[13.4-stable] better isolation for eve user apps #4420
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add .gitignore file for pkg/pillar directory and include test artifacts and profiling results. Signed-off-by: Paul Gaiduk <[email protected]> (cherry picked from commit d1599b4)
Starting user apps containers by bind mounting xen-tools rootfs doesn't provide sufficient isolation when mounting other files on top of it. Example: when mounting other files on top of xen-tools rootfs, containerd will create stubs for those files in the original rootfs even though it's mounted read-only. To provide better isolation, we need to mount xen-tools rootfs into the container through overlayfs. For this we first create an empty snapshot in containerd which we will use for upper and work directories of the overlayfs. We then mount xen-tools rootfs into the root of the container and the stubs that are created by containerd are now in the snapshot instead of the original rootfs. Since the snapshot is created explicitly by us and protected from being garbage collected we also delete it explicitly when the container is deleted. Signed-off-by: Paul Gaiduk <[email protected]> (cherry picked from commit df0ce58)
ZFS snapshotter is not used in containerd, as the snapshotting for ZFS is done by the ZFS filesystem itself. This commit removes the ZFS snapshotter from the containerd configuration. Signed-off-by: Paul Gaiduk <[email protected]> (cherry picked from commit e352fd2)
europaul
requested review from
OhmSpectator,
rene,
rouming,
deitch and
eriknordmark
as code owners
OhmSpectator
approved these changes
Nov 4, 2024
|
@OhmSpectator let's wait for the Eden tests to finish |
yeah, sure... If they work =( |
|
@OhmSpectator I think the Eden tests are skipped because |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backport of #4304