@cyphar cyphar commented May 26, 2022

Backport of #3451.

@cyphar cyphar marked this pull request as ready for review May 26, 2022 22:57
@cyphar cyphar added the backport/1.1-pr A backport PR to release-1.1 label May 26, 2022
@cyphar cyphar added this to the 1.1.3 milestone May 26, 2022
The CAP_CHECKPOINT_RESTORE linux capability provides the ability to
update /proc/sys/kernel/ns_last_pid. However, because this file is under
/proc, and by default both K8s and CRI-O specify that /proc/sys should
be mounted as Read-Only, by default even with the capability specified,
a process will not be able to write to ns_last_pid.

To get around this, a pod author can specify a volume mount and a
hostpath to bind-mount /proc/sys/kernel/ns_last_pid. However, runc does
not allow specifying mounts under /proc.

This commit adds /proc/sys/kernel/ns_last_pid to the validProcMounts
string array to enable a pod author to mount ns_last_pid as read-write.
The default remains unchanged; unless explicitly requested as a volume
mount, ns_last_pid will remain read-only regardless of whether or not
CAP_CHECKPOINT_RESTORE is specified.

Signed-off-by: Irwin D'Souza <[email protected]>
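The mount rule the commit message describes, written out as an added Go example. This is not runc's own code and does not reproduce its validProcMounts list: the function names, the Mount type, the fstype handling and the two list entries beside /proc/sys/kernel/ns_last_pid are constructed for illustration. It shows why the change is narrow: a destination under /proc passes only on an exact match, so allow-listing ns_last_pid grants nothing for /proc/sys/kernel or /proc/sys, and the decision does not look at capabilities at all, which is why ns_last_pid stays read-only unless the mount is requested explicitly.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// allowedProcMounts is an illustrative allow-list of files under /proc that a
// container config may mount over. The ns_last_pid entry is the one the
// backported commit adds; the other two are constructed for this example and
// are not copied from runc's validProcMounts.
var allowedProcMounts = []string{
	"/proc/cpuinfo",
	"/proc/meminfo",
	"/proc/sys/kernel/ns_last_pid",
}

// ErrInsideProc is returned for a destination under /proc that is not on the
// allow-list.
var ErrInsideProc = errors.New("mount destination is inside /proc and not allow-listed")

// CheckProcMount applies the rule the commit message describes to one mount:
// destinations outside /proc pass; /proc itself may only be covered by a
// procfs; any other destination under /proc must match the allow-list
// exactly. dest is the container-relative destination; the caller is assumed
// to have resolved symlinks already, since a symlink pointing into /proc
// would otherwise slip past the prefix test.
func CheckProcMount(dest, fstype string) error {
	if !filepath.IsAbs(dest) {
		return fmt.Errorf("mount destination %q is not absolute", dest)
	}
	dest = filepath.Clean(dest)

	rel, err := filepath.Rel("/proc", dest)
	if err != nil {
		return err
	}
	// "..", "../etc", ...: the destination is not under /proc at all.
	if rel == ".." || strings.HasPrefix(rel, "../") {
		return nil
	}
	// Mounting directly on /proc is only acceptable for a procfs.
	if rel == "." {
		if fstype == "proc" {
			return nil
		}
		return fmt.Errorf("only a procfs may be mounted on /proc, got fstype %q", fstype)
	}
	// Exact match only: allowing /proc/sys/kernel/ns_last_pid does not allow
	// /proc/sys/kernel or /proc/sys, and no prefix of a list entry is accepted.
	for _, allowed := range allowedProcMounts {
		if dest == allowed {
			return nil
		}
	}
	return fmt.Errorf("%w: %q", ErrInsideProc, dest)
}

// Mount is the subset of an OCI mount entry this example looks at.
type Mount struct {
	Destination string
	Type        string
	Options     []string
}

// ValidateMounts runs CheckProcMount over a whole mount list and returns the
// first rejection, the way a config validator would.
func ValidateMounts(mounts []Mount) error {
	for _, m := range mounts {
		if err := CheckProcMount(m.Destination, m.Type); err != nil {
			return fmt.Errorf("invalid mount %q: %w", m.Destination, err)
		}
	}
	return nil
}

func main() {
	// Constructed sample configs: the first is the pod shape the commit
	// message describes (procfs on /proc plus a read-write bind-mount of
	// ns_last_pid); the second asks for the parent directory and is rejected.
	accepted := []Mount{
		{Destination: "/proc", Type: "proc"},
		{Destination: "/proc/sys/kernel/ns_last_pid", Type: "bind", Options: []string{"rbind", "rw"}},
		{Destination: "/etc/hosts", Type: "bind", Options: []string{"rbind", "ro"}},
	}
	rejected := []Mount{
		{Destination: "/proc/sys/kernel", Type: "bind", Options: []string{"rbind", "rw"}},
	}
	fmt.Println("ns_last_pid config:", ValidateMounts(accepted))
	fmt.Println("kernel dir config:", ValidateMounts(rejected))
}
```

The check is deliberately independent of the mount options: whether the bind-mount is requested read-write or read-only is the pod author's choice, and the validator's only job is to decide whether that path under /proc may be a mount target at all.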
@kolyshkin kolyshkin left a comment

LGTM

@AkihiroSuda AkihiroSuda merged commit 131222d into opencontainers:release-1.1 May 27, 2022
@kolyshkin kolyshkin mentioned this pull request May 27, 2022
@cyphar cyphar deleted the 1.1-ns_last_pid branch May 27, 2022 02:16