Commit Graph

7117 Commits

Author SHA1 Message Date
lfbzhm 5000f1697c Temporary set vagrant to 2.4.1-1
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-11-06 13:25:06 +00:00
Rodrigo Campos d9eecde965 Merge pull request #4505 from kolyshkin/fedora41
CI: bump Fedora 40 -> 41
2024-11-05 14:38:45 +01:00
Akihiro Suda 9ce7392b59 Vagrantfile.fedora: bump Fedora to 41
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-11-03 10:16:28 -08:00
Kir Kolyshkin 609e9a5134 Vagrantfile.fedora: stop using dnf shell
In Fedora 41, dnf5 is used and it does not have dnf shell. Let's use
old dnf update; dnf install instead. It is two transactions instead
of one, but dnf5 is faster.

While at it:
 - add `--setopt=tsflags=nodocs` as we don't need docs in CI;
 - change golang-go to golang as this is a new rpm name;
 - remove gcc as it is now required by golang-bin;
 - remove container-selinux, criu, fuse-sshfs, iptables from rpms
   as they are already installed.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-11-03 10:15:36 -08:00
Kir Kolyshkin d6e6e7b7ed Merge pull request #4461 from opencontainers/dependabot/go_modules/golang.org/x/net-0.30.0
build(deps): bump golang.org/x/net from 0.24.0 to 0.30.0
2024-11-01 17:59:32 -07:00
dependabot[bot] 80c46d31c4 build(deps): bump golang.org/x/net from 0.24.0 to 0.30.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.24.0 to 0.30.0.
- [Commits](https://github.com/golang/net/compare/v0.24.0...v0.30.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-11-02 00:36:10 +00:00
Kir Kolyshkin fe461d8c23 Merge pull request #4462 from opencontainers/dependabot/go_modules/golang.org/x/sys-0.26.0
build(deps): bump golang.org/x/sys from 0.22.0 to 0.26.0
2024-11-01 17:35:30 -07:00
Akihiro Suda 519a3f1d5c Merge pull request #4357 from kolyshkin/update-swap-v2
runc update: fix updating swap for cgroup v2
2024-11-02 01:54:00 +09:00
Rodrigo Campos bb6aeedaec Merge pull request #4440 from yangzhao02/main
Terminate execution for criu that does not meet version requirements
2024-11-01 15:04:03 +01:00
lfbzhm 82bf6d1cee Merge pull request #4490 from kolyshkin/nits22
Post overlay addition and dmz removal nits
2024-10-30 09:45:36 +08:00
Aleksa Sarai 867917d509 merge #4489 into opencontainers/runc:main
Kir Kolyshkin (1):
  CHANGELOG: add (forward-port) v1.1.15 changes

LGTMs: lifubang cyphar
2024-10-30 12:39:25 +11:00
Kir Kolyshkin 5586d7caa1 libct: rm obsoleted comment
This was added by commit f2f16213e when runc-dmz was still a thing.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-29 17:11:56 -07:00
Kir Kolyshkin f9fd70b7ff CHANGELOG: add (forward-port) v1.1.15 changes
Those are taken from commit bc20cb44.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-29 17:08:23 -07:00
Kir Kolyshkin 8cc7375447 libct: fix a comment
There is a typo in the comment (ClonedBinary should be CloneBinary), and
the code has changed a bit since then, and it makes more sense to refer
to CloneSelfExe now.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-29 16:57:42 -07:00
Kir Kolyshkin ee1bced18c script/check-config.sh: add OVERLAY_FS check
While this is used by the majority of upper container runtimes, it was
not needed for runc itself. Since commit 515f09f7 runc uses overlay,
too, so let's add a check for this.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-29 16:57:25 -07:00
Aleksa Sarai 68bef803eb merge #4482 into opencontainers/runc:main
lifubang (1):
  drop runc-dmz solution according to overlay solution

LGTMs: AkihiroSuda cyphar
2024-10-29 18:14:18 +11:00
Aleksa Sarai f2ec540997 merge #4484 into opencontainers/runc:main
Akihiro Suda (1):
  docs: remove prompt symbols from shell snippets

LGTMs: kolyshkin cyphar
2024-10-29 11:58:35 +11:00
Akihiro Suda c8f5d033c2 docs: remove prompt symbols from shell snippets
Remove prompt symbols (`$`, `%`) for ease of copy-pasting

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-10-29 01:38:24 +09:00
lifubang 871057d863 drop runc-dmz solution according to overlay solution
Because we have the overlay solution, we can drop runc-dmz binary
solution since it has too many limitations.

Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-10-28 15:18:07 +00:00
Rodrigo Campos 4ad9f7fd36 Merge pull request #4432 from kolyshkin/exec-bench
libct/int: add exec benchmark
2024-10-25 10:48:26 +02:00
Aleksa Sarai 22106a4c66 merge #4473 into opencontainers/runc:main
lifubang:
  test join other container userns with selinux enabled
  libct/nsenter: become root after joining userns

LGTMs: AkihiroSuda cyphar
2024-10-25 18:22:08 +11:00
lifubang 34a928550f test join other container userns with selinux enabled
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-10-25 14:01:05 +08:00
lifubang c78f3f2ea0 libct/nsenter: become root after joining userns
Containerd pre-creates userns and netns before calling runc, which
results in the current code not working when SELinux is enabled,
resulting in the following error:

> runc create failed: unable to start container process: error during
container init: error mounting "mqueue" to rootfs at "/dev/mqueue":
setxattr /path/to/rootfs/dev/mqueue: operation not permitted

The solution is to become root in the user namespace right after
we join it.

Fixes #4466.

Co-authored-by: Wei Fu <fuweid89@gmail.com>
Co-authored-by: Kir Kolyshkin <kolyshkin@gmail.com>
Co-authored-by: Aleksa Sarai <cyphar@cyphar.com>
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-10-25 13:40:49 +08:00
Kir Kolyshkin 1e674098f5 libct/int: add exec benchmark
This is a benchmark which checks how fast we can execute /bin/true
inside a container.

Results from my machine are below. As you can see, in default setup
about 70% of exec time is spent for CVE-2019-5736 (copying runc binary),
and using either RUNC_DMZ=true or memfd-bind helps a lot.

This can also be used for profiling (using -test.cpuprofile option).

=== Default setup ===

[kir@kir-tp1 integration]$ sudo ./integration.test -test.run xxx -test.v -test.benchtime 5s -test.count 5 -test.bench . .
goos: linux
goarch: amd64
pkg: github.com/opencontainers/runc/libcontainer/integration
cpu: 12th Gen Intel(R) Core(TM) i7-12800H
BenchmarkExecTrue
BenchmarkExecTrue-20    	     327	  24475677 ns/op
BenchmarkExecTrue-20    	     244	  25242718 ns/op
BenchmarkExecTrue-20    	     232	  26187174 ns/op
BenchmarkExecTrue-20    	     237	  26780030 ns/op
BenchmarkExecTrue-20    	     318	  18487219 ns/op
PASS

=== With DMZ enabled ===

[kir@kir-tp1 integration]$ sudo -E RUNC_DMZ=true ./integration.test -test.run xxx -test.v -test.benchtime 5s -test.count 5 -test.bench . .
goos: linux
goarch: amd64
pkg: github.com/opencontainers/runc/libcontainer/integration
cpu: 12th Gen Intel(R) Core(TM) i7-12800H
BenchmarkExecTrue
BenchmarkExecTrue-20    	     694	   8263744 ns/op
BenchmarkExecTrue-20    	     778	   8483228 ns/op
BenchmarkExecTrue-20    	     784	   8456018 ns/op
BenchmarkExecTrue-20    	     732	   8160239 ns/op
BenchmarkExecTrue-20    	     769	   8236972 ns/op
PASS

=== With memfd-bind ===

[kir@kir-tp1 integration]$ sudo systemctl start  memfd-bind@$(systemd-escape -p $PWD/integration.test)
[kir@kir-tp1 integration]$ sudo ./integration.test -test.run xxx -test.v -test.benchtime 5s -test.count 5 -test.bench . .
goos: linux
goarch: amd64
pkg: github.com/opencontainers/runc/libcontainer/integration
cpu: 12th Gen Intel(R) Core(TM) i7-12800H
BenchmarkExecTrue
BenchmarkExecTrue-20    	     800	   7538839 ns/op
BenchmarkExecTrue-20    	     717	   7424755 ns/op
BenchmarkExecTrue-20    	     848	   7747787 ns/op
BenchmarkExecTrue-20    	     800	   7668740 ns/op
BenchmarkExecTrue-20    	     751	   7304373 ns/op
PASS

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-24 13:39:26 -07:00
Kir Kolyshkin cb20148703 libct/int: use testing.TB for utils
...so that they can be used for benchmarks, too.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-24 13:39:26 -07:00
Akihiro Suda e37371ebd7 Merge pull request #4471 from kolyshkin/ci-12
ci: use Go 1.23
2024-10-23 17:11:15 +09:00
dependabot[bot] 4df7b1b199 build(deps): bump golang.org/x/sys from 0.22.0 to 0.26.0
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.22.0 to 0.26.0.
- [Commits](https://github.com/golang/sys/compare/v0.22.0...v0.26.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-10-23 07:56:22 +00:00
dependabot[bot] f22cee6634 Merge pull request #4460 from opencontainers/dependabot/go_modules/github.com/vishvananda/netlink-1.3.0 2024-10-23 07:55:40 +00:00
Aleksa Sarai b69954038c merge #4465 into opencontainers/runc:main
Kir Kolyshkin (1):
  libct: rm x/sys/execabs usage

LGTMs: AkihiroSuda cyphar
2024-10-23 18:52:54 +11:00
Kir Kolyshkin cbb9b309cd ci: use Go 1.23
Where we only use one Go version, let's use Go 1.23.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-23 00:04:17 -07:00
Kir Kolyshkin 732806e24c runc update: fix updating swap for cgroup v2
This allows to do

	runc update $ID --memory=-1 --memory-swap=$VAL

for cgroup v2, i.e. set memory to unlimited and swap to a specific
value.

This was not possible because ConvertMemorySwapToCgroupV2Value rejected
memory=-1 ("unlimited"). In a hindsight, it was a mistake, because if
memory limit is unlimited, we should treat memory+swap limit as just swap
limit.

Revise the unit test; add description to each case.

Fixes: c86be8a2 ("cgroupv2: fix setting MemorySwap")
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-22 23:51:23 -07:00
Kir Kolyshkin cb9f3d6d14 libct/cg: improve ConvertMemorySwapToCgroupV2Value
Improve readability of ConvertMemorySwapToCgroupV2Value by switching
from a bunch of if statements to a switch, and adding a comment
describing each case.

No functional change.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-22 23:51:23 -07:00
dependabot[bot] 69b3be763a build(deps): bump github.com/vishvananda/netlink from 1.1.0 to 1.3.0
Bumps [github.com/vishvananda/netlink](https://github.com/vishvananda/netlink) from 1.1.0 to 1.3.0.
- [Release notes](https://github.com/vishvananda/netlink/releases)
- [Commits](https://github.com/vishvananda/netlink/compare/v1.1.0...v1.3.0)

---
updated-dependencies:
- dependency-name: github.com/vishvananda/netlink
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-10-23 06:49:47 +00:00
Kir Kolyshkin d123e56739 Merge pull request #4467 from opencontainers/dependabot/go_modules/google.golang.org/protobuf-1.35.1
build(deps): bump google.golang.org/protobuf from 1.33.0 to 1.35.1
2024-10-22 23:49:04 -07:00
Kir Kolyshkin eb2ff52ace libct: rm x/sys/execabs usage
Since Go 1.19, the same functionality is there in os/exec package.
As we require go 1.22 now, there's no need to have this.

This basically reverts commit 9258eac0 ("libct/start: use execabs for
newuidmap lookup").

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-22 23:45:18 -07:00
Kir Kolyshkin 891d8ff63b Merge pull request #4468 from opencontainers/dependabot/go_modules/github.com/opencontainers/selinux-1.11.1
build(deps): bump github.com/opencontainers/selinux from 1.11.0 to 1.11.1
2024-10-22 23:43:57 -07:00
dependabot[bot] f20f273aff build(deps): bump github.com/opencontainers/selinux
Bumps [github.com/opencontainers/selinux](https://github.com/opencontainers/selinux) from 1.11.0 to 1.11.1.
- [Release notes](https://github.com/opencontainers/selinux/releases)
- [Commits](https://github.com/opencontainers/selinux/compare/v1.11.0...v1.11.1)

---
updated-dependencies:
- dependency-name: github.com/opencontainers/selinux
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-10-23 04:20:54 +00:00
dependabot[bot] 139789f1bd build(deps): bump google.golang.org/protobuf from 1.33.0 to 1.35.1
Bumps google.golang.org/protobuf from 1.33.0 to 1.35.1.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-10-23 04:20:52 +00:00
Akihiro Suda e98851de36 Merge pull request #4464 from opencontainers/dependabot/go_modules/github.com/urfave/cli-1.22.16
build(deps): bump github.com/urfave/cli from 1.22.14 to 1.22.16
2024-10-23 10:46:42 +09:00
Akihiro Suda 70efba8239 Merge pull request #4463 from opencontainers/dependabot/go_modules/github.com/moby/sys/mountinfo-0.7.2
build(deps): bump github.com/moby/sys/mountinfo from 0.7.1 to 0.7.2
2024-10-23 10:45:58 +09:00
dependabot[bot] 93db63ab52 build(deps): bump github.com/urfave/cli from 1.22.14 to 1.22.16
Bumps [github.com/urfave/cli](https://github.com/urfave/cli) from 1.22.14 to 1.22.16.
- [Release notes](https://github.com/urfave/cli/releases)
- [Changelog](https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md)
- [Commits](https://github.com/urfave/cli/compare/v1.22.14...v1.22.16)

---
updated-dependencies:
- dependency-name: github.com/urfave/cli
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-10-22 13:23:32 +00:00
dependabot[bot] af024b6c2b build(deps): bump github.com/moby/sys/mountinfo from 0.7.1 to 0.7.2
Bumps [github.com/moby/sys/mountinfo](https://github.com/moby/sys) from 0.7.1 to 0.7.2.
- [Release notes](https://github.com/moby/sys/releases)
- [Commits](https://github.com/moby/sys/compare/signal/v0.7.1...mountinfo/v0.7.2)

---
updated-dependencies:
- dependency-name: github.com/moby/sys/mountinfo
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-10-22 13:23:25 +00:00
Aleksa Sarai d545279974 merge #4458 into opencontainers/runc:main
Aleksa Sarai (2):
  VERSION: back to development
  VERSION: release v1.2.0

LGTMs: AkihiroSuda lifubang hqhq rata
2024-10-22 17:02:21 +11:00
Aleksa Sarai 42f9630578 VERSION: back to development
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-10-22 09:21:47 +11:00
Aleksa Sarai 0b9fa21be2 VERSION: release v1.2.0
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
v1.2.0
2024-10-22 09:21:47 +11:00
Rodrigo Campos 5190d6124b Merge pull request #4452 from lifubang/fix-fd-reuse-race
fix an error caused by fd reuse race when starting runc init
2024-10-21 12:55:03 +02:00
Aleksa Sarai ca45a2c52d merge #4446 into opencontainers/runc:main
Aleksa Sarai (1):
  Revert "increase memory.max in cgroups.bats"

LGTMs: rata cyphar
2024-10-21 19:44:58 +11:00
lfbzhm 568231cc4e Revert "increase memory.max in cgroups.bats"
This reverts commit 65a1074c75.

We needed [1] because when we removed the bindfd logic in [2] we had not
yet moved the binary cloning logic to Go and thus it was necessary to
increase the memory limit in CI because the clone was happening after
joining the cgroup. However, [3] finally moved that code to Go and thus
the cloning is now done outside of the container's cgroup and thus is no
longer accounted as part of the container's memory usage at any point.

Now we can properly support running a simple container with lower memory
usage as we did before.

[1]: commit 65a1074c75 ("increase memory.max in cgroups.bats")
[2]: commit b999376fb2 ("nsenter: cloned_binary: remove bindfd logic entirely")
[3]: commit 0e9a3358f8 ("nsexec: migrate memfd /proc/self/exe logic to Go code")

Signed-off-by: lfbzhm <lifubang@acmcoder.com>
[cyphar: fixed commit messages]
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-10-21 19:34:41 +11:00
lfbzhm e669926691 fix an error caused by fd reuse race when starting runc init
There is a race situation when we are opening a file, if there is a
small fd was closed at that time, maybe it will be reused by safeExe.
Because of Go stdlib fds shuffling bug, if the fd of safeExe is too
small, go stdlib will dup3 it to another fd, or dup3 a other fd to this
fd, then it will cause the fd type cmd.Path refers to a random path,
and it can lead to an error "permission denied" when starting the process.
Please see #4294 and <https://github.com/golang/go/issues/61751>.
So we should not use the original fd of safeExe, but use the fd after
shuffled by Go stdlib. Because Go stdlib will guarantee this fd refers to
the correct file.

Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-10-21 06:53:44 +00:00
Akihiro Suda ca8ca3ce07 Merge pull request #4448 from cyphar/cloned-binary-overlayfs
dmz: use overlayfs to write-protect /proc/self/exe if possible
2024-10-21 04:11:33 +09:00