Commit Graph

6270 Commits

Author SHA1 Message Date
Akihiro Suda 2b221a6ab7 Merge pull request #3787 from kolyshkin/rec-fixup
mountToRootfs: minor refactor
2023-03-28 12:53:38 +09:00
Kir Kolyshkin 3e3db2883b Merge pull request #3778 from kolyshkin/skip-flaky-ce7
libct/cg/dev: skip flaky test of CentOS 7
2023-03-27 13:39:36 -07:00
Kir Kolyshkin da98076c97 mountToRootfs: minor refactor
The setRecAttr is only called for "bind" case, as cases end with a
return statement. Indeed, recursive mount attributes only make sense for
bind mounts.

Move the code to under case "bind" to improve readability. No change in
logic.

Fixes: 382eba4354
Reported-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-03-27 12:47:05 -07:00
Akihiro Suda da5047c5d8 Merge pull request #3781 from yanggangtony/fix-typo
fix wrong notes for `const MaxNameLen`
2023-03-26 07:02:40 +09:00
Akihiro Suda 948ef27c7a Merge pull request #3773 from kolyshkin/no-symlinks
Prohibit /proc and /sys to be symlinks
2023-03-25 22:58:27 +09:00
Kir Kolyshkin a7a836effa libct/cg/dev: skip flaky test of CentOS 7
There is some kind of a race in CentOS 7 which sometimes result in one
of these tests failing like this:

    systemd_test.go:136: mkdir /sys/fs/cgroup/hugetlb/system.slice/system-runc_test_pods.slice: no such file or directory

or

    systemd_test.go:187: open /sys/fs/cgroup/cpuset/system.slice/system-runc_test_pods.slice/cpuset.mems: no such file or directory

As this is only happening on CentOS 7, let's skip this test on this
platform.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-03-22 20:01:39 -07:00
yanggang 65df6b91b9 fix wrong notes for const MaxNameLen
Signed-off-by: yanggang <gang.yang@daocloud.io>
2023-03-23 10:31:15 +08:00
Akihiro Suda efad7a3b80 Merge pull request #3735 from kolyshkin/int-fix-flake
libct/int: make TestFdLeaks more robust
2023-03-21 06:15:43 +09:00
Kir Kolyshkin e67dc399ba Merge pull request #3739 from AkihiroSuda/fix-acl
specconv: avoid mapping "acl" to MS_POSIXACL
2023-03-20 14:15:15 -07:00
Akihiro Suda f08b4a9c43 Merge pull request #3775 from opencontainers/dependabot/go_modules/google.golang.org/protobuf-1.30.0
build(deps): bump google.golang.org/protobuf from 1.29.1 to 1.30.0
2023-03-18 19:15:44 +09:00
Kir Kolyshkin 0d72adf96d Prohibit /proc and /sys to be symlinks
Commit 3291d66b98 introduced a check for /proc and /sys, making sure
the destination (dest) is a directory (and not e.g. a symlink).

Later, a hunk from commit 0ca91f44f switched from using filepath.Join
to SecureJoin for dest. As SecureJoin follows and resolves symlinks,
the check whether dest is a symlink no longer works.

To fix, do the check without/before using SecureJoin.

Add integration tests to make sure we won't regress.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-03-17 11:03:44 -07:00
Kir Kolyshkin c6624e66b2 Merge pull request #3772 from kolyshkin/retry-unshare
nsexec: retry unshare on EINVAL
2023-03-17 09:54:14 -07:00
dependabot[bot] 8f0d0c4dc8 build(deps): bump google.golang.org/protobuf from 1.29.1 to 1.30.0
Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go) from 1.29.1 to 1.30.0.
- [Release notes](https://github.com/protocolbuffers/protobuf-go/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash)
- [Commits](https://github.com/protocolbuffers/protobuf-go/compare/v1.29.1...v1.30.0)

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-17 05:00:52 +00:00
Kir Kolyshkin cecb039d24 nsexec: retry unshare on EINVAL
Older kernels may return EINVAL on unshare when a process is reading
runc's /proc/$PID/status or /proc/$PID/maps. This was fixed by kernel
commit 12c641ab8270f ("unshare: Unsharing a thread does not require
unsharing a vm") in Linuxt  v4.3.

For CentOS 7, the fix was backported to CentOS 7.7 (kernel 3.10.0-1062).

To work around this kernel bug, let's retry on EINVAL a few times.

Reported-by: zzyyzte <zhang.yu58@zte.com.cn>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-03-16 10:45:02 -07:00
Kir Kolyshkin 206008ab9c Merge pull request #3767 from AkihiroSuda/fix-issue-template-config
.github/ISSUE_TEMPLATE/config.yml: fix contact links
2023-03-16 10:41:23 -07:00
Kir Kolyshkin 784f583884 Merge pull request #3771 from opencontainers/dependabot/github_actions/actions/setup-go-4
build(deps): bump actions/setup-go from 3 to 4
2023-03-16 10:35:09 -07:00
dependabot[bot] e3cf217cf1 build(deps): bump actions/setup-go from 3 to 4
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 3 to 4.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-16 05:11:04 +00:00
Akihiro Suda b3a68fe77b Merge pull request #3769 from opencontainers/dependabot/go_modules/google.golang.org/protobuf-1.29.1
build(deps): bump google.golang.org/protobuf from 1.29.0 to 1.29.1
2023-03-16 09:40:59 +09:00
dependabot[bot] a7046b8387 build(deps): bump google.golang.org/protobuf from 1.29.0 to 1.29.1
Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go) from 1.29.0 to 1.29.1.
- [Release notes](https://github.com/protocolbuffers/protobuf-go/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash)
- [Commits](https://github.com/protocolbuffers/protobuf-go/compare/v1.29.0...v1.29.1)

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-15 05:10:21 +00:00
Akihiro Suda afeffb7ea8 .github/ISSUE_TEMPLATE/config.yml: fix contact links
`contact_links` without `about` properties are not shown in
https://github.com/opencontainers/runc/issues/new/choose

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2023-03-10 09:45:41 +09:00
Akihiro Suda d5be3e2605 Merge pull request #3766 from AkihiroSuda/issue-template
Add `.github/ISSUE_TEMPLATE/config.yml`
2023-03-10 09:36:44 +09:00
Kir Kolyshkin 4ec7b90489 Merge pull request #3764 from opencontainers/dependabot/go_modules/google.golang.org/protobuf-1.29.0
build(deps): bump google.golang.org/protobuf from 1.28.1 to 1.29.0
2023-03-09 14:46:39 -08:00
Akihiro Suda 7d940bdf99 Add .github/ISSUE_TEMPLATE/config.yml
After merging this PR, the "Report a security vulnerability" button
will appear in "New issue" screen.

Demo: https://github.com/containerd/nerdctl/issues

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2023-03-10 00:03:41 +09:00
dependabot[bot] 6b41f8ed26 build(deps): bump google.golang.org/protobuf from 1.28.1 to 1.29.0
Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go) from 1.28.1 to 1.29.0.
- [Release notes](https://github.com/protocolbuffers/protobuf-go/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash)
- [Commits](https://github.com/protocolbuffers/protobuf-go/compare/v1.28.1...v1.29.0)

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-09 04:59:44 +00:00
Kir Kolyshkin 6d0261c1ac Merge pull request #3757 from opencontainers/dependabot/go_modules/golang.org/x/net-0.8.0
build(deps): bump golang.org/x/net from 0.7.0 to 0.8.0
2023-03-07 11:00:03 -08:00
dependabot[bot] 6faef164f5 build(deps): bump golang.org/x/net from 0.7.0 to 0.8.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.7.0 to 0.8.0.
- [Release notes](https://github.com/golang/net/releases)
- [Commits](https://github.com/golang/net/compare/v0.7.0...v0.8.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-06 05:03:16 +00:00
Kir Kolyshkin 69225fa919 Merge pull request #3724 from kinvolk/rata/nsexec-fixes
nsexec: Remove bogus kill to stage_2_pid
2023-03-01 15:50:00 -08:00
Kir Kolyshkin 58c192a1be Merge pull request #3661 from Wang-squirrel/dev1
Add support for umask when exec container
2023-02-27 19:33:03 -08:00
Wang-squirrel 7b4c3fc111 Add support for umask when exec container
Signed-off-by: WangXiaoSong <wang.xiaosong1@zte.com.cn>
2023-02-23 10:04:47 +08:00
Kir Kolyshkin f2e71b085d libct/int: make TestFdLeaks more robust
The purpose of this test is to check that there are no extra file
descriptors left open after repeated calls to runContainer. In fact,
the first call to runContainer leaves a few file descriptors opened,
and this is by design.

Previously, this test relied on two things:
1. some other tests were run before it (and thus all such opened-once
   file descriptors are already opened);
2.  explicitly excluding fd opened to /sys/fs/cgroup.

Now, if we run this test separately, it will fail (because of 1 above).
The same may happen if the tests are run in a random order.

To fix this, add a container run before collection the initial fd list,
so those fds that are opened once are included and won't be reported.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-02-22 02:58:47 -08:00
Kir Kolyshkin be7e03940f libct/int: wording nits
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-02-22 02:58:47 -08:00
Kir Kolyshkin 7c75e84e22 libc/int: add/use runContainerOk wrapper
This is to de-duplicate the code that checks that err is nil
and that the exit code is zero.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-02-22 02:58:47 -08:00
Kir Kolyshkin 5a0642d6fd Merge pull request #3728 from AITsygunka/3727-bug-fix
Fix runc crushes when parsing invalid JSON specification file
2023-02-22 02:57:20 -08:00
Akihiro Suda 71f8b2af5c Merge pull request #3734 from kinvolk/rata/nsexec-add-debug-log
nsexec: Add debug logs to send mount sources
2023-02-22 13:19:06 +09:00
Akihiro Suda 7d4fde26f8 Merge pull request #3716 from AkihiroSuda/spec-v1.1.0-rc.1
go:mod: runtime-spec v1.1.0-rc.1; add docs/spec-conformance.md
2023-02-22 09:23:41 +09:00
Andrey Tsygunka 97ea1255ed Fix runc crushes when parsing invalid JSON
Signed-off-by: Andrey Tsygunka <dreamsider@mail.ru>
2023-02-16 15:45:19 +03:00
Kir Kolyshkin 537645fd52 Merge pull request #3747 from opencontainers/dependabot/go_modules/golang.org/x/net-0.7.0
build(deps): bump golang.org/x/net from 0.6.0 to 0.7.0
2023-02-15 17:31:13 -08:00
dependabot[bot] b3b0bde69b build(deps): bump golang.org/x/net from 0.6.0 to 0.7.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.6.0 to 0.7.0.
- [Release notes](https://github.com/golang/net/releases)
- [Commits](https://github.com/golang/net/compare/v0.6.0...v0.7.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-02-15 04:59:08 +00:00
Akihiro Suda 4e3699c74c Merge pull request #3746 from crazy-max/fix-static-pie
Makefile: fix typo in LDFLAGS_STATIC
2023-02-15 11:35:09 +09:00
CrazyMax 2e44a20280 Makefile: fix typo in LDFLAGS_STATIC
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2023-02-14 21:27:26 +01:00
Kir Kolyshkin b199fb2e3f Merge pull request #3573 from chuanchang/add_tests_for_capabilities
tests: add tests for capabilities
2023-02-13 17:49:54 -08:00
Akihiro Suda 514ea70993 Merge pull request #3740 from kinvolk/rata/fix-basename-test
tests: Fix weird error on centos-9
2023-02-11 22:52:10 +09:00
Akihiro Suda 92a4ccb84e specconv: avoid mapping "acl" to MS_POSIXACL
From https://github.com/torvalds/linux/commit/caaef1ba8c9ee7a54b53dd8bf4bb7e8658185583 :

> In fact SB_POSIXACL is an internal flag, and accepting MS_POSIXACL on
> the mount(2) interface is possibly a bug.

Fix issue 3738

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2023-02-11 22:50:41 +09:00
Rodrigo Campos 2adeb6f952 nsexec: Remove bogus kill to stage_2_pid
stage_2_pid is not yet assigned, so this kills the PID -1, but as
the sane_kill() wrapper is just a nop in that case. Just remove these
calls to kill stage_2_pid before it is cloned/assigned.

I've checked by executing the error paths that no binary is left by mistake.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2023-02-10 16:07:51 +01:00
Rodrigo Campos 4d0a60ca7f tests: Fix weird error on centos-9
centos-9 unit test sometimes fails with:

	=== RUN   TestPodSkipDevicesUpdate
	    systemd_test.go:114: container stderr not empty: basename: missing operand
	        Try 'basename --help' for more information.
	--- FAIL: TestPodSkipDevicesUpdate (0.11s)

I'm not sure why the container output is an error in basename. It seems
likely that the bashrc in that distro is kind of broken. Let's just run
a sleep command and forget about bash.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2023-02-10 14:49:56 +01:00
Rodrigo Campos 2ca3d230e2 nsexec: Add debug logs to send mount sources
I was adding it to new code I was writing, and for completeness I added
to this case too.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2023-02-10 08:25:08 -03:00
Akihiro Suda e412b4e88c docs: add docs/spec-conformance.md
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2023-02-10 12:10:18 +09:00
Akihiro Suda 787fcf09e7 go.mod: github.com/opencontainers/runtime-spec v1.1.0-rc.1
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2023-02-10 12:10:14 +09:00
Kir Kolyshkin 5c2a1a0191 Merge pull request #3733 from opencontainers/dependabot/go_modules/golang.org/x/net-0.6.0
build(deps): bump golang.org/x/net from 0.5.0 to 0.6.0
2023-02-09 18:05:27 -08:00
Kir Kolyshkin aa21df97d0 Merge pull request #3732 from opencontainers/dependabot/go_modules/github.com/opencontainers/selinux-1.11.0
build(deps): bump github.com/opencontainers/selinux from 1.10.2 to 1.11.0
2023-02-09 18:03:54 -08:00