Commit Graph

7108 Commits

Author SHA1 Message Date
Kir Kolyshkin 7cb363254b VERSION: release v1.2.2
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
v1.2.2
2024-11-15 13:20:24 -08:00
Kir Kolyshkin 24591c0b16 Merge pull request #4530 from lifubang/backport-4509-4525
[1.2] dmz: overlay: minor fixups
2024-11-15 13:18:56 -08:00
Aleksa Sarai eb676de151 memfd-bind: elaborate kernel requirements for overlayfs protection
Arguably these docs should live elsewhere (especially if we plan to
remove memfd-bind in the future), but for now this is the only place
that fully explains this issue.

Suggested-by: Rodrigo Campos <rodrigoca@microsoft.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit ac435895b9)
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-11-15 10:28:39 -08:00
Aleksa Sarai 82f3af8553 readme: drop unused memfd-bind reference
Fixes: 871057d863 ("drop runc-dmz solution according to overlay solution")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit b9dfb22dbf)
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-11-15 10:28:39 -08:00
Aleksa Sarai 2421b59267 memfd-bind: mention that overlayfs obviates the need for it
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit aa505bfa89)
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-11-15 10:28:39 -08:00
Aleksa Sarai b1f733b8ed dmz: overlay: set xino=off to disable dmesg spam
If /run/runc and /usr/bin are on different filesystems, overlayfs may
enable the xino feature which results in the following log message:

  kernel: overlayfs: "xino" feature enabled using 3 upper inode bits.

Each time we have to protect /proc/self/exe. So disable xino to remove
the log message (we don't care about the inode numbers of the files
anyway).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit 9bc42d61bb)
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-11-15 10:28:39 -08:00
Sebastiaan van Stijn 1b42ebc7f7 Merge pull request #4531 from lifubang/backport-4523
[1.2] runc delete: fix for rootless cgroup + ro cgroupfs
2024-11-15 09:07:47 +01:00
lfbzhm 832faf08fa libct/cg: add test for remove a non-existent dir in a ro mount point
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
(cherry picked from commit 119111a0df)
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-11-15 00:00:15 +00:00
Akihiro Suda 8bfc3b560c Merge pull request #4528 from lifubang/backport-4505
[1.2] CI: bump Fedora 40 -> 41
2024-11-14 00:07:10 -07:00
Kir Kolyshkin e41cc272b6 libct/cg: RemovePath: improve comments
Let's explain in greater details what's happening here and why.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit ba3d026e52)
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-11-13 13:51:20 +00:00
Kir Kolyshkin 79cdf119b6 libct/cg: RemovePath: simplify logic
If the sub-cgroup RemovePath has failed for any reason, return the
error right away. This way, we don't have to check for err != nil
before retrying rmdir.

This is a cosmetic change and should not change any functionality.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 12e06a7c4f)
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-11-13 13:51:20 +00:00
Kir Kolyshkin e01db0028d runc delete: fix for rootless cgroup + ro cgroupfs
An issue with runc 1.2.0 was reported to buildkit, in which
runc delete returns with an error, with the log saying:

> unable to destroy container: unable to remove container's cgroup: open /sys/fs/cgroup/snschvixiy3s74w74fjantrdg: no such file or directory

Apparently, what happens is runc is running with no cgroup access
(because /sys/fs/cgroup is mounted read-only). In this case error to
create a cgroup path (in runc create/run) is ignored, but cgroup removal
(in runc delete) is not.

This is caused by commit d3d7f7d, which changes the cgroup removal
logic in RemovePath. In the current code, if the initial rmdir has
failed (in this case with EROFS), but the subsequent os.ReadDir returns
ENOENT, it is returned (instead of being ignored -- as the path does not
exist and so there is nothing to remove).

Here is the minimal fix for the issue.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit db59489b68)
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-11-13 13:51:20 +00:00
Kir Kolyshkin 213e12165e Vagrantfile.fedora: stop using dnf shell
In Fedora 41, dnf5 is used and it does not have dnf shell. Let's use
old dnf update; dnf install instead. It is two transactions instead
of one, but dnf5 is faster.

While at it:
 - add `--setopt=tsflags=nodocs` as we don't need docs in CI;
 - change golang-go to golang as this is a new rpm name;
 - remove gcc as it is now required by golang-bin;
 - remove container-selinux, criu, fuse-sshfs, iptables from rpms
   as they are already installed.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 609e9a5134)
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-11-13 13:31:19 +00:00
Akihiro Suda 2d6fe54e60 Vagrantfile.fedora: bump Fedora to 41
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 9ce7392b59)
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-11-13 13:31:01 +00:00
Aleksa Sarai 2327ec22c4 merge #4507 into opencontainers/runc:release-1.2
Akihiro Suda (1):
  docs: remove prompt symbols from shell snippets

LGTMs: AkihiroSuda cyphar
2024-11-05 05:09:40 +11:00
Akihiro Suda 6575ab1d7f docs: remove prompt symbols from shell snippets
Remove prompt symbols (`$`, `%`) for ease of copy-pasting

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit c8f5d033c2)
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
2024-11-02 12:21:37 -07:00
Aleksa Sarai 7a8738e0c0 merge #4500 into opencontainers/runc:release-1.2
Rodrigo Campos (2):
  VERSION: back to development
  VERSION: release v1.2.1

LGTMs: AkihiroSuda kolyshkin cyphar
2024-11-02 09:00:11 +11:00
Rodrigo Campos 5fc3558626 VERSION: back to development
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2024-11-02 08:59:12 +11:00
Rodrigo Campos d7735e388e VERSION: release v1.2.1
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
v1.2.1
2024-11-02 08:58:52 +11:00
Rodrigo Campos 360f8f9dbd Merge pull request #4494 from kolyshkin/12-4490
[1.2] Post overlay addition and dmz removal nits
2024-11-01 19:04:16 +01:00
Kir Kolyshkin 3016408dcc Merge pull request #4501 from AkihiroSuda/cherrypick-4357
[1.2] runc update: fix updating swap for cgroup v2
2024-11-01 11:00:33 -07:00
Kir Kolyshkin 258cd8b64b libct: rm obsoleted comment
This was added by commit f2f16213e when runc-dmz was still a thing.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 5586d7caa1)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-11-01 10:19:12 -07:00
Kir Kolyshkin b798594cf9 libct: fix a comment
There is a typo in the comment (ClonedBinary should be CloneBinary), and
the code has changed a bit since then, and it makes more sense to refer
to CloneSelfExe now.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 8cc7375447)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-11-01 10:19:12 -07:00
Kir Kolyshkin 47dfa2024f script/check-config.sh: add OVERLAY_FS check
While this is used by the majority of upper container runtimes, it was
not needed for runc itself. Since commit 515f09f7 runc uses overlay,
too, so let's add a check for this.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit ee1bced18c)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-11-01 10:19:12 -07:00
Kir Kolyshkin e0d39536c4 runc update: fix updating swap for cgroup v2
This allows to do

	runc update $ID --memory=-1 --memory-swap=$VAL

for cgroup v2, i.e. set memory to unlimited and swap to a specific
value.

This was not possible because ConvertMemorySwapToCgroupV2Value rejected
memory=-1 ("unlimited"). In a hindsight, it was a mistake, because if
memory limit is unlimited, we should treat memory+swap limit as just swap
limit.

Revise the unit test; add description to each case.

Fixes: c86be8a2 ("cgroupv2: fix setting MemorySwap")
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 732806e24c)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-11-02 01:58:28 +09:00
Kir Kolyshkin 914a8f35ad libct/cg: improve ConvertMemorySwapToCgroupV2Value
Improve readability of ConvertMemorySwapToCgroupV2Value by switching
from a bunch of if statements to a switch, and adding a comment
describing each case.

No functional change.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit cb9f3d6d14)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-11-02 01:58:20 +09:00
Akihiro Suda fe36d3801f Merge pull request #4493 from kolyshkin/12-4489
[1.2] CHANGELOG: add (forward-port) v1.1.15 changes
2024-11-02 01:45:49 +09:00
Kir Kolyshkin bb71ad503c CHANGELOG: add (forward-port) v1.1.15 changes
Those are taken from commit bc20cb44.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-30 13:21:54 -07:00
Kir Kolyshkin a0918a5264 Merge pull request #4488 from lifubang/backport-4482
[1.2] drop runc-dmz solution according to overlay solution
2024-10-29 16:53:49 -07:00
lifubang f07d92dbcd drop runc-dmz solution according to overlay solution
Because we have the overlay solution, we can drop runc-dmz binary
solution since it has too many limitations.

Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit 871057d863)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-10-29 17:52:12 +08:00
Kir Kolyshkin 989d4e4935 Merge pull request #4480 from austinvazquez/cherry-pick-eb2ff52ace1775ad667ca900b2e57e7d698e3484-to-1.2
[1.2] libct: rm x/sys/execabs usage
2024-10-26 15:03:18 -07:00
Kir Kolyshkin f479676cce libct: rm x/sys/execabs usage
Since Go 1.19, the same functionality is there in os/exec package.
As we require go 1.22 now, there's no need to have this.

This basically reverts commit 9258eac0 ("libct/start: use execabs for
newuidmap lookup").

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit eb2ff52ace)
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
2024-10-26 18:27:18 +00:00
lfbzhm 0e4ee0296e Merge pull request #4477 from kolyshkin/1.2-userns
[1.2] libct/nsenter: become root after joining userns
2024-10-26 13:12:25 +08:00
lifubang 74a5c786d0 test join other container userns with selinux enabled
Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit 34a928550f)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-25 18:13:58 -07:00
lifubang 1eb9ad3edf libct/nsenter: become root after joining userns
Containerd pre-creates userns and netns before calling runc, which
results in the current code not working when SELinux is enabled,
resulting in the following error:

> runc create failed: unable to start container process: error during
container init: error mounting "mqueue" to rootfs at "/dev/mqueue":
setxattr /path/to/rootfs/dev/mqueue: operation not permitted

The solution is to become root in the user namespace right after
we join it.

Fixes #4466.

Co-authored-by: Wei Fu <fuweid89@gmail.com>
Co-authored-by: Kir Kolyshkin <kolyshkin@gmail.com>
Co-authored-by: Aleksa Sarai <cyphar@cyphar.com>
Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit c78f3f2ea0)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-25 18:13:58 -07:00
Aleksa Sarai 0ff6451c71 [1.2] VERSION: back to development
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-10-22 09:50:27 +11:00
Aleksa Sarai 0b9fa21be2 VERSION: release v1.2.0
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
v1.2.0
2024-10-22 09:21:47 +11:00
Rodrigo Campos 5190d6124b Merge pull request #4452 from lifubang/fix-fd-reuse-race
fix an error caused by fd reuse race when starting runc init
2024-10-21 12:55:03 +02:00
Aleksa Sarai ca45a2c52d merge #4446 into opencontainers/runc:main
Aleksa Sarai (1):
  Revert "increase memory.max in cgroups.bats"

LGTMs: rata cyphar
2024-10-21 19:44:58 +11:00
lfbzhm 568231cc4e Revert "increase memory.max in cgroups.bats"
This reverts commit 65a1074c75.

We needed [1] because when we removed the bindfd logic in [2] we had not
yet moved the binary cloning logic to Go and thus it was necessary to
increase the memory limit in CI because the clone was happening after
joining the cgroup. However, [3] finally moved that code to Go and thus
the cloning is now done outside of the container's cgroup and thus is no
longer accounted as part of the container's memory usage at any point.

Now we can properly support running a simple container with lower memory
usage as we did before.

[1]: commit 65a1074c75 ("increase memory.max in cgroups.bats")
[2]: commit b999376fb2 ("nsenter: cloned_binary: remove bindfd logic entirely")
[3]: commit 0e9a3358f8 ("nsexec: migrate memfd /proc/self/exe logic to Go code")

Signed-off-by: lfbzhm <lifubang@acmcoder.com>
[cyphar: fixed commit messages]
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-10-21 19:34:41 +11:00
lfbzhm e669926691 fix an error caused by fd reuse race when starting runc init
There is a race situation when we are opening a file, if there is a
small fd was closed at that time, maybe it will be reused by safeExe.
Because of Go stdlib fds shuffling bug, if the fd of safeExe is too
small, go stdlib will dup3 it to another fd, or dup3 a other fd to this
fd, then it will cause the fd type cmd.Path refers to a random path,
and it can lead to an error "permission denied" when starting the process.
Please see #4294 and <https://github.com/golang/go/issues/61751>.
So we should not use the original fd of safeExe, but use the fd after
shuffled by Go stdlib. Because Go stdlib will guarantee this fd refers to
the correct file.

Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-10-21 06:53:44 +00:00
Akihiro Suda ca8ca3ce07 Merge pull request #4448 from cyphar/cloned-binary-overlayfs
dmz: use overlayfs to write-protect /proc/self/exe if possible
2024-10-21 04:11:33 +09:00
Akihiro Suda 08faf15106 Merge pull request #4429 from kolyshkin/cap-load
libct/cap: no need to load capabilities
2024-10-21 04:09:07 +09:00
Aleksa Sarai 515f09f7b1 dmz: use overlayfs to write-protect /proc/self/exe if possible
Commit b999376fb2 ("nsenter: cloned_binary: remove bindfd logic
entirely") removed the read-only bind-mount logic from our cloned binary
code because it wasn't really safe because a container with
CAP_SYS_ADMIN could remove the MS_RDONLY bit and get write access to
/proc/self/exe (even with user namespaces this could've been an issue
because it's not clear if the flags are locked).

However, copying a binary does seem to have a minor performance impact.
The only way to have no performance impact would be for the kernel to
block these write attempts, but barring that we could try to reduce the
overhead by coming up with a mount that cannot have it's read-only bits
cleared.

The "simplest" solution is to create a temporary overlayfs using
fsopen(2) which uses the directory where runc exists as a lowerdir,
ensuring that the container cannot access the underlying file -- and we
don't have to do any copies.

While fsopen(2) is not free because mount namespace cloning is usually
expensive (and so it seems like the difference would be marginal), some
basic performance testing seems to indicate there is a ~60% improvement
doing it this way and that it has effectively no overhead even when
compared to just using /proc/self/exe directly:

  % hyperfine --warmup 50 \
  >           "./runc-noclone run -b bundle ctr" \
  >           "./runc-overlayfs run -b bundle ctr" \
  >           "./runc-memfd run -b bundle ctr"

  Benchmark 1: ./runc-noclone run -b bundle ctr
    Time (mean ± σ):      13.7 ms ±   0.9 ms    [User: 6.0 ms, System: 10.9 ms]
    Range (min … max):    11.3 ms …  16.1 ms    184 runs

  Benchmark 2: ./runc-overlayfs run -b bundle ctr
    Time (mean ± σ):      13.9 ms ±   0.9 ms    [User: 6.2 ms, System: 10.8 ms]
    Range (min … max):    11.8 ms …  16.0 ms    180 runs

  Benchmark 3: ./runc-memfd run -b bundle ctr
    Time (mean ± σ):      22.6 ms ±   1.3 ms    [User: 5.7 ms, System: 20.7 ms]
    Range (min … max):    19.9 ms …  26.5 ms    114 runs

  Summary
    ./runc-noclone run -b bundle ctr ran
      1.01 ± 0.09 times faster than ./runc-overlayfs run -b bundle ctr
      1.65 ± 0.15 times faster than ./runc-memfd run -b bundle ctr

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-10-20 21:35:09 +11:00
Aleksa Sarai 8cfbccb6d9 tests: integration: add helper to check if we're in a userns
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-10-20 19:58:49 +11:00
lfbzhm 8bebdbafd8 Merge pull request #4456 from kolyshkin/misc-ci-cleanups
Misc tests/int cleanups
2024-10-18 21:29:53 +08:00
lfbzhm d1b0ae62a9 Merge pull request #4455 from kolyshkin/ci-hotfix
tests/int: skip "update memory vs CheckBeforeUpdate" on EL9
2024-10-18 21:26:32 +08:00
Kir Kolyshkin 54ef07d899 tests/int: skip "update memory vs CheckBeforeUpdate" on EL9
This test case is frequently hanging recently. Might be caused
by a recent kernel update from 5.14.0-427.33.1.el9_4.x86_64 to
5.14.0-427.37.1.el9_4.x86_64.

Could not reproduce locally.

Let's skip it for now.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-17 19:11:01 -07:00
Aleksa Sarai 2664c845c9 merge #4441 into opencontainers/runc:main
Kir Kolyshkin (1):
  libct: rm initWaiter

LGTMs: lifubang cyphar
2024-10-18 13:09:43 +11:00
Kir Kolyshkin ff7753636f tests/int: rm centos-7 exclusion
We no longer run tests on CentOS 7, so this is now useless.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-17 18:08:14 -07:00