Mount static kmod as /usr/local/sbin/modprobe #4037

Merged
merged 3 commits into from
Jun 6, 2024
9 changes: 9 additions & 0 deletions packages/containerd/containerd-cri-base-json
Expand Up @@ -102,6 +102,15 @@ oci-defaults = { version = "v1", helpers = ["oci_defaults"] }
"mode=755",
"size=65536k"
]
},
{
"destination": "/usr/local/sbin/modprobe",
Contributor

Have we confirmed this will be used instead of the provided modprobe for containers that include it? Do we know where this path related in the default PATH for these containers?

Contributor

The linked script in the description printed the default PATH in the container images. For all of them /usr/local/sbin is the first path in the list.

Contributor Author @vigh-m, Jun 6, 2024

Yup! Along with that, I also validated loading and unloading a kernel module on all the container images + cilium in that script and did not see any unexpected failures.

"source": "/usr/bin/kmod",
"options": [
"exec",
"bind",
"ro"
]
}
],
"linux": {
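
Review bot: the new entry for /usr/local/sbin/modprobe sets "destination", "source" and "options" but has no "type" key, while the same mount in oci/defaults.go and in withPrivilegedMounts() sets Type: "bind". Add "type": "bind" here so the three definitions of this mount are identical and can be audited side by side.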
@@ -0,0 +1,32 @@
From e35f5eeeaa4c7b9ec1ae0720fc7de0fc4d43e02f Mon Sep 17 00:00:00 2001
From: Arnaldo Garcia Rincon <agarrcia@amazon.com>
Date: Thu, 30 May 2024 14:38:33 +0000
Subject: [PATCH] oci: inject kmod in all containers

Append a new mount to the default spec created for Linux containers

Signed-off-by: Arnaldo Garcia Rincon <agarrcia@amazon.com>
vigh-m marked this conversation as resolved.
Signed-off-by: Vighnesh Maheshwari <vighmah@amazon.com>
---
oci/defaults.go | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/oci/defaults.go b/oci/defaults.go
index c3dae8b..2e90cfa 100644
--- a/oci/defaults.go
+++ b/oci/defaults.go
@@ -100,6 +100,12 @@ func DefaultLinuxSpec() specs.Spec {
Source: "shm",
Options: []string{"nosuid", "noexec", "nodev", "mode=1777"},
},
+ {
+ Destination: "/usr/local/sbin/modprobe",
+ Type: "bind",
+ Source: "/usr/bin/kmod",
+ Options: []string{"exec", "bind", "ro"},
+ },
},
Linux: &specs.Linux{
MaskedPaths: []string{
--
2.44.0
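
Review bot: the mount added to DefaultLinuxSpec() carries only "exec", "bind", "ro", whereas the shm mount directly above it sets "nosuid" and "nodev"; a read-only helper binary needs neither, so consider adding both to the new entry to keep it in line with the hardening on its neighbour. The commit message also says only that a mount is appended: it should state why every container gets /usr/bin/kmod at /usr/local/sbin/modprobe and that this path is expected to take precedence over a modprobe shipped in the image, which is what the review discussion had to establish.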
1 change: 1 addition & 0 deletions packages/docker-engine/docker-engine.spec
Expand Up @@ -30,6 +30,7 @@ Source100: prepare-var-lib-docker.service
Source1000: clarify.toml

Patch0001: 0001-Change-default-capabilities-using-daemon-config.patch
Patch0002: 0002-oci-inject-kmod-in-all-containers.patch

BuildRequires: git
BuildRequires: %{_cross_os}glibc-devel
6 changes: 6 additions & 0 deletions sources/host-ctr/cmd/host-ctr/main.go
Expand Up @@ -896,6 +896,12 @@ func withPrivilegedMounts() oci.SpecOpts {
Source: "/mnt",
Type: "bind",
},
{
Options: []string{"bind", "ro", "exec"},
Destination: "/usr/local/sbin/modprobe",
Source: "/usr/bin/kmod",
Type: "bind",
},
})
}
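
Review bot: the Options slice in withPrivilegedMounts() is written as "bind", "ro", "exec", while the containerd template and the docker patch use "exec", "bind", "ro", and the source and destination paths are repeated as string literals. Use the same option order here, and lift "/usr/bin/kmod" and "/usr/local/sbin/modprobe" into named constants in this file with a comment explaining why kmod is mounted under the name modprobe, so a later change to one copy of the mount is not missed in the others.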
