[workspacekit] Add ring2 enclave support

gitpod-io · Oct 21, 2021 · a996c98 · a996c98
1 parent 264331a
commit a996c98
Show file tree

Hide file tree

Showing 3 changed files with 66 additions and 0 deletions.
diff --git a/components/common-go/nsenter/utils.go b/components/common-go/nsenter/utils.go
@@ -75,6 +75,7 @@ func Run(pid int, args []string, addFD []*os.File, enterNamespace ...Namespace)
 
 	cmd.Stdout = os.Stdout
 	cmd.Stderr = os.Stderr
+	cmd.Stdin = os.Stdin
 	err := cmd.Run()
 	if err != nil {
 		return xerrors.Errorf("cannot run handler: %w", err)

diff --git a/components/workspacekit/cmd/nsenter.go b/components/workspacekit/cmd/nsenter.go
@@ -0,0 +1,52 @@
+// Copyright (c) 2021 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License-AGPL.txt in the project root for license information.
+
+package cmd
+
+import (
+	"log"
+	"os"
+
+	"github.com/spf13/cobra"
+	"golang.org/x/sys/unix"
+
+	"github.com/gitpod-io/gitpod/common-go/nsenter"
+)
+
+var nsenterOpts struct {
+	Target  int
+	MountNS bool
+}
+
+var nsenterCmd = &cobra.Command{
+	Use:     "nsenter <cmd> <args ...>",
+	Short:   "enters namespaces and executes the arg",
+	Args:    cobra.MinimumNArgs(1),
+	Aliases: []string{"handler"},
+	Run: func(_ *cobra.Command, args []string) {
+		if os.Getenv("_LIBNSENTER_INIT") != "" {
+			err := unix.Exec(args[0], args, os.Environ())
+			if err != nil {
+				log.Fatalf("cannot exec: %v", err)
+			}
+			return
+		}
+
+		var ns []nsenter.Namespace
+		if nsenterOpts.MountNS {
+			ns = append(ns, nsenter.NamespaceMount)
+		}
+		err := nsenter.Run(nsenterOpts.Target, args, nil, ns...)
+		if err != nil {
+			log.Fatal(err)
+		}
+	},
+}
+
+func init() {
+	rootCmd.AddCommand(nsenterCmd)
+
+	nsenterCmd.Flags().IntVar(&nsenterOpts.Target, "target", 0, "target PID")
+	nsenterCmd.Flags().BoolVar(&nsenterOpts.MountNS, "mount", false, "enter mount namespace")
+}
diff --git a/components/workspacekit/cmd/rings.go b/components/workspacekit/cmd/rings.go
@@ -18,6 +18,7 @@ import (
 	"os/signal"
 	"path/filepath"
 	"runtime"
+	"strconv"
 	"strings"
 	"syscall"
 	"time"
@@ -479,6 +480,18 @@ var ring1Cmd = &cobra.Command{
 			}()
 		}
 
+		if enclave := os.Getenv("WORKSPACEKIT_RING2_ENCLAVE"); enclave != "" {
+			ecmd := exec.Command("/proc/self/exe", append([]string{"nsenter", "--target", strconv.Itoa(cmd.Process.Pid), "--mount"}, strings.Fields(enclave)...)...)
+			ecmd.Stdout = os.Stdout
+			ecmd.Stderr = os.Stderr
+
+			err := ecmd.Start()
+			if err != nil {
+				log.WithError(err).WithField("cmd", enclave).Error("cannot run enclave")
+				return
+			}
+		}
+
 		go func() {
 			err := lift.ServeLift(ctx, lift.DefaultSocketPath)
 			if err != nil {