Commit Graph

7096 Commits

Author SHA1 Message Date
Aleksa Sarai f2ec540997 merge #4484 into opencontainers/runc:main
Akihiro Suda (1):
  docs: remove prompt symbols from shell snippets

LGTMs: kolyshkin cyphar
2024-10-29 11:58:35 +11:00
Akihiro Suda c8f5d033c2 docs: remove prompt symbols from shell snippets
Remove prompt symbols (`$`, `%`) for ease of copy-pasting

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-10-29 01:38:24 +09:00
Rodrigo Campos 4ad9f7fd36 Merge pull request #4432 from kolyshkin/exec-bench
libct/int: add exec benchmark
2024-10-25 10:48:26 +02:00
Aleksa Sarai 22106a4c66 merge #4473 into opencontainers/runc:main
lifubang:
  test join other container userns with selinux enabled
  libct/nsenter: become root after joining userns

LGTMs: AkihiroSuda cyphar
2024-10-25 18:22:08 +11:00
lifubang 34a928550f test join other container userns with selinux enabled
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-10-25 14:01:05 +08:00
lifubang c78f3f2ea0 libct/nsenter: become root after joining userns
Containerd pre-creates userns and netns before calling runc, which
results in the current code not working when SELinux is enabled,
resulting in the following error:

> runc create failed: unable to start container process: error during
container init: error mounting "mqueue" to rootfs at "/dev/mqueue":
setxattr /path/to/rootfs/dev/mqueue: operation not permitted

The solution is to become root in the user namespace right after
we join it.

Fixes #4466.

Co-authored-by: Wei Fu <fuweid89@gmail.com>
Co-authored-by: Kir Kolyshkin <kolyshkin@gmail.com>
Co-authored-by: Aleksa Sarai <cyphar@cyphar.com>
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-10-25 13:40:49 +08:00
Kir Kolyshkin 1e674098f5 libct/int: add exec benchmark
This is a benchmark which checks how fast we can execute /bin/true
inside a container.

Results from my machine are below. As you can see, in default setup
about 70% of exec time is spent for CVE-2019-5736 (copying runc binary),
and using either RUNC_DMZ=true or memfd-bind helps a lot.

This can also be used for profiling (using -test.cpuprofile option).

=== Default setup ===

[kir@kir-tp1 integration]$ sudo ./integration.test -test.run xxx -test.v -test.benchtime 5s -test.count 5 -test.bench . .
goos: linux
goarch: amd64
pkg: github.com/opencontainers/runc/libcontainer/integration
cpu: 12th Gen Intel(R) Core(TM) i7-12800H
BenchmarkExecTrue
BenchmarkExecTrue-20    	     327	  24475677 ns/op
BenchmarkExecTrue-20    	     244	  25242718 ns/op
BenchmarkExecTrue-20    	     232	  26187174 ns/op
BenchmarkExecTrue-20    	     237	  26780030 ns/op
BenchmarkExecTrue-20    	     318	  18487219 ns/op
PASS

=== With DMZ enabled ===

[kir@kir-tp1 integration]$ sudo -E RUNC_DMZ=true ./integration.test -test.run xxx -test.v -test.benchtime 5s -test.count 5 -test.bench . .
goos: linux
goarch: amd64
pkg: github.com/opencontainers/runc/libcontainer/integration
cpu: 12th Gen Intel(R) Core(TM) i7-12800H
BenchmarkExecTrue
BenchmarkExecTrue-20    	     694	   8263744 ns/op
BenchmarkExecTrue-20    	     778	   8483228 ns/op
BenchmarkExecTrue-20    	     784	   8456018 ns/op
BenchmarkExecTrue-20    	     732	   8160239 ns/op
BenchmarkExecTrue-20    	     769	   8236972 ns/op
PASS

=== With memfd-bind ===

[kir@kir-tp1 integration]$ sudo systemctl start  memfd-bind@$(systemd-escape -p $PWD/integration.test)
[kir@kir-tp1 integration]$ sudo ./integration.test -test.run xxx -test.v -test.benchtime 5s -test.count 5 -test.bench . .
goos: linux
goarch: amd64
pkg: github.com/opencontainers/runc/libcontainer/integration
cpu: 12th Gen Intel(R) Core(TM) i7-12800H
BenchmarkExecTrue
BenchmarkExecTrue-20    	     800	   7538839 ns/op
BenchmarkExecTrue-20    	     717	   7424755 ns/op
BenchmarkExecTrue-20    	     848	   7747787 ns/op
BenchmarkExecTrue-20    	     800	   7668740 ns/op
BenchmarkExecTrue-20    	     751	   7304373 ns/op
PASS

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-24 13:39:26 -07:00
Kir Kolyshkin cb20148703 libct/int: use testing.TB for utils
...so that they can be used for benchmarks, too.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-24 13:39:26 -07:00
Akihiro Suda e37371ebd7 Merge pull request #4471 from kolyshkin/ci-12
ci: use Go 1.23
2024-10-23 17:11:15 +09:00
dependabot[bot] f22cee6634 Merge pull request #4460 from opencontainers/dependabot/go_modules/github.com/vishvananda/netlink-1.3.0 2024-10-23 07:55:40 +00:00
Aleksa Sarai b69954038c merge #4465 into opencontainers/runc:main
Kir Kolyshkin (1):
  libct: rm x/sys/execabs usage

LGTMs: AkihiroSuda cyphar
2024-10-23 18:52:54 +11:00
Kir Kolyshkin cbb9b309cd ci: use Go 1.23
Where we only use one Go version, let's use Go 1.23.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-23 00:04:17 -07:00
dependabot[bot] 69b3be763a build(deps): bump github.com/vishvananda/netlink from 1.1.0 to 1.3.0
Bumps [github.com/vishvananda/netlink](https://github.com/vishvananda/netlink) from 1.1.0 to 1.3.0.
- [Release notes](https://github.com/vishvananda/netlink/releases)
- [Commits](https://github.com/vishvananda/netlink/compare/v1.1.0...v1.3.0)

---
updated-dependencies:
- dependency-name: github.com/vishvananda/netlink
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-10-23 06:49:47 +00:00
Kir Kolyshkin d123e56739 Merge pull request #4467 from opencontainers/dependabot/go_modules/google.golang.org/protobuf-1.35.1
build(deps): bump google.golang.org/protobuf from 1.33.0 to 1.35.1
2024-10-22 23:49:04 -07:00
Kir Kolyshkin eb2ff52ace libct: rm x/sys/execabs usage
Since Go 1.19, the same functionality is there in os/exec package.
As we require go 1.22 now, there's no need to have this.

This basically reverts commit 9258eac0 ("libct/start: use execabs for
newuidmap lookup").

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-22 23:45:18 -07:00
Kir Kolyshkin 891d8ff63b Merge pull request #4468 from opencontainers/dependabot/go_modules/github.com/opencontainers/selinux-1.11.1
build(deps): bump github.com/opencontainers/selinux from 1.11.0 to 1.11.1
2024-10-22 23:43:57 -07:00
dependabot[bot] f20f273aff build(deps): bump github.com/opencontainers/selinux
Bumps [github.com/opencontainers/selinux](https://github.com/opencontainers/selinux) from 1.11.0 to 1.11.1.
- [Release notes](https://github.com/opencontainers/selinux/releases)
- [Commits](https://github.com/opencontainers/selinux/compare/v1.11.0...v1.11.1)

---
updated-dependencies:
- dependency-name: github.com/opencontainers/selinux
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-10-23 04:20:54 +00:00
dependabot[bot] 139789f1bd build(deps): bump google.golang.org/protobuf from 1.33.0 to 1.35.1
Bumps google.golang.org/protobuf from 1.33.0 to 1.35.1.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-10-23 04:20:52 +00:00
Akihiro Suda e98851de36 Merge pull request #4464 from opencontainers/dependabot/go_modules/github.com/urfave/cli-1.22.16
build(deps): bump github.com/urfave/cli from 1.22.14 to 1.22.16
2024-10-23 10:46:42 +09:00
Akihiro Suda 70efba8239 Merge pull request #4463 from opencontainers/dependabot/go_modules/github.com/moby/sys/mountinfo-0.7.2
build(deps): bump github.com/moby/sys/mountinfo from 0.7.1 to 0.7.2
2024-10-23 10:45:58 +09:00
dependabot[bot] 93db63ab52 build(deps): bump github.com/urfave/cli from 1.22.14 to 1.22.16
Bumps [github.com/urfave/cli](https://github.com/urfave/cli) from 1.22.14 to 1.22.16.
- [Release notes](https://github.com/urfave/cli/releases)
- [Changelog](https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md)
- [Commits](https://github.com/urfave/cli/compare/v1.22.14...v1.22.16)

---
updated-dependencies:
- dependency-name: github.com/urfave/cli
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-10-22 13:23:32 +00:00
dependabot[bot] af024b6c2b build(deps): bump github.com/moby/sys/mountinfo from 0.7.1 to 0.7.2
Bumps [github.com/moby/sys/mountinfo](https://github.com/moby/sys) from 0.7.1 to 0.7.2.
- [Release notes](https://github.com/moby/sys/releases)
- [Commits](https://github.com/moby/sys/compare/signal/v0.7.1...mountinfo/v0.7.2)

---
updated-dependencies:
- dependency-name: github.com/moby/sys/mountinfo
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-10-22 13:23:25 +00:00
Aleksa Sarai d545279974 merge #4458 into opencontainers/runc:main
Aleksa Sarai (2):
  VERSION: back to development
  VERSION: release v1.2.0

LGTMs: AkihiroSuda lifubang hqhq rata
2024-10-22 17:02:21 +11:00
Aleksa Sarai 42f9630578 VERSION: back to development
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-10-22 09:21:47 +11:00
Aleksa Sarai 0b9fa21be2 VERSION: release v1.2.0
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
v1.2.0
2024-10-22 09:21:47 +11:00
Rodrigo Campos 5190d6124b Merge pull request #4452 from lifubang/fix-fd-reuse-race
fix an error caused by fd reuse race when starting runc init
2024-10-21 12:55:03 +02:00
Aleksa Sarai ca45a2c52d merge #4446 into opencontainers/runc:main
Aleksa Sarai (1):
  Revert "increase memory.max in cgroups.bats"

LGTMs: rata cyphar
2024-10-21 19:44:58 +11:00
lfbzhm 568231cc4e Revert "increase memory.max in cgroups.bats"
This reverts commit 65a1074c75.

We needed [1] because when we removed the bindfd logic in [2] we had not
yet moved the binary cloning logic to Go and thus it was necessary to
increase the memory limit in CI because the clone was happening after
joining the cgroup. However, [3] finally moved that code to Go and thus
the cloning is now done outside of the container's cgroup and thus is no
longer accounted as part of the container's memory usage at any point.

Now we can properly support running a simple container with lower memory
usage as we did before.

[1]: commit 65a1074c75 ("increase memory.max in cgroups.bats")
[2]: commit b999376fb2 ("nsenter: cloned_binary: remove bindfd logic entirely")
[3]: commit 0e9a3358f8 ("nsexec: migrate memfd /proc/self/exe logic to Go code")

Signed-off-by: lfbzhm <lifubang@acmcoder.com>
[cyphar: fixed commit messages]
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-10-21 19:34:41 +11:00
lfbzhm e669926691 fix an error caused by fd reuse race when starting runc init
There is a race situation when we are opening a file, if there is a
small fd was closed at that time, maybe it will be reused by safeExe.
Because of Go stdlib fds shuffling bug, if the fd of safeExe is too
small, go stdlib will dup3 it to another fd, or dup3 a other fd to this
fd, then it will cause the fd type cmd.Path refers to a random path,
and it can lead to an error "permission denied" when starting the process.
Please see #4294 and <https://github.com/golang/go/issues/61751>.
So we should not use the original fd of safeExe, but use the fd after
shuffled by Go stdlib. Because Go stdlib will guarantee this fd refers to
the correct file.

Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-10-21 06:53:44 +00:00
Akihiro Suda ca8ca3ce07 Merge pull request #4448 from cyphar/cloned-binary-overlayfs
dmz: use overlayfs to write-protect /proc/self/exe if possible
2024-10-21 04:11:33 +09:00
Akihiro Suda 08faf15106 Merge pull request #4429 from kolyshkin/cap-load
libct/cap: no need to load capabilities
2024-10-21 04:09:07 +09:00
Aleksa Sarai 515f09f7b1 dmz: use overlayfs to write-protect /proc/self/exe if possible
Commit b999376fb2 ("nsenter: cloned_binary: remove bindfd logic
entirely") removed the read-only bind-mount logic from our cloned binary
code because it wasn't really safe because a container with
CAP_SYS_ADMIN could remove the MS_RDONLY bit and get write access to
/proc/self/exe (even with user namespaces this could've been an issue
because it's not clear if the flags are locked).

However, copying a binary does seem to have a minor performance impact.
The only way to have no performance impact would be for the kernel to
block these write attempts, but barring that we could try to reduce the
overhead by coming up with a mount that cannot have it's read-only bits
cleared.

The "simplest" solution is to create a temporary overlayfs using
fsopen(2) which uses the directory where runc exists as a lowerdir,
ensuring that the container cannot access the underlying file -- and we
don't have to do any copies.

While fsopen(2) is not free because mount namespace cloning is usually
expensive (and so it seems like the difference would be marginal), some
basic performance testing seems to indicate there is a ~60% improvement
doing it this way and that it has effectively no overhead even when
compared to just using /proc/self/exe directly:

  % hyperfine --warmup 50 \
  >           "./runc-noclone run -b bundle ctr" \
  >           "./runc-overlayfs run -b bundle ctr" \
  >           "./runc-memfd run -b bundle ctr"

  Benchmark 1: ./runc-noclone run -b bundle ctr
    Time (mean ± σ):      13.7 ms ±   0.9 ms    [User: 6.0 ms, System: 10.9 ms]
    Range (min … max):    11.3 ms …  16.1 ms    184 runs

  Benchmark 2: ./runc-overlayfs run -b bundle ctr
    Time (mean ± σ):      13.9 ms ±   0.9 ms    [User: 6.2 ms, System: 10.8 ms]
    Range (min … max):    11.8 ms …  16.0 ms    180 runs

  Benchmark 3: ./runc-memfd run -b bundle ctr
    Time (mean ± σ):      22.6 ms ±   1.3 ms    [User: 5.7 ms, System: 20.7 ms]
    Range (min … max):    19.9 ms …  26.5 ms    114 runs

  Summary
    ./runc-noclone run -b bundle ctr ran
      1.01 ± 0.09 times faster than ./runc-overlayfs run -b bundle ctr
      1.65 ± 0.15 times faster than ./runc-memfd run -b bundle ctr

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-10-20 21:35:09 +11:00
Aleksa Sarai 8cfbccb6d9 tests: integration: add helper to check if we're in a userns
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-10-20 19:58:49 +11:00
lfbzhm 8bebdbafd8 Merge pull request #4456 from kolyshkin/misc-ci-cleanups
Misc tests/int cleanups
2024-10-18 21:29:53 +08:00
lfbzhm d1b0ae62a9 Merge pull request #4455 from kolyshkin/ci-hotfix
tests/int: skip "update memory vs CheckBeforeUpdate" on EL9
2024-10-18 21:26:32 +08:00
Kir Kolyshkin 54ef07d899 tests/int: skip "update memory vs CheckBeforeUpdate" on EL9
This test case is frequently hanging recently. Might be caused
by a recent kernel update from 5.14.0-427.33.1.el9_4.x86_64 to
5.14.0-427.37.1.el9_4.x86_64.

Could not reproduce locally.

Let's skip it for now.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-17 19:11:01 -07:00
Aleksa Sarai 2664c845c9 merge #4441 into opencontainers/runc:main
Kir Kolyshkin (1):
  libct: rm initWaiter

LGTMs: lifubang cyphar
2024-10-18 13:09:43 +11:00
Kir Kolyshkin ff7753636f tests/int: rm centos-7 exclusion
We no longer run tests on CentOS 7, so this is now useless.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-17 18:08:14 -07:00
Kir Kolyshkin 76a821fab7 tests/int: update info about EL9 kernel
The issue quoted is now fixed, so add some information about the fixed
kernel version, and remove links to older discussions about idmapped
mounts security.

We can actually remove all of it for now, but let's keep it. Change
the skip message to say which kernel is required.

Amends commit b460dc39.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-17 18:08:14 -07:00
Kir Kolyshkin b5bdf592f2 libct: rm initWaiter
This initWaiter logic was introduced by commit 4ecff8d9, but since the logic of
/proc/self/exe was moved out of runc init in commit 0e9a335, this
seems unnecessary to have initWaiter.

Remove it.

This essentially reverts commit 4ecff8d9.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-17 08:05:42 -07:00
Aleksa Sarai d82235c9d0 merge #4444 into opencontainers/runc:main
lifubang (1):
  dmz: cloned binary: set +x permissions when creating regular tmpfile

LGTMs: kolyshkin cyphar
2024-10-15 15:06:30 +11:00
Aleksa Sarai 798ba5cd11 merge #4428 into opencontainers/runc:main
Kir Kolyshkin (2):
  memfd-bind: more specific doc URL
  memfd-bind: fixup systemd unit file and README

LGTMs: rata cyphar
2024-10-15 15:04:22 +11:00
lifubang 9fa324c479 dmz: cloned binary: set +x permissions when creating regular tmpfile
While we did set +x when "sealing" regular temporary files, the "is
executable" checks were done before then and would thus fail, causing
the fallback to not work properly.

So just set +x after we create the file. We already have a O_RDWR handle
open when we do the chmod so we won't get permission issues when writing
to the file.

Fixes: e089db3b4a ("dmz: add fallbacks to handle noexec for O_TMPFILE and mktemp()")

Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-10-14 17:48:18 +08:00
Kir Kolyshkin eff6f049bc libct/cap: no need to load capabilities
We are not really interested in the capabilities of the current process,
so there is no need to load those.

This results in some performance improvement since now the capability
package don't have to parse /proc/self/status.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-09 12:08:44 -07:00
Aleksa Sarai 9112335fb2 merge #4350 into opencontainers/runc:main
Sebastiaan van Stijn (1):
  libcontainer/userns: migrate to github.com/moby/sys/userns

LGTMs: AkihiroSuda lifubang cyphar
2024-10-10 05:59:37 +11:00
Sebastiaan van Stijn 9b60a93cf3 libcontainer/userns: migrate to github.com/moby/sys/userns
The userns package was moved to the moby/sys/userns module
at commit 3778ae603c.

This patch deprecates the old location, and adds it as an alias
for the moby/sys/userns package.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-10-09 22:20:25 +08:00
lfbzhm 8bf5f0d441 Merge pull request #4430 from cyphar/securejoin-v0.3.4
go: update github.com/cyphar/filepath-securejoin to v0.3.4
2024-10-09 17:50:56 +08:00
Aleksa Sarai 1623cde125 go: update github.com/cyphar/filepath-securejoin to v0.3.4
This includes a fix to avoid doing import "testing" in non-_test.go
code.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-10-09 15:13:28 +11:00
Kir Kolyshkin 4fdd56169d memfd-bind: more specific doc URL
Let's point to the relevant README directly in the systemd unit file,
as it is hard to find in the whole nine yards of the runc repo.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-08 13:30:59 -07:00
Kir Kolyshkin 9e5545876e memfd-bind: fixup systemd unit file and README
The example of starting memfd-bind via systemd in README did not work
for me (Fedora 40, systemd 255):

	# systemctl status memfd-bind@/usr/bin/runc
	Invalid unit name "memfd-bind@/usr/bin/runc" escaped as "memfd-bind@-usr-bin-runc" (maybe you should use systemd-escape?).
	○ memfd-bind@-usr-bin-runc.service
	     Loaded: bad-setting (Reason: Unit memfd-bind@-usr-bin-runc.service has a bad unit file setting.)
	     Active: inactive (dead)
	       Docs: https://github.com/opencontainers/runc

So, let's use systemd-escape -p ("path") in the README example,
and use %f in the systemd unit file to prepend the slash to the
filename.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-08 13:30:08 -07:00