volume: allow a prefix for all bind mounts

giuseppe · giuseppe · commit 1fc7510329f9 · 2018-04-06T13:42:24.000+02:00
Introduce a new config --bind-mount-prefix=PREFIX that adds a prefix to the source for every bind mount. This allows Docker to run inside of a container, and be able to see the host rootfs. As an example: running Docker with --bind-mount-prefix=/host, will convert: docker run -v /var/lib/mariadb:/var/lib/mariadb ... to: docker run -v /host/var/lib/mariadb:/var/lib/mariadb ... Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> (cherry picked from commit 38e1b7d)
diff --git a/contrib/completion/bash/docker b/contrib/completion/bash/docker
@@ -1865,6 +1865,7 @@ _docker_daemon() {
 		--add-runtime
 		--api-cors-header
 		--authorization-plugin
+                --bind-mount-prefix
 		--bip
 		--block-registry
 		--bridge -b
diff --git a/daemon/config_unix.go b/daemon/config_unix.go
@@ -38,6 +38,7 @@ type Config struct {
 	SeccompProfile       string                   `json:"seccomp-profile,omitempty"`
 	SigCheck             bool                     `json:"signature-verification"`
 	EnableSecrets        bool                     `json:"enable-secrets"`
+	BindMountPrefix      string                   `json:"bind-mount-prefix"`
 }
 
 // bridgeConfig stores all the bridge driver specific
@@ -93,6 +94,7 @@ func (config *Config) InstallFlags(flags *pflag.FlagSet) {
 	flags.StringVar(&config.SeccompProfile, "seccomp-profile", "", "Path to seccomp profile")
 	flags.BoolVar(&config.SigCheck, "signature-verification", true, "Check image's signatures on pull")
 	flags.BoolVar(&config.EnableSecrets, "enable-secrets", true, "Enable Secrets")
+	flags.StringVar(&config.BindMountPrefix, "bind-mount-prefix", "", "Specify a prefix to prepend to the source of a bind mount")
 
 	config.attachExperimentalFlags(flags)
 }
diff --git a/daemon/volumes_unix.go b/daemon/volumes_unix.go
@@ -43,7 +43,7 @@ func (daemon *Daemon) setupMounts(c *container.Container) ([]container.Mount, er
 			return nil, err
 		}
 		rootUID, rootGID := daemon.GetRemappedUIDGID()
-		path, err := m.Setup(c.MountLabel, rootUID, rootGID)
+		path, err := m.Setup(daemon.configStore.BindMountPrefix, c.MountLabel, rootUID, rootGID)
 		if err != nil {
 			return nil, err
 		}
diff --git a/docs/reference/commandline/dockerd.md b/docs/reference/commandline/dockerd.md
@@ -25,6 +25,7 @@ Options:
       --add-runtime value                     Register an additional OCI compatible runtime (default [])
       --api-cors-header string                Set CORS headers in the Engine API
       --authorization-plugin value            Authorization plugins to load (default [])
+      --bind-mount-prefix                     Specify a prefix to prepend to the source of a bind mount
       --bip string                            Specify network bridge IP
   -b, --bridge string                         Attach containers to a network bridge
       --cgroup-parent string                  Set parent cgroup for all containers
diff --git a/man/dockerd.8.md b/man/dockerd.8.md
@@ -11,6 +11,7 @@ dockerd - Enable daemon mode
 [**--api-cors-header**=[=*API-CORS-HEADER*]]
 [**--authorization-plugin**[=*[]*]]
 [**-b**|**--bridge**[=*BRIDGE*]]
+[**--bind-mount-prefix[=*PREFIX*]]
 [**--bip**[=*BIP*]]
 [**--block-registry**[=*[]*]]
 [**--cgroup-parent**[=*[]*]]
@@ -133,6 +134,9 @@ $ sudo dockerd --add-runtime runc=runc --add-runtime custom=/usr/local/bin/my-ru
   Attach containers to a pre\-existing network bridge; use 'none' to disable
   container networking
 
+**--bind-mount-prefix**=""
+  Specify a prefix to use for the source of the bind mounts.
+
 **--bip**=""
   Use the provided CIDR notation address for the dynamically created bridge
   (docker0); Mutually exclusive of \-b
diff --git a/volume/volume.go b/volume/volume.go
@@ -9,6 +9,7 @@ import (
 
 	mounttypes "github.com/docker/docker/api/types/mount"
 	"github.com/docker/docker/pkg/idtools"
+	"github.com/docker/docker/pkg/symlink"
 	"github.com/docker/docker/pkg/stringid"
 	"github.com/opencontainers/runc/libcontainer/label"
 	"github.com/pkg/errors"
@@ -124,23 +125,28 @@ type MountPoint struct {
 
 // Setup sets up a mount point by either mounting the volume if it is
 // configured, or creating the source directory if supplied.
-func (m *MountPoint) Setup(mountLabel string, rootUID, rootGID int) (path string, err error) {
+func (m *MountPoint) Setup(prefix, mountLabel string, rootUID, rootGID int) (path string, err error) {
+	symlinkRoot := prefix
+	if symlinkRoot == "" {
+		symlinkRoot = "/"
+	}
+	sourcePath, err := symlink.FollowSymlinkInScope(filepath.Join(prefix, m.Source), symlinkRoot)
+	if err != nil {
+		path = ""
+		err = errors.Wrapf(err, "error evaluating symlink from mount source '%s'", m.Source)
+		return
+	}
+
 	defer func() {
 		if err == nil {
 			if label.RelabelNeeded(m.Mode) {
-				sourcePath, err := filepath.EvalSymlinks(m.Source)
-				if err != nil {
-					path = ""
-					err = errors.Wrapf(err, "error evaluating symlink from mount source '%s'", m.Source)
-					return
-				}
 				err = label.Relabel(sourcePath, mountLabel, label.IsShared(m.Mode))
 				if err == syscall.ENOTSUP {
 					err = nil
 				}
 				if err != nil {
 					path = ""
-					err = errors.Wrapf(err, "error setting label on mount source '%s'", m.Source)
+					err = errors.Wrapf(err, "error setting label on mount source '%s'", sourcePath)
 					return
 				}
 			}
@@ -162,19 +168,19 @@ func (m *MountPoint) Setup(mountLabel string, rootUID, rootGID int) (path string
 	if len(m.Source) == 0 {
 		return "", fmt.Errorf("Unable to setup mount point, neither source nor volume defined")
 	}
-	// system.MkdirAll() produces an error if m.Source exists and is a file (not a directory),
+	// system.MkdirAll() produces an error if source exists and is a file (not a directory),
 	if m.Type == mounttypes.TypeBind {
-		// idtools.MkdirAllNewAs() produces an error if m.Source exists and is a file (not a directory)
+		// idtools.MkdirAllNewAs() produces an error if source exists and is a file (not a directory)
 		// also, makes sure that if the directory is created, the correct remapped rootUID/rootGID will own it
-		if err := idtools.MkdirAllNewAs(m.Source, 0755, rootUID, rootGID); err != nil {
+		if err := idtools.MkdirAllNewAs(sourcePath, 0755, rootUID, rootGID); err != nil {
 			if perr, ok := err.(*os.PathError); ok {
 				if perr.Err != syscall.ENOTDIR {
-					return "", errors.Wrapf(err, "error while creating mount source path '%s'", m.Source)
+					return "", errors.Wrapf(err, "error while creating mount source path '%s'", sourcePath)
 				}
 			}
 		}
 	}
-	return m.Source, nil
+	return sourcePath, nil
 }
 
 // Path returns the path of a volume in a mount point.

Original file line number	Diff line number	Diff line change
`@@ -38,6 +38,7 @@ type Config struct {`
`38`	`38`	SeccompProfile string `json:"seccomp-profile,omitempty"`
`39`	`39`	SigCheck bool `json:"signature-verification"`
`40`	`40`	EnableSecrets bool `json:"enable-secrets"`
	`41`	+ BindMountPrefix string `json:"bind-mount-prefix"`
`41`	`42`	`}`
`42`	`43`
`43`	`44`	`// bridgeConfig stores all the bridge driver specific`
`@@ -93,6 +94,7 @@ func (config Config) InstallFlags(flags pflag.FlagSet) {`
`93`	`94`	`flags.StringVar(&config.SeccompProfile, "seccomp-profile", "", "Path to seccomp profile")`
`94`	`95`	`flags.BoolVar(&config.SigCheck, "signature-verification", true, "Check image's signatures on pull")`
`95`	`96`	`flags.BoolVar(&config.EnableSecrets, "enable-secrets", true, "Enable Secrets")`
	`97`	`+ flags.StringVar(&config.BindMountPrefix, "bind-mount-prefix", "", "Specify a prefix to prepend to the source of a bind mount")`
`96`	`98`
`97`	`99`	`config.attachExperimentalFlags(flags)`
`98`	`100`	`}`
Original file line number	Diff line number	Diff line change
`@@ -43,7 +43,7 @@ func (daemon Daemon) setupMounts(c container.Container) ([]container.Mount, er`
`43`	`43`	`return nil, err`
`44`	`44`	`}`
`45`	`45`	`rootUID, rootGID := daemon.GetRemappedUIDGID()`
`46`		`- path, err := m.Setup(c.MountLabel, rootUID, rootGID)`
	`46`	`+ path, err := m.Setup(daemon.configStore.BindMountPrefix, c.MountLabel, rootUID, rootGID)`
`47`	`47`	`if err != nil {`
`48`	`48`	`return nil, err`
`49`	`49`	`}`