Fix privileged container sysfs can't be rw because pod is ro by default

Signed-off-by: fengwei0328 <feng.wei8@zte.com.cn>
2025-01-17 14:29:53 +08:00
parent 67bb32a8b2
commit c7f64196fc
3 changed files with 120 additions and 0 deletions
--- a/internal/cri/server/podsandbox/sandbox_run.go
+++ b/internal/cri/server/podsandbox/sandbox_run.go
@@ -20,6 +20,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"path/filepath"

 	"github.com/containerd/log"
 	"github.com/containerd/nri"
@@ -136,6 +137,7 @@ func (c *Controller) Start(ctx context.Context, id string) (cin sandbox.Controll
 	if err != nil {
 		return cin, fmt.Errorf("failed to generate sandbox container spec: %w", err)
 	}
+
 	log.G(ctx).WithField("podsandboxid", id).Debugf("sandbox container spec: %#+v", spew.NewFormatter(spec))

 	metadata.ProcessLabel = spec.Process.SelinuxLabel
@@ -155,6 +157,18 @@ func (c *Controller) Start(ctx context.Context, id string) (cin sandbox.Controll
 		// If privileged don't set selinux label, but we still record the MCS label so that
 		// the unused label can be freed later.
 		spec.Process.SelinuxLabel = ""
+		// If privileged is enabled, sysfs should have the rw attribute
+		for i, k := range spec.Mounts {
+			if filepath.Clean(k.Destination) == "/sys" {
+				for j, v := range spec.Mounts[i].Options {
+					if v == "ro" {
+						spec.Mounts[i].Options[j] = "rw"
+						break
+					}
+				}
+				break
+			}
+		}
 	}

 	// Generate spec options that will be applied to the spec later.