diff --git a/cmd/containerd-stress/main.go b/cmd/containerd-stress/main.go
index 4d236dcaf..ab48f8a19 100644
--- a/cmd/containerd-stress/main.go
+++ b/cmd/containerd-stress/main.go
@@ -211,8 +211,8 @@ func (w *worker) runContainer(ctx context.Context, id string) error {
 // fix up cgroups path for a default config
 w.spec.Linux.CgroupsPath = filepath.Join("/", "stress", id)
 c, err := w.client.NewContainer(ctx, id,
- containerd.WithSpec(w.spec),
 containerd.WithNewSnapshot(id, w.image),
+ containerd.WithSpec(w.spec, oci.WithUsername("games")),
 )
 if err != nil {
 return err
diff --git a/linux/bundle.go b/linux/bundle.go
index 136f2ccb7..629d7f5bf 100644
--- a/linux/bundle.go
+++ b/linux/bundle.go
@@ -75,10 +75,10 @@ type bundle struct {
 type ShimOpt func(*bundle, string, *runctypes.RuncOptions) (shim.Config, client.Opt)
 
 // ShimRemote is a ShimOpt for connecting and starting a remote shim
-func ShimRemote(shimBinary, daemonAddress, cgroup string, nonewns, debug bool, exitHandler func()) ShimOpt {
+func ShimRemote(shimBinary, daemonAddress, cgroup string, debug bool, exitHandler func()) ShimOpt {
 return func(b *bundle, ns string, ropts *runctypes.RuncOptions) (shim.Config, client.Opt) {
 return b.shimConfig(ns, ropts),
- client.WithStart(shimBinary, b.shimAddress(ns), daemonAddress, cgroup, nonewns, debug, exitHandler)
+ client.WithStart(shimBinary, b.shimAddress(ns), daemonAddress, cgroup, debug, exitHandler)
 }
 }
 
diff --git a/linux/runtime.go b/linux/runtime.go
index 1ffaca11d..c2f964184 100644
--- a/linux/runtime.go
+++ b/linux/runtime.go
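Review bot: In the cmd/containerd-stress/main.go hunk the new `containerd.WithSpec(w.spec, oci.WithUsername("games"))` is moved after `containerd.WithNewSnapshot(id, w.image)` with nothing saying why the order changed; if the Linux WithUsername resolves the name inside the image rootfs (only the Windows variant is visible in this diff, so I am inferring), the snapshot has to exist before the spec option runs, and that ordering dependency deserves an inline comment such as `// WithNewSnapshot must come before WithSpec: WithUsername needs the rootfs to resolve the user`. The stress tool also hard-codes the user "games", which presumably makes container creation fail on images that lack such an entry; stating the expected image, or exposing the user as a flag, would make that failure mode explicit. runContainer continues outside the hunk.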
@@ -78,17 +78,6 @@ type Config struct {
 NoShim bool `toml:"no_shim"`
 // Debug enable debug on the shim
 ShimDebug bool `toml:"shim_debug"`
- // ShimNoMountNS prevents the runtime from putting shims into their own mount namespace.
- //
- // Putting the shim in its own mount namespace ensure that any mounts made
- // by it in order to get the task rootfs ready will be undone regardless
- // on how the shim dies.
- //
- // NOTE: This should only be used in kernel older than 3.18 to avoid shims
- // from causing a DoS in their parent namespace due to having a copy of
- // mounts previously there which would prevent unlink, rename and remove
- // operations on those mountpoints.
- ShimNoMountNS bool `toml:"shim_no_newns"`
 }
 
 // New returns a configured runtime
@@ -226,8 +215,7 @@ func (r *Runtime) Create(ctx context.Context, id string, opts runtime.CreateOpts
 }).Warn("failed to clen up after killed shim")
 }
 }
- shimopt = ShimRemote(r.config.Shim, r.address, cgroup,
- r.config.ShimNoMountNS, r.config.ShimDebug, exitHandler)
+ shimopt = ShimRemote(r.config.Shim, r.address, cgroup, r.config.ShimDebug, exitHandler)
 }
 
 s, err := bundle.NewShimClient(ctx, namespace, shimopt, ropts)
diff --git a/linux/shim/client/client.go b/linux/shim/client/client.go
index db59e2cee..1fb949e1d 100644
--- a/linux/shim/client/client.go
+++ b/linux/shim/client/client.go
@@ -34,7 +34,7 @@ var empty = &ptypes.Empty{}
 type Opt func(context.Context, shim.Config) (shimapi.ShimService, io.Closer, error)
 
 // WithStart executes a new shim process
-func WithStart(binary, address, daemonAddress, cgroup string, nonewns, debug bool, exitHandler func()) Opt {
+func WithStart(binary, address, daemonAddress, cgroup string, debug bool, exitHandler func()) Opt {
 return func(ctx context.Context, config shim.Config) (_ shimapi.ShimService, _ io.Closer, err error) {
 socket, err := newSocket(address)
 if err != nil {
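Review bot: The new single-line `shimopt = ShimRemote(r.config.Shim, r.address, cgroup, r.config.ShimDebug, exitHandler)` in linux/runtime.go drops the `ShimNoMountNS` input, and the earlier hunk in the same file removes the field together with its `shim_no_newns` TOML key without any deprecation path; a config file that still sets `shim_no_newns` will, depending on how the TOML is decoded, either be silently accepted with the key ignored or rejected as unknown, and in neither case does the operator learn that the mount-namespace behaviour the old doc comment described is gone. A line in the Config doc comment, e.g. `// shim_no_newns is no longer read: shims now share the daemon's mount namespace.`, or a startup warning when the key is still present, would make the change visible. Create continues outside the hunk.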
@@ -47,7 +47,7 @@ func WithStart(binary, address, daemonAddress, cgroup string, nonewns, debug boo
 }
 defer f.Close()
 
- cmd := newCommand(binary, daemonAddress, nonewns, debug, config, f)
+ cmd := newCommand(binary, daemonAddress, debug, config, f)
 ec, err := reaper.Default.Start(cmd)
 if err != nil {
 return nil, nil, errors.Wrapf(err, "failed to start shim")
@@ -87,7 +87,7 @@ func WithStart(binary, address, daemonAddress, cgroup string, nonewns, debug boo
 }
 }
 
-func newCommand(binary, daemonAddress string, nonewns, debug bool, config shim.Config, socket *os.File) *exec.Cmd {
+func newCommand(binary, daemonAddress string, debug bool, config shim.Config, socket *os.File) *exec.Cmd {
 selfExe, err := os.Executable()
 if err != nil {
 panic(err)
@@ -117,7 +117,7 @@ func newCommand(binary, daemonAddress string, nonewns, debug bool, config shim.C
 // make sure the shim can be re-parented to system init
 // and is cloned in a new mount namespace because the overlay/filesystems
 // will be mounted by the shim
- cmd.SysProcAttr = getSysProcAttr(nonewns)
+ cmd.SysProcAttr = getSysProcAttr()
 cmd.ExtraFiles = append(cmd.ExtraFiles, socket)
 if debug {
 cmd.Stdout = os.Stdout
diff --git a/linux/shim/client/client_linux.go b/linux/shim/client/client_linux.go
index 03ebba00c..3125541ed 100644
--- a/linux/shim/client/client_linux.go
+++ b/linux/shim/client/client_linux.go
@@ -10,14 +10,10 @@ import (
 "github.com/pkg/errors"
 )
 
-func getSysProcAttr(nonewns bool) *syscall.SysProcAttr {
- attr := syscall.SysProcAttr{
+func getSysProcAttr() *syscall.SysProcAttr {
+ return &syscall.SysProcAttr{
 Setpgid: true,
 }
- if !nonewns {
- attr.Cloneflags = syscall.CLONE_NEWNS
- }
- return &attr
 }
 
 func setCgroup(cgroupPath string, cmd *exec.Cmd) error {
diff --git a/linux/shim/client/client_unix.go b/linux/shim/client/client_unix.go
index b34cf4d36..0a24ce45f 100644
--- a/linux/shim/client/client_unix.go
+++ b/linux/shim/client/client_unix.go
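Review bot: The comment kept above the new `cmd.SysProcAttr = getSysProcAttr()` in linux/shim/client/client.go still says the shim "is cloned in a new mount namespace because the overlay/filesystems will be mounted by the shim", but the client_linux.go hunk in this diff removes the only place CLONE_NEWNS was set, so the comment now describes behaviour the code no longer has. Without CLONE_NEWNS the shim shares the daemon's mount namespace, which is exactly the situation the removed Config doc comment warned about: rootfs mounts the shim makes are no longer undone by namespace teardown if the shim dies without cleaning up, and from this diff alone I cannot tell what now guarantees their removal. Replace the three comment lines with something that states the new contract, e.g. `// make sure the shim can be re-parented to system init. The shim shares the daemon's mount namespace, so any rootfs mounts it makes must be unmounted explicitly when the task is deleted or the shim exits.`, naming the cleanup path if one exists. newCommand starts and ends outside the hunk.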
@@ -7,7 +7,7 @@ import (
 "syscall"
 )
 
-func getSysProcAttr(nonewns bool) *syscall.SysProcAttr {
+func getSysProcAttr() *syscall.SysProcAttr {
 return &syscall.SysProcAttr{
 Setpgid: true,
 }
diff --git a/oci/spec_opts_windows.go b/oci/spec_opts_windows.go
index 3605f8e48..796ad5598 100644
--- a/oci/spec_opts_windows.go
+++ b/oci/spec_opts_windows.go
@@ -60,3 +60,11 @@ func WithTTY(width, height int) SpecOpts {
 return nil
 }
 }
+
+// WithUsername sets the username on the process
+func WithUsername(username string) SpecOpts {
+ return func(ctx context.Context, client Client, c *containers.Container, s *specs.Spec) error {
+ s.Process.User.Username = username
+ return nil
+ }
+}
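Review bot: The new WithUsername in oci/spec_opts_windows.go writes `s.Process.User.Username = username` without checking `s.Process`, so applying it to a spec whose Process block has not been filled in panics inside the option rather than returning an error; whether the sibling options in this file guard against that is not visible here (only the tail of WithTTY is in the hunk). Either add `if s.Process == nil { s.Process = &specs.Process{} }` before the assignment, or make the precondition part of the doc comment, e.g. `// WithUsername sets the username on the process. The spec must already carry a Process block, as the default spec does.`. Since this is the windows-tagged file and the same commit calls oci.WithUsername from the Linux-side stress tool, the doc comment would also help readers by pointing at the Linux counterpart, if one exists.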