Our devices were being created from the parent of the container's init, because we
need to be still outside container context to do it. However, this creates
quite an annoyance, because those bind mounts will show up in the host
/proc/mounts.

Turns out, we don't really need to do it from the root side. We can do it from
the container side provided we do it before we chroot - and then the host side
fs is still visible.

The fact that we join a mount namespace will act to keep those mounts totally
private, and exempt us from cleaning them up.

Signed-off-by: Glauber Costa <glom...@openvz.org>
---
 src/lib/hooks_ct.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/lib/hooks_ct.c b/src/lib/hooks_ct.c
index daa85ed..7bc9814 100644
--- a/src/lib/hooks_ct.c
+++ b/src/lib/hooks_ct.c
@@ -306,6 +306,10 @@ static int _env_create(void *data)
         */
        close(arg->userns_p);
 
+       if (arg->h->can_join_userns) {
+               create_devices(arg->h, arg->veid, arg->res->fs.root);
+       }
+
        ret = ct_chroot(arg->res->fs.root);
        /* Probably means chroot failed */
        if (ret)
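Review bot: the return value of create_devices() is discarded in the new block, while ct_chroot() on the very next line is checked and treated as fatal. Now that the call runs inside the cloned child (after close(arg->userns_p)), any failure to set up the device bind mounts, for instance because the child lacks the privileges the parent had, will go unnoticed and the container will chroot into a tree with missing devices. Suggest capturing the result and bailing out the same way the chroot failure does, e.g. `ret = create_devices(...); if (ret) return ret;` (or whatever error path _env_create uses), so a partial device setup is never silently accepted.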
@@ -438,10 +442,6 @@ static int ct_env_create(struct arg_start *arg)
        }
        arg->userns_p = userns_p[0];
 
-       if (arg->h->can_join_userns) {
-               create_devices(arg->h, arg->veid, arg->res->fs.root);
-       }
-
        ret = clone(_env_create, child_stack, clone_flags, arg);
        close(userns_p[0]);
        if (ret < 0) {
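Review bot: the justification for dropping this block is that the child's mount namespace keeps the bind mounts private and removes the need for cleanup, but clone_flags is built outside the visible hunk. Please confirm in the commit message (or with a comment next to the clone() call) that CLONE_NEWNS is always part of clone_flags when can_join_userns is set; if it is ever absent, the mounts created in the child are still in the host mount namespace, will still show up in the host /proc/mounts, and now also lose the cleanup that the parent-side path implied.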
-- 
1.7.11.7

_______________________________________________
Devel mailing list
Devel@openvz.org
https://lists.openvz.org/mailman/listinfo/devel