summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAkihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>2021-07-15 17:11:06 +0900
committerAkihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>2021-07-15 17:25:09 +0900
commite73d4829900c4ef47ffca4be306ef84b944aa9c2 (patch)
treea796dc3225927ef4c11ca4cbd320cc071946bff9
parent9d98f56a64852d3bf9d3b27ad6e1ac3e3ebb6622 (diff)
downloadpodman-e73d4829900c4ef47ffca4be306ef84b944aa9c2.tar.gz
podman-e73d4829900c4ef47ffca4be306ef84b944aa9c2.tar.bz2
podman-e73d4829900c4ef47ffca4be306ef84b944aa9c2.zip
CNI-in-slirp4netns: fix bind-mount for /run/systemd/resolve/stub-resolv.conf
Fix issue 10929 : `[Regression in 3.2.0] CNI-in-slirp4netns DNS gets broken when running a rootful container after running a rootless container` When /etc/resolv.conf on the host is a symlink to /run/systemd/resolve/stub-resolv.conf, we have to mount an empty filesystem on /run/systemd/resolve in the child namespace, so as to isolate the directory from the host mount namespace. Otherwise our bind-mount for /run/systemd/resolve/stub-resolv.conf is unmounted when systemd-resolved unlinks and recreates /run/systemd/resolve/stub-resolv.conf on the host. [NO TESTS NEEDED] Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
-rw-r--r--libpod/networking_linux.go15
1 files changed, 15 insertions, 0 deletions
diff --git a/libpod/networking_linux.go b/libpod/networking_linux.go
index 48b0c495c..15639aac4 100644
--- a/libpod/networking_linux.go
+++ b/libpod/networking_linux.go
@@ -177,6 +177,21 @@ func (r *RootlessCNI) Do(toRun func() error) error {
if err != nil {
return err
}
+ logrus.Debugf("The actual path of /etc/resolv.conf on the host is %q", resolvePath)
+ // When /etc/resolv.conf on the host is a symlink to /run/systemd/resolve/stub-resolv.conf,
+ // we have to mount an empty filesystem on /run/systemd/resolve in the child namespace,
+ // so as to isolate the directory from the host mount namespace.
+ //
+ // Otherwise our bind-mount for /run/systemd/resolve/stub-resolv.conf is unmounted
+ // when systemd-resolved unlinks and recreates /run/systemd/resolve/stub-resolv.conf on the host.
+ // see: https://github.com/containers/podman/issues/10929
+ if strings.HasPrefix(resolvePath, "/run/systemd/resolve/") {
+ rsr := r.getPath("/run/systemd/resolve")
+ err = unix.Mount("", rsr, "tmpfs", unix.MS_NOEXEC|unix.MS_NOSUID|unix.MS_NODEV, "")
+ if err != nil {
+ return errors.Wrapf(err, "failed to mount tmpfs on %q for rootless cni", rsr)
+ }
+ }
if strings.HasPrefix(resolvePath, "/run/") {
resolvePath = r.getPath(resolvePath)
err = os.MkdirAll(filepath.Dir(resolvePath), 0700)