From 83de20deb749b34d5cb06799e965ebf48e87cc77 Mon Sep 17 00:00:00 2001
From: Alexander Larsson
Date: Tue, 4 Mar 2014 12:44:08 +0100
Subject: [PATCH] libcontainer: Use pivot_root instead of chroot

Instead of keeping all the old mounts in the container namespace and just using subtree as root we pivot_root so that the actual root in the namespace is the root we want, and then we unmount the previous mounts. This has multiple advantages:
* The namespace mount tree is smaller (in the kernel)
* If you break out of the chroot you could previously access the host filesystem. Now the host filesystem is fully invisible to the namespace.
* We get rid of all unrelated mounts from the parent namespace, which means we don't hog these. This is important if we later switch to MS_PRIVATE instead of MS_SLAVE as otherwise these mounts would be impossible to unmount from the parent namespace.

Docker-DCO-1.1-Signed-off-by: Alexander Larsson (github: alexlarsson)
---
 libcontainer/nsinit/mount.go | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/libcontainer/nsinit/mount.go b/libcontainer/nsinit/mount.go
index 55c2655..9ae7ec4 100644
--- a/libcontainer/nsinit/mount.go
+++ b/libcontainer/nsinit/mount.go
@@ -5,6 +5,7 @@ package nsinit
 import (
 	"fmt"
 	"github.com/dotcloud/docker/pkg/system"
+	"io/ioutil"
 	"os"
 	"path/filepath"
 	"syscall"
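Review bot: The added `"io/ioutil"` line keeps the import block as a single alphabetical group, so the third-party `"github.com/dotcloud/docker/pkg/system"` now sits between two standard-library imports. The goimports convention is one standard-library group, a blank line, then everything else; if this tree follows that layout, `"github.com/dotcloud/docker/pkg/system"` should move to a second group after `"syscall"`. This is layout only — the import itself is correct and is consumed by the `ioutil.TempDir` call in the following hunk.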
@@ -51,16 +52,29 @@ func setupNewMountNamespace(rootfs, console string, readonly bool) error {
 	if err := system.Chdir(rootfs); err != nil {
 		return fmt.Errorf("chdir into %s %s", rootfs, err)
 	}
-	if err := system.Mount(rootfs, "/", "", syscall.MS_MOVE, ""); err != nil {
-		return fmt.Errorf("mount move %s into / %s", rootfs, err)
+
+	pivotDir, err := ioutil.TempDir(rootfs, ".pivot_root")
+	if err != nil {
+		return fmt.Errorf("can't create pivot_root dir %s", pivotDir, err)
 	}
-	if err := system.Chroot("."); err != nil {
-		return fmt.Errorf("chroot . %s", err)
+	if err := system.Pivotroot(rootfs, pivotDir); err != nil {
+		return fmt.Errorf("pivot_root %s", err)
 	}
 	if err := system.Chdir("/"); err != nil {
 		return fmt.Errorf("chdir / %s", err)
 	}
+	// path to pivot dir now changed, update
+	pivotDir = filepath.Join("/", filepath.Base(pivotDir))
+
+	if err := system.Unmount(pivotDir, syscall.MNT_DETACH); err != nil {
+		return fmt.Errorf("unmount pivot_root dir %s", err)
+	}
+
+	if err := os.Remove(pivotDir); err != nil {
+		return fmt.Errorf("remove pivot_root dir %s", err)
+	}
+
 	system.Umask(0022)
 	return nil