[patch v4] Allow for unprivileged nested containers
Florian Weimer
fweimer@redhat.com
Wed Mar 9 10:43:09 GMT 2022
* DJ Delorie via Libc-alpha:
> If the build itself is run in a container, we may not be able to
> fully set up a nested container for test-container testing.
> Notable is the mounting of /proc, since it's critical that it
> be mounted from within the same PID namespace as its users, and
> thus cannot be bind mounted from outside the container like other
> mounts.
>
> With this patch, test-container may not be able to mount /proc
> but will run the test anyway, since most containerized tests
> do not require /proc. The few that do may predicate that,
> and support for such is also added.
We should not run tests without /proc by default based on some test
environment property. This will only lead to difficult-to-diagnose
errors.
Have you tried dropping CLONE_NEWPID and bind-mounting /proc outside the
test container? (I forgot what came out of the previous discussion.)
We already bind-mount other things, so we know that this will work. But
we have to drop CLONE_NEWPID so that the mounted /proc instance matches
the test container namespace.
Thanks,
Florian
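To show concretely why /proc cannot simply be bind-mounted in from outside the test container (the point both messages above turn on), here is an added C example; it is not code from glibc's test-container or from this thread. It clones a child into new user, PID and mount namespaces, mounts a fresh procfs there, and compares what /proc/self resolves to on that fresh mount (the child is PID 1) with what the host's /proc, the instance a bind mount would carry in, says from the same process (the child's outer PID). The temp directory under /tmp, the function names and the return-code convention (1 = behaviour demonstrated, -1 = this environment would not let it create the namespaces or mount proc, 0 = unexpected) are this example's own assumptions.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef CLONE_NEWUSER
#include <linux/sched.h>  /* CLONE_* flags if <sched.h> was seen without _GNU_SOURCE */
#endif
int clone(int (*fn)(void *), void *stack, int flags, void *arg, ...);

/* PID that MOUNTPOINT/self resolves to, in that procfs's own PID namespace, or -1. */
static long proc_self_pid(const char *mountpoint) {
  char path[256], buf[32];
  snprintf(path, sizeof path, "%s/self", mountpoint);
  ssize_t n = readlink(path, buf, sizeof buf - 1);
  if (n < 0) return -1;
  buf[n] = '\0';
  return strtol(buf, NULL, 10);
}

/* Runs inside new user + PID + mount namespaces; ARG is the temp mountpoint. */
static int child(void *arg) {
  const char *dir = arg;
  /* Keep the test mount from propagating back into the host mount namespace. */
  if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0) return 2;
  /* A procfs instance is bound to the PID namespace of whoever mounts it. */
  if (mount("proc", dir, "proc", 0, NULL) != 0) return 3;
  long inner = proc_self_pid(dir);     /* fresh mount: this process is PID 1 */
  long outer = proc_self_pid("/proc"); /* host's /proc: shows the outer PID */
  umount(dir);
  return (inner == 1 && outer != 1) ? 0 : 4;
}

/* 1: fresh /proc reflects the new PID namespace and the host's /proc does not;
   -1: namespaces or the proc mount are unavailable here; 0: unexpected result. */
int nested_proc_demo(void) {
  static char stack[1 << 16];            /* child stack; clone() takes its top */
  char dir[] = "/tmp/procdemo-XXXXXX";   /* constructed temp mountpoint */
  if (mkdtemp(dir) == NULL) return -1;
  pid_t pid = clone(child, stack + sizeof stack,
                    CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNS | SIGCHLD, dir);
  int status = 0, rc = -1;
  if (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status))
    rc = WEXITSTATUS(status);
  rmdir(dir);
  return rc == 0 ? 1 : (rc == 4 ? 0 : -1);
}
```

On a stock Linux host this returns 1; inside a build container whose /proc is partially masked, the kernel refuses the unprivileged proc mount and it returns -1, which is the nested-container situation the patch is trying to work around.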