
overlay: disable "rebase" capability when running in UserNS #13389

Merged: dmcgowan merged 1 commit into containerd:main from AkihiroSuda:fix-13388, May 12, 2026

@AkihiroSuda
Member

Fix #13388

```
[...]
May 12 16:57:23 kind-control-plane kubelet[257]:         failed to extract layer (application/vnd.docker.image.rootfs
.diff.tar sha256:6f1cdceb6a3146f0ccb986521156bef8a422cdbb0863396f7f751f575ba308f4) to overlayfs as "extract-920875437
-7QPF sha256:31e64620332e54e3e4fb246d8325ed2c9f1c2cc64a95f0bb23b4b7e82834c95a": failed to mount /var/lib/containerd/t
mpmounts/containerd-mount2180142388: mount source: "overlay", target: "/var/lib/containerd/tmpmounts/containerd-mount
2180142388", fstype: overlay, flags: 0, data: "upperdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/sn
apshots/279/fs", err: invalid argument
[...]
```

This was a regression introduced in PR #13115.

Copilot AI review requested due to automatic review settings May 12, 2026 17:17
@AkihiroSuda added the labels area/cri (Container Runtime Interface (CRI)), cherry-pick/2.2.x (Change to be cherry picked to release/2.2 branch), cherry-pick/2.3.x (Change to be cherry picked to release/2.3) May 12, 2026
@github-project-automation github-project-automation Bot moved this to Needs Triage in Pull Request Review May 12, 2026
@AkihiroSuda
Member Author

/cherry-pick release/2.2
/cherry-pick release/2.3

@k8s-infra-cherrypick-robot

@AkihiroSuda: once the present PR merges, I will cherry-pick it on top of release/2.2, release/2.3 in new PRs and assign them to you.

Details

In response to this:

/cherry-pick release/2.2
/cherry-pick release/2.3

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Contributor

Copilot AI left a comment

Pull request overview

This PR fixes a regression affecting rootless (UserNS) deployments by preventing the parallel-unpack overlayfs “bind mount -> overlay mount” workaround from running when containerd is executing inside a Linux user namespace. This avoids generating an overlay mount spec that later fails to mount with EINVAL during extraction (as reported in #13388), while keeping the workaround intact for the non-UserNS case introduced in #13115.

Changes:

  • Import github.com/moby/sys/userns in the unpacker.
  • Skip bindToOverlay(mounts) during parallel unpack for overlayfs when userns.RunningInUserNS() is true.


Comment thread core/unpack/unpacker.go Outdated
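
The gate described in the review overview above, as an added Go example that is not containerd's code and not part of this PR. It assumes the `/proc/self/uid_map` heuristic from user_namespaces(7), where the initial namespace shows `0 0 4294967295`; `inUserNS`, `advertisedCapabilities` and the capability name `example-other` are hypothetical, and only `rebase` comes from the PR title.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// inUserNS (hypothetical helper) decides from uid_map content whether the
// process runs in a non-initial user namespace, per user_namespaces(7).
func inUserNS(uidMap string) bool {
	lines := strings.Split(strings.TrimSpace(uidMap), "\n")
	if len(lines) != 1 || lines[0] == "" {
		// An empty map (namespace created, IDs not yet mapped) or several
		// ranges can never describe the initial namespace.
		return true
	}
	fields := strings.Fields(lines[0])
	if len(fields) != 3 {
		return false // unparseable: assume the initial namespace
	}
	return !(fields[0] == "0" && fields[1] == "0" && fields[2] == "4294967295")
}

// advertisedCapabilities (hypothetical) returns base unchanged outside a user
// namespace and without "rebase" inside one, so callers never attempt it there.
func advertisedCapabilities(base []string, uidMap string) []string {
	if !inUserNS(uidMap) {
		return base
	}
	out := make([]string, 0, len(base))
	for _, c := range base {
		if c != "rebase" {
			out = append(out, c)
		}
	}
	return out
}

func main() {
	// The capability list is constructed for the example.
	data, err := os.ReadFile("/proc/self/uid_map")
	if err != nil {
		fmt.Println("cannot read uid_map:", err)
		return
	}
	fmt.Println(advertisedCapabilities([]string{"rebase", "example-other"}, string(data)))
}
```

Deciding once, where capabilities are advertised, keeps a failing mount from being attempted at extraction time, which is where the `invalid argument` error in the log above surfaced.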
Fix issue 13388

```
[...]
May 12 16:57:23 kind-control-plane kubelet[257]:         failed to extract layer (application/vnd.docker.image.rootfs
.diff.tar sha256:6f1cdceb6a3146f0ccb986521156bef8a422cdbb0863396f7f751f575ba308f4) to overlayfs as "extract-920875437
-7QPF sha256:31e64620332e54e3e4fb246d8325ed2c9f1c2cc64a95f0bb23b4b7e82834c95a": failed to mount /var/lib/containerd/t
mpmounts/containerd-mount2180142388: mount source: "overlay", target: "/var/lib/containerd/tmpmounts/containerd-mount
2180142388", fstype: overlay, flags: 0, data: "upperdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/sn
apshots/279/fs", err: invalid argument
[...]
```

This was a regression introduced in PR 13115.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
@AkihiroSuda changed the title from "core/unpack: disable bindToOverlay when running in UserNS" to "overlay: disable "rebase" capability when running in UserNS" May 12, 2026
@github-project-automation github-project-automation Bot moved this from Needs Triage to Review In Progress in Pull Request Review May 12, 2026
@dmcgowan dmcgowan enabled auto-merge May 12, 2026 18:31
@dmcgowan dmcgowan added this pull request to the merge queue May 12, 2026
Merged via the queue into containerd:main with commit 0ed0ec0 May 12, 2026
93 of 96 checks passed
@github-project-automation github-project-automation Bot moved this from Review In Progress to Done in Pull Request Review May 12, 2026
@k8s-infra-cherrypick-robot

@AkihiroSuda: new pull request created: #13393


@k8s-infra-cherrypick-robot

@AkihiroSuda: new pull request created: #13394


@austinvazquez added the labels cherry-picked/2.2.x (PR commits are cherry-picked into release/2.2 branch), cherry-picked/2.3.x (PR commits are cherry picked into release/2.3 branch) and removed the labels cherry-pick/2.2.x (Change to be cherry picked to release/2.2 branch), cherry-pick/2.3.x (Change to be cherry picked to release/2.3) May 14, 2026

Labels

area/cri (Container Runtime Interface (CRI)), area/rootless, cherry-picked/2.2.x (PR commits are cherry-picked into release/2.2 branch), cherry-picked/2.3.x (PR commits are cherry picked into release/2.3 branch), size/XS

Development

Successfully merging this pull request may close these issues.

[v2.2.3 regression] Rootless Kubernetes: failed to extract layer [...] err: invalid argument
