From f795e215b4074e7a40574617866d98337d51127f Mon Sep 17 00:00:00 2001
From: Diptanu Choudhury
Date: Sun, 12 Jun 2016 15:41:31 +0200
Subject: [PATCH] Setting a flag to indicate whether fs isolation is indeed happening
---
 client/driver/executor/executor.go | 52 +++++++++++++++---------
 client/driver/executor/executor_linux.go | 7 +---
 2 files changed, 33 insertions(+), 26 deletions(-)
diff --git a/client/driver/executor/executor.go b/client/driver/executor/executor.go
index 59cc29eafb6..1bb028213f3 100644
--- a/client/driver/executor/executor.go
+++ b/client/driver/executor/executor.go
@@ -176,11 +176,12 @@ type UniversalExecutor struct {
 ctx *ExecutorContext
 command *ExecCommand
- pids map[int]*nomadPid
- pidLock sync.RWMutex
- taskDir string
- exitState *ProcessState
- processExited chan interface{}
+ pids map[int]*nomadPid
+ pidLock sync.RWMutex
+ taskDir string
+ exitState *ProcessState
+ processExited chan interface{}
+ fsIsolationEnforced bool
 lre *logging.FileRotator
 lro *logging.FileRotator
@@ -244,26 +245,11 @@ func (e *UniversalExecutor) LaunchCmd(command *ExecCommand, ctx *ExecutorContext
 }
 e.ctx.TaskEnv.Build()
- // Look up the binary path and make it executable
- absPath, err := e.lookupBin(ctx.TaskEnv.ReplaceEnv(command.Cmd))
- if err != nil {
- return nil, err
- }
-
- if err := e.makeExecutable(absPath); err != nil {
- return nil, err
- }
-
- e.cmd.Path = absPath
 // configuring the chroot, cgroup and enters the plugin process in the
 // chroot
 if err := e.configureIsolation(); err != nil {
 return nil, err
 }
- // Set the commands arguments
- e.cmd.Args = append([]string{e.cmd.Path}, ctx.TaskEnv.ParseAndReplace(command.Args)...)
- e.cmd.Env = ctx.TaskEnv.EnvList()
-
 // Apply ourselves into the cgroup. The executor MUST be in the cgroup
 // before the user task is started, otherwise we are subject to a fork
 // attack in which a process escapes isolation by immediately forking.
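Review bot: The new `fsIsolationEnforced` field is undocumented, and its name promises more than the visible code establishes: it is set at the end of configureChroot (the executor_linux.go hunk) and read only in LaunchCmd, where it decides whether the command path is made relative to `taskDir`. A field comment would pin that contract down, for example `// fsIsolationEnforced is set by configureChroot on success; LaunchCmd then runs the command by its path relative to taskDir.` Nothing visible in this patch sets the flag on other platforms or clears it again, which the comment could also state once confirmed. The struct definition starts and ends outside this hunk.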
@@ -278,6 +264,32 @@ func (e *UniversalExecutor) LaunchCmd(command *ExecCommand, ctx *ExecutorContext
 e.cmd.Stdout = e.lro
 e.cmd.Stderr = e.lre
+ // Look up the binary path and make it executable
+ absPath, err := e.lookupBin(ctx.TaskEnv.ReplaceEnv(command.Cmd))
+ if err != nil {
+ return nil, err
+ }
+
+ if err := e.makeExecutable(absPath); err != nil {
+ return nil, err
+ }
+
+ path := absPath
+
+ // Determine the path to run as it may have to be relative to the chroot.
+ if e.fsIsolationEnforced {
+ rel, err := filepath.Rel(e.taskDir, path)
+ if err != nil {
+ return nil, err
+ }
+ path = rel
+ }
+
+ // Set the commands arguments
+ e.cmd.Path = path
+ e.cmd.Args = append([]string{e.cmd.Path}, ctx.TaskEnv.ParseAndReplace(command.Args)...)
+ e.cmd.Env = ctx.TaskEnv.EnvList()
+
 // Start the process
 if err := e.cmd.Start(); err != nil {
 return nil, err
diff --git a/client/driver/executor/executor_linux.go b/client/driver/executor/executor_linux.go
index 087594ae2c3..1140e3005c7 100644
--- a/client/driver/executor/executor_linux.go
+++ b/client/driver/executor/executor_linux.go
@@ -247,12 +247,7 @@ func (e *UniversalExecutor) configureChroot() error {
 return err
 }
- rel, err := filepath.Rel(e.taskDir, e.cmd.Path)
- if err != nil {
- return err
- }
- e.cmd.Path = rel
-
+ e.fsIsolationEnforced = true
 return nil
 }
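Review bot: The result of `filepath.Rel(e.taskDir, path)` is assigned to `e.cmd.Path` without checking that it stays inside the task directory; `filepath.Rel` returns a `../…` path, not an error, when the target lies outside the base. lookupBin is not shown here, so whether it can return such a path is not visible, but if it can, the file that was looked up and made executable on the host is not necessarily the file the chrooted process resolves. A guard right after the `Rel` call would make the failure explicit: `if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) { return nil, fmt.Errorf("command %q is outside the task directory", absPath) }`. LaunchCmd begins and ends outside this hunk.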