Remove mount namespace from shim

crosbymichael · crosbymichael · commit fd2e3cd326b5 · 2017-12-01T17:35:14.000-05:00
Signed-off-by: Michael Crosby &lt;crosbymichael@gmail.com&gt;
diff --git a/cmd/containerd-stress/main.go b/cmd/containerd-stress/main.go
@@ -211,8 +211,8 @@ func (w *worker) runContainer(ctx context.Context, id string) error {
 	// fix up cgroups path for a default config
 	w.spec.Linux.CgroupsPath = filepath.Join("/", "stress", id)
 	c, err := w.client.NewContainer(ctx, id,
-		containerd.WithSpec(w.spec),
 		containerd.WithNewSnapshot(id, w.image),
+		containerd.WithSpec(w.spec, oci.WithUsername("games")),
 	)
 	if err != nil {
 		return err
diff --git a/linux/bundle.go b/linux/bundle.go
@@ -75,10 +75,10 @@ type bundle struct {
 type ShimOpt func(*bundle, string, *runctypes.RuncOptions) (shim.Config, client.Opt)
 
 // ShimRemote is a ShimOpt for connecting and starting a remote shim
-func ShimRemote(shimBinary, daemonAddress, cgroup string, nonewns, debug bool, exitHandler func()) ShimOpt {
+func ShimRemote(shimBinary, daemonAddress, cgroup string, debug bool, exitHandler func()) ShimOpt {
 	return func(b *bundle, ns string, ropts *runctypes.RuncOptions) (shim.Config, client.Opt) {
 		return b.shimConfig(ns, ropts),
-			client.WithStart(shimBinary, b.shimAddress(ns), daemonAddress, cgroup, nonewns, debug, exitHandler)
+			client.WithStart(shimBinary, b.shimAddress(ns), daemonAddress, cgroup, debug, exitHandler)
 	}
 }
 
diff --git a/linux/runtime.go b/linux/runtime.go
@@ -78,17 +78,6 @@ type Config struct {
 	NoShim bool `toml:"no_shim"`
 	// Debug enable debug on the shim
 	ShimDebug bool `toml:"shim_debug"`
-	// ShimNoMountNS prevents the runtime from putting shims into their own mount namespace.
-	//
-	// Putting the shim in its own mount namespace ensure that any mounts made
-	// by it in order to get the task rootfs ready will be undone regardless
-	// on how the shim dies.
-	//
-	// NOTE: This should only be used in kernel older than 3.18 to avoid shims
-	// from causing a DoS in their parent namespace due to having a copy of
-	// mounts previously there which would prevent unlink, rename and remove
-	// operations on those mountpoints.
-	ShimNoMountNS bool `toml:"shim_no_newns"`
 }
 
 // New returns a configured runtime
@@ -226,8 +215,7 @@ func (r *Runtime) Create(ctx context.Context, id string, opts runtime.CreateOpts
 				}).Warn("failed to clen up after killed shim")
 			}
 		}
-		shimopt = ShimRemote(r.config.Shim, r.address, cgroup,
-			r.config.ShimNoMountNS, r.config.ShimDebug, exitHandler)
+		shimopt = ShimRemote(r.config.Shim, r.address, cgroup, r.config.ShimDebug, exitHandler)
 	}
 
 	s, err := bundle.NewShimClient(ctx, namespace, shimopt, ropts)
diff --git a/linux/shim/client/client.go b/linux/shim/client/client.go
@@ -34,7 +34,7 @@ var empty = &ptypes.Empty{}
 type Opt func(context.Context, shim.Config) (shimapi.ShimService, io.Closer, error)
 
 // WithStart executes a new shim process
-func WithStart(binary, address, daemonAddress, cgroup string, nonewns, debug bool, exitHandler func()) Opt {
+func WithStart(binary, address, daemonAddress, cgroup string, debug bool, exitHandler func()) Opt {
 	return func(ctx context.Context, config shim.Config) (_ shimapi.ShimService, _ io.Closer, err error) {
 		socket, err := newSocket(address)
 		if err != nil {
@@ -47,7 +47,7 @@ func WithStart(binary, address, daemonAddress, cgroup string, nonewns, debug boo
 		}
 		defer f.Close()
 
-		cmd := newCommand(binary, daemonAddress, nonewns, debug, config, f)
+		cmd := newCommand(binary, daemonAddress, debug, config, f)
 		ec, err := reaper.Default.Start(cmd)
 		if err != nil {
 			return nil, nil, errors.Wrapf(err, "failed to start shim")
@@ -87,7 +87,7 @@ func WithStart(binary, address, daemonAddress, cgroup string, nonewns, debug boo
 	}
 }
 
-func newCommand(binary, daemonAddress string, nonewns, debug bool, config shim.Config, socket *os.File) *exec.Cmd {
+func newCommand(binary, daemonAddress string, debug bool, config shim.Config, socket *os.File) *exec.Cmd {
 	selfExe, err := os.Executable()
 	if err != nil {
 		panic(err)
@@ -117,7 +117,7 @@ func newCommand(binary, daemonAddress string, nonewns, debug bool, config shim.C
 	// make sure the shim can be re-parented to system init
 	// and is cloned in a new mount namespace because the overlay/filesystems
 	// will be mounted by the shim
-	cmd.SysProcAttr = getSysProcAttr(nonewns)
+	cmd.SysProcAttr = getSysProcAttr()
 	cmd.ExtraFiles = append(cmd.ExtraFiles, socket)
 	if debug {
 		cmd.Stdout = os.Stdout
diff --git a/linux/shim/client/client_linux.go b/linux/shim/client/client_linux.go
@@ -10,14 +10,10 @@ import (
 	"github.com/pkg/errors"
 )
 
-func getSysProcAttr(nonewns bool) *syscall.SysProcAttr {
-	attr := syscall.SysProcAttr{
+func getSysProcAttr() *syscall.SysProcAttr {
+	return &syscall.SysProcAttr{
 		Setpgid: true,
 	}
-	if !nonewns {
-		attr.Cloneflags = syscall.CLONE_NEWNS
-	}
-	return &attr
 }
 
 func setCgroup(cgroupPath string, cmd *exec.Cmd) error {
diff --git a/linux/shim/client/client_unix.go b/linux/shim/client/client_unix.go
@@ -7,7 +7,7 @@ import (
 	"syscall"
 )
 
-func getSysProcAttr(nonewns bool) *syscall.SysProcAttr {
+func getSysProcAttr() *syscall.SysProcAttr {
 	return &syscall.SysProcAttr{
 		Setpgid: true,
 	}
diff --git a/oci/spec_opts_windows.go b/oci/spec_opts_windows.go
@@ -60,3 +60,11 @@ func WithTTY(width, height int) SpecOpts {
 		return nil
 	}
 }
+
+// WithUsername sets the username on the process
+func WithUsername(username string) SpecOpts {
+	return func(ctx context.Context, client Client, c *containers.Container, s *specs.Spec) error {
+		s.Process.User.Username = username
+		return nil
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -75,10 +75,10 @@ type bundle struct {`
`75`	`75`	`type ShimOpt func(bundle, string, runctypes.RuncOptions) (shim.Config, client.Opt)`
`76`	`76`
`77`	`77`	`// ShimRemote is a ShimOpt for connecting and starting a remote shim`
`78`		`-func ShimRemote(shimBinary, daemonAddress, cgroup string, nonewns, debug bool, exitHandler func()) ShimOpt {`
	`78`	`+func ShimRemote(shimBinary, daemonAddress, cgroup string, debug bool, exitHandler func()) ShimOpt {`
`79`	`79`	`return func(b bundle, ns string, ropts runctypes.RuncOptions) (shim.Config, client.Opt) {`
`80`	`80`	`return b.shimConfig(ns, ropts),`
`81`		`- client.WithStart(shimBinary, b.shimAddress(ns), daemonAddress, cgroup, nonewns, debug, exitHandler)`
	`81`	`+ client.WithStart(shimBinary, b.shimAddress(ns), daemonAddress, cgroup, debug, exitHandler)`
`82`	`82`	`}`
`83`	`83`	`}`
`84`	`84`
Original file line number	Diff line number	Diff line change
`@@ -10,14 +10,10 @@ import (`
`10`	`10`	`"github.com/pkg/errors"`
`11`	`11`	`)`
`12`	`12`
`13`		`-func getSysProcAttr(nonewns bool) *syscall.SysProcAttr {`
`14`		`- attr := syscall.SysProcAttr{`
	`13`	`+func getSysProcAttr() *syscall.SysProcAttr {`
	`14`	`+ return &syscall.SysProcAttr{`
`15`	`15`	`Setpgid: true,`
`16`	`16`	`}`
`17`		`- if !nonewns {`
`18`		`- attr.Cloneflags = syscall.CLONE_NEWNS`
`19`		`- }`
`20`		`- return &attr`
`21`	`17`	`}`
`22`	`18`
`23`	`19`	`func setCgroup(cgroupPath string, cmd *exec.Cmd) error {`
Original file line number	Diff line number	Diff line change
`@@ -7,7 +7,7 @@ import (`
`7`	`7`	`"syscall"`
`8`	`8`	`)`
`9`	`9`
`10`		`-func getSysProcAttr(nonewns bool) *syscall.SysProcAttr {`
	`10`	`+func getSysProcAttr() *syscall.SysProcAttr {`
`11`	`11`	`return &syscall.SysProcAttr{`
`12`	`12`	`Setpgid: true,`
`13`	`13`	`}`
Original file line number	Diff line number	Diff line change
`@@ -60,3 +60,11 @@ func WithTTY(width, height int) SpecOpts {`
`60`	`60`	`return nil`
`61`	`61`	`}`
`62`	`62`	`}`
	`63`	`+`
	`64`	`+// WithUsername sets the username on the process`
	`65`	`+func WithUsername(username string) SpecOpts {`
	`66`	`+ return func(ctx context.Context, client Client, c containers.Container, s specs.Spec) error {`
	`67`	`+ s.Process.User.Username = username`
	`68`	`+ return nil`
	`69`	`+ }`
	`70`	`+}`