Commit Graph

6160 Commits

Author SHA1 Message Date
Kir Kolyshkin 4e65118d02 tests/int/helpers: gawk -> awk
We use awk in other 9 or so places, and here it's gawk.
Since this is on Linux, most probably awk is gawk.

So s/gawk/awk/.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-09-27 22:22:29 -07:00
Kir Kolyshkin 0ffb49dba0 tests/int: suppress bogus error
The situation when /sys/fs/cgroup/unified is not present normal and
should not result in anything on stderr. Suppress it.

Fixes: cc15b887a0
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-09-27 22:22:29 -07:00
Kir Kolyshkin 4ff59f81fd Merge pull request #3607 from opencontainers/dependabot/go_modules/github.com/checkpoint-restore/go-criu/v6-6.2.0
build(deps): bump github.com/checkpoint-restore/go-criu/v6 from 6.1.0 to 6.2.0
2022-09-20 18:11:15 -07:00
dependabot[bot] 6fce0a1c67 build(deps): bump github.com/checkpoint-restore/go-criu/v6
Bumps [github.com/checkpoint-restore/go-criu/v6](https://github.com/checkpoint-restore/go-criu) from 6.1.0 to 6.2.0.
- [Release notes](https://github.com/checkpoint-restore/go-criu/releases)
- [Commits](https://github.com/checkpoint-restore/go-criu/compare/v6.1.0...v6.2.0)

---
updated-dependencies:
- dependency-name: github.com/checkpoint-restore/go-criu/v6
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-19 04:24:11 +00:00
Kir Kolyshkin e965e10c32 tests/int: do not set inheritable capabilities
Amends commit 98fe566c52 ("runc: do not set inheritable
capabilities").

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-09-15 11:49:32 -07:00
Mrunal Patel 91c0a7ac8d Merge pull request #3580 from kolyshkin/fix-seccomp-ssb
seccomp: do not ignore SPEC_ALLOW flag
2022-09-13 16:45:57 -07:00
Kir Kolyshkin 2e8b7a1283 Merge pull request #3586 from snprajwal/go-criu/v6
Upgrade go-criu to v6
2022-09-09 18:49:28 -07:00
dharmicksai 29a28848de Add check for CONFIG_CGROUP_BPF in check-config.sh
cgroup v2 requires CONFIG_CGROUP_BPF kernel option to be set
else runc can not start containers.

check-config.sh script checks if the CONFIG_CGROUP_BPF option
is set. The script checks if version of kernel is atleast
4.15 and cgroup v2 is being used before checking if the
CONFIG_CGROUP_BPF option is set.

Closes #3547

Signed-off-by: dharmicksai <dharmicksaik@gmail.com>
2022-09-08 14:28:47 +05:30
Prajwal S N 746f45807d deps: bump go-criu to v6
The v6.0.0 release of go-criu has deprecated the `rpc` package in favour
of the `crit` package. This commit provides the changes required to use
this version in runc.

Signed-off-by: Prajwal S N <prajwalnadig21@gmail.com>
2022-09-06 11:55:17 +05:30
Kir Kolyshkin bc13e33270 Merge pull request #3566 from opencontainers/dependabot/github_actions/actions/cache-3.0.8
build(deps): bump actions/cache from 3.0.7 to 3.0.8
2022-09-02 16:54:35 -07:00
Kir Kolyshkin 5808663ceb Merge pull request #3585 from opencontainers/dependabot/go_modules/github.com/docker/go-units-0.5.0
build(deps): bump github.com/docker/go-units from 0.4.0 to 0.5.0
2022-09-01 17:00:28 -07:00
dependabot[bot] 45041985e3 build(deps): bump github.com/docker/go-units from 0.4.0 to 0.5.0
Bumps [github.com/docker/go-units](https://github.com/docker/go-units) from 0.4.0 to 0.5.0.
- [Release notes](https://github.com/docker/go-units/releases)
- [Commits](https://github.com/docker/go-units/compare/v0.4.0...v0.5.0)

---
updated-dependencies:
- dependency-name: github.com/docker/go-units
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-01 04:15:34 +00:00
Kir Kolyshkin 26dc55ef1a seccomp: fix flag test to actually check the value
Add a debug print of seccomp flags value, so the test can check
those (without using something like strace, that is).

Amend the flags setting test with the numeric values expected, and the
logic to check those.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-08-30 19:16:08 -07:00
Kir Kolyshkin c7dc8b1fed libct/seccomp/patchbpf: support SPEC_ALLOW
Commit 58ea21daef added support for seccomp flags such as
SPEC_ALLOW, but it does not work as expected, because since commit
7a8d7162f9 we do not use libseccomp-golang's Load(), but
handle flags separately in patchbfp.

This fixes setting SPEC_ALLOW flag.

Add a comment to not forget to amend filterFlags when adding new flags.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-08-29 15:48:10 -07:00
dependabot[bot] 8206f5b2aa build(deps): bump actions/cache from 3.0.7 to 3.0.8
Bumps [actions/cache](https://github.com/actions/cache) from 3.0.7 to 3.0.8.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v3.0.7...v3.0.8)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-23 04:19:26 +00:00
Kir Kolyshkin 4a51b04703 Merge pull request #3559 from kolyshkin/fix-dev-pts
Fix failed exec after systemctl daemon-reload
2022-08-18 15:03:31 -07:00
Kir Kolyshkin 58b1374f0a Fix failed exec after systemctl daemon-reload
A regression reported for runc v1.1.3 says that "runc exec -t" fails
after doing "systemctl daemon-reload":

> exec failed: unable to start container process: open /dev/pts/0: operation not permitted: unknown

Apparently, with commit 7219387eb7 we are no longer adding
"DeviceAllow=char-pts rwm" rule (because os.Stat("char-pts") returns
ENOENT).

The bug can only be seen after "systemctl daemon-reload" because runc
also applies the same rules manually (by writing to devices.allow for
cgroup v1), and apparently reloading systemd leads to re-applying the
rules that systemd has (thus removing the char-pts access).

The fix is to do os.Stat only for "/dev" paths.

Also, emit a warning that the path was skipped. Since the original idea
was to emit less warnings, demote the level to debug.

Note this also fixes the issue of not adding "m" permission for block-*
and char-* devices.

A test case is added, which reliably fails before the fix
on both cgroup v1 and v2.

Fixes: https://github.com/opencontainers/runc/issues/3551
Fixes: 7219387eb7
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-08-18 14:41:16 -07:00
Akihiro Suda a98ad5e61d Merge pull request #3561 from kolyshkin/ci-codespell-2.2
ci: fix for codespell 2.2
2022-08-18 10:20:00 +09:00
Kir Kolyshkin df9e32bc6a ci: fix for codespell 2.2
Recently released codespell 2.2 adds some more false positives,
such as:

	./Makefile:78: ro ==> to, row, rob, rod, roe, rot
	./Makefile:88: ro ==> to, row, rob, rod, roe, rot
	./notify_socket.go:51: ro ==> to, row, rob, rod, roe, rot
	./LICENSE:128: complies ==> compiles
	./go.sum:59: BU ==> BY
	./types/features/features.go:17: ro ==> to, row, rob, rod, roe, rot
	./libcontainer/rootfs_linux.go:52: ro ==> to, row, rob, rod, roe, rot
	./libcontainer/rootfs_linux.go:166: ro ==> to, row, rob, rod, roe, rot
	....
	./tests/integration/cgroup_delegation.bats:38: inh ==> in
	...

To fix:
 - exclude go.sum;
 - add ro and complies to the list of ignored words;
 - s/inh/inherit in cgroup_delegation.bats.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-08-17 16:37:44 -07:00
Sebastiaan van Stijn 7b6f5153b8 Merge pull request #3514 from kolyshkin/go119
Add go 1.19, require go 1.18, drop go 1.17
2022-08-16 22:38:40 +02:00
Kir Kolyshkin 4ada984fb3 Merge pull request #3557 from opencontainers/dependabot/github_actions/actions/cache-3.0.7
build(deps): bump actions/cache from 3.0.5 to 3.0.7
2022-08-16 10:12:53 -07:00
Kir Kolyshkin b7dcdcecb4 Add go 1.19, require go 1.18, drop go 1.17
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-08-16 09:53:54 -07:00
Kir Kolyshkin 0f4bf2c840 ci/gha: bump golangci-lint to 1.48
This version works with go 1.19, i.e. it fixes
https://github.com/golangci/golangci-lint/issues/2922.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-08-16 09:53:54 -07:00
Kir Kolyshkin 45cc290f02 libct: fixes for godoc 1.19
Since Go 1.19, godoc recognizes lists, code blocks, headings etc. It
also reformats the sources making it more apparent that these features
are used.

Fix a few places where it misinterpreted the formatting (such as
indented vs unindented), and format the result using the gofumpt
from HEAD, which already incorporates gofmt 1.19 changes.

Some more fixes (and enhancements) might be required.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-08-16 09:53:54 -07:00
dependabot[bot] bf8d7c713b build(deps): bump actions/cache from 3.0.5 to 3.0.7
Bumps [actions/cache](https://github.com/actions/cache) from 3.0.5 to 3.0.7.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v3.0.5...v3.0.7)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-13 16:56:03 +00:00
Akihiro Suda 480e1298d8 Merge pull request #3556 from kolyshkin/go119-fix-386
ci/gha: fix cross-386 job vs go 1.19
2022-08-13 11:49:35 +09:00
Kir Kolyshkin 589a9d5082 ci/gha: fix cross-386 job vs go 1.19
When golang 1.19 is used to build unit tests on 386, it fails like this:

 sudo -E PATH="$PATH" -- make GOARCH=386 CGO_ENABLED=1 localunittest
 <...>
 go test -timeout 3m -tags "seccomp"  -v ./...
 <...>
 # github.com/opencontainers/runc/libcontainer/capabilities.test
 runtime/cgo(.text): unknown symbol __stack_chk_fail_local in pcrel
 runtime/cgo(.text): unknown symbol __stack_chk_fail_local in pcrel
 runtime/cgo(.text): unknown symbol __stack_chk_fail_local in pcrel
 runtime/cgo(.text): unknown symbol __stack_chk_fail_local in pcrel
 runtime/cgo(.text): unknown symbol __stack_chk_fail_local in pcrel
 runtime/cgo(.text): relocation target __stack_chk_fail_local not defined
 runtime/cgo(.text): relocation target __stack_chk_fail_local not defined

The fix is to add CGO_CFLAGS=-fno-stack-protector.

See also:
 - https://github.com/docker-library/golang/pull/426
 - https://go.dev/issue/52919
 - https://go.dev/issue/54313
 - https://go-review.googlesource.com/c/go/+/421935

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-08-10 18:43:52 -07:00
Kir Kolyshkin 7e54290f11 Merge pull request #3530 from opencontainers/dependabot/go_modules/github.com/cilium/ebpf-0.9.1
build(deps): bump github.com/cilium/ebpf from 0.9.0 to 0.9.1
2022-08-04 15:38:07 -07:00
Akihiro Suda 2a14cecca3 Merge pull request #3543 from opencontainers/dependabot/go_modules/google.golang.org/protobuf-1.28.1
build(deps): bump google.golang.org/protobuf from 1.28.0 to 1.28.1
2022-08-04 09:25:09 +09:00
Aleksa Sarai bd69483df5 merge branch 'pr-3522'
Kir Kolyshkin (1):
  Fix error from runc run on noexec fs

LGTMs: AkihiroSuda thaJeztah cyphar
Closes #3522
2022-08-02 12:40:43 +10:00
dependabot[bot] 450dd3e237 build(deps): bump google.golang.org/protobuf from 1.28.0 to 1.28.1
Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go) from 1.28.0 to 1.28.1.
- [Release notes](https://github.com/protocolbuffers/protobuf-go/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash)
- [Commits](https://github.com/protocolbuffers/protobuf-go/compare/v1.28.0...v1.28.1)

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-07-29 23:51:56 +00:00
Kir Kolyshkin f835196e80 Merge pull request #3531 from opencontainers/dependabot/go_modules/github.com/sirupsen/logrus-1.9.0
build(deps): bump github.com/sirupsen/logrus from 1.8.1 to 1.9.0
2022-07-29 16:51:08 -07:00
dependabot[bot] 6d00bf6cc3 build(deps): bump github.com/sirupsen/logrus from 1.8.1 to 1.9.0
Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.8.1 to 1.9.0.
- [Release notes](https://github.com/sirupsen/logrus/releases)
- [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sirupsen/logrus/compare/v1.8.1...v1.9.0)

---
updated-dependencies:
- dependency-name: github.com/sirupsen/logrus
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-07-29 14:49:27 +00:00
Akihiro Suda d11f4d756e Merge pull request #3390 from kinvolk/alban_log
seccomp: add support for flags
2022-07-29 23:48:29 +09:00
Kir Kolyshkin 3a5294f039 Merge pull request #3485 from corhere/3181-rdt-init-without-cpuinfo
libct/intelrdt: skip reading /proc/cpuinfo
2022-07-28 12:38:05 -07:00
Cory Snider ea0bd78268 libct/intelrdt: check if available iff configured
Unless the container's runtime config has intelRdt configuration set,
any checks for whether Intel RDT is supported or the resctrl filesystem
is mounted are a waste of time as, per the OCI Runtime Spec, "the
runtime MUST NOT manipulate any resctrl pseudo-filesystems." And in the
likely case where Intel RDT is supported by both the hardware and
kernel but the resctrl filesystem is not mounted, these checks can get
expensive as the intelrdt package needs to parse mountinfo to check
whether the filesystem has been mounted to a non-standard path.
Optimize for the common case of containers with no intelRdt
configuration by only performing the checks when the container has opted
in.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-07-28 12:06:03 -07:00
Cory Snider 56daf36be2 libct/intelrdt: skip remove unless configured
The OCI runtime spec mandates "[i]f intelRdt is not set, the runtime
MUST NOT manipulate any resctrl pseudo-filesystems." Attempting to
delete files counts as manipulating, so stop doing that when the
container's RDT configuration is nil.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-07-28 12:06:03 -07:00
Cory Snider c156bde7cc libct/intelrdt: elide parsing mountinfo
The intelrdt package only needs to parse mountinfo to find the mount
point of the resctrl filesystem. Users are generally going to mount the
resctrl filesystem to the pre-created /sys/fs/resctrl directory, so
there is a common case where mountinfo parsing is not required. Optimize
for the common case with a fast path which checks both for the existence
of the /sys/fs/resctrl directory and whether the resctrl filesystem was
mounted to that path using a single statfs syscall.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-07-28 12:06:03 -07:00
Cory Snider 9f107489b0 libct/intelrdt: skip reading /proc/cpuinfo
Reading /proc/cpuinfo is a surprisingly expensive operation. Since
kernel version 4.12 [1], opening /proc/cpuinfo on an x86 system can
block for around 20 milliseconds while the kernel samples the current
CPU frequency. There is a very recent patch [2] which gets rid of the
delay, but has yet to make it into the mainline kenel. Regardless,
kernels for which opening /proc/cpuinfo takes 20ms will continue to be
run in production for years to come. libcontainer only opens
/proc/cpuinfo to read the processor feature flags so all the delays to
get an accurate snapshot of the CPU frequency are just wasted time.

If we wanted to, we could interrogate the CPU features directly from
userspace using the `CPUID` instruction. However, Intel and AMD CPUs
have flags in different positions for their analogous sub-features and
there are CPU quirks [3] which would need to be accounted for. Some
Haswell server CPUs support RDT/CAT but are missing the `CPUID` flags
advertising their support; the kernel checks for support on that
processor family by probing the the hardware using privileged
RDMSR/WRMSR instructions [4]. This sort of probing could not be
implemented in userspace so it would not be possible to check for RDT
feature support in userspace without false negatives on some hardware
configurations.

It looks like libcontainer reads the CPU feature flags as a kind of
optimization so that it can skip checking whether the kernel supports an
RDT sub-feature if the hardware support is missing. As the kernel only
exposes subtrees in the `resctrl` filesystem for RDT sub-features with
hardware and kernel support, checking the CPU feature flags is redundant
from a correctness point of view. Remove the /proc/cpuinfo check as it
is an optimization which actually hurts performance.

[1]: https://unix.stackexchange.com/a/526679
[2]: https://lore.kernel.org/all/20220415161206.875029458@linutronix.de/
[3]: https://github.com/torvalds/linux/blob/7cf6a8a17f5b134b7e783c2d45c53298faef82a7/arch/x86/kernel/cpu/resctrl/core.c#L834-L851
[4]: https://github.com/torvalds/linux/blob/a6b450573b912316ad36262bfc70e7c3870c56d1/arch/x86/kernel/cpu/resctrl/core.c#L111-L153

Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-07-28 12:06:03 -07:00
Cory Snider 13674f43d3 libct/intelrdt: delete IsMBAScEnabled()
This function is unused, and removing it simplifies the changes which
follow this commit.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-07-28 12:06:03 -07:00
dependabot[bot] d9a3acb9fc build(deps): bump github.com/cilium/ebpf from 0.9.0 to 0.9.1
Bumps [github.com/cilium/ebpf](https://github.com/cilium/ebpf) from 0.9.0 to 0.9.1.
- [Release notes](https://github.com/cilium/ebpf/releases)
- [Commits](https://github.com/cilium/ebpf/compare/v0.9.0...v0.9.1)

---
updated-dependencies:
- dependency-name: github.com/cilium/ebpf
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-07-28 19:05:50 +00:00
Alban Crequy 58ea21daef seccomp: add support for flags
List of seccomp flags defined in runtime-spec:
* SECCOMP_FILTER_FLAG_TSYNC
* SECCOMP_FILTER_FLAG_LOG
* SECCOMP_FILTER_FLAG_SPEC_ALLOW

Note that runc does not apply SECCOMP_FILTER_FLAG_TSYNC. It does not
make sense to apply the seccomp filter on only one thread; other threads
will be terminated after exec anyway.

See similar commit in crun:
https://github.com/containers/crun/commit/fefabffa2816ea343068ed036a86944393db189a

Note that SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV (introduced by
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/commit/?id=c2aa2dfef243
in Linux 5.19-rc1) is not added yet because Linux 5.19 is not released
yet.

Signed-off-by: Alban Crequy <albancrequy@microsoft.com>
2022-07-28 16:25:26 +02:00
Alban Crequy c152e8310f go.mod: update runtime-spec
Signed-off-by: Alban Crequy <albancrequy@microsoft.com>
2022-07-28 16:25:26 +02:00
Aleksa Sarai 6f8cb8b4c1 merge branch 'pr-3539'
Kir Kolyshkin (1):
  CI: workaround CentOS Stream 9 criu issue

LGTMs: AkihiroSuda cyphar
Closes #3539
2022-07-28 21:15:14 +10:00
Kir Kolyshkin 4fd4af5b1c CI: workaround CentOS Stream 9 criu issue
Older criu builds fail to work properly on CentOS Stream 9 due to
changes in glibc's rseq.

Skip criu tests if an older criu version is found.

Fixes: https://github.com/opencontainers/runc/issues/3532

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-07-27 17:51:41 -07:00
Aleksa Sarai c0d44ea9fc merge branch 'pr-3523'
Kir Kolyshkin (1):
  CHANGELOG.md: forward-port 1.1.x changes

LGTMs: AkihiroSuda cyphar
Closes #3523
2022-07-20 14:26:51 +10:00
Kir Kolyshkin 93ad6a8513 Merge pull request #3528 from opencontainers/dependabot/github_actions/actions/cache-3.0.5
build(deps): bump actions/cache from 3.0.4 to 3.0.5
2022-07-14 11:42:51 -07:00
dependabot[bot] 5fd3d09e25 build(deps): bump actions/cache from 3.0.4 to 3.0.5
Bumps [actions/cache](https://github.com/actions/cache) from 3.0.4 to 3.0.5.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v3.0.4...v3.0.5)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-07-14 04:15:30 +00:00
Kir Kolyshkin a776ec9c90 Merge pull request #3525 from zhsj/seccomp-arm64
tests: enable seccomp default action tests on arm
2022-07-11 13:49:34 -07:00
Kir Kolyshkin 7928a0ddf7 Merge pull request #3526 from zhsj/replace-hello-image
tests: replace local hello world bundle with busybox bundle
2022-07-11 13:48:34 -07:00