This prevents mounts in the plugins dir from leaking into other
namespaces, which can prevent removal (`device or resource busy`),
particularly on older kernels.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
| ... | ... |
@@ -105,6 +105,11 @@ func NewManager(config ManagerConfig) (*Manager, error) {
|
| 105 | 105 |
if err := os.MkdirAll(manager.tmpDir(), 0700); err != nil {
|
| 106 | 106 |
return nil, errors.Wrapf(err, "failed to mkdir %v", manager.tmpDir()) |
| 107 | 107 |
} |
| 108 |
+ |
|
| 109 |
+ if err := setupRoot(manager.config.Root); err != nil {
|
|
| 110 |
+ return nil, err |
|
| 111 |
+ } |
|
| 112 |
+ |
|
| 108 | 113 |
var err error |
| 109 | 114 |
manager.containerdClient, err = config.Executor.Client(manager) // todo: move to another struct |
| 110 | 115 |
if err != nil {
|
| ... | ... |
@@ -162,6 +162,13 @@ func shutdownPlugin(p *v2.Plugin, c *controller, containerdClient libcontainerd. |
| 162 | 162 |
} |
| 163 | 163 |
} |
| 164 | 164 |
|
| 165 |
+func setupRoot(root string) error {
|
|
| 166 |
+ if err := mount.MakePrivate(root); err != nil {
|
|
| 167 |
+ return errors.Wrap(err, "error setting plugin manager root to private") |
|
| 168 |
+ } |
|
| 169 |
+ return nil |
|
| 170 |
+} |
|
| 171 |
+ |
|
| 165 | 172 |
func (pm *Manager) disable(p *v2.Plugin, c *controller) error {
|
| 166 | 173 |
if !p.IsEnabled() {
|
| 167 | 174 |
return fmt.Errorf("plugin %s is already disabled", p.Name())
|
| ... | ... |
@@ -190,6 +197,7 @@ func (pm *Manager) Shutdown() {
|
| 190 | 190 |
shutdownPlugin(p, c, pm.containerdClient) |
| 191 | 191 |
} |
| 192 | 192 |
} |
| 193 |
+ mount.Unmount(pm.config.Root) |
|
| 193 | 194 |
} |
| 194 | 195 |
|
| 195 | 196 |
func (pm *Manager) upgradePlugin(p *v2.Plugin, configDigest digest.Digest, blobsums []digest.Digest, tmpRootFSDir string, privileges *types.PluginPrivileges) (err error) {
|