Merge pull request #130 from LK4D4/cgroups_mount_fix

Cgroups mount fix

libcontainer/cgroups/utils.go

@@ -59,6 +59,7 @@ func FindCgroupMountpointDir() (string, error) {
 
 type Mount struct {
 	Mountpoint string
+	Root       string
 	Subsystems []string
 }
 
@@ -89,7 +90,7 @@ func GetCgroupMounts() ([]Mount, error) {
 	res := []Mount{}
 	for _, mount := range mounts {
 		if mount.Fstype == "cgroup" {
-			m := Mount{Mountpoint: mount.Mountpoint}
+			m := Mount{Mountpoint: mount.Mountpoint, Root: mount.Root}
 
 			for _, opt := range strings.Split(mount.VfsOpts, ",") {
 				if strings.HasPrefix(opt, cgroupNamePrefix) {

libcontainer/integration/exec_test.go

@@ -819,3 +819,72 @@ func TestSeccompNoChown(t *testing.T) {
 		t.Fatalf("running chown should result in an EPERM but got %q", s)
 	}
 }
+
+func TestMountCgroupRO(t *testing.T) {
+	if testing.Short() {
+		return
+	}
+	rootfs, err := newRootfs()
+	ok(t, err)
+	defer remove(rootfs)
+	config := newTemplateConfig(rootfs)
+
+	config.Mounts = append(config.Mounts, &configs.Mount{
+		Destination: "/sys/fs/cgroup",
+		Device:      "cgroup",
+		Flags:       defaultMountFlags | syscall.MS_RDONLY,
+	})
+
+	buffers, exitCode, err := runContainer(config, "", "mount")
+	if err != nil {
+		t.Fatalf("%s: %s", buffers, err)
+	}
+	if exitCode != 0 {
+		t.Fatalf("exit code not 0. code %d stderr %q", exitCode, buffers.Stderr)
+	}
+	mountInfo := buffers.Stdout.String()
+	lines := strings.Split(mountInfo, "\n")
+	for _, l := range lines {
+		if !strings.HasPrefix(l, "cgroup") {
+			continue
+		}
+		if !strings.Contains(l, "ro,nosuid,nodev,noexec") {
+			t.Fatalf("Mode expected to contain 'ro,nosuid,nodev,noexec': %s", l)
+		}
+	}
+}
+
+func TestMountCgroupRW(t *testing.T) {
+	t.Skip("This test is screwed because of dind")
+	if testing.Short() {
+		return
+	}
+	rootfs, err := newRootfs()
+	ok(t, err)
+	defer remove(rootfs)
+	config := newTemplateConfig(rootfs)
+
+	config.Mounts = append(config.Mounts, &configs.Mount{
+		Destination: "/sys/fs/cgroup",
+		Device:      "cgroup",
+		Flags:       defaultMountFlags,
+	})
+
+	buffers, exitCode, err := runContainer(config, "", "mount")
+	if err != nil {
+		t.Fatalf("%s: %s", buffers, err)
+	}
+	if exitCode != 0 {
+		t.Fatalf("exit code not 0. code %d stderr %q", exitCode, buffers.Stderr)
+	}
+	mountInfo := buffers.Stdout.String()
+	lines := strings.Split(mountInfo, "\n")
+	for _, l := range lines {
+		if !strings.HasPrefix(l, "cgroup") {
+			continue
+		}
+		if !strings.Contains(l, "rw,nosuid,nodev,noexec") {
+			t.Fatalf("Mode expected to contain 'rw,nosuid,nodev,noexec': %s", l)
+		}
+	}
+}

libcontainer/rootfs_linux.go

@@ -180,18 +180,22 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string) error {
 			if err != nil {
 				return err
 			}
+			relDir, err := filepath.Rel(mm.Root, dir)
+			if err != nil {
+				return err
+			}
 			binds = append(binds, &configs.Mount{
 				Device:      "bind",
-				Source:      filepath.Join(mm.Mountpoint, dir),
+				Source:      filepath.Join(mm.Mountpoint, relDir),
 				Destination: filepath.Join(m.Destination, strings.Join(mm.Subsystems, ",")),
 				Flags:       syscall.MS_BIND | syscall.MS_REC | m.Flags,
 			})
 		}
 		tmpfs := &configs.Mount{
-			Device:      "tmpfs",
 			Source:      "tmpfs",
+			Device:      "tmpfs",
 			Destination: m.Destination,
-			Flags:       syscall.MS_NOEXEC | syscall.MS_NOSUID | syscall.MS_NODEV,
+			Flags:       defaultMountFlags,
 		}
 		if err := mountToRootfs(tmpfs, rootfs, mountLabel); err != nil {
 			return err