From 0fb8c1bd205397ee2efd070dc525a17e9a787857 Mon Sep 17 00:00:00 2001
From: Zhigang Wang
Date: Mon, 1 Jan 2024 21:51:25 +0800
Subject: [PATCH 5/5] mount: Reduce the mount points with namespace isolation

This patch can reduce load on systemd process, and increase the k8s
deployment density when using go runtime.

Signed-off-by: Zhigang Wang
Signed-off-by: Liu Wenyuan
---
 src/runtime/pkg/containerd-shim-v2/service.go | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/src/runtime/pkg/containerd-shim-v2/service.go b/src/runtime/pkg/containerd-shim-v2/service.go
index 26d4c21..7b06429 100644
--- a/src/runtime/pkg/containerd-shim-v2/service.go
+++ b/src/runtime/pkg/containerd-shim-v2/service.go
@@ -191,6 +191,27 @@ func newCommand(ctx context.Context, id, containerdBinary, containerdAddress str
 	return cmd, nil
 }
 
+func setupMntNs() error {
+	err := unix.Unshare(unix.CLONE_NEWNS)
+	if err != nil {
+		return err
+	}
+
+	err = unix.Mount("", "/", "", unix.MS_REC|unix.MS_SLAVE, "")
+	if err != nil {
+		err = fmt.Errorf("failed to mount with slave: %v", err)
+		return err
+	}
+
+	err = unix.Mount("", "/", "", unix.MS_REC|unix.MS_SHARED, "")
+	if err != nil {
+		err = fmt.Errorf("failed to mount with shared: %v", err)
+		return err
+	}
+
+	return nil
+}
+
 // StartShim is a binary call that starts a kata shimv2 service which will
 // implement the ShimV2 APIs such as create/start/update etc containers.
 func (s *service) StartShim(ctx context.Context, opts cdshim.StartOpts) (_ string, retErr error) {
@@ -255,6 +276,10 @@ func (s *service) StartShim(ctx context.Context, opts cdshim.StartOpts) (_ strin
 		}
 	}
 
+	if err := setupMntNs(); err != nil {
+		return "", err
+	}
+
 	if err := cmd.Start(); err != nil {
 		return "", err
 	}
-- 
2.34.1
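Review bot: `setupMntNs` calls `unix.Unshare(unix.CLONE_NEWNS)` without first pinning the goroutine with `runtime.LockOSThread()`, and unshare(2) moves only the calling OS thread into the new mount namespace, so the Go scheduler is free to migrate the goroutine before the two `unix.Mount` calls or before the `cmd.Start()` that follows in the second hunk — the propagation flags may then be applied on a thread still in the host namespace and the forked child may not be isolated at all, while the thread that did enter the namespace goes back to the runtime's pool and runs unrelated goroutines there. Lock the thread at the top of the function and do not unlock it, so the runtime discards that thread when the goroutine exits; this needs `runtime` added to the file's import block, which is outside this hunk. The errors are also returned bare or wrapped with `%v`, which hides the errno from `errors.Is` in callers; wrapping with `%w` costs nothing. The rest of `StartShim` lies outside the hunks, so whether the start goroutine ends soon after this call is not visible here and is assumed from the containerd "start" flow.

```go
// setupMntNs moves the calling thread into a private mount namespace whose
// mounts are slaves of the host's (host mount events still arrive, ours do
// not propagate back) and then re-marks them shared so they propagate to the
// child process forked from this thread.
func setupMntNs() error {
	// Unshare(CLONE_NEWNS) is per-thread: pin the goroutine so the Mount
	// calls below and the later cmd.Start() run on the thread that entered
	// the namespace. Deliberately never unlocked — the runtime discards the
	// thread when the goroutine exits instead of returning it to the pool.
	runtime.LockOSThread()

	if err := unix.Unshare(unix.CLONE_NEWNS); err != nil {
		return fmt.Errorf("unshare mount namespace: %w", err)
	}
	if err := unix.Mount("", "/", "", unix.MS_REC|unix.MS_SLAVE, ""); err != nil {
		return fmt.Errorf("failed to mount with slave: %w", err)
	}
	if err := unix.Mount("", "/", "", unix.MS_REC|unix.MS_SHARED, ""); err != nil {
		return fmt.Errorf("failed to mount with shared: %w", err)
	}
	return nil
}
```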