Skip to content

linux: drop check for /proc as invalid dest#1832

Merged
mrunalp merged 1 commit intoopencontainers:masterfrom
giuseppe:runc-drop-invalid-proc-destination-with-chroot
Sep 4, 2018
Merged

linux: drop check for /proc as invalid dest#1832
mrunalp merged 1 commit intoopencontainers:masterfrom
giuseppe:runc-drop-invalid-proc-destination-with-chroot

Conversation

@giuseppe
Copy link
Copy Markdown
Member

@giuseppe giuseppe commented Jun 29, 2018
edited
Loading

it is now allowed to bind mount /proc when the PID namespace is shared
with the host.

Signed-off-by: Giuseppe Scrivano gscrivan@redhat.com

@rhatdan
Copy link
Copy Markdown
Contributor

rhatdan commented Jun 29, 2018

@giuseppe Looks like you missed some function calls in tests.

@giuseppe giuseppe force-pushed the runc-drop-invalid-proc-destination-with-chroot branch from 3da0739 to da6be08 Compare June 29, 2018 15:27
@giuseppe giuseppe mentioned this pull request Jun 29, 2018
Closed
@giuseppe
Copy link
Copy Markdown
Member Author

giuseppe commented Jun 29, 2018

tests fixed!

@giuseppe
Copy link
Copy Markdown
Member Author

giuseppe commented Jul 5, 2018

/cc @mrunalp @cyphar @crosbymichael

mrunalp
mrunalp approved these changes Jul 9, 2018
View reviewed changes
Copy link
Copy Markdown
Contributor

@mrunalp mrunalp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@rhatdan
Copy link
Copy Markdown
Contributor

rhatdan commented Jul 9, 2018

@opencontainers/runc-maintainers PTAL

@giuseppe
Copy link
Copy Markdown
Member Author

giuseppe commented Aug 7, 2018

@dqminh would you mind to take a quick look at this patch as well? :-)

@giuseppe giuseppe force-pushed the runc-drop-invalid-proc-destination-with-chroot branch from da6be08 to de879c7 Compare August 27, 2018 10:30
@giuseppe giuseppe changed the title linux: drop check for /proc as invalid dest with chroot linux: drop check for /proc as invalid dest Aug 27, 2018
@giuseppe giuseppe force-pushed the runc-drop-invalid-proc-destination-with-chroot branch 2 times, most recently from 89bba2e to 638fdda Compare August 27, 2018 10:31
@giuseppe giuseppe mentioned this pull request Aug 27, 2018
Closed
@giuseppe giuseppe force-pushed the runc-drop-invalid-proc-destination-with-chroot branch from 638fdda to cc44090 Compare August 27, 2018 11:06
giuseppe added a commit to giuseppe/libpod that referenced this pull request Aug 27, 2018
@giuseppe
rootless: fix --pid=host
a9f9d40 
Unfortunately this is not enough to get it working as runc doesn't
allow to bind mount /proc.

Depends on: opencontainers/runc#1832

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
rh-atomic-bot pushed a commit to containers/podman that referenced this pull request Aug 27, 2018
@giuseppe @rh-atomic-bot
rootless: fix --pid=host
5f0a1c1 
Unfortunately this is not enough to get it working as runc doesn't
allow to bind mount /proc.

Depends on: opencontainers/runc#1832

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Closes: #1349
Approved by: rhatdan
@mrunalp
Copy link
Copy Markdown
Contributor

mrunalp commented Aug 29, 2018

@cyphar @crosbymichael @dqminh PTAL

crosbymichael
crosbymichael reviewed Aug 29, 2018
View reviewed changes
Comment thread libcontainer/rootfs_linux.go Outdated
}

if err := mountToRootfs(m, config.Rootfs, config.MountLabel); err != nil {
if err := mountToRootfs(m, config.Rootfs, config.MountLabel, config.Namespaces.Contains(configs.NEWNS)); err != nil {
Copy link
Copy Markdown
Member

@crosbymichael crosbymichael Aug 29, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why are you using NEWNS here when the description of the PR talks about NEWPID?

Copy link
Copy Markdown
Member Author

@giuseppe giuseppe Aug 29, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sorry that was a leftover of a cleanup. The patch was originally written to address only the "chroot" case but I've changed it to address also another problem: /proc could not be bind mounted from the host. This is useful for rootless containers when the PID namespace is shared with the host (and the container cannot mount a new /proc).

I've pushed a new version which is much simpler now.

@giuseppe giuseppe force-pushed the runc-drop-invalid-proc-destination-with-chroot branch from cc44090 to fe0d9b1 Compare August 29, 2018 21:26
@giuseppe
linux: drop check for /proc as invalid dest
636b664 
it is now allowed to bind mount /proc.  This is useful for rootless
containers when the PID namespace is shared with the host.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
@giuseppe giuseppe force-pushed the runc-drop-invalid-proc-destination-with-chroot branch from fe0d9b1 to 636b664 Compare August 30, 2018 07:56
@crosbymichael
Copy link
Copy Markdown
Member

crosbymichael commented Sep 4, 2018
edited by caniszczyk
Loading

LGTM

Approved with PullApprove

1 similar comment
@mrunalp
Copy link
Copy Markdown
Contributor

mrunalp commented Sep 4, 2018
edited by caniszczyk
Loading

LGTM

Approved with PullApprove

@mrunalp mrunalp merged commit 9cda583 into opencontainers:master Sep 4, 2018
@crosbymichael crosbymichael mentioned this pull request Sep 23, 2019
Closed
@cyphar cyphar mentioned this pull request Sep 23, 2019
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@crosbymichael crosbymichael crosbymichael left review comments

@mrunalp mrunalp mrunalp approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@giuseppe @rhatdan @mrunalp @crosbymichael