memfd-bind: mention that overlayfs obviates the need for it

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
This commit is contained in:
Aleksa Sarai
2024-11-04 20:47:07 +11:00
parent 9bc42d61bb
commit aa505bfa89
+12 -1
View File
@@ -1,6 +1,15 @@
## memfd-bind ##
`runc` normally has to make a binary copy of itself when constructing a
> **NOTE**: Since runc 1.2.0, runc will now use a private overlayfs mount to
> protect the runc binary. This protection is far more light-weight than
> memfd-bind, and for most users this should obviate the need for `memfd-bind`
> entirely. Rootless containers will still make a memfd copy (unless you are
> using `runc` itself inside a user namespace -- a-la
> [`rootlesskit`][rootlesskit]), but `memfd-bind` is not particularly useful
> for rootless container users anyway (see [Caveats](#Caveats) for more
> details).
`runc` sometimes has to make a binary copy of itself when constructing a
container process in order to defend against certain container runtime attacks
such as CVE-2019-5736.
@@ -38,6 +47,8 @@ much memory usage they can use:
container process setup takes up about 10MB per process spawned inside the
container by runc (both pid1 and `runc exec`).
[rootlesskit]: https://github.com/rootless-containers/rootlesskit
### Caveats ###
There are several downsides with using `memfd-bind` on the `runc` binary: