
fs: mount namespace within runsc doesn't seem to work

Open yoshiat opened this issue 6 years ago • 5 comments

From @AkihiroSuda here. The context is that he has been looking into running BuildKit on UML/gVisor on Docker on a real Linux kernel. And BuildKit needs to invoke runc or gVisor. As running runc may require more syscalls (and options) to be supported, he thought BuildKit could run by replacing runc with `unshare -m chroot` if gVisor supports it.

```console
$ docker run -it --rm --runtime=runsc alpine
/ # unshare --uts --ipc --net --pid --user echo hi
hi
/ # unshare --mount echo hi
unshare: can't mount none on / (flags:0x44000): Bad address
/ #
```

Before going down this path, he got stuck with the lack of MS_BIND|MS_REC support which should be tracked in #179.

yoshiat avatar May 01 '19 05:05 yoshiat
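The failing call in the session above is the one util-linux `unshare` makes right after `unshare(CLONE_NEWNS)`: `mount("none", "/", NULL, MS_REC|MS_PRIVATE, NULL)`, and `0x44000` is exactly `MS_REC|MS_PRIVATE`. The probe below is an added example, not code from this issue or from the gVisor project; it reproduces the three steps a BuildKit-style `unshare -m` + rbind setup needs (new mount namespace, make `/` private, recursive bind mount) in a child process and reports the errno of each, and it decodes raw `flags:0x...` values into names. It assumes a Linux or gVisor container where the probe runs as root and can create a directory under `/tmp`; the `/tmp/mntns-probe-XXXXXX` template is this example's own choice.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <unistd.h>

/* Per-step outcome: 0 = success, >0 = errno, -1 = skipped because an
 * earlier step failed (the later steps would otherwise act on the host
 * mount namespace). */
struct mntns_probe {
    int unshare_errno;      /* unshare(CLONE_NEWNS): what `unshare --mount` does first */
    int make_private_errno; /* mount("none","/",NULL,MS_REC|MS_PRIVATE,NULL): flags 0x44000 */
    int rbind_errno;        /* mount("/",dir,NULL,MS_BIND|MS_REC,NULL): the rbind in #179 */
};

/* Render mount(2) flag bits as names so "flags:0x44000" can be read.
 * Unknown bits are appended in hex. Returns the number of recognised flags. */
int decode_mount_flags(unsigned long flags, char *out, size_t outlen)
{
    static const struct { unsigned long bit; const char *name; } table[] = {
        { MS_RDONLY, "MS_RDONLY" },   { MS_NOSUID, "MS_NOSUID" },
        { MS_NODEV, "MS_NODEV" },     { MS_NOEXEC, "MS_NOEXEC" },
        { MS_REMOUNT, "MS_REMOUNT" }, { MS_BIND, "MS_BIND" },
        { MS_MOVE, "MS_MOVE" },       { MS_REC, "MS_REC" },
        { MS_UNBINDABLE, "MS_UNBINDABLE" }, { MS_PRIVATE, "MS_PRIVATE" },
        { MS_SLAVE, "MS_SLAVE" },     { MS_SHARED, "MS_SHARED" },
    };
    int n = 0;
    size_t used = 0;
    out[0] = '\0';
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        if (!(flags & table[i].bit)) continue;
        int w = snprintf(out + used, outlen - used, "%s%s", n ? "|" : "", table[i].name);
        if (w < 0 || (size_t)w >= outlen - used) return n; /* output truncated */
        used += (size_t)w;
        flags &= ~table[i].bit;
        n++;
    }
    if (flags) snprintf(out + used, outlen - used, "%s0x%lx", n ? "|" : "", flags);
    return n;
}

/* Runs in the forked child so that a new mount namespace never leaks into
 * the caller. Writes the result struct to fd and exits. */
static void probe_in_child(int fd)
{
    struct mntns_probe r = { 0, -1, -1 };
    char dir[] = "/tmp/mntns-probe-XXXXXX"; /* assumption: /tmp is writable */

    if (unshare(CLONE_NEWNS) != 0) {
        r.unshare_errno = errno;
    } else {
        /* util-linux does this so new mounts do not propagate back to the host. */
        r.make_private_errno = mount("none", "/", NULL, MS_REC | MS_PRIVATE, NULL) ? errno : 0;

        if (mkdtemp(dir) == NULL) {
            r.rbind_errno = errno;
        } else {
            r.rbind_errno = mount("/", dir, NULL, MS_BIND | MS_REC, NULL) ? errno : 0;
            if (r.rbind_errno == 0) umount2(dir, MNT_DETACH);
            rmdir(dir);
        }
    }
    if (write(fd, &r, sizeof r) != (ssize_t)sizeof r) _exit(1);
    _exit(0);
}

/* Forks, runs the probe, and fills *out. Returns 0 if a result was collected. */
int run_mntns_probe(struct mntns_probe *out)
{
    int fds[2];
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) { close(fds[0]); probe_in_child(fds[1]); }
    close(fds[1]);
    ssize_t n = read(fds[0], out, sizeof *out);
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return n == (ssize_t)sizeof *out ? 0 : -1;
}

static void report(const char *step, int err)
{
    printf("%-32s %s\n", step, err == -1 ? "skipped" : err ? strerror(err) : "ok");
}

int main(void)
{
    struct mntns_probe r;
    char buf[128];
    if (run_mntns_probe(&r) != 0) { perror("probe"); return 1; }
    report("unshare(CLONE_NEWNS)", r.unshare_errno);
    report("mount / MS_REC|MS_PRIVATE", r.make_private_errno);
    report("mount --rbind / <tmpdir>", r.rbind_errno);
    decode_mount_flags(0x44000UL, buf, sizeof buf);
    printf("flags 0x44000 = %s\n", buf);
    return 0;
}
```

Run it inside `docker run --runtime=runsc ...` and again with the default runtime to compare: an `EFAULT` ("Bad address") on the make-private step is the behaviour in the session above, and an error on the rbind step is the `MS_BIND|MS_REC` gap tracked in #179. Steps after a failed `unshare` are deliberately skipped rather than run against the host namespace.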

Yes, most other namespaces are implemented but not mount namespaces. It will follow after the major file system refactor in progress.

amscanne avatar May 01 '19 06:05 amscanne

vfs2 is the default. Can it be implemented now? I can poke it, if needed.

pkit avatar Jul 08 '22 15:07 pkit

@nixprime WDYT?

kevinGC avatar Jul 13 '22 17:07 kevinGC

@kevinGC it seems like there is a TODO here: https://github.com/google/gvisor/blob/5ffcc1f799e31eba3a95d7e2f251ee111656520c/pkg/sentry/kernel/task_clone.go#L128

pkit avatar Jul 16 '22 13:07 pkit

Ah, bind mounts are not there either. Probably needs bind mounts first...

pkit avatar Jul 16 '22 13:07 pkit