From 0d04d291e8b9dcee0fcdf4b757e41d0e77b1491f Mon Sep 17 00:00:00 2001
From: zhangsong34 <zhangsong34@huawei.com>
Date: Fri, 19 Oct 2018 10:53:33 +0800
Subject: [PATCH] runc:support namespaced kernel params can be changed in
system container
reason: support namespaced kernel files being written inside a container;
when docker runs a system container with the '--ns-change-opt' option,
net or ipc namespaced kernel params can be changed in that container.
Conflicts:
libcontainer/rootfs_linux.go
script/runc-euleros.spec
Change-Id: I051b274117abd9745a27577e14a23c906ff7cca3
Signed-off-by: jingrui <jingrui@huawei.com>
---
libcontainer/rootfs_linux.go | 26 ++++++++++++++++++++++++++
libcontainer/standard_init_linux.go | 7 +++++++
2 files changed, 33 insertions(+)
diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
index 54520ad..e7de071 100644
--- a/libcontainer/rootfs_linux.go
+++ b/libcontainer/rootfs_linux.go
@@ -435,6 +435,9 @@ func mountToRootfs(m *configs.Mount, c *mountConfig) error {
} else if !fi.IsDir() {
return fmt.Errorf("filesystem %q must be mounted on ordinary directory", m.Device)
}
+ if strings.HasPrefix(m.Destination, "/proc/sys/") {
+ return nil
+ }
if err := os.MkdirAll(dest, 0o755); err != nil {
return err
}
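Review bot: The new early return matches `m.Destination` as a raw string, so any destination whose text begins with `/proc/sys/` is skipped here, including one spelled with `..` or redundant slashes, and that same uncleaned string is later handed straight to `remountReadWrite` in standard_init_linux.go. Unless the config validator already rejects non-clean destinations (not visible in this patch), clean before comparing: `if strings.HasPrefix(filepath.Clean(m.Destination), "/proc/sys/") {`. A one-line comment would also help the next reader, since nothing here says why a proc entry is deliberately left unmounted: `// Entries under /proc/sys/ are not mounted here; Init remounts them read-write after readonlyPaths are applied.` mountToRootfs and the enclosing case label continue outside the hunk.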
@@ -1033,6 +1036,29 @@ func readonlyPath(path string) error {
return nil
}
+// remountReadWrite will bind over the top of an existing path and ensure that it is read-write.
+func remountReadWrite(path string) error {
+ for i := 0; i < 5; i++ {
+ if err := syscall.Mount("", path, "", syscall.MS_REMOUNT, ""); err != nil && !os.IsNotExist(err) {
+ switch err {
+ case syscall.EINVAL:
+ // Probably not a mountpoint, use bind-mount
+ if err := syscall.Mount(path, path, "", syscall.MS_BIND, ""); err != nil {
+ return err
+ }
+ return syscall.Mount(path, path, "", syscall.MS_BIND|syscall.MS_REMOUNT|syscall.MS_REC|defaultMountFlags, "")
+ case syscall.EBUSY:
+ time.Sleep(100 * time.Millisecond)
+ continue
+ default:
+ return err
+ }
+ }
+ return nil
+ }
+ return fmt.Errorf("unable to mount %s as readwrite max retries reached", path)
+}
+
// remountReadonly will remount an existing mount point and ensure that it is read-only.
func remountReadonly(m *configs.Mount) error {
var (
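Review bot: `remountReadWrite` treats a missing path as success: when the first `Mount` fails with ENOENT, the `!os.IsNotExist(err)` guard skips the switch and the function returns nil, so the caller in Init believes the path was made writable when nothing was touched. If a `/proc/sys/...` entry that is absent from this proc is meant to be non-fatal, say so next to the guard (`// A path that does not exist in this proc is left alone.`); otherwise drop the `os.IsNotExist` exception and let the error surface. The doc comment says the function "will bind over the top" of the path, but a plain `MS_REMOUNT` is tried first and the bind is only the EINVAL fallback, so `// remountReadWrite remounts path read-write, bind-mounting it over itself first if it is not already a mount point.` describes the code more accurately. If `remountReadonly` below and `defaultMountFlags` (both defined outside the hunk) use the `unix` package rather than `syscall`, the new function should use `unix.Mount`/`unix.MS_*` as well, both for consistency and because it will not compile if `syscall` is not imported in this file.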
diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
index eaa73ba..84883c2 100644
--- a/libcontainer/standard_init_linux.go
+++ b/libcontainer/standard_init_linux.go
@@ -141,6 +141,13 @@ func (l *linuxStandardInit) Init() error {
return fmt.Errorf("can't make %q read-only: %w", path, err)
}
}
+ for _, m := range l.config.Config.Mounts {
+ if m.Flags&syscall.MS_RDONLY == 0 && m.Device == "proc" && strings.HasPrefix(m.Destination, "/proc/sys/") {
+ if err := remountReadWrite(m.Destination); err != nil {
+ return err
+ }
+ }
+ }
for _, path := range l.config.Config.MaskPaths {
if err := maskPath(path, l.config.Config.MountLabel); err != nil {
return fmt.Errorf("can't mask path %s: %w", path, err)
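Review bot: The new loop returns the error from `remountReadWrite` bare, while the surrounding code in Init wraps every failure with the path it was working on; `return fmt.Errorf("can't make %q read-write: %w", m.Destination, err)` keeps a failure here distinguishable from the read-only and mask loops on either side of it. The loop is placed after the readonlyPaths loop visible above and relies on that order to re-open a writable window inside a tree that was just made read-only, but nothing in the code records the dependency; a comment such as `// Must run after readonlyPaths: these entries re-open a writable path under /proc/sys.` would stop a later reorder from silently undoing it. Init's body continues outside the hunk.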
--
2.33.0