Linux recently added the OPEN_TREE_NAMESPACE option to the open_tree() syscall which does two things:
- Combines unshare(CLONE_NEWNS) and pivot_root() into a single syscall rather than two
- Only clones submounts within the specified new rootfs, reducing the need to recursively umount the old rootfs during container setup.
The benefit of the first point is unclear for crun, as it looks like its unshare and pivot_root logic sits in separate areas; however, the second point could potentially reduce the amount of setup crun needs to do, as well as taking the load off the kernel in needlessly copying lots of mounts that are destined to be umounted immediately.
afaik OPEN_TREE_NAMESPACE is only in Linux 7.0, so it is quite early to support.