From a76bbde4320591399cd94392ab39650737ee4e13 Mon Sep 17 00:00:00 2001 From: Aditi Ghag Date: Wed, 7 Jul 2021 15:11:20 -0700 Subject: [PATCH] install/kubernetes: Remove `sh` and `mount` dependency from init container The mount-cgroup init container runs a mount command on the underlying host using `nsenter`. However, certain distros like Talos don't have `sh` or `mount` utilities available. Hence, move the logic to check and mount cgroup2 fs to a statically linked Go program binary. Fixes: fa8bea45562f ("cilium-daemonset: Fix ineffective socket-lb caused by incorrect cgroup2 fs mount") Signed-off-by: Aditi Ghag --- Makefile | 2 +- .../templates/cilium-agent-daemonset.yaml | 15 +++++--- tools/Makefile | 4 +-- tools/mount/.gitignore | 1 + tools/mount/Makefile | 27 ++++++++++++++ tools/mount/main.go | 35 +++++++++++++++++++ 6 files changed, 76 insertions(+), 8 deletions(-) create mode 100644 tools/mount/.gitignore create mode 100644 tools/mount/Makefile create mode 100644 tools/mount/main.go diff --git a/Makefile b/Makefile index 0e2cd762c1084..ac8bc1d53b04a 100644 --- a/Makefile +++ b/Makefile @@ -12,7 +12,7 @@ debug: all include Makefile.defs -SUBDIRS_CILIUM_CONTAINER := proxylib envoy bpf cilium daemon cilium-health bugtool +SUBDIRS_CILIUM_CONTAINER := proxylib envoy bpf cilium daemon cilium-health bugtool tools/mount SUBDIRS := $(SUBDIRS_CILIUM_CONTAINER) operator plugins tools hubble-relay SUBDIRS_CILIUM_CONTAINER += plugins/cilium-cni diff --git a/install/kubernetes/cilium/templates/cilium-agent-daemonset.yaml b/install/kubernetes/cilium/templates/cilium-agent-daemonset.yaml index e347919ed83c0..2afa11abca5ef 100644 --- a/install/kubernetes/cilium/templates/cilium-agent-daemonset.yaml +++ b/install/kubernetes/cilium/templates/cilium-agent-daemonset.yaml 
@@ -382,19 +382,24 @@ spec: env: - name: CGROUP_ROOT value: {{ .Values.cgroup.hostRoot }} + - name: BIN_PATH + value: {{ .Values.cni.binPath }} command: - - nsenter - - --cgroup=/hostproc/1/ns/cgroup - - --mount=/hostproc/1/ns/mnt - - -- - sh - -c - - 'mount | grep "$CGROUP_ROOT type cgroup2" || { echo "Mounting cgroup filesystem..."; mount -t cgroup2 none $CGROUP_ROOT; }' + # The statically linked Go program binary is invoked to avoid any + # dependency on utilities like sh and mount that can be missing on certain + # distros installed on the underlying host. Copy the binary to the + # same directory where we install cilium cni plugin so that exec permissions + # are available. + - 'cp /usr/bin/cilium-mount /hostbin/cilium-mount && nsenter --cgroup=/hostproc/1/ns/cgroup --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-mount" $CGROUP_ROOT; rm /hostbin/cilium-mount' image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}{{ if .Values.image.useDigest }}@{{ .Values.image.digest }}{{ end }}" imagePullPolicy: {{ .Values.image.pullPolicy }} volumeMounts: - mountPath: /hostproc name: hostproc + - mountPath: /hostbin + name: cni-path securityContext: privileged: true {{- end }} diff --git a/tools/Makefile b/tools/Makefile index 4e0e16cc6e5ce..96076de0e05d3 100644 --- a/tools/Makefile +++ b/tools/Makefile @@ -1,9 +1,9 @@ -# Copyright 2017-2019 Authors of Cilium +# Copyright 2017-2021 Authors of Cilium # SPDX-License-Identifier: Apache-2.0 include ../Makefile.defs -SUBDIRS := alignchecker maptool +SUBDIRS := alignchecker maptool mount .PHONY: all $(SUBDIRS) clean install diff --git a/tools/mount/.gitignore b/tools/mount/.gitignore new file mode 100644 index 0000000000000..b58e33064bda0 --- /dev/null +++ b/tools/mount/.gitignore @@ -0,0 +1 @@ +cilium-mount diff --git a/tools/mount/Makefile b/tools/mount/Makefile new file mode 100644 index 0000000000000..5f75c95d549f9 --- /dev/null +++ b/tools/mount/Makefile 
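Review bot: The new `sh -c` command string exits with the status of the trailing `rm`, so a failing `nsenter`/mount is reported as success (the intent stated in the commit message), while a failing `cp` short-circuits the `nsenter` and then makes `rm` fail with an unrelated "No such file" error that blocks the pod. If neither case should block the agent, `rm -f /hostbin/cilium-mount; exit 0` makes that explicit; if a missing or read-only bin directory should be surfaced, `cp /usr/bin/cilium-mount /hostbin/cilium-mount || exit 1` does it with the right message. The binary is executed from the host's CNI bin directory via `"${BIN_PATH}/cilium-mount"` as root inside the host mount and cgroup namespaces, so this relies on that directory being writable only by root on the host; it is the same trust already placed in the directory for the CNI plugin, and the YAML comment could say so, and also say that the copy is required because the host mount namespace entered by `nsenter` cannot see the container's `/usr/bin`. The `cni-path` volume definition is outside this hunk, so it is assumed rather than visible that it is a hostPath at `.Values.cni.binPath`; if the two diverge, the exec fails silently because of the `;`.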
@@ -0,0 +1,27 @@
+# Copyright 2021 Authors of Cilium
+# SPDX-License-Identifier: Apache-2.0
+
+include ../../Makefile.defs
+
+TARGET := cilium-mount
+
+.PHONY: all $(TARGET) $(SUBDIRS) clean install
+
+all: $(TARGET)
+
+$(TARGET):
+ @$(ECHO_GO)
+ $(QUIET)$(GO_BUILD) -o $@
+
+clean:
+ @$(ECHO_CLEAN)
+ -$(QUIET)rm -f $(TARGET)
+ $(QUIET)$(GO_CLEAN)
+
+install:
+ $(QUIET)$(INSTALL) -m 0755 -d $(DESTDIR)$(BINDIR)
+ $(QUIET)$(INSTALL) -m 0755 $(TARGET) $(DESTDIR)$(BINDIR)
+
+install-binary: install
+
+install-bash-completion:
diff --git a/tools/mount/main.go b/tools/mount/main.go
new file mode 100644
index 0000000000000..f1cbb1c2bb82d
--- /dev/null
+++ b/tools/mount/main.go
@@ -0,0 +1,35 @@
+// Copyright 2021 Authors of Cilium
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package main
+
+import (
+ "fmt"
+ "os"
+
+ "github.com/cilium/cilium/pkg/cgroups"
+)
+
+func main() {
+ if len(os.Args) != 2 {
+ fmt.Fprintf(os.Stderr, "usage: %s \n\n", os.Args[0])
+ os.Exit(1)
+ }
+
+ cgroupMountPoint := os.Args[1]
+ // This program is executed by an init container so we purposely don't
+ // exit with any error codes. In case of errors, the function will log warnings,
+ // but we don't block cilium agent pod from running.
+ cgroups.CheckOrMountCgrpFS(cgroupMountPoint)
+}
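Review bot: main accepts any single argument, including an empty string or a relative path, as the cgroup mount point and hands it straight to cgroups.CheckOrMountCgrpFS, which this patch runs as root inside the host mount namespace; the argv check should also validate the path, e.g. `if len(os.Args) != 2 || !filepath.IsAbs(os.Args[1]) {` with `path/filepath` added to the import block. The usage string as rendered here is `"usage: %s \n\n"` and names no argument; if an angle-bracketed placeholder was lost in rendering this is fine, otherwise use something like `"usage: %s <cgroup-mount-point>\n"`. The comment above the call says the program deliberately never exits non-zero on mount errors, yet the usage path does `os.Exit(1)`; a short doc comment above `package main` stating that the binary is invoked via nsenter from the mount-cgroup init container, exits 1 only on a bad invocation, and otherwise always exits 0 with failures only logged would keep callers from reading meaning into the exit status. What CheckOrMountCgrpFS actually logs or mounts is in pkg/cgroups, outside this patch.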