Commit 784c4d8b1b1e66f8c45e8b889613f4982f525b2b
Committed by
Linus Torvalds
Linus Torvalds
1 parent
2a1b2dc0c8
Exists in
master
and in
20 other branches
Document usage of multiple-instances of devpts
Changelog [v2]: - Add note indicating strict isolation is not possible unless all mounts of devpts use the 'newinstance' mount option. Signed-off-by: Sukadev Bhattiprolu <sukadev@linux.vnet.ibm.com> Signed-off-by: Alan Cox <alan@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Showing 1 changed file with 132 additions and 0 deletions Side-by-side Diff
Documentation/filesystems/devpts.txt
| 1 | + | |
| 2 | +To support containers, we now allow multiple instances of devpts filesystem, | |
| 3 | +such that indices of ptys allocated in one instance are independent of indices | |
| 4 | +allocated in other instances of devpts. | |
| 5 | + | |
| 6 | +To preserve backward compatibility, this support for multiple instances is | |
| 7 | +enabled only if: | |
| 8 | + | |
| 9 | + - CONFIG_DEVPTS_MULTIPLE_INSTANCES=y, and | |
| 10 | + - '-o newinstance' mount option is specified while mounting devpts | |
| 11 | + | |
| 12 | +IOW, devpts now supports both single-instance and multi-instance semantics. | |
| 13 | + | |
| 14 | +If CONFIG_DEVPTS_MULTIPLE_INSTANCES=n, there is no change in behavior and | |
| 15 | +this referred to as the "legacy" mode. In this mode, the new mount options | |
| 16 | +(-o newinstance and -o ptmxmode) will be ignored with a 'bogus option' message | |
| 17 | +on console. | |
| 18 | + | |
| 19 | +If CONFIG_DEVPTS_MULTIPLE_INSTANCES=y and devpts is mounted without the | |
| 20 | +'newinstance' option (as in current start-up scripts) the new mount binds | |
| 21 | +to the initial kernel mount of devpts. This mode is referred to as the | |
| 22 | +'single-instance' mode and the current, single-instance semantics are | |
| 23 | +preserved, i.e PTYs are common across the system. | |
| 24 | + | |
| 25 | +The only difference between this single-instance mode and the legacy mode | |
| 26 | +is the presence of new, '/dev/pts/ptmx' node with permissions 0000, which | |
| 27 | +can safely be ignored. | |
| 28 | + | |
| 29 | +If CONFIG_DEVPTS_MULTIPLE_INSTANCES=y and 'newinstance' option is specified, | |
| 30 | +the mount is considered to be in the multi-instance mode and a new instance | |
| 31 | +of the devpts fs is created. Any ptys created in this instance are independent | |
| 32 | +of ptys in other instances of devpts. Like in the single-instance mode, the | |
| 33 | +/dev/pts/ptmx node is present. To effectively use the multi-instance mode, | |
| 34 | +open of /dev/ptmx must be a redirected to '/dev/pts/ptmx' using a symlink or | |
| 35 | +bind-mount. | |
| 36 | + | |
| 37 | +Eg: A container startup script could do the following: | |
| 38 | + | |
| 39 | + $ chmod 0666 /dev/pts/ptmx | |
| 40 | + $ rm /dev/ptmx | |
| 41 | + $ ln -s pts/ptmx /dev/ptmx | |
| 42 | + $ ns_exec -cm /bin/bash | |
| 43 | + | |
| 44 | + # We are now in new container | |
| 45 | + | |
| 46 | + $ umount /dev/pts | |
| 47 | + $ mount -t devpts -o newinstance lxcpts /dev/pts | |
| 48 | + $ sshd -p 1234 | |
| 49 | + | |
| 50 | +where 'ns_exec -cm /bin/bash' calls clone() with CLONE_NEWNS flag and execs | |
| 51 | +/bin/bash in the child process. A pty created by the sshd is not visible in | |
| 52 | +the original mount of /dev/pts. | |
| 53 | + | |
| 54 | +User-space changes | |
| 55 | +------------------ | |
| 56 | + | |
| 57 | +In multi-instance mode (i.e '-o newinstance' mount option is specified at least | |
| 58 | +once), following user-space issues should be noted. | |
| 59 | + | |
| 60 | +1. If -o newinstance mount option is never used, /dev/pts/ptmx can be ignored | |
| 61 | + and no change is needed to system-startup scripts. | |
| 62 | + | |
| 63 | +2. To effectively use multi-instance mode (i.e -o newinstance is specified) | |
| 64 | + administrators or startup scripts should "redirect" open of /dev/ptmx to | |
| 65 | + /dev/pts/ptmx using either a bind mount or symlink. | |
| 66 | + | |
| 67 | + $ mount -t devpts -o newinstance devpts /dev/pts | |
| 68 | + | |
| 69 | + followed by either | |
| 70 | + | |
| 71 | + $ rm /dev/ptmx | |
| 72 | + $ ln -s pts/ptmx /dev/ptmx | |
| 73 | + $ chmod 666 /dev/pts/ptmx | |
| 74 | + or | |
| 75 | + $ mount -o bind /dev/pts/ptmx /dev/ptmx | |
| 76 | + | |
| 77 | +3. The '/dev/ptmx -> pts/ptmx' symlink is the preferred method since it | |
| 78 | + enables better error-reporting and treats both single-instance and | |
| 79 | + multi-instance mounts similarly. | |
| 80 | + | |
| 81 | + But this method requires that system-startup scripts set the mode of | |
| 82 | + /dev/pts/ptmx correctly (default mode is 0000). The scripts can set the | |
| 83 | + mode by, either | |
| 84 | + | |
| 85 | + - adding ptmxmode mount option to devpts entry in /etc/fstab, or | |
| 86 | + - using 'chmod 0666 /dev/pts/ptmx' | |
| 87 | + | |
| 88 | +4. If multi-instance mode mount is needed for containers, but the system | |
| 89 | + startup scripts have not yet been updated, container-startup scripts | |
| 90 | + should bind mount /dev/ptmx to /dev/pts/ptmx to avoid breaking single- | |
| 91 | + instance mounts. | |
| 92 | + | |
| 93 | + Or, in general, container-startup scripts should use: | |
| 94 | + | |
| 95 | + mount -t devpts -o newinstance -o ptmxmode=0666 devpts /dev/pts | |
| 96 | + if [ ! -L /dev/ptmx ]; then | |
| 97 | + mount -o bind /dev/pts/ptmx /dev/ptmx | |
| 98 | + fi | |
| 99 | + | |
| 100 | + When all devpts mounts are multi-instance, /dev/ptmx can permanently be | |
| 101 | + a symlink to pts/ptmx and the bind mount can be ignored. | |
| 102 | + | |
| 103 | +5. A multi-instance mount that is not accompanied by the /dev/ptmx to | |
| 104 | + /dev/pts/ptmx redirection would result in an unusable/unreachable pty. | |
| 105 | + | |
| 106 | + mount -t devpts -o newinstance lxcpts /dev/pts | |
| 107 | + | |
| 108 | + immediately followed by: | |
| 109 | + | |
| 110 | + open("/dev/ptmx") | |
| 111 | + | |
| 112 | + would create a pty, say /dev/pts/7, in the initial kernel mount. | |
| 113 | + But /dev/pts/7 would be invisible in the new mount. | |
| 114 | + | |
| 115 | +6. The permissions for /dev/pts/ptmx node should be specified when mounting | |
| 116 | + /dev/pts, using the '-o ptmxmode=%o' mount option (default is 0000). | |
| 117 | + | |
| 118 | + mount -t devpts -o newinstance -o ptmxmode=0644 devpts /dev/pts | |
| 119 | + | |
| 120 | + The permissions can be later be changed as usual with 'chmod'. | |
| 121 | + | |
| 122 | + chmod 666 /dev/pts/ptmx | |
| 123 | + | |
| 124 | +7. A mount of devpts without the 'newinstance' option results in binding to | |
| 125 | + initial kernel mount. This behavior while preserving legacy semantics, | |
| 126 | + does not provide strict isolation in a container environment. i.e by | |
| 127 | + mounting devpts without the 'newinstance' option, a container could | |
| 128 | + get visibility into the 'host' or root container's devpts. | |
| 129 | + | |
| 130 | + To workaround this and have strict isolation, all mounts of devpts, | |
| 131 | + including the mount in the root container, should use the newinstance | |
| 132 | + option. |