oci: bind mount /sys with --userns=(auto|pod:)

when using --userns=auto or --userns=pod, we should bind mount /sys from the host instead of creating a new /sys in the container, otherwise we rely on the fallback provided by crun, which might not be available in other runtimes. Also, in the last version of crun the fallback is stricter than it used to be before and it uses a recursive bind mount through the new mount API. That can be missing on old kernel. Closes: https://github.com/containers/crun/issues/1131 [NO NEW TESTS NEEDED] to trigger the failure, we need a specific combination of kernel, libc and OCI runtime. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2025-06-24 11:28:24 +08:00 · 2023-02-03 17:16:19 +01:00
parent 3654a26421
commit aa0d4b2661
1 changed files with 1 additions and 1 deletions
--- a/pkg/specgen/generate/oci_linux.go
+++ b/pkg/specgen/generate/oci_linux.go
@ -83,7 +83,7 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt
 	addCgroup := true

 	isRootless := rootless.IsRootless()
-	isNewUserns := s.UserNS.IsContainer() || s.UserNS.IsPath() || s.UserNS.IsPrivate()
+	isNewUserns := s.UserNS.IsContainer() || s.UserNS.IsPath() || s.UserNS.IsPrivate() || s.UserNS.IsPod() || s.UserNS.IsAuto()

 	canMountSys := canMountSys(isRootless, isNewUserns, s)