95 lines
3.0 KiB
Diff
95 lines
3.0 KiB
Diff
|
From c5f152a9dc851e0297f63a73c3e59890da135352 Mon Sep 17 00:00:00 2001
|
||
|
|
From: zhangsong34 <zhangsong34@huawei.com>
|
||
|
|
Date: Fri, 19 Oct 2018 10:53:33 +0800
|
||
|
|
Subject: [PATCH 65/94] runc: support namespaced kernel params can be
|
||
|
|
changed in system container
|
||
|
|
|
||
|
|
reason:support namespaced kernel files can be written in container,
|
||
|
|
when docker run a system container specify '--ns-change-opt' param,
|
||
|
|
net or ipc namespaced kernel params can be changed in this container.
|
||
|
|
|
||
|
|
Conflicts:
|
||
|
|
libcontainer/rootfs_linux.go
|
||
|
|
script/runc-euleros.spec
|
||
|
|
|
||
|
|
Change-Id: I051b274117abd9745a27577e14a23c906ff7cca3
|
||
|
|
Signed-off-by: jingrui <jingrui@huawei.com>
|
||
|
|
---
|
||
|
|
libcontainer/rootfs_linux.go | 26 ++++++++++++++++++++++++++
|
||
|
|
libcontainer/standard_init_linux.go | 8 ++++++++
|
||
|
|
2 files changed, 34 insertions(+)
|
||
|
|
|
||
|
|
diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
|
||
|
|
index 7cf5edd..38bdd1b 100644
|
||
|
|
--- a/libcontainer/rootfs_linux.go
|
||
|
|
+++ b/libcontainer/rootfs_linux.go
|
||
|
|
@@ -160,6 +160,9 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string) error {
|
||
|
|
|
||
|
|
switch m.Device {
|
||
|
|
case "proc", "sysfs":
|
||
|
|
+ if strings.HasPrefix(m.Destination, "/proc/sys/") {
|
||
|
|
+ return nil
|
||
|
|
+ }
|
||
|
|
if err := os.MkdirAll(dest, 0755); err != nil {
|
||
|
|
return err
|
||
|
|
}
|
||
|
|
@@ -729,6 +732,29 @@ func readonlyPath(path string) error {
|
||
|
|
return syscall.Mount(path, path, "", syscall.MS_BIND|syscall.MS_REMOUNT|syscall.MS_RDONLY|syscall.MS_REC, "")
|
||
|
|
}
|
||
|
|
|
||
|
|
+// remountReadWrite will bind over the top of an existing path and ensure that it is read-write.
|
||
|
|
+func remountReadWrite(path string) error {
|
||
|
|
+ for i := 0; i < 5; i++ {
|
||
|
|
+ if err := syscall.Mount("", path, "", syscall.MS_REMOUNT, ""); err != nil && !os.IsNotExist(err) {
|
||
|
|
+ switch err {
|
||
|
|
+ case syscall.EINVAL:
|
||
|
|
+ // Probably not a mountpoint, use bind-mount
|
||
|
|
+ if err := syscall.Mount(path, path, "", syscall.MS_BIND, ""); err != nil {
|
||
|
|
+ return err
|
||
|
|
+ }
|
||
|
|
+ return syscall.Mount(path, path, "", syscall.MS_BIND|syscall.MS_REMOUNT|syscall.MS_REC|defaultMountFlags, "")
|
||
|
|
+ case syscall.EBUSY:
|
||
|
|
+ time.Sleep(100 * time.Millisecond)
|
||
|
|
+ continue
|
||
|
|
+ default:
|
||
|
|
+ return err
|
||
|
|
+ }
|
||
|
|
+ }
|
||
|
|
+ return nil
|
||
|
|
+ }
|
||
|
|
+ return fmt.Errorf("unable to mount %s as readwrite max retries reached", path)
|
||
|
|
+}
|
||
|
|
+
|
||
|
|
// remountReadonly will remount an existing mount point and ensure that it is read-only.
|
||
|
|
func remountReadonly(m *configs.Mount) error {
|
||
|
|
var (
|
||
|
|
diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
|
||
|
|
index 484ba42..18506af 100644
|
||
|
|
--- a/libcontainer/standard_init_linux.go
|
||
|
|
+++ b/libcontainer/standard_init_linux.go
|
||
|
|
@@ -6,6 +6,7 @@ import (
|
||
|
|
"fmt"
|
||
|
|
"os"
|
||
|
|
"os/exec"
|
||
|
|
+ "strings"
|
||
|
|
"syscall"
|
||
|
|
"time"
|
||
|
|
|
||
|
|
@@ -117,6 +118,13 @@ func (l *linuxStandardInit) Init() error {
|
||
|
|
return err
|
||
|
|
}
|
||
|
|
}
|
||
|
|
+ for _, m := range l.config.Config.Mounts {
|
||
|
|
+ if m.Flags&syscall.MS_RDONLY == 0 && m.Device == "proc" && strings.HasPrefix(m.Destination, "/proc/sys/") {
|
||
|
|
+ if err := remountReadWrite(m.Destination); err != nil {
|
||
|
|
+ return err
|
||
|
|
+ }
|
||
|
|
+ }
|
||
|
|
+ }
|
||
|
|
for _, path := range l.config.Config.MaskPaths {
|
||
|
|
if err := maskPath(path); err != nil {
|
||
|
|
return err
|
||
|
|
--
|
||
|
|
2.7.4.3
|
||
|
|
|