oci: bind mount /sys with --userns=(auto|pod:)

when using --userns=auto or --userns=pod, we should bind mount /sys from the host instead of creating a new /sys in the container, otherwise we rely on the fallback provided by crun, which might not be available in other runtimes. Also, in the last version of crun the fallback is stricter than it used to be before and it uses a recursive bind mount through the new mount API. That can be missing on old kernel. Closes: containers/crun#1131 [NO NEW TESTS NEEDED] to trigger the failure, we need a specific combination of kernel, libc and OCI runtime. Signed-off-by: Giuseppe Scrivano <[email protected]>
openshift-cherrypick-robot · Feb 7, 2023 · 1d76a16 · 1d76a16
1 parent 7378b75
commit 1d76a16
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/pkg/specgen/generate/oci_linux.go b/pkg/specgen/generate/oci_linux.go
@@ -83,7 +83,7 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt
 	addCgroup := true
 
 	isRootless := rootless.IsRootless()
-	isNewUserns := s.UserNS.IsContainer() || s.UserNS.IsPath() || s.UserNS.IsPrivate()
+	isNewUserns := s.UserNS.IsContainer() || s.UserNS.IsPath() || s.UserNS.IsPrivate() || s.UserNS.IsPod() || s.UserNS.IsAuto()
 
 	canMountSys := canMountSys(isRootless, isNewUserns, s)