Commit Graph

6243 Commits

Author SHA1 Message Date
dependabot[bot] cc63d074e6 build(deps): bump github.com/cilium/ebpf from 0.9.3 to 0.10.0
Bumps [github.com/cilium/ebpf](https://github.com/cilium/ebpf) from 0.9.3 to 0.10.0.
- [Release notes](https://github.com/cilium/ebpf/releases)
- [Commits](https://github.com/cilium/ebpf/compare/v0.9.3...v0.10.0)

---
updated-dependencies:
- dependency-name: github.com/cilium/ebpf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-01-17 23:24:59 +00:00
Kir Kolyshkin 3c12cbda39 Merge pull request #3700 from AkihiroSuda/fix-3699
tests/integration/get-images.sh: fix busybox.tar.xz URL
2023-01-17 15:19:37 -08:00
Akihiro Suda 6676f9807f tests/integration/get-images.sh: fix busybox.tar.xz URL
Fix issue 3699

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2023-01-12 08:54:02 +09:00
Akihiro Suda da548c1c1b Merge pull request #3693 from opencontainers/dependabot/go_modules/golang.org/x/net-0.5.0
build(deps): bump golang.org/x/net from 0.4.0 to 0.5.0
2023-01-11 03:17:19 +09:00
dependabot[bot] eacada7630 build(deps): bump golang.org/x/net from 0.4.0 to 0.5.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.4.0 to 0.5.0.
- [Release notes](https://github.com/golang/net/releases)
- [Commits](https://github.com/golang/net/compare/v0.4.0...v0.5.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-01-05 04:08:48 +00:00
Akihiro Suda dfd1aefd1d Merge pull request #3660 from yzxiu/fix-example
fix libcontainer example
2022-12-24 15:57:31 +09:00
Qiang Huang 7c143086cd Merge pull request #3542 from kolyshkin/ci-fix-vs-azsec
ci: fix delete.bats for GHA
2022-12-16 11:23:51 +08:00
Kir Kolyshkin 0ac98807c3 libct/cg/sd: stop using regex, fix systemdVersionAtoi
Rewrite systemdVersionAtoi to not use regexp, and fix two issues:

1. It was returning 0 (rather than -1) for some errors.

2. The comment was saying that the input string is without quotes,
   while in fact it is.

Note the new function, similar to the old one, works on input either
with or without quotes. Amend the test to add test cases without quotes.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-12-15 18:51:13 -08:00
Kir Kolyshkin b44da4c05f libct: validateID: stop using regexp
Replace a regex with a simple for loop. Document the function.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-12-15 18:50:54 -08:00
Kir Kolyshkin 15677e7b03 ci: fix delete.bats for GHA
A couple of test cases in delete.bats check that a particular cgroup
exists (or doesn't exist) using find. This is now resulting in errors
like these:

        find: ‘/sys/fs/cgroup/blkio/azsec’: Permission denied
        find: ‘/sys/fs/cgroup/blkio/azsec_clamav’: Permission denied
        find: ‘/sys/fs/cgroup/cpu,cpuacct/azsec’: Permission denied
        find: ‘/sys/fs/cgroup/cpu,cpuacct/azsec_clamav’: Permission denied
        find: ‘/sys/fs/cgroup/memory/azsec’: Permission denied
        find: ‘/sys/fs/cgroup/memory/azsec_clamav’: Permission denied

leading to test case failures.

Apparently, GHA runs something else on a test box, so we get this.

To fix, ignore non-zero exit code from find, and redirect its stderr
to /dev/null.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-12-15 15:43:06 -08:00
Kir Kolyshkin c4aa452b18 tests/int/checkpoint: fix lazy migration flakiness
When doing a lazy checkpoint/restore, we should not restore into the
same cgroup, otherwise there is a race which result in occasional
killing of the restored container (GH #2760, #2924).

The fix is to use --manage-cgroup-mode=ignore, which allows to restore
into a different cgroup.

Note that since cgroupsPath is not set in config.json, the cgroup is
derived from the container name, so calling set_cgroups_path is not
needed.

For the previous (unsuccessful) attempt to fix this, as well as detailed
(and apparently correct) analysis, see commit 36fe3cc28c.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-12-15 15:37:42 -08:00
Kir Kolyshkin 683528783e man/runc-restore: describe restore into different cgroup
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-12-15 15:37:42 -08:00
Kir Kolyshkin d4582ae2f1 tests/int: add "--manage-cgroups-mode ignore" test
This test checks that the container is restored into a different cgroup.

To do so, a user should
 - use --manage-cgroups-mode ignore on both checkpoint and restore;
 - change the cgroupsPath value in config.json before restoring.

The test does some checks to ensure that its logic is correct, and that
after the restore the old (original) cgroup does not exist, the new one
exists, and the container's init is in that new cgroup.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-12-15 15:37:42 -08:00
Kir Kolyshkin e8cf8783d1 libct/criuApplyCgroups: add a TODO
I don't want to implement it now, because this might result in some
new issues, but this is definitely something that is worth implementing.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-12-15 15:37:42 -08:00
Kir Kolyshkin 3438ef30b2 restore: fix --manage-cgroups-mode ignore on cgroup v2
When manage-cgroups-mode: ignore is used, criu still needs to know the
cgroup path to work properly (see [1]).

Revert "libct/criuApplyCgroups: don't set cgroup paths for v2"

This reverts commit d5c57dcea6.

[1]: https://github.com/checkpoint-restore/criu/issues/1793#issuecomment-1086675168

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-12-15 15:37:42 -08:00
Kir Kolyshkin 212d25e853 checkpoint/restore: add --manage-cgroups-mode ignore
- add the new mode and document it;
 - slightly improve the --help output;
 - slightly simplify the parsing code.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-12-15 15:37:42 -08:00
Kir Kolyshkin ff3b4f3bb4 restore: fix ignoring --manage-cgroups-mode
Merge the logic of setPageServer, setManageCgroupsMode, and
setEmptyNsMask into criuOptions. This does three things:

1. Fixes ignoring --manage-cgroups-mode on restore;
2. Simplifies the code in checkpoint.go and restore.go;
3. Ensures issues like 1 won't happen again.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-12-15 15:37:39 -08:00
Kir Kolyshkin e7461c8c29 Merge pull request #3291 from indyjo/fix/sd-notify-barrier
notify_socket.go: use sd_notify_barrier mechanism
2022-12-08 15:33:15 -08:00
Kir Kolyshkin 0b21e02038 Merge pull request #3681 from opencontainers/dependabot/go_modules/golang.org/x/net-0.4.0
build(deps): bump golang.org/x/net from 0.2.0 to 0.4.0
2022-12-08 12:39:26 -08:00
dependabot[bot] 4f2af60520 build(deps): bump golang.org/x/net from 0.2.0 to 0.4.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.2.0 to 0.4.0.
- [Release notes](https://github.com/golang/net/releases)
- [Commits](https://github.com/golang/net/compare/v0.2.0...v0.4.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-12-08 04:04:47 +00:00
Kir Kolyshkin 19a9d9fc9e tests/int: use runc features in seccomp flags test
This test (initially added by commit 58ea21daef and later amended in
commit 26dc55ef1a) currently has two major deficiencies:

1. All possible flag combinations, and their respective numeric values,
   have to be explicitly listed. Currently we support 3 flags, so
   there is only 2^3 - 1 = 7 combinations, but adding more flags will
   become increasingly difficult (for example, 5 flags will result in
   31 combinations).

2. The test requires kernel 4.17 (for SECCOMP_FILTER_FLAG_SPEC_ALLOW),
   and not doing any tests when running on an older kernel. This, too,
   will make it more difficult to add extra flags in the future.

Both issues can be solved by using runc features which now prints all
known and supported runc flags. We still have to hardcode the numeric
values of all flags, but most of the other work is coded now.

In particular:

 * The test only uses supported flags, meaning it can be used with
   older kernels, removing the limitation (2) above.

 * The test calculates the powerset (all possible combinations) of
   flags and their numeric values. This makes it easier to add more
   flags, removing the limitation (1) above.

 * The test will fail (in flags_value) if any new flags will be added
   to runc but the test itself is not amended.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-11-29 17:24:32 -08:00
Kir Kolyshkin ac04154f0b seccomp: set SPEC_ALLOW by default
If no seccomps flags are set in OCI runtime spec (not even the empty
set), set SPEC_ALLOW as the default (if it's supported).

Otherwise, use the flags as they are set (that includes no flags for
empty seccomp.Flags array).

This mimics the crun behavior, and makes runc seccomp performance on par
with crun.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-11-29 17:24:32 -08:00
Kir Kolyshkin 076745a40f runc features: add seccomp filter flags
Amend runc features to print seccomp flags. Two set of flags are added:
 * known flags are those that this version of runc is aware of;
 * supported flags are those that can be set; normally, this is the same
   set as known flags, but due to older version of kernel and/or
   libseccomp, some known flags might be unsupported.

This commit also consolidates three different switch statements dealing
with flags into one, in func setFlag. A note is added to this function
telling what else to look for when adding new flags.

Unfortunately, it also adds a list of known flags, that should be
kept in sync with the switch statement.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-11-29 17:24:32 -08:00
Kir Kolyshkin ab8480893e types/features: fix docstrings
Fix a few copy-paste errors.

Fixes: 520702dac
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-11-29 17:24:32 -08:00
Kir Kolyshkin 2da0194236 Merge pull request #3670 from AkihiroSuda/fedora-37
Vagrantfile.fedora: upgrade Fedora to 37
2022-11-29 17:23:45 -08:00
Mrunal Patel 25c9e88868 Merge pull request #3655 from kolyshkin/cpt-destroy-on-err
runc checkpoint: destroy only on success
2022-11-22 18:40:52 -05:00
Mrunal Patel c1045cc8de Merge pull request #3662 from vipulnewaskar7/3659-wrong-error-variable-fix
Fixed Init State Error Variable
2022-11-22 18:39:11 -05:00
Akihiro Suda 8e9128ffce Vagrantfile.fedora: upgrade Fedora to 37
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2022-11-18 09:27:57 +09:00
Akihiro Suda 23389fc74d Merge pull request #3658 from opencontainers/dependabot/go_modules/golang.org/x/net-0.2.0
build(deps): bump golang.org/x/net from 0.1.0 to 0.2.0
2022-11-17 06:27:26 +09:00
Vipul Newaskar 9fc707e703 Fixed init state error variable
Init State Error message was using the err variable instead of uerr, which has been fixed now.
The error message should not show "nil" now.

Signed-off-by: Vipul Newaskar <vipulnewaskar7@gmail.com>
2022-11-15 09:41:16 +05:30
Jonas Eschenburg 067ca8f5c8 notify_socket.go: use sd_notify_barrier mechanism
Signed-off-by: Jonas Eschenburg <jonas.eschenburg@kuka.com>
2022-11-14 10:41:22 +01:00
Jonas Eschenburg ee88b90032 notify_socket.go: avoid use of bytes.Buffer
Signed-off-by: Jonas Eschenburg <jonas.eschenburg@kuka.com>
2022-11-14 10:41:22 +01:00
yaozhenxiu 313723fd5f fix libcontainer example
Signed-off-by: yaozhenxiu <946666800@qq.com>
2022-11-11 14:50:21 +08:00
dependabot[bot] 9f38379308 build(deps): bump golang.org/x/net from 0.1.0 to 0.2.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.1.0 to 0.2.0.
- [Release notes](https://github.com/golang/net/releases)
- [Commits](https://github.com/golang/net/compare/v0.1.0...v0.2.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-11-10 01:07:13 +00:00
Akihiro Suda f264cf91fa Merge pull request #3657 from opencontainers/dependabot/go_modules/golang.org/x/sys-0.2.0
build(deps): bump golang.org/x/sys from 0.1.0 to 0.2.0
2022-11-10 10:06:25 +09:00
dependabot[bot] 467dd23402 build(deps): bump golang.org/x/sys from 0.1.0 to 0.2.0
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.1.0 to 0.2.0.
- [Release notes](https://github.com/golang/sys/releases)
- [Commits](https://github.com/golang/sys/compare/v0.1.0...v0.2.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-11-09 04:04:06 +00:00
Sebastiaan van Stijn 627e815f20 Merge pull request #3654 from AkihiroSuda/go-mod-sys-v0.1.0
go.mod: golang.org/x/*: use tagged versions
2022-11-08 22:32:06 +01:00
Kir Kolyshkin 0b0244323f Merge pull request #3656 from opencontainers/dependabot/go_modules/github.com/coreos/go-systemd/v22-22.5.0
build(deps): bump github.com/coreos/go-systemd/v22 from 22.4.0 to 22.5.0
2022-11-08 12:01:51 -08:00
dependabot[bot] e0d3c3e07f build(deps): bump github.com/coreos/go-systemd/v22 from 22.4.0 to 22.5.0
Bumps [github.com/coreos/go-systemd/v22](https://github.com/coreos/go-systemd) from 22.4.0 to 22.5.0.
- [Release notes](https://github.com/coreos/go-systemd/releases)
- [Commits](https://github.com/coreos/go-systemd/compare/v22.4.0...v22.5.0)

---
updated-dependencies:
- dependency-name: github.com/coreos/go-systemd/v22
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-11-08 04:10:57 +00:00
Kir Kolyshkin 783f9ffeeb runc checkpoint: destroy only on success
If checkpointing has failed, the container is kept running. We do not
want to, and we can't remove it in such case.

Do not try to remove the container if there's an error from
checkpointing.

This avoids an unclear error message from destroy() saying "container
still running" or "container paused".

While at it, avoid using defer since it does not make a lot of sense
here.

Fixes: #3577
Reported-by: gosoon <tianfeiyu0@gmail.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-11-03 16:14:01 -07:00
Akihiro Suda 79aedac186 go.mod: golang.org/x/*: use tagged versions
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2022-11-03 11:11:19 +09:00
Kir Kolyshkin 2a8e5d3c62 Merge pull request #3579 from kolyshkin/v2-low-mem
runc update: implement memory.checkBeforeUpdate
2022-11-02 18:29:15 -07:00
Kir Kolyshkin 6462e9de67 runc update: implement memory.checkBeforeUpdate
This is aimed at solving the problem of cgroup v2 memory controller
behavior which is not compatible with that of cgroup v1.

In cgroup v1, if the new memory limit being set is lower than the
current usage, setting the new limit fails.

In cgroup v2, same operation succeeds, and the container is OOM killed.

Introduce a new setting, memory.checkBeforeUpdate, and use it to mimic
cgroup v1 behavior.

Note that this is not 100% reliable because of TOCTOU, but this is the
best we can do.

Add some test cases.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-11-02 17:15:26 -07:00
Kir Kolyshkin b34a547d67 Merge pull request #3379 from kolyshkin/bump-shfmt
ci: bump shfmt to 3.5.1, simplify CI setup
2022-11-02 15:00:24 -07:00
Kir Kolyshkin 56edc41ca6 ci: bump shfmt to 3.5.1, simplify CI setup
1. Bump shfmt to v3.5.1. Release notes:
   https://github.com/mvdan/sh/releases

2. Since shfmt v3.5.0, specifying -l bash (or -l bats) is no longer
   necessary. Therefore, we can use shfmt to find all the files.
   Add .editorconfig to ignore vendor subdirectory.

3. Use shfmt docker image, so that we don't have to install anything
   explicitly. This greatly simplifies the shfmt CI job. Add
   localshfmt target so developers can still use a local shfmt binary
   when necessary.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-11-02 11:08:36 -07:00
Kir Kolyshkin 8da0a0b567 Merge pull request #3631 from godsarmy/3612-sigkill_comment
Fix comment of signalAllProcesses for process wait due to sigkill
2022-11-02 10:31:34 -07:00
Walt Chen 18f8f482b1 Fix comment of signalAllProcesses for process wait due to sigkill
Signed-off-by: Walt Chen <godsarmycy@gmail.com>
2022-11-02 10:08:09 -07:00
Aleksa Sarai df2043af5d merge 'refs/pull/3635/head' of github.com:opencontainers/runc
Kir Kolyshkin (1):
  libct/seccomp/patchbpf: rm duplicated code

LGTMs: cyphar thaJeztah
Closes #3635
2022-11-02 15:46:03 +11:00
Kir Kolyshkin 2cd05e44b6 libct/seccomp/patchbpf: rm duplicated code
In findLastSyscalls, we convert libseccomp.ArchNative to the real
libseccomp architecture, but archToNative already does that, so
this code is redundant.

Remove the redundant code, and move its comment to archToNative.

Fixes: 7a8d7162f
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-11-01 18:47:16 -07:00
Kir Kolyshkin c393d16cea Merge pull request #3652 from rst0git/deps-go-criu
deps: bump github.com/checkpoint-restore/go-criu to 6.3.0
2022-11-01 18:42:14 -07:00