The namespace unshare+pivot root is not possible when running inside a
user namespace, so fall back to the original "real" chroot code.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
| ... | ... |
@@ -8,6 +8,7 @@ import ( |
| 8 | 8 |
"syscall" |
| 9 | 9 |
|
| 10 | 10 |
"github.com/docker/docker/pkg/mount" |
| 11 |
+ rsystem "github.com/opencontainers/runc/libcontainer/system" |
|
| 11 | 12 |
) |
| 12 | 13 |
|
| 13 | 14 |
// chroot on linux uses pivot_root instead of chroot |
| ... | ... |
@@ -17,6 +18,10 @@ import ( |
| 17 | 17 |
// Old root is removed after the call to pivot_root so it is no longer available under the new root. |
| 18 | 18 |
// This is similar to how libcontainer sets up a container's rootfs |
| 19 | 19 |
func chroot(path string) (err error) {
|
| 20 |
+ // if the engine is running in a user namespace we need to use actual chroot |
|
| 21 |
+ if rsystem.RunningInUserNS() {
|
|
| 22 |
+ return realChroot(path) |
|
| 23 |
+ } |
|
| 20 | 24 |
if err := syscall.Unshare(syscall.CLONE_NEWNS); err != nil {
|
| 21 | 25 |
return fmt.Errorf("Error creating mount namespace before pivot: %v", err)
|
| 22 | 26 |
} |
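Review bot: The doc comment above `chroot` still promises pivot_root semantics ("Old root is removed after the call to pivot_root so it is no longer available under the new root"), but the new early return at `if rsystem.RunningInUserNS()` hands off to `realChroot(path)`, where that guarantee does not apply. I would extend the doc comment with something like `// When running inside a user namespace it falls back to realChroot; the old root is then not unmounted, so isolation rests on chroot alone.` `realChroot` is not part of this diff, so it is worth confirming that it changes directory into the new root after the chroot call, since a plain chroot that keeps the old working directory does not confine relative paths. The body of `chroot` continues past the end of the hunk.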