libcontainer: default mount propagation correctly #1598
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The code in prepareRoot (https://github.com/opencontainers/runc/blob/e385f67a0e45fa1d8ef8154e2aea5128ea1d331b/libcontainer/rootfs_linux.go#L599-L605) attempts to default the rootfs mount to `rslave`. However, since the spec conversion has already defaulted it to `rprivate`, that code doesn't actually ever do anything. This changes the spec conversion code to accept "" and treat it as 0. Implicitly, this makes rootfs propagation default to `rslave`, which is a part of fixing the moby bug moby/moby#34672 Alternate implementatoins include changing this defaulting to be `rslave` and removing the defaulting code in prepareRoot, or skipping the mapping entirely for "", but I think this change is the cleanest of those options. Signed-off-by: Euan Kemp <euan.kemp@coreos.com>
euank
added a commit
to euank/coreos-overlay
that referenced
this pull request
Sep 22, 2017
Upstream as opencontainers/runc#1598 See discussion there and in linked issues for the full details.
euank
added a commit
to euank/coreos-overlay
that referenced
this pull request
Sep 22, 2017
Upstream as opencontainers/runc#1598 See discussion there and in linked issues for the full details.
|
#1500 fixes a related but not identical race that you can hit with LGTM, but there are bigger problems than just this piece of code. These issues are caused by an architectural issue with containerd (which came from Docker's design). The solution should be to make containerd spawn each runc in a separate mount namespace (with the rootfs mounts done inside the namespace) which will avoid leakage into other containers. Of course, this is not really possible at the moment due to the way the Docker/containerd split were set up. |
|
LGTM |
ChrisMcKenzie
pushed a commit
to ChrisMcKenzie/coreos-overlay
that referenced
this pull request
Dec 9, 2017
Upstream as opencontainers/runc#1598 See discussion there and in linked issues for the full details.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The code in prepareRoot (
runc/libcontainer/rootfs_linux.go
Lines 599 to 605 in e385f67
attempts to default the rootfs mount to
rslave. However, since the specconversion has already defaulted it to
rprivate, that code doesn'tactually ever do anything.
This changes the spec conversion code to accept "" and treat it as 0.
Implicitly, this makes rootfs propagation default to
rslave, which isa part of fixing the moby bug moby/moby#34672
Alternate implementatoins include changing this defaulting to be
rslaveand removing the defaulting code in prepareRoot, or skippingthe mapping entirely for "", but I think this change is the cleanest of
those options.
cc @cyphar, this is somewhat similar to #1500 and fixes a similar problem.