github/kata-containers
1
0
Fork 2
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-09-17 14:58:16 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #8760 from fadecoder/reduce_go_runtime_mounts

Browse Source 
runtime: Reduce the mount points with namespace isolation
This commit is contained in:
Wenyuan Liu
2024-02-02 16:54:44 +08:00
committed by GitHub
parent d1a26ead94 9317e23df1
commit cb888516c1
1 changed files with 25 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
src/runtime/pkg/containerd-shim-v2/service.go
View File

@@ -191,6 +191,27 @@ func newCommand(ctx context.Context, id, containerdBinary, containerdAddress str
return cmd, nil return cmd, nil
} }
func setupMntNs() error {
err := unix.Unshare(unix.CLONE_NEWNS)
if err != nil {
return err
}
err = unix.Mount("", "/", "", unix.MS_REC|unix.MS_SLAVE, "")
if err != nil {
err = fmt.Errorf("failed to mount with slave: %v", err)
return err
}
err = unix.Mount("", "/", "", unix.MS_REC|unix.MS_SHARED, "")
if err != nil {
err = fmt.Errorf("failed to mount with shared: %v", err)
return err
}
return nil
}
// StartShim is a binary call that starts a kata shimv2 service which will // StartShim is a binary call that starts a kata shimv2 service which will
// implement the ShimV2 APIs such as create/start/update etc containers. // implement the ShimV2 APIs such as create/start/update etc containers.
func (s *service) StartShim(ctx context.Context, opts cdshim.StartOpts) (_ string, retErr error) { func (s *service) StartShim(ctx context.Context, opts cdshim.StartOpts) (_ string, retErr error) {
@@ -255,6 +276,10 @@ func (s *service) StartShim(ctx context.Context, opts cdshim.StartOpts) (_ strin
} }
} }
if err := setupMntNs(); err != nil {
return "", err
}
if err := cmd.Start(); err != nil { if err := cmd.Start(); err != nil {
return "", err return "", err
} }