Commit Graph

5770 Commits

Author SHA1 Message Date
Kir Kolyshkin c4a61aa918 ci: enable extra linters for new code
This adds a new GHA CI job which runs a few extra linters. This is only
done for pull requests, and should only warn about new code.

The justification is simple: we want more linters, but since this is not
a new project, adding a new linter meaning we have to fix all the
existing warnings. In some cases having all the warnings fixed is
difficult and takes time, plus it is usually a low priority task.

Therefore, we are stuck with inability to add new linters because we
can't fix all their warnings. Meanwhile, new pull requests add more
code which is not linted.

This is an attempt to break this vicious cycle. Let's enable godot
and revive for now and see how it is going.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-30 16:51:55 -08:00
Akihiro Suda 6ff042023c Merge pull request #3234 from kolyshkin/hugepage-v2
libct/cg: refactor/improve/rename GetHugePageSize -> HugePageSizes
2021-11-29 18:14:14 +09:00
Aleksa Sarai 19d696ec29 merge branch 'pr-3276'
Kir Kolyshkin (2):
  runc run: fix ro /dev
  test/int/mount.bats: refer to github issue

LGTMs: thaJeztah cyphar
Closes #3276
2021-11-26 09:37:43 +11:00
Sebastiaan van Stijn 0e79754c9b Merge pull request #3294 from kolyshkin/xattr
libct/system/xattrs: remove
2021-11-24 20:07:43 +01:00
Kir Kolyshkin ec0f35bc68 libct/system/xattrs: remove
This is not used since commit 5e7b48f7c0 (23 Mar 2017).

In case there are external users, they should switch to
opencontainers/selinux.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-23 08:40:49 -08:00
Kir Kolyshkin 20feb5d315 Merge pull request #3290 from opencontainers/dependabot/go_modules/github.com/opencontainers/selinux-1.10.0
build(deps): bump github.com/opencontainers/selinux from 1.9.1 to 1.10.0
2021-11-22 13:40:34 -08:00
Sebastiaan van Stijn e23602ebba Merge pull request #3284 from kolyshkin/ci-fedora-revert-fix
Vagrantfile.fedora: revert excluding systemd
2021-11-22 20:40:43 +01:00
Sebastiaan van Stijn 02fe5f4734 Merge pull request #3283 from kolyshkin/rootless-ro-bind-rw
Fix failure with rw bind mount of a ro fuse
2021-11-22 18:39:44 +01:00
dependabot[bot] e9ed200031 build(deps): bump github.com/opencontainers/selinux from 1.9.1 to 1.10.0
Bumps [github.com/opencontainers/selinux](https://github.com/opencontainers/selinux) from 1.9.1 to 1.10.0.
- [Release notes](https://github.com/opencontainers/selinux/releases)
- [Commits](https://github.com/opencontainers/selinux/compare/v1.9.1...v1.10.0)

---
updated-dependencies:
- dependency-name: github.com/opencontainers/selinux
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-11-22 04:21:12 +00:00
Sebastiaan van Stijn d1f316f324 Merge pull request #3286 from chendave/cleanup
Avoid non-op when the list of `Hooks` is empty
2021-11-19 21:29:14 +01:00
Kir Kolyshkin e3dd80fa06 Vagrantfile.fedora: revert excluding systemd
Since https://bugzilla.redhat.com/2022041 is fixed (in
systemd-249.7-2.fc35), the exclude kludge can be dropped.

This partially reverts commit b028ecb352.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-19 12:13:24 -08:00
Kir Kolyshkin 1da84d1aff libct/cg: TestGetHugePageSizeImpl: use t.Run
Move test case comments to doc strings, and use t.Run.

Suggested-by:  Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-19 12:03:12 -08:00
Dave Chen 1362291a6d Avoid non-op when the list of Hooks is empty
There is no need to run hooks when `Config.Hooks` is just an empty map,

(dlv) p p.config.Config.Hooks
github.com/opencontainers/runc/libcontainer/configs.Hooks []

Signed-off-by: Dave Chen <dave.chen@arm.com>
2021-11-19 22:37:27 +08:00
Akihiro Suda eba6097aba Merge pull request #3287 from cyphar/netlink-embedded-nulls
specconv: do not permit null bytes in mount fields
2021-11-19 14:06:59 +09:00
Kir Kolyshkin f13a932570 libct/cg: HugePageSizes: simplify code and test
1. Instead of distinguishing between errors and warnings, let's treat all
   errors as warnings, thus simplifying the code. This changes the
   function behaviour for input like hugepages-BadNumberKb --
   previously, the error from Atoi("BadNumber") was considered fatal,
   now it's just another warnings.

2. Move the warning logging to HugePageSizes, thus simplifying the test
   case, which no longer needs to read what logrus writes. Note that we
   do not want to log all the warnings (as chances are very low we'll
   get any, and if we do this means the code need to be updated), only
   the first one.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-18 18:20:49 -08:00
Kir Kolyshkin 39d4c8d5f9 libct/cg: lazy init for HugePageSizes
I have noticed that libct/cg/fs allocates 8K during init on every runc
execution:

> init github.com/opencontainers/runc/libcontainer/cgroups/fs @1.5 ms, 0.028 ms clock, 8512 bytes, 13 allocs

Apparently this is caused by global HugePageSizes variable init, which
is only used from GetStats (i.e. it is never used by runc itself).

Remove it, and use HugePageSizes() directly instead. Make it init-once,
so that GetStats (which, I guess, is periodically called by kubernetes)
does not re-read huge page sizes over and over.

This also removes 12 allocs and 8K from libct/cg/fs init section:

> $ time GODEBUG=inittrace=1 ./runc --help 2>&1 | grep cgroups/fs
> init github.com/opencontainers/runc/libcontainer/cgroups/fs @1.5 ms, 0.003 ms clock, 16 bytes, 1 allocs

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-18 18:20:49 -08:00
Kir Kolyshkin a4d4c4dd9f libct/cg: GetHugePageSize -> HugePageSizes
1. Since GetHugePageSize do not have any external users (checked by
   sourcegraph), and no internal user ever uses its second return value
   (the error), let's drop it.

2. Rename GetHugePageSize -> HugePageSizes (drop the Get prefix as per
   Go guidelines, add suffix since we return many sizes).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-18 18:20:49 -08:00
Aleksa Sarai 8b4a8f093d merge branch 'pr-3289'
Kir Kolyshkin (1):
  libct/standard_init: fix linter warning

LGTMs: thaJeztah cyphar
Closes #3289
2021-11-19 11:44:57 +11:00
Aleksa Sarai dde509df4e specconv: do not permit null bytes in mount fields
Using null bytes as control characters for sending strings via netlink
opens us up to a user explicitly putting a null byte in a mount string
(which JSON will happily let you do) and then causing us to open a mount
path different to the one expected.

In practice this is more of an issue in an environment such as
Kubernetes where you may have path-based access control policies (which
are more susceptible to these kinds of flaws).

Found by Google Project Zero.

Fixes: 9c444070ec ("Open bind mount sources from the host userns")
Reported-by: Felix Wilhelm <fwilhelm@google.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-11-19 11:41:05 +11:00
Kir Kolyshkin 50105de1d8 Fix failure with rw bind mount of a ro fuse
As reported in [1], in a case where read-only fuse (sshfs) mount
is used as a volume without specifying ro flag, the kernel fails
to remount it (when adding various flags such as nosuid and nodev),
returning EPERM.

Here's the relevant strace line:

> [pid 333966] mount("/tmp/bats-run-PRVfWc/runc.RbNv8g/bundle/mnt", "/proc/self/fd/7", 0xc0001e9164, MS_NOSUID|MS_NODEV|MS_REMOUNT|MS_BIND|MS_REC, NULL) = -1 EPERM (Operation not permitted)

I was not able to reproduce it with other read-only mounts as the source
(tried tmpfs, read-only bind mount, and an ext2 mount), so somehow this
might be specific to fuse.

The fix is to check whether the source has RDONLY flag, and retry the
remount with this flag added.

A test case (which was kind of hard to write) is added, and it fails
without the fix. Note that rootless user need to be able to ssh to
rootless@localhost in order to sshfs to work -- amend setup scripts
to make it work, and skip the test if the setup is not working.

[1] https://github.com/containers/podman/issues/12205

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-18 13:09:41 -08:00
Kir Kolyshkin 982b9a1dd3 libct/standard_init: fix linter warning
The staticcheck linter points out that the err != nil comparison
after system.Exec is always true:

> libcontainer/standard_init_linux.go#L253
> SA4023: this comparison is always true (staticcheck)
> libcontainer/system/linux.go#L43
> SA4023(related information): github.com/opencontainers/runc/libcontainer/system.Exec never returns a nil interface value (staticcheck)

Indeed, Exec either returns an error or does not return at all.

Remove the (useless) check.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-18 08:53:50 -08:00
Akihiro Suda 0d5ac13200 Merge pull request #3285 from kolyshkin/3281-followups
libct/specconv: nits
2021-11-18 14:23:50 +09:00
Kir Kolyshkin 643f8a2b40 libct/specconv: nits
1. Decapitalize errors.
2. Rename isValidName to checkPropertyName.
3. Make it return a specific error.

Suggested-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-17 17:32:28 -08:00
Sebastiaan van Stijn 20e928875a Merge pull request #3275 from kolyshkin/rm-prlimit
libcontainer/system: rm Prlimit
2021-11-17 14:38:27 +01:00
Sebastiaan van Stijn e49007f3ad Merge pull request #3281 from kolyshkin/specconv-maps
libct/specconv: reduce init allocations, use global maps, refactor
2021-11-17 13:40:59 +01:00
Kir Kolyshkin b247cd392a runc run: fix ro /dev
Commit fb4c27c4b7 (went into v1.0.0-rc93) fixed a bug with
read-only tmpfs, but introduced a bug with read-only /dev.

This happens because /dev is a tmpfs mount and is therefore remounted
read-only a bit earlier than before.

To fix,

1. Revert the part of the above commit which remounts all tmpfs mounts
   as read-only in mountToRootfs.

2. Reuse finalizeRootfs (which is already used to remount /dev
   read-only) to also remount all ro tmpfs mounts that were previously
   mounted rw in mountPropagate.

3. Remove the break in finalizeRootfs, as now we have more than one
   mount to care about.

4. Reorder the if statements in finalizeRootfs to perform the fast check
   (for ro flag) first, and compare the strings second. Since /dev is
   most probably also a tmpfs mount, do the m.Device check first.

Add a test case to validate the fix and prevent future regressions;
make sure it fails before the fix:

 ✗ runc run [ro /dev mount]
   (in test file tests/integration/mounts.bats, line 45)
     `[ "$status" -eq 0 ]' failed
   runc spec (status=0):

   runc run test_busybox (status=1):
   time="2021-11-12T12:19:48-08:00" level=error msg="runc run failed: unable to start container process: error during container init: error mounting \"devpts\" to rootfs at \"/dev/pts\": mkdir /tmp/bats-run-VJXQk7/runc.0Fj70w/bundle/rootfs/dev/pts: read-only file system"

Fixes: fb4c27c4b7
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-15 10:37:16 -08:00
Sebastiaan van Stijn 7c219d814f Merge pull request #3270 from kolyshkin/wrap-err
libct: wrap more unix errors
2021-11-14 21:16:34 +01:00
Sebastiaan van Stijn f247ad2067 Merge pull request #3280 from kolyshkin/ci-revert-kludge
Revert "ci: temporarily disable criu repo gpg check"
2021-11-13 09:44:03 +01:00
Kir Kolyshkin 029b73c1b0 libct/spec: replace isValidName regex with a function
Also, add a simple test and a benchmark (just out of sheer curiosity).

Benchmark results:

name           old time/op  new time/op  delta
IsValidName-4   540ns ± 3%    45ns ± 1%  -91.76%  (p=0.008 n=5+5)

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-12 20:23:49 -08:00
Kir Kolyshkin 6907becaf9 libct/specconv: remove isSecSuffix regex
Commit 1cd71dfd7 added isSecSuffix, but the same thing can be done
easily without a regex. This is faster and saves some init time and
memory.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-12 20:23:47 -08:00
Kir Kolyshkin 37c5fd554e libct/specconv: make parseMountOptions return Mount
parseMountOption already returns way too many values, making the code
kind of hard to read.

Since all of the return values are used as is to populate the fields of
configs.Mount, let's change it to return (semi-)populated *configs.Mount
instead.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-12 20:23:30 -08:00
Kir Kolyshkin 2c3792baf9 libct/specconv: make mountFlags and extensionFlags global
This makes the repeated calls to parseMountOptions faster,
and decreases the amount of garbage to collect.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-12 20:16:04 -08:00
Kir Kolyshkin 81586e1935 libct/specconv: reuse mountPropagationMapping in parseMountOptions
These two maps are the same, except that mountPropagationMapping
has an extra element with key of "" and value of 0. Since the
code already checks for f != 0, this extra element is not a problem.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-12 20:15:54 -08:00
Kir Kolyshkin 8fe1e8bf8c libct/specconv: rm some init allocations
Eliminate some of these allocations when starting runc:

> init github.com/opencontainers/runc/libcontainer/specconv @10 ms, 0.11 ms clock, 5408 bytes, 70 allocs

Most of this (4K) is the two regexes, which are left intact for now.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-12 20:15:37 -08:00
Kir Kolyshkin 712157f663 Revert "ci: temporarily disable criu repo gpg check"
This was a temporary kludge, which is no longer required.

This reverts commit c5ca778fa8.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-12 13:27:31 -08:00
Kir Kolyshkin f252eb5436 test/int/mount.bats: refer to github issue
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-12 12:10:46 -08:00
Kir Kolyshkin 7563a8f06d libct: wrap more unix errors
When I tried to start a rootless container under a different/wrong user,
I got:

	$ ../runc/runc --systemd-cgroup --root /tmp/runc.$$ run 445
	ERRO[0000] runc run failed: operation not permitted

This is obviously not good enough. With this commit, the error is:

	ERRO[0000] runc run failed: fchown fd 9: operation not permitted

Alas, there are still some code that returns unwrapped errnos from
various unix calls.

This is a followup to commit d8ba4128b2 which wrapped many, but not
all, bare unix errors. Do wrap some more, using either os.PathError or
os.SyscallError.

While at it,
 - use os.SyscallError instead of os.NewSyscallError;
 - use errors.Is(err, os.ErrXxx) instead of os.IsXxx(err).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-12 00:33:59 -08:00
Kir Kolyshkin db4ad6a7f1 libcontainer/system: rm Prlimit
It is now available from golang.org/x/sys/unix
(https://go-review.googlesource.com/c/sys/+/332029)

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-11 19:57:56 -08:00
Aleksa Sarai c1103d986f merge branch 'pr-3273'
Kir Kolyshkin (2):
  .cirrus.yml: silence vagrant up
  Vagrantfile.fedora: exclude systemd from upgrade

LGTMs: AkihiroSuda cyphar
2021-11-12 14:51:07 +11:00
Kir Kolyshkin 0880c001ab .cirrus.yml: silence vagrant up
This skips printing endless "Progress 0%" messages.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-11 19:19:57 -08:00
Kir Kolyshkin b028ecb352 Vagrantfile.fedora: exclude systemd from upgrade
A bug in systemd-249.6-2.fc35.x86_64 prevents rootless containers from
start when systemd manager is used.

Apparently, "config exclude" is not working in F35 dnf shell either, so
use a workaround of specifying --exclude from the command line.

This should fix runc CI for the time being.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-11 19:06:48 -08:00
Akihiro Suda cbd725e6ef Merge pull request #3223 from kolyshkin/refuse-bad-cgroup
run create/run/exec: refuse bad cgroup
2021-11-08 16:19:43 +09:00
Kir Kolyshkin 5948764a40 Merge pull request #3263 from thaJeztah/bump_mountinfo
go.mod: github.com/moby/sys/mountinfo v0.5.0
2021-11-07 23:14:44 -08:00
Kir Kolyshkin 8682983648 Merge pull request #3264 from thaJeztah/cirrus_go_version
ci/cirrus: update to Go 1.17.3
2021-11-07 23:12:53 -08:00
Sebastiaan van Stijn 12a36265c0 ci/cirrus: update to Go 1.17.3
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-11-05 17:17:12 +01:00
Sebastiaan van Stijn 02d527d26d go.mod: github.com/moby/sys/mountinfo v0.5.0
full diff: https://github.com/moby/sys/compare/mountinfo/v0.4.1...mountinfo/v0.5.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-11-05 17:10:46 +01:00
Sebastiaan van Stijn 0e21d56ed8 go.mod: golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359
full diff: https://github.com/golang/sys/compare/6f6e22806c34...69cdffdb9359

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-11-05 17:09:21 +01:00
Kir Kolyshkin ecdc966471 Merge pull request #3262 from opencontainers/dependabot/go_modules/github.com/checkpoint-restore/go-criu/v5-5.2.0
build(deps): bump github.com/checkpoint-restore/go-criu/v5 from 5.1.0 to 5.2.0
2021-11-04 22:42:52 -07:00
dependabot[bot] b2d64fed31 build(deps): bump github.com/checkpoint-restore/go-criu/v5
Bumps [github.com/checkpoint-restore/go-criu/v5](https://github.com/checkpoint-restore/go-criu) from 5.1.0 to 5.2.0.
- [Release notes](https://github.com/checkpoint-restore/go-criu/releases)
- [Commits](https://github.com/checkpoint-restore/go-criu/compare/v5.1.0...v5.2.0)

---
updated-dependencies:
- dependency-name: github.com/checkpoint-restore/go-criu/v5
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-11-05 04:16:40 +00:00
Kir Kolyshkin b6475489e3 Merge pull request #3257 from mengjiao-liu/sysctl-allow-slash
Fix the conversion of sysctl variable dots and slashes
2021-11-04 20:34:28 -07:00