Commit Graph

7090 Commits

Author SHA1 Message Date
lifubang 34a928550f test join other container userns with selinux enabled
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-10-25 14:01:05 +08:00
lifubang c78f3f2ea0 libct/nsenter: become root after joining userns
Containerd pre-creates userns and netns before calling runc, which
results in the current code not working when SELinux is enabled,
resulting in the following error:

> runc create failed: unable to start container process: error during
container init: error mounting "mqueue" to rootfs at "/dev/mqueue":
setxattr /path/to/rootfs/dev/mqueue: operation not permitted

The solution is to become root in the user namespace right after
we join it.

Fixes #4466.

Co-authored-by: Wei Fu <fuweid89@gmail.com>
Co-authored-by: Kir Kolyshkin <kolyshkin@gmail.com>
Co-authored-by: Aleksa Sarai <cyphar@cyphar.com>
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-10-25 13:40:49 +08:00
Akihiro Suda e37371ebd7 Merge pull request #4471 from kolyshkin/ci-12
ci: use Go 1.23
2024-10-23 17:11:15 +09:00
dependabot[bot] f22cee6634 Merge pull request #4460 from opencontainers/dependabot/go_modules/github.com/vishvananda/netlink-1.3.0 2024-10-23 07:55:40 +00:00
Aleksa Sarai b69954038c merge #4465 into opencontainers/runc:main
Kir Kolyshkin (1):
  libct: rm x/sys/execabs usage

LGTMs: AkihiroSuda cyphar
2024-10-23 18:52:54 +11:00
Kir Kolyshkin cbb9b309cd ci: use Go 1.23
Where we only use one Go version, let's use Go 1.23.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-23 00:04:17 -07:00
dependabot[bot] 69b3be763a build(deps): bump github.com/vishvananda/netlink from 1.1.0 to 1.3.0
Bumps [github.com/vishvananda/netlink](https://github.com/vishvananda/netlink) from 1.1.0 to 1.3.0.
- [Release notes](https://github.com/vishvananda/netlink/releases)
- [Commits](https://github.com/vishvananda/netlink/compare/v1.1.0...v1.3.0)

---
updated-dependencies:
- dependency-name: github.com/vishvananda/netlink
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-10-23 06:49:47 +00:00
Kir Kolyshkin d123e56739 Merge pull request #4467 from opencontainers/dependabot/go_modules/google.golang.org/protobuf-1.35.1
build(deps): bump google.golang.org/protobuf from 1.33.0 to 1.35.1
2024-10-22 23:49:04 -07:00
Kir Kolyshkin eb2ff52ace libct: rm x/sys/execabs usage
Since Go 1.19, the same functionality is there in os/exec package.
As we require go 1.22 now, there's no need to have this.

This basically reverts commit 9258eac0 ("libct/start: use execabs for
newuidmap lookup").

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-22 23:45:18 -07:00
Kir Kolyshkin 891d8ff63b Merge pull request #4468 from opencontainers/dependabot/go_modules/github.com/opencontainers/selinux-1.11.1
build(deps): bump github.com/opencontainers/selinux from 1.11.0 to 1.11.1
2024-10-22 23:43:57 -07:00
dependabot[bot] f20f273aff build(deps): bump github.com/opencontainers/selinux
Bumps [github.com/opencontainers/selinux](https://github.com/opencontainers/selinux) from 1.11.0 to 1.11.1.
- [Release notes](https://github.com/opencontainers/selinux/releases)
- [Commits](https://github.com/opencontainers/selinux/compare/v1.11.0...v1.11.1)

---
updated-dependencies:
- dependency-name: github.com/opencontainers/selinux
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-10-23 04:20:54 +00:00
dependabot[bot] 139789f1bd build(deps): bump google.golang.org/protobuf from 1.33.0 to 1.35.1
Bumps google.golang.org/protobuf from 1.33.0 to 1.35.1.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-10-23 04:20:52 +00:00
Akihiro Suda e98851de36 Merge pull request #4464 from opencontainers/dependabot/go_modules/github.com/urfave/cli-1.22.16
build(deps): bump github.com/urfave/cli from 1.22.14 to 1.22.16
2024-10-23 10:46:42 +09:00
Akihiro Suda 70efba8239 Merge pull request #4463 from opencontainers/dependabot/go_modules/github.com/moby/sys/mountinfo-0.7.2
build(deps): bump github.com/moby/sys/mountinfo from 0.7.1 to 0.7.2
2024-10-23 10:45:58 +09:00
dependabot[bot] 93db63ab52 build(deps): bump github.com/urfave/cli from 1.22.14 to 1.22.16
Bumps [github.com/urfave/cli](https://github.com/urfave/cli) from 1.22.14 to 1.22.16.
- [Release notes](https://github.com/urfave/cli/releases)
- [Changelog](https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md)
- [Commits](https://github.com/urfave/cli/compare/v1.22.14...v1.22.16)

---
updated-dependencies:
- dependency-name: github.com/urfave/cli
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-10-22 13:23:32 +00:00
dependabot[bot] af024b6c2b build(deps): bump github.com/moby/sys/mountinfo from 0.7.1 to 0.7.2
Bumps [github.com/moby/sys/mountinfo](https://github.com/moby/sys) from 0.7.1 to 0.7.2.
- [Release notes](https://github.com/moby/sys/releases)
- [Commits](https://github.com/moby/sys/compare/signal/v0.7.1...mountinfo/v0.7.2)

---
updated-dependencies:
- dependency-name: github.com/moby/sys/mountinfo
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-10-22 13:23:25 +00:00
Aleksa Sarai d545279974 merge #4458 into opencontainers/runc:main
Aleksa Sarai (2):
  VERSION: back to development
  VERSION: release v1.2.0

LGTMs: AkihiroSuda lifubang hqhq rata
2024-10-22 17:02:21 +11:00
Aleksa Sarai 42f9630578 VERSION: back to development
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-10-22 09:21:47 +11:00
Aleksa Sarai 0b9fa21be2 VERSION: release v1.2.0
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
v1.2.0
2024-10-22 09:21:47 +11:00
Rodrigo Campos 5190d6124b Merge pull request #4452 from lifubang/fix-fd-reuse-race
fix an error caused by fd reuse race when starting runc init
2024-10-21 12:55:03 +02:00
Aleksa Sarai ca45a2c52d merge #4446 into opencontainers/runc:main
Aleksa Sarai (1):
  Revert "increase memory.max in cgroups.bats"

LGTMs: rata cyphar
2024-10-21 19:44:58 +11:00
lfbzhm 568231cc4e Revert "increase memory.max in cgroups.bats"
This reverts commit 65a1074c75.

We needed [1] because when we removed the bindfd logic in [2] we had not
yet moved the binary cloning logic to Go and thus it was necessary to
increase the memory limit in CI because the clone was happening after
joining the cgroup. However, [3] finally moved that code to Go and thus
the cloning is now done outside of the container's cgroup and thus is no
longer accounted as part of the container's memory usage at any point.

Now we can properly support running a simple container with lower memory
usage as we did before.

[1]: commit 65a1074c75 ("increase memory.max in cgroups.bats")
[2]: commit b999376fb2 ("nsenter: cloned_binary: remove bindfd logic entirely")
[3]: commit 0e9a3358f8 ("nsexec: migrate memfd /proc/self/exe logic to Go code")

Signed-off-by: lfbzhm <lifubang@acmcoder.com>
[cyphar: fixed commit messages]
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-10-21 19:34:41 +11:00
lfbzhm e669926691 fix an error caused by fd reuse race when starting runc init
There is a race situation when we are opening a file, if there is a
small fd was closed at that time, maybe it will be reused by safeExe.
Because of Go stdlib fds shuffling bug, if the fd of safeExe is too
small, go stdlib will dup3 it to another fd, or dup3 a other fd to this
fd, then it will cause the fd type cmd.Path refers to a random path,
and it can lead to an error "permission denied" when starting the process.
Please see #4294 and <https://github.com/golang/go/issues/61751>.
So we should not use the original fd of safeExe, but use the fd after
shuffled by Go stdlib. Because Go stdlib will guarantee this fd refers to
the correct file.

Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-10-21 06:53:44 +00:00
Akihiro Suda ca8ca3ce07 Merge pull request #4448 from cyphar/cloned-binary-overlayfs
dmz: use overlayfs to write-protect /proc/self/exe if possible
2024-10-21 04:11:33 +09:00
Akihiro Suda 08faf15106 Merge pull request #4429 from kolyshkin/cap-load
libct/cap: no need to load capabilities
2024-10-21 04:09:07 +09:00
Aleksa Sarai 515f09f7b1 dmz: use overlayfs to write-protect /proc/self/exe if possible
Commit b999376fb2 ("nsenter: cloned_binary: remove bindfd logic
entirely") removed the read-only bind-mount logic from our cloned binary
code because it wasn't really safe because a container with
CAP_SYS_ADMIN could remove the MS_RDONLY bit and get write access to
/proc/self/exe (even with user namespaces this could've been an issue
because it's not clear if the flags are locked).

However, copying a binary does seem to have a minor performance impact.
The only way to have no performance impact would be for the kernel to
block these write attempts, but barring that we could try to reduce the
overhead by coming up with a mount that cannot have it's read-only bits
cleared.

The "simplest" solution is to create a temporary overlayfs using
fsopen(2) which uses the directory where runc exists as a lowerdir,
ensuring that the container cannot access the underlying file -- and we
don't have to do any copies.

While fsopen(2) is not free because mount namespace cloning is usually
expensive (and so it seems like the difference would be marginal), some
basic performance testing seems to indicate there is a ~60% improvement
doing it this way and that it has effectively no overhead even when
compared to just using /proc/self/exe directly:

  % hyperfine --warmup 50 \
  >           "./runc-noclone run -b bundle ctr" \
  >           "./runc-overlayfs run -b bundle ctr" \
  >           "./runc-memfd run -b bundle ctr"

  Benchmark 1: ./runc-noclone run -b bundle ctr
    Time (mean ± σ):      13.7 ms ±   0.9 ms    [User: 6.0 ms, System: 10.9 ms]
    Range (min … max):    11.3 ms …  16.1 ms    184 runs

  Benchmark 2: ./runc-overlayfs run -b bundle ctr
    Time (mean ± σ):      13.9 ms ±   0.9 ms    [User: 6.2 ms, System: 10.8 ms]
    Range (min … max):    11.8 ms …  16.0 ms    180 runs

  Benchmark 3: ./runc-memfd run -b bundle ctr
    Time (mean ± σ):      22.6 ms ±   1.3 ms    [User: 5.7 ms, System: 20.7 ms]
    Range (min … max):    19.9 ms …  26.5 ms    114 runs

  Summary
    ./runc-noclone run -b bundle ctr ran
      1.01 ± 0.09 times faster than ./runc-overlayfs run -b bundle ctr
      1.65 ± 0.15 times faster than ./runc-memfd run -b bundle ctr

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-10-20 21:35:09 +11:00
Aleksa Sarai 8cfbccb6d9 tests: integration: add helper to check if we're in a userns
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-10-20 19:58:49 +11:00
lfbzhm 8bebdbafd8 Merge pull request #4456 from kolyshkin/misc-ci-cleanups
Misc tests/int cleanups
2024-10-18 21:29:53 +08:00
lfbzhm d1b0ae62a9 Merge pull request #4455 from kolyshkin/ci-hotfix
tests/int: skip "update memory vs CheckBeforeUpdate" on EL9
2024-10-18 21:26:32 +08:00
Kir Kolyshkin 54ef07d899 tests/int: skip "update memory vs CheckBeforeUpdate" on EL9
This test case is frequently hanging recently. Might be caused
by a recent kernel update from 5.14.0-427.33.1.el9_4.x86_64 to
5.14.0-427.37.1.el9_4.x86_64.

Could not reproduce locally.

Let's skip it for now.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-17 19:11:01 -07:00
Aleksa Sarai 2664c845c9 merge #4441 into opencontainers/runc:main
Kir Kolyshkin (1):
  libct: rm initWaiter

LGTMs: lifubang cyphar
2024-10-18 13:09:43 +11:00
Kir Kolyshkin ff7753636f tests/int: rm centos-7 exclusion
We no longer run tests on CentOS 7, so this is now useless.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-17 18:08:14 -07:00
Kir Kolyshkin 76a821fab7 tests/int: update info about EL9 kernel
The issue quoted is now fixed, so add some information about the fixed
kernel version, and remove links to older discussions about idmapped
mounts security.

We can actually remove all of it for now, but let's keep it. Change
the skip message to say which kernel is required.

Amends commit b460dc39.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-17 18:08:14 -07:00
Kir Kolyshkin b5bdf592f2 libct: rm initWaiter
This initWaiter logic was introduced by commit 4ecff8d9, but since the logic of
/proc/self/exe was moved out of runc init in commit 0e9a335, this
seems unnecessary to have initWaiter.

Remove it.

This essentially reverts commit 4ecff8d9.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-17 08:05:42 -07:00
Aleksa Sarai d82235c9d0 merge #4444 into opencontainers/runc:main
lifubang (1):
  dmz: cloned binary: set +x permissions when creating regular tmpfile

LGTMs: kolyshkin cyphar
2024-10-15 15:06:30 +11:00
Aleksa Sarai 798ba5cd11 merge #4428 into opencontainers/runc:main
Kir Kolyshkin (2):
  memfd-bind: more specific doc URL
  memfd-bind: fixup systemd unit file and README

LGTMs: rata cyphar
2024-10-15 15:04:22 +11:00
lifubang 9fa324c479 dmz: cloned binary: set +x permissions when creating regular tmpfile
While we did set +x when "sealing" regular temporary files, the "is
executable" checks were done before then and would thus fail, causing
the fallback to not work properly.

So just set +x after we create the file. We already have a O_RDWR handle
open when we do the chmod so we won't get permission issues when writing
to the file.

Fixes: e089db3b4a ("dmz: add fallbacks to handle noexec for O_TMPFILE and mktemp()")

Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-10-14 17:48:18 +08:00
Kir Kolyshkin eff6f049bc libct/cap: no need to load capabilities
We are not really interested in the capabilities of the current process,
so there is no need to load those.

This results in some performance improvement since now the capability
package don't have to parse /proc/self/status.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-09 12:08:44 -07:00
Aleksa Sarai 9112335fb2 merge #4350 into opencontainers/runc:main
Sebastiaan van Stijn (1):
  libcontainer/userns: migrate to github.com/moby/sys/userns

LGTMs: AkihiroSuda lifubang cyphar
2024-10-10 05:59:37 +11:00
Sebastiaan van Stijn 9b60a93cf3 libcontainer/userns: migrate to github.com/moby/sys/userns
The userns package was moved to the moby/sys/userns module
at commit 3778ae603c.

This patch deprecates the old location, and adds it as an alias
for the moby/sys/userns package.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-10-09 22:20:25 +08:00
lfbzhm 8bf5f0d441 Merge pull request #4430 from cyphar/securejoin-v0.3.4
go: update github.com/cyphar/filepath-securejoin to v0.3.4
2024-10-09 17:50:56 +08:00
Aleksa Sarai 1623cde125 go: update github.com/cyphar/filepath-securejoin to v0.3.4
This includes a fix to avoid doing import "testing" in non-_test.go
code.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-10-09 15:13:28 +11:00
Kir Kolyshkin 4fdd56169d memfd-bind: more specific doc URL
Let's point to the relevant README directly in the systemd unit file,
as it is hard to find in the whole nine yards of the runc repo.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-08 13:30:59 -07:00
Kir Kolyshkin 9e5545876e memfd-bind: fixup systemd unit file and README
The example of starting memfd-bind via systemd in README did not work
for me (Fedora 40, systemd 255):

	# systemctl status memfd-bind@/usr/bin/runc
	Invalid unit name "memfd-bind@/usr/bin/runc" escaped as "memfd-bind@-usr-bin-runc" (maybe you should use systemd-escape?).
	○ memfd-bind@-usr-bin-runc.service
	     Loaded: bad-setting (Reason: Unit memfd-bind@-usr-bin-runc.service has a bad unit file setting.)
	     Active: inactive (dead)
	       Docs: https://github.com/opencontainers/runc

So, let's use systemd-escape -p ("path") in the README example,
and use %f in the systemd unit file to prepend the slash to the
filename.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-08 13:30:08 -07:00
Kir Kolyshkin f2d56241d8 Merge pull request #4405 from amghazanfari/main
replace strings.SplitN with strings.Cut
2024-10-04 14:01:23 -07:00
Kir Kolyshkin 84529badb5 Merge pull request #4416 from amghazanfari/change_version
change go minimum version in README
2024-10-04 13:59:53 -07:00
Akihiro Suda db25439c60 Merge pull request #4417 from kolyshkin/fix-mount-leak
runc run: fix mount leak
2024-10-04 10:33:52 +09:00
Kir Kolyshkin 13a6f56097 runc run: fix mount leak
When preparing to mount container root, we need to make its parent mount
private (i.e. disable propagation), otherwise the new in-container
mounts are leaked to the host.

To find a parent mount, we use to read mountinfo and find the longest
entry which can be a parent of the container root directory.

Unfortunately, due to kernel bug in all Linux kernels older than v5.8
(see [1], [2]), sometimes mountinfo can't be read in its entirety. In
this case, getParentMount may occasionally return a wrong parent mount.

As a result, we do not change the mount propagation to private, and
container mounts are leaked.

Alas, we can not fix the kernel, and reading mountinfo a few times to
ensure its consistency (like it's done in, say, Kubernetes) does not
look like a good solution for performance reasons.

Fortunately, we don't need mountinfo. Let's just traverse the directory
tree, trying to remount it private until we find a mount point (any
error other than EINVAL means we just found it).

Fixes issue 2404.

[1]: https://github.com/kolyshkin/procfs-test
[2]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9f6c61f96f2d97cbb5f
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-02 13:58:27 -07:00
lfbzhm c611a2146d Merge pull request #4421 from cyphar/filepath-securejoin-0.3.3
vendor: update github.com/cyphar/filepath-securejoin to v0.3.3
2024-10-01 08:21:39 +08:00
Aleksa Sarai b096459a07 vendor: update github.com/cyphar/filepath-securejoin to v0.3.3
This fixes issues we had with spurious MkdirAll failures.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-09-30 16:26:42 +02:00