wip npsnter using RawSyscall

Yolean · Jul 13, 2024 · 25676a8 · 25676a8
1 parent f66e952
commit 25676a8
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 19 deletions.
diff --git a/registry/node-update/daemonset.yaml b/registry/node-update/daemonset.yaml
@@ -19,12 +19,13 @@ spec:
         operator: Exists
       hostPID: true
       hostNetwork: true
-      securityContext:
-        runAsUser: 0
       containers:
       - name: config
         image: ghcr.io/yolean/ystack-registry-node-update:latest
         imagePullPolicy: Always
+        securityContext:
+          runAsUser: 0
+          privileged: true
         volumeMounts:
         - name: etc-containerd
           mountPath: /etc/containerd

diff --git a/registry/node-update/go.mod b/registry/node-update/go.mod
@@ -28,7 +28,7 @@ require (
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	golang.org/x/net v0.25.0 // indirect
 	golang.org/x/oauth2 v0.10.0 // indirect
-	golang.org/x/sys v0.21.0 // indirect
+	golang.org/x/sys v0.22.0 // indirect
 	golang.org/x/term v0.20.0 // indirect
 	golang.org/x/text v0.15.0 // indirect
 	golang.org/x/time v0.3.0 // indirect

diff --git a/registry/node-update/go.sum b/registry/node-update/go.sum
@@ -84,6 +84,8 @@ golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
 golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
 golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI=
+golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.18.0 h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8=
 golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
 golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw=

diff --git a/registry/node-update/main.go b/registry/node-update/main.go
@@ -7,9 +7,9 @@ import (
 	"log"
 	"os"
 	"os/exec"
+	"syscall"
 	"time"
 
-	"github.com/containernetworking/plugins/pkg/ns"
 	"github.com/txn2/txeh"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -67,21 +67,34 @@ func main() {
 	fmt.Printf("containerd config updated\n")
 
 	fmt.Printf("containerd restart\n")
-	if err = ns.WithNetNSPath(fmt.Sprintf("/proc/%d/ns/mnt", containerdTargetPid), func(_ ns.NetNS) error {
-		// Code to run inside the namespace
-		cmd := exec.Command("systemctl", "restart", "containerd")
-		cmd.Stdin = os.Stdin
-		cmd.Stdout = os.Stdout
-		cmd.Stderr = os.Stderr
-		if err := cmd.Run(); err != nil {
-			log.Fatalf("Failed to run command in namespace: %v", err)
-		}
-		return nil
-	}); err != nil {
-		log.Fatalf("Failed to enter namespaces: %v", err)
+	nsPath := fmt.Sprintf("/proc/%d/ns/mnt", containerdTargetPid)
+	nsFile, err := os.Open(nsPath)
+	if err != nil {
+		log.Fatalf("Failed to open namespace file: %v", err)
+	}
+	defer nsFile.Close()
+
+	// probably AMD64 only
+	const SYS_SETNS = 308
+	const CLONE_NEWNS = 0x00020000
+	if _, _, err := syscall.RawSyscall(SYS_SETNS, uintptr(nsFile.Fd()), uintptr(CLONE_NEWNS), 0); err != 0 {
+		fmt.Printf("Failed to set new namespace: %v\n", err)
+		return
 	}
+
+	cmd := exec.Command("systemctl", "restart", "containerd")
+	cmd.Stdin = os.Stdin
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	if err := cmd.Run(); err != nil {
+		log.Fatalf("Failed to run command in namespace: %v", err)
+	}
+
 	fmt.Printf("containerd restarted\n")
 
+	// TODO initcontainer or not?
+	time.Sleep(10 * time.Hour)
+
 	clientconfig, err := rest.InClusterConfig()
 	if err != nil {
 		panic(err.Error())
@@ -106,7 +119,4 @@ func main() {
 
 	// TODO
 	// nsenter --mount=/proc/1/ns/mnt -- containerd config dump
-
-	// TODO initcontainer or not?
-	time.Sleep(10 * time.Hour)
 }