rootless: fix --pid=host

Fix #297

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

Author: AkihiroSuda

cmd/nerdctl/run.go

@@ -23,6 +23,7 @@ import (
 	"fmt"
 	"net/url"
 	"os"
+	"path"
 	"path/filepath"
 	"strings"
 
@@ -48,6 +49,7 @@ import (
 	"github.com/containerd/nerdctl/pkg/netutil"
 	"github.com/containerd/nerdctl/pkg/netutil/nettype"
 	"github.com/containerd/nerdctl/pkg/portutil"
+	"github.com/containerd/nerdctl/pkg/rootlessutil"
 	"github.com/containerd/nerdctl/pkg/strutil"
 	"github.com/containerd/nerdctl/pkg/taskutil"
 	"github.com/docker/cli/opts"
@@ -495,6 +497,9 @@ func runAction(clicontext *cli.Context) error {
 			return fmt.Errorf("Invalid pid namespace. Set --pid=host to enable host pid namespace.")
 		} else {
 			opts = append(opts, oci.WithHostNamespace(specs.PIDNamespace))
+			if rootlessutil.IsRootless() {
+				opts = append(opts, withBindMountHostProcfs)
+			}
 		}
 	}
 
@@ -669,6 +674,36 @@ func generateRootfsOpts(ctx context.Context, client *containerd.Client, cliconte
 	return opts, cOpts, ensured, nil
 }
 
+// withBindMountHostProcfs replaces procfs mount with rbind.
+// Required for --pid=host on rootless.
+//
+// https://github.com/moby/moby/pull/41893/files
+// https://github.com/containers/podman/blob/v3.0.0-rc1/pkg/specgen/generate/oci.go#L248-L257
+func withBindMountHostProcfs(_ context.Context, _ oci.Client, _ *containers.Container, s *oci.Spec) error {
+	for i, m := range s.Mounts {
+		if path.Clean(m.Destination) == "/proc" {
+			newM := specs.Mount{
+				Destination: "/proc",
+				Type:        "bind",
+				Source:      "/proc",
+				Options:     []string{"rbind", "nosuid", "noexec", "nodev"},
+			}
+			s.Mounts[i] = newM
+		}
+	}
+
+	// Remove ReadonlyPaths for /proc/*
+	newROP := s.Linux.ReadonlyPaths[:0]
+	for _, x := range s.Linux.ReadonlyPaths {
+		x = path.Clean(x)
+		if !strings.HasPrefix(x, "/proc/") {
+			newROP = append(newROP, x)
+		}
+	}
+	s.Linux.ReadonlyPaths = newROP
+	return nil
+}
+
 func withCustomResolvConf(src string) func(context.Context, oci.Client, *containers.Container, *oci.Spec) error {
 	return func(_ context.Context, _ oci.Client, _ *containers.Container, s *oci.Spec) error {
 		s.Mounts = append(s.Mounts, specs.Mount{

cmd/nerdctl/run_mount.go

@@ -39,6 +39,8 @@ import (
 	"github.com/urfave/cli/v2"
 )
 
+// generateMountOpts generates volume-related mount opts.
+// Other mounts such as procfs mount are not handled here.
 func generateMountOpts(clicontext *cli.Context, ctx context.Context, client *containerd.Client, ensuredImage *imgutil.EnsuredImage) ([]oci.SpecOpts, []string, error) {
 	volStore, err := getVolumeStore(clicontext)
 	if err != nil {

cmd/nerdctl/run_test.go

@@ -21,6 +21,7 @@ import (
 	"io/ioutil"
 	"os"
 	"path/filepath"
+	"strconv"
 	"strings"
 	"testing"
 
@@ -181,3 +182,10 @@ func TestRunEnvFile(t *testing.T) {
 	base.Cmd("run", "--rm", "--env-file", path1, "--env-file", path2, testutil.AlpineImage, "sh", "-c", "echo $TESTKEY1").AssertOutContains("TESTVAL1")
 	base.Cmd("run", "--rm", "--env-file", path1, "--env-file", path2, testutil.AlpineImage, "sh", "-c", "echo $TESTKEY2").AssertOutContains("TESTVAL2")
 }
+
+func TestRunPidHost(t *testing.T) {
+	base := testutil.NewBase(t)
+	pid := os.Getpid()
+
+	base.Cmd("run", "--rm", "--pid=host", testutil.AlpineImage, "ps", "auxw").AssertOutContains(strconv.Itoa(pid))
+}