mount /sys and /sys/fs/cgroup in rootless to work around runc panic

Signed-off-by: Cory Bennett <cbennett@netflix.com>
moby · Oct 2, 2020 · 4b51fbd · 4b51fbd
1 parent d1a14ae
commit 4b51fbd
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 19 deletions.
diff --git a/client/build_test.go b/client/build_test.go
@@ -268,12 +268,6 @@ func testClientGatewayContainerCancelOnRelease(t *testing.T, sb integration.Sand
 // process together all started via `Exec` into the same container.
 // We are mimicing: `echo testing | cat | cat > /tmp/foo && cat /tmp/foo`
 func testClientGatewayContainerExecPipe(t *testing.T, sb integration.Sandbox) {
-	if sb.Rootless() {
-		// TODO fix this
-		// We get `panic: cannot statfs cgroup root` from runc when when running
-		// this test with runc-rootless, no idea why.
-		t.Skip("Skipping oci-rootless for cgroup error")
-	}
 	requiresLinux(t)
 
 	ctx := context.TODO()
@@ -468,12 +462,6 @@ func testClientGatewayContainerPID1Fail(t *testing.T, sb integration.Sandbox) {
 // testClientGatewayContainerPID1Exit is testing that all process started
 // via `Exec` are shutdown when the primary pid1 process exits
 func testClientGatewayContainerPID1Exit(t *testing.T, sb integration.Sandbox) {
-	if sb.Rootless() {
-		// TODO fix this
-		// We get `panic: cannot statfs cgroup root` when running this test
-		// with runc-rootless
-		t.Skip("Skipping runc-rootless for cgroup error")
-	}
 	requiresLinux(t)
 
 	ctx := context.TODO()
@@ -550,12 +538,6 @@ func testClientGatewayContainerPID1Exit(t *testing.T, sb integration.Sandbox) {
 // testClientGatewayContainerMounts is testing mounts derived from various
 // llb.States
 func testClientGatewayContainerMounts(t *testing.T, sb integration.Sandbox) {
-	if sb.Rootless() {
-		// TODO fix this
-		// We get `panic: cannot statfs cgroup root` when running this test
-		// with runc-rootless
-		t.Skip("Skipping runc-rootless for cgroup error")
-	}
 	requiresLinux(t)
 
 	ctx := context.TODO()

diff --git a/util/rootless/specconv/specconv_linux.go b/util/rootless/specconv/specconv_linux.go
@@ -7,7 +7,6 @@ import (
 )
 
 // ToRootless converts spec to be compatible with "rootless" runc.
-// * Remove /sys mount
 // * Remove cgroups
 //
 // See docs/rootless.md for the supported runc revision.
@@ -24,6 +23,12 @@ func ToRootless(spec *specs.Spec) error {
 	//
 	// For buildkit usecase, we suppose we don't need to provide /sys to
 	// containers and remove /sys mount as a workaround.
+	//
+	// Oct 2020 Update: We now need /sys for exec'ing into a container
+	// via gateway. To remove this need there is an open issue on Runc:
+	// https://github.com/opencontainers/runc/issues/2573
+	// Buildkit discussion thread here:
+	// https://github.com/moby/buildkit/pull/1627#discussion_r482641300
 	var mounts []specs.Mount
 	for _, mount := range spec.Mounts {
 		if strings.HasPrefix(mount.Destination, "/sys") {
@@ -33,6 +38,18 @@ func ToRootless(spec *specs.Spec) error {
 	}
 	spec.Mounts = mounts
 
+	spec.Mounts = append(spec.Mounts, specs.Mount{
+		Destination: "/sys",
+		Type:        "none",
+		Source:      "/sys",
+		Options:     []string{"bind", "nosuid", "noexec", "nodev", "ro"},
+	}, specs.Mount{
+		Destination: "/sys/fs/cgroup",
+		Type:        "none",
+		Source:      "/sys/fs/cgroup",
+		Options:     []string{"bind", "nosuid", "noexec", "nodev", "ro"},
+	})
+
 	// Remove cgroups so as to avoid `container_linux.go:337: starting container process caused "process_linux.go:280: applying cgroup configuration for process caused \"mkdir /sys/fs/cgroup/cpuset/buildkit: permission denied\""`
 	spec.Linux.Resources = nil
 	spec.Linux.CgroupsPath = ""