cmd/create, cmd/initContainer: Mount the devpts file system at runtime

debarshiray · debarshiray · commit 0e68dc9cb8d1 · 2023-03-07T20:34:35.000+01:00
Anything that's specified during 'podman create ...' gets statically baked into the container's configuration, and is either difficult or impossible to change afterwards. This means that Toolbx containers created with older versions of Toolbx keep diverging from those created with newer versions. Hence, making it complicated to keep older containers working with newer Toolbx. Mounting the devpts file system at runtime as part of the Toolbx container's entry point will make it possible to update the attributes of the mount, if necessary, for both existing and newly created containers. For what it's worth, this does alter the mount options by removing 'context'. With 'podman create --mount type=devpts,destination=/dev/pts' it was: $ mount | grep ... devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime, context="system_u:object_r:container_file_t:s0:c1022,c1023", gid=100005,mode=620,ptmxmode=666) Now with 'mount -t devpts -o noexec,nosuid,gid=5,mode=620,ptmxmode=666' it is: $ mount | grep devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,seclabel, gid=100005,mode=620,ptmxmode=666) containers#1016
diff --git a/src/cmd/create.go b/src/cmd/create.go
@@ -245,15 +245,6 @@ func createContainer(container, image, release, authFile string, showCommandToEn
 
 	runtimeDirectoryMountArg := runtimeDirectory + ":" + runtimeDirectory
 
-	logrus.Debug("Checking if 'podman create' supports '--mount type=devpts'")
-
-	var devPtsMount []string
-
-	if podman.CheckVersion("2.1.0") {
-		logrus.Debug("'podman create' supports '--mount type=devpts'")
-		devPtsMount = []string{"--mount", "type=devpts,destination=/dev/pts"}
-	}
-
 	var usernsArg string
 	if currentUser.Uid == "0" {
 		usernsArg = "host"
@@ -404,11 +395,6 @@ func createContainer(container, image, release, authFile string, showCommandToEn
 		"--hostname", "toolbox",
 		"--ipc", "host",
 		"--label", "com.github.containers.toolbox=true",
-	}...)
-
-	createArgs = append(createArgs, devPtsMount...)
-
-	createArgs = append(createArgs, []string{
 		"--name", container,
 		"--network", "host",
 		"--no-hosts",
diff --git a/src/cmd/initContainer.go b/src/cmd/initContainer.go
@@ -256,6 +256,10 @@ func initContainer(cmd *cobra.Command, args []string) error {
 		}
 	}
 
+	if err := mountDevPts(); err != nil {
+		return err
+	}
+
 	if utils.PathExists("/etc/krb5.conf.d") && !utils.PathExists("/etc/krb5.conf.d/kcm_default_ccache") {
 		logrus.Debug("Setting KCM as the default Kerberos credential cache")
 
@@ -522,6 +526,48 @@ func mountBind(containerPath, source, flags string) error {
 	return nil
 }
 
+func mountDevPts() error {
+	optionsArgs := []string{
+		"noexec",
+		"nosuid",
+	}
+
+	const ttyGroup = "tty"
+	logrus.Debugf("Looking up group %s", ttyGroup)
+
+	if _, err := user.LookupGroup(ttyGroup); err != nil {
+		logrus.Debugf("Looking up group %s failed: %s", ttyGroup, err)
+	} else {
+		const optionsGIDArg = "gid=" + ttyGroup
+		optionsArgs = append(optionsArgs, []string{
+			optionsGIDArg,
+		}...)
+	}
+
+	optionsArgs = append(optionsArgs, []string{
+		"mode=620",
+		"ptmxmode=666",
+	}...)
+
+	optionsArg := strings.Join(optionsArgs, ",")
+
+	const devPtsFS = "devpts"
+	const devPtsMountPoint = "/dev/pts"
+
+	mountArgs := []string{
+		"--types", devPtsFS,
+		"--options", optionsArg,
+		devPtsFS,
+		devPtsMountPoint,
+	}
+
+	if err := shell.Run("mount", nil, nil, nil, mountArgs...); err != nil {
+		return fmt.Errorf("failed to mount a %s file system at %s: %w", devPtsFS, devPtsMountPoint, err)
+	}
+
+	return nil
+}
+
 // redirectPath serves for creating symbolic links for crucial system
 // configuration files to their counterparts on the host's file system.
 //
