eaa5192856
It's a common scenario for admins and/or monitoring applications to mount in the daemon root dir into a container. When doing so all mounts get copied into the container, often with private references. This can prevent removal of a container due to the various mounts that must be configured before a container is started (for example, for shared /dev/shm, or secrets) being leaked into another namespace, usually with private references. This is particularly problematic on older kernels (e.g. RHEL < 7.4) where a mount may be active in another namespace and attempting to remove a mountpoint which is active in another namespace fails. This change moves all container resource mounts into a common directory so that the directory can be made unbindable. What this does is prevent sub-mounts of this new directory from leaking into other namespaces when mounted with `rbind`... which is how all binds are handled for containers. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
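As an added example (not code from this commit or from the Moby project), here is a Go check an operator can run over a host's /proc/self/mountinfo to list the mounts below the daemon's containers directory that an rbind of that directory would still copy into another namespace, i.e. that are not covered by an unbindable mount. The mountinfo lines, the container ids and the /var/lib/docker/containers path are constructed assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// BindLeaks reads mountinfo text and lists the mounts below root that an rbind of
// root would copy into another mount namespace: every mount not at or under an
// unbindable mount (the kernel prunes an unbindable mount with everything on it).
func BindLeaks(mountinfo, root string) (leaks []string) {
	var points, unbindable []string
	for _, line := range strings.Split(mountinfo, "\n") {
		f := strings.Fields(line)
		// Optional fields (shared:N, master:N, unbindable, ...) start at index 6 and
		// end at a lone "-"; their count varies, so scan for the separator.
		sep := 6
		for sep < len(f) && f[sep] != "-" {
			sep++
		}
		if sep >= len(f) {
			continue // malformed line: no separator, skip it
		}
		point := strings.ReplaceAll(f[4], `\040`, " ") // mountinfo escapes spaces as \040
		points = append(points, point)
		if strings.Contains(" "+strings.Join(f[6:sep], " ")+" ", " unbindable ") {
			unbindable = append(unbindable, point)
		}
	}
	for _, p := range points {
		covered := !strings.HasPrefix(p, root+"/") // outside root: out of scope
		for _, u := range unbindable {
			covered = covered || strings.HasPrefix(p+"/", u+"/")
		}
		if !covered {
			leaks = append(leaks, p)
		}
	}
	return leaks
}

// Constructed sample (not from a real host): container abc keeps shm under the
// common unbindable mounts dir, container def has shm mounted directly and shared.
const sample = `40 36 8:1 /var/lib/docker/containers/abc/mounts /var/lib/docker/containers/abc/mounts rw,relatime unbindable - ext4 /dev/sda1 rw
41 40 0:24 / /var/lib/docker/containers/abc/mounts/shm rw,nosuid,nodev,noexec,relatime - tmpfs shm rw,size=65536k
42 36 0:25 / /var/lib/docker/containers/def/shm rw,nosuid,nodev,noexec,relatime shared:5 - tmpfs shm rw,size=65536k`

func main() {
	fmt.Println("would leak on rbind of the daemon root:", BindLeaks(sample, "/var/lib/docker/containers"))
}
```

On a live host, feed it the contents of /proc/self/mountinfo and the daemon's containers directory; an empty result means every container resource mount sits under an unbindable parent.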