Skip to content

Allow update-ldcache hook to work when pivot-root is not supported#1174

Merged
elezar merged 1 commit intoNVIDIA:mainfrom
elezar:no-pivot-root
Nov 20, 2025
Merged

Allow update-ldcache hook to work when pivot-root is not supported#1174
elezar merged 1 commit intoNVIDIA:mainfrom
elezar:no-pivot-root

Conversation

@elezar
Copy link
Member

@elezar elezar commented Jul 2, 2025

The changes made to run the update-ldcache hook in an isolated namespace were implemented using a pivot_root. This is, however, not supported in all use cases -- most notably in kata-containers where runc is typically invoked with the --no-pivot option.

This change attempts to detect when pivot_root is not supported and use the same move mount operation as implemented by runc in this case.

@elezar elezar self-assigned this Jul 2, 2025
@coveralls
Copy link

coveralls commented Jul 2, 2025
edited
Loading

Pull Request Test Coverage Report for Build 16070359030

Details

  • 0 of 128 (0.0%) changed or added relevant lines in 4 files are covered.
  • 3 unchanged lines in 3 files lost coverage.
  • Overall coverage decreased (-0.2%) to 32.903%
Changes Missing Coverage Covered Lines Changed/Added Lines %
cmd/nvidia-cdi-hook/create-soname-symlinks/soname-symlinks.go 0 2 0.0%
cmd/nvidia-cdi-hook/update-ldcache/update-ldcache.go 0 2 0.0%
internal/ldconfig/ldconfig.go 0 57 0.0%
internal/ldconfig/ldconfig_linux.go 0 67 0.0%
Files with Coverage Reduction New Missed Lines %
cmd/nvidia-cdi-hook/create-soname-symlinks/soname-symlinks.go 1 0.0%
cmd/nvidia-cdi-hook/update-ldcache/update-ldcache.go 1 0.0%
internal/ldconfig/ldconfig.go 1 0.0%
Totals Coverage Status
Change from base Build 16054869452: -0.2%
Covered Lines: 4381
Relevant Lines: 13315
💛 - Coveralls

This comment was marked as outdated.

Sign in to view

ArangoGutierrez
ArangoGutierrez requested changes Jul 2, 2025
View reviewed changes
@elezar elezar requested a review from ArangoGutierrez July 4, 2025 11:40
@elezar elezar mentioned this pull request Jul 7, 2025
Closed
ArangoGutierrez
ArangoGutierrez reviewed Jul 8, 2025
View reviewed changes
Copy link
Collaborator

@ArangoGutierrez ArangoGutierrez left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM - Just 2 NIT's

internal/ldconfig/ldconfig_linux.go Outdated
Comment on lines +104 to +105
// msMoveRoot is used
// filesystem, and everything else is cleaned up.
Copy link
Collaborator

@ArangoGutierrez ArangoGutierrez Jul 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: Can we enhance this comment?

Copilot AI reviewed Aug 12, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR implements a fallback mechanism for the update-ldcache hook to work in environments where pivot_root is not supported (e.g., kata-containers with --no-pivot option). The changes detect when pivot_root is unavailable and use an alternative move mount operation similar to runc's implementation.

Key changes:

  • Added pivot_root support detection by checking if the root filesystem is mounted as "rootfs"
  • Implemented msMoveRoot as an alternative to pivot_root using move mount operations
  • Refactored the ldconfig API to use flag-based argument parsing instead of positional parameters

Reviewed Changes

Copilot reviewed 5 out of 104 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
internal/ldconfig/ldconfig.go Refactored constructor to use flag parsing, added pivot_root detection logic
internal/ldconfig/ldconfig_linux.go Added msMoveRoot implementation, improved mountProc security
internal/ldconfig/ldconfig_other.go Added stub msMoveRoot function for non-Linux platforms
cmd/nvidia-cdi-hook/update-ldcache/update-ldcache.go Updated to use new ldconfig constructor API
cmd/nvidia-cdi-hook/create-soname-symlinks/soname-symlinks.go Updated to use new ldconfig constructor API

@elezar
Copy link
Member Author

elezar commented Aug 20, 2025

Note that the following is related: moby/moby#50755 (comment)

@elezar elezar mentioned this pull request Nov 3, 2025
Closed
@elezar elezar added this to the v1.19.0 milestone Nov 18, 2025
zvonkok
zvonkok approved these changes Nov 20, 2025
View reviewed changes
Copy link

@zvonkok zvonkok left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, tested on latest Kata release.

@elezar
Allow update-ldcache to work when pivot-root is not supported
241743c 
This change updates the update-ldcache logic to use an alternative to
pivot-root when this is not supported. This includes cases where the
root filesystem is in a ramfs (e.g. when running from the kata-agent).

Signed-off-by: Evan Lezar <elezar@nvidia.com>
@elezar elezar merged commit 0a0b6a7 into NVIDIA:main Nov 20, 2025
8 checks passed
@elezar elezar deleted the no-pivot-root branch November 20, 2025 21:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@zvonkok zvonkok zvonkok approved these changes

@ArangoGutierrez ArangoGutierrez ArangoGutierrez approved these changes

Assignees

@elezar elezar

Labels

None yet

Projects

None yet

Milestone

v1.19.0

Development

Successfully merging this pull request may close these issues.

5 participants

@elezar @coveralls @zvonkok @ArangoGutierrez