rootfs: always pivot_root(2) and treat --no-pivot as a fallback

Despite the hardenings we've added to the MS_MOVE+chroot dance over the
years like commit 28a697c ("rootfs: umount all procfs and sysfs
with --no-pivot"), --no-pivot is fundamentally insecure and the primary
reason why people use it (to run containers from initramfs) can now be
done safely with pivot_root(2).

So we should always try to pivot_root(2) and give a warning to the user
that their configuration is insecure if we have to use the --no-pivot
fallback (users should not see this message in practice, because the
primary users that couldn't use pivot_root(2) now can and will
transparently use it if possible).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

Author: cyphar

libcontainer/rootfs_linux.go

@@ -202,10 +202,19 @@ func prepareRootfs(pipe *syncSocket, iConfig *initConfig) (err error) {
 		return err
 	}
 
-	if config.NoPivotRoot {
-		err = msMoveRoot(config.Rootfs)
-	} else if config.Namespaces.Contains(configs.NEWNS) {
+	if config.Namespaces.Contains(configs.NEWNS) {
 		err = pivotRoot(config.Rootfs)
+		if config.NoPivotRoot {
+			logrus.Warnf("--no-pivot is deprecated and may be removed or silently ignored in a future version of runc -- see <TODO> for more details")
+			if err != nil {
+				// Always try to do pivot_root(2) because it's safe, and only fallback
+				// to the unsafe MS_MOVE+chroot(2) dance if pivot_root(2) fails.
+				logrus.Warnf("your container failed to start with pivot_root(2) (%v) -- please open a bug report to let us know about your usecase", err)
+				err = msMoveRoot(config.Rootfs)
+			} else {
+				logrus.Warnf("despite setting --no-pivot, this container successfully started using pivot_root(2) -- consider removing the --no-pivot flag")
+			}
+		}
 	} else {
 		err = chroot()
 	}