Nested tmpfs in /tmp

[bkauler]

Pflask does not mount a tmpfs on /tmp in the container. I did this, which works:

pflask --keepenv --mount=bind:/tmp/.X11-unix/X0:/tmp/.X11-unix/X0 --no-utsns --no-ipcns --no-netns --caps=all,-sys_admin,-sys_boot,-sys_chroot,-sys_ptrace,-sys_time,-sys_tty_config,-chown,-kill,-dac_override,-dac_read_search,-fowner,-setfcap,-setpcap,-net_admin,-mknod,-sys_module,-sys_nice,-sys_resource --no-userns --chroot=/mnt/sdc2/containers/sh0/container -- /ec-run sh0 sakura

...the relevant part is "--mount=bind:/tmp/.X11-unix/X0:/tmp/.X11-unix/X0", don't bother about the rest of the line.

However, what I would prefer is to mount a tmpfs on /tmp, then do the X0 bind:

pflask --keepenv --mount=tmp:/tmp --mount=bind:/tmp/.X11-unix/X0:/tmp/.X11-unix/X0 --no-utsns --no-ipcns --no-netns --caps=all,-sys_admin,-sys_boot,-sys_chroot,-sys_ptrace,-sys_time,-sys_tty_config,-chown,-kill,-dac_override,-dac_read_search,-fowner,-setfcap,-setpcap,-net_admin,-mknod,-sys_module,-sys_nice,-sys_resource --no-userns --chroot=/mnt/sdc2/containers/sh0/container -- /ec-run sh0 sakura
[✘] Could not create mount dest /mnt/sdc2/containers/sh0/container/tmp/.X11-unix/X0: No such file or directory
[✘] Child failed with code '1'

Am I being unrealistic here? Is this just the way it works, or could the code be made to accommodate what I have tried to do? I don't want to bind the entire host /tmp into the container.

[ghedo]

I think the problem is that the /tmp/.X11-unix directory needs to exist inside the container, but of course it doesn't because /tmp is a fresh tmpfs.

Having an option in pflask like --mkdir that creates directories before starting the program could solve this, but the implementation would be tricky because the directory needs to be created after the tmpfs is mounted, but before the bind is mounted so it would depend on the command-line arguments order.

I really don't have the time to dedicate to this unfortunately.

[bkauler]

Thanks for the feedback. Yes, I understood that, and everything was fine, until today, November 6! Suddenly, pflask has decided to mount a tmpfs on /tmp, without me telling it to, so now this fails:

pflask --mount=bind:/mnt/sdc2/home/shared:/shared-folder --keepenv --mount=bind:/tmp/.X11-unix/X1:/tmp/.X11-unix/X1 --no-netns --mount=bind:/dev/snd:/dev/snd --mount=bind:/dev/mixer:/dev/mixer --caps=all,-sys_admin,-sys_boot,-sys_chroot,-sys_ptrace,-sys_time,-sys_tty_config,-chown,-kill,-dac_override,-dac_read_search,-fowner,-setfcap,-setpcap,-net_admin,-mknod,-sys_module,-sys_nice,-sys_resource --no-userns --chroot=/mnt/sdc2/containers/racy/container --  /ec-run racy 
[✘] Could not create mount dest /mnt/sdc2/containers/racy/container/tmp/.X11-unix/X1: No such file or directory

Exactly the same thing worked up until today! Changing this part, it works:

--mount=bind:/tmp/.X11-unix:/tmp/.X11-unix

And then inside the container, I see that /tmp has been mounted:

# mount
aufs on / type aufs (rw,relatime,si=36702b801bf552b5)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
proc on /proc/sys type proc (ro,relatime)
sysfs on /sys type sysfs (ro,nosuid,nodev,noexec,relatime)
tmpfs on /dev type tmpfs (rw,nosuid,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,mode=755)
cgroup on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime)
/dev/sdc2 on /shared-folder type ext4 (rw,relatime,block_validity,delalloc,barrier,user_xattr,acl)
tmpfs on /tmp/.X11-unix type tmpfs (rw,relatime,size=8140848k)
devtmpfs on /dev/snd type devtmpfs (rw,relatime,size=8152028k,nr_inodes=2038007,mode=755)
devtmpfs on /dev/mixer type devtmpfs (rw,relatime,size=8152028k,nr_inodes=2038007,mode=755)
devtmpfs on /dev/console type devtmpfs (rw,relatime,size=8152028k,nr_inodes=2038007,mode=755)
devtmpfs on /dev/tty type devtmpfs (rw,relatime,size=8152028k,nr_inodes=2038007,mode=755)
devtmpfs on /dev/full type devtmpfs (rw,relatime,size=8152028k,nr_inodes=2038007,mode=755)
devtmpfs on /dev/null type devtmpfs (rw,relatime,size=8152028k,nr_inodes=2038007,mode=755)
devtmpfs on /dev/zero type devtmpfs (rw,relatime,size=8152028k,nr_inodes=2038007,mode=755)
devtmpfs on /dev/random type devtmpfs (rw,relatime,size=8152028k,nr_inodes=2038007,mode=755)
devtmpfs on /dev/urandom type devtmpfs (rw,relatime,size=8152028k,nr_inodes=2038007,mode=755)
none on /dev/console type devpts (rw,noatime,gid=2,mode=620,ptmxmode=000)

As you are much more familiar than how how pflask works, can you think what might have made pflask mount /tmp?

[bkauler]

Bingo! Obviously, there had to be some difference between yesterday and today. I am booting my test builds of Linux off USB sticks, so I booted up "yesterdays" stick. Exactly the same invocation of pflask, running "mount" inside the container, there is this very significant difference:

tmpfs on /run type tmpfs (rw,nosuid,nodev,mode=755)

That is, pflask mounts tmpfs on /run, not /tmp. Ah, "todays" stick does not have the /run folder, so created that before starting the container.... yippee, now works, /run is mounted. not /tmp

So, this is a feature of pflask, not to be considered a bug?

Anyway, I'm a happy chappy now that it is working again. Thanks for pflask, it is a very elegant way to implement simple containers.

[bkauler]

An extra comment. The container that mounted /tmp does actually have /run, but it is a symlink into /tmp/run. There was no problem with this before, it is only today that pflask is insisting that /run be an actual folder not a symlink. Which is very odd.

[ghedo]

Well, there haven't been any changes to pflask since January, so I don't think pflask changed its behavior (and pflask itself doesn't mount anything on /tmp if you don't tell it to). Might be something else that changed though, systemd? linux?