Runc should remount binds with correct options. #3801
Replies: 3 comments 3 replies
-
/cc @rata |
Beta Was this translation helpful? Give feedback.
-
I think we discussed this before in somewhere, and we wanted high-level runtimes to generate the proper config. |
Beta Was this translation helpful? Give feedback.
-
@vinayakankugoyal the mount of @AkihiroSuda Cool, if there is agreement on that, we can close this discussion :) |
Beta Was this translation helpful? Give feedback.
-
When user namespaces (userns) feature is enabled and a bind mount is created from the host to container, and the host filesystem where this files lives on the host is mounted with
nosuid, nodev, noexec
the bind mount will fail in the container if containerd doesn't have those options aswell.We discovered this issue while debugging #3770. We fixed this issue in
containerd
via containerd/containerd#8309, however we would like to discuss ifrunc
should implement remounting with the correct options in this case. As @rata pointed out in #3770 (comment): Crun already does this https://github.com/containers/crun/blob/main/src/libcrun/linux.c#L919-L946.Here is an example:-
On Google COS OS.
/etc/resolv.conf
is a symlink to/run/systemd/resolve/resolv.conf
If we look at the filesystem mount for /run
Without our fix above the runtime config (config.json) the bind mount for
/etc/resolv.conf
was specified as :-This error looks like
We fixed this by updating the options to add
nosuid, noexec, nodev
to the options.Not that just adding
nosuid, nodev
would also have worked because those were the options specified in thetmpfs
on/run
on the host.Beta Was this translation helpful? Give feedback.
All reactions