|
@@ -648,7 +648,7 @@ func WithMounts(daemon *Daemon, c *container.Container) coci.SpecOpts {
|
|
|
// "mount" when we bind-mount. The reason for this is that at the point
|
|
// "mount" when we bind-mount. The reason for this is that at the point
|
|
|
// when runc sets up the root filesystem, it is already inside a user
|
|
// when runc sets up the root filesystem, it is already inside a user
|
|
|
// namespace, and thus cannot change any flags that are locked.
|
|
// namespace, and thus cannot change any flags that are locked.
|
|
|
- if daemon.configStore.RemappedRoot != "" {
|
|
|
|
|
|
|
+ if daemon.configStore.RemappedRoot != "" || sys.RunningInUserNS() {
|
|
|
unprivOpts, err := getUnprivilegedMountFlags(m.Source)
|
|
unprivOpts, err := getUnprivilegedMountFlags(m.Source)
|
|
|
if err != nil {
|
|
if err != nil {
|
|
|
return err
|
|
return err
|
Tibor Vass