Revert "mount: allow bind-mounting a file to a file" #225
This reverts commit 3993009.
That commit would create directories and files as needed, following the original which would create directories as needed.
Both this commit and the original, with MkdirAll, were a mistake, because different users, at different times, could conflict.
E.g., an ubuntu container might have a directory named /etc/ssh/x, and an alpine container might have a file named /etc/ssh/x, and in each case, with this code, one would modify the local root in a way which would break the other one. Since we now routinely run different docker images on the same node at the same time, this modification, and the original code, are unacceptable.
Should you need a file named, e.g., /etc/resolv.conf, that you can bind over, there are a few options:
o modify the initramfs to include /etc/resolv.conf, and bind over that
o append a cpio with the desired contents of the initramfs to use on boot
o run a cpu command which sets up the desired directory structure. Recall that one can omit /etc from the namespace of a cpu command, allowing one to modify the node's /etc; or, /etc should be visible in /tmp/local/etc. I.e., /tmp/cpu/local has the local file system; or, you can have a simple statically linked program which does the work, and run a cpu with a minimal namespace to set that up.
It's a shame that this is so complex, but it goes back to Linux's not very good design for private namespaces. Linux private namespaces are a bit of a hack on top of mount, whereas Plan 9's namespaces are implemented via a namespace walking mechanism in the kernel.
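The conflict the commit message describes, replayed in a throwaway directory as an added example (this is not cpu's code, and `prepareMountPoint` / `simulateSharedNode` are hypothetical names): one image asks for /etc/ssh/x as a directory, the next asks for it as a file, and because the first request already shaped the shared host root, the second cannot be satisfied. The difference from the reverted code is that the mismatch is reported as a typed error instead of being left for the bind mount to trip over later.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// ErrTypeConflict is returned when the host root already holds an entry at
// the requested mount point whose type (file vs directory) differs from what
// the current image needs.
var ErrTypeConflict = errors.New("mount point exists with conflicting type")

// prepareMountPoint mimics the reverted behaviour of creating whatever the
// image needs (a directory or an empty file) under root so that a bind mount
// could later be placed over it. Unlike a bare MkdirAll, it refuses when a
// previous image has already created the path with the other type.
// Hypothetical helper, not part of the cpu project.
func prepareMountPoint(root, rel string, wantDir bool) error {
	target := filepath.Join(root, rel)
	fi, err := os.Lstat(target)
	switch {
	case err == nil:
		if fi.IsDir() != wantDir {
			return fmt.Errorf("%s: %w (is dir=%v, want dir=%v)",
				target, ErrTypeConflict, fi.IsDir(), wantDir)
		}
		return nil // already shaped the way this image wants it
	case !errors.Is(err, os.ErrNotExist):
		return err
	}
	if wantDir {
		return os.MkdirAll(target, 0o755)
	}
	if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
		return err
	}
	f, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY, 0o644)
	if err != nil {
		return err
	}
	return f.Close()
}

// simulateSharedNode replays the scenario from the commit message on one
// shared root: an "ubuntu"-style image wants /etc/ssh/x as a directory, an
// "alpine"-style image wants the same path as a file. It returns the error
// the second image hits (nil only if both requests could be satisfied).
func simulateSharedNode(root string) error {
	if err := prepareMountPoint(root, "etc/ssh/x", true); err != nil {
		return err
	}
	return prepareMountPoint(root, "etc/ssh/x", false)
}

func main() {
	// Constructed scratch root standing in for the node's local file system.
	root, err := os.MkdirTemp("", "cpu-root-")
	if err != nil {
		fmt.Println("mkdtemp:", err)
		os.Exit(1)
	}
	defer os.RemoveAll(root)
	if err := simulateSharedNode(root); err != nil {
		fmt.Println("second image cannot mount:", err)
	}
}
```

Running it prints the conflict for /etc/ssh/x; the same check passes when both images agree on the type, which is exactly why the commit message argues the host-side creation must not happen at all rather than be made slightly smarter.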