Merge pull request #818 from Random-Liu/cherrypick-#816

Random-Liu · web-flow · commit 164ac36534e8 · 2018-06-15T15:48:07.000-07:00
Fix double /dev/shm mount.
diff --git a/pkg/server/container_create.go b/pkg/server/container_create.go
@@ -777,6 +777,10 @@ func defaultRuntimeSpec(id string) (*runtimespec.Spec, error) {
 		if mount.Destination == "/run" {
 			continue
 		}
+		// CRI plugin handles `/dev/shm` itself.
+		if mount.Destination == "/dev/shm" {
+			continue
+		}
 		mounts = append(mounts, mount)
 	}
 	spec.Mounts = mounts
diff --git a/pkg/server/sandbox_run.go b/pkg/server/sandbox_run.go
@@ -388,6 +388,14 @@ func (c *criService) generateSandboxContainerSpec(id string, config *runtime.Pod
 		g.RemoveLinuxNamespace(string(runtimespec.IPCNamespace)) // nolint: errcheck
 	}
 
+	// It's fine to generate the spec before the sandbox /dev/shm
+	// is actually created.
+	sandboxDevShm := c.getSandboxDevShm(id)
+	if nsOptions.GetIpc() == runtime.NamespaceMode_NODE {
+		sandboxDevShm = devShm
+	}
+	g.AddBindMount(sandboxDevShm, devShm, []string{"rbind", "ro"})
+
 	selinuxOpt := securityContext.GetSelinuxOptions()
 	processLabel, mountLabel, err := initSelinuxOpts(selinuxOpt)
 	if err != nil {

Original file line number	Diff line number	Diff line change
`@@ -777,6 +777,10 @@ func defaultRuntimeSpec(id string) (*runtimespec.Spec, error) {`
`777`	`777`	`if mount.Destination == "/run" {`
`778`	`778`	`continue`
`779`	`779`	`}`
	`780`	+ // CRI plugin handles `/dev/shm` itself.
	`781`	`+ if mount.Destination == "/dev/shm" {`
	`782`	`+ continue`
	`783`	`+ }`
`780`	`784`	`mounts = append(mounts, mount)`
`781`	`785`	`}`
`782`	`786`	`spec.Mounts = mounts`