Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

linux: drop check for /proc as invalid dest #1832

Merged
merged 1 commit into from
Sep 4, 2018
Merged

linux: drop check for /proc as invalid dest #1832

merged 1 commit into from
Sep 4, 2018

Conversation

giuseppe
Copy link
Member

@giuseppe giuseppe commented Jun 29, 2018
edited
Loading

it is now allowed to bind mount /proc when the PID namespace is shared
with the host.

Signed-off-by: Giuseppe Scrivano gscrivan@redhat.com

@rhatdan
Copy link
Contributor

rhatdan commented Jun 29, 2018

@giuseppe Looks like you missed some function calls in tests.

@giuseppe giuseppe force-pushed the runc-drop-invalid-proc-destination-with-chroot branch from 3da0739 to da6be08 Compare June 29, 2018 15:27
@giuseppe giuseppe mentioned this pull request Jun 29, 2018
Closed
@giuseppe
Copy link
Member Author

tests fixed!

@giuseppe
Copy link
Member Author

giuseppe commented Jul 5, 2018

/cc @mrunalp @cyphar @crosbymichael

mrunalp
mrunalp approved these changes Jul 9, 2018
View reviewed changes
Copy link
Contributor

@mrunalp mrunalp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@rhatdan
Copy link
Contributor

rhatdan commented Jul 9, 2018

@opencontainers/runc-maintainers PTAL

@giuseppe
Copy link
Member Author

giuseppe commented Aug 7, 2018

@dqminh would you mind to take a quick look at this patch as well? :-)

@giuseppe giuseppe force-pushed the runc-drop-invalid-proc-destination-with-chroot branch from da6be08 to de879c7 Compare August 27, 2018 10:30
@giuseppe giuseppe changed the title linux: drop check for /proc as invalid dest with chroot linux: drop check for /proc as invalid dest Aug 27, 2018
@giuseppe giuseppe force-pushed the runc-drop-invalid-proc-destination-with-chroot branch 2 times, most recently from 89bba2e to 638fdda Compare August 27, 2018 10:31
@giuseppe giuseppe mentioned this pull request Aug 27, 2018
Closed
@giuseppe giuseppe force-pushed the runc-drop-invalid-proc-destination-with-chroot branch from 638fdda to cc44090 Compare August 27, 2018 11:06
giuseppe added a commit to giuseppe/libpod that referenced this pull request Aug 27, 2018
@giuseppe
rootless: fix --pid=host
a9f9d40 
Unfortunately this is not enough to get it working as runc doesn't
allow to bind mount /proc.

Depends on: opencontainers/runc#1832

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
rh-atomic-bot pushed a commit to containers/podman that referenced this pull request Aug 27, 2018
@giuseppe @rh-atomic-bot
rootless: fix --pid=host
5f0a1c1 
Unfortunately this is not enough to get it working as runc doesn't
allow to bind mount /proc.

Depends on: opencontainers/runc#1832

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Closes: #1349
Approved by: rhatdan
@mrunalp
Copy link
Contributor

mrunalp commented Aug 29, 2018

@cyphar @crosbymichael @dqminh PTAL

crosbymichael
crosbymichael reviewed Aug 29, 2018
View reviewed changes
libcontainer/rootfs_linux.go Outdated
@@ -53,7 +53,7 @@ func prepareRootfs(pipe io.ReadWriter, iConfig *initConfig) (err error) {
}
}

if err := mountToRootfs(m, config.Rootfs, config.MountLabel); err != nil {
if err := mountToRootfs(m, config.Rootfs, config.MountLabel, config.Namespaces.Contains(configs.NEWNS)); err != nil {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why are you using NEWNS here when the description of the PR talks about NEWPID?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sorry that was a leftover of a cleanup. The patch was originally written to address only the "chroot" case but I've changed it to address also another problem: /proc could not be bind mounted from the host. This is useful for rootless containers when the PID namespace is shared with the host (and the container cannot mount a new /proc).

I've pushed a new version which is much simpler now.

@giuseppe giuseppe force-pushed the runc-drop-invalid-proc-destination-with-chroot branch from cc44090 to fe0d9b1 Compare August 29, 2018 21:26
@giuseppe
linux: drop check for /proc as invalid dest
636b664 
it is now allowed to bind mount /proc.  This is useful for rootless
containers when the PID namespace is shared with the host.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
@giuseppe giuseppe force-pushed the runc-drop-invalid-proc-destination-with-chroot branch from fe0d9b1 to 636b664 Compare August 30, 2018 07:56
@crosbymichael
Copy link
Member

crosbymichael commented Sep 4, 2018
edited by caniszczyk
Loading

LGTM

Approved with PullApprove

1 similar comment
@mrunalp
Copy link
Contributor

mrunalp commented Sep 4, 2018
edited by caniszczyk
Loading

LGTM

Approved with PullApprove

@mrunalp mrunalp merged commit 9cda583 into opencontainers:master Sep 4, 2018
@crosbymichael crosbymichael mentioned this pull request Sep 23, 2019
Closed
@cyphar cyphar mentioned this pull request Sep 23, 2019
Merged
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@crosbymichael crosbymichael crosbymichael left review comments

@mrunalp mrunalp mrunalp approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@giuseppe @rhatdan @mrunalp @crosbymichael