Commit Graph

6720 Commits

Author SHA1 Message Date
Kir Kolyshkin 6aa4c1a13e script/check-config: disable colors
...when the stdout is not a terminal, and also when NO_COLOR environment
variable is set to any non-empty value (as per no-color.org).

Co-authored-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-12-20 10:06:52 -08:00
Kir Kolyshkin b94b559058 scripts/check-config: don't check MEMCG_SWAP on newer kernels
Kernel commit e55b9f96860f (which made its way into Linux v6.1-rc1)
removes CONFIG_MEMCG_SWAP entirely, so there's no sense to check for in
on newer kernels.

Make the check conditional.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-12-19 17:28:32 -08:00
Akihiro Suda 29222735a7 Merge pull request #4150 from lifubang/fix-int64err
fix a (u|g)IDMappings type value convertion error
2023-12-18 15:49:02 +09:00
lfbzhm d08ba9ca89 fix a (u|g)IDMappings type value convertion error
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2023-12-18 05:36:10 +00:00
lfbzhm 371ff9c5e7 Merge pull request #3985 from cyphar/idmap-generic
libcontainer: remove all mount logic from nsexec
2023-12-18 13:10:45 +08:00
dependabot[bot] 3878ef5657 Merge pull request #4148 from opencontainers/dependabot/github_actions/actions/upload-artifact-4 2023-12-15 12:09:05 +00:00
dependabot[bot] 7b655782bf build(deps): bump actions/upload-artifact from 3 to 4
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3 to 4.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-12-15 04:57:18 +00:00
lfbzhm a31262c1e3 Merge pull request #4134 from cyphar/ns-path-regression
specconv: temporarily allow userns path and mapping if they match
2023-12-14 12:39:02 +08:00
Aleksa Sarai 482e56379a configs: make id mappings int64 to better handle 32-bit
Using ints for all of our mapping structures means that a 32-bit binary
errors out when trying to parse /proc/self/*id_map:

  failed to cache mappings for userns: failed to parse uid_map of userns /proc/1/ns/user:
  parsing id map failed: invalid format in line "         0          0 4294967295": integer overflow on token 4294967295

This issue was unearthed by commit 1912d5988b ("*: actually support
joining a userns with a new container") but the underlying issue has
been present since the docker/libcontainer days.

In theory, switching to uint32 (to match the spec) instead of int64
would also work, but keeping everything signed seems much less
error-prone. It's also important to note that a mapping might be too
large for an int on 32-bit, so we detect this during the mapping.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-14 12:14:32 +11:00
Aleksa Sarai fa93c8b05b tests: mounts: add some tests to check mount ordering
Our previous implementation of idmapped mounts and bind-mount sources
would open all of the source paths before we did any mounts, meaning
that mounts using sources from inside the container rootfs would not be
correct.

This has been fixed with the new on-demand system, and so add some
regression tests.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-14 11:36:43 +11:00
Aleksa Sarai 3b57e45cbf mount: add support for ridmap and idmap
ridmap indicates that the id mapping should be applied recursively (only
really relevant for rbind mount entries), and idmap indicates that it
should not be applied recursively (the default). If no mappings are
specified for the mount, we use the userns configuration of the
container. This matches the behaviour in the currently-unreleased
runtime-spec.

This includes a minor change to the state.json serialisation format, but
because there has been no released version of runc with commit
fbf183c6f8 ("Add uid and gid mappings to mounts"), we can safely make
this change without affecting running containers. Doing it this way
makes it much easier to handle m.IsIDMapped() and indicating that a
mapping has been specified.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-14 11:36:42 +11:00
Aleksa Sarai 7795ca4668 specconv: handle recursive attribute clearing more consistently
If a user specifies a configuration like "rro, rrw", we should have
similar behaviour to "ro, rw" where we clear the previous flags so that
the last specified flag takes precendence.

Fixes: 382eba4354 ("Support recursive mount attrs ("rro", "rnosuid", "rnodev", ...)")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-14 11:36:42 +11:00
Aleksa Sarai cdff09ab87 rootfs: fix 'can we mount on top of /proc' check
Our previous test for whether we can mount on top of /proc incorrectly
assumed that it would only be called with bind-mount sources. This meant
that having a non bind-mount entry for a pseudo-filesystem (like
overlayfs) with a dummy source set to /proc on the host would let you
bypass the check, which could easily lead to security issues.

In addition, the check should be applied more uniformly to all mount
types, so fix that as well. And add some tests for some of the tricky
cases to make sure we protect against them properly.

Fixes: 331692baa7 ("Only allow proc mount if it is procfs")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-14 11:36:42 +11:00
Aleksa Sarai 8e8b136c49 tree-wide: use /proc/thread-self for thread-local state
With the idmap work, we will have a tainted Go thread in our
thread-group that has a different mount namespace to the other threads.
It seems that (due to some bad luck) the Go scheduler tends to make this
thread the thread-group leader in our tests, which results in very
baffling failures where /proc/self/mountinfo produces gibberish results.

In order to avoid this, switch to using /proc/thread-self for everything
that is thread-local. This primarily includes switching all file
descriptor paths (CLONE_FS), all of the places that check the current
cgroup (technically we never will run a single runc thread in a separate
cgroup, but better to be safe than sorry), and the aforementioned
mountinfo code. We don't need to do anything for the following because
the results we need aren't thread-local:

 * Checks that certain namespaces are supported by stat(2)ing
   /proc/self/ns/...

 * /proc/self/exe and /proc/self/cmdline are not thread-local.

 * While threads can be in different cgroups, we do not do this for the
   runc binary (or libcontainer) and thus we do not need to switch to
   the thread-local version of /proc/self/cgroups.

 * All of the CLONE_NEWUSER files are not thread-local because you
   cannot set the usernamespace of a single thread (setns(CLONE_NEWUSER)
   is blocked for multi-threaded programs).

Note that we have to use runtime.LockOSThread when we have an open
handle to a tid-specific procfs file that we are operating on multiple
times. Go can reschedule us such that we are running on a different
thread and then kill the original thread (causing -ENOENT or similarly
confusing errors). This is not strictly necessary for most usages of
/proc/thread-self (such as using /proc/thread-self/fd/$n directly) since
only operating on the actual inodes associated with the tid requires
this locking, but because of the pre-3.17 fallback for CentOS, we have
to do this in most cases.

In addition, CentOS's kernel is too old for /proc/thread-self, which
requires us to emulate it -- however in rootfs_linux.go, we are in the
container pid namespace but /proc is the host's procfs. This leads to
the incredibly frustrating situation where there is no way (on pre-4.1
Linux) to figure out which /proc/self/task/... entry refers to the
current tid. We can just use /proc/self in this case.

Yes this is all pretty ugly. I also wish it wasn't necessary.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-14 11:36:41 +11:00
Aleksa Sarai a04d88ec73 vendor: update to github.com/moby/sys/mountinfo@v0.7.1
The primary change is a switch to using /proc/thread-self, which is
needed for when we add a CLONE_FS thread to runc.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-14 11:36:41 +11:00
Aleksa Sarai 5ae88daf06 idmap: allow arbitrary idmap mounts regardless of userns configuration
With the rework of nsexec.c to handle MOUNT_ATTR_IDMAP in our Go code we
can now handle arbitrary mappings without issue, so remove the primary
artificial limit of mappings (must use the same mapping as the
container's userns) and add some tests.

We still only support idmap mounts for bind-mounts because configuring
mappings for other filesystems would require switching our entire mount
machinery to the new mount API. The current design would easily allow
for this but we would need to convert new mount options entirely to the
fsopen/fsconfig/fsmount API. This can be done in the future.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-14 11:36:41 +11:00
Aleksa Sarai ba0b5e2698 libcontainer: remove all mount logic from nsexec
With open_tree(OPEN_TREE_CLONE), it is possible to implement both the
id-mapped mounts and bind-mount source file descriptor logic entirely in
Go without requiring any complicated handling from nsexec.

However, implementing it the naive way (do the OPEN_TREE_CLONE in the
host namespace before the rootfs is set up -- which is what the existing
implementation did) exposes issues in how mount ordering (in particular
when handling mount sources from inside the container rootfs, but also
in relation to mount propagation) was handled for idmapped mounts and
bind-mount sources. In order to solve this problem completely, it is
necessary to spawn a thread which joins the container mount namespace
and provides mountfds when requested by the rootfs setup code (ensuring
that the mount order and mount propagation of the source of the
bind-mount are handled correctly). While the need to join the mount
namespace leads to other complicated (such as with the usage of
/proc/self -- fixed in a later patch) the resulting code is still
reasonable and is the only real way to solve the issue.

This allows us to reduce the amount of C code we have in nsexec, as well
as simplifying a whole host of places that were made more complicated
with the addition of id-mapped mounts and the bind sourcefd logic.
Because we join the container namespace, we can continue to use regular
O_PATH file descriptors for non-id-mapped bind-mount sources (which
means we don't have to raise the kernel requirement for that case).

In addition, we can easily add support for id-mappings that don't match
the container's user namespace. The approach taken here is to use Go's
officially supported mechanism for spawning a process in a user
namespace, but (ab)use PTRACE_TRACEME to avoid actually having to exec a
different process. The most efficient way to implement this would be to
do clone() in cgo directly to run a function that just does
kill(getpid(), SIGSTOP) -- we can always switch to that if it turns out
this approach is too slow. It should be noted that the included
micro-benchmark seems to indicate this is Fast Enough(TM):

  goos: linux
  goarch: amd64
  pkg: github.com/opencontainers/runc/libcontainer/userns
  cpu: Intel(R) Core(TM) i5-10210U CPU @ 1.60GHz
  BenchmarkSpawnProc
  BenchmarkSpawnProc-8        1670            770065 ns/op

Fixes: fda12ab101 ("Support idmap mounts on volumes")
Fixes: 9c444070ec ("Open bind mount sources from the host userns")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-14 11:36:40 +11:00
Aleksa Sarai ebcef3e651 specconv: temporarily allow userns path and mapping if they match
It turns out that the error added in commit 09822c3da8 ("configs:
disallow ambiguous userns and timens configurations") causes issues with
containerd and CRIO because they pass both userns mappings and a userns
path.

These configurations are broken, but to avoid the regression in this one
case, output a warning to tell the user that the configuration is
incorrect but we will continue to use it if and only if the configured
mappings are identical to the mappings of the provided namespace.

Fixes: 09822c3da8 ("configs: disallow ambiguous userns and timens configurations")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-10 20:49:43 +11:00
dependabot[bot] 99f7fa1413 Merge pull request #4135 from opencontainers/dependabot/github_actions/actions/setup-go-5 2023-12-07 07:56:45 +00:00
dependabot[bot] e66ba70f50 build(deps): bump actions/setup-go from 4 to 5
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4 to 5.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-12-07 04:18:24 +00:00
Akihiro Suda 4516c25538 Merge pull request #4124 from cyphar/ns-path-handling
*: fix several issues with namespace path handling
2023-12-05 16:40:14 +09:00
Aleksa Sarai c045886f71 tests: remap rootfs for userns tests
Previously, all of our userns tests worked around the remapping issue by
creating the paths that runc would attempt to create (like /proc).
However, this isn't really accurate to how real userns containers are
created, so it's much better to actually remap the rootfs.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-05 17:46:10 +11:00
Aleksa Sarai 6fa8d06843 integration: add mega-test for joining namespaces
Given we've had several bugs in this behaviour that have now been fixed,
add an integration test that makes sure that you can start a container
that joins all of the namespaces of a second container.

The only namespace we do not join is the mount namespace, because
joining a namespace that has been pivot_root'd leads to a bunch of
errors. In principle, removing everything from config.json that requires
a mount _should_ work, but the root.path configuration is mandatory and
we cannot just ignore setting up the rootfs in the namespace joining
scenario (if the user has configured a different rootfs, we need to use
it or error out, and there's no reasonable way of checking if if the
rootfs paths are the same that doesn't result in spaghetti logic).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-05 17:46:10 +11:00
Aleksa Sarai e6fb7fe515 nsexec: allow timens to work with non-rootless userns
The owner of /proc/self/timens_offsets doesn't change after creating a
userns, meaning that we need to request stage-0 to write our timens
mappings for us. Before this patch, attempting to use timens with a
proper userns resulted in:

  FATA[0000] nsexec-1[18564]: failed to update /proc/self/timens_offsets: Permission denied
  FATA[0000] nsexec-0[18562]: failed to sync with stage-1: next state: Success
  ERRO[0000] runc run failed: unable to start container process: can't get final child's PID from pipe: EOF

Fixes: ebc2e7c435 ("Support time namespace")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-05 17:46:09 +11:00
Aleksa Sarai 09822c3da8 configs: disallow ambiguous userns and timens configurations
For userns and timens, the mappings (and offsets, respectively) cannot
be changed after the namespace is first configured. Thus, configuring a
container with a namespace path to join means that you cannot also
provide configuration for said namespace. Previously we would silently
ignore the configuration (and just join the provided path), but we
really should be returning an error (especially when you consider that
the configuration userns mappings are used quite a bit in runc with the
assumption that they are the correct mapping for the userns -- but in
this case they are not).

In the case of userns, the mappings are also required if you _do not_
specify a path, while in the case of the time namespace you can have a
container with a timens but no mappings specified.

It should be noted that the case checking that the user has not
specified a userns path and a userns mapping needs to be handled in
specconv (as opposed to the configuration validator) because with this
patchset we now cache the mappings of path-based userns configurations
and thus the validator can't be sure whether the mapping is a cached
mapping or a user-specified one. So we do the validation in specconv,
and thus the test for this needs to be an integration test.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-05 17:46:09 +11:00
Aleksa Sarai 3bab7e9223 configs: clean up error messages for Host[UG]ID
If a user has misconfigured their userns mappings, they need to know
which id specifically is not mapped. There's no need to be vague.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-05 17:46:09 +11:00
Aleksa Sarai 9387eac3a5 init: don't pre-flight-check the set[ug]id arguments
While we do cache the mappings when using userns paths, there's no need
to do this in this particular case, since we are in the namespace and
set[ug]id() give unambiguous EINVAL error codes if the id is unmapped.
This appears to also be the only code which does Host[UG]ID calculations
from inside "runc init".

Ref: 1a5fdc1c5f ("init: support setting -u with rootless containers")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-05 17:46:08 +11:00
Aleksa Sarai 1912d5988b *: actually support joining a userns with a new container
Our handling for name space paths with user namespaces has been broken
for a long time. In particular, the need to parse /proc/self/*id_map in
quite a few places meant that we would treat userns configurations that
had a namespace path as if they were a userns configuration without
mappings, resulting in errors.

The primary issue was down to the id translation helper functions, which
could only handle configurations that had explicit mappings. Obviously,
when joining a user namespace we need to map the ids but figuring out
the correct mapping is non-trivial in comparison.

In order to get the mapping, you need to read /proc/<pid>/*id_map of a
process inside the userns -- while most userns paths will be of the form
/proc/<pid>/ns/user (and we have a fast-path for this case), this is not
guaranteed and thus it is necessary to spawn a process inside the
container and read its /proc/<pid>/*id_map files in the general case.

As Go does not allow us spawn a subprocess into a target userns,
we have to use CGo to fork a sub-process which does the setns(2). To be
honest, this is a little dodgy in regards to POSIX signal-safety(7) but
since we do no allocations and we are executing in the forked context
from a Go program (not a C program), it should be okay. The other
alternative would be to do an expensive re-exec (a-la nsexec which would
make several other bits of runc more complicated), or to use nsenter(1)
which might not exist on the system and is less than ideal.

Because we need to logically remap users quite a few times in runc
(including in "runc init", where joining the namespace is not feasable),
we cache the mapping inside the libcontainer config struct. A future
patch will make sure that we stop allow invalid user configurations
where a mapping is specified as well as a userns path to join.

Finally, add an integration test to make sure we don't regress this again.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-05 17:46:08 +11:00
Aleksa Sarai 884117471c tests: integration: fix spurious SC203[01] shellcheck errors
We had ignore lines for these warnings, but it turns out this is most
likely a bug in shellcheck and we can work around it by moving the
helper function definition before any of the functions that use the
helper function. Hopefully it'll be fixed soon.

Ref: https://github.com/koalaman/shellcheck/issues/2873
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-05 17:39:37 +11:00
dependabot[bot] 9fffadae83 Merge pull request #4127 from opencontainers/dependabot/go_modules/golang.org/x/net-0.19.0 2023-11-28 11:25:35 +00:00
Aleksa Sarai c9019ea9eb merge #4102 into opencontainers/runc:main
Kir Kolyshkin (8):
  libct: replace runType with hasInit
  libct: Signal: slight refactor
  runc kill: fix sending KILL to non-pidns container
  runc delete -f: fix for no pidns + no init case
  libct/cg: improve cgroup removal logic
  runc delete: do not ignore error from destroy
  runc delete, container.Destroy: kill all processes
  libct: Destroy: don't proceed in case of errors

LGTMs: lifubang cyphar
2023-11-28 17:51:06 +11:00
dependabot[bot] c25493fce4 build(deps): bump golang.org/x/net from 0.17.0 to 0.19.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.17.0 to 0.19.0.
- [Commits](https://github.com/golang/net/compare/v0.17.0...v0.19.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-11-28 06:40:44 +00:00
dependabot[bot] eb2443076f Merge pull request #4128 from opencontainers/dependabot/go_modules/golang.org/x/sys-0.15.0 2023-11-28 06:40:07 +00:00
dependabot[bot] b278296513 build(deps): bump golang.org/x/sys
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.14.1-0.20231108175955-e4099bfacb8c to 0.15.0.
- [Commits](https://github.com/golang/sys/commits/v0.15.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-11-28 04:47:32 +00:00
Kir Kolyshkin a6f4081766 libct: Destroy: don't proceed in case of errors
For some reason, container destroy operation removes container's state
directory even if cgroup removal fails (and then still returns an
error). It has been that way since commit 5c246d038f, which added
cgroup removal.

This is problematic because once the container state dir is removed, we
no longer know container's cgroup and thus can't remove it.

Let's return the error early and fail if cgroup can't be removed.

Same for other operations: do not proceed if we fail.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-11-27 09:15:39 -08:00
Kir Kolyshkin ab3cd8d73e runc delete, container.Destroy: kill all processes
(For a container with no private PID namespace, that is).

When runc delete (or container.Destroy) is called on a stopped
container without private PID namespace and there are processes
in its cgroup, kill those.

Add a test case.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-11-27 09:15:39 -08:00
Kir Kolyshkin 7396ca90fa runc delete: do not ignore error from destroy
If container.Destroy() has failed, runc destroy still return 0, which is
wrong and can result in other issues down the line.

Let's always return error from destroy in runc delete.

For runc checkpoint and runc run, we still treat it as a warning.

Co-authored-by: Zhang Tianyang <burning9699@gmail.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-11-27 09:15:39 -08:00
Kir Kolyshkin d3d7f7d85a libct/cg: improve cgroup removal logic
The current code is only doing retries in RemovePaths, which is only
used for cgroup v1 (cgroup v2 uses RemovePath, which makes no retries).

Let's remove all retry logic and logging from RemovePaths, together
with:

 - os.Stat check from RemovePaths (its usage probably made sense before
   commit 19be8e5ba5 but not after);

 - error/warning logging from RemovePaths (this was added by commit
   19be8e5ba5 in 2020 and so far we've seen no errors other
   than EBUSY, so reporting the actual error proved to be useless).

Add the retry logic to rmdir, and the second retry bool argument.
Decrease the initial delay and increase the number of retries from the
old implementation so it can take up to ~1 sec before returning EBUSY
(was about 0.3 sec).

Hopefully, as a result, we'll have less "failed to remove cgroup paths"
errors.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-11-27 09:15:39 -08:00
Kir Kolyshkin 29283bb7db runc delete -f: fix for no pidns + no init case
Commit f8ad20f moved the kill logic from container destroy to container
kill (which is the right thing to do).

Alas, it broke the use case of doing "runc delete -f" for a container
which does not have its own private PID namespace, when its init process
is gone. In this case, some processes may still be running, and runc
delete -f should kill them (the same way as "runc kill" does).

It does not do that because the container status is "stopped" (as runc
considers the container with no init process as stopped), and so we only
call "destroy" (which was doing the killing before).

The fix is easy: if --force is set, call killContainer no matter what.

Add a test case, similar to the one in the previous commit.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-11-27 09:15:39 -08:00
Kir Kolyshkin dcf1b731f5 runc kill: fix sending KILL to non-pidns container
Commit f8ad20f made it impossible to kill leftover processes in a
stopped container that does not have its own PID namespace. In other
words, if a container init is gone, it is no longer possible to use
`runc kill` to kill the leftover processes.

Fix this by moving the check if container init exists to after the
special case of handling the container without own PID namespace.

While at it, fix the minor issue introduced by commit 9583b3d:
if signalAllProcesses is used, there is no need to thaw the
container (as freeze/thaw is either done in signalAllProcesses already,
or not needed at all).

Also, make signalAllProcesses return an error early if the container
cgroup does not exist (as it relies on it to do its job). This way, the
error message returned is more generic and easier to understand
("container not running" instead of "can't open file").

Finally, add a test case.

Fixes: f8ad20f
Fixes: 9583b3d
Co-authored-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-11-27 09:15:39 -08:00
Kir Kolyshkin 542cce0122 libct: Signal: slight refactor
Let's use c.hasInit and c.isPaused where needed instead of
c.curentStatus for simplicity.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-11-27 09:15:39 -08:00
Kir Kolyshkin d9f2a24a5b libct: replace runType with hasInit
The semantics of runType is slightly complicated, and the only place
where we need to distinguish between Created and Running is
refreshState.

Replace runType with simpler hasInit, simplifying its users (except the
refreshState, which now figures out on its own whether the container is
Created or Running).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-11-27 09:15:39 -08:00
lfbzhm 95a93c132c Merge pull request #4045 from fuweid/support-pidfd-socket
[feature request] *: introduce pidfd-socket flag
2023-11-22 09:13:55 +08:00
Wei Fu 94505a046a *: introduce pidfd-socket flag
The container manager like containerd-shim can't use cgroup.kill feature or
freeze all the processes in cgroup to terminate the exec init process.
It's unsafe to call kill(2) since the pid can be recycled. It's good to
provide the pidfd of init process through the pidfd-socket. It's similar to
the console-socket. With the pidfd, the container manager like containerd-shim
can send the signal to target process safely.

And for the standard init process, we can have polling support to get
exit event instead of blocking on wait4.

Signed-off-by: Wei Fu <fuweid89@gmail.com>
2023-11-21 18:28:50 +08:00
Aleksa Sarai 32d433cf52 merge #3990 into opencontainers/runc:main
Aleksa Sarai (1):
  configs: validate: add validation for bind-mount fsflags

LGTMs: kolyshkin AkihiroSuda
2023-11-18 16:46:33 +11:00
Aleksa Sarai a2ba98557d merge #4119 into opencontainers/runc:main
lfbzhm (2):
  fix some unit test error after bump ebpf to 0.12.3
  bump github.com/cilium/ebpf from 0.12.2 to 0.12.3

LGTMs: kolyshkin cyphar
2023-11-11 23:00:05 +11:00
lfbzhm 3bde5111b4 fix some unit test error after bump ebpf to 0.12.3
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2023-11-10 13:56:34 +00:00
lfbzhm b2f7614afc bump github.com/cilium/ebpf from 0.12.2 to 0.12.3
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2023-11-10 13:48:36 +00:00
Akihiro Suda 5bcffdffdb Merge pull request #4101 from cyphar/runc-dmz-go-get-build
libcontainer: dmz: fix "go get" builds
2023-11-06 20:00:27 -06:00
Kir Kolyshkin 2705c9c5d6 Merge pull request #4095 from kolyshkin/flake-tmpfs-perm
tests/int: fix flaky "runc run with tmpfs perm"
2023-11-06 17:46:35 -08:00