diff --git a/8561.patch b/8561.patch
new file mode 100644
index 0000000..2a1fd76
--- /dev/null
+++ b/8561.patch
@@ -0,0 +1,77 @@
+From 95c45773d7dbca2880152de681c81f0a2afec99b Mon Sep 17 00:00:00 2001
+From: Matthew Heon
+Date: Wed, 2 Dec 2020 15:01:46 -0500
+Subject: [PATCH] Do not mount sysfs as rootless in more cases
+
+We can't mount sysfs as rootless unless we manage the network
+namespace. Problem: slirp4netns is now creating and managing a
+network namespace separate from the OCI runtime, so we can't
+mount sysfs in many circumstances. The `crun` OCI runtime will
+automatically handle this by falling back to a bind mount, but
+`runc` will not, so we didn't notice until RHEL gating tests ran
+on the new branch.
+
+Signed-off-by: Matthew Heon
+---
+ pkg/specgen/generate/oci.go | 2 +-
+ test/e2e/run_memory_test.go | 6 +++---
+ test/e2e/run_test.go | 2 +-
+ 3 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/pkg/specgen/generate/oci.go b/pkg/specgen/generate/oci.go
+index 8454458a8a..9649873fd1 100644
+--- a/pkg/specgen/generate/oci.go
++++ b/pkg/specgen/generate/oci.go
+@@ -165,7 +165,7 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt
+ inUserNS = true
+ }
+ }
+- if inUserNS && s.NetNS.IsHost() {
++ if inUserNS && s.NetNS.NSMode != specgen.NoNetwork {
+ canMountSys = false
+ }
+
+diff --git a/test/e2e/run_memory_test.go b/test/e2e/run_memory_test.go
+index b3913c1e62..ad3a2b54fd 100644
+--- a/test/e2e/run_memory_test.go
++++ b/test/e2e/run_memory_test.go
+@@ -38,7 +38,7 @@ var _ = Describe("Podman run memory", func() {
+ var session *PodmanSessionIntegration
+
+ if CGROUPSV2 {
+- session = podmanTest.Podman([]string{"run", "--memory=40m", ALPINE, "sh", "-c", "cat /sys/fs/cgroup/$(sed -e 's|0::||' < /proc/self/cgroup)/memory.max"})
++ session = podmanTest.Podman([]string{"run", "--memory=40m", "--net=none", ALPINE, "sh", "-c", "cat /sys/fs/cgroup/$(sed -e 's|0::||' < /proc/self/cgroup)/memory.max"})
+ } else {
+ session = podmanTest.Podman([]string{"run", "--memory=40m", ALPINE, "cat", "/sys/fs/cgroup/memory/memory.limit_in_bytes"})
+ }
+@@ -55,7 +55,7 @@ var _ = Describe("Podman run memory", func() {
+ var session *PodmanSessionIntegration
+
+ if CGROUPSV2 {
+- session = podmanTest.Podman([]string{"run", "--memory-reservation=40m", ALPINE, "sh", "-c", "cat /sys/fs/cgroup/$(sed -e 's|0::||' < /proc/self/cgroup)/memory.low"})
++ session = podmanTest.Podman([]string{"run", "--memory-reservation=40m", "--net=none", ALPINE, "sh", "-c", "cat /sys/fs/cgroup/$(sed -e 's|0::||' < /proc/self/cgroup)/memory.low"})
+ } else {
+ session = podmanTest.Podman([]string{"run", "--memory-reservation=40m", ALPINE, "cat", "/sys/fs/cgroup/memory/memory.soft_limit_in_bytes"})
+ }
+@@ -81,7 +81,7 @@ var _ = Describe("Podman run memory", func() {
+ var session *PodmanSessionIntegration
+
+ if CGROUPSV2 {
+- session = podmanTest.Podman([]string{"run", "--memory-reservation=40m", ALPINE, "sh", "-c", "cat /sys/fs/cgroup/$(sed -e 's|0::||' < /proc/self/cgroup)/memory.low"})
++ session = podmanTest.Podman([]string{"run", "--net=none", "--memory-reservation=40m", ALPINE, "sh", "-c", "cat /sys/fs/cgroup/$(sed -e 's|0::||' < /proc/self/cgroup)/memory.low"})
+ } else {
+ session = podmanTest.Podman([]string{"run", "--memory-reservation=40m", ALPINE, "cat", "/sys/fs/cgroup/memory/memory.soft_limit_in_bytes"})
+ }
+diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
+index 0d65a3e596..5831bb2f9f 100644
+--- a/test/e2e/run_test.go
++++ b/test/e2e/run_test.go
+@@ -1267,7 +1267,7 @@ USER mail`
+ It("podman run verify pids-limit", func() {
+ SkipIfCgroupV1("pids-limit not supported on cgroup V1")
+ limit := "4321"
+- session := podmanTest.Podman([]string{"run", "--pids-limit", limit, "--rm", ALPINE, "cat", "/sys/fs/cgroup/pids.max"})
++ session := podmanTest.Podman([]string{"run", "--pids-limit", limit, "--net=none", "--rm", ALPINE, "cat", "/sys/fs/cgroup/pids.max"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.OutputToString()).To(ContainSubstring(limit))
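Review bot: The new condition in SpecGenToOCI, `inUserNS && s.NetNS.NSMode != specgen.NoNetwork`, carries no comment explaining why every network mode except none now loses the sysfs mount; that reasoning lives only in the commit message. I would add above it something like `// In a user namespace sysfs can only be mounted when the runtime owns the netns; slirp4netns manages its own, so only NoNetwork is safe.` What the function does when `canMountSys` is false lies outside this hunk; if it is a bind mount of the host's /sys, as the commit message describes for crun, then rootless containers with default networking would see the host's sysfs view rather than one scoped to their own network namespace, and the comment should say so. The e2e edits add `--net=none` only to the cgroup v2 branches of the memory tests and to the pids-limit test, so the default-network rootless path that this commit changes is no longer exercised by these tests; a case that runs without `--net=none` and asserts the expected /sys behaviour would cover it.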