Improve setupSystemd, grab mount options from the host #8127
Conversation
libpod/container_internal_linux.go
Outdated
| @@ -38,6 +38,7 @@ import ( | |||
| "github.com/containers/storage/pkg/archive" | |||
| "github.com/containers/storage/pkg/idtools" | |||
| securejoin "github.com/cyphar/filepath-securejoin" | |||
| "github.com/moby/sys/mountinfo" | |||
There was a problem hiding this comment.
Could you use "github.com/containers/storage/pkg/mount"
There was a problem hiding this comment.
Ah, sure. I wasn't aware of that. I've just pushed the update. Let me know if I should squash the commits.
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: andylibrian, rhatdan The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
the
approved
andylibrian
force-pushed
the
grab-systemd-mount-flags-from-the-host-7661
branch
from
cf9e5a7 to
52cb6d9
Compare
libpod/container_internal_linux.go
Outdated
| } | ||
|
|
||
| if hostMount == nil { | ||
| return errors.New("/sys/fs/cgroup/systemd is not mounted on the host") |
There was a problem hiding this comment.
Can you make this errors.Wrapf(define.ErrInternal, "/sys/fs/cgroup/systemd is not mounted on the host") - we generally try to have all errors from Libpod wrap one of our defined errors whenever we can.
|
One nit otherwise LGTM |
|
Fix @mheon issue and LGTM |
|
I've just applied @mheon suggestion |
libpod/container_internal_linux.go
Outdated
| hostMounts, err := mount.GetMounts() | ||
| if err != nil { | ||
| return err | ||
| } | ||
|
|
||
| var hostMount *mount.Info | ||
| for _, m := range hostMounts { | ||
| if m != nil && m.Mountpoint == "/sys/fs/cgroup/systemd" { | ||
| hostMount = m | ||
| break | ||
| } | ||
| } | ||
|
|
||
| if hostMount == nil { | ||
| return errors.Wrapf(define.ErrInternal, "/sys/fs/cgroup/systemd is not mounted on the host") | ||
| } | ||
|
|
There was a problem hiding this comment.
this is a bit expensive.
Could we just use statfs("/sys/fs/cgroup/systemd") and read f_flags from there?
|
@andylibrian Could you make the change @giuseppe requested so we can get this merged. |
|
I've just pushed an update to use statfs to read the mount options. With if statfs.Flags&unix.MS_NODEV == unix.MS_NODEV {
mountOptions = append(mountOptions, "nodev")
}
if statfs.Flags&unix.MS_NOEXEC == unix.MS_NOEXEC {
mountOptions = append(mountOptions, "noexec")
}
if statfs.Flags&unix.MS_NOSUID == unix.MS_NOSUID {
mountOptions = append(mountOptions, "nosuid")
}
if statfs.Flags&unix.MS_RDONLY == unix.MS_RDONLY {
mountOptions = append(mountOptions, "ro")
}This works on |
| systemdMnt := spec.Mount{ | ||
| Destination: "/sys/fs/cgroup/systemd", | ||
| Type: "bind", | ||
| Source: "/sys/fs/cgroup/systemd", | ||
| Options: []string{"bind", "nodev", "noexec", "nosuid", "rprivate"}, | ||
| Options: mountOptions, |
There was a problem hiding this comment.
Yes. We should always add rprivate
libpod/container_internal_linux.go
Outdated
| @@ -668,11 +668,30 @@ func (c *Container) setupSystemd(mounts []spec.Mount, g generate.Generator) erro | |||
| } | |||
| g.AddMount(systemdMnt) | |||
| } else { | |||
| var statfs unix.Statfs_t | |||
| if err := unix.Statfs("/sys/fs/cgroup/systemd", &statfs); err != nil { | |||
| return errors.Wrapf(err, "/sys/fs/cgroup/systemd is not mounted on the host") | |||
There was a problem hiding this comment.
if it is not mounted, could we just use a set of default mount options?
There was a problem hiding this comment.
Does that make sense given that we're trying to mount the same directory into the container? It seems like we ought to fail if we can't actually mount the cgroups in.
fixes containers#7661 Signed-off-by: Andy Librian <[email protected]>
andylibrian
force-pushed
the
grab-systemd-mount-flags-from-the-host-7661
branch
from
701b64d to
6779c1c
Compare
|
I've just pushed the update as suggested, squashed into a single commit as requested. There is still a discussion about whether we should throw an error or fallback to default mount options in case systemd is not mounted. |
|
I think we're good to merge as-is; LGTM |
|
@containers/podman-maintainers PTAL |
|
/lgtm |
openshift-ci-robot
added
the
do-not-merge/hold
|
/hold cancel |
openshift-ci-robot
removed
the
do-not-merge/hold
github-actions
bot
added
the
locked - please file new issue/PR
For systemd with cgroupsv1, the mount options is currenlty hard coded:
As discussed in PR #7640, we want to grab the mount options from the host.
fixes #7661
I'm not quite sure if there is any existing test that can hit cgroupsv1 only, to cover this scenario specifically.