Deprecate docker-nested

Netflix · Feb 16, 2019 · 9bce993 · 9bce993
1 parent f36e9bb
commit 9bce993
Show file tree

Hide file tree

Showing 6 changed files with 3 additions and 141 deletions.
diff --git a/executor/runtime/docker/capabilities.go b/executor/runtime/docker/capabilities.go
@@ -1,6 +1,8 @@
 package docker
 
 import (
+	"errors"
+
 	"github.com/Netflix/titus-executor/executor/runtime/docker/seccomp"
 	runtimeTypes "github.com/Netflix/titus-executor/executor/runtime/types"
 	"github.com/docker/docker/api/types/container"
@@ -56,11 +58,7 @@ func setupAdditionalCapabilities(c *runtimeTypes.Container, hostCfg *container.H
 	}
 	// We can do this here because nested containers can do everything fuse containers can
 	if c.TitusInfo.GetAllowNestedContainers() {
-		apparmorProfile = "docker_nested"
-		seccompProfile = "nested-container.json"
-
-		c.Env["TINI_HANDOFF"] = trueString
-		c.Env["TINI_UNSHARE"] = trueString
+		return errors.New("Nested containers no longer supported")
 	}
 
 	hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, "apparmor:"+apparmorProfile)

diff --git a/executor/runtime/docker/capabilities_test.go b/executor/runtime/docker/capabilities_test.go
@@ -6,7 +6,6 @@ import (
 	"github.com/Netflix/titus-executor/api/netflix/titus"
 	runtimeTypes "github.com/Netflix/titus-executor/executor/runtime/types"
 	"github.com/docker/docker/api/types/container"
-	"github.com/gogo/protobuf/proto"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -41,41 +40,3 @@ func TestFuseProfile(t *testing.T) {
 	assert.Len(t, hostConfig.SecurityOpt, 2)
 	assert.Contains(t, hostConfig.SecurityOpt, "apparmor:docker_fuse")
 }
-
-func TestNestedContainerProfile(t *testing.T) {
-	c := runtimeTypes.Container{
-		Env: map[string]string{},
-		TitusInfo: &titus.ContainerInfo{
-			AllowNestedContainers: proto.Bool(true),
-		},
-	}
-	hostConfig := container.HostConfig{}
-
-	assert.NoError(t, setupAdditionalCapabilities(&c, &hostConfig))
-
-	assert.Contains(t, hostConfig.CapAdd, "SYS_ADMIN")
-	assert.Len(t, hostConfig.CapDrop, 0)
-	assert.Len(t, hostConfig.SecurityOpt, 2)
-	assert.Contains(t, hostConfig.SecurityOpt, "apparmor:docker_nested")
-
-}
-
-func TestFuseAndNestedContainerProfileProfile(t *testing.T) {
-	c := runtimeTypes.Container{
-		Env: map[string]string{},
-		TitusInfo: &titus.ContainerInfo{
-			AllowNestedContainers: proto.Bool(true),
-			PassthroughAttributes: map[string]string{
-				runtimeTypes.FuseEnabledParam: "true",
-			},
-		},
-	}
-	hostConfig := container.HostConfig{}
-
-	assert.NoError(t, setupAdditionalCapabilities(&c, &hostConfig))
-
-	assert.Contains(t, hostConfig.CapAdd, "SYS_ADMIN")
-	assert.Len(t, hostConfig.CapDrop, 0)
-	assert.Len(t, hostConfig.SecurityOpt, 2)
-	assert.Contains(t, hostConfig.SecurityOpt, "apparmor:docker-nested")
-}
diff --git a/executor/runtime/docker/docker.go b/executor/runtime/docker/docker.go
@@ -1684,10 +1684,6 @@ func (r *DockerRuntime) setupPostStartLogDirTiniHandleConnection2(parentCtx cont
 		return err
 	}
 
-	if err := setupContainerNesting(parentCtx, c, cred); err != nil {
-		log.Error("Unable to setup container nesting: ", err)
-		return err
-	}
 	/* This can be "broken" if the titus-executor crashes. The link will be dangling, and point to a
 	 * /proc/${PID}/fd/${FD}. It's not "bad", because Titus Task names should be unique
 	 */

diff --git a/executor/runtime/docker/docker_linux.go b/executor/runtime/docker/docker_linux.go
@@ -13,13 +13,9 @@ import (
 	"time"
 	"unsafe"
 
-	"io/ioutil"
-	"strings"
-
 	"github.com/Netflix/titus-executor/config"
 	runtimeTypes "github.com/Netflix/titus-executor/executor/runtime/types"
 	"github.com/coreos/go-systemd/dbus"
-	"github.com/hashicorp/go-multierror"
 	"github.com/opencontainers/runc/libcontainer/cgroups"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"
@@ -46,7 +42,6 @@ const (
 	sshdSystemdUnit            = "titus-sshd"
 	metricStartTimeout         = time.Minute
 	umountNoFollow             = 0x8
-	sysFsCgroup                = "/sys/fs/cgroup"
 )
 
 func getPeerInfo(unixConn *net.UnixConn) (ucred, error) {
@@ -186,38 +181,6 @@ func cleanupCgroups(cgroupPath string) error {
 	return nil
 }
 
-func setupContainerNesting(parentCtx context.Context, c *runtimeTypes.Container, cred ucred) error {
-	if !c.TitusInfo.GetAllowNestedContainers() {
-		return nil
-	}
-	cgroupPath := filepath.Join("/proc/", strconv.FormatInt(int64(cred.pid), 10), "cgroup")
-	cgroups, err := ioutil.ReadFile(cgroupPath) // nolint: gosec
-	if err != nil {
-		return err
-	}
-	var ret error
-	for _, line := range strings.Split(string(cgroups), "\n") {
-		cgroupInfo := strings.Split(strings.TrimSpace(line), ":")
-		if len(cgroupInfo) != 3 {
-			continue
-		}
-		controllerType := cgroupInfo[1]
-		if len(controllerType) == 0 {
-			continue
-		}
-		// This is to handle the name=systemd cgroup, we should probably parse /proc/mounts, but this is a little bit easier
-		controllerType = strings.TrimPrefix(controllerType, "name=")
-		controllerPath := cgroupInfo[2]
-		fsPath := filepath.Join(sysFsCgroup, controllerType, controllerPath)
-		err = os.Chown(fsPath, int(cred.uid), int(cred.gid))
-		if err != nil {
-			ret = multierror.Append(ret, err)
-		}
-	}
-
-	return ret
-}
-
 func setupOOMAdj(c *runtimeTypes.Container, cred ucred) error {
 	oomScore := 1000
 

diff --git a/executor/runtime/docker/docker_unsupported.go b/executor/runtime/docker/docker_unsupported.go
@@ -38,10 +38,6 @@ func cleanupCgroups(cgroupPath string) error {
 	return errUnsupported
 }
 
-func setupContainerNesting(parentCtx context.Context, c *runtimeTypes.Container, cred ucred) error {
-	return errUnsupported
-}
-
 func setupOOMAdj(c *runtimeTypes.Container, cred ucred) error {
 	return errUnsupported
 }
diff --git a/root/etc/apparmor.d/docker_nested b/root/etc/apparmor.d/docker_nested