Merge pull request #5133 from afbjorklund/tmpfs

Move root filesystem from rootfs to tmpfs

deploy/addons/gvisor/gvisor-config.toml

@@ -36,7 +36,7 @@ oom_score = 0
     max_container_log_line_size = 16384
     [plugins.cri.containerd]
       snapshotter = "overlayfs"
-      no_pivot = true
+      no_pivot = false
       [plugins.cri.containerd.default_runtime]
         runtime_type = "io.containerd.runtime.v1.linux"
         runtime_engine = ""

deploy/iso/minikube-iso/board/coreos/minikube/rootfs-overlay/init

@@ -0,0 +1,13 @@
+#!/bin/sh
+mkdir /sysroot
+# the value 90% borrowed from tcl via boot2docker
+mount -t tmpfs -o size=90% tmpfs /sysroot
+# copy from rootfs, to be able to do switch_root(8)
+tar -C / --exclude=sysroot -cf - . | tar -C /sysroot/ -xf -
+
+# devtmpfs does not get automounted for initramfs
+/bin/mount -t devtmpfs devtmpfs /sysroot/dev
+exec 0</sysroot/dev/console
+exec 1>/sysroot/dev/console
+exec 2>/sysroot/dev/console
+exec /sbin/switch_root /sysroot /sbin/init "$@"

deploy/iso/minikube-iso/package/containerd-bin/config.toml

@@ -36,7 +36,7 @@ oom_score = 0
     max_container_log_line_size = 16384
     [plugins.cri.containerd]
       snapshotter = "overlayfs"
-      no_pivot = true
+      no_pivot = false
       [plugins.cri.containerd.default_runtime]
         runtime_type = "io.containerd.runtime.v1.linux"
         runtime_engine = ""

deploy/iso/minikube-iso/package/crio-bin/crio.conf

@@ -92,7 +92,7 @@ grpc_max_recv_msg_size = 16777216
 default_runtime = "runc"
 
 # If true, the runtime will not use pivot_root, but instead use MS_MOVE.
-no_pivot = true
+no_pivot = false
 
 # Path to the conmon binary, used for monitoring the OCI runtime.
 conmon = "/usr/libexec/crio/conmon"

deploy/iso/minikube-iso/package/podman/buildah.profile

@@ -1,3 +0,0 @@
-# BUILDAH_NOPIVOT=true disables pivot_root in Buildah, using MS_MOVE instead.
-# (Buildah is used by Podman for building container images using a Dockerfile)
-export BUILDAH_NOPIVOT=true

deploy/iso/minikube-iso/package/podman/libpod.conf

@@ -1,2 +0,0 @@
-# Whether to use chroot instead of pivot_root in the runtime
-no_pivot_root = true

deploy/iso/minikube-iso/package/podman/podman.mk

@@ -29,8 +29,6 @@ endef
 
 define PODMAN_INSTALL_TARGET_CMDS
 	$(INSTALL) -Dm755 $(@D)/bin/podman $(TARGET_DIR)/usr/bin/podman
-	$(INSTALL) -Dm644 $(BR2_EXTERNAL_MINIKUBE_PATH)/package/podman/libpod.conf $(TARGET_DIR)/etc/containers/libpod.conf
-	$(INSTALL) -Dm644 $(BR2_EXTERNAL_MINIKUBE_PATH)/package/podman/buildah.profile $(TARGET_DIR)/etc/profile.d/podman.sh
 endef
 
 $(eval $(generic-package))

pkg/provision/buildroot.go

@@ -92,6 +92,13 @@ func (p *BuildrootProvisioner) GenerateDockerOptions(dockerPort int) (*provision
 	driverNameLabel := fmt.Sprintf("provider=%s", p.Driver.DriverName())
 	p.EngineOptions.Labels = append(p.EngineOptions.Labels, driverNameLabel)
 
+	noPivot := true
+	// Using pivot_root is not supported on fstype rootfs
+	if fstype, err := rootFileSystemType(p); err == nil {
+		log.Debugf("root file system type: %s", fstype)
+		noPivot = fstype == "rootfs"
+	}
+
 	engineConfigTmpl := `[Unit]
 Description=Docker Application Container Engine
 Documentation=https://docs.docker.com
@@ -101,8 +108,15 @@ Requires= minikube-automount.service docker.socket
 [Service]
 Type=notify
 
+`
+	if noPivot {
+		log.Warn("Using fundamentally insecure --no-pivot option")
+		engineConfigTmpl += `
 # DOCKER_RAMDISK disables pivot_root in Docker, using MS_MOVE instead.
 Environment=DOCKER_RAMDISK=yes
+`
+	}
+	engineConfigTmpl += `
 {{range .EngineOptions.Env}}Environment={{.}}
 {{end}}
 
@@ -160,6 +174,14 @@ WantedBy=multi-user.target
 	}, nil
 }
 
+func rootFileSystemType(p *BuildrootProvisioner) (string, error) {
+	fs, err := p.SSHCommand("df --output=fstype / | tail -n 1")
+	if err != nil {
+		return "", err
+	}
+	return strings.TrimSpace(fs), nil
+}
+
 // Package installs a package
 func (p *BuildrootProvisioner) Package(name string, action pkgaction.PackageAction) error {
 	return nil