Commit Graph

5259 Commits

Author SHA1 Message Date
Aleksa Sarai c7c70ce810 *: clean t.Skip messages
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-05-23 17:53:01 +10:00
Mrunal Patel 211aceec3b Merge pull request #2957 from haircommander/export-RangeToBits
libctr/cg/systemd: export rangeToBits
2021-05-21 13:36:16 -04:00
Peter Hunt a95237f816 libctr/cg/systemd: export rangeToBits
It's both a useful function, and sufficiently complex to discourage copying

Signed-off-by: Peter Hunt <pehunt@redhat.com>
2021-05-21 10:18:34 -04:00
Akihiro Suda 4d87573871 Merge pull request #2940 from kolyshkin/intelrdt-unit-test
libct/intelrdt: fix unit test
2021-05-20 13:43:20 +09:00
Aleksa Sarai 57d353df7b merge branch 'pr-2955'
Kir Kolyshkin (3):
  libct/cg/fs2: setFreezer: wait until frozen
  libct/cg/fs2: optimize setFreezer more
  libct/cg/fs2: optimize setFreezer

LGTMs: cyphar AkihiroSuda
Closes #2955
2021-05-20 14:25:41 +10:00
Kir Kolyshkin b93666ebc1 libct/cg/fs2: setFreezer: wait until frozen
According to cgroup v2 documentation [1]:

> Freezing of the cgroup may take some time; when this action is
> completed, the “frozen” value in the cgroup.events control file will
> be updated to “1” and the corresponding notification will be issued.

Implement polling of cgroup.events, waiting for "frozen 1" to appear.
In case something goes wrong, limit the maximum number of retries and
return "undefined" after some time (currently 10s).

[1] https://www.kernel.org/doc/html/latest/admin-guide/cgroup-v2.html

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-19 12:15:24 -07:00
Kir Kolyshkin 1069e4e9da libct/cg/fs2: optimize setFreezer more
Before this patch, setFreezer does

- open/read/close (to check if the freezer is supported)
- open/write/close (to set the value)
- open/read/close (to check the value)

Three opens is a bit excessive. Refactor to only open the file once:

- open (to check if the freezer is supported)
- write (to set the value)
- seek/read (to check the value)
- close

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-19 12:10:56 -07:00
Kir Kolyshkin 5d193188db libct/cg/fs2: optimize setFreezer
In case configs.Undefined or any wrong value is passed, there is no need
to check whether the freezer is supported.

Move arguments check to the beginning to avoid an unnecessary call to
supportFreezer().

While at it, simplify the "whether to return an error if freezer is not
supported" check.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-19 12:10:56 -07:00
Aleksa Sarai d3e5303429 Merge branch 'release-rc95'
Aleksa Sarai (3):
  VERSION: back to development
  VERSION: release v1.0.0-rc95
  rootfs: add mount destination validation

LGTMs: cyphar kolyshkin mrunalp AkihiroSuda
Closes GHSA-c3xm-pvg7-gh7r CVE-2021-30465
2021-05-19 19:20:54 +10:00
Aleksa Sarai 8a7a374f5b VERSION: back to development
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-05-19 16:59:42 +10:00
Aleksa Sarai b9ee9c6314 VERSION: release v1.0.0-rc95
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
v1.0.0-rc95
2021-05-19 16:59:00 +10:00
Aleksa Sarai 0ca91f44f1 rootfs: add mount destination validation
Because the target of a mount is inside a container (which may be a
volume that is shared with another container), there exists a race
condition where the target of the mount may change to a path containing
a symlink after we have sanitised the path -- resulting in us
inadvertently mounting the path outside of the container.

This is not immediately useful because we are in a mount namespace with
MS_SLAVE mount propagation applied to "/", so we cannot mount on top of
host paths in the host namespace. However, if any subsequent mountpoints
in the configuration use a subdirectory of that host path as a source,
those subsequent mounts will use an attacker-controlled source path
(resolved within the host rootfs) -- allowing the bind-mounting of "/"
into the container.

While arguably configuration issues like this are not entirely within
runc's threat model, within the context of Kubernetes (and possibly
other container managers that provide semi-arbitrary container creation
privileges to untrusted users) this is a legitimate issue. Since we
cannot block mounting from the host into the container, we need to block
the first stage of this attack (mounting onto a path outside the
container).

The long-term plan to solve this would be to migrate to libpathrs, but
as a stop-gap we implement libpathrs-like path verification through
readlink(/proc/self/fd/$n) and then do mount operations through the
procfd once it's been verified to be inside the container. The target
could move after we've checked it, but if it is inside the container
then we can assume that it is safe for the same reason that libpathrs
operations would be safe.

A slight wrinkle is the "copyup" functionality we provide for tmpfs,
which is the only case where we want to do a mount on the host
filesystem. To facilitate this, I split out the copy-up functionality
entirely so that the logic isn't interspersed with the regular tmpfs
logic. In addition, all dependencies on m.Destination being overwritten
have been removed since that pattern was just begging to be a source of
more mount-target bugs (we do still have to modify m.Destination for
tmpfs-copyup but we only do it temporarily).

Fixes: CVE-2021-30465
Reported-by: Etienne Champetier <champetier.etienne@gmail.com>
Co-authored-by: Noah Meyerhans <nmeyerha@amazon.com>
Reviewed-by: Samuel Karp <skarp@amazon.com>
Reviewed-by: Kir Kolyshkin <kolyshkin@gmail.com> (@kolyshkin)
Reviewed-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-05-19 16:58:35 +10:00
Aleksa Sarai c01a56034f merge branch 'pr-2954'
Giuseppe Scrivano (1):
  libcontainer: honor seccomp defaultErrnoRet

LGTMs: kolyshkin cyphar
Closes #2954
2021-05-18 17:00:37 +10:00
Giuseppe Scrivano c61f606254 libcontainer: honor seccomp defaultErrnoRet
https://github.com/opencontainers/runtime-spec/pull/1087 added support
for defaultErrnoRet to the OCI runtime specs.

If a defaultErrnoRet is specified, disable patching the generated
libseccomp cBPF.

Closes: https://github.com/opencontainers/runc/issues/2943

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2021-05-17 09:23:32 +02:00
Mrunal Patel 5c4ccc2f72 Merge pull request #2938 from kolyshkin/libct-int-nts
libcontainer/integration: nits
2021-05-14 19:15:38 -04:00
Mrunal Patel 5fe1e98a49 Merge pull request #2945 from kolyshkin/update-sh
ci/gha: bump shfmt and shellcheck
2021-05-14 19:14:30 -04:00
Mrunal Patel 0b6d3e5e8e Merge pull request #2932 from kolyshkin/ci-go116
CI: bump go 1.16, bats 1.3.0
2021-05-14 19:14:12 -04:00
Kir Kolyshkin d519da5eb0 Dockerfile, Vagrantfile.centos7, .github: bats 1.3.0
Bump from bats 1.2.1 to 1.3.0.

Changes: https://github.com/bats-core/bats-core/releases/tag/v1.3.0

NOTE we're already using bats 1.3.0 on Fedora CI.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-12 11:34:54 -07:00
Kir Kolyshkin bdad2859f7 Dockerfile, Vagrantfile.centos7: use go 1.16
Dockerfile: switch from go 1.15 to go 1.16.x.

Vagrantfile.centos7: switch from go 1.15 to go 1.16.4.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-12 11:33:58 -07:00
Kir Kolyshkin 4e50d1c163 Merge pull request #2950 from cyphar/add-emeritus
EMERITUS: recognise previous maintainers
2021-05-11 11:44:58 -07:00
Aleksa Sarai f96530f2e4 EMERITUS: recognise previous maintainers
It's long past due that we recognise former maintainers for their work.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-05-12 01:12:12 +10:00
Aleksa Sarai 4d72b368af Merge branch 'pr-2927'
Aleksa Sarai (2):
  VERSION: release v1.0.0-rc94
  VERSION: back to development

Vote: +6 -0 !1
Closes #2927
2021-05-11 00:41:34 +10:00
Aleksa Sarai c73a6626be VERSION: back to development
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-05-10 11:17:40 +10:00
Aleksa Sarai 2c7861bc5e VERSION: release v1.0.0-rc94
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
v1.0.0-rc94
2021-05-10 11:17:34 +10:00
Aleksa Sarai 62250c13fe merge branch 'pr-2944'
Kir Kolyshkin (8):
  tests/int/helpers: rm old code
  libct/cg/sd/v2: call initPath from Path
  tests/int/update.bats: don't set cpuset in setup
  tests/int/helpers: generalize require cgroups_freezer
  tests/int: enable/use requires cgroups_<ctrl>
  tests/int/cgroups: don't check for hugetlb
  tests/int: run rootless_cgroup tests for v2+systemd
  Vagrantfile.fedora: set Delegate=yes

LGTMs: AkihiroSuda cyphar
Closes #2944
2021-05-10 11:16:11 +10:00
Kir Kolyshkin 12e9cac902 Vagrantfile.fedora: set Delegate=yes
Instead of listing all individual controllers we want to be delegated,
just say "yes" which means "all the controllers that are available".

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-07 22:07:33 -07:00
Kir Kolyshkin ac70a9a1b2 tests/int: run rootless_cgroup tests for v2+systemd
Before this commit, "require rootless_cgroup" feature check required "cgroup"
to be present in ROOTLESS_FEATURES. The idea of the requirement, though, is
to ensure that rootless runc can manage cgroups.

In case of systemd + cgroup v2, rootless runc can manage cgroups,
thanks to systemd delegation, so modify the feature check accordingly.

Next, convert (simplify) some of the existing users to the modified check.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-07 22:07:27 -07:00
Kir Kolyshkin 601cf5825f tests/int/cgroups: don't check for hugetlb
Systemd is not able to delegate hugetlb controller, and it is needed for
cgroup v2 + systemd + rootless case (which is currently skipped because
of "requires rootless_cgroup", but will be enabled by a later commit).

The failure being fixed looks like this:

> not ok 4 runc create (limits + cgrouppath + permission on the cgroup dir) succeeds
> # (from function `check_cgroup_value' in file /vagrant/tests/integration/helpers.bash, line 188,
> #  in test file /vagrant/tests/integration/cgroups.bats, line 53)
> #   `check_cgroup_value "cgroup.controllers" "$(cat /sys/fs/cgroup/user.slice/user-$(id -u).slice/cgroup.controllers)"' failed
> # <....>
> # /sys/fs/cgroup/user.slice/user-2000.slice/user@2000.service/machine.slice/runc-cgroups-integration-test-20341.scope/cgroup.controllers
> # current cpuset cpu io memory pids !? cpuset cpu io memory hugetlb pids

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-07 22:07:25 -07:00
Kir Kolyshkin 40b9791916 tests/int: enable/use requires cgroups_<ctrl>
1. In case of cgroup v2 + systemd + rootless, get the list of controllers from
   the own cgroup, rather than from the root one (as systemd cgroup delegation
   is required in this case, and it might not be set or fully working).

2. Use "requires cgroups_<controller>" in tests that need those
   controllers.

Tested on Fedora 31 (which does not support delegation of cpuset controller).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-07 22:07:08 -07:00
Kir Kolyshkin 44fcbfd68f tests/int/helpers: generalize require cgroups_freezer
With this, something like cgroups_pids can be used (to be added
by the next commit).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-07 22:06:13 -07:00
Kir Kolyshkin 353f2ad193 tests/int/update.bats: don't set cpuset in setup
Setting cpuset.cpus requires cpuset controller, which might
not be available in case of cgroup v2 + systemd < 244.

Rather than require cpuset support from every test case, do not set the initial
cpuset value from setup(), and do not check it.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-07 22:06:08 -07:00
Kir Kolyshkin 4f8ccc5ff5 libct/cg/sd/v2: call initPath from Path
Sometimes Path() is called before m.path is initialized (in particular,
this happens from (*linuxContainer).newInitConfig), so we do need to
make sure to call initPath.

This fixes the following integration tests (for cgroup v2 + systemd case,
currently not enabled -- to be enabled by further commits):

 *  runc run (blkio weight)
 * runc run (cgroupv2 mount inside container)

Fixes: ff692f289b ("Fix cgroup2 mount for rootless case")
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-07 22:05:56 -07:00
Kir Kolyshkin 0ed1f8022d tests/int/helpers: rm old code
This was added by commit ca4f427af, together with set_resources_limit,
and was needed for the latter, since sed was used to update resources.

Now when we switched to jq in commit 79fe41d3c1, this kludge is no
longer needed.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-07 22:05:49 -07:00
Qiang Huang fc8a0d97a9 Merge pull request #2913 from liusdu/interative
tiny fix iterative checkpoint test case
2021-05-08 10:16:30 +08:00
Akihiro Suda f577072d61 Merge pull request #2937 from kolyshkin/dbus-cm-leak-alt
libct/cg/sd: fix dbus connection leak (alternative)
2021-05-08 03:18:52 +09:00
Kir Kolyshkin af2e03c50f ci/gha: bump shellcheck 0.7.1 -> 0.7.2
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-06 20:11:09 -07:00
Kir Kolyshkin 2d1bb91dca ci/gha: bump shfmt 3.2.0 -> 3.2.4
Changes: https://github.com/mvdan/sh/releases

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-06 20:09:52 -07:00
Kir Kolyshkin a7feb42395 libct/int: add TestFdLeaksSystemd
Add a test to check that container.Run do not leak file descriptors.

Before the previous commit, it fails like this:

    exec_test.go:2030: extra fd 8 -> socket:[659703]
    exec_test.go:2030: extra fd 11 -> socket:[658715]
    exec_test.go:2033: found 2 extra fds after container.Run

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-06 12:37:55 -07:00
Kir Kolyshkin c7f847ed3a libct/cg/sd: use global dbus connection
Using per cgroup manager dbus connection instances means
that every cgroup manager instance gets a new connection,
and those connections are never closed, ultimately resulting
in file descriptors limit being hit.

Revert back to using a single global dbus connection for everything,
without changing the callers.

NOTE that it is assumed a runtime can't use both root and rootless
dbus at the same time. If this happens, we panic.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-06 12:37:55 -07:00
Kir Kolyshkin 99c5c504ea libct/cg/sd: introduce and use getManagerProperty
Commit 47ef9a104f forgot to wrap GetManagerProperty("ControlGroup")
into retryOnDisconnect. Since there's one other user of
GetManagerProperty, add getManagerProperty wrapper and use it.

Fixes: 47ef9a104f

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-06 12:37:55 -07:00
Kir Kolyshkin 0fabed76c1 libct/int/checkpoint_test: use kill(0) for pid check
os.FindProcess never returns an error on Unix/Linux.
Use kill(0) to actually check if the process exists.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-06 12:36:24 -07:00
Kir Kolyshkin 7eb1405b60 libct/int/checkpoint_test: use waitProcess helper
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-06 12:36:24 -07:00
Kir Kolyshkin 72d7a8249d libct/int/checkpoint_test: use t.Helper
Otherwise showFile log statements show its own file/line info,
rather than that of the caller's.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-06 12:36:24 -07:00
Kir Kolyshkin bcca796848 libct/int: simplify/fix showing errors
Instead of manually figuring out the file and line number of the caller,
use t.Helper() so t.Fatal prints the correct one.

Before:
> utils_test.go:85: exec_test.go:536: unexpected error: container_linux.go:380: starting container process caused: exec: "catt": executable file not found in $PATH

After:
> exec_test.go:536: unexpected error: container_linux.go:380: starting container process caused: exec: "catt": executable file not found in $PATH

(the error is introduced by s/cat/catt/)

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-06 12:36:24 -07:00
Kir Kolyshkin ee36ccf591 Merge pull request #2941 from kolyshkin/another-kludge-to-fix-freeze
freezer: add delay after freeze

LGTMs: AkihiroSuda mrunalp dqminh
2021-05-06 12:28:53 -07:00
Kir Kolyshkin 524abc59f4 freezer: add delay after freeze
I hate to keep adding those kludges, but lately TestFreeze (and
TestSystemdFreeze) from libcontainer/integration fails a lot. The
failure comes and goes, and is probably this is caused by a slow host
allocated for the test, and a slow VM on top of it.

To remediate, add a small sleep on every 25th iteration in between
asking the kernel to freeze and checking its status.

In the worst case scenario (failure to freeze), this adds about 0.4 ms
(40 x 10 us) to the duration of the call.

It is hard to measure how this affects CI as GHA plays a roulette when
allocating a node to run the test on, but it seems to help. With
additional debug info, I saw somewhat frequent "frozen after 24 retries"
or "frozen after 49 retries", meaning it succeeded right after the added
sleep.

While at it, rewrite/improve the comments.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-06 10:51:46 -07:00
Kir Kolyshkin e1d842cfa6 libct/intelrdt: fix unit test
1. These tests can't be run in parallel since they do check
   a global variable (mbaScEnabled).

2. findIntelRdtMountpointDir() relies on mbaScEnabled to be initially
   set to the default value (false) and this the test fails if run
   more than once:

> go test -count 2
> ...
> intelrdt_test.go:243: expected mbaScEnabled=false, got true
>    --- FAIL: TestFindIntelRdtMountpointDir/Valid_mountinfo_with_MBA_Software_Controller_disabled (0.00s)

Fixes: 2c70d2384
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-05 14:07:10 -07:00
Akihiro Suda 4638b379fc Merge pull request #2929 from bwh-mind/ppc32
Update golang.org/x/sys to add linux/ppc support
2021-05-06 03:52:42 +09:00
Akihiro Suda f9176c909a Merge pull request #2909 from kolyshkin/libct-int-better-names
libct/int: misc cleanups and fixes
2021-05-06 02:21:19 +09:00
Mrunal Patel 2965ffc7e3 Merge pull request #2933 from oss-qm/submit/makefile_go_cmd
Makefile: allow overriding go command by environment
2021-05-04 09:57:45 -07:00