Commit Graph

2710 Commits

Author SHA1 Message Date
Kir Kolyshkin 42cea2ecb4 libct: don't allow to start second init process
By definition, every container has only 1 init (i.e. PID 1) process.

Apparently, libcontainer API supported running more than 1 init, and
at least one tests mistakenly used it.

Let's not allow that, erroring out if we already have init. Doing
otherwise _probably_ results in some confusion inside the library.

Fix two cases in libct/int which ran two inits inside a container.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-10 22:30:03 -07:00
Kir Kolyshkin e3e1072575 libct: fix locking in Start/Run/Exec
1. The code to call c.exec from c.Run was initially added by commit
   3aacff695. At the time, there was a lock in c.Run. That lock was
   removed by commit bd3c4f84, which resulted in part of c.Run executing
   without the lock.

2. All the Start/Run/Exec calls were a mere wrappers for start/run/exec
   adding a lock, but some more code crept into Start at some point,
   e.g. by commits 805b8c73 and 108ee85b8. Since the reason mentioned in
   commit 805b8c73 is no longer true after refactoring, we can fix this.

Fix both issues by moving code out of wrappers, and adding locking into
c.Run.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-10 22:30:03 -07:00
Kir Kolyshkin 304a4c0fee libct: createExecFifo: rm unneeded os.Stat
In case file already exists, mknod(2) will return EEXIST.

This os.Stat call was (inadvertently?) added by commit 805b8c73.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-10 22:30:03 -07:00
Kir Kolyshkin 1c505fffdc Revert "Set temporary single CPU affinity..."
There's too much logic here figuring out which CPUs to use. Runc is a
low level tool and is not supposed to be that "smart". What's worse,
this logic is executed on every exec, making it slower. Some of the
logic in (*setnsProcess).start is executed even if no annotation is set,
thus making ALL execs slow.

Also, this should be a property of a process, rather than annotation.

The plan is to rework this.

This reverts commit afc23e3397.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-10 06:31:03 +08:00
Kir Kolyshkin 771903608c libct/cg: write unified resources line by line
It has been pointed out that some controllers can not accept multiple
lines of output at once. In particular, io.max can only set one device
at a time.

Practically, the only multi-line resource values we can get come from
unified.* -- let's write those line by line.

Add a test case.

Reported-by: Tao Shen <shentaoskyking@gmail.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-09 14:01:45 -07:00
Akihiro Suda 30b7b63974 Merge pull request #4311 from lifubang/fix-debug-msg-in-nsexec
fix a debug msg for user ns in nsexec
2024-06-08 19:57:50 +09:00
Kir Kolyshkin 3019e842de libct/cg: use clear built-in
As we no longer support Go < 1.21.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-07 10:18:59 -07:00
Kir Kolyshkin b7fdd524cb libct: use slices package
As we're no longer supporting Go < 1.21.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-07 10:18:59 -07:00
Kir Kolyshkin a1e87f8d76 libct: rm eaccess
It is not needed since Go 1.20 (which was released in February 2023 and
is no longer supported since February 2024).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-07 10:18:59 -07:00
Kir Kolyshkin e660ef61a5 libct/nsenter: stop blacklisting go 1.22+
Go 1.23 includes a fix (https://go.dev/cl/587919) so go1.23.x can be
used. This fix is also backported to 1.22.4, so go1.22.x can also be
used (when x >= 4). Finally, for glibc >= 2.32 it doesn't really matter.

Add a note about Go 1.22.x > 1.22.4 to README as well.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-07 10:18:56 -07:00
lfbzhm 24c2d28d1f fix a debug msg for user ns in nsexec
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-06-06 14:30:29 +00:00
Kir Kolyshkin 4209439b5f libct/cg/fs/v2: ignore setting swap in some cases
When swap is being disabled (as set to 0), or set to max, ignore
non-existent memory.swap.max cgroup file.

If swap is being set explicitly to some value, do return an error like
before.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-06 18:52:34 +08:00
Kir Kolyshkin 584afc6756 libct/system: ClearRlimitNofileCache for go 1.23
Go 1.23 tightens access to internal symbols, and even puts runc into
"hall of shame" for using an internal symbol (recently added by commit
da68c8e3). So, while not impossible, it becomes harder to access those
internal symbols, and it is a bad idea in general.

Since Go 1.23 includes https://go.dev/cl/588076, we can clean the
internal rlimit cache by setting the RLIMIT_NOFILE for ourselves,
essentially disabling the rlimit cache.

Once Go 1.22 is no longer supported, we will remove the go:linkname hack.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-01 13:02:29 -07:00
Kir Kolyshkin d697725a4d libct/cg/dev: fix TestSetV1Allow panic
This test panics if userns is detected (such as when run in a rootless
docker container) because SetV1 does nothing in this case.

We could fix the panic, but it doesn't make sense to run the test at
all.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-05-30 11:18:01 -07:00
Akihiro Suda 68564eecde Merge pull request #4258 from kolyshkin/fix-4094
libct/cg/fs: fix setting rt_period vs rt_runtime
2024-05-21 11:21:53 +09:00
Akihiro Suda 492dc558cd Merge pull request #4276 from kolyshkin/arm-cpt-test-fixes
fix checkpoint/restore tests on actuated-arm64
2024-05-20 10:09:11 +09:00
lifubang a35f7d8093 fix comments for ClearRlimitNofileCache
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-05-16 20:34:43 +08:00
Kir Kolyshkin f805206611 libct/cg/fs: fix setting rt_period vs rt_runtime
The issue is the same as in commit 1b2adcf but for RT scheduler;
the fix is also the same.

Test case by ls-ggg.

Co-authored-by: ls-ggg <335814617@qq.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-05-13 17:47:39 -07:00
Kir Kolyshkin 36be6d0510 libct/int: checkpoint test: skip pre-dump if not avail
Since we're now testing on ARM, the test case fails when trying to do
pre-dump since MemTrack is not available.

Skip the pre-dump part if so.

This also reverts part of commit 3f4a73d6 as it is no longer needed
(now, instead of skipping the whole test, we're just skipping the
pre-dump).

[Review with --ignore-all-space]

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-05-10 11:04:58 -07:00
Kir Kolyshkin e42d981d67 libct/int: rm double logging in checkpoint_test
Since commit c77aaa3f the tail of criu log is printed by runc, so
there's no need to do the same thing in tests.

This also fixes a test failure on ARM where showLog fails (because
there's no log file) and thus the conditional t.Skip is not called.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-05-09 15:18:29 -07:00
Kir Kolyshkin 62a314656a libct/int/cpt: simplify test pre-check
criu check --feature userns also tests for the /proc/self/ns/user
presense, so remove the redundant check, and simplify the error message.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-05-09 15:18:29 -07:00
Kir Kolyshkin e676dac523 libct/criu: simplify checkCriuFeatures
Since criu 2.12, rpcOpts is not needed when checking criu features.
As we requires criu >= 3.0 in Checkpoint, we can remove rpcOpts.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-05-09 15:18:29 -07:00
Kir Kolyshkin f6a8c9b816 libct: checkCriuFeatures: return underlying error
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-05-09 15:18:29 -07:00
lifubang 4ea0bf88fd update/add some tests for rlimit
issues:
https://github.com/opencontainers/runc/issues/4195
https://github.com/opencontainers/runc/pull/4265#discussion_r1588599809

Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-05-08 10:57:10 +00:00
ls-ggg da68c8e37b libct: clean cached rlimit nofile in go runtime
As reported in issue #4195, the new version(since 1.19) of go runtime
will cache rlimit-nofile. Before executing execve, the rlimit-nofile
of the process will be restored with the cache. In runc, this will
cause the rlimit-nofile set by the parent process for the container
to become invalid. It can be solved by clearing the cache.

Signed-off-by: ls-ggg <335814617@qq.com>
(cherry picked from commit f9f8abf310)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-05-08 10:40:13 +00:00
lifubang a853a82677 runc exec: setupRlimits after syscall.rlimit.init() completed
Issue: https://github.com/opencontainers/runc/issues/4195
Since https://go-review.googlesource.com/c/go/+/476097, there is
a get/set race between runc exec and syscall.rlimit.init, so we
need to call setupRlimits after syscall.rlimit.init() completed.

Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-05-08 10:40:07 +00:00
Kir Kolyshkin bac506463d libct: fix a comment
Do not refer to the function which was removed.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-05-07 14:10:16 -07:00
Kir Kolyshkin dbd0c3349f libct/system: rm Execv
This is not used since commit dac41717.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-05-07 14:09:22 -07:00
Akihiro Suda 03db4d633d Merge pull request #4259 from kolyshkin/fix-cpu-burst
libct/cg/fs: don't write cpu_burst twice on ENOENT
2024-04-27 12:22:24 +09:00
lfbzhm c9f624eafe Merge pull request #4255 from kolyshkin/golangci-lint-action
ci/gha: bump golangci-lint[-action]
2024-04-26 22:04:57 +08:00
Kir Kolyshkin b032fead22 libct/cg/fs: don't write cpu_burst twice on ENOENT
If CPU burst knob is non-existent, the current implementation (added in
commit e1584831) still tries to set it again after setting the new CPU
quota, which is useless (and we have to ignore ENOENT again).

Fix this.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-04-25 18:27:28 -07:00
Kir Kolyshkin 0eb8bb5f66 Format sources with gofumpt v0.6
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-04-25 08:39:26 -07:00
Kir Kolyshkin 4f3319b56d libct: decouple libct/cg/devices
Commit b6967fa84c moved the functionality of managing cgroup devices
into a separate package, and decoupled libcontainer/cgroups from it.

Yet, some software (e.g. cadvisor) may need to use libcontainer package,
which imports libcontainer/cgroups/devices, thus making it impossible to
use libcontainer without bringing in cgroup/devices dependency.

In fact, we only need to manage devices in runc binary, so move the
import to main.go.

The need to import libct/cg/dev in order to manage devices is already
documented in libcontainer/cgroups, but let's
 - update that documentation;
 - add a similar note to libcontainer/cgroups/systemd;
 - add a note to libct README.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-04-17 15:05:38 -07:00
Cédric Clerget afc23e3397 Set temporary single CPU affinity before cgroup cpuset transition.
This handles a corner case when joining a container having all
the processes running exclusively on isolated CPU cores to force
the kernel to schedule runc process on the first CPU core within the
cgroups cpuset.

The introduction of the kernel commit
46a87b3851f0d6eb05e6d83d5c5a30df0eca8f76 has affected this deterministic
scheduling behavior by distributing tasks across CPU cores within the
cgroups cpuset. Some intensive real-time application are relying on this
deterministic behavior and use the first CPU core to run a slow thread
while other CPU cores are fully used by real-time threads with SCHED_FIFO
policy. Such applications prevents runc process from joining a container
when the runc process is randomly scheduled on a CPU core owned by a
real-time thread.

Introduces isolated CPU affinity transition OCI runtime annotation
org.opencontainers.runc.exec.isolated-cpu-affinity-transition to restore
the behavior during runc exec.

Fix issue with kernel >= 6.2 not resetting CPU affinity for container processes.

Signed-off-by: Cédric Clerget <cedric.clerget@gmail.com>
2024-04-16 08:59:49 +02:00
Sohan Kunkerkar cde1d0908a libcontainer: force apps to think fips is enabled/disabled for testing
The motivation behind this change is to provide a flexible mechanism for
containers within a Kubernetes cluster to opt out of FIPS mode when necessary.
This change enables apps to simulate FIPS mode being enabled or disabled for testing
purposes. Users can control whether apps believe FIPS mode is on or off by manipulating
`/proc/sys/crypto/fips_enabled`.

Signed-off-by: Sohan Kunkerkar <sohank2602@gmail.com>
2024-04-10 18:58:34 -04:00
Aleksa Sarai e377e16846 [hotfix] nsenter: refuse to build with Go 1.22 on glibc
We will almost certainly need to eventually rework nsenter to:

 1. Figure out a way to make pthread_self() not break after nsenter runs
    (probably not possible, because the core issue is likely that we are
    ignoring the rules of signal-safety(7)); or
 2. Do an other re-exec of /proc/self/exe to execute the Go half of
    "runc init" -- after we've done the nsenter setup. This would reset
    all of the process state and ensure we have a clean glibc state for
    Go, but it would make runc slower...

For now, just block Go 1.22 builds to avoid having broken runcs floating
around until we resolve the issue. It seems possible for musl to also
have an issue, but it appears to work and so for now just block glibc
builds.

Note that this will only block builds for anything that uses nsenter --
so users of our (internal) libcontainer libraries should be fine. Only
users that are starting containers using nsenter to actually start
containers will see the error (which is precisely what we want).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-04-02 01:59:46 +11:00
utam0k bfbd0305ba Add I/O priority
Signed-off-by: utam0k <k0ma@utam0k.jp>
2024-03-30 22:31:54 +09:00
Aleksa Sarai ccc500c427 seccomp: patchbpf: always include native architecture in stub
It turns out that on ppc64le (at least), Docker doesn't include any
architectures in the list of allowed architectures. libseccomp
interprets this as "just include the default architecture" but patchbpf
would return a no-op ENOSYS stub, which would lead to the exact issues
that commit 7a8d7162f9 ("seccomp: prepend -ENOSYS stub to all
filters") fixed for other architectures.

So, just always include the running architecture in the list. There's
no real downside.

Ref: https://bugzilla.suse.com/show_bug.cgi?id=1192051#c6
Reported-by: Fabian Vogt <fvogt@suse.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-03-29 12:01:47 +11:00
Aleksa Sarai b288abeaa5 seccomp: patchbpf: rename nativeArch -> linuxAuditArch
Calling the Linux AUDIT_* architecture constants "native" leads to
confusing code when we are getting the actual native architecture of the
running system.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-03-29 12:01:47 +11:00
Aleksa Sarai 37581ad340 dmz: remove SELinux special-casing
Now that runc-dmz is opt-in, we no longer need to try to detect whether
SELinux would cause issues for us. We can also remove the
special-purpose build-tag we added.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-03-13 18:18:09 +11:00
Aleksa Sarai 1950892f69 merge #4174 into opencontainers/runc:main
Rodrigo Campos (3):
  Makefile: Fix runc-dmz removal
  contrib/cmd/memfd-bind: Mention runc-dmz needs RUNC_DMZ=true
  libct/dmz: Require RUNC_DMZ=true to opt-in

LGTMs: AkihiroSuda cyphar
2024-03-13 16:22:16 +11:00
dependabot[bot] 606251ab33 build(deps): bump github.com/opencontainers/runtime-spec
Bumps [github.com/opencontainers/runtime-spec](https://github.com/opencontainers/runtime-spec) from 1.1.1-0.20230823135140-4fec88fd00a4 to 1.2.0.
- [Release notes](https://github.com/opencontainers/runtime-spec/releases)
- [Changelog](https://github.com/opencontainers/runtime-spec/blob/main/ChangeLog)
- [Commits](https://github.com/opencontainers/runtime-spec/commits/v1.2.0)

---
updated-dependencies:
- dependency-name: github.com/opencontainers/runtime-spec
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-03-07 14:43:33 +09:00
Rodrigo Campos 1dae66f748 libct/dmz: Require RUNC_DMZ=true to opt-in
If it is compiled, the user needs to opt-in with this env variable to
use it.

While we are there, remove the RUNC_DMZ=legacy as that is now the
default.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2024-02-28 12:15:57 -03:00
Kir Kolyshkin 3a9859bdc0 libct/nsenter: rm unused include
This was added by commit 9c444070 (to use LONG_MAX and INT_MAX) but the
code was later removed by commit ba0b5e26.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-02-12 13:19:12 -08:00
Kir Kolyshkin ea140db712 libct/nsenter: rm unused code
Commits b999376f and b999376f removed all users of this code.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-02-12 13:17:05 -08:00
lifubang d075058717 close the sync pipe explicitly in exec
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-02-08 01:45:06 +00:00
Aleksa Sarai 02120488a4 Merge pull request from GHSA-xr7r-f8xq-vfvv
fix GHSA-xr7r-f8xq-vfvv and harden fd leaks
2024-02-01 07:04:29 +11:00
Kir Kolyshkin 8454bbb613 Merge pull request #4175 from cyphar/fd-file-switch
init: use *os.File for passed file descriptors
2024-01-31 10:40:28 -08:00
lifubang 35aa63ea87 never send procError after the socket closed
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-01-25 04:52:11 +00:00
Aleksa Sarai d8edada9f2 init: don't special-case logrus fds
We close the logfd before execve so there's no need to special case it.
In addition, it turns out that (*os.File).Fd() doesn't handle the case
where the file was closed and so it seems suspect to use that kind of
check.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-01-24 00:20:59 +11:00