From 07802a19dc5475fad17fc29cd87b1ee587d83a8f Mon Sep 17 00:00:00 2001 From: Yushuo Date: Thu, 9 Feb 2023 17:05:06 +0800 Subject: [PATCH] runtime-rs: handle sys_dir bind volume For some cases, users will mount system directories as bind volume. We should not bind mount these kind of directories in the host as it does not make sense. Fixes: #6299 Signed-off-by: Yushuo --- .../crates/resource/src/volume/mod.rs | 1 + .../resource/src/volume/share_fs_volume.rs | 37 +++++++++++++++++++ 2 files changed, 38 insertions(+) diff --git a/src/runtime-rs/crates/resource/src/volume/mod.rs b/src/runtime-rs/crates/resource/src/volume/mod.rs index 7a603c601f..2868ddee37 100644 --- a/src/runtime-rs/crates/resource/src/volume/mod.rs +++ b/src/runtime-rs/crates/resource/src/volume/mod.rs @@ -20,6 +20,7 @@ use crate::share_fs::ShareFs; use self::hugepage::{get_huge_page_limits_map, get_huge_page_option}; const BIND: &str = "bind"; + #[async_trait] pub trait Volume: Send + Sync { fn get_volume_mount(&self) -> Result>; diff --git a/src/runtime-rs/crates/resource/src/volume/share_fs_volume.rs b/src/runtime-rs/crates/resource/src/volume/share_fs_volume.rs index 95bc2edfbf..f3f70424dd 100644 --- a/src/runtime-rs/crates/resource/src/volume/share_fs_volume.rs +++ b/src/runtime-rs/crates/resource/src/volume/share_fs_volume.rs @@ -17,6 +17,8 @@ use super::Volume; use crate::share_fs::{MountedInfo, ShareFs, ShareFsVolumeConfig}; use kata_types::mount; +const SYS_MOUNT_PREFIX: [&str; 2] = ["/proc", "/sys"]; + // copy file to container's rootfs if filesystem sharing is not supported, otherwise // bind mount it in the shared directory. // Ignore /dev, directories and all other device files. We handle @@ -229,6 +231,7 @@ impl Volume for ShareFsVolume { pub(crate) fn is_share_fs_volume(m: &oci::Mount) -> bool { (m.r#type == "bind" || m.r#type == mount::KATA_EPHEMERAL_VOLUME_TYPE) && !is_host_device(&m.destination) + && !is_system_mount(&m.source) } fn is_host_device(dest: &str) -> bool { @@ -252,6 +255,20 @@ fn is_host_device(dest: &str) -> bool { false } +// Skip mounting certain system paths("/sys/*", "/proc/*") +// from source on the host side into the container as it does not +// make sense to do so. +// Agent will support this kind of bind mount. +fn is_system_mount(src: &str) -> bool { + for p in SYS_MOUNT_PREFIX { + let sub_dir_p = format!("{}/", p); + if src == p || src.contains(sub_dir_p.as_str()) { + return true; + } + } + false +} + // Note, don't generate random name, attaching rafs depends on the predictable name. pub fn generate_mount_path(id: &str, file_name: &str) -> String { let mut nid = String::from(id); @@ -265,3 +282,23 @@ pub fn generate_mount_path(id: &str, file_name: &str) -> String { format!("{}-{}-{}", nid, uid, file_name) } + +#[cfg(test)] +mod test { + use super::*; + + #[test] + fn test_is_system_mount() { + let sys_dir = "/sys"; + let proc_dir = "/proc"; + let sys_sub_dir = "/sys/fs/cgroup"; + let proc_sub_dir = "/proc/cgroups"; + let not_sys_dir = "/root"; + + assert!(is_system_mount(sys_dir)); + assert!(is_system_mount(proc_dir)); + assert!(is_system_mount(sys_sub_dir)); + assert!(is_system_mount(proc_sub_dir)); + assert!(!is_system_mount(not_sys_dir)); + } +}