runsc: Fix readonly filesystem causing failure to create containers.

For readonly filesystems specified via relative path, we were forgetting to mount relative to the container's bundle directory. PiperOrigin-RevId: 210483388 Change-Id: I84809fce4b1f2056d0e225547cb611add5f74177
author: Kevin Krakauer <krakauer@google.com> 2018-08-27 20:33:38 -0700
committer: Shentubot <shentubot@google.com> 2018-08-27 20:34:27 -0700
commit: a4529c1b5b485f6283367bfdc0e4228bbbd3e51f (patch)
tree: a8cdb2aec381e2ae0dda1f5dfbf6788147feb7b2 /runsc/container
parent: f0492d45aa31e32f8a04b13b7bf53e0161e1afb6 (diff)
2 files changed, 13 insertions, 9 deletions
diff --git a/runsc/container/BUILD b/runsc/container/BUILD
index cba418d0c..b86974d41 100644
--- a/runsc/container/BUILD
+++ b/runsc/container/BUILD
@@ -29,7 +29,6 @@ go_library(
         "//runsc/specutils",
         "@com_github_cenkalti_backoff//:go_default_library",
         "@com_github_opencontainers_runtime-spec//specs-go:go_default_library",
-        "@org_golang_x_sys//unix:go_default_library",
     ],
 )
 
diff --git a/runsc/container/fs.go b/runsc/container/fs.go
index 652f81bbf..c12f5c331 100644
--- a/runsc/container/fs.go
+++ b/runsc/container/fs.go
@@ -22,7 +22,6 @@ import (
 	"syscall"
 
 	specs "github.com/opencontainers/runtime-spec/specs-go"
-	"golang.org/x/sys/unix"
 	"gvisor.googlesource.com/gvisor/pkg/log"
 	"gvisor.googlesource.com/gvisor/runsc/boot"
 	"gvisor.googlesource.com/gvisor/runsc/specutils"
@@ -84,29 +83,29 @@ func setupFS(spec *specs.Spec, conf *boot.Config, bundleDir string) error {
 		}
 		srcfi, err := os.Stat(src)
 		if err != nil {
-			return err
+			return fmt.Errorf("failed to stat() mount source: %v", err)
 		}
 
 		// It's possible that 'm.Destination' follows symlinks inside the
 		// container.
 		dst, err := resolveSymlinks(spec.Root.Path, m.Destination)
 		if err != nil {
-			return err
+			return fmt.Errorf("failed to resolve symlinks: %v", err)
 		}
 
 		// Create mount point if it doesn't exits
 		if _, err := os.Stat(dst); os.IsNotExist(err) {
 			if srcfi.IsDir() {
 				if err := os.MkdirAll(dst, 0755); err != nil {
-					return err
+					return fmt.Errorf("failed to make mount directory %q: %v", dst, err)
 				}
 			} else {
 				if err := os.MkdirAll(filepath.Dir(dst), 0755); err != nil {
-					return err
+					return fmt.Errorf("failed to make mount directory for file %q: %v", filepath.Dir(dst), err)
 				}
 				f, err := os.OpenFile(dst, os.O_CREATE, 0755)
 				if err != nil {
-					return err
+					return fmt.Errorf("failed to open mount file %q: %v", dst, err)
 				}
 				f.Close()
 			}
@@ -116,7 +115,7 @@ func setupFS(spec *specs.Spec, conf *boot.Config, bundleDir string) error {
 		flags |= syscall.MS_BIND
 		log.Infof("Mounting src: %q, dst: %q, flags: %#x", src, dst, flags)
 		if err := syscall.Mount(src, dst, m.Type, uintptr(flags), ""); err != nil {
-			return err
+			return fmt.Errorf("failed to mount src: %q, dst: %q, flags: %#x, err: %v", src, dst, flags, err)
 		}
 	}
 
@@ -124,7 +123,13 @@ func setupFS(spec *specs.Spec, conf *boot.Config, bundleDir string) error {
 	if spec.Root.Readonly {
 		log.Infof("Remounting root as readonly: %q", spec.Root.Path)
 		flags := uintptr(syscall.MS_BIND | syscall.MS_REMOUNT | syscall.MS_RDONLY | syscall.MS_REC)
-		return unix.Mount(spec.Root.Path, spec.Root.Path, "bind", flags, "")
+		src := spec.Root.Path
+		if !filepath.IsAbs(src) {
+			src = filepath.Join(bundleDir, src)
+		}
+		if err := syscall.Mount(src, src, "bind", flags, ""); err != nil {
+			return fmt.Errorf("failed to remount root as readonly with source: %q, target: %q, flags: %#x, err: %v", spec.Root.Path, spec.Root.Path, flags, err)
+		}
 	}
 	return nil
 }
author	Kevin Krakauer <krakauer@google.com>	2018-08-27 20:33:38 -0700
committer	Shentubot <shentubot@google.com>	2018-08-27 20:34:27 -0700
commit	a4529c1b5b485f6283367bfdc0e4228bbbd3e51f (patch)
tree	a8cdb2aec381e2ae0dda1f5dfbf6788147feb7b2 /runsc/container
parent	f0492d45aa31e32f8a04b13b7bf53e0161e1afb6 (diff)