use nsenter to touch file

barpilot · Dec 3, 2018 · 7088dac · 7088dac
1 parent 34a17b2
commit 7088dac
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 11 deletions.
diff --git a/cmd/root.go b/cmd/root.go
@@ -19,6 +19,7 @@ import (
 	"log"
 	"math/rand"
 	"os"
+	"os/exec"
 	"time"
 
 	"github.com/capnm/sysinfo"
@@ -115,10 +116,30 @@ func root(cmd *cobra.Command, args []string) {
 
 	tick := delaytick.New(source, delay)
 	for range tick {
-		_, err := os.OpenFile(rebootSentinel, os.O_RDONLY|os.O_CREATE, 0666)
-		if err != nil {
-			log.Fatal(err)
+		if touchSentinel() {
+			log.Printf("File %s touched", rebootSentinel)
+		} else {
+			log.Printf("Error when touching %s", rebootSentinel)
+		}
+	}
+}
+
+func touchSentinel() bool {
+	// Relies on hostPID:true and privileged:true to enter host mount space
+	sentinelCmd := exec.Command("/usr/bin/nsenter", "-m/proc/1/ns/mnt", "--", "/usr/bin/touch", rebootSentinel)
+	if err := sentinelCmd.Run(); err != nil {
+		switch err := err.(type) {
+		case *exec.ExitError:
+			// We assume a non-zero exit code means 'reboot not required', but of course
+			// the user could have misconfigured the sentinel command or something else
+			// went wrong during its execution. In that case, not entering a reboot loop
+			// is the right thing to do, and we are logging stdout/stderr of the command
+			// so it should be obvious what is wrong.
+			return false
+		default:
+			// Something was grossly misconfigured, such as the command path being wrong.
+			log.Fatalf("Error invoking sentinel command: %v", err)
 		}
-		log.Printf("File %s touched", rebootSentinel)
 	}
+	return true
 }
diff --git a/daemonset.yaml b/daemonset.yaml
@@ -14,20 +14,16 @@ spec:
       labels:
         name: kured-toujours
     spec:
+      hostPID: true # Facilitate entering the host mount namespace via init
       containers:
       - name: kured-toujours
         image: barpilot/kured-toujours:0.0.1
         args: ["--period", "168h"]
+        securityContext:
+          privileged: true # Give permission to nsenter /proc/1/ns/mnt
         resources:
           limits:
             memory: 20Mi
           requests:
             cpu: 10m
             memory: 5Mi
-        volumeMounts:
-        - name: run
-          mountPath: /var/run
-      volumes:
-      - name: run
-        hostPath:
-          path: /var/run