*: allow to not use pivot_root
runc has a `--no-pivot` flag, which uses MS_MOVE instead of pivot_root. This patch set bubbles up a runtime config option to enable no-pivot globally. Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
This commit is contained in:
parent
0ff3580f05
commit
d6a44bf111
5 changed files with 29 additions and 2 deletions
|
@ -77,6 +77,9 @@ runtime_untrusted_workload = "{{ .RuntimeUntrustedWorkload }}"
|
||||||
# container runtime for all containers.
|
# container runtime for all containers.
|
||||||
default_workload_trust = "{{ .DefaultWorkloadTrust }}"
|
default_workload_trust = "{{ .DefaultWorkloadTrust }}"
|
||||||
|
|
||||||
|
# no_pivot instructs the runtime to not use pivot_root, but instead use MS_MOVE
|
||||||
|
no_pivot = {{ .NoPivot }}
|
||||||
|
|
||||||
# conmon is the path to conmon binary, used for managing the runtime.
|
# conmon is the path to conmon binary, used for managing the runtime.
|
||||||
conmon = "{{ .Conmon }}"
|
conmon = "{{ .Conmon }}"
|
||||||
|
|
||||||
|
|
|
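Review bot: The new `no_pivot` comment in this hunk names the mechanism but not the trade-off or the scope: runc documents `--no-pivot` as skipping the pivot_root jail and as intended for a rootfs on a ramdisk, and this setting applies to every container the daemon starts, not only the ones that need it. I would extend it to `# no_pivot instructs the runtime to not use pivot_root, but instead use MS_MOVE.` followed by `# This applies to every container; leave it false unless the rootfs is on a ramdisk.` and state the default. The same wording belongs on the `NoPivot` field comment of `RuntimeConfig` in the Go hunk further down, so the two stay in sync.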
@ -104,6 +104,7 @@ static char *opt_runtime_path = NULL;
|
||||||
static char *opt_bundle_path = NULL;
|
static char *opt_bundle_path = NULL;
|
||||||
static char *opt_pid_file = NULL;
|
static char *opt_pid_file = NULL;
|
||||||
static bool opt_systemd_cgroup = false;
|
static bool opt_systemd_cgroup = false;
|
||||||
|
static bool opt_no_pivot = false;
|
||||||
static char *opt_exec_process_spec = NULL;
|
static char *opt_exec_process_spec = NULL;
|
||||||
static bool opt_exec = false;
|
static bool opt_exec = false;
|
||||||
static char *opt_log_path = NULL;
|
static char *opt_log_path = NULL;
|
||||||
|
@ -117,6 +118,7 @@ static GOptionEntry opt_entries[] =
|
||||||
{ "cid", 'c', 0, G_OPTION_ARG_STRING, &opt_cid, "Container ID", NULL },
|
{ "cid", 'c', 0, G_OPTION_ARG_STRING, &opt_cid, "Container ID", NULL },
|
||||||
{ "cuuid", 'u', 0, G_OPTION_ARG_STRING, &opt_cuuid, "Container UUID", NULL },
|
{ "cuuid", 'u', 0, G_OPTION_ARG_STRING, &opt_cuuid, "Container UUID", NULL },
|
||||||
{ "runtime", 'r', 0, G_OPTION_ARG_STRING, &opt_runtime_path, "Runtime path", NULL },
|
{ "runtime", 'r', 0, G_OPTION_ARG_STRING, &opt_runtime_path, "Runtime path", NULL },
|
||||||
|
{ "no-pivot", 0, 0, G_OPTION_ARG_NONE, &opt_no_pivot, "do not use pivot_root", NULL },
|
||||||
{ "bundle", 'b', 0, G_OPTION_ARG_STRING, &opt_bundle_path, "Bundle path", NULL },
|
{ "bundle", 'b', 0, G_OPTION_ARG_STRING, &opt_bundle_path, "Bundle path", NULL },
|
||||||
{ "pidfile", 'p', 0, G_OPTION_ARG_STRING, &opt_pid_file, "PID file", NULL },
|
{ "pidfile", 'p', 0, G_OPTION_ARG_STRING, &opt_pid_file, "PID file", NULL },
|
||||||
{ "systemd-cgroup", 's', 0, G_OPTION_ARG_NONE, &opt_systemd_cgroup, "Enable systemd cgroup manager", NULL },
|
{ "systemd-cgroup", 's', 0, G_OPTION_ARG_NONE, &opt_systemd_cgroup, "Enable systemd cgroup manager", NULL },
|
||||||
|
@ -1265,6 +1267,12 @@ int main(int argc, char *argv[])
|
||||||
NULL);
|
NULL);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (!opt_exec && opt_no_pivot) {
|
||||||
|
add_argv(runtime_argv,
|
||||||
|
"--no-pivot",
|
||||||
|
NULL);
|
||||||
|
}
|
||||||
|
|
||||||
if (csname != NULL) {
|
if (csname != NULL) {
|
||||||
add_argv(runtime_argv,
|
add_argv(runtime_argv,
|
||||||
"--console-socket", csname,
|
"--console-socket", csname,
|
||||||
|
|
|
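Review bot: The help text of the new `no-pivot` entry in `opt_entries`, `"do not use pivot_root"`, describes what the runtime does rather than what conmon does, which is only to forward the flag, and nothing in the `main` hunk says why the forwarding is skipped for exec. I would change the help string to `"Pass --no-pivot to the runtime on create"` and put `/* only forward on create; exec presumably does not take --no-pivot */` above the `if (!opt_exec && opt_no_pivot)` guard. `main` starts and ends outside this hunk.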
@ -118,6 +118,9 @@ type RuntimeConfig struct {
|
||||||
// container runtime for all containers.
|
// container runtime for all containers.
|
||||||
DefaultWorkloadTrust string `toml:"default_workload_trust"`
|
DefaultWorkloadTrust string `toml:"default_workload_trust"`
|
||||||
|
|
||||||
|
// NoPivot instructs the runtime to not use `pivot_root`, but instead use `MS_MOVE`
|
||||||
|
NoPivot bool `toml:"no_pivot"`
|
||||||
|
|
||||||
// Conmon is the path to conmon binary, used for managing the runtime.
|
// Conmon is the path to conmon binary, used for managing the runtime.
|
||||||
Conmon string `toml:"conmon"`
|
Conmon string `toml:"conmon"`
|
||||||
|
|
||||||
|
|
|
@ -121,7 +121,7 @@ func New(config *Config) (*ContainerServer, error) {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
runtime, err := oci.New(config.Runtime, config.RuntimeUntrustedWorkload, config.DefaultWorkloadTrust, config.Conmon, config.ConmonEnv, config.CgroupManager, config.ContainerExitsDir, config.LogSizeMax)
|
runtime, err := oci.New(config.Runtime, config.RuntimeUntrustedWorkload, config.DefaultWorkloadTrust, config.Conmon, config.ConmonEnv, config.CgroupManager, config.ContainerExitsDir, config.LogSizeMax, config.NoPivot)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
15
oci/oci.go
|
@ -38,7 +38,15 @@ const (
|
||||||
)
|
)
|
||||||
|
|
||||||
// New creates a new Runtime with options provided
|
// New creates a new Runtime with options provided
|
||||||
func New(runtimeTrustedPath string, runtimeUntrustedPath string, trustLevel string, conmonPath string, conmonEnv []string, cgroupManager string, containerExitsDir string, logSizeMax int64) (*Runtime, error) {
|
func New(runtimeTrustedPath string,
|
||||||
|
runtimeUntrustedPath string,
|
||||||
|
trustLevel string,
|
||||||
|
conmonPath string,
|
||||||
|
conmonEnv []string,
|
||||||
|
cgroupManager string,
|
||||||
|
containerExitsDir string,
|
||||||
|
logSizeMax int64,
|
||||||
|
noPivot bool) (*Runtime, error) {
|
||||||
r := &Runtime{
|
r := &Runtime{
|
||||||
name: filepath.Base(runtimeTrustedPath),
|
name: filepath.Base(runtimeTrustedPath),
|
||||||
trustedPath: runtimeTrustedPath,
|
trustedPath: runtimeTrustedPath,
|
||||||
|
@ -49,6 +57,7 @@ func New(runtimeTrustedPath string, runtimeUntrustedPath string, trustLevel stri
|
||||||
cgroupManager: cgroupManager,
|
cgroupManager: cgroupManager,
|
||||||
containerExitsDir: containerExitsDir,
|
containerExitsDir: containerExitsDir,
|
||||||
logSizeMax: logSizeMax,
|
logSizeMax: logSizeMax,
|
||||||
|
noPivot: noPivot,
|
||||||
}
|
}
|
||||||
return r, nil
|
return r, nil
|
||||||
}
|
}
|
||||||
|
@ -64,6 +73,7 @@ type Runtime struct {
|
||||||
cgroupManager string
|
cgroupManager string
|
||||||
containerExitsDir string
|
containerExitsDir string
|
||||||
logSizeMax int64
|
logSizeMax int64
|
||||||
|
noPivot bool
|
||||||
}
|
}
|
||||||
|
|
||||||
// syncInfo is used to return data from monitor process to daemon
|
// syncInfo is used to return data from monitor process to daemon
|
||||||
|
@ -161,6 +171,9 @@ func (r *Runtime) CreateContainer(c *Container, cgroupParent string) error {
|
||||||
if r.logSizeMax >= 0 {
|
if r.logSizeMax >= 0 {
|
||||||
args = append(args, "--log-size-max", fmt.Sprintf("%v", r.logSizeMax))
|
args = append(args, "--log-size-max", fmt.Sprintf("%v", r.logSizeMax))
|
||||||
}
|
}
|
||||||
|
if r.noPivot {
|
||||||
|
args = append(args, "--no-pivot")
|
||||||
|
}
|
||||||
if c.terminal {
|
if c.terminal {
|
||||||
args = append(args, "-t")
|
args = append(args, "-t")
|
||||||
} else if c.stdin {
|
} else if c.stdin {
|
||||||
|
|
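Review bot: The new `noPivot` field on `Runtime` and the new `New` parameter are undocumented, so the only explanation of what `args = append(args, "--no-pivot")` in `CreateContainer` achieves lives in the config template. I would comment the field `// noPivot appends --no-pivot to the conmon args (presumably forwarded to the runtime) so the rootfs is entered with MS_MOVE instead of pivot_root.` and extend `// New creates a new Runtime with options provided` to mention it. Separately, `New` now takes nine positional parameters ending in a bare `bool`; the matching call in the server hunk above is easy to get wrong at the next addition, and an options struct would make these call sites self-describing. `CreateContainer` starts and ends outside this hunk.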