runc
[1.2] fix rootfs propagation mode to shared / unbindable
(cherry picked from commit 04be81b6a3db3e9967ea83b39d8742f130110914) Backport of https://github.com/opencontainers/runc/pull/4724 to release-1.2 branch. Original description follows.
This PR adds support for applying mount propagation settings (MS_SHARED or MS_UNBINDABLE) to the container root based on the value of config.RootPropagation. We apply mount propagation after executing pivot_root and rootfsParentMountPrivate.
Fixes https://github.com/opencontainers/runc/issues/1755
Related: https://github.com/opencontainers/runc/pull/1815 https://github.com/youki-dev/youki/issues/3141
Signed-off-by: Yusuke Sakurai [email protected]
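The description above is the whole of what the PR states: the requested root propagation is only guaranteed to take effect for shared and unbindable modes if it is re-applied to "/" after pivot_root. The example below is added for this page and is not runc's code. It shows the three pieces a practitioner would want around that fix: parsing the OCI rootfsPropagation string into mount(2) flags (the string-to-flag mapping is an assumption matching the OCI spec values plus the r-prefixed recursive variants runc accepts), the post-pivot decision and mount call behind a small Mounter interface so it can be dry-run without root, and a check that reads the propagation of a mount back out of a /proc/self/mountinfo line, which is how you verify inside a container that the root really is shared, slave, unbindable or private. The mountinfo lines in main are constructed sample input.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"syscall"
)

// Propagation bits accepted by mount(2) in a propagation-change call.
const (
	propTypeMask uintptr = syscall.MS_SHARED | syscall.MS_SLAVE | syscall.MS_PRIVATE | syscall.MS_UNBINDABLE
	propMask     uintptr = propTypeMask | syscall.MS_REC
)

// ociPropagation maps OCI "rootfsPropagation" strings to mount(2) flags.
// Assumption: the OCI spec values plus the recursive r-variants (MS_REC added).
var ociPropagation = map[string]uintptr{
	"shared": syscall.MS_SHARED, "rshared": syscall.MS_SHARED | syscall.MS_REC,
	"slave": syscall.MS_SLAVE, "rslave": syscall.MS_SLAVE | syscall.MS_REC,
	"private": syscall.MS_PRIVATE, "rprivate": syscall.MS_PRIVATE | syscall.MS_REC,
	"unbindable": syscall.MS_UNBINDABLE, "runbindable": syscall.MS_UNBINDABLE | syscall.MS_REC,
}

// ParseRootfsPropagation converts the spec value into flags; "" (unset) yields 0.
func ParseRootfsPropagation(s string) (uintptr, error) {
	if s == "" {
		return 0, nil
	}
	f, ok := ociPropagation[s]
	if !ok {
		return 0, fmt.Errorf("unknown rootfsPropagation %q", s)
	}
	return f, nil
}

// NeedsPostPivotPropagation reports whether the requested mode is one of the two
// the PR re-applies to "/" after pivot_root: shared or unbindable.
func NeedsPostPivotPropagation(flags uintptr) bool {
	return flags&(syscall.MS_SHARED|syscall.MS_UNBINDABLE) != 0
}

// Mounter abstracts mount(2) so the logic can be exercised without root.
type Mounter interface {
	Mount(source, target, fstype string, flags uintptr, data string) error
}

// SysMounter performs the real mount(2) call (Linux only).
type SysMounter struct{}

func (SysMounter) Mount(source, target, fstype string, flags uintptr, data string) error {
	return syscall.Mount(source, target, fstype, flags, data)
}

// RecordingMounter records the calls it would have made (dry run).
type RecordingMounter struct{ Calls []string }

func (r *RecordingMounter) Mount(source, target, fstype string, flags uintptr, data string) error {
	r.Calls = append(r.Calls, fmt.Sprintf("mount(%q, %q, %q, %#x, %q)", source, target, fstype, flags, data))
	return nil
}

// ApplyRootPropagationAfterPivot validates the flags and re-applies shared or
// unbindable propagation to the new root. It must run after pivot_root, inside the
// container's mount namespace. Returns true when a mount call was made.
func ApplyRootPropagationAfterPivot(m Mounter, flags uintptr) (bool, error) {
	if flags&^propMask != 0 {
		return false, fmt.Errorf("flags %#x contain non-propagation bits", flags)
	}
	if t := flags & propTypeMask; t&(t-1) != 0 {
		return false, fmt.Errorf("flags %#x set more than one propagation type", flags)
	}
	if !NeedsPostPivotPropagation(flags) {
		return false, nil
	}
	// A propagation change takes only the propagation bits; source, fstype and data are ignored.
	if err := m.Mount("", "/", "", flags, ""); err != nil {
		return false, fmt.Errorf("setting root propagation %#x: %w", flags, err)
	}
	return true, nil
}

// PropagationFromMountinfo reads the optional fields of one /proc/self/mountinfo
// line (between the mount options and the "-" separator) and reports the
// propagation as MS_* bits; no field means private. A mount can be both shared
// and a slave, so MS_SHARED|MS_SLAVE is a valid result.
func PropagationFromMountinfo(line string) (uintptr, error) {
	fields := strings.Fields(line)
	sep := -1
	for i, f := range fields {
		if f == "-" {
			sep = i
			break
		}
	}
	if sep < 6 {
		return 0, errors.New("malformed mountinfo line")
	}
	var flags uintptr
	for _, opt := range fields[6:sep] {
		switch {
		case strings.HasPrefix(opt, "shared:"):
			flags |= syscall.MS_SHARED
		case strings.HasPrefix(opt, "master:"):
			flags |= syscall.MS_SLAVE
		case opt == "unbindable":
			flags |= syscall.MS_UNBINDABLE
		}
	}
	if flags == 0 {
		flags = syscall.MS_PRIVATE
	}
	return flags, nil
}

func main() {
	flags, _ := ParseRootfsPropagation("runbindable")
	rec := &RecordingMounter{}
	applied, err := ApplyRootPropagationAfterPivot(rec, flags) // dry run, no root needed
	fmt.Println("applied:", applied, "err:", err, "calls:", rec.Calls)
	// Constructed sample mountinfo lines: private root, shared+slave mount, unbindable mount.
	for _, l := range []string{
		"1 0 0:24 / / rw,relatime - overlay overlay rw",
		"36 35 98:0 / /mnt rw,noatime shared:1 master:2 - ext4 /dev/sda1 rw",
		"37 35 0:30 / /srv rw unbindable - tmpfs tmpfs rw",
	} {
		p, err := PropagationFromMountinfo(l)
		fmt.Printf("%-8s propagation=%#x err=%v\n", strings.Fields(l)[4], p, err)
	}
}
```

Swap RecordingMounter for SysMounter only in the code path that runs after pivot_root; run anywhere else it changes the propagation of whatever "/" the caller currently sees. The mountinfo reader is the cheap check to add to a test that a container's root came up with the propagation the spec asked for.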
Hmm, I was not aware we're going to make another 1.2.x release. If we are, though, it's going to be 1.2.7, which already has some stuff merged.
@kolyshkin In the release policy we said we will be quite flexible in what classifies for backport to n-1; I'd like to backport when it's simple or makes sense. Also, 1.2 is widely used in Azure; checking quickly, it seems in Google Container-Optimized OS too.
Do you prefer to avoid backports to 1.2 for some reason?
@kolyshkin friendly ping?
> @kolyshkin In the release policy we said we will be quite flexible in what classifies for backport to n-1; I'd like to backport when it's simple or makes sense. Also, 1.2 is widely used in Azure; checking quickly, it seems in Google Container-Optimized OS too.
> Do you prefer to avoid backports to 1.2 for some reason?
Not directly, no. What I prefer (being practical and lazy) is maintaining one less branch (meaning I'd love users to switch to v1.3 sooner). If we backport all fixes to v1.2 there's never an incentive to switch to v1.3. Also, making more 1.2 releases may result in thinking that v1.3 is somehow not quite ready, which is not true to my best knowledge.
Our release policy says (note "latest-1" means v1.2.x now):
> latest-1 will only receive security fixes and significant bug fixes (what bug fixes are "significant" are down to the maintainer's judgement, but maintainers should err on the side of reducing the number of backports at this stage). At this stage, users of latest-1 are encouraged to start planning the migration to the latest release of runc (as well as reporting any issues they may find).
I guess I'm OK with this PR as it is (as this is indeed a significant bug fix), I just don't want too many backports in general, for the reasons outlined above.
Also, we need a backport of https://github.com/opencontainers/runc/pull/4806 to release-1.2 to fix CI.
@kolyshkin thanks, rebased! Let's see if CI is green now :crossed_fingers: