Commit Graph

4614 Commits

Author SHA1 Message Date
Sebastiaan van Stijn b7c446b31a checkpoint: setPageServer: use net.SplitHostPort instead of strings.Split
strings.Split() isn't the best solution for this, as it will not handle (e.g.)
IPv6 addresses.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-29 12:28:03 +02:00
Akihiro Suda 49d4507c77 Merge pull request #2595 from thaJeztah/libcontainer_caps_refactor
Libcontainer: refactor capabilities code and remove RHEL6 workaround
2020-09-29 13:53:40 +09:00
Mrunal Patel 43d2b10300 Merge pull request #2592 from kolyshkin/tests-int-nits
tests/integration: nits
2020-09-28 09:27:03 -07:00
Akihiro Suda 6e5320ffa8 Merge pull request #2584 from kolyshkin/unified-support
libct/cgroups: support Cgroups.Resources.Unified
2020-09-26 18:48:16 +09:00
Kir Kolyshkin 4929c05ad1 tests/int: add cgroupv2 unified resources tests
Note that various invalid keys are covered by test cases in
libcontainer/integration/exec_test.go

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-09-24 15:29:40 -07:00
Kir Kolyshkin 6e2159be74 tests/int/cgroups: make sure to rm containers
Container test_cgroups_group was missing from the teardown.

Fixes: c91fe9aeba.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-09-24 15:29:40 -07:00
Kir Kolyshkin b006f4a180 libct/cgroups: support Cgroups.Resources.Unified
Add support for unified resource map (as per [1]), and add some test
cases for the new functionality.

[1] https://github.com/opencontainers/runtime-spec/pull/1040

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-09-24 15:29:35 -07:00
Akihiro Suda 33faa5d0e2 Merge pull request #2575 from fuweid/update-state-store
libcontainer: Store state.json before sync procRun
2020-09-23 22:12:15 +09:00
Mrunal Patel 190fcf244c Merge pull request #2593 from kolyshkin/fix-verify-deps
Makefile: fix vendor and verify-dependencies
2020-09-21 18:57:42 -07:00
Kir Kolyshkin 30601efa81 tests/int/spec.bats: simplify
Most of whatever is happening in the test cases is already available in
setup_hello and teardown_hello. Use these.

Rewrite the validation test to be more compact and not dependent
on `pwd` value. Also, pinning xeipuuv/gojsonschema to a particular
version is no longer required.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-09-21 03:11:02 -07:00
Kir Kolyshkin 6c21de38a1 tests/int/spec: only run once for rootless
The purpose of the spec validation test is to make sure
that config.json generated by runc spec is valid. Therefore,
it does not depend on ROOTLESS_FEATURES.

Taking that into account, and given the fact that this test
involves cloning repos and building some code, it makes sense
to not run it 4 times for various rootless features.

Time it takes to execute spec.bats in rootless mode has improved.

Before:
	real	0m21.286s
	user	0m37.837s
	sys	0m5.745s

After:
	real	0m13.162s
	user	0m30.814s
	sys	0m4.050s

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-09-21 03:10:19 -07:00
Kir Kolyshkin 186a38ba73 tests/int: whitespace cleanup
Fix
 - whitespace at EOL
 - empty lines at EOF

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-09-21 02:47:23 -07:00
Kir Kolyshkin 792d2c3b36 tests/int/cgroups.bats: rm unused code
Commit d78ae51a2 adds this line, but the file is never created.

This is probably a leftover from copy-pasting update.bats code.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-09-21 02:47:23 -07:00
Kir Kolyshkin 908b7076e9 tests/int/*.bats: make sure to delete containers
With some grep|awk help, found a few places where the containers
supposed to be removed in teardown() weren't.

To find container names:

	grep -E '^[[:space:]]*\<_*_*runc\>.*\<(create|run|restore)\>'

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-09-21 02:47:23 -07:00
Sebastiaan van Stijn 1c3af27519 libcontainer: newContainerCapList() refactor to reduce duplicated code
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-19 11:26:27 +02:00
Sebastiaan van Stijn 8820a1459a libcontainer: initialize slices with length
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-19 11:04:29 +02:00
Sebastiaan van Stijn f5c96b7460 libcontainer: remove unneeded sprintf and intermediate variable
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-19 10:58:56 +02:00
Sebastiaan van Stijn b9e26ad8c6 libcontainer: remove workaround for RHEL6 kernels
This was a workaround for RHEL6 (2.6.xx) kernels, which have not
been supported by container runtimes for a long time, so should
be safe to remove this workaround.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-19 10:45:38 +02:00
Sebastiaan van Stijn 373811bad4 libcontainer: rename cap variable as it collides with built-in
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-19 10:43:31 +02:00
Kir Kolyshkin 074e67ad06 Makefile: fix vendor and verify-dependencies
Commit a08ab87fe added these targets. Alas, the `go mod tidy` never
worked, as it was written as part of `export` statement:

	export GO111MODULE=on \
        $(GO) mod tidy && \
	...

which is the same as

	export GO111MODULE=on $(GO) mod tidy && ...

which exports a bunch of variables, such as `go`, `mod`, and `tidy`,
but does not run it.

The fix would be to add a semicolon after the `export` statement,
but since GO111MODULE is not really needed here (maybe some older
golang versions needed it?), let's just drop it.

With this dropped, && does not make any sense, so drop it, too.

NOTE that if someone tries

	GO111MODULE=off make vendor

it will fail, but I guess it is expected.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-09-17 12:50:54 -07:00
Aleksa Sarai d636ad6256 merge branch 'pr-2591' into master
Sebastiaan van Stijn (1):
  vendor: github.com/moby/sys/mountinfo v0.2.0

LGTMs: @cyphar @AkihiroSuda
Closes #2591
2020-09-17 19:29:45 +10:00
Sebastiaan van Stijn 71c10e3c78 vendor: github.com/moby/sys/mountinfo v0.2.0
full diff: https://github.com/moby/sys/compare/mountinfo/v0.1.3...mountinfo/v0.2.0

Bug fixes:

- Fix path unescaping for paths with double quotes

Improvements:

- Mounted: speed up by adding fast paths using openat2 (Linux-only) and stat
- Mounted: relax path requirements (allow relative, non-cleaned paths, symlinks)
- Unescape fstype and source fields
- Documentation improvements

Testing/CI:

- Unit tests: exclude darwin
- CI: run tests under Fedora 32 to test openat2
- TestGetMounts: fix for Ubuntu build system
- Makefile: fix ignoring test failures
- CI: add cross build

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-16 22:52:26 +02:00
Kir Kolyshkin ba8687fc28 tests/int/helpers: fix indentation
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-09-16 13:17:50 -07:00
Kir Kolyshkin fdb0590c40 tests/int/helpers: simplify set_cgroup_mount_writable
Use update_config like in all the other places.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-09-16 13:17:44 -07:00
Kir Kolyshkin 74b57fea54 fscommon.WriteFile: simplify error message
As the underlying error message from iotuils.WriteFile already contains
file name, there's no need to put it, otherwise we end up with something
like:

	failed to write "val" to "/sys/fs/cgroup/.../file": open /sys/fs/cgroup/.../file: permission denied

With this patch, the error will be

	failed to write "val": open /sys/fs/cgroup/.../file: permission denied

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-09-16 10:23:12 -07:00
Kir Kolyshkin a3f91b9864 vendor: bump runtime-spec
... to include unified resources support.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-09-16 10:23:12 -07:00
Mrunal Patel 892477ca26 Merge pull request #2581 from kolyshkin/fix-cpt-again
tests/integration/checkpoint.bats: fix showing errors, rm unused code
2020-09-15 08:22:22 -07:00
Akihiro Suda 2cf8d24007 Merge pull request #2494 from kolyshkin/cgroupv1-optimize-path
cgroups/v1: optimize path usage
2020-09-11 11:42:53 +09:00
Akihiro Suda bbd4ffe195 Merge pull request #2579 from kolyshkin/bump-fileutils
vendor: bump fileutils to v0.5.0
2020-09-11 04:28:19 +09:00
Kir Kolyshkin b682e8cf2d vendor: bump fileutils to v0.5.0
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-09-10 10:36:54 -07:00
Michael Crosby ab740e9f76 Merge pull request #2541 from AkihiroSuda/go-version
add Go version and libseccomp version to `runc --version`
2020-09-10 08:26:14 -04:00
Kir Kolyshkin d1d13d9ac3 tests/int/checkpoint: don't hide stderr
For test cases where we used pipes for container's stdin/stdout/stderr,
stderr was redirected to the same pipe as stdout, which practically
means it is lost.

These redirects to fd is needed not because we check that container is
working by writing to its stdin and reading from stdout (see
check_pipes), but also because bats redirects test stdout/stderr to a
file, which makes c/r impossible (as the file is outside of container).
This is why we can't just do something like `2>stderr.log`, and have
to do what is done in this commit.

Introduce and use another pipe for stdout, to be used for both runc run
and runc restore, so it will be shown in case of errors.

Since its handling is somewhat complicated and is used from 4 places
(2 for run, 2 for restore), separate it into a helper functions.

NOTE the code assumes that runc exits with non-zero exit code in case
there is anything that needs to be shown to a user from runc's stderr.

While at it, add error checking to runc run calls.

Hopefully, this will help debug those rare checkpoint failures in CI.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-09-09 20:40:08 -07:00
Kir Kolyshkin 627074d0f9 tests/int/checkpoint: rm useless code
Commit 417f5ff40 added a code to close fds and kill processes, which
should have helped in an event of test case failure.

In fact, each test case is executed in a subshell, so
 - any variables set there can't reach teardown();
 - all the fds are closed (as the process is gone).

Now, I am not sure about the processes, but the code being removed
has never worked anyway, so it does not make sense to keep it.
Normally, those are waited for. In case of a test case failure,
well, the subsequent cases might fail, too.

Fixes: 417f5ff40d
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-09-09 20:04:48 -07:00
Kir Kolyshkin bca5f24c99 tests/int/checkpoint.bats: fix showing logs on fail
This fixes the following issue with the test:

	not ok 12 checkpoint --lazy-pages and restore
	# (in test file tests/integration/checkpoint.bats, line 202)
	#   `[ $ret -eq 0 ]' failed
	...
	# grep: ./work-dir/restore.log: No such file or directory

One might think that `--work-path ./image-dir` is a mistake, but it's
not, since `criu lazy-pages -D ./image-dir` creates a socket in
./image-dir, and then `criu restore --lazy-pages` expects a socket in
the workdir.

Fixes: e232a71a3d
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-09-09 18:24:39 -07:00
Mrunal Patel 165ecd2639 Merge pull request #2580 from kolyshkin/fix-exec-test
tests/int: fix wrt busybox's nogroup->nobody change
2020-09-09 08:22:59 -07:00
Kir Kolyshkin dd3e0da337 tests/int/dev.bats: fixes for new busybox
These tests expect group name to be "nogroup", while recent busybox
changed that to "nobody".

Use numeric uids/gids to fix.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-09-08 18:53:08 -07:00
Kir Kolyshkin bcd309548a tests/int: fix runc exec --preserve-fds
This test started to fail, as it expected the output from
`id` to be

	uid=1000 gid=1000 groups=100(users),65534(nogroup)

while the actual output is now

	uid=1000 gid=1000 groups=100(users),65534(nobody)

Apparently, busybox image changed group name.

As we're only interested in ids, not names, and to fix the test,
let's use `id -G`.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-09-08 17:53:57 -07:00
Wei Fu ba0246da75 libcontainer: Store state.json before sync procRun
If the procRun state has been synced and the runc-create process has
been killed for some reason, the runc-init[2:stage] process will be
leaky. And the runc command also fails to parse root directory because
the container doesn't have state.json.

In order to make it possible to clean the leaky runc-init[2:stage]
process , we should store the status before sync procRun.

```before
current workflow:

[  child  ] <-> [   parent   ]

procHooks   --> [run hooks]
            <-- procResume

procReady   --> [final setup]
            <-- procRun

                ( killed for some reason)
                ( store state.json )
```

```expected
expected workflow:

[  child  ] <-> [   parent   ]

procHooks   --> [run hooks]
            <-- procResume

procReady   --> [final setup]
                store state.json
            <-- procRun
```

Signed-off-by: Wei Fu <fuweid89@gmail.com>
2020-09-07 23:22:42 +08:00
Shukui Yang cbb0a79322 Make sure signalAllProcesses is invoked in the function of destroy
It's expect that signalAllProcesses is invoked when container shares
pid namespace. share pid ns contains the following conditions:

{
    // no specify pid ns
}
{
    "type": "pid",
    "path": "/proc/${num}/ns/pid"
}

Signed-off-by: Shukui Yang <jryangshukui@jd.com>
Signed-off-by: Shukui Yang <keloyangsk@gmail.com>
2020-09-03 10:04:52 -04:00
Kir Kolyshkin 940e15479f cgroupv1/systemd: (re)use m.paths
In all these cases, getSubsystemPath() was already called, and its
result stored in m.paths map. It makes no sense to not reuse it.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-08-25 11:42:24 -07:00
Kir Kolyshkin f075084a47 cgroupv1/systemd: rework Apply/joinCgroups
We call joinCgroups() from Apply, and in there we iterate through the
list of subsystems, calling getSubsystemPath() for each. This is
expensive, since every getSubsystemPath() involves parsing mountinfo.

At the end of Apply(), we iterate through the list of subsystems to fill
the m.paths, again calling getSubsystemPath() for every subsystem.

As a result, we parse mountinfo about 20 times here.

Let's find the paths first and reuse m.paths in joinCgroups().

While at it, since join() is just two calls now, inline it.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-08-25 11:42:21 -07:00
Kir Kolyshkin fad92bbffa cgroupv1/Apply: do not overuse d.path/getSubsystemPath
When paths are set, we only need to place the PID into proper
cgroups, and we do know all the paths already.

Both fs/d.path() and systemd/v1/getSubsystemPath() parse
/proc/self/mountinfo, and the only reason they are used
here is to check whether the subsystem is available.

Use a much simpler/faster check instead.

Frankly, I am not sure why the check is needed at all. Maybe it should
be dropped.

Also, for fs driver, since d is no longer used in this code path,
move its initialization to after it.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-08-25 11:40:58 -07:00
Michael Crosby 09ddc63afd Merge pull request #2535 from kolyshkin/no-term-on-stdin
Fix run/exec with terminal: true in case stdin is not a terminal
2020-08-24 21:18:38 -04:00
Akihiro Suda e5f2eae5a5 Merge pull request #2558 from rhatdan/windows
Since no kernels support direct labeling of /dev/mqueue remove label
2020-08-22 04:43:36 +09:00
Akihiro Suda 19b63de7f7 Merge pull request #2554 from saschagrunert/apparmor-parser
Remove check for apparmor_parser in apparmor.IsEnabled()
2020-08-22 04:15:17 +09:00
Kir Kolyshkin f844a2f56c Merge pull request #2527 from ashley-cui/master
Add support for umask
2020-08-20 11:28:03 -07:00
Kir Kolyshkin 8898ad31e6 Merge pull request #2488 from ManaSugi/modify-space-to-tab
Modify spaces to tabs for indentation
2020-08-20 11:24:23 -07:00
Daniel J Walsh 0445fd60a4 Since no kernels support direct labeling of /dev/mqueue remove label
This looks like this is just filling logs for years, since the kernel never
added the support for automatically labeling /dev/mqueue.

Removes these dmesg lines

[ 1731.969847] SELinux: mount invalid.  Same superblock, different security settings for (dev mqueue, type mqueue)
[ 1736.985146] SELinux: mount invalid.  Same superblock, different security settings for (dev mqueue, type mqueue)
[ 1738.356796] SELinux: mount invalid.  Same superblock, different security settings for (dev mqueue, type mqueue)
[ 1738.479952] SELinux: mount invalid.  Same superblock, different security settings for (dev mqueue, type mqueue)
[ 1738.628935] SELinux: mount invalid.  Same superblock, different security settings for (dev mqueue, type mqueue)
[ 1763.433276] SELinux: mount invalid.  Same superblock, different security settings for (dev mqueue, type mqueue)
[ 1806.802133] SELinux: mount invalid.  Same superblock, different security settings for (dev mqueue, type mqueue)
[ 1806.982003] SELinux: mount invalid.  Same superblock, different security settings for (dev mqueue, type mqueue)
[ 1808.955390] SELinux: mount invalid.  Same superblock, different security settings for (dev mqueue, type mqueue)
[ 1815.951076] SELinux: mount invalid.  Same superblock, different security settings for (dev mqueue, type mqueue)
[ 1827.257757] SELinux: mount invalid.  Same superblock, different security settings for (dev mqueue, type mqueue)
[ 1828.947888] SELinux: mount invalid.  Same superblock, different security settings for (dev mqueue, type mqueue)
[ 1834.964451] SELinux: mount invalid.  Same superblock, different security settings for (dev mqueue, type mqueue)
[ 1835.941465] SELinux: mount invalid.  Same superblock, different security settings for (dev mqueue, type mqueue)

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-08-20 13:56:19 -04:00
Sascha Grunert bfb4ea1b1b Remove check for apparmor_parser in apparmor.IsEnabled()
The `apparmor_parser` binary is not really required for a system to run
AppArmor from a runc perspective. How to apply the profile is more in
the responsibility of higher level runtimes like Podman and Docker,
which may do the binary check on their own.

Signed-off-by: Sascha Grunert <sgrunert@suse.com>
2020-08-20 19:23:04 +02:00
Giuseppe Scrivano a63f99fcc5 Add support for umask
Signed-off-by: Ashley Cui <acui@redhat.com>
2020-08-20 11:39:43 -04:00