[workspacekit] Don't bogously filter proc mount targets #5139
Conversation
Codecov Report
@@ Coverage Diff @@
## main #5139 +/- ##
=======================================
+ Coverage 0 7.65% +7.65%
=======================================
Files 0 3 +3
Lines 0 588 +588
=======================================
+ Hits 0 45 +45
- Misses 0 540 +540
- Partials 0 3 +3
Flags with carried forward coverage won't be shown. Click here to find out more.
Continue to review full report at Codecov.
|
|
/approve |
csweichel
force-pushed
the
cw/fix-runc-proc-mount
branch
from
61159fe
to
421bc1a
Compare
csweichel
force-pushed
the
cw/fix-runc-proc-mount
branch
from
421bc1a
to
7157dcc
Compare
|
LGTM label has been added. Git tree hash: b066d37d5d56913eacafa60f15c14eb48abf4841
|
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: aledbf, leodido Associated issue: #5124 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
fixes #5124
This PR makes
workspacekithandle the style of proc mounts we're seeing fromruncrecently.There are several challenges involved:
/proc/self/...which only makes sense in the context of the calling process. In such cases we replace the mount target with/proc/<targetPID>as seen from ring1. Such a path does not exist in the mount namespace of ring2, where nsinsider will move the mount to, henceBy virtue of those two changes, a mount to something like
/proc/self/fd/7works, because we first rewrite the path to/proc/<pid>/fd/7and resolve the symlink.This PR also harmonises the handling of proc and sysfs mounts.
How to test
try a recent runc
sudo curl -o $(which runc) -L https://github.com/opencontainers/runc/releases/download/v1.0.1/runc.amd64 docker run --rm -it alpine:latest