podman
272 строки · 8.1 Кб
1//go:build freebsd2// +build freebsd3package chroot5import (7"errors"8"fmt"9"io"10"io/fs"11"os"12"os/exec"13"path/filepath"14"strings"15"syscall"16"github.com/containers/buildah/pkg/jail"18"github.com/containers/storage/pkg/fileutils"19"github.com/containers/storage/pkg/mount"20"github.com/containers/storage/pkg/unshare"21"github.com/opencontainers/runtime-spec/specs-go"22"github.com/sirupsen/logrus"23"golang.org/x/sys/unix"24)25var (27rlimitsMap = map[string]int{28"RLIMIT_AS": unix.RLIMIT_AS,29"RLIMIT_CORE": unix.RLIMIT_CORE,30"RLIMIT_CPU": unix.RLIMIT_CPU,31"RLIMIT_DATA": unix.RLIMIT_DATA,32"RLIMIT_FSIZE": unix.RLIMIT_FSIZE,33"RLIMIT_MEMLOCK": unix.RLIMIT_MEMLOCK,34"RLIMIT_NOFILE": unix.RLIMIT_NOFILE,35"RLIMIT_NPROC": unix.RLIMIT_NPROC,36"RLIMIT_RSS": unix.RLIMIT_RSS,37"RLIMIT_STACK": unix.RLIMIT_STACK,38}39rlimitsReverseMap = map[int]string{}40)41type runUsingChrootSubprocOptions struct {43Spec *specs.Spec44BundlePath string45}46func setPlatformUnshareOptions(spec *specs.Spec, cmd *unshare.Cmd) error {48return nil49}50func setContainerHostname(name string) {52// On FreeBSD, we have to set this later when we create the53// jail below in createPlatformContainer54}55func setSelinuxLabel(spec *specs.Spec) error {57// Ignore this on FreeBSD58return nil59}60func setApparmorProfile(spec *specs.Spec) error {62// FreeBSD doesn't have apparmor`63return nil64}65func setCapabilities(spec *specs.Spec, keepCaps ...string) error {67// FreeBSD capabilities are nothing like Linux68return nil69}70func makeRlimit(limit specs.POSIXRlimit) unix.Rlimit {72return unix.Rlimit{Cur: int64(limit.Soft), Max: int64(limit.Hard)}73}74func createPlatformContainer(options runUsingChrootExecSubprocOptions) error {76path := options.Spec.Root.Path77jconf := jail.NewConfig()78jconf.Set("name", filepath.Base(path)+"-chroot")79jconf.Set("host.hostname", options.Spec.Hostname)80jconf.Set("persist", false)81jconf.Set("path", path)82jconf.Set("ip4", jail.INHERIT)83jconf.Set("ip6", jail.INHERIT)84jconf.Set("allow.raw_sockets", true)85jconf.Set("enforce_statfs", 1)86_, err := jail.CreateAndAttach(jconf)87if err != nil {88return fmt.Errorf("creating jail: %w", err)89}90return nil91}92// logNamespaceDiagnostics knows which namespaces we want to create.94// Output debug messages when that differs from what we're being asked to do.95func logNamespaceDiagnostics(spec *specs.Spec) {96// Nothing here for FreeBSD97}98func makeReadOnly(mntpoint string, flags uintptr) error {100var fs unix.Statfs_t101// Make sure it's read-only.102if err := unix.Statfs(mntpoint, &fs); err != nil {103return fmt.Errorf("checking if directory %q was bound read-only: %w", mntpoint, err)104}105return nil106}107func saveDir(spec *specs.Spec, path string) string {109id := filepath.Base(spec.Root.Path)110return filepath.Join(filepath.Dir(path), ".save-"+id)111}112func copyFile(source, dest string) error {114in, err := os.Open(source)115if err != nil {116return err117}118defer in.Close()119out, err := os.Create(dest)121if err != nil {122return err123}124defer out.Close()125_, err = io.Copy(out, in)127if err != nil {128return err129}130return out.Close()131}132type rename struct {134from, to string135}136// setupChrootBindMounts actually bind mounts things under the rootfs, and returns a138// callback that will clean up its work.139func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func() error, err error) {140renames := []rename{}141unmounts := []string{}142removes := []string{}143undoBinds = func() error {144for _, r := range renames {145if err2 := os.Rename(r.to, r.from); err2 != nil {146logrus.Warnf("pkg/chroot: error renaming %q to %q: %v", r.to, r.from, err2)147if err == nil {148err = err2149}150}151}152for _, path := range unmounts {153if err2 := mount.Unmount(path); err2 != nil {154logrus.Warnf("pkg/chroot: error unmounting %q: %v", spec.Root.Path, err2)155if err == nil {156err = err2157}158}159}160for _, path := range removes {161if err2 := os.Remove(path); err2 != nil {162logrus.Warnf("pkg/chroot: error removing %q: %v", path, err2)163if err == nil {164err = err2165}166}167}168return err169}170// Now mount all of those things to be under the rootfs's location in this172// mount namespace.173for _, m := range spec.Mounts {174// If the target is there, we can just mount it.175var srcinfo os.FileInfo176switch m.Type {177case "nullfs":178srcinfo, err = os.Stat(m.Source)179if err != nil {180return undoBinds, fmt.Errorf("examining %q for mounting in mount namespace: %w", m.Source, err)181}182}183target := filepath.Join(spec.Root.Path, m.Destination)184if err := fileutils.Exists(target); err != nil {185// If the target can't be stat()ted, check the error.186if !errors.Is(err, fs.ErrNotExist) {187return undoBinds, fmt.Errorf("examining %q for mounting in mount namespace: %w", target, err)188}189// The target isn't there yet, so create it, and make a190// note to remove it later.191// XXX: This was copied from the linux version which supports bind mounting files.192// Leaving it here since I plan to add this to FreeBSD's nullfs.193if m.Type != "nullfs" || srcinfo.IsDir() {194if err = os.MkdirAll(target, 0111); err != nil {195return undoBinds, fmt.Errorf("creating mountpoint %q in mount namespace: %w", target, err)196}197removes = append(removes, target)198} else {199if err = os.MkdirAll(filepath.Dir(target), 0111); err != nil {200return undoBinds, fmt.Errorf("ensuring parent of mountpoint %q (%q) is present in mount namespace: %w", target, filepath.Dir(target), err)201}202// Don't do this until we can support file mounts in nullfs203/*var file *os.File204if file, err = os.OpenFile(target, os.O_WRONLY|os.O_CREATE, 0); err != nil {205return undoBinds, errors.Wrapf(err, "error creating mountpoint %q in mount namespace", target)206}207file.Close()208removes = append(removes, target)*/209}210}211logrus.Debugf("mount: %v", m)212switch m.Type {213case "nullfs":214// Do the bind mount.215if !srcinfo.IsDir() {216logrus.Debugf("emulating file mount %q on %q", m.Source, target)217err := fileutils.Exists(target)218if err == nil {219save := saveDir(spec, target)220if err := fileutils.Exists(save); err != nil {221if errors.Is(err, fs.ErrNotExist) {222err = os.MkdirAll(save, 0111)223}224if err != nil {225return undoBinds, fmt.Errorf("creating file mount save directory %q: %w", save, err)226}227removes = append(removes, save)228}229savePath := filepath.Join(save, filepath.Base(target))230if err := fileutils.Exists(target); err == nil {231logrus.Debugf("moving %q to %q", target, savePath)232if err := os.Rename(target, savePath); err != nil {233return undoBinds, fmt.Errorf("moving %q to %q: %w", target, savePath, err)234}235renames = append(renames, rename{236from: target,237to: savePath,238})239}240} else {241removes = append(removes, target)242}243if err := copyFile(m.Source, target); err != nil {244return undoBinds, fmt.Errorf("copying %q to %q: %w", m.Source, target, err)245}246} else {247logrus.Debugf("bind mounting %q on %q", m.Destination, filepath.Join(spec.Root.Path, m.Destination))248if err := mount.Mount(m.Source, target, "nullfs", strings.Join(m.Options, ",")); err != nil {249return undoBinds, fmt.Errorf("bind mounting %q from host to %q in mount namespace (%q): %w", m.Source, m.Destination, target, err)250}251logrus.Debugf("bind mounted %q to %q", m.Source, target)252unmounts = append(unmounts, target)253}254case "devfs", "fdescfs", "tmpfs":255// Mount /dev, /dev/fd.256if err := mount.Mount(m.Source, target, m.Type, strings.Join(m.Options, ",")); err != nil {257return undoBinds, fmt.Errorf("mounting %q to %q in mount namespace (%q, %q): %w", m.Type, m.Destination, target, strings.Join(m.Options, ","), err)258}259logrus.Debugf("mounted a %q to %q", m.Type, target)260unmounts = append(unmounts, target)261}262}263return undoBinds, nil264}265// setPdeathsig sets a parent-death signal for the process267func setPdeathsig(cmd *exec.Cmd) {268if cmd.SysProcAttr == nil {269cmd.SysProcAttr = &syscall.SysProcAttr{}270}271cmd.SysProcAttr.Pdeathsig = syscall.SIGKILL272}273