[20.10 backport] containerd fixes for BuildKit #2
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
When running tests on any modern distro, this assumption will work. If we need to make it work with kernels where we don't append this option it will require some more involved changes. Signed-off-by: Phil Estes <[email protected]> (cherry picked from commit 85d9fe3e8ce823894fc47122f46da0dfabd9c657) Signed-off-by: Sebastiaan van Stijn <[email protected]>
The "userxattr" option is needed for mounting overlayfs inside a user namespace with kernel >= 5.11. The "userxattr" option is NOT needed for the initial user namespace (aka "the host"). Also, Ubuntu (since circa 2015) and Debian (since 10) with kernel < 5.11 can mount the overlayfs in a user namespace without the "userxattr" option. The corresponding kernel commit: 2d2f2d7322ff43e0fe92bf8cccdc0b09449bf2e1 > ovl: user xattr > > Optionally allow using "user.overlay." namespace instead of "trusted.overlay." > ... > Disable redirect_dir and metacopy options, because these would allow privilege escalation through direct manipulation of the > "user.overlay.redirect" or "user.overlay.metacopy" xattrs. Fix issue 5060 Signed-off-by: Akihiro Suda <[email protected]> (cherry picked from commit 9ade247b38b5a685244e1391c86ff41ab109556e) Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Tonis Tiigi <[email protected]> (cherry picked from commit bf323c5bdd5c9bdd2f957e03c4cdaa43e4c1c5a6) Signed-off-by: Sebastiaan van Stijn <[email protected]>
|
@AkihiroSuda @tonistiigi PTAL (I'll vendor this into the 20.10 branch in moby if this looks good) |
AkihiroSuda
approved these changes
Sep 1, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This applies the same fixes that were vendored in BuildKit through moby/buildkit@2617f12 (moby/buildkit#2014). At the time we didn't want to vendor from a fork in Moby, but now that we already have a fork in place, we may as well backport these fixes.
Relates to:
Invalid cross-device linkcontainerd/containerd#5060Invalid cross-device linkmoby#42055Applying the changes that were added to Akihiro's fork;
containerd/containerd@0edc412...AkihiroSuda:containerd:48f85a131bb8bb114f486f40cebfe1ba2fef653c
Backports: