From 0cc79a6ff6f340907b57974f0992fe9689d42ff2 Mon Sep 17 00:00:00 2001
From: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
Date: Mon, 8 Jan 2018 18:35:02 -0800
Subject: [PATCH] Add no-pivot flag to ctr

Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
---
 cmd/ctr/commands/run/run.go             |  3 ++-
 cmd/ctr/commands/run/run_unix.go        | 10 ++++++++++
 cmd/ctr/commands/run/run_windows.go     |  4 ++++
 cmd/ctr/commands/tasks/start.go         |  8 +++++---
 cmd/ctr/commands/tasks/tasks_unix.go    | 22 +++++++++++++++++++---
 cmd/ctr/commands/tasks/tasks_windows.go |  7 ++++++-
 container_opts_unix.go                  | 17 +++++++++++++++++
 7 files changed, 63 insertions(+), 8 deletions(-)

diff --git a/cmd/ctr/commands/run/run.go b/cmd/ctr/commands/run/run.go
index 6dc25a26c..c1990cc20 100644
--- a/cmd/ctr/commands/run/run.go
+++ b/cmd/ctr/commands/run/run.go
@@ -199,7 +199,8 @@ var Command = cli.Command{
 		if context.Bool("rm") && !detach {
 			defer container.Delete(ctx, containerd.WithSnapshotCleanup)
 		}
-		task, err := tasks.NewTask(ctx, client, container, context.String("checkpoint"), tty, context.Bool("null-io"))
+		opts := getNewTaskOpts(context)
+		task, err := tasks.NewTask(ctx, client, container, context.String("checkpoint"), tty, context.Bool("null-io"), opts...)
 		if err != nil {
 			return err
 		}
diff --git a/cmd/ctr/commands/run/run_unix.go b/cmd/ctr/commands/run/run_unix.go
index 3facf7ad5..bf25092a2 100644
--- a/cmd/ctr/commands/run/run_unix.go
+++ b/cmd/ctr/commands/run/run_unix.go
@@ -16,6 +16,9 @@ func init() {
 	Command.Flags = append(Command.Flags, cli.BoolFlag{
 		Name:  "rootfs",
 		Usage: "use custom rootfs that is not managed by containerd snapshotter",
+	}, cli.BoolFlag{
+		Name:  "no-pivot",
+		Usage: "disable use of pivot-root (linux only)",
 	})
 }
 
@@ -75,3 +78,10 @@ func newContainer(ctx gocontext.Context, client *containerd.Client, context *cli
 	cOpts = append([]containerd.NewContainerOpts{containerd.WithNewSpec(opts...)}, cOpts...)
 	return client.NewContainer(ctx, id, cOpts...)
 }
+
+func getNewTaskOpts(context *cli.Context) []containerd.NewTaskOpts {
+	if context.Bool("no-pivot") {
+		return []containerd.NewTaskOpts{containerd.WithNoPivotRoot}
+	}
+	return nil
+}
diff --git a/cmd/ctr/commands/run/run_windows.go b/cmd/ctr/commands/run/run_windows.go
index a85d16a4f..a8eff9381 100644
--- a/cmd/ctr/commands/run/run_windows.go
+++ b/cmd/ctr/commands/run/run_windows.go
@@ -82,3 +82,7 @@ func newContainer(ctx gocontext.Context, client *containerd.Client, context *cli
 		// TODO(mlaventure): containerd.WithImage(image),
 	)
 }
+
+func getNewTaskOpts(_ *cli.Context) []containerd.NewTaskOpts {
+	return nil
+}
diff --git a/cmd/ctr/commands/tasks/start.go b/cmd/ctr/commands/tasks/start.go
index df09a9b9a..0fe8f0699 100644
--- a/cmd/ctr/commands/tasks/start.go
+++ b/cmd/ctr/commands/tasks/start.go
@@ -41,9 +41,11 @@ var startCommand = cli.Command{
 			return err
 		}
 
-		tty := spec.Process.Terminal
-
-		task, err := NewTask(ctx, client, container, "", tty, context.Bool("null-io"))
+		var (
+			tty  = spec.Process.Terminal
+			opts = getNewTaskOpts(context)
+		)
+		task, err := NewTask(ctx, client, container, "", tty, context.Bool("null-io"), opts...)
 		if err != nil {
 			return err
 		}
diff --git a/cmd/ctr/commands/tasks/tasks_unix.go b/cmd/ctr/commands/tasks/tasks_unix.go
index 2a1d5e832..89be7afee 100644
--- a/cmd/ctr/commands/tasks/tasks_unix.go
+++ b/cmd/ctr/commands/tasks/tasks_unix.go
@@ -12,9 +12,17 @@ import (
 	"github.com/containerd/containerd/cio"
 	"github.com/containerd/containerd/log"
 	"github.com/pkg/errors"
+	"github.com/urfave/cli"
 	"golang.org/x/sys/unix"
 )
 
+func init() {
+	startCommand.Flags = append(startCommand.Flags, cli.BoolFlag{
+		Name:  "no-pivot",
+		Usage: "disable use of pivot-root (linux only)",
+	})
+}
+
 // HandleConsoleResize resizes the console
 func HandleConsoleResize(ctx gocontext.Context, task resizer, con console.Console) error {
 	// do an initial resize of the console
@@ -43,7 +51,7 @@ func HandleConsoleResize(ctx gocontext.Context, task resizer, con console.Consol
 }
 
 // NewTask creates a new task
-func NewTask(ctx gocontext.Context, client *containerd.Client, container containerd.Container, checkpoint string, tty, nullIO bool) (containerd.Task, error) {
+func NewTask(ctx gocontext.Context, client *containerd.Client, container containerd.Container, checkpoint string, tty, nullIO bool, opts ...containerd.NewTaskOpts) (containerd.Task, error) {
 	stdio := cio.NewCreator(cio.WithStdio)
 	if checkpoint == "" {
 		ioCreator := stdio
@@ -56,11 +64,19 @@ func NewTask(ctx gocontext.Context, client *containerd.Client, container contain
 			}
 			ioCreator = cio.NullIO
 		}
-		return container.NewTask(ctx, ioCreator)
+		return container.NewTask(ctx, ioCreator, opts...)
 	}
 	im, err := client.GetImage(ctx, checkpoint)
 	if err != nil {
 		return nil, err
 	}
-	return container.NewTask(ctx, stdio, containerd.WithTaskCheckpoint(im))
+	opts = append(opts, containerd.WithTaskCheckpoint(im))
+	return container.NewTask(ctx, stdio, opts...)
+}
+
+func getNewTaskOpts(context *cli.Context) []containerd.NewTaskOpts {
+	if context.Bool("no-pivot") {
+		return []containerd.NewTaskOpts{containerd.WithNoPivotRoot}
+	}
+	return nil
 }
diff --git a/cmd/ctr/commands/tasks/tasks_windows.go b/cmd/ctr/commands/tasks/tasks_windows.go
index 93ca166e1..843ac72bf 100644
--- a/cmd/ctr/commands/tasks/tasks_windows.go
+++ b/cmd/ctr/commands/tasks/tasks_windows.go
@@ -9,6 +9,7 @@ import (
 	"github.com/containerd/containerd/cio"
 	"github.com/containerd/containerd/log"
 	"github.com/pkg/errors"
+	"github.com/urfave/cli"
 )
 
 // HandleConsoleResize resizes the console
@@ -41,7 +42,7 @@ func HandleConsoleResize(ctx gocontext.Context, task resizer, con console.Consol
 }
 
 // NewTask creates a new task
-func NewTask(ctx gocontext.Context, client *containerd.Client, container containerd.Container, _ string, tty, nullIO bool) (containerd.Task, error) {
+func NewTask(ctx gocontext.Context, client *containerd.Client, container containerd.Container, _ string, tty, nullIO bool, opts ...containerd.NewTaskOpts) (containerd.Task, error) {
 	ioCreator := cio.NewCreator(cio.WithStdio)
 	if tty {
 		ioCreator = cio.NewCreator(cio.WithStdio, cio.WithTerminal)
@@ -54,3 +55,7 @@ func NewTask(ctx gocontext.Context, client *containerd.Client, container contain
 	}
 	return container.NewTask(ctx, ioCreator)
 }
+
+func getNewTaskOpts(_ *cli.Context) []containerd.NewTaskOpts {
+	return nil
+}
diff --git a/container_opts_unix.go b/container_opts_unix.go
index 9d5225a91..deda0f70f 100644
--- a/container_opts_unix.go
+++ b/container_opts_unix.go
@@ -15,6 +15,7 @@ import (
 	"github.com/containerd/containerd/content"
 	"github.com/containerd/containerd/errdefs"
 	"github.com/containerd/containerd/images"
+	"github.com/containerd/containerd/linux/runctypes"
 	"github.com/containerd/containerd/mount"
 	"github.com/containerd/containerd/platforms"
 	"github.com/gogo/protobuf/proto"
@@ -205,3 +206,19 @@ func incrementFS(root string, uidInc, gidInc uint32) filepath.WalkFunc {
 		return os.Lchown(path, u, g)
 	}
 }
+
+// WithNoPivotRoot instructs the runtime not to you pivot_root
+func WithNoPivotRoot(_ context.Context, _ *Client, info *TaskInfo) error {
+	if info.Options == nil {
+		info.Options = &runctypes.CreateOptions{
+			NoPivotRoot: true,
+		}
+		return nil
+	}
+	copts, ok := info.Options.(*runctypes.CreateOptions)
+	if !ok {
+		return errors.New("invalid options type, expected runctypes.CreateOptions")
+	}
+	copts.NoPivotRoot = true
+	return nil
+}