FC: jailer failed when importing new flag "--config-file"

When we used jailer to launch firecracker, kata container failed due to the following causes: 1. new flag `--config-file` belongs to the jailed firecracker, so, adhering to the `end of command options` convention, we need to give `--config-file` a prefix `--`. 2. The path of the config file(`fcConfig.json`) should be also relative to the jailed firecracker. 3. Since we do the configuration before func `fcInit` now, we also need to bring `jailer check` ahead. 4. The config file should be umounted and cleaned up. Fixes: #2362 Signed-off-by: Penny Zheng <penny.zheng@arm.com>
2025-06-25 06:52:13 +00:00 · 2019-12-18 09:02:18 +00:00 · 2019-12-18 09:02:18 +00:00 · 09198eed84
commit 09198eed84
parent a198efcf1d
1 changed files with 15 additions and 6 deletions
--- a/virtcontainers/fc.go
+++ b/virtcontainers/fc.go
@ -303,6 +303,7 @@ func (fc *firecracker) newFireClient() *client.Firecracker {
 func (fc *firecracker) vmRunning() bool {
 	resp, err := fc.client().Operations.DescribeInstance(nil)
 	if err != nil {
+		fc.Logger().WithError(err).Error("getting vm status failed")
 		return false
 	}

@ -380,10 +381,6 @@ func (fc *firecracker) fcInit(timeout int) error {
 	span, _ := fc.trace("fcInit")
 	defer span.Finish()

-	if fc.config.JailerPath != "" {
-		fc.jailed = true
-	}
-
 	// Fetch sandbox network to be able to access it from the sandbox structure.
 	var networkNS NetworkNamespace
 	if fc.store != nil {
@ -417,7 +414,11 @@ func (fc *firecracker) fcInit(timeout int) error {
 	}

 	var cmd *exec.Cmd
-	args := []string{"--config-file", fc.fcConfigPath}
+	var args []string
+
+	if fc.fcConfigPath, err = fc.fcJailResource(fc.fcConfigPath, defaultFcConfig); err != nil {
+		return err
+	}

 	if !fc.config.Debug && fc.stateful {
 		args = append(args, "--daemonize")
@ -442,10 +443,13 @@ func (fc *firecracker) fcInit(timeout int) error {
 		if fc.netNSPath != "" {
 			args = append(args, "--netns", fc.netNSPath)
 		}
+		args = append(args, "--", "--config-file", fc.fcConfigPath)

 		cmd = exec.Command(fc.config.JailerPath, args...)
 	} else {
-		args = append(args, "--api-sock", fc.socketPath)
+		args = append(args,
+			"--api-sock", fc.socketPath,
+			"--config-file", fc.fcConfigPath)
 		cmd = exec.Command(fc.config.HypervisorPath, args...)
 	}

@ -706,6 +710,10 @@ func (fc *firecracker) fcListenToFifo(fifoName string) (string, error) {
 }

 func (fc *firecracker) fcInitConfiguration() error {
+	if fc.config.JailerPath != "" {
+		fc.jailed = true
+	}
+
 	fc.fcSetVMBaseConfig(int64(fc.config.MemorySize),
 		int64(fc.config.NumVCPUs), false)

@ -857,6 +865,7 @@ func (fc *firecracker) cleanupJail() {
 	fc.umountResource(fcRootfs)
 	fc.umountResource(fcLogFifo)
 	fc.umountResource(fcMetricsFifo)
+	fc.umountResource(defaultFcConfig)

 	fc.Logger().WithField("cleaningJail", fc.vmPath).Info()
 	if err := os.RemoveAll(fc.vmPath); err != nil {