We use cookies to ensure you get the best experience on our website
Halaman utama Jelajahi Bantuan
Daftar Masuk
0ct0pu5
/
moby
1
0
Fork 0
Berkas Masalah 0 Permintaan Tarik 0 Wiki
Jelajahi Sumber

lxc: Work around lxc-start need for private mounts

lxc-start requires / to be mounted private, otherwise the changes
it does inside the container (both mounts and unmounts) will propagate
out to the host.

We work around this by starting up lxc-start in its own namespace where
we set / to rprivate.

Unfortunately go can't really execute any code between clone and exec,
so we can't do this in a nice way. Instead we have a horrible hack that
use the unshare command, the shell and the mount command...
Alexander Larsson 12 tahun lalu
induk
d80be57c15
melakukan
e40f5c7cb9
2 mengubah file dengan 31 tambahan dan 1 penghapusan
Tampilan Split Tampilkan Statistik Diff
  1. 16 1
      container.go
  2. 15 0
      utils.go

+ 16 - 1
container.go
Tampilan Berkas 

@@ -747,6 +747,7 @@ func (container *Container) Start(hostConfig *HostConfig) error {
 
 	}
 
 
 	params := []string{
 
+		"lxc-start",
 
 		"-n", container.ID,
 
 		"-f", container.lxcConfigPath(),
 
 		"--",
 
@@ -795,7 +796,21 @@ func (container *Container) Start(hostConfig *HostConfig) error {
 
 	params = append(params, "--", container.Path)
 
 	params = append(params, container.Args...)
 
 
-	container.cmd = exec.Command("lxc-start", params...)
 
+	if RootIsShared() {
 
+		// lxc-start really needs / to be private, or all kinds of stuff break
 
+		// What we really want is to clone into a new namespace and then
 
+		// mount / MS_REC|MS_PRIVATE, but since we can't really clone or fork
 
+		// without exec in go we have to do this horrible shell hack...
 
+		shellString :=
 
+			"mount --make-rprivate /; exec " +
 
+			utils.ShellQuoteArguments(params)
 
+
 
+		params = []string{
 
+			"unshare", "-m", "--", "/bin/sh", "-c",	shellString,
 
+		}
 
+	}
 
+
 
+	container.cmd = exec.Command(params[0], params[1:]...)
 
 
 	// Setup logging of stdout and stderr to disk
 
 	if err := container.runtime.LogToDisk(container.stdout, container.logPath("json"), "stdout"); err != nil {

+ 15 - 0
utils.go
Tampilan Berkas 

@@ -2,6 +2,7 @@ package docker
 
 
 import (
 
 	"fmt"
 
+	"io/ioutil"
 
 	"strings"
 
 )
 
 
@@ -167,3 +168,17 @@ func parseLxcOpt(opt string) (string, string, error) {
 
 	}
 
 	return strings.TrimSpace(parts[0]), strings.TrimSpace(parts[1]), nil
 
 }
 
+
 
+func RootIsShared() bool {
 
+	if data, err := ioutil.ReadFile("/proc/self/mountinfo"); err == nil {
 
+		for _, line := range strings.Split(string(data), "\n") {
 
+			cols := strings.Split(line, " ")
 
+			if cols[3] == "/" && cols[4] == "/" {
 
+				return strings.HasPrefix(cols[6], "shared")
 
+			}
 
+		}
 
+	}
 
+
 
+	// No idea, probably safe to assume so
 
+	return true
 
+}

Contact | Legal | Takedown | Status
Self-hosted public services - About
NibbleSpot by 0ct0pu5