fix the cpuset and add pivot root

Author: pibigstar

README.md

@@ -57,4 +57,9 @@ mount -t cgroup -o none,name=cgroup-test cgroup-test ./cgroup-test
 > 只要将该进程的ID放到其`cgroup`的`tasks`里面即可
 ```bash
 echo "进程ID" >> cgroup/tasks 
+```
+
+- 导出容器
+```bash
+docker export -o busybox.tar 45c98e055883(容器ID)
 ```

cgroups/subsystem/cpu.go

@@ -9,6 +9,7 @@ import (
 )
 
 type CpuSubSystem struct {
+	apply bool
 }
 
 func (*CpuSubSystem) Name() string {
@@ -22,6 +23,7 @@ func (c *CpuSubSystem) Set(cgroupPath string, res *ResourceConfig) error {
 		return err
 	}
 	if res.CpuShare != "" {
+		c.apply = true
 		err = ioutil.WriteFile(path.Join(subsystemCgroupPath, "cpu.shares"), []byte(res.CpuShare), 0644)
 		if err != nil {
 			logrus.Errorf("failed to write file cpu.shares, err: %+v", err)
@@ -32,24 +34,26 @@ func (c *CpuSubSystem) Set(cgroupPath string, res *ResourceConfig) error {
 }
 
 func (c *CpuSubSystem) Remove(cgroupPath string) error {
-	subsystemCgroupPath, err := GetCgroupPath(c.Name(), cgroupPath, true)
+	subsystemCgroupPath, err := GetCgroupPath(c.Name(), cgroupPath, false)
 	if err != nil {
 		return err
 	}
 	return os.RemoveAll(subsystemCgroupPath)
 }
 
 func (c *CpuSubSystem) Apply(cgroupPath string, pid int) error {
-	subsystemCgroupPath, err := GetCgroupPath(c.Name(), cgroupPath, true)
-	if err != nil {
-		return err
-	}
+	if c.apply {
+		subsystemCgroupPath, err := GetCgroupPath(c.Name(), cgroupPath, false)
+		if err != nil {
+			return err
+		}
 
-	tasksPath := path.Join(subsystemCgroupPath, "tasks")
-	err = ioutil.WriteFile(tasksPath, []byte(strconv.Itoa(pid)), 0644)
-	if err != nil {
-		logrus.Errorf("write pid to tasks, path: %s, pid: %d, err: %v", tasksPath, pid, err)
-		return err
+		tasksPath := path.Join(subsystemCgroupPath, "tasks")
+		err = ioutil.WriteFile(tasksPath, []byte(strconv.Itoa(pid)), os.ModePerm)
+		if err != nil {
+			logrus.Errorf("write pid to tasks, path: %s, pid: %d, err: %v", tasksPath, pid, err)
+			return err
+		}
 	}
 	return nil
 }

cgroups/subsystem/cpuset.go

@@ -1,15 +1,15 @@
 package subsystem
 
 import (
+	"github.com/sirupsen/logrus"
 	"io/ioutil"
 	"os"
 	"path"
 	"strconv"
-
-	"github.com/sirupsen/logrus"
 )
 
 type CpuSetSubSystem struct {
+	apply bool
 }
 
 func (*CpuSetSubSystem) Name() string {
@@ -23,6 +23,7 @@ func (c *CpuSetSubSystem) Set(cgroupPath string, res *ResourceConfig) error {
 		return err
 	}
 	if res.CpuSet != "" {
+		c.apply = true
 		err := ioutil.WriteFile(path.Join(subsystemCgroupPath, "cpuset.cpus"), []byte(res.CpuSet), 0644)
 		if err != nil {
 			logrus.Errorf("failed to write file cpuset.cpus, err: %+v", err)
@@ -33,23 +34,25 @@ func (c *CpuSetSubSystem) Set(cgroupPath string, res *ResourceConfig) error {
 }
 
 func (c *CpuSetSubSystem) Remove(cgroupPath string) error {
-	subsystemCgroupPath, err := GetCgroupPath(c.Name(), cgroupPath, true)
+	subsystemCgroupPath, err := GetCgroupPath(c.Name(), cgroupPath, false)
 	if err != nil {
 		return err
 	}
 	return os.RemoveAll(subsystemCgroupPath)
 }
 
 func (c *CpuSetSubSystem) Apply(cgroupPath string, pid int) error {
-	subsystemCgroupPath, err := GetCgroupPath(c.Name(), cgroupPath, true)
-	if err != nil {
-		return err
-	}
-	tasksPath := path.Join(subsystemCgroupPath, "tasks")
-	err = ioutil.WriteFile(tasksPath, []byte(strconv.Itoa(pid)), 0644)
-	if err != nil {
-		logrus.Errorf("write pid to tasks, path: %s, pid: %d, err: %v", tasksPath, pid, err)
-		return err
+	if c.apply {
+		subsystemCgroupPath, err := GetCgroupPath(c.Name(), cgroupPath, false)
+		if err != nil {
+			return err
+		}
+		tasksPath := path.Join(subsystemCgroupPath, "tasks")
+		err = ioutil.WriteFile(tasksPath, []byte(strconv.Itoa(pid)), os.ModePerm)
+		if err != nil {
+			logrus.Errorf("write pid to tasks, path: %s, pid: %d, err: %v", tasksPath, pid, err)
+			return err
+		}
 	}
 	return nil
 }

cgroups/subsystem/memory.go

@@ -10,6 +10,7 @@ import (
 )
 
 type MemorySubSystem struct {
+	apply bool
 }
 
 func (*MemorySubSystem) Name() string {
@@ -23,6 +24,7 @@ func (m *MemorySubSystem) Set(cgroupPath string, res *ResourceConfig) error {
 		return err
 	}
 	if res.MemoryLimit != "" {
+		m.apply = true
 		// 设置cgroup内存限制，
 		// 将这个限制写入到cgroup对应目录的 memory.limit_in_bytes文件中即可
 		err := ioutil.WriteFile(path.Join(subsystemCgroupPath, "memory.limit_in_bytes"), []byte(res.MemoryLimit), 0644)
@@ -34,23 +36,25 @@ func (m *MemorySubSystem) Set(cgroupPath string, res *ResourceConfig) error {
 }
 
 func (m *MemorySubSystem) Remove(cgroupPath string) error {
-	subsystemCgroupPath, err := GetCgroupPath(m.Name(), cgroupPath, true)
+	subsystemCgroupPath, err := GetCgroupPath(m.Name(), cgroupPath, false)
 	if err != nil {
 		return err
 	}
 	return os.RemoveAll(subsystemCgroupPath)
 }
 
 func (m *MemorySubSystem) Apply(cgroupPath string, pid int) error {
-	subsystemCgroupPath, err := GetCgroupPath(m.Name(), cgroupPath, true)
-	if err != nil {
-		return err
-	}
-	tasksPath := path.Join(subsystemCgroupPath, "tasks")
-	err = ioutil.WriteFile(tasksPath, []byte(strconv.Itoa(pid)), 0644)
-	if err != nil {
-		logrus.Errorf("write pid to tasks, path: %s, pid: %d, err: %v", tasksPath, pid, err)
-		return err
+	if m.apply {
+		subsystemCgroupPath, err := GetCgroupPath(m.Name(), cgroupPath, false)
+		if err != nil {
+			return err
+		}
+		tasksPath := path.Join(subsystemCgroupPath, "tasks")
+		err = ioutil.WriteFile(tasksPath, []byte(strconv.Itoa(pid)), os.ModePerm)
+		if err != nil {
+			logrus.Errorf("write pid to tasks, path: %s, pid: %d, err: %v", tasksPath, pid, err)
+			return err
+		}
 	}
 	return nil
 }

cgroups/subsystem/subsystem.go

@@ -27,6 +27,7 @@ type Subystem interface {
 var (
 	Subsystems = []Subystem{
 		&MemorySubSystem{},
+		// 设置tasks时，这两个必须同时设置
 		&CpuSubSystem{},
 		&CpuSetSubSystem{},
 	}

cgroups/subsystem/util.go

@@ -2,7 +2,6 @@ package subsystem
 
 import (
 	"bufio"
-	"fmt"
 	"os"
 	"path"
 	"strings"
@@ -19,15 +18,13 @@ func GetCgroupPath(subsystem string, cgroupPath string, autoCreate bool) (string
 	}
 	cgroupTotalPath := path.Join(cgroupRootPath, cgroupPath)
 	_, err = os.Stat(cgroupTotalPath)
-	if err == nil || (autoCreate && os.IsNotExist(err)) {
-		if os.IsNotExist(err) {
-			if err := os.MkdirAll(cgroupTotalPath, 0755); err != nil {
-				return "", err
-			}
+	if err != nil && os.IsNotExist(err) {
+		if err := os.MkdirAll(cgroupTotalPath, 0755); err != nil {
+			return "", err
 		}
-		return cgroupTotalPath, nil
 	}
-	return "", fmt.Errorf("cgroup path error")
+
+	return cgroupTotalPath, nil
 }
 
 // 找到挂载了 subsystem 的hierarchy cgroup根节点所在的目录

container/init.go

@@ -5,6 +5,7 @@ import (
 	"io/ioutil"
 	"os"
 	"os/exec"
+	"path/filepath"
 	"strings"
 	"syscall"
 
@@ -29,8 +30,7 @@ func RunContainerInitProcess() error {
 	// 在系统环境 PATH中寻找命令的绝对路径
 	path, err := exec.LookPath(cmdArray[0])
 	if err != nil {
-		logrus.Errorf("look %s path, err: %v", cmdArray[0], err)
-		return err
+		path = cmdArray[0]
 	}
 
 	err = syscall.Exec(path, cmdArray[0:], os.Environ())
@@ -60,13 +60,67 @@ func setUpMount() error {
 	if err != nil {
 		return err
 	}
+
+	err = pivotRoot()
+	if err != nil {
+		logrus.Errorf("pivot root, err: %v", err)
+		return err
+	}
+
 	//mount proc
 	defaultMountFlags := syscall.MS_NOEXEC | syscall.MS_NOSUID | syscall.MS_NODEV
 	err = syscall.Mount("proc", "/proc", "proc", uintptr(defaultMountFlags), "")
 	if err != nil {
 		logrus.Errorf("mount proc, err: %v", err)
 		return err
 	}
+	// mount temfs, temfs是一种基于内存的文件系统
+	err = syscall.Mount("tmpfs", "/dev", "tmpfs", syscall.MS_NOSUID|syscall.MS_STRICTATIME, "mode=755")
+	if err != nil {
+		logrus.Errorf("mount tempfs, err: %v", err)
+		return err
+	}
 
 	return nil
 }
+
+// 改变当前root的文件系统
+func pivotRoot() error {
+	root, err := os.Getwd()
+	if err != nil {
+		return err
+	}
+	logrus.Infof("current location is %s", root)
+	/**
+	  为了使当前root的老 root 和新 root 不在同一个文件系统下，我们把root重新mount了一次
+	  bind mount是把相同的内容换了一个挂载点的挂载方法
+	*/
+	if err := syscall.Mount(root, root, "bind", syscall.MS_BIND|syscall.MS_REC, ""); err != nil {
+		return fmt.Errorf("mount rootfs to itself error: %v", err)
+	}
+	// 创建 rootfs/.pivot_root 存储 old_root
+	pivotDir := filepath.Join(root, ".pivot_root")
+	_, err = os.Stat(pivotDir)
+	if err != nil && os.IsNotExist(err) {
+		if err := os.Mkdir(pivotDir, 0777); err != nil {
+			return err
+		}
+	}
+	// pivot_root 到新的rootfs, 现在老的 old_root 是挂载在rootfs/.pivot_root
+	// 挂载点现在依然可以在mount命令中看到
+	if err := syscall.PivotRoot(root, pivotDir); err != nil {
+		return fmt.Errorf("pivot_root %v", err)
+	}
+	// 修改当前的工作目录到根目录
+	if err := syscall.Chdir("/"); err != nil {
+		return fmt.Errorf("chdir / %v", err)
+	}
+
+	pivotDir = filepath.Join("/", ".pivot_root")
+	// unmount rootfs/.pivot_root
+	if err := syscall.Unmount(pivotDir, syscall.MNT_DETACH); err != nil {
+		return fmt.Errorf("unmount pivot_root dir %v", err)
+	}
+	// 删除临时文件夹
+	return os.Remove(pivotDir)
+}

container/process.go

@@ -23,5 +23,7 @@ func NewParentProcess(tty bool) (*exec.Cmd, *os.File) {
 	cmd.ExtraFiles = []*os.File{
 		readPipe,
 	}
+	// 指定容器初始化后的工作目录
+	cmd.Dir = "/root/busybox"
 	return cmd, writePipe
 }

test/util/util_test.go

@@ -0,0 +1,27 @@
+package util
+
+import (
+	"os/exec"
+	"syscall"
+	"testing"
+)
+
+func TestLookPath(t *testing.T) {
+	// 寻找 ls 命令的绝对路径
+	path, err := exec.LookPath("ls")
+	if err != nil {
+		t.Error(err)
+	}
+	t.Logf("ls path: %s \n", path)
+}
+
+// 切换运行时目录
+func TestChangeRunDir(t *testing.T) {
+	err := syscall.Chdir("/root")
+	if err != nil {
+		t.Error(err)
+	}
+	cmd := exec.Command("pwd")
+	bs, _ := cmd.CombinedOutput()
+	t.Log(string(bs))
+}