From 2eb5880d523e20242c365935f58a061352ddc57f Mon Sep 17 00:00:00 2001 From: lifubang Date: Mon, 29 Jun 2026 15:48:25 +0000 Subject: [PATCH 1/2] libct: Enforce nr_inodes=2 to fix Focal mount errors On most kernels `nr_inodes=1` works fine. However, Ubuntu 20.04 (Focal) with the official 5.4 kernel carries a private patch in mm/shmem.c that rejects "nr_inodes<2", so let's keep `nr_inodes=2` here! Signed-off-by: lifubang (cherry picked from commit feea25820e019d2073b370f629e15cc9bf8ae281) Signed-off-by: lifubang --- libcontainer/rootfs_linux.go | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go index d2a911d6c3c..63f14ba8165 100644 --- a/libcontainer/rootfs_linux.go +++ b/libcontainer/rootfs_linux.go @@ -1333,7 +1333,12 @@ func verifyDevNull(f *os.File) error { // maskDir mounts a read-only tmpfs on top of the specified path. func maskDir(path, mountLabel string) error { - return mount("tmpfs", path, "tmpfs", unix.MS_RDONLY, label.FormatMountLabel("nr_blocks=1,nr_inodes=1", mountLabel)) + // On most kernels `nr_inodes=1` works fine. However, Ubuntu 20.04 (Focal) with + // the official 5.4 kernel carries a private patch in mm/shmem.c that rejects + // "nr_inodes<2", so let's keep `nr_inodes=2` here! + // For reference, search for "case Opt_nr_inodes" in: + // https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/focal/plain/mm/shmem.c?h=Ubuntu-5.4.0-216.236 + return mount("tmpfs", path, "tmpfs", unix.MS_RDONLY, label.FormatMountLabel("nr_blocks=1,nr_inodes=2", mountLabel)) } // maskPaths masks the top of the specified paths inside a container to avoid From ddefa96a951d5552d1447c783aad2f273fec6333 Mon Sep 17 00:00:00 2001 From: lifubang Date: Mon, 29 Jun 2026 11:08:08 +0000 Subject: [PATCH 2/2] libct: add a fallback for nr_inodes=2 We don't know whether some kernels will fail with "nr_inodes=2", so let's fall back to mount a tmpfs without "nr_inodes". Signed-off-by: lifubang (cherry picked from commit 79ac57770f9f156d6851fa7f27857cde591d23b4) Signed-off-by: lifubang --- libcontainer/rootfs_linux.go | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go index 63f14ba8165..041930ace96 100644 --- a/libcontainer/rootfs_linux.go +++ b/libcontainer/rootfs_linux.go @@ -1338,7 +1338,13 @@ func maskDir(path, mountLabel string) error { // "nr_inodes<2", so let's keep `nr_inodes=2` here! // For reference, search for "case Opt_nr_inodes" in: // https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/focal/plain/mm/shmem.c?h=Ubuntu-5.4.0-216.236 - return mount("tmpfs", path, "tmpfs", unix.MS_RDONLY, label.FormatMountLabel("nr_blocks=1,nr_inodes=2", mountLabel)) + err := mount("tmpfs", path, "tmpfs", unix.MS_RDONLY, label.FormatMountLabel("nr_blocks=1,nr_inodes=2", mountLabel)) + // We don't know whether some kernels will fail with "nr_inodes=2", + // so let's fall back to mount a tmpfs without this option. + if errors.Is(err, unix.EINVAL) { + err = mount("tmpfs", path, "tmpfs", unix.MS_RDONLY, label.FormatMountLabel("nr_blocks=1", mountLabel)) + } + return err } // maskPaths masks the top of the specified paths inside a container to avoid