Commit Graph

164 Commits

Author SHA1 Message Date
Kir Kolyshkin 87bd784614 Add dmz-vs-selinux kludge and a way to disable it
Add a workaround for a problem of older container-selinux not allowing
runc to use dmz feature. If runc sees that SELinux is in enforced mode
and the container's SELinux label is set, it disables dmz.

Add a build tag, runc_dmz_selinux_nocompat, which disables the workaround.
Newer distros that ship container-selinux >= 2.224.0 (currently CentOS
Stream 8 and 9, RHEL 8 and 9, and Fedora 38+) may build runc with this
build tag set to benefit from dmz working with SELinux.

Document the build tag in the top-level and libct/dmz READMEs.

Use the build tag in our CI builds for CentOS Stream 9 and Fedora 38,
as they already has container-selinux 2.224.0 available in updates.

Add a TODO to use the build tag for CentOS Stream 8 once it has
container-selinux updated.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-30 16:55:41 -07:00
Kir Kolyshkin 393c7a81c9 README: fix reference to memfd-bind
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-30 16:55:41 -07:00
Aleksa Sarai b9a4727f54 contrib: memfd-bind: add helper for memfd-sealed-bind trick
This really isn't ideal but it can be used to avoid the largest issues
with the memfd-based runc binary protection. There are several caveats
with using this tool, see the help page for the new binary for details.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-09-22 15:38:20 +10:00
lifubang dac4171746 runc-dmz: reduce memfd binary cloning cost with small C binary
The idea is to remove the need for cloning the entire runc binary by
replacing the final execve() call of the container process with an
execve() call to a clone of a small C binary which just does an execve()
of its arguments.

This provides similar protection against CVE-2019-5736 but without
requiring a >10MB binary copy for each "runc init". When compiled with
musl, runc-dmz is 13kB (though unfortunately with glibc, it is 1.1MB
which is still quite large).

It should be noted that there is still a window where the container
processes could get access to the host runc binary, but because we set
ourselves as non-dumpable the container would need CAP_SYS_PTRACE (which
is not enabled by default in Docker) in order to get around the
proc_fd_access_allowed() checks. In addition, since Linux 4.10[1] the
kernel blocks access entirely for user namespaced containers in this
scenario. For those cases we cannot use runc-dmz, but most containers
won't have this issue.

This new runc-dmz binary can be opted out of at compile time by setting
the "runc_nodmz" buildtag, and at runtime by setting the RUNC_DMZ=legacy
environment variable. In both cases, runc will fall back to the classic
/proc/self/exe-based cloning trick. If /proc/self/exe is already a
sealed memfd (namely if the user is using contrib/cmd/memfd-bind to
create a persistent sealed memfd for runc), neither runc-dmz nor
/proc/self/exe cloning will be used because they are not necessary.

[1]: https://github.com/torvalds/linux/commit/bfedb589252c01fa505ac9f6f2a3d5d68d707ef4

Co-authored-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: lifubang <lifubang@acmcoder.com>
[cyphar: address various review nits]
[cyphar: fix runc-dmz cross-compilation]
[cyphar: embed runc-dmz into runc binary and clone in Go code]
[cyphar: make runc-dmz optional, with fallback to /proc/self/exe cloning]
[cyphar: do not use runc-dmz when the container has certain privs]
Co-authored-by: Aleksa Sarai <cyphar@cyphar.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-09-22 15:38:19 +10:00
Aleksa Sarai 872149470b release: add runc.keyring file and script
In order to allow any of the maintainers to cut releases for runc,
create a keyring file that distributions can use to verify that releases
are signed by one of the maintainers.

The format matches the gpg-offline format used by openSUSE packaging,
but it can be easily imported with "gpg --import" so any distribution
should be able to handle this keyring format wtihout issues.

Each key includes the GitHub handle of the associated user. There isn't
any way for this information to be automatically verified (outside of
using something like keybase.io) but since all changes of this file need
to be approved by maintainers this is okay for now.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-04-14 01:00:27 +10:00
Akihiro Suda e412b4e88c docs: add docs/spec-conformance.md
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2023-02-10 12:10:18 +09:00
Austin Vazquez 5ecd40b9bd Add Go 1.20, require Go 1.19, drop Go 1.18
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
2023-02-02 19:56:26 +00:00
Kir Kolyshkin b7dcdcecb4 Add go 1.19, require go 1.18, drop go 1.17
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-08-16 09:53:54 -07:00
Kir Kolyshkin 6e624d6f20 Merge pull request #3419 from kolyshkin/go1.18
Add / switch to Go 1.18
2022-03-22 18:02:37 -07:00
Kir Kolyshkin a0f8847e2a Drop go 1.16
Require go 1.17 from now on, since go 1.16 is no longer supported.
Drop go1.16 compatibility.

NOTE we also have to install go 1.18 from Vagrantfile, because
Fedora 35 comes with Go 1.16.x which can't be used.

Note the changes to go.mod and vendor are due to
https://go.dev/doc/go1.17#tools

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-22 12:22:22 -07:00
Kir Kolyshkin 3618079cab README.md: add cirrus-ci badge
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-21 17:19:06 -07:00
Kir Kolyshkin f309a69a48 README,libct/README: fix pkg.go.dev badges
What used to be godoc.org is now pkg.go.dev, and while the old URLs
still work, they might be broken in the future.

Updated badges are generated via https://pkg.go.dev/badge/

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-21 17:05:41 -07:00
Akihiro Suda deb0a5f2ef Mark runc features experimental
Follow-up to PR 3296

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-12-07 17:51:39 +09:00
Kir Kolyshkin 12e99a0f8d Require Go >= 1.16
Go 1.15 is not supported since Go 1.17 release (16 Aug 2021), and some
packages that we use already require Go 1.16+ (notably,
github.com/cilium/ebpf v0.7.0).

Let's require Go 1.16+.

Remove Go version requirement from README when describing dependencies,
since it is no longer needed:

	$ GO=go1.15.15 make vendor
	go1.15.15 mod tidy
	go mod tidy: go.mod file indicates go 1.16, but maximum supported version is 1.15
	make: *** [Makefile:141: vendor] Error 1

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-10-14 13:46:02 -07:00
Kir Kolyshkin c5b0be78e8 Rm build tags from main pkg
This was added by commit 5aa82c950 back in the day when we thought
runc is going to be cross-platform. It's very clear now it's Linux-only
package.

While at it, further clarify it in README that we're Linux only.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-08-30 20:15:01 -07:00
Kir Kolyshkin a952b5aaae README, go.mod: require go 1.15+
This mostly reverts commit e2dd9220dd, and bumps
the min Go version to 1.15.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-27 01:41:47 -07:00
Kir Kolyshkin 015fa29afd Revert "Revert "Makefile: rm go 1.13 workaround""
This reverts commit 1a659bc68e,
essentially reinstating commit d0cbef576f.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-27 01:41:47 -07:00
Akihiro Suda cc0b16444f README.md: remove abandoned versioning policy
"`runc` X.Y.Z should implement the X.Y version of the specification." is no longer correct.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-07-21 14:05:35 +09:00
Akihiro Suda 1a659bc68e Revert "Makefile: rm go 1.13 workaround"
This reverts commit d0cbef576f.

Dockre/Moby still builds runc with Go 1.13, so we should still support
Go 1.13.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-04-30 19:12:07 +09:00
Qiang Huang 2d38476c96 Merge pull request #2840 from kolyshkin/ignore-kmem
Ignore kernel memory settings
2021-04-13 09:44:14 +08:00
Kir Kolyshkin 52390d6804 Ignore kernel memory settings
This is somewhat radical approach to deal with kernel memory.

Per-cgroup kernel memory limiting was always problematic. A few
examples:

 - older kernels had bugs and were even oopsing sometimes (best example
   is RHEL7 kernel);
 - kernel is unable to reclaim the kernel memory so once the limit is
   hit a cgroup is toasted;
 - some kernel memory allocations don't allow failing.

In addition to that,

 - users don't have a clue about how to set kernel memory limits
   (as the concept is much more complicated than e.g. [user] memory);
 - different kernels might have different kernel memory usage,
   which is sort of unexpected;
 - cgroup v2 do not have a [dedicated] kmem limit knob, and thus
   runc silently ignores kernel memory limits for v2;
 - kernel v5.4 made cgroup v1 kmem.limit obsoleted (see
   https://github.com/torvalds/linux/commit/0158115f702b).

In view of all this, and as the runtime-spec lists memory.kernel
and memory.kernelTCP as OPTIONAL, let's ignore kernel memory
limits (for cgroup v1, same as we're already doing for v2).

This should result in less bugs and better user experience.

The only bad side effect from it might be that stat can show kernel
memory usage as 0 (since the accounting is not enabled).

[v2: add a warning in specconv that limits are ignored]

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-04-12 12:18:11 -07:00
Kir Kolyshkin 44611630a5 docs/systemd: add
1. Move docs/systemd-properties.md to docs/systemd.md

2. Document the cgroupsPath to systemd unit name and slice conversion
   rules, as well as mapping of OCI runtime spec resource limits to
   systemd unit properties.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-04-01 19:50:47 -07:00
Kir Kolyshkin d0cbef576f Makefile: rm go 1.13 workaround
Since go 1.14, mod=vendor is used automatically. Since go 1.16 is now
released, and minimally supported go version is 1.15.

As per commit fbeed5228, remove the go 1.13 workaround.

Fix README to require go 1.14.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-02-16 18:58:55 -08:00
Kir Kolyshkin 5b14a26164 README: add gha badges
Note that validate currently fails on master -- this is tracked
in https://github.com/opencontainers/runc/issues/2627.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-02-10 14:39:27 -08:00
wangtianxia d89c96297b Fix typo in README
Signed-off-by: wangtianxia <sometimesnaive@sjtu.edu.cn>
2021-01-29 10:09:00 +08:00
Kir Kolyshkin 58c3100378 README: rm travis badge
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-01-15 00:45:15 -08:00
Kir Kolyshkin 17a0dc3162 README: add note about not using runc directly
Inspired-by: https://github.com/opencontainers/runc/issues/2702

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-01-06 14:53:36 -08:00
Kir Kolyshkin 4bc2aab954 README: add links to misc docs
That way it is easier to find.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-01-06 14:53:36 -08:00
Akihiro Suda cb26930680 remove "selinux" build tag (Always compile SELinux support)
The build tag was removed in go-selinux v1.8.0: https://github.com/opencontainers/selinux/pull/132

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-12-16 17:41:11 +09:00
Akihiro Suda 552a1c7bb1 remove "apparmor" build tag (Always compile AppArmor support)
The apparmor tag was introduced in a01ed80 (2014) to make cgo dependency
on libapparmor optional.

However, the cgo dependency was removed in db093f6 (2017), so it is no
longer meaningful to keep apparmor build tag.

Close #2704

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-12-16 17:39:48 +09:00
Akihiro Suda 3f2f06dfe1 Move cgroup v2 out of experimental
After a lot of refactoring, our cgroup v1 and v2 drivers now have same level of implementation quality,
so we can move the v2 driver out of experimental.

Close #2663

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-11-10 17:07:06 +09:00
Akihiro Suda 1386570498 add cgroup v2 documentation
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-06-04 00:21:31 +09:00
Akihiro Suda 5b601c66d0 README.md: fix a dead link
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-05-21 02:31:33 +09:00
Chris Aniszczyk 7376bdc142 Fix reference to badge
Signed-off-by: Chris Aniszczyk <caniszczyk@gmail.com>
2020-04-21 13:20:20 -05:00
Chris Aniszczyk 5c2a97828c Add CII Badge to README
https://master.bestpractices.coreinfrastructure.org/projects/588

Signed-off-by: Chris Aniszczyk <caniszczyk@gmail.com>
2020-04-20 11:38:49 -05:00
Kenta Tada f8f03700cc README.md: update Go version to build
Signed-off-by: Kenta Tada <Kenta.Tada@sony.com>
2020-04-06 20:14:21 +09:00
Aleksa Sarai a15d2c3ca0 merge branch 'pr-2073'
Odin Ugedal (7):
  Run verify-dependencies only on go1.x
  Don't add git utils to go.mod in CI
  Remove refrences to vndr
  Make CI script to verify that vendor is in sync
  Fix file permissions for mounts.bats
  Update spec test to use go.mod
  Add support for GO Modules

LGTMs: @hqhq @AkihiroSuda @cyphar
Closes #2073
2020-03-16 12:38:40 +11:00
Kir Kolyshkin 89c108b1be Makefile: add selinux and apparmor build tags
Both selinux and apparmor subsystem can detect whether it is enabled,
and act accordingly. Compiling it in by default should help avoid
some frustration cased by missing build tags.

This should not change anything in case BUILDTAGS is already set.

README.md is amended to clarify what BUILDTAGS are enabled by
default.

[v2: add apparmor]
[v3: add it unconditionally, fix README]

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-03-15 10:29:35 -07:00
Kir Kolyshkin 69f6f32f6b README, travis.yml: rm ambient tag
This build tag was removed in commit 4f903a21c4 (PR #1370)
quite some time ago.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-03-15 10:25:33 -07:00
Odin Ugedal 777f97d8de Run verify-dependencies only on go1.x
Signed-off-by: Odin Ugedal <odin@ugedal.com>
2020-03-07 10:46:34 +01:00
Odin Ugedal f7edcc3a89 Remove refrences to vndr
Signed-off-by: Odin Ugedal <odin@ugedal.com>
2020-03-07 09:29:33 +01:00
Kenta Tada af3a81e48e Add rootless testpath in Makefile
This commit modifies Makefile for rootless test to select testpath.

Signed-off-by: Kenta Tada <Kenta.Tada@sony.com>
2020-03-06 17:02:33 +09:00
Kenta Tada e03859022a README.md: modify the explanation of make flags
Signed-off-by: Kenta Tada <Kenta.Tada@sony.com>
2020-02-03 15:03:26 +09:00
Amye Scavarda Perrin 7d23d1e172 Update README.md
Signed-off-by: Amye Scavarda Perrin <amye@linuxfoundation.org>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2020-01-31 10:59:57 +11:00
Kohei Ota ed4a3e9bc6 Apply review
Signed-off-by: Kohei Ota <kela@inductor.me>
2020-01-26 23:03:13 +09:00
Kohei Ota c8ba985325 Fix path for security report line
Signed-off-by: Kohei Ota <kela@inductor.me>
2020-01-26 16:13:05 +09:00
Michael Crosby 792af40dc0 Merge pull request #1929 from kkallday/patch-1
Adds info about `userns` for rootless containers
2019-10-23 12:35:59 -04:00
Akihiro Suda 9996cf7d39 README.md: clarify cgroup2 support is not ready for production
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-10-19 01:51:11 +09:00
Manuel Rüger 4be50fe338 SECURITY: Add Security Policy
This should make the vuln reporting process more visible on GitHub
https://help.github.com/en/articles/adding-a-security-policy-to-your-repository

Signed-off-by: Manuel Rüger <manuel@rueg.eu>
2019-10-01 13:38:50 +02:00
Vincent Batts dbf6e48d0f README: link to /org/security/
Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2019-03-03 15:01:08 -05:00