Merge pull request #3614 from giuseppe/rootless-fresh-sys-mount-if-possible

openshift-merge-robot · web-flow · commit e3283ab9c424 · 2021-11-04T17:21:02.000+01:00
rootless: do not bind mount /sys if not needed
diff --git a/run_linux.go b/run_linux.go
@@ -2164,6 +2164,13 @@ func setupRootlessSpecChanges(spec *specs.Spec, bundleDir string, shmSize string
 		return err
 	}
 
+	// If the container has a network namespace, we can create a fresh /sys mount
+	for _, ns := range spec.Linux.Namespaces {
+		if ns.Type == specs.NetworkNamespace {
+			return nil
+		}
+	}
+
 	// Replace /sys with a read-only bind mount.
 	mounts := []specs.Mount{
 		{
diff --git a/tests/namespaces.bats b/tests/namespaces.bats
@@ -50,6 +50,11 @@ load helpers
   run_buildah run $RUNOPTS --net=host "$ctr" readlink /proc/self/ns/net
   expect_output "$mynetns"
 
+  # Check that we are not bind mounting /sys from the host with --net=container
+  host_sys=$(grep "/sys " /proc/self/mountinfo | cut -d ' ' -f 3)
+  run_buildah run $RUNOPTS --net=container "$ctr" sh -c 'grep "/sys " /proc/self/mountinfo | cut -d " " -f 3'
+  assert "$output" != "$host_sys"
+
   # Create a container that doesn't use that mapping.
   run_buildah from --signature-policy ${TESTSDIR}/policy.json --quiet alpine
   ctr="$output"

Original file line number	Diff line number	Diff line change
`@@ -2164,6 +2164,13 @@ func setupRootlessSpecChanges(spec *specs.Spec, bundleDir string, shmSize string`
`2164`	`2164`	`return err`
`2165`	`2165`	`}`
`2166`	`2166`
	`2167`	`+ // If the container has a network namespace, we can create a fresh /sys mount`
	`2168`	`+ for _, ns := range spec.Linux.Namespaces {`
	`2169`	`+ if ns.Type == specs.NetworkNamespace {`
	`2170`	`+ return nil`
	`2171`	`+ }`
	`2172`	`+ }`
	`2173`	`+`
`2167`	`2174`	`// Replace /sys with a read-only bind mount.`
`2168`	`2175`	`mounts := []specs.Mount{`
`2169`	`2176`	`{`