diff --git a/hack/isulad-lxcfs-toolkit.spec b/hack/isulad-lxcfs-toolkit.spec
index 301f7916e874ca85747d89670c7660908ec3070e..22bdd55970de1f8b0f3dc8f1b9171ec3d15b6a21 100644
--- a/hack/isulad-lxcfs-toolkit.spec
+++ b/hack/isulad-lxcfs-toolkit.spec
@@ -4,7 +4,7 @@
 #Basic Information
 Name: isulad-lxcfs-toolkit
 Version: 0.3
-Release: 14
+Release: 15
 Summary: toolkit for lxcfs to remount a running isulad
 License: Mulan PSL v1
 Source0: %{name}.tar.gz
diff --git a/hooks/lxcfs-hook/execmount.go b/hooks/lxcfs-hook/execmount.go
index 1aec5df94c0bcd5b65ca98bffc965a4a63ffdb58..76194f75fd1c9e13b9bdca24f33696fc7f6a2a73 100644
--- a/hooks/lxcfs-hook/execmount.go
+++ b/hooks/lxcfs-hook/execmount.go
@@ -50,7 +50,7 @@ func prestartMountHook(pid int, rootfs string) error {
 valueMountPaths = append(valueMountPaths, fmt.Sprintf("/var/lib/lxc/lxcfs/proc/%s", value.Name()))
 }
 
- if err := libmount.NsExecMount(strconv.Itoa(pid), valueMountPaths, valuePaths); err != nil {
+ if err := libmount.NsExecMount(strconv.Itoa(pid), rootfs, valueMountPaths, valuePaths); err != nil {
 isulad_lxcfs_log.Errorf("mount %v into container error: %v", valueMountPaths, err)
 return err
 }
diff --git a/libmount/container_work.go b/libmount/container_work.go
index 8d57b31b83f864db6c8af5450238ec63da90eb46..bcdef6f4e0c799324b0b1d98e92abb845a3fb7de 100644
--- a/libmount/container_work.go
+++ b/libmount/container_work.go
@@ -25,6 +25,10 @@ import (
 "github.com/docker/docker/pkg/reexec"
 )
 
+var (
+ lxcfsPath = "/var/lib/lxc/lxcfs/cgroup"
+)
+
 func init() {
 reexec.Register(nsexec.NsEnterReexecName, WorkInContainer)
 }
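Review bot: `lxcfsPath` in libmount/container_work.go is declared as a package-level `var`, so the path the read-only remount depends on can be reassigned from anywhere in the package. Nothing in this diff assigns to it, so it can be `const lxcfsPath = "/var/lib/lxc/lxcfs/cgroup"`. A one-line comment saying that this appears to be the lxcfs cgroup directory as seen from the container would also help, since execmount.go hard-codes the sibling `/var/lib/lxc/lxcfs/proc/` prefix separately.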
@@ -94,6 +98,14 @@ func doMount(pipe *os.File) error {
 if err := json.NewDecoder(pipe).Decode(&mount); err != nil {
 return err
 }
+
+ // remount lxcfs cgroup path readonly
+ if err := syscall.Mount(mount.Rootfs+lxcfsPath, mount.Rootfs+lxcfsPath, "none", syscall.MS_BIND, ""); err != nil {
+ return err
+ }
+ if err := syscall.Mount(mount.Rootfs+lxcfsPath, mount.Rootfs+lxcfsPath, "none", syscall.MS_BIND|syscall.MS_REMOUNT|syscall.MS_RDONLY, ""); err != nil {
+ return err
+ }
 for i := 0; i < len(mount.SrcPaths) && i < len(mount.DestPaths); i++ {
 if err := syscall.Mount(mount.SrcPaths[i], mount.DestPaths[i], "none", syscall.MS_BIND, ""); err != nil {
 return err
@@ -114,5 +126,10 @@ func doUmount(pipe *os.File) error {
 }
 }
 }
+ if err := syscall.Unmount(lxcfsPath, 0); err != nil {
+ if !strings.Contains(err.Error(), "invalid argument") {
+ return err
+ }
+ }
 return nil
 }
diff --git a/libmount/libmount.go b/libmount/libmount.go
index b49c39f4d97d0d742615a7a2ac38b6253a35e1b4..edf6f4c6015b2ec5228156e159c702f1473a7d0b 100644
--- a/libmount/libmount.go
+++ b/libmount/libmount.go
@@ -18,9 +18,11 @@ import (
 )
 
 // NsExecMount exec mount in container namespace
-func NsExecMount(pid string, srcPaths []string, destPaths []string) error {
+func NsExecMount(pid string, rootfs string, srcPaths []string, destPaths []string) error {
 driver := nsexec.NewDefaultNsDriver()
- mount := &nsexec.Mount{}
+ mount := &nsexec.Mount{
+ Rootfs: rootfs,
+ }
 for i := 0; i < len(srcPaths) && i < len(destPaths); i++ {
 mount.SrcPaths = append(mount.SrcPaths, srcPaths[i])
 mount.DestPaths = append(mount.DestPaths, destPaths[i])
diff --git a/libmount/nsexec/nsexec.go b/libmount/nsexec/nsexec.go
index c68fb25b38142112959f77b47f8a3f05c212e78f..683e2e22976a1c613d66300765924e63eb6f8719 100644
--- a/libmount/nsexec/nsexec.go
+++ b/libmount/nsexec/nsexec.go
@@ -41,6 +41,7 @@ const (
 
 // Mount is mount argument
 type Mount struct {
+ Rootfs string
 SrcPaths []string
 DestPaths []string
 }
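Review bot: In doMount the remount passes only `syscall.MS_BIND|syscall.MS_REMOUNT|syscall.MS_RDONLY`, and a bind remount replaces the per-mount flags rather than adding to them. If the lxcfs cgroup mount carries `nosuid`, `nodev` or `noexec`, they would be cleared here, or the call rejected inside a user namespace; reading the current flags with `syscall.Statfs` and OR-ing them in keeps the hardening additive. The target `mount.Rootfs+lxcfsPath` is built four times by string concatenation; computing `target := filepath.Join(mount.Rootfs, lxcfsPath)` once is easier to audit. Both mounts run before any `SrcPaths` bind and return on error, so a container whose rootfs lacks this directory would presumably fail the whole hook; worth confirming that is intended. doMount's body continues outside the hunk.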
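Review bot: The unmount added to doUmount decides whether to ignore a failure by matching message text, `strings.Contains(err.Error(), "invalid argument")`. `syscall.Unmount` returns a `syscall.Errno`, so `if err := syscall.Unmount(lxcfsPath, 0); err != nil && err != syscall.EINVAL { return err }` states the intent directly. It also unmounts the bare `lxcfsPath`, while doMount mounts at `mount.Rootfs+lxcfsPath`; the two agree only when Rootfs is empty, as in the remountcmd.go caller, so a comment saying so would prevent a later mismatch. The loop above the added lines is outside the hunk and may use the same string match.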
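Review bot: The doc comment on NsExecMount in libmount/libmount.go was not updated for the new `rootfs` parameter, and the two callers in this diff pass different values: the prestart hook passes the container rootfs, remountcmd.go passes `""`. Suggested comment: `// NsExecMount bind-mounts srcPaths onto destPaths in the mount namespace of pid. rootfs is prepended to the lxcfs cgroup path that is remounted read-only; pass "" when that path is already absolute in the target namespace.` Inserting a positional string between `pid` and `srcPaths` changes the exported signature, so any caller outside this diff needs the same update. NsExecMount's body continues past the hunk.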
diff --git a/remountcmd.go b/remountcmd.go
index d3395e5e81541881460402976684ec39da73de23..5c6342dc5186e51dee2b46353b075fe4d906c12c 100644
--- a/remountcmd.go
+++ b/remountcmd.go
@@ -254,7 +254,7 @@ func remountToContainer(initMountns, initUserns, containerid string, pid string,
 isulad_lxcfs_log.Errorf("unmount %v for container error: %v", valuePaths, err)
 }
 
- if err := libmount.NsExecMount(pid, valueMountPaths, valuePaths); err != nil {
+ if err := libmount.NsExecMount(pid, "", valueMountPaths, valuePaths); err != nil {
 isulad_lxcfs_log.Errorf("mount %v into container %s error: %v", valueMountPaths, containerid, err)
 return err
 }
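Review bot: In remountToContainer the unmount failure logged just above the changed call is not returned (the unmount call itself is outside the hunk), and doMount now bind-mounts the lxcfs cgroup path onto itself unconditionally. If the unmount did not remove the previous layer, each remount would presumably stack another bind on that path, while doUmount removes only one per run. If the best-effort unmount is deliberate, doMount could skip the self-bind when the path is already a read-only mount; otherwise return after the `Errorf`. The literal `""` also deserves a short comment, e.g. `// rootfs is empty: lxcfs paths are used as-is in the container's mount namespace`.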