Today the way UDS mounts are done has several problems:

1. They're done before the other container mounts are set up, so it risks them getting shadowed.
2. They're not done in the container's namespaces, so they have a chance to follow a symlink to the VM's rootfs somewhere (`/container/rootfs/var/run -> /run` in the root of the VM).

This change modifies the logic to set up UDS mounts in a temporary holding place first, and then bind them into place so that they're done at the same time as the other container mounts.

One extra thing this change does is get rid of the runtime support for UDS mounts. This was originally exposed as I wasn't sure if the container UDS -> host UDS flow would work otherwise, but this works fine today, and we lose the ability to do the runtime mounts in the container's ns.
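Editor's note, added example (not code from this PR or its project): the second problem above is that a path joined lexically onto the container rootfs, such as `rootfs/var/run/agent.sock`, is handed to the host kernel, which follows the `var/run -> /run` link to the VM's own `/run`. The sketch below shows the "secure join" style resolution that avoids that: symlinks are read with `Lstat`/`Readlink` and re-spliced into the input, absolute targets are re-rooted at the rootfs, `..` is clamped at the rootfs, and not-yet-existing components are kept lexically so the result is still usable as a mount target. Go, the function names `SecureJoin` and `BuildDemoRootfs`, the constructed rootfs layout and the 255 link limit are all assumptions of this example, not the project's.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// maxSymlinkFollows bounds link chasing so a self-referential link cannot
// spin the resolver forever (assumed limit, not taken from the project).
const maxSymlinkFollows = 255

// SecureJoin resolves unsafePath inside root as if root were "/": absolute
// symlink targets are re-rooted at root, ".." never climbs above root, and
// components that do not exist yet are kept lexically so the result can be
// used as a mount target that is created afterwards.
func SecureJoin(root, unsafePath string) (string, error) {
	root, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	// resolved is the checked prefix with a leading "/" standing for root;
	// filepath.Dir("/") == "/" gives us the ".." clamp for free.
	resolved := string(filepath.Separator)
	remaining := unsafePath
	follows := 0

	for remaining != "" {
		var part string
		if i := strings.IndexRune(remaining, filepath.Separator); i >= 0 {
			part, remaining = remaining[:i], remaining[i+1:]
		} else {
			part, remaining = remaining, ""
		}
		switch part {
		case "", ".":
			continue
		case "..":
			resolved = filepath.Dir(resolved)
			continue
		}

		candidate := filepath.Join(resolved, part)
		fi, err := os.Lstat(filepath.Join(root, candidate))
		switch {
		case errors.Is(err, os.ErrNotExist):
			resolved = candidate // nothing on disk yet: keep it lexically
			continue
		case err != nil:
			return "", err
		case fi.Mode()&os.ModeSymlink == 0:
			resolved = candidate // plain file or dir, safe to descend
			continue
		}

		// Symlink: splice its target back into the unread input instead of
		// letting the host kernel decide where it points.
		follows++
		if follows > maxSymlinkFollows {
			return "", fmt.Errorf("too many symlinks resolving %q", unsafePath)
		}
		target, err := os.Readlink(filepath.Join(root, candidate))
		if err != nil {
			return "", err
		}
		if filepath.IsAbs(target) {
			resolved = string(filepath.Separator) // "/" is root, not the host's /
		}
		if remaining != "" {
			remaining = target + string(filepath.Separator) + remaining
		} else {
			remaining = target
		}
	}
	return filepath.Join(root, resolved), nil
}

// BuildDemoRootfs lays out a constructed rootfs under dir: var/run -> /run
// (absolute, the shape from the description), a relative link that goes
// through it, and a self-referential link to exercise the loop guard.
func BuildDemoRootfs(dir string) error {
	for _, d := range []string{"run", "var", "srv", "etc"} {
		if err := os.MkdirAll(filepath.Join(dir, d), 0o755); err != nil {
			return err
		}
	}
	links := map[string]string{"var/run": "/run", "srv/sockets": "../var/run", "loop": "loop"}
	for name, target := range links {
		if err := os.Symlink(target, filepath.Join(dir, name)); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	root, err := os.MkdirTemp("", "rootfs-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	if err := BuildDemoRootfs(root); err != nil {
		panic(err)
	}
	for _, p := range []string{"/var/run/agent.sock", "srv/sockets/agent.sock", "../../etc/passwd"} {
		safe, err := SecureJoin(root, p)
		fmt.Printf("%-24s naive=%s\n%-24s secure=%s err=%v\n", p, filepath.Join(root, p), "", safe, err)
	}
	_, err = SecureJoin(root, "loop/agent.sock")
	fmt.Println("loop:", err)
}
```

Running it prints the naive `filepath.Join` result next to the secure one: the naive path for `/var/run/agent.sock` goes through the `/run` link when the host later opens or mounts it, and `../../etc/passwd` simply leaves the rootfs, while `SecureJoin` lands both under `root/run` and `root/etc`. Note that this resolves symlinks at join time; if the container can still swap a path component between this check and the actual mount, the mount itself would additionally have to be performed inside the container's mount namespace, as the description proposes.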
We still need a "secure join" style mount that resolves symlinks to the container's rootfs and not to their actual absolute path.
Closes #256