runtime: add support for readonly sandbox bindmounts

If specified, sandbox_bind_mounts identifies host paths to be mounted (ro) into the sandboxes shared path. This is only valid if filesystem sharing is utilized. The provided path(s) will be bindmounted (ro) into the shared fs directory on the host, and thus mapped into the guest. If defaults are utilized, these mounts should be available in the guest at `/var/run/kata-containers/shared/containers/sandbox-mounts` These will not be exposed to the container workloads, and are only added for potential guest-services to consume (example: expose certs into the guest that are available on the host). Fixes: #1464 Signed-off-by: Eric Ernst <eric.g.ernst@gmail.com>
2026-01-07 00:14:21 +01:00 · 2021-02-09 22:00:53 -08:00
parent acc4bc57f4
commit 48ed8f3c4a
8 changed files with 158 additions and 0 deletions
--- a/src/runtime/virtcontainers/kata_agent.go
+++ b/src/runtime/virtcontainers/kata_agent.go
@@ -55,6 +55,8 @@ const (
 	// path to vfio devices
 	vfioPath = "/dev/vfio/"

+	sandboxMountsDir = "sandbox-mounts"
+
 	// enable debug console
 	kernelParamDebugConsole           = "agent.debug_console"
 	kernelParamDebugConsoleVPort      = "agent.debug_console_vport"
@@ -379,6 +381,50 @@ func (k *kataAgent) internalConfigure(h hypervisor, id string, config interface{
 	return nil
 }

+func setupSandboxBindMounts(sandbox *Sandbox) error {
+	if len(sandbox.config.SandboxBindMounts) == 0 {
+		return nil
+	}
+
+	// Create subdirectory in host shared path for sandbox mounts
+	sandboxMountDir := filepath.Join(getMountPath(sandbox.id), sandboxMountsDir)
+	sandboxShareDir := filepath.Join(getSharePath(sandbox.id), sandboxMountsDir)
+	if err := os.MkdirAll(sandboxMountDir, DirMode); err != nil {
+		return fmt.Errorf("Creating sandbox shared mount directory: %v: %w", sandboxMountDir, err)
+	}
+
+	for _, m := range sandbox.config.SandboxBindMounts {
+		mountDest := filepath.Join(sandboxMountDir, filepath.Base(m))
+		// bind-mount each sandbox mount that's defined into the sandbox mounts dir
+		if err := bindMount(context.Background(), m, mountDest, true, "private"); err != nil {
+			return fmt.Errorf("Mounting sandbox directory: %v to %v: %w", m, mountDest, err)
+		}
+
+		mountDest = filepath.Join(sandboxShareDir, filepath.Base(m))
+		if err := remountRo(context.Background(), mountDest); err != nil {
+			return fmt.Errorf("remount sandbox directory: %v to %v: %w", m, mountDest, err)
+		}
+
+	}
+
+	return nil
+}
+
+func cleanupSandboxBindMounts(sandbox *Sandbox) error {
+	if len(sandbox.config.SandboxBindMounts) == 0 {
+		return nil
+	}
+
+	for _, m := range sandbox.config.SandboxBindMounts {
+		mountPath := filepath.Join(getMountPath(sandbox.id), sandboxMountsDir, filepath.Base(m))
+		if err := syscall.Unmount(mountPath, syscall.MNT_DETACH|UmountNoFollow); err != nil {
+			return fmt.Errorf("Unmounting observe directory: %v: %w", mountPath, err)
+		}
+	}
+
+	return nil
+}
+
 func (k *kataAgent) configure(h hypervisor, id, sharePath string, config interface{}) error {
 	err := k.internalConfigure(h, id, config)
 	if err != nil {
@@ -441,6 +487,11 @@ func (k *kataAgent) setupSharedPath(sandbox *Sandbox) error {
 		return err
 	}

+	// Setup sandbox bindmounts, if specified:
+	if err := setupSandboxBindMounts(sandbox); err != nil {
+		return err
+	}
+
 	return nil
 }

@@ -2099,6 +2150,10 @@ func (k *kataAgent) markDead() {
 }

 func (k *kataAgent) cleanup(s *Sandbox) {
+	if err := cleanupSandboxBindMounts(s); err != nil {
+		k.Logger().WithError(err).Errorf("failed to cleanup observability logs bindmount")
+	}
+
 	// Unmount shared path
 	path := getSharePath(s.id)
 	k.Logger().WithField("path", path).Infof("cleanup agent")
--- a/src/runtime/virtcontainers/pkg/oci/utils.go
+++ b/src/runtime/virtcontainers/pkg/oci/utils.go
@@ -122,6 +122,9 @@ type RuntimeConfig struct {
 	//Determines kata processes are managed only in sandbox cgroup
 	SandboxCgroupOnly bool

+	//Paths to be bindmounted RO into the guest.
+	SandboxBindMounts []string
+
 	//Experimental features enabled
 	Experimental []exp.Feature

@@ -964,6 +967,7 @@ func SandboxConfig(ocispec specs.Spec, runtime RuntimeConfig, bundlePath, cid, c
 		SystemdCgroup: systemdCgroup,

 		SandboxCgroupOnly: runtime.SandboxCgroupOnly,
+		SandboxBindMounts: runtime.SandboxBindMounts,

 		DisableGuestSeccomp: runtime.DisableGuestSeccomp,

--- a/src/runtime/virtcontainers/sandbox.go
+++ b/src/runtime/virtcontainers/sandbox.go
@@ -116,6 +116,9 @@ type SandboxConfig struct {

 	DisableGuestSeccomp bool

+	// SandboxBindMounts - list of paths to mount into guest
+	SandboxBindMounts []string
+
 	// Experimental features enabled
 	Experimental []exp.Feature