
fix: reject / as the -v destination in nerdctl run for Docker com…#4954

Open
haytok wants to merge 1 commit into
containerd:mainfrom
haytok:validate-mount-destination-not-root

Conversation


@haytok haytok commented Jun 8, 2026


…patibility

In the current implementation, when specifying `/` as the destination of the
`-v` option in the nerdctl run command, the following error occurs but the
container is created.

```bash
> sudo nerdctl run -d --name nginx -v ./:/ nginx
FATA[0000] failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: unable to apply apparmor profile: apparmor failed to apply profile: open /proc/thread-self/attr/exec: no such file or directory

> sudo nerdctl ps -a
CONTAINER ID    IMAGE                             COMMAND                   CREATED          STATUS     PORTS    NAMES
0f880e0e68f8    docker.io/library/nginx:latest    "/docker-entrypoint.…"    5 seconds ago    Created             nginx
```

However, in the same situation, Docker fails to create the container.

```bash
$ docker run -d --name stop -v ./:/ nginx
docker: Error response from daemon: invalid volume specification: '/Users/haytok/workspace:/': invalid mount config for type "bind": invalid specification: destination can't be '/'

$ docker ps -a
CONTAINER ID   IMAGE     COMMAND   CREATED   STATUS    PORTS     NAMES
```

Therefore, this commit fixes the behavior so that the container creation
fails when `/` is specified as the destination of the `-v` option for
compatibility with Docker.

Signed-off-by: Hayato Kiwata <dev@haytok.jp>
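The check the commit message describes, as an added example that is neither nerdctl's nor Docker's own code: it parses a `-v src:dst[:opts]` argument, and refuses a bind mount whose destination names the container root before any container is created, so the failure surfaces as a CLI validation error rather than a runtime error after a `Created` container has been left behind. It goes beyond the page in one respect: the destination is path-cleaned first, so `/.`, `//` and `/data/..` are rejected alongside a literal `/`. The type and function names (`volumeSpec`, `parseVolumeSpec`, `validateDestination`, `validateVolumeSpec`) are assumptions for this example, and it assumes Linux-style paths (a `C:\` source would split on the drive colon).

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// Added example, not nerdctl's or Docker's own code. The error text mirrors
// the Docker message quoted in the PR so the two tools fail the same way.
var errRootDestination = errors.New(
	`invalid mount config for type "bind": invalid specification: destination can't be '/'`)

// volumeSpec is the parsed form of one "-v src:dst[:opts]" argument.
// (Hypothetical type for this example.)
type volumeSpec struct {
	Source      string
	Destination string
	Options     []string
}

// parseVolumeSpec splits a -v argument into its fields. It deliberately does
// not resolve the source on the host, so the example runs anywhere.
func parseVolumeSpec(spec string) (volumeSpec, error) {
	parts := strings.Split(spec, ":")
	switch len(parts) {
	case 1:
		// Anonymous volume: only a destination was given.
		return volumeSpec{Destination: parts[0]}, nil
	case 2:
		return volumeSpec{Source: parts[0], Destination: parts[1]}, nil
	case 3:
		return volumeSpec{Source: parts[0], Destination: parts[1],
			Options: strings.Split(parts[2], ",")}, nil
	}
	return volumeSpec{}, fmt.Errorf("invalid volume specification: %q: too many fields", spec)
}

// validateDestination rejects destinations that are empty, relative, or that
// resolve to the container root after cleaning. Cleaning first matters:
// "/.", "//" and "/data/.." all name "/" and would pass an exact string
// comparison against "/".
func validateDestination(dst string) error {
	if dst == "" {
		return errors.New("empty destination")
	}
	if !path.IsAbs(dst) {
		return fmt.Errorf("destination %q must be absolute", dst)
	}
	if path.Clean(dst) == "/" {
		return errRootDestination
	}
	return nil
}

// validateVolumeSpec is what a CLI would call for each -v argument before
// building the OCI spec; a non-nil error means no container is created.
func validateVolumeSpec(spec string) error {
	vs, err := parseVolumeSpec(spec)
	if err != nil {
		return err
	}
	if err := validateDestination(vs.Destination); err != nil {
		return fmt.Errorf("invalid volume specification: %q: %w", spec, err)
	}
	return nil
}

func main() {
	// Constructed inputs: the PR's "./:/" case plus a few neighbours.
	for _, spec := range []string{"./:/", "./:/data", "/host:/data/..",
		"/host:/usr/share/nginx/html:ro", "./:data"} {
		if err := validateVolumeSpec(spec); err != nil {
			fmt.Printf("reject %-34q %v\n", spec, err)
		} else {
			fmt.Printf("accept %-34q\n", spec)
		}
	}
}
```

Because the root check runs on the cleaned path and the error is wrapped with `%w`, a caller can still distinguish the root-destination case with `errors.Is` and report it with the same wording Docker uses.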