This prevents mounts in the plugins dir from leaking into other
namespaces, which can prevent removal (`device or resource busy`),
particularly on older kernels.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
... | ... |
@@ -105,6 +105,11 @@ func NewManager(config ManagerConfig) (*Manager, error) { |
105 | 105 |
if err := os.MkdirAll(manager.tmpDir(), 0700); err != nil { |
106 | 106 |
return nil, errors.Wrapf(err, "failed to mkdir %v", manager.tmpDir()) |
107 | 107 |
} |
108 |
+ |
|
109 |
+ if err := setupRoot(manager.config.Root); err != nil { |
|
110 |
+ return nil, err |
|
111 |
+ } |
|
112 |
+ |
|
108 | 113 |
var err error |
109 | 114 |
manager.containerdClient, err = config.Executor.Client(manager) // todo: move to another struct |
110 | 115 |
if err != nil { |
... | ... |
@@ -162,6 +162,13 @@ func shutdownPlugin(p *v2.Plugin, c *controller, containerdClient libcontainerd. |
162 | 162 |
} |
163 | 163 |
} |
164 | 164 |
|
165 |
+func setupRoot(root string) error { |
|
166 |
+ if err := mount.MakePrivate(root); err != nil { |
|
167 |
+ return errors.Wrap(err, "error setting plugin manager root to private") |
|
168 |
+ } |
|
169 |
+ return nil |
|
170 |
+} |
|
171 |
+ |
|
165 | 172 |
func (pm *Manager) disable(p *v2.Plugin, c *controller) error { |
166 | 173 |
if !p.IsEnabled() { |
167 | 174 |
return fmt.Errorf("plugin %s is already disabled", p.Name()) |
... | ... |
@@ -190,6 +197,7 @@ func (pm *Manager) Shutdown() { |
190 | 190 |
shutdownPlugin(p, c, pm.containerdClient) |
191 | 191 |
} |
192 | 192 |
} |
193 |
+ mount.Unmount(pm.config.Root) |
|
193 | 194 |
} |
194 | 195 |
|
195 | 196 |
func (pm *Manager) upgradePlugin(p *v2.Plugin, configDigest digest.Digest, blobsums []digest.Digest, tmpRootFSDir string, privileges *types.PluginPrivileges) (err error) { |