feat(container): runcell support

[sparkzky]

补充pivot_root等支持runcell运行的机制，初步支持容器运行

ps：现在主线运行runcell会报错，因此此分支暂时不会合并主线

[sparkzky]

@claude review

[chatgpt-codex-connector]

To use Codex here, create a Codex account and connect to github.

[sparkzky]

@claude review

[dragonos-community-ai-pr-reviewer]

Claude finished @sparkzky's task in 4m 48s —— View job

---

PR Review: feat(container): runcell support

Reviewer: Claude (deepseek-reasoner)

Status: ✅ Review completed

Summary

This PR implements container support through pivot_root system call, enhanced bind mounts, and improved filesystem operations. The changes are substantial and enable basic container functionality for runcell. Overall, the implementation is comprehensive but has some areas that need attention for correctness, maintainability, and security.

Positive Aspects

1. Complete pivot_root implementation - The new sys_pivot_root.rs implements Linux semantics including permission checks, path validation, mount point verification, and proper error handling.

2. bind_target_root mechanism - The addition of bind_target_root field to MountFS addresses DragonOS's bind mount differences from Linux, allowing containers to see bind-mounted rootfs contents correctly.

3. Enhanced umount2 for pivot_root scenarios - Special handling for umount2(".") after pivot_root is thoughtful and necessary for container teardown.

4. Proper capability checking - CAP_SYS_CHROOT requirement for pivot_root follows Linux security model.

5. Improved mknod support - Separate but valuable improvements to devfs and tmpfs mknod implementation.

Concerns and Issues

1. Hardcoded Container Paths

• File: kernel/src/filesystem/vfs/syscall/sys_pivot_root.rs:302
• Issue: get_mountfs() function contains hardcoded path prefix /tmp/runcell/containers/ for container-specific matching.
• Impact: This ties the kernel implementation to a specific userspace layout, reducing flexibility and creating implicit dependencies.
• Suggestion: Consider a more generic approach, such as tracking bind mount relationships in metadata or using mount flags/tags.

2. Unsafe Operations

• Files: mount.rs:339-342 (set_mount_flags), mnt.rs:99-116 (force_change_root_mountfs)
• Issue: Direct pointer manipulation via self as *const Self as *mut Self bypasses Rust's safety guarantees.
• Impact: These operations risk data races and memory safety issues if not properly synchronized.
• Suggestion: Restructure to use UnsafeCell or atomic operations where mutable shared state is truly needed. Add safety comments explaining invariants.

3. bind_target_root as Workaround

• Files: mount.rs:241-247, sys_mount.rs:490-505
• Issue: The bind_target_root mechanism exists because DragonOS's bind mount implementation differs from Linux (wraps entire filesystem vs. bind target directory).
• Impact: This creates architectural divergence from Linux that may cause compatibility issues with container runtimes expecting standard behavior.
• Suggestion: Consider aligning bind mount semantics with Linux long-term, but for now document this divergence clearly.

4. Error Handling Edge Cases

• File: sys_pivot_root.rs:335-357
• Issue: get_mountfs() has complex fallback logic that could return incorrect MountFS in edge cases (e.g., multiple filesystems with same name).
• Impact: Could lead to pivot_root operating on wrong mount point.
• Suggestion: Add more robust tracking of bind mount relationships, perhaps via mount IDs or parent-child references.

5. Magic Numbers and Limits

• File: sys_pivot_root.rs:381
• Issue: is_ancestor() has hardcoded limit of 1000 iterations.
• Impact: While reasonable, this could be a const with explanatory comment about preventing infinite loops in corrupt filesystems.

6. Incomplete Propagation Handling

• Observation: Mount propagation flags (MS_SHARED, MS_PRIVATE, etc.) are defined but propagation logic during pivot_root isn't fully reviewed.
• Suggestion: Ensure pivot_root properly handles propagation states, especially for shared subtrees.

Security Considerations

1. Capability checks: CAP_SYS_CHROOT check is present (good).
2. Path validation: User paths are properly validated and length-limited.
3. Permission checks: Directory execute permissions are checked for new_root and put_old.
4. Namespace isolation: Mount namespace interactions appear correct, but consider cross-namespace implications.

Testing Recommendations

Given the complexity of container filesystem operations:

1. Add unit tests for is_ancestor() and get_mountfs() logic.
2. Test edge cases: Same inode for new_root/put_old, nested bind mounts, symlinks in paths.
3. Verify umount2(".") after pivot_root with various mount propagation states.
4. Test container lifecycle: bind mount → pivot_root → process execution → umount cleanup.

Code Quality

1. Comments: Good Chinese documentation explaining Linux semantics and DragonOS differences.
2. Logging: Extensive debug logging (commented out) helpful for debugging.
3. Code structure: Well-organized with clear separation of concerns.

Final Assessment

This PR represents significant progress toward container support. The core functionality appears correct for basic use cases. The main issues are the hardcoded container paths and unsafe operations that should be addressed before merging.

Recommendation: Approve with requested changes for items 1-2 above. Items 3-6 are architectural considerations that can be addressed in follow-up PRs but should be documented.

---

Review completed. The implementation enables container support but needs minor fixes for production readiness.

[sparkzky]

当前获取根文件系统的方式有问题，获取到的是DragonOS的根文件系统，而不是容器的