Regression on mounting /sys in user namespaces

**rkt**

```
rkt Version: 1.4.0+git94709b4
appc Version: 0.7.4
Go Version: go1.5.3
Go OS/Arch: linux/amd64
Features: -TPM
```

**Kernel**

```
Linux 4.4.6-301.fc23.x86_64+debug x86_64
```

**systemd**

```
systemd 222
+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ -LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN
```

**What did you do?**

```
$ make functional-check GO_TEST_FUNC_ARGS='-run TestUser'
```

**What did you expect to see?**

It works.

**What did you see instead?**

```
=== RUN   TestUserns
--- FAIL: TestUserns (10.26s)
...
        Error: Mounting "/sys" on "opt/stage2/rkt-inspect/rootfs/sys" failed: Invalid argument
```

**Explanation**

Regression from https://github.com/coreos/rkt/pull/2386

For security reasons, recent Linux kernels do not allow to bind-mount something non-recursively if it would give read-write access to other subdirectories mounted as read-only.

**Solution**

Either revert https://github.com/coreos/rkt/pull/2386 or test if we are in a separate user namespace by reading /proc/1/uid_map (see user_namespaces(7)) before doing the non-recursive bind mount on /sys.


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Regression on mounting /sys in user namespaces #2490

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Regression on mounting /sys in user namespaces #2490

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions