From 25676a8a2fa3c0e7dbd6ab51380f7f4ecd0d736e Mon Sep 17 00:00:00 2001
From: Staffan Olsson
Date: Sat, 13 Jul 2024 17:12:44 +0200
Subject: [PATCH] wip npsnter using RawSyscall

---
 registry/node-update/daemonset.yaml |  5 ++--
 registry/node-update/go.mod         |  2 +-
 registry/node-update/go.sum         |  2 ++
 registry/node-update/main.go        | 42 ++++++++++++++++++-----------
 4 files changed, 32 insertions(+), 19 deletions(-)

diff --git a/registry/node-update/daemonset.yaml b/registry/node-update/daemonset.yaml
index 00f32af..5d4e015 100644
--- a/registry/node-update/daemonset.yaml
+++ b/registry/node-update/daemonset.yaml
@@ -19,12 +19,13 @@ spec:
         operator: Exists
       hostPID: true
       hostNetwork: true
-      securityContext:
-        runAsUser: 0
       containers:
       - name: config
         image: ghcr.io/yolean/ystack-registry-node-update:latest
         imagePullPolicy: Always
+        securityContext:
+          runAsUser: 0
+          privileged: true
         volumeMounts:
         - name: etc-containerd
           mountPath: /etc/containerd
diff --git a/registry/node-update/go.mod b/registry/node-update/go.mod
index 311966b..e5b4fb0 100644
--- a/registry/node-update/go.mod
+++ b/registry/node-update/go.mod
@@ -28,7 +28,7 @@ require (
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	golang.org/x/net v0.25.0 // indirect
 	golang.org/x/oauth2 v0.10.0 // indirect
-	golang.org/x/sys v0.21.0 // indirect
+	golang.org/x/sys v0.22.0 // indirect
 	golang.org/x/term v0.20.0 // indirect
 	golang.org/x/text v0.15.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
diff --git a/registry/node-update/go.sum b/registry/node-update/go.sum
index d90e572..e9eaf43 100644
--- a/registry/node-update/go.sum
+++ b/registry/node-update/go.sum
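Review bot: `privileged: true` on the config container is broader than the operation this commit introduces needs: entering the host mount namespace with setns and running `systemctl restart` is governed by `CAP_SYS_ADMIN` (plus `CAP_SYS_CHROOT` for a mount namespace, per setns(2)), whereas privileged additionally grants every capability, all host devices and an unmasked /proc and /sys. A narrower container `securityContext` would be `runAsUser: 0` with `capabilities: {add: [SYS_ADMIN, SYS_CHROOT]}` and no `privileged` key; if a seccomp profile is applied to the pod, confirm it still admits `setns` and `unshare`. Because the pod already runs as root with `hostPID: true`, `hostNetwork: true` and a writable /etc/containerd mount, the effective blast radius is node-wide either way, which makes the unpinned `:latest` tag pulled with `imagePullPolicy: Always` the bigger exposure: a pushed image gets root on every node without review, so pinning by digest is worth doing alongside this change. Moving `securityContext` from pod to container level is fine on its own, `runAsUser` is honoured at either level.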
@@ -84,6 +84,8 @@ golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
 golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
 golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI=
+golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.18.0 h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8=
 golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
 golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw=
diff --git a/registry/node-update/main.go b/registry/node-update/main.go
index 29150c4..83a4b7a 100644
--- a/registry/node-update/main.go
+++ b/registry/node-update/main.go
@@ -7,9 +7,9 @@ import (
 	"log"
 	"os"
 	"os/exec"
+	"syscall"
 	"time"
 
-	"github.com/containernetworking/plugins/pkg/ns"
 	"github.com/txn2/txeh"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
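Review bot: The new `"syscall"` import brings in a package whose own documentation marks it frozen and points callers to `golang.org/x/sys/unix`, which this same commit bumps to v0.22.0 in go.mod (still `// indirect`); `"golang.org/x/sys/unix"` is therefore the better replacement for the removed `ns` import. It exports `unix.Setns` and `unix.CLONE_NEWNS` with per-GOARCH values, which removes the need for the amd64-only literals the later hunk of this file hard-codes. The import block continues outside the hunk.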
@@ -67,21 +67,34 @@ func main() {
 
 	fmt.Printf("containerd config updated\n")
 	fmt.Printf("containerd restart\n")
 
-	if err = ns.WithNetNSPath(fmt.Sprintf("/proc/%d/ns/mnt", containerdTargetPid), func(_ ns.NetNS) error {
-		// Code to run inside the namespace
-		cmd := exec.Command("systemctl", "restart", "containerd")
-		cmd.Stdin = os.Stdin
-		cmd.Stdout = os.Stdout
-		cmd.Stderr = os.Stderr
-		if err := cmd.Run(); err != nil {
-			log.Fatalf("Failed to run command in namespace: %v", err)
-		}
-		return nil
-	}); err != nil {
-		log.Fatalf("Failed to enter namespaces: %v", err)
+	nsPath := fmt.Sprintf("/proc/%d/ns/mnt", containerdTargetPid)
+	nsFile, err := os.Open(nsPath)
+	if err != nil {
+		log.Fatalf("Failed to open namespace file: %v", err)
+	}
+	defer nsFile.Close()
+
+	// probably AMD64 only
+	const SYS_SETNS = 308
+	const CLONE_NEWNS = 0x00020000
+	if _, _, err := syscall.RawSyscall(SYS_SETNS, uintptr(nsFile.Fd()), uintptr(CLONE_NEWNS), 0); err != 0 {
+		fmt.Printf("Failed to set new namespace: %v\n", err)
+		return
 	}
+
+	cmd := exec.Command("systemctl", "restart", "containerd")
+	cmd.Stdin = os.Stdin
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	if err := cmd.Run(); err != nil {
+		log.Fatalf("Failed to run command in namespace: %v", err)
+	}
+
 	fmt.Printf("containerd restarted\n")
+	// TODO initcontainer or not?
+	time.Sleep(10 * time.Hour)
+
 	clientconfig, err := rest.InClusterConfig()
 	if err != nil {
 		panic(err.Error())
@@ -106,7 +119,4 @@ func main() {
 
 	// TODO
 	// nsenter --mount=/proc/1/ns/mnt -- containerd config dump
-
-	// TODO initcontainer or not?
-	time.Sleep(10 * time.Hour)
 }
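Review bot: The `syscall.RawSyscall(SYS_SETNS, ...)` call changes the mount namespace of the calling OS thread only, and nothing pins the goroutine to that thread: without `runtime.LockOSThread()` held from before the setns until after `cmd.Run()`, the fork for `systemctl` may happen on a thread that is still in the container's mount namespace, and setns(2) also documents that joining a mount namespace fails with EINVAL while the caller shares filesystem attributes (CLONE_FS) with other threads, which threads created by the Go runtime normally do, so the locked thread needs an `unshare(CLONE_FS)` first. The failure branch then prints and `return`s, so main exits with status 0 after a failed privileged operation, unlike every other failure in this function which goes through `log.Fatalf`; a node-level DaemonSet reporting success when it never entered the host namespace is both the worst outcome and the hardest to alert on. Replacing the amd64-only literals with `unix.Setns`/`unix.CLONE_NEWNS` from golang.org/x/sys (bumped to v0.22.0 in this commit's go.mod) resolves the "probably AMD64 only" comment at the same time; the rewrite below needs `runtime` and `golang.org/x/sys/unix` imported. Separately, `time.Sleep(10 * time.Hour)` now sits before `rest.InClusterConfig()`, so the remainder of main does not run for ten hours, which looks unintended for a WIP. main starts and ends outside the hunk.

```go
	defer nsFile.Close()

	// setns affects only the calling thread, and the fork for systemctl below
	// must happen on that same thread; the lock is deliberately never undone so
	// no other goroutine is scheduled onto the altered thread.
	runtime.LockOSThread()
	// setns(2): a thread that shares fs attributes with other threads cannot
	// join a mount namespace, and Go runtime threads share them by default.
	if err := unix.Unshare(unix.CLONE_FS); err != nil {
		log.Fatalf("Failed to unshare fs attributes: %v", err)
	}
	if err := unix.Setns(int(nsFile.Fd()), unix.CLONE_NEWNS); err != nil {
		log.Fatalf("Failed to set new namespace: %v", err)
	}

	// … unchanged: systemctl restart containerd …
```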