Fix updating /sys/fs/cgroup mount to 'rw'

[smira]

There were two bugs: Mount was matched by Type which is actually
cgroup, not sysfs. And the second problem was that copy of the value
was modified, not value in the slice.

Signed-off-by: Andrey Smirnov smirnov.andrey@gmail.com

[tonistiigi]

This should be for both sysfs and cgroup. There are actaally functions already WithWriteableSysfs, WithWriteableCgroupfs that you can just call.

[tonistiigi]

Or actually, there is WithPrivileged that should do all of this. Can clean up some handling in here.

[tonistiigi]

Also, add checks for these in the existing security tests in client_test while you're at it.

[smira]

@tonistiigi I'm not really an expert in all of these low-level mounts, but looks like oci.With... options should be applied before we do oci.GenerateSpec, and the code here is doing more of changes after the fact. Was your point that I should move all these more into oci.With... options instead of hand-rolled changes to oci.Spec after oci.GenerateSpec is called?

[smira]

As it seems it's not 100% the same what can be done with oci.With... vs. what is there in executor/oci/spec_unix.go.

[GordonTheTurtle]

Please sign your commits following these rules:
https://github.com/moby/moby/blob/master/CONTRIBUTING.md#sign-your-work
The easiest way to do this is to amend the last commit:

$ git clone -b "sysfs-cgroup-rw-fix" git@github.com:smira/buildkit.git somewhere
$ cd somewhere
$ git rebase -i HEAD~842361581128
editor opens
change each 'pick' to 'edit'
save the file and quit
$ git commit --amend -s --no-edit
$ git rebase --continue # and repeat the amend for each commit
$ git push -f

Amending updates the existing PR. You DO NOT need to open a new one.

[smira]

Updated with helpers, but only for rw re-mounts.

[tonistiigi]

nit: maybe just skip the test in rootless as this isn't expected behavior but current limitations

[smira]

thanks, updated

[tiborvass]

I tried to get the test to fail without the fix, but did not succeed.

[smira]

@tiborvass fails for me:

        require.go:794: 
            	Error Trace:	client_test.go:520
            	            				run.go:172
            	Error:      	Received unexpected error:
            	            	rpc error: code = Unknown desc = failed to build LLB: executor failed running [mkdir /sys/fs/cgroup/cpuset/securitytest]: process returned non-zero exit code: 1
            	            	failed to solve
            	            	github.com/moby/buildkit/client.(*Client).solve.func2
            	            		/src/client/solve.go:203
            	            	golang.org/x/sync/errgroup.(*Group).Go.func1
            	            		/src/vendor/golang.org/x/sync/errgroup/errgroup.go:58
            	            	runtime.goexit
            	            		/usr/local/go/src/runtime/asm_amd64.s:1337
            	Test:       	TestClientIntegration/TestSecurityModeSysfs/worker=containerd-1.0/secmode=insecure

[tiborvass]

Yes, user error, my bad.