Commit Graph

6609 Commits

Author SHA1 Message Date
Kir Kolyshkin 730bc84418 Fix directory perms vs umask for tmpcopyup
Bump fileutils to v0.5.1, which fixes permissions of newly created directories
to not depend on the value of umask.

Add a test case which fails like this before the fix:

	mounts.bats
	 ✗ runc run [tmpcopyup]
	   (in test file tests/integration/mounts.bats, line 28)
	     `[[ "${lines[0]}" == *'drwxrwxrwx'* ]]' failed
	   runc spec (status=0):

	   runc run test_busybox (status=0):
	   drwxr-xr-x    2 root     root            40 Oct  4 22:35 /dir1/dir2

Fixes 3991.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-04 15:35:44 -07:00
Aleksa Sarai d8d576ca4f merge #4031 into opencontainers/runc:main
Akihiro Suda (1):
  docs: clarify the supported architectures (No MIPS)

LGTMs: kolyskin cyphar
2023-10-04 16:08:08 +11:00
Aleksa Sarai ce961443cb merge #4051 into opencontainers/runc:main
Kir Kolyshkin (1):
  libc: rm _LIBCONTAINER_STATEDIR
  libct: rename root to stateDir in struct Container

LGTMs: thaJeztah cyphar
2023-10-04 16:04:15 +11:00
Kir Kolyshkin efbebb39b5 libct: rename root to stateDir in struct Container
The name "root" (or "containerRoot") is confusing; one might think it is
the root of container's file system (the directory we chroot into).

Rename to stateDir for clarity.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-04 14:57:10 +11:00
Kir Kolyshkin c89faacc13 libc: rm _LIBCONTAINER_STATEDIR
It's only user was recently removed.

Fixes: 0e9a3358f8
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-04 14:57:10 +11:00
Aleksa Sarai 9350f9013e merge #4039 into opencontainers/runc:main
Kir Kolyshkin (1):
  libct: use chmod instead of umask

LGTMs: lifubang cyphar
2023-10-04 14:55:07 +11:00
lfbzhm 634280f5ab Merge pull request #4054 from kolyshkin/codespell-226
libct: fix a typo
2023-10-04 11:23:00 +08:00
Kir Kolyshkin 6538e6d0bd libct: fix a typo
syncrhonisation ==> synchronisation

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-03 17:51:54 -07:00
Kir Kolyshkin f56b007b1e Merge pull request #4003 from lifubang/carry3985-01-syncPipe
[Carry #3985 Part I] code refactor for process sync
2023-10-03 13:13:52 -07:00
Sebastiaan van Stijn e712b87b6c Merge pull request #4050 from lifubang/fix-Typeo
fix two typos
2023-10-03 12:39:25 -07:00
lifubang 109dcadd9d fix two typos
Signed-off-by: lifubang <lifubang@acmcoder.com>
2023-10-03 20:08:17 +08:00
Kir Kolyshkin ee45b9bf60 Merge pull request #4034 from AkihiroSuda/fix-goarm
script/lib.sh: set GOARM=5 for armel, GOARM=6 for armhf
2023-09-28 15:40:22 -07:00
Kir Kolyshkin 2e2ecf29ff libct: use chmod instead of umask
Umask is problematic for Go programs as it affects other goroutines
(see [1] for more details).

Instead of using it, let's just prop up with Chmod.

Note this patch misses the MkdirAll call in createDeviceNode. Since the
runtime spec does not say anything about creating intermediary
directories for device nodes, let's assume that doing it via mkdir with
the current umask set is sufficient (if not, we have to reimplement
MkdirAll from scratch, with added call to os.Chmod).

[1] https://github.com/opencontainers/runc/pull/3563#discussion_r990293788

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-09-27 16:46:53 -07:00
Kir Kolyshkin 4d948b1e64 Merge pull request #4035 from Zheaoli/manjusaka/fix-docs
Update feature status in docs
2023-09-27 10:34:53 -07:00
Zheao Li 4b3b7e9973 docs/spec-conformance: update
Since PR 3876 was merged, let's remove time namespace from the list of unimplemented features.

Signed-off-by: Zheao Li <me@manjusaka.me>
2023-09-27 20:24:43 +08:00
Kir Kolyshkin 96a61d3bf0 Merge pull request #4030 from kinvolk/rata/smaller-runc-dmz
libct/dmz: Move comment out of the Makefile rule
2023-09-26 15:04:40 -07:00
Akihiro Suda 531e29e192 script/lib.sh: set GOARM=5 for armel, GOARM=6 for armhf
"armhf" means ARMv7 for Debian, ARMv6 for Raspbian.
ARMv6 is chosen here for compatibility.

https://wiki.debian.org/RaspberryPi

> Raspberry Pi OS builds a single image for all of the Raspberry families,
> so you will get an armhf 32-bit, hard floating-point system, but built
> for the ARMv6 ISA (with VFP2), unlike Debian's ARMv7 ISA (with VFP3)
> port.

Prior to this commit, the script was setting GOARM=6 for armel,
GOARM=7 for armhf.

Fix issue 4033

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2023-09-27 05:48:02 +09:00
Akihiro Suda 9060666531 docs: clarify the supported architectures (No MIPS)
In reviewing PR 4024 ("libct/dmz: Reduce the binary size using nolibc"),
we noticed that we do not intend to actively support MIPS.

We do not intend to support i386 either.

This might be a breaking change for Debian, which has been officially
providing runc packages for `i386`, `mips64el` and `mipsel`:
https://packages.debian.org/bookworm/runc

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2023-09-27 05:39:47 +09:00
Rodrigo Campos 9976be86b3 libct/dmz: Move comment out of the Makefile rule
Otherwise it is shown when compiling, like this:
	# We use the flags suggested in nolibc/nolibc.h, it makes the binary very small.
	gcc  -fno-asynchronous-unwind-tables -fno-ident -s -Os -nostdlib -lgcc -static -o runc-dmz _dmz.c
	strip -gs runc-dmz

Having it before the target is equally clear and will not be shown while
compiling.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2023-09-26 18:46:01 +02:00
Aleksa Sarai 1a8b5588a5 merge #4024 into opencontainers/runc:main
Rodrigo Campos (1):
  libct/dmz: Reduce the binary size using nolibc

LGTMs: AkihiroSuda cyphar
2023-09-27 02:21:59 +10:00
Rodrigo Campos 90f5da651a libct/dmz: Reduce the binary size using nolibc
Linux repo has under `tools/include/nolibc` very simple include files
that we can use to generate very small binaries that don't depend on
libc.

To make things even better, since Linux 6.6 it supports all the
architectures we support in runc, which is just beautiful.

The runc-dmz binary on x86_64 before this patch (on my debian host) was
taking 636K, with this patch it takes only 8K.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2023-09-26 14:55:04 +02:00
Akihiro Suda a32ad76da3 Merge pull request #4018 from jrife/main
Handle kmem.limit_in_bytes removal
2023-09-25 09:53:08 +09:00
Aleksa Sarai 8da42aaec2 sync: split init config (stream) and synchronisation (seqpacket) pipes
We have different requirements for the initial configuration and
initWaiter pipe (just send netlink and JSON blobs with no complicated
handling needed for message coalescing) and the packet-based
synchronisation pipe.

Tests with switching everything to SOCK_SEQPACKET lead to endless issues
with runc hanging on start-up because random things would try to do
short reads (which SOCK_SEQPACKET will not allow and the Go stdlib
explicitly treats as a streaming source), so splitting it was the only
reasonable solution. Even doing somewhat dodgy tricks such as adding a
Read() wrapper which actually calls ReadPacket() and makes it seem like
a stream source doesn't work -- and is a bit too magical.

One upside is that doing it this way makes the difference between the
modes clearer -- INITPIPE is still used for initWaiter syncrhonisation
but aside from that all other synchronisation is done by SYNCPIPE.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-09-24 20:31:14 +08:00
Aleksa Sarai ccc76713a7 sync: rename procResume -> procHooksDone
The old name was quite confusing, and with the addition of the
procMountPlease sync message there are now multiple sync messages that
are related to "resuming" runc-init.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-09-24 20:02:11 +08:00
Akihiro Suda f235fa6763 Merge pull request #3987 from cyphar/cloned-binary-rework
nsexec: cloned binary rework
2023-09-24 19:27:52 +09:00
Jordan Rife 99469eba3e Handle kmem.limit_in_bytes removal
kmem.limit_in_bytes has been removed in upstream linux and this patch
is queued to be backported to linux 6.1 stable:

- https://lore.kernel.org/linux-mm/20230705134434.GA156754@cmpxchg.org/T/
- https://www.spinics.net/lists/stable-commits/msg316619.html

Without this change to libcontainerd, GetStats() will return an error
on the latest kernel(s). A downstream effect is that Kubernetes's
kubelet does not start up. This fix was tested by ensuring that it
unblocks kubelet startup when running on the latest kernel.

Signed-off-by: Jordan Rife <jrife0@gmail.com>
2023-09-24 02:17:21 +00:00
Aleksa Sarai 90c8d36afe dmz: use sendfile(2) when cloning /proc/self/exe
This results in a 5-20% speedup of dmz.CloneBinary(), depending on the
machine.

io.Copy:

  goos: linux
  goarch: amd64
  pkg: github.com/opencontainers/runc/libcontainer/dmz
  cpu: Intel(R) Core(TM) i5-10210U CPU @ 1.60GHz
  BenchmarkCloneBinary
  BenchmarkCloneBinary-8               139           8075074 ns/op
  PASS
  ok      github.com/opencontainers/runc/libcontainer/dmz 2.286s

unix.Sendfile:

  goos: linux
  goarch: amd64
  pkg: github.com/opencontainers/runc/libcontainer/dmz
  cpu: Intel(R) Core(TM) i5-10210U CPU @ 1.60GHz
  BenchmarkCloneBinary
  BenchmarkCloneBinary-8               192           6382121 ns/op
  PASS
  ok      github.com/opencontainers/runc/libcontainer/dmz 2.415s

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-09-22 15:51:36 +10:00
Aleksa Sarai f8348f64ae tests: integration: add runc-dmz smoke tests
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-09-22 15:38:21 +10:00
Aleksa Sarai 6be763eeaa tests: integration: fix capability setting for CAP_DAC_OVERRIDE
Due to the way capabilities have to be set by runc, capabilities need to
be included in the inheritable and ambient sets anyway. Otherwise, the
container process would not have the correct privileges. This test only
functioned because adding CAP_DAC_OVERRIDE to the inherited,
permissible, and bounding sets means that only "runc init" has these
capabilities -- everything other than the bounding set is cleared on the
first execve(). This breaks with runc-dmz, but the behaviour was broken
from the outset.

Docker appears to not handle this properly at all (the logic for
capability sets changed with the introduction of ambient capabilities,
and while Docker was updated it seems the behaviour is still incorrect
for non-root users).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-09-22 15:38:20 +10:00
Aleksa Sarai b9a4727f54 contrib: memfd-bind: add helper for memfd-sealed-bind trick
This really isn't ideal but it can be used to avoid the largest issues
with the memfd-based runc binary protection. There are several caveats
with using this tool, see the help page for the new binary for details.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-09-22 15:38:20 +10:00
lifubang dac4171746 runc-dmz: reduce memfd binary cloning cost with small C binary
The idea is to remove the need for cloning the entire runc binary by
replacing the final execve() call of the container process with an
execve() call to a clone of a small C binary which just does an execve()
of its arguments.

This provides similar protection against CVE-2019-5736 but without
requiring a >10MB binary copy for each "runc init". When compiled with
musl, runc-dmz is 13kB (though unfortunately with glibc, it is 1.1MB
which is still quite large).

It should be noted that there is still a window where the container
processes could get access to the host runc binary, but because we set
ourselves as non-dumpable the container would need CAP_SYS_PTRACE (which
is not enabled by default in Docker) in order to get around the
proc_fd_access_allowed() checks. In addition, since Linux 4.10[1] the
kernel blocks access entirely for user namespaced containers in this
scenario. For those cases we cannot use runc-dmz, but most containers
won't have this issue.

This new runc-dmz binary can be opted out of at compile time by setting
the "runc_nodmz" buildtag, and at runtime by setting the RUNC_DMZ=legacy
environment variable. In both cases, runc will fall back to the classic
/proc/self/exe-based cloning trick. If /proc/self/exe is already a
sealed memfd (namely if the user is using contrib/cmd/memfd-bind to
create a persistent sealed memfd for runc), neither runc-dmz nor
/proc/self/exe cloning will be used because they are not necessary.

[1]: https://github.com/torvalds/linux/commit/bfedb589252c01fa505ac9f6f2a3d5d68d707ef4

Co-authored-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: lifubang <lifubang@acmcoder.com>
[cyphar: address various review nits]
[cyphar: fix runc-dmz cross-compilation]
[cyphar: embed runc-dmz into runc binary and clone in Go code]
[cyphar: make runc-dmz optional, with fallback to /proc/self/exe cloning]
[cyphar: do not use runc-dmz when the container has certain privs]
Co-authored-by: Aleksa Sarai <cyphar@cyphar.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-09-22 15:38:19 +10:00
Aleksa Sarai e089db3b4a dmz: add fallbacks to handle noexec for O_TMPFILE and mktemp()
Previously, if /var/run was mounted noexec, our cloned binary logic
would not work if memfd_create(2) was not available because we would try
to exec a binary that is on a noexec filesystem.

We cannot guarantee there will be an executable filesystem on the system
(other than mounting one ourselves, which would cause a bunch of other
headaches) but we can at least try the obvious options (/tmp, /bin, and
/). If none of these work, we will have to fail.

Reported-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-09-22 15:13:19 +10:00
Aleksa Sarai 0e9a3358f8 nsexec: migrate memfd /proc/self/exe logic to Go code
This allow us to remove the amount of C code in runc quite
substantially, as well as removing a whole execve(2) from the nsexec
path because we no longer spawn "runc init" only to re-exec "runc init"
after doing the clone.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-09-22 15:13:18 +10:00
Aleksa Sarai 321aa20c49 scripts: add proper 386 and amd64 target triples and builds
We need these to match the Makefile detection of the right gcc for
runc-dmz, as well as making sure that everything builds properly for our
cross-i386 tests. While we're at it, add x86 to the list of build
targets for release builds (presumably nobody will use it, but since we
do test builds of this anyway it probably won't hurt).

In addition, clean up the handling of the native architecture build by
treating it the same as any other build (ensuring that building runc
from a different platform will work the same way regardless of the
native architecture). In practice, the build works the same way as
before.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-09-22 15:13:18 +10:00
Akihiro Suda 1d9b158056 Merge pull request #4017 from thaJeztah/migrate_libcontainer_user
Deprecate libcontainer/user, and migrate to github.com/moby/sys/user
2023-09-21 19:14:59 +09:00
Sebastiaan van Stijn d9ea71bf96 deprecate libcontainer/user
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-19 10:22:29 +02:00
Sebastiaan van Stijn ca32014adb migrate libcontainer/user to github.com/moby/sys/user
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-19 10:22:23 +02:00
Akihiro Suda 1614cab553 Merge pull request #4020 from lifubang/fix-ci-cs9oom
[CI] increase memory.max in cgroups.bats
2023-09-19 11:27:46 +09:00
lifubang 65a1074c75 increase memory.max in cgroups.bats
Signed-off-by: lifubang <lifubang@acmcoder.com>
2023-09-17 09:55:12 +08:00
lfbzhm a3a0ec48c4 Merge pull request #4013 from kinvolk/rata/relax-dst-path-rel
validator: Relax warning for not abs mount dst path
2023-09-12 19:19:40 +08:00
Rodrigo Campos b17c6f237d validator: Relax warning for not abs mount dst path
The runtime spec now allows relative mount dst paths, so remove the
comment saying we will switch this to an error later and change the
error messages to reflect that.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2023-09-11 16:02:41 +02:00
lfbzhm e897a16e1d Merge pull request #4012 from Juneezee/specconv/remove-redundant-nil-check
libct/specconv: remove redundant nil check
2023-09-09 07:32:23 +08:00
Eng Zer Jun c378602bf6 libct/specconv: remove redundant nil check
From the Go specification:

  "1. For a nil slice, the number of iterations is 0." [1]

Therefore, an additional nil check for before the loop is unnecessary.

[1]: https://go.dev/ref/spec#For_range

Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2023-09-08 23:40:51 +08:00
dependabot[bot] dc886433d2 Merge pull request #4011 from opencontainers/dependabot/go_modules/github.com/cyphar/filepath-securejoin-0.2.4 2023-09-07 05:38:18 +00:00
dependabot[bot] c7ad2749fd build(deps): bump github.com/cyphar/filepath-securejoin
Bumps [github.com/cyphar/filepath-securejoin](https://github.com/cyphar/filepath-securejoin) from 0.2.3 to 0.2.4.
- [Release notes](https://github.com/cyphar/filepath-securejoin/releases)
- [Commits](https://github.com/cyphar/filepath-securejoin/compare/v0.2.3...v0.2.4)

---
updated-dependencies:
- dependency-name: github.com/cyphar/filepath-securejoin
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-07 04:30:28 +00:00
Akihiro Suda 6b8a45d16f Merge pull request #3749 from Zheaoli/manjusaka/carry-burst
[Carry #3205] libct/cg: add CFS bandwidth burst for CPU
2023-09-07 00:55:16 +09:00
Akihiro Suda f0eea9926a Merge pull request #4009 from opencontainers/dependabot/go_modules/golang.org/x/net-0.15.0
build(deps): bump golang.org/x/net from 0.14.0 to 0.15.0
2023-09-07 00:48:26 +09:00
Kailun Qin e1584831b6 libct/cg: add CFS bandwidth burst for CPU
Burstable CFS controller is introduced in Linux 5.14. This helps with
parallel workloads that might be bursty. They can get throttled even
when their average utilization is under quota. And they may be latency
sensitive at the same time so that throttling them is undesired.

This feature borrows time now against the future underrun, at the cost
of increased interference against the other system users, by introducing
cfs_burst_us into CFS bandwidth control to enact the cap on unused
bandwidth accumulation, which will then used additionally for burst.

The patch adds the support/control for CFS bandwidth burst.

runtime-spec: https://github.com/opencontainers/runtime-spec/pull/1120

Co-authored-by: Akihiro Suda <suda.kyoto@gmail.com>
Co-authored-by: Nadeshiko Manju <me@manjusaka.me>
Signed-off-by: Kailun Qin <kailun.qin@intel.com>
2023-09-06 23:23:30 +08:00
dependabot[bot] 1fe9447f65 build(deps): bump golang.org/x/net from 0.14.0 to 0.15.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.14.0 to 0.15.0.
- [Commits](https://github.com/golang/net/compare/v0.14.0...v0.15.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-06 04:09:10 +00:00
dependabot[bot] 319b2ba730 Merge pull request #4008 from opencontainers/dependabot/github_actions/actions/checkout-4 2023-09-06 01:21:12 +00:00