From 768155c60c8979f0b76373a15b46884be0743576 Mon Sep 17 00:00:00 2001
From: openeuler-iSula
Date: Wed, 25 Dec 2019 16:01:46 +0800
Subject: [PATCH] remount lxcfs cgroup path readonly in container

Signed-off-by: openeuler-iSula
---
 hack/isulad-lxcfs-toolkit.spec | 2 +-
 hooks/lxcfs-hook/execmount.go | 2 +-
 libmount/container_work.go | 17 +++++++++++++++++
 libmount/libmount.go | 6 ++++--
 libmount/nsexec/nsexec.go | 1 +
 remountcmd.go | 2 +-
 6 files changed, 25 insertions(+), 5 deletions(-)

diff --git a/hack/isulad-lxcfs-toolkit.spec b/hack/isulad-lxcfs-toolkit.spec
index 301f791..22bdd55 100644
--- a/hack/isulad-lxcfs-toolkit.spec
+++ b/hack/isulad-lxcfs-toolkit.spec
@@ -4,7 +4,7 @@
 #Basic Information
 Name: isulad-lxcfs-toolkit
 Version: 0.3
-Release: 14
+Release: 15
 Summary: toolkit for lxcfs to remount a running isulad
 License: Mulan PSL v1
 Source0: %{name}.tar.gz
diff --git a/hooks/lxcfs-hook/execmount.go b/hooks/lxcfs-hook/execmount.go
index 1aec5df..76194f7 100644
--- a/hooks/lxcfs-hook/execmount.go
+++ b/hooks/lxcfs-hook/execmount.go
@@ -50,7 +50,7 @@ func prestartMountHook(pid int, rootfs string) error {
 valueMountPaths = append(valueMountPaths, fmt.Sprintf("/var/lib/lxc/lxcfs/proc/%s", value.Name()))
 }
 
- if err := libmount.NsExecMount(strconv.Itoa(pid), valueMountPaths, valuePaths); err != nil {
+ if err := libmount.NsExecMount(strconv.Itoa(pid), rootfs, valueMountPaths, valuePaths); err != nil {
 isulad_lxcfs_log.Errorf("mount %v into container error: %v", valueMountPaths, err)
 return err
 }
diff --git a/libmount/container_work.go b/libmount/container_work.go
index 8d57b31..bcdef6f 100644
--- a/libmount/container_work.go
+++ b/libmount/container_work.go
@@ -25,6 +25,10 @@ import (
 "github.com/docker/docker/pkg/reexec"
 )
 
+var (
+ lxcfsPath = "/var/lib/lxc/lxcfs/cgroup"
+)
+
 func init() {
 reexec.Register(nsexec.NsEnterReexecName, WorkInContainer)
 }
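Review bot: `lxcfsPath` is declared in a `var` block although nothing in the patch ever assigns to it; a mutable package-level string that ends up as a mount(2) target is an unnecessary write surface and should be `const lxcfsPath = "/var/lib/lxc/lxcfs/cgroup"`. The name also understates what it holds — it is the lxcfs cgroup subtree, not the lxcfs root the proc bind mounts in execmount.go are taken from — so a comment such as `// lxcfsPath is the lxcfs cgroup tree that doMount remounts read-only inside the container.` would keep the two from being confused.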
@@ -94,6 +98,14 @@ func doMount(pipe *os.File) error {
 if err := json.NewDecoder(pipe).Decode(&mount); err != nil {
 return err
 }
+
+ // remount lxcfs cgroup path readonly
+ if err := syscall.Mount(mount.Rootfs+lxcfsPath, mount.Rootfs+lxcfsPath, "none", syscall.MS_BIND, ""); err != nil {
+ return err
+ }
+ if err := syscall.Mount(mount.Rootfs+lxcfsPath, mount.Rootfs+lxcfsPath, "none", syscall.MS_BIND|syscall.MS_REMOUNT|syscall.MS_RDONLY, ""); err != nil {
+ return err
+ }
 for i := 0; i < len(mount.SrcPaths) && i < len(mount.DestPaths); i++ {
 if err := syscall.Mount(mount.SrcPaths[i], mount.DestPaths[i], "none", syscall.MS_BIND, ""); err != nil {
 return err
@@ -114,5 +126,10 @@ func doUmount(pipe *os.File) error {
 }
 }
 }
+ if err := syscall.Unmount(lxcfsPath, 0); err != nil {
+ if !strings.Contains(err.Error(), "invalid argument") {
+ return err
+ }
+ }
 return nil
 }
diff --git a/libmount/libmount.go b/libmount/libmount.go
index b49c39f..edf6f4c 100644
--- a/libmount/libmount.go
+++ b/libmount/libmount.go
@@ -18,9 +18,11 @@ import (
 )
 
 // NsExecMount exec mount in container namespace
-func NsExecMount(pid string, srcPaths []string, destPaths []string) error {
+func NsExecMount(pid string, rootfs string, srcPaths []string, destPaths []string) error {
 driver := nsexec.NewDefaultNsDriver()
- mount := &nsexec.Mount{}
+ mount := &nsexec.Mount{
+ Rootfs: rootfs,
+ }
 for i := 0; i < len(srcPaths) && i < len(destPaths); i++ {
 mount.SrcPaths = append(mount.SrcPaths, srcPaths[i])
 mount.DestPaths = append(mount.DestPaths, destPaths[i])
diff --git a/libmount/nsexec/nsexec.go b/libmount/nsexec/nsexec.go
index c68fb25..683e2e2 100644
--- a/libmount/nsexec/nsexec.go
+++ b/libmount/nsexec/nsexec.go
@@ -41,6 +41,7 @@ const (
 
 // Mount is mount argument
 type Mount struct {
+ Rootfs string
 SrcPaths []string
 DestPaths []string
 }
diff --git a/remountcmd.go b/remountcmd.go
index d3395e5..5c6342d 100644
--- a/remountcmd.go
+++ b/remountcmd.go
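Review bot: The read-only remount in doMount passes only MS_RDONLY together with MS_BIND|MS_REMOUNT, and that form replaces the bind mount's per-mountpoint flags with exactly the set given, so if the underlying lxcfs mount carries nosuid/nodev (libfuse typically mounts that way) the new bind loses them while becoming read-only. For a virtual cgroup tree those flags cost nothing, so the second call should use `syscall.MS_BIND|syscall.MS_REMOUNT|syscall.MS_RDONLY|syscall.MS_NOSUID|syscall.MS_NODEV|syscall.MS_NOEXEC`, or OR in the flags read back from the existing mount. Both new errors are returned bare, so a failure of the read-only step is indistinguishable from a failure of the proc bind mounts that follow; `fmt.Errorf("remount %s readonly: %v", mount.Rootfs+lxcfsPath, err)` would tell an operator which step broke. The target is built with string `+`, so a Rootfs ending in `/` produces a doubled separator, and `filepath.Join(mount.Rootfs, lxcfsPath)` handles both that and the empty-Rootfs case. doMount begins before the hunk.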
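Review bot: doUmount unmounts the bare `lxcfsPath` while doMount mounted `mount.Rootfs+lxcfsPath`; if the unmount side is ever invoked with a non-empty Rootfs the two will not name the same mount, so either apply the same prefix or state in a comment that unmount only runs once the container root is at `/`. Matching the error by text with `strings.Contains(err.Error(), "invalid argument")` is fragile: syscall.Unmount returns a syscall.Errno, so `if err != syscall.EINVAL {` expresses the intent (not a mount point, tolerated) directly and cannot drift from the Errno wording. A path that does not exist yields ENOENT and still fails the whole doUmount, which may or may not be wanted for what looks like best-effort cleanup. doUmount begins before the hunk.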
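Review bot: The doc comment `// NsExecMount exec mount in container namespace` still describes the old signature and says nothing about the new rootfs parameter, which is only used as a prefix for the lxcfs cgroup path that doMount remounts read-only and which the two callers pass either as the container rootfs or as an empty string. Replace it with something like `// NsExecMount bind-mounts srcPaths onto destPaths inside the mount namespace of pid and remounts the lxcfs cgroup tree read-only; rootfs is prefixed to that tree's path and is left empty when the namespace root already is the container root.` — the last clause is inferred from the call sites and should be confirmed. rootfs reaches a mount target unvalidated, so stating that an absolute, cleaned path is expected (or cleaning it here) is worthwhile.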
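Review bot: The new `Rootfs` field is undocumented, and nothing on the type says how it relates to SrcPaths and DestPaths — in doMount it is applied only to the lxcfs cgroup path, not to the per-path bind mounts. A field comment such as `// Rootfs is prefixed to the lxcfs cgroup path that is remounted read-only; empty means the namespace root already is the container root.` would save readers a trip through container_work.go; the meaning of the empty value is inferred from the remountcmd.go caller and should be confirmed.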
@@ -254,7 +254,7 @@ func remountToContainer(initMountns, initUserns, containerid string, pid string,
 isulad_lxcfs_log.Errorf("unmount %v for container error: %v", valuePaths, err)
 }
 
- if err := libmount.NsExecMount(pid, valueMountPaths, valuePaths); err != nil {
+ if err := libmount.NsExecMount(pid, "", valueMountPaths, valuePaths); err != nil {
 isulad_lxcfs_log.Errorf("mount %v into container %s error: %v", valueMountPaths, containerid, err)
 return err
 }
-- 
Gitee
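Review bot: This call site passes `""` for rootfs with no explanation, while the prestart hook in execmount.go passes the container rootfs; a reader has to reconstruct from doMount that the lxcfs cgroup path is then resolved directly under the entered namespace's root. A one-line comment, e.g. `// rootfs is empty: the running container's mount namespace already has its root at /`, would make the asymmetry visibly deliberate; that this holds for the remount path is inferred from the two callers and worth confirming. remountToContainer begins before the hunk.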