With #4434, our `pivot_root(2)` code now works for the primary use case for `--no-pivot`, and so `--no-pivot` is now deprecated unless we find some new use cases that were not apparent before. `pivot_root(2)` is far more secure than `chroot(2)` (even with the hardenings we've added over the years).
Known users of `--no-pivot`:
If you found this issue from a warning printed by runc, please let us know more about your use case in this issue (in particular, why do you use `--no-pivot` and does runc 1.2 without `--no-pivot` work for your use case?).