diff options
| author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2021-01-15 13:38:30 -0500 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-01-15 13:38:30 -0500 |
| commit | 53ecda298150038d67f466c834ec3b87b3a678e5 (patch) | |
| tree | 70cdf3e7388c9343d48a496d67fbb605f8a4abd4 | |
| parent | 0400dc0a0017a8347e47b32c411e65531b0f4af4 (diff) | |
| parent | 2c328a4ac12262771861b2be6522acbfa5bbadb6 (diff) | |
| download | podman-53ecda298150038d67f466c834ec3b87b3a678e5.tar.gz podman-53ecda298150038d67f466c834ec3b87b3a678e5.tar.bz2 podman-53ecda298150038d67f466c834ec3b87b3a678e5.zip | |
Merge pull request #8949 from giuseppe/sysfs-for-rootless
specgen: improve heuristic for /sys bind mount
| -rw-r--r-- | pkg/specgen/generate/oci.go | 39 | ||||
| -rw-r--r-- | test/e2e/run_ns_test.go | 8 |
2 files changed, 29 insertions, 18 deletions
diff --git a/pkg/specgen/generate/oci.go b/pkg/specgen/generate/oci.go index 7dc32a314..e62131244 100644 --- a/pkg/specgen/generate/oci.go +++ b/pkg/specgen/generate/oci.go @@ -138,10 +138,23 @@ func makeCommand(ctx context.Context, s *specgen.SpecGenerator, img *image.Image return finalCommand, nil } +// canMountSys is a best-effort heuristic to detect whether mounting a new sysfs is permitted in the container +func canMountSys(isRootless, isNewUserns bool, s *specgen.SpecGenerator) bool { + if s.NetNS.IsHost() && (isRootless || isNewUserns) { + return false + } + if isNewUserns { + switch s.NetNS.NSMode { + case specgen.Slirp, specgen.Private, specgen.NoNetwork, specgen.Bridge: + return true + default: + return false + } + } + return true +} + func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runtime, rtc *config.Config, newImage *image.Image, mounts []spec.Mount, pod *libpod.Pod, finalCmd []string) (*spec.Spec, error) { - var ( - inUserNS bool - ) cgroupPerm := "ro" g, err := generate.New("linux") if err != nil { @@ -151,23 +164,11 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt g.RemoveMount("/dev/shm") g.HostSpecific = true addCgroup := true - canMountSys := true isRootless := rootless.IsRootless() - if isRootless { - inUserNS = true - } - if !s.UserNS.IsHost() { - if s.UserNS.IsContainer() || s.UserNS.IsPath() { - inUserNS = true - } - if s.UserNS.IsPrivate() { - inUserNS = true - } - } - if inUserNS && s.NetNS.NSMode != specgen.NoNetwork { - canMountSys = false - } + isNewUserns := s.UserNS.IsContainer() || s.UserNS.IsPath() || s.UserNS.IsPrivate() + + canMountSys := canMountSys(isRootless, isNewUserns, s) if s.Privileged && canMountSys { cgroupPerm = "rw" @@ -232,6 +233,8 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt g.AddMount(devPts) } + inUserNS := isRootless || isNewUserns + if inUserNS && s.IpcNS.IsHost() { g.RemoveMount("/dev/mqueue") devMqueue := spec.Mount{ diff --git a/test/e2e/run_ns_test.go b/test/e2e/run_ns_test.go index 51657cb1e..29d2d4395 100644 --- a/test/e2e/run_ns_test.go +++ b/test/e2e/run_ns_test.go @@ -105,6 +105,14 @@ var _ = Describe("Podman run ns", func() { Expect(session).To(ExitWithError()) }) + It("podman run mounts fresh cgroup", func() { + session := podmanTest.Podman([]string{"run", fedoraMinimal, "grep", "cgroup", "/proc/self/mountinfo"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + output := session.OutputToString() + Expect(output).ToNot(ContainSubstring("..")) + }) + It("podman run --ipc=host --pid=host", func() { SkipIfRootlessCgroupsV1("Not supported for rootless + CGroupsV1") cmd := exec.Command("ls", "-l", "/proc/self/ns/pid") |