[workspacekit] Don't bogously filter proc mount targets #5139
Codecov Report
@@ Coverage Diff @@
## main #5139 +/- ##
=======================================
+ Coverage 0 7.65% +7.65%
=======================================
Files 0 3 +3
Lines 0 588 +588
=======================================
+ Hits 0 45 +45
- Misses 0 540 +540
- Partials 0 3 +3
/approve
LGTM
Just some nitpicking.
Otherwise it LGTM
61159fe to 421bc1a
421bc1a to 7157dcc
/lgtm
LGTM label has been added. Git tree hash: b066d37d5d56913eacafa60f15c14eb48abf4841
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: aledbf, leodido
Associated issue: #5124
fixes #5124
This PR makes workspacekit handle the style of proc mounts we're seeing from runc recently.

There are several challenges involved:
/proc/self/... which only makes sense in the context of the calling process. In such cases we replace the mount target with /proc/<targetPID>
as seen from ring1. Such a path does not exist in the mount namespace of ring2, where nsinsider will move the mount to, hence

By virtue of those two changes, a mount to something like /proc/self/fd/7 works, because we first rewrite the path to /proc/<pid>/fd/7 and resolve the symlink.

This PR also harmonises the handling of proc and sysfs mounts.
How to test
try a recent runc
sudo curl -o $(which runc) -L https://github.com/opencontainers/runc/releases/download/v1.0.1/runc.amd64
docker run --rm -it alpine:latest
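The rewrite-then-resolve step from the PR description above, as an added Go example that is not workspacekit's own code. The function names `rewriteProcSelf` and `resolveMountTarget` are hypothetical, and the sample input uses the current process in place of `<targetPID>`.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// rewriteProcSelf (hypothetical helper) replaces a leading /proc/self with
// /proc/<pid>: "self" only has meaning for the process that wrote the path.
// The bool reports whether the target was a /proc/self path at all.
func rewriteProcSelf(target string, pid int) (string, bool) {
	clean := filepath.Clean(target) // collapse "..", "//" before matching
	if clean != "/proc/self" && !strings.HasPrefix(clean, "/proc/self/") {
		return clean, false // e.g. /proc/selfish or /proc/sys stay untouched
	}
	return fmt.Sprintf("/proc/%d%s", pid, strings.TrimPrefix(clean, "/proc/self")), true
}

// resolveMountTarget (hypothetical helper) rewrites the target, then resolves
// symlinks, so /proc/self/fd/7 becomes the real path behind fd 7 of pid.
func resolveMountTarget(target string, pid int) (string, error) {
	rewritten, _ := rewriteProcSelf(target, pid)
	resolved, err := filepath.EvalSymlinks(rewritten)
	if err != nil {
		// Descriptors that are not files (pipes, sockets) have no path to resolve.
		return "", fmt.Errorf("resolve %s (from %s): %w", rewritten, target, err)
	}
	return resolved, nil
}

func main() {
	// Constructed input: a temp file opened by this process stands in for the
	// mount target, and our own PID stands in for <targetPID>.
	f, err := os.CreateTemp("", "mount-target")
	if err != nil {
		panic(err)
	}
	defer os.Remove(f.Name())
	defer f.Close()
	target := fmt.Sprintf("/proc/self/fd/%d", f.Fd())
	resolved, err := resolveMountTarget(target, os.Getpid())
	fmt.Println(target, "->", resolved, err)
}
```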