diff options
author | Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp> | 2021-07-15 17:11:06 +0900 |
---|---|---|
committer | Paul Holzinger <pholzing@redhat.com> | 2021-07-15 18:18:38 +0200 |
commit | e54a513b964872e693a4582aaae7f9f4d7c098fb (patch) | |
tree | bae8cb6080eb7bfddb7a55725076d39658a85d03 | |
parent | 1469af265a197e1ede25eab2ba8faf1e3f3396da (diff) | |
download | podman-e54a513b964872e693a4582aaae7f9f4d7c098fb.tar.gz podman-e54a513b964872e693a4582aaae7f9f4d7c098fb.tar.bz2 podman-e54a513b964872e693a4582aaae7f9f4d7c098fb.zip |
CNI-in-slirp4netns: fix bind-mount for /run/systemd/resolve/stub-resolv.conf
Fix issue 10929 : `[Regression in 3.2.0] CNI-in-slirp4netns DNS gets broken when running a rootful container after running a rootless container`
When /etc/resolv.conf on the host is a symlink to /run/systemd/resolve/stub-resolv.conf,
we have to mount an empty filesystem on /run/systemd/resolve in the child namespace,
so as to isolate the directory from the host mount namespace.
Otherwise our bind-mount for /run/systemd/resolve/stub-resolv.conf is unmounted
when systemd-resolved unlinks and recreates /run/systemd/resolve/stub-resolv.conf on the host.
[NO TESTS NEEDED]
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
-rw-r--r-- | libpod/networking_linux.go | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/libpod/networking_linux.go b/libpod/networking_linux.go index c200698c2..09f0dae00 100644 --- a/libpod/networking_linux.go +++ b/libpod/networking_linux.go @@ -177,6 +177,21 @@ func (r *RootlessCNI) Do(toRun func() error) error { if err != nil { return err } + logrus.Debugf("The actual path of /etc/resolv.conf on the host is %q", resolvePath) + // When /etc/resolv.conf on the host is a symlink to /run/systemd/resolve/stub-resolv.conf, + // we have to mount an empty filesystem on /run/systemd/resolve in the child namespace, + // so as to isolate the directory from the host mount namespace. + // + // Otherwise our bind-mount for /run/systemd/resolve/stub-resolv.conf is unmounted + // when systemd-resolved unlinks and recreates /run/systemd/resolve/stub-resolv.conf on the host. + // see: https://github.com/containers/podman/issues/10929 + if strings.HasPrefix(resolvePath, "/run/systemd/resolve/") { + rsr := r.getPath("/run/systemd/resolve") + err = unix.Mount("", rsr, "tmpfs", unix.MS_NOEXEC|unix.MS_NOSUID|unix.MS_NODEV, "") + if err != nil { + return errors.Wrapf(err, "failed to mount tmpfs on %q for rootless cni", rsr) + } + } if strings.HasPrefix(resolvePath, "/run/") { resolvePath = r.getPath(resolvePath) err = os.MkdirAll(filepath.Dir(resolvePath), 0700) |