Commit Graph

6595 Commits

Author SHA1 Message Date
lifubang 109dcadd9d fix two typos
Signed-off-by: lifubang <lifubang@acmcoder.com>
2023-10-03 20:08:17 +08:00
Kir Kolyshkin ee45b9bf60 Merge pull request #4034 from AkihiroSuda/fix-goarm
script/lib.sh: set GOARM=5 for armel, GOARM=6 for armhf
2023-09-28 15:40:22 -07:00
Kir Kolyshkin 4d948b1e64 Merge pull request #4035 from Zheaoli/manjusaka/fix-docs
Update feature status in docs
2023-09-27 10:34:53 -07:00
Zheao Li 4b3b7e9973 docs/spec-conformance: update
Since PR 3876 was merged, let's remove time namespace from the list of unimplemented features.

Signed-off-by: Zheao Li <me@manjusaka.me>
2023-09-27 20:24:43 +08:00
Kir Kolyshkin 96a61d3bf0 Merge pull request #4030 from kinvolk/rata/smaller-runc-dmz
libct/dmz: Move comment out of the Makefile rule
2023-09-26 15:04:40 -07:00
Akihiro Suda 531e29e192 script/lib.sh: set GOARM=5 for armel, GOARM=6 for armhf
"armhf" means ARMv7 for Debian, ARMv6 for Raspbian.
ARMv6 is chosen here for compatibility.

https://wiki.debian.org/RaspberryPi

> Raspberry Pi OS builds a single image for all of the Raspberry families,
> so you will get an armhf 32-bit, hard floating-point system, but built
> for the ARMv6 ISA (with VFP2), unlike Debian's ARMv7 ISA (with VFP3)
> port.

Prior to this commit, the script was setting GOARM=6 for armel,
GOARM=7 for armhf.

Fix issue 4033

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2023-09-27 05:48:02 +09:00
Rodrigo Campos 9976be86b3 libct/dmz: Move comment out of the Makefile rule
Otherwise it is shown when compiling, like this:
	# We use the flags suggested in nolibc/nolibc.h, it makes the binary very small.
	gcc  -fno-asynchronous-unwind-tables -fno-ident -s -Os -nostdlib -lgcc -static -o runc-dmz _dmz.c
	strip -gs runc-dmz

Having it before the target is equally clear and will not be shown while
compiling.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2023-09-26 18:46:01 +02:00
Aleksa Sarai 1a8b5588a5 merge #4024 into opencontainers/runc:main
Rodrigo Campos (1):
  libct/dmz: Reduce the binary size using nolibc

LGTMs: AkihiroSuda cyphar
2023-09-27 02:21:59 +10:00
Rodrigo Campos 90f5da651a libct/dmz: Reduce the binary size using nolibc
Linux repo has under `tools/include/nolibc` very simple include files
that we can use to generate very small binaries that don't depend on
libc.

To make things even better, since Linux 6.6 it supports all the
architectures we support in runc, which is just beautiful.

The runc-dmz binary on x86_64 before this patch (on my debian host) was
taking 636K, with this patch it takes only 8K.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2023-09-26 14:55:04 +02:00
Akihiro Suda a32ad76da3 Merge pull request #4018 from jrife/main
Handle kmem.limit_in_bytes removal
2023-09-25 09:53:08 +09:00
Akihiro Suda f235fa6763 Merge pull request #3987 from cyphar/cloned-binary-rework
nsexec: cloned binary rework
2023-09-24 19:27:52 +09:00
Jordan Rife 99469eba3e Handle kmem.limit_in_bytes removal
kmem.limit_in_bytes has been removed in upstream linux and this patch
is queued to be backported to linux 6.1 stable:

- https://lore.kernel.org/linux-mm/20230705134434.GA156754@cmpxchg.org/T/
- https://www.spinics.net/lists/stable-commits/msg316619.html

Without this change to libcontainerd, GetStats() will return an error
on the latest kernel(s). A downstream effect is that Kubernetes's
kubelet does not start up. This fix was tested by ensuring that it
unblocks kubelet startup when running on the latest kernel.

Signed-off-by: Jordan Rife <jrife0@gmail.com>
2023-09-24 02:17:21 +00:00
Aleksa Sarai 90c8d36afe dmz: use sendfile(2) when cloning /proc/self/exe
This results in a 5-20% speedup of dmz.CloneBinary(), depending on the
machine.

io.Copy:

  goos: linux
  goarch: amd64
  pkg: github.com/opencontainers/runc/libcontainer/dmz
  cpu: Intel(R) Core(TM) i5-10210U CPU @ 1.60GHz
  BenchmarkCloneBinary
  BenchmarkCloneBinary-8               139           8075074 ns/op
  PASS
  ok      github.com/opencontainers/runc/libcontainer/dmz 2.286s

unix.Sendfile:

  goos: linux
  goarch: amd64
  pkg: github.com/opencontainers/runc/libcontainer/dmz
  cpu: Intel(R) Core(TM) i5-10210U CPU @ 1.60GHz
  BenchmarkCloneBinary
  BenchmarkCloneBinary-8               192           6382121 ns/op
  PASS
  ok      github.com/opencontainers/runc/libcontainer/dmz 2.415s

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-09-22 15:51:36 +10:00
Aleksa Sarai f8348f64ae tests: integration: add runc-dmz smoke tests
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-09-22 15:38:21 +10:00
Aleksa Sarai 6be763eeaa tests: integration: fix capability setting for CAP_DAC_OVERRIDE
Due to the way capabilities have to be set by runc, capabilities need to
be included in the inheritable and ambient sets anyway. Otherwise, the
container process would not have the correct privileges. This test only
functioned because adding CAP_DAC_OVERRIDE to the inherited,
permissible, and bounding sets means that only "runc init" has these
capabilities -- everything other than the bounding set is cleared on the
first execve(). This breaks with runc-dmz, but the behaviour was broken
from the outset.

Docker appears to not handle this properly at all (the logic for
capability sets changed with the introduction of ambient capabilities,
and while Docker was updated it seems the behaviour is still incorrect
for non-root users).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-09-22 15:38:20 +10:00
Aleksa Sarai b9a4727f54 contrib: memfd-bind: add helper for memfd-sealed-bind trick
This really isn't ideal but it can be used to avoid the largest issues
with the memfd-based runc binary protection. There are several caveats
with using this tool, see the help page for the new binary for details.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-09-22 15:38:20 +10:00
lifubang dac4171746 runc-dmz: reduce memfd binary cloning cost with small C binary
The idea is to remove the need for cloning the entire runc binary by
replacing the final execve() call of the container process with an
execve() call to a clone of a small C binary which just does an execve()
of its arguments.

This provides similar protection against CVE-2019-5736 but without
requiring a >10MB binary copy for each "runc init". When compiled with
musl, runc-dmz is 13kB (though unfortunately with glibc, it is 1.1MB
which is still quite large).

It should be noted that there is still a window where the container
processes could get access to the host runc binary, but because we set
ourselves as non-dumpable the container would need CAP_SYS_PTRACE (which
is not enabled by default in Docker) in order to get around the
proc_fd_access_allowed() checks. In addition, since Linux 4.10[1] the
kernel blocks access entirely for user namespaced containers in this
scenario. For those cases we cannot use runc-dmz, but most containers
won't have this issue.

This new runc-dmz binary can be opted out of at compile time by setting
the "runc_nodmz" buildtag, and at runtime by setting the RUNC_DMZ=legacy
environment variable. In both cases, runc will fall back to the classic
/proc/self/exe-based cloning trick. If /proc/self/exe is already a
sealed memfd (namely if the user is using contrib/cmd/memfd-bind to
create a persistent sealed memfd for runc), neither runc-dmz nor
/proc/self/exe cloning will be used because they are not necessary.

[1]: https://github.com/torvalds/linux/commit/bfedb589252c01fa505ac9f6f2a3d5d68d707ef4

Co-authored-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: lifubang <lifubang@acmcoder.com>
[cyphar: address various review nits]
[cyphar: fix runc-dmz cross-compilation]
[cyphar: embed runc-dmz into runc binary and clone in Go code]
[cyphar: make runc-dmz optional, with fallback to /proc/self/exe cloning]
[cyphar: do not use runc-dmz when the container has certain privs]
Co-authored-by: Aleksa Sarai <cyphar@cyphar.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-09-22 15:38:19 +10:00
Aleksa Sarai e089db3b4a dmz: add fallbacks to handle noexec for O_TMPFILE and mktemp()
Previously, if /var/run was mounted noexec, our cloned binary logic
would not work if memfd_create(2) was not available because we would try
to exec a binary that is on a noexec filesystem.

We cannot guarantee there will be an executable filesystem on the system
(other than mounting one ourselves, which would cause a bunch of other
headaches) but we can at least try the obvious options (/tmp, /bin, and
/). If none of these work, we will have to fail.

Reported-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-09-22 15:13:19 +10:00
Aleksa Sarai 0e9a3358f8 nsexec: migrate memfd /proc/self/exe logic to Go code
This allow us to remove the amount of C code in runc quite
substantially, as well as removing a whole execve(2) from the nsexec
path because we no longer spawn "runc init" only to re-exec "runc init"
after doing the clone.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-09-22 15:13:18 +10:00
Aleksa Sarai 321aa20c49 scripts: add proper 386 and amd64 target triples and builds
We need these to match the Makefile detection of the right gcc for
runc-dmz, as well as making sure that everything builds properly for our
cross-i386 tests. While we're at it, add x86 to the list of build
targets for release builds (presumably nobody will use it, but since we
do test builds of this anyway it probably won't hurt).

In addition, clean up the handling of the native architecture build by
treating it the same as any other build (ensuring that building runc
from a different platform will work the same way regardless of the
native architecture). In practice, the build works the same way as
before.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-09-22 15:13:18 +10:00
Akihiro Suda 1d9b158056 Merge pull request #4017 from thaJeztah/migrate_libcontainer_user
Deprecate libcontainer/user, and migrate to github.com/moby/sys/user
2023-09-21 19:14:59 +09:00
Sebastiaan van Stijn d9ea71bf96 deprecate libcontainer/user
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-19 10:22:29 +02:00
Sebastiaan van Stijn ca32014adb migrate libcontainer/user to github.com/moby/sys/user
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-19 10:22:23 +02:00
Akihiro Suda 1614cab553 Merge pull request #4020 from lifubang/fix-ci-cs9oom
[CI] increase memory.max in cgroups.bats
2023-09-19 11:27:46 +09:00
lifubang 65a1074c75 increase memory.max in cgroups.bats
Signed-off-by: lifubang <lifubang@acmcoder.com>
2023-09-17 09:55:12 +08:00
lfbzhm a3a0ec48c4 Merge pull request #4013 from kinvolk/rata/relax-dst-path-rel
validator: Relax warning for not abs mount dst path
2023-09-12 19:19:40 +08:00
Rodrigo Campos b17c6f237d validator: Relax warning for not abs mount dst path
The runtime spec now allows relative mount dst paths, so remove the
comment saying we will switch this to an error later and change the
error messages to reflect that.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2023-09-11 16:02:41 +02:00
lfbzhm e897a16e1d Merge pull request #4012 from Juneezee/specconv/remove-redundant-nil-check
libct/specconv: remove redundant nil check
2023-09-09 07:32:23 +08:00
Eng Zer Jun c378602bf6 libct/specconv: remove redundant nil check
From the Go specification:

  "1. For a nil slice, the number of iterations is 0." [1]

Therefore, an additional nil check for before the loop is unnecessary.

[1]: https://go.dev/ref/spec#For_range

Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2023-09-08 23:40:51 +08:00
dependabot[bot] dc886433d2 Merge pull request #4011 from opencontainers/dependabot/go_modules/github.com/cyphar/filepath-securejoin-0.2.4 2023-09-07 05:38:18 +00:00
dependabot[bot] c7ad2749fd build(deps): bump github.com/cyphar/filepath-securejoin
Bumps [github.com/cyphar/filepath-securejoin](https://github.com/cyphar/filepath-securejoin) from 0.2.3 to 0.2.4.
- [Release notes](https://github.com/cyphar/filepath-securejoin/releases)
- [Commits](https://github.com/cyphar/filepath-securejoin/compare/v0.2.3...v0.2.4)

---
updated-dependencies:
- dependency-name: github.com/cyphar/filepath-securejoin
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-07 04:30:28 +00:00
Akihiro Suda 6b8a45d16f Merge pull request #3749 from Zheaoli/manjusaka/carry-burst
[Carry #3205] libct/cg: add CFS bandwidth burst for CPU
2023-09-07 00:55:16 +09:00
Akihiro Suda f0eea9926a Merge pull request #4009 from opencontainers/dependabot/go_modules/golang.org/x/net-0.15.0
build(deps): bump golang.org/x/net from 0.14.0 to 0.15.0
2023-09-07 00:48:26 +09:00
Kailun Qin e1584831b6 libct/cg: add CFS bandwidth burst for CPU
Burstable CFS controller is introduced in Linux 5.14. This helps with
parallel workloads that might be bursty. They can get throttled even
when their average utilization is under quota. And they may be latency
sensitive at the same time so that throttling them is undesired.

This feature borrows time now against the future underrun, at the cost
of increased interference against the other system users, by introducing
cfs_burst_us into CFS bandwidth control to enact the cap on unused
bandwidth accumulation, which will then used additionally for burst.

The patch adds the support/control for CFS bandwidth burst.

runtime-spec: https://github.com/opencontainers/runtime-spec/pull/1120

Co-authored-by: Akihiro Suda <suda.kyoto@gmail.com>
Co-authored-by: Nadeshiko Manju <me@manjusaka.me>
Signed-off-by: Kailun Qin <kailun.qin@intel.com>
2023-09-06 23:23:30 +08:00
dependabot[bot] 1fe9447f65 build(deps): bump golang.org/x/net from 0.14.0 to 0.15.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.14.0 to 0.15.0.
- [Commits](https://github.com/golang/net/compare/v0.14.0...v0.15.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-06 04:09:10 +00:00
dependabot[bot] 319b2ba730 Merge pull request #4008 from opencontainers/dependabot/github_actions/actions/checkout-4 2023-09-06 01:21:12 +00:00
dependabot[bot] 2d0cd0b381 build(deps): bump actions/checkout from 3 to 4
Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-05 04:50:22 +00:00
Akihiro Suda a0466dd76f Merge pull request #2868 from thaJeztah/userns_simplify
libcontainer/userns: simplify, and separate from "user" package.
2023-09-04 22:28:52 +09:00
Sebastiaan van Stijn d8e9ed3e08 libcontainer/userns: simplify, and separate from "user" package.
This makes libcontainer/userns self-dependent, largely returning to
the original implementation from lxc. The `uiMapInUserNS` is kept as
a separate function for unit-testing and fuzzing.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-04 10:57:48 +02:00
Akihiro Suda 3b47c5e8de Merge pull request #4006 from opencontainers/dependabot/go_modules/golang.org/x/sys-0.12.0
build(deps): bump golang.org/x/sys from 0.11.0 to 0.12.0
2023-09-04 16:36:20 +09:00
dependabot[bot] 5f05b96ead build(deps): bump golang.org/x/sys from 0.11.0 to 0.12.0
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.11.0 to 0.12.0.
- [Commits](https://github.com/golang/sys/compare/v0.11.0...v0.12.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-04 04:09:40 +00:00
Kir Kolyshkin 8feecba2bb Merge pull request #4004 from hangscer8/fix_file_to_close
Fix File to Close
2023-09-01 10:45:40 -07:00
hang.jiang 937ca107c3 Fix File to Close
Signed-off-by: hang.jiang <hang.jiang@daocloud.io>
2023-09-01 16:17:13 +08:00
lfbzhm 24ae5c258c Merge pull request #3996 from kolyshkin/double-hooks
Fix for host mount ns containers
2023-08-29 10:28:08 +08:00
Kir Kolyshkin e852523885 tests/int: add a test for host mntns vs hooks
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-08-28 12:46:59 -07:00
Kir Kolyshkin 41778ddc2c Fix for host mount ns containers
If the container does not have own mount namespace configured (i.e. it
shares the mount namespace with the host), its "prestart" (obsoleted)
and "createRuntime" hooks are called twice, and its cgroups and Intel
RDT settings are also applied twice.

The code being removed was originally added by commit 2f2764984 ("Move
pre-start hooks after container mounts", Feb 17 2016). At that time,
the syncParentHooks() was called from setupRootfs(), which was only
used when the container config has mount namespace (NEWNS) enabled.

Later, commit 244c9fc426 ("*: console rewrite", Jun 4 2016) spli
the relevant part of setupRootfs() into prepareRootfs(). It was still
called conditionally (only if mount namespace was enabled).

Finally, commit 91ca331474 ("chroot when no mount namespaces is
provided", Jan 25 2018) removed the above condition, meaning
prepareRootfs(), and thus syncParentHooks(), is now called for any
container.

Meaning, the special case for when mount namespace is not enabled is no
longer needed.

Remove it.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-08-28 12:45:39 -07:00
Kir Kolyshkin b322e31b4f Merge pull request #3997 from opencontainers/dependabot/github_actions/tim-actions/commit-message-checker-with-regex-0.3.2
build(deps): bump tim-actions/commit-message-checker-with-regex from 0.3.1 to 0.3.2
2023-08-28 12:32:34 -07:00
dependabot[bot] fe6f33b2c0 build(deps): bump tim-actions/commit-message-checker-with-regex
Bumps [tim-actions/commit-message-checker-with-regex](https://github.com/tim-actions/commit-message-checker-with-regex) from 0.3.1 to 0.3.2.
- [Release notes](https://github.com/tim-actions/commit-message-checker-with-regex/releases)
- [Commits](https://github.com/tim-actions/commit-message-checker-with-regex/compare/v0.3.1...v0.3.2)

---
updated-dependencies:
- dependency-name: tim-actions/commit-message-checker-with-regex
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-08-28 04:21:42 +00:00
Akihiro Suda 0a5cd69462 Merge pull request #3995 from kolyshkin/rm-unix-nolint
bump golangci-lint; remove nolint annotations for unix errno comparisons
2023-08-25 16:54:57 +09:00
lfbzhm 57617e3bec Merge pull request #3869 from kolyshkin/hooks-better-error
Better hooks errors and more tests
2023-08-25 11:42:56 +08:00