Merged
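--- a/libcontainer/rootfs_linux.go
+++ b/libcontainer/rootfs_linux.go
@@ -1323,7 +1323,18 @@ func verifyDevNull(f *os.File) error {
 
 // maskDir mounts a read-only tmpfs on top of the specified path.
 func maskDir(path, mountLabel string) error {
-return mount("tmpfs", path, "tmpfs", unix.MS_RDONLY, label.FormatMountLabel("nr_blocks=1,nr_inodes=1", mountLabel))
+// On most kernels `nr_inodes=1` works fine. However, Ubuntu 20.04 (Focal) with
+// the official 5.4 kernel carries a private patch in mm/shmem.c that rejects
+// "nr_inodes<2", so let's keep `nr_inodes=2` here!
+// For reference, search for "case Opt_nr_inodes" in:
+// https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/focal/plain/mm/shmem.c?h=Ubuntu-5.4.0-216.236
+err := mount("tmpfs", path, "tmpfs", unix.MS_RDONLY, label.FormatMountLabel("nr_blocks=1,nr_inodes=2", mountLabel))
+// We don't know whether some kernels will fail with "nr_inodes=2",
+// so let's fall back to mount a tmpfs without this option.
+if errors.Is(err, unix.EINVAL) {
+err = mount("tmpfs", path, "tmpfs", unix.MS_RDONLY, label.FormatMountLabel("nr_blocks=1", mountLabel))
+}
+return err
 }
 
 // maskPaths masks the top of the specified paths inside a container to avoid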
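Review bot: The EINVAL fallback in maskDir retries without `nr_inodes` on any EINVAL, not only the one caused by that option, and it does so silently, so a host where the inode cap on masked directories was dropped cannot be told apart from one where it applied. mount(2) can return EINVAL for other reasons (a rejected label string in the data argument, for example), in which case the retry just repeats the failure and the first error is discarded. Since the mask is mounted `MS_RDONLY` the cap is defence in depth rather than the primary control, but the downgrade should leave a trace; assuming the file's logrus logger is in scope here, add `logrus.Debugf("maskDir: tmpfs rejected nr_inodes=2 for %q, retrying with nr_blocks=1 only", path)` inside the `if` before the second `mount` call. A one-line comment there stating that `nr_blocks=1` and the read-only flag still apply on the fallback path would also help the next reader judge what protection remains.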