Commit Graph

6750 Commits

Author SHA1 Message Date
Akihiro Suda 313ec8bcab Merge pull request #4176 from cyphar/cyphar-gpg-key
keyring: update key expiries
2024-01-23 21:18:51 +09:00
lfbzhm 4baaf18cfd Merge pull request #4172 from kinvolk/rata/runc-dmz
Fix runc-dmz error printing
2024-01-22 18:01:27 +08:00
Aleksa Sarai 093c83e13e keyring: update AkihiroSuda key expiry
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-01-22 16:16:17 +11:00
Aleksa Sarai 34eceb21e2 keyring: update cyphar@cyphar.com key expiry
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-01-22 16:15:52 +11:00
Rodrigo Campos fe95a2a06a tests/integration: Test exec failures
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2024-01-21 15:35:46 +01:00
Rodrigo Campos 8afeccc827 libct/dmz: Print execve() errors
This error code is using functions that are present in nolibc too.

When using nolibc, the error is printed like:

	exec /runc.armel: errno=8

When using libc, as its perror() implementation translates the errno to
a message, it is printed like:

	exec /runc.armel: exec format error

Note that when using libc, the error is printed in the same way as
before.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2024-01-21 15:35:46 +01:00
Akihiro Suda 10754b3d68 Merge pull request #4126 from ChHapp/patch-1
check-config.sh: Add CONFIG_NETFILTER_XT_MATCH_COMMENT to check
2024-01-18 11:28:53 +09:00
Akihiro Suda 0c5a735355 Merge pull request #4167 from opencontainers/dependabot/go_modules/golang.org/x/net-0.20.0
build(deps): bump golang.org/x/net from 0.19.0 to 0.20.0
2024-01-09 15:48:28 +09:00
dependabot[bot] b1e3c3c75c build(deps): bump golang.org/x/net from 0.19.0 to 0.20.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.19.0 to 0.20.0.
- [Commits](https://github.com/golang/net/compare/v0.19.0...v0.20.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-09 04:20:08 +00:00
Christian Happ 2a473a7630 Add CONFIG_NETFILTER_XT_MATCH_COMMENT to check
It seems that newer podman versions need the kernel comment flag too.

By podman run, iptables using -m comment in the iptables-command to add the corresponding network rules.

Signed-off-by: Christian Happ <Christian.Happ@jumo.net>
2024-01-08 12:00:08 +01:00
Aleksa Sarai cbd852b330 merge #4152 into opencontainers/runc:main
Akihiro Suda (1):
  script/check-config.sh: check CONFIG_CHECKPOINT_RESTORE

Kir Kolyshkin (4):
  script/check-config.sh: check CONFIG_BLK_CGROUP_IOCOST
  scripts/check-config: fix kernel version checks
  script/check-config: disable colors
  scripts/check-config: don't check MEMCG_SWAP on newer kernels

LGTMs: AkihiroSuda cyphar
2024-01-08 09:50:14 +11:00
Aleksa Sarai c255024a82 merge #4146 into opencontainers/runc:main
Akihiro Suda (1):
  TestCheckpoint: skip on ErrCriuMissingFeatures

LGTMs: cyphar kolyshkin lifubang
2024-01-07 00:32:33 +11:00
dependabot[bot] ab146f2335 Merge pull request #4161 from opencontainers/dependabot/go_modules/golang.org/x/sys-0.16.0 2024-01-05 09:36:48 +00:00
Aleksa Sarai 03f46d7185 merge #4159 into opencontainers/runc:main
lfbzhm (2):
  we have implemented idmapped-mounts with no limitations
  we have supported rsvd hugetlb cgroup

LGTMs: AkihiroSuda cyphar
2024-01-05 20:08:27 +11:00
dependabot[bot] e1e3ca02d9 build(deps): bump golang.org/x/sys from 0.15.0 to 0.16.0
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.15.0 to 0.16.0.
- [Commits](https://github.com/golang/sys/compare/v0.15.0...v0.16.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-05 04:27:10 +00:00
lfbzhm f4f282c259 Merge pull request #4151 from lengrongfu/fix/scheudle-validate
fix scheduler validate
2024-01-05 11:30:06 +08:00
lengrongfu 68438ba272 fix scheduler validate
Signed-off-by: lengrongfu <lenronfu@gmail.com>
2024-01-05 09:50:41 +08:00
lfbzhm 55c9d6bf01 we have implemented idmapped-mounts with no limitations
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-01-04 19:24:21 +08:00
lfbzhm e90d8cb8fe we have supported rsvd hugetlb cgroup
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-01-04 19:24:21 +08:00
Akihiro Suda 827c707823 Merge pull request #4139 from lifubang/fix-clean-remap-rootfs
remove remap-rootfs bin when running make clean
2024-01-04 17:36:08 +09:00
lfbzhm 35988abe20 Merge pull request #4157 from kinvolk/rata/idmap-errormsg
libct: Improve error msg when idmap is not supported
2023-12-29 22:48:53 +08:00
Rodrigo Campos a7c3e07c8f libct: Improve error msg when idmap is not supported
This gives a more clear error message when idmap mounts are not
supported on the source filesystem. For example, a k8s user will see
this now in kubectl describe pod:

	  Warning  Failed     2s (x2 over 4s)  kubelet, 127.0.0.1  Error: failed to create containerd task: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: failed to fulfil mount request: failed to set MOUNT_ATTR_IDMAP on /var/lib/kubelet/pods/f037a704-742c-40fe-8dbf-17ed9225c4df/volumes/kubernetes.io~empty-dir/hugepage: invalid argument (maybe the source filesystem doesn't support idmap mounts on this kernel?): unknown

This gives a hint on where to look at.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2023-12-28 14:15:24 +01:00
Akihiro Suda c48c428b1d Merge pull request #4155 from opencontainers/dependabot/go_modules/google.golang.org/protobuf-1.32.0
build(deps): bump google.golang.org/protobuf from 1.31.0 to 1.32.0
2023-12-26 03:30:33 +09:00
dependabot[bot] 43306be3f0 build(deps): bump google.golang.org/protobuf from 1.31.0 to 1.32.0
Bumps google.golang.org/protobuf from 1.31.0 to 1.32.0.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-12-25 04:35:41 +00:00
Kir Kolyshkin 5a4f52178d script/check-config.sh: check CONFIG_BLK_CGROUP_IOCOST
For `io.weight`

Co-authored-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-12-20 10:07:43 -08:00
Kir Kolyshkin d87366f019 scripts/check-config: fix kernel version checks
Looking at the code, I found out that kernel_lt function was actually
doing le ("less than or equal") rather than lt ("less than") operation.
Let's fix this and do exactly what the name says.

A bigger issue is, the function use was not consistent (some uses
implied "less than or equal").

To fix the usage, find out all relevant kernel commits and kernel
versions that have them (the latter is done using "git describe
--contains $sha"), and fix the wrong cases. While at it, add references
to all these kernel commits for the future generations of
check-config.sh hackers.

Also, add kernel_ge function which is the opposite of kernel_lt,
and document both.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-12-20 10:07:43 -08:00
Akihiro Suda 7f65cc75c7 script/check-config.sh: check CONFIG_CHECKPOINT_RESTORE
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2023-12-20 10:07:43 -08:00
Kir Kolyshkin 6aa4c1a13e script/check-config: disable colors
...when the stdout is not a terminal, and also when NO_COLOR environment
variable is set to any non-empty value (as per no-color.org).

Co-authored-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-12-20 10:06:52 -08:00
Kir Kolyshkin b94b559058 scripts/check-config: don't check MEMCG_SWAP on newer kernels
Kernel commit e55b9f96860f (which made its way into Linux v6.1-rc1)
removes CONFIG_MEMCG_SWAP entirely, so there's no sense to check for in
on newer kernels.

Make the check conditional.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-12-19 17:28:32 -08:00
Akihiro Suda 3f4a73d632 TestCheckpoint: skip on ErrCriuMissingFeatures
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2023-12-19 18:47:03 +09:00
lfbzhm c811308582 remove remap-rootfs bin when running make clean
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2023-12-18 07:20:50 +00:00
lfbzhm 0bbb7e9fcf move the target 'clean' next to 'all'
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2023-12-18 07:20:50 +00:00
Akihiro Suda 29222735a7 Merge pull request #4150 from lifubang/fix-int64err
fix a (u|g)IDMappings type value convertion error
2023-12-18 15:49:02 +09:00
lfbzhm d08ba9ca89 fix a (u|g)IDMappings type value convertion error
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2023-12-18 05:36:10 +00:00
lfbzhm 371ff9c5e7 Merge pull request #3985 from cyphar/idmap-generic
libcontainer: remove all mount logic from nsexec
2023-12-18 13:10:45 +08:00
dependabot[bot] 3878ef5657 Merge pull request #4148 from opencontainers/dependabot/github_actions/actions/upload-artifact-4 2023-12-15 12:09:05 +00:00
dependabot[bot] 7b655782bf build(deps): bump actions/upload-artifact from 3 to 4
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3 to 4.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-12-15 04:57:18 +00:00
lfbzhm a31262c1e3 Merge pull request #4134 from cyphar/ns-path-regression
specconv: temporarily allow userns path and mapping if they match
2023-12-14 12:39:02 +08:00
Aleksa Sarai 482e56379a configs: make id mappings int64 to better handle 32-bit
Using ints for all of our mapping structures means that a 32-bit binary
errors out when trying to parse /proc/self/*id_map:

  failed to cache mappings for userns: failed to parse uid_map of userns /proc/1/ns/user:
  parsing id map failed: invalid format in line "         0          0 4294967295": integer overflow on token 4294967295

This issue was unearthed by commit 1912d5988b ("*: actually support
joining a userns with a new container") but the underlying issue has
been present since the docker/libcontainer days.

In theory, switching to uint32 (to match the spec) instead of int64
would also work, but keeping everything signed seems much less
error-prone. It's also important to note that a mapping might be too
large for an int on 32-bit, so we detect this during the mapping.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-14 12:14:32 +11:00
Aleksa Sarai fa93c8b05b tests: mounts: add some tests to check mount ordering
Our previous implementation of idmapped mounts and bind-mount sources
would open all of the source paths before we did any mounts, meaning
that mounts using sources from inside the container rootfs would not be
correct.

This has been fixed with the new on-demand system, and so add some
regression tests.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-14 11:36:43 +11:00
Aleksa Sarai 3b57e45cbf mount: add support for ridmap and idmap
ridmap indicates that the id mapping should be applied recursively (only
really relevant for rbind mount entries), and idmap indicates that it
should not be applied recursively (the default). If no mappings are
specified for the mount, we use the userns configuration of the
container. This matches the behaviour in the currently-unreleased
runtime-spec.

This includes a minor change to the state.json serialisation format, but
because there has been no released version of runc with commit
fbf183c6f8 ("Add uid and gid mappings to mounts"), we can safely make
this change without affecting running containers. Doing it this way
makes it much easier to handle m.IsIDMapped() and indicating that a
mapping has been specified.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-14 11:36:42 +11:00
Aleksa Sarai 7795ca4668 specconv: handle recursive attribute clearing more consistently
If a user specifies a configuration like "rro, rrw", we should have
similar behaviour to "ro, rw" where we clear the previous flags so that
the last specified flag takes precendence.

Fixes: 382eba4354 ("Support recursive mount attrs ("rro", "rnosuid", "rnodev", ...)")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-14 11:36:42 +11:00
Aleksa Sarai cdff09ab87 rootfs: fix 'can we mount on top of /proc' check
Our previous test for whether we can mount on top of /proc incorrectly
assumed that it would only be called with bind-mount sources. This meant
that having a non bind-mount entry for a pseudo-filesystem (like
overlayfs) with a dummy source set to /proc on the host would let you
bypass the check, which could easily lead to security issues.

In addition, the check should be applied more uniformly to all mount
types, so fix that as well. And add some tests for some of the tricky
cases to make sure we protect against them properly.

Fixes: 331692baa7 ("Only allow proc mount if it is procfs")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-14 11:36:42 +11:00
Aleksa Sarai 8e8b136c49 tree-wide: use /proc/thread-self for thread-local state
With the idmap work, we will have a tainted Go thread in our
thread-group that has a different mount namespace to the other threads.
It seems that (due to some bad luck) the Go scheduler tends to make this
thread the thread-group leader in our tests, which results in very
baffling failures where /proc/self/mountinfo produces gibberish results.

In order to avoid this, switch to using /proc/thread-self for everything
that is thread-local. This primarily includes switching all file
descriptor paths (CLONE_FS), all of the places that check the current
cgroup (technically we never will run a single runc thread in a separate
cgroup, but better to be safe than sorry), and the aforementioned
mountinfo code. We don't need to do anything for the following because
the results we need aren't thread-local:

 * Checks that certain namespaces are supported by stat(2)ing
   /proc/self/ns/...

 * /proc/self/exe and /proc/self/cmdline are not thread-local.

 * While threads can be in different cgroups, we do not do this for the
   runc binary (or libcontainer) and thus we do not need to switch to
   the thread-local version of /proc/self/cgroups.

 * All of the CLONE_NEWUSER files are not thread-local because you
   cannot set the usernamespace of a single thread (setns(CLONE_NEWUSER)
   is blocked for multi-threaded programs).

Note that we have to use runtime.LockOSThread when we have an open
handle to a tid-specific procfs file that we are operating on multiple
times. Go can reschedule us such that we are running on a different
thread and then kill the original thread (causing -ENOENT or similarly
confusing errors). This is not strictly necessary for most usages of
/proc/thread-self (such as using /proc/thread-self/fd/$n directly) since
only operating on the actual inodes associated with the tid requires
this locking, but because of the pre-3.17 fallback for CentOS, we have
to do this in most cases.

In addition, CentOS's kernel is too old for /proc/thread-self, which
requires us to emulate it -- however in rootfs_linux.go, we are in the
container pid namespace but /proc is the host's procfs. This leads to
the incredibly frustrating situation where there is no way (on pre-4.1
Linux) to figure out which /proc/self/task/... entry refers to the
current tid. We can just use /proc/self in this case.

Yes this is all pretty ugly. I also wish it wasn't necessary.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-14 11:36:41 +11:00
Aleksa Sarai a04d88ec73 vendor: update to github.com/moby/sys/mountinfo@v0.7.1
The primary change is a switch to using /proc/thread-self, which is
needed for when we add a CLONE_FS thread to runc.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-14 11:36:41 +11:00
Aleksa Sarai 5ae88daf06 idmap: allow arbitrary idmap mounts regardless of userns configuration
With the rework of nsexec.c to handle MOUNT_ATTR_IDMAP in our Go code we
can now handle arbitrary mappings without issue, so remove the primary
artificial limit of mappings (must use the same mapping as the
container's userns) and add some tests.

We still only support idmap mounts for bind-mounts because configuring
mappings for other filesystems would require switching our entire mount
machinery to the new mount API. The current design would easily allow
for this but we would need to convert new mount options entirely to the
fsopen/fsconfig/fsmount API. This can be done in the future.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-14 11:36:41 +11:00
Aleksa Sarai ba0b5e2698 libcontainer: remove all mount logic from nsexec
With open_tree(OPEN_TREE_CLONE), it is possible to implement both the
id-mapped mounts and bind-mount source file descriptor logic entirely in
Go without requiring any complicated handling from nsexec.

However, implementing it the naive way (do the OPEN_TREE_CLONE in the
host namespace before the rootfs is set up -- which is what the existing
implementation did) exposes issues in how mount ordering (in particular
when handling mount sources from inside the container rootfs, but also
in relation to mount propagation) was handled for idmapped mounts and
bind-mount sources. In order to solve this problem completely, it is
necessary to spawn a thread which joins the container mount namespace
and provides mountfds when requested by the rootfs setup code (ensuring
that the mount order and mount propagation of the source of the
bind-mount are handled correctly). While the need to join the mount
namespace leads to other complicated (such as with the usage of
/proc/self -- fixed in a later patch) the resulting code is still
reasonable and is the only real way to solve the issue.

This allows us to reduce the amount of C code we have in nsexec, as well
as simplifying a whole host of places that were made more complicated
with the addition of id-mapped mounts and the bind sourcefd logic.
Because we join the container namespace, we can continue to use regular
O_PATH file descriptors for non-id-mapped bind-mount sources (which
means we don't have to raise the kernel requirement for that case).

In addition, we can easily add support for id-mappings that don't match
the container's user namespace. The approach taken here is to use Go's
officially supported mechanism for spawning a process in a user
namespace, but (ab)use PTRACE_TRACEME to avoid actually having to exec a
different process. The most efficient way to implement this would be to
do clone() in cgo directly to run a function that just does
kill(getpid(), SIGSTOP) -- we can always switch to that if it turns out
this approach is too slow. It should be noted that the included
micro-benchmark seems to indicate this is Fast Enough(TM):

  goos: linux
  goarch: amd64
  pkg: github.com/opencontainers/runc/libcontainer/userns
  cpu: Intel(R) Core(TM) i5-10210U CPU @ 1.60GHz
  BenchmarkSpawnProc
  BenchmarkSpawnProc-8        1670            770065 ns/op

Fixes: fda12ab101 ("Support idmap mounts on volumes")
Fixes: 9c444070ec ("Open bind mount sources from the host userns")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-14 11:36:40 +11:00
Aleksa Sarai ebcef3e651 specconv: temporarily allow userns path and mapping if they match
It turns out that the error added in commit 09822c3da8 ("configs:
disallow ambiguous userns and timens configurations") causes issues with
containerd and CRIO because they pass both userns mappings and a userns
path.

These configurations are broken, but to avoid the regression in this one
case, output a warning to tell the user that the configuration is
incorrect but we will continue to use it if and only if the configured
mappings are identical to the mappings of the provided namespace.

Fixes: 09822c3da8 ("configs: disallow ambiguous userns and timens configurations")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-10 20:49:43 +11:00
dependabot[bot] 99f7fa1413 Merge pull request #4135 from opencontainers/dependabot/github_actions/actions/setup-go-5 2023-12-07 07:56:45 +00:00
dependabot[bot] e66ba70f50 build(deps): bump actions/setup-go from 4 to 5
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4 to 5.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-12-07 04:18:24 +00:00