[1.2] drop runc-dmz solution according to overlay solution#4487
Closed
lifubang wants to merge 7 commits intoopencontainers:mainfrom
Closed
[1.2] drop runc-dmz solution according to overlay solution#4487lifubang wants to merge 7 commits intoopencontainers:mainfrom
lifubang wants to merge 7 commits intoopencontainers:mainfrom
Conversation
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
Containerd pre-creates userns and netns before calling runc, which results in the current code not working when SELinux is enabled, resulting in the following error: > runc create failed: unable to start container process: error during container init: error mounting "mqueue" to rootfs at "/dev/mqueue": setxattr /path/to/rootfs/dev/mqueue: operation not permitted The solution is to become root in the user namespace right after we join it. Fixes opencontainers#4466. Co-authored-by: Wei Fu <fuweid89@gmail.com> Co-authored-by: Kir Kolyshkin <kolyshkin@gmail.com> Co-authored-by: Aleksa Sarai <cyphar@cyphar.com> Signed-off-by: lifubang <lifubang@acmcoder.com> (cherry picked from commit c78f3f2) Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: lifubang <lifubang@acmcoder.com> (cherry picked from commit 34a9285) Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
[1.2] libct/nsenter: become root after joining userns
Since Go 1.19, the same functionality is there in os/exec package. As we require go 1.22 now, there's no need to have this. This basically reverts commit 9258eac ("libct/start: use execabs for newuidmap lookup"). Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com> (cherry picked from commit eb2ff52) Signed-off-by: Austin Vazquez <macedonv@amazon.com>
…-eb2ff52ace1775ad667ca900b2e57e7d698e3484-to-1.2 [1.2] libct: rm x/sys/execabs usage
Because we have the overlay solution, we can drop runc-dmz binary solution since it has too many limitations. Signed-off-by: lifubang <lifubang@acmcoder.com> (cherry picked from commit 871057d) Signed-off-by: lifubang <lifubang@acmcoder.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Backport #4482
Because we have the overlay solution, we can drop runc-dmz binary solution since it has too many limitations.
The original post is here: #4450 (comment)
Because of there are many commits about runc-dmz binary solution, so doing git revert action is very hard, let's drop these code line by line.