From 9207121ecaa5f68af7ceba5ff8ff414d312d2c87 Mon Sep 17 00:00:00 2001
From: iamwwc
Date: Sat, 7 Sep 2019 18:56:03 +0800
Subject: [PATCH 1/8] =?UTF-8?q?=E6=9D=A5=E8=87=AA=20https://github.com/xia?=
 =?UTF-8?q?nlubird/mydocker/issues/41#issuecomment-478799767?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

```
// systemd 加入linux之后, mount namespace 就变成 shared by default, 所以你必须显示
//声明你要这个新的mount namespace独立。
syscall.Mount("", "/", "", syscall.MS_PRIVATE | syscall.MS_REC, "")
defualtMountFlags := syscall.MS_NOEXEC | syscall.MS_NOSUID | syscall.MS_NODEV
syscall.Mount("proc", "/proc", "proc", uintptr(defualtMountFlags), "")
```
开个分支测试,如果失败,那么虚拟机回滚
---
cmd/init.go | 39 +++++++++++++++++++++++----------------
1 file changed, 23 insertions(+), 16 deletions(-)

diff --git a/cmd/init.go b/cmd/init.go
index 6c7a71f..0c5047c 100644
--- a/cmd/init.go
+++ b/cmd/init.go
@@ -14,8 +14,6 @@ import (
 "github.com/urfave/cli"
 )
-
-
 var InitCommand = cli.Command{
 Name: "__DON'T__CALL__wwcdocker__init__",
 Usage: "Used in Container, User are forbidden to call this command",
@@ -33,20 +31,9 @@ var InitCommand = cli.Command{
 log.Error(err)
 return err
 }
- pwd, err := os.Getwd()
- if err != nil {
- log.Errorf("Get current working directory error. %s", err)
- return err
- }
- if err := container.PivotRoot(pwd); err != nil {
- log.Errorf("Error when call pivotRoot %v", err)
- return err
- }
- defaultMountFlags := syscall.MS_NOEXEC | syscall.MS_NODEV | syscall.MS_NOSUID
- if err := syscall.Mount("proc", "/proc", "proc", uintptr(defaultMountFlags), ""); err != nil {
- return fmt.Errorf("Fail to mount /proc fs in container process. Error: %v", err)
- }
- syscall.Mount("tmpfs", "/dev", "tmpfs", syscall.MS_NOSUID|syscall.MS_STRICTATIME, "mode=755")
+
+ setUpMount()
+
 cmdArrays := strings.Split(b, " ")
 absolutePath, err := exec.LookPath(cmdArrays[0])
 args := cmdArrays[1:]
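Review bot: The `setUpMount()` call added in the `@@ -33,20 +31,9 @@` hunk drops the error that setUpMount returns (it is declared `func setUpMount() error` in the next hunk), so the early returns the removed lines had for PivotRoot and the proc mount are gone; on failure control simply reaches `exec.LookPath(cmdArrays[0])` and the command is started without the new root or its /proc. Write `if err := setUpMount(); err != nil { return err }` so the init process aborts the way the inline code did. The enclosing function literal inside InitCommand starts and ends outside the hunk.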
@@ -64,3 +51,23 @@ var InitCommand = cli.Command{
 Hidden: true,
 HideHelp: true,
 }
+
+func setUpMount() error {
+ pwd, err := os.Getwd()
+ if err != nil {
+ log.Errorf("Get current working directory error. %s", err)
+ return err
+ }
+ if err := container.PivotRoot(pwd); err != nil {
+ log.Errorf("Error when call pivotRoot %v", err)
+ return err
+ }
+
+ syscall.Mount("", "/", "", syscall.MS_PRIVATE | syscall.MS_REC, "")
+
+ defaultMountFlags := syscall.MS_NOEXEC | syscall.MS_NODEV | syscall.MS_NOSUID
+ if err := syscall.Mount("proc", "/proc", "proc", uintptr(defaultMountFlags), ""); err != nil {
+ return fmt.Errorf("Fail to mount /proc fs in container process. Error: %v", err)
+ }
+ return syscall.Mount("tmpfs", "/dev", "tmpfs", syscall.MS_NOSUID|syscall.MS_STRICTATIME, "mode=755")
+}

From 09d47c28ffabd11f82ed2f9f1f82f1c6d505d809 Mon Sep 17 00:00:00 2001
From: iamwwc
Date: Sat, 7 Sep 2019 19:03:06 +0800
Subject: [PATCH 2/8] add

---
cmd/init.go | 3 +++
container/process.go | 2 +-
2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/cmd/init.go b/cmd/init.go
index 0c5047c..68113ec 100644
--- a/cmd/init.go
+++ b/cmd/init.go
@@ -58,6 +58,9 @@ func setUpMount() error {
 log.Errorf("Get current working directory error. %s", err)
 return err
 }
+
+ common.Exec("mount","--make-rprivate","/")
+
 if err := container.PivotRoot(pwd); err != nil {
 log.Errorf("Error when call pivotRoot %v", err)
 return err
diff --git a/container/process.go b/container/process.go
index 08580d3..dc649a0 100644
--- a/container/process.go
+++ b/container/process.go
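Review bot: The `syscall.Mount("", "/", "", syscall.MS_PRIVATE | syscall.MS_REC, "")` line in setUpMount discards its error, so a failed propagation change is silent and the proc and tmpfs mounts that follow it are then made in a tree that may still be shared with the host, which is exactly the leak the commit message says this call is there to prevent. It is also issued after container.PivotRoot, while the snippet quoted in the commit message runs it before the root switch; the `@@ -59,20 +59,22 @@` hunk of PATCH 6/8 moves it in front of PivotRoot but still ignores the result. Check it like the proc mount beneath it: `if err := syscall.Mount("", "/", "", syscall.MS_PRIVATE|syscall.MS_REC, ""); err != nil { return fmt.Errorf("Fail to make / private in container process. Error: %v", err) }`.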
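Review bot: `common.Exec("mount","--make-rprivate","/")` shells out to an external mount binary and whatever it returns is not checked, so the step can fail without anyone noticing, and it duplicates the `syscall.Mount("", "/", "", syscall.MS_PRIVATE | syscall.MS_REC, "")` already present further down in setUpMount. None of the import hunks visible in this series adds a `common` import to cmd/init.go, so unless it is already in scope this will not build. Prefer the syscall form with its error checked and drop the external command, which is what the `@@ -59,20 +59,22 @@` hunk of PATCH 6/8 ends up doing by commenting it out. The setUpMount body continues past the end of the hunk.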
@@ -88,7 +88,7 @@ func NewFilePipe() (*os.File, *os.File, error) {
 func PivotRoot(rootfs string) error {
 // 可算被我找到了
 // https://github.com/torvalds/linux/blob/d41a3effbb53b1bcea41e328d16a4d046a508381/fs/namespace.c#L3582
- if err := syscall.Mount(rootfs, rootfs, "bind", syscall.MS_BIND|syscall.MS_REC, ""); err != nil {
+ if err := syscall.Mount(rootfs, rootfs, "bind", syscall.MS_BIND|syscall.MS_REC | syscall.MS_PRIVATE, ""); err != nil {
 log.Errorf("Mount %s to itself error, %v", rootfs, err)
 return err
 }

From d074e42c24d1c5c579e5128c82892fde1b69fe49 Mon Sep 17 00:00:00 2001
From: iamwwc
Date: Sat, 7 Sep 2019 19:30:10 +0800
Subject: [PATCH 3/8] add

---
cmd/init.go | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/cmd/init.go b/cmd/init.go
index 68113ec..3c586dc 100644
--- a/cmd/init.go
+++ b/cmd/init.go
@@ -4,6 +4,7 @@ import (
 "fmt"
 "os"
 "os/exec"
+ "path"
 "strings"
 "syscall"
@@ -58,15 +59,20 @@ func setUpMount() error {
 log.Errorf("Get current working directory error. %s", err)
 return err
 }
+ base := path.Base(pwd)
+
+ // common.Exec("mount","--make-rprivate","/")
+ if err := syscall.Mount("", base, "bind", syscall.MS_BIND|syscall.MS_REC|syscall.MS_PRIVATE, ""); err != nil {
+ log.Error(err)
+ return err
+ }
- common.Exec("mount","--make-rprivate","/")
-
 if err := container.PivotRoot(pwd); err != nil {
 log.Errorf("Error when call pivotRoot %v", err)
 return err
 }
- syscall.Mount("", "/", "", syscall.MS_PRIVATE | syscall.MS_REC, "")
+ syscall.Mount("", "/", "", syscall.MS_PRIVATE|syscall.MS_REC, "")
 defaultMountFlags := syscall.MS_NOEXEC | syscall.MS_NODEV | syscall.MS_NOSUID
 if err := syscall.Mount("proc", "/proc", "proc", uintptr(defaultMountFlags), ""); err != nil {

From 1d173c9ed4f7ea0a192e3625b7d1074b0ba405f0 Mon Sep 17 00:00:00 2001
From: iamwwc
Date: Sat, 7 Sep 2019 19:48:39 +0800
Subject: [PATCH 4/8] add

---
cmd/init.go | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

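Review bot: Adding syscall.MS_PRIVATE to the rootfs bind mount has no effect: when MS_BIND is set, mount(2) performs only the bind and ignores the remaining flags apart from MS_REC, and a propagation-type change has to be a separate call with no source, type or data. The same `MS_BIND|MS_REC|MS_PRIVATE` combination is introduced into cmd/init.go by the `@@ -58,15 +59,20 @@` hunk of PATCH 3/8 and carried through PATCH 4/8 and 5/8; PATCH 6/8 reverts this line again. If a private rootfs bind is what is wanted, keep the bind as it was and follow it with a second call, `if err := syscall.Mount("", rootfs, "", syscall.MS_PRIVATE|syscall.MS_REC, ""); err != nil { return err }`, which is the shape the commented-out block in PATCH 6/8 sketches. PivotRoot continues past the end of the hunk.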
diff --git a/cmd/init.go b/cmd/init.go
index 3c586dc..8ab6b4c 100644
--- a/cmd/init.go
+++ b/cmd/init.go
@@ -59,14 +59,14 @@ func setUpMount() error {
 log.Errorf("Get current working directory error. %s", err)
 return err
 }
- base := path.Base(pwd)
+ base := path.Dir(pwd)
- // common.Exec("mount","--make-rprivate","/")
 if err := syscall.Mount("", base, "bind", syscall.MS_BIND|syscall.MS_REC|syscall.MS_PRIVATE, ""); err != nil {
 log.Error(err)
 return err
 }
-
+ // common.Exec("mount","--make-rprivate","/")
+
 if err := container.PivotRoot(pwd); err != nil {
 log.Errorf("Error when call pivotRoot %v", err)
 return err

From 41c0905bf905c52bc85952b5e89fefc33499d355 Mon Sep 17 00:00:00 2001
From: iamwwc
Date: Sat, 7 Sep 2019 19:49:39 +0800
Subject: [PATCH 5/8] add

---
cmd/init.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cmd/init.go b/cmd/init.go
index 8ab6b4c..104844b 100644
--- a/cmd/init.go
+++ b/cmd/init.go
@@ -61,7 +61,7 @@ func setUpMount() error {
 }
 base := path.Dir(pwd)
- if err := syscall.Mount("", base, "bind", syscall.MS_BIND|syscall.MS_REC|syscall.MS_PRIVATE, ""); err != nil {
+ if err := syscall.Mount(base, base, "bind", syscall.MS_BIND|syscall.MS_REC|syscall.MS_PRIVATE, ""); err != nil {
 log.Error(err)
 return err
 }

From 0094170a366f70c6328d1035e5083744cbf5171b Mon Sep 17 00:00:00 2001
From: iamwwc
Date: Sat, 7 Sep 2019 20:32:23 +0800
Subject: [PATCH 6/8] add

---
cmd/init.go | 14 ++++++++------
container/process.go | 2 +-
2 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/cmd/init.go b/cmd/init.go
index 104844b..ce48ad7 100644
--- a/cmd/init.go
+++ b/cmd/init.go
@@ -59,20 +59,22 @@ func setUpMount() error {
 log.Errorf("Get current working directory error. %s", err)
 return err
 }
- base := path.Dir(pwd)
+ // base := path.Dir(pwd)
- if err := syscall.Mount(base, base, "bind", syscall.MS_BIND|syscall.MS_REC|syscall.MS_PRIVATE, ""); err != nil {
- log.Error(err)
- return err
- }
+ // syscall.Mount(base, base, "bind", syscall.MS_BIND | syscall.MS_REC, "")
+ // if err := syscall.Mount("", base, "", syscall.MS_PRIVATE, ""); err != nil {
+ // log.Error(err)
+ // return err
+ // }
+
 // common.Exec("mount","--make-rprivate","/")
+ syscall.Mount("", "/", "", syscall.MS_PRIVATE|syscall.MS_REC, "")
 if err := container.PivotRoot(pwd); err != nil {
 log.Errorf("Error when call pivotRoot %v", err)
 return err
 }
- syscall.Mount("", "/", "", syscall.MS_PRIVATE|syscall.MS_REC, "")
 defaultMountFlags := syscall.MS_NOEXEC | syscall.MS_NODEV | syscall.MS_NOSUID
 if err := syscall.Mount("proc", "/proc", "proc", uintptr(defaultMountFlags), ""); err != nil {
diff --git a/container/process.go b/container/process.go
index dc649a0..08580d3 100644
--- a/container/process.go
+++ b/container/process.go
@@ -88,7 +88,7 @@ func NewFilePipe() (*os.File, *os.File, error) {
 func PivotRoot(rootfs string) error {
 // 可算被我找到了
 // https://github.com/torvalds/linux/blob/d41a3effbb53b1bcea41e328d16a4d046a508381/fs/namespace.c#L3582
- if err := syscall.Mount(rootfs, rootfs, "bind", syscall.MS_BIND|syscall.MS_REC | syscall.MS_PRIVATE, ""); err != nil {
+ if err := syscall.Mount(rootfs, rootfs, "bind", syscall.MS_BIND|syscall.MS_REC, ""); err != nil {
 log.Errorf("Mount %s to itself error, %v", rootfs, err)
 return err
 }

From 17d47f01e461a4494a0c76af2a17887c9959218e Mon Sep 17 00:00:00 2001
From: iamwwc
Date: Sat, 7 Sep 2019 20:32:45 +0800
Subject: [PATCH 7/8] .

---
cmd/init.go | 1 -
1 file changed, 1 deletion(-)

diff --git a/cmd/init.go b/cmd/init.go
index ce48ad7..b3120c1 100644
--- a/cmd/init.go
+++ b/cmd/init.go
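Review bot: The hunk leaves setUpMount with seven commented-out lines (`// base := path.Dir(pwd)`, the `// syscall.Mount(base, base, ...)` block and `// common.Exec(...)`) recording abandoned experiments; the series history already preserves them, so delete the dead comments instead of keeping them in the function body. Separately, PATCH 7/8 and PATCH 8/8 carry the same change (both `index ce48ad7..b3120c1`, both removing the `"path"` import), so one of them should be dropped from the series. The function continues past the end of the hunk.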
@@ -4,7 +4,6 @@ import (
 "fmt"
 "os"
 "os/exec"
- "path"
 "strings"
 "syscall"

From 43a176c0b37b43d36c77d719e99f97791f704a72 Mon Sep 17 00:00:00 2001
From: iamwwc
Date: Sat, 7 Sep 2019 20:32:45 +0800
Subject: [PATCH 8/8] .
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

这是一个Rebase合并 全部的合并分别进行了测试,最后修复了 https://github.com/iamwwc/wwcdocker/issues/3 但 wwcdocker run -ti busybox sh 运行之后并不会获得 sh 进程直接会结束,需要在后续的commit中修复
---
cmd/init.go | 1 -
1 file changed, 1 deletion(-)

diff --git a/cmd/init.go b/cmd/init.go
index ce48ad7..b3120c1 100644
--- a/cmd/init.go
+++ b/cmd/init.go
@@ -4,7 +4,6 @@ import (
 "fmt"
 "os"
 "os/exec"
- "path"
 "strings"
 "syscall"