diff --git a/cmd/hooks/wait-paths/main.go b/cmd/hooks/wait-paths/main.go
index 228dd69fdf..70d4ff9e36 100644
--- a/cmd/hooks/wait-paths/main.go
+++ b/cmd/hooks/wait-paths/main.go
@@ -38,8 +38,7 @@ func main() {
 }
 app.Action = run
 if err := app.Run(os.Args); err != nil {
- logrus.Errorf("%s", err)
- os.Exit(1)
+ logrus.Fatalf("%s\n", err)
 }
 os.Exit(0)
 }
diff --git a/internal/devices/drivers.go b/internal/devices/drivers.go
index 008e1c739c..0dae33c963 100644
--- a/internal/devices/drivers.go
+++ b/internal/devices/drivers.go
@@ -46,7 +46,7 @@ func InstallKernelDriver(ctx context.Context, vm *uvm.UtilityVM, driver string)
 }
 return closer, execPnPInstallDriver(ctx, vm, uvmPath)
 }
- uvmPathForShare := fmt.Sprintf(guestpath.LCOWGlobalMountPrefix, vm.UVMMountCounter())
+ uvmPathForShare := fmt.Sprintf(guestpath.LCOWGlobalMountPrefixFmt, vm.UVMMountCounter())
 scsiCloser, err := vm.AddSCSI(ctx, driver, uvmPathForShare, true, false, []string{}, uvm.VMAccessTypeIndividual)
 if err != nil {
 return closer, fmt.Errorf("failed to add SCSI disk to utility VM for path %+v: %s", driver, err)
diff --git a/internal/guestpath/paths.go b/internal/guestpath/paths.go
index a40e03985b..62bbfeb636 100644
--- a/internal/guestpath/paths.go
+++ b/internal/guestpath/paths.go
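Review bot: `logrus.Fatalf("%s\n", err)` appends a newline to the message that the removed `Errorf("%s", err)` did not; logrus terminates each entry itself, so depending on the configured formatter the extra `\n` is either trimmed or shows up escaped inside the quoted `msg` field. `logrus.Fatal(err)` keeps the logged text identical to the old output and still exits with status 1, matching the removed `os.Exit(1)`. As before, deferred functions in main do not run on this path, since Fatalf calls os.Exit directly. The enclosing main() starts outside the hunk.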
@@ -12,13 +12,13 @@ const (
 SandboxMountPrefix = "sandbox://"
 // HugePagesMountPrefix is mount prefix used in container spec to mark a huge-pages mount
 HugePagesMountPrefix = "hugepages://"
- // LCOWMountPathPrefix is the path format in the LCOW UVM where non global mounts, such
+ // LCOWMountPathPrefixFmt is the path format in the LCOW UVM where non global mounts, such
 // as Plan9 mounts are added
- LCOWMountPathPrefix = "/mounts/m%d"
- // LCOWGlobalMountPrefix is the path format in the LCOW UVM where global mounts are added
- LCOWGlobalMountPrefix = "/run/mounts/m%d"
- // WCOWGlobalMountPrefix is the path prefix format in the WCOW UVM where mounts are added
- WCOWGlobalMountPrefix = "C:\\mounts\\m%d"
+ LCOWMountPathPrefixFmt = "/mounts/m%d"
+ // LCOWGlobalMountPrefixFmt is the path format in the LCOW UVM where global mounts are added
+ LCOWGlobalMountPrefixFmt = "/run/mounts/m%d"
+ // WCOWGlobalMountPrefixFmt is the path prefix format in the WCOW UVM where mounts are added
+ WCOWGlobalMountPrefixFmt = "C:\\mounts\\m%d"
 // RootfsPath is part of the container's rootfs path
 RootfsPath = "rootfs"
 )
diff --git a/internal/hcsoci/resources_lcow.go b/internal/hcsoci/resources_lcow.go
index 6bd3fb3b52..d438738c28 100644
--- a/internal/hcsoci/resources_lcow.go
+++ b/internal/hcsoci/resources_lcow.go
@@ -67,7 +67,7 @@ func allocateLinuxResources(ctx context.Context, coi *createOptionsInternal, r *
 if coi.HostingSystem != nil {
 hostPath := mount.Source
- uvmPathForShare := path.Join(containerRootInUVM, fmt.Sprintf(guestpath.LCOWMountPathPrefix, i))
+ uvmPathForShare := path.Join(containerRootInUVM, fmt.Sprintf(guestpath.LCOWMountPathPrefixFmt, i))
 uvmPathForFile := uvmPathForShare
 readOnly := false
@@ -81,7 +81,7 @@ func allocateLinuxResources(ctx context.Context, coi *createOptionsInternal, r *
 l := log.G(ctx).WithField("mount", fmt.Sprintf("%+v", mount))
 if mount.Type == "physical-disk" {
 l.Debug("hcsshim::allocateLinuxResources Hot-adding SCSI physical disk for OCI mount")
- uvmPathForShare = fmt.Sprintf(guestpath.LCOWGlobalMountPrefix, coi.HostingSystem.UVMMountCounter())
+ uvmPathForShare = fmt.Sprintf(guestpath.LCOWGlobalMountPrefixFmt, coi.HostingSystem.UVMMountCounter())
 scsiMount, err := coi.HostingSystem.AddSCSIPhysicalDisk(ctx, hostPath, uvmPathForShare, readOnly, mount.Options)
 if err != nil {
 return errors.Wrapf(err, "adding SCSI physical disk mount %+v", mount)
@@ -92,7 +92,7 @@ func allocateLinuxResources(ctx context.Context, coi *createOptionsInternal, r *
 coi.Spec.Mounts[i].Type = "none"
 } else if mount.Type == "virtual-disk" {
 l.Debug("hcsshim::allocateLinuxResources Hot-adding SCSI virtual disk for OCI mount")
- uvmPathForShare = fmt.Sprintf(guestpath.LCOWGlobalMountPrefix, coi.HostingSystem.UVMMountCounter())
+ uvmPathForShare = fmt.Sprintf(guestpath.LCOWGlobalMountPrefixFmt, coi.HostingSystem.UVMMountCounter())
 // if the scsi device is already attached then we take the uvm path that the function below returns
 // that is where it was previously mounted in UVM
diff --git a/internal/hcsoci/resources_wcow.go b/internal/hcsoci/resources_wcow.go
index 66bfc3e0d9..fa22c8047e 100644
--- a/internal/hcsoci/resources_wcow.go
+++ b/internal/hcsoci/resources_wcow.go
@@ -142,7 +142,7 @@ func setupMounts(ctx context.Context, coi *createOptionsInternal, r *resources.R
 }
 if coi.HostingSystem != nil && schemaversion.IsV21(coi.actualSchemaVersion) {
- uvmPath := fmt.Sprintf(guestpath.WCOWGlobalMountPrefix, coi.HostingSystem.UVMMountCounter())
+ uvmPath := fmt.Sprintf(guestpath.WCOWGlobalMountPrefixFmt, coi.HostingSystem.UVMMountCounter())
 readOnly := false
 for _, o := range mount.Options {
 if strings.ToLower(o) == "ro" {
diff --git a/internal/layers/layers.go b/internal/layers/layers.go
index fd63377f72..0334076365 100644
--- a/internal/layers/layers.go
+++ b/internal/layers/layers.go
@@ -291,7 +291,7 @@ func addLCOWLayer(ctx context.Context, vm *uvm.UtilityVM, layerPath string) (uvm
 }
 options := []string{"ro"}
- uvmPath = fmt.Sprintf(guestpath.LCOWGlobalMountPrefix, vm.UVMMountCounter())
+ uvmPath = fmt.Sprintf(guestpath.LCOWGlobalMountPrefixFmt, vm.UVMMountCounter())
 sm, err := vm.AddSCSI(ctx, layerPath, uvmPath, true, false, options, uvm.VMAccessTypeNoop)
 if err != nil {
 return "", fmt.Errorf("failed to add SCSI layer: %s", err)
diff --git a/pkg/securitypolicy/securitypolicyenforcer.go b/pkg/securitypolicy/securitypolicyenforcer.go
index 6519fb78be..e646c87aca 100644
--- a/pkg/securitypolicy/securitypolicyenforcer.go
+++ b/pkg/securitypolicy/securitypolicyenforcer.go
@@ -6,16 +6,16 @@ import (
 "os"
 "path/filepath"
 "regexp"
- "runtime"
 "strconv"
 "strings"
 "sync"
+ "github.com/google/go-cmp/cmp"
+ oci "github.com/opencontainers/runtime-spec/specs-go"
+
 "github.com/Microsoft/hcsshim/internal/guestpath"
 "github.com/Microsoft/hcsshim/internal/hooks"
 "github.com/Microsoft/hcsshim/pkg/annotations"
- "github.com/google/go-cmp/cmp"
- oci "github.com/opencontainers/runtime-spec/specs-go"
 )
 type SecurityPolicyEnforcer interface {
@@ -470,15 +470,10 @@ func possibleIndexesForID(containerID string, mapping map[int]map[string]struct{
 return possibles
 }
-func getContainerRootInUVM(id string) string {
- switch runtime.GOOS {
- case "windows":
- return filepath.Join(guestpath.WCOWRootPrefixInUVM, id)
- default:
- return filepath.Join(guestpath.LCOWRootPrefixInUVM, id)
- }
-}
-
+// EnforceExpectedMountsPolicy for StandardSecurityPolicyEnforcer injects a
+// hooks.CreateRuntime hook into container spec and the hook ensures that
+// the expected mounts appear prior container start. At the moment enforcement
+// is expected to take place inside LCOW UVM.
 func (pe *StandardSecurityPolicyEnforcer) EnforceExpectedMountsPolicy(containerID string, spec *oci.Spec) error {
 pe.mutex.Lock()
 defer pe.mutex.Unlock()
@@ -517,7 +512,7 @@ func (pe *StandardSecurityPolicyEnforcer) EnforceExpectedMountsPolicy(containerI
 wp := ""
 if strings.HasPrefix(mount, guestpath.SandboxMountPrefix) {
 sandboxPath := strings.TrimPrefix(mount, guestpath.SandboxMountPrefix)
- wp = filepath.Join(getContainerRootInUVM(sandboxID), "sandboxMounts", sandboxPath)
+ wp = filepath.Join(guestpath.LCOWRootPrefixInUVM, "sandboxMounts", sandboxPath)
 } else {
 // Find the corresponding sandbox mount and resolve the path inside UVM.
 for _, m := range spec.Mounts {
diff --git a/test/vendor/github.com/Microsoft/hcsshim/internal/devices/drivers.go b/test/vendor/github.com/Microsoft/hcsshim/internal/devices/drivers.go
index 008e1c739c..0dae33c963 100644
--- a/test/vendor/github.com/Microsoft/hcsshim/internal/devices/drivers.go
+++ b/test/vendor/github.com/Microsoft/hcsshim/internal/devices/drivers.go
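Review bot: The new doc comment on EnforceExpectedMountsPolicy reads `the expected mounts appear prior container start`; the intended phrase is `the expected mounts appear prior to container start`. It would also help a reader to state what "ensures" means operationally, e.g. `the hook blocks container start until every expected mount path exists inside the UVM`, since that is the fail-closed behaviour a policy author relies on. Removing getContainerRootInUVM drops the only runtime.GOOS-dependent path construction in this file, which the comment's LCOW-only statement records; the vendored copy under test/vendor carries the same text. The body of EnforceExpectedMountsPolicy continues past this hunk.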
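Review bot: The new `wp` no longer contains the sandbox ID: the removed `getContainerRootInUVM(sandboxID)` produced `<LCOWRootPrefixInUVM>/<sandboxID>`, while the replacement joins `guestpath.LCOWRootPrefixInUVM` directly with `sandboxMounts`, so the hook now waits on `…/sandboxMounts/<sandboxPath>` instead of `…/<sandboxID>/sandboxMounts/<sandboxPath>`. Unless the guest really places sandbox mounts directly under the root prefix, that path never appears and every container with a `sandbox://` expected mount fails closed at the hook's wait timeout. If dropping the per-sandbox component is not intended, `wp = filepath.Join(guestpath.LCOWRootPrefixInUVM, sandboxID, "sandboxMounts", sandboxPath)` preserves the old layout; and because the doc comment now states enforcement happens inside the LCOW UVM, `path.Join` would keep the guest path slash-separated regardless of the OS this package is compiled for. EnforceExpectedMountsPolicy continues on both sides of this hunk and `sandboxID` is declared outside it, so I cannot confirm whether it is still used elsewhere in the function.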
@@ -46,7 +46,7 @@ func InstallKernelDriver(ctx context.Context, vm *uvm.UtilityVM, driver string)
 }
 return closer, execPnPInstallDriver(ctx, vm, uvmPath)
 }
- uvmPathForShare := fmt.Sprintf(guestpath.LCOWGlobalMountPrefix, vm.UVMMountCounter())
+ uvmPathForShare := fmt.Sprintf(guestpath.LCOWGlobalMountPrefixFmt, vm.UVMMountCounter())
 scsiCloser, err := vm.AddSCSI(ctx, driver, uvmPathForShare, true, false, []string{}, uvm.VMAccessTypeIndividual)
 if err != nil {
 return closer, fmt.Errorf("failed to add SCSI disk to utility VM for path %+v: %s", driver, err)
diff --git a/test/vendor/github.com/Microsoft/hcsshim/internal/guestpath/paths.go b/test/vendor/github.com/Microsoft/hcsshim/internal/guestpath/paths.go
index a40e03985b..62bbfeb636 100644
--- a/test/vendor/github.com/Microsoft/hcsshim/internal/guestpath/paths.go
+++ b/test/vendor/github.com/Microsoft/hcsshim/internal/guestpath/paths.go
@@ -12,13 +12,13 @@ const (
 SandboxMountPrefix = "sandbox://"
 // HugePagesMountPrefix is mount prefix used in container spec to mark a huge-pages mount
 HugePagesMountPrefix = "hugepages://"
- // LCOWMountPathPrefix is the path format in the LCOW UVM where non global mounts, such
+ // LCOWMountPathPrefixFmt is the path format in the LCOW UVM where non global mounts, such
 // as Plan9 mounts are added
- LCOWMountPathPrefix = "/mounts/m%d"
- // LCOWGlobalMountPrefix is the path format in the LCOW UVM where global mounts are added
- LCOWGlobalMountPrefix = "/run/mounts/m%d"
- // WCOWGlobalMountPrefix is the path prefix format in the WCOW UVM where mounts are added
- WCOWGlobalMountPrefix = "C:\\mounts\\m%d"
+ LCOWMountPathPrefixFmt = "/mounts/m%d"
+ // LCOWGlobalMountPrefixFmt is the path format in the LCOW UVM where global mounts are added
+ LCOWGlobalMountPrefixFmt = "/run/mounts/m%d"
+ // WCOWGlobalMountPrefixFmt is the path prefix format in the WCOW UVM where mounts are added
+ WCOWGlobalMountPrefixFmt = "C:\\mounts\\m%d"
 // RootfsPath is part of the container's rootfs path
 RootfsPath = "rootfs"
 )
diff --git a/test/vendor/github.com/Microsoft/hcsshim/internal/hcsoci/resources_lcow.go b/test/vendor/github.com/Microsoft/hcsshim/internal/hcsoci/resources_lcow.go
index 6bd3fb3b52..d438738c28 100644
--- a/test/vendor/github.com/Microsoft/hcsshim/internal/hcsoci/resources_lcow.go
+++ b/test/vendor/github.com/Microsoft/hcsshim/internal/hcsoci/resources_lcow.go
@@ -67,7 +67,7 @@ func allocateLinuxResources(ctx context.Context, coi *createOptionsInternal, r *
 if coi.HostingSystem != nil {
 hostPath := mount.Source
- uvmPathForShare := path.Join(containerRootInUVM, fmt.Sprintf(guestpath.LCOWMountPathPrefix, i))
+ uvmPathForShare := path.Join(containerRootInUVM, fmt.Sprintf(guestpath.LCOWMountPathPrefixFmt, i))
 uvmPathForFile := uvmPathForShare
 readOnly := false
@@ -81,7 +81,7 @@ func allocateLinuxResources(ctx context.Context, coi *createOptionsInternal, r *
 l := log.G(ctx).WithField("mount", fmt.Sprintf("%+v", mount))
 if mount.Type == "physical-disk" {
 l.Debug("hcsshim::allocateLinuxResources Hot-adding SCSI physical disk for OCI mount")
- uvmPathForShare = fmt.Sprintf(guestpath.LCOWGlobalMountPrefix, coi.HostingSystem.UVMMountCounter())
+ uvmPathForShare = fmt.Sprintf(guestpath.LCOWGlobalMountPrefixFmt, coi.HostingSystem.UVMMountCounter())
 scsiMount, err := coi.HostingSystem.AddSCSIPhysicalDisk(ctx, hostPath, uvmPathForShare, readOnly, mount.Options)
 if err != nil {
 return errors.Wrapf(err, "adding SCSI physical disk mount %+v", mount)
@@ -92,7 +92,7 @@ func allocateLinuxResources(ctx context.Context, coi *createOptionsInternal, r *
 coi.Spec.Mounts[i].Type = "none"
 } else if mount.Type == "virtual-disk" {
 l.Debug("hcsshim::allocateLinuxResources Hot-adding SCSI virtual disk for OCI mount")
- uvmPathForShare = fmt.Sprintf(guestpath.LCOWGlobalMountPrefix, coi.HostingSystem.UVMMountCounter())
+ uvmPathForShare = fmt.Sprintf(guestpath.LCOWGlobalMountPrefixFmt, coi.HostingSystem.UVMMountCounter())
 // if the scsi device is already attached then we take the uvm path that the function below returns
 // that is where it was previously mounted in UVM
diff --git a/test/vendor/github.com/Microsoft/hcsshim/internal/hcsoci/resources_wcow.go b/test/vendor/github.com/Microsoft/hcsshim/internal/hcsoci/resources_wcow.go
index 66bfc3e0d9..fa22c8047e 100644
--- a/test/vendor/github.com/Microsoft/hcsshim/internal/hcsoci/resources_wcow.go
+++ b/test/vendor/github.com/Microsoft/hcsshim/internal/hcsoci/resources_wcow.go
@@ -142,7 +142,7 @@ func setupMounts(ctx context.Context, coi *createOptionsInternal, r *resources.R
 }
 if coi.HostingSystem != nil && schemaversion.IsV21(coi.actualSchemaVersion) {
- uvmPath := fmt.Sprintf(guestpath.WCOWGlobalMountPrefix, coi.HostingSystem.UVMMountCounter())
+ uvmPath := fmt.Sprintf(guestpath.WCOWGlobalMountPrefixFmt, coi.HostingSystem.UVMMountCounter())
 readOnly := false
 for _, o := range mount.Options {
 if strings.ToLower(o) == "ro" {
diff --git a/test/vendor/github.com/Microsoft/hcsshim/internal/layers/layers.go b/test/vendor/github.com/Microsoft/hcsshim/internal/layers/layers.go
index fd63377f72..0334076365 100644
--- a/test/vendor/github.com/Microsoft/hcsshim/internal/layers/layers.go
+++ b/test/vendor/github.com/Microsoft/hcsshim/internal/layers/layers.go
@@ -291,7 +291,7 @@ func addLCOWLayer(ctx context.Context, vm *uvm.UtilityVM, layerPath string) (uvm
 }
 options := []string{"ro"}
- uvmPath = fmt.Sprintf(guestpath.LCOWGlobalMountPrefix, vm.UVMMountCounter())
+ uvmPath = fmt.Sprintf(guestpath.LCOWGlobalMountPrefixFmt, vm.UVMMountCounter())
 sm, err := vm.AddSCSI(ctx, layerPath, uvmPath, true, false, options, uvm.VMAccessTypeNoop)
 if err != nil {
 return "", fmt.Errorf("failed to add SCSI layer: %s", err)
diff --git a/test/vendor/github.com/Microsoft/hcsshim/pkg/securitypolicy/securitypolicyenforcer.go b/test/vendor/github.com/Microsoft/hcsshim/pkg/securitypolicy/securitypolicyenforcer.go
index 6519fb78be..e646c87aca 100644
--- a/test/vendor/github.com/Microsoft/hcsshim/pkg/securitypolicy/securitypolicyenforcer.go
+++ b/test/vendor/github.com/Microsoft/hcsshim/pkg/securitypolicy/securitypolicyenforcer.go
@@ -6,16 +6,16 @@ import (
 "os"
 "path/filepath"
 "regexp"
- "runtime"
 "strconv"
 "strings"
 "sync"
+ "github.com/google/go-cmp/cmp"
+ oci "github.com/opencontainers/runtime-spec/specs-go"
+
 "github.com/Microsoft/hcsshim/internal/guestpath"
 "github.com/Microsoft/hcsshim/internal/hooks"
 "github.com/Microsoft/hcsshim/pkg/annotations"
- "github.com/google/go-cmp/cmp"
- oci "github.com/opencontainers/runtime-spec/specs-go"
 )
 type SecurityPolicyEnforcer interface {
@@ -470,15 +470,10 @@ func possibleIndexesForID(containerID string, mapping map[int]map[string]struct{
 return possibles
 }
-func getContainerRootInUVM(id string) string {
- switch runtime.GOOS {
- case "windows":
- return filepath.Join(guestpath.WCOWRootPrefixInUVM, id)
- default:
- return filepath.Join(guestpath.LCOWRootPrefixInUVM, id)
- }
-}
-
+// EnforceExpectedMountsPolicy for StandardSecurityPolicyEnforcer injects a
+// hooks.CreateRuntime hook into container spec and the hook ensures that
+// the expected mounts appear prior container start. At the moment enforcement
+// is expected to take place inside LCOW UVM.
 func (pe *StandardSecurityPolicyEnforcer) EnforceExpectedMountsPolicy(containerID string, spec *oci.Spec) error {
 pe.mutex.Lock()
 defer pe.mutex.Unlock()
@@ -517,7 +512,7 @@ func (pe *StandardSecurityPolicyEnforcer) EnforceExpectedMountsPolicy(containerI
 wp := ""
 if strings.HasPrefix(mount, guestpath.SandboxMountPrefix) {
 sandboxPath := strings.TrimPrefix(mount, guestpath.SandboxMountPrefix)
- wp = filepath.Join(getContainerRootInUVM(sandboxID), "sandboxMounts", sandboxPath)
+ wp = filepath.Join(guestpath.LCOWRootPrefixInUVM, "sandboxMounts", sandboxPath)
 } else {
 // Find the corresponding sandbox mount and resolve the path inside UVM.
 for _, m := range spec.Mounts {