Commit Graph

6285 Commits

Author SHA1 Message Date
Akihiro Suda 17922e3612 Merge pull request #3800 from kolyshkin/fp-ch
CHANGELOG: forward-port 1.1.4 and 1.1.5 changes
2023-04-03 18:12:10 +09:00
Kir Kolyshkin ba618705f8 Merge pull request #3797 from kolyshkin/enter-pid
libct/cg: rm EnterPid
2023-03-31 13:01:39 -07:00
Kir Kolyshkin 9f32ce6a2d CHANGELOG: forward-port 1.1.4 and 1.1.5 changes
...from the tip of release-1.1 branch (commit 060a61c69d).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-03-30 19:46:53 -07:00
Kir Kolyshkin 73acc77be5 libct/cg: rm EnterPid
Since commit 39914db679 this function is not used by runc (see
that commit to learn why this function is not that good).

I was not able to find any external users either.

Since it's not a good function, with no users, and it is rather trivial,
let's remove it right away (rather than mark as deprecated).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-03-31 13:33:00 +11:00
Kir Kolyshkin 4ff4904603 Makefile: add verify-changelog as release dependency
... as a way to maybe catch some CHANGELOG.md bugs at the last moment.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 54cfb25d69)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-03-30 19:11:31 -07:00
Kir Kolyshkin b2fc0a589c verify-changelog: allow non-ASCII
Previously (see commit 91fa032da4) we found a few issues
using this check, but apparently the CHANGELOG.md is in UTF-8, and
the recently added quote is breaking this, so remove.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 7b3ac330f7)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-03-30 19:11:11 -07:00
Kir Kolyshkin 8edf478e34 Merge pull request #3798 from kolyshkin/fix-mount-test
Fix mount test
2023-03-30 18:32:27 -07:00
Kir Kolyshkin 370e3be202 tests/int/mounts: only check non-shadowed mounts
This fixes a bogus failure in "ro cgroup" test cases when running as
rootless.

The test finds the following mount that is not read-only:

> cgroup2 /sys/fs/cgroup/unified cgroup2 rw,nosuid,nodev,noexec,relatime,nsdelegate 0 0

This happens because:

1. runc spec --rootless adds an rbind /sys mounts, so we have all the
   /sys/fs/cgroup/XXX mounts inside the container;

2. Those /sys/fs/cgroup/XXX mounts are shadowed by the /sys/fs/cgroup
   tmpfs mount created by mountCgroupV1().

This means that this mount is shadowed, inaccessible, and it can not be
unshadowed, thus it should not be checked.

The fix is to check whether the directory exists, to exclude such
shadowed mounts.

NOTE that item 2 comes from commit ff692f289b60e19b3079cb; before it, we
had the whole hierarchy of host /sys/fs/cgroup visible (though not
writable -- because rootless) from inside of any rootless container.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-03-30 14:45:14 -07:00
Kir Kolyshkin a37109ce02 tests/int/mount: fix issues with ro cgroup test
Fix the following issues with the "ro /sys/fs/cgroup" test:

1. Disable bogus SC2016 warning from shellcheck.

2. Split the test into two -- with and without cgroupns. This is done
   because not all systems have cgroupns available (so the "+cgroupns"
   test will be skipped).

3. This splitting resulted in a few more bogus shellcheck warnings that
   we have to suppress -- due to a known bug in shellcheck (see [1]).

4. s/mount/mounts/ in the test name, because in case of cgroup v1 there
   are multiple mounts.

[1] https://github.com/koalaman/shellcheck/issues/2431

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-03-30 14:44:03 -07:00
Qiang Huang 0d62b950e6 Merge pull request from GHSA-m8cg-xc2p-r3fc
rootless: fix /sys/fs/cgroup mounts
2023-03-29 14:18:15 +08:00
Akihiro Suda 7f3f4bee8a Merge pull request #3753 from kolyshkin/user-exec
Fix runc run "permission denied" when rootless
2023-03-29 00:39:12 +09:00
Akihiro Suda 2b221a6ab7 Merge pull request #3787 from kolyshkin/rec-fixup
mountToRootfs: minor refactor
2023-03-28 12:53:38 +09:00
Kir Kolyshkin 8293ef2e74 tests/int: test for CAP_DAC_OVERRIDE
This is a test case for issue reported as #3715. In short, even if a
(non-root) user that the container is run as does not have execute
permission bit set for the executable, it should still work in case runc
has the CAP_DAC_OVERRIDE capability set.

Note that since the upstream golang is also broken (see [1]), this test
will fail for Go 1.20 and 1.20.1 (fix is in Go 1.20.2 as per [2]).

[1] https://go.dev/issue/58552
[2] https://go-review.googlesource.com/c/go/+/469956

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-03-27 15:16:15 -07:00
Kir Kolyshkin 8491d33482 Fix runc run "permission denied" when rootless
Since commit 957d97bcf4 was made to fix issue [7],
a few things happened:

- a similar functionality appeared in go 1.20 [1], so the issue
  mentioned in the comment (being removed) is no longer true;
- a bug in runc was found [2], which also affects go [3];
- the bug was fixed in go 1.21 [4] and 1.20.2 [5];
- a similar fix was made to x/sys/unix.Faccessat [6].

The essense of [2] is, even if a (non-root) user that the container is
run as does not have execute permission bit set for the executable, it
should still work in case runc has the CAP_DAC_OVERRIDE capability set.

To fix this [2] without reintroducing the older bug [7]:
- drop own Eaccess implementation;
- use the one from x/sys/unix for Go 1.19 (depends on [6]);
- do not use anything when Go 1.20+ is used.

NOTE it is virtually impossible to fix the bug [2] when Go 1.20 or Go
1.20.1 is used because of [3].

A test case is added by a separate commit.

Fixes: #3715.

[1] https://go-review.googlesource.com/c/go/+/414824
[2] https://github.com/opencontainers/runc/issues/3715
[3] https://go.dev/issue/58552
[4] https://go-review.googlesource.com/c/go/+/468735
[5] https://go-review.googlesource.com/c/go/+/469956
[6] https://go-review.googlesource.com/c/sys/+/468877
[7] https://github.com/opencontainers/runc/issues/3520

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-03-27 15:15:48 -07:00
Kir Kolyshkin 99a337f66d Dockefile: bump go go 1.20
Go 1.20.2 has an important fix to an issue described in [1].

Switch from using Go 1.19 from Dockerfile, which is used for release
binaries and some CI.

[1] https://github.com/golang/go/issues/58624

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-03-27 15:13:43 -07:00
Kir Kolyshkin 3e3db2883b Merge pull request #3778 from kolyshkin/skip-flaky-ce7
libct/cg/dev: skip flaky test of CentOS 7
2023-03-27 13:39:36 -07:00
Kir Kolyshkin da98076c97 mountToRootfs: minor refactor
The setRecAttr is only called for "bind" case, as cases end with a
return statement. Indeed, recursive mount attributes only make sense for
bind mounts.

Move the code to under case "bind" to improve readability. No change in
logic.

Fixes: 382eba4354
Reported-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-03-27 12:47:05 -07:00
Akihiro Suda da5047c5d8 Merge pull request #3781 from yanggangtony/fix-typo
fix wrong notes for `const MaxNameLen`
2023-03-26 07:02:40 +09:00
Akihiro Suda 948ef27c7a Merge pull request #3773 from kolyshkin/no-symlinks
Prohibit /proc and /sys to be symlinks
2023-03-25 22:58:27 +09:00
Kir Kolyshkin a7a836effa libct/cg/dev: skip flaky test of CentOS 7
There is some kind of a race in CentOS 7 which sometimes result in one
of these tests failing like this:

    systemd_test.go:136: mkdir /sys/fs/cgroup/hugetlb/system.slice/system-runc_test_pods.slice: no such file or directory

or

    systemd_test.go:187: open /sys/fs/cgroup/cpuset/system.slice/system-runc_test_pods.slice/cpuset.mems: no such file or directory

As this is only happening on CentOS 7, let's skip this test on this
platform.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-03-22 20:01:39 -07:00
yanggang 65df6b91b9 fix wrong notes for const MaxNameLen
Signed-off-by: yanggang <gang.yang@daocloud.io>
2023-03-23 10:31:15 +08:00
Akihiro Suda efad7a3b80 Merge pull request #3735 from kolyshkin/int-fix-flake
libct/int: make TestFdLeaks more robust
2023-03-21 06:15:43 +09:00
Kir Kolyshkin e67dc399ba Merge pull request #3739 from AkihiroSuda/fix-acl
specconv: avoid mapping "acl" to MS_POSIXACL
2023-03-20 14:15:15 -07:00
Akihiro Suda f08b4a9c43 Merge pull request #3775 from opencontainers/dependabot/go_modules/google.golang.org/protobuf-1.30.0
build(deps): bump google.golang.org/protobuf from 1.29.1 to 1.30.0
2023-03-18 19:15:44 +09:00
Kir Kolyshkin 0d72adf96d Prohibit /proc and /sys to be symlinks
Commit 3291d66b98 introduced a check for /proc and /sys, making sure
the destination (dest) is a directory (and not e.g. a symlink).

Later, a hunk from commit 0ca91f44f switched from using filepath.Join
to SecureJoin for dest. As SecureJoin follows and resolves symlinks,
the check whether dest is a symlink no longer works.

To fix, do the check without/before using SecureJoin.

Add integration tests to make sure we won't regress.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-03-17 11:03:44 -07:00
Kir Kolyshkin c6624e66b2 Merge pull request #3772 from kolyshkin/retry-unshare
nsexec: retry unshare on EINVAL
2023-03-17 09:54:14 -07:00
dependabot[bot] 8f0d0c4dc8 build(deps): bump google.golang.org/protobuf from 1.29.1 to 1.30.0
Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go) from 1.29.1 to 1.30.0.
- [Release notes](https://github.com/protocolbuffers/protobuf-go/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash)
- [Commits](https://github.com/protocolbuffers/protobuf-go/compare/v1.29.1...v1.30.0)

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-17 05:00:52 +00:00
Kir Kolyshkin cecb039d24 nsexec: retry unshare on EINVAL
Older kernels may return EINVAL on unshare when a process is reading
runc's /proc/$PID/status or /proc/$PID/maps. This was fixed by kernel
commit 12c641ab8270f ("unshare: Unsharing a thread does not require
unsharing a vm") in Linuxt  v4.3.

For CentOS 7, the fix was backported to CentOS 7.7 (kernel 3.10.0-1062).

To work around this kernel bug, let's retry on EINVAL a few times.

Reported-by: zzyyzte <zhang.yu58@zte.com.cn>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-03-16 10:45:02 -07:00
Kir Kolyshkin 206008ab9c Merge pull request #3767 from AkihiroSuda/fix-issue-template-config
.github/ISSUE_TEMPLATE/config.yml: fix contact links
2023-03-16 10:41:23 -07:00
Kir Kolyshkin 784f583884 Merge pull request #3771 from opencontainers/dependabot/github_actions/actions/setup-go-4
build(deps): bump actions/setup-go from 3 to 4
2023-03-16 10:35:09 -07:00
dependabot[bot] e3cf217cf1 build(deps): bump actions/setup-go from 3 to 4
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 3 to 4.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-16 05:11:04 +00:00
Akihiro Suda b3a68fe77b Merge pull request #3769 from opencontainers/dependabot/go_modules/google.golang.org/protobuf-1.29.1
build(deps): bump google.golang.org/protobuf from 1.29.0 to 1.29.1
2023-03-16 09:40:59 +09:00
dependabot[bot] a7046b8387 build(deps): bump google.golang.org/protobuf from 1.29.0 to 1.29.1
Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go) from 1.29.0 to 1.29.1.
- [Release notes](https://github.com/protocolbuffers/protobuf-go/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash)
- [Commits](https://github.com/protocolbuffers/protobuf-go/compare/v1.29.0...v1.29.1)

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-15 05:10:21 +00:00
Akihiro Suda df4eae457b rootless: fix /sys/fs/cgroup mounts
It was found that rootless runc makes `/sys/fs/cgroup` writable in following conditons:

1. when runc is executed inside the user namespace, and the config.json does not specify the cgroup namespace to be unshared
   (e.g.., `(docker|podman|nerdctl) run --cgroupns=host`, with Rootless Docker/Podman/nerdctl)
2. or, when runc is executed outside the user namespace, and `/sys` is mounted with `rbind, ro`
   (e.g., `runc spec --rootless`; this condition is very rare)

A container may gain the write access to user-owned cgroup hierarchy `/sys/fs/cgroup/user.slice/...` on the host.
Other users's cgroup hierarchies are not affected.

To fix the issue, this commit does:
1. Remount `/sys/fs/cgroup` to apply `MS_RDONLY` when it is being bind-mounted
2. Mask `/sys/fs/cgroup` when the bind source is unavailable

Fix CVE-2023-25809 (GHSA-m8cg-xc2p-r3fc)

Co-authored-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2023-03-14 14:16:25 +09:00
Akihiro Suda afeffb7ea8 .github/ISSUE_TEMPLATE/config.yml: fix contact links
`contact_links` without `about` properties are not shown in
https://github.com/opencontainers/runc/issues/new/choose

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2023-03-10 09:45:41 +09:00
Akihiro Suda d5be3e2605 Merge pull request #3766 from AkihiroSuda/issue-template
Add `.github/ISSUE_TEMPLATE/config.yml`
2023-03-10 09:36:44 +09:00
Kir Kolyshkin 4ec7b90489 Merge pull request #3764 from opencontainers/dependabot/go_modules/google.golang.org/protobuf-1.29.0
build(deps): bump google.golang.org/protobuf from 1.28.1 to 1.29.0
2023-03-09 14:46:39 -08:00
Akihiro Suda 7d940bdf99 Add .github/ISSUE_TEMPLATE/config.yml
After merging this PR, the "Report a security vulnerability" button
will appear in "New issue" screen.

Demo: https://github.com/containerd/nerdctl/issues

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2023-03-10 00:03:41 +09:00
dependabot[bot] 6b41f8ed26 build(deps): bump google.golang.org/protobuf from 1.28.1 to 1.29.0
Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go) from 1.28.1 to 1.29.0.
- [Release notes](https://github.com/protocolbuffers/protobuf-go/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash)
- [Commits](https://github.com/protocolbuffers/protobuf-go/compare/v1.28.1...v1.29.0)

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-09 04:59:44 +00:00
Kir Kolyshkin 6d0261c1ac Merge pull request #3757 from opencontainers/dependabot/go_modules/golang.org/x/net-0.8.0
build(deps): bump golang.org/x/net from 0.7.0 to 0.8.0
2023-03-07 11:00:03 -08:00
dependabot[bot] 6faef164f5 build(deps): bump golang.org/x/net from 0.7.0 to 0.8.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.7.0 to 0.8.0.
- [Release notes](https://github.com/golang/net/releases)
- [Commits](https://github.com/golang/net/compare/v0.7.0...v0.8.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-06 05:03:16 +00:00
Kir Kolyshkin 69225fa919 Merge pull request #3724 from kinvolk/rata/nsexec-fixes
nsexec: Remove bogus kill to stage_2_pid
2023-03-01 15:50:00 -08:00
Kir Kolyshkin 58c192a1be Merge pull request #3661 from Wang-squirrel/dev1
Add support for umask when exec container
2023-02-27 19:33:03 -08:00
Wang-squirrel 7b4c3fc111 Add support for umask when exec container
Signed-off-by: WangXiaoSong <wang.xiaosong1@zte.com.cn>
2023-02-23 10:04:47 +08:00
Kir Kolyshkin f2e71b085d libct/int: make TestFdLeaks more robust
The purpose of this test is to check that there are no extra file
descriptors left open after repeated calls to runContainer. In fact,
the first call to runContainer leaves a few file descriptors opened,
and this is by design.

Previously, this test relied on two things:
1. some other tests were run before it (and thus all such opened-once
   file descriptors are already opened);
2.  explicitly excluding fd opened to /sys/fs/cgroup.

Now, if we run this test separately, it will fail (because of 1 above).
The same may happen if the tests are run in a random order.

To fix this, add a container run before collection the initial fd list,
so those fds that are opened once are included and won't be reported.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-02-22 02:58:47 -08:00
Kir Kolyshkin be7e03940f libct/int: wording nits
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-02-22 02:58:47 -08:00
Kir Kolyshkin 7c75e84e22 libc/int: add/use runContainerOk wrapper
This is to de-duplicate the code that checks that err is nil
and that the exit code is zero.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-02-22 02:58:47 -08:00
Kir Kolyshkin 5a0642d6fd Merge pull request #3728 from AITsygunka/3727-bug-fix
Fix runc crushes when parsing invalid JSON specification file
2023-02-22 02:57:20 -08:00
Akihiro Suda 71f8b2af5c Merge pull request #3734 from kinvolk/rata/nsexec-add-debug-log
nsexec: Add debug logs to send mount sources
2023-02-22 13:19:06 +09:00
Akihiro Suda 7d4fde26f8 Merge pull request #3716 from AkihiroSuda/spec-v1.1.0-rc.1
go:mod: runtime-spec v1.1.0-rc.1; add docs/spec-conformance.md
2023-02-22 09:23:41 +09:00