Commit Graph

6160 Commits

Author SHA1 Message Date
Kir Kolyshkin 18e286261e libct/nsenter: fix extra runc re-exec on tmpfs
After adding some debug info to cloned_binary.c I found out that
is_self_cloned() is not working right when runc binary is on tmpfs,
resulting in one extra re-exec of runc.

With some added debug:

	$ mkdir bin
	$ sudo mount -t tmpfs tmp bin
	$ sudo cp runc bin
	$ sudo ./bin/runc --debug exec xxx true
	DEBU[0000] nsexec[763590]: => is_self_cloned
	DEBU[0000] nsexec[763590]: got seals 1 (want 15)
	DEBU[0000] nsexec[763590]: <= is_self_cloned, is_cloned = 0
	DEBU[0000] nsexec[763590]: try_bindfd: 5
	DEBU[0000] nsexec[763590]: re-exec itself...
	DEBU[0000] nsexec[763590]: => is_self_cloned
	DEBU[0000] nsexec[763590]: got seals 1 (want 15)
	DEBU[0000] nsexec[763590]: <= is_self_cloned, is_cloned = 0
	DEBU[0000] nsexec[763590]: try_bindfd: -1
	DEBU[0000] nsexec[763590]: fallback to make_execfd: 5
	DEBU[0000] nsexec[763590]: re-exec itself...
	DEBU[0000] nsexec[763590]: => is_self_cloned
	DEBU[0000] nsexec[763590]: got seals 15 (want 15)
	DEBU[0000] nsexec[763590]: <= is_self_cloned, is_cloned = 1

From the above, it is seen that
 - `is_self_cloned` returns 0,
 - `try_bindfd` is called and succeeds,
 - runc re-execs itself,
 - the second call to `is_self_cloned` returns 0 again (because GET_SEALS returns 1),
 - runc falls back to `make_execfd`, and re-execs again,
 - finally, the third `is_self_cloned` returns 1.

I guess that the code relied on the following (quoting fcntl(2)):

> Currently, file seals can be applied only to a file descriptor
> returned by memfd_create(2) (if the MFD_ALLOW_SEALING was employed).
> On other filesystems, all fcntl() operations that operate on seals
> will return EINVAL.

It looks like in case of a file on tmpfs it returns 1 (F_SEAL_SEAL).

With the fix:

	DEBU[0000] nsexec[768367]: => is_self_cloned
	DEBU[0000] nsexec[768367]: got seals 1 (want 15)
	DEBU[0000] nsexec[768367]: no CLONED_BINARY_ENV
	DEBU[0000] nsexec[768367]: <= is_self_cloned, is_cloned = 0
	DEBU[0000] nsexec[768367]: try_bindfd: 5
	DEBU[0000] nsexec[768367]: re-exec itself...
	DEBU[0000] nsexec[768367]: => is_self_cloned
	DEBU[0000] nsexec[768367]: got seals 1 (want 15)
	DEBU[0000] nsexec[768367]: fstatfs says ro = 1
	DEBU[0000] nsexec[768367]: fstat says nlink = 1
	DEBU[0000] nsexec[768367]: <= is_self_cloned, is_cloned = 1

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-01-27 08:42:11 -08:00
Sebastiaan van Stijn eddf35e546 Merge pull request #3349 from kolyshkin/list-nits
runc list: fix race with runc delete + nits
2022-01-27 10:30:16 +01:00
Sebastiaan van Stijn ca03eb7c1c Merge pull request #3352 from kolyshkin/misc
Misc nits
2022-01-27 10:24:58 +01:00
Kir Kolyshkin 6e1d476aad runc: remove --criu option
This was introduced in an initial commit, back in the day when criu was
a highly experimental thing. Today it's not; most users who need it have
it packaged by their distro vendor.

The usual way to run a binary is to look it up in directories listed in
$PATH. This is flexible enough and allows for multiple scenarios (custom
binaries, extra binaries, etc.). This is the way criu should be run.

Make --criu a hidden option (thus removing it from help). Remove the
option from man pages, integration tests, etc. Remove all traces of
CriuPath from data structures.

Add a warning that --criu is ignored and will be removed.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-01-26 20:25:56 -08:00
Kir Kolyshkin 485e6c84e7 Fix some revive warnings
This is needed since the future commits will touch this code, and then
the lint-extra CI job complains.

> libcontainer/factory.go#L245
> var-naming: var fdsJson should be fdsJSON (revive)

and

> libcontainer/init_linux.go#L181
> error-strings: error strings should not be capitalized or end with punctuation or a newline (revive)

and

> notify_socket.go#L94
> receiver-naming: receiver name n should be consistent with previous receiver name s for notifySocket (revive)

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-01-26 19:14:14 -08:00
Kir Kolyshkin bb6a838876 libct: initContainer: rename Id -> ID
Since the next commit is going to touch this structure, our CI
(lint-extra) is about to complain about improperly named field:

>  Warning: var-naming: struct field ContainerId should be ContainerID (revive)

Make it happy.

Brought to use by gopls rename.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-01-26 18:59:47 -08:00
Kir Kolyshkin 1b14d97484 libct/configs: rm Windows TODO
It's clear at this point that runc won't support Windows.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-01-26 18:59:47 -08:00
Kir Kolyshkin 76c398f89d libct/README: rm Cgroupfs
This method was removed earlier by commit 097c6d7425,
but the documentation was not updated. Fix it.

Fixes: 097c6d7425
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-01-26 18:59:47 -08:00
Kir Kolyshkin 0fec1c2d8c libct: Mount: rm {Pre,Post}mountCmds
Those were added by commit 59c5c3ac0 back in Apr 2015, but AFAICS were
never used and are obsoleted by more generic container hooks (initially
added by commit 05567f2c94 in Sep 2015).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-01-26 15:51:55 -08:00
Kir Kolyshkin dffb8db7e1 libct: handleCriuConfigurationFile: use utils.SearchLabels
The utils.Annotations was used here before only because it made it
possible to distinguish between "key not found" and "empty value" cases.

With the previous commit, utils.SearchLabels can do that, and so it
makes sense to use it.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-01-26 14:01:11 -08:00
Kir Kolyshkin 3d86d31b9f libct/utils: SearchLabels: optimize
Using strings.Split generates temporary strings for GC to collect.
Rewrite the function to not do that.

Also, add a second return value, so that the caller can distinguish
between an empty value found and no key found cases.

Fix the test accordingly.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-01-26 14:01:11 -08:00
Mrunal Patel 403cda19e4 Merge pull request #3326 from kolyshkin/go118beta
ci: add go 1.18beta1
2022-01-25 16:01:25 -08:00
Kir Kolyshkin 1a3ee4966c list: use Info(), fix race with delete
Since commit 551629417 we can (and should) use Info() to get access to
file stat. Do this.

While going over directory entries, a parallel runc delete can remove
an entry, and with the current code it results in a fatal error (which
was not observed in practice, but looks quite possible). To fix,
add a special case to continue on ErrNotExist.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-01-25 15:34:04 -08:00
Kir Kolyshkin 095929b15e list: getContainers: less indentation
Instead of a huge if {} block, use continue.

Best reviewed with --ignore-all-space.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-01-25 15:31:54 -08:00
Mrunal Patel a1727ef58c Merge pull request #3345 from kolyshkin/rodev
Fix working with read-only /dev
2022-01-25 13:27:36 -08:00
Sebastiaan van Stijn a934123d21 Merge pull request #3319 from kolyshkin/chown-not-needed
libct: Create: rm unneeded chown
2022-01-24 14:55:09 +01:00
Akihiro Suda c9ad96f63e Merge pull request #3335 from kolyshkin/mount-prop-empty-key
libct/specconv: rm empty key from mountPropagationMapping
2022-01-24 16:29:58 +09:00
Akihiro Suda a2805a31e1 Merge pull request #3339 from kolyshkin/rtd-faster-followup
libct/intelrdt: explain why mountinfo is required
2022-01-24 16:29:37 +09:00
Akihiro Suda 4ebd33aa6a Merge pull request #3346 from opencontainers/dependabot/go_modules/github.com/cilium/ebpf-0.8.0
build(deps): bump github.com/cilium/ebpf from 0.7.0 to 0.8.0
2022-01-24 16:28:33 +09:00
dependabot[bot] cb36410868 build(deps): bump github.com/cilium/ebpf from 0.7.0 to 0.8.0
Bumps [github.com/cilium/ebpf](https://github.com/cilium/ebpf) from 0.7.0 to 0.8.0.
- [Release notes](https://github.com/cilium/ebpf/releases)
- [Commits](https://github.com/cilium/ebpf/compare/v0.7.0...v0.8.0)

---
updated-dependencies:
- dependency-name: github.com/cilium/ebpf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-01-24 04:15:07 +00:00
Kir Kolyshkin 146c8c0c62 libct: fixStdioPermissions: ignore EROFS
In case of a read-only /dev, it's better to move on and let whatever is
run in a container to handle any possible errors.

This solves runc exec for a user with read-only /dev.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-01-21 17:53:03 -08:00
Kir Kolyshkin 18c4760aed libct: fixStdioPermissions: skip chown if not needed
Since we already called fstat, we know the current file uid. In case it
is the same as the one we want it to be, there's no point in trying
chown.

Remove the specific /dev/null check, as the above also covers it
(comparing /dev/null uid with itself is true).

This also fixes runc exec with read-only /dev for root user.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-01-21 17:46:10 -08:00
Kir Kolyshkin b7fdb68848 libct: fixStdioPermissions: minor refactoring
Use os/file Chown method instead of bare unix.Fchown as it already have
access to underlying fd, and produces nice-looking errors. This allows
us to remove our error wrapping and some linter annotations.

We still use unix.Fstat since os.Stat access to os-specific fields
like uid/gid is not very straightforward. The only change here is to use
file name (rather than fd) in the error text.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-01-21 17:39:50 -08:00
Aleksa Sarai 2a62093dbb merge branch 'pr-3344'
Kir Kolyshkin (2):
  CHANGELOG: add #3306
  CHANGELOG.md: nit

LGTMs: AkihiroSuda cyphar
Closes #3344
2022-01-21 16:54:29 +11:00
Kir Kolyshkin 2eb6ac5347 CHANGELOG: add #3306
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-01-20 18:47:52 -08:00
Kir Kolyshkin e4d23d50fa CHANGELOG.md: nit
The 1.1.0 "Changed" heading level is not proper.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-01-20 18:42:21 -08:00
Kir Kolyshkin 5e201e7ce2 libct/intelrdt: explain why mountinfo is required
For the Nth time I wanted to replace parsing mountinfo with
statfs and the check for superblock magic, but it is not possible
since some code relies of mount options check which can only
be obtained via mountinfo.

Add a note about it.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-01-20 10:36:45 -08:00
Sebastiaan van Stijn 62133e3840 Merge pull request #3306 from kolyshkin/rdt-faster
Faster Intel RDT init if the feature is unavailable
2022-01-19 11:24:41 +01:00
Aleksa Sarai 17543edd15 merge branch 'pr-3338'
Aleksa Sarai (2):
  VERSION: back to development
  VERSION: release runc v1.1.0

LGTMs: AkihiroSuda thaJeztah hqhq
Closes #3338
2022-01-18 09:44:11 +11:00
Aleksa Sarai d7f7b22a85 VERSION: back to development
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2022-01-17 19:16:33 +11:00
Aleksa Sarai 067aaf8548 VERSION: release runc v1.1.0
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
v1.1.0
2022-01-17 19:16:31 +11:00
Kir Kolyshkin c45eed9a4a libct/specconv: rm empty key from mountPropagationMapping
It is a tad cleaner this way.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-01-07 11:22:22 -08:00
Akihiro Suda c83abc503d Merge pull request #3331 from kolyshkin/nsenter-unsup
Refuse to build runc without nsenter
2022-01-05 14:18:02 +09:00
Kir Kolyshkin c0e300f109 Refuse to build runc without nsenter
Commit 4d1d6185ab added this
nsenter_unsupported.go file in order for nsenter to be a valid (but
empty, non-functional) Go package on unsupported platforms.

As a result, runc can be build successfully without CGO, which results
in a non-working and hard-to-debug binary (see issue 3330).

As the functionality of being able to compile a package which is
definitely not working is questionable, and I can't think of any use
cases, let's remove the file.

With this, runc can no longer be build without CGO:

	[kir@kir-rhat runc]$ CGO_ENABLED=0 make runc
	go build -trimpath "-buildmode=pie"  -tags "seccomp" -ldflags "-X main.gitCommit=v1.0.0-452-g00f56786-dirty -X main.version=1.1.0-rc.1+dev " -o runc .
	go build github.com/opencontainers/runc/libcontainer/nsenter: build constraints exclude all Go files in /home/kir/go/src/github.com/opencontainers/runc/libcontainer/nsenter

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-01-04 15:49:41 -08:00
Akihiro Suda 00f56786bb Merge pull request #3328 from opencontainers/dependabot/go_modules/github.com/checkpoint-restore/go-criu/v5-5.3.0
build(deps): bump github.com/checkpoint-restore/go-criu/v5 from 5.2.0 to 5.3.0
2021-12-23 11:00:22 +09:00
dependabot[bot] e155b3322c build(deps): bump github.com/checkpoint-restore/go-criu/v5
Bumps [github.com/checkpoint-restore/go-criu/v5](https://github.com/checkpoint-restore/go-criu) from 5.2.0 to 5.3.0.
- [Release notes](https://github.com/checkpoint-restore/go-criu/releases)
- [Commits](https://github.com/checkpoint-restore/go-criu/compare/v5.2.0...v5.3.0)

---
updated-dependencies:
- dependency-name: github.com/checkpoint-restore/go-criu/v5
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-12-22 04:18:26 +00:00
Kir Kolyshkin b5cb405629 ci: add go 1.18beta1
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-12-15 17:20:09 -08:00
Kir Kolyshkin 907aefd43c libct: StartInitialization: fix %w related warning
(on Go 1.18 this is actually an error)

> libcontainer/factory_linux.go:341:10: fmt.Errorf format %w has arg e of wrong type interface{}

Unfortunately, fixing it results in an errorlint warning:

> libcontainer/factory_linux.go#L344 non-wrapping format verb for fmt.Errorf. Use `%w` to format errors (errorlint)

so we have to silence that one.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-12-15 17:20:09 -08:00
Akihiro Suda 81044ad7c9 Merge pull request #3325 from kolyshkin/rm-go115
libct/cg: rm go 1.15 compatibility
2021-12-15 11:39:50 +09:00
Kir Kolyshkin 5c7e898186 libct/cg: rm go 1.15 compatibility
Since commit 12e99a0f8d we do require Go >= 1.16, so this file
is no longer needed.

Also, this actually ensures that go >= 1.16 is used (otherwise
libcontainer/cgroups/getallpids.go won't compile).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-12-14 13:08:47 -08:00
Aleksa Sarai 7113a40898 merge branch 'pr-3323'
Aleksa Sarai (2):
  VERSION: back to development
  VERSION: release v1.1.0-rc.1

LGTMs: AkihiroSuda kolyshkin
Closes #3323
2021-12-14 15:27:16 +11:00
Aleksa Sarai 4773769ce1 VERSION: back to development
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-12-14 14:23:02 +11:00
Aleksa Sarai 55df1fc4c8 VERSION: release v1.1.0-rc.1
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
v1.1.0-rc.1
2021-12-14 14:23:00 +11:00
Kir Kolyshkin 6c1e2ecc20 Merge pull request #3320 from cyphar/changelog
CHANGELOG: add an in-repo changelog file
2021-12-13 12:51:14 -08:00
Aleksa Sarai a8f9d5defc CHANGELOG: add an in-repo changelog file
This will make releases much simpler. I've back-filled the changelog
with everything since runc 1.0.0 (there's not much point going further
back than that).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-12-13 13:22:11 +11:00
Kir Kolyshkin 024adbb1b9 libct: Create: rm unneeded chown
Commit 7cfb107f2c started using unix.Geteuid(), unix.Getegid() as
uid/gid argument for chown. It seems that it should have removed chown
entirely, since, according to mkdir(2),

> The newly created directory will be owned by the effective user ID of
> the process. If the directory containing the file has the
> set-group-ID bit set, or if the filesystem is mounted with BSD
> group semantics (mount -o bsdgroups or, synonymously mount -o grpid),
> the new directory will inherit the group ownership from its parent;
> otherwise it will be > owned by the effective group ID of the process.

So, the only effect of the chown after mkdir is ignoring the sgid bit
on the parent directory (which is probably not the right thing to do).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-12-10 18:49:25 -08:00
Aleksa Sarai 7e792c9236 merge branch 'pr-3301'
Kir Kolyshkin (1):
  libct/utils: ResolveRootfs: remove

LGTMs: AkihiroSuda cyphar
Closes #3301
2021-12-09 23:11:12 +11:00
Akihiro Suda 4e56a2b35e Merge pull request #3313 from kolyshkin/int-nits
libct/int: minor improvements
2021-12-09 19:20:59 +09:00
Aleksa Sarai e7dfcc93af Merge pull request #3314 from kolyshkin/seccomp-2.5.3
release: update libseccomp to 2.5.3, minor script fixes
2021-12-09 20:36:54 +11:00
Kir Kolyshkin 6d2067a4bf script/seccomp.sh: fix argc check
This check was always broken, and it slipped through the cracks because
we never run it without additional architectures now.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-12-09 00:59:47 -08:00