Revert "Bindmount the sysfs into our root_dir" #97
Conversation
It turns out that we can't bindmount `sysfs` if we're using the unprivileged executor, which is our favorite executor to use. X-ref: nestybox/sysbox#67 (comment) This reverts commit a58ccf0.
@DilumAluthge @Keno I just pushed through a new version of UserNSSandbox_jll and found that this commit broke our ability to use unprivileged user namespaces. Apparently the Linux kernel puts restrictions on who can mount
This version introduced a bug for some important users, let's yank it. X-ref: staticfloat/Sandbox.jl#97
Hmm, but that's about mounting the sysfs directly. Here we're just bindmounting, which should always be allowed.
Okay, you prompted me to look a bit deeper:
So it looks like the first mount passes, but when we try to remount, it fails. I guess that's not surprising since we're asking for things like
I suspect you are correct that the issue is MS_NODEV. Try dropping that: https://github.com/torvalds/linux/blob/952923ddc01120190dcf671e7b354364ce1d1362/fs/namespace.c#L2569-L2571
We need MS_NODEV, because that code path prevents us from clearing it on remount. In addition, we need to preserve
Ah, good catch.
I'll have a look at fixing this, by parsing procfs (fdinfo and mountinfo) according to that TODO. |
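One way to do what the last comment proposes, as an added example that is not code from Sandbox.jl, UserNSSandbox_jll or the kernel: it parses /proc/self/mountinfo (here a constructed sample), computes bind-remount flags that re-apply every option the kernel may have locked on the target, and flags a remount that would drop one, such as the MS_NODEV case discussed above. The flag values are the uapi constants; treating every such option as locked is a conservative assumption, since mountinfo does not expose the MNT_LOCK_* state.

```python
import re
# mount(2) flag bits from <linux/mount.h> (uapi)
MS_RDONLY, MS_NOSUID, MS_NODEV, MS_NOEXEC = 0x1, 0x2, 0x4, 0x8
MS_REMOUNT, MS_NOATIME, MS_NODIRATIME, MS_BIND = 0x20, 0x400, 0x800, 0x1000

# mountinfo option -> flag. An unprivileged user namespace may not clear any
# of these on a mount the kernel has locked (MNT_LOCK_* in fs/namespace.c), so
# a remount must carry them over or fail with EPERM. "relatime" is left out:
# it is the default when neither noatime nor strictatime is requested.
LOCKABLE = {"ro": MS_RDONLY, "nosuid": MS_NOSUID, "nodev": MS_NODEV,
            "noexec": MS_NOEXEC, "noatime": MS_NOATIME,
            "nodiratime": MS_NODIRATIME}

def _unescape(field):
    """mountinfo escapes space, tab, newline and backslash as octal (\\040)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mountinfo(text):
    """Map mount point -> {opts, fstype} from /proc/self/mountinfo text."""
    mounts = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or "-" not in f:      # malformed or truncated line
            continue
        sep = f.index("-")                  # separator before fstype/source
        mounts[_unescape(f[4])] = {"opts": set(f[5].split(",")),
                                  "fstype": f[sep + 1]}
    return mounts

def remount_flags(mountinfo_text, target, wanted=0):
    """Flags for mount(NULL, target, NULL, flags, NULL): a bind remount that
    re-applies every lockable option already on `target`, plus `wanted`."""
    opts = parse_mountinfo(mountinfo_text)[target]["opts"]
    kept = 0
    for opt in opts:
        kept |= LOCKABLE.get(opt, 0)
    return MS_REMOUNT | MS_BIND | kept | wanted

def clears_locked(mountinfo_text, target, requested):
    """True when `requested` drops an option on `target` that may be locked,
    i.e. the remount the kernel rejects inside an unprivileged namespace."""
    opts = parse_mountinfo(mountinfo_text)[target]["opts"]
    return any(o in opts and not requested & b for o, b in LOCKABLE.items())

# Constructed sample: host /sys plus a bind mount of it inside a sandbox root.
SAMPLE = """\
41 22 0:19 / /sys rw,nosuid,nodev,noexec,relatime shared:2 - sysfs sysfs rw
217 216 0:19 / /tmp/root\\040dir/sys rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw
"""
```

With the sample, `remount_flags(SAMPLE, "/tmp/root dir/sys")` keeps nosuid, nodev and noexec, while a request that omits MS_NODEV is reported by `clears_locked`.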
Yank bad UserNSSandbox_jll version This version introduced a bug for some important users, let's yank it. X-ref: staticfloat/Sandbox.jl#97 Co-authored-by: Dilum Aluthge <dilum@aluthge.com>