github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

CRI: change the /dev/shm mount options in Sandbox.

Browse Source 
All containers except the pause container, mount `/dev/shm" with flags
`nosuid,nodev,noexec`. So change mount options for pause container to
keep consistence.
This also helps to solve issues of failing to mount `/dev/shm` when
pod/container level user namespace is enabled.

Fixes: #6911

Signed-off-by: Jiang Liu <gerry@linux.alibaba.com>
Signed-off-by: Lei Wang <wllenyj@linux.alibaba.com>
This commit is contained in:
wllenyj 2022-05-10 01:11:23 +08:00
parent a62a95789c
commit 42a386c816
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
pkg/cri/server/sandbox_run_linux.go
View File

@ -103,12 +103,15 @@ func (c *criService) sandboxContainerSpec(id string, config *runtime.PodSandboxC
} }
// Remove the default /dev/shm mount from defaultMounts, it is added in oci/mounts.go. // Remove the default /dev/shm mount from defaultMounts, it is added in oci/mounts.go.
specOpts = append(specOpts, oci.WithoutMounts(devShm)) specOpts = append(specOpts, oci.WithoutMounts(devShm))
// In future the when user-namespace is enabled, the `nosuid, nodev, noexec` flags are
// required, otherwise the remount will fail with EPERM. Just use them unconditionally,
// they are nice to have anyways.
specOpts = append(specOpts, oci.WithMounts([]runtimespec.Mount{ specOpts = append(specOpts, oci.WithMounts([]runtimespec.Mount{
{ {
Source: sandboxDevShm, Source: sandboxDevShm,
Destination: devShm, Destination: devShm,
Type: "bind", Type: "bind",
Options: []string{"rbind", "ro"}, Options: []string{"rbind", "ro", "nosuid", "nodev", "noexec"},
}, },
// Add resolv.conf for katacontainers to setup the DNS of pod VM properly. // Add resolv.conf for katacontainers to setup the DNS of pod VM properly.
{ {