Move root filesystem from rootfs to tmpfs #5133

Merged
merged 4 commits into from
Aug 26, 2019
2 changes: 1 addition & 1 deletion deploy/addons/gvisor/gvisor-config.toml
Expand Up @@ -36,7 +36,7 @@ oom_score = 0
max_container_log_line_size = 16384
[plugins.cri.containerd]
snapshotter = "overlayfs"
no_pivot = true
no_pivot = false
[plugins.cri.containerd.default_runtime]
runtime_type = "io.containerd.runtime.v1.linux"
runtime_engine = ""
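
Review bot: `no_pivot = false` is hard-coded here, while pkg/provision/buildroot.go in this same change still probes the root filesystem type and falls back to no-pivot when it is rootfs. This file sits under deploy/addons rather than in the ISO tree, so if it can be applied to a VM whose root is still rootfs, containerd will attempt pivot_root where the comment in buildroot.go says it is not supported. Either note next to the line which ISO this setting depends on, or confirm the addon is only ever used with an image that boots through the new init.
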
13 changes: 13 additions & 0 deletions deploy/iso/minikube-iso/board/coreos/minikube/rootfs-overlay/init
@@ -0,0 +1,13 @@
#!/bin/sh
Contributor

For future archeologists, do you mind adding a quick comment describing why this file exists, and what its intent is?

Member

future archeologists hahaha ! love it ! hello future archeologists from 2019 !

Collaborator Author

Explaining init(1) ?

Or maybe what is the difference between this init and the normal one would be more appropriate. It doesn’t really help that the final /sbin/init is actually not init but just Lennart (systemd) posing

Contributor

I for one didn't realize this took the place of the system init, though it makes sense given the location.

It'd be nice to have an explanation of why data is being copied from one directory to another before exec'ing out to another init. =)

Collaborator Author

Settled for adding a reference to switch_root(8)

DESCRIPTION
switch_root moves already mounted /proc, /dev, /sys and /run to newroot and makes newroot the new root filesystem and starts init process.

WARNING: switch_root removes recursively all files and directories on the current root filesystem.

mkdir /sysroot
# the value 90% borrowed from tcl via boot2docker
mount -t tmpfs -o size=90% tmpfs /sysroot
Contributor

Add a comment explaining how you arrived at 90% being the correct choice here.

Collaborator Author

That’s easy, I stole it from tinycore (and boot2docker). 😀
I think it needs some space left, so using 100% won’t work. But we could probably get away with 95% since our VM is twice as big ? Can experiment with it

Contributor

That's fine. Just mention that you have copied the number from elsewhere then. I was afraid it might have some magical principle to it.

Collaborator Author

I'll stick with 90%, until I know better. Will leave a reference to the original

# copy from rootfs, to be able to do switch_root(8)
tar -C / --exclude=sysroot -cf - . | tar -C /sysroot/ -xf -

# devtmpfs does not get automounted for initramfs
/bin/mount -t devtmpfs devtmpfs /sysroot/dev
exec 0</sysroot/dev/console
exec 1>/sysroot/dev/console
exec 2>/sysroot/dev/console
exec /sbin/switch_root /sysroot /sbin/init "$@"
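
Review bot: nothing after the `mount -t tmpfs -o size=90% tmpfs /sysroot` line checks that the mount succeeded, and this script stands in for the system init, so a failed mount leaves `tar` copying the root into a plain /sysroot directory on rootfs and `switch_root` being handed a directory that is not a mount point. Test the mount's exit status (or put `set -e` at the top) and stop with a message before the copy starts. The copy pipeline also reports only the status of the extracting `tar`, so a read error on the creating side goes unnoticed; checking that /sysroot/sbin/init exists before the final `exec` would catch a short copy.
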
2 changes: 1 addition & 1 deletion deploy/iso/minikube-iso/package/containerd-bin/config.toml
Expand Up @@ -36,7 +36,7 @@ oom_score = 0
max_container_log_line_size = 16384
[plugins.cri.containerd]
snapshotter = "overlayfs"
no_pivot = true
no_pivot = false
[plugins.cri.containerd.default_runtime]
runtime_type = "io.containerd.runtime.v1.linux"
runtime_engine = ""
2 changes: 1 addition & 1 deletion deploy/iso/minikube-iso/package/crio-bin/crio.conf
Expand Up @@ -92,7 +92,7 @@ grpc_max_recv_msg_size = 16777216
default_runtime = "runc"

# If true, the runtime will not use pivot_root, but instead use MS_MOVE.
no_pivot = true
no_pivot = false

# Path to the conmon binary, used for monitoring the OCI runtime.
conmon = "/usr/libexec/crio/conmon"
3 changes: 0 additions & 3 deletions deploy/iso/minikube-iso/package/podman/buildah.profile

This file was deleted.

2 changes: 0 additions & 2 deletions deploy/iso/minikube-iso/package/podman/libpod.conf

This file was deleted.

2 changes: 0 additions & 2 deletions deploy/iso/minikube-iso/package/podman/podman.mk
Expand Up @@ -29,8 +29,6 @@ endef

define PODMAN_INSTALL_TARGET_CMDS
$(INSTALL) -Dm755 $(@D)/bin/podman $(TARGET_DIR)/usr/bin/podman
$(INSTALL) -Dm644 $(BR2_EXTERNAL_MINIKUBE_PATH)/package/podman/libpod.conf $(TARGET_DIR)/etc/containers/libpod.conf
$(INSTALL) -Dm644 $(BR2_EXTERNAL_MINIKUBE_PATH)/package/podman/buildah.profile $(TARGET_DIR)/etc/profile.d/podman.sh
endef

$(eval $(generic-package))
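
Review bot: the two removed `$(INSTALL)` lines drop /etc/containers/libpod.conf and /etc/profile.d/podman.sh from the image, but the diff shows both source files only as deleted, so a reader cannot see which settings go away. A sentence in the commit message naming those settings and why the defaults are now correct would let a reviewer confirm that podman and buildah end up with the same pivot_root behaviour as the containerd and cri-o configs changed above.
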
22 changes: 22 additions & 0 deletions pkg/provision/buildroot.go
Expand Up @@ -92,6 +92,13 @@ func (p *BuildrootProvisioner) GenerateDockerOptions(dockerPort int) (*provision
driverNameLabel := fmt.Sprintf("provider=%s", p.Driver.DriverName())
p.EngineOptions.Labels = append(p.EngineOptions.Labels, driverNameLabel)

noPivot := true
// Using pivot_root is not supported on fstype rootfs
if fstype, err := rootFileSystemType(p); err == nil {
log.Debugf("root file system type: %s", fstype)
noPivot = fstype == "rootfs"
}
afbjorklund marked this conversation as resolved.

engineConfigTmpl := `[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
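
Review bot: the `err` returned by `rootFileSystemType(p)` is discarded, and because `noPivot` starts out `true`, any failure of the SSH command silently keeps the MS_MOVE path even when the root is tmpfs. Log the error in an else branch, at warning level, so the log distinguishes "root is rootfs" from "could not determine the root filesystem type".
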
Expand All @@ -101,8 +108,15 @@ Requires= minikube-automount.service docker.socket
[Service]
Type=notify

`
if noPivot {
log.Warn("Using fundamentally insecure --no-pivot option")
engineConfigTmpl += `
# DOCKER_RAMDISK disables pivot_root in Docker, using MS_MOVE instead.
Environment=DOCKER_RAMDISK=yes
`
}
engineConfigTmpl += `
{{range .EngineOptions.Env}}Environment={{.}}
{{end}}
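
Review bot: the warning text "Using fundamentally insecure --no-pivot option" names a flag that does not appear anywhere in the generated unit; what is actually written is `Environment=DOCKER_RAMDISK=yes`. Word the message around what was detected and what it causes, for example that the root filesystem is rootfs and pivot_root is therefore disabled for Docker, so a user who sees it in the log knows the cause and that a tmpfs-root image removes it.
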

Expand Down Expand Up @@ -160,6 +174,14 @@ WantedBy=multi-user.target
}, nil
}

func rootFileSystemType(p *BuildrootProvisioner) (string, error) {
fs, err := p.SSHCommand("df --output=fstype / | tail -n 1")
if err != nil {
return "", err
}
return strings.TrimSpace(fs), nil
}

// Package installs a package
func (p *BuildrootProvisioner) Package(name string, action pkgaction.PackageAction) error {
return nil
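
Review bot: `df --output=fstype / | tail -n 1` reports the exit status of `tail`, so if `df` fails or does not understand `--output` the function returns an empty string with a nil error, and the caller's `fstype == "rootfs"` comparison then switches no-pivot off without ever having learned the filesystem type. Return an error when the trimmed output is empty. The new function also has no doc comment, unlike `Package` directly below it.
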