client: support no_pivot_root in exec driver configuration

hashicorp · Feb 13, 2020 · d9a3df2 · d9a3df2
1 parent af59190
commit d9a3df2
Show file tree

Hide file tree

Showing 17 changed files with 268 additions and 216 deletions.
diff --git a/client/logmon/proto/logmon.pb.go b/client/logmon/proto/logmon.pb.go
diff --git a/drivers/docker/docklog/proto/docker_logger.pb.go b/drivers/docker/docklog/proto/docker_logger.pb.go
diff --git a/drivers/exec/driver.go b/drivers/exec/driver.go
@@ -59,7 +59,12 @@ var (
 	}
 
 	// configSpec is the hcl specification returned by the ConfigSchema RPC
-	configSpec = hclspec.NewObject(map[string]*hclspec.Spec{})
+	configSpec = hclspec.NewObject(map[string]*hclspec.Spec{
+		"no_pivot_root": hclspec.NewDefault(
+			hclspec.NewAttr("no_pivot_root", "bool", false),
+			hclspec.NewLiteral("false"),
+		),
+	})
 
 	// taskConfigSpec is the hcl specification for the driver config section of
 	// a task within a job. It is returned in the TaskConfigSchema RPC
@@ -88,6 +93,9 @@ type Driver struct {
 	// event can be broadcast to all callers
 	eventer *eventer.Eventer
 
+	// config is the driver configuration set by the SetConfig RPC
+	config *Config
+
 	// nomadConfig is the client config from nomad
 	nomadConfig *base.ClientDriverConfig
 
@@ -111,6 +119,13 @@ type Driver struct {
 	fingerprintLock    sync.Mutex
 }
 
+// Config is the driver configuration set by the SetConfig RPC call
+type Config struct {
+	// NoPivotRoot disables the use of pivot_root, useful when the root partition
+	// is on ramdisk
+	NoPivotRoot bool `codec:"no_pivot_root"`
+}
+
 // TaskConfig is the driver configuration of a task within a job
 type TaskConfig struct {
 	Command string   `codec:"command"`
@@ -171,6 +186,14 @@ func (d *Driver) ConfigSchema() (*hclspec.Spec, error) {
 }
 
 func (d *Driver) SetConfig(cfg *base.Config) error {
+	var config Config
+	if len(cfg.PluginConfig) != 0 {
+		if err := base.MsgPackDecode(cfg.PluginConfig, &config); err != nil {
+			return err
+		}
+	}
+
+	d.config = &config
 	if cfg != nil && cfg.AgentConfig != nil {
 		d.nomadConfig = cfg.AgentConfig.Driver
 	}
@@ -352,6 +375,7 @@ func (d *Driver) StartTask(cfg *drivers.TaskConfig) (*drivers.TaskHandle, *drive
 		Env:              cfg.EnvList(),
 		User:             user,
 		ResourceLimits:   true,
+		NoPivotRoot:      d.config.NoPivotRoot,
 		Resources:        cfg.Resources,
 		TaskDir:          cfg.TaskDir().Dir,
 		StdoutPath:       cfg.StdoutPath,

diff --git a/drivers/shared/executor/client.go b/drivers/shared/executor/client.go
@@ -41,6 +41,7 @@ func (c *grpcExecutorClient) Launch(cmd *ExecCommand) (*ProcessState, error) {
 		TaskDir:            cmd.TaskDir,
 		ResourceLimits:     cmd.ResourceLimits,
 		BasicProcessCgroup: cmd.BasicProcessCgroup,
+		NoPivotRoot:        cmd.NoPivotRoot,
 		Mounts:             drivers.MountsToProto(cmd.Mounts),
 		Devices:            drivers.DevicesToProto(cmd.Devices),
 		NetworkIsolation:   drivers.NetworkIsolationSpecToProto(cmd.NetworkIsolation),

diff --git a/drivers/shared/executor/executor.go b/drivers/shared/executor/executor.go
@@ -121,6 +121,11 @@ type ExecCommand struct {
 	// Using the cgroup does allow more precise cleanup of processes.
 	BasicProcessCgroup bool
 
+	// NoPivotRoot disables using pivot_root for isolation, useful when the root
+	// partition is on a ramdisk which does not support pivot_root,
+	// see man 2 pivot_root
+	NoPivotRoot bool
+
 	// Mounts are the host paths to be be made available inside rootfs
 	Mounts []*drivers.MountConfig
 

diff --git a/drivers/shared/executor/executor_linux.go b/drivers/shared/executor/executor_linux.go
@@ -573,6 +573,9 @@ func configureIsolation(cfg *lconfigs.Config, command *ExecCommand) error {
 	// set the new root directory for the container
 	cfg.Rootfs = command.TaskDir
 
+	// disable pivot_root if set in the driver's configuration
+	cfg.NoPivotRoot = command.NoPivotRoot
+
 	// launch with mount namespace
 	cfg.Namespaces = lconfigs.Namespaces{
 		{Type: lconfigs.NEWNS},