diff options
author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2021-01-15 13:38:30 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-01-15 13:38:30 -0500 |
commit | 53ecda298150038d67f466c834ec3b87b3a678e5 (patch) | |
tree | 70cdf3e7388c9343d48a496d67fbb605f8a4abd4 /pkg/specgen | |
parent | 0400dc0a0017a8347e47b32c411e65531b0f4af4 (diff) | |
parent | 2c328a4ac12262771861b2be6522acbfa5bbadb6 (diff) | |
download | podman-53ecda298150038d67f466c834ec3b87b3a678e5.tar.gz podman-53ecda298150038d67f466c834ec3b87b3a678e5.tar.bz2 podman-53ecda298150038d67f466c834ec3b87b3a678e5.zip |
Merge pull request #8949 from giuseppe/sysfs-for-rootless
specgen: improve heuristic for /sys bind mount
Diffstat (limited to 'pkg/specgen')
-rw-r--r-- | pkg/specgen/generate/oci.go | 39 |
1 files changed, 21 insertions, 18 deletions
diff --git a/pkg/specgen/generate/oci.go b/pkg/specgen/generate/oci.go index 7dc32a314..e62131244 100644 --- a/pkg/specgen/generate/oci.go +++ b/pkg/specgen/generate/oci.go @@ -138,10 +138,23 @@ func makeCommand(ctx context.Context, s *specgen.SpecGenerator, img *image.Image return finalCommand, nil } +// canMountSys is a best-effort heuristic to detect whether mounting a new sysfs is permitted in the container +func canMountSys(isRootless, isNewUserns bool, s *specgen.SpecGenerator) bool { + if s.NetNS.IsHost() && (isRootless || isNewUserns) { + return false + } + if isNewUserns { + switch s.NetNS.NSMode { + case specgen.Slirp, specgen.Private, specgen.NoNetwork, specgen.Bridge: + return true + default: + return false + } + } + return true +} + func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runtime, rtc *config.Config, newImage *image.Image, mounts []spec.Mount, pod *libpod.Pod, finalCmd []string) (*spec.Spec, error) { - var ( - inUserNS bool - ) cgroupPerm := "ro" g, err := generate.New("linux") if err != nil { @@ -151,23 +164,11 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt g.RemoveMount("/dev/shm") g.HostSpecific = true addCgroup := true - canMountSys := true isRootless := rootless.IsRootless() - if isRootless { - inUserNS = true - } - if !s.UserNS.IsHost() { - if s.UserNS.IsContainer() || s.UserNS.IsPath() { - inUserNS = true - } - if s.UserNS.IsPrivate() { - inUserNS = true - } - } - if inUserNS && s.NetNS.NSMode != specgen.NoNetwork { - canMountSys = false - } + isNewUserns := s.UserNS.IsContainer() || s.UserNS.IsPath() || s.UserNS.IsPrivate() + + canMountSys := canMountSys(isRootless, isNewUserns, s) if s.Privileged && canMountSys { cgroupPerm = "rw" @@ -232,6 +233,8 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt g.AddMount(devPts) } + inUserNS := isRootless || isNewUserns + if inUserNS && s.IpcNS.IsHost() { g.RemoveMount("/dev/mqueue") devMqueue := spec.Mount{ |