cmd/create, cmd/initContainer: Mount the devpts file system at runtime

debarshiray · debarshiray · commit cf6db370b24e · 2023-03-08T00:20:44.000+01:00
Anything that's specified during 'podman create ...' gets statically baked into the container's configuration, and is either difficult or impossible to change afterwards. This means that Toolbx containers created with older versions of Toolbx keep diverging from those created with newer versions. Hence, making it complicated to keep older containers working with newer Toolbx. Mounting the devpts file system at runtime as part of the Toolbx container's entry point will make it possible to update the attributes of the mount, if necessary, for both existing and newly created containers. For what it's worth, this does alter the mount options by removing 'context'. With 'podman create --mount type=devpts,destination=/dev/pts' it was: $ mount | grep ... devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime, context="system_u:object_r:container_file_t:s0:c1022,c1023", gid=100005,mode=620,ptmxmode=666) Now with 'mount -t devpts -o noexec,nosuid,gid=5,mode=620,ptmxmode=666' it is: $ mount | grep devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,seclabel, gid=100005,mode=620,ptmxmode=666) #1016
diff --git a/doc/toolbox-init-container.1.md b/doc/toolbox-init-container.1.md
@@ -9,6 +9,7 @@ toolbox\-init\-container - Initialize a running container
                        *--home-link*
                        *--media-link*
                        *--mnt-link*
+                       *--mount-devpts*
                        *--shell SHELL*
                        *--uid UID*
                        *--user USER*
@@ -82,6 +83,10 @@ synchronized with their counterparts on the host, and various subsets of the
 host's file system hierarchy are always bind mounted to their corresponding
 locations inside the toolbox container.
 
+**--mount-devpts**
+
+Mount a `devpts` file system at `/dev/pts`.
+
 **--shell** SHELL
 
 Create a user inside the toolbox container whose login shell is SHELL. This
diff --git a/src/cmd/create.go b/src/cmd/create.go
@@ -245,15 +245,6 @@ func createContainer(container, image, release, authFile string, showCommandToEn
 
 	runtimeDirectoryMountArg := runtimeDirectory + ":" + runtimeDirectory
 
-	logrus.Debug("Checking if 'podman create' supports '--mount type=devpts'")
-
-	var devPtsMount []string
-
-	if podman.CheckVersion("2.1.0") {
-		logrus.Debug("'podman create' supports '--mount type=devpts'")
-		devPtsMount = []string{"--mount", "type=devpts,destination=/dev/pts"}
-	}
-
 	var usernsArg string
 	if currentUser.Uid == "0" {
 		usernsArg = "host"
@@ -390,6 +381,10 @@ func createContainer(container, image, release, authFile string, showCommandToEn
 	entryPoint = append(entryPoint, mediaLink...)
 	entryPoint = append(entryPoint, mntLink...)
 
+	entryPoint = append(entryPoint, []string{
+		"--mount-devpts",
+	}...)
+
 	createArgs := []string{
 		"--log-level", logLevelString,
 		"create",
@@ -404,11 +399,6 @@ func createContainer(container, image, release, authFile string, showCommandToEn
 		"--hostname", "toolbox",
 		"--ipc", "host",
 		"--label", "com.github.containers.toolbox=true",
-	}...)
-
-	createArgs = append(createArgs, devPtsMount...)
-
-	createArgs = append(createArgs, []string{
 		"--name", container,
 		"--network", "host",
 		"--no-hosts",
diff --git a/src/cmd/initContainer.go b/src/cmd/initContainer.go
@@ -42,6 +42,7 @@ var (
 		mediaLink   bool
 		mntLink     bool
 		monitorHost bool
+		mountDevPts bool
 		shell       string
 		uid         int
 		user        string
@@ -114,6 +115,11 @@ func init() {
 		panic(panicMsg)
 	}
 
+	flags.BoolVar(&initContainerFlags.mountDevPts,
+		"mount-devpts",
+		false,
+		"Mount a devpts file system at /dev/pts")
+
 	flags.StringVar(&initContainerFlags.shell,
 		"shell",
 		"",
@@ -256,6 +262,12 @@ func initContainer(cmd *cobra.Command, args []string) error {
 		}
 	}
 
+	if initContainerFlags.mountDevPts {
+		if err := mountDevPts(); err != nil {
+			return err
+		}
+	}
+
 	if utils.PathExists("/etc/krb5.conf.d") && !utils.PathExists("/etc/krb5.conf.d/kcm_default_ccache") {
 		logrus.Debug("Setting KCM as the default Kerberos credential cache")
 
@@ -522,6 +534,48 @@ func mountBind(containerPath, source, flags string) error {
 	return nil
 }
 
+func mountDevPts() error {
+	optionsArgs := []string{
+		"noexec",
+		"nosuid",
+	}
+
+	const ttyGroup = "tty"
+	logrus.Debugf("Looking up group %s", ttyGroup)
+
+	if _, err := user.LookupGroup(ttyGroup); err != nil {
+		logrus.Debugf("Looking up group %s failed: %s", ttyGroup, err)
+	} else {
+		const optionsGIDArg = "gid=" + ttyGroup
+		optionsArgs = append(optionsArgs, []string{
+			optionsGIDArg,
+		}...)
+	}
+
+	optionsArgs = append(optionsArgs, []string{
+		"mode=620",
+		"ptmxmode=666",
+	}...)
+
+	optionsArg := strings.Join(optionsArgs, ",")
+
+	const devPtsFS = "devpts"
+	const devPtsMountPoint = "/dev/pts"
+
+	mountArgs := []string{
+		"--types", devPtsFS,
+		"--options", optionsArg,
+		devPtsFS,
+		devPtsMountPoint,
+	}
+
+	if err := shell.Run("mount", nil, nil, nil, mountArgs...); err != nil {
+		return fmt.Errorf("failed to mount a %s file system at %s: %w", devPtsFS, devPtsMountPoint, err)
+	}
+
+	return nil
+}
+
 // redirectPath serves for creating symbolic links for crucial system
 // configuration files to their counterparts on the host's file system.
 //
