mirror of https://github.com/docker/docs.git
Merge pull request #4519 from crosbymichael/back-to-pivot-root
Use env var to toggle pivot root or ms_move
This commit is contained in:
Guillaume J. Charmes
commit
5b0ca89e2a
|
|
@ -5,6 +5,7 @@ import (
|
||||||
"github.com/dotcloud/docker/execdriver"
|
"github.com/dotcloud/docker/execdriver"
|
||||||
"github.com/dotcloud/docker/pkg/cgroups"
|
"github.com/dotcloud/docker/pkg/cgroups"
|
||||||
"github.com/dotcloud/docker/pkg/libcontainer"
|
"github.com/dotcloud/docker/pkg/libcontainer"
|
||||||
|
"os"
|
||||||
)
|
)
|
||||||
|
|
||||||
// createContainer populates and configures the container type with the
|
// createContainer populates and configures the container type with the
|
||||||
|
|
@ -44,6 +45,9 @@ func createContainer(c *execdriver.Command) *libcontainer.Container {
|
||||||
container.Cgroups.Memory = c.Resources.Memory
|
container.Cgroups.Memory = c.Resources.Memory
|
||||||
container.Cgroups.MemorySwap = c.Resources.MemorySwap
|
container.Cgroups.MemorySwap = c.Resources.MemorySwap
|
||||||
}
|
}
|
||||||
|
// check to see if we are running in ramdisk to disable pivot root
|
||||||
|
container.NoPivotRoot = os.Getenv("DOCKER_RAMDISK") != ""
|
||||||
|
|
||||||
return container
|
return container
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -13,6 +13,7 @@ type Context map[string]string
|
||||||
type Container struct {
|
type Container struct {
|
||||||
Hostname string `json:"hostname,omitempty"` // hostname
|
Hostname string `json:"hostname,omitempty"` // hostname
|
||||||
ReadonlyFs bool `json:"readonly_fs,omitempty"` // set the containers rootfs as readonly
|
ReadonlyFs bool `json:"readonly_fs,omitempty"` // set the containers rootfs as readonly
|
||||||
|
NoPivotRoot bool `json:"no_pivot_root,omitempty"` // this can be enabled if you are running in ramdisk
|
||||||
User string `json:"user,omitempty"` // user to execute the process as
|
User string `json:"user,omitempty"` // user to execute the process as
|
||||||
WorkingDir string `json:"working_dir,omitempty"` // current working directory
|
WorkingDir string `json:"working_dir,omitempty"` // current working directory
|
||||||
Env []string `json:"environment,omitempty"` // environment to set
|
Env []string `json:"environment,omitempty"` // environment to set
|
||||||
|
|
|
||||||
|
|
@ -51,7 +51,7 @@ func (ns *linuxNs) Init(container *libcontainer.Container, uncleanRootfs, consol
|
||||||
if err := system.ParentDeathSignal(); err != nil {
|
if err := system.ParentDeathSignal(); err != nil {
|
||||||
return fmt.Errorf("parent death signal %s", err)
|
return fmt.Errorf("parent death signal %s", err)
|
||||||
}
|
}
|
||||||
if err := setupNewMountNamespace(rootfs, console, container.ReadonlyFs); err != nil {
|
if err := setupNewMountNamespace(rootfs, console, container.ReadonlyFs, container.NoPivotRoot); err != nil {
|
||||||
return fmt.Errorf("setup mount namespace %s", err)
|
return fmt.Errorf("setup mount namespace %s", err)
|
||||||
}
|
}
|
||||||
if err := setupNetwork(container, context); err != nil {
|
if err := setupNetwork(container, context); err != nil {
|
||||||
|
|
|
||||||
|
|
@ -5,6 +5,7 @@ package nsinit
|
||||||
import (
|
import (
|
||||||
"fmt"
|
"fmt"
|
||||||
"github.com/dotcloud/docker/pkg/system"
|
"github.com/dotcloud/docker/pkg/system"
|
||||||
|
"io/ioutil"
|
||||||
"os"
|
"os"
|
||||||
"path/filepath"
|
"path/filepath"
|
||||||
"syscall"
|
"syscall"
|
||||||
|
|
@ -18,9 +19,12 @@ const defaultMountFlags = syscall.MS_NOEXEC | syscall.MS_NOSUID | syscall.MS_NOD
|
||||||
//
|
//
|
||||||
// There is no need to unmount the new mounts because as soon as the mount namespace
|
// There is no need to unmount the new mounts because as soon as the mount namespace
|
||||||
// is no longer in use, the mounts will be removed automatically
|
// is no longer in use, the mounts will be removed automatically
|
||||||
func setupNewMountNamespace(rootfs, console string, readonly bool) error {
|
func setupNewMountNamespace(rootfs, console string, readonly, noPivotRoot bool) error {
|
||||||
// mount as slave so that the new mounts do not propagate to the host
|
flag := syscall.MS_PRIVATE
|
||||||
if err := system.Mount("", "/", "", syscall.MS_SLAVE|syscall.MS_REC, ""); err != nil {
|
if noPivotRoot {
|
||||||
|
flag = syscall.MS_SLAVE
|
||||||
|
}
|
||||||
|
if err := system.Mount("", "/", "", uintptr(flag|syscall.MS_REC), ""); err != nil {
|
||||||
return fmt.Errorf("mounting / as slave %s", err)
|
return fmt.Errorf("mounting / as slave %s", err)
|
||||||
}
|
}
|
||||||
if err := system.Mount(rootfs, rootfs, "bind", syscall.MS_BIND|syscall.MS_REC, ""); err != nil {
|
if err := system.Mount(rootfs, rootfs, "bind", syscall.MS_BIND|syscall.MS_REC, ""); err != nil {
|
||||||
|
|
@ -50,6 +54,47 @@ func setupNewMountNamespace(rootfs, console string, readonly bool) error {
|
||||||
if err := system.Chdir(rootfs); err != nil {
|
if err := system.Chdir(rootfs); err != nil {
|
||||||
return fmt.Errorf("chdir into %s %s", rootfs, err)
|
return fmt.Errorf("chdir into %s %s", rootfs, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if noPivotRoot {
|
||||||
|
if err := rootMsMove(rootfs); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
if err := rootPivot(rootfs); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
system.Umask(0022)
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// use a pivot root to setup the rootfs
|
||||||
|
func rootPivot(rootfs string) error {
|
||||||
|
pivotDir, err := ioutil.TempDir(rootfs, ".pivot_root")
|
||||||
|
if err != nil {
|
||||||
|
return fmt.Errorf("can't create pivot_root dir %s", pivotDir, err)
|
||||||
|
}
|
||||||
|
if err := system.Pivotroot(rootfs, pivotDir); err != nil {
|
||||||
|
return fmt.Errorf("pivot_root %s", err)
|
||||||
|
}
|
||||||
|
if err := system.Chdir("/"); err != nil {
|
||||||
|
return fmt.Errorf("chdir / %s", err)
|
||||||
|
}
|
||||||
|
// path to pivot dir now changed, update
|
||||||
|
pivotDir = filepath.Join("/", filepath.Base(pivotDir))
|
||||||
|
if err := system.Unmount(pivotDir, syscall.MNT_DETACH); err != nil {
|
||||||
|
return fmt.Errorf("unmount pivot_root dir %s", err)
|
||||||
|
}
|
||||||
|
if err := os.Remove(pivotDir); err != nil {
|
||||||
|
return fmt.Errorf("remove pivot_root dir %s", err)
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// use MS_MOVE and chroot to setup the rootfs
|
||||||
|
func rootMsMove(rootfs string) error {
|
||||||
if err := system.Mount(rootfs, "/", "", syscall.MS_MOVE, ""); err != nil {
|
if err := system.Mount(rootfs, "/", "", syscall.MS_MOVE, ""); err != nil {
|
||||||
return fmt.Errorf("mount move %s into / %s", rootfs, err)
|
return fmt.Errorf("mount move %s into / %s", rootfs, err)
|
||||||
}
|
}
|
||||||
|
|
@ -59,9 +104,6 @@ func setupNewMountNamespace(rootfs, console string, readonly bool) error {
|
||||||
if err := system.Chdir("/"); err != nil {
|
if err := system.Chdir("/"); err != nil {
|
||||||
return fmt.Errorf("chdir / %s", err)
|
return fmt.Errorf("chdir / %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
system.Umask(0022)
|
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue