[ws-daemon] Support proc mounts using open_tree/move_mount

Author: Christian Weichel

components/docker-up/runc-facade/main.go

@@ -35,62 +35,25 @@ func main() {
 		log.WithError(err).Fatal("runc not found")
 	}
 
-	var runcDirect bool
+	var useFacade bool
 	for _, arg := range os.Args {
-		if arg == "-v" || arg == "--version" {
-			runcDirect = true
+		if arg == "create" {
+			useFacade = true
 			break
 		}
 	}
-	if runcDirect {
-		err = syscall.Exec(runcPath, os.Args, os.Environ())
-		if err != nil {
-			panic(err)
-		}
-	}
 
-	switch os.Args[0] {
-	case cmdMountProc:
-		err = mountProc()
-	case cmdUnmountProc:
-		err = unmountProc()
-	default:
-		err = runc(runcPath)
+	if useFacade {
+		err = createAndRunc(runcPath)
+	} else {
+		err = syscall.Exec(runcPath, os.Args, os.Environ())
 	}
 	if err != nil {
 		log.WithError(err).Fatal("failed")
 	}
 }
 
-func mountProc() error {
-	wd, err := os.Getwd()
-	if err != nil {
-		return err
-	}
-
-	err = ioutil.WriteFile("/tmp/runc-facade-mount", []byte(wd+"\n"+fmt.Sprint(os.Args)), 0644)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func unmountProc() error {
-	wd, err := os.Getwd()
-	if err != nil {
-		return err
-	}
-
-	err = ioutil.WriteFile("/tmp/runc-facade-unmount", []byte(wd), 0644)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func runc(runcPath string) error {
+func createAndRunc(runcPath string) error {
 	fc, err := ioutil.ReadFile("config.json")
 	if err != nil {
 		return fmt.Errorf("cannot read config.json: %w", err)

components/workspacekit/BUILD.yaml

@@ -20,4 +20,18 @@ packages:
       config:
         commands:
           - ["sh", "-c", "curl -L https://github.com/seccomp/libseccomp/releases/download/v2.5.1/libseccomp-2.5.1.tar.gz | tar xz"]
-          - ["sh", "-c", "cd libseccomp-2.5.1 && ./configure --prefix=$PWD/../lib && make && make install"]
+          - ["sh", "-c", "cd libseccomp-2.5.1 && ./configure --prefix=$PWD/../lib && make && make install"]
+    - name: lib
+      type: go
+      srcs:
+        - go.mod
+        - go.sum
+        - "pkg/**/*.go"
+        - "pkg/**/*.c"
+      deps:
+        - components/common-go:lib
+        - components/ws-daemon-api/go:lib
+        - components/content-service-api/go:lib
+      config:
+        packaging: library
+        dontTest: true

components/workspacekit/cmd/handler-mount.go

@@ -218,7 +218,7 @@ var ring1Cmd = &cobra.Command{
 		unix.Prctl(unix.PR_SET_PDEATHSIG, uintptr(unix.SIGKILL), 0, 0, 0)
 		runtime.UnlockOSThread()
 
-		tmpdir, err := ioutil.TempDir("", "supervisor")
+		ring2Root, err := ioutil.TempDir("", "supervisor")
 		if err != nil {
 			log.WithError(err).Fatal("cannot create tempdir")
 		}
@@ -243,7 +243,7 @@ var ring1Cmd = &cobra.Command{
 			{Target: "/tmp", Source: "tmpfs", FSType: "tmpfs"},
 		}
 		for _, m := range mnts {
-			dst := filepath.Join(tmpdir, m.Target)
+			dst := filepath.Join(ring2Root, m.Target)
 			_ = os.MkdirAll(dst, 0644)
 
 			if m.Source == "" {
@@ -281,7 +281,7 @@ var ring1Cmd = &cobra.Command{
 			Pdeathsig:  syscall.SIGKILL,
 			Cloneflags: syscall.CLONE_NEWNS | syscall.CLONE_NEWPID,
 		}
-		cmd.Dir = tmpdir
+		cmd.Dir = ring2Root
 		cmd.Stdin = os.Stdin
 		cmd.Stdout = os.Stdout
 		cmd.Stderr = os.Stderr
@@ -294,31 +294,28 @@ var ring1Cmd = &cobra.Command{
 		sigc := sigproxy.ForwardAllSignals(context.Background(), cmd.Process.Pid)
 		defer sigproxysignal.StopCatch(sigc)
 
-		procLoc := filepath.Join(tmpdir, "proc")
+		procLoc := filepath.Join(ring2Root, "proc")
 		err = os.MkdirAll(procLoc, 0755)
 		if err != nil {
 			log.WithError(err).Error("cannot mount proc")
 			failed = true
 			return
 		}
-		resp, err := client.MountProc(ctx, &daemonapi.MountProcRequest{
-			Pid: int64(cmd.Process.Pid),
+		_, err = client.MountProc(ctx, &daemonapi.MountProcRequest{
+			Target: procLoc,
+			Pid:    int64(cmd.Process.Pid),
 		})
 		if err != nil {
 			log.WithError(err).Error("cannot mount proc")
 			failed = true
 			return
 		}
 
-		// TODO(cw): this mount doesn't work because we need to be in the ring2 mount namespace.
-		// Use nsenter/mount handler to do this.
-		err = unix.Mount(resp.Location, procLoc, "", unix.MS_MOVE, "")
-		if err != nil {
-			log.WithError(err).WithFields(map[string]interface{}{"loc": resp.Location, "dest": procLoc}).Error("cannot move proc mount")
-			failed = true
-			return
-		}
-
+		// We have to wait for ring2 to come back to us and connect to the socket we've passed along.
+		// There's a chance that ring2 crashes or misbehaves, so we don't want to wait forever, hence
+		// the someone complicated "accept" logic below.
+		// If there's a deadline that can be set somewhere that we've missed, we should be using that
+		// one instead.
 		incoming := make(chan net.Conn, 1)
 		errc := make(chan error, 1)
 		go func() {
@@ -364,7 +361,7 @@ var ring1Cmd = &cobra.Command{
 		log.Info("signaling to child process")
 		_, err = msgutil.MarshalToWriter(ring2Conn, ringSyncMsg{
 			Stage:  1,
-			Rootfs: tmpdir,
+			Rootfs: ring2Root,
 		})
 		if err != nil {
 			log.WithError(err).Error("cannot send ring sync msg to ring2")
@@ -383,7 +380,15 @@ var ring1Cmd = &cobra.Command{
 		if scmpfd == 0 {
 			log.Warn("received 0 as ring2 seccomp fd - syscall handling is broken")
 		} else {
-			stp, errchan := seccomp.Handle(scmpfd, cmd.Process.Pid, client)
+			handler := &seccomp.InWorkspaceHandler{
+				FD:          scmpfd,
+				Daemon:      client,
+				Ring2PID:    cmd.Process.Pid,
+				Ring2Rootfs: ring2Root,
+				BindEvents:  make(chan seccomp.BindEvent),
+			}
+
+			stp, errchan := seccomp.Handle(scmpfd, handler)
 			defer close(stp)
 			go func() {
 				t := time.NewTicker(10 * time.Millisecond)
@@ -505,14 +510,18 @@ var ring2Cmd = &cobra.Command{
 		// our seccomp filter, and tell our parent about it.
 		scmpFd, err := seccomp.LoadFilter()
 		if err != nil {
-			log.WithError(err).Warn("cannot load seccomp filter - syscall handling will be broken")
+			log.WithError(err).Error("cannot load seccomp filter - syscall handling would be broken")
+			failed = true
+			return
 		}
 		connf, err := conn.File()
 		if err != nil {
 			log.WithError(err).Error("cannot get parent socket fd")
 			failed = true
 			return
 		}
+		defer connf.Close()
+
 		sktfd := int(connf.Fd())
 		err = unix.Sendmsg(sktfd, nil, unix.UnixRights(int(scmpFd)), nil, 0)
 		connf.Close()
@@ -534,6 +543,7 @@ var ring2Cmd = &cobra.Command{
 			failed = true
 			return
 		}
+
 		err = unix.Exec(ring2Opts.SupervisorPath, []string{"supervisor", "run", "--inns"}, os.Environ())
 		if err != nil {
 			log.WithError(err).WithField("cmd", ring2Opts.SupervisorPath).Error("cannot exec")

components/workspacekit/cmd/handler.go

@@ -7,6 +7,7 @@ replace github.com/seccomp/libseccomp-golang => github.com/kinvolk/libseccomp-go
 require (
 	github.com/gitpod-io/gitpod/common-go v0.0.0-00010101000000-000000000000
 	github.com/gitpod-io/gitpod/ws-daemon/api v0.0.0-00010101000000-000000000000
+	github.com/moby/sys/mountinfo v0.4.0
 	github.com/rootless-containers/rootlesskit v0.11.1
 	github.com/seccomp/libseccomp-golang v0.9.1
 	github.com/spf13/cobra v1.1.1

components/workspacekit/cmd/rings.go

@@ -79,7 +79,10 @@ github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1m
 github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
+github.com/fatih/camelcase v1.0.0/go.mod h1:yN2Sb0lFhZJUdVvtELVWefmrXpuZESvPmqwoZc+/fpc=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
+github.com/fatih/gomodifytags v1.13.0/go.mod h1:TbUyEjH1Zo0GkJd2Q52oVYqYcJ0eGNqG8bsiOb75P9c=
+github.com/fatih/structtag v1.2.0/go.mod h1:mBJUNpUnHmRKrKlQQlmCrh5PuhftFbNv8Ys4/aAZl94=
 github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
@@ -226,6 +229,7 @@ github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS4
 github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY=
 github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
+github.com/moby/sys/mountinfo v0.4.0 h1:1KInV3Huv18akCu58V7lzNlt+jFmqlu1EaErnEHE/VM=
 github.com/moby/sys/mountinfo v0.4.0/go.mod h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2JI+6q0qou+A=
 github.com/moby/vpnkit v0.4.0/go.mod h1:KyjUrL9cb6ZSNNAUwZfqRjhwwgJ3BJN+kXh0t43WTUQ=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -451,6 +455,7 @@ golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxb
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20180824175216-6c1c5e93cdc1/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=

components/workspacekit/go.mod

@@ -6,7 +6,6 @@ package main
 
 import (
 	"github.com/gitpod-io/gitpod/workspacekit/cmd"
-	_ "github.com/gitpod-io/gitpod/workspacekit/pkg/nsenter"
 )
 
 func main() {