git.ipfire.org Git - thirdparty/systemd.git/commit

nspawn: mount temporary visible procfs and sysfs instance

In order to mount procfs and sysfs in an unprivileged container the
kernel requires that a fully visible instance is already present in the
target mount namespace. Mount one here so the inner child can mount its
own instances. Later we umount the temporary instances created here
before we actually exec the payload. Since the rootfs is shared the
umount will propagate into the container. Note, the inner child wouldn't
be able to unmount the instances on its own since it doesn't own the
originating mount namespace. IOW, the outer child needs to do this.

So far nspawn didn't run into this issue because it used MS_MOVE which
meant that the shadow mount tree pinned a procfs and sysfs instance
which the kernel would find. The shadow mount tree is gone with proper
pivot_root() semantics.

Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org>

author	Christian Brauner <brauner@kernel.org>
	Mon, 28 Nov 2022 11:36:47 +0000 (12:36 +0100)
committer	Christian Brauner (Microsoft) <brauner@kernel.org>
	Mon, 5 Dec 2022 17:34:25 +0000 (18:34 +0100)
commit	b71a0192c040f585397cfc6fc2ca025bf839733d
tree	0c880be80f885c92d71ee05383b9656ad626c550	tree \| snapshot
parent	57c10a5650f6bb7180f3bec31a3f24239a81be39	commit \| diff

src/nspawn/nspawn-mount.c		diff \| blob \| blame \| history
src/nspawn/nspawn-mount.h		diff \| blob \| blame \| history
src/nspawn/nspawn.c		diff \| blob \| blame \| history