github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-06-24 14:32:33 +00:00
Code Issues Projects Releases Wiki Activity

Jailer: re-mount jailerRoot with exec

Browse Source 
The default chrootBaseDir "/run/vc" in many distributions is mounted
with `noexec` flag, which will bring 'permission denied' error
when running kata-containers with jailer.
Therefore, we decided to remount the jailerRoot dir with exec when setting
up a new firecracker sandbox and umount it when cleaning up.

Fixes: #2511

Signed-off-by: Penny Zheng <penny.zheng@arm.com>
This commit is contained in:
Penny Zheng 2020-03-12 08:50:27 +00:00
parent 9d3022a85a
commit 13390df005
2 changed files with 58 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
virtcontainers/fc.go
View File

@ -331,19 +331,7 @@ func (fc *firecracker) fcInit(timeout int) error {
span, _ := fc.trace("fcInit") span, _ := fc.trace("fcInit")
defer span.Finish() defer span.Finish()
// Fetch sandbox network to be able to access it from the sandbox structure. var err error
err := os.MkdirAll(fc.jailerRoot, DirMode)
if err != nil {
return err
}
defer func() {
if err != nil {
if err := os.RemoveAll(fc.vmPath); err != nil {
fc.Logger().WithError(err).Error("Fail to clean up vm directory")
}
}
}()
//FC version set and check //FC version set and check
if fc.info.Version, err = fc.getVersionNumber(); err != nil { if fc.info.Version, err = fc.getVersionNumber(); err != nil {
return err return err
@ -497,6 +485,24 @@ func (fc *firecracker) createJailedDrive(name string) (string, error) {
return r, nil return r, nil
} }
// when running with jailer, firecracker binary will firstly be copied into fc.jailerRoot,
// and then being executed there. Therefore we need to ensure fc.JailerRoot has exec permissions.
func (fc *firecracker) fcRemountJailerRootWithExec() error {
if err := bindMount(context.Background(), fc.jailerRoot, fc.jailerRoot, false, "shared"); err != nil {
fc.Logger().WithField("JailerRoot", fc.jailerRoot).Errorf("bindMount failed: %v", err)
return err
}
// /run is normally mounted with rw, nosuid(MS_NOSUID), relatime(MS_RELATIME), noexec(MS_NOEXEC).
// we re-mount jailerRoot to deliberately leave out MS_NOEXEC.
if err := remount(context.Background(), syscall.MS_NOSUID|syscall.MS_RELATIME, fc.jailerRoot); err != nil {
fc.Logger().WithField("JailerRoot", fc.jailerRoot).Errorf("Re-mount failed: %v", err)
return err
}
return nil
}
func (fc *firecracker) fcJailResource(src, dst string) (string, error) { func (fc *firecracker) fcJailResource(src, dst string) (string, error) {
if src == "" || dst == "" { if src == "" || dst == "" {
return "", fmt.Errorf("fcJailResource: invalid jail locations: src:%v, dst:%v", return "", fmt.Errorf("fcJailResource: invalid jail locations: src:%v, dst:%v",
@ -645,8 +651,23 @@ func (fc *firecracker) fcListenToFifo(fifoName string) (string, error) {
} }
func (fc *firecracker) fcInitConfiguration() error { func (fc *firecracker) fcInitConfiguration() error {
err := os.MkdirAll(fc.jailerRoot, DirMode)
if err != nil {
return err
}
defer func() {
if err != nil {
if err := os.RemoveAll(fc.vmPath); err != nil {
fc.Logger().WithError(err).Error("Fail to clean up vm directory")
}
}
}()
if fc.config.JailerPath != "" { if fc.config.JailerPath != "" {
fc.jailed = true fc.jailed = true
if err := fc.fcRemountJailerRootWithExec(); err != nil {
return nil
}
} }
fc.fcSetVMBaseConfig(int64(fc.config.MemorySize), fc.fcSetVMBaseConfig(int64(fc.config.MemorySize),
@ -801,6 +822,12 @@ func (fc *firecracker) cleanupJail() {
fc.umountResource(fcLogFifo) fc.umountResource(fcLogFifo)
fc.umountResource(fcMetricsFifo) fc.umountResource(fcMetricsFifo)
fc.umountResource(defaultFcConfig) fc.umountResource(defaultFcConfig)
// if running with jailer, we also need to umount fc.jailerRoot
if fc.config.JailerPath != "" {
if err := syscall.Unmount(fc.jailerRoot, syscall.MNT_DETACH); err != nil {
fc.Logger().WithField("JailerRoot", fc.jailerRoot).WithError(err).Error("Failed to umount")
}
}
fc.Logger().WithField("cleaningJail", fc.vmPath).Info() fc.Logger().WithField("cleaningJail", fc.vmPath).Info()
if err := os.RemoveAll(fc.vmPath); err != nil { if err := os.RemoveAll(fc.vmPath); err != nil {

18
virtcontainers/mount.go
View File

@ -309,6 +309,24 @@ func bindMount(ctx context.Context, source, destination string, readonly bool, p
return nil return nil
} }
// An existing mount may be remounted by specifying `MS_REMOUNT` in
// mountflags.
// This allows you to change the mountflags of an existing mount.
// The mountflags should match the values used in the original mount() call,
// except for those parameters that you are trying to change.
func remount(ctx context.Context, mountflags uintptr, src string) error {
absSrc, err := filepath.EvalSymlinks(src)
if err != nil {
return fmt.Errorf("Could not resolve symlink for %s", src)
}
if err := syscall.Mount(absSrc, absSrc, "", syscall.MS_REMOUNT|mountflags, ""); err != nil {
return fmt.Errorf("remount %s failed: %v", absSrc, err)
}
return nil
}
// bindMountContainerRootfs bind mounts a container rootfs into a 9pfs shared // bindMountContainerRootfs bind mounts a container rootfs into a 9pfs shared
// directory between the guest and the host. // directory between the guest and the host.
func bindMountContainerRootfs(ctx context.Context, sharedDir, sandboxID, cID, cRootFs string, readonly bool) error { func bindMountContainerRootfs(ctx context.Context, sharedDir, sandboxID, cID, cRootFs string, readonly bool) error {