enter the sandbox when hyper_setup_container_rootfs()

Signed-off-by: Lai Jiangshan <[email protected]>

Author: laijs

src/container.c

@@ -269,8 +269,8 @@ static int container_setup_mount(struct hyper_container *container)
 	hyper_mkdir("./dev", 0755);
 	hyper_mkdir("./lib/modules", 0755);
 
-	// mount proc filesystem when the container init process running in the pidns of podinit
-	if (mount("sysfs", "./sys", "sysfs", MS_NOSUID| MS_NODEV| MS_NOEXEC, NULL) < 0 ||
+	if (mount("proc", "./proc", "proc", MS_NOSUID| MS_NODEV| MS_NOEXEC, NULL) < 0 ||
+	    mount("sysfs", "./sys", "sysfs", MS_NOSUID| MS_NODEV| MS_NOEXEC, NULL) < 0 ||
 	    mount("devtmpfs", "./dev", "devtmpfs", MS_NOSUID, NULL) < 0) {
 		perror("mount basic filesystem for container failed");
 		return -1;
@@ -512,6 +512,11 @@ static int hyper_setup_container_rootfs(void *data)
 	int setup_dns;
 	uint32_t type;
 
+	if (hyper_enter_sandbox(arg->pod, -1) < 0) {
+		perror("enter sandbox failed");
+		goto fail;
+	}
+
 	if (hyper_rescan_scsi() < 0) {
 		fprintf(stdout, "rescan scsi failed\n");
 		goto fail;

src/exec.c

@@ -8,7 +8,6 @@
 #include <sys/ioctl.h>
 #include <sys/wait.h>
 #include <sys/socket.h>
-#include <sys/mount.h>
 #include <dirent.h>
 #include <sched.h>
 #include <errno.h>
@@ -519,12 +518,6 @@ static int hyper_do_exec_cmd(struct hyper_exec *exec, struct hyper_pod *pod, int
 		goto out;
 	}
 
-	/* already in pidns & mntns of container, mount proc filesystem */
-	if (exec->init && mount("proc", "/proc", "proc", MS_NOSUID| MS_NODEV| MS_NOEXEC, NULL) < 0) {
-		perror("fail to mount proc filesystem for container");
-		goto out;
-	}
-
 	// set early env. the container env config can overwrite it
 	setenv("HOME", "/root", 1);
 	setenv("HOSTNAME", pod->hostname, 1);