!2526 [feature]add no pivot root support

From: @taotao-sauce Reviewed-by: @xuxuepeng, @liuxu180400617 Signed-off-by: @xuxuepeng
openeuler-mirror · Nov 8, 2024 · 4115887 · 4115887
2 parents 3ab6068 + 3a925ea
commit 4115887
Show file tree

Hide file tree

Showing 11 changed files with 71 additions and 0 deletions.
diff --git a/cmake/options.cmake b/cmake/options.cmake
@@ -168,6 +168,13 @@ if (ENABLE_NATIVE_NETWORK OR ENABLE_GRPC)
     set(ENABLE_NETWORK 1)
 endif()
 
+option(ENABLE_NO_PIVOT_ROOT "Enable no pivot root" ON)
+if (ENABLE_NO_PIVOT_ROOT STREQUAL "ON")
+    add_definitions(-DENABLE_NO_PIVOT_ROOT)
+    set(ENABLE_NO_PIVOT_ROOT 1)
+    message("${Green}--  Enable no pivot root${ColourReset}")
+endif()
+
 option(ENABLE_PLUGIN "enable plugin module" OFF)
 if (ENABLE_PLUGIN STREQUAL "ON")
 	add_definitions(-DENABLE_PLUGIN=1)

diff --git a/src/cmd/isula/base/create.c b/src/cmd/isula/base/create.c
@@ -1292,6 +1292,10 @@ static isula_host_config_t *request_pack_host_config(const struct client_argumen
     hostconfig->publish_all = args->custom_conf.publish_all;
 #endif
 
+#ifdef ENABLE_NO_PIVOT_ROOT
+    hostconfig->no_pivot_root = args->custom_conf.no_pivot_root;
+#endif
+
     return hostconfig;
 
 error_out:
@@ -1750,6 +1754,9 @@ int cmd_create_main(int argc, const char **argv)
         COMMON_OPTIONS(g_cmd_create_args)
 #ifdef ENABLE_NATIVE_NETWORK
         CREATE_NETWORK_OPTIONS(g_cmd_create_args)
+#endif
+#ifdef ENABLE_NO_PIVOT_ROOT
+        NO_PIVOT_ROOT_OPTIONS(g_cmd_create_args)
 #endif
     };
 

diff --git a/src/cmd/isula/base/create.h b/src/cmd/isula/base/create.h
@@ -39,6 +39,17 @@ extern "C" {
 #define USERNS_OPT(cmdargs)
 #endif
 
+#ifdef ENABLE_NO_PIVOT_ROOT
+#define NO_PIVOT_ROOT_OPTIONS(cmdargs)          \
+    { CMD_OPT_TYPE_BOOL,                        \
+        false,                                  \
+        "no-pivot",                        \
+        0,                                      \
+        &(cmdargs).custom_conf.no_pivot_root,   \
+        "disable use of pivot-root (oci runtime only)", \
+        NULL },
+#endif
+
 #define CREATE_OPTIONS(cmdargs)                                                                                                                                   \
     {                                                                                                                                                             \
         CMD_OPT_TYPE_BOOL,                                                                                                                                        \

diff --git a/src/cmd/isula/base/run.c b/src/cmd/isula/base/run.c
@@ -150,6 +150,9 @@ int cmd_run_main(int argc, const char **argv)
         CREATE_EXTEND_OPTIONS(g_cmd_run_args) RUN_OPTIONS(g_cmd_run_args)
 #ifdef ENABLE_NATIVE_NETWORK
         CREATE_NETWORK_OPTIONS(g_cmd_run_args)
+#endif
+#ifdef ENABLE_NO_PIVOT_ROOT
+        NO_PIVOT_ROOT_OPTIONS(g_cmd_run_args)
 #endif
     };
     isula_libutils_default_log_config(argv[0], &lconf);

diff --git a/src/cmd/isula/client_arguments.h b/src/cmd/isula/client_arguments.h
@@ -237,6 +237,10 @@ struct custom_configs {
     /* publish a container's port to the host */
     char **publish;
 #endif
+
+#ifdef ENABLE_NO_PIVOT_ROOT
+    bool no_pivot_root;
+#endif
 };
 
 struct args_cgroup_resources {

diff --git a/src/cmd/isula/isula_host_spec.c b/src/cmd/isula/isula_host_spec.c
@@ -1729,6 +1729,11 @@ int generate_hostconfig(const isula_host_config_t *srcconfig, char **hostconfigs
 #ifdef ENABLE_NATIVE_NETWORK
     dstconfig->port_bindings = srcconfig->port_bindings;
 #endif
+
+#ifdef ENABLE_NO_PIVOT_ROOT
+    dstconfig->no_pivot_root = srcconfig->no_pivot_root;
+#endif
+
     *hostconfigstr = host_config_generate_json(dstconfig, &ctx, &err);
 #ifdef ENABLE_NATIVE_NETWORK
     dstconfig->port_bindings = NULL;

diff --git a/src/cmd/isula/isula_host_spec.h b/src/cmd/isula/isula_host_spec.h
@@ -163,6 +163,10 @@ typedef struct isula_host_config {
     bool publish_all;
     defs_map_string_object_port_bindings *port_bindings;
 #endif
+
+#ifdef ENABLE_NO_PIVOT_ROOT
+    bool no_pivot_root;
+#endif
 } isula_host_config_t;
 
 int generate_hostconfig(const isula_host_config_t *srcconfig, char **hostconfigstr);

diff --git a/src/cmd/isulad-shim/process.c b/src/cmd/isulad-shim/process.c
@@ -1298,6 +1298,12 @@ static void get_runtime_cmd(process_t *p, const char *log_path, const char *pid_
         params[i++] = "create";
         params[i++] = "--bundle";
         params[i++] = p->bundle;
+#ifdef ENABLE_NO_PIVOT_ROOT
+        if (getenv("ISULAD_RAMDISK") != NULL || p->state->no_pivot_root) {
+            params[i++] = "--no-pivot";
+        }
+#endif
+
     }
     params[i++] = "--pid-file";
     params[i++] = pid_path;

diff --git a/src/daemon/modules/api/runtime_api.h b/src/daemon/modules/api/runtime_api.h
@@ -84,6 +84,7 @@ typedef struct _rt_create_params_t {
     bool tty;
     bool open_stdin;
     const char *task_addr;
+    bool no_pivot_root;
 } rt_create_params_t;
 
 typedef struct _rt_start_params_t {

diff --git a/src/daemon/modules/runtime/isula/isula_rt_ops.c b/src/daemon/modules/runtime/isula/isula_rt_ops.c
@@ -1209,6 +1209,9 @@ int rt_isula_create(const char *id, const char *runtime, const rt_create_params_
     p.runtime_args_len = runtime_args_len;
     p.attach_socket = attach_socket;
     p.systemd_cgroup = conf_get_systemd_cgroup();
+#ifdef ENABLE_NO_PIVOT_ROOT
+    p.no_pivot_root = params->no_pivot_root;
+#endif
     copy_process(&p, config->process);
     copy_annotations(&p, config->annotations);
 

diff --git a/src/daemon/modules/service/service_container.c b/src/daemon/modules/service/service_container.c
@@ -743,6 +743,23 @@ static int do_oci_spec_update(const char *id, oci_runtime_spec *oci_spec, contai
     return 0;
 }
 
+static bool pack_no_pivot_root(const container_t *cont)
+{
+    size_t i = 0;
+    bool ret = false;
+
+    ret = cont->hostconfig->no_pivot_root;
+    if (cont->common_config->config->annotations != NULL) {
+        for (i = 0; i < cont->common_config->config->annotations->len; i++) {
+            if (strcmp(cont->common_config->config->annotations->keys[i], "ISULAD_RAMDISK") == 0) {
+                ret = true;
+                break;
+            }
+        }
+    }
+    return ret;
+}
+
 static int do_start_container(container_t *cont, const char *console_fifos[], bool reset_rm, pid_ppid_info_t *pid_info)
 {
     int ret = 0;
@@ -906,6 +923,9 @@ static int do_start_container(container_t *cont, const char *console_fifos[], bo
     create_params.exit_fifo = exit_fifo;
     create_params.tty = tty;
     create_params.open_stdin = open_stdin;
+#ifdef ENABLE_NO_PIVOT_ROOT
+    create_params.no_pivot_root = pack_no_pivot_root(cont);
+#endif
 #ifdef ENABLE_CRI_API_V1
     if (cont->common_config->sandbox_info != NULL) {
         create_params.task_addr = cont->common_config->sandbox_info->task_address;