@dcantah dcantah commented Aug 11, 2025

Closes #256

Today the way UDS mounts are done has several problems:

  1. They're done before the other container mounts are set up, so it risks them getting shadowed.
  2. They're not done in the container's namespaces, so they have a chance to follow a symlink to the VM's rootfs somewhere (/container/rootfs/var/run -> /run in the root of the VM).

This change modifies the logic to set up UDS mounts in a temporary holding place first, and then bind them into place so that they're done at the same time as the other container mounts.

One extra thing this change does is get rid of the runtime support for UDS mounts. This was originally exposed as I wasn't sure if the container UDS -> host UDS flow would work otherwise, but this works fine today, and we lose the ability to do the runtime mounts in the container's ns.

@dcantah dcantah marked this pull request as ready for review August 11, 2025 12:19
@dcantah dcantah requested a review from jglogan August 11, 2025 16:31
@dcantah dcantah marked this pull request as draft August 11, 2025 20:01
@dcantah
dcantah commented Aug 11, 2025

We still need a "secure join" style mount that resolves symlinks to the container's rootfs and not to their actual absolute path.
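The symlink problem from the PR description (a rootfs symlink such as var/run -> /run being followed into the VM's own /run) and the "secure join" resolution asked for in the comment above, as an added example that is not part of this PR or the project's code. The function below walks a path component by component, resolving every symlink it meets relative to the container root rather than the VM's root, so the result can never leave the rootfs; the throwaway rootfs it builds in a temporary directory (with the var/run -> /run link and a regular file standing in for the socket) is constructed here purely for the demonstration.

```python
import errno
import os
import stat
import tempfile

MAX_SYMLINK_FOLLOWS = 255  # bound the walk the way the kernel bounds ELOOP


def naive_join(root: str, unsafe_path: str) -> str:
    """The pattern the PR description warns about: joining and then letting the
    VM's own filesystem resolve symlinks, so an absolute link inside the rootfs
    escapes to the VM's root."""
    return os.path.realpath(os.path.join(root, unsafe_path.lstrip("/")))


def secure_join(root: str, unsafe_path: str) -> str:
    """Resolve unsafe_path as though root were '/', never escaping root.

    Symlinks are read with lstat/readlink and re-interpreted inside root:
    an absolute target restarts at root, a relative target is spliced back
    into the remaining components, and '..' at root stays at root.  Missing
    components (for example a mount target that does not exist yet) are kept
    verbatim so the caller can create them under the resolved parent.
    """
    root = os.path.abspath(root)
    remaining = [c for c in unsafe_path.split("/") if c not in ("", ".")]
    resolved = []  # path components relative to root
    follows = 0
    while remaining:
        part = remaining.pop(0)
        if part == "..":
            if resolved:
                resolved.pop()
            continue  # '..' above root is clamped to root
        candidate = os.path.join(root, *resolved, part)
        try:
            st = os.lstat(candidate)
        except FileNotFoundError:
            resolved.append(part)  # not there yet; keep it as a literal name
            continue
        if stat.S_ISLNK(st.st_mode):
            follows += 1
            if follows > MAX_SYMLINK_FOLLOWS:
                raise OSError(errno.ELOOP, "too many levels of symbolic links")
            target = os.readlink(candidate)
            if target.startswith("/"):
                resolved = []  # absolute link: start again at the container root
            remaining = [c for c in target.split("/") if c not in ("", ".")] + remaining
            continue
        resolved.append(part)
    return os.path.join(root, *resolved)


def is_symlink_loop(root: str, unsafe_path: str) -> bool:
    """True when resolution fails with ELOOP (a self-referential link)."""
    try:
        secure_join(root, unsafe_path)
    except OSError as exc:
        return exc.errno == errno.ELOOP
    return False


def build_demo_rootfs() -> str:
    """Constructed sample rootfs mirroring the layout from the bug report.

    run/docker.sock is a regular file standing in for a bind-mounted socket;
    var/run -> /run is the absolute link that a naive join follows out of the
    container; etc/escape and loop are extra cases the resolver must survive.
    """
    root = tempfile.mkdtemp(prefix="demo-rootfs-")
    os.makedirs(os.path.join(root, "run"))
    os.makedirs(os.path.join(root, "var"))
    os.makedirs(os.path.join(root, "etc"))
    open(os.path.join(root, "run", "docker.sock"), "w").close()
    os.symlink("/run", os.path.join(root, "var", "run"))
    os.symlink("../../../../etc", os.path.join(root, "etc", "escape"))
    os.symlink("loop", os.path.join(root, "loop"))
    return root


if __name__ == "__main__":
    rootfs = build_demo_rootfs()
    print("naive :", naive_join(rootfs, "var/run/docker.sock"))
    print("secure:", secure_join(rootfs, "var/run/docker.sock"))
```

Run stand-alone, the naive result lands in the VM's /run while the secure result stays under the temporary rootfs. The resolution is only a path computation; to be safe against a container racing the resolver with a rename, the real mount still has to be performed inside the container's mount namespace (the "done at the same time as the other container mounts" part of this PR) or with a file-descriptor-based walk rather than a path string.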

Successfully merging this pull request may close these issues.

[Bug]: Can't mount a host socket when the mount target goes through a symlink.