mount: Reduce the mount points with namespace isolation

This patch can reduce load on systemd process, and increase the k8s deployment density when using go runtime. Fixes: #8758 Signed-off-by: Zhigang Wang <wangzhigang17@huawei.com> Signed-off-by: Liu Wenyuan <liuwenyuan9@huawei.com>
kata-containers · Jan 10, 2024 · b148e2b · b148e2b
1 parent 67b91c1
commit b148e2b
Showing 1 changed file with 25 additions and 0 deletions.
diff --git a/src/runtime/pkg/containerd-shim-v2/service.go b/src/runtime/pkg/containerd-shim-v2/service.go
@@ -191,6 +191,27 @@ func newCommand(ctx context.Context, id, containerdBinary, containerdAddress str
 	return cmd, nil
 }
 
+func setupMntNs() error {
+	err := unix.Unshare(unix.CLONE_NEWNS)
+	if err != nil {
+		return err
+	}
+
+	err = unix.Mount("", "/", "", unix.MS_REC|unix.MS_SLAVE, "")
+	if err != nil {
+		err = fmt.Errorf("failed to mount with slave: %v", err)
+		return err
+	}
+
+	err = unix.Mount("", "/", "", unix.MS_REC|unix.MS_SHARED, "")
+	if err != nil {
+		err = fmt.Errorf("failed to mount with shared: %v", err)
+		return err
+	}
+
+	return nil
+}
+
 // StartShim is a binary call that starts a kata shimv2 service which will
 // implement the ShimV2 APIs such as create/start/update etc containers.
 func (s *service) StartShim(ctx context.Context, opts cdshim.StartOpts) (_ string, retErr error) {
@@ -255,6 +276,10 @@ func (s *service) StartShim(ctx context.Context, opts cdshim.StartOpts) (_ strin
 		}
 	}
 
+	if err := setupMntNs(); err != nil {
+		return "", err
+	}
+
 	if err := cmd.Start(); err != nil {
 		return "", err
 	}