Don't bind-mount runsc into a sandbox mntns
PiperOrigin-RevId: 230437407 Change-Id: Id9d8ceeb018aad2fe317407c78c6ee0f4b47aa2b
parent
ceb3dcfb72
commit
5f08f8fd81
|
@ -129,7 +129,6 @@ func (b *Boot) Execute(_ context.Context, f *flag.FlagSet, args ...interface{})
|
||||||
Fatalf("error setting up chroot: %v", err)
|
Fatalf("error setting up chroot: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
specutils.ExePath = "/runsc"
|
|
||||||
if !b.applyCaps {
|
if !b.applyCaps {
|
||||||
// Remove --setup-root arg to call myself.
|
// Remove --setup-root arg to call myself.
|
||||||
var args []string
|
var args []string
|
||||||
|
|
|
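Review bot: With `specutils.ExePath = "/runsc"` removed, the re-exec that this function performs later (through setCapsAndCallSelf, outside the hunk) now depends on ExePath resolving from inside the chroot that setUpChroot has just created, and nothing at this point records that dependency. The test changed in this commit states the chroot contains only /proc, so presumably ExePath is reached through that mount; a comment after the chroot setup would make the assumption explicit, e.g. `// The runsc binary is no longer bind-mounted into the chroot; the re-exec below goes through specutils.ExePath, which must resolve via the /proc mount set up in setUpChroot.` Boot.Execute begins and ends outside the hunk.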
@ -24,10 +24,6 @@ import (
|
||||||
"gvisor.googlesource.com/gvisor/runsc/specutils"
|
"gvisor.googlesource.com/gvisor/runsc/specutils"
|
||||||
)
|
)
|
||||||
|
|
||||||
// chrootBinPath is the location inside the chroot where the runsc binary will
|
|
||||||
// be mounted.
|
|
||||||
const chrootBinPath = "/runsc"
|
|
||||||
|
|
||||||
// mountInChroot creates the destination mount point in the given chroot and
|
// mountInChroot creates the destination mount point in the given chroot and
|
||||||
// mounts the source.
|
// mounts the source.
|
||||||
func mountInChroot(chroot, src, dst, typ string, flags uint32) error {
|
func mountInChroot(chroot, src, dst, typ string, flags uint32) error {
|
||||||
|
@ -70,10 +66,6 @@ func setUpChroot(pidns bool) error {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if err := mountInChroot(chroot, specutils.ExePath, chrootBinPath, "bind", syscall.MS_BIND|syscall.MS_RDONLY); err != nil {
|
|
||||||
return fmt.Errorf("error mounting runsc in chroot: %v", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
if err := os.Chdir(chroot); err != nil {
|
if err := os.Chdir(chroot); err != nil {
|
||||||
return fmt.Errorf("error changing working directory: %v", err)
|
return fmt.Errorf("error changing working directory: %v", err)
|
||||||
}
|
}
|
||||||
|
|
|
@ -80,13 +80,10 @@ func setCapsAndCallSelf(args []string, caps *specs.LinuxCapabilities) error {
|
||||||
if err := applyCaps(caps); err != nil {
|
if err := applyCaps(caps); err != nil {
|
||||||
return fmt.Errorf("applyCaps() failed: %v", err)
|
return fmt.Errorf("applyCaps() failed: %v", err)
|
||||||
}
|
}
|
||||||
binPath, err := specutils.BinPath()
|
binPath := specutils.ExePath
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
log.Infof("Execve %q again, bye!", binPath)
|
log.Infof("Execve %q again, bye!", binPath)
|
||||||
err = syscall.Exec(binPath, args, []string{})
|
err := syscall.Exec(binPath, args, []string{})
|
||||||
return fmt.Errorf("error executing %s: %v", binPath, err)
|
return fmt.Errorf("error executing %s: %v", binPath, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
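Review bot: `binPath := specutils.ExePath` makes the exec target a package-level variable, and with the assignment to it removed from Boot.Execute in this commit it may no longer be written anywhere; if that is the case, fixing ExePath as a const would keep the re-exec target from being altered at runtime. The same `binPath` assignment, "Execve ... again" log line and `syscall.Exec` call appear in callSelfAsNobody in the next hunk, so a small shared helper would avoid the duplication. Since Exec only returns on failure, `err := syscall.Exec(binPath, args, []string{})` followed by the unconditional `return fmt.Errorf(...)` is correct, though `%s` for `binPath` in that message would read more clearly as `%q`.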
@ -105,7 +102,7 @@ func callSelfAsNobody(args []string) error {
|
||||||
return fmt.Errorf("error setting gid: %v", err)
|
return fmt.Errorf("error setting gid: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
binPath := "/runsc"
|
binPath := specutils.ExePath
|
||||||
|
|
||||||
log.Infof("Execve %q again, bye!", binPath)
|
log.Infof("Execve %q again, bye!", binPath)
|
||||||
err := syscall.Exec(binPath, args, []string{})
|
err := syscall.Exec(binPath, args, []string{})
|
||||||
|
|
|
@ -186,10 +186,7 @@ func (ex *Exec) Execute(_ context.Context, f *flag.FlagSet, args ...interface{})
|
||||||
}
|
}
|
||||||
|
|
||||||
func (ex *Exec) execAndWait(waitStatus *syscall.WaitStatus) subcommands.ExitStatus {
|
func (ex *Exec) execAndWait(waitStatus *syscall.WaitStatus) subcommands.ExitStatus {
|
||||||
binPath, err := specutils.BinPath()
|
binPath := specutils.ExePath
|
||||||
if err != nil {
|
|
||||||
Fatalf("getting bin path: %v", err)
|
|
||||||
}
|
|
||||||
var args []string
|
var args []string
|
||||||
|
|
||||||
// The command needs to write a pid file so that execAndWait can tell
|
// The command needs to write a pid file so that execAndWait can tell
|
||||||
|
@ -219,6 +216,7 @@ func (ex *Exec) execAndWait(waitStatus *syscall.WaitStatus) subcommands.ExitStat
|
||||||
}
|
}
|
||||||
|
|
||||||
cmd := exec.Command(binPath, args...)
|
cmd := exec.Command(binPath, args...)
|
||||||
|
cmd.Args[0] = "runsc-exec"
|
||||||
|
|
||||||
// Exec stdio defaults to current process stdio.
|
// Exec stdio defaults to current process stdio.
|
||||||
cmd.Stdin = os.Stdin
|
cmd.Stdin = os.Stdin
|
||||||
|
|
|
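Review bot: `cmd.Args[0] = "runsc-exec"` overrides the argv[0] that exec.Command derives from binPath, but nothing says why; the rationale used to live in the doc comment of the BinPath helper this commit deletes (the process should be listed as runsc rather than exe). A comment such as `// Set argv[0] explicitly so the child is listed as runsc-exec rather than by the basename of binPath.` would preserve it. The same applies to `cmd.Args[0] = "runsc-gofer"` in createGoferProcess. execAndWait begins and ends outside the hunk.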
@ -818,12 +818,10 @@ func (c *Container) createGoferProcess(spec *specs.Spec, conf *boot.Config, bund
|
||||||
args = append(args, fmt.Sprintf("--io-fds=%d", nextFD))
|
args = append(args, fmt.Sprintf("--io-fds=%d", nextFD))
|
||||||
}
|
}
|
||||||
|
|
||||||
binPath, err := specutils.BinPath()
|
binPath := specutils.ExePath
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
cmd := exec.Command(binPath, args...)
|
cmd := exec.Command(binPath, args...)
|
||||||
cmd.ExtraFiles = goferEnds
|
cmd.ExtraFiles = goferEnds
|
||||||
|
cmd.Args[0] = "runsc-gofer"
|
||||||
|
|
||||||
// Enter new namespaces to isolate from the rest of the system. Don't unshare
|
// Enter new namespaces to isolate from the rest of the system. Don't unshare
|
||||||
// cgroup because gofer is added to a cgroup in the caller's namespace.
|
// cgroup because gofer is added to a cgroup in the caller's namespace.
|
||||||
|
|
|
@ -292,10 +292,7 @@ func (s *Sandbox) createSandboxProcess(spec *specs.Spec, conf *boot.Config, bund
|
||||||
// starts at 3 because 0, 1, and 2 are taken by stdin/out/err.
|
// starts at 3 because 0, 1, and 2 are taken by stdin/out/err.
|
||||||
nextFD := 3
|
nextFD := 3
|
||||||
|
|
||||||
binPath, err := specutils.BinPath()
|
binPath := specutils.ExePath
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
cmd := exec.Command(binPath, conf.ToFlags()...)
|
cmd := exec.Command(binPath, conf.ToFlags()...)
|
||||||
cmd.SysProcAttr = &syscall.SysProcAttr{}
|
cmd.SysProcAttr = &syscall.SysProcAttr{}
|
||||||
|
|
||||||
|
|
|
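Review bot: `cmd := exec.Command(binPath, conf.ToFlags()...)` is not followed by a `cmd.Args[0]` override here, unlike execAndWait and createGoferProcess in this commit, so unless one is set later in the function the sandbox process will be listed under the basename of binPath rather than a runsc-prefixed name. If a later assignment exists outside the hunk, a short pointer comment here would help; otherwise an override in the style of the other callers (for example `cmd.Args[0] = "runsc-sandbox"`, a constructed name) right after the Command call would keep them consistent. createSandboxProcess continues outside the hunk.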
@ -315,16 +315,6 @@ func IsSupportedDevMount(m specs.Mount) bool {
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
|
|
||||||
// BinPath returns the real path to self, resolving symbolink links. This is done
|
|
||||||
// to make the process name appears as 'runsc', instead of 'exe'.
|
|
||||||
func BinPath() (string, error) {
|
|
||||||
binPath, err := filepath.EvalSymlinks(ExePath)
|
|
||||||
if err != nil {
|
|
||||||
return "", fmt.Errorf(`error resolving %q symlink: %v`, ExePath, err)
|
|
||||||
}
|
|
||||||
return binPath, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
const (
|
const (
|
||||||
// ContainerdContainerTypeAnnotation is the OCI annotation set by
|
// ContainerdContainerTypeAnnotation is the OCI annotation set by
|
||||||
// containerd to indicate whether the container to create should have
|
// containerd to indicate whether the container to create should have
|
||||||
|
|
|
@ -26,8 +26,6 @@ import (
|
||||||
"os"
|
"os"
|
||||||
"os/exec"
|
"os/exec"
|
||||||
"path/filepath"
|
"path/filepath"
|
||||||
"reflect"
|
|
||||||
"sort"
|
|
||||||
"strconv"
|
"strconv"
|
||||||
"strings"
|
"strings"
|
||||||
"testing"
|
"testing"
|
||||||
|
@ -73,16 +71,13 @@ func TestChroot(t *testing.T) {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatalf("error listing %q: %v", chroot, err)
|
t.Fatalf("error listing %q: %v", chroot, err)
|
||||||
}
|
}
|
||||||
if want, got := 2, len(fi); want != got {
|
if want, got := 1, len(fi); want != got {
|
||||||
t.Fatalf("chroot dir got %d entries, want %d", got, want)
|
t.Fatalf("chroot dir got %d entries, want %d", got, want)
|
||||||
}
|
}
|
||||||
|
|
||||||
// chroot dir is prepared by runsc and should contains only the executable
|
// chroot dir is prepared by runsc and should contains only /proc.
|
||||||
// and /proc.
|
if fi[0].Name() != "proc" {
|
||||||
files := []string{fi[0].Name(), fi[1].Name()}
|
t.Errorf("chroot got children %v, want %v", fi[0].Name(), "proc")
|
||||||
sort.Strings(files)
|
|
||||||
if want := []string{"proc", "runsc"}; !reflect.DeepEqual(files, want) {
|
|
||||||
t.Errorf("chroot got children %v, want %v", files, want)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
d.CleanUp()
|
d.CleanUp()
|
||||||
|
|
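Review bot: The updated comment `// chroot dir is prepared by runsc and should contains only /proc.` carries over the grammatical slip from the old text; `// chroot dir is prepared by runsc and should contain only /proc.` reads correctly. The preceding length check makes the `fi[0].Name()` index safe. TestChroot starts and ends outside the hunk.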