Adding link fifo handler

This fixes that fifo actually become visible to the jailer.

Signed-off-by: xibz <[email protected]>

Author: xibz

runtime/jailer.go

@@ -21,11 +21,12 @@ import (
 )
 
 const (
-	jailerFolder        = "jail"
-	firecrackerBinName  = "firecracker"
-	kernelImageFileName = "kernel-image"
-	jailerHandlerName   = "firecracker-containerd-jail-handler"
-	runcConfigPath      = "/etc/containerd/firecracker-runc-config.json"
+	jailerFolder          = "jail"
+	firecrackerBinName    = "firecracker"
+	kernelImageFileName   = "kernel-image"
+	jailerHandlerName     = "firecracker-containerd-jail-handler"
+	jailerFifoHandlerName = "firecracker-containerd-jail-fifo-handler"
+	runcConfigPath        = "/etc/containerd/firecracker-runc-config.json"
 
 	// JailingOn is used to signify whether or not jailing has been turned on
 	JailingOn = "on"
@@ -91,6 +92,13 @@ func (j jailer) RootPath() string {
 	return filepath.Join(j.jailPath, "rootfs")
 }
 
+func (j jailer) ContentsPath() string {
+	return filepath.Join(j.RootPath(), "var", "lib", "firecracker-containerd")
+}
+
+// BuildHandler will link the necessary files except for the fifos due to the
+// fifos needing to be created. Also, this will create the proper device nodes
+// needed by Firecracker
 func (j *jailer) BuildHandler(logger *logrus.Entry, cfg *Config, socketPath *string, vmID string) firecracker.Handler {
 	jailPath := j.JailPath()
 	rootPath := j.RootPath()
@@ -117,7 +125,7 @@ func (j *jailer) BuildHandler(logger *logrus.Entry, cfg *Config, socketPath *str
 				return errors.Wrapf(err, "failed to create device path: %v", devPath)
 			}
 
-			contentsPath := filepath.Join(rootPath, "var", "lib", "firecracker-containerd")
+			contentsPath := j.ContentsPath()
 			logger.Debugf("Creating firecracker contents path %v", contentsPath)
 			if err := os.MkdirAll(contentsPath, 0777); err != nil {
 				return errors.Wrapf(err, "failed to create contents path: %v", contentsPath)
@@ -181,6 +189,32 @@ func (j *jailer) BuildHandler(logger *logrus.Entry, cfg *Config, socketPath *str
 	}
 }
 
+// BuildLinkFifoHandler will return a new firecracker.Handler with the function
+// that will allow linking of the fifos making them visible to Firecracker.
+func (j jailer) BuildLinkFifoHandler() firecracker.Handler {
+	return firecracker.Handler{
+		Name: jailerFifoHandlerName,
+		Fn: func(ctx context.Context, m *firecracker.Machine) error {
+			contentsPath := j.ContentsPath()
+			fifoFileName := filepath.Base(m.Cfg.LogFifo)
+			newFifoPath := filepath.Join(contentsPath, fifoFileName)
+			if err := os.Link(m.Cfg.LogFifo, newFifoPath); err != nil {
+				return err
+			}
+			m.Cfg.LogFifo = newFifoPath
+
+			metricFifoFileName := filepath.Base(m.Cfg.MetricsFifo)
+			newMetricFifoPath := filepath.Join(contentsPath, metricFifoFileName)
+			if err := os.Link(m.Cfg.MetricsFifo, newMetricFifoPath); err != nil {
+				return err
+			}
+			m.Cfg.MetricsFifo = newMetricFifoPath
+
+			return nil
+		},
+	}
+}
+
 // createDevices will create a series of device nodes at the given path
 func createDevices(path string) error {
 	devices := []struct {

runtime/service.go

@@ -490,6 +490,7 @@ func (s *service) createVM(requestCtx context.Context, request *proto.CreateVMRe
 	}
 	if !s.config.DisableJailing {
 		handler := s.jailer.BuildHandler(s.logger, s.config, &s.machineConfig.SocketPath, s.vmID)
+		fifoHandler := s.jailer.BuildLinkFifoHandler()
 		client := firecracker.NewClient(s.machineConfig.SocketPath, s.logger, s.machineConfig.Debug)
 
 		opts = append(
@@ -498,6 +499,7 @@ func (s *service) createVM(requestCtx context.Context, request *proto.CreateVMRe
 			firecracker.WithClient(client),
 			func(m *firecracker.Machine) {
 				m.Handlers.FcInit = m.Handlers.FcInit.Prepend(handler)
+				m.Handlers.FcInit = m.Handlers.FcInit.AppendAfter(firecracker.CreateLogFilesHandlerName, fifoHandler)
 			},
 		)
 	}