Commits on Oct 3, 2024

1. [1.1] runc run: fix mount leak …

   When preparing to mount container root, we need to make its parent mount
   private (i.e. disable propagation), otherwise the new in-container
   mounts are leaked to the host.
   
   To find a parent mount, we use to read mountinfo and find the longest
   entry which can be a parent of the container root directory.
   
   Unfortunately, due to kernel bug in all Linux kernels older than v5.8
   (see [1], [2]), sometimes mountinfo can't be read in its entirety. In
   this case, getParentMount may occasionally return a wrong parent mount.
   
   As a result, we do not change the mount propagation to private, and
   container mounts are leaked.
   
   Alas, we can not fix the kernel, and reading mountinfo a few times to
   ensure its consistency (like it's done in, say, Kubernetes) does not
   look like a good solution for performance reasons.
   
   Fortunately, we don't need mountinfo. Let's just traverse the directory
   tree, trying to remount it private until we find a mount point (any
   error other than EINVAL means we just found it).
   
   Fixes issue 2404.
   
   [1]: https://github.com/kolyshkin/procfs-test
   [2]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9f6c61f96f2d97cbb5f
   Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
   (cherry picked from commit 13a6f56)
   Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

   

   kolyshkin committed Oct 3, 2024
   Configuration menu

   • View commit details
   • Copy full SHA for 65aa700
   • Browse repository at this point

   Copy the full SHA

   65aa700 View commit details

   Browse the repository at this point in the history