PR feedback
Signed-off-by: Maksim An <maksiman@microsoft.com>
anmaxvl committed Feb 17, 2022
1 parent ed606f5 commit a5d40c5
Showing 13 changed files with 41 additions and 52 deletions.
3 changes: 1 addition & 2 deletions cmd/hooks/wait-paths/main.go
Expand Up @@ -38,8 +38,7 @@ func main() {
}
app.Action = run
if err := app.Run(os.Args); err != nil {
logrus.Errorf("%s", err)
os.Exit(1)
logrus.Fatalf("%s\n", err)
}
os.Exit(0)
}
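Review bot: The trailing `\n` in the new `logrus.Fatalf("%s\n", err)` is redundant: logrus's formatters terminate each entry with a newline themselves, so this prints a blank line after the error; `logrus.Fatalf("%s", err)` keeps the output the same as the replaced Errorf call. Fatalf calls os.Exit(1) after logging, so the process exit status matches the removed explicit os.Exit(1). main's body begins before this hunk.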
2 changes: 1 addition & 1 deletion internal/devices/drivers.go
Expand Up @@ -46,7 +46,7 @@ func InstallKernelDriver(ctx context.Context, vm *uvm.UtilityVM, driver string)
}
return closer, execPnPInstallDriver(ctx, vm, uvmPath)
}
uvmPathForShare := fmt.Sprintf(guestpath.LCOWGlobalMountPrefix, vm.UVMMountCounter())
uvmPathForShare := fmt.Sprintf(guestpath.LCOWGlobalMountPrefixFmt, vm.UVMMountCounter())
scsiCloser, err := vm.AddSCSI(ctx, driver, uvmPathForShare, true, false, []string{}, uvm.VMAccessTypeIndividual)
if err != nil {
return closer, fmt.Errorf("failed to add SCSI disk to utility VM for path %+v: %s", driver, err)
12 changes: 6 additions & 6 deletions internal/guestpath/paths.go
Expand Up @@ -12,13 +12,13 @@ const (
SandboxMountPrefix = "sandbox://"
// HugePagesMountPrefix is mount prefix used in container spec to mark a huge-pages mount
HugePagesMountPrefix = "hugepages://"
// LCOWMountPathPrefix is the path format in the LCOW UVM where non global mounts, such
// LCOWMountPathPrefixFmt is the path format in the LCOW UVM where non global mounts, such
// as Plan9 mounts are added
LCOWMountPathPrefix = "/mounts/m%d"
// LCOWGlobalMountPrefix is the path format in the LCOW UVM where global mounts are added
LCOWGlobalMountPrefix = "/run/mounts/m%d"
// WCOWGlobalMountPrefix is the path prefix format in the WCOW UVM where mounts are added
WCOWGlobalMountPrefix = "C:\\mounts\\m%d"
LCOWMountPathPrefixFmt = "/mounts/m%d"
// LCOWGlobalMountPrefixFmt is the path format in the LCOW UVM where global mounts are added
LCOWGlobalMountPrefixFmt = "/run/mounts/m%d"
// WCOWGlobalMountPrefixFmt is the path prefix format in the WCOW UVM where mounts are added
WCOWGlobalMountPrefixFmt = "C:\\mounts\\m%d"
// RootfsPath is part of the container's rootfs path
RootfsPath = "rootfs"
)
6 changes: 3 additions & 3 deletions internal/hcsoci/resources_lcow.go
Expand Up @@ -67,7 +67,7 @@ func allocateLinuxResources(ctx context.Context, coi *createOptionsInternal, r *

if coi.HostingSystem != nil {
hostPath := mount.Source
uvmPathForShare := path.Join(containerRootInUVM, fmt.Sprintf(guestpath.LCOWMountPathPrefix, i))
uvmPathForShare := path.Join(containerRootInUVM, fmt.Sprintf(guestpath.LCOWMountPathPrefixFmt, i))
uvmPathForFile := uvmPathForShare

readOnly := false
Expand All @@ -81,7 +81,7 @@ func allocateLinuxResources(ctx context.Context, coi *createOptionsInternal, r *
l := log.G(ctx).WithField("mount", fmt.Sprintf("%+v", mount))
if mount.Type == "physical-disk" {
l.Debug("hcsshim::allocateLinuxResources Hot-adding SCSI physical disk for OCI mount")
uvmPathForShare = fmt.Sprintf(guestpath.LCOWGlobalMountPrefix, coi.HostingSystem.UVMMountCounter())
uvmPathForShare = fmt.Sprintf(guestpath.LCOWGlobalMountPrefixFmt, coi.HostingSystem.UVMMountCounter())
scsiMount, err := coi.HostingSystem.AddSCSIPhysicalDisk(ctx, hostPath, uvmPathForShare, readOnly, mount.Options)
if err != nil {
return errors.Wrapf(err, "adding SCSI physical disk mount %+v", mount)
Expand All @@ -92,7 +92,7 @@ func allocateLinuxResources(ctx context.Context, coi *createOptionsInternal, r *
coi.Spec.Mounts[i].Type = "none"
} else if mount.Type == "virtual-disk" {
l.Debug("hcsshim::allocateLinuxResources Hot-adding SCSI virtual disk for OCI mount")
uvmPathForShare = fmt.Sprintf(guestpath.LCOWGlobalMountPrefix, coi.HostingSystem.UVMMountCounter())
uvmPathForShare = fmt.Sprintf(guestpath.LCOWGlobalMountPrefixFmt, coi.HostingSystem.UVMMountCounter())

// if the scsi device is already attached then we take the uvm path that the function below returns
// that is where it was previously mounted in UVM
2 changes: 1 addition & 1 deletion internal/hcsoci/resources_wcow.go
Expand Up @@ -142,7 +142,7 @@ func setupMounts(ctx context.Context, coi *createOptionsInternal, r *resources.R
}

if coi.HostingSystem != nil && schemaversion.IsV21(coi.actualSchemaVersion) {
uvmPath := fmt.Sprintf(guestpath.WCOWGlobalMountPrefix, coi.HostingSystem.UVMMountCounter())
uvmPath := fmt.Sprintf(guestpath.WCOWGlobalMountPrefixFmt, coi.HostingSystem.UVMMountCounter())
readOnly := false
for _, o := range mount.Options {
if strings.ToLower(o) == "ro" {
2 changes: 1 addition & 1 deletion internal/layers/layers.go
Expand Up @@ -291,7 +291,7 @@ func addLCOWLayer(ctx context.Context, vm *uvm.UtilityVM, layerPath string) (uvm
}

options := []string{"ro"}
uvmPath = fmt.Sprintf(guestpath.LCOWGlobalMountPrefix, vm.UVMMountCounter())
uvmPath = fmt.Sprintf(guestpath.LCOWGlobalMountPrefixFmt, vm.UVMMountCounter())
sm, err := vm.AddSCSI(ctx, layerPath, uvmPath, true, false, options, uvm.VMAccessTypeNoop)
if err != nil {
return "", fmt.Errorf("failed to add SCSI layer: %s", err)
21 changes: 8 additions & 13 deletions pkg/securitypolicy/securitypolicyenforcer.go
Expand Up @@ -6,16 +6,16 @@ import (
"os"
"path/filepath"
"regexp"
"runtime"
"strconv"
"strings"
"sync"

"github.com/google/go-cmp/cmp"
oci "github.com/opencontainers/runtime-spec/specs-go"

"github.com/Microsoft/hcsshim/internal/guestpath"
"github.com/Microsoft/hcsshim/internal/hooks"
"github.com/Microsoft/hcsshim/pkg/annotations"
"github.com/google/go-cmp/cmp"
oci "github.com/opencontainers/runtime-spec/specs-go"
)

type SecurityPolicyEnforcer interface {
Expand Down Expand Up @@ -470,15 +470,10 @@ func possibleIndexesForID(containerID string, mapping map[int]map[string]struct{
return possibles
}

func getContainerRootInUVM(id string) string {
switch runtime.GOOS {
case "windows":
return filepath.Join(guestpath.WCOWRootPrefixInUVM, id)
default:
return filepath.Join(guestpath.LCOWRootPrefixInUVM, id)
}
}

// EnforceExpectedMountsPolicy for StandardSecurityPolicyEnforcer injects a
// hooks.CreateRuntime hook into container spec and the hook ensures that
// the expected mounts appear prior container start. At the moment enforcement
// is expected to take place inside LCOW UVM.
func (pe *StandardSecurityPolicyEnforcer) EnforceExpectedMountsPolicy(containerID string, spec *oci.Spec) error {
pe.mutex.Lock()
defer pe.mutex.Unlock()
Expand Down Expand Up @@ -517,7 +512,7 @@ func (pe *StandardSecurityPolicyEnforcer) EnforceExpectedMountsPolicy(containerI
wp := ""
if strings.HasPrefix(mount, guestpath.SandboxMountPrefix) {
sandboxPath := strings.TrimPrefix(mount, guestpath.SandboxMountPrefix)
wp = filepath.Join(getContainerRootInUVM(sandboxID), "sandboxMounts", sandboxPath)
wp = filepath.Join(guestpath.LCOWRootPrefixInUVM, "sandboxMounts", sandboxPath)
} else {
// Find the corresponding sandbox mount and resolve the path inside UVM.
for _, m := range spec.Mounts {
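Review bot: In the last hunk `wp` is now built from the fixed `guestpath.LCOWRootPrefixInUVM`, so it is by construction a Linux guest path, yet it is still assembled with `filepath.Join`, which on a Windows build (the removed runtime.GOOS switch suggests this package is compiled there too) yields a backslash-separated path. `path.Join` states the intent and is host-independent: `wp = path.Join(guestpath.LCOWRootPrefixInUVM, "sandboxMounts", sandboxPath)`, with `"path"` added to the import block this commit already rearranges. Separately, Join cleans the result, so a `sandboxPath` containing `..` elements resolves outside `sandboxMounts`; if `mount` can originate from a container spec rather than the policy, such values should be rejected before this point — where `mount` comes from is not visible in the hunk. EnforceExpectedMountsPolicy begins and ends outside this hunk.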

