runtime: add support for readonly sandbox bindmounts

If specified, sandbox_bind_mounts identifies host paths to be mounted (ro) into the sandboxes shared path. This is only valid if filesystem sharing is utilized. The provided path(s) will be bindmounted (ro) into the shared fs directory on the host, and thus mapped into the guest. If defaults are utilized, these mounts should be available in the guest at `/var/run/kata-containers/shared/containers/sandbox-mounts` These will not be exposed to the container workloads, and are only added for potential guest-services to consume (example: expose certs into the guest that are available on the host). Fixes: #1464 Signed-off-by: Eric Ernst <eric.g.ernst@gmail.com>
2025-12-24 01:24:26 +01:00 · 2021-02-09 22:00:53 -08:00
parent acc4bc57f4
commit 48ed8f3c4a
8 changed files with 158 additions and 0 deletions
--- a/src/runtime/pkg/katautils/config.go
+++ b/src/runtime/pkg/katautils/config.go
@@ -10,6 +10,7 @@ import (
 	"errors"
 	"fmt"
 	"io/ioutil"
+	"path/filepath"
 	goruntime "runtime"
 	"strings"

@@ -136,6 +137,7 @@ type runtime struct {
 	DisableNewNetNs     bool     `toml:"disable_new_netns"`
 	DisableGuestSeccomp bool     `toml:"disable_guest_seccomp"`
 	SandboxCgroupOnly   bool     `toml:"sandbox_cgroup_only"`
+	SandboxBindMounts   []string `toml:"sandbox_bind_mounts"`
 	Experimental        []string `toml:"experimental"`
 	InterNetworkModel   string   `toml:"internetworking_model"`
 	EnablePprof         bool     `toml:"enable_pprof"`
@@ -1158,6 +1160,11 @@ func LoadConfiguration(configPath string, ignoreLogging, builtIn bool) (resolved
 		config.Experimental = append(config.Experimental, *feature)
 	}

+	if err = validateBindMounts(tomlConf.Runtime.SandboxBindMounts); err != nil {
+		return "", config, err
+	}
+	config.SandboxBindMounts = tomlConf.Runtime.SandboxBindMounts
+
 	if err := checkConfig(config); err != nil {
 		return "", config, err
 	}
@@ -1165,6 +1172,31 @@ func LoadConfiguration(configPath string, ignoreLogging, builtIn bool) (resolved
 	return resolved, config, nil
 }

+// Verify that bind mounts exist
+func validateBindMounts(mounts []string) error {
+	if len(mounts) == 0 {
+		return nil
+	}
+
+	bases := make(map[string]struct{})
+
+	for _, m := range mounts {
+		path, err := ResolvePath(m)
+		if err != nil {
+			return fmt.Errorf("sandbox-bindmounts: Failed to resolve path: %s: %v", m, err)
+		}
+
+		base := filepath.Base(path)
+		// check to make sure the base does not already exists.
+		if _, ok := bases[base]; !ok {
+			bases[base] = struct{}{}
+		} else {
+			return fmt.Errorf("sandbox-bindmounts: File %s has base that matches already specified bindmount", path)
+		}
+	}
+	return nil
+}
+
 func decodeConfig(configPath string) (tomlConfig, string, error) {
 	var (
 		resolved string