Gitiles
Code Review Sign In
gerrit-dev.monogon.dev / monogon / 10670e58174de17d42ecfe77e45f9826df8a6c74 / . / metropolis / node / core / mounts.go
blob: 8b23b72eff22c37bb36bc1df423d4a915b484e6a [file] [log] [blame]
Tim Windelschmidt6d33a432025-02-04 14:34:25 +0100[diff] [blame]1// Copyright The Monogon Project Authors.
Lorenz Brun3a99c592021-01-26 19:57:21 +0100[diff] [blame]2// SPDX-License-Identifier: Apache-2.0
Lorenz Brun3a99c592021-01-26 19:57:21 +0100[diff] [blame]3
4package main
5
6import (
7 "fmt"
Lorenz Brun3a99c592021-01-26 19:57:21 +0100[diff] [blame]8 "os"
Lorenz Brun3a99c592021-01-26 19:57:21 +0100[diff] [blame]9
Lorenz Brunfe6b5062024-07-02 16:32:35 +0000[diff] [blame]10 "github.com/opencontainers/runc/libcontainer/cgroups"
Lorenz Brun3a99c592021-01-26 19:57:21 +0100[diff] [blame]11 "golang.org/x/sys/unix"
Lorenz Brun3a99c592021-01-26 19:57:21 +0100[diff] [blame]12)
13
Serge Bazanski216fe7b2021-05-21 18:36:16 +0200[diff] [blame]14// setupMounts sets up basic mounts like sysfs, procfs, devtmpfs and cgroups.
15// This should be called early during init as a lot of processes depend on this
16// being available.
Serge Bazanskie803fc12022-01-25 14:58:24 +0100[diff] [blame]17func setupMounts() error {
Lorenz Brun3a99c592021-01-26 19:57:21 +0100[diff] [blame]18 // Set up target filesystems.
19 for _, el := range []struct {
20 dir string
21 fs string
22 flags uintptr
23 }{
24 {"/sys", "sysfs", unix.MS_NOEXEC | unix.MS_NOSUID | unix.MS_NODEV},
Lorenz Brun09c275b2021-03-30 12:47:09 +0200[diff] [blame]25 {"/sys/kernel/tracing", "tracefs", unix.MS_NOEXEC | unix.MS_NOSUID | unix.MS_NODEV},
Lorenz Brun6ef7f9b2021-10-21 13:02:40 +0200[diff] [blame]26 {"/sys/firmware/efi/efivars", "efivarfs", unix.MS_NOEXEC | unix.MS_NOSUID | unix.MS_NODEV},
Lorenz Brun1b2df232022-06-14 12:42:03 +0200[diff] [blame]27 {"/sys/fs/pstore", "pstore", unix.MS_NOEXEC | unix.MS_NOSUID | unix.MS_NODEV},
Lorenz Brun3a99c592021-01-26 19:57:21 +0100[diff] [blame]28 {"/proc", "proc", unix.MS_NOEXEC | unix.MS_NOSUID | unix.MS_NODEV},
29 {"/dev", "devtmpfs", unix.MS_NOEXEC | unix.MS_NOSUID},
30 {"/dev/pts", "devpts", unix.MS_NOEXEC | unix.MS_NOSUID},
Leopold Schabelc5e0dbd2024-07-24 13:18:45 +0000[diff] [blame]31 // Nothing in Metropolis currently uses /dev/shm, but it's required
32 // by containerd when the host IPC namespace is shared, which
33 // is required by "kubectl debug node/" and specific customer applications.
34 // https://github.com/monogon-dev/monogon/issues/305.
35 {"/dev/shm", "tmpfs", unix.MS_NOEXEC | unix.MS_NOSUID | unix.MS_NODEV},
Lorenz Brun3a99c592021-01-26 19:57:21 +0100[diff] [blame]36 } {
37 if err := os.MkdirAll(el.dir, 0755); err != nil {
38 return fmt.Errorf("could not make %s: %w", el.dir, err)
39 }
40 if err := unix.Mount(el.fs, el.dir, el.fs, el.flags, ""); err != nil {
41 return fmt.Errorf("could not mount %s on %s: %w", el.fs, el.dir, err)
42 }
43 }
44
Lorenz Brunfe6b5062024-07-02 16:32:35 +0000[diff] [blame]45 if err := unix.Mount("cgroup2", "/sys/fs/cgroup", "cgroup2", unix.MS_NOEXEC|unix.MS_NOSUID|unix.MS_NODEV, "nsdelegate,memory_recursiveprot"); err != nil {
Lorenz Brun3a99c592021-01-26 19:57:21 +0100[diff] [blame]46 panic(err)
47 }
Lorenz Brunfe6b5062024-07-02 16:32:35 +0000[diff] [blame]48 // Create main cgroup "everything" and move ourselves into it.
49 if err := os.Mkdir("/sys/fs/cgroup/everything", 0755); err != nil {
Lorenz Brun3a99c592021-01-26 19:57:21 +0100[diff] [blame]50 panic(err)
51 }
Lorenz Brunfe6b5062024-07-02 16:32:35 +0000[diff] [blame]52 if err := cgroups.WriteCgroupProc("/sys/fs/cgroup/everything", os.Getpid()); err != nil {
Lorenz Brun3a99c592021-01-26 19:57:21 +0100[diff] [blame]53 panic(err)
54 }
Lorenz Brun3a99c592021-01-26 19:57:21 +0100[diff] [blame]55 return nil
56}