Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

idmapped mounts: should they be applied recursively? #1216

Closed
cyphar opened this issue Aug 5, 2023 · 0 comments · Fixed by #1222
Closed

idmapped mounts: should they be applied recursively? #1216

cyphar opened this issue Aug 5, 2023 · 0 comments · Fixed by #1222
Milestone
v1.2.0

Comments

@cyphar
Copy link
Member

cyphar commented Aug 5, 2023

The current text for idmapped mounts doesn't specify whether the attributes should be applied recursively or not (AT_RECURSIVE). At the moment, runc never passes AT_RECURSIVE. The two options I can see are:

  • Make rbind imply that the attribute should be recursive, since that's the only case where AT_RECURSIVE is necessary. (This would imply that it's always recursive.) The main downside is that a user wouldn't be able to opt-out of it, and runc's current behaviour would be spec in-compliant. But I suspect this is what most users would expect.
  • Make it configurable with a new mount option (ridmap, maybe) which can only be set if you have the uidMappings and gidMappings options enabled. The main downside is that the current rbind (which is counter-intuitive imho) would remain, but that would avoid any possible backwards-compatibility issues with runtime-spec 1.1.0.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v1.2.0
Development

Successfully merging a pull request may close this issue.

config: add idmap and ridmap mount options cyphar/runtime-spec
1 participant
@cyphar