From aa0d4b26612f902a299bedf38cc6e1cfc9412ecf Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Fri, 3 Feb 2023 17:16:19 +0100
Subject: [PATCH] oci: bind mount /sys with --userns=(auto|pod:)

when using --userns=auto or --userns=pod, we should bind mount /sys from the host instead of creating a new /sys in the container, otherwise we rely on the fallback provided by crun, which might not be available in other runtimes.

Also, in the last version of crun the fallback is stricter than it used to be before and it uses a recursive bind mount through the new mount API. That can be missing on old kernel.

Closes: https://github.com/containers/crun/issues/1131

[NO NEW TESTS NEEDED] to trigger the failure, we need a specific combination of kernel, libc and OCI runtime.

Signed-off-by: Giuseppe Scrivano
---
 pkg/specgen/generate/oci_linux.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/specgen/generate/oci_linux.go b/pkg/specgen/generate/oci_linux.go
index 2c023a7e16..5be10f5aa2 100644
--- a/pkg/specgen/generate/oci_linux.go
+++ b/pkg/specgen/generate/oci_linux.go
@@ -83,7 +83,7 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt
 	addCgroup := true
 	isRootless := rootless.IsRootless()
-	isNewUserns := s.UserNS.IsContainer() || s.UserNS.IsPath() || s.UserNS.IsPrivate()
+	isNewUserns := s.UserNS.IsContainer() || s.UserNS.IsPath() || s.UserNS.IsPrivate() || s.UserNS.IsPod() || s.UserNS.IsAuto()
 	canMountSys := canMountSys(isRootless, isNewUserns, s)
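Review bot: The widened `isNewUserns` on the added line now counts `--userns=pod` and `--userns=auto` alongside container/path/private, but the code records nothing about why, and the rationale (host /sys must be bind-mounted rather than freshly mounted, so the runtime's fallback is not relied on) lives only in the commit message. Add a comment above the assignment, e.g. `// pod and auto also place the container in a user namespace other than the host's, so /sys is bind-mounted from the host instead of mounted fresh; see canMountSys and containers/crun#1131.` SpecGenToOCI continues outside this hunk, so if `isNewUserns` is read anywhere other than the `canMountSys` call on the next line, the broader definition now applies there as well and is worth confirming, since the commit motivates only the /sys case. A small table test for `canMountSys` covering the pod and auto modes would pin the new behavior without the specific kernel/libc/runtime combination the message says is needed to reproduce the failure.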