containers
/
podman
mirror of https://github.com/containers/podman.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Improve setupSystemd, grab mount options from the host 

fixes #7661

Signed-off-by: Andy Librian <andylibrian@gmail.com>
This commit is contained in:
Andy Librian 2020-10-24 15:50:33 +07:00
parent 228396a99d
commit 6779c1cfc2
1 changed files with 21 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
libpod/container_internal_linux.go
View File

@ -698,11 +698,31 @@ func (c *Container) setupSystemd(mounts []spec.Mount, g generate.Generator) erro
} }
g.AddMount(systemdMnt) g.AddMount(systemdMnt)
} else { } else {
mountOptions := []string{"bind", "rprivate"}
var statfs unix.Statfs_t
if err := unix.Statfs("/sys/fs/cgroup/systemd", &statfs); err != nil {
mountOptions = append(mountOptions, "nodev", "noexec", "nosuid")
} else {
if statfs.Flags&unix.MS_NODEV == unix.MS_NODEV {
mountOptions = append(mountOptions, "nodev")
}
if statfs.Flags&unix.MS_NOEXEC == unix.MS_NOEXEC {
mountOptions = append(mountOptions, "noexec")
}
if statfs.Flags&unix.MS_NOSUID == unix.MS_NOSUID {
mountOptions = append(mountOptions, "nosuid")
}
if statfs.Flags&unix.MS_RDONLY == unix.MS_RDONLY {
mountOptions = append(mountOptions, "ro")
}
}
systemdMnt := spec.Mount{ systemdMnt := spec.Mount{
Destination: "/sys/fs/cgroup/systemd", Destination: "/sys/fs/cgroup/systemd",
Type: "bind", Type: "bind",
Source: "/sys/fs/cgroup/systemd", Source: "/sys/fs/cgroup/systemd",
Options: []string{"bind", "nodev", "noexec", "nosuid", "rprivate"}, Options: mountOptions,
} }
g.AddMount(systemdMnt) g.AddMount(systemdMnt)
g.AddLinuxMaskedPaths("/sys/fs/cgroup/systemd/release_agent") g.AddLinuxMaskedPaths("/sys/fs/cgroup/systemd/release_agent")