Skip to content

[release/2.0] Fix userns with container image VOLUME mounts that need copy #12241

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
fuweid merged 2 commits into from
Aug 27, 2025
Merged

[release/2.0] Fix userns with container image VOLUME mounts that need copy #12241

fuweid merged 2 commits into from
Aug 27, 2025

Conversation

@rata
Copy link
Contributor

@rata rata commented Aug 27, 2025

This backports: #12218

Fixes: #11852 in the 2.0 branch

rata added 2 commits August 27, 2025 11:58
@rata
cri: Fix userns with Dockerfile VOLUME mounts that need copy
b855c6e 
If a Dockerfile is using a `VOLUME` directive and the directory exists
in the rootfs, like in this example:

	FROM docker.io/library/alpine:latest
	VOLUME [ "/run" ]

The alpine container image already contains a "/run" directory. This
will force the code in WithVolumes() to copy its  content to the new
volume created for the VOLUME directive. This copies the content as well
as the ownership.

However, as we perform the mounts from the host POV without being inside
a userns, the idmap option will just shift the IDs in ways that will
screw up the ownerships when copied. We should only use the idmap option
when running the container inside a userns, so the ownerships are fine
(the userns will do a shift and the idmap another, to make it all seem
as if there was no UID/GID shift in the first place).

This PR does just that, remove the idmap option from mounts so we copy
the files without any ID transformations. It's simpler and easier to
reason about if we just don't mount with the idmap option here: all
files are copied just fine without ID transformations and ID
transformation is applied via the idmap option at mount time when
running the pod.

Also, note that `VOLUME` directives that refer to directories that don't
exist on the rootfs work fine (`VOLUME [ "/rata" ]` for example), as
there is no copy done in that case so the permissions weren't changed.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
(cherry picked from commit 41953f7)
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
@rata
integration: Add test for directives with userns
3212afc 
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
(cherry picked from commit f0ee598)
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
@github-project-automation github-project-automation bot moved this to Needs Triage in Pull Request Review Aug 27, 2025
@k8s-ci-robot
Copy link

k8s-ci-robot commented Aug 27, 2025

Hi @rata. Thanks for your PR.

I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@dosubot dosubot bot added the area/cri Container Runtime Interface (CRI) label Aug 27, 2025
@rata rata mentioned this pull request Aug 27, 2025
Merged
@github-project-automation github-project-automation bot moved this from Needs Triage to Review In Progress in Pull Request Review Aug 27, 2025
@fuweid fuweid merged commit f98ddc5 into containerd:release/2.0 Aug 27, 2025
53 checks passed
@github-project-automation github-project-automation bot moved this from Review In Progress to Done in Pull Request Review Aug 27, 2025
@rata rata deleted the backport-userns-volume-fixes branch August 28, 2025 07:41
@austinvazquez austinvazquez mentioned this pull request Nov 5, 2025
Merged
@austinvazquez austinvazquez changed the title [release/2.0] Backport userns container image volume with copy-up fixes [release/2.0] Fix userns with container image VOLUME mounts that need copy Nov 5, 2025
mansikulkarni96 added a commit to mansikulkarni96/containerd that referenced this pull request Dec 4, 2025
@mansikulkarni96
Merge tag 'v2.0.7' into pull-v.2.1.0
ae3bb68 
containerd 2.0.7

Welcome to the v2.0.7 release of containerd!

The seventh patch release for containerd 2.0 includes various bug fixes and updates.

* **containerd**
  * [**GHSA-pwhc-rpq9-4c8w**](GHSA-pwhc-rpq9-4c8w)
  * [**GHSA-m6hq-p25p-ffr2**](GHSA-m6hq-p25p-ffr2)

* **runc**
  * [**GHSA-qw9x-cqr3-wc7r**](GHSA-qw9x-cqr3-wc7r)
  * [**GHSA-cgrx-mc8f-2prm**](GHSA-cgrx-mc8f-2prm)
  * [**GHSA-9493-h29p-rfm2**](GHSA-9493-h29p-rfm2)

* **Disable event subscriber during task cleanup** ([containerd#12406](containerd#12406))
* **Add SystemdCgroup to default runtime options** ([containerd#12254](containerd#12254))
* **Fix userns with container image VOLUME mounts that need copy** ([containerd#12241](containerd#12241))

* **Add dial timeout field to hosts toml configuration** ([containerd#12136](containerd#12136))

* **Update runc binary to v1.3.3** ([containerd#12479](containerd#12479))
* **Fix lost container logs from quickly closing io** ([containerd#12376](containerd#12376))
* **Create bootstrap.json with 0644 permission** ([containerd#12184](containerd#12184))
* **Fix pidfd leak in UnshareAfterEnterUserns** ([containerd#12178](containerd#12178))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

* Austin Vazquez
* Phil Estes
* Rodrigo Campos
* Wei Fu
* Akihiro Suda
* Derek McGowan
* Maksym Pavlenko
* ningmingxiao
* Kirtana Ashok
* Akhil Mohan
* Andrew Halaney
* Jin Dong
* Jose Fernandez
* Mike Baynton
* Philip Laine
* Swagat Bora
* wheat2018

<details><summary>56 commits</summary>
<p>

* Prepare release notes for v2.0.7 ([containerd#12482](containerd#12482))
  * [`4931e24f1`](containerd@4931e24) Prepare release notes for v2.0.7
  * [`205bc4f2d`](containerd@205bc4f) Update mailmap
  * [`5f708b76a`](containerd@5f708b7) Merge commit from fork
  * [`8cd112d82`](containerd@8cd112d) Fix directory permissions
  * [`05290b5bc`](containerd@05290b5) Merge commit from fork
  * [`4d1edf4ad`](containerd@4d1edf4) fix goroutine leak of container Attach
* Update runc binary to v1.3.3 ([containerd#12479](containerd#12479))
  * [`b46dc6a67`](containerd@b46dc6a) runc: Update runc binary to v1.3.3
* ci: bump Go 1.24.9; 1.25.3 ([containerd#12361](containerd#12361))
  * [`5e9c82178`](containerd@5e9c821) Update GHA runners to use latest images for basic binaries build
  * [`7f59248dc`](containerd@7f59248) Update GHA runners to use latest image for most jobs
  * [`e1373e8a8`](containerd@e1373e8) ci: bump Go 1.24.9, 1.25.3
  * [`e1a910a6a`](containerd@e1a910a) ci: bump Go 1.24.8; 1.25.2
  * [`fd04b7f17`](containerd@fd04b7f) move exclude-dirs to issues.exclude-dirs
  * [`b49377975`](containerd@b493779) update golangci-lint to v1.64.2
  * [`6e45022a1`](containerd@6e45022) build(deps): bump golangci/golangci-lint-action from 6.3.2 to 6.5.0
  * [`09ce0f2a1`](containerd@09ce0f2) build(deps): bump golangci/golangci-lint-action from 6.2.0 to 6.3.2
  * [`de63a740b`](containerd@de63a74) build(deps): bump golangci/golangci-lint-action from 6.1.1 to 6.2.0
* Fix lost container logs from quickly closing io ([containerd#12376](containerd#12376))
  * [`f953ee8a3`](containerd@f953ee8) bugfix:fix container logs lost because io close too quickly
* CI: update Fedora to 43 ([containerd#12448](containerd#12448))
  * [`f6f15f513`](containerd@f6f15f5) CI: update Fedora to 43
* Disable event subscriber during task cleanup ([containerd#12406](containerd#12406))
  * [`2a2329cbd`](containerd@2a2329c) cri/server/podsandbox: disable event subscriber
* CI: skip ubuntu-24.04-arm on private repos ([containerd#12428](containerd#12428))
  * [`dfb954743`](containerd@dfb9547) CI: skip ubuntu-24.04-arm on private repos
* Remove additional fuzzers from instrumentation repo ([containerd#12420](containerd#12420))
  * [`f6b02f6bb`](containerd@f6b02f6) Remove additional fuzzers from CI
* runc:Update runc binary to v1.3.1 ([containerd#12275](containerd#12275))
  * [`75c13ee3f`](containerd@75c13ee) runc:Update runc binary to v1.3.1
* Add SystemdCgroup to default runtime options ([containerd#12254](containerd#12254))
  * [`427cdd06c`](containerd@427cdd0) add SystemdCgroup to default runtime options
* install-runhcs-shim: fetch target commit instead of tags ([containerd#12255](containerd#12255))
  * [`0b35e19fb`](containerd@0b35e19) install-runhcs-shim: fetch target commit instead of tags
* Fix userns with container image VOLUME mounts that need copy ([containerd#12241](containerd#12241))
  * [`3212afc2f`](containerd@3212afc) integration: Add test for directives with userns
  * [`b855c6e10`](containerd@b855c6e) cri: Fix userns with Dockerfile VOLUME mounts that need copy
* Fix overlayfs issues related to user namespace ([containerd#12223](containerd#12223))
  * [`05c0c99f4`](containerd@05c0c99) core/mount: Retry unmounting idmapped directories
  * [`afdede4ce`](containerd@afdede4) core/mount: Test cleanup of DoPrepareIDMappedOverlay()
  * [`47205f814`](containerd@47205f8) core/mount: Properly cleanup on doPrepareIDMappedOverlay errors
  * [`6f4abd970`](containerd@6f4abd9) core/mount: Don't call nil function on errors
  * [`a2f0d65d7`](containerd@a2f0d65) core/mount: Only idmap once per overlayfs, not per layer
  * [`1c32accd7`](containerd@1c32acc) Make ovl idmap mounts read-only
* ci: bump Go 1.23.12, 1.24.6 ([containerd#12187](containerd#12187))
  * [`9e72e91e6`](containerd@9e72e91) ci: bump Go 1.23.12, 1.24.6
* Create bootstrap.json with 0644 permission ([containerd#12184](containerd#12184))
  * [`009622e04`](containerd@009622e) fix: create bootstrap.json with 0644 permission
* Fix pidfd leak in UnshareAfterEnterUserns ([containerd#12178](containerd#12178))
  * [`5bec0a332`](containerd@5bec0a3) sys: fix pidfd leak in UnshareAfterEnterUserns
* Fix windows test failures ([containerd#12120](containerd#12120))
  * [`2a2488131`](containerd@2a24881) Fix intermittent test failures on Windows CIs
  * [`018470948`](containerd@0184709) Remove WS2025 from CIs due to regression
* Add dial timeout field to hosts toml configuration ([containerd#12136](containerd#12136))
  * [`b50cbbc98`](containerd@b50cbbc) Add dial timeout field to hosts toml configuration
</p>
</details>

This release has no dependency changes

Previous release can be found at [v2.0.6](https://github.com/containerd/containerd/releases/tag/v2.0.6)
* `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`:         ✅Recommended. Dynamically linked with glibc 2.31 (Ubuntu 20.04).
* `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`:  Statically linked. Expected to be used on non-glibc Linux distributions. Not position-independent.

In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases)
and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too.

See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@estesp estesp estesp approved these changes

@fuweid fuweid fuweid approved these changes

Assignees

No one assigned

Labels

area/cri Container Runtime Interface (CRI) impact/changelog needs-ok-to-test size/L

Projects

Pull Request Review
Archived in project

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@rata @k8s-ci-robot @estesp @fuweid @dmcgowan