app-emulation/runc: apply mount propagation patch
Upstream as https://github.com/opencontainers/runc/pull/1598. See the discussion there and in the linked issues for the full details.
parent
8e5538bab8
commit
6edec6a89c
@ -44,6 +44,7 @@ src_unpack() {
|
|||||||
|
|
||||||
PATCHES=(
|
PATCHES=(
|
||||||
"${FILESDIR}/0001-Delay-unshare-of-clone-newipc-for-selinux.patch"
|
"${FILESDIR}/0001-Delay-unshare-of-clone-newipc-for-selinux.patch"
|
||||||
|
"${FILESDIR}/0002-libcontainer-default-mount-propagation-correctly.patch"
|
||||||
)
|
)
|
||||||
|
|
||||||
src_compile() {
|
src_compile() {
|
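Review bot: The added `"${FILESDIR}/0002-libcontainer-default-mount-propagation-correctly.patch"` entry changes runtime behaviour of the built runc (the default rootfs mount propagation, per the patch's own description), yet no revision bump of this ebuild is visible in the hunk, while the docker ebuild section further down now requires `docker-runc-1.0.0_rc3_p53-r1`. If the `-r1` rename is not elsewhere in this commit, that dependency is unsatisfiable and already-installed runc packages will not be rebuilt with the patch; I cannot confirm either way from what is shown. A one-line comment above the new entry, `# 0002: default rootfsPropagation to rslave instead of rprivate (upstream runc PR 1598)`, would record why the patch is carried, since the PATCHES array otherwise gives no hint that this one alters behaviour rather than fixing a build issue.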
@ -0,0 +1,41 @@
|
|||||||
|
From db55cd4f29298ae08b20f92b8953735723ee2167 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Euan Kemp <euan.kemp@coreos.com>
|
||||||
|
Date: Fri, 22 Sep 2017 02:31:17 -0700
|
||||||
|
Subject: [PATCH] libcontainer: default mount propagation correctly
|
||||||
|
|
||||||
|
The code in prepareRoot (https://github.com/opencontainers/runc/blob/e385f67a0e45fa1d8ef8154e2aea5128ea1d331b/libcontainer/rootfs_linux.go#L599-L605)
|
||||||
|
attempts to default the rootfs mount to `rslave`. However, since the spec
|
||||||
|
conversion has already defaulted it to `rprivate`, that code doesn't
|
||||||
|
actually ever do anything.
|
||||||
|
|
||||||
|
This changes the spec conversion code to accept "" and treat it as 0.
|
||||||
|
|
||||||
|
Implicitly, this makes rootfs propagation default to `rslave`, which is
|
||||||
|
a part of fixing the moby bug https://github.com/moby/moby/issues/34672
|
||||||
|
|
||||||
|
Alternate implementatoins include changing this defaulting to be
|
||||||
|
`rslave` and removing the defaulting code in prepareRoot, or skipping
|
||||||
|
the mapping entirely for "", but I think this change is the cleanest of
|
||||||
|
those options.
|
||||||
|
|
||||||
|
Signed-off-by: Euan Kemp <euan.kemp@coreos.com>
|
||||||
|
---
|
||||||
|
libcontainer/specconv/spec_linux.go | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go
|
||||||
|
index 1575ae03..8a2947f6 100644
|
||||||
|
--- a/libcontainer/specconv/spec_linux.go
|
||||||
|
+++ b/libcontainer/specconv/spec_linux.go
|
||||||
|
@@ -36,7 +36,7 @@ var mountPropagationMapping = map[string]int{
|
||||||
|
"slave": syscall.MS_SLAVE,
|
||||||
|
"rshared": syscall.MS_SHARED | syscall.MS_REC,
|
||||||
|
"shared": syscall.MS_SHARED,
|
||||||
|
- "": syscall.MS_PRIVATE | syscall.MS_REC,
|
||||||
|
+ "": 0,
|
||||||
|
}
|
||||||
|
|
||||||
|
var allowedDevices = []*configs.Device{
|
||||||
|
--
|
||||||
|
2.13.5
|
||||||
|
|
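Review bot: The new `"": 0` entry makes an unset `rootfsPropagation` yield no propagation flags at this layer, so the effective default becomes whatever prepareRoot substitutes for 0 — `rslave` according to the patch description — and that default is no longer discoverable by reading this map. A comment on the new line, `"": 0, // unset: leave to prepareRoot, which defaults the rootfs to rslave`, would keep the two halves of the defaulting logic tied together, and the ebuild carrying this patch should be checked against the prepareRoot code of the exact runc revision it builds, because the patch only touches specconv and silently depends on that other file (the description cites a fixed upstream commit for it). Operationally the move from rprivate to rslave means mount and unmount events on the host now propagate into every container that does not set `rootfsPropagation` explicitly; slave propagation is one-way, so container mounts still do not reach the host, but deployments that relied on containers being isolated from new host mounts should treat this as a deliberate default change and, if needed, pin `rootfsPropagation` in their runtime configuration. The map's declaration starts before the hunk.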
@ -65,7 +65,7 @@ RDEPEND="
|
|||||||
>=app-arch/xz-utils-4.9
|
>=app-arch/xz-utils-4.9
|
||||||
|
|
||||||
=app-emulation/containerd-0.2.9_p7[seccomp?]
|
=app-emulation/containerd-0.2.9_p7[seccomp?]
|
||||||
=app-emulation/docker-runc-1.0.0_rc3_p53[apparmor?,seccomp?]
|
=app-emulation/docker-runc-1.0.0_rc3_p53-r1[apparmor?,seccomp?]
|
||||||
app-emulation/docker-proxy
|
app-emulation/docker-proxy
|
||||||
container-init? ( >=sys-process/tini-0.13.1 )
|
container-init? ( >=sys-process/tini-0.13.1 )
|
||||||
"
|
"
|
||||||
|