Detach the hostfs version of /sys #183
Conversation
Hi, I can confirm that if I "umount --lazy /var/lib/snapd/hostfs/sys" in there, it fixes subsequent docker runs. NB: Zygmunt considers removing /proc and /dev too, and I can confirm that lazy unmounting /var/lib/snapd/hostfs/dev and /var/lib/snapd/hostfs/proc works there too, and docker keeps working. Cheers,
| @@ -495,6 +495,16 @@ static void sc_bootstrap_mount_namespace(const struct sc_mount_config *config) | ||
| die("cannot perform operation: mount --make-rslave %s", | ||
| SC_HOSTFS_DIR); | ||
| } | ||
| + // Detach the hostfs version of sysfs. Some software may want to inspect | ||
| + // the mount table to look for a particular filesystem. If that said | ||
| + // software unlucklily picks the hostfs "version" of. The prominent example |
jdstrand (Contributor) commented Nov 18, 2016:
Typo: 'unlucklily'. This comment is phrased weird. How about:
// Detach the redundant hostfs version of sysfs since it shows up in the mount
// table and software inspecting the mount table may become confused (eg,
// docker and LP: #162601).
zyga merged commit 0ea07b5 into master on Nov 21, 2016.
1 check passed: continuous-integration/travis-ci/pr (The Travis CI build passed)
zyga deleted the no-2nd-sysfs branch on Nov 23, 2016.
zyga commented Nov 18, 2016:
This patch detaches (aka umount --lazy, or umount2(1) with the MNT_DETACH
flag) the second sysfs that is visible from /var/lib/snapd/hostfs/sys
after the pivot_root call.
This is done so that the hostfs is more empty (the second sysfs is not
really needed, as we can always re-associate with the pid-1 ns to get back
to the outer view) and so that certain applications (cough docker
cough) that actually scan the mount table for sysfs don't find the
wrong one. The "wrong" one works exactly the same as /sys but is denied
by apparmor profiles.
Signed-off-by: Zygmunt Krynicki zygmunt.krynicki@canonical.com