Add no pivot root support

crosbymichael · tonistiigi · commit 47f239706c57 · 2016-03-30T21:52:15.000-07:00
Signed-off-by: Michael Crosby &lt;crosbymichael@gmail.com&gt;
diff --git a/api/grpc/server/server.go b/api/grpc/server/server.go
@@ -38,6 +38,7 @@ func (s *apiServer) CreateContainer(ctx context.Context, c *types.CreateContaine
 	e.Stdout = c.Stdout
 	e.Stderr = c.Stderr
 	e.Labels = c.Labels
+	e.NoPivotRoot = c.NoPivotRoot
 	e.StartResponse = make(chan supervisor.StartResponse, 1)
 	createContainerConfigCheckpoint(e, c)
 	s.sv.SendTask(e)
diff --git a/api/grpc/types/api.pb.go b/api/grpc/types/api.pb.go
diff --git a/api/grpc/types/api.proto b/api/grpc/types/api.proto
@@ -35,6 +35,7 @@ message CreateContainerRequest {
 	string stdout = 5; // path to file where stdout will be written (optional)
 	string stderr = 6; // path to file where stderr will be written (optional)
 	repeated string labels = 7;
+	bool noPivotRoot = 8;
 }
 
 message CreateContainerResponse {
diff --git a/containerd-shim/process.go b/containerd-shim/process.go
@@ -116,11 +116,17 @@ func (p *process) start() error {
 		if p.checkpoint.UnixSockets {
 			add("--ext-unix-sk")
 		}
+		if p.state.NoPivotRoot {
+			add("--no-pivot")
+		}
 	} else {
 		args = append(args, "start",
 			"--bundle", p.bundle,
 			"--console", p.consolePath,
 		)
+		if p.state.NoPivotRoot {
+			args = append(args, "--no-pivot")
+		}
 	}
 	args = append(args,
 		"-d",
diff --git a/ctr/container.go b/ctr/container.go
@@ -124,6 +124,10 @@ var startCommand = cli.Command{
 			Value: &cli.StringSlice{},
 			Usage: "set labels for the container",
 		},
+		cli.BoolFlag{
+			Name:  "no-pivot",
+			Usage: "do not use pivot root",
+		},
 	},
 	Action: func(context *cli.Context) {
 		var (
@@ -149,13 +153,14 @@ var startCommand = cli.Command{
 			tty                  bool
 			c                    = getClient(context)
 			r                    = &types.CreateContainerRequest{
-				Id:         id,
-				BundlePath: bpath,
-				Checkpoint: context.String("checkpoint"),
-				Stdin:      s.stdin,
-				Stdout:     s.stdout,
-				Stderr:     s.stderr,
-				Labels:     context.StringSlice("label"),
+				Id:          id,
+				BundlePath:  bpath,
+				Checkpoint:  context.String("checkpoint"),
+				Stdin:       s.stdin,
+				Stdout:      s.stdout,
+				Stderr:      s.stderr,
+				Labels:      context.StringSlice("label"),
+				NoPivotRoot: context.Bool("no-pivot"),
 			}
 		)
 		restoreAndCloseStdin = func() {
diff --git a/runtime/container.go b/runtime/container.go
@@ -82,30 +82,42 @@ func NewStdio(stdin, stdout, stderr string) Stdio {
 	}
 }
 
+type ContainerOpts struct {
+	Root        string
+	ID          string
+	Bundle      string
+	Runtime     string
+	RuntimeArgs []string
+	Labels      []string
+	NoPivotRoot bool
+}
+
 // New returns a new container
-func New(root, id, bundle, runtimeName string, runtimeArgs, labels []string) (Container, error) {
+func New(opts ContainerOpts) (Container, error) {
 	c := &container{
-		root:        root,
-		id:          id,
-		bundle:      bundle,
-		labels:      labels,
+		root:        opts.Root,
+		id:          opts.ID,
+		bundle:      opts.Bundle,
+		labels:      opts.Labels,
 		processes:   make(map[string]*process),
-		runtime:     runtimeName,
-		runtimeArgs: runtimeArgs,
+		runtime:     opts.Runtime,
+		runtimeArgs: opts.RuntimeArgs,
+		noPivotRoot: opts.NoPivotRoot,
 	}
-	if err := os.Mkdir(filepath.Join(root, id), 0755); err != nil {
+	if err := os.Mkdir(filepath.Join(c.root, c.id), 0755); err != nil {
 		return nil, err
 	}
-	f, err := os.Create(filepath.Join(root, id, StateFile))
+	f, err := os.Create(filepath.Join(c.root, c.id, StateFile))
 	if err != nil {
 		return nil, err
 	}
 	defer f.Close()
 	if err := json.NewEncoder(f).Encode(state{
-		Bundle:      bundle,
-		Labels:      labels,
-		Runtime:     runtimeName,
-		RuntimeArgs: runtimeArgs,
+		Bundle:      c.bundle,
+		Labels:      c.labels,
+		Runtime:     c.runtime,
+		RuntimeArgs: c.runtimeArgs,
+		NoPivotRoot: opts.NoPivotRoot,
 	}); err != nil {
 		return nil, err
 	}
@@ -129,6 +141,7 @@ func Load(root, id string) (Container, error) {
 		labels:      s.Labels,
 		runtime:     s.Runtime,
 		runtimeArgs: s.RuntimeArgs,
+		noPivotRoot: s.NoPivotRoot,
 		processes:   make(map[string]*process),
 	}
 	dirs, err := ioutil.ReadDir(filepath.Join(root, id))
@@ -177,6 +190,7 @@ type container struct {
 	processes   map[string]*process
 	labels      []string
 	oomFds      []int
+	noPivotRoot bool
 }
 
 func (c *container) ID() string {
diff --git a/runtime/process_linux.go b/runtime/process_linux.go
@@ -39,5 +39,6 @@ func populateProcessStateForEncoding(config *processConfig, uid int, gid int) Pr
 		Stdout:      config.stdio.Stdout,
 		Stderr:      config.stdio.Stderr,
 		RuntimeArgs: config.c.runtimeArgs,
+		NoPivotRoot: config.c.noPivotRoot,
 	}
 }
diff --git a/runtime/runtime.go b/runtime/runtime.go
@@ -60,6 +60,7 @@ type state struct {
 	Stderr      string   `json:"stderr"`
 	Runtime     string   `json:"runtime"`
 	RuntimeArgs []string `json:"runtimeArgs"`
+	NoPivotRoot bool     `json:"noPivotRoot"`
 }
 
 type ProcessState struct {
@@ -69,6 +70,7 @@ type ProcessState struct {
 	Stdout      string   `json:"containerdStdout"`
 	Stderr      string   `json:"containerdStderr"`
 	RuntimeArgs []string `json:"runtimeArgs"`
+	NoPivotRoot bool     `json:"noPivotRoot"`
 
 	PlatformProcessState
 }
diff --git a/supervisor/create.go b/supervisor/create.go
@@ -16,11 +16,20 @@ type StartTask struct {
 	Stdin         string
 	StartResponse chan StartResponse
 	Labels        []string
+	NoPivotRoot   bool
 }
 
 func (s *Supervisor) start(t *StartTask) error {
 	start := time.Now()
-	container, err := runtime.New(s.stateDir, t.ID, t.BundlePath, s.runtime, s.runtimeArgs, t.Labels)
+	container, err := runtime.New(runtime.ContainerOpts{
+		Root:        s.stateDir,
+		ID:          t.ID,
+		Bundle:      t.BundlePath,
+		Runtime:     s.runtime,
+		RuntimeArgs: s.runtimeArgs,
+		Labels:      t.Labels,
+		NoPivotRoot: t.NoPivotRoot,
+	})
 	if err != nil {
 		return err
 	}

Original file line number	Diff line number	Diff line change
`@@ -35,6 +35,7 @@ message CreateContainerRequest {`
`35`	`35`	`string stdout = 5; // path to file where stdout will be written (optional)`
`36`	`36`	`string stderr = 6; // path to file where stderr will be written (optional)`
`37`	`37`	`repeated string labels = 7;`
	`38`	`+ bool noPivotRoot = 8;`
`38`	`39`	`}`
`39`	`40`
`40`	`41`	`message CreateContainerResponse {`
Original file line number	Diff line number	Diff line change
`@@ -116,11 +116,17 @@ func (p *process) start() error {`
`116`	`116`	`if p.checkpoint.UnixSockets {`
`117`	`117`	`add("--ext-unix-sk")`
`118`	`118`	`}`
	`119`	`+ if p.state.NoPivotRoot {`
	`120`	`+ add("--no-pivot")`
	`121`	`+ }`
`119`	`122`	`} else {`
`120`	`123`	`args = append(args, "start",`
`121`	`124`	`"--bundle", p.bundle,`
`122`	`125`	`"--console", p.consolePath,`
`123`	`126`	`)`
	`127`	`+ if p.state.NoPivotRoot {`
	`128`	`+ args = append(args, "--no-pivot")`
	`129`	`+ }`
`124`	`130`	`}`
`125`	`131`	`args = append(args,`
`126`	`132`	`"-d",`
Original file line number	Diff line number	Diff line change
`@@ -39,5 +39,6 @@ func populateProcessStateForEncoding(config *processConfig, uid int, gid int) Pr`
`39`	`39`	`Stdout: config.stdio.Stdout,`
`40`	`40`	`Stderr: config.stdio.Stderr,`
`41`	`41`	`RuntimeArgs: config.c.runtimeArgs,`
	`42`	`+ NoPivotRoot: config.c.noPivotRoot,`
`42`	`43`	`}`
`43`	`44`	`}`
Original file line number	Diff line number	Diff line change
`@@ -60,6 +60,7 @@ type state struct {`
`60`	`60`	Stderr string `json:"stderr"`
`61`	`61`	Runtime string `json:"runtime"`
`62`	`62`	RuntimeArgs []string `json:"runtimeArgs"`
	`63`	+ NoPivotRoot bool `json:"noPivotRoot"`
`63`	`64`	`}`
`64`	`65`
`65`	`66`	`type ProcessState struct {`
`@@ -69,6 +70,7 @@ type ProcessState struct {`
`69`	`70`	Stdout string `json:"containerdStdout"`
`70`	`71`	Stderr string `json:"containerdStderr"`
`71`	`72`	RuntimeArgs []string `json:"runtimeArgs"`
	`73`	+ NoPivotRoot bool `json:"noPivotRoot"`
`72`	`74`
`73`	`75`	`PlatformProcessState`
`74`	`76`	`}`