github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

Merge pull request #851 from yanxuean/support-no-pivot

Browse Source 
support no_pivot option for runc
This commit is contained in:
Lantao Liu 2018-07-19 20:31:38 -07:00 committed by GitHub
commit 42a98de252
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 17 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
docs/config.md
View File

@ -38,6 +38,9 @@ The explanation and default value of each configuration item are as follows:
# snapshotter is the snapshotter used by containerd. # snapshotter is the snapshotter used by containerd.
snapshotter = "overlayfs" snapshotter = "overlayfs"
# no_pivot disables pivot-root (linux only), required when running a container in a RamDisk with runc
no_pivot = false
# "plugins.cri.containerd.default_runtime" is the runtime to use in containerd. # "plugins.cri.containerd.default_runtime" is the runtime to use in containerd.
[plugins.cri.containerd.default_runtime] [plugins.cri.containerd.default_runtime]
# runtime_type is the runtime type to use in containerd e.g. io.containerd.runtime.v1.linux # runtime_type is the runtime type to use in containerd e.g. io.containerd.runtime.v1.linux

3
pkg/config/config.go
View File

@ -37,6 +37,8 @@ type ContainerdConfig struct {
DefaultRuntime Runtime `toml:"default_runtime" json:"defaultRuntime"` DefaultRuntime Runtime `toml:"default_runtime" json:"defaultRuntime"`
// UntrustedWorkloadRuntime is a runtime to run untrusted workloads on it. // UntrustedWorkloadRuntime is a runtime to run untrusted workloads on it.
UntrustedWorkloadRuntime Runtime `toml:"untrusted_workload_runtime" json:"untrustedWorkloadRuntime"` UntrustedWorkloadRuntime Runtime `toml:"untrusted_workload_runtime" json:"untrustedWorkloadRuntime"`
// NoPivot disables pivot-root (linux only), required when running a container in a RamDisk with runc
NoPivot bool `toml:"no_pivot" json:"noPivot"`
} }
// CniConfig contains toml config related to cni // CniConfig contains toml config related to cni
@ -148,6 +150,7 @@ func DefaultConfig() PluginConfig {
Engine: "", Engine: "",
Root: "", Root: "",
}, },
NoPivot: false,
}, },
StreamServerAddress: "", StreamServerAddress: "",
StreamServerPort: "10010", StreamServerPort: "10010",

6
pkg/server/container_start.go
View File

@ -108,7 +108,11 @@ func (c *criService) startContainer(ctx context.Context,
return cntr.IO, nil return cntr.IO, nil
} }
task, err := container.NewTask(ctx, ioCreation) var taskOpts []containerd.NewTaskOpts
if c.config.NoPivot {
taskOpts = append(taskOpts, containerd.WithNoPivotRoot)
}
task, err := container.NewTask(ctx, ioCreation, taskOpts...)
if err != nil { if err != nil {
return errors.Wrap(err, "failed to create containerd task") return errors.Wrap(err, "failed to create containerd task")
} }

7
pkg/server/sandbox_run.go
View File

@ -293,8 +293,13 @@ func (c *criService) RunPodSandbox(ctx context.Context, r *runtime.RunPodSandbox
// Create sandbox task in containerd. // Create sandbox task in containerd.
log.Tracef("Create sandbox container (id=%q, name=%q).", log.Tracef("Create sandbox container (id=%q, name=%q).",
id, name) id, name)
var taskOpts []containerd.NewTaskOpts
if c.config.NoPivot {
taskOpts = append(taskOpts, containerd.WithNoPivotRoot)
}
// We don't need stdio for sandbox container. // We don't need stdio for sandbox container.
task, err := container.NewTask(ctx, containerdio.NullIO) task, err := container.NewTask(ctx, containerdio.NullIO, taskOpts...)
if err != nil { if err != nil {
return status, errors.Wrap(err, "failed to create containerd task") return status, errors.Wrap(err, "failed to create containerd task")
} }