Integrate drive mounts with jailer.

The primary change required is for the Jailer to support exposing regular files
to the jail in addition to the pre-existing support for block devices.

Signed-off-by: Erik Sipsma <[email protected]>

Author: sipsma

runtime/jailer.go

@@ -47,9 +47,10 @@ type jailer interface {
 	// firecracker.Opt to be passed into firecracker.NewMachine which will allow
 	// for the VM to be jailed.
 	BuildJailedMachine(cfg *Config, machineCfg *firecracker.Config, vmID string) ([]firecracker.Opt, error)
-	// ExposeDeviceToJail will expose the given device provided by the snapshotter
-	// to the jailed filesystem
-	ExposeDeviceToJail(path string) error
+	// ExposeFileToJail will expose the given file to the jailed filesystem, including
+	// regular files and block devices. An error is returned if provided a path to a file
+	// with type that is not supported.
+	ExposeFileToJail(path string) error
 	// JailPath is used to return the directory we are supposed to be working in.
 	JailPath() vm.Dir
 	// StubDrivesOptions will return a set of options used to create a new stub

runtime/noop_jailer.go

@@ -63,8 +63,8 @@ func (j noopJailer) JailPath() vm.Dir {
 	return j.shimDir
 }
 
-func (j noopJailer) ExposeDeviceToJail(path string) error {
-	j.logger.Debug("noop operation for ExposeDeviceToJail")
+func (j noopJailer) ExposeFileToJail(path string) error {
+	j.logger.Debug("noop operation for ExposeFileToJail")
 	return nil
 }
 

runtime/runc_jailer.go

@@ -253,33 +253,49 @@ func (j runcJailer) StubDrivesOptions() []stubDrivesOpt {
 	}
 }
 
-// ExposeDeviceToJail will inspect the given file, srcDevicePath, and based on the
+// ExposeFileToJail will inspect the given file, srcPath, and based on the
 // file type, proper handling will occur to ensure that the file is visible in
 // the jail. For block devices we will use mknod to create the device and then
-// set the correct permissions to ensure visibility in the jail.
-func (j runcJailer) ExposeDeviceToJail(srcDevicePath string) error {
+// set the correct permissions to ensure visibility in the jail. Regular files
+// will be copied into the jail.
+func (j runcJailer) ExposeFileToJail(srcPath string) error {
 	uid := j.uid
 	gid := j.gid
 
 	stat := syscall.Stat_t{}
-	if err := syscall.Stat(srcDevicePath, &stat); err != nil {
+	if err := syscall.Stat(srcPath, &stat); err != nil {
 		return err
 	}
 
 	// Checks file type using S_IFMT which is the bit mask for the file type.
-	// Here we only care about block devices, ie S_IFBLK.  If it is a block type
-	// we will manually call mknod and create that device.
-	if (stat.Mode & syscall.S_IFMT) == syscall.S_IFBLK {
-		path := filepath.Join(j.RootPath(), filepath.Dir(srcDevicePath))
-		if err := mkdirAllWithPermissions(path, 0700, uid, gid); err != nil {
+	switch stat.Mode & syscall.S_IFMT {
+	case syscall.S_IFBLK:
+		parentDir := filepath.Join(j.RootPath(), filepath.Dir(srcPath))
+		if err := mkdirAllWithPermissions(parentDir, 0700, uid, gid); err != nil {
 			return err
 		}
 
-		dst := filepath.Join(path, filepath.Base(srcDevicePath))
+		dst := filepath.Join(parentDir, filepath.Base(srcPath))
 		if err := exposeBlockDeviceToJail(dst, int(stat.Rdev), int(uid), int(gid)); err != nil {
 			return err
 		}
-	} else {
+
+	case syscall.S_IFREG:
+		parentDir := filepath.Join(j.RootPath(), filepath.Dir(srcPath))
+		if err := mkdirAllWithPermissions(parentDir, 0700, uid, gid); err != nil {
+			return err
+		}
+
+		dst := filepath.Join(parentDir, filepath.Base(srcPath))
+		if err := copyFile(srcPath, dst, os.FileMode(stat.Mode)); err != nil {
+			return err
+		}
+
+		if err := os.Chown(dst, int(uid), int(gid)); err != nil {
+			return err
+		}
+
+	default:
 		return fmt.Errorf("unsupported mode: %v", stat.Mode)
 	}
 

runtime/service.go

@@ -524,6 +524,11 @@ func (s *service) createVM(requestCtx context.Context, request *proto.CreateVMRe
 
 func (s *service) mountDrives(requestCtx context.Context, driveMounts []*proto.FirecrackerDriveMount) error {
 	for _, driveMount := range driveMounts {
+		err := s.jailer.ExposeFileToJail(driveMount.HostPath)
+		if err != nil {
+			return errors.Wrapf(err, "failed to expose drive mount host path to jail %s", driveMount.HostPath)
+		}
+
 		driveID, err := s.stubDriveHandler.PatchStubDrive(requestCtx, s.machine, driveMount.HostPath)
 		if err != nil {
 			return errors.Wrapf(err, "failed to patch drive mount stub")
@@ -768,7 +773,7 @@ func (s *service) Create(requestCtx context.Context, request *taskAPI.CreateTask
 	}
 
 	for _, mnt := range request.Rootfs {
-		if err := s.jailer.ExposeDeviceToJail(mnt.Source); err != nil {
+		if err := s.jailer.ExposeFileToJail(mnt.Source); err != nil {
 			return nil, errors.Wrapf(err, "failed to expose mount to jail %v", mnt.Source)
 		}
 

runtime/service_integ_test.go

@@ -833,7 +833,9 @@ func TestCreateTooManyContainers_Isolated(t *testing.T) {
 }
 
 func TestDriveMount_Isolated(t *testing.T) {
-	prepareIntegTest(t)
+	prepareIntegTest(t, func(cfg *Config) {
+		cfg.JailerConfig.RuncBinaryPath = "/usr/local/bin/runc"
+	})
 
 	testTimeout := 120 * time.Second
 	ctx, cancel := context.WithTimeout(namespaces.WithNamespace(context.Background(), defaultNamespace), testTimeout)
@@ -845,7 +847,7 @@ func TestDriveMount_Isolated(t *testing.T) {
 	fcClient, err := fcClient.New(containerdSockPath + ".ttrpc")
 	require.NoError(t, err, "failed to create fccontrol client")
 
-	image, err := alpineImage(ctx, ctrdClient, naiveSnapshotterName)
+	image, err := alpineImage(ctx, ctrdClient, defaultSnapshotterName())
 	require.NoError(t, err, "failed to get alpine image")
 
 	vmID := "test-drive-mount"
@@ -903,8 +905,9 @@ func TestDriveMount_Isolated(t *testing.T) {
 	}
 
 	_, err = fcClient.CreateVM(ctx, &proto.CreateVMRequest{
-		VMID:        vmID,
-		DriveMounts: vmDriveMounts,
+		VMID:         vmID,
+		DriveMounts:  vmDriveMounts,
+		JailerConfig: &proto.JailerConfig{},
 	})
 	require.NoError(t, err, "failed to create vm")
 
@@ -913,7 +916,7 @@ func TestDriveMount_Isolated(t *testing.T) {
 
 	newContainer, err := ctrdClient.NewContainer(ctx,
 		containerName,
-		containerd.WithSnapshotter(naiveSnapshotterName),
+		containerd.WithSnapshotter(defaultSnapshotterName()),
 		containerd.WithNewSnapshot(snapshotName, image),
 		containerd.WithNewSpec(
 			oci.WithProcessArgs("/bin/sh", "-c", strings.Join(append(ctrCatCommands,