Merge release-20210309.0-39-g5c4f4ed9e (automated)

2021-03-18 18:17:07 +00:00 · 2021-03-18 18:17:07 +00:00 · d3a3fe04cc
parent 8a3f44a54f 5c4f4ed9eb
commit d3a3fe04cc
5 changed files with 13 additions and 14 deletions
--- a/runsc/boot/controller.go
+++ b/runsc/boot/controller.go
@ -400,7 +400,7 @@ func (cm *containerManager) Restore(o *RestoreOpts, _ *struct{}) error {

 	// Set up the restore environment.
 	ctx := k.SupervisorContext()
-	mntr := newContainerMounter(cm.l.root.spec, cm.l.root.goferFDs, cm.l.k, cm.l.mountHints)
+	mntr := newContainerMounter(cm.l.root.spec, cm.l.root.goferFDs, cm.l.k, cm.l.mountHints, kernel.VFS2Enabled)
 	if kernel.VFS2Enabled {
 		ctx, err = mntr.configureRestore(ctx, cm.l.root.conf)
 		if err != nil {
--- a/runsc/boot/fs.go
+++ b/runsc/boot/fs.go
@ -103,14 +103,14 @@ func addOverlay(ctx context.Context, conf *config.Config, lower *fs.Inode, name

 // compileMounts returns the supported mounts from the mount spec, adding any
 // mandatory mounts that are required by the OCI specification.
-func compileMounts(spec *specs.Spec) []specs.Mount {
+func compileMounts(spec *specs.Spec, vfs2Enabled bool) []specs.Mount {
 	// Keep track of whether proc and sys were mounted.
 	var procMounted, sysMounted, devMounted, devptsMounted bool
 	var mounts []specs.Mount

 	// Mount all submounts from the spec.
 	for _, m := range spec.Mounts {
-		if !specutils.IsSupportedDevMount(m) {
+		if !vfs2Enabled && !specutils.IsVFS1SupportedDevMount(m) {
 			log.Warningf("ignoring dev mount at %q", m.Destination)
 			continue
 		}
@ -572,10 +572,10 @@ type containerMounter struct {
 	hints *podMountHints
 }

-func newContainerMounter(spec *specs.Spec, goferFDs []*fd.FD, k *kernel.Kernel, hints *podMountHints) *containerMounter {
+func newContainerMounter(spec *specs.Spec, goferFDs []*fd.FD, k *kernel.Kernel, hints *podMountHints, vfs2Enabled bool) *containerMounter {
 	return &containerMounter{
 		root:   spec.Root,
-		mounts: compileMounts(spec),
+		mounts: compileMounts(spec, vfs2Enabled),
 		fds:    fdDispenser{fds: goferFDs},
 		k:      k,
 		hints:  hints,
--- a/runsc/boot/loader.go
+++ b/runsc/boot/loader.go
@ -752,7 +752,7 @@ func (l *Loader) createContainerProcess(root bool, cid string, info *containerIn
 	// Setup the child container file system.
 	l.startGoferMonitor(cid, info.goferFDs)

-	mntr := newContainerMounter(info.spec, info.goferFDs, l.k, l.mountHints)
+	mntr := newContainerMounter(info.spec, info.goferFDs, l.k, l.mountHints, kernel.VFS2Enabled)
 	if root {
 		if err := mntr.processHints(info.conf, info.procArgs.Credentials); err != nil {
 			return nil, nil, nil, err
--- a/runsc/cmd/gofer.go
+++ b/runsc/cmd/gofer.go
@ -346,7 +346,7 @@ func setupRootFS(spec *specs.Spec, conf *config.Config) error {
 // creates directories as needed.
 func setupMounts(conf *config.Config, mounts []specs.Mount, root string) error {
 	for _, m := range mounts {
-		if m.Type != "bind" || !specutils.IsSupportedDevMount(m) {
+		if m.Type != "bind" || !specutils.IsVFS1SupportedDevMount(m) {
 			continue
 		}

@ -386,7 +386,7 @@ func setupMounts(conf *config.Config, mounts []specs.Mount, root string) error {
 func resolveMounts(conf *config.Config, mounts []specs.Mount, root string) ([]specs.Mount, error) {
 	cleanMounts := make([]specs.Mount, 0, len(mounts))
 	for _, m := range mounts {
-		if m.Type != "bind" || !specutils.IsSupportedDevMount(m) {
+		if m.Type != "bind" || !specutils.IsVFS1SupportedDevMount(m) {
 			cleanMounts = append(cleanMounts, m)
 			continue
 		}
--- a/runsc/specutils/specutils.go
+++ b/runsc/specutils/specutils.go
@ -334,14 +334,13 @@ func capsFromNames(names []string, skipSet map[linux.Capability]struct{}) (auth.

 // Is9PMount returns true if the given mount can be mounted as an external gofer.
 func Is9PMount(m specs.Mount) bool {
-	return m.Type == "bind" && m.Source != "" && IsSupportedDevMount(m)
+	return m.Type == "bind" && m.Source != "" && IsVFS1SupportedDevMount(m)
 }

-// IsSupportedDevMount returns true if the mount is a supported /dev mount.
-// Only mount that does not conflict with runsc default /dev mount is
-// supported.
-func IsSupportedDevMount(m specs.Mount) bool {
-	// These are devices exist inside sentry. See pkg/sentry/fs/dev/dev.go
+// IsVFS1SupportedDevMount returns true if m.Destination does not specify a
+// path that is hardcoded by VFS1's implementation of /dev.
+func IsVFS1SupportedDevMount(m specs.Mount) bool {
+	// See pkg/sentry/fs/dev/dev.go.
 	var existingDevices = []string{
 		"/dev/fd", "/dev/stdin", "/dev/stdout", "/dev/stderr",
 		"/dev/null", "/dev/zero", "/dev/full", "/dev/random",