nspawn: Stop overmounting /sys and /proc when a user namespace is used #40815
Draft
daandemeyer wants to merge 1 commit into systemd:main from
Conversation
When the container runs in a user namespace, we don't need to protect /proc and /sys by overmounting things. In fact this is actively harmful as it prevents nested systemd-nspawn from working as to mount procfs and sysfs in a container it cannot be overmounted or the kernel will refuse the mount. To make nesting possible, let's stop overmounting parts of /proc and /sys when user namespaces are in use.
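The description turns on one observable condition: mounts stacked on subtrees of /proc or /sys in the outer container. The following is an added example, not code from this PR or from systemd, that parses mountinfo(5) text and lists exactly those stacked mounts, so an operator can see in advance what a nested procfs/sysfs mount would have to hide. The mountinfo excerpt is constructed for the example (a read-only bind of /proc/sys, /proc/kcore masked with a device node, a cgroup2 mount under /sys); reading the live /proc/self/mountinfo is left to the caller, and the function names are this example's own.

```c
#include <stdio.h>
#include <string.h>

#define MAX_MOUNTS 64
#define PATH_LEN   256

/* Constructed mountinfo excerpt (not captured from a real system): a
 * container whose /proc/sys is bind-mounted read-only, whose /proc/kcore is
 * masked with a device node, and whose /sys carries a cgroup2 mount. */
static const char *SAMPLE_MOUNTINFO =
        "100 1 0:60 / / rw,relatime - overlay overlay rw\n"
        "101 100 0:61 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw\n"
        "102 101 0:61 /sys /proc/sys ro,nosuid,nodev,noexec,relatime - proc proc rw\n"
        "103 101 0:5 /null /proc/kcore rw,nosuid - devtmpfs devtmpfs rw\n"
        "104 100 0:62 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs rw\n"
        "105 104 0:63 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime - cgroup2 cgroup2 rw\n"
        "106 100 0:64 / /tmp rw,nosuid,nodev - tmpfs tmpfs rw\n";

/* The mountinfo fields this check needs. */
typedef struct {
        int id;
        int parent;
        char mountpoint[PATH_LEN];
        char fstype[32];
} Mount;

/* Parse one mountinfo line (see mountinfo(5)):
 *   ID PARENT MAJ:MIN ROOT MOUNTPOINT OPTS [optional fields] - FSTYPE SOURCE SUPEROPTS
 * Octal escapes such as \040 in paths are not decoded. Returns 0 on success,
 * -1 if the line is malformed. */
static int parse_mountinfo_line(const char *line, Mount *m) {
        char majmin[32], root[PATH_LEN];
        int consumed = 0;

        if (sscanf(line, "%d %d %31s %255s %255s %n",
                   &m->id, &m->parent, majmin, root, m->mountpoint, &consumed) != 5)
                return -1;

        /* Optional fields run until a lone "-"; the filesystem type follows it. */
        const char *sep = strstr(line + consumed, " - ");
        if (!sep)
                return -1;
        return sscanf(sep + 3, "%31s", m->fstype) == 1 ? 0 : -1;
}

/* 1 if path is strictly below base, e.g. "/proc/sys" below "/proc". */
static int path_is_below(const char *path, const char *base) {
        size_t n = strlen(base);
        return strncmp(path, base, n) == 0 && path[n] == '/';
}

/* Collect the mount points stacked on subtrees of base ("/proc" or "/sys"):
 * the overmounts the PR description says keep a nested procfs/sysfs mount from
 * being created. Writes up to max entries of "MOUNTPOINT (FSTYPE)" into out
 * and returns the total number found. */
static size_t find_overmounts(const char *mountinfo, const char *base,
                              char out[][PATH_LEN], size_t max) {
        size_t found = 0;
        const char *p = mountinfo;

        while (*p) {
                const char *nl = strchr(p, '\n');
                size_t len = nl ? (size_t)(nl - p) : strlen(p);
                char line[512];
                Mount m;

                if (len >= sizeof line)
                        len = sizeof line - 1;
                memcpy(line, p, len);
                line[len] = '\0';
                p = nl ? nl + 1 : p + len;

                if (parse_mountinfo_line(line, &m) < 0)
                        continue;
                if (!path_is_below(m.mountpoint, base))
                        continue;
                if (found < max)
                        snprintf(out[found], PATH_LEN, "%s (%s)", m.mountpoint, m.fstype);
                found++;
        }
        return found;
}

/* Convenience wrappers over the constructed sample. */
size_t sample_overmount_count(const char *base) {
        char hits[MAX_MOUNTS][PATH_LEN];
        return find_overmounts(SAMPLE_MOUNTINFO, base, hits, MAX_MOUNTS);
}

const char *sample_overmount(const char *base, size_t i) {
        static char hits[MAX_MOUNTS][PATH_LEN];
        size_t n = find_overmounts(SAMPLE_MOUNTINFO, base, hits, MAX_MOUNTS);
        return i < n ? hits[i] : "";
}

int main(void) {
        const char *bases[] = { "/proc", "/sys" };

        for (size_t b = 0; b < 2; b++) {
                size_t n = sample_overmount_count(bases[b]);
                printf("%s: %zu stacked mount(s)\n", bases[b], n);
                for (size_t i = 0; i < n; i++)
                        printf("  %s\n", sample_overmount(bases[b], i));
        }
        return 0;
}
```

Against a live system, feed the contents of /proc/self/mountinfo to find_overmounts() from inside the container: anything it reports under /proc or /sys is a mount that was placed there by the outer nspawn and that, per the description, a nested instance cannot cover with its own procfs or sysfs mount.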
YHNdnzj reviewed Feb 25, 2026
Diff excerpt the comment refers to:

```c
                return true;

        r = namespace_is_init(NAMESPACE_USER);
        if (r < 0 && !IN_SET(r, -EBADR, -ENOSYS))
```
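Review bot: tolerating -EBADR and -ENOSYS here lets the result of namespace_is_init(NAMESPACE_USER) fall through without the visible lines showing which way the decision then goes, and this value is what decides whether the protective overmounts on /proc and /sys are skipped. The fallback for "cannot determine" should be the conservative one (treat it as not being in a user namespace and keep overmounting), and the IN_SET() line should say so, e.g. `/* Cannot tell; keep the protective mounts in place. */`, with a log_debug_errno() for the swallowed error so a silently dropped hardening step is at least visible in debug logs.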
Member
how could this return EBADR? it's our internal struct data after all