runsc: create a new proc mount if the sandbox process is running in a new pidns
PiperOrigin-RevId: 229971902 Change-Id: Ief4fac731e839ef092175908de9375d725eaa3aa
This commit is contained in:
parent
8d7c10e908
commit
c063a1350f
|
@ -75,6 +75,9 @@ type Boot struct {
|
||||||
|
|
||||||
// startSyncFD is the file descriptor to synchronize runsc and sandbox.
|
// startSyncFD is the file descriptor to synchronize runsc and sandbox.
|
||||||
startSyncFD int
|
startSyncFD int
|
||||||
|
|
||||||
|
// pidns is set if the sanadbox is in its own pid namespace.
|
||||||
|
pidns bool
|
||||||
}
|
}
|
||||||
|
|
||||||
// Name implements subcommands.Command.Name.
|
// Name implements subcommands.Command.Name.
|
||||||
|
@ -103,6 +106,7 @@ func (b *Boot) SetFlags(f *flag.FlagSet) {
|
||||||
f.BoolVar(&b.console, "console", false, "set to true if the sandbox should allow terminal ioctl(2) syscalls")
|
f.BoolVar(&b.console, "console", false, "set to true if the sandbox should allow terminal ioctl(2) syscalls")
|
||||||
f.BoolVar(&b.applyCaps, "apply-caps", false, "if true, apply capabilities defined in the spec to the process")
|
f.BoolVar(&b.applyCaps, "apply-caps", false, "if true, apply capabilities defined in the spec to the process")
|
||||||
f.BoolVar(&b.setUpRoot, "setup-root", false, "if true, set up an empty root for the process")
|
f.BoolVar(&b.setUpRoot, "setup-root", false, "if true, set up an empty root for the process")
|
||||||
|
f.BoolVar(&b.pidns, "pidns", false, "if true, the sandbox is in its own PID namespace")
|
||||||
f.IntVar(&b.cpuNum, "cpu-num", 0, "number of CPUs to create inside the sandbox")
|
f.IntVar(&b.cpuNum, "cpu-num", 0, "number of CPUs to create inside the sandbox")
|
||||||
f.Uint64Var(&b.totalMem, "total-memory", 0, "sets the initial amount of total memory to report back to the container")
|
f.Uint64Var(&b.totalMem, "total-memory", 0, "sets the initial amount of total memory to report back to the container")
|
||||||
f.IntVar(&b.userLogFD, "user-log-fd", 0, "file descriptor to write user logs to. 0 means no logging.")
|
f.IntVar(&b.userLogFD, "user-log-fd", 0, "file descriptor to write user logs to. 0 means no logging.")
|
||||||
|
@ -121,7 +125,7 @@ func (b *Boot) Execute(_ context.Context, f *flag.FlagSet, args ...interface{})
|
||||||
debug.SetTraceback("all")
|
debug.SetTraceback("all")
|
||||||
|
|
||||||
if b.setUpRoot {
|
if b.setUpRoot {
|
||||||
if err := setUpChroot(); err != nil {
|
if err := setUpChroot(b.pidns); err != nil {
|
||||||
Fatalf("error setting up chroot: %v", err)
|
Fatalf("error setting up chroot: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -42,7 +42,7 @@ func mountInChroot(chroot, src, dst, typ string, flags uint32) error {
|
||||||
|
|
||||||
// setUpChroot creates an empty directory with runsc mounted at /runsc and proc
|
// setUpChroot creates an empty directory with runsc mounted at /runsc and proc
|
||||||
// mounted at /proc.
|
// mounted at /proc.
|
||||||
func setUpChroot() error {
|
func setUpChroot(pidns bool) error {
|
||||||
// We are a new mount namespace, so we can use /tmp as a directory to
|
// We are a new mount namespace, so we can use /tmp as a directory to
|
||||||
// construct a new root.
|
// construct a new root.
|
||||||
chroot := os.TempDir()
|
chroot := os.TempDir()
|
||||||
|
@ -59,9 +59,16 @@ func setUpChroot() error {
|
||||||
return fmt.Errorf("error mounting tmpfs in choot: %v", err)
|
return fmt.Errorf("error mounting tmpfs in choot: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if pidns {
|
||||||
|
flags := uint32(syscall.MS_NOSUID | syscall.MS_NODEV | syscall.MS_NOEXEC | syscall.MS_RDONLY)
|
||||||
|
if err := mountInChroot(chroot, "proc", "/proc", "proc", flags); err != nil {
|
||||||
|
return fmt.Errorf("error mounting proc in chroot: %v", err)
|
||||||
|
}
|
||||||
|
} else {
|
||||||
if err := mountInChroot(chroot, "/proc", "/proc", "bind", syscall.MS_BIND|syscall.MS_RDONLY|syscall.MS_REC); err != nil {
|
if err := mountInChroot(chroot, "/proc", "/proc", "bind", syscall.MS_BIND|syscall.MS_RDONLY|syscall.MS_REC); err != nil {
|
||||||
return fmt.Errorf("error mounting proc in chroot: %v", err)
|
return fmt.Errorf("error mounting proc in chroot: %v", err)
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if err := mountInChroot(chroot, specutils.ExePath, chrootBinPath, "bind", syscall.MS_BIND|syscall.MS_RDONLY); err != nil {
|
if err := mountInChroot(chroot, specutils.ExePath, chrootBinPath, "bind", syscall.MS_BIND|syscall.MS_RDONLY); err != nil {
|
||||||
return fmt.Errorf("error mounting runsc in chroot: %v", err)
|
return fmt.Errorf("error mounting runsc in chroot: %v", err)
|
||||||
|
|
|
@ -458,6 +458,7 @@ func (s *Sandbox) createSandboxProcess(spec *specs.Spec, conf *boot.Config, bund
|
||||||
} else {
|
} else {
|
||||||
log.Infof("Sandbox will be started in a new PID namespace")
|
log.Infof("Sandbox will be started in a new PID namespace")
|
||||||
nss = append(nss, specs.LinuxNamespace{Type: specs.PIDNamespace})
|
nss = append(nss, specs.LinuxNamespace{Type: specs.PIDNamespace})
|
||||||
|
cmd.Args = append(cmd.Args, "--pidns=true")
|
||||||
}
|
}
|
||||||
|
|
||||||
// Joins the network namespace if network is enabled. the sandbox talks
|
// Joins the network namespace if network is enabled. the sandbox talks
|
||||||
|
|
Loading…
Reference in New Issue