drivers/exec: bind mount /dev into rootfs

Restores pre-0.9 behavior, where Nomad makes /dev available to exec task. Switching to libcontainer, we accidentally made only a small subset available. Here, we err on the side of preserving behavior of 0.8, instead of going for the sensible route, where only a reasonable subset of devices is mounted by default and user can opt to request more.
2026-01-06 10:25:42 +03:00 · 2019-01-03 13:39:42 -05:00
parent 41d6635026
commit ff9a4a17e5
1 changed files with 6 additions and 25 deletions
--- a/drivers/shared/executor/executor_linux.go
+++ b/drivers/shared/executor/executor_linux.go
@@ -506,7 +506,9 @@ func configureIsolation(cfg *lconfigs.Config, command *ExecCommand) error {
 		"/proc/sys", "/proc/sysrq-trigger", "/proc/irq", "/proc/bus",
 	}

-	cfg.Devices = lconfigs.DefaultAutoCreatedDevices
+	// we bind-mount /dev to preserve pre-0.9 behavior; so avoid setting up individual devices
+	cfg.Devices = []*lconfigs.Device{}
+
 	if len(command.Devices) > 0 {
 		devs, err := cmdDevices(command.Devices)
 		if err != nil {
@@ -517,11 +519,10 @@ func configureIsolation(cfg *lconfigs.Config, command *ExecCommand) error {

 	cfg.Mounts = []*lconfigs.Mount{
 		{
-			Source:      "tmpfs",
+			Source:      "/dev",
 			Destination: "/dev",
-			Device:      "tmpfs",
-			Flags:       syscall.MS_NOSUID | syscall.MS_STRICTATIME,
-			Data:        "mode=755",
+			Device:      "bind",
+			Flags:       syscall.MS_BIND | syscall.MS_RDONLY | syscall.MS_NOEXEC,
 		},
 		{
 			Source:      "proc",
@@ -529,26 +530,6 @@ func configureIsolation(cfg *lconfigs.Config, command *ExecCommand) error {
 			Device:      "proc",
 			Flags:       defaultMountFlags,
 		},
-		{
-			Source:      "devpts",
-			Destination: "/dev/pts",
-			Device:      "devpts",
-			Flags:       syscall.MS_NOSUID | syscall.MS_NOEXEC,
-			Data:        "newinstance,ptmxmode=0666,mode=0620,gid=5",
-		},
-		{
-			Device:      "tmpfs",
-			Source:      "shm",
-			Destination: "/dev/shm",
-			Data:        "mode=1777,size=65536k",
-			Flags:       defaultMountFlags,
-		},
-		{
-			Source:      "mqueue",
-			Destination: "/dev/mqueue",
-			Device:      "mqueue",
-			Flags:       defaultMountFlags,
-		},
 		{
 			Source:      "sysfs",
 			Destination: "/sys",