From 2e0a50bde1061a34c3e8675441cfbd6f3724e29e Mon Sep 17 00:00:00 2001
From: Shishir Mahajan
Date: Tue, 12 Jan 2021 10:00:22 -0800
Subject: [PATCH] Change filesystem isolation to FSIsolationImage.

Signed-off-by: Shishir Mahajan
---
 containerd/containerd.go | 21 ++++++++++++---------
 containerd/driver.go | 22 ++++++++++++----------
 2 files changed, 24 insertions(+), 19 deletions(-)

diff --git a/containerd/containerd.go b/containerd/containerd.go
index d0648a0..c32707a 100644
--- a/containerd/containerd.go
+++ b/containerd/containerd.go
@@ -36,9 +36,12 @@ type ContainerConfig struct {
 	ContainerName string
 	ContainerSnapshotName string
 	NetworkNamespacePath string
-	SecretsDir string
-	TaskDir string
-	AllocDir string
+	SecretsDirSrc string
+	TaskDirSrc string
+	AllocDirSrc string
+	SecretsDirDest string
+	TaskDirDest string
+	AllocDirDest string
 	Env []string
 	MemoryLimit int64
 	CPUShares int64
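Review bot: The six new ContainerConfig fields never say which side of the bind each path lives on, and host-vs-container confusion is exactly the mistake a mount setup gets wrong. I'd document them at the declaration, e.g. `// SecretsDirSrc is the host path of the task's secrets dir; SecretsDirDest is the path it is bind-mounted at inside the container.` and the same for the task and alloc pairs. From StartTask later in this patch the Src values come from cfg.TaskDir() and the Dest values from the NOMAD_*_DIR task env entries, so saying that here lets a reader check the destination/source argument order in buildMountpoint. The struct definition continues outside the hunk.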
@@ -165,20 +168,20 @@ func (d *Driver) createContainer(containerConfig *ContainerConfig, config *TaskC
 	}
 
 	// Setup "/secrets" (NOMAD_SECRETS_DIR) in the container.
-	if containerConfig.SecretsDir != "" {
-		secretsMount := buildMountpoint("bind", "/secrets", containerConfig.SecretsDir, []string{"rbind", "ro"})
+	if containerConfig.SecretsDirSrc != "" && containerConfig.SecretsDirDest != "" {
+		secretsMount := buildMountpoint("bind", containerConfig.SecretsDirDest, containerConfig.SecretsDirSrc, []string{"rbind", "rw"})
 		mounts = append(mounts, secretsMount)
 	}
 
 	// Setup "/local" (NOMAD_TASK_DIR) in the container.
-	if containerConfig.TaskDir != "" {
-		taskMount := buildMountpoint("bind", "/local", containerConfig.TaskDir, []string{"rbind", "ro"})
+	if containerConfig.TaskDirSrc != "" && containerConfig.TaskDirDest != "" {
+		taskMount := buildMountpoint("bind", containerConfig.TaskDirDest, containerConfig.TaskDirSrc, []string{"rbind", "rw"})
 		mounts = append(mounts, taskMount)
 	}
 
 	// Setup "/alloc" (NOMAD_ALLOC_DIR) in the container.
-	if containerConfig.AllocDir != "" {
-		allocMount := buildMountpoint("bind", "/alloc", containerConfig.AllocDir, []string{"rbind", "ro"})
+	if containerConfig.AllocDirSrc != "" && containerConfig.AllocDirDest != "" {
+		allocMount := buildMountpoint("bind", containerConfig.AllocDirDest, containerConfig.AllocDirSrc, []string{"rbind", "rw"})
 		mounts = append(mounts, allocMount)
 	}
 
diff --git a/containerd/driver.go b/containerd/driver.go
index 336452b..2159e39 100644
--- a/containerd/driver.go
+++ b/containerd/driver.go
@@ -29,6 +29,7 @@ import (
 	"github.com/hashicorp/go-hclog"
 	log "github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/nomad/client/stats"
+	"github.com/hashicorp/nomad/client/taskenv"
 	"github.com/hashicorp/nomad/drivers/shared/eventer"
 	"github.com/hashicorp/nomad/plugins/base"
 	"github.com/hashicorp/nomad/plugins/drivers"
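Review bot: All three bind mounts switch from `ro` to `rw` in this hunk, so the container can now write into the host-backed secrets, task and alloc directories, yet neither the commit message nor a comment explains that widening; the subject line only mentions the isolation mode. If read-write is deliberate (for example to match how Nomad's other drivers expose these directories), record it at the mount, e.g. `// Mounted rw on purpose: <reason>; keep in sync with the other NOMAD_*_DIR mounts below.` — otherwise I would keep at least the secrets mount read-only, since nothing in the hunk shows the task needing to write there. Note also that `rbind` recursively propagates any mounts nested under the host directory, which combined with `rw` is a larger surface than the previous `ro` bind. createContainer starts and ends outside the hunk.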
@@ -118,7 +119,7 @@ var (
 	capabilities = &drivers.Capabilities{
 		SendSignals: true,
 		Exec: true,
-		FSIsolation: drivers.FSIsolationNone,
+		FSIsolation: drivers.FSIsolationImage,
 		NetIsolationModes: []drivers.NetIsolationMode{drivers.NetIsolationModeGroup, drivers.NetIsolationModeTask},
 	}
 )
@@ -385,18 +386,19 @@ func (d *Driver) StartTask(cfg *drivers.TaskConfig) (*drivers.TaskHandle, *drive
 		if skipOverride(key) {
 			continue
 		}
-		if key == "NOMAD_SECRETS_DIR" {
-			containerConfig.SecretsDir = val
-		}
-		if key == "NOMAD_TASK_DIR" {
-			containerConfig.TaskDir = val
-		}
-		if key == "NOMAD_ALLOC_DIR" {
-			containerConfig.AllocDir = val
-		}
 		containerConfig.Env = append(containerConfig.Env, fmt.Sprintf("%s=%s", key, val))
 	}
 
+	// Setup source paths for secrets, task and alloc directories.
+	containerConfig.SecretsDirSrc = cfg.TaskDir().SecretsDir
+	containerConfig.TaskDirSrc = cfg.TaskDir().LocalDir
+	containerConfig.AllocDirSrc = cfg.TaskDir().SharedAllocDir
+
+	// Setup destination paths for secrets, task and alloc directories.
+	containerConfig.SecretsDirDest = cfg.Env[taskenv.SecretsDir]
+	containerConfig.TaskDirDest = cfg.Env[taskenv.TaskLocalDir]
+	containerConfig.AllocDirDest = cfg.Env[taskenv.AllocDir]
+
 	containerConfig.ContainerSnapshotName = fmt.Sprintf("%s-snapshot", containerName)
 	if cfg.NetworkIsolation != nil && cfg.NetworkIsolation.Path != "" {
 		containerConfig.NetworkNamespacePath = cfg.NetworkIsolation.Path
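Review bot: The FSIsolation change is load-bearing for the mount logic added later in this patch (StartTask reads the NOMAD_*_DIR task env entries as in-container mount destinations), but the field carries no comment tying the two together. I'd add one above it: `// FSIsolationImage: the task sees the image rootfs, so the NOMAD_*_DIR env values are in-container paths; StartTask bind-mounts the host dirs from cfg.TaskDir() at those paths.` Whether Nomad derives those env values from this capability is something I infer from the rest of the patch, not from this hunk, so confirm before committing the wording. The capabilities var block continues outside the hunk.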
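Review bot: The three `Dest` assignments read `cfg.Env[...]` without checking that the key is present, and createContainer (earlier in this patch) silently skips a bind mount whenever the destination is empty, so a task whose environment lacks NOMAD_SECRETS_DIR would start with no secrets directory mounted and no error. The Src paths come from cfg.TaskDir() and are not validated either, but a missing Dest is a misconfiguration that should fail StartTask rather than quietly degrade; I'd validate the three values right after assigning them, as below. If the job's env block can override those keys (the skipOverride loop above filters some keys, but I cannot tell which), an override only moves the in-container mount point, since the host side of each bind is still cfg.TaskDir(); a one-line comment saying so would save the next reader the same question. StartTask's return list is cut off at the hunk header, so the `return nil, nil, ...` below assumes the usual three-value driver signature.

```go
	// Setup destination paths for secrets, task and alloc directories.
	containerConfig.SecretsDirDest = cfg.Env[taskenv.SecretsDir]
	containerConfig.TaskDirDest = cfg.Env[taskenv.TaskLocalDir]
	containerConfig.AllocDirDest = cfg.Env[taskenv.AllocDir]

	// Fail loudly on a missing destination: createContainer skips the bind
	// mount when it is empty, which would start the task without its
	// secrets/local/alloc directory and report no error.
	for _, d := range []struct{ key, path string }{
		{taskenv.SecretsDir, containerConfig.SecretsDirDest},
		{taskenv.TaskLocalDir, containerConfig.TaskDirDest},
		{taskenv.AllocDir, containerConfig.AllocDirDest},
	} {
		if d.path == "" {
			return nil, nil, fmt.Errorf("task environment is missing %s: cannot mount it into the container", d.key)
		}
	}

	// … unchanged: snapshot name, network namespace path …
```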