Mounting as MS_SLAVE here breaks use cases which want to use rootPropagation=shared in order to expose mounts to the host (and other containers binding the same subtree), mounting as e.g. MS_SHARED is pointless in this context so just remove. Having done this we also need to arrange to manually clean up the mounts on delete, so do so. Note that runc will also setup root as required by rootPropagation, defaulting to MS_PRIVATE. Fixes #1132. Signed-off-by: Ian Campbell <ian.campbell@docker.com>
package main
import (
	"net"
	"os"
	"os/signal"
	"syscall"
	"google.golang.org/grpc"
	"google.golang.org/grpc/credentials"
	"golang.org/x/net/context"
	"github.com/containerd/containerd/reaper"
	"github.com/containerd/containerd/sys"
	runc "github.com/containerd/go-runc"
	"github.com/pkg/errors"
)
// setupSignals subscribes the shim to every signal (signal.Notify with no
// signal list means "all of them") and returns the channel they arrive on.
// As a side effect it points go-runc's process monitor at the shared reaper
// and marks the shim as a subreaper so that processes orphaned inside the
// container tree are reparented to the shim rather than to init.
//
// A non-nil error is returned only when setting the subreaper flag fails;
// the signal subscription made before that point is not undone.
func setupSignals() (chan os.Signal, error) {
	// Deep buffer: presumably sized so that a burst of child-exit signals is
	// not dropped before the reaper drains the channel.
	sigCh := make(chan os.Signal, 2048)
	signal.Notify(sigCh)

	// Route runc's waiting on processes through the shared reaper so that
	// child reaping is coordinated in one place.
	runc.Monitor = reaper.Default

	// Become the subreaper for orphans created by the container
	// (presumably prctl(PR_SET_CHILD_SUBREAPER) under the hood).
	err := sys.SetSubreaper(1)
	if err != nil {
		return nil, err
	}
	return sigCh, nil
}
// newServer builds the shim's gRPC server. Its transport credentials are the
// unix-socket peer-credential check configured for uid 0 and gid 0, so only a
// peer that the kernel reports (SO_PEERCRED in ServerHandshake) as root may
// talk to the shim. No TLS is involved; the socket itself is the boundary.
func newServer() *grpc.Server {
	creds := NewUnixSocketCredentils(0, 0)
	return grpc.NewServer(grpc.Creds(creds))
}
// unixSocketCredentials implements grpc credentials.TransportCredentials by
// authenticating the peer with its unix-socket credentials (SO_PEERCRED)
// instead of TLS. The connection is passed through unchanged, so nothing is
// encrypted; the access control is purely the uid/gid check in ServerHandshake.
type unixSocketCredentials struct {
	// uid the peer must present, or -1 to accept any uid (see ServerHandshake).
	uid        int
	// gid the peer must present, or -1 to accept any gid (see ServerHandshake).
	gid        int
	// serverName is reported via Info().ServerName and replaced by
	// OverrideServerName; it plays no part in authentication.
	serverName string
}
// NewUnixSocketCredentils returns transport credentials that accept a peer
// only when its socket credentials match uid and gid; passing -1 for either
// value disables that half of the check. The server name can be changed later
// with OverrideServerName and is only ever reported through Info().
//
// NOTE: the default server name "locahost" looks like a typo of "localhost";
// it is kept verbatim here because Info() exposes it to callers.
func NewUnixSocketCredentils(uid, gid int) credentials.TransportCredentials {
	creds := &unixSocketCredentials{
		uid:        uid,
		gid:        gid,
		serverName: "locahost",
	}
	return creds
}
// ClientHandshake is deliberately unsupported: these credentials only make
// sense on the accepting side, where the kernel supplies the peer's identity.
// It always fails, so the transport cannot be used to dial out.
func (u *unixSocketCredentials) ClientHandshake(ctx context.Context, addr string, rawConn net.Conn) (net.Conn, credentials.AuthInfo, error) {
	err := errors.New("ClientHandshake is not supported by unixSocketCredentials")
	return nil, nil, err
}
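// ServerHandshake authenticates an accepted connection by its unix-socket
// peer credentials (SO_PEERCRED). The connection must be a *net.UnixConn; the
// peer's uid and gid are compared with u.uid and u.gid, where -1 means "any".
// On success the original connection is returned unchanged (no encryption is
// applied) together with u as the AuthInfo.
//
// An error is returned for a non-unix connection, when the socket descriptor
// cannot be obtained, when the SO_PEERCRED query fails, or on a uid/gid
// mismatch.
func (u *unixSocketCredentials) ServerHandshake(c net.Conn) (net.Conn, credentials.AuthInfo, error) {
	uc, ok := c.(*net.UnixConn)
	if !ok {
		return nil, nil, errors.New("unixSocketCredentials only supports unix socket")
	}

	// UnixConn.File returns a duplicate descriptor. It must be closed here or
	// every handshake leaks one fd for the lifetime of the shim; closing the
	// duplicate does not close the connection returned below.
	f, err := uc.File()
	if err != nil {
		return nil, nil, errors.Wrap(err, "unixSocketCredentials: failed to retrieve connection underlying fd")
	}
	defer f.Close()

	// The kernel records the peer's credentials at connect() time; they are
	// not something the client can forge from user space.
	pcred, err := syscall.GetsockoptUcred(int(f.Fd()), syscall.SOL_SOCKET, syscall.SO_PEERCRED)
	if err != nil {
		return nil, nil, errors.Wrap(err, "unixSocketCredentials: failed to retrieve socket peer credentials")
	}

	// -1 disables the corresponding check; otherwise an exact match is required.
	if (u.uid != -1 && uint32(u.uid) != pcred.Uid) || (u.gid != -1 && uint32(u.gid) != pcred.Gid) {
		return nil, nil, errors.New("unixSocketCredentials: invalid credentials")
	}

	return c, u, nil
}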
// Info describes the transport to gRPC: a fixed protocol name and version plus
// the configurable server name. Nothing in it is negotiated with the peer.
func (u *unixSocketCredentials) Info() credentials.ProtocolInfo {
	var info credentials.ProtocolInfo
	info.SecurityProtocol = "unix-socket-peer-creds"
	info.SecurityVersion = "1.0"
	info.ServerName = u.serverName
	return info
}
// Clone returns an independent copy carrying the same uid/gid policy and
// server name, so OverrideServerName on the copy leaves the original untouched.
func (u *unixSocketCredentials) Clone() credentials.TransportCredentials {
	dup := *u
	return &dup
}
// OverrideServerName replaces the name reported by Info().ServerName. It never
// fails, and the name has no influence on the SO_PEERCRED check performed in
// ServerHandshake.
func (u *unixSocketCredentials) OverrideServerName(serverName string) error {
	u.serverName = serverName
	return nil
}
// AuthType names the authentication mechanism behind this AuthInfo; it is the
// same string Info() reports as SecurityProtocol.
func (u *unixSocketCredentials) AuthType() string {
	const mechanism = "unix-socket-peer-creds"
	return mechanism
}