Wrong directory when using a tenant container and w/ a mount namespace #2751
Comments
I figured it out. If you're running from an initramfs (e.g. as part of an initrd program) with no "real" filesystem, you need to use I might do a PR that detects this niche case if it's of any interest.
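One way the initramfs case mentioned in the comment above could be detected, as an added example that is not code from youki or from the commenter: it reads `/proc/self/mountinfo` and checks whether the mount visible at `/` has filesystem type `rootfs`. The choice of mountinfo as the signal, the function names and the sample mount tables are assumptions made for this illustration.

```rust
use std::fs;

/// The two fields of a /proc/<pid>/mountinfo line that this check needs.
#[derive(Debug, PartialEq)]
struct Mount {
    mount_point: String,
    fs_type: String,
}

/// Parse one mountinfo line. Layout (proc(5)):
/// id parent major:minor root mount_point opts [optional...] - fstype source super_opts
fn parse_line(line: &str) -> Option<Mount> {
    // Spaces in paths are octal-escaped, so " - " only occurs as the separator.
    let (left, right) = line.split_once(" - ")?;
    let mount_point = left.split(' ').nth(4)?.to_string();
    let fs_type = right.split(' ').next()?.to_string();
    Some(Mount { mount_point, fs_type })
}

/// True when the mount visible at "/" is the kernel's initial rootfs, the
/// situation in which pivot_root(2) returns EINVAL.
/// Assumption: a mount stacked over "/" is listed after the one it hides,
/// so the last entry for "/" is the visible one.
fn root_is_initramfs(mountinfo: &str) -> bool {
    mountinfo
        .lines()
        .filter_map(parse_line)
        .filter(|m| m.mount_point == "/")
        .last()
        .map_or(false, |m| m.fs_type == "rootfs")
}

// Constructed sample mount tables, not taken from the issue.
const INITRAMFS: &str = "1 1 0:2 / / rw - rootfs rootfs rw\n\
22 1 0:21 / /proc rw,nosuid - proc proc rw\n\
23 1 0:22 / /newroot rw - tmpfs tmpfs rw\n";
const DISK_ROOT: &str = "1 1 0:2 / / rw - rootfs rootfs rw\n\
25 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw\n\
22 25 0:21 / /proc rw,nosuid - proc proc rw\n";

fn main() {
    let live = fs::read_to_string("/proc/self/mountinfo").unwrap_or_default();
    println!("live root is initramfs: {}", root_is_initramfs(&live));
    println!("sample initramfs: {}", root_is_initramfs(INITRAMFS));
    println!("sample disk root: {}", root_is_initramfs(DISK_ROOT));
}
```

mountinfo is rendered relative to the calling process's root, so a process that has already called `chroot` into a bind mount sees that bind mount as `/` and this check reports false for it.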
I'm unable to use a tenant container for executing commands in a container because, as soon as `setns(mnt_ns)` is called, the tenant's `container_init_process` ends up in `/` of my host.

The situation is different from most usage of `libcontainer`:

- `init` program `/newroot`) and `chroot` there so that `pivot_root` will work in the future (else it returns `EINVAL` because called from an `initramfs`, consistent with the docs)
- `init` process directly, not by invoking the `youki` CLI

Much debug logging later: I found that after calling `apply_rest_namespaces`, my current directory shifts to the root `/` outside of my dummy bind mount. To be clear, the directory listing after `setns` returns `["/", "/newroot"]`. I'm expecting the process to "be" in `/containers/my-container/rootfs`.

Logs I added
Main container:
Tenant:
I don't understand how that's happening. I tried changing various settings and code in my `youki` fork, but I can't get it to do anything else. I've confirmed that the process is getting a different mount namespace based on its inode. I've tried spawning threads to better isolate `libcontainer` operations (and all the syscalls it is making), but that didn't change anything.

At this point I'm wondering if this is happening because of the weird bind mount I'm making from my initrd program. It could also be related to the fact that I'm creating containers all from the same process.

I'm using the default `oci_spec::Spec` with minimal changes to support host networking (#2745).

This is all leading to this exec error because it can't find the `uname` program I'm trying to run (rightly so, it's not in the right mount namespace!):