mirror of
https://github.com/docker/cli.git
synced 2026-01-18 08:21:31 +03:00
Instead of keeping all the old mounts in the container namespace and just using subtree as root we pivot_root so that the actual root in the namespace is the root we want, and then we unmount the previous mounts.

This has multiple advantages:

* The namespace mount tree is smaller (in the kernel)
* If you break out of the chroot you could previously access the host filesystem. Now the host filesystem is fully invisible to the namespace.
* We get rid of all unrelated mounts from the parent namespace, which means we don't hog these. This is important if we later switch to MS_PRIVATE instead of MS_SLAVE as otherwise these mounts would be impossible to unmount from the parent namespace.

Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
Upstream-commit: 5b5c884cc8266d0c2a56da0bc2df14cc9d5d85e8
Component: engine
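The sequence the commit describes (enter a fresh mount namespace, mark it MS_SLAVE, pivot_root onto the prepared rootfs, then detach the old root so the host tree is unreachable) as an added illustration in C. This is not code from the commit or from the Docker engine; the function names `pivot_into`, `count_mount_lines` and `count_own_mounts` are mine, the rootfs directory passed as the only argument is assumed to already exist, and the pivot itself needs CAP_SYS_ADMIN on Linux. The mount-count helpers are there so the "mount tree is smaller" point can be measured rather than asserted.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <limits.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Count entries in a /proc/self/mountinfo-style buffer: one mount per line.
 * Pure helper, so the size of the mount tree can be compared before/after. */
int count_mount_lines(const char *mountinfo)
{
    int lines = 0, in_line = 0;
    for (const char *p = mountinfo; *p; p++) {
        if (*p == '\n') { lines += in_line; in_line = 0; }
        else            { in_line = 1; }
    }
    return lines + in_line; /* a final line without '\n' still counts */
}

/* Number of mounts visible in the calling mount namespace, or -errno. */
int count_own_mounts(void)
{
    FILE *f = fopen("/proc/self/mountinfo", "r");
    if (!f)
        return -errno;
    char line[4096];
    int n = 0;
    while (fgets(line, sizeof line, f))
        if (strchr(line, '\n'))
            n++;
    fclose(f);
    return n;
}

/* glibc ships no wrapper for pivot_root(2); invoke the syscall directly. */
static int do_pivot_root(const char *new_root, const char *put_old)
{
    return (int)syscall(SYS_pivot_root, new_root, put_old);
}

/* Make new_root the root of a new mount namespace and detach the previous
 * root, as the commit describes. Returns 0 or -errno. Needs CAP_SYS_ADMIN. */
int pivot_into(const char *new_root)
{
    char put_old[PATH_MAX];

    if (!new_root || new_root[0] != '/')
        return -EINVAL;                 /* pivot_root wants an absolute path */
    if (unshare(CLONE_NEWNS) != 0)
        return -errno;
    /* MS_SLAVE: receive mount events from the parent, never send any back */
    if (mount(NULL, "/", NULL, MS_REC | MS_SLAVE, NULL) != 0)
        return -errno;
    /* pivot_root requires new_root to be a mount point: bind it onto itself */
    if (mount(new_root, new_root, NULL, MS_BIND | MS_REC, NULL) != 0)
        return -errno;
    if (snprintf(put_old, sizeof put_old, "%s/.pivot_old", new_root) >= (int)sizeof put_old)
        return -ENAMETOOLONG;
    if (mkdir(put_old, 0700) != 0 && errno != EEXIST)
        return -errno;
    if (do_pivot_root(new_root, put_old) != 0)
        return -errno;
    if (chdir("/") != 0)
        return -errno;
    /* Detach the old root: the parent namespace's mounts disappear from this
     * namespace, so escaping the chroot no longer exposes the host filesystem. */
    if (umount2("/.pivot_old", MNT_DETACH) != 0)
        return -errno;
    rmdir("/.pivot_old");
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s /absolute/path/to/rootfs\n", argv[0]);
        return 2;
    }
    int before = count_own_mounts();
    int rc = pivot_into(argv[1]);
    if (rc != 0) {
        fprintf(stderr, "pivot_into: %s\n", strerror(-rc));
        return 1;
    }
    int after = count_own_mounts();  /* only works if the rootfs carries a /proc mount */
    if (after < 0)
        printf("mounts before pivot: %d, after: (no /proc in new root)\n", before);
    else
        printf("mounts before pivot: %d, after: %d\n", before, after);
    printf("old root still reachable: %s\n", access("/.pivot_old", F_OK) == 0 ? "yes" : "no");
    return 0;
}
```

Run as root against a directory holding a minimal rootfs (for example one unpacked from an image tarball); the "after" count is the mount tree of the new namespace alone, and the old root check should print "no". The bind-mount of new_root onto itself is the step people most often forget: pivot_root(2) refuses a new_root that is not a mount point.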