Revert "crun: drop --no-pivot"

This reverts commit 31d1cf1. Closes: https://github.com/giuseppe/crun/issues/56 Signed-off-by: Giuseppe Scrivano <giuseppe@scrivano.org>
containers · Jul 25, 2019 · c8b470e · c8b470e
1 parent 3e23c39
commit c8b470e
Show file tree

Hide file tree

Showing 6 changed files with 54 additions and 8 deletions.
diff --git a/src/create.c b/src/create.c
@@ -34,7 +34,8 @@ enum
     OPTION_PID_FILE,
     OPTION_NO_SUBREAPER,
     OPTION_NO_NEW_KEYRING,
-    OPTION_PRESERVE_FDS
+    OPTION_PRESERVE_FDS,
+    OPTION_NO_PIVOT
   };
 
 static const char *bundle = NULL;
@@ -46,6 +47,7 @@ static struct argp_option options[] =
     {"bundle", 'b', 0, 0, "container bundle (default \".\")" },
     {"console-socket", OPTION_CONSOLE_SOCKET, "SOCKET", 0, "path to a socket that will receive the master end of the tty" },
     {"preserve-fds", OPTION_PRESERVE_FDS, 0, 0, "pass additional FDs to the container"},
+    {"no-pivot", OPTION_NO_PIVOT, 0, 0, "do not use pivot_root"},
     {"pid-file", OPTION_PID_FILE, "FILE", 0, "where to write the PID of the container"},
     {"no-subreaper", OPTION_NO_SUBREAPER, 0, 0, "do not create a subreaper process"},
     {"no-new-keyring", OPTION_NO_NEW_KEYRING, 0, 0, "keep the same session key"},
@@ -77,6 +79,10 @@ parse_opt (int key, char *arg, struct argp_state *state)
       crun_context.no_subreaper = true;
       break;
 
+    case OPTION_NO_PIVOT:
+      crun_context.no_pivot = true;
+      break;
+
     case OPTION_NO_NEW_KEYRING:
       crun_context.no_new_keyring = true;
       break;

diff --git a/src/libcrun/container.c b/src/libcrun/container.c
@@ -496,7 +496,7 @@ container_entrypoint_init (void *args, const char *notify_socket,
   if (UNLIKELY (ret < 0))
     return ret;
 
-  ret = libcrun_do_pivot_root (container, rootfs, err);
+  ret = libcrun_do_pivot_root (container, entrypoint_args->context->no_pivot, rootfs, err);
   if (UNLIKELY (ret < 0))
     return ret;
 

diff --git a/src/libcrun/container.h b/src/libcrun/container.h
@@ -43,6 +43,7 @@ struct libcrun_context_s
   bool no_subreaper;
   bool no_new_keyring;
   bool force_no_cgroup;
+  bool no_pivot;
 };
 
 enum

diff --git a/src/libcrun/linux.c b/src/libcrun/linux.c
@@ -1193,15 +1193,48 @@ libcrun_set_mounts (libcrun_container_t *container, const char *rootfs, libcrun_
   return 0;
 }
 
+static int
+move_root (libcrun_container_t *container, const char *rootfs, libcrun_error_t *err)
+{
+  int ret;
+
+  ret = chdir (rootfs);
+  if (UNLIKELY (ret < 0))
+    return crun_make_error (err, errno, "chdir to '%s'", rootfs);
+
+  ret = mount (rootfs, "/", "", MS_MOVE, "");
+  if (UNLIKELY (ret < 0))
+    return crun_make_error (err, errno, "mount MS_MOVE to '/'");
+
+  ret = chroot (".");
+  if (UNLIKELY (ret < 0))
+    return crun_make_error (err, errno, "chroot to '%s'", rootfs);
+
+  ret = chdir ("/");
+  if (UNLIKELY (ret < 0))
+    return crun_make_error (err, errno, "chdir to '%s'", rootfs);
+
+  return 0;
+}
+
 int
-libcrun_do_pivot_root (libcrun_container_t *container, const char *rootfs, libcrun_error_t *err)
+libcrun_do_pivot_root (libcrun_container_t *container, bool no_pivot, const char *rootfs, libcrun_error_t *err)
 {
   int ret;
   if (get_private_data (container)->unshare_flags & CLONE_NEWNS)
     {
-      ret = do_pivot (container, rootfs, err);
-      if (UNLIKELY (ret < 0))
-        return ret;
+      if (no_pivot)
+        {
+          ret = move_root (container, rootfs, err);
+          if (UNLIKELY (ret < 0))
+            return ret;
+        }
+      else
+        {
+          ret = do_pivot (container, rootfs, err);
+          if (UNLIKELY (ret < 0))
+            return ret;
+        }
 
       ret = do_mount (container, "", "/", "", get_private_data (container)->rootfs_propagation, "", 0, err);
       if (UNLIKELY (ret < 0))

diff --git a/src/libcrun/linux.h b/src/libcrun/linux.h
@@ -39,7 +39,7 @@ pid_t libcrun_run_linux_container (libcrun_container_t *container,
                                    libcrun_error_t *err);
 int get_notify_fd (libcrun_context_t *context, libcrun_container_t *container, int *notify_socket_out, libcrun_error_t *err);
 int libcrun_set_mounts (libcrun_container_t *container, const char *rootfs, libcrun_error_t *err);
-int libcrun_do_pivot_root (libcrun_container_t *container, const char *rootfs, libcrun_error_t *err);
+int libcrun_do_pivot_root (libcrun_container_t *container, bool no_pivot, const char *rootfs, libcrun_error_t *err);
 int libcrun_set_usernamespace (libcrun_container_t *container, pid_t pid, libcrun_error_t *err);
 int libcrun_set_caps (oci_container_process_capabilities *capabilities, uid_t uid, gid_t gid, int no_new_privileges, libcrun_error_t *err);
 int libcrun_set_rlimits (oci_container_process_rlimits_element **rlimits, size_t len, libcrun_error_t *err);

diff --git a/src/run.c b/src/run.c
@@ -36,7 +36,8 @@ enum
     OPTION_PID_FILE,
     OPTION_NO_SUBREAPER,
     OPTION_NO_NEW_KEYRING,
-    OPTION_PRESERVE_FDS
+    OPTION_PRESERVE_FDS,
+    OPTION_NO_PIVOT
   };
 
 static const char *bundle = NULL;
@@ -52,6 +53,7 @@ static struct argp_option options[] =
     {"pid-file", OPTION_PID_FILE, "FILE", 0, "where to write the PID of the container"},
     {"no-subreaper", OPTION_NO_SUBREAPER, 0, 0, "do not create a subreaper process"},
     {"no-new-keyring", OPTION_NO_NEW_KEYRING, 0, 0, "keep the same session key"},
+    {"no-pivot", OPTION_NO_PIVOT, 0, 0, "do not use pivot_root"},
     { 0 }
   };
 
@@ -90,6 +92,10 @@ parse_opt (int key, char *arg, struct argp_state *state)
       crun_context.pid_file = argp_mandatory_argument (arg, state);
       break;
 
+    case OPTION_NO_PIVOT:
+      crun_context.no_pivot = true;
+      break;
+
     case ARGP_KEY_NO_ARGS:
       libcrun_fail_with_error (0, "please specify a ID for the container");