Commit Graph

5465 Commits

Author SHA1 Message Date
Kir Kolyshkin 015fa29afd Revert "Revert "Makefile: rm go 1.13 workaround""
This reverts commit 1a659bc68e,
essentially reinstating commit d0cbef576f.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-27 01:41:47 -07:00
Kir Kolyshkin 4071c3cd57 Merge pull request #3104 from adrianreber/2021-07-20-vagrant
Do not use Vagrant for CentOS 7/8
2021-07-26 15:31:55 -07:00
Adrian Reber 9f656dbb11 Do not use Vagrant for CentOS 7/8
As Cirrus CI does not provide a real terminal this uses the same
'ssh -tt' workaround as the Vagrant setup. This sets up the
CentOS 7 and 8 to allow SSH as root to localhost so that we can run
all the tests via 'ssh -tt'.

Not going through vagrant reduces CI times for CentOS 7 and 8 from 6
minutes to 4 minutes.

Signed-off-by: Adrian Reber <areber@redhat.com>
2021-07-23 09:23:23 +02:00
Kir Kolyshkin d448016486 tests/rootless.sh: fixup for "update rt" test
Without this, the test case fails with

> Writing 1000000 to /sys/fs/cgroup/cpu,cpuacct/runc-cgroups-integration-test/cpu.rt_period_us
> /tmp/bats-run-106836/bats.116418.src: line 548: /sys/fs/cgroup/cpu,cpuacct/runc-cgroups-integration-test/cpu.rt_period_us: Permission denied

Since we do not currently have a setup to test this, this went
unnoticed (can be seen in RHEL8 though).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Adrian Reber <areber@redhat.com>
2021-07-23 09:23:23 +02:00
Kir Kolyshkin 86af524866 tests/int: fix "update rt period and runtime" for rootless
Since commit f09a3e1b8d, the value passed on to read starts with
a slash, resulting in the first element of the array to be empty.

As a result, the test tries to write to the top-level cgroup, which
fails when rootless:

> # Writing 1000000 to /sys/fs/cgroup/cpu,cpuacct//cpu.rt_period_us
> # /tmp/bats-run-106184/bats.115768.src: line 548: /sys/fs/cgroup/cpu,cpuacct//cpu.rt_period_us: Permission denied

To fix, remove the leading slash.

An alternative fix would be to do "for ((i = 1;" instead of "i = 0", but
that seems less readable.

Fixes: f09a3e1b8d
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-23 09:23:23 +02:00
Kir Kolyshkin 713748d4a8 Merge pull request #3103 from AkihiroSuda/remove-abandoned-policy
README.md: remove abandoned versioning policy
2021-07-21 13:02:02 -07:00
Akihiro Suda cc0b16444f README.md: remove abandoned versioning policy
"`runc` X.Y.Z should implement the X.Y version of the specification." is no longer correct.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-07-21 14:05:35 +09:00
Kir Kolyshkin 6e210a1d53 Merge pull request #3088 from AkihiroSuda/cirrus
Use Cirrus CI for Vagrant tests
2021-07-19 18:22:10 -07:00
Akihiro Suda 87bfd20fbd Evaluate Cirrus CI for Vagrant tests
ref: issue 3078

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-07-18 20:32:40 +09:00
Mrunal Patel 2749f1f18b Merge pull request #3082 from kolyshkin/freeze-less
cgroups: Set: fix freeze, avoid unnecessary freeze from systemd v1
2021-07-15 18:51:26 -04:00
Kir Kolyshkin a71102624d libct/cg/sd: add TestPodSkipDevicesUpdate
TestPodSkipDevicesUpdate checks that updating a pod having SkipDevices: true
does not result in spurious "permission denied" errors in a container
running under the pod. The test is somewhat similar in nature to the
@test "update devices [minimal transition rules]" in tests/integration,
but uses a pod.

This tests the validity of freezeBeforeSet in v1.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-15 00:07:22 -07:00
Kir Kolyshkin 52dd96db6b libct/cg/sd: TestFreezePodCgroup: rm explicit freeze
This was initially added by commit 3e5c199708 because Set (with
r.Freezer = Frozen) was not able to freeze a container.

Now (see a few previous commits) Set can do the freeze, so the explicit
Freeze is no longer needed.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-15 00:07:19 -07:00
Kir Kolyshkin f2db87986c libct/cg/sd/v1: Set: avoid unnecessary freeze/thaw
Introduce freezeBeforeSet, which contains the logic of figuring out
whether we need to freeze/thaw around setting systemd unit properties.

In particular, if SkipDevices is set, and the current unit properties
allow all devices, there is no need to freeze and thaw, as systemd
won't write any device rules in this case.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-15 00:07:10 -07:00
Kir Kolyshkin 5dc3260431 libct/int/TestFreeze: test freeze/thaw via Set
In addition to freezing and thawing a container via Pause/Resume,
there is a way to also do so via Set.

This way was broken though and is being fixed by a few preceding
commits. The test is added to make sure this is fixed and won't regress.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-14 23:42:35 -07:00
Kir Kolyshkin af1688a544 libct/int: allow subtests
The t.Name() usage in libcontainer/integration prevented subtests
to be used, since in such case it returns a string containing "/",
and thus it can't be used to name a container.

Fix this by replacing slashes with underscores where appropriate.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-14 23:42:35 -07:00
Kir Kolyshkin 67cfd3d400 libct/cg/sd/v1: Set: don't overwrite r.Freezer
m.Freeze method changes m.cgroups.Resources.Freezer field, which should
not be done while we're temporarily freezing the cgroup in Set. If this
field is changed, and r == m.cgroups.Resources (as it often happens),
this results in inability to freeze the container using Set().

To fix, add and use a method which does not change r.Freezer field.

A test case for the bug will be added separately.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-14 23:42:35 -07:00
Aleksa Sarai 8de0a5c836 merge branch 'pr-3089'
Kir Kolyshkin (1):
  ci/gha: run on release-* branches after a push

LGTMs: mrunalp cyphar
Closes #3089
2021-07-15 12:38:50 +10:00
Kir Kolyshkin d02b0061d2 ci/gha: run on release-* branches after a push
A CI is needed after PR merges.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-14 09:42:10 -07:00
Akihiro Suda fceadf2386 Merge pull request #3055 from cyphar/cgroup-bpf-replace-selinux
cgroupv2: ebpf: ignore inaccessible existing programs
2021-07-14 11:31:07 +09:00
Aleksa Sarai 57e3c54182 cgroupv2: ebpf: ignore inaccessible existing programs
This is necessary in order for runc to be able to configure device
cgroups with --systemd-cgroup on distributions that have very strict
SELinux policies such as openSUSE MicroOS[1].

The core issue here is that systemd is adding its own BPF policy that
has an SELinux label such that runc cannot interact with it. In order to
work around this, we can just ignore the policy -- in theory this
behaviour is not correct but given that the most obvious case
(--systemd-cgroup) will still handle updates correctly, this logic is
reasonable.

[1]: https://bugzilla.suse.com/show_bug.cgi?id=1182428

Fixes: d0f2c25f52 ("cgroup2: devices: replace all existing filters when attaching")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-07-14 11:17:19 +10:00
Aleksa Sarai fe518a0678 vendor: update github.com/cilium/ebpf
We need to update the eBPF library so that we can get the raw syscall
errors from bpf(2) syscalls using errors.Is.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-07-14 11:17:15 +10:00
Aleksa Sarai 2c01cec8ac merge branch 'pr-3067'
Odin Ugedal (2):
  libct/cg/sd: Don't freeze cgroup on cgroup v2 Set
  Update device update tests

LGTMs: kolyshkin mrunalp cyphar
Closes #3067
2021-07-13 12:59:29 +10:00
Mrunal Patel dc3236f957 Merge pull request #3070 from kolyshkin/unconvert
ci: enable unconvert linter, fix its warnings
2021-07-12 16:47:14 -04:00
Akihiro Suda 3a041e9654 Merge pull request #3081 from kolyshkin/carry-3065
Make cgroup freezer only care about current control group (carry #3065)
2021-07-12 13:09:40 +09:00
Qiang Huang 9493bb8268 Merge pull request #3041 from kolyshkin/rtd-cleanups
libcontainer/intelrdt: cleanups
2021-07-10 11:54:43 +08:00
Mrunal Patel 4f3fab9bfe Merge pull request #3069 from odinuge/devices-caps
tests/int/dev: add CAP_SYSLOG to /dev/kmsg tests
2021-07-09 17:23:07 -04:00
Kir Kolyshkin 497e4032bd Merge pull request #3058 from kinvolk/rata/nsexec-close-bug
libcontainer: Don't close already closed fds and bail on close(2) failures
2021-07-09 11:35:36 -07:00
Odin Ugedal 3e5c199708 libct/cg/sd: Add freezer tests
This test the issues fixed by the two preceding commits.

Co-Authored-By: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Odin Ugedal <odin@uged.al>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-08 19:32:39 -07:00
Odin Ugedal 294c4866ea libct/cg/fs/freezer.GetState: report current cgroup state
If a control group is frozen, all its descendants will report FROZEN
in freezer.state cgroup file.

OTOH cgroup v2 cgroup.freeze is not reporting the cgroup as frozen
unless it is frozen directly (i.e. not via an ancestor).

Fix the discrepancy between v1 and v2 drivers behavior by
looking into freezer.self_freezing cgroup file, which, according
to kernel documentation, will show 1 iff the cgroup was frozen directly.

Co-authored-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Odin Ugedal <odin@uged.al>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-08 19:32:08 -07:00
Aleksa Sarai 262f294a2a merge branch 'pr-3062'
Kir Kolyshkin (3):
  libct/user: use []byte more, avoid allocations
  libct/user: ParseGroupFilter: use TrimSpace
  libct/user: fix parsing long /etc/group lines

LGTMs: AkihiroSuda cyphar
Closes #3062
2021-07-08 17:10:26 +10:00
Kir Kolyshkin ccf6a94f95 Merge pull request #3045 from anmaxvl/retry-unix-eintr
retry unix.EINTR for container init process
2021-07-07 18:25:17 -07:00
Odin Ugedal f33be7cc98 libct/cg/sd: Don't freeze cgroup on cgroup v2 Set
Since device updates in cgroup v2 are atomic for systemd, there is no
need to freeze the processes before running the updates.

Signed-off-by: Odin Ugedal <odin@uged.al>
2021-07-07 22:44:08 +02:00
Odin Ugedal d41a273dae Update device update tests
Run device update tests on cgroup v2, and add a test verifying that we
don't allow access to devices when we don't intend to.

Signed-off-by: Odin Ugedal <odin@uged.al>
2021-07-07 22:44:08 +02:00
Kir Kolyshkin be1d5f83c0 ci: enable unconvert linter, fix its warnings
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-07 10:42:48 -07:00
Odin Ugedal 6be088d69d tests/int/dev: add CAP_SYSLOG to /dev/kmsg tests
Add CAP_SYSLOG to ensure that /dev/kmsg can be accesses on systems where
the sysctl kernel.dmesg_restrict = 1.

Signed-off-by: Odin Ugedal <odin@uged.al>
2021-07-07 15:44:16 +02:00
Kir Kolyshkin 71a3756b19 Merge pull request #3063 from cyphar/filepath-securejoin-update
deps: update to github.com/cyphar/filepath-securejoin@v0.2.3
2021-07-06 15:13:22 -07:00
Aleksa Sarai 9f2a1f4df1 deps: update to github.com/cyphar/filepath-securejoin@v0.2.3
The main change is the switch to Go 1.13-style "%w" error wrapping,
dropping one of the github.com/pkg/errors dependencies we have left.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-07-04 21:24:12 +10:00
Kir Kolyshkin 24d5daf54d libct/user: fix parsing long /etc/group lines
Lines in /etc/group longer than 64 characters breaks the current
implementation of group parser. This is caused by bufio.Scanner
buffer limit.

Fix by re-using the fix for a similar problem in golang os/user,
namely https://go-review.googlesource.com/c/go/+/283601.

Add some tests.

Co-authored-by: Andrey Bokhanko <andreybokhanko@gmail.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-02 13:19:42 -07:00
Kir Kolyshkin 226dfab0bc libct/user: ParseGroupFilter: use TrimSpace
Same as in other places (other parsers here, as well as golang os/user
parser and glibc parser all tolerate extra space at BOL and EOL).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-02 12:25:51 -07:00
Kir Kolyshkin 120e3a77d8 libct/user: use []byte more, avoid allocations
Every []byte to string conversion results in a new allocation.
Avoid some by using []byte more.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-02 12:25:45 -07:00
Rodrigo Campos 83776dd8b3 libcontainer: Bail on close(2) failures
Don't ignore close(2) return code, rather bail if there is any
unexpected failures. By checking the close return code we make sure we
don't introduce the same bug (closing an already closed fd) I've fixed
in the previous patch.

As a side note, we are not handling in this patch when close(2) returns
EINTR and the go runtime, since go 1.14, sends SIGURG to preempt
goroutines. This should not happen here though, as nsenter is guaranteed
to be executed before the go runtime starts.

Signed-off-by: Rodrigo Campos <rodrigo@kinvolk.io>
2021-07-02 16:43:25 +02:00
Rodrigo Campos 7d479e6beb libcontainer: Don't close fds already closed
This was closed in the child[1], before calling clone_parent (so runc
INIT will have this fd closed too), there is no point closing it again.

This was not causing issues because we ignore the return code of
close(2) and no one was opening a new fd between both calls to close.
However, with the new patches that I'm working on (PR #2576), this
problem is no longer inocuos: we do open a new fd in that PR, sometimes
that fd is allocated between the two close(2) calls and, as the lowest
fd is allocated to the new fd, sometimes the second close ends up
incorrectly closing this new fd.

Before it was not a problem in practice, but it was incorrect
nevertheless.

This seems to be long standing bug, present since at least 2018
(a54316bae), when SYNC_GRANDCHILD was introduced.

[1]: https://github.com/opencontainers/runc/blob/5547b5774f71f75a088e7432fa961778750a0fbd/libcontainer/nsenter/nsexec.c#L888

Co-authored-by: Alban Crequy <alban@kinvolk.io>
Signed-off-by: Rodrigo Campos <rodrigo@kinvolk.io>
2021-07-02 15:55:11 +02:00
Maksim An e39ad65059 retry unix.EINTR for container init process
When running a script from an azure file share interrupted syscall
occurs quite frequently, to remedy this add retries around execve
syscall, when EINTR is returned.

Signed-off-by: Maksim An <maksiman@microsoft.com>
2021-06-30 22:22:31 -07:00
Akihiro Suda 5547b5774f Merge pull request #3033 from kolyshkin/rm-own-errors
libcontainer: rm own error system
2021-07-01 13:47:27 +09:00
Kir Kolyshkin 4e56bb446a Merge pull request #3053 from kailun-qin/consolidate-utils
libct/rootfs: consolidate utils imports
2021-06-30 15:54:05 -07:00
Kailun Qin c508a7bc0a libct/rootfs: consolidate utils imports
Signed-off-by: Kailun Qin <kailun.qin@intel.com>
2021-06-30 06:49:38 -04:00
Akihiro Suda b12e6bcaa2 Merge pull request #3051 from kolyshkin/test-int-fix-unshare
tests/int/no_pivot: fixup for new kernels
2021-06-30 11:45:47 +09:00
Kir Kolyshkin 1bbeadae72 tests/int/no_pivot: fix for new kernels
The test is failing like this:

	not ok 70 runc run --no-pivot must not expose bare /proc
	# (in test file tests/integration/no_pivot.bats, line 20)
	#   `[[ "$output" == *"mount: permission denied"* ]]' failed
	# runc spec (status=0):
	#
	# runc run --no-pivot test_no_pivot (status=1):
	# unshare: write error: Operation not permitted

Apparently, a recent kernel commit db2e718a47984b9d prevents
root from doing unshare -r unless it has CAP_SETFPCAP.

Add the capability for this specific test.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-29 13:31:54 -07:00
Akihiro Suda 24aff17be2 Merge pull request #3048 from opencontainers/dependabot/go_modules/google.golang.org/protobuf-1.27.1
build(deps): bump google.golang.org/protobuf from 1.26.0 to 1.27.1
2021-06-29 13:36:47 +09:00
Kir Kolyshkin 0229a77a80 libcontainer/intelrdt: privatize some ids
These are not used anywhere outside of the package
(I have also checked the only external user of the package
(github.com/google/cadvisor).

No changes other than changing the case. The following
identifiers are now private:

 * IntelRdtTasks
 * NewLastCmdError
 * NewStats

Brought to you by gorename.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-28 12:45:28 -07:00