodev,relatime,mmap,access=client,trans=virtio) shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,size=65536k) tmpfs on /dev type tmpfs (rw,nosuid,relatime,mode=755) devpts on /dev/pts type devpts (rw,relatime,mode=600,ptmxmode=000) binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,relatime) tmpfs on /mnt type tmpfs (rw,relatime,mode=755,gid=1000) none on /dev/memcg type cgroup (rw,relatime,memory) none on /dev/cpuctl type cgroup (rw,relatime,cpu,cpuacct) none on /dev/cpuset type cgroup (rw,relatime,cpuset) tmpfs on /storage type tmpfs (rw,relatime,mode=755,gid=1000)

why they have different behavior with the same kata setting and same launching command?

devimc commented 5 years ago

@zhiminghufighting

per my understanding, the 'mounted' actions is implemented by agent in kata guest VM, am i right?

no, the guest kernel mounts the rootfs as a ro fs, you can check it in /proc/cmdline

so i need to do the 'mount -o remount,rm / /' in the Kata guest VM shell, am i right?

Yes

B) in an android container shell: kataShared on / type 9p (ro,dirsync,relatime,mmap,access=client,trans=virtio) why it is "ro" instead of "rw" but they both are launched by the same command and kata settings?

that's weird, are you using a custom kernel?

why they have different behavior with the same kata setting and same launching command?

good question ... :thinking:

zhiminghufighting commented 5 years ago

@devimc yes, i used customized kata guest kernel, but i just change the kernel config for some android depends on modular and never touch kernel cmdline.

grahamwhaley commented 5 years ago

@zhiminghufighting @devimc - you are trying to write to /data, yes - and from the mount output, we see:

kataShared on /data type 9p (ro,dirsync,nodev,relatime,mmap,access=client,trans=virtio)

So, that /data' is anro9p mount. I guess the question is, how is/data` being requested/passed in to the container - on the command line as a volume etc. etc. ?

zhiminghufighting commented 5 years ago

@devimc @grahamwhaley i setup debug console in the way by add "agent.debug" in cmdline and enter the cmd(mount -o remount,rw / )to try to remount kata guest rootfs as "rw" and get errors as below:

[root@localhost multidroid_cloud-aic-NAe000032]# [root@localhost multidroid_cloud-aic-NAe000032]# [root@localhost multidroid_cloud-aic-NAe000032]# [root@localhost multidroid_cloud-aic-NAe000032]# sudo socat "stdin,raw,echo=0,escape=0x11" "unix-connect:${console}" [ 471.210563] init: couldn't write 2626 to /dev/cpuset/camera-daemon/tasks: No such file or directory [ 476.315887] init: couldn't write 2655 to /dev/cpuset/camera-daemon/tasks: No such file or directory [ 481.404290] init: couldn't write 2684 to /dev/cpuset/camera-daemon/tasks: No such file or directory bin dev home lib64 media opt root sbin sys usr boot etc lib lost+found mnt proc run srv tmp var bash-4.2# [ 487.306680] init: cannot execve('/system/bin/mediaserver'): Exec format error bash-4.2# mount -o remount,rw / mount: 'kataShared' not user mountable in fstab 1|cloud:/ $ [ 492.385424] init: cannot execve('/system/bin/mediaserver'): Exec format error [ 506.331266] init: couldn't write 2830 to /dev/cpuset/camera-daemon/tasks: No such file or directory [ 511.416619] init: couldn't write 2859 to /dev/cpuset/camera-daemon/tasks: No such file or directory

And kata guest filesystem is still read-only and the cmd doesn't work for this issue.

As the comparison , i try the same cmd in the kata guest shell of centos or ubuntu container and they can work.

zhiminghufighting commented 5 years ago

@devimc @grahamwhaley @jodh-intel i check all the possibile code in kata-runtime for bindmount & kernel cmd paramter and make sure there is no 'ro' can be set in host side bindmount. The cmd(mount -o remount,rw /) doesn't work in kata guest VM shell too.

Is there any other ways to enable 'write' right for root user in a container? Is there possibility that 'ro' property is set by agent in guest VM?

Thanks in advance!

devimc commented 5 years ago

@zhiminghufighting

mount -o remount,rw /
mount: 'kataShared' not user mountable in fstab

you forgot the last /, try again mount -o remount,rw / /

zhiminghufighting commented 5 years ago

@grahamwhaley /data is passed into container by '-v' for some dependent lib of android app. @devimc thank a lot! I try again the cmd and find new error as below.

bash-4.2# bash-4.2# mount -o remount,rw / / mount: '/' not in /proc/mounts

127|cloud:/ $ bash-4.2# [95713.216696] init: cannot execve('/system/bin/drmserver'): Exec format error [95713.218291] init: cannot execve('/system/bin/debuggerd'): Exec format error bash-4.2# cat /proc/mounts kataShared / 9p ro,dirsync,relatime,mmap,access=client,trans=virtio 0 0 proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0 tmpfs /dev tmpfs rw,nosuid,size=65536k,mode=755 0 0 devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666 0 0 sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0 tmpfs /sys/fs/cgroup tmpfs rw,nosuid,nodev,noexec,relatime,mode=755 0 0 cgroup /sys/fs/cgroup/systemd cgroup rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd 0 0 cgroup /sys/fs/cgroup/pids cgroup rw,nosuid,nodev,noexec,relatime,pids 0 0 cgroup /sys/fs/cgroup/cpu,cpuacct cgroup rw,nosuid,nodev,noexec,relatime,cpu,cpuacct 0 0 cgroup /sys/fs/cgroup/net_cls,net_prio cgroup rw,nosuid,nodev,noexec,relatime,net_cls,net_prio 0 0 cgroup /sys/fs/cgroup/blkio cgroup rw,nosuid,nodev,noexec,relatime,blkio 0 0 cgroup /sys/fs/cgroup/perf_event cgroup rw,nosuid,nodev,noexec,relatime,perf_event 0 0 cgroup /sys/fs/cgroup/devices cgroup rw,nosuid,nodev,noexec,relatime,devices 0 0 cgroup /sys/fs/cgroup/freezer cgroup rw,nosuid,nodev,noexec,relatime,freezer 0 0 cgroup /sys/fs/cgroup/cpuset cgroup rw,nosuid,nodev,noexec,relatime,cpuset 0 0 cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0 mqueue /dev/mqueue mqueue rw,nosuid,nodev,noexec,relatime 0 0 kataShared /ipc 9p ro,dirsync,nodev,relatime,mmap,access=client,trans=virtio 0 0 kataShared /data 9p ro,dirsync,nodev,relatime,mmap,access=client,trans=virtio 0 0 kataShared /etc/resolv.conf 9p ro,dirsync,nodev,relatime,mmap,access=client,trans=virtio 0 0 kataShared /etc/hostname 9p ro,dirsync,nodev,relatime,mmap,access=client,trans=virtio 0 0 kataShared /etc/hosts 9p ro,dirsync,nodev,relatime,mmap,access=client,trans=virtio 0 0 shm /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime,size=65536k 0 0 tmpfs /dev tmpfs rw,nosuid,relatime,mode=755 0 0 devpts /dev/pts devpts rw,relatime,mode=600,ptmxmode=000 0 0 binfmt_misc /proc/sys/fs/binfmt_misc binfmt_misc rw,relatime 0 0 tmpfs /mnt tmpfs rw,relatime,mode=755,gid=1000 0 0 none /dev/memcg cgroup rw,relatime,memory 0 0 none /dev/cpuctl cgroup rw,relatime,cpu,cpuacct 0 0 none /dev/cpuset cgroup rw,relatime,cpuset 0 0 tmpfs /storage tmpfs rw,relatime,mode=755,gid=1000 0 0

It is weird, there is no /dev/root / in /proc/mounts file.

jodh-intel commented 5 years ago

@zhiminghufighting - That looks very odd - I think you are seeing a mixture of the Android init system and systemd there. The "exec format error" suggests a mismatch between binaries and the host architecture (either bitness or totally different architectures).

It would really help us to help you if you could explain how we can recreate this issue with publically available images.

zhiminghufighting commented 5 years ago

@jodh-intel yes, it is weird. i agree with your analysis it is high possibility of mixture of android init system and system there. And i wonder why 9p mount share point is "ro" instead of "rw".

I have this image and related kata kernel image to reproduce such issue. Do you need to access my environment or i copy the android contaienr image + kata guest image to any test bed? Then you can reproduce it easily.

jodh-intel commented 5 years ago

@zhiminghufighting - I think what would be best would be instructions on this issue explaining how to create the sort of environment you are using:

I'm guessing it doesn't have to be exactly the same as the environment you are using (as that might have sensitive / customer information in it?) but I don't think anyone has tried running Kata with Android so the problems you are seeing are probably generic issues.

zhiminghufighting commented 5 years ago

@jodh-intel, there are many customization for this case.

  1. kata guest kata is reconfigure to enable vga;
  2. kata runtime is reconfigure to enable vga;
  3. kata runtime to patch for floppy device filtering error for some specific host os;
  4. kata guest luanching paramter is changed for GUI display;
  5. i rebuild an andriod container image from a new base and no such "ro" issue in the new image and the suusgestion provided by @devimc run well. A. old andriod image + docker runc is OK without "ro" issue; B. new based andriod image + docker runc & kata is OK without "ro" issue; C. old andriod image + kata is with "ro" issue; So i wonder why the same image is Ok in runc but there is "ro" issue in kata? And this is the only one image being found such weird issue. I dig into it and guess there must be some potential nasty flaw in somewhere related with contianer image build or kata code.

Thanks you all for great support! i will keep to dig in and need to get more usefull info then to discuss with you guys.

zhiminghufighting commented 5 years ago

@devimc @jodh-intel @egernst @grahamwhaley I get help from PRC local android team and find the root cause of this issue: android container will remount rootfs as ro in this container and create some folder and assign there different access right according to different directories for security purpose. That beyond of the coverage of kata code and docker file. So i will close this issue and thank you all!