On Mon, Jan 17, 2022 at 01:43:52PM +0000, cgel.zte@xxxxxxxxx wrote:
> From: Zhang Yunkai <zhang.yunkai@xxxxxxxxxx>
>
> If using container platforms such as Docker, upon initialization it
> wants to use pivot_root() so that currently mounted devices do not
> propagate to containers. An example of value in this is that
> a USB device connected prior to the creation of a container on the
> host gets disconnected after a container is created; if the
> USB device was mounted on containers, but already removed and
> umounted on the host, the mount point will not go away until all
> containers unmount the USB device.
>
> Another reason for container platforms such as Docker to use pivot_root
> is that upon initialization the net-namespace is mounted under
> /var/run/docker/netns/ on the host by dockerd. Without pivot_root
> Docker must either wait to create the network namespace prior to
> the creation of containers or simply deal with leaking this to each
> container.
>
> pivot_root is supported if the rootfs is an initrd or block device, but
> it's not supported if the rootfs uses an initramfs (tmpfs). This means
> container platforms today must resort to using block devices if
> they want to pivot_root from the rootfs. A workaround to use chroot()
> is not a clean viable option given every container will have a
> duplicate of every mount point on the host.

Sorry if this was already answered.

My understanding is that you have initramfs with docker installed on it
and with one or more container images packed there. And the desire is to
use this initramfs to run docker containers and for that you need to
enable pivot_root for initramfs.

Have you tried packing docker and the containers to a block image that
can be loop-mounted from the initramfs? Then you can chroot to that loop
mounted filesystem and there pivot_root will be available for docker.

> In order to support using container platforms such as Docker on
> all the supported rootfs types we must extend Linux to support
> pivot_root on initramfs as well. This patch does the work to do
> just that.

--
Sincerely yours,
Mike.
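The mechanism under discussion, as an added example that is not part of the patch or of this thread: the program below forks a child, puts it into a fresh user and mount namespace, builds a tmpfs as the new root, calls pivot_root(2) into it and detaches the old root, then reports how many mounts the namespace held before and after. On a block-device or overlay root the count drops to exactly two (the tmpfs root and its /proc), which is the "host mounts do not leak into the container" property the patch description is after; on a pre-patch initramfs root the kernel refuses the pivot and the reported errno says so. Everything here is assumed: the choice of /tmp as the new root, the pipe-based reporting, the status codes, and the fallback to a plain mount namespace when unprivileged user namespaces are unavailable are this example's own, not Docker's or the kernel's.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome of one attempt, sent from the child to the parent over a pipe (constructed layout). */
struct pivot_result {
    int status;        /* 0 = pivoted, 2 = no namespace privileges here, 3 = pivot_root() refused */
    int err;           /* errno for status 3 (EINVAL is what an initramfs root returned pre-patch) */
    int mounts_before; /* mounts visible in the new namespace just before the pivot */
    int mounts_after;  /* mounts visible after the pivot and after detaching the old root */
};

/* glibc ships no wrapper for pivot_root(2), so go through syscall(2). */
static int do_pivot_root(const char *new_root, const char *put_old)
{
    return (int)syscall(SYS_pivot_root, new_root, put_old);
}

static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* One line per mount in /proc/self/mounts; -1 if procfs is not reachable. */
static int count_mounts(void)
{
    FILE *f = fopen("/proc/self/mounts", "r");
    if (!f) return -1;
    int n = 0, c;
    while ((c = fgetc(f)) != EOF) if (c == '\n') n++;
    fclose(f);
    return n;
}

static void child(int fd)
{
    struct pivot_result r = { .status = 2, .err = 0, .mounts_before = -1, .mounts_after = -1 };
    uid_t uid = getuid();   /* captured before unshare: afterwards getuid() reports the overflow id */
    gid_t gid = getgid();
    char map[64];

    /* Preferred: a new user namespace grants CAP_SYS_ADMIN over a new mount namespace.
     * Fallback: a plain mount namespace, which works when we already hold CAP_SYS_ADMIN. */
    int own_userns = unshare(CLONE_NEWUSER | CLONE_NEWNS) == 0;
    if (!own_userns && unshare(CLONE_NEWNS) < 0) goto out;
    if (own_userns) {
        snprintf(map, sizeof map, "0 %u 1", (unsigned)uid);
        if (write_file("/proc/self/setgroups", "deny") < 0 || write_file("/proc/self/uid_map", map) < 0) goto out;
        snprintf(map, sizeof map, "0 %u 1", (unsigned)gid);
        if (write_file("/proc/self/gid_map", map) < 0) goto out;
    }
    /* pivot_root() refuses a shared root, and we do not want events propagating back to the host. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0) goto out;
    /* The new root: an empty tmpfs. procfs must be mounted into it *before* the pivot,
     * because afterwards no visible proc instance remains to satisfy the kernel's check. */
    if (mount("tmpfs", "/tmp", "tmpfs", 0, NULL) < 0) goto out;
    if (mkdir("/tmp/oldroot", 0700) < 0 || mkdir("/tmp/proc", 0555) < 0) goto out;
    if (mount("proc", "/tmp/proc", "proc", MS_NOSUID | MS_NODEV | MS_NOEXEC, NULL) < 0) goto out;

    r.mounts_before = count_mounts();
    if (do_pivot_root("/tmp", "/tmp/oldroot") < 0) { r.status = 3; r.err = errno; goto out; }
    if (chdir("/") < 0) goto out;
    /* Detaching the old root removes every host mount from this namespace in one step. */
    if (umount2("/oldroot", MNT_DETACH) < 0) goto out;
    rmdir("/oldroot");
    r.mounts_after = count_mounts();
    r.status = 0;
out:
    if (write(fd, &r, sizeof r) != sizeof r) _exit(1);
    _exit(0);
}

/* Run the experiment in a child so the caller's own namespaces stay untouched. */
struct pivot_result pivot_root_demo(void)
{
    struct pivot_result r = { .status = -1, .err = 0, .mounts_before = -1, .mounts_after = -1 };
    int p[2];
    if (pipe(p) < 0) return r;
    pid_t pid = fork();
    if (pid == 0) { close(p[0]); child(p[1]); }
    close(p[1]);
    if (pid > 0 && read(p[0], &r, sizeof r) != sizeof r) r.status = -1;
    close(p[0]);
    if (pid > 0) waitpid(pid, NULL, 0);
    return r;
}

/* Invariants that hold whatever this host permits: a successful pivot leaves exactly
 * the tmpfs root and its /proc; a refusal carries a non-zero errno. */
int pivot_result_is_consistent(struct pivot_result r)
{
    switch (r.status) {
    case 0:  return r.mounts_after == 2 && r.mounts_before > r.mounts_after;
    case 2:  return 1;
    case 3:  return r.err != 0;
    default: return 0;
    }
}

int main(void)
{
    struct pivot_result r = pivot_root_demo();
    printf("status=%d errno=%d (%s) mounts before=%d after=%d\n",
           r.status, r.err, r.err ? strerror(r.err) : "ok", r.mounts_before, r.mounts_after);
    return r.status == 0 ? 0 : 1;
}
```

Run it unprivileged on a host that allows unprivileged user namespaces, or as root with CAP_SYS_ADMIN; the Docker default seccomp profile blocks the unshare() call, so inside a stock container it reports status 2 rather than pivoting. The pre-pivot mount of procfs with nosuid,nodev,noexec matters: an unprivileged mount namespace only accepts a new proc instance that is at least as restricted as the one it inherited.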