Commit Graph

6849 Commits

Author SHA1 Message Date
Kir Kolyshkin b032fead22 libct/cg/fs: don't write cpu_burst twice on ENOENT
If CPU burst knob is non-existent, the current implementation (added in
commit e1584831) still tries to set it again after setting the new CPU
quota, which is useless (and we have to ignore ENOENT again).

Fix this.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-04-25 18:27:28 -07:00
lfbzhm 426c04b6db Merge pull request #4248 from kolyshkin/mv-dev
libct: decouple libct/cg/devices
2024-04-26 09:18:52 +08:00
lfbzhm 57d01a791d Merge pull request #4256 from kolyshkin/f39
Vagrantfile.fedora: bump Fedora to 39
2024-04-26 08:44:36 +08:00
Kir Kolyshkin 8732eada62 Vagrantfile.fedora: bump Fedora to 39
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-04-25 10:49:02 -07:00
lfbzhm e74ff0f4c1 Merge pull request #4252 from kolyshkin/test-actuated-cr
ci/actuated: re-enable CRIU tests
2024-04-25 11:39:00 +08:00
Kir Kolyshkin baba55e278 ci/actuated: re-enable CRIU tests
They were failing earlier but are working now.

This includes a fix to criu repo path assignment so it works for actuated case.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-04-24 19:40:45 -07:00
Kir Kolyshkin f6b7167bc5 tests/int/checkpoint: add requires criu_feature_xxx
1. A few tests use "criu check --feature" to check for a specific
   feature. Let's generalize it.

2. Fix "checkpoint --pre-dump and restore" test to require memory
   tracking (which is missing on ARM).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-04-24 19:40:45 -07:00
lfbzhm 52bd9fde20 Merge pull request #4142 from AkihiroSuda/actuated
CI: add actuated-arm64
2024-04-24 18:44:37 +08:00
Akihiro Suda 00238f5d2b CI: add actuated-arm64
See <https://actuated.dev/blog/arm-ci-cncf-ampere>.
Thanks to Alex Ellis, Ampere Computing, and Equinix.

Host information:
* CPU: aarch64 (ARMv8)
* Kernel: 5.10.201
  * Lacks ~CONFIG_CHECKPOINT_RESTORE~, CONFIG_BLK_CGROUP_IOCOST, etc.
* Cgroup: v2
* OS: Ubuntu 22.04
  * Lacks newuidmap, newgidmap, etc. (still apt-gettable)
  * sshd is not running

vmmeter is added from:
https://gist.github.com/alexellis/1f33e581c75e11e161fe613c46180771#file-metering-gha-md

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-04-24 17:22:33 +09:00
Akihiro Suda 758b2e2bda helpers.bats: cgroups_cpu_burst: check kernel version
On cgroup v2, cpu burst needs kernel >= 5.14
https://github.com/torvalds/linux/commit/f4183717b370ad28dd0c0d74760142b20e6e7931

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-04-23 09:11:30 +09:00
Akihiro Suda d618c6fe84 cgroups.bats: check cgroups_io_weight
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-04-23 09:11:27 +09:00
Akihiro Suda 053f6a0dca seccomp_syscall_test1: use ftruncate instead of kcmp
kcmp is often missing: https://man7.org/linux/man-pages/man2/kcmp.2.html

> Before Linux 5.12, this system call is available only if the
> kernel is configured with CONFIG_CHECKPOINT_RESTORE, since the
> original purpose of the system call was for the
> checkpoint/restore in user space (CRIU) feature.  (The
> alternative to this system call would have been to expose
> suitable process information via the proc(5) filesystem; this was
> deemed to be unsuitable for security reasons.)  Since Linux 5.12,
> this system call is also available if the kernel is configured
> with CONFIG_KCMP.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-04-23 09:10:13 +09:00
Akihiro Suda 30dc98f577 CI: run apt with -y
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-04-23 09:10:09 +09:00
Kir Kolyshkin 4f3319b56d libct: decouple libct/cg/devices
Commit b6967fa84c moved the functionality of managing cgroup devices
into a separate package, and decoupled libcontainer/cgroups from it.

Yet, some software (e.g. cadvisor) may need to use libcontainer package,
which imports libcontainer/cgroups/devices, thus making it impossible to
use libcontainer without bringing in cgroup/devices dependency.

In fact, we only need to manage devices in runc binary, so move the
import to main.go.

The need to import libct/cg/dev in order to manage devices is already
documented in libcontainer/cgroups, but let's
 - update that documentation;
 - add a similar note to libcontainer/cgroups/systemd;
 - add a note to libct README.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-04-17 15:05:38 -07:00
Kir Kolyshkin 6a2813f16a Merge pull request #3923 from cclerget/issue-3922
Set temporary single CPU affinity before cgroup cpuset transition.
2024-04-16 11:31:12 -07:00
Cédric Clerget afc23e3397 Set temporary single CPU affinity before cgroup cpuset transition.
This handles a corner case when joining a container having all
the processes running exclusively on isolated CPU cores to force
the kernel to schedule runc process on the first CPU core within the
cgroups cpuset.

The introduction of the kernel commit
46a87b3851f0d6eb05e6d83d5c5a30df0eca8f76 has affected this deterministic
scheduling behavior by distributing tasks across CPU cores within the
cgroups cpuset. Some intensive real-time application are relying on this
deterministic behavior and use the first CPU core to run a slow thread
while other CPU cores are fully used by real-time threads with SCHED_FIFO
policy. Such applications prevents runc process from joining a container
when the runc process is randomly scheduled on a CPU core owned by a
real-time thread.

Introduces isolated CPU affinity transition OCI runtime annotation
org.opencontainers.runc.exec.isolated-cpu-affinity-transition to restore
the behavior during runc exec.

Fix issue with kernel >= 6.2 not resetting CPU affinity for container processes.

Signed-off-by: Cédric Clerget <cedric.clerget@gmail.com>
2024-04-16 08:59:49 +02:00
lfbzhm d0f803e584 Merge pull request #4246 from sohankunkerkar/runc-fips
libcontainer: force apps to think fips is enabled/disabled for testing
2024-04-12 11:15:29 +08:00
Sohan Kunkerkar cde1d0908a libcontainer: force apps to think fips is enabled/disabled for testing
The motivation behind this change is to provide a flexible mechanism for
containers within a Kubernetes cluster to opt out of FIPS mode when necessary.
This change enables apps to simulate FIPS mode being enabled or disabled for testing
purposes. Users can control whether apps believe FIPS mode is on or off by manipulating
`/proc/sys/crypto/fips_enabled`.

Signed-off-by: Sohan Kunkerkar <sohank2602@gmail.com>
2024-04-10 18:58:34 -04:00
Akihiro Suda f2bd18480d Merge pull request #4211 from lifubang/fix-update-cpu-burst
set the default value of CpuBurst to nil instead of 0
2024-04-10 11:03:40 +09:00
Kir Kolyshkin c42ba59d20 Merge pull request #4245 from kinvolk/rata/fix-tests-debian-testing-minimal-fix
Fix tests in debian testing (mount_sshfs.bats) - minimal fix
2024-04-09 17:04:18 -07:00
Rodrigo Campos 6b1f73088b tests/integration: Fix remount on debian testing
When we run this:

	mount --bind -o remount,diratime,strictatime "$DIR"

It fails in debian testing, when it is the second time we call this
function in the same bats test (i.e. when $DIR is defined already).

strace shows this syscall failing:

	mount_setattr(3, "", AT_EMPTY_PATH, {attr_set=MOUNT_ATTR_NOSUID|MOUNT_ATTR_NODEV|MOUNT_ATTR_NOEXEC|MOUNT_ATTR_NOATIME|MOUNT_ATTR_STRICTATIME, attr_clr=MOUNT_ATTR_RDONLY|MOUNT_ATTR_NOATIME|MOUNT_ATTR_STRICTATIME|MOUNT_ATTR_NODIRATIME|0x40, propagation=0 /* MS_??? */, userns_fd=0}, 32) = -1 EINVAL (Invalid argument)

Note it has `MOUNT_ATTR_NOATIME` and `MOUNT_ATTR_STRICTATIME` which
probably causes it to return EINVAL.

This patch simply adds atime to the options, so the mount command now
works and fixes most of the tests in debian testing.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2024-04-09 13:16:55 +01:00
Rodrigo Campos 5052c07510 tests/integration/mounts_sshfs.bats: Fix test on debian testing
relatime is not shown on some debian systems. Let's check that no other
setting that removes the relatime effect is set, as that should be
enough too.

For more info, see the issue linked in the comments.

Signed-off-by: Rodrigo Campos <rodrigo@sdfg.com.ar>
2024-04-09 11:48:53 +01:00
Aleksa Sarai 5e0ec3fbbf merge #4238 opencontainers/runc:main
Kir Kolyshkin (1):
  ci/test: exclude some runc_nodmz jobs

LGTMs: AkihiroSuda cyphar
2024-04-04 22:43:34 +11:00
Akihiro Suda e4bf49ff2c runc update: distinguish nil from zero
Prior to this commit, commands like `runc update --cpuset-cpus=1`
were implying to set cpu burst to "0" (which does not mean "leave it as is").

This was failing when the kernel does not support cpu burst:
`openat2 /sys/fs/cgroup/runc-cgroups-integration-test/test-cgroup-22167/cpu.max.burst: no such file or directory`

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-04-04 00:56:19 +08:00
lifubang afcb9c2ebf add a test case for runc update cpu burst
In issue #4210, if we don't provide `--cpu-burst` in `runc update`,
the value of cpu burst will always set to 0.

Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-04-04 00:56:19 +08:00
Aleksa Sarai 0680e2b6c4 merge #4221 into opencontainers/runc:main
Aleksa Sarai (5):
  VERSION: back to development
  VERSION: release v1.2.0-rc.1
  changelog: update to include all new changes since 1.1.0
  changelog: sync changelog entries up to runc 1.1.12
  changelog: mention key breaking changes for mount options

LGTMs: lifubang AkihiroSuda kolyshkin cyphar
2024-04-03 22:01:35 +11:00
Aleksa Sarai 5194bd8df3 VERSION: back to development
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-04-03 21:43:25 +11:00
Aleksa Sarai 275e6d85f7 VERSION: release v1.2.0-rc.1
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
v1.2.0-rc.1
2024-04-03 21:43:24 +11:00
Aleksa Sarai fc3e04dc35 changelog: update to include all new changes since 1.1.0
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
[ cyphar: restructuring and removal of outdated or incorrect info ]
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-04-02 15:46:49 +11:00
Aleksa Sarai b47fb3fda4 changelog: sync changelog entries up to runc 1.1.12
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-04-02 15:46:24 +11:00
Aleksa Sarai d4b670fca6 changelog: mention key breaking changes for mount options
Just to make sure we don't forget to fully explain these when we do
-rc1.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-04-02 15:46:23 +11:00
Kir Kolyshkin 851e3882b7 ci/test: exclude some runc_nodmz jobs
1. Sort the list of matrix excludes in the order of matrix,
   add comments explaining why we disable some jobs.

2. Exclude some jobs:
 - runc_nodmz && go 1.20.x
 - runc_nodmz && -race

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-04-01 17:06:40 -07:00
Kir Kolyshkin 4641f17e86 Merge pull request #4234 from cyphar/go122
[hotfix] nsenter: refuse to build with Go 1.22
2024-04-01 17:05:51 -07:00
Aleksa Sarai e377e16846 [hotfix] nsenter: refuse to build with Go 1.22 on glibc
We will almost certainly need to eventually rework nsenter to:

 1. Figure out a way to make pthread_self() not break after nsenter runs
    (probably not possible, because the core issue is likely that we are
    ignoring the rules of signal-safety(7)); or
 2. Do an other re-exec of /proc/self/exe to execute the Go half of
    "runc init" -- after we've done the nsenter setup. This would reset
    all of the process state and ensure we have a clean glibc state for
    Go, but it would make runc slower...

For now, just block Go 1.22 builds to avoid having broken runcs floating
around until we resolve the issue. It seems possible for musl to also
have an issue, but it appears to work and so for now just block glibc
builds.

Note that this will only block builds for anything that uses nsenter --
so users of our (internal) libcontainer libraries should be fine. Only
users that are starting containers using nsenter to actually start
containers will see the error (which is precisely what we want).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-04-02 01:59:46 +11:00
Kir Kolyshkin ac31da6b80 ci/cross-i386: pin Go to 1.21.x
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-04-02 01:55:50 +11:00
lfbzhm ea38465a37 Merge pull request #3783 from utam0k/io-prio
Add I/O priority
2024-03-31 09:56:25 +08:00
utam0k bfbd0305ba Add I/O priority
Signed-off-by: utam0k <k0ma@utam0k.jp>
2024-03-30 22:31:54 +09:00
Aleksa Sarai a1acca9acb merge #4219 into opencontainers/runc:main
Aleksa Sarai (2):
  seccomp: patchbpf: always include native architecture in stub
  seccomp: patchbpf: rename nativeArch -> linuxAuditArch

LGTMs: AkihiroSuda kolyshkin
2024-03-29 12:44:51 +11:00
Aleksa Sarai ccc500c427 seccomp: patchbpf: always include native architecture in stub
It turns out that on ppc64le (at least), Docker doesn't include any
architectures in the list of allowed architectures. libseccomp
interprets this as "just include the default architecture" but patchbpf
would return a no-op ENOSYS stub, which would lead to the exact issues
that commit 7a8d7162f9 ("seccomp: prepend -ENOSYS stub to all
filters") fixed for other architectures.

So, just always include the running architecture in the list. There's
no real downside.

Ref: https://bugzilla.suse.com/show_bug.cgi?id=1192051#c6
Reported-by: Fabian Vogt <fvogt@suse.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-03-29 12:01:47 +11:00
Aleksa Sarai b288abeaa5 seccomp: patchbpf: rename nativeArch -> linuxAuditArch
Calling the Linux AUDIT_* architecture constants "native" leads to
confusing code when we are getting the actual native architecture of the
running system.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-03-29 12:01:47 +11:00
Akihiro Suda 8e69225e2e Merge pull request #4220 from cyphar/runc-dmz-no-selinux-magic
dmz: remove SELinux special-casing
2024-03-27 14:16:52 +09:00
lfbzhm 3db0871f1c Merge pull request #4217 from AkihiroSuda/features-unsafe
features: implement returning potentiallyUnsafeConfigAnnotations list
2024-03-25 19:00:01 +08:00
lfbzhm 18c313be72 Merge pull request #4223 from cyphar/seccomp-2.5.5
build: update libseccomp to v2.5.5
2024-03-16 08:02:10 +08:00
lfbzhm d6df41c767 Merge pull request #4224 from SuperQ/update_urfave_cli
Remove dependabot ignore
2024-03-16 07:59:02 +08:00
SuperQ ab6788d307 Remove dependabot ignore
The referenced issue was fixed in `github.com/urfave/cli` v1.22.6. We
can now remove the dependabot ignore for this package.

Signed-off-by: SuperQ <superq@gmail.com>
2024-03-15 08:38:53 +01:00
Aleksa Sarai cdccf6d615 build: update libseccomp to v2.5.5
This adds support for syscalls up to Linux 6.7-rc3.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-03-15 17:57:54 +11:00
Aleksa Sarai 44114d32df merge #4179 into opencontainers/runc:main
Kir Kolyshkin (1):
  tests/int: fix flaky kill tests

LGTMs: AkihiroSuda cyphar
2024-03-15 17:57:12 +11:00
Aleksa Sarai e0cfcb3f85 merge #4222 into opencontainers/runc:main
lifubang (1):
  fix runc-dmz bin path error in Makefile

LGTMs: AkihiroSuda cyphar
2024-03-15 17:34:36 +11:00
lifubang da79b616a3 fix runc-dmz bin path error in Makefile
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-03-14 18:16:09 +08:00
Aleksa Sarai 37581ad340 dmz: remove SELinux special-casing
Now that runc-dmz is opt-in, we no longer need to try to detect whether
SELinux would cause issues for us. We can also remove the
special-purpose build-tag we added.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-03-13 18:18:09 +11:00