Remove mount namespace from shim

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2017-12-01 15:33:54 -05:00 · 2017-12-01 15:33:54 -05:00 · fd2e3cd326
commit fd2e3cd326
parent 07d4154515
7 changed files with 19 additions and 27 deletions
--- a/cmd/containerd-stress/main.go
+++ b/cmd/containerd-stress/main.go
@ -211,8 +211,8 @@ func (w *worker) runContainer(ctx context.Context, id string) error {
 	// fix up cgroups path for a default config
 	w.spec.Linux.CgroupsPath = filepath.Join("/", "stress", id)
 	c, err := w.client.NewContainer(ctx, id,
 		containerd.WithSpec(w.spec),
 		containerd.WithNewSnapshot(id, w.image),
 		containerd.WithSpec(w.spec, oci.WithUsername("games")),
 	)
 	if err != nil {
 		return err
--- a/linux/bundle.go
+++ b/linux/bundle.go
@ -75,10 +75,10 @@ type bundle struct {
 type ShimOpt func(*bundle, string, *runctypes.RuncOptions) (shim.Config, client.Opt)
 // ShimRemote is a ShimOpt for connecting and starting a remote shim
-func ShimRemote(shimBinary, daemonAddress, cgroup string, nonewns, debug bool, exitHandler func()) ShimOpt {
+func ShimRemote(shimBinary, daemonAddress, cgroup string, debug bool, exitHandler func()) ShimOpt {
 	return func(b *bundle, ns string, ropts *runctypes.RuncOptions) (shim.Config, client.Opt) {
 		return b.shimConfig(ns, ropts),
-			client.WithStart(shimBinary, b.shimAddress(ns), daemonAddress, cgroup, nonewns, debug, exitHandler)
+			client.WithStart(shimBinary, b.shimAddress(ns), daemonAddress, cgroup, debug, exitHandler)
 	}
 }
--- a/linux/runtime.go
+++ b/linux/runtime.go
@ -78,17 +78,6 @@ type Config struct {
 	NoShim bool `toml:"no_shim"`
 	// Debug enable debug on the shim
 	ShimDebug bool `toml:"shim_debug"`
 	// ShimNoMountNS prevents the runtime from putting shims into their own mount namespace.
 	//
 	// Putting the shim in its own mount namespace ensure that any mounts made
 	// by it in order to get the task rootfs ready will be undone regardless
 	// on how the shim dies.
 	//
 	// NOTE: This should only be used in kernel older than 3.18 to avoid shims
 	// from causing a DoS in their parent namespace due to having a copy of
 	// mounts previously there which would prevent unlink, rename and remove
 	// operations on those mountpoints.
 	ShimNoMountNS bool `toml:"shim_no_newns"`
 }
 // New returns a configured runtime
@ -226,8 +215,7 @@ func (r *Runtime) Create(ctx context.Context, id string, opts runtime.CreateOpts
 				}).Warn("failed to clen up after killed shim")
 			}
 		}
-		shimopt = ShimRemote(r.config.Shim, r.address, cgroup,
+		shimopt = ShimRemote(r.config.Shim, r.address, cgroup, r.config.ShimDebug, exitHandler)
 			r.config.ShimNoMountNS, r.config.ShimDebug, exitHandler)
 	}
 	s, err := bundle.NewShimClient(ctx, namespace, shimopt, ropts)
--- a/linux/shim/client/client.go
+++ b/linux/shim/client/client.go
@ -34,7 +34,7 @@ var empty = &ptypes.Empty{}
 type Opt func(context.Context, shim.Config) (shimapi.ShimService, io.Closer, error)
 // WithStart executes a new shim process
-func WithStart(binary, address, daemonAddress, cgroup string, nonewns, debug bool, exitHandler func()) Opt {
+func WithStart(binary, address, daemonAddress, cgroup string, debug bool, exitHandler func()) Opt {
 	return func(ctx context.Context, config shim.Config) (_ shimapi.ShimService, _ io.Closer, err error) {
 		socket, err := newSocket(address)
 		if err != nil {
@ -47,7 +47,7 @@ func WithStart(binary, address, daemonAddress, cgroup string, nonewns, debug boo
 		}
 		defer f.Close()
-		cmd := newCommand(binary, daemonAddress, nonewns, debug, config, f)
+		cmd := newCommand(binary, daemonAddress, debug, config, f)
 		ec, err := reaper.Default.Start(cmd)
 		if err != nil {
 			return nil, nil, errors.Wrapf(err, "failed to start shim")
@ -87,7 +87,7 @@ func WithStart(binary, address, daemonAddress, cgroup string, nonewns, debug boo
 	}
 }
-func newCommand(binary, daemonAddress string, nonewns, debug bool, config shim.Config, socket *os.File) *exec.Cmd {
+func newCommand(binary, daemonAddress string, debug bool, config shim.Config, socket *os.File) *exec.Cmd {
 	selfExe, err := os.Executable()
 	if err != nil {
 		panic(err)
@ -117,7 +117,7 @@ func newCommand(binary, daemonAddress string, nonewns, debug bool, config shim.C
 	// make sure the shim can be re-parented to system init
 	// and is cloned in a new mount namespace because the overlay/filesystems
 	// will be mounted by the shim
-	cmd.SysProcAttr = getSysProcAttr(nonewns)
+	cmd.SysProcAttr = getSysProcAttr()
 	cmd.ExtraFiles = append(cmd.ExtraFiles, socket)
 	if debug {
 		cmd.Stdout = os.Stdout
--- a/linux/shim/client/client_linux.go
+++ b/linux/shim/client/client_linux.go
@ -10,14 +10,10 @@ import (
 	"github.com/pkg/errors"
 )
-func getSysProcAttr(nonewns bool) *syscall.SysProcAttr {
+func getSysProcAttr() *syscall.SysProcAttr {
-	attr := syscall.SysProcAttr{
+	return &syscall.SysProcAttr{
 		Setpgid: true,
 	}
 	if !nonewns {
 		attr.Cloneflags = syscall.CLONE_NEWNS
 	}
 	return &attr
 }
 func setCgroup(cgroupPath string, cmd *exec.Cmd) error {
--- a/linux/shim/client/client_unix.go
+++ b/linux/shim/client/client_unix.go
@ -7,7 +7,7 @@ import (
 	"syscall"
 )
-func getSysProcAttr(nonewns bool) *syscall.SysProcAttr {
+func getSysProcAttr() *syscall.SysProcAttr {
 	return &syscall.SysProcAttr{
 		Setpgid: true,
 	}
--- a/oci/spec_opts_windows.go
+++ b/oci/spec_opts_windows.go
@ -60,3 +60,11 @@ func WithTTY(width, height int) SpecOpts {
 		return nil
 	}
 }
 // WithUsername sets the username on the process
 func WithUsername(username string) SpecOpts {
 	return func(ctx context.Context, client Client, c *containers.Container, s *specs.Spec) error {
 		s.Process.User.Username = username
 		return nil
 	}
 }