Conversation

@Ace-Tang Ace-Tang commented Dec 12, 2018

clear ro in mount option when container gets privileged, make cgroup
writable, add test for it.

Signed-off-by: Ace-Tang [email protected]

Ⅰ. Describe what this PR did

Ⅱ. Does this pull request fix one issue?

fixes #2553

Ⅲ. Why don't you add test cases (unit test/integration test)? (Do you really think no tests are needed?)

add test.

Ⅳ. Describe how to verify it

Ⅴ. Special notes for reviews

codecov bot commented Dec 12, 2018

Codecov Report

Merging #2552 into master will increase coverage by 0.09%.
The diff coverage is 100%.

@@            Coverage Diff             @@
##           master    #2552      +/-   ##
==========================================
+ Coverage   69.03%   69.13%   +0.09%     
==========================================
  Files         278      278              
  Lines       18581    18582       +1     
==========================================
+ Hits        12828    12847      +19     
+ Misses       4272     4264       -8     
+ Partials     1481     1471      -10
Flag Coverage Δ
#criv1alpha1test 31.23% <100%> (-0.04%) ⬇️
#criv1alpha2test 35.57% <100%> (+0.11%) ⬆️
#integrationtest 40.64% <100%> (+0.07%) ⬆️
#nodee2etest 32.66% <100%> (+0.18%) ⬆️
#unittest 26.79% <0%> (-0.01%) ⬇️
Impacted Files Coverage Δ
daemon/mgr/spec_mount.go 84.4% <100%> (+0.14%) ⬆️
apis/server/utils.go 71.15% <0%> (-3.85%) ⬇️
daemon/logger/jsonfile/utils.go 71.54% <0%> (-1.63%) ⬇️
daemon/mgr/container.go 58.44% <0%> (-0.43%) ⬇️
cri/v1alpha1/cri.go 60.59% <0%> (-0.34%) ⬇️
ctrd/container.go 58.81% <0%> (+0.39%) ⬆️
cri/v1alpha2/cri.go 68.83% <0%> (+1.1%) ⬆️
pkg/streams/utils.go 91.66% <0%> (+2.38%) ⬆️
cri/v1alpha2/cri_wrapper.go 65.59% <0%> (+2.39%) ⬆️
daemon/mgr/snapshot.go 94.2% <0%> (+4.34%) ⬆️
... and 1 more

	// Reviewed lines from the test added by this PR: run a container that tries
	// to create a directory under the cgroup mount, then check the result. Where
	// the cgroup mount is read-only this must fail with "Read-only file system".
	res := command.PouchRun("run", "--name", name1, busyboxImage, "sh", "-c", "mkdir /sys/fs/cgroup/cpu/test")
	defer DelContainerForceMultyTime(c, name1)

	if res.ExitCode == 0 {
Contributor:

The if condition duplicates c.Assert(util.PartialEqual(res.Combined(), "Read-only file system"), check.IsNil). I think that we can remove the if condition. WDYT?

Contributor Author:

Copied from another test in test/cli_run_with_privileged_test.go; the author may think error stdout is not enough to judge the error, and I agree with him. But I do not mind removing it.

Contributor Author:

If you do not mind, I will do this in the next PR and fix all tests in test/cli_run_with_privileged_test.go.

Contributor:

sure

rudyfly commented Dec 12, 2018

I think we must refactor the function setupMounts; there are a lot of unnecessary for loops. With your modification, can we change it like this:
before:

	if c.HostConfig.Privileged {
		if !s.Root.Readonly {
			// Clear readonly for /sys.
			for i := range s.Mounts {
				if s.Mounts[i].Destination == "/sys" {
					clearReadonly(&s.Mounts[i])
				}
			}
		}
		// Clear readonly for cgroup
		for i := range s.Mounts {
			if s.Mounts[i].Type == "cgroup" {
				clearReadonly(&s.Mounts[i])
			}
		}
	}

change it to:

	if c.HostConfig.Privileged {
		for i := range s.Mounts {
			// Clear readonly for /sys.
			if s.Mounts[i].Destination == "/sys" && !s.Root.Readonly {
				clearReadonly(&s.Mounts[i])
			}

			// Clear readonly for cgroup
			if s.Mounts[i].Type == "cgroup" {
				clearReadonly(&s.Mounts[i])
			}
		}
	}

For the same reason, we can also merge this for loop with the code above. Can you refactor this function?
@Ace-Tang
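The merged single-loop form proposed above, as an added runnable example (not PouchContainer's own code): Mount is a minimal stand-in for the OCI runtime-spec Mount type, the body of clearReadonly is assumed because the PR only names that helper, and sampleMounts are constructed inputs.

```go
package main

// Mount is a minimal stand-in for the OCI runtime-spec Mount type.
type Mount struct {
	Destination, Type string
	Options           []string
}

// clearReadonly drops "ro" from the options (assumed body; the PR only names this helper).
func clearReadonly(m *Mount) {
	opts := make([]string, 0, len(m.Options))
	for _, o := range m.Options {
		if o != "ro" {
			opts = append(opts, o)
		}
	}
	m.Options = opts
}

// setupPrivilegedMounts is the merged single-loop form from the review: /sys
// goes writable only if the rootfs is not read-only, cgroup mounts always do.
func setupPrivilegedMounts(mounts []Mount, rootReadonly, privileged bool) {
	if !privileged {
		return
	}
	for i := range mounts {
		if mounts[i].Destination == "/sys" && !rootReadonly {
			clearReadonly(&mounts[i])
		}
		if mounts[i].Type == "cgroup" {
			clearReadonly(&mounts[i])
		}
	}
}

// isReadonly reports whether a mount still carries the "ro" option.
func isReadonly(m Mount) bool {
	for _, o := range m.Options {
		if o == "ro" {
			return true
		}
	}
	return false
}

// sampleMounts are constructed inputs: a read-only /sys and a read-only cgroup mount.
var sampleMounts = []Mount{
	{Destination: "/sys", Type: "sysfs", Options: []string{"nosuid", "noexec", "nodev", "ro"}},
	{Destination: "/sys/fs/cgroup", Type: "cgroup", Options: []string{"nosuid", "noexec", "nodev", "relatime", "ro"}},
}
```

Running it against copies of sampleMounts shows the three cases the PR cares about: privileged with a writable rootfs clears both mounts, privileged with a read-only rootfs clears only the cgroup mount, and an unprivileged container keeps both read-only.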
@rudyfly rudyfly (Collaborator) left a review comment:

Need to merge the unnecessary for loops.

clear ro in mount option when container gets privileged, make cgroup
writable, add test for it.

Signed-off-by: Ace-Tang <[email protected]>
@Ace-Tang Ace-Tang (Contributor Author) commented:

@rudyfly, updated

@rudyfly rudyfly (Collaborator) left a review comment:

LGTM

@fuweid fuweid (Contributor) left a review comment:

LGTM

@fuweid fuweid merged commit fe8bd4a into AliyunContainerService:master Dec 13, 2018
Labels: kind/bug, size/S

Linked issue closed by this pull request: cgroup fs in pouch container is mounted and read-only forcibly