specgen: improve heuristic for /sys bind mount #8949
Conversation
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: giuseppe. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
FYI, our upstream CI did not catch any of these - it was the RHEL8 test suite that @edsantiago maintains.
I see, the CI completed successfully. @edsantiago please let me know if there is any reproducer I can use.
@giuseppe I think this is the one where rootless podman failed almost every test with:
Look in your aos-containers-internal mail archives for my email of 2020-11-05, subject "podman gating tests again", for a link to a log file.
b8288c1 to 581ba43
I am not really sure how to solve this issue correctly. The previous check was an obvious one as a bind mount is used with If we want it to work in all the cases though we'd have to check whether the target network namespace is owned by the target user namespace. The check is running too early (at I think crun does it correctly as it tries to mount sysfs and if it fails then it falls back to a bind mount, so the container engine doesn't have to worry about detecting this case earlier. I wonder if we should add a new
I think that seems like a sane solution. Can we also fix
@kolyshkin do you think it is something runc could do?
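The try-sysfs-first-then-bind-mount strategy described in the comment above, as an added Go example (not Podman's, crun's or runc's own code): the kernel refuses a fresh sysfs mount inside a user namespace that does not own the caller's network namespace with EPERM, so instead of predicting namespace ownership early in specgen, the runtime attempts the real mount and falls back to a read-only recursive bind mount of the host's /sys only when that refusal happens. The names `mountFn`, `MountSys`, `SysMountResult` and `FakeMounter` are assumptions of this example; the real mount function is `syscall.Mount`, and `FakeMounter` only exists so the decision logic can be exercised without privileges.

```go
package main

import (
	"errors"
	"fmt"
	"syscall"
)

// mountFn has the same signature as syscall.Mount so production code can
// pass syscall.Mount directly, while tests can inject a fake.
type mountFn func(source, target, fstype string, flags uintptr, data string) error

// SysMountResult records which strategy succeeded for /sys.
type SysMountResult struct {
	UsedBindMount bool
}

// MountSys tries a fresh sysfs mount first. The kernel only allows that in a
// user namespace which owns the calling process's network namespace; in the
// rootless "private userns, host or shared netns" case it fails with EPERM.
// On EPERM/EACCES we fall back to a recursive bind mount of the host's /sys,
// then remount it read-only (mount flags on a bind mount only take effect
// through a second MS_REMOUNT|MS_BIND call). Any other error is propagated.
func MountSys(mount mountFn, target string) (SysMountResult, error) {
	sysfsFlags := uintptr(syscall.MS_NOSUID | syscall.MS_NOEXEC | syscall.MS_NODEV | syscall.MS_RDONLY)
	err := mount("sysfs", target, "sysfs", sysfsFlags, "")
	if err == nil {
		return SysMountResult{UsedBindMount: false}, nil
	}
	if !errors.Is(err, syscall.EPERM) && !errors.Is(err, syscall.EACCES) {
		return SysMountResult{}, fmt.Errorf("mount sysfs on %s: %w", target, err)
	}

	bindFlags := uintptr(syscall.MS_BIND | syscall.MS_REC)
	if err := mount("/sys", target, "", bindFlags, ""); err != nil {
		return SysMountResult{}, fmt.Errorf("bind mount /sys on %s: %w", target, err)
	}
	roFlags := uintptr(syscall.MS_BIND | syscall.MS_REMOUNT | syscall.MS_RDONLY |
		syscall.MS_NOSUID | syscall.MS_NOEXEC | syscall.MS_NODEV)
	if err := mount("", target, "", roFlags, ""); err != nil {
		return SysMountResult{}, fmt.Errorf("remount %s read-only: %w", target, err)
	}
	return SysMountResult{UsedBindMount: true}, nil
}

// FakeMounter is a constructed stand-in for the kernel: SysfsErr is what a
// fresh sysfs mount returns (nil = allowed, syscall.EPERM = the rootless
// refusal), bind mounts always succeed, and every call is recorded.
type FakeMounter struct {
	SysfsErr error
	Calls    []string
}

func (f *FakeMounter) Mount(source, target, fstype string, flags uintptr, data string) error {
	f.Calls = append(f.Calls, fmt.Sprintf("%s -> %s type=%q flags=%#x", source, target, fstype, flags))
	if fstype == "sysfs" && f.SysfsErr != nil {
		return f.SysfsErr
	}
	return nil
}

func main() {
	for _, sysfsErr := range []error{nil, syscall.EPERM} {
		fm := &FakeMounter{SysfsErr: sysfsErr}
		res, err := MountSys(fm.Mount, "/sys")
		fmt.Printf("sysfs error=%v -> bind=%v err=%v calls=%d\n", sysfsErr, res.UsedBindMount, err, len(fm.Calls))
	}
	// Real use inside a new mount namespace with CAP_SYS_ADMIN there:
	//   MountSys(syscall.Mount, "/sys")
}
```

The point for an engine like Podman is that the decision is made by the kernel at mount time, with the actual namespaces in place, rather than by a heuristic in specgen that has to guess whether the network namespace will be owned by the container's user namespace.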
581ba43 to 4c84dd8
Deadline for 3.0 is tomorrow, so we don't have long for that, unfortunately.
Though, since this is a bugfix, we can probably get it in later, as long as it's before the final release.
partially revert 95c4577

restrict the cases where /sys is bind mounted from the host.

The heuristic doesn't detect all the cases where the bind mount is not necessary, but it is an improvement on the previous version where /sys was always bind mounted for rootless containers unless --net none was specified.

Signed-off-by: Giuseppe Scrivano <[email protected]>
4c84dd8 to 2c328a4
I am afraid this could introduce some regressions on RHEL and runc; we can deal with it later and tune the heuristic better.
/lgtm
- stop: test --all and --ignore (containers#9051)
- build: test /run/secrets (containers#8679, but see below)
- sensitive mount points: deal with 'stat' failures
- selinux: confirm useful diagnostics on unknown labels (containers#8946)

The 'build' test is intended as a fix for containers#8679, in which 'podman build' does not mount secrets from mounts.conf. Unfortunately, as of this writing, 'podman build' does not pass the --default-mounts-file option to buildah, so there's no reasonable way to test this path. Still, we can at least confirm /run/secrets on 'podman run'.

The /sys thing is related to containers#8949: RHEL8, rootless, cgroups v1. It's just a workaround to get gating tests to pass on RHEL.

Signed-off-by: Ed Santiago <[email protected]>