linux: add OPEN_TREE_NAMESPACE support

giuseppe · claude · giuseppe · commit 7440a1cecc83 · 2026-05-21T09:58:02.000+02:00
Use open_tree(OPEN_TREE_NAMESPACE) + setns(CLONE_NEWNS) to replace the traditional unshare(CLONE_NEWNS) + bind mount rootfs + pivot_root sequence. OPEN_TREE_NAMESPACE creates a new mount namespace with the rootfs as the root mount. setns() enters that namespace directly, so no bind mount or pivot_root is needed. The kernel automatically sets the process root and cwd to the new namespace's root when the old root is not reachable. On older kernels (< 7.0) or when OPEN_TREE_NAMESPACE is not supported, the code falls back to the traditional path. Closes: #2086 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
diff --git a/src/libcrun/linux.c b/src/libcrun/linux.c
@@ -88,6 +88,10 @@
 #  define OPEN_TREE_CLOEXEC O_CLOEXEC
 #endif
 
+#ifndef OPEN_TREE_NAMESPACE
+#  define OPEN_TREE_NAMESPACE 2
+#endif
+
 #ifndef MOVE_MOUNT_F_EMPTY_PATH
 #  define MOVE_MOUNT_F_EMPTY_PATH 0x00000004
 #endif
@@ -162,6 +166,8 @@ struct private_data_s
   bool maskdir_bind_failed;
   bool maskdir_warned;
   bool joined_mount_ns;
+  bool needs_pivot;
+  bool no_pivot;
 };
 
 struct linux_namespace_s
@@ -940,6 +946,7 @@ fsopen_mount (const char *type, const char *source_name, const char *labeltype,
           if (eq)
             {
               *eq = '\0';
+
               ret = syscall_fsconfig (fsfd, FSCONFIG_SET_STRING, token, eq + 1, 0);
             }
           else
@@ -1496,7 +1503,7 @@ do_mount (libcrun_container_t *container, const char *source, int targetfd,
               }
 
               close_and_reset (&fd);
-              fd = openat (procfd, "self/root", O_PATH | O_CLOEXEC);
+              fd = open (get_private_data (container)->rootfs, O_PATH | O_CLOEXEC);
               if (UNLIKELY (fd < 0))
                 return crun_make_error (err, errno, "reopen rootfs after mount on /");
 
@@ -2696,6 +2703,25 @@ process_single_mount (libcrun_container_t *container, const char *rootfs,
               if (UNLIKELY (ret < 0))
                 return ret;
             }
+
+          if (is_empty_string (target))
+            {
+              cleanup_close int fd = -1;
+
+              fd = open (get_private_data (container)->rootfs, O_PATH | O_CLOEXEC);
+              if (UNLIKELY (fd < 0))
+                return crun_make_error (err, errno, "reopen rootfs after mount on /");
+
+              {
+                int tmp = dup (fd);
+                if (UNLIKELY (tmp < 0))
+                  return crun_make_error (err, errno, "dup");
+
+                TEMP_FAILURE_RETRY (close (get_private_data (container)->rootfsfd));
+                get_private_data (container)->rootfsfd = tmp;
+              }
+            }
+
           mounted = true;
 
           if (is_empty_string (target))
@@ -3154,10 +3180,6 @@ libcrun_set_mounts (struct container_entrypoint_s *entrypoint_args, libcrun_cont
         return ret;
     }
 
-  ret = do_finalize_notify_socket (container, err);
-  if (UNLIKELY (ret < 0))
-    return ret;
-
   if (def->process && def->process->cwd)
     {
       libcrun_error_t tmp_err = NULL;
@@ -3174,25 +3196,6 @@ libcrun_set_mounts (struct container_entrypoint_s *entrypoint_args, libcrun_cont
   return 0;
 }
 
-int
-libcrun_finalize_mounts (struct container_entrypoint_s *entrypoint_args, libcrun_container_t *container, const char *rootfs, libcrun_error_t *err)
-{
-  int ret;
-
-  ret = finalize_mounts (container, err);
-  if (UNLIKELY (ret < 0))
-    return ret;
-
-  // configure handler mounts for phase: HANDLER_CONFIGURE_AFTER_MOUNTS
-  ret = libcrun_container_notify_handler (entrypoint_args, HANDLER_CONFIGURE_AFTER_MOUNTS, container, rootfs, err);
-  if (UNLIKELY (ret < 0))
-    return crun_error_wrap (err, "failed configuring mounts for handler at phase: HANDLER_CONFIGURE_AFTER_MOUNTS");
-
-  close_and_reset (&(get_private_data (container)->rootfsfd));
-
-  return 0;
-}
-
 static int
 umount_or_hide (const char *target, libcrun_error_t *err)
 {
@@ -3250,6 +3253,83 @@ move_root (const char *rootfs, libcrun_error_t *err)
   return 0;
 }
 
+int
+libcrun_finalize_mounts (struct container_entrypoint_s *entrypoint_args, libcrun_container_t *container, const char *rootfs, libcrun_error_t *err)
+{
+  int ret;
+
+  // configure handler mounts for phase: HANDLER_CONFIGURE_AFTER_MOUNTS
+  ret = libcrun_container_notify_handler (entrypoint_args, HANDLER_CONFIGURE_AFTER_MOUNTS, container, rootfs, err);
+  if (UNLIKELY (ret < 0))
+    return crun_error_wrap (err, "failed configuring mounts for handler at phase: HANDLER_CONFIGURE_AFTER_MOUNTS");
+
+  close_and_reset (&(get_private_data (container)->rootfsfd));
+
+  if (get_private_data (container)->needs_pivot)
+    {
+      get_private_data (container)->needs_pivot = false;
+
+      if (get_private_data (container)->no_pivot)
+        {
+          ret = move_root (rootfs, err);
+          if (UNLIKELY (ret < 0))
+            return ret;
+        }
+      else
+        {
+          ret = do_pivot (container, rootfs, err);
+          if (UNLIKELY (ret < 0))
+            return ret;
+        }
+
+      ret = do_mount (container, NULL, -1, "/", NULL,
+                      get_private_data (container)->rootfs_propagation,
+                      NULL, LABEL_MOUNT, err);
+      if (UNLIKELY (ret < 0))
+        return ret;
+
+      ret = chdir ("/");
+      if (UNLIKELY (ret < 0))
+        return crun_make_error (err, errno, "chdir to `/`");
+    }
+
+  ret = do_finalize_notify_socket (container, err);
+  if (UNLIKELY (ret < 0))
+    return ret;
+
+  ret = finalize_mounts (container, err);
+  if (UNLIKELY (ret < 0))
+    return ret;
+
+  return 0;
+}
+
+static int
+maybe_open_tree_namespace (const char *rootfs, int *out_fd, libcrun_error_t *err)
+{
+  cleanup_close int rootfs_fd = -1;
+  int tree_fd;
+
+  *out_fd = -1;
+
+  rootfs_fd = open (rootfs, O_DIRECTORY | O_PATH | O_CLOEXEC);
+  if (UNLIKELY (rootfs_fd < 0))
+    return crun_make_error (err, errno, "open `%s`", rootfs);
+
+  tree_fd = syscall_open_tree (rootfs_fd, "",
+                               OPEN_TREE_NAMESPACE | OPEN_TREE_CLOEXEC
+                                   | AT_EMPTY_PATH | AT_RECURSIVE);
+  if (tree_fd < 0)
+    {
+      if (errno == EINVAL || errno == ENOSYS || errno == EPERM)
+        return 0;
+      return crun_make_error (err, errno, "open_tree `%s`", rootfs);
+    }
+
+  *out_fd = tree_fd;
+  return 0;
+}
+
 static struct libcrun_fd_map *
 get_fd_map (libcrun_container_t *container)
 {
@@ -3317,12 +3397,37 @@ open_mount_of_type (libcrun_container_t *container,
   return mnt_fd;
 }
 
+static bool
+can_use_open_tree_namespace (libcrun_container_t *container)
+{
+  runtime_spec_schema_config_schema *def = container->container_def;
+  struct libcrun_fd_map *mount_fds;
+  bool has_hooks = def->hooks
+                   && (def->hooks->prestart_len || def->hooks->create_runtime_len);
+  bool has_userns = get_private_data (container)->unshare_flags & CLONE_NEWUSER;
+  size_t i;
+
+  if (has_hooks || has_userns)
+    return false;
+
+  mount_fds = get_fd_map (container);
+  for (i = 0; i < def->mounts_len; i++)
+    {
+      if (mount_fds->fds[i] < 0)
+        return false;
+    }
+
+  return true;
+}
+
 static int
 setup_mount_namespace (libcrun_container_t *container, bool no_pivot, char **rootfs, libcrun_error_t *err)
 {
   runtime_spec_schema_config_schema *def = container->container_def;
   unsigned long rootfs_propagation = 0;
+  cleanup_close int tree_fd = -1;
   libcrun_error_t tmp_err = NULL;
+  bool use_open_tree = false;
   size_t i;
   int ret;
 
@@ -3334,25 +3439,6 @@ setup_mount_namespace (libcrun_container_t *container, bool no_pivot, char **roo
 
   get_private_data (container)->rootfs_propagation = rootfs_propagation;
 
-  if (! get_private_data (container)->joined_mount_ns)
-    {
-      ret = unshare (CLONE_NEWNS);
-      if (UNLIKELY (ret < 0))
-        return crun_make_error (err, errno, "unshare `CLONE_NEWNS`");
-    }
-
-  ret = do_mount (container, NULL, -1, "/", NULL, rootfs_propagation, NULL, LABEL_MOUNT, err);
-  if (UNLIKELY (ret < 0))
-    return ret;
-
-  ret = make_parent_mount_private (*rootfs, err);
-  if (UNLIKELY (ret < 0))
-    return ret;
-
-  ret = do_mount (container, *rootfs, -1, *rootfs, NULL, MS_BIND | MS_REC | MS_PRIVATE, NULL, LABEL_MOUNT, err);
-  if (UNLIKELY (ret < 0))
-    return ret;
-
   /* Pre-create mounts and cache paths before pivot_root,
      while the host file system is still reachable.  */
   for (i = 0; i < def->mounts_len; i++)
@@ -3442,6 +3528,65 @@ setup_mount_namespace (libcrun_container_t *container, bool no_pivot, char **roo
       mnt_fd = -1;
     }
 
+  if (! get_private_data (container)->joined_mount_ns
+      && can_use_open_tree_namespace (container))
+    use_open_tree = true;
+
+  if (use_open_tree)
+    {
+      ret = maybe_open_tree_namespace (*rootfs, &tree_fd, err);
+      if (UNLIKELY (ret < 0))
+        return ret;
+    }
+
+  if (tree_fd >= 0)
+    {
+      ret = setns (tree_fd, CLONE_NEWNS);
+      if (UNLIKELY (ret < 0))
+        return crun_make_error (err, errno, "setns `CLONE_NEWNS`");
+
+      ret = mount (NULL, "/", NULL, MS_REMOUNT | MS_BIND, NULL);
+      if (UNLIKELY (ret < 0))
+        return crun_make_error (err, errno, "remount `/`");
+
+      ret = do_mount (container, NULL, -1, "/", NULL, MS_REC | MS_PRIVATE, NULL, LABEL_MOUNT, err);
+      if (UNLIKELY (ret < 0))
+        return ret;
+
+      ret = do_mount (container, NULL, -1, "/", NULL, rootfs_propagation, NULL, LABEL_MOUNT, err);
+      if (UNLIKELY (ret < 0))
+        return ret;
+
+      get_private_data (container)->needs_pivot = false;
+      get_private_data (container)->no_pivot = no_pivot;
+      free (*rootfs);
+      *rootfs = xstrdup ("/");
+    }
+  else
+    {
+      if (! get_private_data (container)->joined_mount_ns)
+        {
+          ret = unshare (CLONE_NEWNS);
+          if (UNLIKELY (ret < 0))
+            return crun_make_error (err, errno, "unshare `CLONE_NEWNS`");
+        }
+
+      ret = do_mount (container, NULL, -1, "/", NULL, rootfs_propagation, NULL, LABEL_MOUNT, err);
+      if (UNLIKELY (ret < 0))
+        return ret;
+
+      ret = make_parent_mount_private (*rootfs, err);
+      if (UNLIKELY (ret < 0))
+        return ret;
+
+      ret = do_mount (container, *rootfs, -1, *rootfs, NULL, MS_BIND | MS_REC | MS_PRIVATE, NULL, LABEL_MOUNT, err);
+      if (UNLIKELY (ret < 0))
+        return ret;
+
+      get_private_data (container)->needs_pivot = true;
+      get_private_data (container)->no_pivot = no_pivot;
+    }
+
   /* Mount everything before pivot_root while host paths are still reachable.
      Use the pre-created fd when available, fall back to mount().  */
   ret = open (*rootfs, O_PATH | O_CLOEXEC);
@@ -3533,23 +3678,6 @@ setup_mount_namespace (libcrun_container_t *container, bool no_pivot, char **roo
       get_private_data (container)->maskdir_bind_failed = true;
     }
 
-  if (no_pivot)
-    {
-      ret = move_root (*rootfs, err);
-      if (UNLIKELY (ret < 0))
-        return ret;
-    }
-  else
-    {
-      ret = do_pivot (container, *rootfs, err);
-      if (UNLIKELY (ret < 0))
-        return ret;
-    }
-
-  ret = do_mount (container, NULL, -1, "/", NULL, rootfs_propagation, NULL, LABEL_MOUNT, err);
-  if (UNLIKELY (ret < 0))
-    return ret;
-
   return 0;
 }
 
@@ -3566,20 +3694,30 @@ libcrun_do_pivot_root (libcrun_container_t *container, bool no_pivot, char **roo
       ret = setup_mount_namespace (container, no_pivot, rootfs, err);
       if (UNLIKELY (ret < 0))
         return ret;
+
+      /* If setup_mount_namespace used OPEN_TREE_NAMESPACE, rootfs is
+         already set to "/".  Otherwise pivot_root is deferred until
+         after the mounts are created.  */
+      if (strcmp (*rootfs, "/") == 0)
+        {
+          ret = chdir ("/");
+          if (UNLIKELY (ret < 0))
+            return crun_make_error (err, errno, "chdir to `/`");
+        }
     }
   else
     {
       ret = chroot (*rootfs);
       if (UNLIKELY (ret < 0))
         return crun_make_error (err, errno, "chroot to `%s`", *rootfs);
-    }
 
-  ret = chdir ("/");
-  if (UNLIKELY (ret < 0))
-    return crun_make_error (err, errno, "chdir to `/`");
+      ret = chdir ("/");
+      if (UNLIKELY (ret < 0))
+        return crun_make_error (err, errno, "chdir to `/`");
 
-  free (*rootfs);
-  *rootfs = xstrdup ("/");
+      free (*rootfs);
+      *rootfs = xstrdup ("/");
+    }
 
   return 0;
 }
@@ -5175,7 +5313,6 @@ prepare_and_send_mount_mounts (libcrun_container_t *container, pid_t pid, int sy
           if (propagation == 0)
             propagation = MS_PRIVATE;
 
-          /* If the bind mount failed, do not fail here, but attempt to create it from within the container.  */
           mount_fd = get_bind_mount (-1, def->mounts[i]->source, recursive, false, nofollow, propagation, err);
           if (UNLIKELY (mount_fd < 0))
             crun_error_release (err);
