Merge pull request #25575 from giuseppe/test-not-safe-for-parallel

libpod: improve createRootlessContainer
openshift-merge-bot[bot]
2025-03-13 17:35:40 +00:00
committed by GitHub


@ -11,6 +11,7 @@ import (
"path/filepath" "path/filepath"
"runtime" "runtime"
"strings" "strings"
"sync"
runcconfig "github.com/opencontainers/runc/libcontainer/configs" runcconfig "github.com/opencontainers/runc/libcontainer/configs"
"github.com/opencontainers/runc/libcontainer/devices" "github.com/opencontainers/runc/libcontainer/devices"
@ -61,11 +62,17 @@ func (r *ConmonOCIRuntime) createRootlessContainer(ctr *Container, restoreOption
logrus.Errorf("Unable to reset the previous mount namespace: %q", err) logrus.Errorf("Unable to reset the previous mount namespace: %q", err)
} }
}() }()
mounts, err := pmount.GetMounts()
getMounts := sync.OnceValues(pmount.GetMounts)
// bind mount the containers' mount path to the path where the OCI runtime expects it to be
// if the container is already mounted at the expected path, do not cover the mountpoint.
if rootPath != "" && filepath.Clean(ctr.state.Mountpoint) != filepath.Clean(rootPath) {
mounts, err := getMounts()
if err != nil { if err != nil {
return 0, err return 0, err
} }
if rootPath != "" {
byMountpoint := make(map[string]*pmount.Info) byMountpoint := make(map[string]*pmount.Info)
for _, m := range mounts { for _, m := range mounts {
byMountpoint[m.Mountpoint] = m byMountpoint[m.Mountpoint] = m
@ -89,9 +96,6 @@ func (r *ConmonOCIRuntime) createRootlessContainer(ctr *Container, restoreOption
} }
} }
// bind mount the containers' mount path to the path where the OCI runtime expects it to be
// if the container is already mounted at the expected path, do not cover the mountpoint.
if filepath.Clean(ctr.state.Mountpoint) != filepath.Clean(rootPath) {
// do not propagate the bind mount on the parent mount namespace // do not propagate the bind mount on the parent mount namespace
if err := unix.Mount("", parentMount, "", unix.MS_SLAVE, ""); err != nil { if err := unix.Mount("", parentMount, "", unix.MS_SLAVE, ""); err != nil {
return 0, fmt.Errorf("failed to make %s slave: %w", parentMount, err) return 0, fmt.Errorf("failed to make %s slave: %w", parentMount, err)
@ -99,8 +103,6 @@ func (r *ConmonOCIRuntime) createRootlessContainer(ctr *Container, restoreOption
if err := unix.Mount(ctr.state.Mountpoint, rootPath, "", unix.MS_BIND, ""); err != nil { if err := unix.Mount(ctr.state.Mountpoint, rootPath, "", unix.MS_BIND, ""); err != nil {
return 0, fmt.Errorf("failed to bind mount %s to %s: %w", ctr.state.Mountpoint, rootPath, err) return 0, fmt.Errorf("failed to bind mount %s to %s: %w", ctr.state.Mountpoint, rootPath, err)
} }
}
if isShared { if isShared {
// we need to restore the shared propagation of the parent mount so that we don't break -v $SRC:$DST:shared in the container // we need to restore the shared propagation of the parent mount so that we don't break -v $SRC:$DST:shared in the container
// if $SRC is on the same mount as the root path // if $SRC is on the same mount as the root path
@ -118,6 +120,10 @@ func (r *ConmonOCIRuntime) createRootlessContainer(ctr *Container, restoreOption
if err != nil { if err != nil {
return 0, fmt.Errorf("cannot make /sys slave: %w", err) return 0, fmt.Errorf("cannot make /sys slave: %w", err)
} }
mounts, err := getMounts()
if err != nil {
return 0, err
}
for _, m := range mounts { for _, m := range mounts {
if !strings.HasPrefix(m.Mountpoint, "/sys/kernel") { if !strings.HasPrefix(m.Mountpoint, "/sys/kernel") {
continue continue