Commit Graph

6068 Commits

Author SHA1 Message Date
Cory Snider 9f107489b0 libct/intelrdt: skip reading /proc/cpuinfo
Reading /proc/cpuinfo is a surprisingly expensive operation. Since
kernel version 4.12 [1], opening /proc/cpuinfo on an x86 system can
block for around 20 milliseconds while the kernel samples the current
CPU frequency. There is a very recent patch [2] which gets rid of the
delay, but has yet to make it into the mainline kenel. Regardless,
kernels for which opening /proc/cpuinfo takes 20ms will continue to be
run in production for years to come. libcontainer only opens
/proc/cpuinfo to read the processor feature flags so all the delays to
get an accurate snapshot of the CPU frequency are just wasted time.

If we wanted to, we could interrogate the CPU features directly from
userspace using the `CPUID` instruction. However, Intel and AMD CPUs
have flags in different positions for their analogous sub-features and
there are CPU quirks [3] which would need to be accounted for. Some
Haswell server CPUs support RDT/CAT but are missing the `CPUID` flags
advertising their support; the kernel checks for support on that
processor family by probing the the hardware using privileged
RDMSR/WRMSR instructions [4]. This sort of probing could not be
implemented in userspace so it would not be possible to check for RDT
feature support in userspace without false negatives on some hardware
configurations.

It looks like libcontainer reads the CPU feature flags as a kind of
optimization so that it can skip checking whether the kernel supports an
RDT sub-feature if the hardware support is missing. As the kernel only
exposes subtrees in the `resctrl` filesystem for RDT sub-features with
hardware and kernel support, checking the CPU feature flags is redundant
from a correctness point of view. Remove the /proc/cpuinfo check as it
is an optimization which actually hurts performance.

[1]: https://unix.stackexchange.com/a/526679
[2]: https://lore.kernel.org/all/20220415161206.875029458@linutronix.de/
[3]: https://github.com/torvalds/linux/blob/7cf6a8a17f5b134b7e783c2d45c53298faef82a7/arch/x86/kernel/cpu/resctrl/core.c#L834-L851
[4]: https://github.com/torvalds/linux/blob/a6b450573b912316ad36262bfc70e7c3870c56d1/arch/x86/kernel/cpu/resctrl/core.c#L111-L153

Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-07-28 12:06:03 -07:00
Cory Snider 13674f43d3 libct/intelrdt: delete IsMBAScEnabled()
This function is unused, and removing it simplifies the changes which
follow this commit.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-07-28 12:06:03 -07:00
Aleksa Sarai 6f8cb8b4c1 merge branch 'pr-3539'
Kir Kolyshkin (1):
  CI: workaround CentOS Stream 9 criu issue

LGTMs: AkihiroSuda cyphar
Closes #3539
2022-07-28 21:15:14 +10:00
Kir Kolyshkin 4fd4af5b1c CI: workaround CentOS Stream 9 criu issue
Older criu builds fail to work properly on CentOS Stream 9 due to
changes in glibc's rseq.

Skip criu tests if an older criu version is found.

Fixes: https://github.com/opencontainers/runc/issues/3532

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-07-27 17:51:41 -07:00
Aleksa Sarai c0d44ea9fc merge branch 'pr-3523'
Kir Kolyshkin (1):
  CHANGELOG.md: forward-port 1.1.x changes

LGTMs: AkihiroSuda cyphar
Closes #3523
2022-07-20 14:26:51 +10:00
Kir Kolyshkin 93ad6a8513 Merge pull request #3528 from opencontainers/dependabot/github_actions/actions/cache-3.0.5
build(deps): bump actions/cache from 3.0.4 to 3.0.5
2022-07-14 11:42:51 -07:00
dependabot[bot] 5fd3d09e25 build(deps): bump actions/cache from 3.0.4 to 3.0.5
Bumps [actions/cache](https://github.com/actions/cache) from 3.0.4 to 3.0.5.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v3.0.4...v3.0.5)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-07-14 04:15:30 +00:00
Kir Kolyshkin a776ec9c90 Merge pull request #3525 from zhsj/seccomp-arm64
tests: enable seccomp default action tests on arm
2022-07-11 13:49:34 -07:00
Kir Kolyshkin 7928a0ddf7 Merge pull request #3526 from zhsj/replace-hello-image
tests: replace local hello world bundle with busybox bundle
2022-07-11 13:48:34 -07:00
Kir Kolyshkin 2c692a973b Merge pull request #3442 from AkihiroSuda/fedora-36
Vagrantfile.fedora: upgrade Fedora to 36
2022-07-07 10:50:38 -07:00
Shengjing Zhu 66bf3718b4 tests: replace local hello world bundle with busybox bundle
Currently only amd64 and arm64v8 tarball have been checked in testdata,
while busybox bundle is downloaded on fly, and supports multiple architectures.

To enable integration tests for more architectures, the hello world
bundle is replaced by busybox one.

Signed-off-by: Shengjing Zhu <zhsj@debian.org>
2022-07-05 02:19:57 +08:00
Shengjing Zhu e119db7a23 tests: enable seccomp default action tests on arm
Signed-off-by: Shengjing Zhu <zhsj@debian.org>
2022-07-04 16:06:03 +08:00
Kir Kolyshkin d2a5acd22a CHANGELOG.md: forward-port 1.1.x changes
This is a forward-port of commit 91fa032da4 ("ci: add basic checks for
CHANGELOG.md"), plus whatever changes were made in release-1.1 branch
(up to v1.1.3).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-07-01 15:57:34 -07:00
Mrunal Patel eca233d286 Merge pull request #3515 from kolyshkin/linter
Bump golangci-lint, fix an error path
2022-06-29 14:38:02 -07:00
Akihiro Suda 086ddb1542 Vagrantfile.fedora: upgrade Fedora to 36
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2022-06-29 14:33:13 +09:00
Aleksa Sarai 641d5c19ed merge branch 'pr-3501'
Guodong Zhu (1):
  libct/nsenter: switch to sane_kill()

LGTMs: kolyshkin cyphar
Closes #3501
2022-06-27 15:43:57 +10:00
guodong 35e6c3bf79 libct/nsenter: switch to sane_kill()
Signed-off-by: guodong <guodong9211@gmail.com>
2022-06-27 15:43:07 +10:00
Akihiro Suda 214c16fd9a Merge pull request #3510 from kolyshkin/fix-mntns-userns
libct: fix mounting via wrong proc fd
2022-06-23 18:43:25 -05:00
Akihiro Suda 8b9452f75c Merge pull request #3508 from cdoern/blkio
export blockIODevice
2022-06-17 23:25:45 +09:00
Kir Kolyshkin 7481c3c97b ci: bump golangci-lint to 1.46
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-06-16 16:33:55 -07:00
Kir Kolyshkin 6662570110 libct: fix staticcheck warning
A new version of staticcheck (included into golangci-lint 1.46.2) gives
this new warning:

> libcontainer/factory_linux.go:230:59: SA9008: e refers to the result of a failed type assertion and is a zero value, not the value that was being type-asserted (staticcheck)
> 				err = fmt.Errorf("panic from initialization: %v, %s", e, debug.Stack())
> 				                                                      ^
> libcontainer/factory_linux.go:226:7: SA9008(related information): this is the variable being read (staticcheck)
> 			if e, ok := e.(error); ok {
> 			   ^

Apparently, this is indeed a bug. Fix by using a different name for a
new variable, so we can access the old one under "else".

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-06-16 16:31:42 -07:00
Kir Kolyshkin d370e3c046 libct: fix mounting via wrong proc fd
Due to a bug in commit 9c444070ec, when the user and mount namespaces
are used, and the bind mount is followed by the cgroup mount in the
spec, the cgroup is mounted using the bind mount's mount fd.

This can be reproduced with podman 4.1 (when configured to use runc):

$ podman run --uidmap 0:100:10000 quay.io/libpod/testimage:20210610 mount
Error: /home/kir/git/runc/runc: runc create failed: unable to start container process: error during container init: error mounting "cgroup" to rootfs at "/sys/fs/cgroup": mount /proc/self/fd/11:/sys/fs/cgroup/systemd (via /proc/self/fd/12), flags: 0x20502f: operation not permitted: OCI permission denied

or manually with the spec mounts containing something like this:

    {
      "destination": "/etc/resolv.conf",
      "type": "bind",
      "source": "/userdata/resolv.conf",
      "options": [
        "bind"
      ]
    },
    {
      "destination": "/sys/fs/cgroup",
      "type": "cgroup",
      "source": "cgroup",
      "options": [
        "rprivate",
        "nosuid",
        "noexec",
        "nodev",
        "relatime",
        "ro"
      ]
    }

The issue was not found earlier since it requires using userns, and even then
mount fd is ignored by mountToRootfs, except for bind mounts, and all the bind
mounts have mountfd set, except for the case of cgroup v1's /sys/fs/cgroup
which is internally transformed into a bunch of bind mounts.

This is a minimal fix for the issue, suitable for backporting.

A test case is added which reproduces the issue without the fix applied.

Fixes: 9c444070ec ("Open bind mount sources from the host userns")
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-06-16 11:54:42 -07:00
Aleksa Sarai fa49e3ba2c merge branch 'pr-3506'
Davanum Srinivas (1):
  Switch to newer v0.10.0 release of libseccomp-golang

LGTMs: AkihiroSuda cyphar
Closes #3506
2022-06-14 13:20:45 +10:00
cdoern c0be1aa2d1 export blockIODevice
the struct blockIODevice is used in an exported struct but it is not itself exported rendering that type inaccessible to
outside projects

Signed-off-by: cdoern <cdoern@redhat.com>
2022-06-13 13:40:39 -04:00
Akihiro Suda d799f7a075 Merge pull request #3505 from opencontainers/dependabot/github_actions/actions/cache-3.0.4
build(deps): bump actions/cache from 3.0.2 to 3.0.4
2022-06-12 15:59:13 +09:00
Davanum Srinivas 56fcc9385c Switch to newer v0.10.0 release of libseccomp-golang
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2022-06-10 15:27:30 -04:00
Sebastiaan van Stijn 258eff101c Merge pull request #3498 from cyphar/systemd-devices-nonexistent-files
cgroups: systemd: skip adding device paths that don't exist
2022-06-08 19:03:26 +02:00
dependabot[bot] cc0feb4b6c build(deps): bump actions/cache from 3.0.2 to 3.0.4
Bumps [actions/cache](https://github.com/actions/cache) from 3.0.2 to 3.0.4.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v3.0.2...v3.0.4)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-08 04:12:16 +00:00
Sebastiaan van Stijn a7a45d7d27 Merge pull request #3503 from opencontainers/dependabot/go_modules/github.com/moby/sys/mountinfo-0.6.2
build(deps): bump github.com/moby/sys/mountinfo from 0.6.1 to 0.6.2
2022-06-07 09:24:41 +02:00
dependabot[bot] 5ed3fdff8f build(deps): bump github.com/moby/sys/mountinfo from 0.6.1 to 0.6.2
Bumps [github.com/moby/sys/mountinfo](https://github.com/moby/sys) from 0.6.1 to 0.6.2.
- [Release notes](https://github.com/moby/sys/releases)
- [Commits](https://github.com/moby/sys/compare/mountinfo/v0.6.1...mountinfo/v0.6.2)

---
updated-dependencies:
- dependency-name: github.com/moby/sys/mountinfo
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-07 04:14:12 +00:00
Akihiro Suda 2bc61bb01a Merge pull request #3486 from kolyshkin/gha-ci-shellcheck
ci: shellcheck job nits
2022-06-03 00:31:17 +09:00
Aleksa Sarai 343951a22b cgroups: systemd: skip adding device paths that don't exist
systemd emits very loud warnings when the path specified doesn't exist
(which can be the case for some of our default rules). We don't need the
ruleset we give systemd to be completely accurate (we discard some kinds
of wildcard rules anyway) so we can safely skip adding these.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2022-06-02 12:10:57 +10:00
Sebastiaan van Stijn a51ea7c477 Merge pull request #3489 from eriksjolund/relax_sanity_check_in_getenv_int
libcontainer: relax getenv_int sanity check
2022-06-01 21:49:40 +02:00
Kir Kolyshkin bd718784af Merge pull request #3495 from AkihiroSuda/update-cgroup2-distros
docs/cgroup-v2.md: update the distro list
2022-06-01 10:55:00 -07:00
Erik Sjölund 03a210d0f2 libcontainer: relax getenv_int sanity check
Remove upper bound in integer sanity check
to not restrict the number of socket-activated
sockets passed in.

Closes #3488

Signed-off-by: Erik Sjölund <erik.sjolund@gmail.com>
2022-06-01 13:54:02 +10:00
Akihiro Suda 72ad20994b docs/cgroup-v2.md: update the distro list
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2022-05-27 17:41:24 +09:00
Sebastiaan van Stijn 182d77c1a9 Merge pull request #3491 from kolyshkin/bump-ebpf-0.9.0
vendor: bump cilium/ebpf to v0.9.0
2022-05-27 10:24:26 +02:00
Kir Kolyshkin 1505379ca3 Merge pull request #3482 from kolyshkin/seccomp-sha
script/seccomp.sh: check tarball sha256
2022-05-26 18:26:07 -07:00
Mrunal Patel e1889c4bf2 Merge pull request #3484 from kolyshkin/bump-urfave-cli-nodocs
vendor: bump urfave/cli, add urfave_cli_no_docs tag
2022-05-26 17:59:41 -07:00
Kir Kolyshkin 65f41d57d9 vendor: bump urfave/cli, add urfave_cli_no_docs tag
This removes the runc dependency on cpuguy83/md2man and
russross/blackfriday, which saves more than 400 KB (more than 300 KB
once stripped) from the binary.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-26 13:51:48 -07:00
Kir Kolyshkin e0406b4ba6 vendor: bump cilium/ebpf to v0.9.0
Also, change the deprecated Sym to WithSymbol.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-26 13:35:32 -07:00
Kir Kolyshkin 6b96cbdd59 ci: improve shellcheck job
1. Use env directive instead of adding to $GITHUB_ENV.

2. Use bash herefile to feed sha256sum instead of pipe to grep.

3. Fix the hardcoded checksum (it was missing the first character).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-25 18:57:25 -07:00
Kir Kolyshkin e1d04cdfeb script/seccomp.sh: check tarball sha256
Add checking of downloaded tarball checksum.

In case it doesn't match the hardcoded value, the error is like this:

	libseccomp-2.5.4.tar.gz: FAILED
	sha256sum: WARNING: 1 computed checksum did NOT match

In case the checksum for a particular version is not specified in the
script, the error will look like this:

	./script/seccomp.sh: line 29: SECCOMP_SHA256[${ver}]: unbound variable

In case the the hardcoded value in the file is of wrong format/length,
we'll get:

	sha256sum: 'standard input': no properly formatted SHA256 checksum lines found

In any of these cases, the script aborts (due to set -e).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-25 18:29:07 -07:00
Akihiro Suda 016a0d29d1 Merge pull request #3452 from kolyshkin/separate-devices
Decouple setting cgroup device rules from cgroup manager
2022-05-25 18:11:36 +09:00
Aleksa Sarai 436b86f5d9 merge branch 'pr-3483'
Kir Kolyshkin:
  ci: drop docker layer caching from release job

LGTMs: thaJeztah cyphar
Closes #3483
2022-05-25 08:46:15 +10:00
Kir Kolyshkin fbafaf315e ci: drop docker layer caching from release job
This job is failing with "No space left on device" lately, and this
helps to fix it.

Besides, it seems that caching does not help to shorten execution times
(validate/release job succeeds in under 8 minutes now; ymmv).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-24 11:22:27 -07:00
Akihiro Suda 3f0daac908 Merge pull request #3480 from kolyshkin/bump-libseccomp
Dockerfile,scripts/release: bump libseccomp to v2.5.4
2022-05-24 13:13:19 +09:00
Kir Kolyshkin f7b07fd54c Dockerfile,scripts/release: bump libseccomp to v2.5.4
Release notes: https://github.com/seccomp/libseccomp/releases/tag/v2.5.4

This affects the released static binaries (as they are statically linked
against libseccomp).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-23 12:56:35 -07:00
Kir Kolyshkin 848aa38b8e Merge pull request #3474 from cyphar/seccomp-enosys-setup
seccomp: enosys: always return -ENOSYS for setup(2)
2022-05-23 10:43:54 -07:00
Aleksa Sarai 6a79271c31 seccomp: patchbpf: minor cleanups
Define sizeof(int) as a constant, and also return ENOSYS earlier in the
filter if it doesn't increase the number of instructions we generate
(this is a negligible performance improvement but it does make it easier
to understand the generated filter stub).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2022-05-23 16:36:07 +10:00