[pull] main from containerd:main

go.mod

@@ -59,7 +59,7 @@ require (
 	github.com/opencontainers/selinux v1.13.1
 	github.com/pelletier/go-toml/v2 v2.2.4
 	github.com/prometheus/client_golang v1.23.2
-	github.com/sirupsen/logrus v1.9.3
+	github.com/sirupsen/logrus v1.9.4
 	github.com/stretchr/testify v1.11.1
 	github.com/tchap/go-patricia/v2 v2.3.3
 	github.com/urfave/cli/v2 v2.27.7

go.sum

@@ -307,8 +307,8 @@ github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQD
 github.com/sasha-s/go-deadlock v0.3.5 h1:tNCOEEDG6tBqrNDOX35j/7hL5FcFViG6awUGROb2NsU=
 github.com/sasha-s/go-deadlock v0.3.5/go.mod h1:bugP6EGbdGYObIlx7pUZtWqlvo8k9H6vCBBsiChJQ5U=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
-github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
-github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/sirupsen/logrus v1.9.4 h1:TsZE7l11zFCLZnZ+teH4Umoq5BhEIfIzfRDZ1Uzql2w=
+github.com/sirupsen/logrus v1.9.4/go.mod h1:ftWc9WdOfJ0a92nsE2jF5u5ZwH8Bv2zdeOC42RjbV2g=
 github.com/smallstep/pkcs7 v0.1.1 h1:x+rPdt2W088V9Vkjho4KtoggyktZJlMduZAtRHm68LU=
 github.com/smallstep/pkcs7 v0.1.1/go.mod h1:dL6j5AIz9GHjVEBTXtW+QliALcgM19RtXaTeyxI+AfA=
 github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
@@ -323,7 +323,6 @@ github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
-github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
@@ -462,7 +461,6 @@ golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

internal/fsmount/fsmount_linux.go

@@ -0,0 +1,150 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package fsmount
+
+import (
+	"fmt"
+	"os"
+	"strings"
+
+	"golang.org/x/sys/unix"
+
+	"github.com/containerd/containerd/v2/core/mount"
+)
+
+var mountAttrFlags = map[string]struct {
+	clear bool
+	flag  int
+}{
+	"ro":            {false, unix.MOUNT_ATTR_RDONLY},
+	"rw":            {true, unix.MOUNT_ATTR_RDONLY},
+	"nosuid":        {false, unix.MOUNT_ATTR_NOSUID},
+	"suid":          {true, unix.MOUNT_ATTR_NOSUID},
+	"nodev":         {false, unix.MOUNT_ATTR_NODEV},
+	"dev":           {true, unix.MOUNT_ATTR_NODEV},
+	"noexec":        {false, unix.MOUNT_ATTR_NOEXEC},
+	"exec":          {true, unix.MOUNT_ATTR_NOEXEC},
+	"noatime":       {false, unix.MOUNT_ATTR_NOATIME},
+	"atime":         {true, unix.MOUNT_ATTR_NOATIME},
+	"nodiratime":    {false, unix.MOUNT_ATTR_NODIRATIME},
+	"diratime":      {true, unix.MOUNT_ATTR_NODIRATIME},
+	"relatime":      {false, unix.MOUNT_ATTR_RELATIME},
+	"norelatime":    {true, unix.MOUNT_ATTR_RELATIME},
+	"strictatime":   {false, unix.MOUNT_ATTR_STRICTATIME},
+	"nostrictatime": {true, unix.MOUNT_ATTR_STRICTATIME},
+}
+
+// Fsopen opens a filesystem context for configuration.
+func Fsopen(fsName string, flags int) (*os.File, error) {
+	flags |= unix.FSOPEN_CLOEXEC
+	fd, err := unix.Fsopen(fsName, flags)
+	if err != nil {
+		return nil, os.NewSyscallError("fsopen "+fsName, err)
+	}
+	return os.NewFile(uintptr(fd), "fscontext:"+fsName), nil
+}
+
+// fsmount creates a mount fd from a filesystem context.
+func fsmount(fsctx *os.File, flags, mountAttrs int) (*os.File, error) {
+	flags |= unix.FSMOUNT_CLOEXEC
+	fd, err := unix.Fsmount(int(fsctx.Fd()), flags, mountAttrs)
+	if err != nil {
+		return nil, os.NewSyscallError("fsmount "+fsctx.Name(), err)
+	}
+	return os.NewFile(uintptr(fd), "fsmount:"+fsctx.Name()), nil
+}
+
+// SupportsFsmount checks if the fsmount syscall is available (Linux 5.2+).
+func SupportsFsmount() bool {
+	fd, err := unix.Fsopen("__nonexistent__", unix.FSOPEN_CLOEXEC)
+	if err == unix.ENOSYS {
+		return false
+	}
+	if fd >= 0 {
+		unix.Close(fd)
+	}
+	return true
+}
+
+// Fsmount mounts the filesystem using the new mount API (fsopen/fsconfig/fsmount/move_mount).
+// This approach avoids the PAGE_SIZE limitation of traditional mount() syscall by setting
+// options individually via fsconfig() instead of passing them as a single string.
+func Fsmount(m mount.Mount, target string) error {
+	fsctx, err := Fsopen(m.Type, 0)
+	if err != nil {
+		return err
+	}
+	defer fsctx.Close()
+
+	// Check if "ro" option is present - must be set before source for read-only loop devices
+	roFlag := false
+	for _, o := range m.Options {
+		if o == "ro" {
+			roFlag = true
+			break
+		}
+	}
+	if roFlag {
+		if err := unix.FsconfigSetFlag(int(fsctx.Fd()), "ro"); err != nil {
+			return fmt.Errorf("failed to set ro flag: %w", err)
+		}
+	}
+
+	if err := unix.FsconfigSetString(int(fsctx.Fd()), "source", m.Source); err != nil {
+		return fmt.Errorf("failed to set source: %w", err)
+	}
+
+	var mountAttrs int
+	for _, o := range m.Options {
+		if f, ok := mountAttrFlags[o]; ok {
+			if f.clear {
+				mountAttrs &^= f.flag
+			} else {
+				mountAttrs |= f.flag
+			}
+			continue
+		}
+
+		// Handle key=value options
+		if key, val, ok := strings.Cut(o, "="); ok {
+			if err := unix.FsconfigSetString(int(fsctx.Fd()), key, val); err != nil {
+				return fmt.Errorf("failed to set string option %s=%s: %w", key, val, err)
+			}
+			continue
+		}
+
+		// Handle filesystem-specific flags
+		if err := unix.FsconfigSetFlag(int(fsctx.Fd()), o); err != nil {
+			return fmt.Errorf("failed to set flag %s: %w", o, err)
+		}
+	}
+
+	if err := unix.FsconfigCreate(int(fsctx.Fd())); err != nil {
+		return fmt.Errorf("failed to create fs: %w", err)
+	}
+
+	mfd, err := fsmount(fsctx, 0, mountAttrs)
+	if err != nil {
+		return fmt.Errorf("failed to fsmount: %w", err)
+	}
+	defer mfd.Close()
+
+	if err := unix.MoveMount(int(mfd.Fd()), "", unix.AT_FDCWD, target, unix.MOVE_MOUNT_F_EMPTY_PATH); err != nil {
+		return fmt.Errorf("failed to move mount: %w", err)
+	}
+	return nil
+}

plugins/mount/erofs/plugin_linux.go

@@ -24,11 +24,13 @@ import (
 	"strings"
 	"time"
 
+	"github.com/containerd/log"
 	"github.com/containerd/platforms"
 	"github.com/containerd/plugin"
 	"github.com/containerd/plugin/registry"
 
 	"github.com/containerd/containerd/v2/core/mount"
+	"github.com/containerd/containerd/v2/internal/fsmount"
 	"github.com/containerd/containerd/v2/plugins"
 	"github.com/containerd/errdefs"
 
@@ -64,7 +66,7 @@ func (erofsMountHandler) Mount(ctx context.Context, m mount.Mount, mp string, _
 	var err error = unix.ENOTBLK
 	if !forceloop {
 		// Try to use file-backed mount feature if available (Linux 6.12+) first
-		err = m.Mount(mp)
+		err = doMount(m, mp)
 	}
 	if errors.Is(err, unix.ENOTBLK) {
 		var loops []*os.File
@@ -96,9 +98,10 @@ func (erofsMountHandler) Mount(ctx context.Context, m mount.Mount, mp string, _
 					return mount.ActiveMount{}, err
 				}
 				m.Options[i] = "device=" + loop.Name()
+				loops = append(loops, loop)
 			}
 		}
-		err = m.Mount(mp)
+		err = doMount(m, mp)
 		if err != nil {
 			return mount.ActiveMount{}, err
 		}
@@ -114,6 +117,18 @@ func (erofsMountHandler) Mount(ctx context.Context, m mount.Mount, mp string, _
 	}, nil
 }
 
+func doMount(m mount.Mount, target string) error {
+	if err := fsmount.Fsmount(m, target); err != nil {
+		// Fall back to traditional mount() if fsmount syscall not available (Linux < 5.2)
+		if errors.Is(err, unix.ENOSYS) {
+			log.L.WithError(err).Debug("fsmount not available, falling back to traditional mount")
+			return m.Mount(target)
+		}
+		return err
+	}
+	return nil
+}
+
 func (erofsMountHandler) Unmount(ctx context.Context, path string) error {
 	return mount.Unmount(path, 0)
 }