From 0c2821d6f2de692d105e50a399daa65169697cca Mon Sep 17 00:00:00 2001
From: Brian Goff
Date: Wed, 2 Aug 2017 16:45:12 -0400
Subject: [PATCH] Make plugins dir private.
This prevents mounts in the plugins dir from leaking into other namespaces which can prevent removal (`device or resource busy`), particularly on older kernels.
Signed-off-by: Brian Goff
---
 plugin/manager.go | 5 +++++
 plugin/manager_linux.go | 8 ++++++++
 plugin/manager_solaris.go | 2 ++
 plugin/manager_windows.go | 2 ++
 4 files changed, 17 insertions(+)
diff --git a/plugin/manager.go b/plugin/manager.go
index 6cfa430aab..2281dfdd6c 100644
--- a/plugin/manager.go
+++ b/plugin/manager.go
@@ -105,6 +105,11 @@ func NewManager(config ManagerConfig) (*Manager, error) {
 if err := os.MkdirAll(manager.tmpDir(), 0700); err != nil {
 return nil, errors.Wrapf(err, "failed to mkdir %v", manager.tmpDir())
 }
+
+ if err := setupRoot(manager.config.Root); err != nil {
+ return nil, err
+ }
+
 var err error
 manager.containerdClient, err = config.Executor.Client(manager) // todo: move to another struct
 if err != nil {
diff --git a/plugin/manager_linux.go b/plugin/manager_linux.go
index 98370daca6..301b12c814 100644
--- a/plugin/manager_linux.go
+++ b/plugin/manager_linux.go
@@ -162,6 +162,13 @@ func shutdownPlugin(p *v2.Plugin, c *controller, containerdClient libcontainerd.
 }
 }

+func setupRoot(root string) error {
+ if err := mount.MakePrivate(root); err != nil {
+ return errors.Wrap(err, "error setting plugin manager root to private")
+ }
+ return nil
+}
+
 func (pm *Manager) disable(p *v2.Plugin, c *controller) error {
 if !p.IsEnabled() {
 return fmt.Errorf("plugin %s is already disabled", p.Name())
@@ -190,6 +197,7 @@ func (pm *Manager) Shutdown() {
 shutdownPlugin(p, c, pm.containerdClient)
 }
 }
+ mount.Unmount(pm.config.Root)
 }

 func (pm *Manager) upgradePlugin(p *v2.Plugin, configDigest digest.Digest, blobsums []digest.Digest, tmpRootFSDir string, privileges *types.PluginPrivileges) (err error) {
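Review bot: Nothing undoes `setupRoot(manager.config.Root)` in plugin/manager.go when a later step of NewManager fails, such as the `config.Executor.Client(manager)` call directly below it. If `mount.MakePrivate` bind-mounts the root onto itself when it is not already a mount point (my reading of pkg/mount, please confirm), an early `return nil, err` leaves that mount behind, which is the kind of leftover mount this commit sets out to avoid. Consider unmounting the root on the error paths after this point, or moving the call next to code that can clean it up. NewManager's body starts and ends outside the hunk.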
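Review bot: `setupRoot` in plugin/manager_linux.go has no comment saying why the root is made private or that the call can change the host's mount table. I would add `// setupRoot makes the plugin root a private mount so that mounts created under it do not propagate into other mount namespaces.` above it, and mention there that Shutdown unmounts the root again. The wrapped error would also be easier to act on with the path in it, for example `errors.Wrapf(err, "error setting plugin manager root %s to private", root)`.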
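Review bot: The added `mount.Unmount(pm.config.Root)` at the end of Shutdown in plugin/manager_linux.go drops the returned error, so a root that stays mounted (for example because something under it is still busy) is never reported. Check the result with `if err := mount.Unmount(pm.config.Root); err != nil {` and log a warning through the logger this file already uses. The call is also unconditional: if the root was already a mount point before the daemon started, this may unmount something the daemon did not create, so it seems safer for setupRoot to record whether it made the mount and for Shutdown to undo only that. Shutdown's body starts outside the hunk.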
diff --git a/plugin/manager_solaris.go b/plugin/manager_solaris.go
index 72ccae72d3..ac03d6e639 100644
--- a/plugin/manager_solaris.go
+++ b/plugin/manager_solaris.go
@@ -26,3 +26,5 @@ func (pm *Manager) restore(p *v2.Plugin) error {
 // Shutdown plugins
 func (pm *Manager) Shutdown() {
 }
+
+func setupRoot(root string) error { return nil }
diff --git a/plugin/manager_windows.go b/plugin/manager_windows.go
index 4469a671f7..56a7ee3ece 100644
--- a/plugin/manager_windows.go
+++ b/plugin/manager_windows.go
@@ -28,3 +28,5 @@ func (pm *Manager) restore(p *v2.Plugin) error {
 // Shutdown plugins
 func (pm *Manager) Shutdown() {
 }
+
+func setupRoot(root string) error { return nil }