Add MS_BIND|MS_REC to the mount of /proc
#17574
Conversation
Despite the usual meanings of these flags, this isn't actually a bind mount for `proc`, which doesn't appear to be documented anywhere. Otherwise it fails if there are any other mounts under the host `/proc`. I think this is due to the behavior documented on the `mount(2)` manpage for bind mounting: > EINVAL In an unprivileged mount namespace (i.e., a mount namespace > owned by a user namespace that was created by an unprivileged user), a > bind mount operation (MS_BIND) was attempted without specifying > (MS_REC), which would have revealed the filesystem tree underneath > one of the submounts of the directory being bound. I ended up in this scenario with docker and `--gpus all` (with some additional flags to make it work even without the `--gpus all`).
sgowroji
added
team-Local-Exec
|
Hi @bsilver8192, Can you please fix the above buildkite errors. Thanks! |
|
For anybody else from the future: if your container is privileged, Looks like there's ongoing kernel-side work for a " The tests fail because I completely broke it, and there's no way to do what I was hoping for. My comments in the code about this not being a bind mount are wrong, it's a bind mount so it exposes host PIDs and that breaks stuff. I can work around this by mounting a fully-unmasked |
Despite the usual meanings of these flags, this isn't actually a bind mount forEDIT: This is wrong, it is a bind mount, which means this doesn't work.proc, which doesn't appear to be documented anywhere.Otherwise it fails if there are any other mounts under the host
/proc. I think this is due to the behavior documented on themount(2)manpage for bind mounting:I ended up in this scenario with docker and
--gpus all(with some additional flags to make it work even without the--gpus all).