rootless: exec join the user+mount namespace #2569
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: giuseppe
The full list of commands accepted by this bot can be found here. The pull request process is described here
/retest
70ef3f1 to b28bc9b
LGTM
LGTM
it is not enough to join the user namespace where the container is
running. We also need to join the mount namespace so that we can
correctly look-up inside of the container rootfs. This is necessary
to lookup the mounted /etc/passwd file when --user is specified.
Closes: containers#2566
Signed-off-by: Giuseppe Scrivano <[email protected]>
626bff1 to 6017641
continue | ||
} | ||
return false, -1, errors.Errorf("dependency container %s is not running", ctr.ID()) | ||
conmonPid, err := strconv.Atoi(string(data)) |
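Review bot: The `conmonPid, err := strconv.Atoi(string(data))` line at the end of this hunk parses a PID from raw bytes, and nothing visible here validates the result. Check `err` immediately after it and reject a value that is not positive before it is used as a join target, so a bad or empty read fails as clearly as the "is not running" return above it. If `data` can carry a trailing newline, trim it first, since Atoi returns an error on surrounding whitespace.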
Did we drop the pod == 0 check here, or is it handled in JoinDirectUserAndMountNS()?
It should fail as it is not running, but I am going to add it again as it is clearer to understand.
Thanks for catching it.
/retest
when we are creating a container that depends on another one, be sure
we also join its mount namespace in addition to the user namespace.
Closes: containers#2556
Signed-off-by: Giuseppe Scrivano <[email protected]>
6017641 to 081291c
/lgtm
Sorry if this is the wrong place to ask, but is there a release schedule? I presume when everything in https://github.com/containers/libpod/pulls?q=is%3Apr+is%3Aopen+label%3A%22Release+Notes+1.2.0%22 is merged, this will make it into a release?
@MarcoFalke no explicit schedule so far, aside from a general goal of making at least one release a month. I think we're looking to cut a 1.2 late next week or early the week after, once we land some more work from @baude related to healthchecks
@MarcoFalke We usually release when major next features get to complete. Or when there are enough bug fixes to warrant it. Usually no less than every other month. But we don't have a schedule.
This might have caused #2673
it is not enough to join the user namespace where the container is
running. We also need to join the mount namespace so that we can
correctly look-up inside of the container rootfs. This is necessary
to lookup the mounted /etc/passwd file when --user is specified.
Closes: #2566
Signed-off-by: Giuseppe Scrivano [email protected]