diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc3_p53.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc3_p53-r1.ebuild
similarity index 96%
rename from sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc3_p53.ebuild
rename to sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc3_p53-r1.ebuild
index 8daf9c2d3c..0a7f6c700e 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc3_p53.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc3_p53-r1.ebuild
@@ -44,6 +44,7 @@ src_unpack() {
 PATCHES=(
 	"${FILESDIR}/0001-Delay-unshare-of-clone-newipc-for-selinux.patch"
+	"${FILESDIR}/0002-libcontainer-default-mount-propagation-correctly.patch"
 )
 src_compile() {
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0002-libcontainer-default-mount-propagation-correctly.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0002-libcontainer-default-mount-propagation-correctly.patch
new file mode 100644
index 0000000000..c284e9972d
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0002-libcontainer-default-mount-propagation-correctly.patch
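Review bot: The new PATCHES entry pulls in a behavioural change — the patch it names switches the effective rootfsPropagation default from rprivate to rslave for every container whose config leaves the field empty — but the ebuild gives no hint of that, and the -r1 revision is otherwise unexplained. A one-line comment above the new entry, `# "" rootfsPropagation now falls through to prepareRoot's rslave default; see moby/moby#34672`, would record the reason for the revbump where packagers look first. The PATCHES array is fully inside the hunk.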
@@ -0,0 +1,41 @@
+From db55cd4f29298ae08b20f92b8953735723ee2167 Mon Sep 17 00:00:00 2001
+From: Euan Kemp
+Date: Fri, 22 Sep 2017 02:31:17 -0700
+Subject: [PATCH] libcontainer: default mount propagation correctly
+
+The code in prepareRoot (https://github.com/opencontainers/runc/blob/e385f67a0e45fa1d8ef8154e2aea5128ea1d331b/libcontainer/rootfs_linux.go#L599-L605)
+attempts to default the rootfs mount to `rslave`. However, since the spec
+conversion has already defaulted it to `rprivate`, that code doesn't
+actually ever do anything.
+
+This changes the spec conversion code to accept "" and treat it as 0.
+
+Implicitly, this makes rootfs propagation default to `rslave`, which is
+a part of fixing the moby bug https://github.com/moby/moby/issues/34672
+
+Alternate implementatoins include changing this defaulting to be
+`rslave` and removing the defaulting code in prepareRoot, or skipping
+the mapping entirely for "", but I think this change is the cleanest of
+those options.
+
+Signed-off-by: Euan Kemp
+---
+ libcontainer/specconv/spec_linux.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go
+index 1575ae03..8a2947f6 100644
+--- a/libcontainer/specconv/spec_linux.go
++++ b/libcontainer/specconv/spec_linux.go
+@@ -36,7 +36,7 @@ var mountPropagationMapping = map[string]int{
+ 	"slave": syscall.MS_SLAVE,
+ 	"rshared": syscall.MS_SHARED | syscall.MS_REC,
+ 	"shared": syscall.MS_SHARED,
+-	"": syscall.MS_PRIVATE | syscall.MS_REC,
++	"": 0,
+ }
+ 
+ var allowedDevices = []*configs.Device{
+--
+2.13.5
+
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild
index 1e6c7b4f8e..bc05b480d6 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild
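Review bot: The new `"": 0` entry in mountPropagationMapping makes an omitted rootfsPropagation indistinguishable from "no flags" and relies on prepareRoot, which is outside this hunk, to turn that 0 into rslave, yet nothing at the map records that contract. A comment on the line, `"": 0, // unset: prepareRoot applies its MS_SLAVE|MS_REC default`, would keep the two halves of the defaulting from drifting apart if either side is edited later. Operationally this flips the effective default for every container that leaves the field empty from rprivate to rslave, so mounts made on the host after the container starts presumably propagate into its rootfs mount tree where rprivate kept them out; deployments that relied on the old default should be told in the commit message or ebuild. The `var mountPropagationMapping` literal begins before this hunk.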
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild
@@ -65,7 +65,7 @@ RDEPEND="
 	>=app-arch/xz-utils-4.9
 	=app-emulation/containerd-0.2.9_p7[seccomp?]
-	=app-emulation/docker-runc-1.0.0_rc3_p53[apparmor?,seccomp?]
+	=app-emulation/docker-runc-1.0.0_rc3_p53-r1[apparmor?,seccomp?]
 	app-emulation/docker-proxy
 	container-init? ( >=sys-process/tini-0.13.1 )
 "