Commit Graph

651 Commits

Author SHA1 Message Date
Kir Kolyshkin 8626c7173e tests/int: fixup find statements
1. Add "-maxdepth 2" to not dive too deep into cgroup hierarchy.

2. Add "-type f" to look for a regular file.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-06 18:52:34 +08:00
Kir Kolyshkin e530b2a668 tests/int/update: fix v2 swap check
If swap is disabled, we should not run swap tests.

Fixes 4166.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-06 18:52:34 +08:00
Kir Kolyshkin 5c5ebe772b tests/int/scheduler: require smp
This test case fails when there's a single CPU. Fix this by adding
"require smp".

While at it, document the test case and add a FIXME to maybe remove
this test later.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-02 11:02:40 -07:00
Kir Kolyshkin f805206611 libct/cg/fs: fix setting rt_period vs rt_runtime
The issue is the same as in commit 1b2adcf but for RT scheduler;
the fix is also the same.

Test case by ls-ggg.

Co-authored-by: ls-ggg <335814617@qq.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-05-13 17:47:39 -07:00
lifubang 4ea0bf88fd update/add some tests for rlimit
issues:
https://github.com/opencontainers/runc/issues/4195
https://github.com/opencontainers/runc/pull/4265#discussion_r1588599809

Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-05-08 10:57:10 +00:00
lfbzhm 83ea9e5f62 Merge pull request #4251 from kolyshkin/test-cr
tests/int/checkpoint: rm double logging
2024-05-07 23:07:34 +08:00
lifubang 75e02193c2 use go mod instead of go get in spec.bats
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-04-30 05:20:54 +00:00
Kir Kolyshkin 6bf1d3adbe tests/int/tty: increase the timeout
Earlier, commit fce8dd4d already increased this timeout from 1 to 5 seconds.
Yet, I just saw this timeout being hit in actuated-arm CI.

Increase the timeout again, this time from 5 to 50 (100 * 0.5) seconds.

Also, use wait_pids_gone, and improve some comments.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-04-25 18:17:37 -07:00
Kir Kolyshkin f6b7167bc5 tests/int/checkpoint: add requires criu_feature_xxx
1. A few tests use "criu check --feature" to check for a specific
   feature. Let's generalize it.

2. Fix "checkpoint --pre-dump and restore" test to require memory
   tracking (which is missing on ARM).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-04-24 19:40:45 -07:00
Kir Kolyshkin e5c82f00e1 tests/int/checkpoint: rm double logging
Since commit c77aaa3f the tail of criu.log is printed by runc, so
there's no need to do the same thing in tests.

Related to 3711, 3816.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-04-24 17:23:43 -07:00
Akihiro Suda 758b2e2bda helpers.bats: cgroups_cpu_burst: check kernel version
On cgroup v2, cpu burst needs kernel >= 5.14
https://github.com/torvalds/linux/commit/f4183717b370ad28dd0c0d74760142b20e6e7931

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-04-23 09:11:30 +09:00
Akihiro Suda d618c6fe84 cgroups.bats: check cgroups_io_weight
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-04-23 09:11:27 +09:00
Akihiro Suda 053f6a0dca seccomp_syscall_test1: use ftruncate instead of kcmp
kcmp is often missing: https://man7.org/linux/man-pages/man2/kcmp.2.html

> Before Linux 5.12, this system call is available only if the
> kernel is configured with CONFIG_CHECKPOINT_RESTORE, since the
> original purpose of the system call was for the
> checkpoint/restore in user space (CRIU) feature.  (The
> alternative to this system call would have been to expose
> suitable process information via the proc(5) filesystem; this was
> deemed to be unsuitable for security reasons.)  Since Linux 5.12,
> this system call is also available if the kernel is configured
> with CONFIG_KCMP.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-04-23 09:10:13 +09:00
Cédric Clerget afc23e3397 Set temporary single CPU affinity before cgroup cpuset transition.
This handles a corner case when joining a container having all
the processes running exclusively on isolated CPU cores to force
the kernel to schedule runc process on the first CPU core within the
cgroups cpuset.

The introduction of the kernel commit
46a87b3851f0d6eb05e6d83d5c5a30df0eca8f76 has affected this deterministic
scheduling behavior by distributing tasks across CPU cores within the
cgroups cpuset. Some intensive real-time application are relying on this
deterministic behavior and use the first CPU core to run a slow thread
while other CPU cores are fully used by real-time threads with SCHED_FIFO
policy. Such applications prevents runc process from joining a container
when the runc process is randomly scheduled on a CPU core owned by a
real-time thread.

Introduces isolated CPU affinity transition OCI runtime annotation
org.opencontainers.runc.exec.isolated-cpu-affinity-transition to restore
the behavior during runc exec.

Fix issue with kernel >= 6.2 not resetting CPU affinity for container processes.

Signed-off-by: Cédric Clerget <cedric.clerget@gmail.com>
2024-04-16 08:59:49 +02:00
Akihiro Suda f2bd18480d Merge pull request #4211 from lifubang/fix-update-cpu-burst
set the default value of CpuBurst to nil instead of 0
2024-04-10 11:03:40 +09:00
Rodrigo Campos 6b1f73088b tests/integration: Fix remount on debian testing
When we run this:

	mount --bind -o remount,diratime,strictatime "$DIR"

It fails in debian testing, when it is the second time we call this
function in the same bats test (i.e. when $DIR is defined already).

strace shows this syscall failing:

	mount_setattr(3, "", AT_EMPTY_PATH, {attr_set=MOUNT_ATTR_NOSUID|MOUNT_ATTR_NODEV|MOUNT_ATTR_NOEXEC|MOUNT_ATTR_NOATIME|MOUNT_ATTR_STRICTATIME, attr_clr=MOUNT_ATTR_RDONLY|MOUNT_ATTR_NOATIME|MOUNT_ATTR_STRICTATIME|MOUNT_ATTR_NODIRATIME|0x40, propagation=0 /* MS_??? */, userns_fd=0}, 32) = -1 EINVAL (Invalid argument)

Note it has `MOUNT_ATTR_NOATIME` and `MOUNT_ATTR_STRICTATIME` which
probably causes it to return EINVAL.

This patch simply adds atime to the options, so the mount command now
works and fixes most of the tests in debian testing.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2024-04-09 13:16:55 +01:00
Rodrigo Campos 5052c07510 tests/integration/mounts_sshfs.bats: Fix test on debian testing
relatime is not shown on some debian systems. Let's check that no other
setting that removes the relatime effect is set, as that should be
enough too.

For more info, see the issue linked in the comments.

Signed-off-by: Rodrigo Campos <rodrigo@sdfg.com.ar>
2024-04-09 11:48:53 +01:00
lifubang afcb9c2ebf add a test case for runc update cpu burst
In issue #4210, if we don't provide `--cpu-burst` in `runc update`,
the value of cpu burst will always set to 0.

Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-04-04 00:56:19 +08:00
utam0k bfbd0305ba Add I/O priority
Signed-off-by: utam0k <k0ma@utam0k.jp>
2024-03-30 22:31:54 +09:00
Akihiro Suda 8e69225e2e Merge pull request #4220 from cyphar/runc-dmz-no-selinux-magic
dmz: remove SELinux special-casing
2024-03-27 14:16:52 +09:00
Aleksa Sarai 44114d32df merge #4179 into opencontainers/runc:main
Kir Kolyshkin (1):
  tests/int: fix flaky kill tests

LGTMs: AkihiroSuda cyphar
2024-03-15 17:57:12 +11:00
Aleksa Sarai 37581ad340 dmz: remove SELinux special-casing
Now that runc-dmz is opt-in, we no longer need to try to detect whether
SELinux would cause issues for us. We can also remove the
special-purpose build-tag we added.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-03-13 18:18:09 +11:00
Rodrigo Campos 1dae66f748 libct/dmz: Require RUNC_DMZ=true to opt-in
If it is compiled, the user needs to opt-in with this env variable to
use it.

While we are there, remove the RUNC_DMZ=legacy as that is now the
default.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2024-02-28 12:15:57 -03:00
Kir Kolyshkin 86360598bd tests/int: fix flaky kill tests
It takes some time for the kernel to kill the process (and remove its
PID from cgroup.procs). To ensure we don't have flakes from reading
cgroup.procs right after the kill, check and wait for processes to
actually be gone.

Fixes: 4163
Reported-by: lifubang@acmcoder.com
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-02-15 13:32:33 -08:00
Kir Kolyshkin 302b2e89a6 tests/int: use gawk where needed
This expression is specific to GNU awk (gawk), so if someone has other version
of awk installed, this won't work and it's not easy to see why.

Explicitly requiring gawk here is better.

Revert "tests/int/helpers: gawk -> awk"

This reverts commit 4e65118d02.

Reported-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-02-12 14:44:42 -08:00
lifubang bc4a869d5a test: no execve error msg synced to parent process
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-02-08 01:45:26 +00:00
lfbzhm 0bc4732c07 test for execve error without runc-dmz
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-01-25 04:52:29 +00:00
Rodrigo Campos fe95a2a06a tests/integration: Test exec failures
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2024-01-21 15:35:46 +01:00
Aleksa Sarai fa93c8b05b tests: mounts: add some tests to check mount ordering
Our previous implementation of idmapped mounts and bind-mount sources
would open all of the source paths before we did any mounts, meaning
that mounts using sources from inside the container rootfs would not be
correct.

This has been fixed with the new on-demand system, and so add some
regression tests.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-14 11:36:43 +11:00
Aleksa Sarai 3b57e45cbf mount: add support for ridmap and idmap
ridmap indicates that the id mapping should be applied recursively (only
really relevant for rbind mount entries), and idmap indicates that it
should not be applied recursively (the default). If no mappings are
specified for the mount, we use the userns configuration of the
container. This matches the behaviour in the currently-unreleased
runtime-spec.

This includes a minor change to the state.json serialisation format, but
because there has been no released version of runc with commit
fbf183c6f8 ("Add uid and gid mappings to mounts"), we can safely make
this change without affecting running containers. Doing it this way
makes it much easier to handle m.IsIDMapped() and indicating that a
mapping has been specified.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-14 11:36:42 +11:00
Aleksa Sarai 5ae88daf06 idmap: allow arbitrary idmap mounts regardless of userns configuration
With the rework of nsexec.c to handle MOUNT_ATTR_IDMAP in our Go code we
can now handle arbitrary mappings without issue, so remove the primary
artificial limit of mappings (must use the same mapping as the
container's userns) and add some tests.

We still only support idmap mounts for bind-mounts because configuring
mappings for other filesystems would require switching our entire mount
machinery to the new mount API. The current design would easily allow
for this but we would need to convert new mount options entirely to the
fsopen/fsconfig/fsmount API. This can be done in the future.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-14 11:36:41 +11:00
Aleksa Sarai c045886f71 tests: remap rootfs for userns tests
Previously, all of our userns tests worked around the remapping issue by
creating the paths that runc would attempt to create (like /proc).
However, this isn't really accurate to how real userns containers are
created, so it's much better to actually remap the rootfs.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-05 17:46:10 +11:00
Aleksa Sarai 6fa8d06843 integration: add mega-test for joining namespaces
Given we've had several bugs in this behaviour that have now been fixed,
add an integration test that makes sure that you can start a container
that joins all of the namespaces of a second container.

The only namespace we do not join is the mount namespace, because
joining a namespace that has been pivot_root'd leads to a bunch of
errors. In principle, removing everything from config.json that requires
a mount _should_ work, but the root.path configuration is mandatory and
we cannot just ignore setting up the rootfs in the namespace joining
scenario (if the user has configured a different rootfs, we need to use
it or error out, and there's no reasonable way of checking if if the
rootfs paths are the same that doesn't result in spaghetti logic).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-05 17:46:10 +11:00
Aleksa Sarai e6fb7fe515 nsexec: allow timens to work with non-rootless userns
The owner of /proc/self/timens_offsets doesn't change after creating a
userns, meaning that we need to request stage-0 to write our timens
mappings for us. Before this patch, attempting to use timens with a
proper userns resulted in:

  FATA[0000] nsexec-1[18564]: failed to update /proc/self/timens_offsets: Permission denied
  FATA[0000] nsexec-0[18562]: failed to sync with stage-1: next state: Success
  ERRO[0000] runc run failed: unable to start container process: can't get final child's PID from pipe: EOF

Fixes: ebc2e7c435 ("Support time namespace")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-05 17:46:09 +11:00
Aleksa Sarai 1912d5988b *: actually support joining a userns with a new container
Our handling for name space paths with user namespaces has been broken
for a long time. In particular, the need to parse /proc/self/*id_map in
quite a few places meant that we would treat userns configurations that
had a namespace path as if they were a userns configuration without
mappings, resulting in errors.

The primary issue was down to the id translation helper functions, which
could only handle configurations that had explicit mappings. Obviously,
when joining a user namespace we need to map the ids but figuring out
the correct mapping is non-trivial in comparison.

In order to get the mapping, you need to read /proc/<pid>/*id_map of a
process inside the userns -- while most userns paths will be of the form
/proc/<pid>/ns/user (and we have a fast-path for this case), this is not
guaranteed and thus it is necessary to spawn a process inside the
container and read its /proc/<pid>/*id_map files in the general case.

As Go does not allow us spawn a subprocess into a target userns,
we have to use CGo to fork a sub-process which does the setns(2). To be
honest, this is a little dodgy in regards to POSIX signal-safety(7) but
since we do no allocations and we are executing in the forked context
from a Go program (not a C program), it should be okay. The other
alternative would be to do an expensive re-exec (a-la nsexec which would
make several other bits of runc more complicated), or to use nsenter(1)
which might not exist on the system and is less than ideal.

Because we need to logically remap users quite a few times in runc
(including in "runc init", where joining the namespace is not feasable),
we cache the mapping inside the libcontainer config struct. A future
patch will make sure that we stop allow invalid user configurations
where a mapping is specified as well as a userns path to join.

Finally, add an integration test to make sure we don't regress this again.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-05 17:46:08 +11:00
Aleksa Sarai 884117471c tests: integration: fix spurious SC203[01] shellcheck errors
We had ignore lines for these warnings, but it turns out this is most
likely a bug in shellcheck and we can work around it by moving the
helper function definition before any of the functions that use the
helper function. Hopefully it'll be fixed soon.

Ref: https://github.com/koalaman/shellcheck/issues/2873
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-05 17:39:37 +11:00
Kir Kolyshkin ab3cd8d73e runc delete, container.Destroy: kill all processes
(For a container with no private PID namespace, that is).

When runc delete (or container.Destroy) is called on a stopped
container without private PID namespace and there are processes
in its cgroup, kill those.

Add a test case.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-11-27 09:15:39 -08:00
Kir Kolyshkin 29283bb7db runc delete -f: fix for no pidns + no init case
Commit f8ad20f moved the kill logic from container destroy to container
kill (which is the right thing to do).

Alas, it broke the use case of doing "runc delete -f" for a container
which does not have its own private PID namespace, when its init process
is gone. In this case, some processes may still be running, and runc
delete -f should kill them (the same way as "runc kill" does).

It does not do that because the container status is "stopped" (as runc
considers the container with no init process as stopped), and so we only
call "destroy" (which was doing the killing before).

The fix is easy: if --force is set, call killContainer no matter what.

Add a test case, similar to the one in the previous commit.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-11-27 09:15:39 -08:00
Kir Kolyshkin dcf1b731f5 runc kill: fix sending KILL to non-pidns container
Commit f8ad20f made it impossible to kill leftover processes in a
stopped container that does not have its own PID namespace. In other
words, if a container init is gone, it is no longer possible to use
`runc kill` to kill the leftover processes.

Fix this by moving the check if container init exists to after the
special case of handling the container without own PID namespace.

While at it, fix the minor issue introduced by commit 9583b3d:
if signalAllProcesses is used, there is no need to thaw the
container (as freeze/thaw is either done in signalAllProcesses already,
or not needed at all).

Also, make signalAllProcesses return an error early if the container
cgroup does not exist (as it relies on it to do its job). This way, the
error message returned is more generic and easier to understand
("container not running" instead of "can't open file").

Finally, add a test case.

Fixes: f8ad20f
Fixes: 9583b3d
Co-authored-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-11-27 09:15:39 -08:00
lfbzhm 95a93c132c Merge pull request #4045 from fuweid/support-pidfd-socket
[feature request] *: introduce pidfd-socket flag
2023-11-22 09:13:55 +08:00
Wei Fu 94505a046a *: introduce pidfd-socket flag
The container manager like containerd-shim can't use cgroup.kill feature or
freeze all the processes in cgroup to terminate the exec init process.
It's unsafe to call kill(2) since the pid can be recycled. It's good to
provide the pidfd of init process through the pidfd-socket. It's similar to
the console-socket. With the pidfd, the container manager like containerd-shim
can send the signal to target process safely.

And for the standard init process, we can have polling support to get
exit event instead of blocking on wait4.

Signed-off-by: Wei Fu <fuweid89@gmail.com>
2023-11-21 18:28:50 +08:00
Kir Kolyshkin 2705c9c5d6 Merge pull request #4095 from kolyshkin/flake-tmpfs-perm
tests/int: fix flaky "runc run with tmpfs perm"
2023-11-06 17:46:35 -08:00
Kir Kolyshkin b39781b067 tests/int: add selinux test case
This is a test case to demonstrate the selinux vs dmz issue.

The issue is, runc calls selinux.SetExecLabel and then execs the
runc-dmz binary, but the execve is denied by selinux:

> type=PROCTITLE msg=audit(10/05/2023 22:54:07.911:10904) : proctitle=/tmp/bats-run-sGk2sn/runc.Ql243q/bundle/runc init
> type=SYSCALL msg=audit(10/05/2023 22:54:07.911:10904) : arch=x86_64 syscall=execveat success=no exit=EACCES(Permission denied) a0=0x6 a1=0xc0000b90fa a2=0xc0000a26a0 a3=0xc000024660 items=0 ppid=105316 pid=105327 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=8 comm=runc:[2:INIT] exe=/tmp/bats-run-sGk2sn/runc.Ql243q/bundle/runc subj=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(10/05/2023 22:54:07.911:10904) : avc:  denied  { entrypoint } for  pid=105327 comm=runc:[2:INIT] path=/memfd:runc_cloned:runc-dmz (deleted) dev="tmpfs" ino=2341 scontext=system_u:system_r:container_t:s0:c4,c5 tcontext=unconfined_u:object_r:container_runtime_tmpfs_t:s0 tclass=file permissive=0

Once that error is fixed (by adding a selinux rule that enables it), we
see one more error, also related to executing a file on tmpfs.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-30 16:55:41 -07:00
Zheao.Li 98511bb40e linux: Support setting execution domain via linux personality
carry #3126

Co-authored-by: Aditya R <arajan@redhat.com>
Signed-off-by: Zheao.Li <me@manjusaka.me>
2023-10-27 19:33:37 +08:00
Kir Kolyshkin 6d27922005 tests/int: fix flaky "runc run with tmpfs perm"
Apparently, sometimes a short-lived "runc run" produces result with \r
and sometimes without. As a result, we have an occasional failure of
"runc run with tmpfs perms" test.

The solution (to the flaky test) is to use the first line of the output
(like many other tests do).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-25 18:57:29 -07:00
Aleksa Sarai 7c71a22705 rootfs: remove --no-mount-fallback and finally fix MS_REMOUNT
The original reasoning for this option was to avoid having mount options
be overwritten by runc. However, adding command-line arguments has
historically been a bad idea because it forces strict-runc-compatible
OCI runtimes to copy out-of-spec features directly from runc and these
flags are usually quite difficult to enable by users when using runc
through several layers of engines and orchestrators.

A far more preferable solution is to have a heuristic which detects
whether copying the original mount's mount options would override an
explicit mount option specified by the user. In this case, we should
return an error. You only end up in this path in the userns case, if you
have a bind-mount source with locked flags.

During the course of writing this patch, I discovered that several
aspects of our handling of flags for bind-mounts left much to be
desired. We have completely botched the handling of explicitly cleared
flags since commit 97f5ee4e6a ("Only remount if requested flags differ
from current"), with our behaviour only becoming increasingly more weird
with 50105de1d8 ("Fix failure with rw bind mount of a ro fuse") and
da780e4d27 ("Fix bind mounts of filesystems with certain options
set"). In short, we would only clear flags explicitly request by the
user purely by chance, in ways that it really should've been reported to
us by now. The most egregious is that mounts explicitly marked "rw" were
actually mounted "ro" if the bind-mount source was "ro" and no other
special flags were included. In addition, our handling of atime was
completely broken -- mostly due to how subtle the semantics of atime are
on Linux.

Unfortunately, while the runtime-spec requires us to implement
mount(8)'s behaviour, several aspects of the util-linux mount(8)'s
behaviour are broken and thus copying them makes little sense. Since the
runtime-spec behaviour for this case (should mount options for a "bind"
mount use the "mount --bind -o ..." or "mount --bind -o remount,..."
semantics? Is the fallback code we have for userns actually
spec-compliant?) and the mount(8) behaviour (see [1]) are not
well-defined, this commit simply fixes the most obvious aspects of the
behaviour that are broken while keeping the current spirit of the
implementation.

NOTE: The handling of atime in the base case is left for a future PR to
deal with. This means that the atime of the source mount will be
silently left alone unless the fallback path needs to be taken, and any
flags not explicitly set will be cleared in the base case. Whether we
should always be operating as "mount --bind -o remount,..." (where we
default to the original mount source flags) is a topic for a separate PR
and (probably) associated runtime-spec PR.

So, to resolve this:

* We store which flags were explicitly requested to be cleared by the
  user, so that we can detect whether the userns fallback path would end
  up setting a flag the user explicitly wished to clear. If so, we
  return an error because we couldn't fulfil the configuration settings.

* Revert 97f5ee4e6a ("Only remount if requested flags differ from
  current"), as missing flags do not mean we can skip MS_REMOUNT (in
  fact, missing flags are how you indicate a flag needs to be cleared
  with mount(2)). The original purpose of the patch was to fix the
  userns issue, but as mentioned above the correct mechanism is to do a
  fallback mount that copies the lockable flags from statfs(2).

* Improve handling of atime in the fallback case by:
    - Correctly handling the returned flags in statfs(2).
    - Implement the MNT_LOCK_ATIME checks in our code to ensure we
      produce errors rather than silently producing incorrect atime
      mounts.

* Improve the tests so we correctly detect all of these contingencies,
  including a general "bind-mount atime handling" test to ensure that
  the behaviour described here is accurate.

This change also inlines the remount() function -- it was only ever used
for the bind-mount remount case, and its behaviour is very bind-mount
specific.

[1]: https://github.com/util-linux/util-linux/issues/2433

Reverts: 97f5ee4e6a ("Only remount if requested flags differ from current")
Fixes: 50105de1d8 ("Fix failure with rw bind mount of a ro fuse")
Fixes: da780e4d27 ("Fix bind mounts of filesystems with certain options set")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-10-24 17:28:25 +11:00
Kir Kolyshkin 153865d0fe tests/int: fix teardown in mounts_sshfs.bats
Function teardown assumes that every test case will call
setup_sshfs. Currently, this assumption is true, but once
a test case that won't call setup_sshfs is added (say because
it has some extra "requires" or "skip"), it will break bats,
so any bats invocation involving such a test case will end up
hanging after the last test case is run.

The reason is, we have set -u in helpers.bash to help catching the use
of undefined variables. In the above scenario, such a variable is DIR,
which is referenced in teardown but is only defined after a call to
setup_sshfs. As a result, bash that is running the teardown function
will exit upon seeing the first $DIR, and thus teardown_bundle won't be
run. This, in turn, results in a stale recvtty process, which inherits
bats' fd 3. Until that fd is closed, bats waits for test logs.

Long story short, the fix is to
 - check if DIR is set before referencing it;
 - unset it after unmount.

PS it is still not clear why there is no diagnostics about the failed
teardown.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-10-24 17:28:13 +11:00
Kir Kolyshkin 5ea7c60f33 tests/int: fix cgroup tests
Commit e1584831b6 did two modifications to check_cgroup_value():

1. It now skips the test if the file is not found.

2. If the comparison failed, a second comparison, with value divided by 1000,
   is performed.

These modifications were only needed for cpu.burst, but instead were done
in a generic function used from many cgroup tests. As a result, we can
no longer be sure about the test coverage (item 1) and the check being
correct (item 2) anymore. In fact, part of "update cgroup cpu limits"
test is currently skipped on CentOS 7 and 8 because of item 1.

To fix:
 - replace item 1 with a new "cgroups_cpu_burst" argument for "requires",
   and move the test to a separate case;
 - replace item 2 with a local change in check_cpu_burst.

Fixes: e1584831b6
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-23 11:25:57 -07:00
Kir Kolyshkin bbf8eff818 tests/int: fix "runc run (hugetlb limits)"
Recent commit 4a7d3ae5cd had a bug (extra period).

Fixes: 4a7d3ae5cd
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-23 11:25:48 -07:00
Kir Kolyshkin 4a7d3ae5cd libct/cg: support hugetlb rsvd
This adds support for hugetlb.<pagesize>.rsvd limiting and accounting.

The previous non-rsvd max/limit_in_bytes does not account for reserved
huge page memory, making it possible for a processes to reserve all the
huge page memory, without being able to allocate it (due to cgroup
restrictions).

In practice this makes it possible to successfully mmap more huge page
memory than allowed via the cgroup settings, but when using the memory
the process will get a SIGBUS and crash. This is bad for applications
trying to mmap at startup (and it succeeds), but the program crashes
when starting to use the memory. eg. postgres is doing this by default.

This also keeps writing to the old max/limit_in_bytes, for backward
compatibility.

More info can be found here: https://lkml.org/lkml/2020/2/3/1153

(commit message mostly written by Odin Ugedal)

Co-authored-by: Odin Ugedal <odin@ugedal.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-13 22:55:24 -07:00