Merge pull request #1978 from mlaventure/ctr-no-pivot-root

Add no-pivot flag to ctr

cmd/ctr/commands/run/run.go

@@ -199,7 +199,8 @@ var Command = cli.Command{
 		if context.Bool("rm") && !detach {
 			defer container.Delete(ctx, containerd.WithSnapshotCleanup)
 		}
-		task, err := tasks.NewTask(ctx, client, container, context.String("checkpoint"), tty, context.Bool("null-io"))
+		opts := getNewTaskOpts(context)
+		task, err := tasks.NewTask(ctx, client, container, context.String("checkpoint"), tty, context.Bool("null-io"), opts...)
 		if err != nil {
 			return err
 		}

cmd/ctr/commands/run/run_unix.go

@@ -16,6 +16,9 @@ func init() {
 	Command.Flags = append(Command.Flags, cli.BoolFlag{
 		Name:  "rootfs",
 		Usage: "use custom rootfs that is not managed by containerd snapshotter",
+	}, cli.BoolFlag{
+		Name:  "no-pivot",
+		Usage: "disable use of pivot-root (linux only)",
 	})
 }
 
@@ -75,3 +78,10 @@ func newContainer(ctx gocontext.Context, client *containerd.Client, context *cli
 	cOpts = append([]containerd.NewContainerOpts{containerd.WithNewSpec(opts...)}, cOpts...)
 	return client.NewContainer(ctx, id, cOpts...)
 }
+
+func getNewTaskOpts(context *cli.Context) []containerd.NewTaskOpts {
+	if context.Bool("no-pivot") {
+		return []containerd.NewTaskOpts{containerd.WithNoPivotRoot}
+	}
+	return nil
+}

cmd/ctr/commands/run/run_windows.go

@@ -82,3 +82,7 @@ func newContainer(ctx gocontext.Context, client *containerd.Client, context *cli
 		// TODO(mlaventure): containerd.WithImage(image),
 	)
 }
+
+func getNewTaskOpts(_ *cli.Context) []containerd.NewTaskOpts {
+	return nil
+}

cmd/ctr/commands/tasks/start.go

@@ -41,9 +41,11 @@ var startCommand = cli.Command{
 			return err
 		}
 
-		tty := spec.Process.Terminal
-
-		task, err := NewTask(ctx, client, container, "", tty, context.Bool("null-io"))
+		var (
+			tty  = spec.Process.Terminal
+			opts = getNewTaskOpts(context)
+		)
+		task, err := NewTask(ctx, client, container, "", tty, context.Bool("null-io"), opts...)
 		if err != nil {
 			return err
 		}

cmd/ctr/commands/tasks/tasks_unix.go

@@ -12,9 +12,17 @@ import (
 	"github.com/containerd/containerd/cio"
 	"github.com/containerd/containerd/log"
 	"github.com/pkg/errors"
+	"github.com/urfave/cli"
 	"golang.org/x/sys/unix"
 )
 
+func init() {
+	startCommand.Flags = append(startCommand.Flags, cli.BoolFlag{
+		Name:  "no-pivot",
+		Usage: "disable use of pivot-root (linux only)",
+	})
+}
+
 // HandleConsoleResize resizes the console
 func HandleConsoleResize(ctx gocontext.Context, task resizer, con console.Console) error {
 	// do an initial resize of the console
@@ -43,7 +51,7 @@ func HandleConsoleResize(ctx gocontext.Context, task resizer, con console.Consol
 }
 
 // NewTask creates a new task
-func NewTask(ctx gocontext.Context, client *containerd.Client, container containerd.Container, checkpoint string, tty, nullIO bool) (containerd.Task, error) {
+func NewTask(ctx gocontext.Context, client *containerd.Client, container containerd.Container, checkpoint string, tty, nullIO bool, opts ...containerd.NewTaskOpts) (containerd.Task, error) {
 	stdio := cio.NewCreator(cio.WithStdio)
 	if checkpoint == "" {
 		ioCreator := stdio
@@ -56,11 +64,19 @@ func NewTask(ctx gocontext.Context, client *containerd.Client, container contain
 			}
 			ioCreator = cio.NullIO
 		}
-		return container.NewTask(ctx, ioCreator)
+		return container.NewTask(ctx, ioCreator, opts...)
 	}
 	im, err := client.GetImage(ctx, checkpoint)
 	if err != nil {
 		return nil, err
 	}
-	return container.NewTask(ctx, stdio, containerd.WithTaskCheckpoint(im))
+	opts = append(opts, containerd.WithTaskCheckpoint(im))
+	return container.NewTask(ctx, stdio, opts...)
+}
+
+func getNewTaskOpts(context *cli.Context) []containerd.NewTaskOpts {
+	if context.Bool("no-pivot") {
+		return []containerd.NewTaskOpts{containerd.WithNoPivotRoot}
+	}
+	return nil
 }

cmd/ctr/commands/tasks/tasks_windows.go

@@ -9,6 +9,7 @@ import (
 	"github.com/containerd/containerd/cio"
 	"github.com/containerd/containerd/log"
 	"github.com/pkg/errors"
+	"github.com/urfave/cli"
 )
 
 // HandleConsoleResize resizes the console
@@ -41,7 +42,7 @@ func HandleConsoleResize(ctx gocontext.Context, task resizer, con console.Consol
 }
 
 // NewTask creates a new task
-func NewTask(ctx gocontext.Context, client *containerd.Client, container containerd.Container, _ string, tty, nullIO bool) (containerd.Task, error) {
+func NewTask(ctx gocontext.Context, client *containerd.Client, container containerd.Container, _ string, tty, nullIO bool, opts ...containerd.NewTaskOpts) (containerd.Task, error) {
 	ioCreator := cio.NewCreator(cio.WithStdio)
 	if tty {
 		ioCreator = cio.NewCreator(cio.WithStdio, cio.WithTerminal)
@@ -54,3 +55,7 @@ func NewTask(ctx gocontext.Context, client *containerd.Client, container contain
 	}
 	return container.NewTask(ctx, ioCreator)
 }
+
+func getNewTaskOpts(_ *cli.Context) []containerd.NewTaskOpts {
+	return nil
+}

container_opts_unix.go

@@ -15,6 +15,7 @@ import (
 	"github.com/containerd/containerd/content"
 	"github.com/containerd/containerd/errdefs"
 	"github.com/containerd/containerd/images"
+	"github.com/containerd/containerd/linux/runctypes"
 	"github.com/containerd/containerd/mount"
 	"github.com/containerd/containerd/platforms"
 	"github.com/gogo/protobuf/proto"
@@ -205,3 +206,19 @@ func incrementFS(root string, uidInc, gidInc uint32) filepath.WalkFunc {
 		return os.Lchown(path, u, g)
 	}
 }
+
+// WithNoPivotRoot instructs the runtime not to you pivot_root
+func WithNoPivotRoot(_ context.Context, _ *Client, info *TaskInfo) error {
+	if info.Options == nil {
+		info.Options = &runctypes.CreateOptions{
+			NoPivotRoot: true,
+		}
+		return nil
+	}
+	copts, ok := info.Options.(*runctypes.CreateOptions)
+	if !ok {
+		return errors.New("invalid options type, expected runctypes.CreateOptions")
+	}
+	copts.NoPivotRoot = true
+	return nil
+}