!1 iSulad-lxcfs-toolkit: remount lxcfs cgroup path readonly in container

Merge pull request !1 from openEuler-iSula/master
2019-12-25 16:54:00 +08:00 · 2019-12-25 16:54:00 +08:00 · 186fee3b59
commit 186fee3b59
parent 2e3e328707 768155c60c
6 changed files with 25 additions and 5 deletions
--- a/hack/isulad-lxcfs-toolkit.spec
+++ b/hack/isulad-lxcfs-toolkit.spec
@ -4,7 +4,7 @@
 #Basic Information
 Name:		isulad-lxcfs-toolkit
 Version:	0.3
-Release:	14
+Release:	15
 Summary:	toolkit for lxcfs to remount a running isulad
 License:	Mulan PSL v1		
 Source0:	%{name}.tar.gz
--- a/hooks/lxcfs-hook/execmount.go
+++ b/hooks/lxcfs-hook/execmount.go
@ -50,7 +50,7 @@ func prestartMountHook(pid int, rootfs string) error {
 		valueMountPaths = append(valueMountPaths, fmt.Sprintf("/var/lib/lxc/lxcfs/proc/%s", value.Name()))
 	}

-	if err := libmount.NsExecMount(strconv.Itoa(pid), valueMountPaths, valuePaths); err != nil {
+	if err := libmount.NsExecMount(strconv.Itoa(pid), rootfs, valueMountPaths, valuePaths); err != nil {
 		isulad_lxcfs_log.Errorf("mount %v into container error: %v", valueMountPaths, err)
 		return err
 	}
--- a/libmount/container_work.go
+++ b/libmount/container_work.go
@ -25,6 +25,10 @@ import (
 	"github.com/docker/docker/pkg/reexec"
 )

+var (
+    lxcfsPath = "/var/lib/lxc/lxcfs/cgroup"
+)
+
 func init() {
 	reexec.Register(nsexec.NsEnterReexecName, WorkInContainer)
 }
@ -94,6 +98,14 @@ func doMount(pipe *os.File) error {
 	if err := json.NewDecoder(pipe).Decode(&mount); err != nil {
 		return err
 	}
+
+    // remount lxcfs cgroup path readonly
+    if err := syscall.Mount(mount.Rootfs+lxcfsPath, mount.Rootfs+lxcfsPath, "none", syscall.MS_BIND, ""); err != nil {
+        return err
+    }
+    if err := syscall.Mount(mount.Rootfs+lxcfsPath, mount.Rootfs+lxcfsPath, "none", syscall.MS_BIND|syscall.MS_REMOUNT|syscall.MS_RDONLY, ""); err != nil {
+        return err
+    }
 	for i := 0; i < len(mount.SrcPaths) && i < len(mount.DestPaths); i++ {
 		if err := syscall.Mount(mount.SrcPaths[i], mount.DestPaths[i], "none", syscall.MS_BIND, ""); err != nil {
 			return err
@ -114,5 +126,10 @@ func doUmount(pipe *os.File) error {
 			}
 		}
 	}
+    if err := syscall.Unmount(lxcfsPath, 0); err != nil {
+        if !strings.Contains(err.Error(), "invalid argument") {
+            return err
+        }
+    }
 	return nil
 }
--- a/libmount/libmount.go
+++ b/libmount/libmount.go
@ -18,9 +18,11 @@ import (
 )

 // NsExecMount exec mount in container namespace
-func NsExecMount(pid string, srcPaths []string, destPaths []string) error {
+func NsExecMount(pid string, rootfs string, srcPaths []string, destPaths []string) error {
 	driver := nsexec.NewDefaultNsDriver()
-	mount := &nsexec.Mount{}
+	mount := &nsexec.Mount{
+        Rootfs: rootfs,
+    }
 	for i := 0; i < len(srcPaths) && i < len(destPaths); i++ {
 		mount.SrcPaths = append(mount.SrcPaths, srcPaths[i])
 		mount.DestPaths = append(mount.DestPaths, destPaths[i])
--- a/libmount/nsexec/nsexec.go
+++ b/libmount/nsexec/nsexec.go
@ -41,6 +41,7 @@ const (

 // Mount is mount argument
 type Mount struct {
+    Rootfs    string
 	SrcPaths  []string
 	DestPaths []string
 }
--- a/remountcmd.go
+++ b/remountcmd.go
@ -247,7 +247,7 @@ func remountToContainer(initMountns, initUserns, containerid string, pid string,
 		isulad_lxcfs_log.Errorf("unmount %v for container error: %v", valuePaths, err)
 	}

-	if err := libmount.NsExecMount(pid, valueMountPaths, valuePaths); err != nil {
+	if err := libmount.NsExecMount(pid, "", valueMountPaths, valuePaths); err != nil {
 		isulad_lxcfs_log.Errorf("mount %v into container %s error: %v", valueMountPaths, containerid, err)
 		return err
 	}