Commit Graph

7063 Commits

Author SHA1 Message Date
Aleksa Sarai 8cfbccb6d9 tests: integration: add helper to check if we're in a userns
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-10-20 19:58:49 +11:00
lfbzhm 8bebdbafd8 Merge pull request #4456 from kolyshkin/misc-ci-cleanups
Misc tests/int cleanups
2024-10-18 21:29:53 +08:00
lfbzhm d1b0ae62a9 Merge pull request #4455 from kolyshkin/ci-hotfix
tests/int: skip "update memory vs CheckBeforeUpdate" on EL9
2024-10-18 21:26:32 +08:00
Kir Kolyshkin 54ef07d899 tests/int: skip "update memory vs CheckBeforeUpdate" on EL9
This test case is frequently hanging recently. Might be caused
by a recent kernel update from 5.14.0-427.33.1.el9_4.x86_64 to
5.14.0-427.37.1.el9_4.x86_64.

Could not reproduce locally.

Let's skip it for now.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-17 19:11:01 -07:00
Aleksa Sarai 2664c845c9 merge #4441 into opencontainers/runc:main
Kir Kolyshkin (1):
  libct: rm initWaiter

LGTMs: lifubang cyphar
2024-10-18 13:09:43 +11:00
Kir Kolyshkin ff7753636f tests/int: rm centos-7 exclusion
We no longer run tests on CentOS 7, so this is now useless.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-17 18:08:14 -07:00
Kir Kolyshkin 76a821fab7 tests/int: update info about EL9 kernel
The issue quoted is now fixed, so add some information about the fixed
kernel version, and remove links to older discussions about idmapped
mounts security.

We can actually remove all of it for now, but let's keep it. Change
the skip message to say which kernel is required.

Amends commit b460dc39.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-17 18:08:14 -07:00
Kir Kolyshkin b5bdf592f2 libct: rm initWaiter
This initWaiter logic was introduced by commit 4ecff8d9, but since the logic of
/proc/self/exe was moved out of runc init in commit 0e9a335, this
seems unnecessary to have initWaiter.

Remove it.

This essentially reverts commit 4ecff8d9.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-17 08:05:42 -07:00
Aleksa Sarai d82235c9d0 merge #4444 into opencontainers/runc:main
lifubang (1):
  dmz: cloned binary: set +x permissions when creating regular tmpfile

LGTMs: kolyshkin cyphar
2024-10-15 15:06:30 +11:00
Aleksa Sarai 798ba5cd11 merge #4428 into opencontainers/runc:main
Kir Kolyshkin (2):
  memfd-bind: more specific doc URL
  memfd-bind: fixup systemd unit file and README

LGTMs: rata cyphar
2024-10-15 15:04:22 +11:00
lifubang 9fa324c479 dmz: cloned binary: set +x permissions when creating regular tmpfile
While we did set +x when "sealing" regular temporary files, the "is
executable" checks were done before then and would thus fail, causing
the fallback to not work properly.

So just set +x after we create the file. We already have a O_RDWR handle
open when we do the chmod so we won't get permission issues when writing
to the file.

Fixes: e089db3b4a ("dmz: add fallbacks to handle noexec for O_TMPFILE and mktemp()")

Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-10-14 17:48:18 +08:00
Aleksa Sarai 9112335fb2 merge #4350 into opencontainers/runc:main
Sebastiaan van Stijn (1):
  libcontainer/userns: migrate to github.com/moby/sys/userns

LGTMs: AkihiroSuda lifubang cyphar
2024-10-10 05:59:37 +11:00
Sebastiaan van Stijn 9b60a93cf3 libcontainer/userns: migrate to github.com/moby/sys/userns
The userns package was moved to the moby/sys/userns module
at commit 3778ae603c.

This patch deprecates the old location, and adds it as an alias
for the moby/sys/userns package.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-10-09 22:20:25 +08:00
lfbzhm 8bf5f0d441 Merge pull request #4430 from cyphar/securejoin-v0.3.4
go: update github.com/cyphar/filepath-securejoin to v0.3.4
2024-10-09 17:50:56 +08:00
Aleksa Sarai 1623cde125 go: update github.com/cyphar/filepath-securejoin to v0.3.4
This includes a fix to avoid doing import "testing" in non-_test.go
code.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-10-09 15:13:28 +11:00
Kir Kolyshkin 4fdd56169d memfd-bind: more specific doc URL
Let's point to the relevant README directly in the systemd unit file,
as it is hard to find in the whole nine yards of the runc repo.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-08 13:30:59 -07:00
Kir Kolyshkin 9e5545876e memfd-bind: fixup systemd unit file and README
The example of starting memfd-bind via systemd in README did not work
for me (Fedora 40, systemd 255):

	# systemctl status memfd-bind@/usr/bin/runc
	Invalid unit name "memfd-bind@/usr/bin/runc" escaped as "memfd-bind@-usr-bin-runc" (maybe you should use systemd-escape?).
	○ memfd-bind@-usr-bin-runc.service
	     Loaded: bad-setting (Reason: Unit memfd-bind@-usr-bin-runc.service has a bad unit file setting.)
	     Active: inactive (dead)
	       Docs: https://github.com/opencontainers/runc

So, let's use systemd-escape -p ("path") in the README example,
and use %f in the systemd unit file to prepend the slash to the
filename.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-08 13:30:08 -07:00
Kir Kolyshkin f2d56241d8 Merge pull request #4405 from amghazanfari/main
replace strings.SplitN with strings.Cut
2024-10-04 14:01:23 -07:00
Kir Kolyshkin 84529badb5 Merge pull request #4416 from amghazanfari/change_version
change go minimum version in README
2024-10-04 13:59:53 -07:00
Akihiro Suda db25439c60 Merge pull request #4417 from kolyshkin/fix-mount-leak
runc run: fix mount leak
2024-10-04 10:33:52 +09:00
Kir Kolyshkin 13a6f56097 runc run: fix mount leak
When preparing to mount container root, we need to make its parent mount
private (i.e. disable propagation), otherwise the new in-container
mounts are leaked to the host.

To find a parent mount, we use to read mountinfo and find the longest
entry which can be a parent of the container root directory.

Unfortunately, due to kernel bug in all Linux kernels older than v5.8
(see [1], [2]), sometimes mountinfo can't be read in its entirety. In
this case, getParentMount may occasionally return a wrong parent mount.

As a result, we do not change the mount propagation to private, and
container mounts are leaked.

Alas, we can not fix the kernel, and reading mountinfo a few times to
ensure its consistency (like it's done in, say, Kubernetes) does not
look like a good solution for performance reasons.

Fortunately, we don't need mountinfo. Let's just traverse the directory
tree, trying to remount it private until we find a mount point (any
error other than EINVAL means we just found it).

Fixes issue 2404.

[1]: https://github.com/kolyshkin/procfs-test
[2]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9f6c61f96f2d97cbb5f
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-02 13:58:27 -07:00
lfbzhm c611a2146d Merge pull request #4421 from cyphar/filepath-securejoin-0.3.3
vendor: update github.com/cyphar/filepath-securejoin to v0.3.3
2024-10-01 08:21:39 +08:00
Aleksa Sarai b096459a07 vendor: update github.com/cyphar/filepath-securejoin to v0.3.3
This fixes issues we had with spurious MkdirAll failures.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-09-30 16:26:42 +02:00
dependabot[bot] b2bf58e12e Merge pull request #4419 from opencontainers/dependabot/github_actions/bats-core/bats-action-3.0.0 2024-09-30 14:04:11 +00:00
dependabot[bot] f55957de35 build(deps): bump bats-core/bats-action from 2.1.1 to 3.0.0
Bumps [bats-core/bats-action](https://github.com/bats-core/bats-action) from 2.1.1 to 3.0.0.
- [Release notes](https://github.com/bats-core/bats-action/releases)
- [Commits](https://github.com/bats-core/bats-action/compare/2.1.1...3.0.0)

---
updated-dependencies:
- dependency-name: bats-core/bats-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-09-30 04:20:03 +00:00
Amir M. Ghazanfari bb2bd38d6f change go minimum version in README
Signed-off-by: Amir M. Ghazanfari <a.m.ghazanfari76@gmail.com>

Update go version

Co-authored-by: Akihiro Suda <suda.kyoto@gmail.com>
Signed-off-by: Amir M. Ghazanfari <a.m.ghazanfari76@gmail.com>
2024-09-29 23:20:03 +03:30
Amir M. Ghazanfari faffe1b9ee replace strings.SplitN with strings.Cut
Signed-off-by: Amir M. Ghazanfari <a.m.ghazanfari76@gmail.com>
2024-09-28 10:02:21 +03:30
Kir Kolyshkin 57798c6776 Merge pull request #4403 from Stavrospanakakis/replace-fields-splitn-cgroups-fs
libcontainer/cgroups/fs: remove todo since strings.Fields performs well
2024-09-27 10:26:59 -07:00
Stavros Panakakis 1be06760ed libcontainer/cgroups/fs: remove todo since strings.Fields performs well
Initially, this was a commit to switch from strings.Fields to
strings.SplitN in getCpuUsageBreakdown, since strings.Fields
was probably slower than strings.SplitN in some old Go versions.

Afterwards, strings.Cut was also considered for potential
speed improvements.

After writing a benchmark test, we learned that:
 - strings.Fields performance is now adequate;
 - strings.SplitN is slower than strings.Fields;
 - strings.Cut had <5% performance gain from strings.Fields;

So, remove the TODO and keep the benchmark test.

Signed-off-by: Stavros Panakakis <stavrospanakakis@gmail.com>
2024-09-26 12:34:32 +03:00
Kir Kolyshkin e1635d5d60 Merge pull request #4367 from kolyshkin/ambient-caps
Don't set ambient caps without inheritable ones
2024-09-25 22:11:34 -07:00
Kir Kolyshkin 7a449109f3 libct/README: simplify example, rm inheritable caps
The example is too long since it lists too many capabilities.
Simplify it, leaving only two capabilities.

Also, remove ambient capabilities from the set. Inheritable capabilities
were removed earlier by commit 98fe566c, but ambient capabilities can't
be raised without inheritable ones.

Fixes: 98fe566c
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-09-25 21:48:29 -07:00
Kir Kolyshkin 0de1953333 runc spec, libct/int: do not add ambient capabilities
Commit 98fe566c removed inheritable capabilities from the example spec
(used by runc spec) and from the libcontainer/integration test config,
but neglected to also remove ambient capabilities.

An ambient capability could only be set if the same inheritable
capability is set, so as a result of the above change ambient
capabilities were not set (but due to a bug in gocapability package,
those errors are never reported).

Once we start using a library with the fix [1], that bug will become
apparent (both bats-based and libct/int tests will fail).

[1]: https://github.com/kolyshkin/capability/pull/3

Fixes: 98fe566c ("runc: do not set inheritable capabilities")
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-09-25 21:48:29 -07:00
Kir Kolyshkin 3e3f96034f runc exec --cap: do not add capabilities to ambient
Commit 98fe566c removed setting inheritable capabilities from runc exec
--cap, but neglected to also remove ambient capabilities.

An ambient capability could only be set if the same inheritable
capability is set, so as a result of the above change ambient
capabilities were not set (but due to a bug in gocapability package,
those errors are never reported).

Once we start using a library with the fix [1], that bug will become
apparent. Alas, we do not have any tests for runc exec --cap, so add
one.

Yet, if some inheritable bits are already set from spec, let's set
ambient to avoid a possible regression. Add a test case for that, too.

[1]: https://github.com/kolyshkin/capability/pull/3

Fixes: 98fe566c ("runc: do not set inheritable capabilities")
Co-authored-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-09-25 21:48:29 -07:00
Kir Kolyshkin 8e03054c69 Merge pull request #4412 from akhilerm/remove-unused-bats-libs
ci: update bats-action to v2.1.1
2024-09-25 21:46:10 -07:00
Akhil Mohan 5b161e04ae update bats-action to 2.1.1
bats-action@2.1.1 supports:
- ubuntu 20.04
- cache key with multiple arch

Signed-off-by: Akhil Mohan <akhilerm@gmail.com>
2024-09-25 20:39:36 +05:30
Akhil Mohan 35f999dded remove installation of unused bats support libs
bats-core/bats-action installs a few support libraries by default which are not used by
runc. Disable the installation, which will remove /usr/bin/tar: Permission denied errors.

Signed-off-by: Akhil Mohan <akhilerm@gmail.com>
2024-09-25 11:31:44 +05:30
Kir Kolyshkin 47756ed7ef Merge pull request #4410 from lifubang/feat-add-ErrCgroupNotExist
Add ErrCgroupNotExist
2024-09-24 11:08:24 -07:00
Kir Kolyshkin a1acfcf793 Merge pull request #4398 from kolyshkin/no-shared-pidns
runc create/run: warn on rootless + shared pidns + no cgroup
2024-09-24 11:02:44 -07:00
Akihiro Suda daaed349e3 Merge pull request #4409 from akhilerm/update-actions
ci: update to setup bats action from bats-core
2024-09-24 17:53:30 +09:00
lifubang 10c951e335 add ErrCgroupNotExist
For some rootless container, runc has no access to cgroup,
But the container is still running. So we should return the
`ErrNotRunning` and `ErrCgroupNotExist` error seperatlly.

Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-09-23 23:27:35 +00:00
Akihiro Suda 5ff9d16e96 Merge pull request #4407 from rata/rata/min-1.22.4
go.mod: Force 1.22.4 as min go version
2024-09-23 21:51:51 +09:00
Rodrigo Campos 319e133c3c go.mod: Use toolchain 1.22.4
Go since 1.21 allows to set a "toolchain" that specifies the minimum Go
toolchain to use when working in runc. In contrast to the go line,
toolchain does not impose a requirement on other modules[1][2].

As documented in the 1.2.0-rc.1 release notes, 1.22.4 is needed for the
nsenter package. Let's suggest this with the toolchain version.

[1]: https://go.dev/doc/toolchain
[2]: https://go.dev/blog/toolchain

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2024-09-23 11:47:01 +02:00
Akhil Mohan 8671a7dba9 ci: update to setup bats action from bats-core
mig4/setup-bats is now unmaintained(last commit in Sep 2021).
bats-core/bats-action can be used as a replacement maintained
by the bats-core team.

Signed-off-by: Akhil Mohan <akhilerm@gmail.com>
2024-09-22 23:00:59 +05:30
Kir Kolyshkin 30f8f51eab runc create/run: warn on rootless + shared pidns + no cgroup
Shared pid namespace means `runc kill` (or `runc delete -f`) have to
kill all container processes, not just init. To do so, it needs a cgroup
to read the PIDs from.

If there is no cgroup, processes will be leaked, and so such
configuration is bad and should not be allowed. To keep backward
compatibility, though, let's merely warn about this for now.

Alas, the only way to know if cgroup access is available is by returning
an error from Manager.Apply. Amend fs cgroup managers to do so (systemd
doesn't need it, since v1 can't work with rootless, and cgroup v2 does
not have a special rootless case).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-09-17 22:49:37 -07:00
Kir Kolyshkin 21c6116557 tests/int: log when teardown starts
This aids in failed test analysis by allowing to distinguish the output
of various commands being run as part of the test case from the output
of teardown command like runc delete.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-09-17 22:49:37 -07:00
Kir Kolyshkin b1449fd510 libct: use Namespaces.IsPrivate more
In these cases, this is exactly what we want to find out.

Slightly improves performance and readability.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-09-17 22:49:29 -07:00
Kir Kolyshkin 15904913c2 Merge pull request #4397 from rafaelroquetto/main
Upgrade Cilium's eBPF library version to 0.16
2024-09-13 18:22:49 -07:00
Kir Kolyshkin d5ee7a5549 Merge pull request #4400 from cyphar/mkdirall-suidsgid-bits
utils: mkdirall: fix handling of suid/sgid bits
2024-09-13 18:20:18 -07:00
Aleksa Sarai d8844e2939 tests: integration: add setgid mkdirall test
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-09-13 23:34:33 +10:00
Aleksa Sarai 066b109e99 vendor: update to github.com/cyphar/filepath-securejoin@v0.3.2
This includes a fix for the handling of S_ISGID directories.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-09-13 23:34:33 +10:00