github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

Properly mount base layers

Browse Source 
As opposed to a writable layer derived from a base layer, the volume
path of a base layer, once activated and prepared will not be a WCIFS
volume, but the actual path on disk to the snapshot. We cannot directly
mount this folder, as that would mean a client may gain access and
potentially damage important metadata files that would render the layer
unusabble.

For base layers we need to mount the Files folder which must exist in
any valid base windows-layer.

Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>
This commit is contained in:
Gabriel Adrian Samfira 2023-04-02 08:35:34 -07:00
parent ca5605b4a2
commit d373ebc4de
2 changed files with 9 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
mount/mount_windows.go
View File

@ -99,6 +99,14 @@ func (m *Mount) mount(target string) (retErr error) {
return fmt.Errorf("failed to get volume path for layer %s: %w", m.Source, err)
}
if len(parentLayerPaths) == 0 {
// this is a base layer. It gets mounted without going through WCIFS. We need to mount the Files
// folder, not the actual source, or the client may inadvertently remove metadata files.
volume = filepath.Join(volume, "Files")
if _, err := os.Stat(volume); err != nil {
return fmt.Errorf("no Files folder in layer %s", layerID)
}
}
if err := bindfilter.ApplyFileBinding(target, volume, m.ReadOnly()); err != nil {
return fmt.Errorf("failed to set volume mount path for layer %s: %w", m.Source, err)
}

12
snapshots/windows/windows.go
View File

@ -319,16 +319,6 @@ func (s *snapshotter) mounts(sn storage.Snapshot, key string) []mount.Mount {
mountType := "windows-layer"
if len(sn.ParentIDs) == 0 {
// A mount of a parentless snapshot is a bind-mount.
mountType = "bind"
// If not being extracted into, then the bind-target is the
// "Files" subdirectory.
if !strings.Contains(key, snapshots.UnpackKeyPrefix) {
source = filepath.Join(source, "Files")
}
}
// error is not checked here, as a string array will never fail to Marshal
parentLayersJSON, _ := json.Marshal(parentLayerPaths)
parentLayersOption := mount.ParentLayerPathsFlag + string(parentLayersJSON)
@ -336,7 +326,7 @@ func (s *snapshotter) mounts(sn storage.Snapshot, key string) []mount.Mount {
options := []string{
roFlag,
}
if mountType != "bind" {
if len(sn.ParentIDs) != 0 {
options = append(options, parentLayersOption)
}
mounts := []mount.Mount{