From 835cfc3b4a14c3721085325e41ea855492ed377d Mon Sep 17 00:00:00 2001
From: yanxuean
Date: Mon, 16 Jul 2018 13:54:49 +0800
Subject: [PATCH] support no_pivot option for runc

Signed-off-by: yanxuean
---
 docs/config.md | 3 +++
 pkg/config/config.go | 3 +++
 pkg/server/container_start.go | 6 +++++-
 pkg/server/sandbox_run.go | 7 ++++++-
 4 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/docs/config.md b/docs/config.md
index 1f5c30e5d..4eb2815b7 100644
--- a/docs/config.md
+++ b/docs/config.md
@@ -38,6 +38,9 @@ The explanation and default value of each configuration item are as follows:
 # snapshotter is the snapshotter used by containerd.
 snapshotter = "overlayfs"
 
+ # no_pivot disables pivot-root (linux only), required when running a container in a RamDisk with runc
+ no_pivot = false
+
 # "plugins.cri.containerd.default_runtime" is the runtime to use in containerd.
 [plugins.cri.containerd.default_runtime]
 # runtime_type is the runtime type to use in containerd e.g. io.containerd.runtime.v1.linux
diff --git a/pkg/config/config.go b/pkg/config/config.go
index 8ec2be834..4c93d8cff 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -37,6 +37,8 @@ type ContainerdConfig struct {
 DefaultRuntime Runtime `toml:"default_runtime" json:"defaultRuntime"`
 // UntrustedWorkloadRuntime is a runtime to run untrusted workloads on it.
 UntrustedWorkloadRuntime Runtime `toml:"untrusted_workload_runtime" json:"untrustedWorkloadRuntime"`
+ // NoPivot disables pivot-root (linux only), required when running a container in a RamDisk with runc
+ NoPivot bool `toml:"no_pivot" json:"noPivot"`
 }
 
 // CniConfig contains toml config related to cni
@@ -132,6 +134,7 @@ func DefaultConfig() PluginConfig {
 Engine: "",
 Root: "",
 },
+ NoPivot: false,
 },
 StreamServerAddress: "",
 StreamServerPort: "10010",
diff --git a/pkg/server/container_start.go b/pkg/server/container_start.go
index ed4b8b43f..a4467c4bd 100644
--- a/pkg/server/container_start.go
+++ b/pkg/server/container_start.go
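Review bot: The doc comment on the new `NoPivot` field in the `ContainerdConfig` hunk says when the option is needed but not its scope or its cost: it is a single plugin-wide switch, and the companion hunks in pkg/server/container_start.go and pkg/server/sandbox_run.go apply it to every pod sandbox and container task, including those run under the `UntrustedWorkloadRuntime` declared directly above it. Disabling pivot_root means runc sets up the rootfs without the pivot_root boundary (as far as I recall it falls back to a mount move plus chroot — worth confirming against the runc version in use), which is generally regarded as weaker root-filesystem isolation, so that tradeoff belongs in the comment operators will read. Suggested wording: `// NoPivot disables pivot-root (linux only), required when running a container in a RamDisk with runc.` followed by `// It applies to every sandbox and container task this plugin creates, including untrusted workloads, and trades some rootfs isolation for RamDisk support; leave it false unless it is needed.` The same sentence should be mirrored in the docs/config.md entry in the first hunk.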
@@ -108,7 +108,11 @@ func (c *criService) startContainer(ctx context.Context,
 return cntr.IO, nil
 }
 
- task, err := container.NewTask(ctx, ioCreation)
+ var taskOpts []containerd.NewTaskOpts
+ if c.config.NoPivot {
+ taskOpts = append(taskOpts, containerd.WithNoPivotRoot)
+ }
+ task, err := container.NewTask(ctx, ioCreation, taskOpts...)
 if err != nil {
 return errors.Wrap(err, "failed to create containerd task")
 }
diff --git a/pkg/server/sandbox_run.go b/pkg/server/sandbox_run.go
index fbc8e2da9..a3019a1b8 100644
--- a/pkg/server/sandbox_run.go
+++ b/pkg/server/sandbox_run.go
@@ -293,8 +293,13 @@ func (c *criService) RunPodSandbox(ctx context.Context, r *runtime.RunPodSandbox
 
 // Create sandbox task in containerd.
 log.Tracef("Create sandbox container (id=%q, name=%q).", id, name)
+
+ var taskOpts []containerd.NewTaskOpts
+ if c.config.NoPivot {
+ taskOpts = append(taskOpts, containerd.WithNoPivotRoot)
+ }
 // We don't need stdio for sandbox container.
- task, err := container.NewTask(ctx, containerdio.NullIO)
+ task, err := container.NewTask(ctx, containerdio.NullIO, taskOpts...)
 if err != nil {
 return status, errors.Wrap(err, "failed to create containerd task")
 }
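Review bot: The four-line `taskOpts` construction added before `container.NewTask` in this hunk is duplicated verbatim in the pkg/server/sandbox_run.go hunk, so the two task-creation paths will drift as soon as the next runc option is added to the config. A small method on `criService` that derives the options from `c.config` removes the duplication and gives the policy one place to be documented. Both call sites then pass `c.taskOpts()...` to `container.NewTask`. Note that the option is handed to whichever runtime backs the task — the sandbox path may have selected `UntrustedWorkloadRuntime` rather than the default — and whether a non-runc runtime honours or rejects `WithNoPivotRoot` is not visible from these hunks, so the helper's comment should say the option is runc-specific. `startContainer` and `RunPodSandbox` both begin and end outside their hunks.
```go
// taskOpts returns the containerd.NewTaskOpts derived from the plugin
// config. It is shared by the sandbox and container creation paths so
// the same policy applies to every task this plugin creates.
func (c *criService) taskOpts() []containerd.NewTaskOpts {
	var opts []containerd.NewTaskOpts
	if c.config.NoPivot {
		// Runc-specific: disables pivot_root, needed when the rootfs lives on a RamDisk.
		opts = append(opts, containerd.WithNoPivotRoot)
	}
	return opts
}

// … in startContainer, replacing the taskOpts block …
task, err := container.NewTask(ctx, ioCreation, c.taskOpts()...)
```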