@@ -35,6 +35,7 @@ import (
3535 "github.com/moby/sys/mountinfo"
3636 "golang.org/x/sys/unix"
3737
38+ libcontaineruserns "github.com/opencontainers/runc/libcontainer/userns"
3839 "k8s.io/klog/v2"
3940 utilexec "k8s.io/utils/exec"
4041)
@@ -113,7 +114,7 @@ func (mounter *Mounter) hasSystemd() bool {
113114
114115// Map unix.Statfs mount flags ro, nodev, noexec, nosuid, noatime, relatime,
115116// nodiratime to mount option flag strings.
116- func getBindMountOptions (path string , statfs func (path string , buf * unix.Statfs_t ) (err error )) ([]string , error ) {
117+ func getUserNSBindMountOptions (path string , statfs func (path string , buf * unix.Statfs_t ) (err error )) ([]string , error ) {
117118 var s unix.Statfs_t
118119 var mountOpts []string
119120 if err := statfs (path , & s ); err != nil {
@@ -136,23 +137,32 @@ func getBindMountOptions(path string, statfs func(path string, buf *unix.Statfs_
136137 return mountOpts , nil
137138}
138139
139- // Performs a bind mount with the specified options, and then remounts
140- // the mount point with the same `nodev`, `nosuid`, `noexec`, `nosuid`, `noatime`,
141- // `relatime`, `nodiratime` options as the original mount point.
140+ // Do a bind mount including the needed remount for applying the bind opts.
141+ // If the remount fails and we are running in a user namespace
142+ // figure out if the source filesystem has the ro, nodev, noexec, nosuid,
143+ // noatime, relatime or nodiratime flag set and try another remount with the found flags.
142144func (mounter * Mounter ) bindMountSensitive (mounterPath string , mountCmd string , source string , target string , fstype string , bindOpts []string , bindRemountOpts []string , bindRemountOptsSensitive []string , mountFlags []string , systemdMountRequired bool ) error {
143- err := mounter .doMount (mounterPath , mountCmd , source , target , fstype , bindOpts , bindRemountOptsSensitive , mountFlags , systemdMountRequired )
145+ err := mounter .doMount (mounterPath , defaultMountCommand , source , target , fstype , bindOpts , bindRemountOptsSensitive , mountFlags , systemdMountRequired )
144146 if err != nil {
145147 return err
146148 }
147- // Check if the source has ro, nodev, noexec, nosuid, noatime, relatime,
148- // nodiratime flag...
149- fixMountOpts , err := getBindMountOptions (source , unix .Statfs )
150- if err != nil {
151- return & os.PathError {Op : "statfs" , Path : source , Err : err }
149+ err = mounter .doMount (mounterPath , defaultMountCommand , source , target , fstype , bindRemountOpts , bindRemountOptsSensitive , mountFlags , systemdMountRequired )
150+ if libcontaineruserns .RunningInUserNS () {
151+ if err == nil {
152+ return nil
153+ }
154+ // Check if the source has ro, nodev, noexec, nosuid, noatime, relatime,
155+ // nodiratime flag...
156+ fixMountOpts , err := getUserNSBindMountOptions (source , unix .Statfs )
157+ if err != nil {
158+ return & os.PathError {Op : "statfs" , Path : source , Err : err }
159+ }
160+ // ... and retry the mount with flags found above.
161+ bindRemountOpts = append (bindRemountOpts , fixMountOpts ... )
162+ return mounter .doMount (mounterPath , defaultMountCommand , source , target , fstype , bindRemountOpts , bindRemountOptsSensitive , mountFlags , systemdMountRequired )
163+ } else {
164+ return err
152165 }
153- // ... and retry the mount with flags found above.
154- bindRemountOpts = append (bindRemountOpts , fixMountOpts ... )
155- return mounter .doMount (mounterPath , mountCmd , source , target , fstype , bindRemountOpts , bindRemountOptsSensitive , mountFlags , systemdMountRequired )
156166}
157167
158168// Mount mounts source to target as fstype with given options. 'source' and 'fstype' must
0 commit comments