Fix for host mount ns containers#3996
Merged
lifubang merged 2 commits intoopencontainers:mainfrom Aug 29, 2023
Merged
Conversation
This comment was marked as outdated.
This comment was marked as outdated.
Contributor
Author
|
OK I think I have a test case now. Let's see if it works in CI. |
kolyshkin
force-pushed
the
double-hooks
branch
2 times, most recently
from
d96e8f9 to
c7bab9e
Compare
If the container does not have own mount namespace configured (i.e. it shares the mount namespace with the host), its "prestart" (obsoleted) and "createRuntime" hooks are called twice, and its cgroups and Intel RDT settings are also applied twice. The code being removed was originally added by commit 2f27649 ("Move pre-start hooks after container mounts", Feb 17 2016). At that time, the syncParentHooks() was called from setupRootfs(), which was only used when the container config has mount namespace (NEWNS) enabled. Later, commit 244c9fc ("*: console rewrite", Jun 4 2016) spli the relevant part of setupRootfs() into prepareRootfs(). It was still called conditionally (only if mount namespace was enabled). Finally, commit 91ca331 ("chroot when no mount namespaces is provided", Jan 25 2018) removed the above condition, meaning prepareRootfs(), and thus syncParentHooks(), is now called for any container. Meaning, the special case for when mount namespace is not enabled is no longer needed. Remove it. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
kolyshkin
force-pushed
the
double-hooks
branch
from
c7bab9e to
e852523
Compare
mrunalp
approved these changes
Aug 28, 2023
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
If the container does not have own mount namespace configured (i.e. it shares the mount namespace with the host), its "prestart" (obsoleted) and "createRuntime" hooks are called twice, and its cgroups and Intel RDT settings are also applied twice.
The code being removed was originally added by commit 2f27649 ("Move pre-start hooks after container mounts", Feb 17 2016). At that time, the syncParentHooks() was called from setupRootfs(), which was only used when the container config has mount namespace (NEWNS) enabled.
Later, commit 244c9fc ("*: console rewrite", Jun 4 2016) spli the relevant part of setupRootfs() into prepareRootfs(). It was still called conditionally (only if mount namespace was enabled).
Finally, commit 91ca331 ("chroot when no mount namespaces is provided", Jan 25 2018) removed the above condition, meaning prepareRootfs(), and thus syncParentHooks(), is now called for any container.
Meaning, the special case for when mount namespace is not enabled is no longer needed.
Remove it.
Add a test case.