From 5ede64d63fec0b9d4cf921b6f8fb946e65287538 Mon Sep 17 00:00:00 2001
From: Brian Goff
Date: Mon, 16 Oct 2017 13:49:31 -0400
Subject: [PATCH] Use rslave instead of rprivate in chrootarchive
With `rprivate` there exists a race where a reference to a mount has propagated to the new namespace, when `rprivate` is set the parent namespace is not able to remove the mount due to that reference. With `rslave` unmounts will propagate correctly into the namespace and prevent the sort of transient errors that are possible with `rprivate`. This is a similar fix to https://github.com/opencontainers/runc/pull/1500/commits/117c92745bd098bf05a69489b7b78cac6364e1d0
Signed-off-by: Brian Goff
---
pkg/chrootarchive/chroot_linux.go | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/pkg/chrootarchive/chroot_linux.go b/pkg/chrootarchive/chroot_linux.go
index ebc3b84466..958e06cf8d 100644
--- a/pkg/chrootarchive/chroot_linux.go
+++ b/pkg/chrootarchive/chroot_linux.go
@@ -26,8 +26,13 @@ func chroot(path string) (err error) {
 return fmt.Errorf("Error creating mount namespace before pivot: %v", err)
 }
- // make everything in new ns private
- if err := mount.MakeRPrivate("/"); err != nil {
+ // Make everything in new ns slave.
+ // Don't use `private` here as this could race where the mountns gets a
+ // reference to a mount and an unmount from the host does not propagate,
+ // which could potentially cause transient errors for other operations,
+ // even though this should be relatively small window here `slave` should
+ // not cause any problems.
+ if err := mount.MakeRSlave("/"); err != nil {
 return err
 }
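Review bot: The error from `mount.MakeRSlave("/")` is still returned bare while the unshare failure directly above it is wrapped with context, so a propagation-flag failure surfaces without saying which step of the namespace setup failed; wrap it the same way, `return fmt.Errorf("Error making mount namespace rslave: %v", err)`. The new comment says why `private` is avoided but not why `slave` keeps the host protected, which is the part a future reader is most likely to second-guess: slave propagation is one-way, so host unmounts reach this namespace while the mounts and the pivot this function goes on to do (per the error message above) do not propagate back to the host. A closing line such as `// slave is one-way: host mount events reach this ns, nothing mounted here propagates back to the host.` would pin that down. chroot begins before the hunk (only its signature is visible in the hunk header) and continues past it, so the later mount and pivot steps are outside the visible lines.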