
Commit 047305a

committed
Use real chroot if daemon is running in a user namespace
The namespace unshare+pivot_root is not possible when running inside a user namespace, so fall back to the original "real" chroot code. Docker-DCO-1.1-Signed-off-by: Phil Estes <[email protected]>
1 parent 2f97082 commit 047305a

1 file changed

Lines changed: 5 additions & 0 deletions


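--- a/chrootarchive/chroot_linux.go
+++ b/chrootarchive/chroot_linux.go
@@ -8,6 +8,7 @@ import (
 "syscall"
 
 "github.com/docker/docker/pkg/mount"
+rsystem "github.com/opencontainers/runc/libcontainer/system"
 )
 
 // chroot on linux uses pivot_root instead of chroot
@@ -17,6 +18,10 @@ import (
 // Old root is removed after the call to pivot_root so it is no longer available under the new root.
 // This is similar to how libcontainer sets up a container's rootfs
 func chroot(path string) (err error) {
+// if the engine is running in a user namespace we need to use actual chroot
+if rsystem.RunningInUserNS() {
+return realChroot(path)
+}
 if err := syscall.Unshare(syscall.CLONE_NEWNS); err != nil {
 return fmt.Errorf("Error creating mount namespace before pivot: %v", err)
 }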
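Review bot: The early return added at the top of `chroot` replaces the mount-namespace plus pivot_root confinement with `realChroot` without recording what is lost, and the doc comment above the function still says the old root is removed after the call. `realChroot` is not visible here, but if it is a plain chroot(2), as the commit message suggests, the old root stays mounted and the confinement is weaker than on the pivot_root path; that matters because this package, judging by its name, extracts archives that may be untrusted. I would extend the new comment to say so, for example `// In a user namespace unshare+pivot_root is not possible; realChroot keeps the old root mounted, so confinement is weaker than the pivot_root path below.`, and add a sentence about the fallback to the function's doc comment. The body of `chroot` continues past the end of this hunk.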
