Commit Graph

31 Commits

Author SHA1 Message Date
Kir Kolyshkin 6171da6005 libct/configs: add HookList.SetDefaultEnv
1. Make CommandHook.Command a pointer, which reduces the amount of data
   being copied when using hooks, and allows to modify command hooks.

2. Add SetDefaultEnv, which is to be used by the next commit.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-01-09 18:22:53 +08:00
Kir Kolyshkin f9fd70b7ff CHANGELOG: add (forward-port) v1.1.15 changes
Those are taken from commit bc20cb44.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-29 17:08:23 -07:00
Aleksa Sarai 0b9fa21be2 VERSION: release v1.2.0
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-10-22 09:21:47 +11:00
Aleksa Sarai 961b8031f6 VERSION: back to development
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-09-03 11:33:06 +10:00
lifubang 45471bc945 VERSION: release v1.2.0-rc.3
Signed-off-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-09-03 11:29:51 +10:00
Aleksa Sarai 6c24b2e83e changelog: update to include 1.1.14 notes
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-09-03 11:29:21 +10:00
Kir Kolyshkin 8b1c0f7e47 CHANGELOG.md: dedup v1.2.0-rc.2 notes
Remove changes that are already reflected in v1.1.13 changelog:
 - rlimit_nofile fix;
 - rt_period vs rt_runtime fix;
 - gpg vs keyboxd fix;
 - nsexec debug log fix;
 - fips faking;
 - vagrant Fedora 39 bump;
 - golangci-lint bump;
 - x/net bump;
 - centos stream 8 removal;
 - codespell ci fixes.

Compact some of the entries that are related (e.g. about actuated-ci).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-07-01 10:24:22 -07:00
lifubang f2d2ee5e45 VERSION: release 1.2.0-rc.2
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-06-26 20:03:03 +08:00
lfbzhm ad976aa155 put the changelog of v1.1.13 after v1.2.0-rc.1
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-06-19 14:09:02 +00:00
lfbzhm 4e2d7c0a6e update changelog after v1.1.13 released
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-06-13 22:45:00 +00:00
Kir Kolyshkin 4f3319b56d libct: decouple libct/cg/devices
Commit b6967fa84c moved the functionality of managing cgroup devices
into a separate package, and decoupled libcontainer/cgroups from it.

Yet, some software (e.g. cadvisor) may need to use libcontainer package,
which imports libcontainer/cgroups/devices, thus making it impossible to
use libcontainer without bringing in cgroup/devices dependency.

In fact, we only need to manage devices in runc binary, so move the
import to main.go.

The need to import libct/cg/dev in order to manage devices is already
documented in libcontainer/cgroups, but let's
 - update that documentation;
 - add a similar note to libcontainer/cgroups/systemd;
 - add a note to libct README.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-04-17 15:05:38 -07:00
Aleksa Sarai 275e6d85f7 VERSION: release v1.2.0-rc.1
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-04-03 21:43:24 +11:00
Aleksa Sarai fc3e04dc35 changelog: update to include all new changes since 1.1.0
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
[ cyphar: restructuring and removal of outdated or incorrect info ]
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-04-02 15:46:49 +11:00
Aleksa Sarai b47fb3fda4 changelog: sync changelog entries up to runc 1.1.12
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-04-02 15:46:24 +11:00
Aleksa Sarai d4b670fca6 changelog: mention key breaking changes for mount options
Just to make sure we don't forget to fully explain these when we do
-rc1.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-04-02 15:46:23 +11:00
Aleksa Sarai e377e16846 [hotfix] nsenter: refuse to build with Go 1.22 on glibc
We will almost certainly need to eventually rework nsenter to:

 1. Figure out a way to make pthread_self() not break after nsenter runs
    (probably not possible, because the core issue is likely that we are
    ignoring the rules of signal-safety(7)); or
 2. Do an other re-exec of /proc/self/exe to execute the Go half of
    "runc init" -- after we've done the nsenter setup. This would reset
    all of the process state and ensure we have a clean glibc state for
    Go, but it would make runc slower...

For now, just block Go 1.22 builds to avoid having broken runcs floating
around until we resolve the issue. It seems possible for musl to also
have an issue, but it appears to work and so for now just block glibc
builds.

Note that this will only block builds for anything that uses nsenter --
so users of our (internal) libcontainer libraries should be fine. Only
users that are starting containers using nsenter to actually start
containers will see the error (which is precisely what we want).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-04-02 01:59:46 +11:00
Heran Yang 104b8dc951 libct/cg: add swapOnlyUsage in MemoryStats
This field reports swap-only usage. For cgroupv1, `Usage` and `Failcnt`
are set by subtracting memory usage from memory+swap usage. For cgroupv2,
`Usage`, `Limit`, and `MaxUsage` are set. This commit also export `MaxUsage`
of memory under cgroupv2 mode, using `memory.peak` introduced in kernel 5.19.

Signed-off-by: Heran Yang <heran55@126.com>
2023-10-25 09:47:25 +08:00
Alexander Eldeib 7d2becdf2c libct/cg/fs2: use file + anon + swap for usage
This aligns v2 usage calculations more closely with v1.
Current node-level reporting for v1 vs v2 on the same
machine under similar load may differ by ~250-750Mi.

Also return usage as combined swap + memory usage, aligned
with v1 and non-root v2 cgroups.

`mem_cgroup_usage` in the kernel counts NR_FILE_PAGES
+ NR_ANON_MAPPED + `nr_swap_pages` (if swap enabled) [^0].

Using total - free results in higher "usage" numbers.
This is likely due to various types of reclaimable
memory technically counted as in use (e.g. inactive anon).

See also https://github.com/kubernetes/kubernetes/issues/118916 for more context

[^0]: https://github.com/torvalds/linux/blob/06c2afb862f9da8dc5efa4b6076a0e48c3fbaaa5/mm/memcontrol.c#L3673-L3680

Signed-off-by: Alexander Eldeib <alexeldeib@gmail.com>
2023-08-02 15:18:22 +02:00
lifubang 237acdd813 add some important announcements in unreleased section
Signed-off-by: lifubang <lifubang@acmcoder.com>
2023-07-23 18:48:31 +08:00
lifubang d9494fc6b4 CHANGELOG: forward-port 1.1.6-1.1.8 changes
Signed-off-by: lifubang <lifubang@acmcoder.com>
2023-07-23 10:31:34 +08:00
Kir Kolyshkin 9f32ce6a2d CHANGELOG: forward-port 1.1.4 and 1.1.5 changes
...from the tip of release-1.1 branch (commit 060a61c69d).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-03-30 19:46:53 -07:00
Kir Kolyshkin d2a5acd22a CHANGELOG.md: forward-port 1.1.x changes
This is a forward-port of commit 91fa032da4 ("ci: add basic checks for
CHANGELOG.md"), plus whatever changes were made in release-1.1 branch
(up to v1.1.3).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-07-01 15:57:34 -07:00
Aleksa Sarai be6488a5a9 seccomp: enosys: always return -ENOSYS for setup(2) on s390(x)
On s390x, syscalls above 255 are multiplexed using the (now otherwise
unused) setup(2) syscall (syscall number 0). If the kernel supports the
syscall then it will correctly translate the syscall number such that
seccomp will correctly detect it -- however, for unknown syscalls the
syscall number remains unchanged. This can be verified by running the
following program under strace:

	int main(void)
	{
		scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_TRAP);
		seccomp_load(ctx);

		return syscall(439, AT_FDCWD, "asdf", X_OK, 0);
	}

Which will then die with the following signal (on pre-5.8 kernels):

	--- SIGSYS {si_signo=SIGSYS, si_code=SYS_SECCOMP,
	            si_call_addr=0x3ffb3006c22, si_syscall=__NR_setup,
	            si_arch=AUDIT_ARCH_S390X} ---

(Note that the si_syscall is __NR_setup, not __NR_faccessat2.)

As a result, the -ENOSYS handling we had previously did not work
completely correctly on s390x because any syscall not supported by the
kernel would be treated as syscall number 0 rather than the actual
syscall number.

Always returning -ENOSYS will not cause any issues because in all of the
cases where this multiplexing occurs, seccomp will see the remapped
syscall number -- and no userspace program will call setup(2)
intentionally (the syscall has not existed in Linux for decades and was
originally a hack used early in Linux init prior to spawning pid1 -- so
you will get -ENOSYS from the kernel anyway).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2022-05-23 16:36:07 +10:00
Daniel, Dao Quang Minh c6487533f1 Merge pull request #3342 from kolyshkin/cloned-binary
libct/nsenter: fix extra runc re-exec on tmpfs
2022-02-16 16:17:56 +00:00
Kir Kolyshkin 18e286261e libct/nsenter: fix extra runc re-exec on tmpfs
After adding some debug info to cloned_binary.c I found out that
is_self_cloned() is not working right when runc binary is on tmpfs,
resulting in one extra re-exec of runc.

With some added debug:

	$ mkdir bin
	$ sudo mount -t tmpfs tmp bin
	$ sudo cp runc bin
	$ sudo ./bin/runc --debug exec xxx true
	DEBU[0000] nsexec[763590]: => is_self_cloned
	DEBU[0000] nsexec[763590]: got seals 1 (want 15)
	DEBU[0000] nsexec[763590]: <= is_self_cloned, is_cloned = 0
	DEBU[0000] nsexec[763590]: try_bindfd: 5
	DEBU[0000] nsexec[763590]: re-exec itself...
	DEBU[0000] nsexec[763590]: => is_self_cloned
	DEBU[0000] nsexec[763590]: got seals 1 (want 15)
	DEBU[0000] nsexec[763590]: <= is_self_cloned, is_cloned = 0
	DEBU[0000] nsexec[763590]: try_bindfd: -1
	DEBU[0000] nsexec[763590]: fallback to make_execfd: 5
	DEBU[0000] nsexec[763590]: re-exec itself...
	DEBU[0000] nsexec[763590]: => is_self_cloned
	DEBU[0000] nsexec[763590]: got seals 15 (want 15)
	DEBU[0000] nsexec[763590]: <= is_self_cloned, is_cloned = 1

From the above, it is seen that
 - `is_self_cloned` returns 0,
 - `try_bindfd` is called and succeeds,
 - runc re-execs itself,
 - the second call to `is_self_cloned` returns 0 again (because GET_SEALS returns 1),
 - runc falls back to `make_execfd`, and re-execs again,
 - finally, the third `is_self_cloned` returns 1.

I guess that the code relied on the following (quoting fcntl(2)):

> Currently, file seals can be applied only to a file descriptor
> returned by memfd_create(2) (if the MFD_ALLOW_SEALING was employed).
> On other filesystems, all fcntl() operations that operate on seals
> will return EINVAL.

It looks like in case of a file on tmpfs it returns 1 (F_SEAL_SEAL).

With the fix:

	DEBU[0000] nsexec[768367]: => is_self_cloned
	DEBU[0000] nsexec[768367]: got seals 1 (want 15)
	DEBU[0000] nsexec[768367]: no CLONED_BINARY_ENV
	DEBU[0000] nsexec[768367]: <= is_self_cloned, is_cloned = 0
	DEBU[0000] nsexec[768367]: try_bindfd: 5
	DEBU[0000] nsexec[768367]: re-exec itself...
	DEBU[0000] nsexec[768367]: => is_self_cloned
	DEBU[0000] nsexec[768367]: got seals 1 (want 15)
	DEBU[0000] nsexec[768367]: fstatfs says ro = 1
	DEBU[0000] nsexec[768367]: fstat says nlink = 1
	DEBU[0000] nsexec[768367]: <= is_self_cloned, is_cloned = 1

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-01-27 08:42:11 -08:00
Kir Kolyshkin 6e1d476aad runc: remove --criu option
This was introduced in an initial commit, back in the day when criu was
a highly experimental thing. Today it's not; most users who need it have
it packaged by their distro vendor.

The usual way to run a binary is to look it up in directories listed in
$PATH. This is flexible enough and allows for multiple scenarios (custom
binaries, extra binaries, etc.). This is the way criu should be run.

Make --criu a hidden option (thus removing it from help). Remove the
option from man pages, integration tests, etc. Remove all traces of
CriuPath from data structures.

Add a warning that --criu is ignored and will be removed.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-01-26 20:25:56 -08:00
Kir Kolyshkin 2eb6ac5347 CHANGELOG: add #3306
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-01-20 18:47:52 -08:00
Kir Kolyshkin e4d23d50fa CHANGELOG.md: nit
The 1.1.0 "Changed" heading level is not proper.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-01-20 18:42:21 -08:00
Aleksa Sarai 067aaf8548 VERSION: release runc v1.1.0
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2022-01-17 19:16:31 +11:00
Aleksa Sarai 55df1fc4c8 VERSION: release v1.1.0-rc.1
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-12-14 14:23:00 +11:00
Aleksa Sarai a8f9d5defc CHANGELOG: add an in-repo changelog file
This will make releases much simpler. I've back-filled the changelog
with everything since runc 1.0.0 (there's not much point going further
back than that).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-12-13 13:22:11 +11:00