libcontainer 0.0.4

Library for container control
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122

use super::{
    device::Device,
    mount::{Mount, MountOptions},
    symlink::Symlink,
    utils::default_devices,
};
use crate::syscall::{syscall::create_syscall, Syscall};
use anyhow::{bail, Context, Result};
use nix::mount::MsFlags;
use oci_spec::runtime::{Linux, Spec};
use std::path::Path;

/// Holds information about rootfs
pub struct RootFS {
    syscall: Box<dyn Syscall>,
}

impl Default for RootFS {
    fn default() -> Self {
        Self::new()
    }
}

impl RootFS {
    pub fn new() -> RootFS {
        RootFS {
            syscall: create_syscall(),
        }
    }

    pub fn prepare_rootfs(
        &self,
        spec: &Spec,
        rootfs: &Path,
        bind_devices: bool,
        cgroup_ns: bool,
    ) -> Result<()> {
        log::debug!("Prepare rootfs: {:?}", rootfs);
        let mut flags = MsFlags::MS_REC;
        let linux = spec.linux().as_ref().context("no linux in spec")?;

        match linux.rootfs_propagation().as_deref() {
            Some("shared") => flags |= MsFlags::MS_SHARED,
            Some("private") => flags |= MsFlags::MS_PRIVATE,
            Some("slave" | "unbindable") | None => flags |= MsFlags::MS_SLAVE,
            Some(uknown) => bail!("unknown rootfs_propagation: {}", uknown),
        }

        self.syscall
            .mount(None, Path::new("/"), None, flags, None)
            .context("failed to mount rootfs")?;

        let mounter = Mount::new();

        mounter
            .make_parent_mount_private(rootfs)
            .context("failed to change parent mount of rootfs private")?;

        log::debug!("mount root fs {:?}", rootfs);
        self.syscall.mount(
            Some(rootfs),
            rootfs,
            None,
            MsFlags::MS_BIND | MsFlags::MS_REC,
            None,
        )?;

        let global_options = MountOptions {
            root: rootfs,
            label: linux.mount_label().as_deref(),
            cgroup_ns,
        };

        if let Some(mounts) = spec.mounts() {
            for mount in mounts {
                mounter
                    .setup_mount(mount, &global_options)
                    .with_context(|| format!("failed to setup mount {:#?}", mount))?;
            }
        }

        let symlinker = Symlink::new();
        symlinker
            .setup_kcore_symlink(rootfs)
            .context("failed to  setup kcore symlink")?;
        symlinker
            .setup_default_symlinks(rootfs)
            .context("failed to setup default symlinks")?;

        let devicer = Device::new();
        if let Some(added_devices) = linux.devices() {
            devicer.create_devices(
                rootfs,
                default_devices().iter().chain(added_devices),
                bind_devices,
            )
        } else {
            devicer.create_devices(rootfs, &default_devices(), bind_devices)
        }?;

        symlinker.setup_ptmx(rootfs)?;
        Ok(())
    }

    /// Change propagation type of rootfs as specified in spec.
    pub fn adjust_root_mount_propagation(&self, linux: &Linux) -> Result<()> {
        let rootfs_propagation = linux.rootfs_propagation().as_deref();
        let flags = match rootfs_propagation {
            Some("shared") => Some(MsFlags::MS_SHARED),
            Some("unbindable") => Some(MsFlags::MS_UNBINDABLE),
            _ => None,
        };

        if let Some(flags) = flags {
            log::debug!("make root mount {:?}", flags);
            self.syscall
                .mount(None, Path::new("/"), None, flags, None)?;
        }

        Ok(())
    }
}