Commit Graph

5293 Commits

Author SHA1 Message Date
Shiming Zhang adf733fa64 vendor: update go-systemd and godbus
Signed-off-by: Shiming Zhang <wzshiming@foxmail.com>
2021-04-01 20:54:13 +08:00
Kir Kolyshkin bed4d89f57 Merge pull request #2807 from kolyshkin/google-golang-protobuf
go.mod, libct: switch to google.golang.org/protobuf
2021-03-31 20:34:16 -07:00
Kir Kolyshkin f09a3e1b8d tests/int: don't set/use CGROUP_XXX variables
Helper function init_cgroup_paths sets two sets of cgroup path variables
for cgroup v1 case (below XXX is cgroup controller name, e.g. MEMORY):

1. CGROUP_XXX_BASE_PATH -- path to XXX controller mount point
   (e.g. CGROUP_MEMORY_BASE_PATH=/sys/fs/cgroup/memory);

2. CGROUP_XXX -- path to the particular container XXX controller cgroup
   (e.g. CGROUP_MEMORY=/sys/fs/cgroup/memory/runc-cgroups-integration-test/test-cgroup).

The second set of variables is mostly used by check_cgroup_value(),
with only two exceptions:
 - CGROUP_CPU in @test "update rt period and runtime";
 - few CGROUP_XXX in @test "runc delete --force in cgroupv1 with
   subcgroups".

Remove these variables, as their values are not used much
and are easy to get (as can be seen in modified test cases).

While at it, mark some variables as local.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-03-31 20:24:46 -07:00
Kir Kolyshkin 4ecff8d9d8 start: don't kill runc init too early
The stars can be aligned in a way that results in runc to leave a stale
bind mount in container's state directory, which manifests itself later,
while trying to remove the container, in an error like this:

> remove /run/runc/test2: unlinkat /run/runc/test2/runc.W24K2t: device or resource busy

The stale mount happens because runc start/run/exec kills runc init
while it is inside ensure_cloned_binary(). One such scenario is when
a unified cgroup resource is specified for cgroup v1, a cgroup manager's
Apply returns an error (as of commit b006f4a180), and when
(*initProcess).start() kills runc init just after it was started.

One solution is NOT to kill runc init too early. To achieve that,
amend the libcontainer/nsenter code to send a \0 byte to signal
that it is past the initial setup, and make start() (for both
run/start and exec) wait for this byte before proceeding with
kill on an error path.

While at it, improve some error messages.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-03-31 14:36:52 -07:00
Kir Kolyshkin b118430231 libct/configs/validator: add some cgroup support
Add some minimal validation for cgroups. The following checks
are implemented:

 - cgroup name and/or prefix (or path) is set;
 - for cgroup v1, unified resources are not set;
 - for cgroup v2, if memorySwap is set, memory is also set,
   and memorySwap > memory.

This makes some invalid configurations fail earlier (before runc init
is started), which is better.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-03-31 14:36:52 -07:00
Kir Kolyshkin 0f8d2b6bed libct/cg/fs2.Stat: don't look for available controllers
Some controllers might still have stats available even if they are
disabled (this is definitely so for cpu.stat -- see earlier commit).

Some stat methods might implement sensible fallbacks (see previous
commit for statPids.

In the view of all that, it makes sense to not check if a particular
controller is available, but rather ignore ENOENT from it.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-03-31 12:16:14 -07:00
Kir Kolyshkin 85416b8742 libct/cg/fs2.statPids: fall back directly
When getting pids stats, instead of checking whether the pids controller
is available, let's use a fall back function in case pids.current does
not exist. This simplifies the logic in fs2.GetStats.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-03-31 12:03:12 -07:00
Kir Kolyshkin 10f9a982ac libct/cg/fs2/getPidsWithoutController: optimize
It is inefficient to create an associative map for the whole purpose of
counting the number of elements in it, especially if the elements are
all unique. It uses more CPU than necessary and creates some work for
the garbage collector.

The file we read contains PIDs and newlines, and the easiest/fastest way
to get the number of PIDs is just to count the newlines.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-03-31 11:55:07 -07:00
Kir Kolyshkin 6121f8b69f libct/cg/fs2.Stat: always call statCpu
Giuseppe found out that cpu.stat for a cgroup is available even if
the cpu controller is not enabled for it. So, let's call statCpu
regradress, and ignore ENOENT.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-03-31 11:40:28 -07:00
Kir Kolyshkin 9455395b06 libct/cg/fs2/memory.Stat: add usage for root cgroup
There is no memory.{current,max} for the root node in cgroup v2, and
thus stats for "/sys/fs/cgroup" return an error.

The same thing works with cgroup v1 (as there are
memory.{usage,limit}_in_bytes files in the root node).

Emulate stats for /sys/fs/cgroup by getting numbers from
/proc/self/meminfo.

NOTE that both memory.current (in cgroup v2) and memory.usage_in_bytes
(in cgroup v1) include page cache etc into the number, so we do the same
when calculating memory usage (as opposed to number reported by "free",
which excludes page cache and buffers).

[v2: check for cgroup files first, as future kernels might add it]
[v3: don't subtract cache from mem_used, simplifying the logic]

[Initially, I wanted to avoid parsing yet another /proc file and
instead mock some numbers using data from memory.stat but was
unable to come up with formulae that make sense.]

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-03-31 11:14:49 -07:00
Kir Kolyshkin a9c47fe70f libct/cg/fs[2]/getMemoryData[V2]: optimize
Existing code ignores ENOENT error in case we're reading data from
controls that might not be enabled. While this is correct, the code
can be improved:

1. Check name != "" instead of moduleName != "memory", as these checks
   are equivalent but the new one is faster.

2. It does not make sense to ignore subsequent errors -- if the control
   is not available, we won't hit this codepath.

3. Add a comment explaining why we ignore the error.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-03-31 11:14:49 -07:00
Kir Kolyshkin b99ca25ad0 libct/cg/fs2/memory: fix swap reporting
cgroup v1 reports combined mem+swap in stats.MemoryStats.SwapUsage.
In cgroup v2, swap is separate.

For the sake of compatibility, make v2 report mem+swap as well.
This also includes Limit.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-03-31 11:14:49 -07:00
Akihiro Suda a1270a6ae9 Merge pull request #2802 from kolyshkin/run-leaks
libct: fix some container.Run fd leaks, add fd leak test
2021-03-31 12:42:43 +09:00
Kir Kolyshkin 79a8647b81 libct/int: add TestFdLeaks
This is a very simple test that checks that container.Run do not leak
opened file descriptors.

In fact it does, so we have to add two exclusions:

1. /sys/fs/cgroup is opened once per lifetime in prepareOpenat2(),
    provided that cgroupv2 is used and openat2 is available. This
    works as intended ("it's not a bug, it's a feature").

2. ebpf program fd is leaked every time we call setDevices() for
   cgroupv2 (iow, every container.Run or container.Set leaks 1 fd).
   This needs to be fixed, thus FIXME.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-03-30 19:58:09 -07:00
Kir Kolyshkin b3be2b0b4f libct: close execFifo after start
Apparently, the parent never closes execFifo fd. Not a problem for runc
per se, but can be an issue for a user of libcontainer.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-03-30 19:58:09 -07:00
Kieron Browne 08b5279797 Make test specific to disassembleFilter function
TestPatchHugeSeccompFilterDoesNotBlock is only testing the
disassembleFilter function. There is no need to invoke PatchAndLoad
which has the side effect of loading a seccomp profile.

Co-authored-by: Danail Branekov <danailster@gmail.com>
Co-authored-by: Kieron Browne <kbrowne@vmware.com>
Signed-off-by: Kieron Browne <kbrowne@vmware.com>
Signed-off-by: Danail Branekov <danailster@gmail.com>
2021-03-30 12:31:14 +03:00
Danail Branekov 7b3e0bcf29 Ensure the scratch pipe is read during ExportBPF
There is a potential deadlock where the ExportBPF method call writes to
a pipe but the pipe is not read until after the method call returns.
ExportBPF might fill the pipe buffer, in which case it will block
waiting for a read on the other side which can't happen until the method
returns.

Here we concurrently read from the pipe into a buffer to ensure
ExportBPF will always return.

Co-authored-by: Kieron Browne <kbrowne@vmware.com>
Co-authored-by: Danail Branekov <danailster@gmail.com>
Signed-off-by: Kieron Browne <kbrowne@vmware.com>
Signed-off-by: Danail Branekov <danailster@gmail.com>
2021-03-30 12:29:35 +03:00
Mrunal Patel b79201f280 Merge pull request #2874 from KentaTada/add-security-configs-r93
script/check-config.sh: add SELinux and AppArmor
2021-03-29 13:45:41 -07:00
Mrunal Patel f8987a5c8c Merge pull request #2877 from kolyshkin/cpt-debug
tests/int/cpt: better debug
2021-03-29 10:31:01 -07:00
Kir Kolyshkin 62f1f0e499 tests/int/checkpoint: check all logs for errors
This is to help debug issue #2805.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-03-28 11:17:23 -07:00
Kir Kolyshkin 346cb35922 Revert "tests/checkpoint: show full log lazy pages cpt"
The full log is very long and it did not gave us any additional clues.

This reverts commit 053e15c001.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-03-28 10:54:36 -07:00
Kir Kolyshkin 2400e5e36e Merge pull request #2860 from kolyshkin/validate-c
fix/simplify scripts/validate-c, fix *.c formatting
2021-03-28 10:17:34 -07:00
Kenta Tada c9b3787b60 script/check-config.sh: add SELinux and AppArmor
SELinux and AppArmor are always enabled since runc v1.0.0-rc93

Signed-off-by: Kenta Tada <Kenta.Tada@sony.com>
2021-03-27 10:27:23 +09:00
Sebastiaan van Stijn 5fb831a0fa capabilities: WARN, not ERROR, for unknown / unavailable capabilities
This updates handling of capabilities to match the updated runtime specification,
in https://github.com/opencontainers/runtime-spec/pull/1094.

Prior to that change, the specification required runtimes to produce a (fatal)
error if a container configuration requested capabilities that could not be
granted (either the capability is "unknown" to the runtime, not supported by the
kernel version in use, or not available in the environment that the runtime
operates in).

This caused problems in situations where the runtime was running in a restricted
environment (for example, docker-in-docker), or if there is a mismatch between
the list of capabilities known by higher-level runtimes and the OCI runtime.

Some examples:

- Kernel 5.8 introduced CAP_PERFMON, CAP_BPF, and CAP_CHECKPOINT_RESTORE
  capabilities. Docker 20.10.0 ("higher level runtime") shipped with
  an updated list of capabilities, and when creating a "privileged" container,
  would determine what capabilities are known by the kernel in use, and request
  all those capabilities (by including them in the container config).
  However, runc did not yet have an updated list of capabilities, and therefore
  reject the container specification, producing an error because the new
  capabilities were "unknown".
- When running nested containers, for example, when running docker-in-docker,
  the "inner" container may be using a more recent version of docker than the
  "outer" container. In this situation, the "outer" container may be missing
  capabilities that the inner container expects to be supported (based on
  kernel version). However, starting the container would fail, because the OCI
  runtime could not grant those capabilities (them not being available in the
  environment it's running in).

WARN (but otherwise ignore) capabilities that cannot be granted
--------------------------------------------------------------------------------

This patch changes the handling to WARN (but otherwise ignore) capabilities that
are requested in the container config, but cannot be granted, alleviating higher
level runtimes to detect what capabilities are supported (by the kernel, and
in the current environment), as well as avoiding failures in situations where
the higher-level runtime is aware of capabilities that are not (yet) supported
by runc.

Impact on security
--------------------------------------------------------------------------------

Given that `capabilities` is an "allow-list", ignoring unknown capabilities does
not impose a security risk; worst case, a container does not get all requested
capabilities granted and, as a result, some actions may fail.

Backward-compatibility
--------------------------------------------------------------------------------

This change should be fully backward compatible. Higher-level runtimes that
already dynamically adjust the list of requested capabilities can continue to do
so. Runtimes that do not adjust will see an improvement (containers can start
even if some of the requested capabilities are not granted). Container processes
MAY fail (as described in "impact on security"), but users can debug this
situation either by looking at the warnings produces by the OCI runtime, or using
tools such as `capsh` / `libcap` to get the list of actual capabilities in the
container.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-03-26 21:23:00 +01:00
Sebastiaan van Stijn e49d5da219 go.mod: OCI runtime-spec v1.0.3-0.20210326190908-1c3f411f0417
full diff: https://github.com/opencontainers/runtime-spec/compare/a8c4a9ee0f6b...1c3f411f0417

- Fix seccomp notify inconsistencies
    - seccomp: Add missing const for seccomp notify action
    - schema/defs-linux: Fix inconsistencies with seccomp notify
- Proposal: runtime should ignore capabilities that cannot be granted

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-03-26 21:22:58 +01:00
Mrunal Patel 3505f15e35 Merge pull request #2834 from AkihiroSuda/cache-vagrant
CI: cache ~/.vagrant.d/boxes
2021-03-26 11:33:33 -07:00
Mrunal Patel 1827254afe Merge pull request #2870 from kolyshkin/seccomp-version
libct/seccomp: remove IsEnabled
2021-03-26 11:20:55 -07:00
Mrunal Patel 547951061e Merge pull request #2835 from kolyshkin/fix-init-log-race
Fix init log forwarding race
2021-03-26 11:17:03 -07:00
Akihiro Suda 5df79d5c3d Merge pull request #2820 from dqminh/io-cgroup2-fallback
fs2: fallback to setting io.weight if io.bfq.weight
2021-03-26 18:58:51 +09:00
Kir Kolyshkin 2726146b04 runc --debug: more tests
First, add runc --debug exec test cases, very similar to those in
debug.bats but for runc exec (rather than runc run). Do not include json
tests as it is already tested in debug.bats.

Second, add logrus debug to late stages of runc init, and amend the
integration tests to check for those messages. This serves two purposes:

 - demonstrate that runc init can be amended with debug logrus which is
   properly forwarded to and logged by the parent runc create/run/exec;

 - improve the chances to catch the race fixed by the previous commit.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-03-25 19:19:20 -07:00
Kir Kolyshkin 201d60c51d runc run/start/exec: fix init log forwarding race
Sometimes debug.bats test cases are failing like this:

> not ok 27 global --debug to --log --log-format 'json'
> # (in test file tests/integration/debug.bats, line 77)
> #   `[[ "${output}" == *"child process in init()"* ]]' failed

It happens more when writing to disk.

This issue is caused by the fact that runc spawns log forwarding goroutine
(ForwardLogs) but does not wait for it to finish, resulting in missing
debug lines from nsexec.

ForwardLogs itself, though, never finishes, because it reads from a
reading side of a pipe which writing side is not closed. This is
especially true in case of runc create, which spawns runc init and
exits; meanwhile runc init waits on exec fifo for arbitrarily long
time before doing execve.

So, to fix the failure described above, we need to:

 1. Make runc create/run/exec wait for ForwardLogs to finish;

 2. Make runc init close its log pipe file descriptor (i.e.
    the one which value is passed in _LIBCONTAINER_LOGPIPE
    environment variable).

This is exactly what this commit does:

 1. Amend ForwardLogs to return a channel, and wait for it in start().

 2. In runc init, save the log fd and close it as late as possible.

PS I have to admit I still do not understand why an explicit close of
log pipe fd is required in e.g. (*linuxSetnsInit).Init, right before
the execve which (thanks to CLOEXEC) closes the fd anyway.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-03-25 19:18:55 -07:00
Kir Kolyshkin c06f999b76 libct/logs/test: refactor
- add check, checkWait, and finish helpers;
 - move test cleanup to runLogForwarding;
 - introduce and use log struct.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-03-25 18:58:30 -07:00
Kir Kolyshkin 688ea99e1b runc init: fix double call to ConfigureLogs
I have noticed that ConfigureLogs do not return an error in case logging
was already configured -- instead it just warns about it. So I went
ahead and changed the warning to the actual error...

... only to discover I broke things badly, because in case of runc init
logging is configured twice. The fix is to not configure logging in case
we are init.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-03-25 18:56:15 -07:00
Kir Kolyshkin dd6c8d76bb main: cast Chmod argument to os.FileMode
This fixes a big red warning in my vim.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-03-25 18:56:15 -07:00
Kir Kolyshkin 69ec21a12f libct/logs.ForwardLogs: use bufio.Scanner
Error handling is slightly cleaner this way.

While at it, do minor refactoring and fix error logging
in processEntry.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-03-25 18:56:15 -07:00
Kir Kolyshkin 0300299a72 tests/int/debug.bats: fixups
1. Remove redundant "echo $output" from the first test case, as "runc"
   helper function already logs the output.

2. Show the contents of log.out to stderr, so it case of error we can
   see what is going on.

3. Remove the check that `log.out` file exists. This check is redundant,
   since right after it we do `cat log.out` and check its exit code.

4. Factor out common checks into check_debug.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-03-25 18:56:15 -07:00
Kir Kolyshkin d38d1f9f79 libcontainer/logs: use int for Config.LogPipeFd
It does not make sense to have a string for a numeric type.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-03-25 18:56:15 -07:00
Kir Kolyshkin ac93746c4d libct/seccomp: rm IsEnabled
seccomp.IsEnabled is not well defined (the presence of Seccomp: field
in /proc/self/status does not tell us whether CONFIG_SECCOMP_FILTER
is enabled in the kernel; parsing all keys in /proc/self/status is a
moderate waste of resources, etc).

I traced its addition back to [1] and even in there it is not clear
what for it was added. There were never an internal user (except
for the recently added one, removed by the previous commit), and
can't find any external users (but found two copy-pastes of this
code, suffering from the same problems, see [2] and [3]).

Since it is broken and has no users, remove it.

[1] https://github.com/opencontainers/runc/pull/471
[2] https://github.com/containerd/containerd/blob/master/pkg/seccomp/seccomp_linux.go
[3] https://github.com/containers/common/blob/master/pkg/seccomp/supported.go

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-03-23 16:59:46 -07:00
Kir Kolyshkin 9b2f1e6fb6 runc version: don't use seccomp.IsEnabled
As pointed out to in [1], seccomp.IsEnabled does some runtime checks,
while here (when printing libseccomp version) we should merely print
the version number of libseccomp, if compiled in.

Change the code to check if the version is non-zero (as seccomp.Version
returns 0, 0, 0 in case seccomp is not compiled in.

[1] https://github.com/opencontainers/runc/pull/2866

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-03-23 16:10:08 -07:00
Daniel Dao c8e0486f0f Fix oss-fuzz build
THis fixes incorrect module path and also add proper tags for
FuzzUIDMap.

Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32109#c1

Signed-off-by: Daniel Dao <dqminh89@gmail.com>
2021-03-23 11:22:09 +00:00
Kir Kolyshkin ec7ca2a9d8 Merge pull request #2851 from thaJeztah/fix_build_tags
Fix build-tags in libcontainer/devices
2021-03-22 20:34:23 -07:00
Kir Kolyshkin 010d0a3f8b Merge pull request #2867 from KentaTada/fix-seccomp-kernel-config
script/check-config.sh: add CONFIG_SECCOMP_FILTER
2021-03-22 15:53:46 -07:00
Akihiro Suda 3cc9670dd4 Merge pull request #2863 from thaJeztah/runc_refactor_caps
capabilities.Caps: use a map for capability-types
2021-03-22 14:33:35 +09:00
Akihiro Suda e112c95b30 Merge pull request #2852 from thaJeztah/apparmor_once 2021-03-22 03:07:26 +09:00
Kenta Tada d76309f911 script/check-config.sh: add CONFIG_SECCOMP_FILTER
CONFIG_SECCOMP_FILTER is actually used in runc.

Signed-off-by: Kenta Tada <Kenta.Tada@sony.com>
2021-03-21 13:55:12 +09:00
Sebastiaan van Stijn 997e89420d capabilities.Caps: use a map for capability-types
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-03-19 11:21:08 +01:00
Kir Kolyshkin 41f466d89d nsexec.c: fix formatting for netlink defines
They were not aligned, and the last two had spaces not tabs.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-03-18 16:56:14 -07:00
Kir Kolyshkin 522bd64187 Fix checking C code formatting
Apparently, scripts/validate-c is not working in CI (or maybe
maintainers ignored the failures from it) -- current C code
gets some changes if we run indent on it.

This commit fixes this, simplifying things along the way.

 In particular:

1. Remove "validate" make target, add "cfmt" target that just runs
   indent on all *.c files in the repository (NOTE that *.h files
   are not included, as before).

   This may help a contributor to fix their code -- they just need
   to run "make cfmt" now instead of running "make validate" and
   copy-pasting the indent command and options from the hint.

2. Split GHA validate/misc into validate/release and validate/cfmt.
   The latter checks that the sources are not changed after "make cfmt".

3. Adds a few more options to indent. This was mostly motivated by
   trying to save the existing formatting, minimizing the amount of
   changes indent produces.

   The new options are:

   * -il0: sets the offset for goto labels to 0 (currently all labels
     but one are not indented -- let's keep it that way);

   * -ppi2: sets the indentation for nested preprocessor directives
     to 2 spaces (same as it is done in "SYS_memfd_create" defines);

   * -cp1: sets the indentation between #else / #endif and the
     following comment to 1 space.

4. Reformat the code using the new indent options.

5. Remove the now-unused script/{.validate,validate-c}.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-03-18 16:56:09 -07:00
Kir Kolyshkin 1948b4cee8 cloned_binary.c: rm redundant comments
Remove comments with architectures when defining SYS_memfd_create,
as they are redundant, and indent has a funny way of indenting them.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-03-18 16:53:44 -07:00
Kir Kolyshkin b67deb567a nsexec.c: rm a block
This block apparently does nothing except for creating
a need for additional indentation. Remove it.

While at it, break a long line in this code.

No functional change.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-03-17 13:08:20 -07:00