Compare commits

...

2754 Commits

Author SHA1 Message Date
Aleksa Sarai b33d1c2605 VERSION: release v1.5.0-rc.3
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-06-13 14:24:39 +02:00
Aleksa Sarai 50bac276ed merge CVE-2026-41579 fixes into release-1.5
Aleksa Sarai (3):
  rootfs: make cgroupv1 subsystem symlinks fd-based
  rootfs: make /dev initialisation code fd-based
  rootfs: switch createDevices argument order

LGTMs: lifubang kolyshkin rata
2026-06-13 14:00:23 +02:00
Aleksa Sarai cd1c87d05a rootfs: make cgroupv1 subsystem symlinks fd-based
As with /dev symlinks, this was missed in commit d40b3439a9 ("rootfs:
switch to fd-based handling of mountpoint targets"). It's not really
clear to what extent this was exploitable (/sys/fs/cgroup is a tmpfs we
create) but it's better to just fix this anyway.

Fixes: d40b3439a9 ("rootfs: switch to fd-based handling of mountpoint targets")
Signed-off-by: Aleksa Sarai <aleksa@amutable.com>
(cherry picked from commit 66acd48f9d)
Signed-off-by: Aleksa Sarai <aleksa@amutable.com>
2026-06-13 00:28:59 +02:00
Aleksa Sarai 4504accbba rootfs: make /dev initialisation code fd-based
These codepaths are very old and operate on pure paths but before
pivot_root(2), meaning that a bad image with a malicious /dev symlink
could cause us to operate on host paths instead.

In practice this means that we could be tricked into removing a file
called "ptmx" (note that /dev/pts/ptmx and /dev/ptmx are both immune for
different reasons) or creating a very restricted set of symlinks (with
fixed targets and names). The scope of these bugs is thus quite limited,
but we definitely need to harden against it.

These codepaths were unfortunately missed during the fd-based rework in
commit d40b3439a9 ("rootfs: switch to fd-based handling of mountpoint
targets") -- I must've assumed they were called after pivot_root(2)...

Fixes: GHSA-xjvp-4fhw-gc47
Fixes: CVE-2026-41579
Fixes: d40b3439a9 ("rootfs: switch to fd-based handling of mountpoint targets")
Signed-off-by: Aleksa Sarai <aleksa@amutable.com>
(cherry picked from commit 864db8042d)
Signed-off-by: Aleksa Sarai <aleksa@amutable.com>
2026-06-13 00:14:51 +02:00
Aleksa Sarai c33c74f670 rootfs: switch createDevices argument order
This argument order matches most other helpers we have and will also
match the changes we are about to make to setupPtmx and
setupDevSymlinks.

Signed-off-by: Aleksa Sarai <aleksa@amutable.com>
(cherry picked from commit fcf04eb41b)
Signed-off-by: Aleksa Sarai <aleksa@amutable.com>
2026-06-13 00:14:51 +02:00
Rodrigo Campos Catelin f869956058 Merge pull request #5301 from kolyshkin/1.5-5297
[1.5] runc list: fix error reporting for non-existent root
2026-05-28 18:15:25 +02:00
Kir Kolyshkin 524803ccd6 [1.5] runc list: fix error reporting for non-existent root
The idea of commit d1fca8e was right (report errors for non-existent
root, unless using the default root dir) but the logic was inverted.

Fix the logic.

Test case for default root requires non-existent /root/runc, which is
not always possible.

[v1.5 backport: use GlobalIsSet]

Reported-by: RedMakeUp <girafeeblue@gmail.com>
Co-authored-by: RedMakeUp <girafeeblue@gmail.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 98c442a0e6)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-05-28 18:01:12 +02:00
Akihiro Suda 92e7dd9734 Merge pull request #5303 from ricardobranco777/1.5-5295
[1.5] Update busybox:glibc in integration tests to latest (1.38.0) builds
2026-05-28 13:52:03 +09:00
Ricardo Branco 3964cb7e6c Update busybox:glibc in integration tests to latest (1.38.0) builds
This release fixes tests on ppc64le in busybox commit 3621595939e43:
"nsenter,unshare: don't use xvfork_parent_waits_and_exits(), it SEGVs
on ppc64le".

Fixes: https://github.com/opencontainers/runc/issues/4836

Signed-off-by: Ricardo Branco <rbranco@suse.de>
(cherry picked from commit c7c2920db0)
Signed-off-by: Ricardo Branco <rbranco@suse.de>
2026-05-27 10:51:55 +02:00
Ricardo Branco d5dc535668 tests/int: relax testPids fork error match string
The test checked for the exact BusyBox ash diagnostic "sh: can't fork".
With BusyBox 1.38, ash reports the failure as:

  /bin/sh: line 0: can't fork: Resource temporarily unavailable

Match the stable "can't fork" part of the error message instead.

Signed-off-by: Ricardo Branco <rbranco@suse.de>
(cherry picked from commit de39d5e79b)
Signed-off-by: Ricardo Branco <rbranco@suse.de>
2026-05-27 10:51:55 +02:00
Ricardo Branco 2b02fb6327 tests/int: build TestPids pipelines programmatically
TestPids used long hand-written /bin/true pipelines for the 4-, 32- and
64-command cases. This made the test easy to typo and hard to review, as
seen by the earlier "bin/true" entries.

Build the shell pipelines instead, preserving the existing test coverage
while making the command counts explicit.

Signed-off-by: Ricardo Branco <rbranco@suse.de>
(cherry picked from commit 3acb097f93)
Signed-off-by: Ricardo Branco <rbranco@suse.de>
2026-05-27 10:51:55 +02:00
Rodrigo Campos Catelin 2c0d0d7408 Merge pull request #5286 from lifubang/backport-5269-1.5
[1.5] tests/int: fix flake in "resources.unified override" (backport #5269)
2026-05-22 10:45:40 +02:00
Kir Kolyshkin 7522b50684 tests/int: fix flake in "resources.unified override"
As runc binary grows in size over time (new features, more
dependencies) some tests start to flake because of low memory limits.

One such test is "runc run (cgroup v2 resources.unified override)";
it obviously fails because of 1M memory limit:

> runc run failed: unable to start container process: container init was OOM-killed (memory limit too low?)

Increase the limits 4x. Do the same for the "unified only" test.

Fixes issue 5264.

Reported-by: Kevin Berry <kpberry11@gmail.com>
Reported-by: Ricardo Branco <rbranco@suse.de>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 3fabb4d070)
Signed-off-by: lifubang <lifubang@acmcoder.com>
Co-authored-by: Claude <noreply@anthropic.com>
2026-05-22 10:32:49 +02:00
Rodrigo Campos Catelin a5e6e351a9 Merge pull request #5280 from lifubang/backport-5275-1.5
[1.5] libct: reuse tmpfs for directory masks
2026-05-21 11:52:43 +02:00
lifubang 8cf2a2d684 libct: close rootFd ASAP in maskPaths
Close the root file descriptor immediately after use in maskPaths to
reduce the window during which an attacker could potentially exploit
an open fd to access or manipulate the root filesystem. This follows
the principle of least privilege and mitigates risks in compromised
or malicious container scenarios.

Co-authored-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit b88635e57e)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2026-05-20 10:17:24 +00:00
lifubang e2eb5dd2db libct: optimize maskPaths for single-directory case
This is a follow-up to #5275. That change reused a single tmpfs mount
to mask multiple directories, which is efficient when masking more than
one path. However, it introduced unnecessary overhead when only one
directory is masked. This commit restores the original behavior for the
single-path case while preserving shared tmpfs logic for multiple paths.

Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit e7e2f00248)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2026-05-20 10:17:13 +00:00
lifubang d7791e5c23 integration: reuse tmpfs for directory masks
Co-authored-by: Davanum Srinivas <davanum@gmail.com>
Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit 124772f354)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2026-05-20 10:16:18 +00:00
lifubang 411b5f2f23 libct: reuse tmpfs for directory masks
Kubernetes may add one sysfs thermal_throttle entry per CPU to
maskedPaths. On large Intel systems this can produce many directory
masks for a single container. runc currently handles each directory
mask with a separate read-only tmpfs mount, and therefore a separate
tmpfs superblock.

On Linux 4.18/RHEL 8 kernels, creating and tearing down many tmpfs
superblocks can contend on the global shrinker_rwsem when containers
start or stop concurrently.

Use one read-only tmpfs for directory masks and bind-mount it over the
remaining directory targets. The first non-procfs-fd directory mount is
reopened through the container root fd before it is reused. File masks
still bind /dev/null, and procfs fd targets keep the existing
one-tmpfs-per-target behaviour because they are fd aliases rather than
stable rootfs paths.

If the bind-mount of the shared source fails (e.g. due to kernel
restrictions), fall back to individual tmpfs mounts for all remaining
directories. Tmpfs mounts use nr_blocks=1,nr_inodes=1 to minimise
kernel resource usage.

The bind mounts do not create additional tmpfs superblocks. They also
retain the read-only mount flag inherited from the source vfsmount, so
the masking semantics remain unchanged.

xref: kubernetes/kubernetes#138512
xref: kubernetes/kubernetes#138388
xref: kubernetes/kubernetes#131018

Co-authored-by: Davanum Srinivas <davanum@gmail.com>
Refactored-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit c046c9b973)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2026-05-20 10:16:18 +00:00
lifubang 24867ade0a libct: enforce strict tmpfs limits for masked paths
Previously, masked directories (e.g., /proc/acpi, /proc/scsi) were
mounted as read-only tmpfs without explicit size or inode limits.
Although these mounts are meant to be empty and unwritable, the lack
of resource constraints means that—should an attacker bypass the
read-only protection (e.g., via container escape, mount namespace
manipulation, or a kernel vulnerability)—the tmpfs could consume up
to 50% of system memory by default (the kernel's default tmpfs limit).

To mitigate this risk in high-density container environments and
adhere to the principle of least privilege, we now explicitly set:
  - nr_blocks=1 (sufficient for at most one block size)
  - nr_inodes=1 (sufficient for at most one inode)
Ref: https://man7.org/linux/man-pages/man5/tmpfs.5.html

These limits ensure that even if compromised, kernel memory usage
remains strictly bounded and negligible.

This change aligns with best practices used by other container
runtimes and strengthens defense-in-depth for sensitive masked paths.

Co-authored-by: Davanum Srinivas <davanum@gmail.com>
Refactored-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit e57a7a4c8f)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2026-05-20 10:16:18 +00:00
lifubang 0fc2921263 libct: skip mount for duplicate masked paths
Co-authored-by: Davanum Srinivas <davanum@gmail.com>
Refactored-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit abf70bab63)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2026-05-20 10:16:18 +00:00
lfbzhm 5e4d064c80 Merge pull request #5283 from kolyshkin/1.5-5279
[1.5] tests/rootless.sh: use command -v instead of which
2026-05-14 22:19:17 +08:00
Kir Kolyshkin 86f61cc3bb tests/rootless.sh: use command -v instead of which
Apparently, lima's experimental/fedora-rawhide image does not include
which rpm, and we don't really want to bother installing it.

Replace "which" with "command -v". Looks like this was the only place;
we already use "command -v" everywhere else.

This should fix lima (experimental/fedora-rawhide) CI.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 5e78f4a66d)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-05-13 11:07:52 -07:00
lfbzhm 5e3b21e192 Merge pull request #5248 from AkihiroSuda/cherrypick-5239-1.5
[release-1.5] Complete migration from Cirrus CI to GHA (Lima)
2026-04-19 08:51:02 +08:00
Akihiro Suda a03e109e7a CI: lima: add template name to cache key
The cache created for almalinux-8 could be overwritten for almalinux-9

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit ff4470156e)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2026-04-17 17:39:01 +09:00
Akihiro Suda 27838f271f Complete migration from Cirrus CI to GHA (Lima)
Fix issue 5238

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 9d697a9222)
(cherry-pick was not clean)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2026-04-16 22:20:31 +09:00
lfbzhm c0b996d0d3 Merge pull request #5246 from kolyshkin/1.5-5232
[1.5] libct/int: better error reporting
2026-04-16 14:51:19 +08:00
Kir Kolyshkin c2092624ed libct/int: switch from bytes.Buffer to strings.Builder
The latter is simpler and provides just enough functionality to be used
here.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 9970cbfdb6)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-04-15 11:44:08 -07:00
Kir Kolyshkin c63f75727c libct/int: remove buffers.Stdin
It is never used.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 568a309225)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-04-15 11:44:08 -07:00
Kir Kolyshkin 87edc29643 libct/int: use readlink -v
By default, readlink is silent about any errors. Make it verbose so we
can better interpret any test failures.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 54be90bf68)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-04-15 11:44:08 -07:00
Kir Kolyshkin f3e4f8ece9 libct/int: show stderr if command failed
When running a process inside a container, make sure its stderr is not
nil (except for some trivial cases like cat). Modify waitProcess to show
failed command's stderr, if possible.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit bf4fcc3002)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-04-15 11:44:08 -07:00
Kir Kolyshkin c9fd1a38f0 libct/int: waitProcess: rm dead code
Since Wait returns an ExitError if process' exit status is not 0,
checking process status is redundant and this code is never reached.

Remove it.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit dd9fda7d60)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-04-15 11:44:08 -07:00
Rodrigo Campos Catelin f4254caa59 Merge pull request #5230 from kolyshkin/1.5-5226
[1.5] tests/rootless.sh: fix skipping idmap tests for systemd
2026-04-13 20:16:30 +02:00
Kir Kolyshkin 44838af3ee tests/rootless.sh: fix skipping idmap tests for systemd
When RUNC_USE_SYSTEMD is set, tests/rootless.sh is using

	ssh -tt rootless@localhost

to run tests as rootless user. In this case, local environment is not
passed to the user's ssh session (unless explicitly specified), and so
the tests do not get ROOTLESS_FEATURES.

As a result, idmap-related tests are skipped when running as rootless
using systemd cgroup driver:

	integration test (systemd driver)
	...
	[02] run rootless tests ... (idmap)
	...
	ok 286 runc run detached ({u,g}id != 0) # skip test requires rootless_idmap
	...

Fix this by creating a list of environment variables needed by the
tests, and adding those to ssh command line (in case of ssh) or
exporting (in case of sudo) so both cases work similarly.

Also, modify disable_idmap to unset variables set in enable_idmap so
they are not exported at all if idmap is not in features.

Fixes: bf15cc99 ("cgroup v2: support rootless systemd")
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 3e0829d195)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-04-13 10:56:18 -07:00
Kir Kolyshkin 96ffda7b87 tests: rename AUX_{DIR,UID} to ROOTLESS_AUX_*
Also, fix the typo (AUX_DIX) in cleanup.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit ac2a53be8e)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-04-13 10:56:18 -07:00
Rodrigo Campos Catelin 0500f93a25 Merge pull request #5236 from kolyshkin/1.5-5222
[1.5] tests/int/checkpoint: drop unneeded tests
2026-04-13 11:15:51 +02:00
Kir Kolyshkin 68388249f1 tests/int/checkpoint: drop unneeded tests
Those tests were added by commit 8d180e96 ("Add support for Linux
Network Devices"), apparently by copy-pasting the test cases which
call simple_cr (all four of them).

While different simple_cr tests make sense as they cover different
code paths in runc and/or check for various regression, the same
variations with netdevice do not make sense, as having a net device
is orthogonal to e.g. bind mount, --debug, or cgroupns.

Remove those.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 2cd4782b70)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-04-10 11:19:42 -07:00
Aleksa Sarai 68f0c46b2c Merge pull request #5231 from kolyshkin/1.5-5227
[1.5] libct: move cmsg helpers to new internal/cmsg package
2026-04-09 10:53:42 +10:00
Aleksa Sarai d5cead38fd libct: move cmsg helpers to new internal/cmsg package
These helpers all make more sense as a self-contained package and moving
them has the added benefit of removing an unneeded libpathrs dependency
(from libcontainer/utils's import of pathrs-lite) from several test
binaries.

Signed-off-by: Aleksa Sarai <aleksa@amutable.com>
(cherry picked from commit ca509e76ff)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-04-08 11:09:19 -07:00
lfbzhm 8583683931 Merge pull request #5225 from thaJeztah/1.5_backport_gofix
[1.5 backport] libcontainer/devices: add '//go:fix inline' directives
2026-04-07 23:18:19 +08:00
Sebastiaan van Stijn 83e60ddaf0 libcontainer/devices: add '//go:fix inline' directives
This allows users to automaticaly migrate to the new location
using `go fix`. It has some limitations, but can help smoothen
the transition; for example, taking this file;

```
package main

import (
	"github.com/opencontainers/runc/libcontainer/devices"
)

func main() {
	_, _ = devices.DeviceFromPath("a", "b")
	_, _ = devices.HostDevices()
	_, _ = devices.GetDevices("a")
}
```

Running `go fix -mod=readonly ./...` will migrate the code;

```
package main

import (
	devices0 "github.com/moby/sys/devices"
)

func main() {
	_, _ = devices0.DeviceFromPath("a", "b")
	_, _ = devices0.HostDevices()
	_, _ = devices0.GetDevices("a")
}
```

updates b345c78dca

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit ba83c7c7d7)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-04-06 20:41:47 +02:00
Kir Kolyshkin fcec5762e2 Merge pull request #5219 from kolyshkin/150rc2
Release 1.5.0-rc.2
2026-04-02 21:54:29 -07:00
Kir Kolyshkin 3bd7cbb531 VERSION: back to development
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-04-02 19:59:33 -07:00
Kir Kolyshkin c3e4075c34 VERSION: release v1.5.0-rc.2
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-04-02 19:59:04 -07:00
Kir Kolyshkin e2e3deffc2 [1.5] CHANGELOG: forward-port 1.4.2 changes
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-04-02 19:56:23 -07:00
Aleksa Sarai 8bc2658d78 Merge pull request #5220 from kolyshkin/1.5-5142
[1.5] libct/devices: deprecate in favour of moby/sys/devices
2026-04-03 13:54:16 +11:00
Aleksa Sarai ffde8d4ed3 libct/devices: deprecate in favour of moby/sys/devices
The libcontainer/devices package has been moved to moby/sys/devices, so
we can just point users to that and keep some compatibility shims around
until runc 1.6. We don't use it at all so there are no other changes
needed.

Signed-off-by: Aleksa Sarai <aleksa@amutable.com>
(cherry picked from commit b345c78dca)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-04-02 18:13:02 -07:00
Rodrigo Campos Catelin 8ab3db99c6 Merge pull request #5214 from lifubang/backport-5210
[1.5] Fix SIGCHLD race in signal handler setup
2026-04-02 12:21:28 +02:00
lifubang 38f7404ba7 Fix SIGCHLD race in signal handler setup
When signal installation was moved to a goroutine for performance,
containers that exited quickly could complete before SIGCHLD was
registered, causing runc to hang waiting for the signal.

This fix ensures SIGCHLD is registered immediately in the main thread
before other signals are handled in the goroutine, maintaining performance
while guaranteeing no missed SIGCHLD notifications for fast-exiting
containers.

Reported-by: Ayato Tokubi <atokubi@redhat.com>
Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit 404181e4cc)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2026-04-02 09:39:04 +08:00
lfbzhm ef42f35b3e Merge pull request #5211 from kolyshkin/1.5-5205
[1.5] Switch to Go 1.25+
2026-04-02 09:05:37 +08:00
Aleksa Sarai a7dc07d5af go fix: use (*sync.WaitGroup).Go
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit 47fba7e4b1)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-04-01 11:06:50 -07:00
Aleksa Sarai b66fa4c218 go.mod: bump minimum to Go 1.25
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit 99d054b93f)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-04-01 11:06:50 -07:00
Kir Kolyshkin 62a05b94cd tests/int: allow cpu quota cgroup v1 files fds
Since switching to Go 1.25 in go.mod, the "detect fd leaks" test fails
like this:

> not ok 57 runc create[detect fd leak as comprehensively as possible]
> # (in test file tests/integration/create.bats, line 76)
> #   `[ "$violation_found" -eq 0 ]' failed
> ...
> # Violation: FD 9 -> '/system.slice/runc-test_busybox.scope/cpu.cfs_quota_us'
> # Violation: FD 10 -> '/system.slice/runc-test_busybox.scope/cpu.cfs_period_us'
> ...

This happens because Go 1.25 adds a feature to dynamically set GOMAXPROC
based on current CPU quota values. This feature can be disabled by setting

	GODEBUG=containermaxprocs=0,updatemaxprocs=0

but it is harmless to keep it (except for the above test failure).

Add an exception to the test case.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit f9a9a36fa8)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-04-01 11:06:50 -07:00
Aleksa Sarai 47fc012f96 merge #5204 into opencontainers/runc:release-1.5
Kir Kolyshkin (3):
  Pre-open container root directory
  libct: minor refactor in mountToRootfs
  libct: mountCgroupV1: address TODO

Li Fubang (1):
  libct: use preopened rootfs more

LGTMs: lifubang cyphar
2026-03-31 20:47:37 +11:00
lfbzhm 400e0abdb9 libct: use preopened rootfs more
This uses preopened rootfs in Chdir and pivotRoot.

While at it, add O_PATH when opening oldroot in pivotRoot.

Co-authored-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 5b094ed1ac)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-03-30 11:12:51 -07:00
Kir Kolyshkin 64de2a7bc6 Pre-open container root directory
A lot of filesystem-related stuff happens inside the container root
directory, and we have used its name before. It makes sense to pre-open
it and use a *os.File handle instead.

Function names in internal/pathrs are kept as is for simplicity (and it
is an internal package), but they now accept root as *os.File.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 28cb321887)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-03-30 11:12:51 -07:00
Kir Kolyshkin cfda2530bc libct: minor refactor in mountToRootfs
No change in functionality, just a preparation for the next patch.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 78b80677f6)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-03-30 11:12:51 -07:00
Kir Kolyshkin c00c9bc31a libct: mountCgroupV1: address TODO
Indeed, it does not make sense to prepend c.root once we started using
MkdirAllInRoot in commit 63c29081.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 60352524d3)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-03-30 11:12:51 -07:00
Aleksa Sarai ca6fa25527 Merge pull request #5202 from lifubang/backport-5177-1.5
[1.5] libct: close the mount source fd ASAP!
2026-03-29 19:55:50 +11:00
lifubang 1dda9cdd2d test: check mount source fds are cleaned up with idmapped mounts
Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit 7fdab1cb69)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2026-03-28 15:15:09 +00:00
lifubang 91fb1d9e21 libct: close mount source fd as soon as possible
This commit factors out setupAndMountToRootfs without changing any
logic. Use "Hide whitespace changes" during review to focus on the
actual changes.

The refactor ensures the mount source file descriptor is closed via
defer in each loop iteration, reducing the total number of open FDs
in runc. This helps avoid hitting the file descriptor limit under
high concurrency or when handling many mounts.

Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit c77e71a3e7)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2026-03-28 15:14:57 +00:00
lifubang 0f0578e878 libct: add a nil check for mountError
Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit 0d0fd95731)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2026-03-28 15:14:37 +00:00
lfbzhm f642515632 Merge pull request #5199 from cyphar/1.5-5195-readme-libpathrs
[1.5] README: add libpathrs installation notes
2026-03-28 14:56:18 +08:00
Aleksa Sarai fe80f38a31 README: add libpathrs installation notes
libpathrs now has its own installation instructions[1] but it is quite
helpful to provide some high-level instructions as well as notes about
what minimum versions we expect.

[1]: https://github.com/cyphar/libpathrs/blob/main/INSTALL.md

Suggested-by: Li Fubang <lifubang@acmcoder.com>
Signed-off-by: Aleksa Sarai <aleksa@amutable.com>
(cherry picked from commit 81d59df8d5)
Signed-off-by: Aleksa Sarai <aleksa@amutable.com>
2026-03-28 17:32:05 +11:00
lfbzhm 0826ad7ab6 Merge pull request #5198 from kolyshkin/1.5-5171
[1.5] Makefile: add RUNC_BUILDTAGS, deprecate EXTRA_BUILDTAGS
2026-03-28 09:59:19 +08:00
Kir Kolyshkin 8676012e2e Makefile: add RUNC_BUILDTAGS, deprecate EXTRA_BUILDTAGS
A bit of history. EXTRA_BUILDTAGS was introduced in commit dac417174,
as a quick way to add some extra Go build tags to the runc build.

Later, commit 767bc008 changed Makefile to not get EXTRA_TAGS from the
shell environment, as the name is quite generic and some unrelated
environment variable with that name can affect runc build. While such
change does make sense, it makes it more complicated to pass build tags
in CI and otherwise (see e.g. commit 0e1fe368a).

Moreover, runc build uses some Go build tags by default (via Makefile),
and while it is easy to add more build tags (via EXTRA_BUILDTAGS), in
order to remove some existing tags one has to redefine BUILDTAGS from
scratch, which is not very convenient (again, see commit 0e1fe368a which
gets the current value of BUILDTAGS from the Makefile in order to remove
a single tag).

To handle all of the above, let's do this:
 - implement RUNC_BUILDTAGS, fixing the issue of not-so-unique name;
 - allow to get RUNC_BUILDTAGS from shell environment;
 - implement a feature to remove a build tag from default set by
   prefixing it with "-" (as in RUNC_BUILDTAGS="-seccomp");
 - document all this in README;
 - make CI use the new feature;
 - keep EXTRA_BUILDTAGS for backward compatibility, add a make warning
   and a TODO to remove it for runc 1.6.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit d8c62c7d0b)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-03-25 21:58:12 -07:00
lfbzhm 84c4850317 Merge pull request #5183 from kolyshkin/1.5-5172
[1.5] Support specs.LinuxSeccompFlagWaitKillableRecv
2026-03-25 12:04:10 +08:00
Kir Kolyshkin 7dd372d40e Support specs.LinuxSeccompFlagWaitKillableRecv
This adds support for WaitKillableRecv seccomp flag
(also known as SCMP_FLTATR_CTL_WAITKILL in libseccomp and
as SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV in the kernel).

This requires:
 - libseccomp >= 2.6.0
 - libseccomp-golang >= 0.11.0
 - linux kernel >= 5.19

Note that this flag does not make sense without NEW_LISTENER, and
the kernel returns EINVAL when SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV
is set but SECCOMP_FILTER_FLAG_NEW_LISTENER is not set.

For runc this means that .linux.seccomp.listenerPath should also be set,
and some of the seccomp rules should have SCMP_ACT_NOTIFY action. This
is why the flag is tested separately in seccomp-notify.bats.

At the moment the only adequate CI environment for this functionality is
Fedora 43. On all other platforms (including CentOS 10 and Ubuntu 24.04)
it is skipped similar to this:

> ok 251 runc run [seccomp] (SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV) # skip requires libseccomp >= 2.6.0 and API level >= 7 (current version: 2.5.6, API level: 6)

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 0079bee17f)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-03-25 11:40:18 +08:00
lfbzhm 284d983c1e Merge pull request #5196 from cyphar/1.5-5194-fix-libpathrs-build
[1.5] build: use POSIX regex in libpathrs build
2026-03-25 11:39:05 +08:00
Akhil Mohan aa17fa3876 [1.5] use POSIX regex in libpathrs build
word boundary anchor \> is present only in GNU awk implementation. This
will not work if we are building libpathrs inside a container like
debian/ubuntu which uses mawk. Therefore switch to a POSIX compatible
regex that can be used with all implementations of awk to find the
system libc path

Signed-off-by: Akhil Mohan <akhilerm@gmail.com>
Signed-off-by: Aleksa Sarai <aleksa@amutable.com>
(cherry picked from commit 28d5ffbab0)
Signed-off-by: Aleksa Sarai <aleksa@amutable.com>
2026-03-25 02:59:18 +11:00
Aleksa Sarai e1c1378fc9 Merge pull request #5179 from kolyshkin/1.5-5175
[1.5] CHANGELOG: move "better errors from runc init" to 1.4.0
2026-03-17 10:25:23 +09:00
Kir Kolyshkin d5db4a59a5 CHANGELOG: move "better errors from runc init" to 1.4.0
Found out that these changes were backported to release-1.4 (PR 5040)
and made its way into runc v1.4.0, but were missing from its CHANGELOG.

Move the item to v1.4.0 changelog, and add a backport PR reference.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit e232a541bd)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-03-16 10:45:23 -07:00
Aleksa Sarai 5c48e21781 merge #5154 into opencontainers/runc:main
Aleksa Sarai (4):
  VERSION: back to development
  VERSION: release v1.5.0-rc.1
  CHANGELOG: forward-port v1.4.1 entry
  CHANGELOG: add original PR references to backports

LGTMs: rata lifubang
2026-03-13 21:28:25 +09:00
Aleksa Sarai e5b355048c VERSION: back to development
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-13 18:17:43 +09:00
Aleksa Sarai 5d2588d379 VERSION: release v1.5.0-rc.1
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-13 18:17:43 +09:00
Aleksa Sarai ced0149acf CHANGELOG: forward-port v1.4.1 entry
Some of the patches in the "unreleased" section were backported and so
they can be moved to the v1.4.1 section to some unneeded avoid
duplication.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-13 16:29:31 +09:00
Aleksa Sarai ed75f30e7a CHANGELOG: add original PR references to backports
When going through the changelog for v1.5.0-rc.1, these PRs were merged
but not referenced by their original PR number in the changelog, making
it harder to figure out which patches since v1.4.0-rc.1 are in
v1.5.0-rc.1 or v1.4.0.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-12 23:20:38 +09:00
Rodrigo Campos Catelin fd0388b2c4 Merge pull request #5170 from cyphar/ci-conmon-libpathrs
gha: install libpathrs for conmon test as well
2026-03-12 13:48:11 +01:00
Aleksa Sarai 9cf46be341 gha: install libpathrs for conmon test as well
Commit 192e3d416f ("ci: add conmon tests run") was merged without
rebasing on top of commit e2c989b7e1 ("build: enable libpathrs by
default"), causing build failures when it was merged.

The solution is to just use the same install script as the rest of CI
from commit 7322b05f41 ("ci: build and install libpathrs").

Fixes: 192e3d416f ("ci: add conmon tests run")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-12 20:46:10 +09:00
lfbzhm 7837689f9a Merge pull request #5159 from kolyshkin/add-conmon
ci: add conmon tests run
2026-03-12 19:18:14 +08:00
Aleksa Sarai ba01f0fb6a merge #5150 into opencontainers/runc:main
Aleksa Sarai (1):
  conformance: poststart hooks spec now matches runc

LGTMs: rata kolyshkin
2026-03-12 19:05:19 +09:00
Aleksa Sarai d0444a61ba merge #5103 into opencontainers/runc:main
Aleksa Sarai (11):
  gha: test both with and without libpathrs
  build: enable libpathrs by default
  ci: build and install libpathrs
  build: enable builds with libpathrs
  deps: update to cyphar.com/go-pathrs@v0.2.4
  README: document libpathrs build tag
  script: seccomp.sh -> build-seccomp.sh
  build: rename /opt/libseccomp cdylib directory
  build: treat armhf as ARMv7
  dockerfile: switch to Debian 13
  integration: output debug information in fd leak test

LGTMs: rata kolyshkin AkihiroSuda
2026-03-12 18:56:27 +09:00
Aleksa Sarai 1c7b8c9de4 conformance: poststart hooks spec now matches runc
This entry was added by commit 653161f6d8 ("docs/spec-conformance.md:
update for spec v1.3.0") but the spec was updated before the v1.3.0
release to remove this requirement for poststart hooks in order to match
runc's current behaviour.

Fixes: 653161f6d8 ("docs/spec-conformance.md: update for spec v1.3.0")
Ref: opencontainers/runtime-spec#1262
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-12 18:13:16 +09:00
Aleksa Sarai 0e1fe368a2 gha: test both with and without libpathrs
We do plan to make libpathrs required in the future, but in the meantime
we should test both with and without libpathrs in our CI to catch
regressions for users that will not use libpathrs initially.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-12 17:58:11 +09:00
Aleksa Sarai e2c989b7e1 build: enable libpathrs by default
libpathrs has better hardening against certain attacks (most notably on
older kernels) so we should use it by default. This opens the door to
us using cyphar.com/go-pathrs in the future in order to remove some of
our internal/pathrs wrappers (that reimplement bits of libpathrs).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-12 17:58:11 +09:00
Aleksa Sarai 7322b05f41 ci: build and install libpathrs
libpathrs will be opt-out in a future patch so we need to test with it
in our CI.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-12 17:58:11 +09:00
Aleksa Sarai 8689e50cbe build: enable builds with libpathrs
pathrs-lite supports transparently switching to libpathrs.so as the
backend with the "libpathrs" build tag. In order to make this work
properly with our CI and release build scripts, we we need to have a
similar setup as with we do with libseccomp.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-12 17:58:10 +09:00
Aleksa Sarai b58e342758 deps: update to cyphar.com/go-pathrs@v0.2.4
This includes a few fixes for 32-bit builds.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-12 17:58:10 +09:00
Aleksa Sarai ab6f75dd25 README: document libpathrs build tag
Ever since v0.6.0 of github.com/cyphar/filepath-securejoin, pathrs-lite
has been able to transparently switch to using libpathrs as the backend
for safe path resolution (at compile-time, using a build tag). Note that
because build-tags apply globally, this allows for us to easily opt
pure-Go dependencies into all using libpathrs as well for our binaries.

In a future patch this will likely be enabled by default, but document
that this is an option for downstreams that want to opt-in to using
libpathrs.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-12 17:58:10 +09:00
Aleksa Sarai b1a9047c7a script: seccomp.sh -> build-seccomp.sh
This name is far more descriptive.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-12 17:58:10 +09:00
Aleksa Sarai 8292574e7a build: rename /opt/libseccomp cdylib directory
In a future patch this will contain other cdylibs so it deserves a
slightly more general name.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-12 17:58:10 +09:00
Aleksa Sarai 51ae8de054 build: treat armhf as ARMv7
The intention of commit 531e29e192 ("script/lib.sh: set GOARM=5 for
armel, GOARM=6 for armhf") was to properly support older ARM platforms
with our release builds.

However, we have never been able to support ARMv6 for our builds because
we use the Debian compiler to build the libseccomp we statically compile
into our binaries and (as per the now-deleted comment itself) Debian
treats armhf as being ARMv7 so the final binaries we produced were
always only ever compatible with ARMv7+.

This was a bit of an oddity before but when building libpathrs for
releases we will need to use Rust which makes the target more explicit
(and while it does support armhf, we are using the Debian-packaged Rust
cross-compiler and thus are in the same dilemma with what Debian
considers "armhf" to be).

All-in-all, it's better to just bite the bullet and just follow Debian
here properly.

Fixes: 531e29e192 ("script/lib.sh: set GOARM=5 for armel, GOARM=6 for armhf")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-12 17:58:09 +09:00
Aleksa Sarai 6b757b6aa0 dockerfile: switch to Debian 13
Debian 13 (trixie) was released a few months ago and it's probably
prudent to just upgrade. This is also necessary to get access to riscv64
repositories when we build libpathrs for inclusion in our runc binaries.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-12 17:58:09 +09:00
Aleksa Sarai bb9ee2b0df integration: output debug information in fd leak test
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-12 17:58:09 +09:00
Kir Kolyshkin 192e3d416f ci: add conmon tests run
This adds a CI job to run conmon tests with runc.

Related to issue 5151, PR 5153.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-03-11 16:43:18 -07:00
Aleksa Sarai a462d6f8a8 Merge pull request #5160 from kolyshkin/fixup-relabel
libct/configs: exclude Relabel from json [un]marshaling
2026-03-11 18:54:28 +09:00
Kir Kolyshkin d2abe47689 libct/configs: exclude Relabel from json [un]marshaling
When deprecating Relabel field, its json attributes were mistakenly
removed, so now it is:
 - saved to JSON under "Relabel" (rather than "relabel");
 - won't be ignored if empty.

Let's fix it before it's too late.

Fixes: 8b2b5e94 ("libct: remove relabeling dead code")

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-03-10 14:13:11 -07:00
Aleksa Sarai 5f3ac16d18 merge #5152 into opencontainers/runc:main
Kir Kolyshkin (1):
  libct: remove relabeling dead code

LGTMs: cyphar rata
2026-03-08 00:16:03 +09:00
Rodrigo Campos Catelin 2db0c5e8b1 Merge pull request #5155 from cyphar/intelrdt-improve-mkdir
libct: intelrdt: improve directory cleanup logic
2026-03-06 14:40:40 +01:00
Aleksa Sarai 1c35df9ea2 merge #5153 into opencontainers/runc:main
Kir Kolyshkin (1):
  Revert "Preventing containers from being unable to be deleted"

LGTMs: cyphar rata
2026-03-06 18:48:53 +09:00
Aleksa Sarai fbaf5e3161 libct: intelrdt: improve directory cleanup logic
It makes more sense to save whether we should cleanup the directory
after it gets created (to avoid error cases deleting a different
directory) as well as tying this check to the existing os.ErrExist
check rather than doing an extra stat(2).

Fixes: e2baa3ad10 ("Intel RDT: update according to spec changes.")
Suggested-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-06 18:45:36 +09:00
Aleksa Sarai bf547fb885 merge #3832 into opencontainers/runc:main
Ismo Puustinen (1):
  Intel RDT: update according to spec changes.

LGTMs: AkihiroSuda cyphar
2026-03-06 16:43:41 +09:00
Kir Kolyshkin 5996fe143a Revert "Preventing containers from being unable to be deleted"
This fixes random failures to start a container in conmon integration
tests (see issue 5151).

I guess we need to find another way to fix issue 4645.

This reverts commit 1b39997e73.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-03-05 18:44:30 -08:00
Kir Kolyshkin 8b2b5e9492 libct: remove relabeling dead code
There is no way to set Mount.Relabel field via OCI spec (config.json),
and so the relabeling code is never used.

My guess it's a leftover from times when runc used to be part of Docker.

Remove it, and mark Relabel field as deprecated.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-03-05 14:57:21 -08:00
Ismo Puustinen e2baa3ad10 Intel RDT: update according to spec changes.
There is one proposed clarification to the OCI spec: the subdirectory
needs to be deleted. Runc already does that, but the clarification adds
for directory removal only if the directory was created by us.

Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-05 12:28:32 +11:00
Akihiro Suda c1c788765c Merge pull request #5148 from cyphar/keyring-AkihiroSuda
keyring: update AkihiroSuda's key
2026-03-05 09:43:11 +09:00
Kir Kolyshkin bc7f1c2f84 Merge pull request #5025 from askervin/5eA-workaround-max-1kcpus
libct: fix resetting CPU affinity
2026-03-04 13:26:42 -08:00
Antti Kervinen 700c944c4d libct: fix resetting CPU affinity
unix.CPUSet is limited to 1024 CPUs. Calling
unix.SchedSetaffinity(pid, cpuset) removes all CPUs starting from 1024
from allowed CPUs of pid, even if cpuset is all ones. As a
consequence, when runc tries to reset CPU affinity to "allow all" by
default, it prevents all containers from CPUs 1024 onwards.

This change uses a huge CPU mask to play safe and get all possible
CPUs enabled with a single sched_setaffinity call.

Fixes: #5023

Signed-off-by: Antti Kervinen <antti.kervinen@intel.com>
2026-03-04 13:06:33 -08:00
Kir Kolyshkin ffe8b28ff4 Merge pull request #5141 from cyphar/remove-deprecated-apis
libct: remove deprecated APIs
2026-03-04 11:40:28 -08:00
Aleksa Sarai 9ad18b1347 keyring: update AkihiroSuda's key
This comes from <https://github.com/AkihiroSuda.gpg> and is a valid
update of the key metadata.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-05 01:13:37 +11:00
Aleksa Sarai b9303a6fb9 Merge pull request #5144 from cyphar/keyring-check-no-keys
keyring: validate: allow maintainers to have no keys
2026-03-05 01:10:39 +11:00
Aleksa Sarai 936a59b07f keyring: validate: allow maintainers to have no keys
Some maintainers appear to have removed their PGP keys, which causes
"gpg --import" during "make validate-keyring" to fail. The solution is
to switch to a non-fatal warning if no keys were imported.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-05 00:42:06 +11:00
Aleksa Sarai e67725c087 contrib: remove deprecated memfd-bind binary
This was a really ugly hack to try to reduce the impact of our original
set of CVE-2019-5736 mitigations, but unfortunately had too many caveats
to its use to ever be really useful. In addition, it was completely
obsoleted by the migration to using an detached overlayfs mount in
commit 515f09f7b1 ("dmz: use overlayfs to write-protect /proc/self/exe
if possible").

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-05 00:04:35 +11:00
Aleksa Sarai 625ef531b7 libct: devices: drop deprecated cgroup types
These were all marked deprecated in commit a75076b4a4 ("Switch to
opencontainers/cgroups") when we switched maintenance of our cgroup code
to opencontainers/cgroups.

Users have had ample time to switch to opencontainers/cgroups
themselves, so we can finally remove this.

Note that the whole libcontainer/devices package will be moved to
moby/sys in the near future, so this whole package will be marked
deprecated soon.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-05 00:04:34 +11:00
Aleksa Sarai 6a77ee7864 libct: remove deprecated MPOL_* constants
These were inadvertently added to our exported APIs by commit
eeda7bdf80cca ("Add memory policy support"). We couldn't remove them
from runc 1.4.x, but we deprecated them in commit 3741f9186d
("libct/configs: mark MPOL_* constants as deprecated") and marked them
for removal in runc 1.5. Users should never have used these in the first
place.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-05 00:04:34 +11:00
Aleksa Sarai 87b0804345 libct: remove deprecated HooksList.RunHooks
This was deprecated in commit e6a4870e4ac40 ("libct: better errors for
hooks"), and users have had ample time to migrate to Hooks.Run since.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-04 23:01:30 +11:00
Aleksa Sarai 8fd8e433f8 libct: config: remove deprecated cgroup types
These were all marked deprecated in commit a75076b4a4 ("Switch to
opencontainers/cgroups") when we switched maintenance of our cgroup code
to opencontainers/cgroups.

Users have had ample time to switch to opencontainers/cgroups
themselves, so we can finally remove this.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-04 23:01:16 +11:00
Aleksa Sarai f0ea41ad1f CHANGELOG: add notice for removed libct/utils APIs
Ref: a412bd93e9 ("libct/utils: remove Deprecated functions")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-04 23:00:18 +11:00
Rodrigo Campos Catelin a1017ad400 Merge pull request #5139 from cyphar/aleksa-suse-email
keyring: remove asarai@suse.de key
2026-03-04 02:05:49 +01:00
Aleksa Sarai a691486c83 keyring: remove asarai@suse.de key
I no longer work at SUSE and thus this key (and email address) are no
longer associated with me.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2026-03-03 23:34:22 +11:00
lfbzhm a51b20a37b Merge pull request #5136 from opencontainers/dependabot/github_actions/actions/upload-artifact-7
build(deps): bump actions/upload-artifact from 6 to 7
2026-03-01 02:21:12 +08:00
lfbzhm 4d4e064109 Merge pull request #5133 from kolyshkin/usec
libct/specconv: fix panic in initSystemdProps
2026-02-27 18:55:42 +08:00
dependabot[bot] 106f302c54 build(deps): bump actions/upload-artifact from 6 to 7
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 6 to 7.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v6...v7)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-27 04:52:14 +00:00
lfbzhm 8de198f11d Merge pull request #5118 from kolyshkin/lint29
ci: bump golangci-lint to v2.10, fix some prealloc linter warnings
2026-02-27 12:37:12 +08:00
Kir Kolyshkin a48a7cef96 libct/specconv: fix panic in initSystemdProps
There is a chance of panic here -- eliminate it.

Add a test case (which panics before the fix).

Reported-by: Luke Hinds <luke@stacklok.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-26 18:26:46 -08:00
Kir Kolyshkin 392a221293 libct/specconv: TestInitSystemdProps: use t.Run
Use t.Run for individual tests. Add missing desc fields.

Best reviewed with --ignore-all-space.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-26 18:26:46 -08:00
Kir Kolyshkin ed6a3d6324 Merge pull request #5127 from kolyshkin/libct-ex
libcontainer: move example code out of README
2026-02-26 16:53:16 -08:00
Kir Kolyshkin 6a374e6c1d libcontainer: move example code out of README
Example code in README is outdated (especially since cgroups is moved to
a separate repository) and lacks proper import statements. And, since it
is not code, it is hard to keep it up to date.

Let's move it out to the example_test.go file and refer to it. Note we
still don't run it, but it will be compiled and linted in CI.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-26 09:36:56 -08:00
Kir Kolyshkin 61a1d1b3aa ci: bump golangci-lint to v2.10
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-25 13:48:55 -08:00
Kir Kolyshkin 5a6e1e18f9 Preallocate some slices
Fix *some* of the prealloc linter warnings. While it does not make sense
to address all warnings (or add prealloc to the list of linters we run
in CI), some do make sense.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-25 13:48:55 -08:00
Kir Kolyshkin e89f01eda9 Merge pull request #5124 from ricardobranco777/nocoredump
tests/int: Disable coredumps for SCMP_ACT_KILL tests
2026-02-25 13:44:31 -08:00
Ricardo Branco f18e97d312 tests/int: Disable coredumps for SCMP_ACT_KILL tests
SCMP_ACT_KILL terminates the process with a fatal signal, which may
produce a core dump depending on the host configuration.

While this is harmless on ephemeral CI instances, it can leave unwanted
core files on developer or customer systems. It also interferes with
test environments that detect unexpected core dumps.

Signed-off-by: Ricardo Branco <rbranco@suse.de>
2026-02-25 13:22:17 +01:00
Rodrigo Campos Catelin 1c30a17471 Merge pull request #5123 from kolyshkin/ci-el10
ci: update policycoreutils for CentOS 10
2026-02-25 10:49:47 +01:00
Kir Kolyshkin 3235c5a90a ci: update policycoreutils for CentOS 10
When container-selinux 4:2.246.0-1.el10 is installed, it produces the
following %post script warnings:

> ...
>   Running scriptlet: container-selinux-4:2.246.0-1.el10.noarch            26/37
>   Installing       : container-selinux-4:2.246.0-1.el10.noarch            26/37
>   Running scriptlet: container-selinux-4:2.246.0-1.el10.noarch            26/37
> libsemanage.semanage_pipe_data: Child process /usr/libexec/selinux/hll/pp failed with code: 255. (No data available).
> libsemanage.semanage_compile_module: container: libsepol.policydb_read: policydb module version 24 does not match my version range 4-23.
> libsemanage.semanage_compile_module: container: libsepol.sepol_module_package_read: invalid module in module package (at section 0).
> libsemanage.semanage_compile_module: container: libsepol.sepol_ppfile_to_module_package: Failed to read policy package.
> libsemanage.semanage_direct_commit: Failed to compile hll files into cil files. (No data available).
> semodule:  Failed!
> ...

For some reason, dnf install still succeeds, but when the selinux tests
fail with:

> chcon: failed to change context of '/tmp/bats-run-3MMyYP/runc.szTqBc/bundle/runc' to ‘system_u:object_r:container_runtime_exec_t:s0’: Invalid argument

All this is fixed once policycoreutils is added to the list of RPMS so
it is updated (from 3.9-3.el10 to 3.10-1.el10) during the same
transaction.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-24 16:09:41 -08:00
Kir Kolyshkin 165a4a0229 Merge pull request #5119 from kolyshkin/ubu2404
ci: switch to ubuntu 24.04 for cross-i386 job
2026-02-12 17:34:43 -08:00
Kir Kolyshkin 23effed6eb ci: switch to ubuntu 24.04 for cross-i386 job
Commit 67f6c37b ("ci/gha: switch to ubuntu 24.04") switched most GHA CI
to Ubuntu 24.04 except for one job. It says:

> Leave ubuntu-22.04 for ci/cross-i386 (issue with systemctl restart hang
> after apt install). This can be addressed separately later.

Assuming the issue it already fixed (updated systemd or something),
let's finalize the 24.04 switch.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-12 13:31:56 -08:00
Kir Kolyshkin f047c6b0f8 Merge pull request #5101 from kolyshkin/fix-exec
libct: prepareCgroupFD: fall back to container init cgroup
2026-02-11 12:33:40 -08:00
Kir Kolyshkin 1fdbab8107 tests/int: add "runc exec [init changes cgroup]"
Add a test case to reproduce runc issue 5089.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-11 11:57:27 -08:00
Kir Kolyshkin 6c07a37a58 libct: prepareCgroupFD: fall back to container init cgroup
Previously, when prepareCgroupFD would not open container's cgroup
(as configured in config.json and saved to state.json), it returned
a fatal error, as we presumed a container can't exist without its own
cgroup.

Apparently, it can. In a case when container is configured without
cgroupns (i.e. it uses hosts cgroups), and /sys/fs/cgroup is mounted
read-write, a rootful container's init can move itself to an entirely
different cgroup (even a new one that it just created), and then the
original container cgroup is removed by the kernel (or systemd?) as
it has no processes left. By the way, from the systemd point of view
the container is gone. And yet it is still there, and users want
runc exec to work!

And it worked, thanks to the "let's try container init's cgroup"
fallback as added by commit c91fe9aeba ("cgroup2: exec: join the
cgroup of the init process on EBUSY"). The fallback was added for
the entirely different reason, but it happened to work in this very
case, too.

This behavior was broken with the introduction of CLONE_INTO_CGROUP
support.

While it is debatable whether this is a valid scenario when a container
moves itself into a different cgroup, this very setup is used by e.g.
buildkitd running in a privileged kubernetes container (see issue 5089).

To restore the way things are expected to work, add the same "try
container init's cgroup" fallback into prepareCgroupFD.

While at it, simplify the code flow.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-11 11:57:25 -08:00
Kir Kolyshkin 1d030fab7d libct: refactor addIntoCgroupV2, fix wrt rootless
1. Refactor addIntoCgroupV2 in an attempt to simplify it.

2. Fix the bug of not trying the init cgroup fallback if
   rootlessCgroup is set. This is a bug because rootlessCgroup
   tells to ignore cgroup join errors, not to never try the fallback.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-11 11:56:57 -08:00
Kir Kolyshkin 94133fab97 libct: factor out initProcessCgroupPath
Separate initProcessCgroupPath code out of addIntoCgroupV2.
To be used by the next patch.

While at it, describe the new scenario in which the container's
configured cgroup might not be available.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-11 11:52:59 -08:00
Akihiro Suda fffd7cfde5 Merge pull request #5109 from kolyshkin/go126-released
ci: bump Go 1.26rc2 -> 1.26.x
2026-02-11 16:17:50 +09:00
Kir Kolyshkin daa5ffcc84 ci: bump Go 1.26rc2 -> 1.26.x
Since Go 1.26.0 is released today.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-02-10 13:05:24 -08:00
Kir Kolyshkin d12ba865ae Merge pull request #5106 from opencontainers/dependabot/go_modules/golang.org/x/net-0.50.0
build(deps): bump golang.org/x/net from 0.49.0 to 0.50.0
2026-02-10 11:01:51 -08:00
dependabot[bot] d9879698a3 build(deps): bump golang.org/x/net from 0.49.0 to 0.50.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.49.0 to 0.50.0.
- [Commits](https://github.com/golang/net/compare/v0.49.0...v0.50.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-version: 0.50.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-10 04:52:25 +00:00
lfbzhm 8cbd8f9027 Merge pull request #5104 from opencontainers/dependabot/github_actions/bats-core/bats-action-4.0.0
build(deps): bump bats-core/bats-action from 3.0.1 to 4.0.0
2026-02-09 17:10:21 +08:00
lfbzhm f60dfbcf90 Merge pull request #5105 from opencontainers/dependabot/go_modules/golang.org/x/sys-0.41.0
build(deps): bump golang.org/x/sys from 0.40.0 to 0.41.0
2026-02-09 17:09:39 +08:00
dependabot[bot] 06c7d3375e build(deps): bump golang.org/x/sys from 0.40.0 to 0.41.0
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.40.0 to 0.41.0.
- [Commits](https://github.com/golang/sys/compare/v0.40.0...v0.41.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-version: 0.41.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-09 04:53:03 +00:00
dependabot[bot] 4c7cf7d503 build(deps): bump bats-core/bats-action from 3.0.1 to 4.0.0
Bumps [bats-core/bats-action](https://github.com/bats-core/bats-action) from 3.0.1 to 4.0.0.
- [Release notes](https://github.com/bats-core/bats-action/releases)
- [Commits](https://github.com/bats-core/bats-action/compare/3.0.1...4.0.0)

---
updated-dependencies:
- dependency-name: bats-core/bats-action
  dependency-version: 4.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-09 04:52:53 +00:00
Kir Kolyshkin f6604e6386 Merge pull request #5098 from lifubang/fix-recattr-atime
libct/specconv: always clear entire MOUNT_ATTR__ATIME field when updating atime mode
2026-02-08 14:26:34 -08:00
lifubang 5560d55bfd libct/specconv: fix partial clear of atime mount flags
When parsing mount options into recAttrSet and recAttrClr,
the code sets attr_clr to individual atime flags (e.g.
MOUNT_ATTR_NOATIME or MOUNT_ATTR_STRICTATIME) when clearing
atime attributes. However, this violates the kernel's
requirement documented in mount_setattr(2)[1]:

> Note that, since the access-time values are an enumeration
> rather than bit values, a caller wanting to transition to a
> different access-time setting cannot simply specify the
> access-time setting in attr_set, but must also include
> MOUNT_ATTR__ATIME in the attr_clr field.  The kernel will
> verify that MOUNT_ATTR__ATIME isn't partially set in
> attr_clr (i.e., either all bits in the MOUNT_ATTR__ATIME
> bit field are either set or clear), and that attr_set
> doesn't have any access-time bits set if MOUNT_ATTR__ATIME
> isn't set in attr_clr.

Passing only a single atime flag (e.g. MOUNT_ATTR_RELATIME) in
attr_clr causes mount_setattr() to fail with EINVAL.

This change ensures that whenever an atime mode is updated,
attr_clr includes MOUNT_ATTR__ATIME to properly reset the
entire access-time attribute field before applying the new mode.

[1] https://man7.org/linux/man-pages/man2/mount_setattr.2.html

Signed-off-by: lifubang <lifubang@acmcoder.com>
2026-02-06 03:30:55 +00:00
Akihiro Suda 92c80abae1 Merge pull request #5091 from kolyshkin/go126
Fix runc exec vs go1.26 + older kernel
2026-02-04 19:43:32 +09:00
Kir Kolyshkin cb31d62f1c Fix exec vs Go 1.26
Since [PR 4812], runc exec tries to use clone3 syscall with
CLONE_INTO_CGROUP, falling back to the old method if it is not
supported.

One issue with that approach is, a

> Cmd cannot be reused after calling its [Cmd.Start], [Cmd.Run],
> [Cmd.Output], or [Cmd.CombinedOutput] methods.

(from https://pkg.go.dev/os/exec#Cmd).

This is enforced since Go 1.26, see [CL 728642], and so runc exec
actually fails in specific scenarios (go1.26 and no CLONE_INTO_CGROUP
support).

The easiest workaround is to pre-copy the p.cmd structure (copy = *cmd).
From the [CL 734200] it looks like it is an acceptable way, but it might
break in the future as it also copies the private fields, so let's do a
proper field-by-field copy. If the upstream will add cmd.Clone method,
we will switch to it.

Also, we can probably be fine with a post-copy (once the first Start has
failed), but let's be conservative here and do a pre-copy.

[PR 4812]: https://github.com/opencontainers/runc/pull/4812
[CL 728642]: https://go.dev/cl/728642
[CL 734200]: https://go.dev/cl/734200

Reported-by: Efim Verzakov <efimverzakov@gmail.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-01-29 13:49:34 -08:00
Kir Kolyshkin 82b7597a26 libct: check cmd.Err after exec.Command call
Theoretically, exec.Command can set cmd.Err.

Practically, this should never happen (Linux, Go <= 1.26, exePath is
absolute), but in the unlikely case it does, let's fail early.

This is related to the cloneCmd (to be introduced by the following
commit) which chooses to not copy the Err field. Theoretically,
exec.Command can set Err and so the first call to cmd.Start will fail
(since Err != nil), and the second call to cmd.Start may succeed because
Err == nil. Yet, this scenario is highly unlikely, but better be safe
than sorry.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-01-29 13:49:04 -08:00
Kir Kolyshkin e4e05423e4 ci: add go 1.26 rc2
This is mostly to test whether https://go.dev/cl/728642 results in
any test failures in the current CI matrix.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-01-28 17:34:14 -08:00
lfbzhm 08072e9368 Merge pull request #5093 from opencontainers/dependabot/go_modules/github.com/coreos/go-systemd/v22-22.7.0
build(deps): bump github.com/coreos/go-systemd/v22 from 22.6.0 to 22.7.0
2026-01-29 00:29:17 +08:00
dependabot[bot] 9abc1824f2 build(deps): bump github.com/coreos/go-systemd/v22 from 22.6.0 to 22.7.0
Bumps [github.com/coreos/go-systemd/v22](https://github.com/coreos/go-systemd) from 22.6.0 to 22.7.0.
- [Release notes](https://github.com/coreos/go-systemd/releases)
- [Commits](https://github.com/coreos/go-systemd/compare/v22.6.0...v22.7.0)

---
updated-dependencies:
- dependency-name: github.com/coreos/go-systemd/v22
  dependency-version: 22.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-01-28 04:52:18 +00:00
lfbzhm 3d60760d3b Merge pull request #5088 from kolyshkin/pointers 2026-01-27 08:05:02 +08:00
Kir Kolyshkin 593ac3b7d9 libct: use pointers for Process methods
The Process type is quite big (currently 368 bytes on a 64 bit Linux)
and using non-pointer receivers in its methods results in copying which
is totally unnecessary.

Change the methods to use pointer receivers.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-01-26 14:17:46 -08:00
Kir Kolyshkin 6cd91f665e libct/configs: use pointers for Config methods
The Config type is quite big (currently 554 bytes on a 64 bit Linux)
and using non-pointer receivers in its methods results in copying which
is totally unnecessary.

Change the methods to use pointer receivers.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-01-26 14:17:44 -08:00
Kir Kolyshkin 2088e000eb libct/configs: Id -> ID
Rename a function parameter (containerId -> containerID) to avoid a
linter warning:

> var-naming: method parameter containerId should be containerID (revive)

In many other places, including config.json (.linux.uidMappings and
.gidMappings) it is already called containerID, so let's rename.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-01-26 14:16:19 -08:00
lfbzhm 506a849db7 Merge pull request #5086 from opencontainers/dependabot/go_modules/github.com/sirupsen/logrus-1.9.4
build(deps): bump github.com/sirupsen/logrus from 1.9.3 to 1.9.4
2026-01-19 23:12:47 +08:00
dependabot[bot] 833e15e078 build(deps): bump github.com/sirupsen/logrus from 1.9.3 to 1.9.4
Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.3 to 1.9.4.
- [Release notes](https://github.com/sirupsen/logrus/releases)
- [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sirupsen/logrus/compare/v1.9.3...v1.9.4)

---
updated-dependencies:
- dependency-name: github.com/sirupsen/logrus
  dependency-version: 1.9.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-01-16 04:52:25 +00:00
Rodrigo Campos 9b40f6af91 Merge pull request #5085 from opencontainers/dependabot/go_modules/golang.org/x/net-0.49.0
build(deps): bump golang.org/x/net from 0.48.0 to 0.49.0
2026-01-13 22:23:09 -03:00
dependabot[bot] b650eda423 build(deps): bump golang.org/x/net from 0.48.0 to 0.49.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.48.0 to 0.49.0.
- [Commits](https://github.com/golang/net/compare/v0.48.0...v0.49.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-version: 0.49.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-01-13 06:33:37 +00:00
lfbzhm 3a4ffe8068 Merge pull request #5083 from opencontainers/dependabot/go_modules/golang.org/x/sys-0.40.0 2026-01-09 21:51:38 +08:00
dependabot[bot] 9e6a4cc36d build(deps): bump golang.org/x/sys from 0.39.0 to 0.40.0
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.39.0 to 0.40.0.
- [Commits](https://github.com/golang/sys/compare/v0.39.0...v0.40.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-version: 0.40.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-01-09 05:02:06 +00:00
Akihiro Suda 6dfec8bab1 Merge pull request #5081 from kolyshkin/sim
internal/sys: simplify WriteSysctls
2026-01-08 10:07:11 +09:00
Kir Kolyshkin c84a878cac internal/sys: simplify WriteSysctls
Apparently Write (and WriteString) must return an error (apparently
io.ErrShortWrite) on short writes (see [1], [2]), so no explicit check
for a short write is needed.

While at it, use (*os.File).WriteString directly rather than
io.WriteString.

[1]: https://pkg.go.dev/os#File.Write
[2]: https://pkg.go.dev/io#Writer
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-01-07 13:27:44 -08:00
Rodrigo Campos 7b39322a5d Merge pull request #5080 from lifubang/followup-5079
integration: quote shell value to prevent word splitting
2026-01-06 16:42:47 -03:00
lifubang 9632f1e198 integration: quote shell value to prevent word splitting
Signed-off-by: lifubang <lifubang@acmcoder.com>
2026-01-06 10:02:03 +00:00
Kir Kolyshkin ed01e20ee3 Merge pull request #5079 from ricardobranco777/no_new_privs
integration: Skip test for new privileges if NoNewPrivs is set
2026-01-05 16:53:46 -08:00
Ricardo Branco c1ba275d88 integration: Skip test for new privileges if NoNewPrivs is set
Signed-off-by: Ricardo Branco <rbranco@suse.de>
2026-01-06 00:55:15 +01:00
lfbzhm 561c95f7cf Merge pull request #5078 from opencontainers/dependabot/go_modules/github.com/godbus/dbus/v5-5.2.2
build(deps): bump github.com/godbus/dbus/v5 from 5.2.0 to 5.2.2
2026-01-05 14:44:20 +08:00
dependabot[bot] 9d0d5ea411 build(deps): bump github.com/godbus/dbus/v5 from 5.2.0 to 5.2.2
Bumps [github.com/godbus/dbus/v5](https://github.com/godbus/dbus) from 5.2.0 to 5.2.2.
- [Release notes](https://github.com/godbus/dbus/releases)
- [Commits](https://github.com/godbus/dbus/compare/v5.2.0...v5.2.2)

---
updated-dependencies:
- dependency-name: github.com/godbus/dbus/v5
  dependency-version: 5.2.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-12-30 04:02:43 +00:00
lfbzhm 4246d6a078 Merge pull request #5076 from rata/main
Update rata's email address
2025-12-21 13:05:05 +08:00
Rodrigo Campos a4b2adc566 Merge pull request #5075 from kolyshkin/fix-modernize-url
ci: fix modernize URL
2025-12-20 01:23:04 -03:00
Rodrigo Campos cf9076db56 Update rata's email address
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2025-12-19 15:01:45 -03:00
Kir Kolyshkin 0d788db46d Merge pull request #5068 from opencontainers/dependabot/github_actions/actions/upload-artifact-6
build(deps): bump actions/upload-artifact from 5 to 6
2025-12-17 19:33:19 -08:00
Kir Kolyshkin a431b11529 Merge pull request #5069 from opencontainers/dependabot/go_modules/google.golang.org/protobuf-1.36.11
build(deps): bump google.golang.org/protobuf from 1.36.10 to 1.36.11
2025-12-17 19:32:27 -08:00
Kir Kolyshkin 428043bcf2 ci: fix modernize URL
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-17 11:57:00 -08:00
dependabot[bot] b4887cec32 build(deps): bump google.golang.org/protobuf from 1.36.10 to 1.36.11
Bumps google.golang.org/protobuf from 1.36.10 to 1.36.11.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-version: 1.36.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-12-17 01:30:19 +00:00
Kir Kolyshkin ef5e8a5505 Merge pull request #5064 from opencontainers/dependabot/go_modules/golang.org/x/net-0.48.0
build(deps): bump golang.org/x/net from 0.47.0 to 0.48.0
2025-12-16 17:29:13 -08:00
dependabot[bot] 65fe59d01d build(deps): bump golang.org/x/net from 0.47.0 to 0.48.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.47.0 to 0.48.0.
- [Commits](https://github.com/golang/net/compare/v0.47.0...v0.48.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-version: 0.48.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-12-17 00:54:36 +00:00
Kir Kolyshkin 7658403efc Merge pull request #5050 from cyphar/release-policy-finalised
RELEASES: finalise policy
2025-12-16 16:54:27 -08:00
dependabot[bot] 3be9a054e7 build(deps): bump actions/upload-artifact from 5 to 6
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 5 to 6.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v5...v6)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-12-17 00:53:57 +00:00
Rodrigo Campos 58c2e4aca7 Merge pull request #5072 from kolyshkin/ci-125
CI: fix modernize job failure
2025-12-17 01:40:56 +01:00
Kir Kolyshkin 20bdd0b537 ci: use Go 1.25 for validate jobs
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-16 15:05:01 -08:00
Kir Kolyshkin dbc4234607 ci: drop -test from modernize run
The modernize documentation used to suggest -test flag but it's not
needed as it is enabled by default. Drop it.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-16 15:05:01 -08:00
Kir Kolyshkin 16ee2bbf4c ci: use latest Go for modernize job
Since we use modernize@latest, it may require latest Go as well (and now it does),
so use "go-version: stable" explicitly (which resolves to latest Go).

This fixes the issue with CI:

> go: golang.org/x/tools/gopls/internal/analysis/modernize/cmd/modernize@latest: golang.org/x/tools/gopls@v0.21.0 requires go >= 1.25 (running go 1.24.11; GOTOOLCHAIN=local)

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-16 15:04:58 -08:00
Kir Kolyshkin 652269729d libc/int: use strings.Builder
Generated by modernize@latest (v0.21.0).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-16 15:04:04 -08:00
Akihiro Suda 4dcda051da Merge pull request #5055 from kolyshkin/mpol-2
libct/configs: mark MPOL_* constants as deprecated
2025-12-16 10:39:09 +09:00
Akihiro Suda f38b1cef24 Merge pull request #5061 from curdbecker/fix/missing-error-unwrapping-in-init-container
Handle os.Is* wrapped errors correctly
2025-12-16 10:26:56 +09:00
Kir Kolyshkin d978dd2f14 Merge pull request #5057 from kolyshkin/sd-act
Copy go-systemd/activation.Files code to avoid bringing in crypto/tls
2025-12-15 13:36:42 -08:00
Akihiro Suda f29c4df140 Merge pull request #5067 from opencontainers/dependabot/github_actions/actions/cache-5
build(deps): bump actions/cache from 4 to 5
2025-12-15 15:01:18 +09:00
dependabot[bot] 18c3adb8dc build(deps): bump actions/cache from 4 to 5
Bumps [actions/cache](https://github.com/actions/cache) from 4 to 5.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-12-12 04:02:43 +00:00
Curd Becker 58d24d2dfb Add linter rule to guard against use of os.Is* error functions
Signed-off-by: Curd Becker <me@curd-becker.de>
2025-12-11 03:16:11 +01:00
Curd Becker 536e183451 Replace os.Is* error checking functions with their errors.Is counterpart
Signed-off-by: Curd Becker <me@curd-becker.de>
2025-12-11 03:16:02 +01:00
Kir Kolyshkin 3741f9186d libct/configs: mark MPOL_* constants as deprecated
Alas, these new constants are already in v1.4.0 release so we can't
remove those right away, but we can mark them as deprecated now
and target removal for v1.5.0.

So,
 - mark them as deprecated;
 - redefine via unix.MPOL_* counterparts;
 - fix the validator code to use unix.MPOL_* directly.

This amends commit a0e809a8.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-08 15:36:29 -08:00
Kir Kolyshkin 6ede591761 internal/systemd: simplify
Remove unused code and argument from the ActivationFiles,
and simplify its usage.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-08 15:34:58 -08:00
Kir Kolyshkin ba9e60f7a8 Remove crypto/tls dependency
It appears that when we import github.com/coreos/go-systemd/activation,
it brings in the whole crypto/tls package (which is not used by runc
directly or indirectly), making the runc binary size larger and
potentially creating issues with FIPS compliance.

Let's copy the code of function we use from go-systemd/activation
to avoid that.

The space savings are:

$ size runc.before runc.after
   text	   data	    bss	    dec	    hex	filename
7101084	5049593	 271560	12422237	 bd8c5d	runc.before
6508796	4623281	 229128	11361205	 ad5bb5	runc.after

Reported-by: Dimitri John Ledkov <dimitri.ledkov@surgut.co.uk>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-08 15:31:42 -08:00
lfbzhm e0adafb4ca Merge pull request #5054 from kolyshkin/alma10
Add EL10 to CI
2025-12-05 11:43:58 +08:00
Rodrigo Campos ee8f6b61be Merge pull request #5012 from kolyshkin/criu-dev-ignore-fails
ci: don't fail CI if criu-dev test fails
2025-12-05 04:15:31 +01:00
Kir Kolyshkin 5407cfe4a1 ci: don't fail CI if criu-dev test fails
In view of recent criu-dev failure, let's not fail the
required "all-done" job when criu-dev tests fail.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-05 10:54:00 +08:00
Kir Kolyshkin 4f93f06fb7 ci: add centos-cloud-10 run
Alas there's no almalinux-10 so we use centos-stream-10.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-03 23:16:29 -08:00
Kir Kolyshkin 94167dae29 .cirrus.yml: use dnf not yum
Since we dropped EL7, we can use dnf everywhere.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-03 23:16:29 -08:00
Akihiro Suda 14cc644c33 Merge pull request #5053 from kolyshkin/misc-bumps
Various version bumps (mostly CI)
2025-12-04 08:19:30 +09:00
Kir Kolyshkin 68771cfe51 ci: bump shellcheck to v0.11.0
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-03 10:22:14 -08:00
Kir Kolyshkin 79b97d4642 Use Go 1.25 for official builds
(as well as for testing on Cirrus CI)

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-03 10:22:14 -08:00
Kir Kolyshkin f4710e5023 Bump seccomp to v2.6.0
This version was released almost a year ago.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-03 10:22:14 -08:00
Kir Kolyshkin f128234354 ci: bump bats to 1.12.0
This which is already using in CI on Fedora.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-03 10:22:14 -08:00
Kir Kolyshkin 54d8257ec1 Merge pull request #5052 from cyphar/release-tarball
release: use runc-$version.tar.xz as archive name
2025-12-03 09:13:15 -08:00
Kir Kolyshkin fd185882e5 Merge pull request #5009 from kolyshkin/defer-close-init
Close fds on error
2025-12-02 17:35:12 -08:00
Kir Kolyshkin 93792e6c13 notify_socket: close fds on error
Reported in issue 5008.

Reported-by: Arina Cherednik <arinacherednik034@gmail.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-02 15:15:23 -08:00
Kir Kolyshkin 8a9b4dcda6 libct: mountFd: close mountFile on error
Reported in issue 5008.

Reported-by: Arina Cherednik <arinacherednik034@gmail.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-02 15:15:23 -08:00
Kir Kolyshkin c24965b742 libct: newProcessComm: close fds on error
Reported in issue 5008.

Reported-by: Arina Cherednik <arinacherednik034@gmail.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-02 15:15:23 -08:00
Kir Kolyshkin 88f897160c libct: startInitialization: add defer close
This function calls Init what normally never returns, so the defer only
works if there is an error and we can safely use it to close those fds
we opened. This was done for most but not all fds.

Reported in issue 5008.

Reported-by: Arina Cherednik <arinacherednik034@gmail.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-12-02 15:15:23 -08:00
Kir Kolyshkin 1f1ff4be06 Merge pull request #5051 from cyphar/libct-utils-deprecated
libct/utils: remove Deprecated functions
2025-12-02 15:06:01 -08:00
Aleksa Sarai 7c8fccd646 release: use runc-$version.tar.xz as archive name
Because we add the runc-$version/ prefix to the archive we generate,
including the version in the name makes it easier for some tools to
operate on as it matches most other projects (for openSUSE we rename the
archive file to this format in order for the automated RPM scripts to
work properly).

Also, when doing several releases at the same time, being able to
double-check that the correct artefact versions were uploaded for each
release can be quite handy.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-30 15:10:36 +11:00
Rodrigo Campos 20a9532fd0 Merge pull request #5049 from cyphar/changelog-update
CHANGELOG: forward-port changelog entries
2025-11-28 08:34:57 -03:00
Akihiro Suda 64c3c8eea6 Merge pull request #4994 from kolyshkin/gofumpt-extra
Enable gofumpt extra rules
2025-11-28 09:30:57 +09:00
Aleksa Sarai a412bd93e9 libct/utils: remove Deprecated functions
These were all marked for deprecation in runc 1.5.0, so remove them now
to make sure we don't forget.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-28 11:11:11 +11:00
Aleksa Sarai bf258ce163 RELEASES: remove <= 1.1.x special casing
Now that runc 1.4.0 has been released, there is no need to single out
1.1.x and earlier as no longer being supported, as latest-2 is now 1.2.x
and thus 1.1.x would no longer be supported even with the new support
model.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-28 11:07:47 +11:00
Aleksa Sarai 0c150f4c3a RELEASES: remove 'draft' section of policy
We have used this release policy for a year and it seems to work well
for everyone and we haven't received much feedback, so it seems
reasonable to say that we are committed to this policy now.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-28 11:06:41 +11:00
Aleksa Sarai 48de3431a1 CHANGELOG: forward-port changelog entries
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-28 11:04:33 +11:00
lfbzhm 52c3a0e794 Merge pull request #4985 from cyphar/hallucinated-paths
pathrs: add "hallucination" helpers for SecureJoin magic
2025-11-26 22:12:59 +08:00
lifubang 15d7c214cd integration: add some tests for bind mount through dangling symlinks
We intentionally broke this in commit d40b3439a9 ("rootfs: switch to
fd-based handling of mountpoint targets") under the assumption that most
users do not need this feature. Sadly it turns out they do, and so
commit 3f925525b4 ("rootfs: re-allow dangling symlinks in mount
targets") added a hotfix to re-add this functionality.

This patch adds some much-needed tests for this behaviour, since it
seems we are going to need to keep this for compatibility reasons (at
least until runc v2...).

Co-developed-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-26 21:04:05 +11:00
Aleksa Sarai 195e9551e4 pathrs: add MkdirAllParentInRoot helper
While CreateInRoot supports hallucinating the target path, we do not use
it directly when constructing device inode targets because we need to
have different handling for mknod and bind-mounts.

The solution is to simply have a more generic MkdirAllParentInRoot
helper that MkdirAll's the parent directory of the target path and then
allows the caller to create the trailing component however they like.
(This can be used by CreateInRoot internally as well!)

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-26 21:04:05 +11:00
Aleksa Sarai cfb74326be pathrs: add "hallucination" helpers for SecureJoin magic
In order to maintain compatibility with previous releases of runc (which
permitted dangling symlinks as path components by permitting
non-existent path components to be treated like real directories) we
have to first do SecureJoin to construct a target path that is
compatible with the old behaviour but has all dangling symlinks (or
other invalid paths like ".." components after non-existent directories)
removed.

This is effectively a more generic verison of commit 3f925525b4
("rootfs: re-allow dangling symlinks in mount targets") and will let us
remove the need for open-coding SecureJoin workarounds.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-26 21:04:05 +11:00
Aleksa Sarai 20c5a8ec4a pathrs: rename MkdirAllInRootOpen -> MkdirAllInRoot
Now that MkdirAllInRoot has been removed, we can make MkdirAllInRootOpen
less wordy by renaming it to MkdirAllInRoot. This is a non-functional
change.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-26 21:04:04 +11:00
Aleksa Sarai 9dbd37e06f libct: switch final WithProcfd users to WithProcfdFile
This probably should've been done as part of commit d40b3439a9
("rootfs: switch to fd-based handling of mountpoint targets") but it
seems I missed them when doing the rest of the conversions.

This also lets us remove utils.WithProcfd entirely, as well as
pathrs.MkdirAllInRoot. Unfortunately, WithProcfd was exposed in the
externally-importable "libcontainer/utils" package and so we need to
have a deprecation notice to remove it in runc 1.5.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-26 21:03:30 +11:00
Aleksa Sarai 42a1e19d67 libcontainer: move CleanPath and StripRoot to internal/pathrs
These helpers will be needed for the compatibility code added in future
patches in this series, but because "internal/pathrs" is imported by
"libcontainer/utils" we need to move them so that we can avoid circular
dependencies.

Because the old functions were in a non-internal package it is possible
some downstreams use them, so add some wrappers but mark them as
deprecated.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-26 21:03:29 +11:00
Akihiro Suda 475473d869 Merge pull request #5026 from lifubang/ci-detect-fdleak-try-best
fix fd leaks and detect them as comprehensively as possible
2025-11-26 08:33:53 +09:00
lfbzhm a7a402a7ea Merge pull request #4928 from kolyshkin/better-init-errors
Better errors from `runc init`
2025-11-22 15:02:52 +08:00
Kir Kolyshkin f944ccecb2 runc create/run/exec: show fatal errors from init
In case early stage of runc init (nsenter) fails for some reason, it
logs error(s) with FATAL log level, via bail().

The runc init log is read by a parent (runc create/run/exec) and is
logged via normal logrus mechanism, which is all fine and dandy, except
when `runc init` fails, we return the error from the parent (which is
usually not too helpful, for example):

	runc run failed: unable to start container process: can't get final child's PID from pipe: EOF

Now, the actual underlying error is from runc init and it was logged
earlier; here's how full runc output looks like:

	FATA[0000] nsexec-1[3247792]: failed to unshare remaining namespaces: No space left on device
	FATA[0000] nsexec-0[3247790]: failed to sync with stage-1: next state
	ERRO[0000] runc run failed: unable to start container process: can't get final child's PID from pipe: EOF

The problem is, upper level runtimes tend to ignore everything except
the last line from runc, and thus error reported by e.g. docker is not
very helpful.

This patch tries to improve the situation by collecting FATAL errors
from runc init and appending those to the error returned (instead of
logging). With it, the above error will look like this:

	ERRO[0000] runc run failed: unable to start container process: can't get final child's PID from pipe: EOF; runc init error(s): nsexec-1[141549]: failed to unshare remaining namespaces: No space left on device; nsexec-0[141547]: failed to sync with stage-1: next state

Yes, it is long and ugly, but at least the upper level runtime will
report it.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-11-22 12:11:20 +07:00
Aleksa Sarai 21ad0e4399 Merge pull request #5037 from opencontainers/dependabot/github_actions/actions/checkout-6
build(deps): bump actions/checkout from 5 to 6
2025-11-21 17:22:16 +11:00
dependabot[bot] 257fb71e45 build(deps): bump actions/checkout from 5 to 6
Bumps [actions/checkout](https://github.com/actions/checkout) from 5 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v5...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-11-21 04:02:45 +00:00
lifubang d8706501cf integration: verify syscall compatibility after seccomp enforcement
Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-11-20 19:43:22 +08:00
lifubang 75188fab73 bump github.com/cyphar/filepath-securejoin from 0.6.0 to 0.6.1
Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-11-20 19:43:22 +08:00
lifubang 6ac151d69b libct: add a defer fd close in createDeviceNode
Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-11-20 19:43:22 +08:00
lifubang 69785c117c libct: always close m.dstFile in mountToRootfs
Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-11-20 19:43:22 +08:00
lifubang b209358db3 ci: detect file descriptor leaks as comprehensively as possible
Co-authored-by: Aleksa Sarai <cyphar@cyphar.com>
Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-11-20 19:43:22 +08:00
lfbzhm 9504c6f2ad Merge pull request #5014 from kolyshkin/fd-leaks-flake
libct/int: TestFdLeaks: deflake
2025-11-20 17:53:40 +08:00
Kir Kolyshkin 5fbc3bb019 libct/int: TestFdLeaks: deflake
Since the recent CVE fixes, TestFdLeaksSystemd sometimes fails:

	=== RUN   TestFdLeaksSystemd
	    exec_test.go:1750: extra fd 9 -> /12224/task/13831/fd
	    exec_test.go:1753: found 1 extra fds after container.Run
	--- FAIL: TestFdLeaksSystemd (0.10s)

It might have been caused by the change to the test code in commit
ff6fe13 ("utils: use safe procfs for /proc/self/fd loop code") -- we are
now opening a file descriptor during the logic to get a list of file
descriptors. If the file descriptor happens to be allocated to a
different number, you'll get an error.

Let's try to filter out the fd used to read a directory.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-11-20 15:36:14 +08:00
lfbzhm f2aa133feb Merge pull request #5001 from opencontainers/dependabot/go_modules/golang.org/x/net-0.47.0
build(deps): bump golang.org/x/net from 0.46.0 to 0.47.0
2025-11-20 10:16:13 +08:00
dependabot[bot] da4ec2375c build(deps): bump golang.org/x/net from 0.46.0 to 0.47.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.46.0 to 0.47.0.
- [Commits](https://github.com/golang/net/compare/v0.46.0...v0.47.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-version: 0.47.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-11-20 09:52:34 +08:00
lfbzhm db1b9368e1 Merge pull request #5018 from opencontainers/dependabot/go_modules/github.com/godbus/dbus/v5-5.2.0
build(deps): bump github.com/godbus/dbus/v5 from 5.1.0 to 5.2.0
2025-11-20 09:51:28 +08:00
Akihiro Suda 73f7c0a7c5 Merge pull request #5019 from opencontainers/dependabot/go_modules/github.com/opencontainers/selinux-1.13.1
build(deps): bump github.com/opencontainers/selinux from 1.13.0 to 1.13.1
2025-11-20 10:37:38 +09:00
dependabot[bot] 95baf621b4 build(deps): bump github.com/opencontainers/selinux
Bumps [github.com/opencontainers/selinux](https://github.com/opencontainers/selinux) from 1.13.0 to 1.13.1.
- [Release notes](https://github.com/opencontainers/selinux/releases)
- [Commits](https://github.com/opencontainers/selinux/compare/v1.13.0...v1.13.1)

---
updated-dependencies:
- dependency-name: github.com/opencontainers/selinux
  dependency-version: 1.13.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-11-20 01:15:13 +00:00
dependabot[bot] 8f2a85dc94 build(deps): bump github.com/godbus/dbus/v5 from 5.1.0 to 5.2.0
Bumps [github.com/godbus/dbus/v5](https://github.com/godbus/dbus) from 5.1.0 to 5.2.0.
- [Release notes](https://github.com/godbus/dbus/releases)
- [Commits](https://github.com/godbus/dbus/compare/v5.1.0...v5.2.0)

---
updated-dependencies:
- dependency-name: github.com/godbus/dbus/v5
  dependency-version: 5.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-11-20 01:15:03 +00:00
Aleksa Sarai 117d334130 merge #5017 into opencontainers/runc:main
Li Fubang (1):
  ci: ensure the cgroup(v1) parent always exists for rootless

LGTMs: AkihiroSuda cyphar
2025-11-20 03:26:19 +11:00
lifubang bba7647d09 ci: ensure the cgroup(v1) parent always exists for rootless
On some systems (e.g., AlmaLinux 8), systemd automatically removes cgroup paths
when they become empty (i.e., contain no processes). To prevent this, we spawn
a dummy process to pin the cgroup in place.
Fix: https://github.com/opencontainers/runc/issues/5003

Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-11-18 13:58:46 +00:00
Kir Kolyshkin 59a5ff14a2 Merge pull request #4948 from AkihiroSuda/spec-1.3
docs/spec-conformance.md: update for spec v1.3.0
2025-11-12 15:14:49 -08:00
Aleksa Sarai 36667a33e2 merge #4997 into opencontainers/runc:main
Kir Kolyshkin (2):
  ci: add checking Go version from Dockerfile
  ci: faster git clone

LGTMs: cyphar thaJeztah
2025-11-12 20:23:30 +11:00
Aleksa Sarai 6a737ed1b7 merge #4956 into opencontainers/runc:main
Akihiro Suda (1):
  Deprecate cgroup v1

LGTMs: kolyshkin cyphar
2025-11-12 20:17:45 +11:00
Akihiro Suda 653161f6d8 docs/spec-conformance.md: update for spec v1.3.0
ref: opencontainers/runtime-spec PR 1302

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-12 20:15:54 +11:00
Kir Kolyshkin df4acc8867 ci: add checking Go version from Dockerfile
This is to ensure that Go version in Dockerfile (which is used to build
release binaries) is:
 - currently supported;
 - used in CI tests.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-11-11 20:20:21 -08:00
Kir Kolyshkin 3fe21c54e6 ci: faster git clone
For some reason, some jobs in .github/workflows/validate.yml
have "fetch-depth: 0" argument to actions/checkout, meaning
"all history for all branches and tags". Obviously this is
not needed here.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-11-11 20:20:21 -08:00
Akihiro Suda 996278a189 Merge pull request #4949 from cyphar/pids-limit-0
runtime-spec: update pids.limit handling to match new guidance
2025-11-11 03:47:18 -05:00
Aleksa Sarai 8ab2458bc4 update: switch to generics for mkPtr logic
This is much easier to read and removes the need for explicit per-type
helper functions.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-11 15:16:50 +11:00
Aleksa Sarai 72421e0e25 tests: add pids.limit tests
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-11 15:16:50 +11:00
Aleksa Sarai 3b75374cc7 runtime-spec: update pids.limit handling to match new guidance
The main update is actually in github.com/opencontainers/cgroups, but we
need to also update runtime-spec to a newer pre-release version to get
the updates from there as well.

In short, the behaviour change is now that "0" is treated as a valid
value to set in "pids.max", "-1" means "max" and unset/nil means "do
nothing". As described in the opencontainers/cgroups PR, this change is
actually backwards compatible because our internal state.json stores
PidsLimit, and that entry is marked as "omitempty". So, an old runc
would omit PidsLimit=0 in state.json, and this will be parsed by a new
runc as being "nil" -- and both would treat this case as "do not set
anything".

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-11 15:15:27 +11:00
Kir Kolyshkin 67840cce4b Enable gofumpt extra rules
Commit b2f8a74d "clothed" the naked return as inflicted by gofumpt
v0.9.0. Since gofumpt v0.9.2 this rule was moved to "extra" category,
not enabled by default. The only other "extra" rule is to group adjacent
parameters with the same type, which also makes sense.

Enable gofumpt "extra" rules, and reformat the code accordingly.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-11-10 13:18:45 -08:00
Aleksa Sarai eec1f7e34b merge #4973 into opencontainers/runc:main
Aleksa Sarai (1):
  rootfs: only set mode= for tmpfs mount if target already existed

LGTMS: lifubang thaJeztah
2025-11-11 03:10:01 +11:00
Aleksa Sarai 5e40702bf1 Merge pull request #4993 from opencontainers/dependabot/go_modules/golang.org/x/sys-0.38.0
build(deps): bump golang.org/x/sys from 0.37.0 to 0.38.0
2025-11-10 21:05:30 +11:00
Aleksa Sarai d72e268d2b Merge pull request #4992 from opencontainers/dependabot/github_actions/golangci/golangci-lint-action-9
build(deps): bump golangci/golangci-lint-action from 8 to 9
2025-11-10 21:05:01 +11:00
Aleksa Sarai a0e809a8ba libct: switch to unix.SetMemPolicy wrapper
This is mostly a mechanical change, but we also need to change some
types to match the "mode int" argument that golang.org/x/sys/unix
decided to use.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-10 16:03:02 +11:00
dependabot[bot] 071beab281 build(deps): bump golang.org/x/sys from 0.37.0 to 0.38.0
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.37.0 to 0.38.0.
- [Commits](https://github.com/golang/sys/compare/v0.37.0...v0.38.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-version: 0.38.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-11-10 04:03:04 +00:00
dependabot[bot] c0db4632d2 build(deps): bump golangci/golangci-lint-action from 8 to 9
Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 8 to 9.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](https://github.com/golangci/golangci-lint-action/compare/v8...v9)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-version: '9'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-11-10 04:02:58 +00:00
Aleksa Sarai 9a9719eeb4 rootfs: only set mode= for tmpfs mount if target already existed
This was always the intended behaviour but commit 72fbb34f50 ("rootfs:
switch to fd-based handling of mountpoint targets") regressed it when
adding a mechanism to create a file handle to the target if it didn't
already exist (causing the later stat to always succeed).

A lot of people depend on this functionality, so add some tests to make
sure we don't break it in the future.

Fixes: 72fbb34f50 ("rootfs: switch to fd-based handling of mountpoint targets")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-08 23:11:57 +11:00
lfbzhm 95762b6ee1 Merge pull request #4977 from cyphar/selinux-1.13
deps: update to github.com/opencontainers/selinux@v0.13.0
2025-11-08 09:58:48 +08:00
Aleksa Sarai 96f1962f91 deps: update to github.com/opencontainers/selinux@v0.13.0
This new version includes the fixes for CVE-2025-52881, so we can remove
the internal/third_party copy of the library we added in commit
ed6b1693b8 ("selinux: use safe procfs API for labels") as well as the
"replace" directive in go.mod (which is problematic for "go get"
installs).

Fixes: ed6b1693b8 ("selinux: use safe procfs API for labels")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-08 02:14:38 +11:00
Rodrigo Campos 846835cce9 Merge pull request #4970 from kolyshkin/fix-lint
ci: disable golangci-lint cache to fix false positives
2025-11-07 06:12:37 -03:00
Kir Kolyshkin 49780ce734 ci: bump golangci-lint to v2.6
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-11-05 20:05:05 -08:00
Kir Kolyshkin 96dfa9de54 ci: disable golangci-lint cache
This will result in slower runs but we are having issues with
golangci-lint (false positives) that are most probably related
to caching.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-11-05 20:04:53 -08:00
Aleksa Sarai f73814296c merge #4964 into opencontainers/runc:main
Kir Kolyshkin (1):
  libct: fix mips compilation

LGTMs: AkihiroSuda cyphar
2025-11-06 13:44:17 +11:00
Kir Kolyshkin 1b954f1f06 libct: fix mips compilation
On MIPS arches, Rdev is uint32 so we have to convert it.

Fixes issue 4962.

Fixes: 8476df83 ("libct: add/use isDevNull, verifyDevNull")
Fixes: de87203e ("console: verify /dev/pts/ptmx before use")
Fixes: 398955bc ("console: add fallback for pre-TIOCGPTPEER kernels")
Reported-by: Tianon Gravi <admwiggin@gmail.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-11-05 17:56:14 -08:00
Aleksa Sarai 2f74f4ae1b merge private security patches into opencontainers/runc:main
Aleksa Sarai (21):
  rootfs: re-allow dangling symlinks in mount targets
  openat2: improve resilience on busy systems
  selinux: use safe procfs API for labels
  rootfs: switch to fd-based handling of mountpoint targets
  libct/system: use securejoin for /proc/$pid/stat
  init: use securejoin for /proc/self/setgroups
  init: write sysctls using safe procfs API
  utils: remove unneeded EnsureProcHandle
  utils: use safe procfs for /proc/self/fd loop code
  apparmor: use safe procfs API for labels
  ci: add lint to forbid the usage of os.Create
  rootfs: avoid using os.Create for new device inodes
  internal: add wrappers for securejoin.Proc*
  go.mod: update to github.com/cyphar/filepath-securejoin@v0.5.0
  console: verify /dev/pts/ptmx before use
  console: avoid trivial symlink attacks for /dev/console
  console: add fallback for pre-TIOCGPTPEER kernels
  console: use TIOCGPTPEER when allocating peer PTY
  *: switch to safer securejoin.Reopen
  internal: move utils.MkdirAllInRoot to internal/pathrs
  internal/sys: add VerifyInode helper

Li Fubang (1):
  libct: align param type for mountCgroupV1/V2 functions

Kir Kolyshkin (3):
  libct: maskPaths: don't rely on ENOTDIR for mount
  libct: maskPaths: only ignore ENOENT on mount dest
  libct: add/use isDevNull, verifyDevNull

Fixes: CVE-2025-31133 GHSA-9493-h29p-rfm2
Fixes: CVE-2025-52565 GHSA-qw9x-cqr3-wc7r
Fixes: CVE-2025-52881 GHSA-cgrx-mc8f-2prm
Reported-by: Lei Wang <ssst0n3@gmail.com>
Reported-by: Li Fubang <lifubang@acmcoder.com>
Reported-by: Tõnis Tiigi <tonistiigi@gmail.com>
Reported-by: Aleksa Sarai <cyphar@cyphar.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-05 20:19:30 +11:00
Aleksa Sarai 3f925525b4 rootfs: re-allow dangling symlinks in mount targets
It seems there are a fair few images where dangling symlinks are used as
path components for mount targets, which pathrs-lite does not support
(and it would be difficult to fully support this in a race-free way).

This was actually meant to be blocked by commit 63c2908164 ("rootfs:
try to scope MkdirAll to stay inside the rootfs"), followed by commit
dd827f7b71 ("utils: switch to securejoin.MkdirAllHandle"). However, we
still used SecureJoin to construct mountpoint targets, which means that
dangling symlinks were "resolved" before reaching pathrs-lite.

This patch basically re-adds this hack in order to reduce the breakages
we've seen so far.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-05 18:58:07 +11:00
Aleksa Sarai a41366e740 openat2: improve resilience on busy systems
Previously, we would see a ~3% failure rate when starting containers
with mounts that contain ".." (which can trigger -EAGAIN). To counteract
this, filepath-securejoin v0.5.1 includes a bump of the internal retry
limit from 32 to 128, which lowers the failure rate to 0.12%.

However, there is still a risk of spurious failure on regular systems.
In order to try to provide more resilience (while avoiding DoS attacks),
this patch also includes an additional retry loop that terminates based
on a deadline rather than retry count. The deadline is 2ms, as my
testing found that ~800us for a single pathrs operation was the longest
latency due to -EAGAIN retries, and that was an outlier compared to the
more common ~400us latencies -- so 2ms should be more than enough for
any real system.

The failure rates above were based on more 50k runs of runc with an
attack script (from libpathrs) running a rename attack on all cores of a
16-core system, which is arguably a worst-case but heavily utilised
servers could likely approach similar results.

Tested-by: Phil Estes <estesp@gmail.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-05 18:57:51 +11:00
Aleksa Sarai ed6b1693b8 selinux: use safe procfs API for labels
Due to the sensitive nature of these fixes, it was not possible to
submit these upstream and vendor the upstream library. Instead, this
patch uses a fork of github.com/opencontainers/selinux, branched at
commit opencontainers/selinux@879a755db5.

In order to permit downstreams to build with this patched version, a
snapshot of the forked version has been included in
internal/third_party/selinux. Note that since we use "go mod vendor",
the patched code is usable even without being "go get"-able. Once the
embargo for this issue is lifted we can submit the patches upstream and
switch back to a proper upstream go.mod entry.

Also, this requires us to temporarily disable the CI job we have that
disallows "replace" directives.

Fixes: GHSA-cgrx-mc8f-2prm CVE-2025-52881
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-01 21:24:06 +11:00
Aleksa Sarai d40b3439a9 rootfs: switch to fd-based handling of mountpoint targets
An attacker could race with us during mount configuration in order to
trick us into mounting over an unexpected path. This would bypass
checkProcMount() and would allow for security profiles to be left
unapplied by mounting over /proc/self/attr/... (or even more serious
outcomes such as killing the entire system by tricking runc into writing
strings to /proc/sysrq-trigger).

This is a larger issue with our current mount infrastructure, and the
ideal solution would be to rewrite it all to be fd-based (which would
also allow us to support the "new" mount API, which also avoids a bunch
of other issues with mount(8)). However, such a rewrite is not really
workable as a security fix, so this patch is a bit of a compromise
approach to fix the issue while also moving us a bit towards that
eventual end-goal.

The core issue in CVE-2025-52881 is that we currently use the (insecure)
SecureJoin to re-resolve mountpoint target paths multiple times during
mounting. Rather than generating a string from createMountpoint(), we
instead open an *os.File handle to the target mountpoint directly and
then operate on that handle. This will make it easier to remove
utils.WithProcfd() and rework mountViaFds() in the future.

The only real issue we need to work around is that we need to re-open
the mount target after doing the mount in order to get a handle to the
mountpoint -- pathrs.Reopen() doesn't work in this case (it just
re-opens the inode under the mountpoint) so we need to do a naive
re-open using the full path. Note that if we used move_mount(2) this
wouldn't be a problem because we would have a handle to the mountpoint
itself.

Note that this is still somewhat of a temporary solution -- ideally
mountViaFds would use *os.File directly to let us avoid some other
issues with using bare /proc/... paths, as well as also letting us more
easily use the new mount API on modern kernels.

Fixes: GHSA-cgrx-mc8f-2prm CVE-2025-52881
Co-developed-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-01 21:24:06 +11:00
lifubang 4b37cd93f8 libct: align param type for mountCgroupV1/V2 functions
Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-11-01 21:24:05 +11:00
Aleksa Sarai d61fd29d85 libct/system: use securejoin for /proc/$pid/stat
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-01 21:24:05 +11:00
Aleksa Sarai 435cc81be6 init: use securejoin for /proc/self/setgroups
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-01 21:24:05 +11:00
Aleksa Sarai 77d217c7c3 init: write sysctls using safe procfs API
sysctls could in principle also be used as a write gadget for arbitrary
procfs files. As this requires getting a non-subset=pid /proc handle we
amortise this by only allocating a single procfs handle for all sysctl
writes.

Fixes: GHSA-cgrx-mc8f-2prm CVE-2025-52881
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-01 21:24:05 +11:00
Aleksa Sarai b3dd1bc562 utils: remove unneeded EnsureProcHandle
All of the callers of EnsureProcHandle now use filepath-securejoin's
ProcThreadSelf to get a file handle, which has much stricter
verification to avoid procfs attacks than EnsureProcHandle's very
simplistic filesystem type check.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-01 21:24:05 +11:00
Aleksa Sarai ff6fe13246 utils: use safe procfs for /proc/self/fd loop code
From a safety perspective this might not be strictly required, but it
paves the way for us to remove utils.ProcThreadSelf.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-01 21:24:04 +11:00
Aleksa Sarai fdcc9d3cad apparmor: use safe procfs API for labels
EnsureProcHandle only protects us against a tmpfs mount, but the risk of
a procfs path being used (such as /proc/self/sched) has been known for a
while. Now that filepath-securejoin has a reasonably safe procfs API,
switch to it.

Fixes: GHSA-cgrx-mc8f-2prm CVE-2025-52881
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-01 21:24:04 +11:00
Aleksa Sarai aee7d3fe35 ci: add lint to forbid the usage of os.Create
os.Create is shorthand for open(O_CREAT|O_TRUNC) *without* O_EXCL, which
is incredibly unsafe for us to do when interacting with a container
rootfs (especially before pivot_root) as an attacker could swap the
target path with a symlink that points to the host filesystem, causing
us to delete the contents of or create host files.

We did have a similar bug in CVE-2024-45310, but in that case we
(luckily) didn't have O_TRUNC set which avoided the worst possible case.
However, os.Create does set O_TRUNC and we were using it in scenarios
that may have been exploitable.

Because of how easy it us for us to accidentally introduce this kind of
bug, we should simply not allow the usage of os.Create in our entire
codebase.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-01 21:24:04 +11:00
Aleksa Sarai 01de9d65dc rootfs: avoid using os.Create for new device inodes
If an attacker were to make the target of a device inode creation be a
symlink to some host path, os.Create would happily truncate the target
which could lead to all sorts of issues. This exploit is probably not as
exploitable because device inodes are usually only bind-mounted for
rootless containers, which cannot overwrite important host files (though
user files would still be up for grabs).

The regular inode creation logic could also theoretically be tricked
into changing the access mode and ownership of host files if the
newly-created device inode was swapped with a symlink to a host path.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-01 21:24:04 +11:00
Aleksa Sarai 77889b56db internal: add wrappers for securejoin.Proc*
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-01 21:24:04 +11:00
Aleksa Sarai 44a0fcf685 go.mod: update to github.com/cyphar/filepath-securejoin@v0.5.0
In order to avoid lint errors due to the deprecation of the top-level
securejoin methods ported from libpathrs, we need to adjust
internal/pathrs to use the new pathrs-lite subpackage instead.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-01 21:24:03 +11:00
Aleksa Sarai de87203e62 console: verify /dev/pts/ptmx before use
This is primarily done out of an abudance of caution against runc exec
being attacked by a container where /dev/pts/ptmx has been replaced with
some other bad inode (a disconnected NFS handle, a symlink that goes
through a leaked runc file descriptor to reference a host ptmx, etc).

Unfortunately, we cannot trivially verify that /dev/pts/ptmx is actually
the /dev/pts from the container without storing stuff like the fsid in
the runc state.json, which is probably not worth the extra effort. This
should at least avoid the most concerning cases.

Reported-by: Aleksa Sarai <cyphar@cyphar.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-01 21:24:03 +11:00
Aleksa Sarai 9be1dbf4ac console: avoid trivial symlink attacks for /dev/console
An attacker could make /dev/console a symlink. This presents two
possible issues:

 1. os.Create will happily truncate targets, which could have resulted
    in a worse version of CVE-2024-4531. Luckily, this all happens after
    pivot_root(2) so the scope of that particular attack is fairly
    limited (you are unlikely to be able to easily access host rootfs
    files -- though it might be possible to take advantage of leaks such
    as in CVE-2024-21626). However, O_CREAT|O_NOFOLLOW is what we should
    be doing for all file creations.

 2. Because we passed /dev/console as the only mount path (as opposed to
    using a /proc/self/fd/$n path), an attacker could swap the symlink
    to point to any other path and thus cause us to mount over some
    other path. This is not as big of a problem because all the mounts
    are in the container namespace after pivot_root(2), and users
    usually can create arbitrary mount targets inside the container.

These issues don't seem particularly exploitable, but they deserve to be
hardened regardless.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-01 21:24:03 +11:00
Aleksa Sarai 398955bccb console: add fallback for pre-TIOCGPTPEER kernels
The pty driver has very consistent allocation rules for the major:minor
numbers of /dev/pts/$n inodes, so it is possible to somewhat safely open
/dev/pts/* paths if we validate that the inode is the one we expect.

It is possible for an attacker to have over-mounted a pts peer from a
different devpts instance, but to fix this would require more tracking
of devpts instances than runc currently can do.

This means runc should continue to work on very old kernels.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-01 21:24:03 +11:00
Aleksa Sarai 531ef794e4 console: use TIOCGPTPEER when allocating peer PTY
When opening the peer end of a pty, the old kernel API required us to
open /dev/pts/$num inside the container (at least since we fixed console
handling many years ago in commit 244c9fc426 ("*: console rewrite")).

The problem is that in a hostile container it is possible for
/dev/pts/$num to be an attacker-controlled symlink that runc can be
tricked into resolving when doing bind-mounts. This allows the attacker
to (among other things) persist /proc/... entries that are later masked
by runc, allowing an attacker to escape through the kernel.core_pattern
sysctl (/proc/sys/kernel/core_pattern). This is the original issue
reported by Lei Wang and Li Fu Bang in CVE-2025-52565.

However, it should be noted that this is not entirely a newly-discovered
problem. Way back in Linux 4.13 (2017), I added the TIOCGPTPEER ioctl,
which allows us to get a pty peer without touching the /dev/pts inside
the container. The original threat model was around an attacker
replacing /dev/pts/$n or /dev/pts/ptmx with some malicious inode (a DoS
inode, or possibly a PTY they wanted a confused deputy to operate on).
Unfortunately, there was no practical way for runc to cache a safe
O_PATH handle to /dev/pts/ptmx (unlike other runtimes like LXC, which
switched to TIOCGPTPEER way back in 2017). Since it wasn't clear how we
could protect against the main attack TIOCGPTPEER was meant to protect
against, we never switched to it (even though I implemented it
specifically to harden container runtimes).

Unfortunately, It turns out that mount *sources* are a threat we didn't
fully consider. Since TIOCGPTPEER already solves this problem entirely
for us in a race free way, we should just use that. In a later patch, we
will add some hardening for /dev/pts/$num opening to maintain support
for very old kernels (Linux 4.13 is very old at this point, but RHEL 7
is still kicking and is stuck on Linux 3.10).

Fixes: GHSA-qw9x-cqr3-wc7r CVE-2025-52565
Reported-by: Lei Wang <ssst0n3@gmail.com> (CVE-2025-52565)
Reported-by: lfbzhm <lifubang@acmcoder.com> (CVE-2025-52565)
Reported-by: Aleksa Sarai <cyphar@cyphar.com> (TIOCGPTPEER)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-01 21:24:03 +11:00
Kir Kolyshkin 5d7b242407 libct: maskPaths: don't rely on ENOTDIR for mount
Currently, we rely on mount returning ENOTDIR when the destination is a
directory (and so mount tells us that the source is not), and fall back
to read-only tmpfs bind mount for such cases.

Theoretically, ENOTDIR can also be returned in some other cases,
resulting in the wrong type of mount being used.

Let's be more straightforward here -- call fstat on destination file
descriptor, and use the proper mount depending on whether it is a
directory.

Reported-by: Rodrigo Campos <rodrigoca@microsoft.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-11-01 21:24:02 +11:00
Kir Kolyshkin 1a30a8f3d9 libct: maskPaths: only ignore ENOENT on mount dest
When mounting a path being masked, the /dev/null might disappear from
under us, and mount (even on an opened /dev/null file descriptor) will
return ENOENT, which we deliberately ignore, as there's no need to mask
non-existent paths.

Let's open the destination path and ignore ENOENT during open, then
mount via the destination file descriptor, not ignoring ENOENT.

Reported-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-11-01 21:24:02 +11:00
Kir Kolyshkin 8476df83b5 libct: add/use isDevNull, verifyDevNull
The /dev/null in a container should not be trusted, because when /dev
is a bind mount, /dev/null is not created by runc itself.

1. Add isDevNull which checks the fd minor/major and device type,
   and verifyDevNull which does the stat and the check.

2. Rewrite maskPath to open and check /dev/null, and use its fd to
   perform mounts. Move the loop over the MaskPaths into the function,
   and rename it to maskPaths.

3. reOpenDevNull: use verifyDevNull and isDevNull.

4. fixStdioPermissions: use isDevNull instead of stat.

Fixes: GHSA-9493-h29p-rfm2 CVE-2025-31133
Co-authored-by: Rodrigo Campos <rodrigoca@microsoft.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-01 21:24:02 +11:00
Aleksa Sarai ff94f9991b *: switch to safer securejoin.Reopen
filepath-securejoin v0.3 gave us a much safer re-open primitive, we
should use it to avoid any theoretical attacks. Rather than using it
direcly, add a small pathrs wrapper to make libpathrs migrations in the
future easier...

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-01 21:24:02 +11:00
Aleksa Sarai 6fc1914491 internal: move utils.MkdirAllInRoot to internal/pathrs
We will have more wrappers around filepath-securejoin, and so move them
to their own specific package so that we can eventually use libpathrs
fairly cleanly (by swapping out the implementation).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-01 21:24:02 +11:00
Aleksa Sarai db19bbed53 internal/sys: add VerifyInode helper
This will be used for a few security patches in later patches in this
patchset. The need to verify what kind of inode we are operating on in a
race-free way turns out to be quite a common pattern...

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-01 21:24:01 +11:00
Akihiro Suda 1cdfc0def9 Deprecate cgroup v1
For issue 4955

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2025-11-01 00:17:49 +09:00
Kir Kolyshkin fb01482d12 Merge pull request #4951 from kolyshkin/better-nsenter-errors
libct/nsenter: improve error reporting
2025-10-29 09:54:49 -07:00
Kir Kolyshkin 6c18b25cdc libct/nsenter: better read/write errors
Introduce and use iobail, xread, and xwrite wrappers so that we can
properly check read/write return value and call either bail or bailx on
error, with proper diagnostics (distinguishing failed read/write from a
short read/write).

This prevents the "Success" prefix in errors like:

	failed to sync with stage-1: next state: Success

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-10-28 17:26:09 -07:00
Kir Kolyshkin aea52d0ab0 libct/nsenter: sprinkle missing sane_kill
Add a few missing sane_kill calls where they make sense.

Remove one useless sane_kill of stage2_pid, as during SYNC_USERMAP stage2
is not yet started. It is harmless yet it makes the code slightly harder
to read.

Set the child pid to -1 upon receiving SYNC_CHILD_FINISH
to minimize the chances of killing an unrelated process.
When a child sends SYNC_CHILD_FINISH it is about to exit
(although theoretically it could be stuck during debug logging).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-10-28 17:21:38 -07:00
Kir Kolyshkin 067b8335e7 libct/nsenter: add and use bailx
We use bail to report fatal errors, and bail always append %m
(aka strerror(errno)). In case an error condition did not set
errno, the log message will end up with ": Success" or an error
from a stale errno value. Either case is confusing for users.

Introduce bailx which is the same as bail except it does not
append %m, and use it where appropriate.

The naming follows libc's err(3) and errx(3).

PS we still use bail in a few cases after read or write, even
if that read/write did not return an error, because the code
does not distinguish between short read/write and error (-1).
This will be addressed by the next commit.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-10-28 17:21:38 -07:00
Kir Kolyshkin 9c8f476cb6 libct/nsenter: save errno in sane_kill
Since sane_kill after a failed read or write, but before reporting the
error from that read or write, it may change the errno value in case
kill(2) fails.

Save and restore the errno around the call to kill.

While at it,
 - change the code to return early;
 - don't return kill return value as no one is using it, and the errno
   value no longer correlates.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-10-28 17:21:25 -07:00
lfbzhm 52a9dd563d Merge pull request #4953 from opencontainers/dependabot/github_actions/actions/upload-artifact-5
build(deps): bump actions/upload-artifact from 4 to 5
2025-10-28 08:13:33 +08:00
dependabot[bot] f5f6056219 build(deps): bump actions/upload-artifact from 4 to 5
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4 to 5.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-10-27 04:09:57 +00:00
Akihiro Suda 644bb1e59d Merge pull request #4950 from ariel-anieli/loop-range-integers
test: add missed use of for range over integers
2025-10-26 04:20:57 +09:00
Ariel Otilibili 34da991298 libcontainer/seccomp: Use for range over integers
The commit mentioned below has missed these changes.

Fixes: 17570625 ("Use for range over integers")
Signed-off-by: Ariel Otilibili <otilibil@eurecom.fr>
2025-10-23 12:48:49 +02:00
lfbzhm 3a56046197 Merge pull request #4945 from kolyshkin/int-cleanup-part1
tests/int: cleanup
2025-10-22 23:40:54 +08:00
Akihiro Suda 7f32e50085 Merge pull request #4938 from zhaixiaojuan/main
Add loong64 support in seccomp and PIE
2025-10-22 12:51:28 +09:00
zhaixiaojuan d12d6010de Merge branch 'main' into main 2025-10-21 10:10:33 +08:00
zhaixiaojuan 885509afdf Add loong64 support in seccomp and PIE
Signed-off-by: zhaixiaojuan <zhaixiaojuan@loongson.cn>
2025-10-21 09:41:49 +08:00
Aleksa Sarai a7651e0ee0 merge #4944 into opencontainers/runc:main
Kir Kolyshkin (2):
  ci: show criu version in criu-dev testing
  ci: bump bats to 1.11.1

LGTMs: AkihiroSuda cyphar
2025-10-20 19:29:58 +11:00
Kir Kolyshkin 3c2683f52f tests/int/cgroups: use heredoc to break a long line
This is mostly to improve readability. While at it, make the script more
robust by adding -e option to shell. The exception is echo $pid which is
opportunistic and may fail depending on the order of pids in the file.

Also, remove the empty comment and a shellcheck annotation.

Fixes: c91fe9ae
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-10-18 15:35:51 -07:00
Kir Kolyshkin b82ae3afdc tests/int/delete: fix pause test for rootless case
The "runc delete --force [paused container]" test case does not check
runc pause exit code, and if added, the test fails in rootless tests,
because:
 - not all rootless tests have access to cgroups;
 - rootless containers doesn't have default cgroups path.

To fix, add:
  - setup for rootless case;
  - require cgroups_freezer;
  - runc pause exit code check.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-10-18 15:33:27 -07:00
Kir Kolyshkin ad72eab6c7 tests/int/checkpoint: fix using run twice
In our bats tests, runc itself is a wrapper which calls bats run helper,
so using "run runc" is wrong as it results in calling run helper twice.

Fixes: 8d180e965
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-10-18 15:30:16 -07:00
Kir Kolyshkin 92f3d1b225 tests/int/cgroups.bats: fix a wrong comment
This misleading comment is obviously a copy/paste from the previous
test. Fix it.

Fixes: dd696235
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-10-18 15:30:16 -07:00
Kir Kolyshkin b3a9f423b9 tests/int: remove bogus $status checks
Commands that are not run via "run" helper (cat, mkdir, __runc)
do not set $status, so it makes no sense to check it.

Fixes: 94505a04, ed548376
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-10-18 15:30:16 -07:00
Kir Kolyshkin 693a471af8 tests/int: use run with a status check
...instead of an explicit or absent status check.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-10-18 15:30:16 -07:00
Kir Kolyshkin 773a44cc1d tests/int/netdev: slight refactoring
Move the repetitive code and comment into setup_netns.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-10-18 15:30:16 -07:00
Kir Kolyshkin 0eb03ef86f tests/int: remove useless/obvious comments
This is a bit opinionated, but some comments in integration tests do not
really help to understand the nature of the tests being performed by
stating something very obvious, like

	# run busybox detached
	runc run -d busybox

To make things worse, these not-so-helpful messages are being
copy/pasted over and over, and that is the main reason to remove them.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-10-18 15:30:16 -07:00
Kir Kolyshkin 772e91062d tests/int/README: update
1. Remove the devicemapper driver mentions, and is it no longer
   supported by docker (or podman).

2. Remove the test example -- we have plenty of real ones.

3. Add a link to (well written and extensive) bats documentation.

4. Fix capitalization in a sentence.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-10-18 15:30:16 -07:00
Kir Kolyshkin 2a7ce15e68 ci: show criu version in criu-dev testing
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-10-16 12:09:46 -07:00
Kir Kolyshkin 6af1d637ba ci: bump bats to 1.11.1
Bump bats to the version from Fedora 42 (used in "fedora" job), so we
have the same version everywhere.

This also fixes an issue introduced by commit d31e6b87 (which forgot to
bump bats in GHA CI), and adds a note to the yaml in order to avoid the
same issue in the future.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-10-16 12:07:55 -07:00
lfbzhm d34ea2bc06 Merge pull request #4937 from kolyshkin/lint-extra
ci: only run lint-extra job on PRs to main
2025-10-16 08:58:04 +08:00
Kir Kolyshkin 1c4dba693f ci: only run lint-extra job on PRs to main
All the new code appears in main (not in the release branches),
and we only want extra linter rules to apply to new code.

Disable lint-extra job if the PR is not to the main branch.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-10-15 16:51:22 -07:00
Aleksa Sarai ef90082853 merge #4930 into opencontainers/runc:main
Kir Kolyshkin (2):
  libct: refactor setnsProcess.start
  libct: close child fds on prepareCgroupFD error

LGTMs: lifubang cyphar
2025-10-16 09:36:26 +11:00
lfbzhm f023e1c222 Merge pull request #4934 from AkihiroSuda/lima
CI: remove deprecated lima-vm/lima-actions/ssh
2025-10-15 09:22:23 +08:00
Kir Kolyshkin 871052b791 libct: refactor setnsProcess.start
Factor startWithCgroupFD out of start to reduce the start complexity.
This also implements a more future-proof way of calling p.comm.closeChild.

Co-authored-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-10-14 11:48:25 -07:00
Kir Kolyshkin 4e262509b8 libct: close child fds on prepareCgroupFD error
The (*setns).start is supposed to close child fds once the child has
started, or upon an error. Commit 5af4dd4e6 added a bug -- child fds
are not closed if prepareCgroupFD fails.

Fix by adding a missing call to closeChild.

I'm not sure how to write a good test case for it. Found when working
on PR 4928 (and tested in there).

Fixes: 5af4dd4e6
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-10-14 11:48:25 -07:00
Akihiro Suda c0e6f42427 CI: remove deprecated lima-vm/lima-actions/ssh
`lima-vm/lima-actions/ssh` is now merged into
`lima-vm/lima-actions/setup`.

https://github.com/lima-vm/lima-actions/releases/tag/v1.1.0

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2025-10-14 14:41:27 +09:00
lfbzhm 721d066576 Merge pull request #4902 from osamakader/fix-outdated-seccomp-todo
docs: update seccomp documentation
2025-10-14 08:11:27 +08:00
Osama Abdelkader e0632ccd1c docs: update seccomp documentation
Replace outdated TODO comment with updated information about runc's seccomp support.

Signed-off-by: Osama Abdelkader <osama.abdelkader@gmail.com>
2025-10-13 22:41:36 +03:00
lfbzhm fa1b69348e Merge pull request #4914 from osamakader/fix-stringsTitle-criu-linux
criu: replace deprecated strings.Title
2025-10-13 17:33:16 +08:00
Osama Abdelkader 1adb070b58 criu: replace deprecated strings.Title
strings.Title is deprecated since Go 1.18. Replace it with a simple
manual capitalization of the first character in criuNsToKey().

Signed-off-by: Osama Abdelkader <osama.abdelkader@gmail.com>
Co-authored-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-10-12 14:02:21 +03:00
Akihiro Suda 17938cd8b9 Merge pull request #4926 from cyphar/cpuset-fill
libct: switch to (*CPUSet).Fill
2025-10-09 16:41:02 +09:00
Aleksa Sarai 93f9a392cf libct: switch to (*CPUSet).Fill
Now that we've updated to golang.org/x/sys@v0.37.0, CPUSet has a Fill
helper that does the equivalent to our underflow trick to make setting
all CPUs efficient.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-10-09 15:39:02 +11:00
Aleksa Sarai e3ab743998 Merge pull request #4924 from opencontainers/dependabot/go_modules/golang.org/x/net-0.46.0
build(deps): bump golang.org/x/net from 0.45.0 to 0.46.0
2025-10-09 15:37:03 +11:00
dependabot[bot] e59062cec9 build(deps): bump golang.org/x/net from 0.45.0 to 0.46.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.45.0 to 0.46.0.
- [Commits](https://github.com/golang/net/compare/v0.45.0...v0.46.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-version: 0.46.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-10-09 04:02:50 +00:00
lfbzhm 6e6ac00eb3 Merge pull request #4898 from kolyshkin/hugetlb-unit-test
tests/int: add check for hugetlb stats
2025-10-08 17:12:07 +08:00
lfbzhm a217cb827d Merge pull request #4917 from kolyshkin/golangci-v25
ci: bump golangci-lint to v2.5
2025-10-08 16:10:11 +08:00
Kir Kolyshkin ef61b7f0be tests/int: add check for hugetlb stats
As promised in

	https://github.com/opencontainers/cgroups/pull/24#pullrequestreview-3007872832

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-10-08 00:42:08 -07:00
Kir Kolyshkin 28daf53d7e Merge pull request #4832 from marquiz/devel/rdt-enablemonitoring
libcontainer/intelrdt: add support for EnableMonitoring field
2025-10-08 00:18:02 -07:00
Kir Kolyshkin b40777d41a Merge pull request #4919 from opencontainers/dependabot/go_modules/golang.org/x/net-0.45.0
build(deps): bump golang.org/x/net from 0.44.0 to 0.45.0
2025-10-07 22:00:29 -07:00
dependabot[bot] a35a0e0276 build(deps): bump golang.org/x/net from 0.44.0 to 0.45.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.44.0 to 0.45.0.
- [Commits](https://github.com/golang/net/compare/v0.44.0...v0.45.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-version: 0.45.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-10-08 04:02:33 +00:00
Kir Kolyshkin 2aea8617ea ci: bump golangci-lint to v2.5
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-10-07 17:09:28 -07:00
Kir Kolyshkin b2f8a74de5 all: format sources with gofumpt v0.9.1
Since gofumpt v0.9.0 there's a new formatting rule to "clothe" any naked
returns.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-10-07 17:08:56 -07:00
Aleksa Sarai a672a5f36c merge #4726 into opencontainers/runc:main
Antti Kervinen (1):
  Add memory policy support

LGTMs: lifubang AkihiroSuda cyphar
2025-10-08 05:18:13 +11:00
Antti Kervinen eda7bdf80c Add memory policy support
Implement support for Linux memory policy in OCI spec PR:
https://github.com/opencontainers/runtime-spec/pull/1282

Signed-off-by: Antti Kervinen <antti.kervinen@intel.com>
2025-10-07 15:06:37 +03:00
Akihiro Suda bc432ce88c Merge pull request #4913 from MegaManSec/k
fix(seccompagent): close received FDs, not loop index
2025-10-06 19:38:51 +09:00
Akihiro Suda 39a87aae08 Merge pull request #4912 from cyphar/changelog-1.3.2
CHANGELOG: add v1.3.2 entry
2025-10-06 19:38:29 +09:00
Joshua Rogers 8c1b3f9608 fix(seccompagent): close received FDs, not loop index
Prevents accidentally closing 0/1/2 on error paths.

Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com>
2025-10-06 06:16:33 +08:00
Aleksa Sarai 918de6824a CHANGELOG: add v1.3.2 entry
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-10-04 21:17:35 +10:00
lfbzhm 80486a207f Merge pull request #4910 from cyphar/remove-libct-userns
libcontainer: remove deprecated package "userns"
2025-10-04 09:12:18 +08:00
dependabot[bot] 2c5d55e491 Merge pull request #4909 from opencontainers/dependabot/go_modules/google.golang.org/protobuf-1.36.10 2025-10-03 16:37:56 +00:00
Aleksa Sarai e4f99b5c95 libcontainer: remove deprecated package "userns"
This package was marked deprecated in commit 9b60a93cf3
("libcontainer/userns: migrate to github.com/moby/sys/userns"), which
was included in runc 1.2. Users have thus had a year to migrate to
github.com/moby/sys/userns and it's okay for us to remove this wrapper
package.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-10-03 16:32:10 +10:00
Aleksa Sarai 984b35389c merge #4904 into opencontainers/runc:main
Aleksa Sarai (1):
  lint/revive: add package doc comments

LGTMs: lifubang kolyshkin
2025-10-03 16:21:42 +10:00
Aleksa Sarai 627054d246 lint/revive: add package doc comments
This silences all of the "should have a package comment" lint warnings
from golangci-lint.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-10-03 15:17:43 +10:00
dependabot[bot] dbffd5cd08 build(deps): bump google.golang.org/protobuf from 1.36.9 to 1.36.10
Bumps google.golang.org/protobuf from 1.36.9 to 1.36.10.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-version: 1.36.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-10-03 04:02:51 +00:00
Kir Kolyshkin 8b06dd8743 Merge pull request #4908 from ariel-anieli/context-after-func-libcontainer
libcontainer: switch `goCreateMountSources()` to `ctx.AfterFunc`
2025-10-02 19:29:44 -07:00
Ariel Otilibili 4404cdf94b libcontainer: switch goCreateMountSources() to ctx.AfterFunc
ba0b5e26 ("libcontainer: remove all mount logic from nsexec") introduced
a request function that handles two tasks:
- the exchanges with the request and response channels
- the closing of the request channel.

From 1.21, the closing of the request channel may be done with
context.AfterFunc(). Moreover, context.AfterFunc() is guaranteed to run
once.

Link: https://pkg.go.dev/context#AfterFunc
Suggested-by: Aleksa Sarai <cyphar@cyphar.com>
Signed-off-by: Ariel Otilibili <otilibil@eurecom.fr>
2025-10-02 16:46:31 +02:00
lfbzhm 00aec12c71 Merge pull request #4842 from tianon/busybox
Update `busybox:glibc` in integration tests to latest builds
2025-09-27 16:04:38 +08:00
lfbzhm 050a85361b Merge pull request #4812 from kolyshkin/exec-clone-into-cgroup
runc exec: use CLONE_INTO_CGROUP
2025-09-27 15:22:07 +08:00
Kir Kolyshkin 5af4dd4e64 runc exec: use CLONE_INTO_CGROUP when available
It makes sense to make runc exec benefit from clone2(CLONE_INTO_CGROUP),
if it is available. Since it requires a recent kernel and might not work,
implement a fallback to older way of joining the cgroup.

Based on:
 - https://go-review.googlesource.com/c/go/+/417695
 - https://github.com/coreos/go-systemd/pull/458
 - https://github.com/opencontainers/cgroups/pull/26
 - https://github.com/opencontainers/runc/pull/4822

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-09-26 14:27:18 -07:00
Tianon Gravi ce5400da08 Update busybox:glibc in integration tests to latest (1.37.0) builds
This removes `mips64le` (no longer supported by the image / upstream in Debian Trixie+) and adds `riscv64`.

Signed-off-by: Tianon Gravi <admwiggin@gmail.com>
2025-09-25 17:06:20 -07:00
Kir Kolyshkin 7d81b21c1a Merge pull request #4900 from lifubang/fix-Personality-seccomp
libct: setup personality before initializing seccomp
2025-09-25 16:59:28 -07:00
lifubang 57f1bef422 test: runc run with personality syscall blocked by seccomp
Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-09-25 09:54:08 +00:00
lifubang f7dda6e6dc libct: setup personality before initializing seccomp
Set the process personality early to ensure it takes effect before
seccomp is initialized. If seccomp filters are applied first and they
block personality-related system calls (e.g., `personality(2)`),
subsequent attempts to set the personality will fail.

Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-09-25 09:39:36 +00:00
Kir Kolyshkin 77ead42c9f Merge pull request #4822 from kolyshkin/add-pid
runc exec: use manager.AddPid
2025-09-17 18:43:25 -07:00
Rodrigo Campos 184024da25 Merge pull request #4893 from donettom-1/runc_cgroup_test_fix_for_ppc64
tests/int/cgroups: Use 64K aligned limits for memory.max
2025-09-17 04:13:33 -03:00
Markus Lehtonen 7aa4e1a63d libcontainer/intelrdt: add support for EnableMonitoring field
The linux.intelRdt.enableMonitoring field enables the creation of
a per-container monitoring group. The monitoring group is removed when
the container is destroyed.

Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
2025-09-17 08:54:08 +03:00
Kir Kolyshkin 37b5acc2d7 libct: use manager.AddPid to add exec to cgroup
The main benefit here is when we are using a systemd cgroup driver,
we actually ask systemd to add a PID, rather than doing it ourselves.
This way, we can add rootless exec PID to a cgroup.

This requires newer opencontainers/cgroups and coreos/go-systemd.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-09-16 13:31:16 -07:00
Kir Kolyshkin 5730a141f1 libct: move exec sub-cgroup handling down the line
Remove cgroupPaths field from struct setnsProcess, because:
 - we can get base cgroup paths from p.manager.GetPaths();
 - we can get sub-cgroup paths from p.process.SubCgroupPaths.

But mostly because we are going to need separate cgroup paths when
adopting cgroups.AddPid.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-09-16 13:27:56 -07:00
Kir Kolyshkin 5560020cbb libct: split addIntoCgroup into V1 and V2
The main idea is to maintain the code separately (and eventually kill V1
implementation).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-09-16 13:27:56 -07:00
Kir Kolyshkin b39e0d6468 libct: factor out addIntoCgroup from setnsProcess.start
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-09-16 13:27:56 -07:00
Kir Kolyshkin 7d6848f883 script/setup_rootless.sh: chown nit
This fixes the following warning (seen on Fedora 42 and Ubuntu 24.04):

	+ sudo chown -R rootless.rootless /home/rootless
	chown: warning: '.' should be ':': ‘rootless.rootless’

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-09-16 13:27:56 -07:00
Kir Kolyshkin b5cb56413c Merge pull request #4830 from marquiz/devel/rdt-schemata-field
libcontainer/intelrdt: add support for Schemata field
2025-09-16 13:23:43 -07:00
donettom-1 830c479ae2 tests/int/cgroups: Use 64K aligned limits for memory.max
When a non–page-aligned value is written to memory.max, the kernel aligns it
down to the nearest page boundary. On systems with a page size greater
than 4K (e.g., 64K), this caused failures because the configured
memory.max value was not 64K aligned.

This patch fixes the issue by explicitly aligning the memory.max value
to 64K. Since 64K is also a multiple of 4K, the value is correctly
aligned on both 4K and 64K page size systems.

However, this approach will still fail on systems where the hardcoded
memory.max value is not aligned to the system page size.

Fixes: https://github.com/opencontainers/runc/issues/4841

Signed-off-by: Vishal Chourasia <vishalc@linux.ibm.com>
Signed-off-by: Donet Tom <donettom@linux.ibm.com>
2025-09-16 17:31:35 +05:30
Rodrigo Campos f3ea522a28 Merge pull request #4889 from tych0/allow-ucounts
libcontainer/validator: allow setting user.* sysctls inside userns
2025-09-15 09:18:58 -03:00
Markus Lehtonen 7be025fff3 events/intelrdt: report full schemata
Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
2025-09-15 15:09:06 +03:00
Markus Lehtonen 41553216ee libcontainer/intelrdt: add support for Schemata field
Implement support for the linux.intelRdt.schemata field of the spec.
This allows management of the "schemata" file in the resctrl group in a
generic way.

Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
2025-09-15 15:09:06 +03:00
Tycho Andersen 70d88bc449 libcontainer/validator: allow setting user.* sysctls inside userns
These sysctls are all per-userns (termed `ucounts` in the kernel code) are
settable with CAP_SYS_RESOURCE in the user namespace.

Signed-off-by: Tycho Andersen <tycho@tycho.pizza>
2025-09-12 12:40:44 -06:00
dependabot[bot] 55c90aaf02 Merge pull request #4888 from opencontainers/dependabot/go_modules/golang.org/x/net-0.44.0 2025-09-10 07:34:52 +00:00
dependabot[bot] ffe6d3a3c8 build(deps): bump golang.org/x/net from 0.43.0 to 0.44.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.43.0 to 0.44.0.
- [Commits](https://github.com/golang/net/compare/v0.43.0...v0.44.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-version: 0.44.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-09-10 06:50:38 +00:00
Akihiro Suda 441d6f7528 Merge pull request #4887 from opencontainers/dependabot/go_modules/google.golang.org/protobuf-1.36.9
build(deps): bump google.golang.org/protobuf from 1.36.8 to 1.36.9
2025-09-10 15:49:38 +09:00
dependabot[bot] cbf8a4d933 build(deps): bump google.golang.org/protobuf from 1.36.8 to 1.36.9
Bumps google.golang.org/protobuf from 1.36.8 to 1.36.9.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-version: 1.36.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-09-10 04:02:44 +00:00
Rodrigo Campos 1d80c2f9ad Merge pull request #4885 from opencontainers/dependabot/go_modules/golang.org/x/sys-0.36.0
build(deps): bump golang.org/x/sys from 0.35.0 to 0.36.0
2025-09-08 11:57:32 -03:00
dependabot[bot] 527d2e668f build(deps): bump golang.org/x/sys from 0.35.0 to 0.36.0
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.35.0 to 0.36.0.
- [Commits](https://github.com/golang/sys/compare/v0.35.0...v0.36.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-version: 0.36.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-09-08 04:02:59 +00:00
Rodrigo Campos 2998f90507 Merge pull request #4883 from opencontainers/dependabot/github_actions/actions/github-script-8
build(deps): bump actions/github-script from 7 to 8
2025-09-05 12:51:27 -03:00
Aleksa Sarai 650afdde5f merge #4881 into opencontainers/runc:main
Aleksa Sarai (4):
  VERSION: back to development
  VERSION: release v1.4.0-rc.1
  CHANGELOG: forward-port v1.3.1 changelog
  CHANGELOG: forward-port v1.2.7 changelog

LGTMs: kolyshkin rata AkihiroSuda
2025-09-05 23:48:59 +10:00
Aleksa Sarai 77367fca1f VERSION: back to development
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-09-05 19:03:49 +10:00
Aleksa Sarai b2ec7f9201 VERSION: release v1.4.0-rc.1
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-09-05 19:03:49 +10:00
Aleksa Sarai 081b8c25b3 CHANGELOG: forward-port v1.3.1 changelog
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-09-05 19:03:49 +10:00
Aleksa Sarai 1931ebf739 CHANGELOG: forward-port v1.2.7 changelog
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-09-05 19:03:49 +10:00
Akihiro Suda 95b448addf Merge pull request #4882 from opencontainers/dependabot/github_actions/actions/setup-go-6
build(deps): bump actions/setup-go from 5 to 6
2025-09-05 16:05:48 +09:00
dependabot[bot] 9408f6643d build(deps): bump actions/github-script from 7 to 8
Bumps [actions/github-script](https://github.com/actions/github-script) from 7 to 8.
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](https://github.com/actions/github-script/compare/v7...v8)

---
updated-dependencies:
- dependency-name: actions/github-script
  dependency-version: '8'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-09-05 04:02:37 +00:00
dependabot[bot] edc2eb60f3 build(deps): bump actions/setup-go from 5 to 6
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5 to 6.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/v5...v6)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-09-05 04:02:34 +00:00
Kir Kolyshkin 8483c697a7 Merge pull request #4735 from ningmingxiao/fix_start
bug:fix runc delete run before delete exec.fifo
2025-09-02 22:35:59 -07:00
Kir Kolyshkin 424745c6e6 Merge pull request #4877 from cyphar/remove-libct-user
libct: user: remove deprecated module
2025-09-02 22:25:39 -07:00
Kir Kolyshkin ba97aebfc0 Merge pull request #4874 from kolyshkin/ci-run-modernize
ci/validate: add modernize run
2025-09-02 22:23:59 -07:00
Aleksa Sarai 779c9e1d9a libct: user: remove deprecated module
libcontainer/user was marked as deprecated in d9ea71bf96 ("deprecate
libcontainer/user") and users have had plenty of time to migrate to
github.com/moby/sys/user.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-09-03 00:45:15 +10:00
Kir Kolyshkin c04d9c446d ci/validate: add modernize run
Modernize tool [1] basically ensures that the new language features and
packages are used across the code.

The reason to run it in CI is to ensure that
 - PR authors use modern code;
 - our code is modern whether we bump Go version in go.mod.

Shove it into go-fix job which already does a similar thing
but for 'go-fix' and rename the whole job to modernize.

[1]: https://pkg.go.dev/golang.org/x/tools/gopls/internal/analysis/modernize

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-08-29 15:24:04 -07:00
Rodrigo Campos 7a982f4282 Merge pull request #4854 from marquiz/devel/rdt-root-clos
libcontainer/intelrdt: support explicit assignment to root CLOS
2025-08-29 07:17:43 -03:00
Markus Lehtonen 762819496e libcontainer/configs/validate: add doc.go
Add package comment to make revive pass muster.

Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
2025-08-29 12:36:04 +03:00
Markus Lehtonen ba68a17ad1 libcontainer/configs: add validator unit tests for intelRdt
Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
2025-08-28 14:11:07 +03:00
Markus Lehtonen b8a83ac255 libcontainer/intelrdt: support explicit assignment to root CLOS
Makes it possible e.g. to enable monitoring
(linux.intelRdt.enableMonitoring) without creating a CLOS (resctrl
group) for the container.

Implements https://github.com/opencontainers/runtime-spec/pull/1289.

Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
2025-08-28 14:08:37 +03:00
Markus Lehtonen 3867f826da libcontainer/intelrdt: refactor tests
Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
2025-08-28 13:42:10 +03:00
Akihiro Suda d845c4ae24 Merge pull request #4868 from kolyshkin/test-nits
Fix bogus test failures when running with RUNC=$(pwd)/runc.smth
2025-08-28 14:10:00 +09:00
Rodrigo Campos f8bb8ace3c Merge pull request #4851 from kolyshkin/go124-min
Switch to Go 1.24 as a min version, bump CI, modernize sources
2025-08-27 23:33:58 -03:00
Kir Kolyshkin 89e59902c4 Modernize code for Go 1.24
Brought to you by

	modernize -fix -test ./...

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-08-27 19:11:02 -07:00
Kir Kolyshkin b042b6d455 types/events: use omitzero where appropriate
In these cases, omitempty doesn't really work so it is useless,
but omitzero actually works.

As a result, output of `runc events` may omit these fields if all they
contain are zeroes.

NOTE this might be a breaking change.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-08-27 19:11:02 -07:00
Kir Kolyshkin 26602650ad Add go 1.25, require go 1.24
Now that Go 1.25 is out, let's switch to go 1.24.0 as a minimally
supported version, drop Go 1.23 and add Go 1.25 to CI matrix.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-08-27 19:11:01 -07:00
Kir Kolyshkin 237cc9806a libct/sys/rlimit_linux: drop go:build tag
This is not needed since commit 16d73367 which sets 1.23 to be a
minimally required Go version.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-08-27 19:09:58 -07:00
Kir Kolyshkin a38f42ab87 tests/int/help: simplify and fix
1. In case runc binary file name is not runc, the test fails like
   below. The fix is to get the binary name from $RUNC.

	 ✗ runc command -h
	   (in test file tests/integration/help.bats, line 27)
	     `[[ ${lines[1]} =~ runc\ checkpoint+ ]]' failed
	   runc-go1.25.0-main checkpoint -h (status=0):
	   NAME:
	      runc-go1.25.0-main checkpoint - checkpoint a running container

2. Simplify the test by adding a loop for all commands. While at it, add
   a loop for -h --help as well.

3. Add missing commands (create, ps, features).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-08-27 18:08:51 -07:00
Kir Kolyshkin c5e7bc8710 tests/int/selinux: fix for non-standard binary name
The setup in selinux.bats assumes $RUNC binary name ends in runc, and
thus it fails when we run it like this:

	sudo -E RUNC=$(pwd)/runc.patched bats tests/integration/selinux.bats

Fix is easy.

Fixes: b39781b06 ("tests/int: add selinux test case")
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-08-27 18:08:51 -07:00
Aleksa Sarai cc8ab60e1a merge #4858 into opencontainers/runc:main
Aleksa Sarai (3):
  libct: reset CPU affinity by default
  tests: add RUNC_CMDLINE for tests incompatible with functions
  tests: add sane_run helper

LGTMs: lifubang kolyshkin
2025-08-28 10:53:20 +10:00
Aleksa Sarai 121192ade6 libct: reset CPU affinity by default
In certain deployments, it's possible for runc to be spawned by a
process with a restrictive cpumask (such as from a systemd unit with
CPUAffinity=... configured) which will be inherited by runc and thus the
container process by default.

The cpuset cgroup used to reconfigure the cpumask automatically for
joining processes, but kcommit da019032819a ("sched: Enforce user
requested affinity") changed this behaviour in Linux 6.2.

The solution is to try to emulate the expected behaviour by resetting
our cpumask to correspond with the configured cpuset (in the case of
"runc exec", if the user did not configure an alternative one). Normally
we would have to parse /proc/stat and /sys/fs/cgroup, but luckily
sched_setaffinity(2) will transparently convert an all-set cpumask (even
if it has more entries than the number of CPUs on the system) to the
correct value for our usecase.

For some reason, in our CI it seems that rootless --systemd-cgroup
results in the cpuset (presumably temporarily?) being configured such
that sched_setaffinity(2) will allow the full set of CPUs. For this
particular case, all we care about is that it is different to the
original set, so include some special-casing (but we should probably
investigate this further...).

Reported-by: ningmingxiao <ning.mingxiao@zte.com.cn>
Reported-by: Martin Sivak <msivak@redhat.com>
Reported-by: Peter Hunt <pehunt@redhat.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-08-28 08:25:46 +10:00
Aleksa Sarai d1f6acfab0 tests: add RUNC_CMDLINE for tests incompatible with functions
Sometimes we need to run runc through some wrapper (like nohup), but
because "__runc" and "runc" are bash functions in our test suite this
doesn't work trivially -- and you cannot just pass "$RUNC" because you
you need to set --root for rootless tests.

So create a setup_runc_cmdline helper which sets $RUNC_CMDLINE to the
beginning cmdline used by __runc (and switch __runc to use that).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-08-28 08:23:15 +10:00
Aleksa Sarai ea385de40c tests: add sane_run helper
"runc" was a special wrapper around bats's "run" which output some very
useful diagnostic information to the bats log, but this was not usable
for other commands. So let's make it a more generic helper that we can
use for other commands.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-08-28 08:23:15 +10:00
Aleksa Sarai fa0ca2e36d merge #4848 into opencontainers/runc:main
Markus Lehtonen (1):
  CHANGELOG: document breaking change of runc update

LGTMs: AkihiroSuda cyphar
2025-08-28 08:19:41 +10:00
Markus Lehtonen 74c5436b7d Update runtime-spec
Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
2025-08-26 19:55:01 +03:00
Markus Lehtonen a8faf92551 CHANGELOG: document breaking change of runc update
Co-authored-by: lfbzhm <lifubang@acmcoder.com>
Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
2025-08-25 14:54:30 +03:00
Rodrigo Campos a746c53cef Merge pull request #4831 from marquiz/devel/rdt-root
libcontainer/intelrdt: refactor path handling
2025-08-24 02:15:54 -03:00
lfbzhm d2e86c05c8 Merge pull request #4765 from kolyshkin/criu-nits
Refactor/improve prepareCriuRestoreMounts
2025-08-24 13:06:22 +08:00
Rodrigo Campos 835591bab6 Merge pull request #4860 from opencontainers/dependabot/go_modules/google.golang.org/protobuf-1.36.8
build(deps): bump google.golang.org/protobuf from 1.36.7 to 1.36.8
2025-08-21 10:16:07 -03:00
Rodrigo Campos d3869ed5ef Merge pull request #4861 from opencontainers/dependabot/go_modules/github.com/coreos/go-systemd/v22-22.6.0
build(deps): bump github.com/coreos/go-systemd/v22 from 22.5.0 to 22.6.0
2025-08-21 10:15:41 -03:00
dependabot[bot] a876347d08 build(deps): bump github.com/coreos/go-systemd/v22 from 22.5.0 to 22.6.0
Bumps [github.com/coreos/go-systemd/v22](https://github.com/coreos/go-systemd) from 22.5.0 to 22.6.0.
- [Release notes](https://github.com/coreos/go-systemd/releases)
- [Commits](https://github.com/coreos/go-systemd/compare/v22.5.0...v22.6.0)

---
updated-dependencies:
- dependency-name: github.com/coreos/go-systemd/v22
  dependency-version: 22.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-08-21 04:38:46 +00:00
dependabot[bot] eedec9c5f0 build(deps): bump google.golang.org/protobuf from 1.36.7 to 1.36.8
Bumps google.golang.org/protobuf from 1.36.7 to 1.36.8.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-version: 1.36.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-08-21 04:38:43 +00:00
Rodrigo Campos b27d6f3f1a Merge pull request #4856 from kolyshkin/criu-arm
CI: switch to packaged criu on arm
2025-08-19 11:35:22 -03:00
Kir Kolyshkin 96f4a90a6b Switch to packaged criu on arm
The issue on arm [1] is now fixed, so let's get back to using the
packaged criu version for most of the CI matrix.

This reverts commit 105674844e
("ci: use criu built from source on gha arm").

[1]: https://github.com/checkpoint-restore/criu/issues/2709

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-08-18 10:47:26 -07:00
Rodrigo Campos d754fdaddf Merge pull request #4852 from kolyshkin/golangci-24x
ci: bump golangci-lint to v2.4.x
2025-08-18 09:46:51 -03:00
Kir Kolyshkin 9e0f989015 ci: bump golangci-lint to v2.4.x
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-08-17 15:40:58 -07:00
Akihiro Suda 37c6f6de70 Merge pull request #4850 from opencontainers/dependabot/github_actions/actions/checkout-5
build(deps): bump actions/checkout from 4 to 5
2025-08-17 13:04:41 +08:00
dependabot[bot] cfb22c9a0f build(deps): bump actions/checkout from 4 to 5
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 5.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-08-15 16:40:45 +00:00
Aleksa Sarai 6b08448f6c merge #4844 into opencontainers/runc:main
Kir Kolyshkin (2):
  ci: use criu built from source on gha arm
  CI: switch to GHA for arm

LGTMs: rata cyphar
2025-08-16 02:39:17 +10:00
Kir Kolyshkin 105674844e ci: use criu built from source on gha arm
Currently, criu package from opensuse build farm times out on GHA arm,
so let's only use criu-dev (i.e. compiled from source on CI machine).

Once this is fixed, this patch can be reverted.

Related to criu issue 2709.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-08-12 14:48:05 -07:00
Kir Kolyshkin 1cf096803a CI: switch to GHA for arm
Since GHA now provides ARM, we can switch away from actuated.

Many thanks to @alexellis (@self-actuated) for being the sponsor of this
project.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-08-12 14:00:13 -07:00
dependabot[bot] 1398ba7eb0 Merge pull request #4845 from opencontainers/dependabot/go_modules/golang.org/x/net-0.43.0 2025-08-09 07:57:14 +00:00
dependabot[bot] db26a717b9 build(deps): bump golang.org/x/net from 0.42.0 to 0.43.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.42.0 to 0.43.0.
- [Commits](https://github.com/golang/net/compare/v0.42.0...v0.43.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-version: 0.43.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-08-09 07:19:22 +00:00
lfbzhm c332250553 Merge pull request #4847 from opencontainers/dependabot/go_modules/golang.org/x/sys-0.35.0
build(deps): bump golang.org/x/sys from 0.34.0 to 0.35.0
2025-08-09 15:18:01 +08:00
dependabot[bot] 8f0bb87748 build(deps): bump golang.org/x/sys from 0.34.0 to 0.35.0
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.34.0 to 0.35.0.
- [Commits](https://github.com/golang/sys/compare/v0.34.0...v0.35.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-version: 0.35.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-08-09 06:55:58 +00:00
dependabot[bot] e6313c010d Merge pull request #4846 from opencontainers/dependabot/go_modules/google.golang.org/protobuf-1.36.7 2025-08-09 06:54:41 +00:00
dependabot[bot] bf33fe5fdb build(deps): bump google.golang.org/protobuf from 1.36.6 to 1.36.7
Bumps google.golang.org/protobuf from 1.36.6 to 1.36.7.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-version: 1.36.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-08-08 04:33:24 +00:00
Rodrigo Campos 89c46a9496 Merge pull request #4840 from marquiz/devel/rdt-mkdir-rmdir
libcontainer/intelrdt: use Mkdir/Remove instead of MkdirAll/RemoveAll
2025-08-07 09:49:54 -03:00
Markus Lehtonen 620956c21c libcontainer/intelrdt: use Mkdir/Remove instead of MkdirAll/RemoveAll
The more restricted Mkdir and Rmdir are sufficient in resctrl fs.

Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
2025-08-06 10:43:01 +03:00
Kir Kolyshkin 851e100ad5 Merge pull request #4839 from opencontainers/dependabot/go_modules/github.com/seccomp/libseccomp-golang-0.11.1
build(deps): bump github.com/seccomp/libseccomp-golang from 0.11.0 to 0.11.1
2025-08-05 21:52:28 -07:00
dependabot[bot] f6a52d7f5f build(deps): bump github.com/seccomp/libseccomp-golang
Bumps [github.com/seccomp/libseccomp-golang](https://github.com/seccomp/libseccomp-golang) from 0.11.0 to 0.11.1.
- [Release notes](https://github.com/seccomp/libseccomp-golang/releases)
- [Changelog](https://github.com/seccomp/libseccomp-golang/blob/main/CHANGELOG)
- [Commits](https://github.com/seccomp/libseccomp-golang/compare/v0.11.0...v0.11.1)

---
updated-dependencies:
- dependency-name: github.com/seccomp/libseccomp-golang
  dependency-version: 0.11.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-08-06 03:34:49 +00:00
Rodrigo Campos 9f84df7d03 Merge pull request #4829 from marquiz/devel/rdt-validate
libcontainer/configs/validate: check that intelrdt is enabled
2025-08-05 16:12:51 -03:00
Kir Kolyshkin 67112aaf0d Merge pull request #4825 from cyphar/test-bfq-policy
tests: bfq: skip tests on misbehaving udev systems
2025-08-05 06:17:28 -07:00
Aleksa Sarai 32593a445d merge #4837 into opencontainers/runc:main
Kir Kolyshkin (1):
  script/lib.sh: remove obsoleted comment

LGTMs: AkihiroSuda cyphar
2025-08-05 16:42:20 +10:00
Akihiro Suda 9902a3dad1 Merge pull request #4827 from marquiz/devel/runc-update-rdt-empty-conf
runc update: refuse to create new rdt group
2025-08-05 14:35:04 +09:00
Kir Kolyshkin 3b533b23a6 script/lib.sh: remove obsoleted comment
Since commit 871057d8 we no longer have cc_platform.mk.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-08-04 16:46:57 -07:00
Markus Lehtonen 3a962655f8 libcontainer/intelrdt: use SecureJoin in NewManager
Protects against invalid (non-validated) CLOS names.

Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
2025-08-04 09:42:37 +03:00
Aleksa Sarai e6b4b5a128 tests: bfq: skip tests on misbehaving udev systems
openSUSE has an unfortunate default udev setup which forcefully sets all
loop devices to use the "none" scheduler, even if you manually set it.
As this is a property of the host configuration (and udev is monitoring
from the host) we cannot really change this behaviour from inside our
test container.

So we should just skip the test in this (hopefully unusual) case.
Ideally tools running the test suite should disable this behaviour when
running our test suite.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-08-02 20:01:24 +10:00
Aleksa Sarai ceef984fb3 tests: clean up loopback devices properly
If an error occurs during a test which sets up loopback devices, the
loopback device is not freed. Since most systems have very conservative
limits on the number of loopback devices, re-running a failing test
locally to debug it often ends up erroring out due to loopback device
exhaustion.

So let's just move the "losetup -d" to teardown, where it belongs.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-08-02 20:01:24 +10:00
Markus Lehtonen f73e28371f libcontainer/intelrdt: refactor path handling
Also, use GetPath() in Apply to get the resctrl group path, similar to
other methods of intelRdtManager.

Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
2025-08-01 15:04:50 +03:00
Markus Lehtonen 85801e845e runc update: refuse to create new rdt group
Error out --l3-cache-schema and --mem-bw-schema if the original
spec didn't specify intelRdt which also means that no CLOS (resctrl
group) was created for the container.

This prevents serious issues in this corner case.

First, a CLOS was created but the schemata of the CLOS was not
correctly updated. Confusingly, calling runc update twice
did the job: the first call created the resctrl group and the seccond
call was able to update the schemata. This issue would be relatively
easily fixable, though.

Second, more severe issue is that creating new CLOSes this way caused
them to be orphaned, not being removed when the container exists. This
is caused by runc not capturing the updated state (original spec was
intelRdt=nil -> no CLOS but after update this is not the case).

The most severe problem is that the update only move (or tried to move)
the original init process pid but all children escaped the update. Doing
this (i.e. migrating all processes of a container from CLOS to another
CLOS) reliably, race-free, would probably require freezing the
container.

Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
2025-08-01 14:36:51 +03:00
lfbzhm e20b2c7126 Merge pull request #4828 from marquiz/devel/runc-update-rdt-single-schema
runc update: don't lose intelRdt state
2025-08-01 18:43:22 +08:00
Markus Lehtonen e846add595 libcontainer/configs/validate: check that intelrdt is enabled
If intelRdt is specified in the spec, check that the resctrl fs is
actually mounted. Fixes e.g. the case where "intelRdt.closID" is
specified but runc silently ignores this if resctrl is not mounted.

Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
2025-08-01 10:03:54 +03:00
Markus Lehtonen 57b6a317bb runc update: don't lose intelRdt state
Prevent --l3-cache-schema from clearing the intel_rdt.memBwSchema state
and --mem-bw-schema clearing l3_cache_schema, respectively.

Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
2025-07-31 17:31:52 +03:00
Kir Kolyshkin 5d04e7f60c Merge pull request #4823 from kolyshkin/unix-conn
Simplify getting net.UnixConn
2025-07-29 14:29:50 -07:00
Kir Kolyshkin 314dd812f5 tests/cmd: simplify getting net.UnixConn
The typecast can't fail, so it doesn't make sense checking for errors
here.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-07-29 14:07:29 -07:00
Kir Kolyshkin 87b8f974c8 setupIO: close conn on error
While it does not make much sense practically, as runc is going to exit
soon and all fds will be closed anyway, various linters (including
SVACE) keep reporting this.

Let's make them happy.

Reported-by: Tigran Sogomonian <tsogomonian@astralinux.ru>
Reported-by: Mikhail Dmitrichenko <m.dmitrichenko222@gmail.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-07-29 14:05:40 -07:00
Kir Kolyshkin 7d2161f807 setupIO: simplify getting net.UnixConn
The typecast can't fail, so it doesn't make sense checking for errors
here.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-07-28 16:56:53 -07:00
Aleksa Sarai b64bb16b10 merge #4818 into opencontainers/runc:main
Kir Kolyshkin (1):
  ci: speed up criu-dev install

LGTMs: lifubang cyphar
2025-07-29 01:09:24 +10:00
Kir Kolyshkin 1a26cf3a23 ci: speed up criu-dev install
Employ shallow git clone and parallel build, speeding up build.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-07-25 20:45:15 -07:00
lfbzhm b33b5276c7 Merge pull request #4813 from kolyshkin/golangci-lint-22
ci: bump golangci-lint to v2.3.x
2025-07-25 12:58:18 +08:00
Kir Kolyshkin 1c2810be9e ci: bump golangci-lint to v2.3.x
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-07-25 12:37:46 +08:00
Kir Kolyshkin 79a311f73d Merge pull request #4802 from kolyshkin/ci-events
tests/int/events.bats: don't require root
2025-07-24 16:19:27 -07:00
Kir Kolyshkin 66a533eb3e tests/int/events.bats: don't require root
These tests should work as rootless as long as cgroup access works.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-07-22 16:38:07 -07:00
Aleksa Sarai 6bae6cad47 merge #4817 into opencontainers/runc:main
Aleksa Sarai (1):
  rootfs: remove /proc/net/dev from allowed overmount list

LGTMs: AkihiroSuda lifubang
2025-07-21 23:46:31 +10:00
Aleksa Sarai 3620185d06 rootfs: remove /proc/net/dev from allowed overmount list
This was added in 2ee9cbbd12 ("It's /proc/stat, not /proc/stats") with
no actual justification, and doesn't really make much sense on further
inspection:

 * /proc/net is a symlink to "self/net", which means that /proc/net/dev
   is a per-process file, and so overmounting it would only affect pid1.
   Any other program that cares about /proc/net/dev would see their own
   process's configuration, and unprivileged processes wouldn't be able
   to see /proc/1/... data anyway.

   In addition, the fact that this is a symlink means that runc will
   deny the overmount because /proc/1/net/dev is not in the proc
   overmount allowlist. This means that this has not worked for many
   years, and probably never worked in the first place.

 * /proc/self/net is already namespaced with network namespaces, so the
   primary argument for allowing /proc overmounts (lxcfs-like masking of
   procfs files to emulate namespacing for files that are not properly
   namespaced for containers -- such as /proc/cpuinfo) is moot.

   It goes without saying that lxcfs has never overmounted
   /proc/self/net/... files, so the general "because lxcfs"
   justification doesn't hold water either.

 * The kernel has slowly been moving towards blocking overmounts in
   /proc/self/. Linux 6.12 blocked overmounts for fd, fdinfo, and
   map_files; future Linux versions will probably end up blocking
   everything under /proc/self/.

Fixes: 2ee9cbbd12 ("It's /proc/stat, not /proc/stats")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-07-20 15:40:37 +10:00
Rodrigo Campos 34c64e2a7f Merge pull request #4803 from opencontainers/dependabot/go_modules/golang.org/x/net-0.42.0
build(deps): bump golang.org/x/net from 0.41.0 to 0.42.0
2025-07-17 00:05:35 -03:00
Kir Kolyshkin cac7cf6cbb Merge pull request #4807 from kolyshkin/debug-ci-failure
tests/int/update: fix getting block major
2025-07-16 10:52:45 -07:00
Kir Kolyshkin 46dac589c1 tests/int/update: fix getting block major
Apparently, having a minor of 0 does not always mean it's the
whole device (not a partition):

	 === /proc/partitions (using major: 259) ===
	 major minor  #blocks  name

	    8       16   78643200 sdb
	    8       17   77593583 sdb1
	    8       30       4096 sdb14
	    8       31     108544 sdb15
	  259        0     934912 sdb16
	    8        0   78643200 sda
	    8        1   78641152 sda1

Rewrite the test to not assume minor is 0, and use
lsblk -d to find out whole devices.

This fixes a test case which was added in commit 7696402da.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-07-16 10:31:28 -07:00
dependabot[bot] 6a0644df63 build(deps): bump golang.org/x/net from 0.41.0 to 0.42.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.41.0 to 0.42.0.
- [Commits](https://github.com/golang/net/compare/v0.41.0...v0.42.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-version: 0.42.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-16 10:31:31 +00:00
Rodrigo Campos 8a1335c713 Merge pull request #4766 from jokemanfire/loog
Add audit support for loong64
2025-07-16 06:45:29 -03:00
jokemanfire 859feb8e44 build(seccomp): Add audit support for loong64
Co-authored-by: Rodrigo Campos <rata@users.noreply.github.com>
Signed-off-by: jokemanfire <hu.dingyang@zte.com.cn>
2025-07-16 09:39:11 +08:00
dependabot[bot] a85b5fc4b5 Merge pull request #4808 from opencontainers/dependabot/go_modules/github.com/opencontainers/cgroups-0.0.4 2025-07-15 10:34:21 +00:00
dependabot[bot] fc8162e60e build(deps): bump github.com/opencontainers/cgroups from 0.0.3 to 0.0.4
Bumps [github.com/opencontainers/cgroups](https://github.com/opencontainers/cgroups) from 0.0.3 to 0.0.4.
- [Release notes](https://github.com/opencontainers/cgroups/releases)
- [Changelog](https://github.com/opencontainers/cgroups/blob/main/RELEASES.md)
- [Commits](https://github.com/opencontainers/cgroups/compare/v0.0.3...v0.0.4)

---
updated-dependencies:
- dependency-name: github.com/opencontainers/cgroups
  dependency-version: 0.0.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-15 06:35:26 +00:00
lfbzhm 2a6e143c5f Merge pull request #4806 from kolyshkin/fix-fedora-ci
tests/int/cgroups.bats: exclude dmem controller
2025-07-15 11:52:29 +08:00
Kir Kolyshkin b3432118ed tests/int/cgroups.bats: exclude dmem controller
The dmem controller is added into kernel v6.13 and is now enabled in
Fedora 42 kernels. Yet, systemd is not aware of dmem.

This fixes the test case failure on Fedora.

For the initial test case, see commit 27515719.

For earlier commits similar to this one, see
commits 601cf582, 05272718, e83ca519.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-07-14 16:17:45 -07:00
lfbzhm 61fe4ac73a Merge pull request #4801 from opencontainers/dependabot/go_modules/golang.org/x/sys-0.34.0
build(deps): bump golang.org/x/sys from 0.33.0 to 0.34.0
2025-07-11 18:15:16 +08:00
dependabot[bot] 4a6ef6b9fa build(deps): bump golang.org/x/sys from 0.33.0 to 0.34.0
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.33.0 to 0.34.0.
- [Commits](https://github.com/golang/sys/compare/v0.33.0...v0.34.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-version: 0.34.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-10 04:54:21 +00:00
lfbzhm 4d4cedd650 Merge pull request #4796 from astrawind/fix/seccomp-agent-conn-leak
libcontainer: close seccomp agent connection to prevent resource leaks
2025-07-04 00:08:21 +08:00
Rodrigo Campos c3d127f6e8 Merge pull request #4797 from kolyshkin/sd-docs
docs/systemd.md: amend
2025-07-02 03:42:15 -03:00
Kir Kolyshkin a09e703853 docs/systemd.md: amend
Include some important previously missed detail about how
linux.cgroupsPath works.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-07-01 18:15:05 -07:00
Pavel Liubimov aa0e7989c4 libcontainer: close seccomp agent connection to prevent resource leaks
Add missing defer conn.Close().

Signed-off-by: Pavel Liubimov <prlyubimov@gmail.com>
2025-07-01 12:31:55 +03:00
Rodrigo Campos b1722d7902 Merge pull request #4775 from kolyshkin/update-resources
runc update: support per-device weight and iops
2025-06-20 11:30:46 -03:00
lfbzhm 94dc2be608 Merge pull request #4757 from HirazawaUi/fix-unable-delete
Preventing containers from being unable to be deleted
2025-06-20 16:59:21 +08:00
Sebastiaan van Stijn ff2494b98d Merge pull request #4785 from kolyshkin/cgroups-v003
deps: bump cgroups to v0.0.3, fix a few regressions
2025-06-19 21:28:00 +02:00
Kir Kolyshkin 71bd84f32e Merge pull request #4784 from kolyshkin/cgr-fup
cgroups separation followup
2025-06-19 10:32:33 -07:00
Kir Kolyshkin da90947848 deps: bump cgroups to v0.0.3, fix tests
For changelog, see https://github.com/opencontainers/cgroups/releases/tag/v0.0.3

This fixes two runc issues:

1. JSON incompatibility introduced in cgroups v0.0.2 (see
   https://github.com/opencontainers/cgroups/pull/22).

2. Bad CPU shares to CPU weight conversion (see
   https://github.com/opencontainers/runc/issues/4772).

Due to item 2, modify some tests accordingly.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-06-19 10:25:22 -07:00
Kir Kolyshkin f24aa06ef6 libct: State: ensure Resources is not nil
Since opencontainers/cgroups v0.0.2 (commit b206a015), all stuct
Resources fields are annotated with "omitempty" attribute.
As a result, the loaded configuration may have Resources == nil.

It is totally OK (rootless containers may have no resources configured)
except since commit 6c5441e5, cgroup v1 fs manager requires Resources to
be set in the call to NewManager (this is a cgroup v1 deficiency,
or maybe our implementation deficiency, or both).

To work around this, let's add code to ensure Resources is never nil
after loading from state.json.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-06-19 10:24:16 -07:00
HirazawaUi 1b39997e73 Preventing containers from being unable to be deleted
Signed-off-by: HirazawaUi <695097494plus@gmail.com>
2025-06-19 20:17:50 +08:00
Rodrigo Campos 82fe6e2d96 Merge pull request #4538 from aojea/netdevices
Linux Network Devices
2025-06-19 07:45:04 -03:00
Kir Kolyshkin d22a42113d libct/configs: stop using deprecated id
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-06-18 18:14:54 -07:00
Kir Kolyshkin b25bcaa8b3 libct/configs: fix/improve deprecation notices
The per-file deprecation in cgroup_deprecated.go is not working,
let's replace it.

Link to Hooks.Run in Hook.Run deprecation notice.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-06-18 18:14:46 -07:00
Kir Kolyshkin a10d338eb2 libct/configs: add package docstring
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-06-18 18:10:51 -07:00
Antonio Ojea 8d180e9658 Add support for Linux Network Devices
Implement support for passing Linux Network Devices to the container
network namespace.

The network device is passed during the creation of the container,
before the process is started.

It implements the logic defined in the OCI runtime specification.

Signed-off-by: Antonio Ojea <aojea@google.com>
2025-06-18 15:52:30 +01:00
Antonio Ojea 889c7b272f update runtime-spec
Signed-off-by: Antonio Ojea <aojea@google.com>
2025-06-18 15:52:30 +01:00
Antonio Ojea ed5df5f96f libcontainer/configs package doc
Signed-off-by: Antonio Ojea <aojea@google.com>
2025-06-18 15:52:30 +01:00
Kir Kolyshkin 0b01dccfbb runc update: handle duplicated devs properly
In case there's a duplicate in the device list, the latter entry
overrides the former one.

So, we need to modify the last entry, not the first one. To do that,
use slices.Backward.

Amend the test case to test the fix.

Reported-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-06-17 15:16:55 -07:00
Kir Kolyshkin 7696402dac runc update: support per-device weight and iops
This support was missing from runc, and thus the example from the
podman-update wasn't working.

To fix, introduce a function to either update or insert new weights and iops.

Add integration tests.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-06-17 15:16:55 -07:00
Kir Kolyshkin 178a58d654 Merge pull request #4783 from opencontainers/dependabot/go_modules/github.com/urfave/cli-1.22.17
build(deps): bump github.com/urfave/cli from 1.22.16 to 1.22.17
2025-06-17 15:16:40 -07:00
dependabot[bot] 99a4f1983d build(deps): bump github.com/urfave/cli from 1.22.16 to 1.22.17
Bumps [github.com/urfave/cli](https://github.com/urfave/cli) from 1.22.16 to 1.22.17.
- [Release notes](https://github.com/urfave/cli/releases)
- [Changelog](https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md)
- [Commits](https://github.com/urfave/cli/compare/v1.22.16...v1.22.17)

---
updated-dependencies:
- dependency-name: github.com/urfave/cli
  dependency-version: 1.22.17
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-16 04:36:33 +00:00
Kir Kolyshkin b04031d708 Merge pull request #4779 from opencontainers/dependabot/go_modules/golang.org/x/net-0.41.0
build(deps): bump golang.org/x/net from 0.40.0 to 0.41.0
2025-06-06 10:18:51 -07:00
dependabot[bot] 31d141e2e7 build(deps): bump golang.org/x/net from 0.40.0 to 0.41.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.40.0 to 0.41.0.
- [Commits](https://github.com/golang/net/compare/v0.40.0...v0.41.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-version: 0.41.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-06 04:56:47 +00:00
Akihiro Suda 9a0145a001 Merge pull request #4751 from kolyshkin/cgroups-002
deps: bump opencontainers/cgroups to v0.0.2, fix tests
2025-06-03 00:39:47 +09:00
lfbzhm cdf9530701 Merge pull request #4768 from opencontainers/dependabot/go_modules/github.com/containerd/console-1.0.5
build(deps): bump github.com/containerd/console from 1.0.4 to 1.0.5
2025-05-27 13:13:46 +08:00
dependabot[bot] 8b0e7511cf build(deps): bump github.com/containerd/console from 1.0.4 to 1.0.5
Bumps [github.com/containerd/console](https://github.com/containerd/console) from 1.0.4 to 1.0.5.
- [Release notes](https://github.com/containerd/console/releases)
- [Commits](https://github.com/containerd/console/compare/v1.0.4...v1.0.5)

---
updated-dependencies:
- dependency-name: github.com/containerd/console
  dependency-version: 1.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-05-21 04:22:38 +00:00
Kir Kolyshkin ce3cd4234c criu: simplify isOnTmpfs check in prepareCriuRestoreMounts
Instead of generating a list of tmpfs mount and have a special function
to check whether the path is in the list, let's go over the list of
mounts directly. This simplifies the code and improves readability.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-05-20 16:56:55 -07:00
Kir Kolyshkin f91fbd34d9 criu: inline makeCriuRestoreMountpoints
Since its code is now trivial, and it is only called from a single
place, it does not make sense to have it as a separate function.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-05-20 16:56:55 -07:00
Kir Kolyshkin b8aa5481db criu: ignore cgroup early in prepareCriuRestoreMounts
It makes sense to ignore cgroup mounts much early in the code,
saving some time on unnecessary operations.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-05-20 16:56:55 -07:00
Kir Kolyshkin 0c93d41c65 criu: improve prepareCriuRestoreMounts
1. Replace the big "if !" block with the if block and continue,
   simplifying the code flow.

2. Move comments closer to the code, improving readability.

This commit is best reviewed with --ignore-all-space or similar.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-05-20 16:56:55 -07:00
Kir Kolyshkin 8eb2f43047 Merge pull request #4760 from kolyshkin/sched
ci: add scheduled run of GHA CI
2025-05-20 12:55:21 -07:00
lfbzhm ced3139319 Merge pull request #4724 from saku3/fix-rootfspropagation
fix rootfs propagation mode to shared / unbindable
2025-05-20 09:16:50 +08:00
Yusuke Sakurai 04be81b6a3 fix rootfs propagation mode
Signed-off-by: Yusuke Sakurai <yusuke.sakurai@3-shake.com>
2025-05-19 12:55:35 +00:00
Kir Kolyshkin 995a39a4cb ci: add scheduled run of GHA CI
This is to ensure that our CI is not rotting away even if there are no
new PRs or merges. This is especially useful for release branches
which tend to cease working over time due to some external reasons.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-05-14 16:12:37 -07:00
Kir Kolyshkin 74209b739d ci/gha: allow to run jobs manually
... or from another job.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-05-14 16:12:37 -07:00
Kir Kolyshkin 62e6ab6dda gha/ci: allow validate/all-done to succeed for non-PRs
When we run CI not on a pull request, the commit job is skipped, as a
result, all-done is also skipped.

To allow all-done to succeed, modify the commit job to succeed for
non-PRs.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-05-14 16:12:33 -07:00
Kir Kolyshkin b39bd10590 ci/gha: fix exclusion rules
Commit 874207492 neglects to update the exclusion rules when bumping Go
releases, and so we no longer exclude running on actuated with older Go
release, or running with criu-dev with older Go release.

Fixes: 874207492 ("CI: add Go 1.24, drop go1.22")

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-05-14 15:57:10 -07:00
Kir Kolyshkin b206a015b3 deps: bump opencontainers/cgroups to v0.0.2
For changes, see https://github.com/opencontainers/cgroups/releases/tag/v0.0.2

Fix integration tests according to changes in [1] (now the CPU quota value set
is rounded the same way systemd does it).

[1]: https://github.com/opencontainers/cgroups/pull/4
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-05-13 13:28:36 -07:00
Kir Kolyshkin ae00c2bd09 tests/int: simplify using check_cpu_quota
Instead of providing systemd CPU quota value (CPUQuotaPerSec),
calculate it based on how opencontainers/cgroups/systemd handles
it (see addCPUQuota).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-05-13 13:28:36 -07:00
Rodrigo Campos 17c8e80c40 Merge pull request #4764 from opencontainers/dependabot/go_modules/github.com/vishvananda/netlink-1.3.1
build(deps): bump github.com/vishvananda/netlink from 1.3.0 to 1.3.1
2025-05-13 13:57:19 -03:00
dependabot[bot] fbf1a320d8 build(deps): bump github.com/vishvananda/netlink from 1.3.0 to 1.3.1
Bumps [github.com/vishvananda/netlink](https://github.com/vishvananda/netlink) from 1.3.0 to 1.3.1.
- [Release notes](https://github.com/vishvananda/netlink/releases)
- [Commits](https://github.com/vishvananda/netlink/compare/v1.3.0...v1.3.1)

---
updated-dependencies:
- dependency-name: github.com/vishvananda/netlink
  dependency-version: 1.3.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-05-12 04:47:59 +00:00
lfbzhm 23cf356f90 Merge pull request #4761 from cyphar/changelog-1.3
CHANGELOG: forward-port entries from 1.3.0
2025-05-08 00:42:30 +08:00
Aleksa Sarai 5cdfeea7c9 CHANGELOG: forward-port entries from 1.3.0
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-05-08 00:06:13 +10:00
Kir Kolyshkin a4b9868323 Merge pull request #4758 from opencontainers/dependabot/go_modules/golang.org/x/net-0.40.0
build(deps): bump golang.org/x/net from 0.39.0 to 0.40.0
2025-05-06 14:51:44 -07:00
ningmingxiao e028228746 bug:fix runc delete run before delete exec.fifo
Signed-off-by: ningmingxiao <ning.mingxiao@zte.com.cn>
2025-05-06 14:44:39 -07:00
Kir Kolyshkin 99325b6a7e Merge pull request #4756 from opencontainers/dependabot/github_actions/golangci/golangci-lint-action-8
build(deps): bump golangci/golangci-lint-action from 7 to 8
2025-05-06 12:25:55 -07:00
dependabot[bot] 0623ea108a build(deps): bump golang.org/x/net from 0.39.0 to 0.40.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.39.0 to 0.40.0.
- [Commits](https://github.com/golang/net/compare/v0.39.0...v0.40.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-version: 0.40.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-05-06 04:31:36 +00:00
dependabot[bot] c1958d8844 build(deps): bump golangci/golangci-lint-action from 7 to 8
Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 7 to 8.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](https://github.com/golangci/golangci-lint-action/compare/v7...v8)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-version: '8'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-05-05 04:31:04 +00:00
Akihiro Suda 8d90e3dba6 Merge pull request #4750 from rata/go-mod-exclude-linter
ci: Check for exclude/replace directives
2025-05-01 08:50:34 +09:00
Rodrigo Campos 9f86496c33 ci: Check for exclude/replace directives
To not accidentally break `go install`, let's add CI to check it. If in
the future we need those directives, we can remove the CI check.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2025-04-30 17:30:10 +02:00
Akihiro Suda 8ba0a16844 Merge pull request #4743 from kolyshkin/retry-ppa
ci/cross-i386: retry adding ppa
2025-04-29 18:08:08 +09:00
lfbzhm 57d1c30360 Merge pull request #4748 from rata/main
go.mod: Delete exclude directives
2025-04-29 09:01:49 +08:00
Rodrigo Campos 67b8a68599 go.mod: Delete exclude directives
We already have the indirect require for 1.17.3, that comes
opencontainers/cgroups[1]. That module requires that version as min, so
go can't use older versions. We can just remove the excludes.

There might be cases where people can use runc as a dependency and use
replace to override it (not sure, but probably). We were clear on what
our dependencies are, so we can sleep fine. In the unlikely case that
some project uses runc as a dependency and:

 * Uses a replace for cilium v0.17.x but not the latest patch release (0.17.3 is fixed)
 * they run with 32bits
 * and hit this (that didn't happen always on CI)
 * Ignore the changelog for 0.17.3 that mentions the buffer overflow on
   32 bits platforms[2].

In that case, if we have a bug report, we can point them to the right
place. But 0.17.3 was released for some months now (most people probably
update) and 0.18.0 was released recently. I wouldn't worry about someone
hitting this in real life.

Also, the excludes directives prevent go install from working, so let's
just remove them.

[1]: https://github.com/opencontainers/cgroups/blob/9657f5a18b8d60a0f39fbb34d0cb7771e28e6278/go.mod#L6
[2]: https://github.com/cilium/ebpf/releases/tag/v0.17.3

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2025-04-28 12:04:46 +02:00
Aleksa Sarai 0e57cc520a merge #4747 into opencontainers/runc:main
Kir Kolyshkin (1):
  ci: bump golangci-lint to v2.1

LGTMs: lifubang cyphar
2025-04-28 15:28:31 +10:00
Kir Kolyshkin b0aa863fc8 ci: bump golangci-lint to v2.1
(The current v2.1 release is v2.1.5 as of today).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-25 15:35:40 -07:00
lfbzhm 51f45cb5c0 Merge pull request #4746 from opencontainers/dependabot/go_modules/github.com/seccomp/libseccomp-golang-0.11.0
build(deps): bump github.com/seccomp/libseccomp-golang from 0.10.0 to 0.11.0
2025-04-25 23:07:54 +08:00
dependabot[bot] d920a72202 build(deps): bump github.com/seccomp/libseccomp-golang
Bumps [github.com/seccomp/libseccomp-golang](https://github.com/seccomp/libseccomp-golang) from 0.10.0 to 0.11.0.
- [Release notes](https://github.com/seccomp/libseccomp-golang/releases)
- [Changelog](https://github.com/seccomp/libseccomp-golang/blob/main/CHANGELOG)
- [Commits](https://github.com/seccomp/libseccomp-golang/compare/v0.10.0...v0.11.0)

---
updated-dependencies:
- dependency-name: github.com/seccomp/libseccomp-golang
  dependency-version: 0.11.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-04-24 04:50:34 +00:00
Kir Kolyshkin 8e3ee502c8 ci/cross-i386: retry adding ppa
For some reason, launchpad.net is frequently giving us Gateway Timeout.
Let's retry adding the ppa once to mitigate that.

(The alternative is not to install criu and thus run criu-related unit
tests on i386 -- this might actually be better).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-23 14:01:02 -07:00
Kir Kolyshkin 96bb2b0e25 Merge pull request #4718 from kolyshkin/embed-version
Embed version from VERSION
2025-04-23 09:50:44 -07:00
Kir Kolyshkin c12c99b7d2 runc: embed version from VERSION file
This ensures that if runc is built without the provided Makefile, the
version is still properly set.

No change in the output.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-23 09:31:26 -07:00
Kir Kolyshkin d54eaaf2c2 runc --version: use a function
Instead of setting cli.App.Version in main, let's set up
cli.VersionPrinter. This way, we only get various versions
when needed.

Note it does not change the output of runc --version.

It changes the output of runc --help though, and I think it's for the
better.

Before this patch:

> $ runc help
> ...
> USAGE:
>    runc [global options] command [command options] [arguments...]
>
> VERSION:
>    1.3.0-rc.1+dev
> commit: v1.3.0-rc.1-93-g932e8342
> spec: 1.2.1
> go: go1.24.2
> libseccomp: 2.5.5
>
> COMMANDS:
>    checkpoint  checkpoint a running container
> ...

After:

> $ runc help
> ...
> USAGE:
>    runc [global options] command [command options] [arguments...]
>
> VERSION:
>    1.3.0-rc.1+dev
>
> COMMANDS:
>    checkpoint  checkpoint a running container
> ...

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-23 09:31:26 -07:00
lfbzhm a3a8a2e33d Merge pull request #4736 from kolyshkin/fedora-skip-criu-41
ci: update to criu-4.1-2 on Fedora
2025-04-23 11:22:26 +08:00
Kir Kolyshkin 3e3e04824d ci: upgrade to criu-4.1-2 in Fedora
Package criu-4.1-1 has a known bug [1] which is fixed in criu-4.1-2 [2],
which is currently only available in updates-testing. Add a kludge to
install newer criu if necessary to fix CI.

This will not be needed in ~2 weeks once the new package is promoted to
updates.

[1]: https://github.com/checkpoint-restore/criu/issues/2650
[2]: https://bodhi.fedoraproject.org/updates/FEDORA-2025-d374d8ce17

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-22 19:35:09 -07:00
lfbzhm b60a77a199 Merge pull request #4734 from cyphar/mount-errors
rootfs: improve mount-related errors
2025-04-22 12:26:19 +08:00
Aleksa Sarai 58c3ab77b0 rootfs: improve error messages for bind-mount vfs flag setting
While debugging an issue involving failing mounts, I discovered that
just returning the plain mount error message when we are in the fallback
code for handling locked mounts leads to unnecessary confusion.

It also doesn't help that podman currently forcefully sets "rw" on
mounts, which means that rootless containers are likely to hit the
locked mounts issue fairly often.

So we should improve our error messages to explain why the mount is
failing in the locked flags case.

Fixes: 7c71a22705 ("rootfs: remove --no-mount-fallback and finally fix MS_REMOUNT")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-04-21 13:01:03 +10:00
Aleksa Sarai 30302a2850 mount: add string representation of mount flags
When reading mount errors, it is quite hard to make sense of mount flags
in their hex form. As this is the error path, the minor performance
impact of constructing a string is probably not worth hyper-optimising.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-04-21 13:00:59 +10:00
lfbzhm eeae96b181 Merge pull request #4728 from kolyshkin/ci-criu
ci fixes (ssh-keygen and criu version bump for almalinux 8)
2025-04-21 09:10:21 +08:00
Kir Kolyshkin 87ae2f8466 Unify and fix rootless key setup
For some reason, ssh-keygen is unable to write to /root even as root on
AlmaLinux 8:

	# id
	uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0
	# id -Z
	ls -ld /root
	# ssh-keygen -t ecdsa -N "" -f /root/rootless.key || cat /var/log/audit/audit.log
	Saving key "/root/rootless.key" failed: Permission denied

The audit.log shows:

> type=AVC msg=audit(1744834995.352:546): avc:  denied  { dac_override } for  pid=13471 comm="ssh-keygen" capability=1  scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:system_r:ssh_keygen_t:s0 tclass=capability permissive=0
> type=SYSCALL msg=audit(1744834995.352:546): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5641c7587520 a2=241 a3=180 items=0 ppid=4978 pid=13471 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=system_u:system_r:ssh_keygen_t:s0 key=(null)␝ARCH=x86_64 SYSCALL=openat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"

A workaround is to use /root/.ssh directory instead of just /root.

While at it, let's unify rootless user and key setup into a single place.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-17 16:16:31 -07:00
Kir Kolyshkin b520f750ef ci: install newer criu for almalinux-8
We are seeing a ton on flakes on almalinux-8 CI job, all caused by criu
inability to freeze a cgroup. This was worked around in criu [1], but
obviously we can't rely on a distro vendor to update the package.

Let's use a copr (thanks to Adrian Reber!)

[1]: https://github.com/checkpoint-restore/criu/pull/2545

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-17 16:04:52 -07:00
Kir Kolyshkin e55fe63aed Merge pull request #4727 from askervin/5aY_fix_invalid_workflow
Fix "invalid workflow file" github actions error
2025-04-17 11:54:04 -07:00
Antti Kervinen d7285e46d8 Fix "invalid workflow file" github actions error
The colon after "Error:" caused actionlint to report error on map in
context where map is not allowed.

Signed-off-by: Antti Kervinen <antti.kervinen@intel.com>
2025-04-16 14:16:55 +03:00
Akihiro Suda 3d8a278bdd Merge pull request #4722 from kolyshkin/rm-criu-opt
Completely remove --criu option
2025-04-16 15:41:19 +09:00
lfbzhm f1eaad8597 Merge pull request #4725 from kolyshkin/novar
libct/apparmor: don't use vars for public functions
2025-04-15 18:10:28 +08:00
Kir Kolyshkin 5f4d3f3670 libct/apparmor: don't use vars for public functions
Unfortunately, Go documentation formatter does a sloppy job formatting
documentation for variables -- it is rendered as comments (see [1]).

Switch to using wrapper functions, solely for the sake of better
documentation formatting.

[1]: https://pkg.go.dev/github.com/opencontainers/runc@v1.3.0-rc.2/libcontainer/apparmor

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-14 13:59:39 -07:00
Rodrigo Campos 021973353f Merge pull request #4723 from chenx97/stat-uint32-mips
tests/cmd/remap-rootfs: fix mips builds
2025-04-14 05:44:59 -03:00
Rodrigo Campos 35c4d964cc Merge pull request #4721 from kolyshkin/no-toolchain-check
ci: add check for toolchain in go.mod
2025-04-11 06:14:54 -03:00
Henry Chen 08ebbfc8c7 tests/cmd/remap-rootfs: fix mips builds
Similar to #1824, we need to convert the device number to uint64 for
mips.

Signed-off-by: Henry Chen <henry.chen@oss.cipunited.com>
2025-04-10 14:59:58 +08:00
Kir Kolyshkin 1d78cb2112 Completely remove --criu option
This option is ignored since commit 6e1d476a, it's now time to actually
remove it.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-09 10:10:50 -07:00
Kir Kolyshkin c899193643 ci: add check for toolchain in go.mod
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-09 10:04:37 -07:00
Kir Kolyshkin 7483452016 Merge pull request #4716 from rata/changelog-1.2-updates
CHANGELOG: Port 1.2.x changes
2025-04-09 09:45:23 -07:00
Rodrigo Campos e34c1a0408 CHANGELOG: Port 1.2.x changes
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2025-04-09 09:23:13 -07:00
Rodrigo Campos 491e35213b Merge pull request #4709 from kolyshkin/pause-warn
runc pause/unpause/ps: get rid of excessive warning
2025-04-09 07:15:51 -03:00
Rodrigo Campos 636eb4bc6a Merge pull request #4717 from kolyshkin/no-toolchain
go.mod: rm toolchain
2025-04-09 07:12:58 -03:00
Kir Kolyshkin c5ab4b6e30 runc pause/unpause/ps: get rid of excessive warning
This issue was originally reported in podman PR 25792.

When calling runc pause/unpause for an ordinary user, podman do not
provide --systemd-cgroups option, and shouldUseRootlessCgroupManager
returns true. This results in a warning:

	$ podman pause sleeper
	WARN[0000] runc pause may fail if you don't have the full access to cgroups
	sleeper

Actually, it does not make sense to call shouldUseRootlessCgroupManager
at this point, because we already know if we're rootless or not, from
the container state.json (same for systemd).

Also, busctl binary is not available either in this context, so
shouldUseRootlessCgroupManager would not work properly.

Finally, it doesn't really matter if we use systemd or not, because we
use fs/fs2 manager to freeze/unfreeze, and it will return something like
EPERM (or tell that cgroups is not configured, for a true rootless
container).

So, let's only print the warning after pause/unpause failed,
if the error returned looks like a permission error.

Same applies to "runc ps".

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-08 14:00:56 -07:00
Kir Kolyshkin fda034c9ec pause: refactor
This is to simplify code review for the next commit.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-08 14:00:56 -07:00
Kir Kolyshkin 75a4546b2b go.mod: rm toolchain
This was added by dependabot in commit 0b536265. Seems there is a bug
about it: https://github.com/dependabot/dependabot-core/issues/11933.

Having "toolchain" means instead of using installed go version to
build/test, the version specified in toolchain is [downloaded and] used,
which might not be what we actually want.

For more details on toolchain directive, see
https://go.dev/doc/toolchain.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-08 12:31:03 -07:00
Rodrigo Campos 932e83428a Merge pull request #4715 from opencontainers/dependabot/go_modules/golang.org/x/net-0.39.0
build(deps): bump golang.org/x/net from 0.38.0 to 0.39.0
2025-04-08 06:03:40 -03:00
dependabot[bot] 0a9639e380 build(deps): bump golang.org/x/net from 0.38.0 to 0.39.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.38.0 to 0.39.0.
- [Commits](https://github.com/golang/net/compare/v0.38.0...v0.39.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-version: 0.39.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-04-08 04:41:06 +00:00
Akihiro Suda a996fe8bf8 Merge pull request #4704 from rata/env-var-fixes
Override HOME if its set to the empty string
2025-04-07 20:49:54 +09:00
Rodrigo Campos bf9e609b3b Merge pull request #4710 from opencontainers/dependabot/go_modules/golang.org/x/sys-0.32.0
build(deps): bump golang.org/x/sys from 0.31.0 to 0.32.0
2025-04-07 07:20:15 -03:00
Akihiro Suda 9edb49733e Merge pull request #4707 from opencontainers/dependabot/go_modules/github.com/moby/sys/user-0.4.0
build(deps): bump github.com/moby/sys/user from 0.3.0 to 0.4.0
2025-04-07 08:53:35 +01:00
dependabot[bot] c5e0ece494 build(deps): bump golang.org/x/sys from 0.31.0 to 0.32.0
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.31.0 to 0.32.0.
- [Commits](https://github.com/golang/sys/compare/v0.31.0...v0.32.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-version: 0.32.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-04-07 04:09:11 +00:00
Rodrigo Campos 19c6515471 tests: Add env var tests
This adds some e2e tests for environment variables set in the
config.json. These were based on tests that failed on docker CI[1][2] after
the refactor on 06f1e0765 ("libct: speedup process.Env handling") and
some bugs that I had along the way trying to fix it.

These tests pass with runc 1.2 too.

[1]: https://github.com/moby/moby/blob/843e51459f14ebc964d349eba1013dc8a3e9d52e/integration-cli/docker_cli_run_test.go#L822-L843
[2]: https://github.com/moby/moby/blob/843e51459f14ebc964d349eba1013dc8a3e9d52e/integration-cli/docker_cli_links_test.go#L197-L204

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2025-04-04 15:44:47 +02:00
Rodrigo Campos 09501d96d2 libct: Override HOME if its set to the empty string
Before commit 06f1e0765 ("libct: speedup process.Env handling") we were
overriding HOME if it was set to "" too[1]. But now we only override it
if it wasn't set at all.

This patch restores the old behavior of overriding it if it was set to
an empty value.

Docker relies on this behaviour since ages[2].

[1]: https://github.com/opencontainers/runc/blob/1c508045727231e7342e258ab30add1478c1f981/libcontainer/init_linux.go#L544-L549
[2]: https://github.com/moby/moby/blob/843e51459f14ebc964d349eba1013dc8a3e9d52e/integration-cli/docker_cli_run_test.go#L822-L843

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2025-04-04 15:37:22 +02:00
dependabot[bot] bb5aa11622 build(deps): bump github.com/moby/sys/user from 0.3.0 to 0.4.0
Bumps [github.com/moby/sys/user](https://github.com/moby/sys) from 0.3.0 to 0.4.0.
- [Release notes](https://github.com/moby/sys/releases)
- [Commits](https://github.com/moby/sys/compare/user/v0.3.0...user/v0.4.0)

---
updated-dependencies:
- dependency-name: github.com/moby/sys/user
  dependency-version: 0.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-04-04 04:34:30 +00:00
Rodrigo Campos c3a41d77db Merge pull request #4696 from avagin/criu-vs-exec
criu: Add time namespace to container config after checkpoint/restore
2025-04-01 14:54:33 -03:00
Rodrigo Campos f88669c0c9 Merge pull request #4693 from lifubang/fix-home-env-check-set
libct: we should set envs after we are in the jail of the container
2025-04-01 13:18:00 -03:00
lifubang bf38646497 libct: we should set envs after we are in the jail of the container
Because we have to set a default HOME env for the current container
user, so we should set it after we are in the jail of the container,
or else we'll use host's `/etc/passwd` to get a wrong HOME value.
Please see: #4688.

Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-04-01 15:22:29 +00:00
lifubang 4a0e282b09 test: check whether runc set a correct default home env or not
Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-04-01 15:22:19 +00:00
lfbzhm e2e3c65383 Merge pull request #4703 from kolyshkin/modernize
Use Go 1.22+ features
2025-04-01 18:10:00 +08:00
Kir Kolyshkin 7fdec327a0 Use any instead of interface{}
The keyword is available since Go 1.18 (see
https://pkg.go.dev/builtin#any).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-31 17:15:06 -07:00
Kir Kolyshkin 17570625c0 Use for range over integers
This appears in Go 1.22 (see https://tip.golang.org/ref/spec#For_range).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-31 17:15:06 -07:00
Kir Kolyshkin f64edc4d6d ps: use slices.Contains
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-31 17:15:06 -07:00
Kir Kolyshkin ef5acfab4f libct/configs: use slices.Delete
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-31 17:15:06 -07:00
Kir Kolyshkin 0fc2338d59 libct/specconv: use maps.Clone
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-31 17:15:06 -07:00
Kir Kolyshkin 7a58d8231f .golanci-extra: disable staticcheck QF1008
That is,

> QF1008: could remove embedded field "Resources" from selector (staticcheck)

While occasionally useful, in other cases it actually decreases
readability, so let's disable it even for "extra" (i.e. "new code")
linters.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-31 17:13:26 -07:00
Sebastiaan van Stijn e8a97bae27 Merge pull request #4692 from kolyshkin/golangci-v2
ci: switch to golangci-lint v2
2025-03-31 16:31:28 +02:00
Kir Kolyshkin b3498bd1b8 Merge pull request #4701 from opencontainers/dependabot/github_actions/bats-core/bats-action-3.0.1
build(deps): bump bats-core/bats-action from 3.0.0 to 3.0.1
2025-03-30 00:10:08 -07:00
Kir Kolyshkin 3c9a53a94d Merge pull request #4702 from opencontainers/dependabot/go_modules/golang.org/x/net-0.38.0
build(deps): bump golang.org/x/net from 0.37.0 to 0.38.0
2025-03-30 00:09:25 -07:00
dependabot[bot] 0b5362651f build(deps): bump golang.org/x/net from 0.37.0 to 0.38.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.37.0 to 0.38.0.
- [Commits](https://github.com/golang/net/compare/v0.37.0...v0.38.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-03-28 13:00:18 +00:00
dependabot[bot] 5cfd1a62b3 build(deps): bump bats-core/bats-action from 3.0.0 to 3.0.1
Bumps [bats-core/bats-action](https://github.com/bats-core/bats-action) from 3.0.0 to 3.0.1.
- [Release notes](https://github.com/bats-core/bats-action/releases)
- [Commits](https://github.com/bats-core/bats-action/compare/3.0.0...3.0.1)

---
updated-dependencies:
- dependency-name: bats-core/bats-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-03-28 04:44:14 +00:00
Akihiro Suda f3df2627bd Merge pull request #4697 from kolyshkin/eintr
Introduce/use internal/linux pkg to handle EINTR and error wrapping
2025-03-28 10:10:20 +09:00
lfbzhm 1dc89f73b9 Merge pull request #4672 from kolyshkin/key-selinux-label
tests/int/selinux: test keyring security label
2025-03-27 09:09:42 +08:00
Kir Kolyshkin 131bdac1f3 tests/int/selinux: test keyring security label
This tests the functionality added by commit cd96170c1
("Need to setup labeling of kernel keyrings."), for both
runc run and runc exec, with and without user namespace.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-27 08:42:26 +08:00
Kir Kolyshkin c735c07349 tests/integration/selinux: collect user_avc as well
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-27 08:42:26 +08:00
Kir Kolyshkin 491326cdeb int/linux: add/use Recvfrom
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-26 14:16:53 -07:00
Kir Kolyshkin e655abc0da int/linux: add/use Dup3, Open, Openat
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-26 14:16:53 -07:00
Kir Kolyshkin c690b66d7f int/linux: add/use Exec
Drop the libcontainer/system/exec, and use the linux.Exec instead.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-26 14:16:53 -07:00
Kir Kolyshkin 431b8bb4d8 int/linux: add/use Getwd
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-26 14:16:53 -07:00
Kir Kolyshkin 8cc1eb379b Introduce and use internal/linux
This package is to provide unix.* wrappers to ensure that:
 - they retry on EINTR;
 - a "rich" error is returned on failure.

 A first such wrapper, Sendmsg, is introduced.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-26 14:16:50 -07:00
Andrei Vagin b68cbdff34 criu: Add time namespace to container config after checkpoint/restore
Since v3.14, CRIU always restores processes into a time namespace to
prevent backward jumps of monotonic and boottime clocks. This change
updates the container configuration to ensure that `runc exec` launches
new processes within the container's time namespace.

Fixes #2610

Signed-off-by: Andrei Vagin <avagin@gmail.com>
2025-03-26 15:12:01 +00:00
lfbzhm e5895f1100 Merge pull request #4698 from kolyshkin/codespell241
ci: bump codespell to v2.4.1, fix some typos
2025-03-26 18:40:25 +08:00
lfbzhm a34ee13eea Merge pull request #4694 from opencontainers/dependabot/go_modules/google.golang.org/protobuf-1.36.6
build(deps): bump google.golang.org/protobuf from 1.36.5 to 1.36.6
2025-03-26 18:39:02 +08:00
Kir Kolyshkin 127e8e68d3 ci: bump to golangci-lint v2.0
The new configuration file was initially generated by golangci-lint
migrate, when tweaked to minimize and simplify.

golangci-lint v2 switches to a new version of staticcheck which shows
much more warnings. Some of them were fixed by a few previous commits,
and the rest of them are disabled.

In particular, ST1005 had to be disabled (an attempt to fix it was made
in https://github.com/opencontainers/runc/pull/3857 but it wasn't
merged).

Also, golangci-extra was modified to include ALL staticcheck linters.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-25 16:06:44 -07:00
Kir Kolyshkin 9b3ccc19a6 libct/intelrdt: fix staticcheck ST1020 warnings
> libcontainer/intelrdt/cmt.go:5:1: ST1020: comment on exported function IsCMTEnabled should be of the form "IsCMTEnabled ..." (staticcheck)
> // Check if Intel RDT/CMT is enabled.
> ^
> libcontainer/intelrdt/intelrdt.go:419:1: ST1020: comment on exported function IsCATEnabled should be of the form "IsCATEnabled ..." (staticcheck)
> // Check if Intel RDT/CAT is enabled
> ^
> libcontainer/intelrdt/intelrdt.go:425:1: ST1020: comment on exported function IsMBAEnabled should be of the form "IsMBAEnabled ..." (staticcheck)
> // Check if Intel RDT/MBA is enabled
> ^
> libcontainer/intelrdt/intelrdt.go:446:1: ST1020: comment on exported method Apply should be of the form "Apply ..." (staticcheck)
> // Applies Intel RDT configuration to the process with the specified pid
> ^
> libcontainer/intelrdt/intelrdt.go:481:1: ST1020: comment on exported method Destroy should be of the form "Destroy ..." (staticcheck)
> // Destroys the Intel RDT container-specific 'container_id' group
> ^
> libcontainer/intelrdt/intelrdt.go:497:1: ST1020: comment on exported method GetPath should be of the form "GetPath ..." (staticcheck)
> // Returns Intel RDT path to save in a state file and to be able to
> ^
> libcontainer/intelrdt/intelrdt.go:506:1: ST1020: comment on exported method GetStats should be of the form "GetStats ..." (staticcheck)
> // Returns statistics for Intel RDT
> ^
> libcontainer/intelrdt/mbm.go:6:1: ST1020: comment on exported function IsMBMEnabled should be of the form "IsMBMEnabled ..." (staticcheck)
> // Check if Intel RDT/MBM is enabled.
> ^
> 8 issues:
> * staticcheck: 8

While at it, add missing periods.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-25 16:06:44 -07:00
Kir Kolyshkin 30f8acabf6 Fix staticcheck ST1020/ST1021 warnings
I was pretty sure we have a linter for these but apparently we did not.

> libcontainer/capabilities/capabilities.go:108:1: ST1020: comment on exported method ApplyCaps should be of the form "ApplyCaps ..." (staticcheck)
> // Apply sets all the capabilities for the current process in the config.
> ^
>
>
> types/events.go:15:1: ST1021: comment on exported type Stats should be of the form "Stats ..." (with optional leading article) (staticcheck)
> // stats is the runc specific stats structure for stability when encoding and decoding stats.
> ^

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-25 16:06:44 -07:00
Kir Kolyshkin 9510ffb658 Fix a few staticcheck QF1001 warnings
Like these:

> libcontainer/criu_linux.go:959:3: QF1001: could apply De Morgan's law (staticcheck)
> 		!(req.GetType() == criurpc.CriuReqType_FEATURE_CHECK ||
> 		^
> libcontainer/rootfs_linux.go:360:19: QF1001: could apply De Morgan's law (staticcheck)
> 	if err == nil || !(errors.Is(err, unix.EPERM) || errors.Is(err, unix.EBUSY)) {
> 	                 ^

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-25 16:06:44 -07:00
Kir Kolyshkin 6405725ca2 libct: fix staticcheck QF1006 warning
> libcontainer/rootfs_linux.go:1255:13: QF1004: could use strings.ReplaceAll instead (staticcheck)
> 	keyPath := strings.Replace(key, ".", "/", -1)

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-25 16:06:44 -07:00
Kir Kolyshkin fdb691632d notify_socket.go: fix staticcheck warning
> notify_socket.go:44:24: ST1016: methods on the same type should have the same receiver name (seen 1x "n", 5x "s") (staticcheck)
> func (s *notifySocket) Close() error {
>                        ^

As reported by staticcheck from golangci-lint v2.0.0

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-25 16:06:44 -07:00
Kir Kolyshkin dc7ede67fa Merge pull request #4686 from kolyshkin/golangci
Remove some nolint annotations, add nolintlint linter
2025-03-25 16:06:17 -07:00
dependabot[bot] 4622bb87fd build(deps): bump google.golang.org/protobuf from 1.36.5 to 1.36.6
Bumps google.golang.org/protobuf from 1.36.5 to 1.36.6.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-03-25 04:06:22 +00:00
lfbzhm 480e7a722a Merge pull request #4691 from rata/issue-template-repro
.github: Improve issue template description
2025-03-25 09:33:17 +08:00
Kir Kolyshkin 8598f6ec4a Merge pull request #4354 from ningmingxiao/dev3
skip read /proc/filesystems if process_label is null
2025-03-24 12:09:03 -07:00
Kir Kolyshkin a638f1330b .golangci.yml: add nolintlint, fix found issues
The errrolint linter can finally ignore errors from Close,
and it also ignores direct comparisons of errors from x/sys/unix.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-24 11:59:54 -07:00
Kir Kolyshkin d00c3be986 ci: bump codespell to v2.4.1, fix some typos
All but one were found by codespell.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-24 10:05:22 -07:00
Kir Kolyshkin 65e0f2b719 libct/int: use destroyContainer
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-24 10:02:47 -07:00
Kir Kolyshkin 1aebfa3eab libct/int: don't use _ = runContainerOk
There is no need to explicitly ignore returned value.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-24 10:02:47 -07:00
Rodrigo Campos 25d4764432 Merge pull request #4689 from opencontainers/dependabot/go_modules/github.com/opencontainers/selinux-1.12.0
build(deps): bump github.com/opencontainers/selinux from 1.11.1 to 1.12.0
2025-03-24 08:32:10 -03:00
Rodrigo Campos f55400dce8 .github: Improve issue template description
We received several times issues that the repro steps are human readable
text with ambiguous instructions. That usually ends up in maintainers
asking questions so people provide clear steps.

Let's just make the issue template more clear in that regard.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2025-03-24 12:22:07 +01:00
lfbzhm 6dd9c9bde8 Merge pull request #4687 from kolyshkin/maps-slices
Use Go 1.23 maps.Keys, slices.Sort more
2025-03-24 17:59:47 +08:00
dependabot[bot] bac338256c build(deps): bump github.com/opencontainers/selinux
Bumps [github.com/opencontainers/selinux](https://github.com/opencontainers/selinux) from 1.11.1 to 1.12.0.
- [Release notes](https://github.com/opencontainers/selinux/releases)
- [Commits](https://github.com/opencontainers/selinux/compare/v1.11.1...v1.12.0)

---
updated-dependencies:
- dependency-name: github.com/opencontainers/selinux
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-03-24 04:56:16 +00:00
Kir Kolyshkin bc96bc8558 libct/seccomp: use maps and slices pkgs
Since we have now switched to Go 1.23, we can use maps and slices pkgs

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-21 16:04:05 -07:00
Kir Kolyshkin 370733b7d9 libct/cap: rm mapKeys, use maps.Keys, slices.Sorted
Since we've switched to Go 1.23 we can now use the new functionality of
maps and slices packages.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-21 16:03:40 -07:00
Akihiro Suda e0bf28b910 Merge pull request #4685 from kolyshkin/smaller-state
Make state.json 25% smaller
2025-03-21 09:14:18 +09:00
Kir Kolyshkin 3a33b6a3df Make state.json 25% smaller
This makes the state.json file 1303 bytes or almost 25% smaller (when
using the default spec, YMMV) by omitting default values.

Before: 5496 bytes
After: 4193 bytes

(With cgroups#9 applied, the new size is 3424, which is almost 40%
savings, compared to the original).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-19 15:51:52 -07:00
Akihiro Suda 8b98e829f0 Merge pull request #4676 from kolyshkin/keyring-log
libct: log a warning on join session keyring failure
2025-03-18 02:32:04 +09:00
Kir Kolyshkin 4c22153982 Merge pull request #4679 from rata/misc
libct: Use chown(uid, -1) to not change the gid
2025-03-14 17:49:40 -07:00
Kir Kolyshkin fde0842083 Merge pull request #4670 from kolyshkin/shell-spring-cleaning
Shell spring cleaning
2025-03-14 17:49:23 -07:00
Rodrigo Campos 9c5e687b6f libct: Use chown(uid, -1) to not change the gid
There is no behavior change, it is just more readable to use -1 to mean
don't touch this.

Please note that if the GID is not mapped in the userns, by using -1 for
that no error is returned. We just avoid dealing with it completely, as
we want here.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2025-03-14 16:52:20 +01:00
Rodrigo Campos 92d1ea4acc Merge pull request #4675 from kolyshkin/nits-33
Misc CI nits
2025-03-14 12:34:24 -03:00
Kir Kolyshkin d31e6b87ca ci: bump bats to v0.11.0
This is the version available from Fedora 41.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-13 10:26:11 -07:00
Kir Kolyshkin 8e653e40c6 script/setup_host_fedora.sh: use bash arrays
This makes the code more robust and allows to remove the
"shellcheck disable=SC2086" annotation.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-13 10:21:55 -07:00
Kir Kolyshkin a76a1361b4 script/setup_host_fedora.sh: remove -p from mkdir
1. There is no need to have -p option in mkdir here, since
   /home/rootless was already created by useradd above.

2. When there is no -p, there is no need to suppress the shellcheck
   warning (which looked like this):

> In script/setup_host_fedora.sh line 21:
> mkdir -m 0700 -p /home/rootless/.ssh
>       ^-- SC2174 (warning): When used with -p, -m only applies to the deepest directory.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-13 10:21:55 -07:00
Kir Kolyshkin af386d1df1 tests/int: rm some "shellcheck disable" annotations
Those are no longer needed with shellcheck v0.10.0 (possibly with an
earlier version, too, but I am too lazy to check that).

While at it, fix a typo in the comment.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-13 10:21:55 -07:00
Kir Kolyshkin b48dd65114 ci: bump shellcheck to v0.10.0
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-13 10:21:55 -07:00
Kir Kolyshkin 6e5ffb7cbc Makefile: bump shfmt to v3.11.0
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-13 10:21:55 -07:00
Kir Kolyshkin 539315534f libct: log a warning on join session keyring failure
This addresses a TODO item added by commit 40f146841
("keyring: handle ENOSYS with keyctl(KEYCTL_JOIN_SESSION_KEYRING)"),
as we do have runc init logging working fine for quite some time.

While at it, fix a typo in a comment (standart -> standard).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-13 08:42:22 -07:00
Kir Kolyshkin 9aeb7905cf tests/int/selinux: fix skip message
It was a mistake to say that SELinux need to be in the enforcing mode
for these tests to run. It only needs to be enabled.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-13 08:40:37 -07:00
Kir Kolyshkin 5ac77ed6d9 libct/int: add/use needUserNS helper
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-13 08:40:27 -07:00
Rodrigo Campos 67edd6d88e Merge pull request #4671 from kolyshkin/git-core
.cirrus.yml: install less dependencies
2025-03-13 11:35:15 -03:00
Kir Kolyshkin 1d9bea5378 .cirrus.yml: install less dependencies
In a nutshell:
 - use git-core instead of git;
 - do not install weak deps;
 - do not install docs.

This results in less packages to install:
 - 25 instead of 72 for almalinux-8
 - 24 instead of 90 for almalinux-9

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-10 14:39:26 -07:00
lfbzhm 854fb5242f Merge pull request #4666 from kolyshkin/pidfd_send_signal
Use pidfd_send_signal under the hood
2025-03-08 10:41:40 +08:00
Kir Kolyshkin 1afa1b8662 signals: replace unix.Kill with process.Signal
This way, given a recent Go and Linux version, pidfd_send_signal will
be used under the hood.

Keep unix.Signal and unix.SignalName for logging (it is way more
readable than what os.Signal.String() provides).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-07 16:47:06 -08:00
lfbzhm 346c80d714 libct: replace unix.Kill with os.Process.Signal
Because we should switch to unix.PidFDSendSignal in new kernels, it has
been supported in go runtime. We don't need to add fall back to
unix.Kill code here.

Signed-off-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-07 14:07:47 -08:00
Kir Kolyshkin aad4d97d83 Merge pull request #4664 from AkihiroSuda/lima-actions
CI: migrate Vagrant + Cirrus to Lima + GHA
2025-03-07 12:55:43 -08:00
Akihiro Suda 135552e5e4 CI: migrate Vagrant + Cirrus to Lima + GHA
- Unlike proprietary Vagrant, Lima remains to be an open source project
- GHA now natively supports nested virt on Linux runners

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2025-03-07 12:48:02 +09:00
Rodrigo Campos b936081e87 Merge pull request #4660 from lifubang/fix-doc-spec-1.2.1
doc: update spec-conformance.md
2025-03-06 10:23:36 -03:00
lfbzhm 1bb3820760 Merge pull request #4663 from opencontainers/dependabot/go_modules/golang.org/x/net-0.37.0 2025-03-06 18:53:44 +08:00
dependabot[bot] d5fe53030b build(deps): bump golang.org/x/net from 0.36.0 to 0.37.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.36.0 to 0.37.0.
- [Commits](https://github.com/golang/net/compare/v0.36.0...v0.37.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-03-06 09:52:25 +00:00
dependabot[bot] 5c10e90ec3 Merge pull request #4662 from opencontainers/dependabot/go_modules/golang.org/x/sys-0.31.0 2025-03-06 09:51:12 +00:00
dependabot[bot] 000cdef75d build(deps): bump golang.org/x/sys from 0.30.0 to 0.31.0
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.30.0 to 0.31.0.
- [Commits](https://github.com/golang/sys/compare/v0.30.0...v0.31.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-03-06 04:49:01 +00:00
lifubang 79e9cf53e0 doc: update spec-conformance.md
Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-03-05 19:26:06 -08:00
Akihiro Suda 25dcdc71ae Merge pull request #4658 from snprajwal/deps
deps: bump go-criu to v7
2025-03-06 09:32:28 +09:00
Akihiro Suda c8c6a8528d Merge pull request #4659 from opencontainers/dependabot/go_modules/golang.org/x/net-0.36.0
build(deps): bump golang.org/x/net from 0.35.0 to 0.36.0
2025-03-06 09:30:59 +09:00
dependabot[bot] 12c2e21f40 build(deps): bump golang.org/x/net from 0.35.0 to 0.36.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.35.0 to 0.36.0.
- [Commits](https://github.com/golang/net/compare/v0.35.0...v0.36.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-03-05 04:26:18 +00:00
Prajwal S N 05e83fc600 deps: bump go-criu to v7
Signed-off-by: Prajwal S N <prajwalnadig21@gmail.com>
2025-03-05 01:02:53 +05:30
Aleksa Sarai 2f93d663a0 merge #4657 into opencontainers/runc:main
Rodrigo Campos (2):
  VERSION: back to development
  VERSION: release v1.3.0-rc.1

LGTMs: AkihiroSuda lifubang cyphar
2025-03-04 22:57:28 +11:00
Rodrigo Campos 5d6e7e1279 VERSION: back to development
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-03-04 18:42:08 +11:00
Rodrigo Campos a00ce11e91 VERSION: release v1.3.0-rc.1
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
(cyphar: improve changelog)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-03-04 18:42:08 +11:00
lfbzhm 0ebf33109b Merge pull request #4327 from kolyshkin/exec-cpu-aff
runc exec: implement CPU affinity
2025-03-03 17:57:45 +08:00
Kir Kolyshkin 10ca66bff5 runc exec: implement CPU affinity
As per
- https://github.com/opencontainers/runtime-spec/pull/1253
- https://github.com/opencontainers/runtime-spec/pull/1261

CPU affinity can be set in two ways:
1. When creating/starting a container, in config.json's
   Process.ExecCPUAffinity, which is when applied to all execs.
2. When running an exec, in process.json's CPUAffinity, which
   applied to a given exec and overrides the value from (1).

Add some basic tests.

Note that older kernels (RHEL8, Ubuntu 20.04) change CPU affinity of a
process to that of a container's cgroup, as soon as it is moved to that
cgroup, while newer kernels (Ubuntu 24.04, Fedora 41) don't do that.

Because of the above,
 - it's impossible to really test initial CPU affinity without adding
   debug logging to libcontainer/nsenter;
 - for older kernels, there can be a brief moment when exec's affinity
   is different than either initial or final affinity being set;
 - exec's final CPU affinity, if not specified, can be different
   depending on the kernel, therefore we don't test it.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-02 19:17:41 -08:00
Aleksa Sarai 701516b57a merge #4654 into opencontainers/runc:main
lifubang (1):
  performance improvement: setup signal notify in a new go routine

LGTMs: kolyshkin cyphar
2025-03-02 02:47:28 +11:00
lifubang d92dd22611 performance improvement: setup signal notify in a new go routine
There is a big loop(at least 65 times) in `signal.Notify`, it costs as much
time as `runc init`, so we can call it in parallel ro reduce the container
start time. In a general test, it can be reduced about 38.70%.

Signed-off-by: lifubang <lifubang@acmcoder.com>
(cyphar: move signal channel definition inside goroutine)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-03-01 23:46:25 +11:00
Aleksa Sarai 202ca99fae merge #4655 into opencontainers/runc:main
Kir Kolyshkin (1):
  CHANGELOG: fwd port 1.2.1 to 1.2.5 changes

LGTMs: lifubang cyphar
2025-03-01 21:38:19 +11:00
Aleksa Sarai b0a21af4b1 merge #4638 into opencontainers/runc:main
Kir Kolyshkin (1):
  Switch to opencontainers/cgroups

LGTMs: lifubang cyphar
2025-03-01 21:37:27 +11:00
Kir Kolyshkin a75076b4a4 Switch to opencontainers/cgroups
This removes libcontainer/cgroups packages and starts
using those from github.com/opencontainers/cgroups repo.

Mostly generated by:

  git rm -f libcontainer/cgroups

  find . -type f -name "*.go" -exec sed -i \
    's|github.com/opencontainers/runc/libcontainer/cgroups|github.com/opencontainers/cgroups|g' \
    {} +

  go get github.com/opencontainers/cgroups@v0.0.1
  make vendor
  gofumpt -w .

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-28 15:20:33 -08:00
Kir Kolyshkin 6e01e85054 CHANGELOG: fwd port 1.2.1 to 1.2.5 changes
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-28 11:40:56 -08:00
Kir Kolyshkin 85ba66f059 Merge pull request #4653 from opencontainers/dependabot/go_modules/github.com/opencontainers/runtime-spec-1.2.1
build(deps): bump github.com/opencontainers/runtime-spec from 1.2.0 to 1.2.1
2025-02-28 11:24:49 -08:00
dependabot[bot] 537a2276bb build(deps): bump github.com/opencontainers/runtime-spec
Bumps [github.com/opencontainers/runtime-spec](https://github.com/opencontainers/runtime-spec) from 1.2.0 to 1.2.1.
- [Release notes](https://github.com/opencontainers/runtime-spec/releases)
- [Changelog](https://github.com/opencontainers/runtime-spec/blob/main/ChangeLog)
- [Commits](https://github.com/opencontainers/runtime-spec/compare/v1.2.0...v1.2.1)

---
updated-dependencies:
- dependency-name: github.com/opencontainers/runtime-spec
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-02-28 04:52:38 +00:00
Rodrigo Campos 8c72dfae65 Merge pull request #4627 from beam-cloud/main
Add skip-in-flight and link-remap criu options for checkpoint and restore
2025-02-26 06:06:26 -03:00
Rodrigo Campos 352c8d40ac Merge pull request #4636 from lifubang/fix-exec-timens
libct: don't send config to nsexec when joining an existing timens
2025-02-26 05:53:29 -03:00
Aleksa Sarai cfb643e02b merge #4641 into opencontainers/runc:main
Tomasz Duda (1):
  exeseal: do not use F_SEAL_FUTURE_WRITE

LGTMs: kolyshkin cyphar
2025-02-26 16:56:39 +11:00
Tomasz Duda c43ea7d629 exeseal: do not use F_SEAL_FUTURE_WRITE
Prior to kernel Linux 5.5, F_SEAL_FUTURE_WRITE has a bug which maps
memory as shared between processes even if it is set as private. See
kernel commit 05d351102dbe ("mm, memfd: fix COW issue on MAP_PRIVATE and
F_SEAL_FUTURE_WRITE mappings") for more details.

According to the fcntl(2) man pages, F_SEAL_WRITE is enough:

> Furthermore, trying to create new shared, writable memory-mappings via
> mmap(2) will also fail with EPERM.
>
> Using the F_ADD_SEALS operation to set the F_SEAL_WRITE seal fails
> with EBUSY if any writable, shared mapping exists. Such mappings must
> be unmapped before you can add this seal.

F_SEAL_FUTURE_WRITE only makes sense if a read-write shared mapping in
one process should be read-only in another process. This is not case for
runc, especially not for the /proc/self/exe we are protecting.

Signed-off-by: Tomasz Duda <tomaszduda23@gmail.com>
(cyphar: improve the comment regarding F_SEAL_FUTURE_WRITE)
(cyphar: improve commit message)
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-02-26 16:40:34 +11:00
Daniel Levi-Minzi 1d047e44ed expose criu options for link remap and skip in flight
Signed-off-by: Daniel Levi-Minzi <dleviminzi@gmail.com>
2025-02-25 10:35:31 -05:00
Kir Kolyshkin e0e22d33ea Merge pull request #4643 from cyphar/dmz-rename
libcontainer: rename dmz -> exeseal
2025-02-24 21:42:27 -08:00
Aleksa Sarai 58a599d28a merge #4593 into opencontainers/runc:main
Kir Kolyshkin (1):
  tests/int: add hooks argv[0] test

LGTMs: rata cyphar
2025-02-25 13:54:46 +11:00
Aleksa Sarai 559bd4ebdf libcontainer: rename dmz -> exeseal
The "dmz" name was originally used because the libcontainer/dmz package
housed the runc-dmz binary, but since we removed it in commit
871057d863 ("drop runc-dmz solution according to overlay solution")
the name is an anachronism and we should just give it a more
self-explanatory name.

So, call it libcontainer/exeseal because the purpose of the package is
to provide tools to seal /proc/self/exe against attackers.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-02-25 13:46:05 +11:00
Aleksa Sarai ef9830a0bf merge #4513 into opencontainers/runc:main
Tomasz Duda (1):
  support cgroup v1 mounted with noprefix

LGTMs: kolyshkin cyphar
2025-02-25 13:21:49 +11:00
lfbzhm 5f8abe5754 Merge pull request #4637 from mirendev/evanphx/b-eintr
Retry direct unix package calls if observing EINTR
2025-02-25 08:24:20 +08:00
lfbzhm 7ee017cf04 Merge pull request #4633 from kolyshkin/libct-cg-sep
libct/cg: eliminate remaining libct deps
2025-02-25 08:19:00 +08:00
lifubang ad09197e41 libct: don't send config to nsexec when joining an existing timens
We should configure the process's timens offset only when we need to
create new time namespace, we shouldn't do it if we are joining an
existing time namespace. (#4635)

Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-02-22 16:42:33 +00:00
lfbzhm 74619689ae test: exec into a container with private time ns
Signed-off-by: lifubang <lifubang@acmcoder.com>
2025-02-22 16:42:01 +00:00
Evan Phoenix 28475f12e3 Retry direct unix package calls if observing EINTR
Retry Recvfrom, Sendmsg, Readmsg, and Read as they can return EINTR.

Signed-off-by: Evan Phoenix <evan@phx.io>
2025-02-21 15:19:54 -08:00
Kir Kolyshkin 4e0f7a203d libct/cg/dev: remove specconv dependency
This was needed for a test case only, but we can easily copy the data
needed.

The alternatives are:
 - keep things as is (and have cgroups depend on
   runc/libcontainer/specconv);
 - remove this test case;
 - move AllowedDevices to cgroups/devices/config.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-21 14:23:58 -08:00
Kir Kolyshkin 69792827b4 libct/cg: don't use utils.CleanPath
Instead, we can just do filepath.Clean("/"+path) here.

While at it, add a comment telling why this is needed and important.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-21 14:23:58 -08:00
Kir Kolyshkin 5e1dcdf564 libct/cg: add internal/path.Inner
The code which determines inner cgroup path from cgroup config is
identical in fs and fs2 drivers, and it is using utils.CleanPath.

In preparation to move libcontainer/cgroups to a separate repo,
we have to get rid of libcontainer/utils dependency. So,
 - copy the utils.CleanPath implementation to internal/path;
 - consolidate the two innerPath implementations to internal/path.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-21 14:23:58 -08:00
Kir Kolyshkin 271aa88ed5 libct/cg/fs2: rm _defaultDirPath
The _defaultDirPath was only used for testing, and the test case
is quite easy to adopt to defaultDirPath.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-21 14:23:58 -08:00
Kir Kolyshkin 7bebe68c7a libct/cg: stop using utils.ProcThreadSelf
We were using utils.ProcThreadSelf since commit 8e8b136c,
which provides two things:
1. locking the OS tread;
2. fallback to /proc/self/task/$TID when /proc/thread-self
   is not available (kernel < 3.17).

Now, (1) is not needed since we only call readlink and not perform any
file data operation, and (2) is not needed here as this code is
only running when openat2 syscall is available, meaning kernel >= v5.6.

Also, check the error from readlink, so when it fails, we do not try to
enhance the error message.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-21 14:14:22 -08:00
Rodrigo Campos 91e6621205 Merge pull request #4634 from kolyshkin/gha-rm-ubu2004
CI: gha: rm ubuntu-20.04
2025-02-19 13:26:59 -03:00
Kir Kolyshkin 4244978687 CI: gha: rm ubuntu-20.04
There is an announce that Ubuntu 20.04 will be removed in April,
and in March there will be a few "brown-out" dates/times when
it won't work.

This leaves us with no other options than to remove ubuntu-20.04
from the testing matrix.

As a result, cgroup v1 testing will only be done on AlmaLinux 8
running on CirrusCI. It is probably going to be sufficient for
the time being (until we deprecate cgroup v1).

If not, our options are
 - run Ubuntu 20.04 (or other cgroup v1 distro) in a VM on GHA;
 - switch to cirrus-ci.

[1]: https://github.com/actions/runner-images/issues/11101

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-16 09:38:47 -08:00
lfbzhm c8737446d2 Merge pull request #4584 from kolyshkin/test-int-nits
Misc nits to tests/integration
2025-02-14 19:22:02 +08:00
lfbzhm 885f8f6dff Merge pull request #4628 from kolyshkin/ebpf0173
deps: bump cilium/ebpf to v0.17.3
2025-02-14 09:45:23 +08:00
Rodrigo Campos b0b186e64d Merge pull request #4630 from kolyshkin/clean-path
libc/utils: simplify CleanPath
2025-02-13 13:59:23 -03:00
Rodrigo Campos 199a307569 Merge pull request #4625 from kolyshkin/seccomp256
build: bump libseccomp to v2.5.6
2025-02-13 08:00:38 -03:00
lfbzhm c3c111d2a6 Merge pull request #4585 from kolyshkin/per-process-properties
Fix process/config properties merging
2025-02-13 18:47:32 +08:00
Rodrigo Campos 20727c62d5 Merge pull request #4598 from kolyshkin/go124
Add Go 1.24, drop Go 1.22
2025-02-13 07:46:47 -03:00
Kir Kolyshkin 79a4ac0553 deps: bump cilium/ebpf to v0.17.3
It has a fix for runc issue 4594.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-13 00:07:01 -08:00
Kir Kolyshkin 0f88286077 Merge pull request #4470 from kolyshkin/strings-cut
Use strings.Cut and strings.CutPrefix where possible
2025-02-12 23:35:20 -08:00
Kir Kolyshkin 6400bee7cd Merge pull request #4629 from cyphar/release-explicit-keyserver
release: explicitly set --keyserver in release signing scripts
2025-02-12 22:34:06 -08:00
Kir Kolyshkin 8db6ffbeef libc/utils: simplify CleanPath
This simplifies the code flow and basically removes the last
filepath.Clean, which is not necessary in either case:

 - for absolute path, single filepath.Clean is enough (as it is
   guaranteed to remove all dot and dot-dot elements);

 - for relative path, filepath.Rel calls Clean at the end
   (which is even documented).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-12 20:17:51 -08:00
Aleksa Sarai 26cfe14231 release: explicitly set --keyserver in release signing scripts
On my machine, the --recv-keys steps to get upstream keys started
producing errors recently, and even setting a default keyserver in the
global gpg configuration doesn't seem to help:

  + gpg --homedir=/tmp/runc-sign-tmpkeyring.qm0IP6
        --no-default-keyring --keyring=seccomp.keyring
        --recv-keys 0x47A68FCE37C7D7024FD65E11356CE62C2B524099
  gpg: keybox '/tmp/runc-sign-tmpkeyring.qm0IP6/seccomp.keyring' created
  gpg: keyserver receive failed: No keyserver available

So just explicitly specify a reputable keyserver. Ideally we would use
an .onion-address keyserver to avoid potential targeted attacks but not
everybody runs a Tor proxy on their machine.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-02-13 14:42:24 +11:00
Kir Kolyshkin 0e3b5d5b37 build: bump libseccomp to v2.5.6
A new libseccomp releases (v2.5.6 and v2.6.0) were cut last month.

Theoretically, we could use v2.6.0 but let's stay conservative for now.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-12 07:58:34 -08:00
ningmingxiao 6a3f8ea3b4 skip read /proc/filesystems if process_label is null
Signed-off-by: ningmingxiao <ning.mingxiao@zte.com.cn>
2025-02-12 12:44:39 +08:00
Kir Kolyshkin 35a28ad0a4 Merge pull request #4596 from evanphx/evanphx/b-close-range
utils: Handle close_range more gracefully
2025-02-11 18:04:07 -08:00
Kir Kolyshkin d237bc462a .cirrus.yml: use Go 1.24
Also:
1. Change GO_VERSION to GO_VER_PREFIX, and move the "." from the jq
   argument to the variable value. It allows to use something like
   "1.25" to match "1.25rc" etc, but set to "1.24." for now to require
   a released 1.24.x version.

2. Change PREFIX to URL_PREFIX.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-11 18:03:06 -08:00
Kir Kolyshkin 16d7336791 Require Go 1.23.x, drop Go 1.22 support
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-11 18:03:06 -08:00
Kir Kolyshkin 874207492e CI: add Go 1.24, drop go1.22
Also, bump golangci-lint to v1.64 (v1.64.2 added Go 1.24 support).

NOTE we still use Go 1.23.x for official builds.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-11 18:02:48 -08:00
Kir Kolyshkin 99f9ed94dc runc exec: fix setting process.Scheduler
Commit 770728e1 added Scheduler field into both Config and Process,
but forgot to add a mechanism to actually use Process.Scheduler.
As a result, runc exec does not set Process.Scheduler ever.

Fix it, and a test case (which fails before the fix).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-11 18:01:30 -08:00
Kir Kolyshkin b9114d91e2 runc exec: fix setting process.ioPriority
Commit bfbd0305b added IOPriority field into both Config and Process,
but forgot to add a mechanism to actually use Process.IOPriority.
As a result, runc exec does not set Process.IOPriority ever.

Fix it, and a test case (which fails before the fix).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-11 18:01:30 -08:00
Kir Kolyshkin 73849e797f libct: simplify Caps inheritance
For all other properties that are available in both Config and Process,
the merging is performed by newInitConfig.

Let's do the same for Capabilities for the sake of code uniformity.

Also, thanks to the previous commit, we no longer have to make sure we
do not call capabilities.New(nil).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-11 18:01:30 -08:00
Kir Kolyshkin 049a5f76cf libct/cap: allow New(nil)
In runtime-spec, capabilities property is optional, but
libcontainer/capabilities panics when New(nil) is called.

Because of this, there's a kludge in finalizeNamespace to ensure
capabilities.New is not called with nil argument, and there's a
TestProcessEmptyCaps to ensure runc won't panic.

Let's fix this at the source, allowing libct/cap to work with nil
capabilities.

(The caller is fixed by the next commit.)

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-11 18:01:30 -08:00
Kir Kolyshkin f26ec92221 libct: rm Rootless* properties from initConfig
They are passed in initConfig twice, so it does not make sense.

NB: the alternative to that would be to remove Config field from
initConfig, but it results in a much bigger patch and more maintenance
down the road.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-11 18:01:30 -08:00
Kir Kolyshkin 2a86c35768 libct: document initConfig and friends
This is one of the dark corners of runc / libcontainer, so let's shed
some light on it.

initConfig is a structure which is filled in [mostly] by newInitConfig,
and one of its hidden aspects is it contains a process config which is
the result of merge between the container and the process configs.

Let's document how all this happens, where the fields are coming from,
which one has a preference, and how it all works.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-11 18:01:30 -08:00
Akihiro Suda 3cfcb6968a Merge pull request #4623 from opencontainers/dependabot/go_modules/golang.org/x/net-0.35.0
build(deps): bump golang.org/x/net from 0.34.0 to 0.35.0
2025-02-12 10:45:11 +09:00
dependabot[bot] 13277b2017 build(deps): bump golang.org/x/net from 0.34.0 to 0.35.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.34.0 to 0.35.0.
- [Commits](https://github.com/golang/net/compare/v0.34.0...v0.35.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-02-11 04:09:22 +00:00
lfbzhm 74b35d8927 Merge pull request #4592 from kolyshkin/exec-nits
Improvements to how `runc exec` is handled
2025-02-10 18:32:33 +08:00
lfbzhm bf0f67f7f2 Merge pull request #4597 from evanphx/evanphx/b-graceful-ambient
capabilities: be more graceful in resetting ambient
2025-02-10 18:28:52 +08:00
Kir Kolyshkin 4b87c7d4fd Fixups for newProcess
1. Pass an argument as a pointer rather than copying the whole structure.
   It was a pointer initially, but this has changed in commit b2d9d996
   without giving a reason why.

2. The newProcess description was added by commit 9fac18329 (yes, the
   very first one) and hasn't changed since. As of commit 29b139f7,
   the part of it which says "and stdio from the current process"
   is no longer valid.

   Remove it, and while at it, rewrite the description entirely.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-06 22:56:11 -08:00
Kir Kolyshkin 8fbdb7e78e setupIO: optimize
The rootuid and rootgid are only needed when detach and createTTY are
both false. We also call c.Config() twice, every time creating a copy
of struct Config.

Solve both issues by passing container pointer to setupIO, and get
rootuid/rootgid only when we need those.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-06 22:56:11 -08:00
Kir Kolyshkin c4eb0c61e1 libct: createExecFifo: optimize
Every time we call container.Config(), a new copy of
struct Config is created and returned, and we do it twice here.

Accessing container.config directly fixes this.

Fixes: 805b8c73d ("Do not create exec fifo in factory.Create")
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-06 22:56:11 -08:00
Kir Kolyshkin 5d2e24453f execProcess: move some code to newProcess
Let's move some code from execProcess to newProcess, fixing the
following few issues:

1. container.State (which does quite a lot) is not needed --
   we only need container.Config here.

2. utils.SearchLabels is not needed when "runc exec --process" is used.

3. Context.String("process") is called twice.

4. It is not very clear from the code why checking for
   len(context.Args()) is performed. Move the check to just before
   Args is used, to make it clear why.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-06 22:56:11 -08:00
Kir Kolyshkin c283ed102c tests/int: add hooks argv[0] test
Looking into old opened runc issues, I noticed #1663 is there without
any resolution, and wrote this simple test checking if we mangle hook's
argv[0] in any way.

Apparently we're good, but the test actually makes sense to have.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-06 22:54:29 -08:00
Kir Kolyshkin 35b3c16e51 Merge pull request #4621 from opencontainers/dependabot/go_modules/google.golang.org/protobuf-1.36.5
build(deps): bump google.golang.org/protobuf from 1.36.4 to 1.36.5
2025-02-06 22:54:11 -08:00
dependabot[bot] 8529591ccb build(deps): bump google.golang.org/protobuf from 1.36.4 to 1.36.5
Bumps google.golang.org/protobuf from 1.36.4 to 1.36.5.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-02-07 04:09:32 +00:00
Kir Kolyshkin 746a5c23c9 libcontainer/configs/validate: improve rootlessEUIDMount
1. Avoid splitting mount data into []string if it does not contain
   options we're interested in. This should result in slightly less
   garbage to collect.

2. Use if / else if instead of continue, to make it clearer that
   we're processing one option at a time.

3. Print the whole option as a sting in an error message; practically
   this should not have any effect, it's just simpler.

4. Improve some comments.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-06 19:47:23 -08:00
Kir Kolyshkin 055041e874 libct: use strings.CutPrefix where possible
Using strings.CutPrefix (available since Go 1.20) instead of
strings.HasPrefix and/or strings.TrimPrefix makes the code
a tad more straightforward.

No functional change.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-06 19:42:35 -08:00
Kir Kolyshkin 259b71c042 libct/utils: stripRoot: rm useless HasPrefix
Using strings.HasPrefix with strings.TrimPrefix results in doing the
same thing (checking if prefix exists) twice. In this case, using
strings.TrimPrefix right away is sufficient.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-06 19:42:35 -08:00
Kir Kolyshkin ecf74300c0 libct/cg/fscommon: GetCgroupParam*: unify
1. GetCgroupParamUint: drop strings.TrimSpace since it was already
   done by GetCgroupParamString.

2. GetCgroupParamInt: use GetCgroupParamString, drop strings.TrimSpace.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-06 19:42:35 -08:00
Kir Kolyshkin ef983f5180 libct/cg/fscommon: ParseKeyValue: stricter check
It makes sense to report an error if a key or a value is empty,
as we don't expect anything like this.

Reported-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-06 19:42:34 -08:00
Kir Kolyshkin d83d533bba libct/cg/fscommon: GetValueByKey: use strings.CutPrefix
Using strings.CutPrefix (added in Go 1.20, see [1]) results in faster and
cleaner code with less allocations (as the code only allocates memory
for the value, and does it once).

While at it, improve the function documentation.

[1]: https://github.com/golang/go/issues/42537

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-06 19:42:34 -08:00
Kir Kolyshkin f134871206 libct/cg/fscommon: ParseKeyValue: use strings.Cut
Using strings.Cut (added in Go 1.18, see [1]) results in faster and
cleaner code with less allocations (as we're not using a slice).

[1]: https://github.com/golang/go/issues/46336

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-06 19:42:02 -08:00
Kir Kolyshkin e9855bdae9 libct/cg/fscommon: use strings.Cut in RDMA parser
Using strings.Cut (added in Go 1.18, see [1]) results in faster and
cleaner code with less allocations (as we're not using a slice).

Also, use switch in parseRdmaKV.

[1]: https://github.com/golang/go/issues/46336

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-06 19:42:02 -08:00
Kir Kolyshkin 930cd4944a libct/cg/fs2: use strings.Cut in parsePSIData
Using strings.Cut (added in Go 1.18, see [1]) results in faster and
cleaner code with less allocations (as we're not using a slice).

This code is tested by TestStatCPUPSI.

[1]: https://github.com/golang/go/issues/46336

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-06 19:42:02 -08:00
Kir Kolyshkin 40ce69cc9e libct/cg/fs2: use strings.Cut in setUnified
Using strings.Cut (added in Go 1.18, see [1]) results in faster and
cleaner code with less allocations (as we're not using a slice).

The code is tested by testCgroupResourcesUnified.

[1]: https://github.com/golang/go/issues/46336

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-06 19:42:02 -08:00
Kir Kolyshkin 037668e501 libct/cg/fs2: simplify parseCgroupFromReader
For cgroup v2, we always expect /proc/$PID/cgroup contents like this:

> 0::/user.slice/user-1000.slice/user@1000.service/app.slice/vte-spawn-f71c3fb8-519d-4e2d-b13e-9252594b1e05.scope

So, it does not make sense to parse it using strings.Split, we can just
cut the prefix and return the rest.

Code tested by TestParseCgroupFromReader.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-06 19:42:02 -08:00
Kir Kolyshkin 075cea3a45 libcontainer/cgroups/fs: some refactoring
Remove extra global constants that are only used in a single place and
make it harder to read the code.

Rename nanosecondsInSecond -> nsInSec.

This code is tested by unit tests.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-06 19:42:02 -08:00
Kir Kolyshkin 4271ecf73f libct/cg/fs: refactor getCpusetStat
Using strings.Cut (added in Go 1.18, see [1]) results in faster and
cleaner code with less allocations (as we're not using a slice). This
also drops the check for extra dash (we're unlikely to get it from the
kernel anyway).

While at it, rename min/max -> from/to to avoid collision with Go
min/max builtins.

This code is tested by TestCPUSetStats* tests.

[1]: https://github.com/golang/go/issues/46336

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-06 19:42:02 -08:00
Kir Kolyshkin bfcd479c5d libct/cg/fs: getPercpuUsage: rm TODO
Nowadays strings.Fields are as fast as strings.SplitN so remove TODO.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-06 19:42:02 -08:00
Kir Kolyshkin 871d9186ee exec: improve getSubCgroupPaths
1. Document the function.
2. Add sanity checks for empty and repeated controllers.

Reported-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-06 19:42:02 -08:00
Kir Kolyshkin 7149781fd0 exec: use strings.Cut to parse --cgroup
Using strings.Cut (added in Go 1.18, see [1]) results in faster and
cleaner code with less allocations (as we're not using a slice).

This part of code is covered by tests in tests/integration/exec.bats.

[1]: https://github.com/golang/go/issues/46336

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-06 19:42:02 -08:00
Akihiro Suda e6c4c9c680 Merge pull request #4616 from kolyshkin/fix-cross-build
libc/int/userns: add build tag to C file
2025-02-07 11:37:34 +09:00
Akihiro Suda dadea505df Merge pull request #4612 from kolyshkin/fix-systemd-reload
libct/cg/sd: set the DeviceAllow property before DevicePolicy
2025-02-07 11:37:10 +09:00
Kir Kolyshkin a509935304 Merge pull request #3999 from kolyshkin/uidgid
Remove /etc/passwd and /etc/group parsing on runc run/exec
2025-02-06 18:19:15 -08:00
Kir Kolyshkin ec9b0b5f72 runc list: use standard os/user
Switch from github.com/moby/sys/user to Go stdlib os/user
(which has both libc-backed and pure Go implementations).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-06 17:49:17 -08:00
Kir Kolyshkin 52f702af56 libct: earlier Rootless vs AdditionalGroups check
Since the UID/GID/AdditonalGroups fields are now numeric,
we can address the following TODO item in the code (added
by commit d2f49696 back in 2016):

> TODO: We currently can't do
> this check earlier, but if libcontainer.Process.User was typesafe
> this might work.

Move the check to much earlier phase, when we're preparing
to start a process in a container.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-06 17:49:17 -08:00
Kir Kolyshkin 7dc2486889 libct: switch to numeric UID/GID/groups
This addresses the following TODO in the code (added back in 2015
by commit 845fc65e5):

> // TODO: fix libcontainer's API to better support uid/gid in a typesafe way.

Historically, libcontainer internally uses strings for user, group, and
additional (aka supplementary) groups.

Yet, runc receives those credentials as part of runtime-spec's process,
which uses integers for all of them (see [1], [2]).

What happens next is:

1. runc start/run/exec converts those credentials to strings (a User
   string containing "UID:GID", and a []string for additional GIDs) and
   passes those onto runc init.
2. runc init converts them back to int, in the most complicated way
   possible (parsing container's /etc/passwd and /etc/group).

All this conversion and, especially, parsing is totally unnecessary,
but is performed on every container exec (and start).

The only benefit of all this is, a libcontainer user could use user and
group names instead of numeric IDs (but runc itself is not using this
feature, and we don't know if there are any other users of this).

Let's remove this back and forth translation, hopefully increasing
runc exec performance.

The only remaining need to parse /etc/passwd is to set HOME environment
variable for a specified UID, in case $HOME is not explicitly set in
process.Env. This can now be done right in prepareEnv, which simplifies
the code flow a lot. Alas, we can not use standard os/user.LookupId, as
it could cache host's /etc/passwd or the current user (even with the
osusergo tag).

PS Note that the structures being changed (initConfig and Process) are
never saved to disk as JSON by runc, so there is no compatibility issue
for runc users.

Still, this is a breaking change in libcontainer, but we never promised
that libcontainer API will be stable (and there's a special package
that can handle it -- github.com/moby/sys/user). Reflect this in
CHANGELOG.

For 3998.

[1]: https://github.com/opencontainers/runtime-spec/blob/v1.0.2/config.md#posix-platform-user
[2]: https://github.com/opencontainers/runtime-spec/blob/v1.0.2/specs-go/config.go#L86

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-06 17:49:17 -08:00
Kir Kolyshkin b55167e04d tests/int/exec --user: check default HOME
Historically, when HOME is not explicitly set in process.Env,
and UID to run as doesn't have a corresponding entry in container's
/etc/passwd, runc sets HOME=/ as a fallback.

Add the corresponding check, for the sake of backward compatibility
preservation.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-06 17:49:17 -08:00
Brad Davidson ccb589bd7d libc/int/userns: add build tag to C file
This fixes k3s cross-compilation on Windows, broken by commit
1912d5988b ("*: actually support joining a userns with a new
container").

[@kolyshkin: commit message]

Fixes: 1912d5988b
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-05 14:09:58 -08:00
Kir Kolyshkin d84388ae10 libct/cg/sd: set the DeviceAllow property before DevicePolicy
Every unit created by runc need daemon reload since systemd v230.
This breaks support for NVIDIA GPUs, see
https://github.com/opencontainers/runc/issues/3708#issuecomment-2216967210

A workaround is to set DeviceAllow before DevicePolicy.

Also:
 - add a test case (which fails before the fix) by @kolyshkin
 - better explain why we need empty DeviceAllow (by @cyphar)

Fixes 4568.

Reported-by: Jian Wen <wenjianhn@gmail.com>
Co-authored-by: Jian Wen <wenjianhn@gmail.com>
Co-authored-by: Aleksa Sarai <cyphar@cyphar.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-05 12:16:43 -08:00
Rodrigo Campos a5bfdc9df1 Merge pull request #4613 from opencontainers/dependabot/go_modules/golang.org/x/sys-0.30.0
build(deps): bump golang.org/x/sys from 0.29.0 to 0.30.0
2025-02-05 11:42:21 +01:00
dependabot[bot] a274d27598 build(deps): bump golang.org/x/sys from 0.29.0 to 0.30.0
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.29.0 to 0.30.0.
- [Commits](https://github.com/golang/sys/compare/v0.29.0...v0.30.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-02-05 04:18:02 +00:00
Evan Phoenix 54fa0c5577 capabilities: be more graceful in resetting ambient
Similar to when SetAmbient() can fail, runc should be graceful about
ResetAmbient failing.

This functionality previously worked under gvisor, which doesn't
implement ambient capabilities atm. The hard error on reset broke gvisor
usage.

Signed-off-by: Evan Phoenix <evan@phx.io>
2025-02-04 16:28:06 -08:00
Akihiro Suda 71cef22161 Merge pull request #4610 from kolyshkin/ebpf-roll-back
deps: roll back to cilium/ebpf v0.16.0
2025-02-05 07:56:34 +09:00
Akihiro Suda 5b186121bf Merge pull request #4609 from kolyshkin/fix-criu-cc
CI: fix criu-dev compile
2025-02-05 07:56:07 +09:00
Kir Kolyshkin f414b5349a CI: fix criu-dev compile
As of [1], criu requires uuid library.

[1]: https://github.com/checkpoint-restore/criu/pull/2550/commits/9a2b7d6b3baa2b3183489ed9cebece039f9f488f

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-02-01 13:27:41 -08:00
Kir Kolyshkin 9ef65ddc64 Merge pull request #4577 from kolyshkin/libct-dev
libct/devices: move config to libct/cg/devices/config
2025-01-31 17:14:33 -08:00
Kir Kolyshkin 8e5bb0d8c4 deps: roll back to cilium/ebpf v0.16.0
Also, exclude v0.17.x until there is a fix for runc issue 4594.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-01-31 16:59:54 -08:00
Kir Kolyshkin 6c9ddcc648 libct: switch from libct/devices to libct/cgroups/devices/config
Use the old package name as an alias to minimize the patch.

No functional change; this just eliminates a bunch of deprecation
warnings.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-01-31 16:51:09 -08:00
Kir Kolyshkin 200f56315e libct/devices: move config to libct/cg/devices/config
Currently, libcontainer/devices contains two things:

1. Device-related configuration data structures and accompanying
   methods. Those are used by runc itself, mostly by libct/cgroups.

2. A few functions (HostDevices, DeviceFromPath, GetDevices).
   Those are not used by runc directly, but have some external users
   (cri-o, microsoft/hcsshim), and they also have a few forks
   (containerd/pkg/oci, podman/pkg/util).

This commit moves (1) to a new separate package, config (under
libcontainer/cgroups/devices), adding a backward-compatible aliases
(marked as deprecated so we will be able to remove those later).

Alas it's not possible to move this to libcontainer/cgroups directly
because some IDs (Type, Rule, Permissions) are too generic, and renaming
them (to DeviceType, DeviceRule, DevicePermissions) will break backward
compatibility (mostly due to Rule being embedded into Device).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-01-31 16:51:09 -08:00
Akihiro Suda f1c0e63252 Merge pull request #4590 from cyphar/securejoin-0.4.0
deps: update to github.com/cyphar/filepath-securejoin@v0.4.1
2025-01-29 16:56:12 +09:00
Rodrigo Campos b94226a9c8 Merge pull request #4604 from opencontainers/dependabot/go_modules/google.golang.org/protobuf-1.36.4
build(deps): bump google.golang.org/protobuf from 1.36.3 to 1.36.4
2025-01-28 12:37:50 +01:00
Aleksa Sarai 70e500e7d1 deps: update to github.com/cyphar/filepath-securejoin@v0.4.1
This release includes a minor breaking API change that requires us to
rework the types of our wrappers, but there is no practical behaviour
change.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-01-28 22:33:16 +11:00
dependabot[bot] 24ec764a09 build(deps): bump google.golang.org/protobuf from 1.36.3 to 1.36.4
Bumps google.golang.org/protobuf from 1.36.3 to 1.36.4.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-01-27 04:55:54 +00:00
Evan Phoenix 33315a0548 libcontainer: if close_range fails, fall back to the old way
Signed-off-by: Evan Phoenix <evan@phx.io>
2025-01-24 11:54:37 -08:00
Evan Phoenix 111e8dcc0d libcontainer: Use MaxInt32 as the last FD to match kernel size semantics
Signed-off-by: Evan Phoenix <evan@phx.io>
2025-01-24 11:53:36 -08:00
Akihiro Suda 8702864454 Merge pull request #4599 from evanphx/evanphx/b-logs-hang
libcontainer: Prevent startup hang when CloseExecFrom errors
2025-01-22 10:18:42 +09:00
Evan Phoenix 7b26da9ee3 libcontainer: Prevent startup hang when CloseExecFrom errors
The previous logic caused runc to hang if CloseExecFrom returned an
error, as the defer waiting on logsDone never finished as the parent
process was never started (and it controls the closing of logsDone via
it's logsPipe).

This moves the defer to after we have started the parent, with means all
the logic related to managing the logsPipe should also be running.

Signed-off-by: Evan Phoenix <evan@phx.io>
2025-01-21 10:01:19 -08:00
lfbzhm a7d76457f4 Merge pull request #4591 from opencontainers/dependabot/go_modules/google.golang.org/protobuf-1.36.3
build(deps): bump google.golang.org/protobuf from 1.36.2 to 1.36.3
2025-01-16 20:34:13 +08:00
dependabot[bot] 9af7952249 build(deps): bump google.golang.org/protobuf from 1.36.2 to 1.36.3
Bumps google.golang.org/protobuf from 1.36.2 to 1.36.3.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-01-16 04:05:13 +00:00
Kir Kolyshkin 610aa88ab2 Merge pull request #4557 from cyphar/release-policy
RELEASES: add formal release policy for runc
2025-01-10 12:23:22 -08:00
lfbzhm 4120935737 Merge pull request #4325 from kolyshkin/opt-env
libct: speedup process.Env handling
2025-01-09 18:45:31 +08:00
Kir Kolyshkin 06f1e07655 libct: speedup process.Env handling
The current implementation sets all the environment variables passed in
Process.Env in the current process, one by one, then uses os.Environ to
read those back.

As pointed out in [1], this is slow, as runc calls os.Setenv for every
variable, and there may be a few thousands of those. Looking into how
os.Setenv is implemented, it is indeed slow, especially when cgo is
enabled.

Looking into why it was implemented the way it is, I found commit
9744d72c and traced it to [2], which discusses the actual reasons.
It boils down to these two:

 - HOME is not passed into container as it is set in setupUser by
   os.Setenv and has no effect on config.Env;
 - there is a need to deduplicate the environment variables.

Yet it was decided in [2] to not go ahead with this patch, but
later [3] was opened with the carry of this patch, and merged.

Now, from what I see:

1. Passing environment to exec is way faster than using os.Setenv and
   os.Environ (tests show ~20x speed improvement in a simple Go test,
   and ~3x improvement in real-world test, see below).
2. Setting environment variables in the runc context may result is some
   ugly side effects (think GODEBUG, LD_PRELOAD, or _LIBCONTAINER_*).
3. Nothing in runtime spec says that the environment needs to be
   deduplicated, or the order of preference (whether the first or the
   last value of a variable with the same name is to be used). We should
   stick to what we have in order to maintain backward compatibility.

So, this patch:
 - switches to passing env directly to exec;
 - adds deduplication mechanism to retain backward compatibility;
 - takes care to set PATH from process.Env in the current process
   (so that supplied PATH is used to find the binary to execute),
   also to retain backward compatibility;
 - adds HOME to process.Env if not set;
 - ensures any StartContainer CommandHook entries with no environment
   set explicitly are run with the same environment as before. Thanks
   to @lifubang who noticed that peculiarity.

The benchmark added by the previous commit shows ~3x improvement:

	                │   before    │                after                 │
	                │   sec/op    │    sec/op     vs base                │
	ExecInBigEnv-20   61.53m ± 1%   21.87m ± 16%  -64.46% (p=0.000 n=10)

[1]: https://github.com/opencontainers/runc/pull/1983
[2]: https://github.com/docker-archive/libcontainer/pull/418
[3]: https://github.com/docker-archive/libcontainer/pull/432

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-01-09 18:22:53 +08:00
Kir Kolyshkin 6171da6005 libct/configs: add HookList.SetDefaultEnv
1. Make CommandHook.Command a pointer, which reduces the amount of data
   being copied when using hooks, and allows to modify command hooks.

2. Add SetDefaultEnv, which is to be used by the next commit.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-01-09 18:22:53 +08:00
Kir Kolyshkin c49b891681 tests: add test to check StartContainer hook env
This is to ensure that changes in Process.Env handling won't affect
StartContainer hook.

Reported-by: lfbzhm <lifubang@acmcoder.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-01-09 18:22:53 +08:00
Kir Kolyshkin 390641d148 libct/int: improve TestExecInEnvironment
This is a slight refactor of TestExecInEnvironment, making it more
strict wrt checking the exec output.

1. Explain why DEBUG is added twice to the env.
2. Reuse the execEnv for the check.
3. Make the check more strict -- instead of looking for substrings,
   check line by line.
4. Add a check for extra environment variables.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-01-09 18:22:53 +08:00
Kir Kolyshkin 9a54594752 libct/int: add BenchmarkExecInBigEnv
Here's what it shows on my laptop (with -count 10 -benchtime 10s,
summarized by benchstat):

	                │   sec/op    │
	ExecTrue-20       8.477m ± 2%
	ExecInBigEnv-20   61.53m ± 1%

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-01-09 18:22:53 +08:00
lfbzhm e5b777f9a9 Merge pull request #4586 from opencontainers/dependabot/go_modules/google.golang.org/protobuf-1.36.2
build(deps): bump google.golang.org/protobuf from 1.36.1 to 1.36.2
2025-01-09 12:16:44 +08:00
dependabot[bot] a69d289ffd build(deps): bump google.golang.org/protobuf from 1.36.1 to 1.36.2
Bumps google.golang.org/protobuf from 1.36.1 to 1.36.2.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-01-08 04:16:24 +00:00
Kir Kolyshkin a50e6872be tests/int: simplify assignments
Assigning a multi-line value to a bash variable should not be so complex.

While at it, slightly reformat create_runtime_hook.

No functional change.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-01-07 13:54:34 -08:00
Kir Kolyshkin a22ea827a8 tests/int/hooks_so: don't hardcode soname
Reuse the appropriate variables instead.

No functional change.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-01-07 13:54:34 -08:00
Tomasz Duda 1890af6d45 support cgroup v1 mounted with noprefix
Android mounts the v1 cpuset cgroup with the noprefix option.
As a result, runc first attempts to access cpuset files using the prefix format (e.g., cpuset.cpus).
If this fails, it falls back to accessing them without the prefix (e.g., cpus).
Once a successful access method is determined, it is cached and used for all subsequent operations.
Only the v1 cpuset cgroup is allowed to mount with noprefix. See kernel source:
https://github.com/torvalds/linux/blob/2e1b3cc9d7f790145a80cb705b168f05dab65df2/kernel/cgroup/cgroup-v1.c#L1070.
Cpuset cannot be mounted with and without prefix simultaneously.

Signed-off-by: Tomasz Duda <tomaszduda23@gmail.com>
2025-01-07 13:06:27 -08:00
dependabot[bot] 81b13172be Merge pull request #4582 from opencontainers/dependabot/go_modules/golang.org/x/net-0.34.0 2025-01-07 06:37:38 +00:00
dependabot[bot] 061483b62a build(deps): bump golang.org/x/net from 0.33.0 to 0.34.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.33.0 to 0.34.0.
- [Commits](https://github.com/golang/net/compare/v0.33.0...v0.34.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-01-07 04:35:23 +00:00
dependabot[bot] c25c92580f Merge pull request #4579 from opencontainers/dependabot/go_modules/golang.org/x/sys-0.29.0 2025-01-06 23:23:26 +00:00
dependabot[bot] 48ad17f4c6 build(deps): bump golang.org/x/sys from 0.28.0 to 0.29.0
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.28.0 to 0.29.0.
- [Commits](https://github.com/golang/sys/compare/v0.28.0...v0.29.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-01-06 04:55:38 +00:00
Aleksa Sarai 1c32d39997 merge #4576 into opencontainers/runc:main
Kir Kolyshkin (1):
  libct/system: rm Fexecve

LGTMs: lifubang cyphar
2025-01-04 15:39:05 +11:00
Kir Kolyshkin 83350c24a9 libct/system: rm Fexecve
This helper was added for runc-dmz in commit dac417174, but runc-dmz was
later removed in commit 871057d, which forgot to remove the helper.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-01-03 13:57:05 -08:00
Akihiro Suda 06a4a781a5 Merge pull request #4572 from rinarakaki/main
Fix `go.mod` link in README.md
2025-01-01 02:06:45 +09:00
Akihiro Suda e859f292d6 Merge pull request #4571 from opencontainers/dependabot/go_modules/google.golang.org/protobuf-1.36.1
build(deps): bump google.golang.org/protobuf from 1.36.0 to 1.36.1
2025-01-01 02:06:31 +09:00
Rin Arakaki c0abf76e0f Update README.md
Signed-off-by: Rin Arakaki <rnarkkx@gmail.com>
2024-12-29 14:36:49 +09:00
lfbzhm d48d9cfefc Merge pull request #4459 from kolyshkin/prio-nits
Fixups to scheduler/priority settings
2024-12-25 23:41:27 +08:00
dependabot[bot] f848304994 build(deps): bump google.golang.org/protobuf from 1.36.0 to 1.36.1
Bumps google.golang.org/protobuf from 1.36.0 to 1.36.1.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-12-25 23:29:14 +08:00
lfbzhm fd932ec301 Merge pull request #4433 from kolyshkin/hasHook
libct: add/use configs.HasHook
2024-12-25 19:28:13 +08:00
Kir Kolyshkin 57462491c1 libct/configs/validate: add IOPriority.Class validation
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-12-22 18:17:44 -08:00
Kir Kolyshkin 7334ee01e6 libct/configs: rm IOPrioClassMapping
This is an internal implementation detail and should not be either
public or visible.

Amend setIOPriority to do own class conversion.

Fixes: bfbd0305 ("Add I/O priority")
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-12-22 18:17:44 -08:00
Kir Kolyshkin 5d3942eec3 libct: unify IOPriority setting
For some reason, io priority is set in different places between runc
start/run and runc exec:

 - for runc start/run, it is done in the middle of (*linuxStandardInit).Init,
   close to the place where we exec runc init.
 - for runc exec, it is done much earlier, in (*setnsProcess) start().

Let's move setIOPriority call for runc exec to (*linuxSetnsInit).Init,
so it is in the same logical place as for runc start/run.

Also, move the function itself to init_linux.go as it's part of init.

Should not have any visible effect, except part of runc init is run with
a different I/O priority.

While at it, rename setIOPriority to setupIOPriority, and make it accept
the whole *configs.Config, for uniformity with other similar functions.

Fixes: bfbd0305 ("Add I/O priority")
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-12-22 18:15:31 -08:00
Kir Kolyshkin ec465d39f5 utils: simplify newProcess
This code is not in libcontainer, meaning it is only used by a short lived
binary (runc start/run/exec). Unlike code in libcontainer (see
CreateLibcontainerConfig), here we don't have to care about copying the
structures supplied as input, meaning we can just reuse the pointers
directly.

Fixes: bfbd0305 ("Add I/O priority")
Fixes: 770728e1 ("Support `process.scheduler`")
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-12-22 18:06:20 -08:00
Kir Kolyshkin 2dc3ea4b87 libct: simplify setIOPriority/setupScheduler calls
Move the nil check inside, simplifying the callers.

Fixes: bfbd0305 ("Add I/O priority")
Fixes: 770728e1 ("Support `process.scheduler`")
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-12-22 18:06:20 -08:00
Kir Kolyshkin 93091e6ac2 libct: don't pass SpecState to init unless needed
SpecState field of initConfig is only needed to run hooks that are
executed inside a container -- namely CreateContainer and
StartContainer.

If these hooks are not configured, there is no need to fill, marshal and
unmarshal SpecState.

While at it, inline updateSpecState as it is trivial and only has one user.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-12-22 17:52:15 -08:00
Kir Kolyshkin 8afeb58398 libct: add/use configs.HasHook
This allows to omit a call to c.currentOCIState (which can be somewhat
costly when there are many annotations) when the hooks of a given kind
won't be run.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-12-22 17:47:09 -08:00
Akihiro Suda 2e906e292e Merge pull request #4312 from lifubang/refactor-process
refactor init and setns process
2024-12-23 08:53:10 +09:00
lfbzhm 171c414904 refactor init and setns process
Introduce a common parent struct `containerProcess`,
let both `initProcess` and `setnsProcess` are inherited
from it.

Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-12-21 19:16:01 -08:00
Aleksa Sarai 30962bdf7a merge #4562 into opencontainers/runc:main
Adam Korczynski (1):
  remove broken fuzzer from oss-fuzz build script

LGTMs: kolyshkin cyphar
2024-12-20 22:53:52 +11:00
dependabot[bot] ef5d2d4e35 Merge pull request #4565 from opencontainers/dependabot/go_modules/github.com/cilium/ebpf-0.17.1 2024-12-20 05:35:35 +00:00
dependabot[bot] 5855ba5303 build(deps): bump github.com/cilium/ebpf from 0.17.0 to 0.17.1
Bumps [github.com/cilium/ebpf](https://github.com/cilium/ebpf) from 0.17.0 to 0.17.1.
- [Release notes](https://github.com/cilium/ebpf/releases)
- [Commits](https://github.com/cilium/ebpf/compare/v0.17.0...v0.17.1)

---
updated-dependencies:
- dependency-name: github.com/cilium/ebpf
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-12-20 04:10:23 +00:00
Kir Kolyshkin ae994af502 Merge pull request #4563 from opencontainers/dependabot/go_modules/github.com/cilium/ebpf-0.17.0
build(deps): bump github.com/cilium/ebpf from 0.16.0 to 0.17.0
2024-12-19 16:28:57 -08:00
dependabot[bot] e809db842f build(deps): bump github.com/cilium/ebpf from 0.16.0 to 0.17.0
Bumps [github.com/cilium/ebpf](https://github.com/cilium/ebpf) from 0.16.0 to 0.17.0.
- [Release notes](https://github.com/cilium/ebpf/releases)
- [Commits](https://github.com/cilium/ebpf/compare/v0.16.0...v0.17.0)

---
updated-dependencies:
- dependency-name: github.com/cilium/ebpf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-12-20 00:07:03 +00:00
Kir Kolyshkin 5239b05129 Merge pull request #4564 from opencontainers/dependabot/go_modules/golang.org/x/net-0.33.0
build(deps): bump golang.org/x/net from 0.32.0 to 0.33.0
2024-12-19 16:05:57 -08:00
Aleksa Sarai b5a1957d53 Merge pull request #4560 from opencontainers/dependabot/go_modules/github.com/cyphar/filepath-securejoin-0.3.6
build(deps): bump github.com/cyphar/filepath-securejoin from 0.3.5 to 0.3.6
2024-12-19 15:14:00 +11:00
dependabot[bot] c2b11a6353 build(deps): bump golang.org/x/net from 0.32.0 to 0.33.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.32.0 to 0.33.0.
- [Commits](https://github.com/golang/net/compare/v0.32.0...v0.33.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-12-19 04:09:48 +00:00
dependabot[bot] 71327d7fcd build(deps): bump github.com/cyphar/filepath-securejoin
Bumps [github.com/cyphar/filepath-securejoin](https://github.com/cyphar/filepath-securejoin) from 0.3.5 to 0.3.6.
- [Release notes](https://github.com/cyphar/filepath-securejoin/releases)
- [Changelog](https://github.com/cyphar/filepath-securejoin/blob/main/CHANGELOG.md)
- [Commits](https://github.com/cyphar/filepath-securejoin/compare/v0.3.5...v0.3.6)

---
updated-dependencies:
- dependency-name: github.com/cyphar/filepath-securejoin
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-12-19 01:42:44 +00:00
lfbzhm 90f38e76ae Merge pull request #4561 from kolyshkin/lint162
GHA CI bumps
2024-12-19 09:33:04 +08:00
Aleksa Sarai af929228bb RELEASES: add formal release policy for runc
Historically, our release cadence and support policy has been quite
ad-hoc, which has caused some strife and is not really becoming of a
project as widely used as ours. So, in an attempt to make our releases
more regular and to provide more guidance on our backport policy, add a
document outlining our policy.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-12-19 12:26:39 +11:00
Adam Korczynski 21c0968bf1 remove broken fuzzer from oss-fuzz build script
Signed-off-by: Adam Korczynski <adam@adalogics.com>
2024-12-18 16:49:44 +00:00
Kir Kolyshkin 9468986a49 ci: use a specific ubuntu version
GHA shows a warning telling that "ubuntu-latest" is going to be switched
to ubuntu-24.04 soon. Let's specify the version explicitly (and switch
to 24.04 for this job ahead of github).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-12-17 22:52:16 -08:00
Kir Kolyshkin e845f4be86 ci: bump golangci-lint to v1.62
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-12-17 22:50:44 -08:00
dependabot[bot] aace922de9 Merge pull request #4558 from opencontainers/dependabot/go_modules/google.golang.org/protobuf-1.36.0 2024-12-18 01:20:22 +00:00
dependabot[bot] 705382ac66 build(deps): bump google.golang.org/protobuf from 1.35.2 to 1.36.0
Bumps google.golang.org/protobuf from 1.35.2 to 1.36.0.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-12-17 04:53:16 +00:00
Aleksa Sarai 3ddaa9140d merge #4555 into opencontainers/runc:main
Kir Kolyshkin (1):
  Re-add tun/tap to default device rules

LGTMs: AkihiroSuda cyphar
2024-12-17 14:13:05 +11:00
Kir Kolyshkin 394f4c3b70 Re-add tun/tap to default device rules
Since v1.2.0 was released, a number of users complained that the removal
of tun/tap device access from the default device ruleset is causing a
regression in their workloads.

Additionally, it seems that some upper-level orchestration tools
(Docker Swarm, Kubernetes) makes it either impossible or cumbersome
to supply additional device rules.

While it's probably not quite right to have /dev/net/tun in a default
device list, it was there from the very beginning, and users rely on it.
Let's keep it there for the sake of backward compatibility.

This reverts commit 2ce40b6ad7.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-12-16 12:01:10 -08:00
Akihiro Suda 28b65d3d23 Merge pull request #4472 from kolyshkin/cg-cfg
libct/configs: move cgroup configs to libct/cgroups
2024-12-15 02:01:32 +09:00
Akihiro Suda 2e1559ecd3 Merge pull request #4553 from kolyshkin/keyring
keyring: update @kolyshkin key expiry
2024-12-14 22:12:37 +09:00
Kir Kolyshkin b15fcc1be6 keyring: update @kolyshkin key expiry
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-12-13 14:28:12 -08:00
Kir Kolyshkin 5a838ccbe0 tests/cmd/sd-helper: switch from configs to cgroups
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-12-11 19:08:40 -08:00
Kir Kolyshkin a56f85f87b libct/*: switch from configs to cgroups
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-12-11 19:08:40 -08:00
Kir Kolyshkin 04041f21ac libct/cgroups/*: switch from configs to cgroups
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-12-11 19:08:40 -08:00
Kir Kolyshkin ae477f15f0 libct/configs: move cgroup stuff to libct/cgroups
We have quite a few external users of libcontainer/cgroups packages,
and they all have to depend on libcontainer/configs as well.

Let's move cgroup-related configuration to libcontainer/croups.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-12-11 19:08:40 -08:00
Kir Kolyshkin 85c7c99d05 libct/cg/fs2: fix some revive linter warnings
These:

> Error: libcontainer/cgroups/fs2/cpu.go:15:6: var-naming: func isCpuSet should be isCPUSet (revive)
> func isCpuSet(r *cgroups.Resources) bool {
>      ^
> Error: libcontainer/cgroups/fs2/cpu.go:19:6: var-naming: func setCpu should be setCPU (revive)
> func setCpu(dirPath string, r *cgroups.Resources) error {
>      ^

They are going to be shown after next commits because of linter-extra CI
job (which, due to major changes, now thinks it's a new code so extra
linters apply).

Fixing it beforehand.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-12-11 19:08:25 -08:00
lfbzhm 986451c24e Merge pull request #4383 from kolyshkin/test-cmd
Move test helper binaries
2024-12-12 09:00:37 +08:00
Kir Kolyshkin 66fe7db3bc Move test helper binaries
Instead of having every test helper binary in its own directory, let's
use /tests/cmd/_bin as a destination directory.

This allows for simpler setup/cleanup.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-12-11 10:46:33 -08:00
Akihiro Suda 4cb480de70 Merge pull request #4546 from kolyshkin/criu-opt
Add `runc_nocriu` build tag to opt out of c/r
2024-12-11 13:04:22 +09:00
Kir Kolyshkin 47dc185880 Add runc_nocriu build tag
This allows to make a 17% smaller runc binary by not compiling in
checkpoint/restore support.

It turns out that google.golang.org/protobuf package, used by go-criu,
is quite big, and go linker can't drop unused stuff if reflection is
used anywhere in the code.

Currently there's no alternative to using protobuf in go-criu, and since
not all users use c/r, let's provide them an option for a smaller
binary.

For the reference, here's top10 biggest vendored packages, as reported
by gsa[1]:

$ gsa runc | grep vendor | head
│ 8.59%   │ google.golang.org/protobuf                  │ 1.3 MB │ vendor    │
│ 5.76%   │ github.com/opencontainers/runc              │ 865 kB │ vendor    │
│ 4.05%   │ github.com/cilium/ebpf                      │ 608 kB │ vendor    │
│ 2.86%   │ github.com/godbus/dbus/v5                   │ 429 kB │ vendor    │
│ 1.25%   │ github.com/urfave/cli                       │ 188 kB │ vendor    │
│ 0.90%   │ github.com/vishvananda/netlink              │ 135 kB │ vendor    │
│ 0.59%   │ github.com/sirupsen/logrus                  │ 89 kB  │ vendor    │
│ 0.56%   │ github.com/checkpoint-restore/go-criu/v6    │ 84 kB  │ vendor    │
│ 0.51%   │ golang.org/x/sys                            │ 76 kB  │ vendor    │
│ 0.47%   │ github.com/seccomp/libseccomp-golang        │ 71 kB  │ vendor    │

And here is a total binary size saving when `runc_nocriu` is used.

For non-stripped binaries:

$ gsa runc-cr runc-nocr | tail -3
│ -17.04% │ runc-cr                                  │ 15 MB    │ 12 MB    │ -2.6 MB │
│         │ runc-nocr                                │          │          │         │
└─────────┴──────────────────────────────────────────┴──────────┴──────────┴─────────┘

And for stripped binaries:

│ -17.01% │ runc-cr-stripped                         │ 11 MB    │ 8.8 MB   │ -1.8 MB │
│         │ runc-nocr-stripped                       │          │          │         │
└─────────┴──────────────────────────────────────────┴──────────┴──────────┴─────────┘

[1]: https://github.com/Zxilly/go-size-analyzer

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-12-09 11:19:23 -08:00
Kir Kolyshkin c487840f75 Remove main package dependency on criurpc
Commit 7f64fb47 made the main package, and runc/libcontainer's CriuOpts
depend on criu/rpc. This is not good; among the other things, it makes
it complicated to make c/r optional.

Let's switch CriuOpts.ManageCgroupsMode to a string (yes, it's an APIt
breaking change) and move the cgroup mode string parsing to
libcontainer.

While at it, let's better document ManageCgroupsMode.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-12-09 11:19:23 -08:00
Sebastiaan van Stijn e0752069a5 Merge pull request #4548 from cyphar/ebpf-enotsup
cgroups: ebpf: use link.Anchor to check for BPF_F_REPLACE support
2024-12-07 13:17:20 +01:00
lfbzhm fe371b9dae Merge pull request #4549 from cyphar/racing-mkdirall
deps: update to github.com/cyphar/filepath-securejoin@v0.3.5
2024-12-07 09:30:47 +08:00
Aleksa Sarai 2f1b6626f3 deps: update to github.com/cyphar/filepath-securejoin@v0.3.5
This fixes a regression in use of securejoin.MkdirAll, where multiple
runc processes racing to create the same mountpoint in a shared rootfs
would result in spurious EEXIST errors. In particular, this regression
caused issues with BuildKit.

Fixes: dd827f7b71 ("utils: switch to securejoin.MkdirAllHandle")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-12-06 19:38:46 +11:00
Aleksa Sarai c0044c7aa4 cgroup: ebpf: make unexpected errors in haveBpfProgReplace louder
If we get an unexpected error here, it is probably because of a library
or kernel change that could cause our detection logic to be invalid. As
a result, these warnings should be louder so users have a chance to tell
us about them sooner (or so we might notice them before doing a release,
as happened with the 1.2.0 regression).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-12-06 17:54:06 +11:00
Aleksa Sarai 9bc6753d1f cgroups: ebpf: also check for ebpf.ErrNotSupported
It is possible for LinkAttachProgram to return ErrNotSupported if
program attachment is not supported at all (which doesn't matter in this
case), but it seems possible that upstream will start returning
ErrNotSupported for BPF_F_REPLACE at some point so it's best to make
sure we don't cause additional regressions here.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-12-06 17:52:14 +11:00
Aleksa Sarai dea0e04dd9 cgroups: ebpf: use link.Anchor to check for BPF_F_REPLACE support
In v0.13.0, cilium/ebpf stopped supporting setting BPF_F_REPLACE as an
explicit flag and instead requires us to use link.Anchor to specify
where the program should be attached.

Commit 216175a9ca ("Upgrade Cilium's eBPF library version to 0.16")
did update this correctly for the actual attaching logic, but when
checking for kernel support we still passed BPF_F_REPLACE. This would
result in a generic error being returned, which our feature-support
checking logic would treat as being an error the indicates that
BPF_F_REPLACE *is* supported, resulting in a regression on pre-5.6
kernels.

It turns out that our debug logging saying that this unexpected error
was happening was being output as a result of this change, but nobody
noticed...

Fixes: 216175a9ca ("Upgrade Cilium's eBPF library version to 0.16")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-12-06 17:51:41 +11:00
Akihiro Suda 9453d599a9 Merge pull request #4544 from opencontainers/dependabot/go_modules/golang.org/x/net-0.32.0
build(deps): bump golang.org/x/net from 0.31.0 to 0.32.0
2024-12-05 18:50:50 +09:00
dependabot[bot] d5694eed7c build(deps): bump golang.org/x/net from 0.31.0 to 0.32.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.31.0 to 0.32.0.
- [Commits](https://github.com/golang/net/compare/v0.31.0...v0.32.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-12-05 09:28:56 +00:00
lfbzhm 189749aca4 Merge pull request #4492 from cyphar/nsenter-flexible-joining
nsenter: implement a two-stage join for setns
2024-12-05 17:25:04 +08:00
Akihiro Suda 396a975b50 Merge pull request #4545 from opencontainers/dependabot/go_modules/golang.org/x/sys-0.28.0
build(deps): bump golang.org/x/sys from 0.27.0 to 0.28.0
2024-12-05 18:24:44 +09:00
dependabot[bot] ec7e90b308 build(deps): bump golang.org/x/sys from 0.27.0 to 0.28.0
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.27.0 to 0.28.0.
- [Commits](https://github.com/golang/sys/compare/v0.27.0...v0.28.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-12-05 04:47:30 +00:00
Kir Kolyshkin 67c8a285e7 Merge pull request #4358 from kolyshkin/rm-cap-init
libct/cap: switch to moby/sys/capability, lazy init
2024-12-02 17:00:15 -08:00
Kir Kolyshkin 66969827c0 Switch to github.com/moby/sys/capability v0.4.0
This removes the last unversioned package in runc's direct dependencies.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-12-02 13:18:10 -08:00
Kir Kolyshkin fe73f1a9ab libct/cap: switch to lazy init
A map which is created in func init is only used by capSlice, which is
only used by New, which is only used by runc init. Switch to lazy init
to slightly save on startup time.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-12-02 13:18:10 -08:00
Kir Kolyshkin cdee1b386f libct/cap: preallocate slices
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-12-02 13:18:10 -08:00
dependabot[bot] b7da16731c build(deps): bump google.golang.org/protobuf from 1.35.1 to 1.35.2
Bumps google.golang.org/protobuf from 1.35.1 to 1.35.2.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-11-18 12:11:47 +08:00
Kir Kolyshkin 9b3fe30e19 Merge pull request #4526 from lifubang/test-cgroup-removepath
libct/cg: add test for remove a non-existent dir in a ro mount point
2024-11-14 16:39:09 -08:00
lfbzhm 119111a0df libct/cg: add test for remove a non-existent dir in a ro mount point
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-11-14 23:58:35 +00:00
Akihiro Suda 4b24754360 Merge pull request #4529 from lifubang/revert-4514
Revert "Temporary set vagrant to 2.4.1-1"
2024-11-14 00:07:32 -07:00
Kir Kolyshkin d28222a987 Merge pull request #4525 from cyphar/memfd-bind-doc-kernel
memfd-bind: elaborate kernel requirements for overlayfs protection
2024-11-13 11:12:12 -08:00
Aleksa Sarai fffc165d79 tests: add test for 'weird' external namespace joining
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-11-14 00:56:55 +11:00
Aleksa Sarai fadc55eb17 nsenter: implement a two-stage join for setns
If we are running with privileges and are asked to join an externally
created user namespaces as well as some other namespace that was *not*
created underneath said user namespace, the approach we added in commit
2cd9c31b99 ("nsenter: guarantee correct user namespace ordering")
doesn't work.

While in theory you would want all externally created namespaces to be
sane, it seems that some tools really do create unrelated namespaces and
ask us to join them. Luckily we can just loosely copy what nsenter(1)
appears to do -- we first try to join any namespaces we can (with host
root privileges), then we join any user namespaces, and then we join any
remaining namespaces (now with the user namespace's privileges).

Note that we *do not* have to try to join namespaces after we create our
own user namespace. Namespace permissions are based purely on the owning
user namespace (not the rootuid) so we will not have access to any extra
namespaces once we unshare(CLONE_NEWUSER) (in fact we will not be able
to setns(2) to anything!).

Fixes: 2cd9c31b99 ("nsenter: guarantee correct user namespace ordering")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-11-14 00:56:55 +11:00
Aleksa Sarai a97d7cb217 nsenter: refuse to join unknown namespaces
This is basically a no-op change because runc already disallows this,
but it will be needed in future patches when we have to track what
namespaces have already been joined.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-11-14 00:56:55 +11:00
Aleksa Sarai 49bee5c4d4 cfmt: use the Linux { a, b } decl style
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-11-14 00:56:55 +11:00
lfbzhm 068d7da7d6 Revert "Temporary set vagrant to 2.4.1-1"
This reverts commit 5000f1697c.

Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-11-13 13:45:53 +00:00
Aleksa Sarai ac435895b9 memfd-bind: elaborate kernel requirements for overlayfs protection
Arguably these docs should live elsewhere (especially if we plan to
remove memfd-bind in the future), but for now this is the only place
that fully explains this issue.

Suggested-by: Rodrigo Campos <rodrigoca@microsoft.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-11-13 01:19:50 +11:00
Sebastiaan van Stijn eb596b8d3b Merge pull request #4523 from kolyshkin/fix-4518
runc delete: fix for rootless cgroup + ro cgroupfs
2024-11-12 10:59:29 +01:00
Kir Kolyshkin ba3d026e52 libct/cg: RemovePath: improve comments
Let's explain in greater details what's happening here and why.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-11-11 23:17:42 -08:00
Kir Kolyshkin 12e06a7c4f libct/cg: RemovePath: simplify logic
If the sub-cgroup RemovePath has failed for any reason, return the
error right away. This way, we don't have to check for err != nil
before retrying rmdir.

This is a cosmetic change and should not change any functionality.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-11-11 23:15:01 -08:00
Kir Kolyshkin db59489b68 runc delete: fix for rootless cgroup + ro cgroupfs
An issue with runc 1.2.0 was reported to buildkit, in which
runc delete returns with an error, with the log saying:

> unable to destroy container: unable to remove container's cgroup: open /sys/fs/cgroup/snschvixiy3s74w74fjantrdg: no such file or directory

Apparently, what happens is runc is running with no cgroup access
(because /sys/fs/cgroup is mounted read-only). In this case error to
create a cgroup path (in runc create/run) is ignored, but cgroup removal
(in runc delete) is not.

This is caused by commit d3d7f7d, which changes the cgroup removal
logic in RemovePath. In the current code, if the initial rmdir has
failed (in this case with EROFS), but the subsequent os.ReadDir returns
ENOENT, it is returned (instead of being ignored -- as the path does not
exist and so there is nothing to remove).

Here is the minimal fix for the issue.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-11-11 23:12:32 -08:00
Aleksa Sarai 8ed185031a merge #4519 opencontainers/runc:main
Kir Kolyshkin (1):
  MAINTAINERS: move dqminh and hqhq to EMERITUS

LGTMs: dqminh hqhq cyphar kolyshkin thaJeztah lifubang
2024-11-11 22:55:57 +11:00
dependabot[bot] e5725b1257 Merge pull request #4521 from opencontainers/dependabot/go_modules/golang.org/x/net-0.31.0 2024-11-11 10:04:20 +00:00
dependabot[bot] ca4a7a86f8 build(deps): bump golang.org/x/net from 0.30.0 to 0.31.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.30.0 to 0.31.0.
- [Commits](https://github.com/golang/net/compare/v0.30.0...v0.31.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-11-11 04:11:55 +00:00
dependabot[bot] e9e86d7a05 Merge pull request #4515 from opencontainers/dependabot/go_modules/golang.org/x/sys-0.27.0 2024-11-10 03:48:14 +00:00
Kir Kolyshkin 43af111e05 MAINTAINERS: move dqminh and hqhq to EMERITUS
Daniel and Qiang are stepping down as runc maintainers,
not being able to contribute as much as they used to.

Thank you for all the hard work!

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-11-09 13:25:03 -08:00
lfbzhm 3a099738ed Merge pull request #4511 from kolyshkin/rm-internal-testutil
ci: rm "skip on CentOS 7" kludges
2024-11-09 10:14:25 +08:00
Akihiro Suda 2fc0caf2c1 Merge pull request #4509 from cyphar/overlay-exe-fixups
dmz: overlay: minor fixups
2024-11-08 20:12:19 +09:00
dependabot[bot] ec5e7eb70a build(deps): bump golang.org/x/sys from 0.26.0 to 0.27.0
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.26.0 to 0.27.0.
- [Commits](https://github.com/golang/sys/compare/v0.26.0...v0.27.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-11-08 04:29:56 +00:00
Kir Kolyshkin 9cb59b4659 ci: rm "skip on CentOS 7" kludges
We no longer test on CentOS 7.

Remove the internal/testutil package as it has no other uses.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-11-07 13:16:16 -08:00
Rodrigo Campos ef3999def9 Merge pull request #4514 from lifubang/fix-ci-fedora
ci: temporary set vagrant to 2.4.1-1
2024-11-07 12:02:53 +01:00
lfbzhm 5000f1697c Temporary set vagrant to 2.4.1-1
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-11-06 13:25:06 +00:00
Rodrigo Campos d9eecde965 Merge pull request #4505 from kolyshkin/fedora41
CI: bump Fedora 40 -> 41
2024-11-05 14:38:45 +01:00
Aleksa Sarai b9dfb22dbf readme: drop unused memfd-bind reference
Fixes: 871057d863 ("drop runc-dmz solution according to overlay solution")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-11-05 01:45:05 +11:00
Aleksa Sarai aa505bfa89 memfd-bind: mention that overlayfs obviates the need for it
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-11-05 01:45:05 +11:00
Aleksa Sarai 9bc42d61bb dmz: overlay: set xino=off to disable dmesg spam
If /run/runc and /usr/bin are on different filesystems, overlayfs may
enable the xino feature which results in the following log message:

  kernel: overlayfs: "xino" feature enabled using 3 upper inode bits.

Each time we have to protect /proc/self/exe. So disable xino to remove
the log message (we don't care about the inode numbers of the files
anyway).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-11-04 21:01:06 +11:00
Akihiro Suda 9ce7392b59 Vagrantfile.fedora: bump Fedora to 41
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-11-03 10:16:28 -08:00
Kir Kolyshkin 609e9a5134 Vagrantfile.fedora: stop using dnf shell
In Fedora 41, dnf5 is used and it does not have dnf shell. Let's use
old dnf update; dnf install instead. It is two transactions instead
of one, but dnf5 is faster.

While at it:
 - add `--setopt=tsflags=nodocs` as we don't need docs in CI;
 - change golang-go to golang as this is a new rpm name;
 - remove gcc as it is now required by golang-bin;
 - remove container-selinux, criu, fuse-sshfs, iptables from rpms
   as they are already installed.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-11-03 10:15:36 -08:00
Kir Kolyshkin d6e6e7b7ed Merge pull request #4461 from opencontainers/dependabot/go_modules/golang.org/x/net-0.30.0
build(deps): bump golang.org/x/net from 0.24.0 to 0.30.0
2024-11-01 17:59:32 -07:00
dependabot[bot] 80c46d31c4 build(deps): bump golang.org/x/net from 0.24.0 to 0.30.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.24.0 to 0.30.0.
- [Commits](https://github.com/golang/net/compare/v0.24.0...v0.30.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-11-02 00:36:10 +00:00
Kir Kolyshkin fe461d8c23 Merge pull request #4462 from opencontainers/dependabot/go_modules/golang.org/x/sys-0.26.0
build(deps): bump golang.org/x/sys from 0.22.0 to 0.26.0
2024-11-01 17:35:30 -07:00
Akihiro Suda 519a3f1d5c Merge pull request #4357 from kolyshkin/update-swap-v2
runc update: fix updating swap for cgroup v2
2024-11-02 01:54:00 +09:00
Rodrigo Campos bb6aeedaec Merge pull request #4440 from yangzhao02/main
Terminate execution for criu that does not meet version requirements
2024-11-01 15:04:03 +01:00
lfbzhm 82bf6d1cee Merge pull request #4490 from kolyshkin/nits22
Post overlay addition and dmz removal nits
2024-10-30 09:45:36 +08:00
Aleksa Sarai 867917d509 merge #4489 into opencontainers/runc:main
Kir Kolyshkin (1):
  CHANGELOG: add (forward-port) v1.1.15 changes

LGTMs: lifubang cyphar
2024-10-30 12:39:25 +11:00
Kir Kolyshkin 5586d7caa1 libct: rm obsoleted comment
This was added by commit f2f16213e when runc-dmz was still a thing.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-29 17:11:56 -07:00
Kir Kolyshkin f9fd70b7ff CHANGELOG: add (forward-port) v1.1.15 changes
Those are taken from commit bc20cb44.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-29 17:08:23 -07:00
Kir Kolyshkin 8cc7375447 libct: fix a comment
There is a typo in the comment (ClonedBinary should be CloneBinary), and
the code has changed a bit since then, and it makes more sense to refer
to CloneSelfExe now.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-29 16:57:42 -07:00
Kir Kolyshkin ee1bced18c script/check-config.sh: add OVERLAY_FS check
While this is used by the majority of upper container runtimes, it was
not needed for runc itself. Since commit 515f09f7 runc uses overlay,
too, so let's add a check for this.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-29 16:57:25 -07:00
Aleksa Sarai 68bef803eb merge #4482 into opencontainers/runc:main
lifubang (1):
  drop runc-dmz solution according to overlay solution

LGTMs: AkihiroSuda cyphar
2024-10-29 18:14:18 +11:00
Aleksa Sarai f2ec540997 merge #4484 into opencontainers/runc:main
Akihiro Suda (1):
  docs: remove prompt symbols from shell snippets

LGTMs: kolyshkin cyphar
2024-10-29 11:58:35 +11:00
Akihiro Suda c8f5d033c2 docs: remove prompt symbols from shell snippets
Remove prompt symbols (`$`, `%`) for ease of copy-pasting

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-10-29 01:38:24 +09:00
lifubang 871057d863 drop runc-dmz solution according to overlay solution
Because we have the overlay solution, we can drop runc-dmz binary
solution since it has too many limitations.

Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-10-28 15:18:07 +00:00
Rodrigo Campos 4ad9f7fd36 Merge pull request #4432 from kolyshkin/exec-bench
libct/int: add exec benchmark
2024-10-25 10:48:26 +02:00
Aleksa Sarai 22106a4c66 merge #4473 into opencontainers/runc:main
lifubang:
  test join other container userns with selinux enabled
  libct/nsenter: become root after joining userns

LGTMs: AkihiroSuda cyphar
2024-10-25 18:22:08 +11:00
lifubang 34a928550f test join other container userns with selinux enabled
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-10-25 14:01:05 +08:00
lifubang c78f3f2ea0 libct/nsenter: become root after joining userns
Containerd pre-creates userns and netns before calling runc, which
results in the current code not working when SELinux is enabled,
resulting in the following error:

> runc create failed: unable to start container process: error during
container init: error mounting "mqueue" to rootfs at "/dev/mqueue":
setxattr /path/to/rootfs/dev/mqueue: operation not permitted

The solution is to become root in the user namespace right after
we join it.

Fixes #4466.

Co-authored-by: Wei Fu <fuweid89@gmail.com>
Co-authored-by: Kir Kolyshkin <kolyshkin@gmail.com>
Co-authored-by: Aleksa Sarai <cyphar@cyphar.com>
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-10-25 13:40:49 +08:00
Kir Kolyshkin 1e674098f5 libct/int: add exec benchmark
This is a benchmark which checks how fast we can execute /bin/true
inside a container.

Results from my machine are below. As you can see, in default setup
about 70% of exec time is spent for CVE-2019-5736 (copying runc binary),
and using either RUNC_DMZ=true or memfd-bind helps a lot.

This can also be used for profiling (using -test.cpuprofile option).

=== Default setup ===

[kir@kir-tp1 integration]$ sudo ./integration.test -test.run xxx -test.v -test.benchtime 5s -test.count 5 -test.bench . .
goos: linux
goarch: amd64
pkg: github.com/opencontainers/runc/libcontainer/integration
cpu: 12th Gen Intel(R) Core(TM) i7-12800H
BenchmarkExecTrue
BenchmarkExecTrue-20    	     327	  24475677 ns/op
BenchmarkExecTrue-20    	     244	  25242718 ns/op
BenchmarkExecTrue-20    	     232	  26187174 ns/op
BenchmarkExecTrue-20    	     237	  26780030 ns/op
BenchmarkExecTrue-20    	     318	  18487219 ns/op
PASS

=== With DMZ enabled ===

[kir@kir-tp1 integration]$ sudo -E RUNC_DMZ=true ./integration.test -test.run xxx -test.v -test.benchtime 5s -test.count 5 -test.bench . .
goos: linux
goarch: amd64
pkg: github.com/opencontainers/runc/libcontainer/integration
cpu: 12th Gen Intel(R) Core(TM) i7-12800H
BenchmarkExecTrue
BenchmarkExecTrue-20    	     694	   8263744 ns/op
BenchmarkExecTrue-20    	     778	   8483228 ns/op
BenchmarkExecTrue-20    	     784	   8456018 ns/op
BenchmarkExecTrue-20    	     732	   8160239 ns/op
BenchmarkExecTrue-20    	     769	   8236972 ns/op
PASS

=== With memfd-bind ===

[kir@kir-tp1 integration]$ sudo systemctl start  memfd-bind@$(systemd-escape -p $PWD/integration.test)
[kir@kir-tp1 integration]$ sudo ./integration.test -test.run xxx -test.v -test.benchtime 5s -test.count 5 -test.bench . .
goos: linux
goarch: amd64
pkg: github.com/opencontainers/runc/libcontainer/integration
cpu: 12th Gen Intel(R) Core(TM) i7-12800H
BenchmarkExecTrue
BenchmarkExecTrue-20    	     800	   7538839 ns/op
BenchmarkExecTrue-20    	     717	   7424755 ns/op
BenchmarkExecTrue-20    	     848	   7747787 ns/op
BenchmarkExecTrue-20    	     800	   7668740 ns/op
BenchmarkExecTrue-20    	     751	   7304373 ns/op
PASS

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-24 13:39:26 -07:00
Kir Kolyshkin cb20148703 libct/int: use testing.TB for utils
...so that they can be used for benchmarks, too.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-24 13:39:26 -07:00
Akihiro Suda e37371ebd7 Merge pull request #4471 from kolyshkin/ci-12
ci: use Go 1.23
2024-10-23 17:11:15 +09:00
dependabot[bot] 4df7b1b199 build(deps): bump golang.org/x/sys from 0.22.0 to 0.26.0
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.22.0 to 0.26.0.
- [Commits](https://github.com/golang/sys/compare/v0.22.0...v0.26.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-10-23 07:56:22 +00:00
dependabot[bot] f22cee6634 Merge pull request #4460 from opencontainers/dependabot/go_modules/github.com/vishvananda/netlink-1.3.0 2024-10-23 07:55:40 +00:00
Aleksa Sarai b69954038c merge #4465 into opencontainers/runc:main
Kir Kolyshkin (1):
  libct: rm x/sys/execabs usage

LGTMs: AkihiroSuda cyphar
2024-10-23 18:52:54 +11:00
Kir Kolyshkin cbb9b309cd ci: use Go 1.23
Where we only use one Go version, let's use Go 1.23.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-23 00:04:17 -07:00
Kir Kolyshkin 732806e24c runc update: fix updating swap for cgroup v2
This allows to do

	runc update $ID --memory=-1 --memory-swap=$VAL

for cgroup v2, i.e. set memory to unlimited and swap to a specific
value.

This was not possible because ConvertMemorySwapToCgroupV2Value rejected
memory=-1 ("unlimited"). In a hindsight, it was a mistake, because if
memory limit is unlimited, we should treat memory+swap limit as just swap
limit.

Revise the unit test; add description to each case.

Fixes: c86be8a2 ("cgroupv2: fix setting MemorySwap")
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-22 23:51:23 -07:00
Kir Kolyshkin cb9f3d6d14 libct/cg: improve ConvertMemorySwapToCgroupV2Value
Improve readability of ConvertMemorySwapToCgroupV2Value by switching
from a bunch of if statements to a switch, and adding a comment
describing each case.

No functional change.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-22 23:51:23 -07:00
dependabot[bot] 69b3be763a build(deps): bump github.com/vishvananda/netlink from 1.1.0 to 1.3.0
Bumps [github.com/vishvananda/netlink](https://github.com/vishvananda/netlink) from 1.1.0 to 1.3.0.
- [Release notes](https://github.com/vishvananda/netlink/releases)
- [Commits](https://github.com/vishvananda/netlink/compare/v1.1.0...v1.3.0)

---
updated-dependencies:
- dependency-name: github.com/vishvananda/netlink
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-10-23 06:49:47 +00:00
Kir Kolyshkin d123e56739 Merge pull request #4467 from opencontainers/dependabot/go_modules/google.golang.org/protobuf-1.35.1
build(deps): bump google.golang.org/protobuf from 1.33.0 to 1.35.1
2024-10-22 23:49:04 -07:00
Kir Kolyshkin eb2ff52ace libct: rm x/sys/execabs usage
Since Go 1.19, the same functionality is there in os/exec package.
As we require go 1.22 now, there's no need to have this.

This basically reverts commit 9258eac0 ("libct/start: use execabs for
newuidmap lookup").

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-22 23:45:18 -07:00
Kir Kolyshkin 891d8ff63b Merge pull request #4468 from opencontainers/dependabot/go_modules/github.com/opencontainers/selinux-1.11.1
build(deps): bump github.com/opencontainers/selinux from 1.11.0 to 1.11.1
2024-10-22 23:43:57 -07:00
dependabot[bot] f20f273aff build(deps): bump github.com/opencontainers/selinux
Bumps [github.com/opencontainers/selinux](https://github.com/opencontainers/selinux) from 1.11.0 to 1.11.1.
- [Release notes](https://github.com/opencontainers/selinux/releases)
- [Commits](https://github.com/opencontainers/selinux/compare/v1.11.0...v1.11.1)

---
updated-dependencies:
- dependency-name: github.com/opencontainers/selinux
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-10-23 04:20:54 +00:00
dependabot[bot] 139789f1bd build(deps): bump google.golang.org/protobuf from 1.33.0 to 1.35.1
Bumps google.golang.org/protobuf from 1.33.0 to 1.35.1.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-10-23 04:20:52 +00:00
Akihiro Suda e98851de36 Merge pull request #4464 from opencontainers/dependabot/go_modules/github.com/urfave/cli-1.22.16
build(deps): bump github.com/urfave/cli from 1.22.14 to 1.22.16
2024-10-23 10:46:42 +09:00
Akihiro Suda 70efba8239 Merge pull request #4463 from opencontainers/dependabot/go_modules/github.com/moby/sys/mountinfo-0.7.2
build(deps): bump github.com/moby/sys/mountinfo from 0.7.1 to 0.7.2
2024-10-23 10:45:58 +09:00
dependabot[bot] 93db63ab52 build(deps): bump github.com/urfave/cli from 1.22.14 to 1.22.16
Bumps [github.com/urfave/cli](https://github.com/urfave/cli) from 1.22.14 to 1.22.16.
- [Release notes](https://github.com/urfave/cli/releases)
- [Changelog](https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md)
- [Commits](https://github.com/urfave/cli/compare/v1.22.14...v1.22.16)

---
updated-dependencies:
- dependency-name: github.com/urfave/cli
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-10-22 13:23:32 +00:00
dependabot[bot] af024b6c2b build(deps): bump github.com/moby/sys/mountinfo from 0.7.1 to 0.7.2
Bumps [github.com/moby/sys/mountinfo](https://github.com/moby/sys) from 0.7.1 to 0.7.2.
- [Release notes](https://github.com/moby/sys/releases)
- [Commits](https://github.com/moby/sys/compare/signal/v0.7.1...mountinfo/v0.7.2)

---
updated-dependencies:
- dependency-name: github.com/moby/sys/mountinfo
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-10-22 13:23:25 +00:00
Aleksa Sarai d545279974 merge #4458 into opencontainers/runc:main
Aleksa Sarai (2):
  VERSION: back to development
  VERSION: release v1.2.0

LGTMs: AkihiroSuda lifubang hqhq rata
2024-10-22 17:02:21 +11:00
Aleksa Sarai 42f9630578 VERSION: back to development
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-10-22 09:21:47 +11:00
Aleksa Sarai 0b9fa21be2 VERSION: release v1.2.0
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-10-22 09:21:47 +11:00
Rodrigo Campos 5190d6124b Merge pull request #4452 from lifubang/fix-fd-reuse-race
fix an error caused by fd reuse race when starting runc init
2024-10-21 12:55:03 +02:00
Aleksa Sarai ca45a2c52d merge #4446 into opencontainers/runc:main
Aleksa Sarai (1):
  Revert "increase memory.max in cgroups.bats"

LGTMs: rata cyphar
2024-10-21 19:44:58 +11:00
lfbzhm 568231cc4e Revert "increase memory.max in cgroups.bats"
This reverts commit 65a1074c75.

We needed [1] because when we removed the bindfd logic in [2] we had not
yet moved the binary cloning logic to Go and thus it was necessary to
increase the memory limit in CI because the clone was happening after
joining the cgroup. However, [3] finally moved that code to Go and thus
the cloning is now done outside of the container's cgroup and thus is no
longer accounted as part of the container's memory usage at any point.

Now we can properly support running a simple container with lower memory
usage as we did before.

[1]: commit 65a1074c75 ("increase memory.max in cgroups.bats")
[2]: commit b999376fb2 ("nsenter: cloned_binary: remove bindfd logic entirely")
[3]: commit 0e9a3358f8 ("nsexec: migrate memfd /proc/self/exe logic to Go code")

Signed-off-by: lfbzhm <lifubang@acmcoder.com>
[cyphar: fixed commit messages]
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-10-21 19:34:41 +11:00
lfbzhm e669926691 fix an error caused by fd reuse race when starting runc init
There is a race situation when we are opening a file, if there is a
small fd was closed at that time, maybe it will be reused by safeExe.
Because of Go stdlib fds shuffling bug, if the fd of safeExe is too
small, go stdlib will dup3 it to another fd, or dup3 a other fd to this
fd, then it will cause the fd type cmd.Path refers to a random path,
and it can lead to an error "permission denied" when starting the process.
Please see #4294 and <https://github.com/golang/go/issues/61751>.
So we should not use the original fd of safeExe, but use the fd after
shuffled by Go stdlib. Because Go stdlib will guarantee this fd refers to
the correct file.

Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-10-21 06:53:44 +00:00
Akihiro Suda ca8ca3ce07 Merge pull request #4448 from cyphar/cloned-binary-overlayfs
dmz: use overlayfs to write-protect /proc/self/exe if possible
2024-10-21 04:11:33 +09:00
Akihiro Suda 08faf15106 Merge pull request #4429 from kolyshkin/cap-load
libct/cap: no need to load capabilities
2024-10-21 04:09:07 +09:00
Aleksa Sarai 515f09f7b1 dmz: use overlayfs to write-protect /proc/self/exe if possible
Commit b999376fb2 ("nsenter: cloned_binary: remove bindfd logic
entirely") removed the read-only bind-mount logic from our cloned binary
code because it wasn't really safe because a container with
CAP_SYS_ADMIN could remove the MS_RDONLY bit and get write access to
/proc/self/exe (even with user namespaces this could've been an issue
because it's not clear if the flags are locked).

However, copying a binary does seem to have a minor performance impact.
The only way to have no performance impact would be for the kernel to
block these write attempts, but barring that we could try to reduce the
overhead by coming up with a mount that cannot have it's read-only bits
cleared.

The "simplest" solution is to create a temporary overlayfs using
fsopen(2) which uses the directory where runc exists as a lowerdir,
ensuring that the container cannot access the underlying file -- and we
don't have to do any copies.

While fsopen(2) is not free because mount namespace cloning is usually
expensive (and so it seems like the difference would be marginal), some
basic performance testing seems to indicate there is a ~60% improvement
doing it this way and that it has effectively no overhead even when
compared to just using /proc/self/exe directly:

  % hyperfine --warmup 50 \
  >           "./runc-noclone run -b bundle ctr" \
  >           "./runc-overlayfs run -b bundle ctr" \
  >           "./runc-memfd run -b bundle ctr"

  Benchmark 1: ./runc-noclone run -b bundle ctr
    Time (mean ± σ):      13.7 ms ±   0.9 ms    [User: 6.0 ms, System: 10.9 ms]
    Range (min … max):    11.3 ms …  16.1 ms    184 runs

  Benchmark 2: ./runc-overlayfs run -b bundle ctr
    Time (mean ± σ):      13.9 ms ±   0.9 ms    [User: 6.2 ms, System: 10.8 ms]
    Range (min … max):    11.8 ms …  16.0 ms    180 runs

  Benchmark 3: ./runc-memfd run -b bundle ctr
    Time (mean ± σ):      22.6 ms ±   1.3 ms    [User: 5.7 ms, System: 20.7 ms]
    Range (min … max):    19.9 ms …  26.5 ms    114 runs

  Summary
    ./runc-noclone run -b bundle ctr ran
      1.01 ± 0.09 times faster than ./runc-overlayfs run -b bundle ctr
      1.65 ± 0.15 times faster than ./runc-memfd run -b bundle ctr

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-10-20 21:35:09 +11:00
Aleksa Sarai 8cfbccb6d9 tests: integration: add helper to check if we're in a userns
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-10-20 19:58:49 +11:00
lfbzhm 8bebdbafd8 Merge pull request #4456 from kolyshkin/misc-ci-cleanups
Misc tests/int cleanups
2024-10-18 21:29:53 +08:00
lfbzhm d1b0ae62a9 Merge pull request #4455 from kolyshkin/ci-hotfix
tests/int: skip "update memory vs CheckBeforeUpdate" on EL9
2024-10-18 21:26:32 +08:00
Kir Kolyshkin 54ef07d899 tests/int: skip "update memory vs CheckBeforeUpdate" on EL9
This test case is frequently hanging recently. Might be caused
by a recent kernel update from 5.14.0-427.33.1.el9_4.x86_64 to
5.14.0-427.37.1.el9_4.x86_64.

Could not reproduce locally.

Let's skip it for now.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-17 19:11:01 -07:00
Aleksa Sarai 2664c845c9 merge #4441 into opencontainers/runc:main
Kir Kolyshkin (1):
  libct: rm initWaiter

LGTMs: lifubang cyphar
2024-10-18 13:09:43 +11:00
Kir Kolyshkin ff7753636f tests/int: rm centos-7 exclusion
We no longer run tests on CentOS 7, so this is now useless.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-17 18:08:14 -07:00
Kir Kolyshkin 76a821fab7 tests/int: update info about EL9 kernel
The issue quoted is now fixed, so add some information about the fixed
kernel version, and remove links to older discussions about idmapped
mounts security.

We can actually remove all of it for now, but let's keep it. Change
the skip message to say which kernel is required.

Amends commit b460dc39.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-17 18:08:14 -07:00
Kir Kolyshkin b5bdf592f2 libct: rm initWaiter
This initWaiter logic was introduced by commit 4ecff8d9, but since the logic of
/proc/self/exe was moved out of runc init in commit 0e9a335, this
seems unnecessary to have initWaiter.

Remove it.

This essentially reverts commit 4ecff8d9.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-17 08:05:42 -07:00
Aleksa Sarai d82235c9d0 merge #4444 into opencontainers/runc:main
lifubang (1):
  dmz: cloned binary: set +x permissions when creating regular tmpfile

LGTMs: kolyshkin cyphar
2024-10-15 15:06:30 +11:00
Aleksa Sarai 798ba5cd11 merge #4428 into opencontainers/runc:main
Kir Kolyshkin (2):
  memfd-bind: more specific doc URL
  memfd-bind: fixup systemd unit file and README

LGTMs: rata cyphar
2024-10-15 15:04:22 +11:00
lifubang 9fa324c479 dmz: cloned binary: set +x permissions when creating regular tmpfile
While we did set +x when "sealing" regular temporary files, the "is
executable" checks were done before then and would thus fail, causing
the fallback to not work properly.

So just set +x after we create the file. We already have a O_RDWR handle
open when we do the chmod so we won't get permission issues when writing
to the file.

Fixes: e089db3b4a ("dmz: add fallbacks to handle noexec for O_TMPFILE and mktemp()")

Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-10-14 17:48:18 +08:00
yangzhao.hjh 324fcea4ec Terminate execution for criu that does not meet version requirements
Signed-off-by: yangzhao.hjh <yangzhao.hjh@alibaba-inc.com>
2024-10-11 09:56:07 +08:00
Kir Kolyshkin eff6f049bc libct/cap: no need to load capabilities
We are not really interested in the capabilities of the current process,
so there is no need to load those.

This results in some performance improvement since now the capability
package don't have to parse /proc/self/status.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-09 12:08:44 -07:00
Aleksa Sarai 9112335fb2 merge #4350 into opencontainers/runc:main
Sebastiaan van Stijn (1):
  libcontainer/userns: migrate to github.com/moby/sys/userns

LGTMs: AkihiroSuda lifubang cyphar
2024-10-10 05:59:37 +11:00
Sebastiaan van Stijn 9b60a93cf3 libcontainer/userns: migrate to github.com/moby/sys/userns
The userns package was moved to the moby/sys/userns module
at commit 3778ae603c.

This patch deprecates the old location, and adds it as an alias
for the moby/sys/userns package.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-10-09 22:20:25 +08:00
lfbzhm 8bf5f0d441 Merge pull request #4430 from cyphar/securejoin-v0.3.4
go: update github.com/cyphar/filepath-securejoin to v0.3.4
2024-10-09 17:50:56 +08:00
Aleksa Sarai 1623cde125 go: update github.com/cyphar/filepath-securejoin to v0.3.4
This includes a fix to avoid doing import "testing" in non-_test.go
code.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-10-09 15:13:28 +11:00
Kir Kolyshkin 4fdd56169d memfd-bind: more specific doc URL
Let's point to the relevant README directly in the systemd unit file,
as it is hard to find in the whole nine yards of the runc repo.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-08 13:30:59 -07:00
Kir Kolyshkin 9e5545876e memfd-bind: fixup systemd unit file and README
The example of starting memfd-bind via systemd in README did not work
for me (Fedora 40, systemd 255):

	# systemctl status memfd-bind@/usr/bin/runc
	Invalid unit name "memfd-bind@/usr/bin/runc" escaped as "memfd-bind@-usr-bin-runc" (maybe you should use systemd-escape?).
	○ memfd-bind@-usr-bin-runc.service
	     Loaded: bad-setting (Reason: Unit memfd-bind@-usr-bin-runc.service has a bad unit file setting.)
	     Active: inactive (dead)
	       Docs: https://github.com/opencontainers/runc

So, let's use systemd-escape -p ("path") in the README example,
and use %f in the systemd unit file to prepend the slash to the
filename.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-08 13:30:08 -07:00
Kir Kolyshkin f2d56241d8 Merge pull request #4405 from amghazanfari/main
replace strings.SplitN with strings.Cut
2024-10-04 14:01:23 -07:00
Kir Kolyshkin 84529badb5 Merge pull request #4416 from amghazanfari/change_version
change go minimum version in README
2024-10-04 13:59:53 -07:00
Akihiro Suda db25439c60 Merge pull request #4417 from kolyshkin/fix-mount-leak
runc run: fix mount leak
2024-10-04 10:33:52 +09:00
Kir Kolyshkin 13a6f56097 runc run: fix mount leak
When preparing to mount container root, we need to make its parent mount
private (i.e. disable propagation), otherwise the new in-container
mounts are leaked to the host.

To find a parent mount, we use to read mountinfo and find the longest
entry which can be a parent of the container root directory.

Unfortunately, due to kernel bug in all Linux kernels older than v5.8
(see [1], [2]), sometimes mountinfo can't be read in its entirety. In
this case, getParentMount may occasionally return a wrong parent mount.

As a result, we do not change the mount propagation to private, and
container mounts are leaked.

Alas, we can not fix the kernel, and reading mountinfo a few times to
ensure its consistency (like it's done in, say, Kubernetes) does not
look like a good solution for performance reasons.

Fortunately, we don't need mountinfo. Let's just traverse the directory
tree, trying to remount it private until we find a mount point (any
error other than EINVAL means we just found it).

Fixes issue 2404.

[1]: https://github.com/kolyshkin/procfs-test
[2]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9f6c61f96f2d97cbb5f
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-02 13:58:27 -07:00
lfbzhm c611a2146d Merge pull request #4421 from cyphar/filepath-securejoin-0.3.3
vendor: update github.com/cyphar/filepath-securejoin to v0.3.3
2024-10-01 08:21:39 +08:00
Aleksa Sarai b096459a07 vendor: update github.com/cyphar/filepath-securejoin to v0.3.3
This fixes issues we had with spurious MkdirAll failures.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-09-30 16:26:42 +02:00
dependabot[bot] b2bf58e12e Merge pull request #4419 from opencontainers/dependabot/github_actions/bats-core/bats-action-3.0.0 2024-09-30 14:04:11 +00:00
dependabot[bot] f55957de35 build(deps): bump bats-core/bats-action from 2.1.1 to 3.0.0
Bumps [bats-core/bats-action](https://github.com/bats-core/bats-action) from 2.1.1 to 3.0.0.
- [Release notes](https://github.com/bats-core/bats-action/releases)
- [Commits](https://github.com/bats-core/bats-action/compare/2.1.1...3.0.0)

---
updated-dependencies:
- dependency-name: bats-core/bats-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-09-30 04:20:03 +00:00
Amir M. Ghazanfari bb2bd38d6f change go minimum version in README
Signed-off-by: Amir M. Ghazanfari <a.m.ghazanfari76@gmail.com>

Update go version

Co-authored-by: Akihiro Suda <suda.kyoto@gmail.com>
Signed-off-by: Amir M. Ghazanfari <a.m.ghazanfari76@gmail.com>
2024-09-29 23:20:03 +03:30
Amir M. Ghazanfari faffe1b9ee replace strings.SplitN with strings.Cut
Signed-off-by: Amir M. Ghazanfari <a.m.ghazanfari76@gmail.com>
2024-09-28 10:02:21 +03:30
Kir Kolyshkin 57798c6776 Merge pull request #4403 from Stavrospanakakis/replace-fields-splitn-cgroups-fs
libcontainer/cgroups/fs: remove todo since strings.Fields performs well
2024-09-27 10:26:59 -07:00
Stavros Panakakis 1be06760ed libcontainer/cgroups/fs: remove todo since strings.Fields performs well
Initially, this was a commit to switch from strings.Fields to
strings.SplitN in getCpuUsageBreakdown, since strings.Fields
was probably slower than strings.SplitN in some old Go versions.

Afterwards, strings.Cut was also considered for potential
speed improvements.

After writing a benchmark test, we learned that:
 - strings.Fields performance is now adequate;
 - strings.SplitN is slower than strings.Fields;
 - strings.Cut had <5% performance gain from strings.Fields;

So, remove the TODO and keep the benchmark test.

Signed-off-by: Stavros Panakakis <stavrospanakakis@gmail.com>
2024-09-26 12:34:32 +03:00
Kir Kolyshkin e1635d5d60 Merge pull request #4367 from kolyshkin/ambient-caps
Don't set ambient caps without inheritable ones
2024-09-25 22:11:34 -07:00
Kir Kolyshkin 7a449109f3 libct/README: simplify example, rm inheritable caps
The example is too long since it lists too many capabilities.
Simplify it, leaving only two capabilities.

Also, remove ambient capabilities from the set. Inheritable capabilities
were removed earlier by commit 98fe566c, but ambient capabilities can't
be raised without inheritable ones.

Fixes: 98fe566c
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-09-25 21:48:29 -07:00
Kir Kolyshkin 0de1953333 runc spec, libct/int: do not add ambient capabilities
Commit 98fe566c removed inheritable capabilities from the example spec
(used by runc spec) and from the libcontainer/integration test config,
but neglected to also remove ambient capabilities.

An ambient capability could only be set if the same inheritable
capability is set, so as a result of the above change ambient
capabilities were not set (but due to a bug in gocapability package,
those errors are never reported).

Once we start using a library with the fix [1], that bug will become
apparent (both bats-based and libct/int tests will fail).

[1]: https://github.com/kolyshkin/capability/pull/3

Fixes: 98fe566c ("runc: do not set inheritable capabilities")
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-09-25 21:48:29 -07:00
Kir Kolyshkin 3e3f96034f runc exec --cap: do not add capabilities to ambient
Commit 98fe566c removed setting inheritable capabilities from runc exec
--cap, but neglected to also remove ambient capabilities.

An ambient capability could only be set if the same inheritable
capability is set, so as a result of the above change ambient
capabilities were not set (but due to a bug in gocapability package,
those errors are never reported).

Once we start using a library with the fix [1], that bug will become
apparent. Alas, we do not have any tests for runc exec --cap, so add
one.

Yet, if some inheritable bits are already set from spec, let's set
ambient to avoid a possible regression. Add a test case for that, too.

[1]: https://github.com/kolyshkin/capability/pull/3

Fixes: 98fe566c ("runc: do not set inheritable capabilities")
Co-authored-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-09-25 21:48:29 -07:00
Kir Kolyshkin 8e03054c69 Merge pull request #4412 from akhilerm/remove-unused-bats-libs
ci: update bats-action to v2.1.1
2024-09-25 21:46:10 -07:00
Akhil Mohan 5b161e04ae update bats-action to 2.1.1
bats-action@2.1.1 supports:
- ubuntu 20.04
- cache key with multiple arch

Signed-off-by: Akhil Mohan <akhilerm@gmail.com>
2024-09-25 20:39:36 +05:30
Akhil Mohan 35f999dded remove installation of unused bats support libs
bats-core/bats-action installs a few support libraries by default which are not used by
runc. Disable the installation, which will remove /usr/bin/tar: Permission denied errors.

Signed-off-by: Akhil Mohan <akhilerm@gmail.com>
2024-09-25 11:31:44 +05:30
Kir Kolyshkin 47756ed7ef Merge pull request #4410 from lifubang/feat-add-ErrCgroupNotExist
Add ErrCgroupNotExist
2024-09-24 11:08:24 -07:00
Kir Kolyshkin a1acfcf793 Merge pull request #4398 from kolyshkin/no-shared-pidns
runc create/run: warn on rootless + shared pidns + no cgroup
2024-09-24 11:02:44 -07:00
Akihiro Suda daaed349e3 Merge pull request #4409 from akhilerm/update-actions
ci: update to setup bats action from bats-core
2024-09-24 17:53:30 +09:00
lifubang 10c951e335 add ErrCgroupNotExist
For some rootless container, runc has no access to cgroup,
But the container is still running. So we should return the
`ErrNotRunning` and `ErrCgroupNotExist` error seperatlly.

Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-09-23 23:27:35 +00:00
Akihiro Suda 5ff9d16e96 Merge pull request #4407 from rata/rata/min-1.22.4
go.mod: Force 1.22.4 as min go version
2024-09-23 21:51:51 +09:00
Rodrigo Campos 319e133c3c go.mod: Use toolchain 1.22.4
Go since 1.21 allows to set a "toolchain" that specifies the minimum Go
toolchain to use when working in runc. In contrast to the go line,
toolchain does not impose a requirement on other modules[1][2].

As documented in the 1.2.0-rc.1 release notes, 1.22.4 is needed for the
nsenter package. Let's suggest this with the toolchain version.

[1]: https://go.dev/doc/toolchain
[2]: https://go.dev/blog/toolchain

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2024-09-23 11:47:01 +02:00
Akhil Mohan 8671a7dba9 ci: update to setup bats action from bats-core
mig4/setup-bats is now unmaintained(last commit in Sep 2021).
bats-core/bats-action can be used as a replacement maintained
by the bats-core team.

Signed-off-by: Akhil Mohan <akhilerm@gmail.com>
2024-09-22 23:00:59 +05:30
Kir Kolyshkin 30f8f51eab runc create/run: warn on rootless + shared pidns + no cgroup
Shared pid namespace means `runc kill` (or `runc delete -f`) have to
kill all container processes, not just init. To do so, it needs a cgroup
to read the PIDs from.

If there is no cgroup, processes will be leaked, and so such
configuration is bad and should not be allowed. To keep backward
compatibility, though, let's merely warn about this for now.

Alas, the only way to know if cgroup access is available is by returning
an error from Manager.Apply. Amend fs cgroup managers to do so (systemd
doesn't need it, since v1 can't work with rootless, and cgroup v2 does
not have a special rootless case).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-09-17 22:49:37 -07:00
Kir Kolyshkin 21c6116557 tests/int: log when teardown starts
This aids in failed test analysis by allowing to distinguish the output
of various commands being run as part of the test case from the output
of teardown command like runc delete.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-09-17 22:49:37 -07:00
Kir Kolyshkin b1449fd510 libct: use Namespaces.IsPrivate more
In these cases, this is exactly what we want to find out.

Slightly improves performance and readability.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-09-17 22:49:29 -07:00
Kir Kolyshkin 15904913c2 Merge pull request #4397 from rafaelroquetto/main
Upgrade Cilium's eBPF library version to 0.16
2024-09-13 18:22:49 -07:00
Kir Kolyshkin d5ee7a5549 Merge pull request #4400 from cyphar/mkdirall-suidsgid-bits
utils: mkdirall: fix handling of suid/sgid bits
2024-09-13 18:20:18 -07:00
Aleksa Sarai d8844e2939 tests: integration: add setgid mkdirall test
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-09-13 23:34:33 +10:00
Aleksa Sarai 066b109e99 vendor: update to github.com/cyphar/filepath-securejoin@v0.3.2
This includes a fix for the handling of S_ISGID directories.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-09-13 23:34:33 +10:00
Aleksa Sarai 646efe70b1 utils: mkdirall: mask silently ignored mode bits to match os.MkdirAll
It turns out that the suid and sgid mode bits are silently ignored by
Linux (though the sticky bit is honoured), and some users are requesting
mode bits that are ignored. While returning an error (as securejoin
does) makes some sense, this is a regression.

Ref: https://github.com/cyphar/filepath-securejoin/issues/23
Fixes: dd827f7b71 ("utils: switch to securejoin.MkdirAllHandle")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-09-13 23:34:33 +10:00
Aleksa Sarai 457e1ffa4c tests: add regression test for CVE-2019-19921 / CVE-2023-27561
We reintroduced this once already because it is quite easy to miss this
subtle aspect of proc mounting. The recent migration to
securejoin.MkdirAllInRoot could have also inadvertently reintroduced
this (though it didn't).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-09-13 17:57:42 +10:00
Rafael Roquetto 216175a9ca Upgrade Cilium's eBPF library version to 0.16
Signed-off-by: Rafael Roquetto <rafael.roquetto@grafana.com>
2024-09-12 11:13:21 -06:00
Akihiro Suda 7c2e69f1c4 Merge pull request #4399 from kolyshkin/endian
libct/seccomp/patchbpf: use binary.NativeEndian
2024-09-13 01:53:07 +09:00
Kir Kolyshkin a31efe7045 libct/seccomp/patchbpf: use binary.NativeEndian
It is available since Go 1.21 and is defined during compile time
(i.e. based on GOARCH during build).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-09-11 22:06:58 -07:00
Akihiro Suda e8e8c029c7 Merge pull request #4393 from cyphar/mkdirall-inroot-securejoin
utils: switch to securejoin.MkdirAllHandle
2024-09-12 14:04:36 +09:00
Kir Kolyshkin f9f5764175 Merge pull request #4395 from AkihiroSuda/fix-4394
libct: Signal: honor RootlessCgroups
2024-09-11 16:45:29 -07:00
Akihiro Suda 429e06a518 libct: Signal: honor RootlessCgroups
`signalAllProcesses()` depends on the cgroup and is expected to fail
when runc is running in rootless without an access to the cgroup.

When `RootlessCgroups` is set to `true`, runc just ignores the error
from `signalAllProcesses` and may leak some processes running.
(See the comments in PR 4395)
In the future, runc should walk the process tree to avoid such a leak.

Note that `RootlessCgroups` is a misnomer; it is set to `false` despite
the name when cgroup v2 delegation is configured.
This is expected to be renamed in a separate commit.

Fix issue 4394

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-09-11 03:54:52 +09:00
Aleksa Sarai dd827f7b71 utils: switch to securejoin.MkdirAllHandle
filepath-securejoin has a bunch of extra hardening features and is very
well-tested, so we should use it instead of our own homebrew solution.

A lot of rootfs_linux.go callers pass a SecureJoin'd path, which means
we need to keep the wrapper helpers in utils, but at least the core
logic is no longer in runc. In future we will want to remove this dodgy
logic and just use file handles for everything (using libpathrs,
ideally).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-09-03 23:06:47 +10:00
Aleksa Sarai 1d308c7da4 vendor: update to github.com/cyphar/filepath-securejoin@v0.3.1
This includes the MkdirAll and OpenInRoot implementations which are
actually secure against races.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-09-03 23:05:59 +10:00
Aleksa Sarai 5ab5ef3dc3 deps: update to golang.org/x/sys@v0.22
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-09-03 23:03:39 +10:00
Aleksa Sarai 961b8031f6 VERSION: back to development
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-09-03 11:33:06 +10:00
lifubang 45471bc945 VERSION: release v1.2.0-rc.3
Signed-off-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-09-03 11:29:51 +10:00
Aleksa Sarai 6c24b2e83e changelog: update to include 1.1.14 notes
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-09-03 11:29:21 +10:00
Aleksa Sarai 9e9fdd815a Merge commit from fork
rootfs: try to scope MkdirAll to stay inside the rootfs
2024-09-03 10:55:23 +10:00
Aleksa Sarai 63c2908164 rootfs: try to scope MkdirAll to stay inside the rootfs
While we use SecureJoin to try to make all of our target paths inside
the container safe, SecureJoin is not safe against an attacker than can
change the path after we "resolve" it.

os.MkdirAll can inadvertently follow symlinks and thus an attacker could
end up tricking runc into creating empty directories on the host (note
that the container doesn't get access to these directories, and the host
just sees empty directories). However, this could potentially cause DoS
issues by (for instance) creating a directory in a conf.d directory for
a daemon that doesn't handle subdirectories properly.

In addition, the handling for creating file bind-mounts did a plain
open(O_CREAT) on the SecureJoin'd path, which is even more obviously
unsafe (luckily we didn't use O_TRUNC, or this bug could've allowed an
attacker to cause data loss...). Regardless of the symlink issue,
opening an untrusted file could result in a DoS if the file is a hung
tty or some other "nasty" file. We can use mknodat to safely create a
regular file without opening anything anyway (O_CREAT|O_EXCL would also
work but it makes the logic a bit more complicated, and we don't want to
open the file for any particular reason anyway).

libpathrs[1] is the long-term solution for these kinds of problems, but
for now we can patch this particular issue by creating a more restricted
MkdirAll that refuses to resolve symlinks and does the creation using
file descriptors. This is loosely based on a more secure version that
filepath-securejoin now has[2] and will be added to libpathrs soon[3].

[1]: https://github.com/openSUSE/libpathrs
[2]: https://github.com/cyphar/filepath-securejoin/releases/tag/v0.3.0
[3]: https://github.com/openSUSE/libpathrs/issues/10

Fixes: CVE-2024-45310
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-09-03 02:34:13 +10:00
Akihiro Suda 346b818dad Merge pull request #4380 from rata/makefile-no-envs
Makefile: Don't read COMMIT, BUILDTAGS, EXTRA_BUILDTAGS from env vars
2024-08-24 23:46:59 +09:00
Rodrigo Campos 767bc0089c Makefile: Don't read COMMIT, BUILDTAG, EXTRA_BUILDTAGS from env vars
We recently switched VERSION to be read from env vars (#4270). This
broke several projects, as they were building runc and using a `VERSION`
env var for, e.g. the containerd version.

When fixing that in #4370, we discussed to consider doing the same for
these variables too
(https://github.com/opencontainers/runc/pull/4370#pullrequestreview-2240030944).

Let's stop reading them from env vars, as it is very easy to do it by
mistake (e.g. compile runc and define a COMMIT env var, not to override
the commit shown in `runc --version`) and users that want can still
override them if they want to. For example, with:

	make EXTRA_BUILDTAGS=runc_nodmz

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2024-08-24 14:50:45 +02:00
Akihiro Suda a41b62a5e1 Merge pull request #4376 from kolyshkin/simplify-branch-protection
ci/gha: add all-done jobs
2024-08-22 10:59:47 +09:00
Kir Kolyshkin 2cd24a4dae ci/gha: add all-done jobs
The sole reason is to simplify branch protection rules,
requiring just these to be passed.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-08-21 17:00:59 -07:00
Rodrigo Campos 41831e7635 Merge pull request #4377 from AkihiroSuda/distro-should-not-install-recvtty-etc
mv contrib/cmd tests/cmd (except memfd-bind)
2024-08-21 11:38:48 +02:00
Kir Kolyshkin 376e875fdd Merge pull request #4370 from rata/main
Revert "allow overriding VERSION value in Makefile" and add EXTRA_VERSION
2024-08-16 03:30:13 -07:00
Rodrigo Campos cc2078ccdd Makefile: Add EXTRA_VERSION
Add this new make variable so users can specify build information
without modifying the runc version nor the source code.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2024-08-15 18:06:03 +02:00
Akihiro Suda f76489f0af mv contrib/cmd tests/cmd (except memfd-bind)
The following commands are moved from `contrib/cmd` to `tests/cmd`:
- fs-idmap
- pidfd-kill
- recvtty
- remap-rootfs
- sd-helper
- seccompagent

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-08-16 00:55:48 +09:00
Rodrigo Campos f4cc3d8313 Revert "allow overriding VERSION value in Makefile"
This reverts commit 9d9273c926.

This commit broke the build for several other projects (see comments
here: https://github.com/opencontainers/runc/pull/4270, after the merge)
and we don't really need this to be able to set the version without
changing the file.

With this commit reverted, we can still run:

	make VERSION="1.2.3"

and it just works. It doesn't take it from an env variable, but that is
what broke all the other projects (VERSION is just too generic as an env
var, especially for a project like runc that is embedded in many
others).

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2024-08-15 11:09:14 +02:00
lfbzhm 0377d50458 Merge pull request #4360 from kolyshkin/go123
Add Go 1.23, drop 1.21
2024-08-15 12:02:04 +08:00
Kir Kolyshkin 606257c6e1 Bump golangci-lint to v1.60, fix new warnings
The warnings fixed were:

libcontainer/configs/config_test.go:205:12: printf: non-constant format string in call to (*testing.common).Errorf (govet)
		t.Errorf(fmt.Sprintf("Expected error to not occur but it was %+v", err))
		         ^
libcontainer/cgroups/fs/blkio_test.go:481:13: printf: non-constant format string in call to (*testing.common).Errorf (govet)
			t.Errorf(fmt.Sprintf("test case '%s' failed unexpectedly: %s", testCase.desc, err))
			         ^
libcontainer/cgroups/fs/blkio_test.go:595:13: printf: non-constant format string in call to (*testing.common).Errorf (govet)
			t.Errorf(fmt.Sprintf("test case '%s' failed unexpectedly: %s", testCase.desc, err))
			         ^

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-08-14 20:39:15 +08:00
Kir Kolyshkin adedeb993a ci/gha: add Go 1.23, drop 1.21
- drop Go 1.21;
- add Go 1.23;
- for a few jobs that were using Go 1.21, switch to 1.22;

Also, bump go to 1.22 in go.mod.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-08-14 20:39:15 +08:00
Rodrigo Campos 2ee5564b58 Merge pull request #4378 from lifubang/fix-ci-curlL
[CI] ensure we can download the specific version's go
2024-08-14 14:05:11 +02:00
lifubang be539412b8 ensure we can download the specific version's go
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-08-14 18:40:49 +08:00
Rodrigo Campos 94eda74ab4 Merge pull request #4374 from kolyshkin/cpu-burst
Fix cpu burst test failure on newer kernels
2024-08-14 12:28:44 +02:00
Akihiro Suda e531ebbca8 Merge pull request #4371 from kolyshkin/simplify
libct/int/seccomp_test: simplify exit code checks
2024-08-14 12:28:08 +09:00
Kir Kolyshkin a7c8d86fc1 tests/int: fix "cpu burst" failure on new kernels
A kernel bug which resulted in cpu.max.burst value read which is 1000
times smaller than it should be has recently been fixed (see [1]).

Adapt the test so it works with either broken or fixed kernel.

[1]: https://lore.kernel.org/all/20240424132438.514720-1-serein.chengyu@huawei.com/

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-08-13 17:54:23 -07:00
Kir Kolyshkin b437ed3063 tests/int: check_{systemd,cgroup}_value: better log
1. Rename current -> got, expected -> want.
2. check_cgroup_value: add file name to output.
3. Improve functions description.

This is mostly to simplify debugging test failures.
Example output before:

	current 500000 !? 500

After:

	cpu.max.burst: got 500000, want 500

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-08-13 17:44:31 -07:00
Kir Kolyshkin 2c398bb41d libct/int/seccomp_test: simplify exit code checks
In all the three cases, we check that the program returned non-zero exit
code. This can be done in a much simpler manner.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-08-10 14:46:43 -07:00
Akihiro Suda 6602681d52 Merge pull request #4369 from TheSiman/patch-1
Fix link to gvariant documentation in systemd docs.
2024-08-09 17:02:44 +10:00
ver4a 171304c8a3 docs/systemd: fix a broken link
Documentation was moved from https://docs.gtk.org/glib/gvariant-text.html to https://docs.gtk.org/glib/gvariant-text-format.html.

Signed-off-by: ver4a <verca@uncontrol.me>
2024-08-07 00:27:57 +02:00
Rodrigo Campos ad5b481dac Merge pull request #4344 from kolyshkin/nilness
ci bumps
2024-08-01 16:00:32 +02:00
Akihiro Suda 3d7bc3bec9 Merge pull request #4359 from cyphar/rootfs-create-mountpoint-refactor
rootfs: consolidate mountpoint creation logic
2024-07-30 02:15:15 +09:00
Akihiro Suda 459ce2f9a8 Merge pull request #4353 from deitch/alpine-build-docs
document how to build under alpine
2024-07-25 23:19:37 +09:00
Aleksa Sarai 1410a6988d rootfs: consolidate mountpoint creation logic
The logic for how we create mountpoints is spread over each mountpoint
preparation function, when in reality the behaviour is pretty uniform
with only a handful of exceptions. So just move it all to one function
that is easier to understand.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-07-25 14:16:05 +10:00
Avi Deitcher 6fc2733a91 document build prerequsites for different platforms
Signed-off-by: Avi Deitcher <avi@deitcher.net>
2024-07-22 20:33:43 +03:00
Kir Kolyshkin 15ec295bb1 ci/gha: bump golangci-lint to v1.59
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-07-10 16:25:30 -07:00
Kir Kolyshkin bb2db7b4fd libct: drop error from (*Container).currentState return
This function never returns error since 2016 (commit 556f798a),
so let's remove it.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-07-10 16:24:36 -07:00
Kir Kolyshkin c8395b6e53 Enable govet nilness, fix an issue
The code already checked if err == nil above, so the linter complains:

> libcontainer/container_linux.go:534:18: nilness: tautological condition: non-nil != nil (govet)
> 			} else if err != nil {
> 			              ^

Fix the issue, enable the check.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-07-10 16:04:38 -07:00
Akihiro Suda 3778ae603c Merge pull request #4337 from AkihiroSuda/fix-4328
Revert "libcontainer: seccomp: pass around *os.File for notifyfd"
2024-07-09 15:49:37 +09:00
lfbzhm 8a324d67a8 Merge pull request #4332 from kolyshkin/fix-tags
ci/gha: add go-fix job
2024-07-05 12:40:28 +08:00
Kir Kolyshkin 309a6d91a4 ci/gha: add go-fix job
Add a CI job to ensure go fix produces no result. Quoting
`go doc cmd/fix`:

> Fix finds Go programs that use old APIs and rewrites them to use newer
> ones. After you update to a new Go release, fix helps make the
> necessary changes to your programs.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-07-03 10:12:25 -07:00
Akihiro Suda a5e660ca5b seccomp-notify.bats: add fcntl to the important syscall list
For issue 4328

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-07-04 02:05:31 +09:00
Akihiro Suda e7848482e2 Revert "libcontainer: seccomp: pass around *os.File for notifyfd"
This reverts commit 20b95f23ca.

> Conflicts:
>	libcontainer/init_linux.go

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-07-03 17:28:12 +09:00
Aleksa Sarai 81d63f265a merge #4331 into opencontainers/runc:main
Sebastiaan van Stijn (1):
  libct/userns: split userns detection from internal userns code

LGTMs: kolyshkin cyphar
2024-07-03 14:24:05 +10:00
Aleksa Sarai 7ea37b94b7 merge #4335 into opencontainers/runc:main
Kir Kolyshkin (1):
  ci/cirrus: switch from CentOS to Almalinux

LGTMs: AkihiroSuda cyphar
2024-07-03 10:48:58 +10:00
Akihiro Suda 683a6345e6 Merge pull request #4326 from kolyshkin/rc2-fixups
CHANGELOG.md: dedup v1.2.0-rc.2 notes
2024-07-03 08:54:55 +09:00
Kir Kolyshkin b18d052bb8 ci/cirrus: switch from CentOS to Almalinux
Remove CentOS 7 as it is EOL.

Add back RHEL 8 clone (CentOS Stream 8 was removed by commit
40bb9c468e).

Switch from CentOS Stream 9 to Almalinux 9.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-07-02 15:51:31 -07:00
Kir Kolyshkin cc062598cb Merge pull request #4330 from thaJeztah/better_alias
libct/userns: assorted (godoc) improvements
2024-07-01 12:39:28 -07:00
Kir Kolyshkin 8b1c0f7e47 CHANGELOG.md: dedup v1.2.0-rc.2 notes
Remove changes that are already reflected in v1.1.13 changelog:
 - rlimit_nofile fix;
 - rt_period vs rt_runtime fix;
 - gpg vs keyboxd fix;
 - nsexec debug log fix;
 - fips faking;
 - vagrant Fedora 39 bump;
 - golangci-lint bump;
 - x/net bump;
 - centos stream 8 removal;
 - codespell ci fixes.

Compact some of the entries that are related (e.g. about actuated-ci).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-07-01 10:24:22 -07:00
Sebastiaan van Stijn 6980adb67c libct/userns: implement RunningInUserNS with sync.OnceValue
Now that we dropped support for go < 1.21, we can use this; moving
the sync.once out of the runningInUserNS() implementation would also
allow for it to be more easily tested if we'd decide to.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-01 19:20:58 +02:00
Sebastiaan van Stijn b3b31ff27c libct/userns: make fuzzer Linux-only, and remove stub for uidMapInUserNS
The fuzzer for this only runs on Linux; rename the file to be Linux-only
so that we don't have to stub out the uidMapInUserNS function.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-01 19:20:58 +02:00
Sebastiaan van Stijn 5b09a71228 libct/userns: change RunningInUserNS to a wrapper instead of an alias
This was a poor decision on my side; 4316df8b53
moved this utility to a separate package, and split the exported function
from the implementation (and stubs). Out of convenience, I used an alias
for the latter part, but there's two downsides to that;

- `RunningInUserNS` being an exported var means that (technically) it can
  be replaced by other code; perhaps that's a "feature", but not one we
  intended it to be used for.
- `RunningInUserNS` being implemented through a var / alias means it's
  also documented as such on [pkg.go.dev], which is confusing.

This patch changes it to a regular function, acting as a wrapper for
the underlying implementations. While at it, also slightly touching
up the GoDoc to describe its functionality / behavior.

[pkg.go.dev]: https://pkg.go.dev/github.com/opencontainers/runc@v1.1.13/libcontainer/userns#RunningInUserNS

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-01 19:20:35 +02:00
Kir Kolyshkin 7bcb61118b Merge pull request #4329 from thaJeztah/rm_old_buildtags
remove pre-go1.17 build-tags
2024-07-01 10:18:11 -07:00
Sebastiaan van Stijn 30b530ca94 libct/userns: split userns detection from internal userns code
Commit 4316df8b53 isolated RunningInUserNS
to a separate package to make it easier to consume without bringing in
additional dependencies, and with the potential to move it separate in
a similar fashion as libcontainer/user was moved to a separate module
in commit ca32014adb. While RunningInUserNS
is fairly trivial to implement, it (or variants of this utility) is used
in many codebases, and moving to a separate module could consolidate
those implementations, as well as making it easier to consume without
large dependency trees (when being a package as part of a larger code
base).

Commit 1912d5988b and follow-ups introduced
cgo code into the userns package, and code introduced in those commits
are not intended for external use, therefore complicating the potential
of moving the userns package separate.

This commit moves the new code to a separate package; some of this code
was included in v1.1.11 and up, but I could not find external consumers
of `GetUserNamespaceMappings` and `IsSameMapping`. The `Mapping` and
`Handles` types (added in ba0b5e2698) only
exist in main and in non-stable releases (v1.2.0-rc.x), so don't need
an alias / deprecation.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-06-30 20:06:30 +02:00
Sebastiaan van Stijn c14213399a remove pre-go1.17 build-tags
Removed pre-go1.17 build-tags with go fix;

    go fix -mod=readonly ./...

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-06-29 15:45:25 +02:00
Kir Kolyshkin ab010ae1ef Merge pull request #4319 from lifubang/fix-execfifo-delete-error
Try to delete exec fifo file when failure in creation
2024-06-26 11:53:34 -07:00
Kir Kolyshkin 213fefd25d Merge pull request #4317 from lifubang/release-1.2.0-rc.2
Release 1.2.0-rc.2
2024-06-26 10:23:31 -07:00
lifubang 5ea7625401 VERSION: back to development
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-06-26 20:03:03 +08:00
lifubang f2d2ee5e45 VERSION: release 1.2.0-rc.2
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-06-26 20:03:03 +08:00
Kir Kolyshkin 095e9e5c02 Merge pull request #4324 from kolyshkin/michael
MAINTAINERS: move crosbymichael to EMERITUS; remove chief maintainer role
2024-06-24 18:21:38 -07:00
Kir Kolyshkin ee601b87f9 MAINTAINERS_GUIDE: rm chief maintainer role
Since Michael Crosby is stepping down, and we don't want to nominate
someone else to be a chief maintainer, let's remove the position.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-24 16:50:52 -07:00
Kir Kolyshkin d6563f6bcd MAINTAINERS: move crosbymichael to EMERITUS
I talked to Michael, he says he is stepping down as a maintainer, being
busy with other stuff.

Thank you for all the hard work that you did!

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-23 12:53:57 -07:00
Kir Kolyshkin 90ebcca8f1 Merge pull request #4314 from kolyshkin/maint-rata
MAINTAINERS: add Rodrigo Campos

LGTMs: crosbymichael mrunalp dqminh hqhq cyphar AkihiroSuda kolyshkin thaJeztah lifubang
Vote: +8 -0 #1
2024-06-20 17:00:07 -07:00
Akihiro Suda 8256a9384f Merge pull request #4322 from lifubang/changelog-sortby-ver
Put the changelog of v1.1.13 after v1.2.0-rc.1
2024-06-20 14:55:10 +09:00
lfbzhm ad976aa155 put the changelog of v1.1.13 after v1.2.0-rc.1
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-06-19 14:09:02 +00:00
Sebastiaan van Stijn fd5675e386 Merge pull request #4321 from lifubang/update-changelog-release-1.1.13
update changelog after v1.1.13 released
2024-06-14 01:35:57 +02:00
Akihiro Suda ac26d3d158 Merge pull request #4320 from kolyshkin/nits
Some nits I found from older PRs
2024-06-14 07:45:34 +09:00
lfbzhm 4e2d7c0a6e update changelog after v1.1.13 released
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-06-13 22:45:00 +00:00
Kir Kolyshkin 2cb46c6e0d script/keyring_validate.sh: fix a typo
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-13 08:03:08 -07:00
Kir Kolyshkin d6e427e1ea runc exec: avoid stuttering in error messages
An error from strconv.Atoi already contains the text it fails to parse.
Because of that, errors look way too verbose, e.g.:

	[root@kir-rhat runc-tst]# ./runc exec --user 1:1:1 2345 true
	ERRO[0000] exec failed: parsing 1:1 as int for gid failed: strconv.Atoi: parsing "1:1": invalid syntax

With this patch, the error looks like this now:

	[root@kir-rhat runc]# ./runc exec --user 1:1:1 2345 true
	ERRO[0000] exec failed: bad gid: strconv.Atoi: parsing "1:1": invalid syntax

Still not awesome, but better.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-12 21:03:10 -07:00
Kir Kolyshkin a6d46ed1a7 runc exec: improve options parsing
1. Do not ask for the same option value twice.

2. For tty, we always want false, unless specified, and this is what
   GetBool gets us.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-12 20:59:01 -07:00
lfbzhm 9d600197be Merge pull request #4271 from kolyshkin/two-inits
libct.Start: fix locking, do not allow a second container init
2024-06-11 18:37:40 +08:00
Kir Kolyshkin 42cea2ecb4 libct: don't allow to start second init process
By definition, every container has only 1 init (i.e. PID 1) process.

Apparently, libcontainer API supported running more than 1 init, and
at least one tests mistakenly used it.

Let's not allow that, erroring out if we already have init. Doing
otherwise _probably_ results in some confusion inside the library.

Fix two cases in libct/int which ran two inits inside a container.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-10 22:30:03 -07:00
Kir Kolyshkin e3e1072575 libct: fix locking in Start/Run/Exec
1. The code to call c.exec from c.Run was initially added by commit
   3aacff695. At the time, there was a lock in c.Run. That lock was
   removed by commit bd3c4f84, which resulted in part of c.Run executing
   without the lock.

2. All the Start/Run/Exec calls were a mere wrappers for start/run/exec
   adding a lock, but some more code crept into Start at some point,
   e.g. by commits 805b8c73 and 108ee85b8. Since the reason mentioned in
   commit 805b8c73 is no longer true after refactoring, we can fix this.

Fix both issues by moving code out of wrappers, and adding locking into
c.Run.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-10 22:30:03 -07:00
Kir Kolyshkin 304a4c0fee libct: createExecFifo: rm unneeded os.Stat
In case file already exists, mknod(2) will return EEXIST.

This os.Stat call was (inadvertently?) added by commit 805b8c73.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-10 22:30:03 -07:00
lifubang e7294527e2 try to delete exec fifo file when failure in creation
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-06-10 19:51:48 +08:00
lfbzhm 349e5ab7c1 Merge pull request #4283 from kolyshkin/revert-cpu-aff
Revert "Set temporary single CPU affinity before cgroup cpuset transition"
2024-06-10 06:54:53 +08:00
Kir Kolyshkin 1c505fffdc Revert "Set temporary single CPU affinity..."
There's too much logic here figuring out which CPUs to use. Runc is a
low level tool and is not supposed to be that "smart". What's worse,
this logic is executed on every exec, making it slower. Some of the
logic in (*setnsProcess).start is executed even if no annotation is set,
thus making ALL execs slow.

Also, this should be a property of a process, rather than annotation.

The plan is to rework this.

This reverts commit afc23e3397.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-10 06:31:03 +08:00
Kir Kolyshkin 67a1477959 Merge pull request #4285 from kolyshkin/f40
Vagrantfile.fedora: bump to F40
2024-06-09 15:26:38 -07:00
Akihiro Suda 30a7d9b863 Merge pull request #4186 from kolyshkin/multi-line
libct/cg: write unified resources line by line
2024-06-10 06:27:07 +09:00
Kir Kolyshkin f8f1bc9a30 Vagrantfile.fedora: bump to F40
Get the image from Fedora directly.

Also, remove the comment about cgroup v2 as it is also tested on Ubuntu
22.04 now.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-09 14:15:18 -07:00
Kir Kolyshkin 771903608c libct/cg: write unified resources line by line
It has been pointed out that some controllers can not accept multiple
lines of output at once. In particular, io.max can only set one device
at a time.

Practically, the only multi-line resource values we can get come from
unified.* -- let's write those line by line.

Add a test case.

Reported-by: Tao Shen <shentaoskyking@gmail.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-09 14:01:45 -07:00
Akihiro Suda 30b7b63974 Merge pull request #4311 from lifubang/fix-debug-msg-in-nsexec
fix a debug msg for user ns in nsexec
2024-06-08 19:57:50 +09:00
Akihiro Suda 865224d4e3 Merge pull request #4292 from kolyshkin/go122
Stop blacklisting Go 1.22+, drop Go < 1.21 support, use Go 1.22 in CI
2024-06-08 18:01:30 +09:00
lfbzhm a35a4c6807 Merge pull request #4189 from kolyshkin/fix-gpg-validate
script/*: fix gpg usage wrt keyboxd
2024-06-08 08:19:03 +08:00
Kir Kolyshkin 40dd884a00 MAINTAINERS: add Rodrigo Campos
I am nominating @rata for the role of runc maintainer.

He is pretty active in the project, did some substantial work
and is helping with PR review and releases.

As noted in MAINTAINERS_GUIDE.md, we have a week to vote, and need to
get 66% of current maintainers' votes.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-07 14:23:14 -07:00
Kir Kolyshkin 3019e842de libct/cg: use clear built-in
As we no longer support Go < 1.21.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-07 10:18:59 -07:00
Kir Kolyshkin b7fdd524cb libct: use slices package
As we're no longer supporting Go < 1.21.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-07 10:18:59 -07:00
Kir Kolyshkin a1e87f8d76 libct: rm eaccess
It is not needed since Go 1.20 (which was released in February 2023 and
is no longer supported since February 2024).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-07 10:18:59 -07:00
Kir Kolyshkin 6b2eb52fb0 go.mod,README: require Go 1.21
Go 1.20 was released in February 2023 and is no longer supported since
February 2024. Time to move on.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-07 10:18:59 -07:00
Kir Kolyshkin 17380da277 Dockerfile: switch to Go 1.22 and Debian 12
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-07 10:18:59 -07:00
Kir Kolyshkin a3302f2054 ci: switch to go 1.22 as main version
Now when Go 1.22.4 is out it should no longer be a problem.

Leave Go 1.21 for CentOS testing (CentOS 7 and 8 have older glibc)
and Dockerfile (Debian 11 have older glibc).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-07 10:18:59 -07:00
Kir Kolyshkin e660ef61a5 libct/nsenter: stop blacklisting go 1.22+
Go 1.23 includes a fix (https://go.dev/cl/587919) so go1.23.x can be
used. This fix is also backported to 1.22.4, so go1.22.x can also be
used (when x >= 4). Finally, for glibc >= 2.32 it doesn't really matter.

Add a note about Go 1.22.x > 1.22.4 to README as well.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-07 10:18:56 -07:00
lfbzhm a4b0857529 Merge pull request #4188 from kolyshkin/ci-swap
tests/int: swap-related fixes
2024-06-07 22:03:31 +08:00
lfbzhm 24c2d28d1f fix a debug msg for user ns in nsexec
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-06-06 14:30:29 +00:00
Kir Kolyshkin 3083bd443f tests/cgroups: separate cgroup v2 swap test
There are cgroup v2 systems out there that do not have cgroup swap enabled,
and this test will probably fail in there.

Move it to a separate case, guarded with requires cgroups_swap.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-06 18:52:34 +08:00
Kir Kolyshkin 4209439b5f libct/cg/fs/v2: ignore setting swap in some cases
When swap is being disabled (as set to 0), or set to max, ignore
non-existent memory.swap.max cgroup file.

If swap is being set explicitly to some value, do return an error like
before.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-06 18:52:34 +08:00
Kir Kolyshkin dbb011ecd9 tests/int/helpers: fix cgroups_swap check for v2
In case of cgroup v2, there's no memory.swap.max in the top-level
cgroup, so we have to use find.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-06 18:52:34 +08:00
Kir Kolyshkin 8626c7173e tests/int: fixup find statements
1. Add "-maxdepth 2" to not dive too deep into cgroup hierarchy.

2. Add "-type f" to look for a regular file.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-06 18:52:34 +08:00
Kir Kolyshkin e530b2a668 tests/int/update: fix v2 swap check
If swap is disabled, we should not run swap tests.

Fixes 4166.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-06 18:52:34 +08:00
Akihiro Suda 8fc5be4e60 Merge pull request #3908 from deitch/trimpath-optional
make trimpath optional
2024-06-06 11:23:09 +09:00
Avi Deitcher 024c2711f3 make trimpath optional
Signed-off-by: Avi Deitcher <avi@deitcher.net>
2024-06-05 18:56:20 -07:00
Kir Kolyshkin 760105ab11 script/*: fix gpg usage wrt keyboxd
I used script/keyring_validate.sh, which gave me this error:

> [*] User cyphar in runc.keyring is not a maintainer!

Apparently, when gnupg 2.4.1+ sees a fresh install (i.e. no ~/.gnupg
directory), it configures itself to use keyboxd instead of keyring
files, and when just silently ignores options like --keyring and
--no-default-keyring, working with keyboxd all the time.

The only way I found to make it not use keyboxd is to set --homedir.
Let's do that when we explicitly want a separate keyring.

Similar change is made to script/release_key.sh.

Also, change "--import --import-options=show-only" to "--show-keys"
which is a shortcut. When using this, there is no need to protect
the default keyring since this command does not read or modify it.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-05 17:05:05 -07:00
lfbzhm 7cce7e2653 Merge pull request #4286 from kolyshkin/u24.04
ci/gha: switch to ubuntu 24.04
2024-06-05 18:32:09 +08:00
Kir Kolyshkin 67f6c37bc2 ci/gha: switch to ubuntu 24.04
Let's replace ubuntu-22.04 with ubuntu-24.04 where we can, and keep
ubuntu-20.04 to test cgroup v1 stuff.

Leave ubuntu-22.04 for ci/cross-i386 (issue with systemctl restart hang
after apt install). This can be addressed separately later.

The only kludge we have to add is enable userns for runc binary being
tested (as userns is disabled by apparmor system-wide by default now,
see [1]).

[1] https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions-15

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-04 23:43:12 -07:00
Akihiro Suda 73bb57e9ab Merge pull request #4307 from kolyshkin/rm-cs8
ci/cirrus: rm centos stream 8
2024-06-05 14:04:11 +09:00
Kir Kolyshkin 40bb9c468e ci/cirrus: rm centos stream 8
It is past EOL and has been removed from GCE public images.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-04 18:19:33 -07:00
Akihiro Suda 3e8f48d215 Merge pull request #4304 from kolyshkin/cs8eol
ci: workaround for centos stream 8 being EOLed
2024-06-04 16:58:52 +09:00
Kir Kolyshkin 48c4e733f4 ci: workaround for centos stream 8 being EOLed
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-03 17:16:24 -07:00
lfbzhm 66379d9ef1 Merge pull request #4298 from kolyshkin/fixup-sched-test
tests/int/scheduler: require smp
2024-06-03 09:34:24 +08:00
lfbzhm 75c9f5cefc Merge pull request #4301 from kolyshkin/pin-codespell
ci: pin codespell
2024-06-03 09:02:35 +08:00
Kir Kolyshkin 5c5ebe772b tests/int/scheduler: require smp
This test case fails when there's a single CPU. Fix this by adding
"require smp".

While at it, document the test case and add a FIXME to maybe remove
this test later.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-02 11:02:40 -07:00
Kir Kolyshkin b24fc9d2c4 ci: pin codespell
CI should not fail and require attention every time a new codespell
version is released.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-02 10:51:43 -07:00
lfbzhm 854c4af3ba Merge pull request #4290 from kolyshkin/rlimit-rework
Rlimit cache rework for Go 1.23+
2024-06-02 06:03:44 +08:00
Kir Kolyshkin 584afc6756 libct/system: ClearRlimitNofileCache for go 1.23
Go 1.23 tightens access to internal symbols, and even puts runc into
"hall of shame" for using an internal symbol (recently added by commit
da68c8e3). So, while not impossible, it becomes harder to access those
internal symbols, and it is a bad idea in general.

Since Go 1.23 includes https://go.dev/cl/588076, we can clean the
internal rlimit cache by setting the RLIMIT_NOFILE for ourselves,
essentially disabling the rlimit cache.

Once Go 1.22 is no longer supported, we will remove the go:linkname hack.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-01 13:02:29 -07:00
Akihiro Suda ba4b52d372 Merge pull request #4295 from kolyshkin/fix-setv1-panic
libct/cg/dev: fix TestSetV1Allow panic
2024-06-02 02:13:36 +09:00
Akihiro Suda 94d255bca4 Merge pull request #4296 from kolyshkin/bookworm
Dockerfile: bump Debian to 12, Go to 1.21
2024-06-02 02:12:48 +09:00
Kir Kolyshkin b74b33c439 Dockerfile: bump Debian to 12, Go to 1.21
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-05-30 11:23:03 -07:00
Kir Kolyshkin d697725a4d libct/cg/dev: fix TestSetV1Allow panic
This test panics if userns is detected (such as when run in a rootless
docker container) because SetV1 does nothing in this case.

We could fix the panic, but it doesn't make sense to run the test at
all.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-05-30 11:18:01 -07:00
Akihiro Suda 1aeefd9cbd Merge pull request #4291 from kolyshkin/codespell-2.3.0
Fix codespell warnings
2024-05-25 02:10:32 +09:00
Kir Kolyshkin 177c7d4f59 Fix codespell warnings
./features.go:30: tru ==> through, true
...
./utils_linux.go:147: infront ==> in front

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-05-23 22:02:45 -07:00
Akihiro Suda 68564eecde Merge pull request #4258 from kolyshkin/fix-4094
libct/cg/fs: fix setting rt_period vs rt_runtime
2024-05-21 11:21:53 +09:00
Akihiro Suda 492dc558cd Merge pull request #4276 from kolyshkin/arm-cpt-test-fixes
fix checkpoint/restore tests on actuated-arm64
2024-05-20 10:09:11 +09:00
Akihiro Suda 3d07cbc9a1 Merge pull request #4282 from lifubang/fix-comment-ClearRlimitNofileCache
Add a correct GoDoc format comment for ClearRlimitNofileCache
2024-05-16 22:16:53 +09:00
lifubang a35f7d8093 fix comments for ClearRlimitNofileCache
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-05-16 20:34:43 +08:00
Sebastiaan van Stijn 4e8cf2793a Merge pull request #4280 from austinvazquez/vendor-x-net-0.24.0
vendor: golang.org/x/net@v0.24.0
2024-05-16 09:38:29 +02:00
Austin Vazquez 6ab3d8ad1e vendor: golang.org/x/net@v0.24.0
This change vendors golang.org/x/net@v0.24.0 to silence security
warnings for https://pkg.go.dev/vuln/GO-2024-2687.

runc takes a dependency on net/bpf only and would not be impacted by the
HTTP2 vulnerability reported.

Signed-off-by: Austin Vazquez <macedonv@amazon.com>
2024-05-14 13:16:18 +00:00
lfbzhm 9d02c20df7 Merge pull request #4279 from kolyshkin/rm-fixme
.cirrus.yml: rm FIXME from rootless fs on CentOS 7
2024-05-14 17:57:55 +08:00
Kir Kolyshkin f805206611 libct/cg/fs: fix setting rt_period vs rt_runtime
The issue is the same as in commit 1b2adcf but for RT scheduler;
the fix is also the same.

Test case by ls-ggg.

Co-authored-by: ls-ggg <335814617@qq.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-05-13 17:47:39 -07:00
Kir Kolyshkin e5e8f33695 .cirrus.yml: rm FIXME from rootless fs on CentOS 7
I tried to fix it, but it looks like older CentOS 7 kernel is the
ultimate reason why it doesn't work.

So, remove FIXME and add some explanation.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-05-13 17:47:17 -07:00
Kir Kolyshkin 36be6d0510 libct/int: checkpoint test: skip pre-dump if not avail
Since we're now testing on ARM, the test case fails when trying to do
pre-dump since MemTrack is not available.

Skip the pre-dump part if so.

This also reverts part of commit 3f4a73d6 as it is no longer needed
(now, instead of skipping the whole test, we're just skipping the
pre-dump).

[Review with --ignore-all-space]

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-05-10 11:04:58 -07:00
Kir Kolyshkin e42d981d67 libct/int: rm double logging in checkpoint_test
Since commit c77aaa3f the tail of criu log is printed by runc, so
there's no need to do the same thing in tests.

This also fixes a test failure on ARM where showLog fails (because
there's no log file) and thus the conditional t.Skip is not called.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-05-09 15:18:29 -07:00
Kir Kolyshkin 62a314656a libct/int/cpt: simplify test pre-check
criu check --feature userns also tests for the /proc/self/ns/user
presense, so remove the redundant check, and simplify the error message.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-05-09 15:18:29 -07:00
Kir Kolyshkin e676dac523 libct/criu: simplify checkCriuFeatures
Since criu 2.12, rpcOpts is not needed when checking criu features.
As we requires criu >= 3.0 in Checkpoint, we can remove rpcOpts.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-05-09 15:18:29 -07:00
Kir Kolyshkin f6a8c9b816 libct: checkCriuFeatures: return underlying error
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-05-09 15:18:29 -07:00
Akihiro Suda e8bec1ba40 Merge pull request #4265 from lifubang/fix-set-RLIMIT_NOFILE-race
Fix set nofile rlimit error
2024-05-09 09:44:53 +09:00
lifubang 4ea0bf88fd update/add some tests for rlimit
issues:
https://github.com/opencontainers/runc/issues/4195
https://github.com/opencontainers/runc/pull/4265#discussion_r1588599809

Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-05-08 10:57:10 +00:00
ls-ggg da68c8e37b libct: clean cached rlimit nofile in go runtime
As reported in issue #4195, the new version(since 1.19) of go runtime
will cache rlimit-nofile. Before executing execve, the rlimit-nofile
of the process will be restored with the cache. In runc, this will
cause the rlimit-nofile set by the parent process for the container
to become invalid. It can be solved by clearing the cache.

Signed-off-by: ls-ggg <335814617@qq.com>
(cherry picked from commit f9f8abf310)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-05-08 10:40:13 +00:00
lifubang a853a82677 runc exec: setupRlimits after syscall.rlimit.init() completed
Issue: https://github.com/opencontainers/runc/issues/4195
Since https://go-review.googlesource.com/c/go/+/476097, there is
a get/set race between runc exec and syscall.rlimit.init, so we
need to call setupRlimits after syscall.rlimit.init() completed.

Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-05-08 10:40:07 +00:00
Aleksa Sarai 151f480cc0 merge #4268 into opencontainers/runc:main
Kir Kolyshkin (2):
  libct: fix a comment
  libct/system: rm Execv

LGTMs: AkihiroSuda cyphar
2024-05-08 16:34:13 +10:00
lfbzhm 6cf790cc94 Merge pull request #4275 from kolyshkin/bump-golangci-lint-action
ci/gha: bump golangci-lint-action from 5 to 6
2024-05-08 12:56:32 +08:00
Kir Kolyshkin f452f667c0 ci/gha: bump golangci-lint-action from 5 to 6
Note that github-actions output format is deprecated and no longer supported,
and it is also no longer needed since setup-go problem matcher already
handles default golangci-lint output format ("colored-line-number").

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-05-07 14:26:41 -07:00
Kir Kolyshkin bac506463d libct: fix a comment
Do not refer to the function which was removed.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-05-07 14:10:16 -07:00
Kir Kolyshkin dbd0c3349f libct/system: rm Execv
This is not used since commit dac41717.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-05-07 14:09:22 -07:00
lfbzhm 83ea9e5f62 Merge pull request #4251 from kolyshkin/test-cr
tests/int/checkpoint: rm double logging
2024-05-07 23:07:34 +08:00
Aleksa Sarai 0d37745e61 merge #4269 into opencontainers/runc:main
Akhil Mohan (1):
  allow overriding VERSION value in Makefile

LGTMs: AkihiroSuda cyphar
2024-05-07 02:32:43 +10:00
Akhil Mohan 9d9273c926 allow overriding VERSION value in Makefile
this allows using a custom version string while building runc
without modifying the VERSION file

Signed-off-by: Akhil Mohan <akhilerm@gmail.com>
2024-05-05 16:52:37 +05:30
Akihiro Suda 7a017af5e4 Merge pull request #4264 from lifubang/upgrade-spec.bat
[ci] use go mod instead of go get in spec.bats
2024-04-30 15:12:27 +09:00
lifubang 75e02193c2 use go mod instead of go get in spec.bats
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-04-30 05:20:54 +00:00
Akihiro Suda 03db4d633d Merge pull request #4259 from kolyshkin/fix-cpu-burst
libct/cg/fs: don't write cpu_burst twice on ENOENT
2024-04-27 12:22:24 +09:00
Akihiro Suda 488c077bcc Merge pull request #4260 from kolyshkin/tty-timeout
tests/int/tty: increase the timeout
2024-04-27 04:46:41 +09:00
lfbzhm c9f624eafe Merge pull request #4255 from kolyshkin/golangci-lint-action
ci/gha: bump golangci-lint[-action]
2024-04-26 22:04:57 +08:00
Kir Kolyshkin b032fead22 libct/cg/fs: don't write cpu_burst twice on ENOENT
If CPU burst knob is non-existent, the current implementation (added in
commit e1584831) still tries to set it again after setting the new CPU
quota, which is useless (and we have to ignore ENOENT again).

Fix this.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-04-25 18:27:28 -07:00
lfbzhm 426c04b6db Merge pull request #4248 from kolyshkin/mv-dev
libct: decouple libct/cg/devices
2024-04-26 09:18:52 +08:00
Kir Kolyshkin 6bf1d3adbe tests/int/tty: increase the timeout
Earlier, commit fce8dd4d already increased this timeout from 1 to 5 seconds.
Yet, I just saw this timeout being hit in actuated-arm CI.

Increase the timeout again, this time from 5 to 50 (100 * 0.5) seconds.

Also, use wait_pids_gone, and improve some comments.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-04-25 18:17:37 -07:00
lfbzhm 57d01a791d Merge pull request #4256 from kolyshkin/f39
Vagrantfile.fedora: bump Fedora to 39
2024-04-26 08:44:36 +08:00
Kir Kolyshkin 8732eada62 Vagrantfile.fedora: bump Fedora to 39
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-04-25 10:49:02 -07:00
Kir Kolyshkin d63018c252 ci/gha: bump golangci-lint to v1.57
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-04-25 08:39:26 -07:00
Kir Kolyshkin 0eb8bb5f66 Format sources with gofumpt v0.6
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-04-25 08:39:26 -07:00
Kir Kolyshkin 6bcc736122 ci/gha: bump golangci/golangci-lint-action to v5
Since v5 removes caching [1], re-enable setup-go cache.

[1] https://github.com/golangci/golangci-lint-action/pull/1024

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-04-25 08:25:02 -07:00
lfbzhm e74ff0f4c1 Merge pull request #4252 from kolyshkin/test-actuated-cr
ci/actuated: re-enable CRIU tests
2024-04-25 11:39:00 +08:00
Kir Kolyshkin baba55e278 ci/actuated: re-enable CRIU tests
They were failing earlier but are working now.

This includes a fix to criu repo path assignment so it works for actuated case.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-04-24 19:40:45 -07:00
Kir Kolyshkin f6b7167bc5 tests/int/checkpoint: add requires criu_feature_xxx
1. A few tests use "criu check --feature" to check for a specific
   feature. Let's generalize it.

2. Fix "checkpoint --pre-dump and restore" test to require memory
   tracking (which is missing on ARM).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-04-24 19:40:45 -07:00
Kir Kolyshkin e5c82f00e1 tests/int/checkpoint: rm double logging
Since commit c77aaa3f the tail of criu.log is printed by runc, so
there's no need to do the same thing in tests.

Related to 3711, 3816.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-04-24 17:23:43 -07:00
lfbzhm 52bd9fde20 Merge pull request #4142 from AkihiroSuda/actuated
CI: add actuated-arm64
2024-04-24 18:44:37 +08:00
Akihiro Suda 00238f5d2b CI: add actuated-arm64
See <https://actuated.dev/blog/arm-ci-cncf-ampere>.
Thanks to Alex Ellis, Ampere Computing, and Equinix.

Host information:
* CPU: aarch64 (ARMv8)
* Kernel: 5.10.201
  * Lacks ~CONFIG_CHECKPOINT_RESTORE~, CONFIG_BLK_CGROUP_IOCOST, etc.
* Cgroup: v2
* OS: Ubuntu 22.04
  * Lacks newuidmap, newgidmap, etc. (still apt-gettable)
  * sshd is not running

vmmeter is added from:
https://gist.github.com/alexellis/1f33e581c75e11e161fe613c46180771#file-metering-gha-md

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-04-24 17:22:33 +09:00
Akihiro Suda 758b2e2bda helpers.bats: cgroups_cpu_burst: check kernel version
On cgroup v2, cpu burst needs kernel >= 5.14
https://github.com/torvalds/linux/commit/f4183717b370ad28dd0c0d74760142b20e6e7931

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-04-23 09:11:30 +09:00
Akihiro Suda d618c6fe84 cgroups.bats: check cgroups_io_weight
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-04-23 09:11:27 +09:00
Akihiro Suda 053f6a0dca seccomp_syscall_test1: use ftruncate instead of kcmp
kcmp is often missing: https://man7.org/linux/man-pages/man2/kcmp.2.html

> Before Linux 5.12, this system call is available only if the
> kernel is configured with CONFIG_CHECKPOINT_RESTORE, since the
> original purpose of the system call was for the
> checkpoint/restore in user space (CRIU) feature.  (The
> alternative to this system call would have been to expose
> suitable process information via the proc(5) filesystem; this was
> deemed to be unsuitable for security reasons.)  Since Linux 5.12,
> this system call is also available if the kernel is configured
> with CONFIG_KCMP.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-04-23 09:10:13 +09:00
Akihiro Suda 30dc98f577 CI: run apt with -y
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-04-23 09:10:09 +09:00
Kir Kolyshkin 4f3319b56d libct: decouple libct/cg/devices
Commit b6967fa84c moved the functionality of managing cgroup devices
into a separate package, and decoupled libcontainer/cgroups from it.

Yet, some software (e.g. cadvisor) may need to use libcontainer package,
which imports libcontainer/cgroups/devices, thus making it impossible to
use libcontainer without bringing in cgroup/devices dependency.

In fact, we only need to manage devices in runc binary, so move the
import to main.go.

The need to import libct/cg/dev in order to manage devices is already
documented in libcontainer/cgroups, but let's
 - update that documentation;
 - add a similar note to libcontainer/cgroups/systemd;
 - add a note to libct README.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-04-17 15:05:38 -07:00
Kir Kolyshkin 6a2813f16a Merge pull request #3923 from cclerget/issue-3922
Set temporary single CPU affinity before cgroup cpuset transition.
2024-04-16 11:31:12 -07:00
Cédric Clerget afc23e3397 Set temporary single CPU affinity before cgroup cpuset transition.
This handles a corner case when joining a container having all
the processes running exclusively on isolated CPU cores to force
the kernel to schedule runc process on the first CPU core within the
cgroups cpuset.

The introduction of the kernel commit
46a87b3851f0d6eb05e6d83d5c5a30df0eca8f76 has affected this deterministic
scheduling behavior by distributing tasks across CPU cores within the
cgroups cpuset. Some intensive real-time application are relying on this
deterministic behavior and use the first CPU core to run a slow thread
while other CPU cores are fully used by real-time threads with SCHED_FIFO
policy. Such applications prevents runc process from joining a container
when the runc process is randomly scheduled on a CPU core owned by a
real-time thread.

Introduces isolated CPU affinity transition OCI runtime annotation
org.opencontainers.runc.exec.isolated-cpu-affinity-transition to restore
the behavior during runc exec.

Fix issue with kernel >= 6.2 not resetting CPU affinity for container processes.

Signed-off-by: Cédric Clerget <cedric.clerget@gmail.com>
2024-04-16 08:59:49 +02:00
lfbzhm d0f803e584 Merge pull request #4246 from sohankunkerkar/runc-fips
libcontainer: force apps to think fips is enabled/disabled for testing
2024-04-12 11:15:29 +08:00
Sohan Kunkerkar cde1d0908a libcontainer: force apps to think fips is enabled/disabled for testing
The motivation behind this change is to provide a flexible mechanism for
containers within a Kubernetes cluster to opt out of FIPS mode when necessary.
This change enables apps to simulate FIPS mode being enabled or disabled for testing
purposes. Users can control whether apps believe FIPS mode is on or off by manipulating
`/proc/sys/crypto/fips_enabled`.

Signed-off-by: Sohan Kunkerkar <sohank2602@gmail.com>
2024-04-10 18:58:34 -04:00
Akihiro Suda f2bd18480d Merge pull request #4211 from lifubang/fix-update-cpu-burst
set the default value of CpuBurst to nil instead of 0
2024-04-10 11:03:40 +09:00
Kir Kolyshkin c42ba59d20 Merge pull request #4245 from kinvolk/rata/fix-tests-debian-testing-minimal-fix
Fix tests in debian testing (mount_sshfs.bats) - minimal fix
2024-04-09 17:04:18 -07:00
Rodrigo Campos 6b1f73088b tests/integration: Fix remount on debian testing
When we run this:

	mount --bind -o remount,diratime,strictatime "$DIR"

It fails in debian testing, when it is the second time we call this
function in the same bats test (i.e. when $DIR is defined already).

strace shows this syscall failing:

	mount_setattr(3, "", AT_EMPTY_PATH, {attr_set=MOUNT_ATTR_NOSUID|MOUNT_ATTR_NODEV|MOUNT_ATTR_NOEXEC|MOUNT_ATTR_NOATIME|MOUNT_ATTR_STRICTATIME, attr_clr=MOUNT_ATTR_RDONLY|MOUNT_ATTR_NOATIME|MOUNT_ATTR_STRICTATIME|MOUNT_ATTR_NODIRATIME|0x40, propagation=0 /* MS_??? */, userns_fd=0}, 32) = -1 EINVAL (Invalid argument)

Note it has `MOUNT_ATTR_NOATIME` and `MOUNT_ATTR_STRICTATIME` which
probably causes it to return EINVAL.

This patch simply adds atime to the options, so the mount command now
works and fixes most of the tests in debian testing.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2024-04-09 13:16:55 +01:00
Rodrigo Campos 5052c07510 tests/integration/mounts_sshfs.bats: Fix test on debian testing
relatime is not shown on some debian systems. Let's check that no other
setting that removes the relatime effect is set, as that should be
enough too.

For more info, see the issue linked in the comments.

Signed-off-by: Rodrigo Campos <rodrigo@sdfg.com.ar>
2024-04-09 11:48:53 +01:00
Aleksa Sarai 5e0ec3fbbf merge #4238 opencontainers/runc:main
Kir Kolyshkin (1):
  ci/test: exclude some runc_nodmz jobs

LGTMs: AkihiroSuda cyphar
2024-04-04 22:43:34 +11:00
Akihiro Suda e4bf49ff2c runc update: distinguish nil from zero
Prior to this commit, commands like `runc update --cpuset-cpus=1`
were implying to set cpu burst to "0" (which does not mean "leave it as is").

This was failing when the kernel does not support cpu burst:
`openat2 /sys/fs/cgroup/runc-cgroups-integration-test/test-cgroup-22167/cpu.max.burst: no such file or directory`

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-04-04 00:56:19 +08:00
lifubang afcb9c2ebf add a test case for runc update cpu burst
In issue #4210, if we don't provide `--cpu-burst` in `runc update`,
the value of cpu burst will always set to 0.

Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-04-04 00:56:19 +08:00
Aleksa Sarai 0680e2b6c4 merge #4221 into opencontainers/runc:main
Aleksa Sarai (5):
  VERSION: back to development
  VERSION: release v1.2.0-rc.1
  changelog: update to include all new changes since 1.1.0
  changelog: sync changelog entries up to runc 1.1.12
  changelog: mention key breaking changes for mount options

LGTMs: lifubang AkihiroSuda kolyshkin cyphar
2024-04-03 22:01:35 +11:00
Aleksa Sarai 5194bd8df3 VERSION: back to development
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-04-03 21:43:25 +11:00
Aleksa Sarai 275e6d85f7 VERSION: release v1.2.0-rc.1
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-04-03 21:43:24 +11:00
Aleksa Sarai fc3e04dc35 changelog: update to include all new changes since 1.1.0
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
[ cyphar: restructuring and removal of outdated or incorrect info ]
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-04-02 15:46:49 +11:00
Aleksa Sarai b47fb3fda4 changelog: sync changelog entries up to runc 1.1.12
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-04-02 15:46:24 +11:00
Aleksa Sarai d4b670fca6 changelog: mention key breaking changes for mount options
Just to make sure we don't forget to fully explain these when we do
-rc1.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-04-02 15:46:23 +11:00
Kir Kolyshkin 851e3882b7 ci/test: exclude some runc_nodmz jobs
1. Sort the list of matrix excludes in the order of matrix,
   add comments explaining why we disable some jobs.

2. Exclude some jobs:
 - runc_nodmz && go 1.20.x
 - runc_nodmz && -race

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-04-01 17:06:40 -07:00
Kir Kolyshkin 4641f17e86 Merge pull request #4234 from cyphar/go122
[hotfix] nsenter: refuse to build with Go 1.22
2024-04-01 17:05:51 -07:00
Aleksa Sarai e377e16846 [hotfix] nsenter: refuse to build with Go 1.22 on glibc
We will almost certainly need to eventually rework nsenter to:

 1. Figure out a way to make pthread_self() not break after nsenter runs
    (probably not possible, because the core issue is likely that we are
    ignoring the rules of signal-safety(7)); or
 2. Do an other re-exec of /proc/self/exe to execute the Go half of
    "runc init" -- after we've done the nsenter setup. This would reset
    all of the process state and ensure we have a clean glibc state for
    Go, but it would make runc slower...

For now, just block Go 1.22 builds to avoid having broken runcs floating
around until we resolve the issue. It seems possible for musl to also
have an issue, but it appears to work and so for now just block glibc
builds.

Note that this will only block builds for anything that uses nsenter --
so users of our (internal) libcontainer libraries should be fine. Only
users that are starting containers using nsenter to actually start
containers will see the error (which is precisely what we want).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-04-02 01:59:46 +11:00
Kir Kolyshkin ac31da6b80 ci/cross-i386: pin Go to 1.21.x
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-04-02 01:55:50 +11:00
lfbzhm ea38465a37 Merge pull request #3783 from utam0k/io-prio
Add I/O priority
2024-03-31 09:56:25 +08:00
utam0k bfbd0305ba Add I/O priority
Signed-off-by: utam0k <k0ma@utam0k.jp>
2024-03-30 22:31:54 +09:00
Aleksa Sarai a1acca9acb merge #4219 into opencontainers/runc:main
Aleksa Sarai (2):
  seccomp: patchbpf: always include native architecture in stub
  seccomp: patchbpf: rename nativeArch -> linuxAuditArch

LGTMs: AkihiroSuda kolyshkin
2024-03-29 12:44:51 +11:00
Aleksa Sarai ccc500c427 seccomp: patchbpf: always include native architecture in stub
It turns out that on ppc64le (at least), Docker doesn't include any
architectures in the list of allowed architectures. libseccomp
interprets this as "just include the default architecture" but patchbpf
would return a no-op ENOSYS stub, which would lead to the exact issues
that commit 7a8d7162f9 ("seccomp: prepend -ENOSYS stub to all
filters") fixed for other architectures.

So, just always include the running architecture in the list. There's
no real downside.

Ref: https://bugzilla.suse.com/show_bug.cgi?id=1192051#c6
Reported-by: Fabian Vogt <fvogt@suse.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-03-29 12:01:47 +11:00
Aleksa Sarai b288abeaa5 seccomp: patchbpf: rename nativeArch -> linuxAuditArch
Calling the Linux AUDIT_* architecture constants "native" leads to
confusing code when we are getting the actual native architecture of the
running system.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-03-29 12:01:47 +11:00
Akihiro Suda 8e69225e2e Merge pull request #4220 from cyphar/runc-dmz-no-selinux-magic
dmz: remove SELinux special-casing
2024-03-27 14:16:52 +09:00
lfbzhm 3db0871f1c Merge pull request #4217 from AkihiroSuda/features-unsafe
features: implement returning potentiallyUnsafeConfigAnnotations list
2024-03-25 19:00:01 +08:00
lfbzhm 18c313be72 Merge pull request #4223 from cyphar/seccomp-2.5.5
build: update libseccomp to v2.5.5
2024-03-16 08:02:10 +08:00
lfbzhm d6df41c767 Merge pull request #4224 from SuperQ/update_urfave_cli
Remove dependabot ignore
2024-03-16 07:59:02 +08:00
SuperQ ab6788d307 Remove dependabot ignore
The referenced issue was fixed in `github.com/urfave/cli` v1.22.6. We
can now remove the dependabot ignore for this package.

Signed-off-by: SuperQ <superq@gmail.com>
2024-03-15 08:38:53 +01:00
Aleksa Sarai cdccf6d615 build: update libseccomp to v2.5.5
This adds support for syscalls up to Linux 6.7-rc3.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-03-15 17:57:54 +11:00
Aleksa Sarai 44114d32df merge #4179 into opencontainers/runc:main
Kir Kolyshkin (1):
  tests/int: fix flaky kill tests

LGTMs: AkihiroSuda cyphar
2024-03-15 17:57:12 +11:00
Aleksa Sarai e0cfcb3f85 merge #4222 into opencontainers/runc:main
lifubang (1):
  fix runc-dmz bin path error in Makefile

LGTMs: AkihiroSuda cyphar
2024-03-15 17:34:36 +11:00
lifubang da79b616a3 fix runc-dmz bin path error in Makefile
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-03-14 18:16:09 +08:00
Aleksa Sarai 37581ad340 dmz: remove SELinux special-casing
Now that runc-dmz is opt-in, we no longer need to try to detect whether
SELinux would cause issues for us. We can also remove the
special-purpose build-tag we added.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-03-13 18:18:09 +11:00
Aleksa Sarai 1950892f69 merge #4174 into opencontainers/runc:main
Rodrigo Campos (3):
  Makefile: Fix runc-dmz removal
  contrib/cmd/memfd-bind: Mention runc-dmz needs RUNC_DMZ=true
  libct/dmz: Require RUNC_DMZ=true to opt-in

LGTMs: AkihiroSuda cyphar
2024-03-13 16:22:16 +11:00
Akihiro Suda eefc6ae254 features: implement returning potentiallyUnsafeConfigAnnotations list
See https://github.com/opencontainers/runtime-spec/blob/v1.2.0/features.md#unsafe-annotations-in-configjson

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-03-09 21:31:49 +09:00
dependabot[bot] 109a7a0478 Merge pull request #4203 from opencontainers/dependabot/go_modules/github.com/opencontainers/runtime-spec-1.2.0 2024-03-09 12:18:19 +00:00
dependabot[bot] 606251ab33 build(deps): bump github.com/opencontainers/runtime-spec
Bumps [github.com/opencontainers/runtime-spec](https://github.com/opencontainers/runtime-spec) from 1.1.1-0.20230823135140-4fec88fd00a4 to 1.2.0.
- [Release notes](https://github.com/opencontainers/runtime-spec/releases)
- [Changelog](https://github.com/opencontainers/runtime-spec/blob/main/ChangeLog)
- [Commits](https://github.com/opencontainers/runtime-spec/commits/v1.2.0)

---
updated-dependencies:
- dependency-name: github.com/opencontainers/runtime-spec
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-03-07 14:43:33 +09:00
Akihiro Suda ee7100854c Merge pull request #4216 from opencontainers/dependabot/go_modules/google.golang.org/protobuf-1.33.0
build(deps): bump google.golang.org/protobuf from 1.32.0 to 1.33.0
2024-03-07 14:41:36 +09:00
Akihiro Suda 9120ac6aa4 Merge pull request #4215 from opencontainers/dependabot/go_modules/golang.org/x/net-0.22.0
build(deps): bump golang.org/x/net from 0.21.0 to 0.22.0
2024-03-07 14:41:17 +09:00
dependabot[bot] bb5673f265 build(deps): bump golang.org/x/net from 0.21.0 to 0.22.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.21.0 to 0.22.0.
- [Commits](https://github.com/golang/net/compare/v0.21.0...v0.22.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-03-06 12:59:33 +00:00
dependabot[bot] 7ab66b187c build(deps): bump google.golang.org/protobuf from 1.32.0 to 1.33.0
Bumps google.golang.org/protobuf from 1.32.0 to 1.33.0.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-03-06 12:59:30 +00:00
dependabot[bot] 1491dec992 Merge pull request #4214 from opencontainers/dependabot/go_modules/golang.org/x/sys-0.18.0 2024-03-06 12:58:37 +00:00
dependabot[bot] 6056ed2dd6 build(deps): bump golang.org/x/sys from 0.17.0 to 0.18.0
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.17.0 to 0.18.0.
- [Commits](https://github.com/golang/sys/compare/v0.17.0...v0.18.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-03-05 04:18:12 +00:00
Rodrigo Campos fc76b136e1 Makefile: Fix runc-dmz removal
Signed-off-by: Rodrigo Campos <rodrigo@sdfg.com.ar>
2024-02-28 15:38:04 -03:00
Rodrigo Campos 46b72107f1 contrib/cmd/memfd-bind: Mention runc-dmz needs RUNC_DMZ=true
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2024-02-28 12:15:57 -03:00
Rodrigo Campos 1dae66f748 libct/dmz: Require RUNC_DMZ=true to opt-in
If it is compiled, the user needs to opt-in with this env variable to
use it.

While we are there, remove the RUNC_DMZ=legacy as that is now the
default.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2024-02-28 12:15:57 -03:00
lfbzhm 6cf6ddc358 Merge pull request #4208 from opencontainers/dependabot/github_actions/tim-actions/get-pr-commits-1.3.1
build(deps): bump tim-actions/get-pr-commits from 1.3.0 to 1.3.1
2024-02-28 18:23:56 +08:00
dependabot[bot] 935d586b39 build(deps): bump tim-actions/get-pr-commits from 1.3.0 to 1.3.1
Bumps [tim-actions/get-pr-commits](https://github.com/tim-actions/get-pr-commits) from 1.3.0 to 1.3.1.
- [Release notes](https://github.com/tim-actions/get-pr-commits/releases)
- [Commits](https://github.com/tim-actions/get-pr-commits/compare/v1.3.0...v1.3.1)

---
updated-dependencies:
- dependency-name: tim-actions/get-pr-commits
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-27 04:45:06 +00:00
Kir Kolyshkin d5e4c33001 Merge pull request #4205 from santidhammo/4204-fix-vendor
Fixed spelling mistake in the Makefile at .PHONY vendor
2024-02-16 10:28:32 -08:00
Kir Kolyshkin 86360598bd tests/int: fix flaky kill tests
It takes some time for the kernel to kill the process (and remove its
PID from cgroup.procs). To ensure we don't have flakes from reading
cgroup.procs right after the kill, check and wait for processes to
actually be gone.

Fixes: 4163
Reported-by: lifubang@acmcoder.com
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-02-15 13:32:33 -08:00
Sjoerd van Leent 82499d428a Fixed spelling mistake in the Makefile at .PHONY vendor
* Simple error correction of a spelling mistake which was
  introduced at commit b8f75f3

Signed-off-by: Sjoerd van Leent <sjoerd.van.leent@alliander.com>
2024-02-15 16:27:37 +01:00
Mrunal Patel 675292473b Merge pull request #4202 from kolyshkin/golangci-annot
ci/golangci-lint: add checks permission
2024-02-14 11:05:21 -08:00
Mrunal Patel bb56ed9e5f Merge pull request #4201 from kolyshkin/cleanups
libct/nsenter: rm dead code
2024-02-14 11:04:46 -08:00
Mrunal Patel aa8ba5bd59 Merge pull request #4187 from kolyshkin/gawk
tests/int: use gawk where needed
2024-02-14 11:04:09 -08:00
Kir Kolyshkin 93e377233f ci/golangci-lint: add checks permission
This permission is now needed so that the linter can annotate code in a
PR (see [1]).

[1] https://github.com/golangci/golangci-lint-action/pull/931/commits/bc1904f0c946172fc1821908fc41649db49f0334

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-02-12 22:14:41 -08:00
Kir Kolyshkin 302b2e89a6 tests/int: use gawk where needed
This expression is specific to GNU awk (gawk), so if someone has other version
of awk installed, this won't work and it's not easy to see why.

Explicitly requiring gawk here is better.

Revert "tests/int/helpers: gawk -> awk"

This reverts commit 4e65118d02.

Reported-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-02-12 14:44:42 -08:00
Kir Kolyshkin 9d2842debb Merge pull request #4200 from opencontainers/dependabot/github_actions/golangci/golangci-lint-action-4
build(deps): bump golangci/golangci-lint-action from 3 to 4
2024-02-12 14:35:20 -08:00
Kir Kolyshkin 3a9859bdc0 libct/nsenter: rm unused include
This was added by commit 9c444070 (to use LONG_MAX and INT_MAX) but the
code was later removed by commit ba0b5e26.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-02-12 13:19:12 -08:00
Kir Kolyshkin ea140db712 libct/nsenter: rm unused code
Commits b999376f and b999376f removed all users of this code.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-02-12 13:17:05 -08:00
dependabot[bot] 27cbabd00d build(deps): bump golangci/golangci-lint-action from 3 to 4
Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 3 to 4.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](https://github.com/golangci/golangci-lint-action/compare/v3...v4)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-12 04:07:38 +00:00
lfbzhm fd4533aff2 Merge pull request #4196 from opencontainers/dependabot/go_modules/golang.org/x/net-0.21.0
build(deps): bump golang.org/x/net from 0.20.0 to 0.21.0
2024-02-10 01:15:48 +08:00
dependabot[bot] afd90f44e8 build(deps): bump golang.org/x/net from 0.20.0 to 0.21.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.20.0 to 0.21.0.
- [Commits](https://github.com/golang/net/compare/v0.20.0...v0.21.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-10 00:50:10 +08:00
Akihiro Suda 66bdcbca46 Merge pull request #4190 from opencontainers/dependabot/go_modules/github.com/containerd/console-1.0.4
build(deps): bump github.com/containerd/console from 1.0.3 to 1.0.4
2024-02-10 01:38:13 +09:00
dependabot[bot] 97632a6d1b build(deps): bump github.com/containerd/console from 1.0.3 to 1.0.4
Bumps [github.com/containerd/console](https://github.com/containerd/console) from 1.0.3 to 1.0.4.
- [Release notes](https://github.com/containerd/console/releases)
- [Commits](https://github.com/containerd/console/compare/v1.0.3...v1.0.4)

---
updated-dependencies:
- dependency-name: github.com/containerd/console
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-09 15:20:19 +00:00
Akihiro Suda 0147f9eb74 Merge pull request #4197 from opencontainers/dependabot/go_modules/golang.org/x/sys-0.17.0
build(deps): bump golang.org/x/sys from 0.16.0 to 0.17.0
2024-02-10 00:19:40 +09:00
dependabot[bot] 174940a7eb build(deps): bump golang.org/x/sys from 0.16.0 to 0.17.0
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.16.0 to 0.17.0.
- [Commits](https://github.com/golang/sys/compare/v0.16.0...v0.17.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-08 22:29:27 +00:00
Kir Kolyshkin 56cc1be9db Merge pull request #4198 from lifubang/feat-TestCentos_Go1.21
[ci] update go version to 1.21 in cirrus ci
2024-02-08 14:23:55 -08:00
lfbzhm a596a05510 update go version to 1.21 in cirrus ci
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-02-08 08:24:13 -08:00
Kir Kolyshkin 7c004d8e05 Merge pull request #4192 from lifubang/feat-ClosePipeInExec
Close sync pipe explicitly in exec
2024-02-08 08:23:52 -08:00
lifubang bc4a869d5a test: no execve error msg synced to parent process
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-02-08 01:45:26 +00:00
lifubang d075058717 close the sync pipe explicitly in exec
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-02-08 01:45:06 +00:00
Aleksa Sarai 02120488a4 Merge pull request from GHSA-xr7r-f8xq-vfvv
fix GHSA-xr7r-f8xq-vfvv and harden fd leaks
2024-02-01 07:04:29 +11:00
Kir Kolyshkin 8454bbb613 Merge pull request #4175 from cyphar/fd-file-switch
init: use *os.File for passed file descriptors
2024-01-31 10:40:28 -08:00
Akihiro Suda 2dfc2feb43 Merge pull request #4173 from lifubang/fix-syncPipeClose
never send procError to parent process after sent procReady
2024-01-28 00:37:58 +09:00
lfbzhm 0bc4732c07 test for execve error without runc-dmz
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-01-25 04:52:29 +00:00
lifubang 35aa63ea87 never send procError after the socket closed
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-01-25 04:52:11 +00:00
Aleksa Sarai d8edada9f2 init: don't special-case logrus fds
We close the logfd before execve so there's no need to special case it.
In addition, it turns out that (*os.File).Fd() doesn't handle the case
where the file was closed and so it seems suspect to use that kind of
check.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-01-24 00:20:59 +11:00
Aleksa Sarai ee73091a8d libcontainer: mark all non-stdio fds O_CLOEXEC before spawning init
Given the core issue in GHSA-xr7r-f8xq-vfvv was that we were unknowingly
leaking file descriptors to "runc init", it seems prudent to make sure
we proactively prevent this in the future. The solution is to simply
mark all non-stdio file descriptors as O_CLOEXEC before we spawn "runc
init".

For libcontainer library users, this could result in unrelated files
being marked as O_CLOEXEC -- however (for the same reason we are doing
this for runc), for security reasons those files should've been marked
as O_CLOEXEC anyway.

Fixes: GHSA-xr7r-f8xq-vfvv CVE-2024-21626
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-01-24 00:20:59 +11:00
Aleksa Sarai 89c93ddf28 cgroup: plug leaks of /sys/fs/cgroup handle
We auto-close this file descriptor in the final exec step, but it's
probably a good idea to not possibly leak the file descriptor to "runc
init" (we've had issues like this in the past) especially since it is a
directory handle from the host mount namespace.

In practice, on runc 1.1 this does leak to "runc init" but on main the
handle has a low enough file descriptor that it gets clobbered by the
ForkExec of "runc init".

OPEN_TREE_CLONE would let us protect this handle even further, but the
performance impact of creating an anonymous mount namespace is probably
not worth it.

Also, switch to using an *os.File for the handle so if it goes out of
scope during setup (i.e. an error occurs during setup) it will get
cleaned up by the GC.

Fixes: GHSA-xr7r-f8xq-vfvv CVE-2024-21626
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-01-24 00:20:58 +11:00
Aleksa Sarai f2f16213e1 init: close internal fds before execve
If we leak a file descriptor referencing the host filesystem, an
attacker could use a /proc/self/fd magic-link as the source for execve
to execute a host binary in the container. This would allow the binary
itself (or a process inside the container in the 'runc exec' case) to
write to a host binary, leading to a container escape.

The simple solution is to make sure we close all file descriptors
immediately before the execve(2) step. Doing this earlier can lead to very
serious issues in Go (as file descriptors can be reused, any (*os.File)
reference could start silently operating on a different file) so we have
to do it as late as possible.

Unfortunately, there are some Go runtime file descriptors that we must
not close (otherwise the Go scheduler panics randomly). The only way of
being sure which file descriptors cannot be closed is to sneakily
go:linkname the runtime internal "internal/poll.IsPollDescriptor"
function. This is almost certainly not recommended but there isn't any
other way to be absolutely sure, while also closing any other possible
files.

In addition, we can keep the logrus forwarding logfd open because you
cannot execve a pipe and the contents of the pipe are so restricted
(JSON-encoded in a format we pick) that it seems unlikely you could even
construct shellcode. Closing the logfd causes issues if there is an
error returned from execve.

In mainline runc, runc-dmz protects us against this attack because the
intermediate execve(2) closes all of the O_CLOEXEC internal runc file
descriptors and thus runc-dmz cannot access them to attack the host.

Fixes: GHSA-xr7r-f8xq-vfvv CVE-2024-21626
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-01-24 00:20:58 +11:00
Aleksa Sarai 8e1cd2f56d init: verify after chdir that cwd is inside the container
If a file descriptor of a directory in the host's mount namespace is
leaked to runc init, a malicious config.json could use /proc/self/fd/...
as a working directory to allow for host filesystem access after the
container runs. This can also be exploited by a container process if it
knows that an administrator will use "runc exec --cwd" and the target
--cwd (the attacker can change that cwd to be a symlink pointing to
/proc/self/fd/... and wait for the process to exec and then snoop on
/proc/$pid/cwd to get access to the host). The former issue can lead to
a critical vulnerability in Docker and Kubernetes, while the latter is a
container breakout.

We can (ab)use the fact that getcwd(2) on Linux detects this exact case,
and getcwd(3) and Go's Getwd() return an error as a result. Thus, if we
just do os.Getwd() after chdir we can easily detect this case and error
out.

In runc 1.1, a /sys/fs/cgroup handle happens to be leaked to "runc
init", making this exploitable. On runc main it just so happens that the
leaked /sys/fs/cgroup gets clobbered and thus this is only consistently
exploitable for runc 1.1.

Fixes: GHSA-xr7r-f8xq-vfvv CVE-2024-21626
Co-developed-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: lifubang <lifubang@acmcoder.com>
[refactored the implementation and added more comments]
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-01-24 00:20:58 +11:00
Akihiro Suda 313ec8bcab Merge pull request #4176 from cyphar/cyphar-gpg-key
keyring: update key expiries
2024-01-23 21:18:51 +09:00
lfbzhm 4baaf18cfd Merge pull request #4172 from kinvolk/rata/runc-dmz
Fix runc-dmz error printing
2024-01-22 18:01:27 +08:00
Aleksa Sarai 7094efb192 init: use *os.File for passed file descriptors
While it doesn't make much of a practical difference, it seems far more
reasonable to use os.NewFile to wrap all of our passed file descriptors
to make sure they're tracked by the Go runtime and that we don't
double-close them.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-01-22 17:34:14 +11:00
Aleksa Sarai 093c83e13e keyring: update AkihiroSuda key expiry
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-01-22 16:16:17 +11:00
Aleksa Sarai 34eceb21e2 keyring: update cyphar@cyphar.com key expiry
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-01-22 16:15:52 +11:00
Rodrigo Campos fe95a2a06a tests/integration: Test exec failures
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2024-01-21 15:35:46 +01:00
Rodrigo Campos 8afeccc827 libct/dmz: Print execve() errors
This error code is using functions that are present in nolibc too.

When using nolibc, the error is printed like:

	exec /runc.armel: errno=8

When using libc, as its perror() implementation translates the errno to
a message, it is printed like:

	exec /runc.armel: exec format error

Note that when using libc, the error is printed in the same way as
before.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2024-01-21 15:35:46 +01:00
Akihiro Suda 10754b3d68 Merge pull request #4126 from ChHapp/patch-1
check-config.sh: Add CONFIG_NETFILTER_XT_MATCH_COMMENT to check
2024-01-18 11:28:53 +09:00
Akihiro Suda 0c5a735355 Merge pull request #4167 from opencontainers/dependabot/go_modules/golang.org/x/net-0.20.0
build(deps): bump golang.org/x/net from 0.19.0 to 0.20.0
2024-01-09 15:48:28 +09:00
dependabot[bot] b1e3c3c75c build(deps): bump golang.org/x/net from 0.19.0 to 0.20.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.19.0 to 0.20.0.
- [Commits](https://github.com/golang/net/compare/v0.19.0...v0.20.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-09 04:20:08 +00:00
Christian Happ 2a473a7630 Add CONFIG_NETFILTER_XT_MATCH_COMMENT to check
It seems that newer podman versions need the kernel comment flag too.

By podman run, iptables using -m comment in the iptables-command to add the corresponding network rules.

Signed-off-by: Christian Happ <Christian.Happ@jumo.net>
2024-01-08 12:00:08 +01:00
Aleksa Sarai cbd852b330 merge #4152 into opencontainers/runc:main
Akihiro Suda (1):
  script/check-config.sh: check CONFIG_CHECKPOINT_RESTORE

Kir Kolyshkin (4):
  script/check-config.sh: check CONFIG_BLK_CGROUP_IOCOST
  scripts/check-config: fix kernel version checks
  script/check-config: disable colors
  scripts/check-config: don't check MEMCG_SWAP on newer kernels

LGTMs: AkihiroSuda cyphar
2024-01-08 09:50:14 +11:00
Aleksa Sarai c255024a82 merge #4146 into opencontainers/runc:main
Akihiro Suda (1):
  TestCheckpoint: skip on ErrCriuMissingFeatures

LGTMs: cyphar kolyshkin lifubang
2024-01-07 00:32:33 +11:00
dependabot[bot] ab146f2335 Merge pull request #4161 from opencontainers/dependabot/go_modules/golang.org/x/sys-0.16.0 2024-01-05 09:36:48 +00:00
Aleksa Sarai 03f46d7185 merge #4159 into opencontainers/runc:main
lfbzhm (2):
  we have implemented idmapped-mounts with no limitations
  we have supported rsvd hugetlb cgroup

LGTMs: AkihiroSuda cyphar
2024-01-05 20:08:27 +11:00
dependabot[bot] e1e3ca02d9 build(deps): bump golang.org/x/sys from 0.15.0 to 0.16.0
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.15.0 to 0.16.0.
- [Commits](https://github.com/golang/sys/compare/v0.15.0...v0.16.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-05 04:27:10 +00:00
lfbzhm f4f282c259 Merge pull request #4151 from lengrongfu/fix/scheudle-validate
fix scheduler validate
2024-01-05 11:30:06 +08:00
lengrongfu 68438ba272 fix scheduler validate
Signed-off-by: lengrongfu <lenronfu@gmail.com>
2024-01-05 09:50:41 +08:00
lfbzhm 55c9d6bf01 we have implemented idmapped-mounts with no limitations
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-01-04 19:24:21 +08:00
lfbzhm e90d8cb8fe we have supported rsvd hugetlb cgroup
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2024-01-04 19:24:21 +08:00
Akihiro Suda 827c707823 Merge pull request #4139 from lifubang/fix-clean-remap-rootfs
remove remap-rootfs bin when running make clean
2024-01-04 17:36:08 +09:00
lfbzhm 35988abe20 Merge pull request #4157 from kinvolk/rata/idmap-errormsg
libct: Improve error msg when idmap is not supported
2023-12-29 22:48:53 +08:00
Rodrigo Campos a7c3e07c8f libct: Improve error msg when idmap is not supported
This gives a more clear error message when idmap mounts are not
supported on the source filesystem. For example, a k8s user will see
this now in kubectl describe pod:

	  Warning  Failed     2s (x2 over 4s)  kubelet, 127.0.0.1  Error: failed to create containerd task: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: failed to fulfil mount request: failed to set MOUNT_ATTR_IDMAP on /var/lib/kubelet/pods/f037a704-742c-40fe-8dbf-17ed9225c4df/volumes/kubernetes.io~empty-dir/hugepage: invalid argument (maybe the source filesystem doesn't support idmap mounts on this kernel?): unknown

This gives a hint on where to look at.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2023-12-28 14:15:24 +01:00
Akihiro Suda c48c428b1d Merge pull request #4155 from opencontainers/dependabot/go_modules/google.golang.org/protobuf-1.32.0
build(deps): bump google.golang.org/protobuf from 1.31.0 to 1.32.0
2023-12-26 03:30:33 +09:00
dependabot[bot] 43306be3f0 build(deps): bump google.golang.org/protobuf from 1.31.0 to 1.32.0
Bumps google.golang.org/protobuf from 1.31.0 to 1.32.0.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-12-25 04:35:41 +00:00
Kir Kolyshkin 5a4f52178d script/check-config.sh: check CONFIG_BLK_CGROUP_IOCOST
For `io.weight`

Co-authored-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-12-20 10:07:43 -08:00
Kir Kolyshkin d87366f019 scripts/check-config: fix kernel version checks
Looking at the code, I found out that kernel_lt function was actually
doing le ("less than or equal") rather than lt ("less than") operation.
Let's fix this and do exactly what the name says.

A bigger issue is, the function use was not consistent (some uses
implied "less than or equal").

To fix the usage, find out all relevant kernel commits and kernel
versions that have them (the latter is done using "git describe
--contains $sha"), and fix the wrong cases. While at it, add references
to all these kernel commits for the future generations of
check-config.sh hackers.

Also, add kernel_ge function which is the opposite of kernel_lt,
and document both.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-12-20 10:07:43 -08:00
Akihiro Suda 7f65cc75c7 script/check-config.sh: check CONFIG_CHECKPOINT_RESTORE
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2023-12-20 10:07:43 -08:00
Kir Kolyshkin 6aa4c1a13e script/check-config: disable colors
...when the stdout is not a terminal, and also when NO_COLOR environment
variable is set to any non-empty value (as per no-color.org).

Co-authored-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-12-20 10:06:52 -08:00
Kir Kolyshkin b94b559058 scripts/check-config: don't check MEMCG_SWAP on newer kernels
Kernel commit e55b9f96860f (which made its way into Linux v6.1-rc1)
removes CONFIG_MEMCG_SWAP entirely, so there's no sense to check for in
on newer kernels.

Make the check conditional.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-12-19 17:28:32 -08:00
Akihiro Suda 3f4a73d632 TestCheckpoint: skip on ErrCriuMissingFeatures
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2023-12-19 18:47:03 +09:00
lfbzhm c811308582 remove remap-rootfs bin when running make clean
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2023-12-18 07:20:50 +00:00
lfbzhm 0bbb7e9fcf move the target 'clean' next to 'all'
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2023-12-18 07:20:50 +00:00
Akihiro Suda 29222735a7 Merge pull request #4150 from lifubang/fix-int64err
fix a (u|g)IDMappings type value convertion error
2023-12-18 15:49:02 +09:00
lfbzhm d08ba9ca89 fix a (u|g)IDMappings type value convertion error
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2023-12-18 05:36:10 +00:00
lfbzhm 371ff9c5e7 Merge pull request #3985 from cyphar/idmap-generic
libcontainer: remove all mount logic from nsexec
2023-12-18 13:10:45 +08:00
dependabot[bot] 3878ef5657 Merge pull request #4148 from opencontainers/dependabot/github_actions/actions/upload-artifact-4 2023-12-15 12:09:05 +00:00
dependabot[bot] 7b655782bf build(deps): bump actions/upload-artifact from 3 to 4
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3 to 4.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-12-15 04:57:18 +00:00
lfbzhm a31262c1e3 Merge pull request #4134 from cyphar/ns-path-regression
specconv: temporarily allow userns path and mapping if they match
2023-12-14 12:39:02 +08:00
Aleksa Sarai 482e56379a configs: make id mappings int64 to better handle 32-bit
Using ints for all of our mapping structures means that a 32-bit binary
errors out when trying to parse /proc/self/*id_map:

  failed to cache mappings for userns: failed to parse uid_map of userns /proc/1/ns/user:
  parsing id map failed: invalid format in line "         0          0 4294967295": integer overflow on token 4294967295

This issue was unearthed by commit 1912d5988b ("*: actually support
joining a userns with a new container") but the underlying issue has
been present since the docker/libcontainer days.

In theory, switching to uint32 (to match the spec) instead of int64
would also work, but keeping everything signed seems much less
error-prone. It's also important to note that a mapping might be too
large for an int on 32-bit, so we detect this during the mapping.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-14 12:14:32 +11:00
Aleksa Sarai fa93c8b05b tests: mounts: add some tests to check mount ordering
Our previous implementation of idmapped mounts and bind-mount sources
would open all of the source paths before we did any mounts, meaning
that mounts using sources from inside the container rootfs would not be
correct.

This has been fixed with the new on-demand system, and so add some
regression tests.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-14 11:36:43 +11:00
Aleksa Sarai 3b57e45cbf mount: add support for ridmap and idmap
ridmap indicates that the id mapping should be applied recursively (only
really relevant for rbind mount entries), and idmap indicates that it
should not be applied recursively (the default). If no mappings are
specified for the mount, we use the userns configuration of the
container. This matches the behaviour in the currently-unreleased
runtime-spec.

This includes a minor change to the state.json serialisation format, but
because there has been no released version of runc with commit
fbf183c6f8 ("Add uid and gid mappings to mounts"), we can safely make
this change without affecting running containers. Doing it this way
makes it much easier to handle m.IsIDMapped() and indicating that a
mapping has been specified.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-14 11:36:42 +11:00
Aleksa Sarai 7795ca4668 specconv: handle recursive attribute clearing more consistently
If a user specifies a configuration like "rro, rrw", we should have
similar behaviour to "ro, rw" where we clear the previous flags so that
the last specified flag takes precendence.

Fixes: 382eba4354 ("Support recursive mount attrs ("rro", "rnosuid", "rnodev", ...)")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-14 11:36:42 +11:00
Aleksa Sarai cdff09ab87 rootfs: fix 'can we mount on top of /proc' check
Our previous test for whether we can mount on top of /proc incorrectly
assumed that it would only be called with bind-mount sources. This meant
that having a non bind-mount entry for a pseudo-filesystem (like
overlayfs) with a dummy source set to /proc on the host would let you
bypass the check, which could easily lead to security issues.

In addition, the check should be applied more uniformly to all mount
types, so fix that as well. And add some tests for some of the tricky
cases to make sure we protect against them properly.

Fixes: 331692baa7 ("Only allow proc mount if it is procfs")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-14 11:36:42 +11:00
Aleksa Sarai 8e8b136c49 tree-wide: use /proc/thread-self for thread-local state
With the idmap work, we will have a tainted Go thread in our
thread-group that has a different mount namespace to the other threads.
It seems that (due to some bad luck) the Go scheduler tends to make this
thread the thread-group leader in our tests, which results in very
baffling failures where /proc/self/mountinfo produces gibberish results.

In order to avoid this, switch to using /proc/thread-self for everything
that is thread-local. This primarily includes switching all file
descriptor paths (CLONE_FS), all of the places that check the current
cgroup (technically we never will run a single runc thread in a separate
cgroup, but better to be safe than sorry), and the aforementioned
mountinfo code. We don't need to do anything for the following because
the results we need aren't thread-local:

 * Checks that certain namespaces are supported by stat(2)ing
   /proc/self/ns/...

 * /proc/self/exe and /proc/self/cmdline are not thread-local.

 * While threads can be in different cgroups, we do not do this for the
   runc binary (or libcontainer) and thus we do not need to switch to
   the thread-local version of /proc/self/cgroups.

 * All of the CLONE_NEWUSER files are not thread-local because you
   cannot set the usernamespace of a single thread (setns(CLONE_NEWUSER)
   is blocked for multi-threaded programs).

Note that we have to use runtime.LockOSThread when we have an open
handle to a tid-specific procfs file that we are operating on multiple
times. Go can reschedule us such that we are running on a different
thread and then kill the original thread (causing -ENOENT or similarly
confusing errors). This is not strictly necessary for most usages of
/proc/thread-self (such as using /proc/thread-self/fd/$n directly) since
only operating on the actual inodes associated with the tid requires
this locking, but because of the pre-3.17 fallback for CentOS, we have
to do this in most cases.

In addition, CentOS's kernel is too old for /proc/thread-self, which
requires us to emulate it -- however in rootfs_linux.go, we are in the
container pid namespace but /proc is the host's procfs. This leads to
the incredibly frustrating situation where there is no way (on pre-4.1
Linux) to figure out which /proc/self/task/... entry refers to the
current tid. We can just use /proc/self in this case.

Yes this is all pretty ugly. I also wish it wasn't necessary.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-14 11:36:41 +11:00
Aleksa Sarai a04d88ec73 vendor: update to github.com/moby/sys/mountinfo@v0.7.1
The primary change is a switch to using /proc/thread-self, which is
needed for when we add a CLONE_FS thread to runc.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-14 11:36:41 +11:00
Aleksa Sarai 5ae88daf06 idmap: allow arbitrary idmap mounts regardless of userns configuration
With the rework of nsexec.c to handle MOUNT_ATTR_IDMAP in our Go code we
can now handle arbitrary mappings without issue, so remove the primary
artificial limit of mappings (must use the same mapping as the
container's userns) and add some tests.

We still only support idmap mounts for bind-mounts because configuring
mappings for other filesystems would require switching our entire mount
machinery to the new mount API. The current design would easily allow
for this but we would need to convert new mount options entirely to the
fsopen/fsconfig/fsmount API. This can be done in the future.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-14 11:36:41 +11:00
Aleksa Sarai ba0b5e2698 libcontainer: remove all mount logic from nsexec
With open_tree(OPEN_TREE_CLONE), it is possible to implement both the
id-mapped mounts and bind-mount source file descriptor logic entirely in
Go without requiring any complicated handling from nsexec.

However, implementing it the naive way (do the OPEN_TREE_CLONE in the
host namespace before the rootfs is set up -- which is what the existing
implementation did) exposes issues in how mount ordering (in particular
when handling mount sources from inside the container rootfs, but also
in relation to mount propagation) was handled for idmapped mounts and
bind-mount sources. In order to solve this problem completely, it is
necessary to spawn a thread which joins the container mount namespace
and provides mountfds when requested by the rootfs setup code (ensuring
that the mount order and mount propagation of the source of the
bind-mount are handled correctly). While the need to join the mount
namespace leads to other complicated (such as with the usage of
/proc/self -- fixed in a later patch) the resulting code is still
reasonable and is the only real way to solve the issue.

This allows us to reduce the amount of C code we have in nsexec, as well
as simplifying a whole host of places that were made more complicated
with the addition of id-mapped mounts and the bind sourcefd logic.
Because we join the container namespace, we can continue to use regular
O_PATH file descriptors for non-id-mapped bind-mount sources (which
means we don't have to raise the kernel requirement for that case).

In addition, we can easily add support for id-mappings that don't match
the container's user namespace. The approach taken here is to use Go's
officially supported mechanism for spawning a process in a user
namespace, but (ab)use PTRACE_TRACEME to avoid actually having to exec a
different process. The most efficient way to implement this would be to
do clone() in cgo directly to run a function that just does
kill(getpid(), SIGSTOP) -- we can always switch to that if it turns out
this approach is too slow. It should be noted that the included
micro-benchmark seems to indicate this is Fast Enough(TM):

  goos: linux
  goarch: amd64
  pkg: github.com/opencontainers/runc/libcontainer/userns
  cpu: Intel(R) Core(TM) i5-10210U CPU @ 1.60GHz
  BenchmarkSpawnProc
  BenchmarkSpawnProc-8        1670            770065 ns/op

Fixes: fda12ab101 ("Support idmap mounts on volumes")
Fixes: 9c444070ec ("Open bind mount sources from the host userns")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-14 11:36:40 +11:00
Aleksa Sarai ebcef3e651 specconv: temporarily allow userns path and mapping if they match
It turns out that the error added in commit 09822c3da8 ("configs:
disallow ambiguous userns and timens configurations") causes issues with
containerd and CRIO because they pass both userns mappings and a userns
path.

These configurations are broken, but to avoid the regression in this one
case, output a warning to tell the user that the configuration is
incorrect but we will continue to use it if and only if the configured
mappings are identical to the mappings of the provided namespace.

Fixes: 09822c3da8 ("configs: disallow ambiguous userns and timens configurations")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-10 20:49:43 +11:00
dependabot[bot] 99f7fa1413 Merge pull request #4135 from opencontainers/dependabot/github_actions/actions/setup-go-5 2023-12-07 07:56:45 +00:00
dependabot[bot] e66ba70f50 build(deps): bump actions/setup-go from 4 to 5
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4 to 5.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-12-07 04:18:24 +00:00
Akihiro Suda 4516c25538 Merge pull request #4124 from cyphar/ns-path-handling
*: fix several issues with namespace path handling
2023-12-05 16:40:14 +09:00
Aleksa Sarai c045886f71 tests: remap rootfs for userns tests
Previously, all of our userns tests worked around the remapping issue by
creating the paths that runc would attempt to create (like /proc).
However, this isn't really accurate to how real userns containers are
created, so it's much better to actually remap the rootfs.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-05 17:46:10 +11:00
Aleksa Sarai 6fa8d06843 integration: add mega-test for joining namespaces
Given we've had several bugs in this behaviour that have now been fixed,
add an integration test that makes sure that you can start a container
that joins all of the namespaces of a second container.

The only namespace we do not join is the mount namespace, because
joining a namespace that has been pivot_root'd leads to a bunch of
errors. In principle, removing everything from config.json that requires
a mount _should_ work, but the root.path configuration is mandatory and
we cannot just ignore setting up the rootfs in the namespace joining
scenario (if the user has configured a different rootfs, we need to use
it or error out, and there's no reasonable way of checking if if the
rootfs paths are the same that doesn't result in spaghetti logic).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-05 17:46:10 +11:00
Aleksa Sarai e6fb7fe515 nsexec: allow timens to work with non-rootless userns
The owner of /proc/self/timens_offsets doesn't change after creating a
userns, meaning that we need to request stage-0 to write our timens
mappings for us. Before this patch, attempting to use timens with a
proper userns resulted in:

  FATA[0000] nsexec-1[18564]: failed to update /proc/self/timens_offsets: Permission denied
  FATA[0000] nsexec-0[18562]: failed to sync with stage-1: next state: Success
  ERRO[0000] runc run failed: unable to start container process: can't get final child's PID from pipe: EOF

Fixes: ebc2e7c435 ("Support time namespace")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-05 17:46:09 +11:00
Aleksa Sarai 09822c3da8 configs: disallow ambiguous userns and timens configurations
For userns and timens, the mappings (and offsets, respectively) cannot
be changed after the namespace is first configured. Thus, configuring a
container with a namespace path to join means that you cannot also
provide configuration for said namespace. Previously we would silently
ignore the configuration (and just join the provided path), but we
really should be returning an error (especially when you consider that
the configuration userns mappings are used quite a bit in runc with the
assumption that they are the correct mapping for the userns -- but in
this case they are not).

In the case of userns, the mappings are also required if you _do not_
specify a path, while in the case of the time namespace you can have a
container with a timens but no mappings specified.

It should be noted that the case checking that the user has not
specified a userns path and a userns mapping needs to be handled in
specconv (as opposed to the configuration validator) because with this
patchset we now cache the mappings of path-based userns configurations
and thus the validator can't be sure whether the mapping is a cached
mapping or a user-specified one. So we do the validation in specconv,
and thus the test for this needs to be an integration test.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-05 17:46:09 +11:00
Aleksa Sarai 3bab7e9223 configs: clean up error messages for Host[UG]ID
If a user has misconfigured their userns mappings, they need to know
which id specifically is not mapped. There's no need to be vague.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-05 17:46:09 +11:00
Aleksa Sarai 9387eac3a5 init: don't pre-flight-check the set[ug]id arguments
While we do cache the mappings when using userns paths, there's no need
to do this in this particular case, since we are in the namespace and
set[ug]id() give unambiguous EINVAL error codes if the id is unmapped.
This appears to also be the only code which does Host[UG]ID calculations
from inside "runc init".

Ref: 1a5fdc1c5f ("init: support setting -u with rootless containers")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-05 17:46:08 +11:00
Aleksa Sarai 1912d5988b *: actually support joining a userns with a new container
Our handling for name space paths with user namespaces has been broken
for a long time. In particular, the need to parse /proc/self/*id_map in
quite a few places meant that we would treat userns configurations that
had a namespace path as if they were a userns configuration without
mappings, resulting in errors.

The primary issue was down to the id translation helper functions, which
could only handle configurations that had explicit mappings. Obviously,
when joining a user namespace we need to map the ids but figuring out
the correct mapping is non-trivial in comparison.

In order to get the mapping, you need to read /proc/<pid>/*id_map of a
process inside the userns -- while most userns paths will be of the form
/proc/<pid>/ns/user (and we have a fast-path for this case), this is not
guaranteed and thus it is necessary to spawn a process inside the
container and read its /proc/<pid>/*id_map files in the general case.

As Go does not allow us spawn a subprocess into a target userns,
we have to use CGo to fork a sub-process which does the setns(2). To be
honest, this is a little dodgy in regards to POSIX signal-safety(7) but
since we do no allocations and we are executing in the forked context
from a Go program (not a C program), it should be okay. The other
alternative would be to do an expensive re-exec (a-la nsexec which would
make several other bits of runc more complicated), or to use nsenter(1)
which might not exist on the system and is less than ideal.

Because we need to logically remap users quite a few times in runc
(including in "runc init", where joining the namespace is not feasable),
we cache the mapping inside the libcontainer config struct. A future
patch will make sure that we stop allow invalid user configurations
where a mapping is specified as well as a userns path to join.

Finally, add an integration test to make sure we don't regress this again.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-05 17:46:08 +11:00
Aleksa Sarai 884117471c tests: integration: fix spurious SC203[01] shellcheck errors
We had ignore lines for these warnings, but it turns out this is most
likely a bug in shellcheck and we can work around it by moving the
helper function definition before any of the functions that use the
helper function. Hopefully it'll be fixed soon.

Ref: https://github.com/koalaman/shellcheck/issues/2873
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-12-05 17:39:37 +11:00
dependabot[bot] 9fffadae83 Merge pull request #4127 from opencontainers/dependabot/go_modules/golang.org/x/net-0.19.0 2023-11-28 11:25:35 +00:00
Aleksa Sarai c9019ea9eb merge #4102 into opencontainers/runc:main
Kir Kolyshkin (8):
  libct: replace runType with hasInit
  libct: Signal: slight refactor
  runc kill: fix sending KILL to non-pidns container
  runc delete -f: fix for no pidns + no init case
  libct/cg: improve cgroup removal logic
  runc delete: do not ignore error from destroy
  runc delete, container.Destroy: kill all processes
  libct: Destroy: don't proceed in case of errors

LGTMs: lifubang cyphar
2023-11-28 17:51:06 +11:00
dependabot[bot] c25493fce4 build(deps): bump golang.org/x/net from 0.17.0 to 0.19.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.17.0 to 0.19.0.
- [Commits](https://github.com/golang/net/compare/v0.17.0...v0.19.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-11-28 06:40:44 +00:00
dependabot[bot] eb2443076f Merge pull request #4128 from opencontainers/dependabot/go_modules/golang.org/x/sys-0.15.0 2023-11-28 06:40:07 +00:00
dependabot[bot] b278296513 build(deps): bump golang.org/x/sys
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.14.1-0.20231108175955-e4099bfacb8c to 0.15.0.
- [Commits](https://github.com/golang/sys/commits/v0.15.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-11-28 04:47:32 +00:00
Kir Kolyshkin a6f4081766 libct: Destroy: don't proceed in case of errors
For some reason, container destroy operation removes container's state
directory even if cgroup removal fails (and then still returns an
error). It has been that way since commit 5c246d038f, which added
cgroup removal.

This is problematic because once the container state dir is removed, we
no longer know container's cgroup and thus can't remove it.

Let's return the error early and fail if cgroup can't be removed.

Same for other operations: do not proceed if we fail.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-11-27 09:15:39 -08:00
Kir Kolyshkin ab3cd8d73e runc delete, container.Destroy: kill all processes
(For a container with no private PID namespace, that is).

When runc delete (or container.Destroy) is called on a stopped
container without private PID namespace and there are processes
in its cgroup, kill those.

Add a test case.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-11-27 09:15:39 -08:00
Kir Kolyshkin 7396ca90fa runc delete: do not ignore error from destroy
If container.Destroy() has failed, runc destroy still return 0, which is
wrong and can result in other issues down the line.

Let's always return error from destroy in runc delete.

For runc checkpoint and runc run, we still treat it as a warning.

Co-authored-by: Zhang Tianyang <burning9699@gmail.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-11-27 09:15:39 -08:00
Kir Kolyshkin d3d7f7d85a libct/cg: improve cgroup removal logic
The current code is only doing retries in RemovePaths, which is only
used for cgroup v1 (cgroup v2 uses RemovePath, which makes no retries).

Let's remove all retry logic and logging from RemovePaths, together
with:

 - os.Stat check from RemovePaths (its usage probably made sense before
   commit 19be8e5ba5 but not after);

 - error/warning logging from RemovePaths (this was added by commit
   19be8e5ba5 in 2020 and so far we've seen no errors other
   than EBUSY, so reporting the actual error proved to be useless).

Add the retry logic to rmdir, and the second retry bool argument.
Decrease the initial delay and increase the number of retries from the
old implementation so it can take up to ~1 sec before returning EBUSY
(was about 0.3 sec).

Hopefully, as a result, we'll have less "failed to remove cgroup paths"
errors.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-11-27 09:15:39 -08:00
Kir Kolyshkin 29283bb7db runc delete -f: fix for no pidns + no init case
Commit f8ad20f moved the kill logic from container destroy to container
kill (which is the right thing to do).

Alas, it broke the use case of doing "runc delete -f" for a container
which does not have its own private PID namespace, when its init process
is gone. In this case, some processes may still be running, and runc
delete -f should kill them (the same way as "runc kill" does).

It does not do that because the container status is "stopped" (as runc
considers the container with no init process as stopped), and so we only
call "destroy" (which was doing the killing before).

The fix is easy: if --force is set, call killContainer no matter what.

Add a test case, similar to the one in the previous commit.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-11-27 09:15:39 -08:00
Kir Kolyshkin dcf1b731f5 runc kill: fix sending KILL to non-pidns container
Commit f8ad20f made it impossible to kill leftover processes in a
stopped container that does not have its own PID namespace. In other
words, if a container init is gone, it is no longer possible to use
`runc kill` to kill the leftover processes.

Fix this by moving the check if container init exists to after the
special case of handling the container without own PID namespace.

While at it, fix the minor issue introduced by commit 9583b3d:
if signalAllProcesses is used, there is no need to thaw the
container (as freeze/thaw is either done in signalAllProcesses already,
or not needed at all).

Also, make signalAllProcesses return an error early if the container
cgroup does not exist (as it relies on it to do its job). This way, the
error message returned is more generic and easier to understand
("container not running" instead of "can't open file").

Finally, add a test case.

Fixes: f8ad20f
Fixes: 9583b3d
Co-authored-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-11-27 09:15:39 -08:00
Kir Kolyshkin 542cce0122 libct: Signal: slight refactor
Let's use c.hasInit and c.isPaused where needed instead of
c.curentStatus for simplicity.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-11-27 09:15:39 -08:00
Kir Kolyshkin d9f2a24a5b libct: replace runType with hasInit
The semantics of runType is slightly complicated, and the only place
where we need to distinguish between Created and Running is
refreshState.

Replace runType with simpler hasInit, simplifying its users (except the
refreshState, which now figures out on its own whether the container is
Created or Running).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-11-27 09:15:39 -08:00
lfbzhm 95a93c132c Merge pull request #4045 from fuweid/support-pidfd-socket
[feature request] *: introduce pidfd-socket flag
2023-11-22 09:13:55 +08:00
Wei Fu 94505a046a *: introduce pidfd-socket flag
The container manager like containerd-shim can't use cgroup.kill feature or
freeze all the processes in cgroup to terminate the exec init process.
It's unsafe to call kill(2) since the pid can be recycled. It's good to
provide the pidfd of init process through the pidfd-socket. It's similar to
the console-socket. With the pidfd, the container manager like containerd-shim
can send the signal to target process safely.

And for the standard init process, we can have polling support to get
exit event instead of blocking on wait4.

Signed-off-by: Wei Fu <fuweid89@gmail.com>
2023-11-21 18:28:50 +08:00
Aleksa Sarai 32d433cf52 merge #3990 into opencontainers/runc:main
Aleksa Sarai (1):
  configs: validate: add validation for bind-mount fsflags

LGTMs: kolyshkin AkihiroSuda
2023-11-18 16:46:33 +11:00
Aleksa Sarai a2ba98557d merge #4119 into opencontainers/runc:main
lfbzhm (2):
  fix some unit test error after bump ebpf to 0.12.3
  bump github.com/cilium/ebpf from 0.12.2 to 0.12.3

LGTMs: kolyshkin cyphar
2023-11-11 23:00:05 +11:00
lfbzhm 3bde5111b4 fix some unit test error after bump ebpf to 0.12.3
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2023-11-10 13:56:34 +00:00
lfbzhm b2f7614afc bump github.com/cilium/ebpf from 0.12.2 to 0.12.3
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
2023-11-10 13:48:36 +00:00
Akihiro Suda 5bcffdffdb Merge pull request #4101 from cyphar/runc-dmz-go-get-build
libcontainer: dmz: fix "go get" builds
2023-11-06 20:00:27 -06:00
Kir Kolyshkin 2705c9c5d6 Merge pull request #4095 from kolyshkin/flake-tmpfs-perm
tests/int: fix flaky "runc run with tmpfs perm"
2023-11-06 17:46:35 -08:00
Akihiro Suda 0580863679 Merge pull request #4107 from kolyshkin/dmz-selinux-followup
ci/cirrus: disable selinux-dmz kludge for centos-stream-8
2023-11-06 16:46:33 -06:00
Kir Kolyshkin 823636c3dd ci/cirrus: disable selinux-dmz kludge for centos-stream-8
It now comes with container-selinux 2:2.224.0-1.module_el8+712+4cd1bd69,
so we only need the kludge for CentOS 7 (which, I guess, is the sole
reason why we have this kludge at all).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-11-06 13:41:22 -08:00
Kir Kolyshkin 2f67370fa1 Merge pull request #4099 from kolyshkin/skip-centos-7
Skip TestWriteCgroupFileHandlesInterrupt on CentOS 7
2023-11-06 13:37:45 -08:00
Aleksa Sarai 9d8fa6d695 libcontainer: dmz: fix "go get" builds
Because runc-dmz is not checked into Git, go get will end up creating a
copy of libcontainer/dmz with no runc-dmz binary, which causes external
libcontainer users to have compilation errors.

Unfortunately, we cannot get go:embed to just ignore that there are no
files matching the provided pattern, so instead we need to create a
dummy file that matches the go:embed (which we check into Git and so go
get _will_ copy) and switch to embed.FS.

This is a little bit uglier, but at least it will fix external
libcontainer users.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-11-03 08:23:14 +11:00
Aleksa Sarai 1f9d9a3a6a merge #4053 into opencontainers/runc:main
Kir Kolyshkin (3):
  Add dmz-vs-selinux kludge and a way to disable it
  README: fix reference to memfd-bind
  tests/int: add selinux test case

LGTMs: AkihiroSuda cyphar
2023-11-02 12:41:16 +11:00
Aleksa Sarai 669f4dbef8 configs: validate: add validation for bind-mount fsflags
Bind-mounts cannot have any filesystem-specific "data" arguments,
because the kernel ignores the data argument for MS_BIND and
MS_BIND|MS_REMOUNT and we cannot safely try to override the flags
because those would affect mounts on the host (these flags affect the
superblock).

It should be noted that there are cases where the filesystem-specified
flags will also be ignored for non-bind-mounts but those are kernel
quirks and there's no real way for us to work around them. And users
wouldn't get any real benefit from us adding guardrails to existing
kernel behaviour.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-11-02 07:50:03 +11:00
Kir Kolyshkin da44f6923f Merge pull request #4104 from kinvolk/rata/relax-dst-path-rel
libct: Remove old comment
2023-11-01 10:53:35 -07:00
Rodrigo Campos 4bf8b55594 libct: Remove old comment
We changed it in PR:
	https://github.com/opencontainers/runtime-spec/pull/1225

But we missed to remove this comment.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2023-11-01 12:48:42 +01:00
Kir Kolyshkin 87bd784614 Add dmz-vs-selinux kludge and a way to disable it
Add a workaround for a problem of older container-selinux not allowing
runc to use dmz feature. If runc sees that SELinux is in enforced mode
and the container's SELinux label is set, it disables dmz.

Add a build tag, runc_dmz_selinux_nocompat, which disables the workaround.
Newer distros that ship container-selinux >= 2.224.0 (currently CentOS
Stream 8 and 9, RHEL 8 and 9, and Fedora 38+) may build runc with this
build tag set to benefit from dmz working with SELinux.

Document the build tag in the top-level and libct/dmz READMEs.

Use the build tag in our CI builds for CentOS Stream 9 and Fedora 38,
as they already has container-selinux 2.224.0 available in updates.

Add a TODO to use the build tag for CentOS Stream 8 once it has
container-selinux updated.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-30 16:55:41 -07:00
Kir Kolyshkin 393c7a81c9 README: fix reference to memfd-bind
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-30 16:55:41 -07:00
Kir Kolyshkin b39781b067 tests/int: add selinux test case
This is a test case to demonstrate the selinux vs dmz issue.

The issue is, runc calls selinux.SetExecLabel and then execs the
runc-dmz binary, but the execve is denied by selinux:

> type=PROCTITLE msg=audit(10/05/2023 22:54:07.911:10904) : proctitle=/tmp/bats-run-sGk2sn/runc.Ql243q/bundle/runc init
> type=SYSCALL msg=audit(10/05/2023 22:54:07.911:10904) : arch=x86_64 syscall=execveat success=no exit=EACCES(Permission denied) a0=0x6 a1=0xc0000b90fa a2=0xc0000a26a0 a3=0xc000024660 items=0 ppid=105316 pid=105327 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=8 comm=runc:[2:INIT] exe=/tmp/bats-run-sGk2sn/runc.Ql243q/bundle/runc subj=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(10/05/2023 22:54:07.911:10904) : avc:  denied  { entrypoint } for  pid=105327 comm=runc:[2:INIT] path=/memfd:runc_cloned:runc-dmz (deleted) dev="tmpfs" ino=2341 scontext=system_u:system_r:container_t:s0:c4,c5 tcontext=unconfined_u:object_r:container_runtime_tmpfs_t:s0 tclass=file permissive=0

Once that error is fixed (by adding a selinux rule that enables it), we
see one more error, also related to executing a file on tmpfs.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-30 16:55:41 -07:00
Kir Kolyshkin b2539a7dc3 libct/cg: skip TestWriteCgroupFileHandlesInterrupt on CentOS 7
It's flaky (kernel bug?) and there's probably nothing we can do about
it.

Fixes #3418.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-30 16:54:17 -07:00
Kir Kolyshkin a2f7c6add8 internal/testutil: create, add SkipOnCentOS
CentOS 7 is showing its age and we'd rather skip some tests on it than
find out why they are flaky.

Add internal/testutil package, and move the generalized version of
SkipOnCentOS7 from libcontainer/cgroups/devices to there.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-30 16:54:17 -07:00
Aleksa Sarai ef1166a554 Merge pull request from GHSA-5g49-rx9x-qfc6
libct/cgroups.OpenFile: clean "file" argument
2023-10-30 18:37:05 +11:00
lfbzhm 6aa4d8d791 Merge pull request #4082 from Zheaoli/manjusaka/support-personality
carry #3126: linux: Support setting execution domain via linux personality
2023-10-28 22:18:42 +08:00
Kir Kolyshkin 2c9598c886 libct/cgroups.OpenFile: clean "file" argument
This prevents potential exploit of using "../" in cgroups.OpenFile
(as well as other methods that use OpenFile) to read or write to
other cgroups.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-27 10:46:32 -07:00
Zheao.Li 98511bb40e linux: Support setting execution domain via linux personality
carry #3126

Co-authored-by: Aditya R <arajan@redhat.com>
Signed-off-by: Zheao.Li <me@manjusaka.me>
2023-10-27 19:33:37 +08:00
Kir Kolyshkin 6d27922005 tests/int: fix flaky "runc run with tmpfs perm"
Apparently, sometimes a short-lived "runc run" produces result with \r
and sometimes without. As a result, we have an occasional failure of
"runc run with tmpfs perms" test.

The solution (to the flaky test) is to use the first line of the output
(like many other tests do).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-25 18:57:29 -07:00
lfbzhm edd00eb3cb Merge pull request #4010 from HeRaNO/use-peak
feat: add `swapOnlyUsage` in `MemoryStats`
2023-10-25 22:18:02 +08:00
lfbzhm 1947d0c4b1 Merge pull request #3972 from mythi/misc-stats
libct/cg/stats: support misc for cgroup v2
2023-10-25 19:39:35 +08:00
Heran Yang 104b8dc951 libct/cg: add swapOnlyUsage in MemoryStats
This field reports swap-only usage. For cgroupv1, `Usage` and `Failcnt`
are set by subtracting memory usage from memory+swap usage. For cgroupv2,
`Usage`, `Limit`, and `MaxUsage` are set. This commit also export `MaxUsage`
of memory under cgroupv2 mode, using `memory.peak` introduced in kernel 5.19.

Signed-off-by: Heran Yang <heran55@126.com>
2023-10-25 09:47:25 +08:00
lfbzhm a68529ce5b Merge pull request #3967 from cyphar/remove-mount-fallback-flag
rootfs: remove --no-mount-fallback and finally fix MS_REMOUNT
2023-10-24 21:02:40 +08:00
Aleksa Sarai 7c71a22705 rootfs: remove --no-mount-fallback and finally fix MS_REMOUNT
The original reasoning for this option was to avoid having mount options
be overwritten by runc. However, adding command-line arguments has
historically been a bad idea because it forces strict-runc-compatible
OCI runtimes to copy out-of-spec features directly from runc and these
flags are usually quite difficult to enable by users when using runc
through several layers of engines and orchestrators.

A far more preferable solution is to have a heuristic which detects
whether copying the original mount's mount options would override an
explicit mount option specified by the user. In this case, we should
return an error. You only end up in this path in the userns case, if you
have a bind-mount source with locked flags.

During the course of writing this patch, I discovered that several
aspects of our handling of flags for bind-mounts left much to be
desired. We have completely botched the handling of explicitly cleared
flags since commit 97f5ee4e6a ("Only remount if requested flags differ
from current"), with our behaviour only becoming increasingly more weird
with 50105de1d8 ("Fix failure with rw bind mount of a ro fuse") and
da780e4d27 ("Fix bind mounts of filesystems with certain options
set"). In short, we would only clear flags explicitly request by the
user purely by chance, in ways that it really should've been reported to
us by now. The most egregious is that mounts explicitly marked "rw" were
actually mounted "ro" if the bind-mount source was "ro" and no other
special flags were included. In addition, our handling of atime was
completely broken -- mostly due to how subtle the semantics of atime are
on Linux.

Unfortunately, while the runtime-spec requires us to implement
mount(8)'s behaviour, several aspects of the util-linux mount(8)'s
behaviour are broken and thus copying them makes little sense. Since the
runtime-spec behaviour for this case (should mount options for a "bind"
mount use the "mount --bind -o ..." or "mount --bind -o remount,..."
semantics? Is the fallback code we have for userns actually
spec-compliant?) and the mount(8) behaviour (see [1]) are not
well-defined, this commit simply fixes the most obvious aspects of the
behaviour that are broken while keeping the current spirit of the
implementation.

NOTE: The handling of atime in the base case is left for a future PR to
deal with. This means that the atime of the source mount will be
silently left alone unless the fallback path needs to be taken, and any
flags not explicitly set will be cleared in the base case. Whether we
should always be operating as "mount --bind -o remount,..." (where we
default to the original mount source flags) is a topic for a separate PR
and (probably) associated runtime-spec PR.

So, to resolve this:

* We store which flags were explicitly requested to be cleared by the
  user, so that we can detect whether the userns fallback path would end
  up setting a flag the user explicitly wished to clear. If so, we
  return an error because we couldn't fulfil the configuration settings.

* Revert 97f5ee4e6a ("Only remount if requested flags differ from
  current"), as missing flags do not mean we can skip MS_REMOUNT (in
  fact, missing flags are how you indicate a flag needs to be cleared
  with mount(2)). The original purpose of the patch was to fix the
  userns issue, but as mentioned above the correct mechanism is to do a
  fallback mount that copies the lockable flags from statfs(2).

* Improve handling of atime in the fallback case by:
    - Correctly handling the returned flags in statfs(2).
    - Implement the MNT_LOCK_ATIME checks in our code to ensure we
      produce errors rather than silently producing incorrect atime
      mounts.

* Improve the tests so we correctly detect all of these contingencies,
  including a general "bind-mount atime handling" test to ensure that
  the behaviour described here is accurate.

This change also inlines the remount() function -- it was only ever used
for the bind-mount remount case, and its behaviour is very bind-mount
specific.

[1]: https://github.com/util-linux/util-linux/issues/2433

Reverts: 97f5ee4e6a ("Only remount if requested flags differ from current")
Fixes: 50105de1d8 ("Fix failure with rw bind mount of a ro fuse")
Fixes: da780e4d27 ("Fix bind mounts of filesystems with certain options set")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-10-24 17:28:25 +11:00
Kir Kolyshkin 153865d0fe tests/int: fix teardown in mounts_sshfs.bats
Function teardown assumes that every test case will call
setup_sshfs. Currently, this assumption is true, but once
a test case that won't call setup_sshfs is added (say because
it has some extra "requires" or "skip"), it will break bats,
so any bats invocation involving such a test case will end up
hanging after the last test case is run.

The reason is, we have set -u in helpers.bash to help catching the use
of undefined variables. In the above scenario, such a variable is DIR,
which is referenced in teardown but is only defined after a call to
setup_sshfs. As a result, bash that is running the teardown function
will exit upon seeing the first $DIR, and thus teardown_bundle won't be
run. This, in turn, results in a stale recvtty process, which inherits
bats' fd 3. Until that fd is closed, bats waits for test logs.

Long story short, the fix is to
 - check if DIR is set before referencing it;
 - unset it after unmount.

PS it is still not clear why there is no diagnostics about the failed
teardown.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-10-24 17:28:13 +11:00
Kir Kolyshkin 3272edfe3b Merge pull request #4085 from kolyshkin/fix-check_cgroup_value
CI fixes
2023-10-23 17:29:56 -07:00
Kir Kolyshkin 7f5daa8805 libct/cg/fs.Set: fix error message
There is no point in showing the underlying error when path == "",
because it is ENOENT.

Revert the change done in commit e1584831b6.

Fixes: e1584831b6
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-23 11:25:57 -07:00
Kir Kolyshkin 5ea7c60f33 tests/int: fix cgroup tests
Commit e1584831b6 did two modifications to check_cgroup_value():

1. It now skips the test if the file is not found.

2. If the comparison failed, a second comparison, with value divided by 1000,
   is performed.

These modifications were only needed for cpu.burst, but instead were done
in a generic function used from many cgroup tests. As a result, we can
no longer be sure about the test coverage (item 1) and the check being
correct (item 2) anymore. In fact, part of "update cgroup cpu limits"
test is currently skipped on CentOS 7 and 8 because of item 1.

To fix:
 - replace item 1 with a new "cgroups_cpu_burst" argument for "requires",
   and move the test to a separate case;
 - replace item 2 with a local change in check_cpu_burst.

Fixes: e1584831b6
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-23 11:25:57 -07:00
Kir Kolyshkin bbf8eff818 tests/int: fix "runc run (hugetlb limits)"
Recent commit 4a7d3ae5cd had a bug (extra period).

Fixes: 4a7d3ae5cd
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-23 11:25:48 -07:00
dependabot[bot] 37ad02b601 Merge pull request #4087 from opencontainers/dependabot/go_modules/github.com/cilium/ebpf-0.12.2 2023-10-23 15:15:49 +00:00
lfbzhm 0090e2acc1 Merge pull request #4084 from kolyshkin/no-retry
libct/cg: remove retry on EINTR in
2023-10-23 23:11:57 +08:00
dependabot[bot] d60d17a6ec build(deps): bump github.com/cilium/ebpf from 0.12.1 to 0.12.2
Bumps [github.com/cilium/ebpf](https://github.com/cilium/ebpf) from 0.12.1 to 0.12.2.
- [Release notes](https://github.com/cilium/ebpf/releases)
- [Commits](https://github.com/cilium/ebpf/compare/v0.12.1...v0.12.2)

---
updated-dependencies:
- dependency-name: github.com/cilium/ebpf
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-23 04:08:30 +00:00
Kir Kolyshkin 9cd5d6cddf libct/cg: remove retry on EINTR in
Commit f34eb2c00 introduced a workaround to retry on EINTR due to changes in Go 1.14.
It was fixed in Go 1.15 [1], meaning a custom retry loop is no longer
necessary.

Keep the test case to avoid future regressions.

[1] https://github.com/golang/go/issues/38033

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-20 10:08:54 -07:00
dependabot[bot] cf4c7c902b Merge pull request #4080 from opencontainers/dependabot/go_modules/github.com/cilium/ebpf-0.12.1 2023-10-20 10:38:38 +00:00
dependabot[bot] 54d38c6143 build(deps): bump github.com/cilium/ebpf from 0.12.0 to 0.12.1
Bumps [github.com/cilium/ebpf](https://github.com/cilium/ebpf) from 0.12.0 to 0.12.1.
- [Release notes](https://github.com/cilium/ebpf/releases)
- [Commits](https://github.com/cilium/ebpf/compare/v0.12.0...v0.12.1)

---
updated-dependencies:
- dependency-name: github.com/cilium/ebpf
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-20 15:03:40 +08:00
Aleksa Sarai 27eb67a649 merge #4079 into opencontainers/runc:main
Kir Kolyshkin (1):
  ci/gha: fix downloading Release.key

LGTMs: lifubang cyphar
2023-10-20 18:02:24 +11:00
Kir Kolyshkin f944d7b653 ci/gha: fix downloading Release.key
Since today, the URL from download.opensuse.org started returning a
HTTP 302 redirect, so -L option for curl is needed to follow it.

While at it, remove apt-key as per its man page recommendation:

> Note: Instead of using this command a keyring should be placed
> directly in the /etc/apt/trusted.gpg.d/ directory with a descriptive
> name and either "gpg" or "asc" as file extension.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-19 21:12:30 -07:00
Kir Kolyshkin 93d16178d6 Merge pull request #4076 from kinvolk/rata/smaller-runc-dmz
libct/dmz: Support compiling on all arches
2023-10-19 17:08:53 -07:00
Mrunal Patel 437725c5cf Merge pull request #4073 from kolyshkin/hugetlb-rsvd
libct/cg: support hugetlb rsvd
2023-10-19 16:08:19 -07:00
Rodrigo Campos b6a0c483b7 libct/dmz: Support compiling on all arches
When we added nolibc, we started using it unconditionally. But runc is
currently being compiled on more arches than supported by nolibc, like
MIPS.

Let's compile using stdlib if the arch we are compiling on is not
supported by nolibc.

If compilation is broken in some arch, just removing it from the
NOLIBC_GOARCHES variable should fix the compilation, as it will fallback
to use the C stdlib.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2023-10-19 11:11:10 +02:00
Kir Kolyshkin 4a7d3ae5cd libct/cg: support hugetlb rsvd
This adds support for hugetlb.<pagesize>.rsvd limiting and accounting.

The previous non-rsvd max/limit_in_bytes does not account for reserved
huge page memory, making it possible for a processes to reserve all the
huge page memory, without being able to allocate it (due to cgroup
restrictions).

In practice this makes it possible to successfully mmap more huge page
memory than allowed via the cgroup settings, but when using the memory
the process will get a SIGBUS and crash. This is bad for applications
trying to mmap at startup (and it succeeds), but the program crashes
when starting to use the memory. eg. postgres is doing this by default.

This also keeps writing to the old max/limit_in_bytes, for backward
compatibility.

More info can be found here: https://lkml.org/lkml/2020/2/3/1153

(commit message mostly written by Odin Ugedal)

Co-authored-by: Odin Ugedal <odin@ugedal.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-13 22:55:24 -07:00
Akihiro Suda ac78d13271 Merge pull request #4070 from opencontainers/dependabot/go_modules/github.com/cilium/ebpf-0.12.0
build(deps): bump github.com/cilium/ebpf from 0.11.0 to 0.12.0
2023-10-13 02:46:01 +09:00
Sebastiaan van Stijn c494c475bd Merge pull request #4064 from kolyshkin/ce7-skip-flake
ci: skip TestPodSkipDevicesUpdate on CentOS 7
2023-10-12 10:55:22 +02:00
dependabot[bot] aec0dc7dcd build(deps): bump github.com/cilium/ebpf from 0.11.0 to 0.12.0
Bumps [github.com/cilium/ebpf](https://github.com/cilium/ebpf) from 0.11.0 to 0.12.0.
- [Release notes](https://github.com/cilium/ebpf/releases)
- [Commits](https://github.com/cilium/ebpf/compare/v0.11.0...v0.12.0)

---
updated-dependencies:
- dependency-name: github.com/cilium/ebpf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-12 04:42:12 +00:00
Akihiro Suda 0274ca2580 Merge pull request #4025 from lifubang/feat-sched-carry-3962
[Carry 3962] Support `process.scheduler`
2023-10-12 08:07:50 +09:00
Akihiro Suda 4232286180 Merge pull request #4067 from neersighted/syscall_cleanup
libcontainer: drop system.Setxid
2023-10-12 08:06:14 +09:00
Bjorn Neergaard 6f7266c3f7 libcontainer: drop system.Setxid
Since Go 1.16, [Go issue 1435][1] is solved, and the stdlib syscall
implementations work on Linux. While they are a bit more
flexible/heavier-weight than the implementations that were copied to
libcontainer/system (working across all threads), we compile with Cgo,
and using the libc wrappers should be just as suitable.

  [1]: https://github.com/golang/go/issues/1435

Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
2023-10-11 13:04:34 -06:00
dependabot[bot] 520a3d5c62 Merge pull request #4066 from opencontainers/dependabot/go_modules/golang.org/x/net-0.17.0 2023-10-11 05:19:21 +00:00
dependabot[bot] 2860708d73 build(deps): bump golang.org/x/net from 0.16.0 to 0.17.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.16.0 to 0.17.0.
- [Commits](https://github.com/golang/net/compare/v0.16.0...v0.17.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-11 04:07:02 +00:00
Akihiro Suda 7809d6c614 Merge pull request #4061 from kolyshkin/makefile
Makefile: fixups and improvements
2023-10-11 07:36:03 +09:00
Kir Kolyshkin b8f75f3955 Makefile: move .PHONY to before each target
All the targets in the Makefile we have are phony (as we mostly rely on
go to figure out dependencies and whether to rebuild something), and
they have to be marked as such. We do that at the end of the file, and
the list is pretty long.

Instead, let's just add .PHONY before each target. That way it is easier
to spot any omissions.

Alternative solutions:
 - add ".PHONY: %"; it won't work as wildcards are not recongized in
   this context;
 - add "MAKEFLAGS += --always-make".

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-10 13:30:20 -07:00
Kir Kolyshkin bdf78b446b libct/cg/dev: add sync.Once to test case
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-10 13:27:22 -07:00
Kir Kolyshkin 46bfcac814 Makefile: avoid calling sub-make
Instead, rewrite the rules so that the targets are executed in the
needed order.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-06 15:10:31 -07:00
Kir Kolyshkin 961d0f124b Makefile: make verify-dmz-arch less talkative
Every `make` now produces something like this:

	make[1]: Entering directory '/home/kir/go/src/github.com/opencontainers/runc'
	readelf -h runc
	  Machine:                           Advanced Micro Devices X86-64
	  Flags:                             0x0
	readelf -h libcontainer/dmz/runc-dmz
	  Machine:                           Advanced Micro Devices X86-64
	  Flags:                             0x0
	runc-dmz architecture matches runc binary.
	make[1]: Leaving directory '/home/kir/go/src/github.com/opencontainers/runc'

That is a bit too much. Let's make it less verbose.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-06 15:10:31 -07:00
Kir Kolyshkin 90cbd1164c Merge pull request #4062 from opencontainers/dependabot/go_modules/golang.org/x/net-0.16.0
build(deps): bump golang.org/x/net from 0.15.0 to 0.16.0
2023-10-06 13:26:55 -07:00
Kir Kolyshkin fa8f38171c ci: skip TestPodSkipDevicesUpdate on CentOS 7
This test is as flaky as TestSkipDevices*, let's also t skip it on CentOS 7.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-06 13:11:40 -07:00
dependabot[bot] 927a5836f9 build(deps): bump golang.org/x/net from 0.15.0 to 0.16.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.15.0 to 0.16.0.
- [Commits](https://github.com/golang/net/compare/v0.15.0...v0.16.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-06 20:05:17 +00:00
Kir Kolyshkin 033cc7aedb Merge pull request #4063 from opencontainers/dependabot/go_modules/golang.org/x/sys-0.13.0
build(deps): bump golang.org/x/sys from 0.12.0 to 0.13.0
2023-10-06 13:04:30 -07:00
dependabot[bot] 0ab58aa208 build(deps): bump golang.org/x/sys from 0.12.0 to 0.13.0
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.12.0 to 0.13.0.
- [Commits](https://github.com/golang/sys/compare/v0.12.0...v0.13.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-06 04:21:54 +00:00
lfbzhm 141835c4de Merge pull request #4056 from kolyshkin/umask-II
Fix directory perms vs umask for tmpcopyup
2023-10-05 13:03:21 +08:00
Kir Kolyshkin 730bc84418 Fix directory perms vs umask for tmpcopyup
Bump fileutils to v0.5.1, which fixes permissions of newly created directories
to not depend on the value of umask.

Add a test case which fails like this before the fix:

	mounts.bats
	 ✗ runc run [tmpcopyup]
	   (in test file tests/integration/mounts.bats, line 28)
	     `[[ "${lines[0]}" == *'drwxrwxrwx'* ]]' failed
	   runc spec (status=0):

	   runc run test_busybox (status=0):
	   drwxr-xr-x    2 root     root            40 Oct  4 22:35 /dir1/dir2

Fixes 3991.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-04 15:35:44 -07:00
utam0k 770728e16e Support process.scheduler
Spec: https://github.com/opencontainers/runtime-spec/pull/1188
Fix: https://github.com/opencontainers/runc/issues/3895

Co-authored-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: utam0k <k0ma@utam0k.jp>
Signed-off-by: lifubang <lifubang@acmcoder.com>
2023-10-04 15:53:18 +08:00
Aleksa Sarai d8d576ca4f merge #4031 into opencontainers/runc:main
Akihiro Suda (1):
  docs: clarify the supported architectures (No MIPS)

LGTMs: kolyskin cyphar
2023-10-04 16:08:08 +11:00
Aleksa Sarai ce961443cb merge #4051 into opencontainers/runc:main
Kir Kolyshkin (1):
  libc: rm _LIBCONTAINER_STATEDIR
  libct: rename root to stateDir in struct Container

LGTMs: thaJeztah cyphar
2023-10-04 16:04:15 +11:00
Kir Kolyshkin efbebb39b5 libct: rename root to stateDir in struct Container
The name "root" (or "containerRoot") is confusing; one might think it is
the root of container's file system (the directory we chroot into).

Rename to stateDir for clarity.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-04 14:57:10 +11:00
Kir Kolyshkin c89faacc13 libc: rm _LIBCONTAINER_STATEDIR
It's only user was recently removed.

Fixes: 0e9a3358f8
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-04 14:57:10 +11:00
Aleksa Sarai 9350f9013e merge #4039 into opencontainers/runc:main
Kir Kolyshkin (1):
  libct: use chmod instead of umask

LGTMs: lifubang cyphar
2023-10-04 14:55:07 +11:00
lfbzhm 634280f5ab Merge pull request #4054 from kolyshkin/codespell-226
libct: fix a typo
2023-10-04 11:23:00 +08:00
Kir Kolyshkin 6538e6d0bd libct: fix a typo
syncrhonisation ==> synchronisation

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-10-03 17:51:54 -07:00
Kir Kolyshkin f56b007b1e Merge pull request #4003 from lifubang/carry3985-01-syncPipe
[Carry #3985 Part I] code refactor for process sync
2023-10-03 13:13:52 -07:00
Sebastiaan van Stijn e712b87b6c Merge pull request #4050 from lifubang/fix-Typeo
fix two typos
2023-10-03 12:39:25 -07:00
lifubang 109dcadd9d fix two typos
Signed-off-by: lifubang <lifubang@acmcoder.com>
2023-10-03 20:08:17 +08:00
Mikko Ylinen f755c8089b libct/cg/stats: support misc for cgroup v2
Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
2023-10-02 11:17:12 +03:00
Kir Kolyshkin ee45b9bf60 Merge pull request #4034 from AkihiroSuda/fix-goarm
script/lib.sh: set GOARM=5 for armel, GOARM=6 for armhf
2023-09-28 15:40:22 -07:00
Kir Kolyshkin 2e2ecf29ff libct: use chmod instead of umask
Umask is problematic for Go programs as it affects other goroutines
(see [1] for more details).

Instead of using it, let's just prop up with Chmod.

Note this patch misses the MkdirAll call in createDeviceNode. Since the
runtime spec does not say anything about creating intermediary
directories for device nodes, let's assume that doing it via mkdir with
the current umask set is sufficient (if not, we have to reimplement
MkdirAll from scratch, with added call to os.Chmod).

[1] https://github.com/opencontainers/runc/pull/3563#discussion_r990293788

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-09-27 16:46:53 -07:00
Kir Kolyshkin 4d948b1e64 Merge pull request #4035 from Zheaoli/manjusaka/fix-docs
Update feature status in docs
2023-09-27 10:34:53 -07:00
Zheao Li 4b3b7e9973 docs/spec-conformance: update
Since PR 3876 was merged, let's remove time namespace from the list of unimplemented features.

Signed-off-by: Zheao Li <me@manjusaka.me>
2023-09-27 20:24:43 +08:00
Kir Kolyshkin 96a61d3bf0 Merge pull request #4030 from kinvolk/rata/smaller-runc-dmz
libct/dmz: Move comment out of the Makefile rule
2023-09-26 15:04:40 -07:00
Akihiro Suda 531e29e192 script/lib.sh: set GOARM=5 for armel, GOARM=6 for armhf
"armhf" means ARMv7 for Debian, ARMv6 for Raspbian.
ARMv6 is chosen here for compatibility.

https://wiki.debian.org/RaspberryPi

> Raspberry Pi OS builds a single image for all of the Raspberry families,
> so you will get an armhf 32-bit, hard floating-point system, but built
> for the ARMv6 ISA (with VFP2), unlike Debian's ARMv7 ISA (with VFP3)
> port.

Prior to this commit, the script was setting GOARM=6 for armel,
GOARM=7 for armhf.

Fix issue 4033

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2023-09-27 05:48:02 +09:00
Akihiro Suda 9060666531 docs: clarify the supported architectures (No MIPS)
In reviewing PR 4024 ("libct/dmz: Reduce the binary size using nolibc"),
we noticed that we do not intend to actively support MIPS.

We do not intend to support i386 either.

This might be a breaking change for Debian, which has been officially
providing runc packages for `i386`, `mips64el` and `mipsel`:
https://packages.debian.org/bookworm/runc

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2023-09-27 05:39:47 +09:00
Rodrigo Campos 9976be86b3 libct/dmz: Move comment out of the Makefile rule
Otherwise it is shown when compiling, like this:
	# We use the flags suggested in nolibc/nolibc.h, it makes the binary very small.
	gcc  -fno-asynchronous-unwind-tables -fno-ident -s -Os -nostdlib -lgcc -static -o runc-dmz _dmz.c
	strip -gs runc-dmz

Having it before the target is equally clear and will not be shown while
compiling.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2023-09-26 18:46:01 +02:00
Aleksa Sarai 1a8b5588a5 merge #4024 into opencontainers/runc:main
Rodrigo Campos (1):
  libct/dmz: Reduce the binary size using nolibc

LGTMs: AkihiroSuda cyphar
2023-09-27 02:21:59 +10:00
Rodrigo Campos 90f5da651a libct/dmz: Reduce the binary size using nolibc
Linux repo has under `tools/include/nolibc` very simple include files
that we can use to generate very small binaries that don't depend on
libc.

To make things even better, since Linux 6.6 it supports all the
architectures we support in runc, which is just beautiful.

The runc-dmz binary on x86_64 before this patch (on my debian host) was
taking 636K, with this patch it takes only 8K.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2023-09-26 14:55:04 +02:00
Akihiro Suda a32ad76da3 Merge pull request #4018 from jrife/main
Handle kmem.limit_in_bytes removal
2023-09-25 09:53:08 +09:00
Aleksa Sarai 8da42aaec2 sync: split init config (stream) and synchronisation (seqpacket) pipes
We have different requirements for the initial configuration and
initWaiter pipe (just send netlink and JSON blobs with no complicated
handling needed for message coalescing) and the packet-based
synchronisation pipe.

Tests with switching everything to SOCK_SEQPACKET lead to endless issues
with runc hanging on start-up because random things would try to do
short reads (which SOCK_SEQPACKET will not allow and the Go stdlib
explicitly treats as a streaming source), so splitting it was the only
reasonable solution. Even doing somewhat dodgy tricks such as adding a
Read() wrapper which actually calls ReadPacket() and makes it seem like
a stream source doesn't work -- and is a bit too magical.

One upside is that doing it this way makes the difference between the
modes clearer -- INITPIPE is still used for initWaiter syncrhonisation
but aside from that all other synchronisation is done by SYNCPIPE.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-09-24 20:31:14 +08:00
Aleksa Sarai ccc76713a7 sync: rename procResume -> procHooksDone
The old name was quite confusing, and with the addition of the
procMountPlease sync message there are now multiple sync messages that
are related to "resuming" runc-init.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-09-24 20:02:11 +08:00
Akihiro Suda f235fa6763 Merge pull request #3987 from cyphar/cloned-binary-rework
nsexec: cloned binary rework
2023-09-24 19:27:52 +09:00
Jordan Rife 99469eba3e Handle kmem.limit_in_bytes removal
kmem.limit_in_bytes has been removed in upstream linux and this patch
is queued to be backported to linux 6.1 stable:

- https://lore.kernel.org/linux-mm/20230705134434.GA156754@cmpxchg.org/T/
- https://www.spinics.net/lists/stable-commits/msg316619.html

Without this change to libcontainerd, GetStats() will return an error
on the latest kernel(s). A downstream effect is that Kubernetes's
kubelet does not start up. This fix was tested by ensuring that it
unblocks kubelet startup when running on the latest kernel.

Signed-off-by: Jordan Rife <jrife0@gmail.com>
2023-09-24 02:17:21 +00:00
Aleksa Sarai 90c8d36afe dmz: use sendfile(2) when cloning /proc/self/exe
This results in a 5-20% speedup of dmz.CloneBinary(), depending on the
machine.

io.Copy:

  goos: linux
  goarch: amd64
  pkg: github.com/opencontainers/runc/libcontainer/dmz
  cpu: Intel(R) Core(TM) i5-10210U CPU @ 1.60GHz
  BenchmarkCloneBinary
  BenchmarkCloneBinary-8               139           8075074 ns/op
  PASS
  ok      github.com/opencontainers/runc/libcontainer/dmz 2.286s

unix.Sendfile:

  goos: linux
  goarch: amd64
  pkg: github.com/opencontainers/runc/libcontainer/dmz
  cpu: Intel(R) Core(TM) i5-10210U CPU @ 1.60GHz
  BenchmarkCloneBinary
  BenchmarkCloneBinary-8               192           6382121 ns/op
  PASS
  ok      github.com/opencontainers/runc/libcontainer/dmz 2.415s

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-09-22 15:51:36 +10:00
Aleksa Sarai f8348f64ae tests: integration: add runc-dmz smoke tests
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-09-22 15:38:21 +10:00
Aleksa Sarai 6be763eeaa tests: integration: fix capability setting for CAP_DAC_OVERRIDE
Due to the way capabilities have to be set by runc, capabilities need to
be included in the inheritable and ambient sets anyway. Otherwise, the
container process would not have the correct privileges. This test only
functioned because adding CAP_DAC_OVERRIDE to the inherited,
permissible, and bounding sets means that only "runc init" has these
capabilities -- everything other than the bounding set is cleared on the
first execve(). This breaks with runc-dmz, but the behaviour was broken
from the outset.

Docker appears to not handle this properly at all (the logic for
capability sets changed with the introduction of ambient capabilities,
and while Docker was updated it seems the behaviour is still incorrect
for non-root users).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-09-22 15:38:20 +10:00
Aleksa Sarai b9a4727f54 contrib: memfd-bind: add helper for memfd-sealed-bind trick
This really isn't ideal but it can be used to avoid the largest issues
with the memfd-based runc binary protection. There are several caveats
with using this tool, see the help page for the new binary for details.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-09-22 15:38:20 +10:00
lifubang dac4171746 runc-dmz: reduce memfd binary cloning cost with small C binary
The idea is to remove the need for cloning the entire runc binary by
replacing the final execve() call of the container process with an
execve() call to a clone of a small C binary which just does an execve()
of its arguments.

This provides similar protection against CVE-2019-5736 but without
requiring a >10MB binary copy for each "runc init". When compiled with
musl, runc-dmz is 13kB (though unfortunately with glibc, it is 1.1MB
which is still quite large).

It should be noted that there is still a window where the container
processes could get access to the host runc binary, but because we set
ourselves as non-dumpable the container would need CAP_SYS_PTRACE (which
is not enabled by default in Docker) in order to get around the
proc_fd_access_allowed() checks. In addition, since Linux 4.10[1] the
kernel blocks access entirely for user namespaced containers in this
scenario. For those cases we cannot use runc-dmz, but most containers
won't have this issue.

This new runc-dmz binary can be opted out of at compile time by setting
the "runc_nodmz" buildtag, and at runtime by setting the RUNC_DMZ=legacy
environment variable. In both cases, runc will fall back to the classic
/proc/self/exe-based cloning trick. If /proc/self/exe is already a
sealed memfd (namely if the user is using contrib/cmd/memfd-bind to
create a persistent sealed memfd for runc), neither runc-dmz nor
/proc/self/exe cloning will be used because they are not necessary.

[1]: https://github.com/torvalds/linux/commit/bfedb589252c01fa505ac9f6f2a3d5d68d707ef4

Co-authored-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: lifubang <lifubang@acmcoder.com>
[cyphar: address various review nits]
[cyphar: fix runc-dmz cross-compilation]
[cyphar: embed runc-dmz into runc binary and clone in Go code]
[cyphar: make runc-dmz optional, with fallback to /proc/self/exe cloning]
[cyphar: do not use runc-dmz when the container has certain privs]
Co-authored-by: Aleksa Sarai <cyphar@cyphar.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-09-22 15:38:19 +10:00
Aleksa Sarai e089db3b4a dmz: add fallbacks to handle noexec for O_TMPFILE and mktemp()
Previously, if /var/run was mounted noexec, our cloned binary logic
would not work if memfd_create(2) was not available because we would try
to exec a binary that is on a noexec filesystem.

We cannot guarantee there will be an executable filesystem on the system
(other than mounting one ourselves, which would cause a bunch of other
headaches) but we can at least try the obvious options (/tmp, /bin, and
/). If none of these work, we will have to fail.

Reported-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-09-22 15:13:19 +10:00
Aleksa Sarai 0e9a3358f8 nsexec: migrate memfd /proc/self/exe logic to Go code
This allow us to remove the amount of C code in runc quite
substantially, as well as removing a whole execve(2) from the nsexec
path because we no longer spawn "runc init" only to re-exec "runc init"
after doing the clone.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-09-22 15:13:18 +10:00
Aleksa Sarai 321aa20c49 scripts: add proper 386 and amd64 target triples and builds
We need these to match the Makefile detection of the right gcc for
runc-dmz, as well as making sure that everything builds properly for our
cross-i386 tests. While we're at it, add x86 to the list of build
targets for release builds (presumably nobody will use it, but since we
do test builds of this anyway it probably won't hurt).

In addition, clean up the handling of the native architecture build by
treating it the same as any other build (ensuring that building runc
from a different platform will work the same way regardless of the
native architecture). In practice, the build works the same way as
before.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-09-22 15:13:18 +10:00
Akihiro Suda 1d9b158056 Merge pull request #4017 from thaJeztah/migrate_libcontainer_user
Deprecate libcontainer/user, and migrate to github.com/moby/sys/user
2023-09-21 19:14:59 +09:00
Sebastiaan van Stijn d9ea71bf96 deprecate libcontainer/user
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-19 10:22:29 +02:00
Sebastiaan van Stijn ca32014adb migrate libcontainer/user to github.com/moby/sys/user
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-19 10:22:23 +02:00
Akihiro Suda 1614cab553 Merge pull request #4020 from lifubang/fix-ci-cs9oom
[CI] increase memory.max in cgroups.bats
2023-09-19 11:27:46 +09:00
lifubang 65a1074c75 increase memory.max in cgroups.bats
Signed-off-by: lifubang <lifubang@acmcoder.com>
2023-09-17 09:55:12 +08:00
lfbzhm a3a0ec48c4 Merge pull request #4013 from kinvolk/rata/relax-dst-path-rel
validator: Relax warning for not abs mount dst path
2023-09-12 19:19:40 +08:00
Rodrigo Campos b17c6f237d validator: Relax warning for not abs mount dst path
The runtime spec now allows relative mount dst paths, so remove the
comment saying we will switch this to an error later and change the
error messages to reflect that.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2023-09-11 16:02:41 +02:00
lfbzhm e897a16e1d Merge pull request #4012 from Juneezee/specconv/remove-redundant-nil-check
libct/specconv: remove redundant nil check
2023-09-09 07:32:23 +08:00
Eng Zer Jun c378602bf6 libct/specconv: remove redundant nil check
From the Go specification:

  "1. For a nil slice, the number of iterations is 0." [1]

Therefore, an additional nil check for before the loop is unnecessary.

[1]: https://go.dev/ref/spec#For_range

Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2023-09-08 23:40:51 +08:00
dependabot[bot] dc886433d2 Merge pull request #4011 from opencontainers/dependabot/go_modules/github.com/cyphar/filepath-securejoin-0.2.4 2023-09-07 05:38:18 +00:00
dependabot[bot] c7ad2749fd build(deps): bump github.com/cyphar/filepath-securejoin
Bumps [github.com/cyphar/filepath-securejoin](https://github.com/cyphar/filepath-securejoin) from 0.2.3 to 0.2.4.
- [Release notes](https://github.com/cyphar/filepath-securejoin/releases)
- [Commits](https://github.com/cyphar/filepath-securejoin/compare/v0.2.3...v0.2.4)

---
updated-dependencies:
- dependency-name: github.com/cyphar/filepath-securejoin
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-07 04:30:28 +00:00
Akihiro Suda 6b8a45d16f Merge pull request #3749 from Zheaoli/manjusaka/carry-burst
[Carry #3205] libct/cg: add CFS bandwidth burst for CPU
2023-09-07 00:55:16 +09:00
Akihiro Suda f0eea9926a Merge pull request #4009 from opencontainers/dependabot/go_modules/golang.org/x/net-0.15.0
build(deps): bump golang.org/x/net from 0.14.0 to 0.15.0
2023-09-07 00:48:26 +09:00
Kailun Qin e1584831b6 libct/cg: add CFS bandwidth burst for CPU
Burstable CFS controller is introduced in Linux 5.14. This helps with
parallel workloads that might be bursty. They can get throttled even
when their average utilization is under quota. And they may be latency
sensitive at the same time so that throttling them is undesired.

This feature borrows time now against the future underrun, at the cost
of increased interference against the other system users, by introducing
cfs_burst_us into CFS bandwidth control to enact the cap on unused
bandwidth accumulation, which will then used additionally for burst.

The patch adds the support/control for CFS bandwidth burst.

runtime-spec: https://github.com/opencontainers/runtime-spec/pull/1120

Co-authored-by: Akihiro Suda <suda.kyoto@gmail.com>
Co-authored-by: Nadeshiko Manju <me@manjusaka.me>
Signed-off-by: Kailun Qin <kailun.qin@intel.com>
2023-09-06 23:23:30 +08:00
dependabot[bot] 1fe9447f65 build(deps): bump golang.org/x/net from 0.14.0 to 0.15.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.14.0 to 0.15.0.
- [Commits](https://github.com/golang/net/compare/v0.14.0...v0.15.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-06 04:09:10 +00:00
dependabot[bot] 319b2ba730 Merge pull request #4008 from opencontainers/dependabot/github_actions/actions/checkout-4 2023-09-06 01:21:12 +00:00
dependabot[bot] 2d0cd0b381 build(deps): bump actions/checkout from 3 to 4
Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-05 04:50:22 +00:00
Akihiro Suda a0466dd76f Merge pull request #2868 from thaJeztah/userns_simplify
libcontainer/userns: simplify, and separate from "user" package.
2023-09-04 22:28:52 +09:00
Sebastiaan van Stijn d8e9ed3e08 libcontainer/userns: simplify, and separate from "user" package.
This makes libcontainer/userns self-dependent, largely returning to
the original implementation from lxc. The `uiMapInUserNS` is kept as
a separate function for unit-testing and fuzzing.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-04 10:57:48 +02:00
Akihiro Suda 3b47c5e8de Merge pull request #4006 from opencontainers/dependabot/go_modules/golang.org/x/sys-0.12.0
build(deps): bump golang.org/x/sys from 0.11.0 to 0.12.0
2023-09-04 16:36:20 +09:00
dependabot[bot] 5f05b96ead build(deps): bump golang.org/x/sys from 0.11.0 to 0.12.0
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.11.0 to 0.12.0.
- [Commits](https://github.com/golang/sys/compare/v0.11.0...v0.12.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-04 04:09:40 +00:00
Kir Kolyshkin 8feecba2bb Merge pull request #4004 from hangscer8/fix_file_to_close
Fix File to Close
2023-09-01 10:45:40 -07:00
hang.jiang 937ca107c3 Fix File to Close
Signed-off-by: hang.jiang <hang.jiang@daocloud.io>
2023-09-01 16:17:13 +08:00
lfbzhm 24ae5c258c Merge pull request #3996 from kolyshkin/double-hooks
Fix for host mount ns containers
2023-08-29 10:28:08 +08:00
Kir Kolyshkin e852523885 tests/int: add a test for host mntns vs hooks
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-08-28 12:46:59 -07:00
Kir Kolyshkin 41778ddc2c Fix for host mount ns containers
If the container does not have own mount namespace configured (i.e. it
shares the mount namespace with the host), its "prestart" (obsoleted)
and "createRuntime" hooks are called twice, and its cgroups and Intel
RDT settings are also applied twice.

The code being removed was originally added by commit 2f2764984 ("Move
pre-start hooks after container mounts", Feb 17 2016). At that time,
the syncParentHooks() was called from setupRootfs(), which was only
used when the container config has mount namespace (NEWNS) enabled.

Later, commit 244c9fc426 ("*: console rewrite", Jun 4 2016) spli
the relevant part of setupRootfs() into prepareRootfs(). It was still
called conditionally (only if mount namespace was enabled).

Finally, commit 91ca331474 ("chroot when no mount namespaces is
provided", Jan 25 2018) removed the above condition, meaning
prepareRootfs(), and thus syncParentHooks(), is now called for any
container.

Meaning, the special case for when mount namespace is not enabled is no
longer needed.

Remove it.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-08-28 12:45:39 -07:00
Kir Kolyshkin b322e31b4f Merge pull request #3997 from opencontainers/dependabot/github_actions/tim-actions/commit-message-checker-with-regex-0.3.2
build(deps): bump tim-actions/commit-message-checker-with-regex from 0.3.1 to 0.3.2
2023-08-28 12:32:34 -07:00
dependabot[bot] fe6f33b2c0 build(deps): bump tim-actions/commit-message-checker-with-regex
Bumps [tim-actions/commit-message-checker-with-regex](https://github.com/tim-actions/commit-message-checker-with-regex) from 0.3.1 to 0.3.2.
- [Release notes](https://github.com/tim-actions/commit-message-checker-with-regex/releases)
- [Commits](https://github.com/tim-actions/commit-message-checker-with-regex/compare/v0.3.1...v0.3.2)

---
updated-dependencies:
- dependency-name: tim-actions/commit-message-checker-with-regex
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-08-28 04:21:42 +00:00
Akihiro Suda 0a5cd69462 Merge pull request #3995 from kolyshkin/rm-unix-nolint
bump golangci-lint; remove nolint annotations for unix errno comparisons
2023-08-25 16:54:57 +09:00
lfbzhm 57617e3bec Merge pull request #3869 from kolyshkin/hooks-better-error
Better hooks errors and more tests
2023-08-25 11:42:56 +08:00
Kir Kolyshkin 0f3eeb9bad tests/int: add failed hooks tests
To ensure that if a hook has failed, the container won't be started.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-08-24 19:45:06 -07:00
Kir Kolyshkin cadf0a14ae tests/int: rename hooks.bats to hooks_so.bats
This file contains a test that tests .so hooks. It has a complicated
setup and teardown, and has special requirements (root and no_systemd).

Rename it to hooks_so.bats, so we can add hooks.bats for hooks tests
that do not have such complicated setup and requirements.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-08-24 19:45:06 -07:00
Kir Kolyshkin 6a4870e4ac libct: better errors for hooks
When a hook has failed, the error message looks like this:

> error running hook: error running hook #1: exit status 1, stdout: ...

The two problems here are:
1. it is impossible to know what kind of hook it was;
2. "error running hook" stuttering;

Change that to

> error running createContainer hook #1: exit status 1, stdout: ...

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-08-24 19:44:05 -07:00
Kir Kolyshkin f62f0bdfbf Remove nolint annotations for unix errno comparisons
golangci-lint v1.54.2 comes with errorlint v1.4.4, which contains
the fix [1] whitelisting all errno comparisons for errors coming from
x/sys/unix.

Thus, these annotations are no longer necessary. Hooray!

[1] https://github.com/polyfloyd/go-errorlint/pull/47
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-08-24 17:28:10 -07:00
Kir Kolyshkin 17e7e230bd ci/gha: bump golangci-lint to v1.54
Currently, it is at v1.54.2.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-08-24 17:22:23 -07:00
Kir Kolyshkin b3e972141f Add issue reference to nolint annotation
Usually errorlint allows io.EOF comparison (based on a whitelist of
functions that can return bare io.EOF), thus there is no need for nolint
annotation.

In this very case, though, the need for nolint is caused by issue with
errorlint, which fails to see where err is coming from.

Refer to the issue so when it is fixed we can remove the annotation.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-08-24 17:19:03 -07:00
Aleksa Sarai 693d1c6ec4 merge #3993 into main
Rodrigo Campos (2):
  features: Expose idmap support
  vendor: Update runtime-spec to expose mountExtensions

LGTMs: AkihiroSuda cyphar
2023-08-24 09:00:13 +10:00
Rodrigo Campos cc7e607a49 features: Expose idmap support
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2023-08-23 17:55:09 +02:00
Rodrigo Campos 671e211ef8 vendor: Update runtime-spec to expose mountExtensions
Future commits will expose this info in the features sub-command.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2023-08-23 16:17:02 +02:00
lfbzhm ff8c4c7b72 Merge pull request #3984 from kolyshkin/gha-timeouts
ci/gha: add job timeouts
2023-08-17 09:27:33 +08:00
Kir Kolyshkin b22073c5fe ci/gha: add job timeouts
The default timeout is 360 minutes, which is way long for these jobs.
If the CI (or a test) has stuck, we'd better know about it earlier than
in 6 hours.

Set the timeouts for some [relatively] long running jobs conservatively:
 - test and release jobs usually take ~10 minutes;
 - lint job takes 1 minute (but can be a few times slower when we switch
   Go or golangci-lint version);
 - cross-386 job takes about 2 minutes;
 - the rest is seconds (and I am lazy to set timeouts everywhere).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-08-16 16:08:35 -07:00
lfbzhm fe5e2b3c31 Merge pull request #3982 from kolyshkin/nsexec-spring-cleaning-p1
Nsexec spring cleaning part I
2023-08-16 22:34:32 +08:00
Aleksa Sarai 1f25724a96 configs: fix idmapped mounts json field names
In the runc state JSON we always use snake_case. This is a no-op change,
but it will cause any existing container state files to be incorrectly
parsed. Luckily, commit fbf183c6f8 ("Add uid and gid mappings to
mounts") has never been in a runc release so we can change this before a
1.2.z release.

Fixes: fbf183c6f8 ("Add uid and gid mappings to mounts")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-08-15 19:54:24 -07:00
Aleksa Sarai 8aa97ad3a3 nsexec: remove cgroupns special-casing
The original implementation of cgroupns had additional synchronisation
to "ensure" that the process is in the correct cgroup before unsharing
the cgroupns. This behaviour was actually never necessary, and after
commit 5110bd2fc0 ("nsenter: remove cgroupns sync mechanism") there is
no synchronisation at all, meaning that CLONE_NEWCGROUP should not get
any special treatment.

Fixes: 5110bd2fc0 ("nsenter: remove cgroupns sync mechanism")
Fixes: df3fa115f9 ("Add support for cgroup namespace")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-08-15 19:54:24 -07:00
Aleksa Sarai 5c7839b503 rootfs: use empty src for MS_REMOUNT
The kernel ignores these arguments, and passing them can lead to
confusing error messages (the old source is irrelevant for MS_REMOUNT),
as well as causing issues for a future patch where we switch to
move_mount(2).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-08-15 19:54:24 -07:00
Aleksa Sarai 20b95f23ca libcontainer: seccomp: pass around *os.File for notifyfd
*os.File is correctly tracked by the garbage collector, and there's no
need to use raw file descriptors for this code.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-08-15 19:54:24 -07:00
Aleksa Sarai f81ef1493d libcontainer: sync: cleanup synchronisation code
This includes quite a few cleanups and improvements to the way we do
synchronisation. The core behaviour is unchanged, but switching to
embedding json.RawMessage into the synchronisation structure will allow
us to do more complicated synchronisation operations in future patches.

The file descriptor passing through the synchronisation system feature
will be used as part of the idmapped-mount and bind-mount-source
features when switching that code to use the new mount API outside of
nsexec.c.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-08-15 19:54:24 -07:00
Kir Kolyshkin c6e7b1a8ec libct: initProcess.start: fix sync logic
The code in this function became quite complicated and not entirely
correct over time. As a result, if an error is returned from parseSync,
it might end up stuck waiting for the child to finish.

1. Let's not wait() for the child twice. We already do it in the
defer statement (call p.terminate()) when we are returning an error.

2. Remove sentResume and sentRun since we do not want to check if
these were sent or not. Instead, introduce and check seenProcReady, as
procReady is always expected from runc init.

3. Eliminate the possibility to wrap nil as an error.

4. Make sure we always call shutdown on the sync socket, and do not let
   shutdown error shadow the ierr.

This fixes the issue of stuck `runc runc` with the optimization patch
(sending procSeccompDone earlier) applied.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-08-15 19:54:24 -07:00
Aleksa Sarai b0c7ce5158 makefile: quote TESTFLAGS when passing to containerised make
Otherwise TESTFLAGS="-run FooBar" will result in TESTFLAGS=-run being
executed in the container.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-08-15 19:54:24 -07:00
Akihiro Suda a6985522a6 Merge pull request #3980 from cyphar/timens-cleanups
timens: minor cleanups
2023-08-10 19:36:22 +09:00
Aleksa Sarai aa5f4c1137 tests: add several timens tests
These are not exhaustive, but at least confirm that the feature is not
obviously broken (we correctly set the time offsets).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-08-10 19:01:31 +10:00
Aleksa Sarai 9acfd7b1a3 timens: minor cleanups
Fix up a few things that were flagged in the review of the original
timens PR, namely around error handling and validation.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-08-10 18:59:55 +10:00
Aleksa Sarai 0866112e81 merge #3876 into opencontainers/runc:main
Chethan Suresh (1):
  Support time namespace

LGTMs: kolyskin cyphar
Closes #3876
2023-08-10 18:27:17 +10:00
Kir Kolyshkin cb44958162 Merge pull request #3385 from kolyshkin/init-logger-setup
init simplification
2023-08-08 19:05:02 -07:00
lfbzhm 33ce0dc744 Merge pull request #3971 from kinvolk/rata/abs-dest-path-warn
Revert "libct/validator: Error out on non-abs paths"
2023-08-09 09:00:00 +08:00
Akihiro Suda 80320b76b9 Merge pull request #3974 from kolyshkin/ci-cache
ci/gha: re-enable go caching
2023-08-09 08:53:27 +09:00
Kir Kolyshkin 46d6089fb5 ci/gha: re-enable go caching
Since https://github.com/actions/setup-go/issues/368 is now fixed
(in https://github.com/actions/setup-go/releases/tag/v4.1.0), there
is no need to disable caching when using different distros.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-08-08 15:18:21 -07:00
Mrunal Patel c62bbb2d7c Merge pull request #3920 from kolyshkin/go121
ci: add go 1.21, rm go 1.19, fix cirrus jobs
2023-08-08 13:09:18 -07:00
Kir Kolyshkin 5741ea230a ci: add go 1.21, remove go 1.19
Go 1.21 is out, and go 1.19 is no longer supported.

This also fixes cirrus-ci failure.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-08-08 12:34:55 -07:00
Rodrigo Campos ec2ffae5f1 libct: Allow rel paths for idmap mounts
The idea was to make them strict on dest path from the beginning for
idmap mounts, as runc would do that for all mounts in the future. But
that is causing too many problems.

For now, let's just allow relative paths for idmap mounts too. It just
seems safer.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2023-08-08 13:45:31 +02:00
Rodrigo Campos 19d26a6596 Revert "libct/validator: Error out on non-abs paths"
This reverts commit 881e92a3fd and adjust
the code so the idmap validations are strict.

We now only throw a warning and the container is started just fine.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2023-08-08 13:45:31 +02:00
lfbzhm 74c125d877 Merge pull request #3968 from opencontainers/dependabot/go_modules/golang.org/x/net-0.14.0
build(deps): bump golang.org/x/net from 0.13.0 to 0.14.0
2023-08-07 21:51:00 +08:00
dependabot[bot] 61a454cc08 build(deps): bump golang.org/x/net from 0.13.0 to 0.14.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.13.0 to 0.14.0.
- [Commits](https://github.com/golang/net/compare/v0.13.0...v0.14.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-08-07 04:19:31 +00:00
lfbzhm acab6f6416 Merge pull request #3931 from cyphar/remove-bindfd
nsexec: cloned_binary: remove bindfd logic entirely
2023-08-05 23:38:44 +08:00
lfbzhm 7b1fc9882f Merge pull request #3816 from kolyshkin/show-criu-errors
criu checkpoint/restore: print errors from criu log
2023-08-05 10:50:32 +08:00
Kir Kolyshkin 883aef789b libct/init: unify init, fix its error logic
This commit does two things:

1. Consolidate StartInitialization calling logic into Init().
2. Fix init error handling logic.

The main issues at hand are:
- the "unable to convert _LIBCONTAINER_INITPIPE" error from
  StartInitialization is never shown;
- errors from WriteSync and WriteJSON are never shown;
- the StartInit calling code is triplicated;
- using panic is questionable.

Generally, our goals are:
 - if there's any error, do our best to show it;
 - but only show each error once;
 - simplify the code, unify init implementations.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-08-04 13:00:35 -07:00
Kir Kolyshkin 789a73db22 init.go: move logger setup to StartInitialization
Currently, logrus is used from the Go part of runc init, mostly for a
few debug messages (see setns_init_linux.go and standard_init_linux.go),
and a single warning (see rootfs_linux.go).

This means logrus is part of init implementation, and thus, its setup
belongs to StartInitialization().

Move the code there. As a nice side effect, now we don't have to convert
_LIBCONTAINER_LOGPIPE twice.

Note that since this initialization is now also called from libct/int
tests, which do not set _LIBCONTAINER_LOGLEVEL, let's make
_LIBCONTAINER_LOGLEVEL optional.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-08-04 13:00:34 -07:00
Aleksa Sarai 0d890ad66f nsenter: cloned_binary: use MFD_EXEC and F_SEAL_EXEC
With the new vm.memfd_noexec sysctl, we need to make sure we explicitly
request MFD_EXEC, otherwise an admin could inadvertently break
containers in a somewhat-annoying-to-debug fashion.

It should be noted that vm.memfd_noexec=2 is broken on Linux 6.4
(MFD_EXEC works even in the most restrictive mode) and the most severe
breakage is going to be fixed in Linux 6.6[1].

[1]: https://lore.kernel.org/20230705063315.3680666-2-jeffxu@google.com/

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-08-04 23:39:36 +10:00
Aleksa Sarai b999376fb2 nsenter: cloned_binary: remove bindfd logic entirely
While the ro-bind-mount trick did eliminate the memory overhead of
copying the runc binary for each "runc init" invocation, on machines
with very significant container churn, creating a temporary mount
namespace on every container invocation can trigger severe lock
contention on namespace_sem that makes containers fail to spawn.

The only reason we added bindfd in commit 16612d74de ("nsenter:
cloned_binary: try to ro-bind /proc/self/exe before copying") was due to
a Kubernetes e2e test failure where they had a ridiculously small memory
limit. It seems incredibly unlikely that real workloads are running
without 10MB to spare for the very short time that runc is interacting
with the container.

In addition, since the original cloned_binary implementation, cgroupv2
is now almost universally used on modern systems. Unlike cgroupv1, the
cgroupv2 memcg implementation does not migrate memory usage when
processes change cgroups (even cgroupv1 only did this if you had
memory.move_charge_at_immigrate enabled). In addition, because we do the
/proc/self/exe clone before synchronising the bootstrap data read, we
are guaranteed to do the clone before "runc init" is moved into the
container cgroup -- meaning that the memory used by the /proc/self/exe
clone is charged against the root cgroup, and thus container workloads
should not be affected at all with memfd cloning.

The long-term fix for this problem is to block the /proc/self/exe
re-opening attack entirely in-kernel, which is something I'm working
on[1]. Though it should also be noted that because the memfd is
completely separate to the host binary, even attacks like Dirty COW
against the runc binary can be defended against with the memfd approach.
Of course, once we have in-kernel protection against the /proc/self/exe
re-opening attack, we won't have that protection anymore...

[1]: https://lwn.net/Articles/934460/

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-08-04 14:49:05 +10:00
Kir Kolyshkin 38676931ed criu: do not add log file into error message
As we now log the log file name in logCriuErrors.

While at it, there is no need to use var.String() with %s as it is done
by the runtime.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-08-03 10:39:33 -07:00
Kir Kolyshkin c77aaa3f95 criu checkpoint/restore: print errors from criu log
When criu fails, it does not give us much context to understand what
was the cause of an error -- for that, we need to take a look into its
log file.

This is somewhat complicated to do (as you can see in parts of
checkpoint.bats removed by this commit), and not very user-friendly.

Add a function to find and log errors from criu logs, together with some
preceding context, in case either checkpoint or restore has failed.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-08-03 10:33:20 -07:00
Kir Kolyshkin e4478e9fff criuSwrk: simplify switch
1. Use "switch t" since we only check t.

2. Remove unneeded t assignment.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-08-03 10:33:20 -07:00
Kir Kolyshkin cb981e510b libct: move criu-related stuff to separate file
No code change, only added periods to some comments to make godot happy.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-08-03 10:16:01 -07:00
Akihiro Suda 23e41ef04d Merge pull request #3960 from kolyshkin/local-ci-v2
Fix running tests under Docker/Podman and cgroup v2
2023-08-03 16:02:46 +09:00
Kir Kolyshkin f88a765460 ci: fix flaky test "update memory vs CheckBeforeUpdate"
This test fails in CI sometimes with the following error:

> `testcontainer test_update stopped' failed

Give OOM killer some time to do its job.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-08-02 23:00:46 -07:00
Kir Kolyshkin 5c6b334c88 ci: fix TestOpenat2 when no systemd is used
A few cases relied on the fact that systemd is used, and thus
/sys/fs/cgroup/user.slice is available.

Guess what, in case of "make unittest" it might not be.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-08-02 23:00:46 -07:00
Kir Kolyshkin 962019d64e ci: fix TestNilResources when systemd not available
Split the test into two -- for fs and systemd cgroup managers, and only
run the second one if systemd is available.

Prevents the following failure during `make unittest`:

> === RUN   TestNilResources
>     manager_test.go:27: systemd not running on this host, cannot use systemd cgroups manager
> --- FAIL: TestNilResources (0.22s)

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-08-02 23:00:46 -07:00
Kir Kolyshkin cfc801b7ed Fix running tests under Docker/Podman and cgroup v2
For "make integration", the tests are run inside a Docker/Podman
container. Problem is, if cgroup v2 is used, the in-container
/sys/fs/cgroup/cgroup.subtree_control is empty.

The added script, used as Docker entrypoint, moves the current process
into a sub-cgroup, and then adds all controllers in top-level
cgroup.subtree_control.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-08-02 23:00:46 -07:00
Akihiro Suda f0a5e6b96f Merge pull request #3930 from cyphar/close_range
utils: use close_range(2) to close leftover file descriptors
2023-08-03 14:58:15 +09:00
Kir Kolyshkin 2da710ca2f Merge pull request #3933 from alexeldeib/ace/v2root
libct/cg/fs2: use file + anon + swap for usage
2023-08-02 22:30:13 -07:00
Chethan Suresh ebc2e7c435 Support time namespace
"time" namespace was introduced in Linux v5.6
support new time namespace to set boottime and monotonic time offset

Example runtime spec

"timeOffsets": {
    "monotonic": {
        "secs": 172800,
        "nanosecs": 0
    },
    "boottime": {
        "secs": 604800,
        "nanosecs": 0
    }
}

Signed-off-by: Chethan Suresh <chethan.suresh@sony.com>
2023-08-03 10:12:01 +05:30
Kir Kolyshkin cbf8c67a5e Merge pull request #3954 from kinvolk/rata/idmap-tests
contrib/fs-idmap: Minor cleanups
2023-08-02 19:55:38 -07:00
Kir Kolyshkin 534fa8e114 Merge pull request #3956 from lifubang/fix-ModeSticky
Fix some file mode bits missing when doing mount syscall
2023-08-02 19:51:10 -07:00
lifubang 83137c6884 add a test case about missing stricky bit
Signed-off-by: lifubang <lifubang@acmcoder.com>
2023-08-03 09:04:27 +08:00
lifubang 6092a4b42d fix some file mode bits missing when doing mount syscall
Signed-off-by: lifubang <lifubang@acmcoder.com>
2023-08-03 08:44:00 +08:00
lfbzhm a73602846b Merge pull request #3957 from opencontainers/dependabot/go_modules/golang.org/x/net-0.13.0
build(deps): bump golang.org/x/net from 0.12.0 to 0.13.0
2023-08-03 08:32:00 +08:00
Rodrigo Campos 0688288876 contrib/fs-idmap: Move logic to a new function
We can't call log.Fatalf() and defer functions, as the former doesn't
call any defers. Let's just move the code to a new function and call
os.Exit() only in main, when all defer executed.

Now that all the code is one function, we only print twice to stderr. It
is simpler to just print to stderr instead of logging and having also
the timestamp we don't really want.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2023-08-02 15:36:01 +02:00
Rodrigo Campos 855c5a0e8b contrib/fs-idmap: Don't hardcode sleep path
Let's just rely on the lookup performed to find the sleep binary.

This didn't cause any issues as far as I know, I just saw this while
doing other cleanups.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2023-08-02 15:36:01 +02:00
Rodrigo Campos 882e5fe3ba contrib/fs-idmap: Check exactly 2 args are received
If more args are passed, let's just throw an error.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2023-08-02 15:36:01 +02:00
Rodrigo Campos 821d0018f5 contrib/fs-idmap: Remove not needed flags
We don't really need to check if AT_RECURSIVE is possible here. We just
want to check if we can idmap the src, it doesn't matter other nested
mounts.

While we are there, allow relative paths too.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2023-08-02 15:35:43 +02:00
Alexander Eldeib 7d2becdf2c libct/cg/fs2: use file + anon + swap for usage
This aligns v2 usage calculations more closely with v1.
Current node-level reporting for v1 vs v2 on the same
machine under similar load may differ by ~250-750Mi.

Also return usage as combined swap + memory usage, aligned
with v1 and non-root v2 cgroups.

`mem_cgroup_usage` in the kernel counts NR_FILE_PAGES
+ NR_ANON_MAPPED + `nr_swap_pages` (if swap enabled) [^0].

Using total - free results in higher "usage" numbers.
This is likely due to various types of reclaimable
memory technically counted as in use (e.g. inactive anon).

See also https://github.com/kubernetes/kubernetes/issues/118916 for more context

[^0]: https://github.com/torvalds/linux/blob/06c2afb862f9da8dc5efa4b6076a0e48c3fbaaa5/mm/memcontrol.c#L3673-L3680

Signed-off-by: Alexander Eldeib <alexeldeib@gmail.com>
2023-08-02 15:18:22 +02:00
Rodrigo Campos 99340bb0bd contrib/fs-idmap: Reap childs
This is what we should do, although in practice this probably won't be a
big issue as the parent also exits.

While we are there, instead of waiting for the child to finish, kill it
if we did everything we wanted to do.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2023-08-02 11:52:16 +02:00
dependabot[bot] c537cb3d59 build(deps): bump golang.org/x/net from 0.12.0 to 0.13.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.12.0 to 0.13.0.
- [Commits](https://github.com/golang/net/compare/v0.12.0...v0.13.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-08-02 04:55:22 +00:00
Aleksa Sarai 70f4e46e68 utils: use close_range(2) to close leftover file descriptors
close_range(2) is far more efficient than a readdir of /proc/self/fd and
then doing a syscall for each file descriptor.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-08-01 15:37:58 +10:00
Kir Kolyshkin dbe8434359 Merge pull request #3949 from kinvolk/rata/idmap-improve-errors
libct/nsenter: Show better errors for idmap mounts
2023-07-31 17:27:35 -07:00
Rodrigo Campos 57f31c68dc libct/nsenter: Show better errors for idmap mounts
While testing this with old kernel versions and kernels that don't
support idmap mounts for some of the filesystems used by a container, I
realized we can throw a more clear errors.

Let's make it clear which syscall we are using, when it is not supported
and when if the fs doesn't support idmap mounts, which path it is.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2023-07-31 13:44:37 +02:00
lfbzhm 14c7ab7f4d Merge pull request #3843 from kolyshkin/skip-proc-devices
libct/cg/sd: use systemd v240+ new MAJOR:* syntax
2023-07-30 15:46:18 +08:00
Kir Kolyshkin 701dff798d libct/cg/sd: use systemd v240+ new MAJOR:* syntax
Since systemd v240 (commit 8e8b5d2e6d91180a), one can use
/dev/{char,block}-MAJOR syntax to specify that all MAJOR:*
devices are allowed.

Use it, if available, since it's more straightforward, plus
we can skip somewhat expensive parsing of /proc/devices.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-07-29 22:41:05 +08:00
Kir Kolyshkin b15a6a3da7 Merge pull request #3805 from rpluem-vf/nodev_noexec_nosuid
Allow bind mounts of nodev,nosuid,noexec filesystems
2023-07-29 04:12:02 -07:00
Ruediger Pluem da780e4d27 Fix bind mounts of filesystems with certain options set
Currently bind mounts of filesystems with nodev, nosuid, noexec,
noatime, relatime, strictatime, nodiratime options set fail in rootless
mode if the same options are not set for the bind mount.
For ro filesystems this was resolved by #2570 by remounting again
with ro set.

Follow the same approach for nodev, nosuid, noexec, noatime, relatime,
strictatime, nodiratime but allow to revert back to the old behaviour
via the new `--no-mount-fallback` command line option.

Add a testcase to verify that bind mounts of filesystems with nodev,
nosuid, noexec, noatime options set work in rootless mode.
Add a testcase that mounts a nodev, nosuid, noexec, noatime filesystem
with a ro flag.
Add two further testcases that ensure that the above testcases would
fail if the `--no-mount-fallback` command line option is set.

* contrib/completions/bash/runc:
      Add `--no-mount-fallback` command line option for bash completion.

* create.go:
      Add `--no-mount-fallback` command line option.

* restore.go:
      Add `--no-mount-fallback` command line option.

* run.go:
      Add `--no-mount-fallback` command line option.

* libcontainer/configs/config.go:
      Add `NoMountFallback` field to the `Config` struct to store
      the command line option value.

* libcontainer/specconv/spec_linux.go:
      Add `NoMountFallback` field to the `CreateOpts` struct to store
      the command line option value and store it in the libcontainer
      config.

* utils_linux.go:
      Store the command line option value in the `CreateOpts` struct.

* libcontainer/rootfs_linux.go:
      In case that `--no-mount-fallback` is not set try to remount the
      bind filesystem again with the options nodev, nosuid, noexec,
      noatime, relatime, strictatime or nodiratime if they are set on
      the source filesystem.

* tests/integration/mounts_sshfs.bats:
      Add testcases and rework sshfs setup to allow specifying
      different mount options depending on the test case.

Signed-off-by: Ruediger Pluem <ruediger.pluem@vodafone.com>
2023-07-28 16:32:02 -07:00
Kir Kolyshkin 465cb34a4b Merge pull request #3945 from opencontainers/dependabot/go_modules/github.com/opencontainers/runtime-spec-1.1.0
build(deps): bump github.com/opencontainers/runtime-spec from 1.1.0-rc.3 to 1.1.0
2023-07-28 15:41:35 -07:00
Kir Kolyshkin cd5caa02ae Merge pull request #3946 from lifubang/forword-port-changelog-after-1.1.5
[CHANGELOG] Forword port changelog after release 1.1.5
2023-07-28 15:41:11 -07:00
lifubang 237acdd813 add some important announcements in unreleased section
Signed-off-by: lifubang <lifubang@acmcoder.com>
2023-07-23 18:48:31 +08:00
Sebastiaan van Stijn a5777e8716 Merge pull request #3947 from lifubang/followup-3939
use the length of UIDMappings/GIDMappings to check whether empty or not
2023-07-23 09:02:23 +02:00
lifubang c875ea8529 use the length of UIDMappings/GIDMappings to check whether empty or not
Signed-off-by: lifubang <lifubang@acmcoder.com>
2023-07-23 11:59:18 +08:00
lifubang d9494fc6b4 CHANGELOG: forward-port 1.1.6-1.1.8 changes
Signed-off-by: lifubang <lifubang@acmcoder.com>
2023-07-23 10:31:34 +08:00
Aleksa Sarai b4f38918a4 merge #3861 into opencontainers/runc:main
Akihiro Suda (1):
  features: graduate from experimental

LGTMs: kolyshkin cyphar
Closes #3861
2023-07-22 19:38:45 +10:00
dependabot[bot] 11b6c9b638 build(deps): bump github.com/opencontainers/runtime-spec
Bumps [github.com/opencontainers/runtime-spec](https://github.com/opencontainers/runtime-spec) from 1.1.0-rc.3 to 1.1.0.
- [Release notes](https://github.com/opencontainers/runtime-spec/releases)
- [Changelog](https://github.com/opencontainers/runtime-spec/blob/main/ChangeLog)
- [Commits](https://github.com/opencontainers/runtime-spec/compare/v1.1.0-rc.3...v1.1.0)

---
updated-dependencies:
- dependency-name: github.com/opencontainers/runtime-spec
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2023-07-22 13:03:35 +09:00
Kir Kolyshkin 74895d4552 Merge pull request #3939 from eiffel-fl/francis/caps-naming
Renaming *Mappings fields and use int* for mountEntry.fd
2023-07-21 09:13:41 -07:00
Francis Laniel a3785c88ec Remove idmapFD field for mountEntry
We cannot have both srcFD and idMapFD set at the same time.
So, we can simplify this struct to only have one field which is used a srcFD
most of the time and as idMapFD when we do an id map mount.

Signed-off-by: Francis Laniel <flaniel@linux.microsoft.com>
2023-07-21 13:55:34 +02:00
Francis Laniel 46ada59ba2 Use an *int for srcFD
Previously to this commit, we used a string for srcFD as /proc/self/fd/NN.
This commit modified to this behavior, so srcFD is only an *int and the full path
is constructed in mountViaFDs() if srcFD is different than nil.

Signed-off-by: Francis Laniel <flaniel@linux.microsoft.com>
2023-07-21 13:55:34 +02:00
Francis Laniel c47f58c4e9 Capitalize [UG]idMappings as [UG]IDMappings
Signed-off-by: Francis Laniel <flaniel@linux.microsoft.com>
2023-07-21 13:55:34 +02:00
lfbzhm b338accc78 Merge pull request #3826 from kolyshkin/ps-rootless
tests/int/ps: enable for rootless
2023-07-17 23:39:32 +08:00
Kir Kolyshkin f92057aa1e tests/int: update set_cgroups_path doc
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-07-17 23:16:55 +08:00
Kir Kolyshkin 19f76b66c1 tests/int/ps: enable for rootless
runc ps requires cgroup, but all the tests but one required root. Let's
fix this.

1. Add rootless cgroup requirement to setup() to avoid repetition.

2. Add set_cgroups_path to setup() for rootless containers because
   there is no default cgroup path.

3. Modify output checks to use $output rather than $lines because in case
   of rootless the first line of output contains the following warning:

> runc ps may fail if you don't have the full access to cgroups

4. While at it, move the common part of every test (creating the
   container and making sure it's running) to setup().

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-07-17 23:16:55 +08:00
Akihiro Suda c99e6c6c5d Merge pull request #3750 from kinvolk/rata/idmap-merged
docs: Update spec conformance for idmap mounts
2023-07-17 23:49:20 +09:00
Rodrigo Campos 867ee90534 docs: Update spec conformance for idmap mounts
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2023-07-17 16:29:07 +02:00
lfbzhm f73b05dee6 Merge pull request #3717 from kinvolk/rata/idmap
Support idmap mounts for volumes
2023-07-17 21:55:50 +08:00
Rodrigo Campos b460dc39b7 tests/integration: Add tests for idmap mounts
Co-authored-by: Francis Laniel <flaniel@linux.microsoft.com>
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2023-07-17 13:30:12 +02:00
Rodrigo Campos fda12ab101 Support idmap mounts on volumes
This commit adds support for idmap mounts as specified in the runtime-spec.

We open the idmap source paths and call mount_setattr() in runc PARENT,
as we need privileges in the init userns for that, and then sends the
fds to the child process. For this fd passing we use the same mechanism
used in other parts of thecode, the _LIBCONTAINER_ env vars.

The mount is finished (unix.MoveMount) from go code, inside the userns,
so we reuse all the prepareBindMount() security checks and the remount
logic for some flags too.

This commit only supports idmap mounts when userns are used AND the mappings
are the same specified for the userns mapping. This limitation is to
simplify the initial implementation, as all our users so far only need
this, and we can avoid sending over netlink the mappings, creating a
userns with this custom mapping, etc. Future PRs will remove this
limitation.

Co-authored-by: Francis Laniel <flaniel@linux.microsoft.com>
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2023-07-17 13:30:12 +02:00
lfbzhm 4338e972fe Merge pull request #3919 from kolyshkin/golint153
ci: bump golangci-lint to v1.53, remove fixed exception
2023-07-16 18:26:26 +08:00
Kir Kolyshkin 98317c16ed ci: bump golangci-lint, remove fixed exception
The exception was fixed by https://github.com/polyfloyd/go-errorlint/pull/12
which eventually made its way into golangci-lint.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-07-16 15:02:26 +08:00
lfbzhm caa6e523f2 Merge pull request #3900 from kolyshkin/psi
libct/cg/stats: support PSI for cgroup v2
2023-07-14 09:06:31 +08:00
Rodrigo Campos fe4528b176 libcontainer: Just print the mountFds slice len on errors
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2023-07-11 16:17:48 +02:00
Rodrigo Campos 73b649705a libcontainer: Add mountFds struct
We will need to pass more slices of fds to these functions in future
patches. Let's add a struct that just contains them all, instead of
adding lot of parameters to these functions.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2023-07-11 16:17:48 +02:00
Rodrigo Campos 0172016a53 libcontainer: Add generic parseFdsFromEnv()
We will add code that uses this function in future patches. So let's
just split it to a new function now and reuse it later.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2023-07-11 16:17:48 +02:00
Rodrigo Campos f5814a1007 libcontainer: Add generic sendFdsSources()
Let's move the code to send mount sources to a generic function. Future
patches will use it for idmap sources too.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2023-07-11 16:17:48 +02:00
Rodrigo Campos 96bd487590 nsenter: Add idmap helpers
We add idmap.h with the needed includes and defines in case the system
headers don't have the definition for the idmap syscalls we need.

Future patches will use these helpers.

Co-authored-by: Francis Laniel <flaniel@linux.microsoft.com>
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2023-07-11 16:17:48 +02:00
Rodrigo Campos 5166164ded nsexec: Add generic receive_sources()
Future patches will use this with another env var.

Co-authored-by: Francis Laniel <flaniel@linux.microsoft.com>
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2023-07-11 16:17:48 +02:00
Rodrigo Campos 4b668a8224 Switch setupUserNamespace() to use the toConfigIDMap() helper
We just added this helper for other parts of the code, let's switch this
function to use the helper too.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2023-07-11 16:17:48 +02:00
Rodrigo Campos fbf183c6f8 Add uid and gid mappings to mounts
Co-authored-by: Francis Laniel <flaniel@linux.microsoft.com>
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2023-07-11 16:17:48 +02:00
Akihiro Suda 05669c8aba Merge pull request #3929 from opencontainers/dependabot/go_modules/github.com/cilium/ebpf-0.11.0
build(deps): bump github.com/cilium/ebpf from 0.10.0 to 0.11.0
2023-07-11 10:55:12 +08:00
dependabot[bot] 83418f8878 build(deps): bump github.com/cilium/ebpf from 0.10.0 to 0.11.0
Bumps [github.com/cilium/ebpf](https://github.com/cilium/ebpf) from 0.10.0 to 0.11.0.
- [Release notes](https://github.com/cilium/ebpf/releases)
- [Commits](https://github.com/cilium/ebpf/compare/v0.10.0...v0.11.0)

---
updated-dependencies:
- dependency-name: github.com/cilium/ebpf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-07-11 01:40:04 +00:00
Akihiro Suda 3e2c42abe2 Merge pull request #3928 from opencontainers/dependabot/go_modules/golang.org/x/net-0.12.0
build(deps): bump golang.org/x/net from 0.11.0 to 0.12.0
2023-07-11 09:39:19 +08:00
dependabot[bot] 2c844977d4 build(deps): bump golang.org/x/net from 0.11.0 to 0.12.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.11.0 to 0.12.0.
- [Commits](https://github.com/golang/net/compare/v0.11.0...v0.12.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-07-08 23:14:46 +08:00
Rodrigo Campos 881e92a3fd libct/validator: Error out on non-abs paths
This was a warning already and it was requested to make this an error
while we will add validation of idmap mounts:
	https://github.com/opencontainers/runc/pull/3717#discussion_r1154705318

I've also tested a k8s cluster and the config.json generated by
containerd didn't use any relative paths. I tested one pod, so it was
definitely not an extensive test.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2023-07-07 12:00:33 +02:00
Aleksa Sarai 628256245e merge pr #3924 into opencontainers/runc:main
Kir Kolyshkin (1):
  MAINTAINERS: add Li Fu Bang

LGTMs: kolyshkin AkihiroSuda cyphar hqhq mrunalp crosbymichael
Vote: +6 -0 *2
Closes #3924
2023-07-07 10:18:55 +10:00
Akihiro Suda a1d47f0171 Merge pull request #3927 from opencontainers/dependabot/go_modules/golang.org/x/sys-0.10.0
build(deps): bump golang.org/x/sys from 0.9.0 to 0.10.0
2023-07-06 22:41:10 +08:00
Mrunal Patel 369ad5a503 Merge pull request #3888 from kolyshkin/reset-failed
runc delete: call systemd's reset-failed
2023-07-06 00:09:25 -04:00
dependabot[bot] 45c75ac7ed build(deps): bump golang.org/x/sys from 0.9.0 to 0.10.0
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.9.0 to 0.10.0.
- [Commits](https://github.com/golang/sys/compare/v0.9.0...v0.10.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-07-05 04:35:31 +00:00
Aleksa Sarai 35eff7cdb2 merge pr #3599 into opencontainers/runc:main
Cory Snider (5):
  libct/nsenter: namespace the bindfd shuffle
  libct/nsenter: set FD_CLOEXEC on received fd
  libct/nsenter: refactor ipc funcs for reusability
  libct/nsenter: annotate write_log() prototype
  chore(libct/nsenter): extract utility code

LGTMs: AkihiroSuda kolyshkin cyphar
Closes #3599
2023-07-04 19:49:47 +10:00
Cory Snider 017d6996c0 libct/nsenter: namespace the bindfd shuffle
Processes can watch /proc/self/mounts or /mountinfo, and the kernel
will notify them whenever the namespace's mount table is modified. The
notified process still needs to read and parse the mountinfo to
determine what changed once notified. Many such processes, including
udisksd and SystemD < v248, make no attempt to rate-limit their
mountinfo notifications. This tends to not be a problem on many systems,
where mount tables are small and mounting and unmounting is uncommon.
Every runC exec which successfully uses the try_bindfd container-escape
mitigation performs two mount()s and one umount() in the host's mount
namespace, causing any mount-watching processes to wake up and parse the
mountinfo file three times in a row. Consequently, using 'exec' health
checks on containers has a larger-than-expected impact on system load
when such mount-watching daemons are running. Furthermore, the size of
the mount table in the host's mount namespace tends to be proportional
to the number of OCI containers as a unique mount is required for the
rootfs of each container. Therefore, on systems with mount-watching
processes, the system load increases *quadratically* with the number of
running containers which use health checks!

Prevent runC from incidentally modifying the host's mount namespace for
container-escape mitigations by setting up the mitigation in a temporary
mount namespace.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-07-04 17:56:25 +10:00
Cory Snider 3b191ff710 libct/nsenter: set FD_CLOEXEC on received fd
Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-07-04 17:56:25 +10:00
Cory Snider 8f67178139 libct/nsenter: refactor ipc funcs for reusability
Modify receive_fd() and send_fd() so they can be more readily reused in
cloned_binary.c. Change receive_fd() to have a single responsibility:
receiving and returning a single file descriptor over a UNIX domain
socket. Make send_fd() useable in precarious execution contexts such as
a clone(CLONE_VFORK|CLONE_VM) "thread" where allocating heap memory or
calling exit() would be dangerous.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-07-04 17:56:25 +10:00
Cory Snider 890dceeebf libct/nsenter: annotate write_log() prototype
...so the compiler can warn about mismatches between the format string
and varargs.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-07-04 17:56:25 +10:00
Cory Snider 35fddfd28f chore(libct/nsenter): extract utility code
...from nsexec.c so they can be used in cloned_binary.c.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-07-04 17:56:25 +10:00
Kir Kolyshkin 37732d1e7d MAINTAINERS: add Li Fu Bang
I am nominating @lifubang for the role of runc maintainer.

He provided a number of valuable contributions to runc, and demonstrated
both deep technical expertise and the long term commitment to the
project.

As noted in MAINTAINERS_GUIDE.md, we have a week to vote, and need to
get 66% of current maintainers' votes.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-06-30 10:50:49 -07:00
Kir Kolyshkin 164e4bc5f6 Merge pull request #3915 from opencontainers/dependabot/go_modules/google.golang.org/protobuf-1.31.0
build(deps): bump google.golang.org/protobuf from 1.30.0 to 1.31.0
2023-06-28 09:54:16 -07:00
Kir Kolyshkin ad040b1caf tests/int/delete: make sure runc delete removes failed unit
The passing run (with the fix) looks like this:

----
delete.bats
 ✓ runc delete removes failed systemd unit [4556]
   runc spec (status=0):

   runc run -d --console-socket /tmp/bats-run-B08vu1/runc.lbQwU5/tty/sock test-failed-unit (status=0):

   Warning: The unit file, source configuration file or drop-ins of runc-cgroups-integration-test-12869.scope changed on disk. Run 'systemctl daemon-reload' to reload units.
   × runc-cgroups-integration-test-12869.scope - libcontainer container integration-test-12869
        Loaded: loaded (/run/systemd/transient/runc-cgroups-integration-test-12869.scope; transient)
     Transient: yes
       Drop-In: /run/systemd/transient/runc-cgroups-integration-test-12869.scope.d
                └─50-DevicePolicy.conf, 50-DeviceAllow.conf
        Active: failed (Result: timeout) since Tue 2023-06-13 14:41:38 PDT; 751ms ago
      Duration: 2.144s
           CPU: 8ms

   Jun 13 14:41:34 kir-rhat systemd[1]: Started runc-cgroups-integration-test-12869.scope - libcontainer container integration-test-12869.
   Jun 13 14:41:37 kir-rhat systemd[1]: runc-cgroups-integration-test-12869.scope: Scope reached runtime time limit. Stopping.
   Jun 13 14:41:38 kir-rhat systemd[1]: runc-cgroups-integration-test-12869.scope: Stopping timed out. Killing.
   Jun 13 14:41:38 kir-rhat systemd[1]: runc-cgroups-integration-test-12869.scope: Killing process 1107438 (sleep) with signal SIGKILL.
   Jun 13 14:41:38 kir-rhat systemd[1]: runc-cgroups-integration-test-12869.scope: Failed with result 'timeout'.
   runc delete test-failed-unit (status=0):

   Unit runc-cgroups-integration-test-12869.scope could not be found.
----

Before the fix, the test was failing like this:

----
delete.bats
 ✗ runc delete removes failed systemd unit
   (in test file tests/integration/delete.bats, line 194)
     `run -4 systemctl status "$SD_UNIT_NAME"' failed, expected exit code 4, got 3
  ....
----

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-06-28 09:28:35 -07:00
Kir Kolyshkin 58a811f6aa tests/int: add/use "requires systemd_vNNN"
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-06-28 09:28:35 -07:00
Kir Kolyshkin 43564a7b55 runc delete: call systemd's reset-failed
runc delete is supposed to remove all the container's artefacts.
In case systemd cgroup driver is used, and the systemd unit has failed
(e.g. oom-killed), systemd won't remove the unit (that is, unless the
"CollectMode: inactive-or-failed" property is set).

Call reset-failed from manager.Destroy so the failed unit will be
removed during "runc delete".

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-06-28 09:28:35 -07:00
Kir Kolyshkin 91b4cd25b7 libct/cg/sd: remove logging from resetFailedUnit
Sometimes we call resetFailedUnit as a cleanup measure, and we don't
care if it fails or not. So, move error reporting to its callers, and
ignore error in cases we don't really expect it to succeed.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-06-28 09:28:35 -07:00
Kir Kolyshkin dacb3aaa0d tests/int/cgroups: remove useless/wrong setting
There is no such thing as linux.resources.memorySwap (the mem+swap is
set as linux.resources.memory.swap).

As it is not used in this test anyway, remove it.

Fixes: 4929c05ad1
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-06-28 09:28:35 -07:00
Sebastiaan van Stijn e42446f7c6 Merge pull request #3912 from cpuguy83/fix_tmpfs_mode
Fix tmpfs mode opts when dir already exists
2023-06-28 16:15:28 +02:00
Sebastiaan van Stijn f9bd4a5a2f Merge pull request #3827 from kolyshkin/no-panic
libct/cg: IsCgroup2UnifiedMode: don't panic
2023-06-28 15:29:46 +02:00
Sebastiaan van Stijn 17b335a2ee Merge pull request #3902 from kolyshkin/skip-less
ci/gha: don't skip rootless+systemd on ubuntu 22.04
2023-06-28 15:28:08 +02:00
Sebastiaan van Stijn 651c044a2b Merge pull request #3889 from kolyshkin/shellcheck-0.9
ci: bump shellcheck to 0.9.0, fix new SC2016 warnings
2023-06-28 15:26:43 +02:00
Sebastiaan van Stijn aacc27b7fe Merge pull request #3852 from kolyshkin/doc-log-level
libct: document process.LogLevel field
2023-06-28 15:22:46 +02:00
Kir Kolyshkin 5cdf76719e libct/cg: IsCgroup2UnifiedMode: don't panic
Replace a panic with a warning, unless it's ENOENT and we're running in
a user namespace. In the latter case, do the same as before, i.e. report
the error but using a Debug logging level.

This prevents software that uses libcontainer from panicking in
some exotic setups.

This will also print a warning on some very old systems which does not
use /sys/fs/cgroup for cgroup mount point. My bet is such systems no
longer exist.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-06-27 11:29:37 -07:00
Akihiro Suda 92c71e725f Merge pull request #3804 from jiusanzhou/bugfix/skip-update-while-frozen-faield
libct/cg/sd/v1: do not update non-frozen cgroup after frozen failed.
2023-06-28 03:19:53 +09:00
Kir Kolyshkin 5e53e6592a ci: bump shellcheck to 0.9.0, fix new SC2016 warnings
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-06-27 08:44:21 -07:00
dependabot[bot] a57d94d3ad build(deps): bump google.golang.org/protobuf from 1.30.0 to 1.31.0
Bumps google.golang.org/protobuf from 1.30.0 to 1.31.0.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-06-27 04:58:59 +00:00
Brian Goff 9fa8b9de3e Fix tmpfs mode opts when dir already exists
When a directory already exists (or after a container is restarted) the
perms of the directory being mounted to were being used even when a
different permission is set on the tmpfs mount options.

This prepends the original directory perms to the mount options.
If the perms were already set in the mount opts then those perms will
win.
This eliminates the need to perform a chmod after mount entirely.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2023-06-26 21:53:21 +00:00
Kir Kolyshkin 1bc2999b77 Merge pull request #3913 from fish98/main
Fix checkpoints integration tests failure
2023-06-26 11:07:03 -07:00
TTFISH eb55472ee1 Fix integration tests failure when calling "ip"
Signed-off-by: TTFISH <jiongchiyu@gmail.com>
2023-06-25 17:32:23 +08:00
Kir Kolyshkin bcaee38a9a Merge pull request #3903 from opencontainers/dependabot/go_modules/golang.org/x/net-0.11.0
build(deps): bump golang.org/x/net from 0.10.0 to 0.11.0
2023-06-22 09:21:26 -07:00
dependabot[bot] a52efc1ffd build(deps): bump golang.org/x/net from 0.10.0 to 0.11.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.10.0 to 0.11.0.
- [Commits](https://github.com/golang/net/compare/v0.10.0...v0.11.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-06-21 18:13:29 +00:00
Aleksa Sarai e099ffb8df merge pr #3907 into main
Kir Kolyshkin (1):
  .codespellrc: update for 2.2.5
2023-06-22 01:12:56 +10:00
Kir Kolyshkin e3627658fa .codespellrc: update for 2.2.5
Remove some old exceptions (no longer needed), add a new one
(codespell 2.2.5 flags "(mis)features" in docs/terminal.md).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-06-16 10:07:40 -07:00
Akihiro Suda 5cf9bb229f Merge pull request #3883 from kolyshkin/space-at-eol
ci/gha: add space-at-eol check, fix existing issues
2023-06-14 12:39:09 +09:00
Kir Kolyshkin c9209fd223 ci/gha: don't skip rootless+systemd on ubuntu 22.04
We used to skip testing rootless integration tests for systemd, because
in case of cgroup v1 it does not support user delegation.

Since we added ubuntu 22.04 to the testing matrix, we can actually test
rootless+systemd there (with the proper systemd setup).

Fixes: 953e1cc485
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-06-13 18:01:09 -07:00
Sebastiaan van Stijn 4f5c350513 Merge pull request #3899 from kolyshkin/fix-sd-linl
docs/systemd: fix a broken link
2023-06-14 01:12:46 +02:00
Daniel Dao 1aa7ca8046 libct/cg/stats: support PSI for cgroup v2
We read output from the following files if they exists:
- cpu.pressure
- memory.pressure
- io.pressure

Each are in format:

```
some avg10=0.00 avg60=0.00 avg300=0.00 total=0
full avg10=0.00 avg60=0.00 avg300=0.00 total=0
```

Signed-off-by: Daniel Dao <dqminh89@gmail.com>
Co-authored-by: Sandor Szücs <sandor.szuecs@zalando.de>
Co-authored-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-06-13 15:43:39 -07:00
Kir Kolyshkin 2f42992a34 Merge pull request #3896 from AkihiroSuda/spec-v1.1.0-rc.3
go.mod: runtime-spec v1.1.0-rc.3
2023-06-13 10:37:03 -07:00
dependabot[bot] d161491c25 Merge pull request #3901 from opencontainers/dependabot/go_modules/golang.org/x/sys-0.9.0 2023-06-13 06:49:27 +00:00
dependabot[bot] bc390b2e67 build(deps): bump golang.org/x/sys from 0.8.0 to 0.9.0
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.8.0 to 0.9.0.
- [Commits](https://github.com/golang/sys/compare/v0.8.0...v0.9.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-06-13 04:58:49 +00:00
Kir Kolyshkin 73b5dc027d docs/systemd: fix a broken link
Apparently, developer.gnome.org/documentation no longer hosts the
documentation we used to refer to. Link to docs.gtk.org instead.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-06-12 16:10:06 -07:00
Zoe 62963fef9f libct/cg/sd/v1: do not update non-frozen cgroup after frozen failed.
In code we have frozen the cgroup to avoid the processes get
an occasional "permission denied" error, while the systemd's application of device
rules is done disruptively. When the processes in the container can not
be frozen over 2 seconds (which defined in fs/freezer.go),
we still update the cgroup which resulting the container get an occasional
"permission denied" error in some cases.

Return error directly without updating cgroup, when freeze fails.

Fixes: #3803

Signed-off-by: Zoe <hi@zoe.im>
2023-06-12 10:10:04 +08:00
Akihiro Suda 0ac3376c20 go.mod: runtime-spec v1.1.0-rc.3
https://github.com/opencontainers/runtime-spec/releases/tag/v1.1.0-rc.3

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2023-06-10 17:19:11 +09:00
Akihiro Suda 0b9d545d02 Merge pull request #3553 from kolyshkin/moar-ci
ci/cirrus: enable some rootless tests on cs9
2023-06-10 15:40:21 +09:00
Aleksa Sarai 14456efde1 merge pr #3825
Kir Kolyshkin (7):
  libct: implement support for cgroup.kill
  runc kill: drop -a option
  libct: move killing logic to container.Signal
  libct: fix shared pidns detection
  libct: signalAllProcesses: remove child reaping
  tests/int/kill: add kill -a with host pidns test
  tests/rootless.sh: drop set -x

LGTMs: AkihiroSuda cyphar
Closes #3825
2023-06-10 14:26:06 +10:00
Kir Kolyshkin 78d31a4941 ci/cirrus: enable rootless tests on cs9
We were not running localrootlessintegration test on CentOS Stream 9
because of some failures fixed by previous commits.

Enable rootless integration with both systemd and fs drivers.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-06-09 12:51:22 -07:00
Kir Kolyshkin 41e04aa683 tests/int: rename a variable
Rename CGROUP_PATH to CGROUP_V2_PATH so it is more clear that it can
only be used for CGROUP_V2, and to resolve ambiguity with CGROUP_PATH
variable used in tests/rootless.sh.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-06-09 12:51:22 -07:00
Kir Kolyshkin e83ca51913 tests/int/cgroups: filter out rdma
Filter out rdma controller since systemd is unable to delegate it.
Similar to commits 05272718f4 and 601cf5825f.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-06-09 12:51:22 -07:00
dependabot[bot] 5f3f55929c Merge pull request #3884 from opencontainers/dependabot/go_modules/github.com/sirupsen/logrus-1.9.3 2023-06-09 01:59:47 +00:00
dependabot[bot] 31e3c229ac build(deps): bump github.com/sirupsen/logrus from 1.9.2 to 1.9.3
Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.2 to 1.9.3.
- [Release notes](https://github.com/sirupsen/logrus/releases)
- [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sirupsen/logrus/compare/v1.9.2...v1.9.3)

---
updated-dependencies:
- dependency-name: github.com/sirupsen/logrus
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-06-08 17:23:42 +00:00
Kir Kolyshkin 7d09ba10cc libct: implement support for cgroup.kill
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-06-08 09:30:42 -07:00
Kir Kolyshkin f8ad20f500 runc kill: drop -a option
As of previous commit, this is implied in a particular scenario. In
fact, this is the one and only scenario that justifies the use of -a.

Drop the option from the documentation. For backward compatibility, do
recognize it, and retain the feature of ignoring the "container is
stopped" error when set.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-06-08 09:30:40 -07:00
Kir Kolyshkin 9583b3d1c2 libct: move killing logic to container.Signal
By default, the container has its own PID namespace, and killing (with
SIGKILL) its init process from the parent PID namespace also kills all
the other processes.

Obviously, it does not work that way when the container is sharing its
PID namespace with the host or another container, since init is no
longer special (it's not PID 1). In this case, killing container's init
will result in a bunch of other processes left running (and thus the
inability to remove the cgroup).

The solution to the above problem is killing all the container
processes, not just init.

The problem with the current implementation is, the killing logic is
implemented in libcontainer's initProcess.wait, and thus only available
to libcontainer users, but not the runc kill command (which uses
nonChildProcess.kill and does not use wait at all). So, some workarounds
exist:
 - func destroy(c *Container) calls signalAllProcesses;
 - runc kill implements -a flag.

This code became very tangled over time. Let's simplify things by moving
the killing all processes from initProcess.wait to container.Signal,
and documents the new behavior.

In essence, this also makes `runc kill` to automatically kill all container
processes when the container does not have its own PID namespace.
Document that as well.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-06-08 09:29:25 -07:00
Kir Kolyshkin 2a7dcbbb40 libct: fix shared pidns detection
When someone is using libcontainer to start and kill containers from a
long lived process (i.e. the same process creates and removes the
container), initProcess.wait method is used, which has a kludge to work
around killing containers that do not have their own PID namespace.

The code that checks for own PID namespace is not entirely correct.
To be exact, it does not set sharePidns flag when the host/caller PID
namespace is implicitly used. As a result, the above mentioned kludge
does not work.

Fix the issue, add a test case (which fails without the fix).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-06-08 09:23:29 -07:00
Kir Kolyshkin 5b8f8712a4 libct: signalAllProcesses: remove child reaping
There are two very distinct usage scenarios for signalAllProcesses:

* when used from the runc binary ("runc kill" command), the processes
  that it kills are not the children of "runc kill", and so calling
  wait(2) on each process is totally useless, as it will return ECHLD;

* when used from a program that have created the container (such as
  libcontainer/integration test suite), that program can and should call
  wait(2), not the signalling code.

So, the child reaping code is totally useless in the first case, and
should be implemented by the program using libcontainer in the second
case. I was not able to track down how this code was added, my best
guess is it happened when this code was part of dockerd, which did not
have a proper child reaper implemented at that time.

Remove it, and add a proper documentation piece.

Change the integration test accordingly.

PS the first attempt to disable the child reaping code in
signalAllProcesses was made in commit bb912eb00c, which used a
questionable heuristic to figure out whether wait(2) should be called.
This heuristic worked for a particular use case, but is not correct in
general.

While at it:
 - simplify signalAllProcesses to use unix.Kill;
 - document (container).Signal.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-06-08 09:23:29 -07:00
Kir Kolyshkin e0e8d9c886 tests/int/kill: add kill -a with host pidns test
This is roughly the same as TestPIDHostInitProcessWait in libct/int,
except that here we use separate processes to create and to kill a
container, so the processes inside a container are not children of "runc kill", and
also we hit different codepaths (nonChildProcess.signal rather than
initProcess.signal).

One other thing is, rootless is also tested.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-06-08 09:23:29 -07:00
Kir Kolyshkin 67bc4bc240 tests/rootless.sh: drop set -x
It seems that set -x was temporarily added as a debug measure, but
slipped into the final commit.

Remove it, for the sake of test logs brevity.

Fixes: 9f656dbb11
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-06-08 09:23:29 -07:00
Kir Kolyshkin f075e26bdb Merge pull request #3874 from kolyshkin/fix-cs9-oom
tests/int: increase num retries for oom tests
2023-06-07 17:20:45 -07:00
Kir Kolyshkin 9c6b9131e6 Merge pull request #3887 from kolyshkin/manman
man/runc: fixes
2023-06-07 14:39:16 -07:00
Kir Kolyshkin fed0b12436 tests/int: increase num retries for oom tests
This test is occasionally failing on CS9.

The test case always takes about 7 seconds on my laptop (decreasing
memory, using a different memory eater in shell etc. doesn't help).

Increase the number of iterations from 10 to 30 to make sure we don't
see any flakes.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-06-07 11:30:07 -07:00
Kir Kolyshkin 5929b01989 ci/gha: add space-at-eol check, fix existing issues
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-06-07 11:27:27 -07:00
Kir Kolyshkin 511c76143b man/runc: fixes
1. Fix some missing punctuation, use proper case.

2. Remove "runc init" (previously removed from "runc --help" by commit
   7a0302f0d7).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-06-07 11:23:59 -07:00
Kir Kolyshkin df57f74f87 Merge pull request #3880 from kolyshkin/fix-vagrant-cache
Fix Vagrant caching
2023-06-06 14:32:27 -07:00
Kir Kolyshkin bb4dbbc4f5 ci/cirrus: limit numcpu
... so we can run all four jobs in parallel.

While at it, fix the comment in the file.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-06-05 17:24:59 -07:00
Kir Kolyshkin 650efb2c22 Fix Vagrant caching
As of today, vagrant stopped working, my best guess is due to bad
caching. Here's an excerpt from logs:

...
vagrant plugin install vagrant-libvirt
Installing the 'vagrant-libvirt' plugin. This can take a few minutes...
Building native extensions. This could take a while...
Installed the plugin 'vagrant-libvirt (0.12.1)'!
...
uname -s ; cat Vagrantfile.$DISTRO
Linux
...

Downloaded 481Mb in 4.096201s.
Cache hit for vagrant-8be35383dc00f23d080ff00b2a724c938d650254861f26b67624c28e3fe5e6ae!
...
Vagrant failed to initialize at a very early stage:
The plugins failed to initialize correctly. This may be due to manual
modifications made within the Vagrant home directory.
...
Error message given during initialization: Unable to resolve dependency:
user requested 'vagrant-libvirt (= 0.12.0)'
...

The problem is, vagrant cache overwrites newer plugin with an older one.

Let's only cache the downloaded image.

Also, change the cache fingerprint script (remove "Linux").

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-05-23 11:21:54 -07:00
Kir Kolyshkin ba58ee9c3b Merge pull request #3873 from opencontainers/dependabot/go_modules/github.com/sirupsen/logrus-1.9.2
build(deps): bump github.com/sirupsen/logrus from 1.9.0 to 1.9.2
2023-05-18 12:03:08 -07:00
dependabot[bot] b9d2d8d8a6 build(deps): bump github.com/sirupsen/logrus from 1.9.0 to 1.9.2
Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.0 to 1.9.2.
- [Release notes](https://github.com/sirupsen/logrus/releases)
- [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sirupsen/logrus/compare/v1.9.0...v1.9.2)

---
updated-dependencies:
- dependency-name: github.com/sirupsen/logrus
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-05-18 05:00:24 +00:00
Mrunal Patel a2b60cf268 Merge pull request #3854 from kolyshkin/refff
Some init code refactoring
2023-05-17 14:50:00 -07:00
Kir Kolyshkin 7e481ee2eb libct/int: remove logger from init
Currently, TestInit sets up logrus, and init uses it to log an error
from StartInitialization(). This is solely used by TestExecInError
to check that error returned from StartInitialization is the one it
expects.

Note that the very same error is communicated to the runc init parent
and is ultimately returned by container.Run(), so checking what
StartInitialization returned is redundant.

Remove logrus setup and use from TestMain/init.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-05-17 12:46:27 -07:00
Kir Kolyshkin eba31a7c6c libct/StartInitialization: rename returned error
This is a cosmetic change to improve code readability, making it easier
to distinguish between a local error and the error being returned.

While at it, rename e to err (it was originally called e to not clash
with returned error named err) and ee to err2.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-05-17 12:46:27 -07:00
Kir Kolyshkin 4f0a7e78c3 libct/init: call Init from containerInit
Instead of having newContainerInit return an interface, and let its
caller call Init(), it is easier to call Init directly.

Do that, and rename newContainerInit to containerInit.

I think it makes the code more readable and straightforward.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-05-17 12:46:27 -07:00
Kir Kolyshkin 72657eac2e libct: move StartInitialization
No code change, just moving a function from factory_linux.go to
init_linux.go.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-05-17 12:46:27 -07:00
Kir Kolyshkin 8cbf64055a Merge pull request #3871 from opencontainers/dependabot/github_actions/tim-actions/get-pr-commits-1.3.0
build(deps): bump tim-actions/get-pr-commits from 1.2.0 to 1.3.0
2023-05-17 12:44:52 -07:00
dependabot[bot] 2a3470456e build(deps): bump tim-actions/get-pr-commits from 1.2.0 to 1.3.0
Bumps [tim-actions/get-pr-commits](https://github.com/tim-actions/get-pr-commits) from 1.2.0 to 1.3.0.
- [Release notes](https://github.com/tim-actions/get-pr-commits/releases)
- [Commits](https://github.com/tim-actions/get-pr-commits/compare/v1.2.0...v1.3.0)

---
updated-dependencies:
- dependency-name: tim-actions/get-pr-commits
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-05-17 05:00:09 +00:00
Kir Kolyshkin b492357d8b Merge pull request #3822 from kolyshkin/gha-rm-cache
ci/gha: disable double caching
2023-05-16 12:27:04 -07:00
Kir Kolyshkin 62cc13ea1a gha: disable setup-go cache for golangci job
Since commit e3cf217cf1 actions/setup-go@v4 uses caching
implicitly, and olangci/golangci-lint-action also uses caching.

These two caches clash, resulting in multiple warnings in CI logs.

The official golangci-lint-action solution is to disable caching
for setup-go job (see [1]). Do the same.

[1] https://github.com/golangci/golangci-lint-action/pull/704

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-05-16 11:22:31 -07:00
Kir Kolyshkin 083e9789b8 ci/gha: rm actions/cache from validate/deps job
Since commit e3cf217cf1 actions/setup-go@v4 uses caching
implicitly, so it is no longer required.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-05-16 11:22:31 -07:00
Mrunal Patel 57952fe231 Merge pull request #3870 from kolyshkin/ci-386
ci/gha: cross-i386: fix build, rm kludges
2023-05-16 11:17:12 -07:00
Kir Kolyshkin da5cdfed7c ci/gha: fix cross-i386
As of today, installing fails with

> libc6:i386 : Depends: libgcc-s1:i386 but it is not going to be installed

Add the package explicitly to work around that.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-05-15 16:19:39 -07:00
Kir Kolyshkin b32655d2bc ci/gha: rm kludges for cross-i386 job
The first kludge is not needed since the switch to Ubuntu 22.04 in
commit 953e1cc48.

The second one is not needed since Go 1.20.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-05-15 15:13:25 -07:00
Akihiro Suda f6c393da9e features: graduate from experimental
The type definition was merged into the OCI Runtime Spec v1.1.0-rc.2:
https://github.com/opencontainers/runtime-spec/blob/v1.1.0-rc.2/features.md

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2023-05-11 11:41:22 +09:00
Kir Kolyshkin 268511680f Merge pull request #3858 from opencontainers/dependabot/go_modules/golang.org/x/net-0.10.0
build(deps): bump golang.org/x/net from 0.9.0 to 0.10.0
2023-05-10 15:51:10 -07:00
Sebastiaan van Stijn d782db4536 Merge pull request #3830 from AkihiroSuda/spec-v1.1.0-rc.2
go.mod: runtime-spec v1.1.0-rc.2
2023-05-10 18:06:13 +02:00
Akihiro Suda 6beb3c6a3e go.mod: runtime-spec v1.1.0-rc.2
See https://github.com/opencontainers/runtime-spec/releases/tag/v1.1.0-rc.2
for the spec changes.

The `runc features` json is now defined in
https://github.com/opencontainers/runtime-spec/blob/v1.1.0-rc.2/specs-go/features/features.go

Replaces PR 3829

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2023-05-10 22:23:29 +09:00
Kir Kolyshkin 8eb801dff5 Merge pull request #3512 from kolyshkin/fix-mntns-userns-II
Refactor mountFd code
2023-05-09 01:37:25 -07:00
dependabot[bot] 882a2cc887 build(deps): bump golang.org/x/net from 0.9.0 to 0.10.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.9.0 to 0.10.0.
- [Commits](https://github.com/golang/net/compare/v0.9.0...v0.10.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-05-09 08:36:13 +00:00
Akihiro Suda 712a781fe5 Merge pull request #3856 from opencontainers/dependabot/go_modules/golang.org/x/sys-0.8.0
build(deps): bump golang.org/x/sys from 0.7.0 to 0.8.0
2023-05-09 17:35:38 +09:00
dependabot[bot] 02afa9f142 build(deps): bump golang.org/x/sys from 0.7.0 to 0.8.0
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.7.0 to 0.8.0.
- [Commits](https://github.com/golang/sys/compare/v0.7.0...v0.8.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-05-05 04:58:43 +00:00
Kir Kolyshkin a60933bb24 libct/rootfs: introduce and use mountEntry
Adding fd field to mountConfig was not a good thing since mountConfig
contains data that is not specific to a particular mount, while fd is
a mount entry attribute.

Introduce mountEntry structure, which embeds configs.Mount and adds
srcFd to replace the removed mountConfig.fd.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-05-02 18:54:38 -07:00
Kir Kolyshkin 976748e8d6 libct: add mountViaFDs, simplify mount
1. Simplify mount call by removing the procfd argument, and use the new
   mount() where procfd is not used. Now, the mount() arguments are the
   same as for unix.Mount.

2. Introduce a new mountViaFDs function, which is similar to the old
   mount(), except it can take procfd for both source and target.
   The new arguments are called srcFD and dstFD.

3. Modify the mount error to show both srcFD and dstFD so it's clear
   which one is used for which purpose. This fixes the issue of having
   a somewhat cryptic errors like this:

> mount /proc/self/fd/11:/sys/fs/cgroup/systemd (via /proc/self/fd/12), flags: 0x20502f: operation not permitted

  (in which fd 11 is actually the source, and fd 12 is the target).

   After this change, it looks like

> mount src=/proc/self/fd/11, dst=/sys/fs/cgroup/systemd, dstFD=/proc/self/fd/12, flags=0x20502f: operation not permitted

   so it's clear that 12 is a destination fd.

4. Fix the mountViaFDs callers to use dstFD (rather than procfd) for the
   variable name.

5. Use srcFD where mountFd is set.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-05-02 18:41:09 -07:00
Sebastiaan van Stijn 5a9266b068 Merge pull request #3851 from kolyshkin/bump-urfave
deps: bump urfave/cli
2023-05-01 02:06:29 +02:00
Akihiro Suda 253707d8fc Merge pull request #3850 from cyphar/env-nul-byte
init: do not print environment variable value
2023-04-29 14:45:27 +09:00
Kir Kolyshkin 5a17746302 deps: bump urfave/cli
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-04-28 12:43:08 -07:00
Aleksa Sarai 20e38fb2b1 init: do not print environment variable value
When given an environment variable that is invalid, it's not a good idea
to output the contents in case they are supposed to be private (though
such a container wouldn't start anyway so it seems unlikely there's a
real way to use this to exfiltrate environment variables you didn't
already know).

Reported-by: Carl Henrik Lunde <chlunde@ifi.uio.no>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-04-28 16:32:15 +10:00
Kir Kolyshkin 5f6aafb309 libct: document process.LogLevel field
This field used to hold a string representation of log level (like
"debug" or "info"). Since commit 6c4a3b13d1 this is now a string
holding a numeric representation of log level (e.g. "4"). This was done
in preparation to commit f1b703fc45, and simplifies things in
a few places.

Let's document it.

Fixes: 6c4a3b13d1
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-04-27 11:59:09 -07:00
Sebastiaan van Stijn 8af2f48d9f Merge pull request #3357 from kolyshkin/more-bytes-less-strings
libct/cg/sd: optimize and test findDeviceGroup
2023-04-27 18:36:47 +02:00
Kir Kolyshkin defb1cc718 libct/cg/dev: optimize and test findDeviceGroup
1. Use strings.TrimPrefix instead of fmt.Sscanf and simplify the code.

2. Add a test case and a benchmark.

The benchmark shows some improvement, compared to the old
implementation:

name               old time/op    new time/op    delta
FindDeviceGroup-4    39.7µs ± 2%    26.8µs ± 2%  -32.63%  (p=0.008 n=5+5)

name               old alloc/op   new alloc/op   delta
FindDeviceGroup-4    6.08kB ± 0%    4.23kB ± 0%  -30.39%  (p=0.008 n=5+5)

name               old allocs/op  new allocs/op  delta
FindDeviceGroup-4       117 ± 0%         6 ± 0%  -94.87%  (p=0.008 n=5+5)

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-04-27 09:12:08 -07:00
Sebastiaan van Stijn 39fe1c39fc Merge pull request #3848 from kolyshkin/bump-vagrant
ci/cirrus: use vagrant from hashicorp repo, bump Fedora to 38, bump bats
2023-04-27 12:22:16 +02:00
Kir Kolyshkin 13091eeefa ci: bump bats 1.8.2 -> 1.9.0
As Fedora 38 uses bats 1.9.0, let's switch to this version in other
places.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-04-26 18:56:37 -07:00
Kir Kolyshkin a19200096e Vagrantfile.fedora: bump to 38
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-04-26 18:56:37 -07:00
Kir Kolyshkin 33b6ec2925 ci/cirrus: use vagrant from hashicorp repo
A version of vagrant available from the stock repos (2.2.19) is too old
and contains a bug that prevents downloading Fedora 38 image (see [1]).

Use packages from hashicorp repo, which currently has vagrant 2.3.4.
This resolves the problem of downloading the latest Fedora image.

Also, vagrant-libvirt plugin from Ubuntu repos is not working with
vagrant from hashicorp, so switch to using "vagrant plugin install".
The downside it, this takes extra 4 minutes or so in our CI, and I
am not sure how to cache it or speed it up.

[1] https://github.com/opencontainers/runc/pull/3835#issuecomment-1519321619

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-04-26 18:56:30 -07:00
Aleksa Sarai 30f9f8086d merge #3844 into main
Akihiro Suda (1):
  runc.keyring: add Akihiro Suda

LGTMs: kolyshkin cyphar
Closes #3844
2023-04-26 08:00:02 +10:00
Mrunal Patel bf6a78c140 Merge pull request #3842 from kolyshkin/rm-warning
libct/cg/sd: use systemd version when generating device properties
2023-04-25 09:22:02 -07:00
Akihiro Suda 14d6c7dfcb runc.keyring: add Akihiro Suda
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2023-04-25 10:33:12 +09:00
Kir Kolyshkin d7208f5910 libct/cg/sd: use systemd version when generating dev props
Commit 343951a22b added a call to os.Stat for the device path
when generating systemd device properties, to avoid systemd warning for
non-existing devices. The idea was, since systemd uses stat(2) to look
up device properties for a given path, it will fail anyway. In addition,
this allowed to suppress a warning like this from systemd:

> Couldn't stat device /dev/char/10:200

NOTE that this was done because:
 - systemd could not add the rule anyway;
 - runs puts its own set of rules on top of what systemd does.

Apparently, the above change broke some setups, resulting in inability
to use e.g. /dev/null inside a container. My guess is this is because
in cgroup v2 we add a second eBPF program, which is not used if the
first one (added by systemd) returns "access denied".

Next, commit 3b9582895b fixed that by adding a call to os.Stat for
"/sys/"+path (meaning, if "/dev/char/10:200" does not exist, we retry
with "/sys/dev/char/10:200", and if it exists, proceed with adding a
device rule with the original (non-"/sys") path).

How that second fix ever worked was a mystery, because the path we gave
to systemd still doesn't exist.

Well, I think now I know.

Since systemd v240 (commit 74c48bf5a8005f20) device access rules
specified as /dev/{block|char}/MM:mm are no longer looked up on the
filesystem, instead, if possible, those are parsed from the string.

So, we need to do different things, depending on systemd version:

 - for systemd >= v240, use the /dev/{char,block}/MM:mm as is, without
   doing stat() -- since systemd doesn't do stat() either;
 - for older version, check if the path exists, and skip passing it on
   to systemd otherwise.
 - the check for /sys/dev/{block,char}/MM:mm is not needed in either
   case.

Pass the systemd version to the function that generates the rules, and
fix it accordingly.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-04-24 17:05:26 -07:00
Kir Kolyshkin 3e76cc4774 Merge pull request #3840 from cyphar/keyring-script-extra-info
scripts: keyring validate: print some more information
2023-04-24 12:43:02 -07:00
Aleksa Sarai cfc3c6da39 scripts: keyring validate: print some more information
Add a little bit more diagnostic information to "make validate-keyring".

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-04-23 13:45:03 +10:00
Aleksa Sarai 5f5b35dad4 merge #3836 into main
Kir Kolyshkin (1):
  runc.keyring: add Kolyshkin

LGTMs: AkihiroSuda cyphar
Closes #3836
2023-04-22 17:10:31 +10:00
Kir Kolyshkin a75831037f runc.keyring: add Kolyshkin
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-04-21 17:09:22 -07:00
Akihiro Suda dac38522e2 Merge pull request #3812 from kolyshkin/sd-rm-race
libct: fix a race with systemd removal
2023-04-21 16:50:54 +02:00
Akihiro Suda e61ce723db Merge pull request #3834 from kolyshkin/doc-kill-a
runc-kill(8): amend the --all description
2023-04-21 16:50:09 +02:00
Kir Kolyshkin 42a109198c runc-kill(8): amend the --all description
Document the aspects of --all.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-04-20 18:00:02 -07:00
Kir Kolyshkin fe278b9caa libct: fix a race with systemd removal
For a previous attempt to fix that (and added test cases), see commit
9087f2e827.

Alas, it's not always working because of cgroup directory TOCTOU.

To solve this and avoid the race, add an error _after_ the operation.
Implement it as a method that ignores the error that should be ignored.
Instead of currentStatus(), use faster runType(), since we are not
interested in Paused status here.

For Processes(), remove the pre-op check, and only use it after getting
an error, making the non-error path more straightforward.

For Signal(), add a second check after getting an error. The first check
is left as is because signalAllProcesses might print a warning if the
cgroup does not exist, and we'd like to avoid that.

This should fix an occasional failure like this one:

	not ok 84 kill detached busybox
	# (in test file tests/integration/kill.bats, line 27)
	#   `[ "$status" -eq 0 ]' failed
	....
	# runc kill test_busybox KILL (status=0):
	# runc kill -a test_busybox 0 (status=1):
	# time="2023-04-04T18:24:27Z" level=error msg="lstat /sys/fs/cgroup/devices/system.slice/runc-test_busybox.scope: no such file or directory"

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-04-20 17:50:23 -07:00
Akihiro Suda 3a2c0c2565 Merge pull request #3824 from cyphar/release-gpgkeys
release: add runc.keyring file
2023-04-19 20:11:31 +02:00
Kir Kolyshkin fdc2515187 Merge pull request #3600 from utam0k/domainname
Implement to set a domainname
2023-04-19 10:16:34 -07:00
Aleksa Sarai 056ec0caa6 keyring: add Aleksa's <cyphar@cyphar.com> signing key
keyid C9C370B246B09F6DBCFC744C34401015D1D2D386

This is my personal signing key, which I've used to sign the vast
majority of my commits on GitHub. While I usually sign releases using my
<asarai@suse.de> signing key, it doesn't hurt to include this key too.

Ref: https://keyserver.ubuntu.com/pks/lookup?search=C9C370B246B09F6DBCFC744C34401015D1D2D386&fingerprint=on&op=index
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-04-19 13:48:22 +10:00
Aleksa Sarai 0c9c60aa18 keyring: add Aleksa's <asarai@suse.com> signing key
keyid 5F36C6C61B5460124A75F5A69E18AA267DDB8DB4

This is the signing key I have used for all previous runc releases. You
can also verify that this is the key trusted by openSUSE for all of our
releases.

Ref: https://keyserver.ubuntu.com/pks/lookup?search=5F36C6C61B5460124A75F5A69E18AA267DDB8DB4&fingerprint=on&op=index
Ref: https://build.opensuse.org/package/view_file/openSUSE:Factory/runc/runc.keyring?expand=1&rev=54
Signed-off-by: Aleksa Sarai <asarai@suse.de>
2023-04-19 13:48:17 +10:00
Aleksa Sarai 22538f896a keyring: verify runc.keyring has legitimate maintainer keys
These checks ensure that all of the keys in the runc.keyring list are
actually the keys of the specified user and that the users themselves
are actually maintainers.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-04-19 13:48:14 +10:00
Aleksa Sarai 957bccfe2f scripts: release: add verification checks for signing keys
We need to make sure the release is being signed by a key that is
actually listed as a trusted signing key, and we also need to ask the
person cutting the release whether the list of trusted keys is
acceptable.

Also add some verification checks after a release is signed to make sure
everything was signed with the correct keys.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-04-19 13:48:14 +10:00
Aleksa Sarai 872149470b release: add runc.keyring file and script
In order to allow any of the maintainers to cut releases for runc,
create a keyring file that distributions can use to verify that releases
are signed by one of the maintainers.

The format matches the gpg-offline format used by openSUSE packaging,
but it can be easily imported with "gpg --import" so any distribution
should be able to handle this keyring format wtihout issues.

Each key includes the GitHub handle of the associated user. There isn't
any way for this information to be automatically verified (outside of
using something like keybase.io) but since all changes of this file need
to be approved by maintainers this is okay for now.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2023-04-14 01:00:27 +10:00
utam0k d9230602e9 Implement to set a domainname
opencontainers/runtime-spec#1156

Signed-off-by: utam0k <k0ma@utam0k.jp>
2023-04-12 13:31:20 +00:00
Aleksa Sarai 11983894a8 merge #3790 into main
Kazuki Hasegawa (1):
  Fix undefined behavior. Do not accept setjmp return value as variable.

LGTMs: AkihiroSuda cyphar
Closes #3790
2023-04-12 19:48:18 +10:00
Kazuki Hasegawa 6053aea46f Fix undefined behavior.
Do not accept setjmp return value as variable.

Signed-off-by: Kazuki Hasegawa <nanasi880@gmail.com>
2023-04-12 14:27:43 +10:00
Kir Kolyshkin e42c219fea Merge pull request #3820 from kolyshkin/ubu-22.04
ci/gha: add ubuntu 22.04
2023-04-11 13:40:27 -07:00
Kir Kolyshkin 953e1cc485 ci/gha: switch to or add ubuntu 22.04
For test jobs, add ubuntu 22.04 into the matrix, so we can test of both
cgroup v1 and v2.

For validate jobs, just switch to ubuntu 22.04

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-04-10 10:32:02 -07:00
Mrunal Patel d8a3daacbd Merge pull request #3815 from kolyshkin/bump-bats
bump bats-core, fix some tests, use new features
2023-04-08 08:55:21 -07:00
Kir Kolyshkin 1789002048 Merge pull request #3819 from opencontainers/dependabot/go_modules/golang.org/x/net-0.9.0
build(deps): bump golang.org/x/net from 0.8.0 to 0.9.0
2023-04-07 15:44:40 -07:00
dependabot[bot] 439673d510 build(deps): bump golang.org/x/net from 0.8.0 to 0.9.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.8.0 to 0.9.0.
- [Release notes](https://github.com/golang/net/releases)
- [Commits](https://github.com/golang/net/compare/v0.8.0...v0.9.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-04-07 04:59:18 +00:00
Mrunal Patel 941e5924ef Merge pull request #3814 from kolyshkin/go-1.19-minor
ci/cirrus: use Go 1.19.x not 1.19
2023-04-06 14:27:14 -07:00
Kir Kolyshkin fd1a79ffc8 ci/cirrus: improve host_info
1. Do not use echo, as this results in lines like this:

	...
	echo "-----"
	-----
	...

2. Move "cat /proc/cpuinfo" to be the last one, as the output is usually
   very long.

3. Add "go version" to CentOS jobs.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-04-06 10:52:05 -07:00
Kir Kolyshkin 873d7bb3a3 ci/cirrus: use Go 1.19.x not 1.19
This variable is used in curl to download a go release, so we are using
the initial Go 1.19 release in Cirrus CI, not the latest Go 1.19.x
release.

From the CI perspective, it makes more sense to use the latest release.

Add some jq magic to extract the latest minor release information
from the download page, and use it.

This brings Cirrus CI jobs logic in line with all the others (GHA,
Dockerfile), where by 1.20 we actually mean "latest 1.20.x".

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-04-06 10:51:43 -07:00
Kir Kolyshkin 611bbacb3b libct/cg: add misc controller to v1 drivers
This is just so that the container can join the misc controller.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-04-05 15:49:58 -07:00
Kir Kolyshkin 9b71787be0 tests/int: fix some checks
Apparently, bash with set -e deliberately ignores non-zero return codes
from ! cmd, unless this is the last command. The workaround is to either
use "! cmd || false', "or run ! cmd". Choose the latter, and require
bash-core 1.5.0 (since this is when "run !" was added), replacing the
older check.

Alas I only learned this recently from the bash-core documentation.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-04-05 15:22:23 -07:00
Kir Kolyshkin 9dbb9f90b9 ci: bump bats 1.3.0 -> 1.8.2
This version is already used by Cirrus CI Fedora 37 job, but other CI
jobs are still using 1.3.0.

Bump it everywhere so we can enjoy new version features and fixes.

For one thing, I noticed that new bats is reporting error location
correctly.

We will also be able to use "run !" and "run -N" commands.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-04-05 15:22:23 -07:00
Sebastiaan van Stijn 5726682966 Merge pull request #3813 from opencontainers/dependabot/go_modules/golang.org/x/sys-0.7.0
build(deps): bump golang.org/x/sys from 0.6.0 to 0.7.0
2023-04-05 21:01:27 +02:00
dependabot[bot] a6e95c53f4 build(deps): bump golang.org/x/sys from 0.6.0 to 0.7.0
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.6.0 to 0.7.0.
- [Release notes](https://github.com/golang/sys/releases)
- [Commits](https://github.com/golang/sys/compare/v0.6.0...v0.7.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-04-05 04:59:43 +00:00
Akihiro Suda 67b542bb4e Merge pull request #3810 from kolyshkin/rm-get-init-cgroup-path
libct/cg: rm GetInitCgroup[Path]
2023-04-05 10:59:37 +09:00
Akihiro Suda 1b4cf1d2ae Merge pull request #3809 from opencontainers/dependabot/github_actions/lumaxis/shellcheck-problem-matchers-2
build(deps): bump lumaxis/shellcheck-problem-matchers from 1 to 2
2023-04-05 03:26:36 +09:00
Akihiro Suda 0cab3b3dda Merge pull request #3779 from fish98/main
tests: Fix fuzzer location in oss-fuzz config
2023-04-05 03:26:04 +09:00
Kir Kolyshkin fd5debf3aa libct/cg: rm GetInitCgroup[Path]
These functions were added in ancient times, facilitating the
docker-in-docker case when cgroup namespace was not available.

As pointed out in commit 2b28b3c276, using init 1 cgroup is not
correct because it won't work in case of host PID namespace.

The last user of GetInitCgroup was removed by commit
54e20217a8. GetInitCgroupPath was never used
as far as I can see, nor was I able to find any external users.

Remove both functions. Modify the comment in libct/cg/fs.subsysPath
to not refer to GetInitCgroupPath.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-04-04 11:19:25 -07:00
dependabot[bot] 1034cfa826 build(deps): bump lumaxis/shellcheck-problem-matchers from 1 to 2
Bumps [lumaxis/shellcheck-problem-matchers](https://github.com/lumaxis/shellcheck-problem-matchers) from 1 to 2.
- [Release notes](https://github.com/lumaxis/shellcheck-problem-matchers/releases)
- [Commits](https://github.com/lumaxis/shellcheck-problem-matchers/compare/v1...v2)

---
updated-dependencies:
- dependency-name: lumaxis/shellcheck-problem-matchers
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-04-04 17:44:14 +00:00
Kir Kolyshkin cc60a390ad Merge pull request #3784 from haircommander/root-cgroup-no-init
libctr/cgroups: don't take init's cgroup into account
2023-04-04 09:34:26 -07:00
Mrunal Patel 7ba53a1526 Merge pull request #3788 from kolyshkin/systemd-cpu-idle
cg/sd: support CPUWeight=idle (aka cpu.idle=1)
2023-04-04 08:07:34 -07:00
Kir Kolyshkin ed9651bc71 libct/cg/sd: support setting cpu.idle via systemd
Systemd v252 (available in CentOS Stream 9 in our CI) added support
for setting cpu.idle (see [1]). The way it works is:
 - if CPUWeight == 0, cpu.idle is set to 1;
 - if CPUWeight != 0, cpu.idle is set to 0.

This commit implements setting cpu.idle in systemd cgroup driver via a
unit property. In case CPUIdle is set to non-zero value, the driver sets
adds CPUWeight=0 property, which will result in systemd setting cpu.idle
to 1.

Unfortunately, there's no way to set cpu.idle to 0 without also changing
the CPUWeight value, so the driver doesn't do anything if CPUIdle is
explicitly set to 0. This case is handled by the fs driver which is
always used as a followup to setting systemd unit properties.

Also, handle cpu.idle set via unified map. In case it is set to non-zero
value, add CPUWeight=0 property, and ignore cpu.weight (otherwise we'll
get two different CPUWeight properties set).

Add a unit test for new values in unified map, and an integration test case.

[1] https://github.com/systemd/systemd/pull/23299
[2] https://github.com/opencontainers/runc/issues/3786

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-04-03 18:25:07 -07:00
Kir Kolyshkin b5ecad7ba3 tests/int/update: test bad cpu.idle values
Values other than 1 or 0 are ignored by the kernel,
see sched_group_set_idle() in kernel/sched/fair.c

If the added test case ever fails, it means that the kernel now accepts
values other than 0 or 1, and runc needs to adopt to that.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-04-03 18:25:07 -07:00
Kir Kolyshkin 3ffbd4c85a tests/int: fix update cpu.idle failure on CS9
Systemd v252 (available in CentOS Stream 9 in our CI) added support
for setting cpu.idle (see [1]). The way it works is:
 - if CPUWeight == 0, cpu.idle is set to 1;
 - if CPUWeight != 0, cpu.idle is set to 0.

This behavior breaks the existing test case, as described in [2].

To fix, skip the last check in the test case in case a newer systemd
is used.

Fixes: #3786

[1] https://github.com/systemd/systemd/pull/23299
[2] https://github.com/opencontainers/runc/issues/3786

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-04-03 18:25:07 -07:00
Kir Kolyshkin 509b312cfb libct/cg/sd/v2: unifiedResToSystemdProps nit
In code that checks that the resource name is in the for
Using strings.SplitN is an overkill in this case, resulting in
allocations and thus garbage to collect.

Using strings.IndexByte and checking that result is not less than 1
(meaning there is a period, and it is not the first character) is
sufficient here.

Fixes: 0cb8bf67a3
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-04-03 18:24:47 -07:00
Kir Kolyshkin 9f2451346e Merge pull request #3782 from kolyshkin/fix-sd-start
Fix systemd cgroup driver's Apply
2023-04-03 11:27:17 -07:00
Akihiro Suda 17922e3612 Merge pull request #3800 from kolyshkin/fp-ch
CHANGELOG: forward-port 1.1.4 and 1.1.5 changes
2023-04-03 18:12:10 +09:00
Kir Kolyshkin ba618705f8 Merge pull request #3797 from kolyshkin/enter-pid
libct/cg: rm EnterPid
2023-03-31 13:01:39 -07:00
Kir Kolyshkin 82bc89cd10 runc run: refuse a non-empty cgroup
Commit d08bc0c1b3 ("runc run: warn on non-empty cgroup") introduced
a warning when a container is started in a non-empty cgroup. Such
configuration has lots of issues.

In addition to that, such configuration is not possible at all when
using the systemd cgroup driver.

As planned, let's promote this warning to an error, and fix the test
case accordingly.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-03-30 19:55:39 -07:00
Kir Kolyshkin 1d18743f9e libct/cg/sd: reset-failed and retry startUnit on UnitExists
In case a systemd unit fails (for example, timed out or OOM-killed),
systemd keeps the unit. This prevents starting a new container with
the same systemd unit name.

The fix is to call reset-failed in case UnitExists error is returned,
and retry once.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-03-30 19:55:39 -07:00
Kir Kolyshkin c253342061 libct/cg/sd: ignore UnitExists only for Apply(-1)
Commit d223e2adae ("Ignore error when starting transient unit
that already exists" modified the code handling errors from startUnit
to ignore UnitExists error.

Apparently it was done so that kubelet can create the same pod slice
over and over without hitting an error (see [1]).

While it works for a pod slice to ensure it exists, it is a gross bug
to ignore UnitExists when creating a container. In this case, the
container init PID won't be added to the systemd unit (and to the
required cgroup), and as a result the container will successfully
run in a current user cgroup, without any cgroup limits applied.

So, fix the code to only ignore UnitExists if we're not adding a process
to the systemd unit. This way, kubelet will keep working as is, but
runc will refuse to create containers which are not placed into a
requested cgroup.

[1] https://github.com/opencontainers/runc/pull/1124

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-03-30 19:55:39 -07:00
Kir Kolyshkin c6e8cb7926 libct/cg/sd: refactor startUnit
Move error handling earlier, removing "if err == nil" block.

No change of logic.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-03-30 19:55:39 -07:00
Kir Kolyshkin 9f32ce6a2d CHANGELOG: forward-port 1.1.4 and 1.1.5 changes
...from the tip of release-1.1 branch (commit 060a61c69d).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-03-30 19:46:53 -07:00
Kir Kolyshkin 73acc77be5 libct/cg: rm EnterPid
Since commit 39914db679 this function is not used by runc (see
that commit to learn why this function is not that good).

I was not able to find any external users either.

Since it's not a good function, with no users, and it is rather trivial,
let's remove it right away (rather than mark as deprecated).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-03-31 13:33:00 +11:00
Kir Kolyshkin 4ff4904603 Makefile: add verify-changelog as release dependency
... as a way to maybe catch some CHANGELOG.md bugs at the last moment.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 54cfb25d69)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-03-30 19:11:31 -07:00
Kir Kolyshkin b2fc0a589c verify-changelog: allow non-ASCII
Previously (see commit 91fa032da4) we found a few issues
using this check, but apparently the CHANGELOG.md is in UTF-8, and
the recently added quote is breaking this, so remove.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 7b3ac330f7)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-03-30 19:11:11 -07:00
Kir Kolyshkin 8edf478e34 Merge pull request #3798 from kolyshkin/fix-mount-test
Fix mount test
2023-03-30 18:32:27 -07:00
Kir Kolyshkin 370e3be202 tests/int/mounts: only check non-shadowed mounts
This fixes a bogus failure in "ro cgroup" test cases when running as
rootless.

The test finds the following mount that is not read-only:

> cgroup2 /sys/fs/cgroup/unified cgroup2 rw,nosuid,nodev,noexec,relatime,nsdelegate 0 0

This happens because:

1. runc spec --rootless adds an rbind /sys mounts, so we have all the
   /sys/fs/cgroup/XXX mounts inside the container;

2. Those /sys/fs/cgroup/XXX mounts are shadowed by the /sys/fs/cgroup
   tmpfs mount created by mountCgroupV1().

This means that this mount is shadowed, inaccessible, and it can not be
unshadowed, thus it should not be checked.

The fix is to check whether the directory exists, to exclude such
shadowed mounts.

NOTE that item 2 comes from commit ff692f289b60e19b3079cb; before it, we
had the whole hierarchy of host /sys/fs/cgroup visible (though not
writable -- because rootless) from inside of any rootless container.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-03-30 14:45:14 -07:00
Kir Kolyshkin a37109ce02 tests/int/mount: fix issues with ro cgroup test
Fix the following issues with the "ro /sys/fs/cgroup" test:

1. Disable bogus SC2016 warning from shellcheck.

2. Split the test into two -- with and without cgroupns. This is done
   because not all systems have cgroupns available (so the "+cgroupns"
   test will be skipped).

3. This splitting resulted in a few more bogus shellcheck warnings that
   we have to suppress -- due to a known bug in shellcheck (see [1]).

4. s/mount/mounts/ in the test name, because in case of cgroup v1 there
   are multiple mounts.

[1] https://github.com/koalaman/shellcheck/issues/2431

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-03-30 14:44:03 -07:00
Qiang Huang 0d62b950e6 Merge pull request from GHSA-m8cg-xc2p-r3fc
rootless: fix /sys/fs/cgroup mounts
2023-03-29 14:18:15 +08:00
Akihiro Suda 7f3f4bee8a Merge pull request #3753 from kolyshkin/user-exec
Fix runc run "permission denied" when rootless
2023-03-29 00:39:12 +09:00
Akihiro Suda 2b221a6ab7 Merge pull request #3787 from kolyshkin/rec-fixup
mountToRootfs: minor refactor
2023-03-28 12:53:38 +09:00
Kir Kolyshkin 8293ef2e74 tests/int: test for CAP_DAC_OVERRIDE
This is a test case for issue reported as #3715. In short, even if a
(non-root) user that the container is run as does not have execute
permission bit set for the executable, it should still work in case runc
has the CAP_DAC_OVERRIDE capability set.

Note that since the upstream golang is also broken (see [1]), this test
will fail for Go 1.20 and 1.20.1 (fix is in Go 1.20.2 as per [2]).

[1] https://go.dev/issue/58552
[2] https://go-review.googlesource.com/c/go/+/469956

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-03-27 15:16:15 -07:00
Kir Kolyshkin 8491d33482 Fix runc run "permission denied" when rootless
Since commit 957d97bcf4 was made to fix issue [7],
a few things happened:

- a similar functionality appeared in go 1.20 [1], so the issue
  mentioned in the comment (being removed) is no longer true;
- a bug in runc was found [2], which also affects go [3];
- the bug was fixed in go 1.21 [4] and 1.20.2 [5];
- a similar fix was made to x/sys/unix.Faccessat [6].

The essense of [2] is, even if a (non-root) user that the container is
run as does not have execute permission bit set for the executable, it
should still work in case runc has the CAP_DAC_OVERRIDE capability set.

To fix this [2] without reintroducing the older bug [7]:
- drop own Eaccess implementation;
- use the one from x/sys/unix for Go 1.19 (depends on [6]);
- do not use anything when Go 1.20+ is used.

NOTE it is virtually impossible to fix the bug [2] when Go 1.20 or Go
1.20.1 is used because of [3].

A test case is added by a separate commit.

Fixes: #3715.

[1] https://go-review.googlesource.com/c/go/+/414824
[2] https://github.com/opencontainers/runc/issues/3715
[3] https://go.dev/issue/58552
[4] https://go-review.googlesource.com/c/go/+/468735
[5] https://go-review.googlesource.com/c/go/+/469956
[6] https://go-review.googlesource.com/c/sys/+/468877
[7] https://github.com/opencontainers/runc/issues/3520

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-03-27 15:15:48 -07:00
Kir Kolyshkin 99a337f66d Dockefile: bump go go 1.20
Go 1.20.2 has an important fix to an issue described in [1].

Switch from using Go 1.19 from Dockerfile, which is used for release
binaries and some CI.

[1] https://github.com/golang/go/issues/58624

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-03-27 15:13:43 -07:00
Kir Kolyshkin 3e3db2883b Merge pull request #3778 from kolyshkin/skip-flaky-ce7
libct/cg/dev: skip flaky test of CentOS 7
2023-03-27 13:39:36 -07:00
Kir Kolyshkin da98076c97 mountToRootfs: minor refactor
The setRecAttr is only called for "bind" case, as cases end with a
return statement. Indeed, recursive mount attributes only make sense for
bind mounts.

Move the code to under case "bind" to improve readability. No change in
logic.

Fixes: 382eba4354
Reported-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-03-27 12:47:05 -07:00
Peter Hunt~ 54e20217a8 libctr/cgroups: don't take init's cgroup into account
Sometimes, the init process is not in the root cgroup.
This can be noted by GetInitPath, which already scrubs the path of `init.scope`.

This was encountered when trying to patch the Kubelet to handle systemd being in a separate cpuset
from root (to allow load balance disabling for containers). At present, there's no way to have libcontainer or runc
manage cgroups in a hierarchy outside of the one init is in (unless the path contains `init.scope`, which is limiting)

Signed-off-by: Peter Hunt <pehunt@redhat.com>
2023-03-27 13:16:46 -04:00
Akihiro Suda da5047c5d8 Merge pull request #3781 from yanggangtony/fix-typo
fix wrong notes for `const MaxNameLen`
2023-03-26 07:02:40 +09:00
Akihiro Suda 948ef27c7a Merge pull request #3773 from kolyshkin/no-symlinks
Prohibit /proc and /sys to be symlinks
2023-03-25 22:58:27 +09:00
Kir Kolyshkin a7a836effa libct/cg/dev: skip flaky test of CentOS 7
There is some kind of a race in CentOS 7 which sometimes result in one
of these tests failing like this:

    systemd_test.go:136: mkdir /sys/fs/cgroup/hugetlb/system.slice/system-runc_test_pods.slice: no such file or directory

or

    systemd_test.go:187: open /sys/fs/cgroup/cpuset/system.slice/system-runc_test_pods.slice/cpuset.mems: no such file or directory

As this is only happening on CentOS 7, let's skip this test on this
platform.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-03-22 20:01:39 -07:00
yanggang 65df6b91b9 fix wrong notes for const MaxNameLen
Signed-off-by: yanggang <gang.yang@daocloud.io>
2023-03-23 10:31:15 +08:00
TTFISH 9d45ae8d34 tests: Fix fuzzer location in oss-fuzz config
Signed-off-by: TTFISH <jiongchiyu@gmail.com>
2023-03-23 03:21:17 +08:00
Akihiro Suda efad7a3b80 Merge pull request #3735 from kolyshkin/int-fix-flake
libct/int: make TestFdLeaks more robust
2023-03-21 06:15:43 +09:00
Kir Kolyshkin e67dc399ba Merge pull request #3739 from AkihiroSuda/fix-acl
specconv: avoid mapping "acl" to MS_POSIXACL
2023-03-20 14:15:15 -07:00
Akihiro Suda f08b4a9c43 Merge pull request #3775 from opencontainers/dependabot/go_modules/google.golang.org/protobuf-1.30.0
build(deps): bump google.golang.org/protobuf from 1.29.1 to 1.30.0
2023-03-18 19:15:44 +09:00
Kir Kolyshkin 0d72adf96d Prohibit /proc and /sys to be symlinks
Commit 3291d66b98 introduced a check for /proc and /sys, making sure
the destination (dest) is a directory (and not e.g. a symlink).

Later, a hunk from commit 0ca91f44f switched from using filepath.Join
to SecureJoin for dest. As SecureJoin follows and resolves symlinks,
the check whether dest is a symlink no longer works.

To fix, do the check without/before using SecureJoin.

Add integration tests to make sure we won't regress.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-03-17 11:03:44 -07:00
Kir Kolyshkin c6624e66b2 Merge pull request #3772 from kolyshkin/retry-unshare
nsexec: retry unshare on EINVAL
2023-03-17 09:54:14 -07:00
dependabot[bot] 8f0d0c4dc8 build(deps): bump google.golang.org/protobuf from 1.29.1 to 1.30.0
Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go) from 1.29.1 to 1.30.0.
- [Release notes](https://github.com/protocolbuffers/protobuf-go/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash)
- [Commits](https://github.com/protocolbuffers/protobuf-go/compare/v1.29.1...v1.30.0)

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-17 05:00:52 +00:00
Kir Kolyshkin cecb039d24 nsexec: retry unshare on EINVAL
Older kernels may return EINVAL on unshare when a process is reading
runc's /proc/$PID/status or /proc/$PID/maps. This was fixed by kernel
commit 12c641ab8270f ("unshare: Unsharing a thread does not require
unsharing a vm") in Linuxt  v4.3.

For CentOS 7, the fix was backported to CentOS 7.7 (kernel 3.10.0-1062).

To work around this kernel bug, let's retry on EINVAL a few times.

Reported-by: zzyyzte <zhang.yu58@zte.com.cn>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-03-16 10:45:02 -07:00
Kir Kolyshkin 206008ab9c Merge pull request #3767 from AkihiroSuda/fix-issue-template-config
.github/ISSUE_TEMPLATE/config.yml: fix contact links
2023-03-16 10:41:23 -07:00
Kir Kolyshkin 784f583884 Merge pull request #3771 from opencontainers/dependabot/github_actions/actions/setup-go-4
build(deps): bump actions/setup-go from 3 to 4
2023-03-16 10:35:09 -07:00
dependabot[bot] e3cf217cf1 build(deps): bump actions/setup-go from 3 to 4
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 3 to 4.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-16 05:11:04 +00:00
Akihiro Suda b3a68fe77b Merge pull request #3769 from opencontainers/dependabot/go_modules/google.golang.org/protobuf-1.29.1
build(deps): bump google.golang.org/protobuf from 1.29.0 to 1.29.1
2023-03-16 09:40:59 +09:00
dependabot[bot] a7046b8387 build(deps): bump google.golang.org/protobuf from 1.29.0 to 1.29.1
Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go) from 1.29.0 to 1.29.1.
- [Release notes](https://github.com/protocolbuffers/protobuf-go/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash)
- [Commits](https://github.com/protocolbuffers/protobuf-go/compare/v1.29.0...v1.29.1)

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-15 05:10:21 +00:00
Akihiro Suda df4eae457b rootless: fix /sys/fs/cgroup mounts
It was found that rootless runc makes `/sys/fs/cgroup` writable in following conditons:

1. when runc is executed inside the user namespace, and the config.json does not specify the cgroup namespace to be unshared
   (e.g.., `(docker|podman|nerdctl) run --cgroupns=host`, with Rootless Docker/Podman/nerdctl)
2. or, when runc is executed outside the user namespace, and `/sys` is mounted with `rbind, ro`
   (e.g., `runc spec --rootless`; this condition is very rare)

A container may gain the write access to user-owned cgroup hierarchy `/sys/fs/cgroup/user.slice/...` on the host.
Other users's cgroup hierarchies are not affected.

To fix the issue, this commit does:
1. Remount `/sys/fs/cgroup` to apply `MS_RDONLY` when it is being bind-mounted
2. Mask `/sys/fs/cgroup` when the bind source is unavailable

Fix CVE-2023-25809 (GHSA-m8cg-xc2p-r3fc)

Co-authored-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2023-03-14 14:16:25 +09:00
Akihiro Suda afeffb7ea8 .github/ISSUE_TEMPLATE/config.yml: fix contact links
`contact_links` without `about` properties are not shown in
https://github.com/opencontainers/runc/issues/new/choose

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2023-03-10 09:45:41 +09:00
Akihiro Suda d5be3e2605 Merge pull request #3766 from AkihiroSuda/issue-template
Add `.github/ISSUE_TEMPLATE/config.yml`
2023-03-10 09:36:44 +09:00
Kir Kolyshkin 4ec7b90489 Merge pull request #3764 from opencontainers/dependabot/go_modules/google.golang.org/protobuf-1.29.0
build(deps): bump google.golang.org/protobuf from 1.28.1 to 1.29.0
2023-03-09 14:46:39 -08:00
Akihiro Suda 7d940bdf99 Add .github/ISSUE_TEMPLATE/config.yml
After merging this PR, the "Report a security vulnerability" button
will appear in "New issue" screen.

Demo: https://github.com/containerd/nerdctl/issues

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2023-03-10 00:03:41 +09:00
dependabot[bot] 6b41f8ed26 build(deps): bump google.golang.org/protobuf from 1.28.1 to 1.29.0
Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go) from 1.28.1 to 1.29.0.
- [Release notes](https://github.com/protocolbuffers/protobuf-go/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash)
- [Commits](https://github.com/protocolbuffers/protobuf-go/compare/v1.28.1...v1.29.0)

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-09 04:59:44 +00:00
Kir Kolyshkin 6d0261c1ac Merge pull request #3757 from opencontainers/dependabot/go_modules/golang.org/x/net-0.8.0
build(deps): bump golang.org/x/net from 0.7.0 to 0.8.0
2023-03-07 11:00:03 -08:00
dependabot[bot] 6faef164f5 build(deps): bump golang.org/x/net from 0.7.0 to 0.8.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.7.0 to 0.8.0.
- [Release notes](https://github.com/golang/net/releases)
- [Commits](https://github.com/golang/net/compare/v0.7.0...v0.8.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-06 05:03:16 +00:00
Kir Kolyshkin 69225fa919 Merge pull request #3724 from kinvolk/rata/nsexec-fixes
nsexec: Remove bogus kill to stage_2_pid
2023-03-01 15:50:00 -08:00
Kir Kolyshkin 58c192a1be Merge pull request #3661 from Wang-squirrel/dev1
Add support for umask when exec container
2023-02-27 19:33:03 -08:00
Wang-squirrel 7b4c3fc111 Add support for umask when exec container
Signed-off-by: WangXiaoSong <wang.xiaosong1@zte.com.cn>
2023-02-23 10:04:47 +08:00
Kir Kolyshkin f2e71b085d libct/int: make TestFdLeaks more robust
The purpose of this test is to check that there are no extra file
descriptors left open after repeated calls to runContainer. In fact,
the first call to runContainer leaves a few file descriptors opened,
and this is by design.

Previously, this test relied on two things:
1. some other tests were run before it (and thus all such opened-once
   file descriptors are already opened);
2.  explicitly excluding fd opened to /sys/fs/cgroup.

Now, if we run this test separately, it will fail (because of 1 above).
The same may happen if the tests are run in a random order.

To fix this, add a container run before collection the initial fd list,
so those fds that are opened once are included and won't be reported.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-02-22 02:58:47 -08:00
Kir Kolyshkin be7e03940f libct/int: wording nits
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-02-22 02:58:47 -08:00
Kir Kolyshkin 7c75e84e22 libc/int: add/use runContainerOk wrapper
This is to de-duplicate the code that checks that err is nil
and that the exit code is zero.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-02-22 02:58:47 -08:00
Kir Kolyshkin 5a0642d6fd Merge pull request #3728 from AITsygunka/3727-bug-fix
Fix runc crushes when parsing invalid JSON specification file
2023-02-22 02:57:20 -08:00
Akihiro Suda 71f8b2af5c Merge pull request #3734 from kinvolk/rata/nsexec-add-debug-log
nsexec: Add debug logs to send mount sources
2023-02-22 13:19:06 +09:00
Akihiro Suda 7d4fde26f8 Merge pull request #3716 from AkihiroSuda/spec-v1.1.0-rc.1
go:mod: runtime-spec v1.1.0-rc.1; add docs/spec-conformance.md
2023-02-22 09:23:41 +09:00
Andrey Tsygunka 97ea1255ed Fix runc crushes when parsing invalid JSON
Signed-off-by: Andrey Tsygunka <dreamsider@mail.ru>
2023-02-16 15:45:19 +03:00
Kir Kolyshkin 537645fd52 Merge pull request #3747 from opencontainers/dependabot/go_modules/golang.org/x/net-0.7.0
build(deps): bump golang.org/x/net from 0.6.0 to 0.7.0
2023-02-15 17:31:13 -08:00
dependabot[bot] b3b0bde69b build(deps): bump golang.org/x/net from 0.6.0 to 0.7.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.6.0 to 0.7.0.
- [Release notes](https://github.com/golang/net/releases)
- [Commits](https://github.com/golang/net/compare/v0.6.0...v0.7.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-02-15 04:59:08 +00:00
Akihiro Suda 4e3699c74c Merge pull request #3746 from crazy-max/fix-static-pie
Makefile: fix typo in LDFLAGS_STATIC
2023-02-15 11:35:09 +09:00
CrazyMax 2e44a20280 Makefile: fix typo in LDFLAGS_STATIC
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2023-02-14 21:27:26 +01:00
Kir Kolyshkin b199fb2e3f Merge pull request #3573 from chuanchang/add_tests_for_capabilities
tests: add tests for capabilities
2023-02-13 17:49:54 -08:00
Akihiro Suda 514ea70993 Merge pull request #3740 from kinvolk/rata/fix-basename-test
tests: Fix weird error on centos-9
2023-02-11 22:52:10 +09:00
Akihiro Suda 92a4ccb84e specconv: avoid mapping "acl" to MS_POSIXACL
From https://github.com/torvalds/linux/commit/caaef1ba8c9ee7a54b53dd8bf4bb7e8658185583 :

> In fact SB_POSIXACL is an internal flag, and accepting MS_POSIXACL on
> the mount(2) interface is possibly a bug.

Fix issue 3738

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2023-02-11 22:50:41 +09:00
Rodrigo Campos 2adeb6f952 nsexec: Remove bogus kill to stage_2_pid
stage_2_pid is not yet assigned, so this kills the PID -1, but as
the sane_kill() wrapper is just a nop in that case. Just remove these
calls to kill stage_2_pid before it is cloned/assigned.

I've checked by executing the error paths that no binary is left by mistake.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2023-02-10 16:07:51 +01:00
Rodrigo Campos 4d0a60ca7f tests: Fix weird error on centos-9
centos-9 unit test sometimes fails with:

	=== RUN   TestPodSkipDevicesUpdate
	    systemd_test.go:114: container stderr not empty: basename: missing operand
	        Try 'basename --help' for more information.
	--- FAIL: TestPodSkipDevicesUpdate (0.11s)

I'm not sure why the container output is an error in basename. It seems
likely that the bashrc in that distro is kind of broken. Let's just run
a sleep command and forget about bash.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2023-02-10 14:49:56 +01:00
Rodrigo Campos 2ca3d230e2 nsexec: Add debug logs to send mount sources
I was adding it to new code I was writing, and for completeness I added
to this case too.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2023-02-10 08:25:08 -03:00
Akihiro Suda e412b4e88c docs: add docs/spec-conformance.md
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2023-02-10 12:10:18 +09:00
Akihiro Suda 787fcf09e7 go.mod: github.com/opencontainers/runtime-spec v1.1.0-rc.1
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2023-02-10 12:10:14 +09:00
Kir Kolyshkin 5c2a1a0191 Merge pull request #3733 from opencontainers/dependabot/go_modules/golang.org/x/net-0.6.0
build(deps): bump golang.org/x/net from 0.5.0 to 0.6.0
2023-02-09 18:05:27 -08:00
Kir Kolyshkin aa21df97d0 Merge pull request #3732 from opencontainers/dependabot/go_modules/github.com/opencontainers/selinux-1.11.0
build(deps): bump github.com/opencontainers/selinux from 1.10.2 to 1.11.0
2023-02-09 18:03:54 -08:00
Alex Jia fbfc6afe30 tests: add tests for capabilities
Signed-off-by: Alex Jia <ajia@redhat.com>
2023-02-09 16:36:08 -08:00
dependabot[bot] bc8d6e3b1f build(deps): bump github.com/opencontainers/selinux
Bumps [github.com/opencontainers/selinux](https://github.com/opencontainers/selinux) from 1.10.2 to 1.11.0.
- [Release notes](https://github.com/opencontainers/selinux/releases)
- [Commits](https://github.com/opencontainers/selinux/compare/v1.10.2...v1.11.0)

---
updated-dependencies:
- dependency-name: github.com/opencontainers/selinux
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-02-10 00:34:56 +00:00
dependabot[bot] 0e1346fe6d build(deps): bump golang.org/x/net from 0.5.0 to 0.6.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.5.0 to 0.6.0.
- [Release notes](https://github.com/golang/net/releases)
- [Commits](https://github.com/golang/net/compare/v0.5.0...v0.6.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-02-09 16:55:01 +00:00
Sebastiaan van Stijn ca398783c0 Merge pull request #3730 from kolyshkin/fix-build
Dockerfile: fix build wrt new git
2023-02-09 17:21:27 +01:00
Kir Kolyshkin 42dffaaa4e Dockerfile: fix build wrt new git
With the updated git in golang:1.19-bullseye image, building fails with:

	make -C /go/src/github.com/opencontainers/runc PKG_CONFIG_PATH=/opt/libseccomp/lib/pkgconfig COMMIT_NO= EXTRA_FLAGS=-a 'EXTRA_LDFLAGS=-w -s -buildid=' static
	make[1]: Entering directory '/go/src/github.com/opencontainers/runc'
	fatal: detected dubious ownership in repository at '/go/src/github.com/opencontainers/runc'
	To add an exception for this directory, call:
		git config --global --add safe.directory /go/src/github.com/opencontainers/runc
	go build -trimpath -buildmode=pie -a -tags "seccomp urfave_cli_no_docs netgo osusergo" -ldflags "-X main.gitCommit= -X main.version=1.1.0+dev -linkmode external -extldflags --static-pie -w -s -buildid=" -o runc .
	error obtaining VCS status: exit status 128
		Use -buildvcs=false to disable VCS stamping.

This commit should fix it.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-02-08 19:41:46 -08:00
Kir Kolyshkin 99968fc087 Merge pull request #3718 from austinvazquez/upgrade-go-compiler
Add Go 1.20, require Go 1.19, drop Go 1.18
2023-02-08 18:04:35 -08:00
Akihiro Suda dee9f5fc5d Merge pull request #3725 from opencontainers/dependabot/go_modules/golang.org/x/sys-0.5.0
build(deps): bump golang.org/x/sys from 0.4.0 to 0.5.0
2023-02-08 11:56:36 +09:00
Sebastiaan van Stijn f8e2629e19 Merge pull request #3707 from Dzejrou/main
libcontainer: skip chown of /dev/null caused by fd redirection
2023-02-08 00:21:31 +01:00
Sebastiaan van Stijn 70df83fa5d Merge pull request #3719 from kolyshkin/no-clang-format
Disable clang-format
2023-02-07 15:50:35 +01:00
dependabot[bot] 14e3ce9edb build(deps): bump golang.org/x/sys from 0.4.0 to 0.5.0
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.4.0 to 0.5.0.
- [Release notes](https://github.com/golang/sys/releases)
- [Commits](https://github.com/golang/sys/compare/v0.4.0...v0.5.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-02-07 04:03:31 +00:00
Sebastiaan van Stijn df47453562 Merge pull request #3460 from kolyshkin/no-regexp
Do not use regexp
2023-02-06 15:35:29 +01:00
Kir Kolyshkin 1bb6209aa1 tests/int: test for /dev/null owner regression
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-02-03 01:24:45 +01:00
Jaroslav Jindrak 7e5e017dba libcontainer: skip chown of /dev/null caused by fd redirection
In 18c4760a (libct: fixStdioPermissions: skip chown if not needed)
the check whether the STDIO file descriptors point to /dev/null was
removed which can cause /dev/null to change ownership e.g. when using
docker exec on a running container:

$ ls -l /dev/null
crw-rw-rw- 1 root root 1, 3 Aug 1 14:12 /dev/null
$ docker exec -u test 0ad6d3064e9d ls
$ ls -l /dev/null
crw-rw-rw- 1 test root 1, 3 Aug 1 14:12 /dev/null

Signed-off-by: Jaroslav Jindrak <dzejrou@gmail.com>
2023-02-03 01:24:02 +01:00
Austin Vazquez 5ecd40b9bd Add Go 1.20, require Go 1.19, drop Go 1.18
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
2023-02-02 19:56:26 +00:00
Kir Kolyshkin 81ca678f81 Disable clang-format
For the sake of developers who have LSP configured to auto-format the
code upon save (that would me with my new nvim setup), let's not
autoformat the C code when using clangd.

Initially I tried to write a set of rules for clang-format which is
identical to what we use (indent with a handful of options invoked
from cfmt target in Makefile), but it appears to be impossible.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-02-02 10:42:30 -08:00
Kir Kolyshkin 32d741358f Merge pull request #3377 from wineway/main
libct/cg: support SCHED_IDLE for runc cgroupfs
2023-01-31 19:19:03 -08:00
wineway 81c379fa8b support SCHED_IDLE for runc cgroupfs
Signed-off-by: wineway <wangyuweihx@gmail.com>
2023-01-31 15:19:05 +08:00
Akihiro Suda 8c5d3f09e3 Merge pull request #3712 from kinvolk/rata/nsexec-fixes
nsexec: Check for errors in write_log()
2023-01-31 09:45:55 +09:00
Rodrigo Campos 5ce511d6a6 nsexec: Check for errors in write_log()
First, check if strdup() fails and error out.

While we are there, the else case was missing brackets, as we only need
to check ret in the else case. Fix that too

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2023-01-27 18:40:08 +01:00
Mrunal Patel 01479215a9 Merge pull request #3546 from kolyshkin/criu-add-ignore-cgroup
checkpoint/restore: implement --manage-cgroups-mode ignore
2023-01-26 16:38:54 -08:00
Akihiro Suda a1c51c5698 Merge pull request #3701 from tianon/pin-busybox-debian
Explicitly pin busybox and debian downloads
2023-01-25 12:01:04 +09:00
Kir Kolyshkin 3fbc5ba7ca ci: add tests/int/get-images.sh check
This is to check that tests/integration/get-images.sh is in sync
with tests/integration/bootstrap-get-images.sh.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2023-01-24 16:43:12 -08:00
Tianon Gravi 6d28928c87 Explicitly pin busybox and debian downloads
Signed-off-by: Tianon Gravi <admwiggin@gmail.com>
2023-01-24 16:42:50 -08:00
Kir Kolyshkin 947a616b3e Merge pull request #3703 from opencontainers/dependabot/go_modules/github.com/cilium/ebpf-0.10.0
build(deps): bump github.com/cilium/ebpf from 0.9.3 to 0.10.0
2023-01-23 14:50:37 -08:00
Akihiro Suda a2f27f05e8 Merge pull request #3588 from kolyshkin/seccomp-flags-rework
seccomp: refactor flags support; add flags to features, set SPEC_ALLOW by default
2023-01-20 21:24:38 +09:00
Akihiro Suda ba994dce04 Merge pull request #3697 from egernst/fixup-configs
libcontainer: configs: ensure can build on darwin
2023-01-19 09:07:02 +09:00
Eric Ernst e29e57b5fc libcontainer: configs: ensure can build on darwin
configs package can no longer be built on non-Linux OS, such as Darwin.

When running `GOOS=darwin go build` on the packge, we had the following
errors:
```
./configs/mount.go:34:16: undefined: unix.MountAttr
./configs/mount.go:47:22: undefined: unix.MS_BIND
```

Let's ensure that the linux specific bits are handled in mount_linux.go,
and introduce a _unsupported file, similar to how cgroups file is
handled within the package. This'll facilitate utilization of the pkg
for other projects that care about Darwin.

Signed-off-by: Eric Ernst <eric_ernst@apple.com>
2023-01-17 15:57:08 -08:00
dependabot[bot] cc63d074e6 build(deps): bump github.com/cilium/ebpf from 0.9.3 to 0.10.0
Bumps [github.com/cilium/ebpf](https://github.com/cilium/ebpf) from 0.9.3 to 0.10.0.
- [Release notes](https://github.com/cilium/ebpf/releases)
- [Commits](https://github.com/cilium/ebpf/compare/v0.9.3...v0.10.0)

---
updated-dependencies:
- dependency-name: github.com/cilium/ebpf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-01-17 23:24:59 +00:00
Kir Kolyshkin 3c12cbda39 Merge pull request #3700 from AkihiroSuda/fix-3699
tests/integration/get-images.sh: fix busybox.tar.xz URL
2023-01-17 15:19:37 -08:00
Akihiro Suda 6676f9807f tests/integration/get-images.sh: fix busybox.tar.xz URL
Fix issue 3699

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2023-01-12 08:54:02 +09:00
Akihiro Suda da548c1c1b Merge pull request #3693 from opencontainers/dependabot/go_modules/golang.org/x/net-0.5.0
build(deps): bump golang.org/x/net from 0.4.0 to 0.5.0
2023-01-11 03:17:19 +09:00
dependabot[bot] eacada7630 build(deps): bump golang.org/x/net from 0.4.0 to 0.5.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.4.0 to 0.5.0.
- [Release notes](https://github.com/golang/net/releases)
- [Commits](https://github.com/golang/net/compare/v0.4.0...v0.5.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-01-05 04:08:48 +00:00
Akihiro Suda dfd1aefd1d Merge pull request #3660 from yzxiu/fix-example
fix libcontainer example
2022-12-24 15:57:31 +09:00
Qiang Huang 7c143086cd Merge pull request #3542 from kolyshkin/ci-fix-vs-azsec
ci: fix delete.bats for GHA
2022-12-16 11:23:51 +08:00
Kir Kolyshkin 0ac98807c3 libct/cg/sd: stop using regex, fix systemdVersionAtoi
Rewrite systemdVersionAtoi to not use regexp, and fix two issues:

1. It was returning 0 (rather than -1) for some errors.

2. The comment was saying that the input string is without quotes,
   while in fact it is.

Note the new function, similar to the old one, works on input either
with or without quotes. Amend the test to add test cases without quotes.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-12-15 18:51:13 -08:00
Kir Kolyshkin b44da4c05f libct: validateID: stop using regexp
Replace a regex with a simple for loop. Document the function.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-12-15 18:50:54 -08:00
Kir Kolyshkin 15677e7b03 ci: fix delete.bats for GHA
A couple of test cases in delete.bats check that a particular cgroup
exists (or doesn't exist) using find. This is now resulting in errors
like these:

        find: ‘/sys/fs/cgroup/blkio/azsec’: Permission denied
        find: ‘/sys/fs/cgroup/blkio/azsec_clamav’: Permission denied
        find: ‘/sys/fs/cgroup/cpu,cpuacct/azsec’: Permission denied
        find: ‘/sys/fs/cgroup/cpu,cpuacct/azsec_clamav’: Permission denied
        find: ‘/sys/fs/cgroup/memory/azsec’: Permission denied
        find: ‘/sys/fs/cgroup/memory/azsec_clamav’: Permission denied

leading to test case failures.

Apparently, GHA runs something else on a test box, so we get this.

To fix, ignore non-zero exit code from find, and redirect its stderr
to /dev/null.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-12-15 15:43:06 -08:00
Kir Kolyshkin c4aa452b18 tests/int/checkpoint: fix lazy migration flakiness
When doing a lazy checkpoint/restore, we should not restore into the
same cgroup, otherwise there is a race which result in occasional
killing of the restored container (GH #2760, #2924).

The fix is to use --manage-cgroup-mode=ignore, which allows to restore
into a different cgroup.

Note that since cgroupsPath is not set in config.json, the cgroup is
derived from the container name, so calling set_cgroups_path is not
needed.

For the previous (unsuccessful) attempt to fix this, as well as detailed
(and apparently correct) analysis, see commit 36fe3cc28c.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-12-15 15:37:42 -08:00
Kir Kolyshkin 683528783e man/runc-restore: describe restore into different cgroup
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-12-15 15:37:42 -08:00
Kir Kolyshkin d4582ae2f1 tests/int: add "--manage-cgroups-mode ignore" test
This test checks that the container is restored into a different cgroup.

To do so, a user should
 - use --manage-cgroups-mode ignore on both checkpoint and restore;
 - change the cgroupsPath value in config.json before restoring.

The test does some checks to ensure that its logic is correct, and that
after the restore the old (original) cgroup does not exist, the new one
exists, and the container's init is in that new cgroup.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-12-15 15:37:42 -08:00
Kir Kolyshkin e8cf8783d1 libct/criuApplyCgroups: add a TODO
I don't want to implement it now, because this might result in some
new issues, but this is definitely something that is worth implementing.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-12-15 15:37:42 -08:00
Kir Kolyshkin 3438ef30b2 restore: fix --manage-cgroups-mode ignore on cgroup v2
When manage-cgroups-mode: ignore is used, criu still needs to know the
cgroup path to work properly (see [1]).

Revert "libct/criuApplyCgroups: don't set cgroup paths for v2"

This reverts commit d5c57dcea6.

[1]: https://github.com/checkpoint-restore/criu/issues/1793#issuecomment-1086675168

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-12-15 15:37:42 -08:00
Kir Kolyshkin 212d25e853 checkpoint/restore: add --manage-cgroups-mode ignore
- add the new mode and document it;
 - slightly improve the --help output;
 - slightly simplify the parsing code.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-12-15 15:37:42 -08:00
Kir Kolyshkin ff3b4f3bb4 restore: fix ignoring --manage-cgroups-mode
Merge the logic of setPageServer, setManageCgroupsMode, and
setEmptyNsMask into criuOptions. This does three things:

1. Fixes ignoring --manage-cgroups-mode on restore;
2. Simplifies the code in checkpoint.go and restore.go;
3. Ensures issues like 1 won't happen again.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-12-15 15:37:39 -08:00
Kir Kolyshkin e7461c8c29 Merge pull request #3291 from indyjo/fix/sd-notify-barrier
notify_socket.go: use sd_notify_barrier mechanism
2022-12-08 15:33:15 -08:00
Kir Kolyshkin 0b21e02038 Merge pull request #3681 from opencontainers/dependabot/go_modules/golang.org/x/net-0.4.0
build(deps): bump golang.org/x/net from 0.2.0 to 0.4.0
2022-12-08 12:39:26 -08:00
dependabot[bot] 4f2af60520 build(deps): bump golang.org/x/net from 0.2.0 to 0.4.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.2.0 to 0.4.0.
- [Release notes](https://github.com/golang/net/releases)
- [Commits](https://github.com/golang/net/compare/v0.2.0...v0.4.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-12-08 04:04:47 +00:00
Kir Kolyshkin 19a9d9fc9e tests/int: use runc features in seccomp flags test
This test (initially added by commit 58ea21daef and later amended in
commit 26dc55ef1a) currently has two major deficiencies:

1. All possible flag combinations, and their respective numeric values,
   have to be explicitly listed. Currently we support 3 flags, so
   there is only 2^3 - 1 = 7 combinations, but adding more flags will
   become increasingly difficult (for example, 5 flags will result in
   31 combinations).

2. The test requires kernel 4.17 (for SECCOMP_FILTER_FLAG_SPEC_ALLOW),
   and not doing any tests when running on an older kernel. This, too,
   will make it more difficult to add extra flags in the future.

Both issues can be solved by using runc features which now prints all
known and supported runc flags. We still have to hardcode the numeric
values of all flags, but most of the other work is coded now.

In particular:

 * The test only uses supported flags, meaning it can be used with
   older kernels, removing the limitation (2) above.

 * The test calculates the powerset (all possible combinations) of
   flags and their numeric values. This makes it easier to add more
   flags, removing the limitation (1) above.

 * The test will fail (in flags_value) if any new flags will be added
   to runc but the test itself is not amended.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-11-29 17:24:32 -08:00
Kir Kolyshkin ac04154f0b seccomp: set SPEC_ALLOW by default
If no seccomps flags are set in OCI runtime spec (not even the empty
set), set SPEC_ALLOW as the default (if it's supported).

Otherwise, use the flags as they are set (that includes no flags for
empty seccomp.Flags array).

This mimics the crun behavior, and makes runc seccomp performance on par
with crun.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-11-29 17:24:32 -08:00
Kir Kolyshkin 076745a40f runc features: add seccomp filter flags
Amend runc features to print seccomp flags. Two set of flags are added:
 * known flags are those that this version of runc is aware of;
 * supported flags are those that can be set; normally, this is the same
   set as known flags, but due to older version of kernel and/or
   libseccomp, some known flags might be unsupported.

This commit also consolidates three different switch statements dealing
with flags into one, in func setFlag. A note is added to this function
telling what else to look for when adding new flags.

Unfortunately, it also adds a list of known flags, that should be
kept in sync with the switch statement.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-11-29 17:24:32 -08:00
Kir Kolyshkin ab8480893e types/features: fix docstrings
Fix a few copy-paste errors.

Fixes: 520702dac
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-11-29 17:24:32 -08:00
Kir Kolyshkin 2da0194236 Merge pull request #3670 from AkihiroSuda/fedora-37
Vagrantfile.fedora: upgrade Fedora to 37
2022-11-29 17:23:45 -08:00
Mrunal Patel 25c9e88868 Merge pull request #3655 from kolyshkin/cpt-destroy-on-err
runc checkpoint: destroy only on success
2022-11-22 18:40:52 -05:00
Mrunal Patel c1045cc8de Merge pull request #3662 from vipulnewaskar7/3659-wrong-error-variable-fix
Fixed Init State Error Variable
2022-11-22 18:39:11 -05:00
Akihiro Suda 8e9128ffce Vagrantfile.fedora: upgrade Fedora to 37
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2022-11-18 09:27:57 +09:00
Akihiro Suda 23389fc74d Merge pull request #3658 from opencontainers/dependabot/go_modules/golang.org/x/net-0.2.0
build(deps): bump golang.org/x/net from 0.1.0 to 0.2.0
2022-11-17 06:27:26 +09:00
Vipul Newaskar 9fc707e703 Fixed init state error variable
Init State Error message was using the err variable instead of uerr, which has been fixed now.
The error message should not show "nil" now.

Signed-off-by: Vipul Newaskar <vipulnewaskar7@gmail.com>
2022-11-15 09:41:16 +05:30
Jonas Eschenburg 067ca8f5c8 notify_socket.go: use sd_notify_barrier mechanism
Signed-off-by: Jonas Eschenburg <jonas.eschenburg@kuka.com>
2022-11-14 10:41:22 +01:00
Jonas Eschenburg ee88b90032 notify_socket.go: avoid use of bytes.Buffer
Signed-off-by: Jonas Eschenburg <jonas.eschenburg@kuka.com>
2022-11-14 10:41:22 +01:00
yaozhenxiu 313723fd5f fix libcontainer example
Signed-off-by: yaozhenxiu <946666800@qq.com>
2022-11-11 14:50:21 +08:00
dependabot[bot] 9f38379308 build(deps): bump golang.org/x/net from 0.1.0 to 0.2.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.1.0 to 0.2.0.
- [Release notes](https://github.com/golang/net/releases)
- [Commits](https://github.com/golang/net/compare/v0.1.0...v0.2.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-11-10 01:07:13 +00:00
Akihiro Suda f264cf91fa Merge pull request #3657 from opencontainers/dependabot/go_modules/golang.org/x/sys-0.2.0
build(deps): bump golang.org/x/sys from 0.1.0 to 0.2.0
2022-11-10 10:06:25 +09:00
dependabot[bot] 467dd23402 build(deps): bump golang.org/x/sys from 0.1.0 to 0.2.0
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.1.0 to 0.2.0.
- [Release notes](https://github.com/golang/sys/releases)
- [Commits](https://github.com/golang/sys/compare/v0.1.0...v0.2.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-11-09 04:04:06 +00:00
Sebastiaan van Stijn 627e815f20 Merge pull request #3654 from AkihiroSuda/go-mod-sys-v0.1.0
go.mod: golang.org/x/*: use tagged versions
2022-11-08 22:32:06 +01:00
Kir Kolyshkin 0b0244323f Merge pull request #3656 from opencontainers/dependabot/go_modules/github.com/coreos/go-systemd/v22-22.5.0
build(deps): bump github.com/coreos/go-systemd/v22 from 22.4.0 to 22.5.0
2022-11-08 12:01:51 -08:00
dependabot[bot] e0d3c3e07f build(deps): bump github.com/coreos/go-systemd/v22 from 22.4.0 to 22.5.0
Bumps [github.com/coreos/go-systemd/v22](https://github.com/coreos/go-systemd) from 22.4.0 to 22.5.0.
- [Release notes](https://github.com/coreos/go-systemd/releases)
- [Commits](https://github.com/coreos/go-systemd/compare/v22.4.0...v22.5.0)

---
updated-dependencies:
- dependency-name: github.com/coreos/go-systemd/v22
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-11-08 04:10:57 +00:00
Kir Kolyshkin 783f9ffeeb runc checkpoint: destroy only on success
If checkpointing has failed, the container is kept running. We do not
want to, and we can't remove it in such case.

Do not try to remove the container if there's an error from
checkpointing.

This avoids an unclear error message from destroy() saying "container
still running" or "container paused".

While at it, avoid using defer since it does not make a lot of sense
here.

Fixes: #3577
Reported-by: gosoon <tianfeiyu0@gmail.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-11-03 16:14:01 -07:00
Akihiro Suda 79aedac186 go.mod: golang.org/x/*: use tagged versions
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2022-11-03 11:11:19 +09:00
Kir Kolyshkin 2a8e5d3c62 Merge pull request #3579 from kolyshkin/v2-low-mem
runc update: implement memory.checkBeforeUpdate
2022-11-02 18:29:15 -07:00
Kir Kolyshkin 6462e9de67 runc update: implement memory.checkBeforeUpdate
This is aimed at solving the problem of cgroup v2 memory controller
behavior which is not compatible with that of cgroup v1.

In cgroup v1, if the new memory limit being set is lower than the
current usage, setting the new limit fails.

In cgroup v2, same operation succeeds, and the container is OOM killed.

Introduce a new setting, memory.checkBeforeUpdate, and use it to mimic
cgroup v1 behavior.

Note that this is not 100% reliable because of TOCTOU, but this is the
best we can do.

Add some test cases.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-11-02 17:15:26 -07:00
Kir Kolyshkin b34a547d67 Merge pull request #3379 from kolyshkin/bump-shfmt
ci: bump shfmt to 3.5.1, simplify CI setup
2022-11-02 15:00:24 -07:00
Kir Kolyshkin 56edc41ca6 ci: bump shfmt to 3.5.1, simplify CI setup
1. Bump shfmt to v3.5.1. Release notes:
   https://github.com/mvdan/sh/releases

2. Since shfmt v3.5.0, specifying -l bash (or -l bats) is no longer
   necessary. Therefore, we can use shfmt to find all the files.
   Add .editorconfig to ignore vendor subdirectory.

3. Use shfmt docker image, so that we don't have to install anything
   explicitly. This greatly simplifies the shfmt CI job. Add
   localshfmt target so developers can still use a local shfmt binary
   when necessary.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-11-02 11:08:36 -07:00
Kir Kolyshkin 8da0a0b567 Merge pull request #3631 from godsarmy/3612-sigkill_comment
Fix comment of signalAllProcesses for process wait due to sigkill
2022-11-02 10:31:34 -07:00
Walt Chen 18f8f482b1 Fix comment of signalAllProcesses for process wait due to sigkill
Signed-off-by: Walt Chen <godsarmycy@gmail.com>
2022-11-02 10:08:09 -07:00
Aleksa Sarai df2043af5d merge 'refs/pull/3635/head' of github.com:opencontainers/runc
Kir Kolyshkin (1):
  libct/seccomp/patchbpf: rm duplicated code

LGTMs: cyphar thaJeztah
Closes #3635
2022-11-02 15:46:03 +11:00
Kir Kolyshkin 2cd05e44b6 libct/seccomp/patchbpf: rm duplicated code
In findLastSyscalls, we convert libseccomp.ArchNative to the real
libseccomp architecture, but archToNative already does that, so
this code is redundant.

Remove the redundant code, and move its comment to archToNative.

Fixes: 7a8d7162f
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-11-01 18:47:16 -07:00
Kir Kolyshkin c393d16cea Merge pull request #3652 from rst0git/deps-go-criu
deps: bump github.com/checkpoint-restore/go-criu to 6.3.0
2022-11-01 18:42:14 -07:00
Radostin Stoyanov fbce47a6b6 deps: bump github.com/checkpoint-restore/go-criu to 6.3.0
Signed-off-by: Radostin Stoyanov <rstoyanov@fedoraproject.org>
2022-11-01 10:08:14 +00:00
Kir Kolyshkin fdc4d67cc7 Merge pull request #3405 from kolyshkin/seccomp-bintree
libct/seccomp: enable seccomp binary tree optimization
2022-10-31 17:57:08 -07:00
Kir Kolyshkin b265d1288f libct/seccomp: enable binary tree optimization
This makes libseccomp produce a BPF which uses a binary tree for
syscalls (instead of linear set of if statements).

It does not make sense to enable binary tree for small set of rules,
so don't do that if we have less than 8 syscalls (the number is chosen
arbitrarily).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-10-31 16:59:49 -07:00
Sebastiaan van Stijn 6e2b46e259 Merge pull request #3636 from kolyshkin/gha-v
ci/gha: use v3 tag for actions/cache
2022-10-27 21:36:47 -04:00
Qiang Huang 3049057feb Merge branch 'main' into gha-v 2022-10-28 09:17:47 +08:00
Kir Kolyshkin d61b45163f Merge pull request #3650 from kolyshkin/fix-seccomp-test-on-arm
tests/int/seccomp: fix flags test on ARM
2022-10-27 11:29:53 -07:00
Kir Kolyshkin 65840f64ef tests/int/seccomp: fix flags test on ARM
On ARM, mkdirat(2) is used instead of mkdir(2), thus the seccomp rules
needs to be amended accordingly.

This is a change similar to one in commit e119db7a23, but but it
evaded the test case added in commit 58ea21dae as it took a long time to
merge, and we don't have ARM CI.

Fixes: 58ea21dae ("seccomp: add support for flags")
Reported-by: Ryan Phillips <rphillips@redhat.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-10-26 11:13:34 -07:00
Kir Kolyshkin 6bf2c3b67e ci/gha: use v3 tag for actions/cache
This tag points to the latest v3 version (currently v3.0.11). Mainly
done to avoid cluttering git history with multiple minor v3 upgrades.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-10-17 10:05:17 -07:00
Kir Kolyshkin 6d1e1ee07d Merge pull request #3634 from opencontainers/dependabot/github_actions/actions/cache-3.0.11
build(deps): bump actions/cache from 3.0.10 to 3.0.11
2022-10-17 09:56:21 -07:00
dependabot[bot] a04363c1b9 build(deps): bump actions/cache from 3.0.10 to 3.0.11
Bumps [actions/cache](https://github.com/actions/cache) from 3.0.10 to 3.0.11.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v3.0.10...v3.0.11)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-14 04:11:15 +00:00
Mrunal Patel 70e3b757c0 Merge pull request #3611 from yukariatlas/main
cgroups: cpuset: fix byte order while parsing cpuset range to bits
2022-10-13 12:19:44 -07:00
Mrunal Patel a187c84e42 Merge pull request #3626 from thaJeztah/more_idiomatic
libcontainer/cgroups: return concrete types
2022-10-13 12:14:11 -07:00
Chengen, Du 4a8750d93a tests/int: add a "update cpuset cpus range via v2 unified map" test
Add a test case for an issue fixed by the previous commit.
The env should has more than 8 core CPU to meet the test requirement.

Signed-off-by: Chengen, Du <chengen.du@canonical.com>
2022-10-13 11:14:13 +08:00
Chengen, Du 77cae9addc cgroups: cpuset: fix byte order while parsing cpuset range to bits
Runc parses cpuset range to bits in the case of cgroup v2 + systemd as cgroup driver.
The byte order representation differs from systemd expectation, which will set
different cpuset range in systemd transient unit if the length of parsed byte array exceeds one.

	# cat config.json
	...
	"resources": {
		...
		"cpu": {
			"cpus": "10-23"
		}
	},
	...
	# runc --systemd-cgroup run test
	# cat /run/systemd/transient/runc-test.scope.d/50-AllowedCPUs.conf
	# This is a drop-in unit file extension, created via "systemctl set-property"
	# or an equivalent operation. Do not edit.
	[Scope]
	AllowedCPUs=0-7 10-15

The cpuset.cpus in cgroup will also be set to wrong value after reloading systemd manager configuration.

	# systemctl daemon-reload
	# cat /sys/fs/cgroup/system.slice/runc-test.scope/cpuset.cpus
	0-7,10-15

Signed-off-by: seyeongkim <seyeong.kim@canonical.com>
Signed-off-by: Chengen, Du <chengen.du@canonical.com>
2022-10-13 11:13:29 +08:00
Aleksa Sarai 56b01e7beb merge branch 'pr-3623'
Evan Phoenix (1):
  Fixes inability to use /dev/null when inside a container

LGTMs: kolyshkin cyphar
Closes #3623
2022-10-13 01:40:57 +11:00
Evan Phoenix 462e719cae Fixes inability to use /dev/null when inside a container
This is a forward port of https://github.com/opencontainers/runc/pull/3620

The original code depended on the origin filesystem to have
/dev/{block,char} populated. This is done by udev normally and while is
very common non-containerized systemd installs, it's very easy to start
systemd in a container created by runc itself and not have
/dev/{block,char} populated. When this occurs, the following error
output is observed:

$ docker run hello-world
docker: Error response from daemon: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error reopening /dev/null inside container: open /dev/null: operation not permitted: unknown.

/dev/null can't be opened because it was not added to the
deviceAllowList, as there was no /dev/char directory. The change here
utilizes the fact that when sysfs in in use, there is a
/sys/dev/{block,char} that is kernel maintained that we can check.

Signed-off-by: Evan Phoenix <evan@phx.io>
2022-10-08 10:53:18 -07:00
Akihiro Suda 526d3b3374 Merge pull request #3603 from kolyshkin/drop-inh
tests/int: do not set inheritable capabilities
2022-10-08 08:04:14 +09:00
Sebastiaan van Stijn fa47a92f67 Merge pull request #3565 from dharmicksai/3547
Add check for CONFIG_CGROUP_BPF in check-config.sh
2022-10-07 18:06:46 +02:00
Sebastiaan van Stijn 04389ae99b libcontainer/cgroups: return concrete types
It's more idiomatic Go to define interfaces on the receiver, and constructors to
return concrete types.

This patch changes various constructors to return a concrete type, with the
exceptions of NewWithPaths, which needs the abstraction as it switches between
implementations.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-10-07 17:31:11 +02:00
Sebastiaan van Stijn d811a7154c Merge pull request #3628 from kolyshkin/fix-centos-7-ci-again
cirrus-ci: install EPEL on CentOS 7 conditionally
2022-10-07 17:28:57 +02:00
Kir Kolyshkin ae53cde3ff cirrus-ci: install EPEL on CentOS 7 conditionally
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-10-06 12:10:26 -07:00
Kir Kolyshkin 1102f3fc9d Merge pull request #3624 from opencontainers/dependabot/github_actions/actions/cache-3.0.10
build(deps): bump actions/cache from 3.0.9 to 3.0.10
2022-10-04 19:06:08 -07:00
dependabot[bot] 8584900e50 build(deps): bump actions/cache from 3.0.9 to 3.0.10
Bumps [actions/cache](https://github.com/actions/cache) from 3.0.9 to 3.0.10.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v3.0.9...v3.0.10)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-04 04:12:20 +00:00
Akihiro Suda 535b8b716a Merge pull request #3619 from opencontainers/dependabot/go_modules/github.com/opencontainers/selinux-1.10.2
build(deps): bump github.com/opencontainers/selinux from 1.10.1 to 1.10.2
2022-10-04 09:29:25 +09:00
Kir Kolyshkin 967552cff5 Merge pull request #3621 from opencontainers/dependabot/github_actions/actions/cache-3.0.9
build(deps): bump actions/cache from 3.0.8 to 3.0.9
2022-10-03 10:34:47 -07:00
Sebastiaan van Stijn fa0f7f5c97 Merge pull request #3622 from opencontainers/dependabot/go_modules/github.com/cilium/ebpf-0.9.3
build(deps): bump github.com/cilium/ebpf from 0.9.1 to 0.9.3
2022-10-03 09:27:48 +02:00
dependabot[bot] 1be5d45df9 build(deps): bump github.com/cilium/ebpf from 0.9.1 to 0.9.3
Bumps [github.com/cilium/ebpf](https://github.com/cilium/ebpf) from 0.9.1 to 0.9.3.
- [Release notes](https://github.com/cilium/ebpf/releases)
- [Commits](https://github.com/cilium/ebpf/compare/v0.9.1...v0.9.3)

---
updated-dependencies:
- dependency-name: github.com/cilium/ebpf
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-03 04:15:32 +00:00
dependabot[bot] 79a5c1109b build(deps): bump actions/cache from 3.0.8 to 3.0.9
Bumps [actions/cache](https://github.com/actions/cache) from 3.0.8 to 3.0.9.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v3.0.8...v3.0.9)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-03 04:15:17 +00:00
dependabot[bot] da9126f788 build(deps): bump github.com/opencontainers/selinux
Bumps [github.com/opencontainers/selinux](https://github.com/opencontainers/selinux) from 1.10.1 to 1.10.2.
- [Release notes](https://github.com/opencontainers/selinux/releases)
- [Commits](https://github.com/opencontainers/selinux/compare/v1.10.1...v1.10.2)

---
updated-dependencies:
- dependency-name: github.com/opencontainers/selinux
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-29 04:09:47 +00:00
Sebastiaan van Stijn 1c3b8dbaf4 Merge pull request #3606 from opencontainers/dependabot/go_modules/github.com/coreos/go-systemd/v22-22.4.0
build(deps): bump github.com/coreos/go-systemd/v22 from 22.3.2 to 22.4.0
2022-09-29 00:11:52 +02:00
dependabot[bot] 7189ba8dfe build(deps): bump github.com/coreos/go-systemd/v22 from 22.3.2 to 22.4.0
Bumps [github.com/coreos/go-systemd/v22](https://github.com/coreos/go-systemd) from 22.3.2 to 22.4.0.
- [Release notes](https://github.com/coreos/go-systemd/releases)
- [Commits](https://github.com/coreos/go-systemd/compare/v22.3.2...v22.4.0)

---
updated-dependencies:
- dependency-name: github.com/coreos/go-systemd/v22
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-28 21:26:56 +00:00
Mrunal Patel a92bcd72fe Merge pull request #3614 from kolyshkin/fix-centos-7-ci
Fix centos 7 ci
2022-09-28 14:24:47 -07:00
Kir Kolyshkin 491713e841 cirrus-ci: enable EPEL for CentOS 7
It used to be enabled by default, but not as of last few weeks.

While at it, add rpm -q command to make sure all required RPMS were in
fact installed (at least CentOS 7 yum exits with 0 when some packages
requested are not available).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-09-28 11:04:15 -07:00
Kir Kolyshkin 4e65118d02 tests/int/helpers: gawk -> awk
We use awk in other 9 or so places, and here it's gawk.
Since this is on Linux, most probably awk is gawk.

So s/gawk/awk/.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-09-27 22:22:29 -07:00
Kir Kolyshkin 0ffb49dba0 tests/int: suppress bogus error
The situation when /sys/fs/cgroup/unified is not present normal and
should not result in anything on stderr. Suppress it.

Fixes: cc15b887a0
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-09-27 22:22:29 -07:00
Kir Kolyshkin 4ff59f81fd Merge pull request #3607 from opencontainers/dependabot/go_modules/github.com/checkpoint-restore/go-criu/v6-6.2.0
build(deps): bump github.com/checkpoint-restore/go-criu/v6 from 6.1.0 to 6.2.0
2022-09-20 18:11:15 -07:00
dependabot[bot] 6fce0a1c67 build(deps): bump github.com/checkpoint-restore/go-criu/v6
Bumps [github.com/checkpoint-restore/go-criu/v6](https://github.com/checkpoint-restore/go-criu) from 6.1.0 to 6.2.0.
- [Release notes](https://github.com/checkpoint-restore/go-criu/releases)
- [Commits](https://github.com/checkpoint-restore/go-criu/compare/v6.1.0...v6.2.0)

---
updated-dependencies:
- dependency-name: github.com/checkpoint-restore/go-criu/v6
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-19 04:24:11 +00:00
Kir Kolyshkin e965e10c32 tests/int: do not set inheritable capabilities
Amends commit 98fe566c52 ("runc: do not set inheritable
capabilities").

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-09-15 11:49:32 -07:00
Mrunal Patel 91c0a7ac8d Merge pull request #3580 from kolyshkin/fix-seccomp-ssb
seccomp: do not ignore SPEC_ALLOW flag
2022-09-13 16:45:57 -07:00
Kir Kolyshkin 2e8b7a1283 Merge pull request #3586 from snprajwal/go-criu/v6
Upgrade go-criu to v6
2022-09-09 18:49:28 -07:00
dharmicksai 29a28848de Add check for CONFIG_CGROUP_BPF in check-config.sh
cgroup v2 requires CONFIG_CGROUP_BPF kernel option to be set
else runc can not start containers.

check-config.sh script checks if the CONFIG_CGROUP_BPF option
is set. The script checks if version of kernel is atleast
4.15 and cgroup v2 is being used before checking if the
CONFIG_CGROUP_BPF option is set.

Closes #3547

Signed-off-by: dharmicksai <dharmicksaik@gmail.com>
2022-09-08 14:28:47 +05:30
Prajwal S N 746f45807d deps: bump go-criu to v6
The v6.0.0 release of go-criu has deprecated the `rpc` package in favour
of the `crit` package. This commit provides the changes required to use
this version in runc.

Signed-off-by: Prajwal S N <prajwalnadig21@gmail.com>
2022-09-06 11:55:17 +05:30
Kir Kolyshkin bc13e33270 Merge pull request #3566 from opencontainers/dependabot/github_actions/actions/cache-3.0.8
build(deps): bump actions/cache from 3.0.7 to 3.0.8
2022-09-02 16:54:35 -07:00
Kir Kolyshkin 5808663ceb Merge pull request #3585 from opencontainers/dependabot/go_modules/github.com/docker/go-units-0.5.0
build(deps): bump github.com/docker/go-units from 0.4.0 to 0.5.0
2022-09-01 17:00:28 -07:00
dependabot[bot] 45041985e3 build(deps): bump github.com/docker/go-units from 0.4.0 to 0.5.0
Bumps [github.com/docker/go-units](https://github.com/docker/go-units) from 0.4.0 to 0.5.0.
- [Release notes](https://github.com/docker/go-units/releases)
- [Commits](https://github.com/docker/go-units/compare/v0.4.0...v0.5.0)

---
updated-dependencies:
- dependency-name: github.com/docker/go-units
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-01 04:15:34 +00:00
Kir Kolyshkin 26dc55ef1a seccomp: fix flag test to actually check the value
Add a debug print of seccomp flags value, so the test can check
those (without using something like strace, that is).

Amend the flags setting test with the numeric values expected, and the
logic to check those.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-08-30 19:16:08 -07:00
Kir Kolyshkin c7dc8b1fed libct/seccomp/patchbpf: support SPEC_ALLOW
Commit 58ea21daef added support for seccomp flags such as
SPEC_ALLOW, but it does not work as expected, because since commit
7a8d7162f9 we do not use libseccomp-golang's Load(), but
handle flags separately in patchbfp.

This fixes setting SPEC_ALLOW flag.

Add a comment to not forget to amend filterFlags when adding new flags.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-08-29 15:48:10 -07:00
dependabot[bot] 8206f5b2aa build(deps): bump actions/cache from 3.0.7 to 3.0.8
Bumps [actions/cache](https://github.com/actions/cache) from 3.0.7 to 3.0.8.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v3.0.7...v3.0.8)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-23 04:19:26 +00:00
Kir Kolyshkin 4a51b04703 Merge pull request #3559 from kolyshkin/fix-dev-pts
Fix failed exec after systemctl daemon-reload
2022-08-18 15:03:31 -07:00
Kir Kolyshkin 58b1374f0a Fix failed exec after systemctl daemon-reload
A regression reported for runc v1.1.3 says that "runc exec -t" fails
after doing "systemctl daemon-reload":

> exec failed: unable to start container process: open /dev/pts/0: operation not permitted: unknown

Apparently, with commit 7219387eb7 we are no longer adding
"DeviceAllow=char-pts rwm" rule (because os.Stat("char-pts") returns
ENOENT).

The bug can only be seen after "systemctl daemon-reload" because runc
also applies the same rules manually (by writing to devices.allow for
cgroup v1), and apparently reloading systemd leads to re-applying the
rules that systemd has (thus removing the char-pts access).

The fix is to do os.Stat only for "/dev" paths.

Also, emit a warning that the path was skipped. Since the original idea
was to emit less warnings, demote the level to debug.

Note this also fixes the issue of not adding "m" permission for block-*
and char-* devices.

A test case is added, which reliably fails before the fix
on both cgroup v1 and v2.

Fixes: https://github.com/opencontainers/runc/issues/3551
Fixes: 7219387eb7
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-08-18 14:41:16 -07:00
Akihiro Suda a98ad5e61d Merge pull request #3561 from kolyshkin/ci-codespell-2.2
ci: fix for codespell 2.2
2022-08-18 10:20:00 +09:00
Kir Kolyshkin df9e32bc6a ci: fix for codespell 2.2
Recently released codespell 2.2 adds some more false positives,
such as:

	./Makefile:78: ro ==> to, row, rob, rod, roe, rot
	./Makefile:88: ro ==> to, row, rob, rod, roe, rot
	./notify_socket.go:51: ro ==> to, row, rob, rod, roe, rot
	./LICENSE:128: complies ==> compiles
	./go.sum:59: BU ==> BY
	./types/features/features.go:17: ro ==> to, row, rob, rod, roe, rot
	./libcontainer/rootfs_linux.go:52: ro ==> to, row, rob, rod, roe, rot
	./libcontainer/rootfs_linux.go:166: ro ==> to, row, rob, rod, roe, rot
	....
	./tests/integration/cgroup_delegation.bats:38: inh ==> in
	...

To fix:
 - exclude go.sum;
 - add ro and complies to the list of ignored words;
 - s/inh/inherit in cgroup_delegation.bats.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-08-17 16:37:44 -07:00
Sebastiaan van Stijn 7b6f5153b8 Merge pull request #3514 from kolyshkin/go119
Add go 1.19, require go 1.18, drop go 1.17
2022-08-16 22:38:40 +02:00
Kir Kolyshkin 4ada984fb3 Merge pull request #3557 from opencontainers/dependabot/github_actions/actions/cache-3.0.7
build(deps): bump actions/cache from 3.0.5 to 3.0.7
2022-08-16 10:12:53 -07:00
Kir Kolyshkin b7dcdcecb4 Add go 1.19, require go 1.18, drop go 1.17
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-08-16 09:53:54 -07:00
Kir Kolyshkin 0f4bf2c840 ci/gha: bump golangci-lint to 1.48
This version works with go 1.19, i.e. it fixes
https://github.com/golangci/golangci-lint/issues/2922.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-08-16 09:53:54 -07:00
Kir Kolyshkin 45cc290f02 libct: fixes for godoc 1.19
Since Go 1.19, godoc recognizes lists, code blocks, headings etc. It
also reformats the sources making it more apparent that these features
are used.

Fix a few places where it misinterpreted the formatting (such as
indented vs unindented), and format the result using the gofumpt
from HEAD, which already incorporates gofmt 1.19 changes.

Some more fixes (and enhancements) might be required.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-08-16 09:53:54 -07:00
dependabot[bot] bf8d7c713b build(deps): bump actions/cache from 3.0.5 to 3.0.7
Bumps [actions/cache](https://github.com/actions/cache) from 3.0.5 to 3.0.7.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v3.0.5...v3.0.7)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-13 16:56:03 +00:00
Akihiro Suda 480e1298d8 Merge pull request #3556 from kolyshkin/go119-fix-386
ci/gha: fix cross-386 job vs go 1.19
2022-08-13 11:49:35 +09:00
Kir Kolyshkin 589a9d5082 ci/gha: fix cross-386 job vs go 1.19
When golang 1.19 is used to build unit tests on 386, it fails like this:

 sudo -E PATH="$PATH" -- make GOARCH=386 CGO_ENABLED=1 localunittest
 <...>
 go test -timeout 3m -tags "seccomp"  -v ./...
 <...>
 # github.com/opencontainers/runc/libcontainer/capabilities.test
 runtime/cgo(.text): unknown symbol __stack_chk_fail_local in pcrel
 runtime/cgo(.text): unknown symbol __stack_chk_fail_local in pcrel
 runtime/cgo(.text): unknown symbol __stack_chk_fail_local in pcrel
 runtime/cgo(.text): unknown symbol __stack_chk_fail_local in pcrel
 runtime/cgo(.text): unknown symbol __stack_chk_fail_local in pcrel
 runtime/cgo(.text): relocation target __stack_chk_fail_local not defined
 runtime/cgo(.text): relocation target __stack_chk_fail_local not defined

The fix is to add CGO_CFLAGS=-fno-stack-protector.

See also:
 - https://github.com/docker-library/golang/pull/426
 - https://go.dev/issue/52919
 - https://go.dev/issue/54313
 - https://go-review.googlesource.com/c/go/+/421935

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-08-10 18:43:52 -07:00
Kir Kolyshkin 7e54290f11 Merge pull request #3530 from opencontainers/dependabot/go_modules/github.com/cilium/ebpf-0.9.1
build(deps): bump github.com/cilium/ebpf from 0.9.0 to 0.9.1
2022-08-04 15:38:07 -07:00
Akihiro Suda 2a14cecca3 Merge pull request #3543 from opencontainers/dependabot/go_modules/google.golang.org/protobuf-1.28.1
build(deps): bump google.golang.org/protobuf from 1.28.0 to 1.28.1
2022-08-04 09:25:09 +09:00
Aleksa Sarai bd69483df5 merge branch 'pr-3522'
Kir Kolyshkin (1):
  Fix error from runc run on noexec fs

LGTMs: AkihiroSuda thaJeztah cyphar
Closes #3522
2022-08-02 12:40:43 +10:00
dependabot[bot] 450dd3e237 build(deps): bump google.golang.org/protobuf from 1.28.0 to 1.28.1
Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go) from 1.28.0 to 1.28.1.
- [Release notes](https://github.com/protocolbuffers/protobuf-go/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash)
- [Commits](https://github.com/protocolbuffers/protobuf-go/compare/v1.28.0...v1.28.1)

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-07-29 23:51:56 +00:00
Kir Kolyshkin f835196e80 Merge pull request #3531 from opencontainers/dependabot/go_modules/github.com/sirupsen/logrus-1.9.0
build(deps): bump github.com/sirupsen/logrus from 1.8.1 to 1.9.0
2022-07-29 16:51:08 -07:00
dependabot[bot] 6d00bf6cc3 build(deps): bump github.com/sirupsen/logrus from 1.8.1 to 1.9.0
Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.8.1 to 1.9.0.
- [Release notes](https://github.com/sirupsen/logrus/releases)
- [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sirupsen/logrus/compare/v1.8.1...v1.9.0)

---
updated-dependencies:
- dependency-name: github.com/sirupsen/logrus
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-07-29 14:49:27 +00:00
Akihiro Suda d11f4d756e Merge pull request #3390 from kinvolk/alban_log
seccomp: add support for flags
2022-07-29 23:48:29 +09:00
Kir Kolyshkin 3a5294f039 Merge pull request #3485 from corhere/3181-rdt-init-without-cpuinfo
libct/intelrdt: skip reading /proc/cpuinfo
2022-07-28 12:38:05 -07:00
Cory Snider ea0bd78268 libct/intelrdt: check if available iff configured
Unless the container's runtime config has intelRdt configuration set,
any checks for whether Intel RDT is supported or the resctrl filesystem
is mounted are a waste of time as, per the OCI Runtime Spec, "the
runtime MUST NOT manipulate any resctrl pseudo-filesystems." And in the
likely case where Intel RDT is supported by both the hardware and
kernel but the resctrl filesystem is not mounted, these checks can get
expensive as the intelrdt package needs to parse mountinfo to check
whether the filesystem has been mounted to a non-standard path.
Optimize for the common case of containers with no intelRdt
configuration by only performing the checks when the container has opted
in.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-07-28 12:06:03 -07:00
Cory Snider 56daf36be2 libct/intelrdt: skip remove unless configured
The OCI runtime spec mandates "[i]f intelRdt is not set, the runtime
MUST NOT manipulate any resctrl pseudo-filesystems." Attempting to
delete files counts as manipulating, so stop doing that when the
container's RDT configuration is nil.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-07-28 12:06:03 -07:00
Cory Snider c156bde7cc libct/intelrdt: elide parsing mountinfo
The intelrdt package only needs to parse mountinfo to find the mount
point of the resctrl filesystem. Users are generally going to mount the
resctrl filesystem to the pre-created /sys/fs/resctrl directory, so
there is a common case where mountinfo parsing is not required. Optimize
for the common case with a fast path which checks both for the existence
of the /sys/fs/resctrl directory and whether the resctrl filesystem was
mounted to that path using a single statfs syscall.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-07-28 12:06:03 -07:00
Cory Snider 9f107489b0 libct/intelrdt: skip reading /proc/cpuinfo
Reading /proc/cpuinfo is a surprisingly expensive operation. Since
kernel version 4.12 [1], opening /proc/cpuinfo on an x86 system can
block for around 20 milliseconds while the kernel samples the current
CPU frequency. There is a very recent patch [2] which gets rid of the
delay, but has yet to make it into the mainline kenel. Regardless,
kernels for which opening /proc/cpuinfo takes 20ms will continue to be
run in production for years to come. libcontainer only opens
/proc/cpuinfo to read the processor feature flags so all the delays to
get an accurate snapshot of the CPU frequency are just wasted time.

If we wanted to, we could interrogate the CPU features directly from
userspace using the `CPUID` instruction. However, Intel and AMD CPUs
have flags in different positions for their analogous sub-features and
there are CPU quirks [3] which would need to be accounted for. Some
Haswell server CPUs support RDT/CAT but are missing the `CPUID` flags
advertising their support; the kernel checks for support on that
processor family by probing the the hardware using privileged
RDMSR/WRMSR instructions [4]. This sort of probing could not be
implemented in userspace so it would not be possible to check for RDT
feature support in userspace without false negatives on some hardware
configurations.

It looks like libcontainer reads the CPU feature flags as a kind of
optimization so that it can skip checking whether the kernel supports an
RDT sub-feature if the hardware support is missing. As the kernel only
exposes subtrees in the `resctrl` filesystem for RDT sub-features with
hardware and kernel support, checking the CPU feature flags is redundant
from a correctness point of view. Remove the /proc/cpuinfo check as it
is an optimization which actually hurts performance.

[1]: https://unix.stackexchange.com/a/526679
[2]: https://lore.kernel.org/all/20220415161206.875029458@linutronix.de/
[3]: https://github.com/torvalds/linux/blob/7cf6a8a17f5b134b7e783c2d45c53298faef82a7/arch/x86/kernel/cpu/resctrl/core.c#L834-L851
[4]: https://github.com/torvalds/linux/blob/a6b450573b912316ad36262bfc70e7c3870c56d1/arch/x86/kernel/cpu/resctrl/core.c#L111-L153

Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-07-28 12:06:03 -07:00
Cory Snider 13674f43d3 libct/intelrdt: delete IsMBAScEnabled()
This function is unused, and removing it simplifies the changes which
follow this commit.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-07-28 12:06:03 -07:00
dependabot[bot] d9a3acb9fc build(deps): bump github.com/cilium/ebpf from 0.9.0 to 0.9.1
Bumps [github.com/cilium/ebpf](https://github.com/cilium/ebpf) from 0.9.0 to 0.9.1.
- [Release notes](https://github.com/cilium/ebpf/releases)
- [Commits](https://github.com/cilium/ebpf/compare/v0.9.0...v0.9.1)

---
updated-dependencies:
- dependency-name: github.com/cilium/ebpf
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-07-28 19:05:50 +00:00
Alban Crequy 58ea21daef seccomp: add support for flags
List of seccomp flags defined in runtime-spec:
* SECCOMP_FILTER_FLAG_TSYNC
* SECCOMP_FILTER_FLAG_LOG
* SECCOMP_FILTER_FLAG_SPEC_ALLOW

Note that runc does not apply SECCOMP_FILTER_FLAG_TSYNC. It does not
make sense to apply the seccomp filter on only one thread; other threads
will be terminated after exec anyway.

See similar commit in crun:
https://github.com/containers/crun/commit/fefabffa2816ea343068ed036a86944393db189a

Note that SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV (introduced by
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/commit/?id=c2aa2dfef243
in Linux 5.19-rc1) is not added yet because Linux 5.19 is not released
yet.

Signed-off-by: Alban Crequy <albancrequy@microsoft.com>
2022-07-28 16:25:26 +02:00
Alban Crequy c152e8310f go.mod: update runtime-spec
Signed-off-by: Alban Crequy <albancrequy@microsoft.com>
2022-07-28 16:25:26 +02:00
Aleksa Sarai 6f8cb8b4c1 merge branch 'pr-3539'
Kir Kolyshkin (1):
  CI: workaround CentOS Stream 9 criu issue

LGTMs: AkihiroSuda cyphar
Closes #3539
2022-07-28 21:15:14 +10:00
Kir Kolyshkin 4fd4af5b1c CI: workaround CentOS Stream 9 criu issue
Older criu builds fail to work properly on CentOS Stream 9 due to
changes in glibc's rseq.

Skip criu tests if an older criu version is found.

Fixes: https://github.com/opencontainers/runc/issues/3532

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-07-27 17:51:41 -07:00
Aleksa Sarai c0d44ea9fc merge branch 'pr-3523'
Kir Kolyshkin (1):
  CHANGELOG.md: forward-port 1.1.x changes

LGTMs: AkihiroSuda cyphar
Closes #3523
2022-07-20 14:26:51 +10:00
Kir Kolyshkin 93ad6a8513 Merge pull request #3528 from opencontainers/dependabot/github_actions/actions/cache-3.0.5
build(deps): bump actions/cache from 3.0.4 to 3.0.5
2022-07-14 11:42:51 -07:00
dependabot[bot] 5fd3d09e25 build(deps): bump actions/cache from 3.0.4 to 3.0.5
Bumps [actions/cache](https://github.com/actions/cache) from 3.0.4 to 3.0.5.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v3.0.4...v3.0.5)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-07-14 04:15:30 +00:00
Kir Kolyshkin a776ec9c90 Merge pull request #3525 from zhsj/seccomp-arm64
tests: enable seccomp default action tests on arm
2022-07-11 13:49:34 -07:00
Kir Kolyshkin 7928a0ddf7 Merge pull request #3526 from zhsj/replace-hello-image
tests: replace local hello world bundle with busybox bundle
2022-07-11 13:48:34 -07:00
Kir Kolyshkin 2c692a973b Merge pull request #3442 from AkihiroSuda/fedora-36
Vagrantfile.fedora: upgrade Fedora to 36
2022-07-07 10:50:38 -07:00
Shengjing Zhu 66bf3718b4 tests: replace local hello world bundle with busybox bundle
Currently only amd64 and arm64v8 tarball have been checked in testdata,
while busybox bundle is downloaded on fly, and supports multiple architectures.

To enable integration tests for more architectures, the hello world
bundle is replaced by busybox one.

Signed-off-by: Shengjing Zhu <zhsj@debian.org>
2022-07-05 02:19:57 +08:00
Shengjing Zhu e119db7a23 tests: enable seccomp default action tests on arm
Signed-off-by: Shengjing Zhu <zhsj@debian.org>
2022-07-04 16:06:03 +08:00
Kir Kolyshkin d2a5acd22a CHANGELOG.md: forward-port 1.1.x changes
This is a forward-port of commit 91fa032da4 ("ci: add basic checks for
CHANGELOG.md"), plus whatever changes were made in release-1.1 branch
(up to v1.1.3).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-07-01 15:57:34 -07:00
Kir Kolyshkin 957d97bcf4 Fix error from runc run on noexec fs
When starting a new container, and the very last step of executing of a
user process fails (last lines of (*linuxStandardInit).Init), it is too
late to print a proper error since both the log pipe and the init pipe
are closed.

This is partially mitigated by using exec.LookPath() which is supposed
to say whether we will be able to execute or not. Alas, it fails to do
so when the binary to be executed resides on a filesystem mounted with
noexec flag.

A workaround would be to use access(2) with X_OK flag. Alas, it is not
working when runc itself is a setuid (or setgid) binary. In this case,
faccessat2(2) with AT_EACCESS can be used, but it is only available
since Linux v5.8.

So, use faccessat2(2) with AT_EACCESS if available. If not, fall back to
access(2) for non-setuid runc, and do nothing for setuid runc (as there
is nothing we can do). Note that this check if in addition to whatever
exec.LookPath does.

Fixes https://github.com/opencontainers/runc/issues/3520

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-07-01 10:02:42 -07:00
Mrunal Patel eca233d286 Merge pull request #3515 from kolyshkin/linter
Bump golangci-lint, fix an error path
2022-06-29 14:38:02 -07:00
Akihiro Suda 086ddb1542 Vagrantfile.fedora: upgrade Fedora to 36
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2022-06-29 14:33:13 +09:00
Aleksa Sarai 641d5c19ed merge branch 'pr-3501'
Guodong Zhu (1):
  libct/nsenter: switch to sane_kill()

LGTMs: kolyshkin cyphar
Closes #3501
2022-06-27 15:43:57 +10:00
guodong 35e6c3bf79 libct/nsenter: switch to sane_kill()
Signed-off-by: guodong <guodong9211@gmail.com>
2022-06-27 15:43:07 +10:00
Akihiro Suda 214c16fd9a Merge pull request #3510 from kolyshkin/fix-mntns-userns
libct: fix mounting via wrong proc fd
2022-06-23 18:43:25 -05:00
Akihiro Suda 8b9452f75c Merge pull request #3508 from cdoern/blkio
export blockIODevice
2022-06-17 23:25:45 +09:00
Kir Kolyshkin 7481c3c97b ci: bump golangci-lint to 1.46
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-06-16 16:33:55 -07:00
Kir Kolyshkin 6662570110 libct: fix staticcheck warning
A new version of staticcheck (included into golangci-lint 1.46.2) gives
this new warning:

> libcontainer/factory_linux.go:230:59: SA9008: e refers to the result of a failed type assertion and is a zero value, not the value that was being type-asserted (staticcheck)
> 				err = fmt.Errorf("panic from initialization: %v, %s", e, debug.Stack())
> 				                                                      ^
> libcontainer/factory_linux.go:226:7: SA9008(related information): this is the variable being read (staticcheck)
> 			if e, ok := e.(error); ok {
> 			   ^

Apparently, this is indeed a bug. Fix by using a different name for a
new variable, so we can access the old one under "else".

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-06-16 16:31:42 -07:00
Kir Kolyshkin d370e3c046 libct: fix mounting via wrong proc fd
Due to a bug in commit 9c444070ec, when the user and mount namespaces
are used, and the bind mount is followed by the cgroup mount in the
spec, the cgroup is mounted using the bind mount's mount fd.

This can be reproduced with podman 4.1 (when configured to use runc):

$ podman run --uidmap 0:100:10000 quay.io/libpod/testimage:20210610 mount
Error: /home/kir/git/runc/runc: runc create failed: unable to start container process: error during container init: error mounting "cgroup" to rootfs at "/sys/fs/cgroup": mount /proc/self/fd/11:/sys/fs/cgroup/systemd (via /proc/self/fd/12), flags: 0x20502f: operation not permitted: OCI permission denied

or manually with the spec mounts containing something like this:

    {
      "destination": "/etc/resolv.conf",
      "type": "bind",
      "source": "/userdata/resolv.conf",
      "options": [
        "bind"
      ]
    },
    {
      "destination": "/sys/fs/cgroup",
      "type": "cgroup",
      "source": "cgroup",
      "options": [
        "rprivate",
        "nosuid",
        "noexec",
        "nodev",
        "relatime",
        "ro"
      ]
    }

The issue was not found earlier since it requires using userns, and even then
mount fd is ignored by mountToRootfs, except for bind mounts, and all the bind
mounts have mountfd set, except for the case of cgroup v1's /sys/fs/cgroup
which is internally transformed into a bunch of bind mounts.

This is a minimal fix for the issue, suitable for backporting.

A test case is added which reproduces the issue without the fix applied.

Fixes: 9c444070ec ("Open bind mount sources from the host userns")
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-06-16 11:54:42 -07:00
Aleksa Sarai fa49e3ba2c merge branch 'pr-3506'
Davanum Srinivas (1):
  Switch to newer v0.10.0 release of libseccomp-golang

LGTMs: AkihiroSuda cyphar
Closes #3506
2022-06-14 13:20:45 +10:00
cdoern c0be1aa2d1 export blockIODevice
the struct blockIODevice is used in an exported struct but it is not itself exported rendering that type inaccessible to
outside projects

Signed-off-by: cdoern <cdoern@redhat.com>
2022-06-13 13:40:39 -04:00
Akihiro Suda d799f7a075 Merge pull request #3505 from opencontainers/dependabot/github_actions/actions/cache-3.0.4
build(deps): bump actions/cache from 3.0.2 to 3.0.4
2022-06-12 15:59:13 +09:00
Davanum Srinivas 56fcc9385c Switch to newer v0.10.0 release of libseccomp-golang
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2022-06-10 15:27:30 -04:00
Sebastiaan van Stijn 258eff101c Merge pull request #3498 from cyphar/systemd-devices-nonexistent-files
cgroups: systemd: skip adding device paths that don't exist
2022-06-08 19:03:26 +02:00
dependabot[bot] cc0feb4b6c build(deps): bump actions/cache from 3.0.2 to 3.0.4
Bumps [actions/cache](https://github.com/actions/cache) from 3.0.2 to 3.0.4.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v3.0.2...v3.0.4)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-08 04:12:16 +00:00
Sebastiaan van Stijn a7a45d7d27 Merge pull request #3503 from opencontainers/dependabot/go_modules/github.com/moby/sys/mountinfo-0.6.2
build(deps): bump github.com/moby/sys/mountinfo from 0.6.1 to 0.6.2
2022-06-07 09:24:41 +02:00
dependabot[bot] 5ed3fdff8f build(deps): bump github.com/moby/sys/mountinfo from 0.6.1 to 0.6.2
Bumps [github.com/moby/sys/mountinfo](https://github.com/moby/sys) from 0.6.1 to 0.6.2.
- [Release notes](https://github.com/moby/sys/releases)
- [Commits](https://github.com/moby/sys/compare/mountinfo/v0.6.1...mountinfo/v0.6.2)

---
updated-dependencies:
- dependency-name: github.com/moby/sys/mountinfo
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-07 04:14:12 +00:00
Akihiro Suda 2bc61bb01a Merge pull request #3486 from kolyshkin/gha-ci-shellcheck
ci: shellcheck job nits
2022-06-03 00:31:17 +09:00
Aleksa Sarai 343951a22b cgroups: systemd: skip adding device paths that don't exist
systemd emits very loud warnings when the path specified doesn't exist
(which can be the case for some of our default rules). We don't need the
ruleset we give systemd to be completely accurate (we discard some kinds
of wildcard rules anyway) so we can safely skip adding these.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2022-06-02 12:10:57 +10:00
Sebastiaan van Stijn a51ea7c477 Merge pull request #3489 from eriksjolund/relax_sanity_check_in_getenv_int
libcontainer: relax getenv_int sanity check
2022-06-01 21:49:40 +02:00
Kir Kolyshkin bd718784af Merge pull request #3495 from AkihiroSuda/update-cgroup2-distros
docs/cgroup-v2.md: update the distro list
2022-06-01 10:55:00 -07:00
Erik Sjölund 03a210d0f2 libcontainer: relax getenv_int sanity check
Remove upper bound in integer sanity check
to not restrict the number of socket-activated
sockets passed in.

Closes #3488

Signed-off-by: Erik Sjölund <erik.sjolund@gmail.com>
2022-06-01 13:54:02 +10:00
Akihiro Suda 72ad20994b docs/cgroup-v2.md: update the distro list
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2022-05-27 17:41:24 +09:00
Sebastiaan van Stijn 182d77c1a9 Merge pull request #3491 from kolyshkin/bump-ebpf-0.9.0
vendor: bump cilium/ebpf to v0.9.0
2022-05-27 10:24:26 +02:00
Kir Kolyshkin 1505379ca3 Merge pull request #3482 from kolyshkin/seccomp-sha
script/seccomp.sh: check tarball sha256
2022-05-26 18:26:07 -07:00
Mrunal Patel e1889c4bf2 Merge pull request #3484 from kolyshkin/bump-urfave-cli-nodocs
vendor: bump urfave/cli, add urfave_cli_no_docs tag
2022-05-26 17:59:41 -07:00
Kir Kolyshkin 65f41d57d9 vendor: bump urfave/cli, add urfave_cli_no_docs tag
This removes the runc dependency on cpuguy83/md2man and
russross/blackfriday, which saves more than 400 KB (more than 300 KB
once stripped) from the binary.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-26 13:51:48 -07:00
Kir Kolyshkin e0406b4ba6 vendor: bump cilium/ebpf to v0.9.0
Also, change the deprecated Sym to WithSymbol.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-26 13:35:32 -07:00
Kir Kolyshkin 6b96cbdd59 ci: improve shellcheck job
1. Use env directive instead of adding to $GITHUB_ENV.

2. Use bash herefile to feed sha256sum instead of pipe to grep.

3. Fix the hardcoded checksum (it was missing the first character).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-25 18:57:25 -07:00
Kir Kolyshkin e1d04cdfeb script/seccomp.sh: check tarball sha256
Add checking of downloaded tarball checksum.

In case it doesn't match the hardcoded value, the error is like this:

	libseccomp-2.5.4.tar.gz: FAILED
	sha256sum: WARNING: 1 computed checksum did NOT match

In case the checksum for a particular version is not specified in the
script, the error will look like this:

	./script/seccomp.sh: line 29: SECCOMP_SHA256[${ver}]: unbound variable

In case the the hardcoded value in the file is of wrong format/length,
we'll get:

	sha256sum: 'standard input': no properly formatted SHA256 checksum lines found

In any of these cases, the script aborts (due to set -e).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-25 18:29:07 -07:00
Akihiro Suda 016a0d29d1 Merge pull request #3452 from kolyshkin/separate-devices
Decouple setting cgroup device rules from cgroup manager
2022-05-25 18:11:36 +09:00
Aleksa Sarai 436b86f5d9 merge branch 'pr-3483'
Kir Kolyshkin:
  ci: drop docker layer caching from release job

LGTMs: thaJeztah cyphar
Closes #3483
2022-05-25 08:46:15 +10:00
Kir Kolyshkin fbafaf315e ci: drop docker layer caching from release job
This job is failing with "No space left on device" lately, and this
helps to fix it.

Besides, it seems that caching does not help to shorten execution times
(validate/release job succeeds in under 8 minutes now; ymmv).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-24 11:22:27 -07:00
Akihiro Suda 3f0daac908 Merge pull request #3480 from kolyshkin/bump-libseccomp
Dockerfile,scripts/release: bump libseccomp to v2.5.4
2022-05-24 13:13:19 +09:00
Kir Kolyshkin f7b07fd54c Dockerfile,scripts/release: bump libseccomp to v2.5.4
Release notes: https://github.com/seccomp/libseccomp/releases/tag/v2.5.4

This affects the released static binaries (as they are statically linked
against libseccomp).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-23 12:56:35 -07:00
Kir Kolyshkin 848aa38b8e Merge pull request #3474 from cyphar/seccomp-enosys-setup
seccomp: enosys: always return -ENOSYS for setup(2)
2022-05-23 10:43:54 -07:00
Aleksa Sarai 6a79271c31 seccomp: patchbpf: minor cleanups
Define sizeof(int) as a constant, and also return ENOSYS earlier in the
filter if it doesn't increase the number of instructions we generate
(this is a negligible performance improvement but it does make it easier
to understand the generated filter stub).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2022-05-23 16:36:07 +10:00
Aleksa Sarai be6488a5a9 seccomp: enosys: always return -ENOSYS for setup(2) on s390(x)
On s390x, syscalls above 255 are multiplexed using the (now otherwise
unused) setup(2) syscall (syscall number 0). If the kernel supports the
syscall then it will correctly translate the syscall number such that
seccomp will correctly detect it -- however, for unknown syscalls the
syscall number remains unchanged. This can be verified by running the
following program under strace:

	int main(void)
	{
		scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_TRAP);
		seccomp_load(ctx);

		return syscall(439, AT_FDCWD, "asdf", X_OK, 0);
	}

Which will then die with the following signal (on pre-5.8 kernels):

	--- SIGSYS {si_signo=SIGSYS, si_code=SYS_SECCOMP,
	            si_call_addr=0x3ffb3006c22, si_syscall=__NR_setup,
	            si_arch=AUDIT_ARCH_S390X} ---

(Note that the si_syscall is __NR_setup, not __NR_faccessat2.)

As a result, the -ENOSYS handling we had previously did not work
completely correctly on s390x because any syscall not supported by the
kernel would be treated as syscall number 0 rather than the actual
syscall number.

Always returning -ENOSYS will not cause any issues because in all of the
cases where this multiplexing occurs, seccomp will see the remapped
syscall number -- and no userspace program will call setup(2)
intentionally (the syscall has not existed in Linux for decades and was
originally a hack used early in Linux init prior to spawning pid1 -- so
you will get -ENOSYS from the kernel anyway).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2022-05-23 16:36:07 +10:00
Kir Kolyshkin 967079dfc1 Merge pull request #3475 from chenk008/fix_dbus_connection_closed
libct/cg/sd: check dbus.ErrClosed instead of isDbusError
2022-05-20 11:07:06 -07:00
Kang Chen 0ca0bb9fee libct/cg/sd: check dbus.ErrClosed instead of isDbusError
Signed-off-by: Kang Chen <kongchen28@gmail.com>
2022-05-20 14:47:19 +08:00
Akihiro Suda 8093c54d91 Merge pull request #3446 from kolyshkin/risc
release: build riscv64 binary, build static PIE if supported
2022-05-19 18:49:27 +09:00
Kir Kolyshkin 47e09976a3 libct/cg/dev: privatize some functions
These are only used from inside the package, and we don't want them to
be public.

The only two methods left are Enable and Disable.

While at it, fix or suppress found lint-extra warnings.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-18 11:17:13 -07:00
Kir Kolyshkin b6967fa84c Decouple cgroup devices handling
This commit separates the functionality of setting cgroup device
rules out of libct/cgroups to libct/cgroups/devices package. This
package, if imported, sets the function variables in libct/cgroups and
libct/cgroups/systemd, so that a cgroup manager can use those to manage
devices. If those function variables are nil (when libct/cgroups/devices
are not imported), a cgroup manager returns the ErrDevicesUnsupported
in case any device rules are set in Resources.

It also consolidates the code from libct/cgroups/ebpf and
libct/cgroups/ebpf/devicefilter into libct/cgroups/devices.

Moved some tests in libct/cg/sd that require device management to
libct/sd/devices.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-18 11:17:08 -07:00
Kir Kolyshkin 25f1856236 libct/cg/sd: factor out devices.go
This moves the functionality related to devices, SkipDevices, and
SkipFreezeOnSet to a separate file, in preparation for the next commit.

No code changes.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-18 11:14:03 -07:00
Aleksa Sarai 9524366183 merge branch 'pr-3384'
wineway (2):
  libct: use `unix.Getwd` instead of `os.Getwd` to avoid symlink
  go.mod: golang.org/x/sys v0.0.0-20220310020820-b874c991c1a5

LGTMs: kolyshkin cyphar
Closes #3384
2022-05-13 09:01:16 +10:00
wineway d160116055 libct: use unix.Getwd instead of os.Getwd to avoid symlink
Signed-off-by: wineway <wangyuweihx@gmail.com>
2022-05-11 17:25:34 -07:00
wineway cab3888575 go.mod: golang.org/x/sys v0.0.0-20220310020820-b874c991c1a5
to include https://go-review.googlesource.com/c/sys/+/387194 which ensured unix::Getwd returned path is absolute

Signed-off-by: wineway <wangyuweihx@gmail.com>
2022-05-11 17:25:34 -07:00
Kir Kolyshkin a14cc4059d release: add riscv64 binary
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 17:23:45 -07:00
Akihiro Suda 1d7b297128 libct/seccomp: add riscv64
Co-authored-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 17:23:45 -07:00
Kir Kolyshkin dafcacb522 Makefile: set CGO_ENABLED=1 when needed
It doesn't matter whether static or dynamic linking is used, runc
always needs libcontainer/nsenter, which is written in C and thus
requires cgo. Same is true for libcontainer/integration.

In addition, contrib/pkg/seccompagent also needs cgo (if seccomp build
tag is set), as it need to be linked against libseccomp C library.

By default, cgo is disabled when cross-compiling, meaning that
CGO_ENABLED=1 has to be set explicitly in such cases.

In all other cases (e.g. other contrib binaries) we do not need cgo.

Remove CGO_ENABLED=1 from GO_BUILD_STATIC (as it does not have anything
to do with static linking), and add it to all targets that require it.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 17:23:45 -07:00
Kir Kolyshkin 21e32d47d3 Makefile: add support for static PIE
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 17:23:45 -07:00
Kir Kolyshkin ab5c60d02f Makefile: fix GO_BUILDMODE setting
1. Set to empty value by default.

2. Assume Linux (remove GOOS check, since we do not support other OSes).

3. Instead of using a "not-supported" list, use a "supported" list
   (as Go release notes usually say which platforms are supported).
   As of today, -buildmode=pie is supported for:

 * linux/386, linux/amd64, linux/arm, linux/arm64, and linux/ppc64le
   (since Go 1.6, see https://tip.golang.org/doc/go1.6#compiler)

 * linux/s390x (since Go 1.7, which adds the initial port)

 * linux/riscv64 (since Go 1.16, see
   https://tip.golang.org/doc/go1.16#riscv)

   NOTE this does not mean we support these architectures; it is merely
   a way to see if -buildmode=pie can be used.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 17:23:45 -07:00
Kir Kolyshkin f2f6e59937 Makefile: add LDFLAGS_COMMON and LDFLAGS_STATIC
LDFLAGS_COMMON are used from two places, so it makes sense to dedup.

LDFLAGS_STATIC is a preparation for the next commit.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 17:23:45 -07:00
Kir Kolyshkin f0f1b5f969 Dockerfile: don't use crossbuild-essential-*
All we need is gcc, libc-dev, and binutils. In addition to that,
crossbuild-essential installs g++, libstdc++-dev, and a bunch of perl
packages and libraries which we do not need.

This should speed up image building, as well as make it smaller.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 17:23:45 -07:00
Kir Kolyshkin 476aa18abe Dockerfile: rm dpkg --add-architecture lines
Dockerfile used to install libseccomp-dev packages for different
architectures. This is no longer true since commit f30244ee1b, which
changed to cross-compiling libseccomp (so we can get a static library
to link against).

Thus, adding extra architectures is no longer needed.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 17:23:45 -07:00
Kir Kolyshkin d542ad65ba Dockerfile: nit
We do not use all the files from scripts, only seccomp.sh and lib.sh.

This prevents unneeded rebuild of the image if e.g.
scripts/release_build.sh has changed.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 17:23:45 -07:00
Akihiro Suda 2661d59287 Merge pull request #3471 from kolyshkin/fix-fedora-ci-git
Vagrantfile.fedora: fix build wrt new git
2022-05-12 09:05:58 +09:00
Aleksa Sarai d04de3a9b7 Merge pull request from GHSA-f3fp-gc8g-vw66
runc: do not set inheritable capabilities
2022-05-12 08:15:42 +10:00
Kir Kolyshkin 98fe566c52 runc: do not set inheritable capabilities
Do not set inheritable capabilities in runc spec, runc exec --cap,
and in libcontainer integration tests.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-12 08:14:50 +10:00
Kir Kolyshkin 009e627cb0 Vagrantfile.fedora: fix build wrt new git
With the updated git in Fedora 35, we can't build it via sudo:

	ssh default 'sudo -i make -C /vagrant localunittest'
	make: Entering directory '/vagrant'
	fatal: unsafe repository ('/vagrant' is owned by someone else)
	To add an exception for this directory, call:

		git config --global --add safe.directory /vagrant
	go build -trimpath "-buildmode=pie"  -tags "seccomp" -ldflags "-X main.gitCommit= -X main.version=1.1.0+dev " -o runc .
	error obtaining VCS status: exit status 128
		Use -buildvcs=false to disable VCS stamping.
	make: Leaving directory '/vagrant'

This commit should fix this.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-11 15:03:32 -07:00
Sebastiaan van Stijn 94105ca31d Merge pull request #3468 from kolyshkin/no-tun
Remove tun/tap from the default device rules
2022-05-11 00:28:55 +02:00
Akihiro Suda 33946701db Merge pull request #3469 from kolyshkin/fix-ci-typo
tests/int: fix a bad typo
2022-05-07 15:25:27 +09:00
Kir Kolyshkin 4d3e52f207 tests/int: fix a bad typo
As a result, cgroup v1 only tests are being skipped.

Fixes: a2123baf63
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-06 13:46:21 -07:00
Sebastiaan van Stijn aac018175e Merge pull request #3369 from kolyshkin/more-tests-nits
tests/int: nits and cleanups
2022-05-06 13:22:11 +02:00
Kir Kolyshkin 2ce40b6ad7 Remove tun/tap from the default device rules
Looking through git blame, this was added by commit 9fac18329
aka "Initial commit of runc binary", most probably by mistake.

Obviously, a container should not have access to tun/tap device, unless
it is explicitly specified in configuration.

Now, removing this might create a compatibility issue, but I see no
other choice.

Aside from the obvious misconfiguration, this should also fix the
annoying

> Apr 26 03:46:56 foo.bar systemd[1]: Couldn't stat device /dev/char/10:200: No such file or directory

messages from systemd on every container start, when runc uses systemd
cgroup driver, and the system runs an old (< v240) version of systemd
(the message was presumably eliminated by [1]).

[1] https://github.com/systemd/systemd/pull/10996/commits/d5aecba6e0b7c73657c4cf544ce57289115098e7

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-05-04 15:38:58 -07:00
Sebastiaan van Stijn da6f3b06e2 Merge pull request #3465 from crazy-max/update-libseccomp
vendor: bump seccomp/libseccomp-golang to f33da4d
2022-05-04 21:00:17 +02:00
Kir Kolyshkin 68427f33d0 libct/seccomp/config: add missing KillThread, KillProcess
OCI spec added SCMP_ACT_KILL_THREAD and SCMP_ACT_KILL_PROCESS almost two
years ago ([1], [2]), but runc support was half-finished [3].

Add these actions, and modify the test case to check them.

In addition, "runc features" now lists the new actions.

[1] https://github.com/opencontainers/runtime-spec/pull/1044
[2] https://github.com/opencontainers/runtime-spec/pull/1064
[3] https://github.com/opencontainers/runc/pulls/3204

Fixes: 4a4d4f109b
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit e74fdeb88a)
2022-05-04 16:22:09 +02:00
CrazyMax df2bc1380e vendor: bump seccomp/libseccomp-golang to f33da4d
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-05-03 13:15:02 +02:00
CrazyMax 29a56b5206 fix deprecated ActKill
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-05-03 13:15:01 +02:00
Mrunal Patel 48464417f4 Merge pull request #3461 from kolyshkin/bump-urfave-cli
vendor: bump urfave/cli to v1.22.6
2022-04-25 16:06:37 -07:00
Sebastiaan van Stijn 255fe4099e Merge pull request #3445 from kolyshkin/gha-ro
ci/gha: limit jobs permissions
2022-04-22 20:44:37 +02:00
Sebastiaan van Stijn 062fc87995 Merge pull request #3451 from dsouzai/ns_last_pid
Allow mounting of /proc/sys/kernel/ns_last_pid
2022-04-22 20:41:58 +02:00
Kir Kolyshkin 9c710564fd vendor: bump urfave/cli to v1.22.6
This finally fixes the regression of not allowing -1 as an argument,
which is reported in https://github.com/urfave/cli/pull/1135.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-04-21 19:36:49 -07:00
Sebastiaan van Stijn 238717ddd3 Merge pull request #3457 from kolyshkin/ci-merge-lint-extra
ci/gha: convert lint-extra from a job to a step
2022-04-14 13:42:40 +02:00
Sebastiaan van Stijn 727aa42fd7 Merge pull request #3378 from kolyshkin/ci-verify-more
shellcheck/shfmt more files; run check-config in CI
2022-04-14 13:39:29 +02:00
Kir Kolyshkin 4642d5282e Merge pull request #3458 from opencontainers/dependabot/github_actions/actions/cache-3.0.2
build(deps): bump actions/cache from 3.0.1 to 3.0.2
2022-04-13 22:35:00 -07:00
Kir Kolyshkin fa83a17c57 ci/gha: convert lint-extra from a job to a step
There is no need to parallelize lint and lint-extra jobs,
and they only differ with the arguments to golangci-lint.
Given that the longest time spent in these jobs is installing
libseccomp-dev, and that the second linter run can probably
benefit a lot from caching, it makes sense to merge them.

Move lint-extra from a separate job to a step in lint job.

The implementation is motivated by [1] and relies on the fact
that the last commit being fetched is the merge commit. So,
we need to set fetch-depth to 2 to be able to see the diff of
the merge commit -- and this is what golangci-lint is using.

[1] https://github.com/golangci/golangci-lint-action/issues/449#issuecomment-1096995821

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-04-13 20:20:15 -07:00
Akihiro Suda b6e337ac93 Merge pull request #3459 from opencontainers/dependabot/go_modules/github.com/moby/sys/mountinfo-0.6.1
build(deps): bump github.com/moby/sys/mountinfo from 0.6.0 to 0.6.1
2022-04-13 16:05:56 +09:00
dependabot[bot] de25777a4b build(deps): bump github.com/moby/sys/mountinfo from 0.6.0 to 0.6.1
Bumps [github.com/moby/sys/mountinfo](https://github.com/moby/sys) from 0.6.0 to 0.6.1.
- [Release notes](https://github.com/moby/sys/releases)
- [Commits](https://github.com/moby/sys/compare/signal/v0.6.0...mountinfo/v0.6.1)

---
updated-dependencies:
- dependency-name: github.com/moby/sys/mountinfo
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-13 04:17:00 +00:00
Kir Kolyshkin 98d3b5a495 Merge pull request #3455 from opencontainers/dependabot/github_actions/actions/upload-artifact-3
build(deps): bump actions/upload-artifact from 2 to 3
2022-04-12 14:31:53 -07:00
Sebastiaan van Stijn 66d12b5a0b Merge pull request #3456 from kolyshkin/ci-rm-stable
ci/gha: remove stable: when installing Go
2022-04-12 09:28:18 +02:00
dependabot[bot] d73579cabc build(deps): bump actions/cache from 3.0.1 to 3.0.2
Bumps [actions/cache](https://github.com/actions/cache) from 3.0.1 to 3.0.2.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v3.0.1...v3.0.2)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-12 06:35:18 +00:00
Kir Kolyshkin 66be704d02 ci/gha: remove stable: when installing Go
Since the recent bump of actions/setup-go to v3 (commit
9d2268b9db), specifying "stable:" is no longer needed
when we want to try a beta or rc version of Go.

Remove it.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-04-11 17:14:13 -07:00
Sebastiaan van Stijn 36585a8f0a Merge pull request #3454 from opencontainers/dependabot/github_actions/actions/setup-go-3
build(deps): bump actions/setup-go from 2 to 3
2022-04-12 00:01:17 +02:00
dependabot[bot] b6eb94762a build(deps): bump actions/upload-artifact from 2 to 3
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 2 to 3.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v2...v3)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-11 04:16:44 +00:00
dependabot[bot] 9d2268b9db build(deps): bump actions/setup-go from 2 to 3
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 2 to 3.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/v2...v3)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-11 04:16:41 +00:00
Irwin D'Souza b76b6b9338 Allow mounting of /proc/sys/kernel/ns_last_pid
The CAP_CHECKPOINT_RESTORE linux capability provides the ability to
update /proc/sys/kernel/ns_last_pid. However, because this file is under
/proc, and by default both K8s and CRI-O specify that /proc/sys should
be mounted as Read-Only, by default even with the capability specified,
a process will not be able to write to ns_last_pid.

To get around this, a pod author can specify a volume mount and a
hostpath to bind-mount /proc/sys/kernel/ns_last_pid. However, runc does
not allow specifying mounts under /proc.

This commit adds /proc/sys/kernel/ns_last_pid to the validProcMounts
string array to enable a pod author to mount ns_last_pid as read-write.
The default remains unchanged; unless explicitly requested as a volume
mount, ns_last_pid will remain read-only regardless of whether or not
CAP_CHECKPOINT_RESTORE is specified.

Signed-off-by: Irwin D'Souza <dsouzai.gh@gmail.com>
2022-04-07 14:08:59 -04:00
Kir Kolyshkin 67e06706ef ci/gha: limit jobs permissions
Most jobs only require to read the repo. Some require to read PRs as
well.

For details, see
https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions

Reported-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-04-06 14:25:22 -07:00
Kir Kolyshkin b802def2f6 Merge pull request #3444 from opencontainers/dependabot/github_actions/actions/cache-3.0.1
build(deps): bump actions/cache from 2 to 3.0.1
2022-03-31 09:36:24 -07:00
dependabot[bot] 7260bae675 build(deps): bump actions/cache from 2 to 3.0.1
Bumps [actions/cache](https://github.com/actions/cache) from 2 to 3.0.1.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v2...v3.0.1)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-31 04:15:06 +00:00
Kir Kolyshkin ae6cb653f4 man/*sh: fix shellcheck warnings, add to shellcheck
Now the only remaining file that needs shellcheck warnings to be fixed
is bash-completion. Note that in Makefile's TODO.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-30 20:47:45 -07:00
Kir Kolyshkin cacc823724 ci: add call to check-config.sh
This is done to make sure the script is working correctly in different
environments (distro and kernel versions). In addition, we can see in
test logs which kernel features are enabled.

Note that I didn't want to have a separate job for GHA CI, so I just
added this to the end of shellcheck one.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-30 20:47:45 -07:00
Kir Kolyshkin 5d1ef78cad script/check-config.sh: enable set -u, fix issues
One particularly bad one is ${codes[@]} which is fine in bash 4.4+,
but gives "codes[@]: unbound variable" with older bash versions,
such as with bash 4.2 used on CentOS 6. It's good that this is the only
array in the script that can potentially be empty.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-30 20:47:45 -07:00
Kir Kolyshkin d66498e771 script/check-config.sh: fix remaining shellcheck warnings
... and add this file to shellcheck target in Makefile.

These:

	In script/check-config.sh line 27:
	kernelMinor="${kernelVersion#$kernelMajor.}"
				     ^----------^ SC2295 (info): Expansions inside ${..} need to be quoted separately, otherwise they match as patterns.

	Did you mean:
	kernelMinor="${kernelVersion#"$kernelMajor".}"

	In script/check-config.sh line 103:
		source /etc/os-release 2>/dev/null || /bin/true
		       ^-------------^ SC1091 (info): Not following: /etc/os-release was not specified as input (see shellcheck -x).

	In script/check-config.sh line 267:
		NET_CLS_CGROUP $netprio
			       ^------^ SC2206 (warning): Quote to prevent word splitting/globbing, or split robustly with mapfile or read -a.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-30 20:47:45 -07:00
Kir Kolyshkin baa06227a4 script/check-config.sh: fix SC2166 warnings
Like this one:

	In ./script/check-config.sh line 215:
	if [ "$kernelMajor" -lt 5 ] || [ "$kernelMajor" -eq 5 -a "$kernelMinor" -le 1 ]; then
							      ^-- SC2166 (warning): Prefer [ p ] && [ q ] as [ p -a q ] is not well defined.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-30 20:47:45 -07:00
Kir Kolyshkin dc73d236ea script/check-config.sh: fix wrap_color usage
1. Allow wrap_bad and wrap_good to have an optional arguments.

2. Remove unneeded echos; this fixes the shellcheck warnings like

	In ./script/check-config.sh line 178:
			echo "$(wrap_bad 'cgroup hierarchy' 'nonexistent??')"
                             ^-- SC2005 (style): Useless echo? Instead of 'echo $(cmd)', just use 'cmd'.

3. Fix missing color argument in calls to wrap_color (when printing the
   hint about how to install apparmor).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-30 20:47:45 -07:00
Kir Kolyshkin 6b16d0051f shfmt: add more files
…and fix a single format issue found.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-30 20:47:45 -07:00
Mrunal Patel 8cf61d9b15 Merge pull request #3441 from opencontainers/dependabot/go_modules/github.com/opencontainers/selinux-1.10.1
build(deps): bump github.com/opencontainers/selinux from 1.10.0 to 1.10.1
2022-03-30 20:32:57 -07:00
Mrunal Patel 885cfd7b46 Merge pull request #3443 from kolyshkin/ci-main
ci/gha: run on main branch
2022-03-30 20:04:35 -07:00
Kir Kolyshkin 01f30162d2 ci/gha: run on main branch
Since we have renamed our default branch, GHA CI is no longer testing
it (see https://github.com/opencontainers/runc/actions).

Fix this.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-30 11:06:25 -07:00
dependabot[bot] d77f898ff5 build(deps): bump github.com/opencontainers/selinux
Bumps [github.com/opencontainers/selinux](https://github.com/opencontainers/selinux) from 1.10.0 to 1.10.1.
- [Release notes](https://github.com/opencontainers/selinux/releases)
- [Commits](https://github.com/opencontainers/selinux/compare/v1.10.0...v1.10.1)

---
updated-dependencies:
- dependency-name: github.com/opencontainers/selinux
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-30 04:16:27 +00:00
Kir Kolyshkin 08a7e18dbf Merge pull request #3440 from masahir0y/trivial
Trivial changes
2022-03-29 16:09:34 -07:00
Masahiro Yamada 5222928650 libct/specconv: use a local variable in CreateCgroupConfig()
Use r instead of spec.Linux.Resources to be consistent throughout
this code hunk.

Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
2022-03-29 22:48:06 +09:00
Akihiro Suda 8d48ce2c69 Merge pull request #3433 from kolyshkin/dont-panic
libct/cg: IsCgroup2HybridMode: don't panic
2022-03-28 20:06:25 +09:00
Kir Kolyshkin d0c89dfac3 libct/cg: IsCgroup2HybridMode: don't panic
In case statfs("/sys/fs/cgroup/unified") fails with any error other
than ENOENT, current code panics. As IsCgroup2HybridMode is called from
libcontainer/cgroups/fs's init function, this means that any user of
libcontainer may panic during initialization, which is ugly.

Avoid panicking; instead, do not enable hybrid hierarchy support and
report the error (under debug level, not to confuse anyone).

Basically, replace the panic with "turn off hybrid mode support"
(which makes total sense since we were unable to statfs its root).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-26 18:14:08 -07:00
Sebastiaan van Stijn 86d6898f30 Merge pull request #3375 from kolyshkin/rm-container-iface
libct: rm BaseContainer and Container interfaces
2022-03-23 21:23:50 +01:00
Akihiro Suda cae822862c Merge pull request #3428 from opencontainers/dependabot/go_modules/google.golang.org/protobuf-1.28.0
build(deps): bump google.golang.org/protobuf from 1.27.1 to 1.28.0
2022-03-24 04:37:01 +09:00
dependabot[bot] 82bc042d27 build(deps): bump google.golang.org/protobuf from 1.27.1 to 1.28.0
Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go) from 1.27.1 to 1.28.0.
- [Release notes](https://github.com/protocolbuffers/protobuf-go/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash)
- [Commits](https://github.com/protocolbuffers/protobuf-go/compare/v1.27.1...v1.28.0)

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-23 18:14:30 +00:00
Kir Kolyshkin d620a401d7 tests/int: remove $ROOTLESS, use $EUID
The variable $ROOTLESS, as set by helpers.bash and used in many places,
provides the same value as $EUID which is always set by bash. Since we
are using bash, we can rely on $EUID being omnipresent.

Modify all uses accordingly, and since the value is known to be a
number, omit the quoting.

Similarly, replace all uses of $(id -u) to $EUID.

Do some trivial cleanups along the way, such as
 - simplify some if A; then B; to A && B;
 - do not use [[ instead of [ where not necessary.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-23 11:12:44 -07:00
Kir Kolyshkin d330f94b57 tests/int/update.bats: fix extra reqs
This test requires both rootless and root, which does not make sense.

Remove the rootless part.

Fixes: d41a273da
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-23 11:12:44 -07:00
Kir Kolyshkin a2123baf63 tests/int: replace CGROUP_UNIFIED with CGROUP_V{1,2}
This makes it work similar to all the other variables we use as binary
flags.

The new 'shellcheck disable' is due to a bug in shellcheck (basically,
it does not track the scope of variables or execution order, assuming
everything is executed as soon as it is seen).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-23 11:12:44 -07:00
Kir Kolyshkin 25ef852ad6 tests/int: use = in test for strings comparison
Strictly speaking, == is for [[ only, not for [ / test,
and, unlike =, the right side is a pattern.

To avoid confusion, use =. In cases where we compare with empty string,
use -z instead.

Keep using [[ in some cases since it does not require quoting the left
and right side of comparison (I trust shellcheck on that one).

This should have no effect (other than the code being a tad more
strict).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-23 11:12:44 -07:00
Kir Kolyshkin 102b8abd26 libct: rm BaseContainer and Container interfaces
The only implementation of these is linuxContainer. It does not make
sense to have an interface with a single implementation, and we do not
foresee other types of containers being added to runc.

Remove BaseContainer and Container interfaces, moving their methods
documentation to linuxContainer.

Rename linuxContainer to Container.

Adopt users from using interface to using struct.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-23 11:04:12 -07:00
Sebastiaan van Stijn c4c48896eb Merge pull request #3427 from kolyshkin/add-centos-stream-9
CI/cirrus: add centos-stream-9
2022-03-23 13:46:00 +01:00
Sebastiaan van Stijn eba9367000 Merge pull request #3373 from kolyshkin/less-interfaces
Remove Factory and LinuxFactory
2022-03-23 10:14:05 +01:00
Kir Kolyshkin 6a3fe1618f libcontainer: remove LinuxFactory
Since LinuxFactory has become the means to specify containers state
top directory (aka --root), and is only used by two methods (Create
and Load), it is easier to pass root to them directly.

Modify all the users and the docs accordingly.

While at it, fix Create and Load docs (those that were originally moved
from the Factory interface docs).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-22 23:44:31 -07:00
Kir Kolyshkin 6a29787bc9 libct/factory: make some methods functions
These do not have to be methods.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-22 23:29:24 -07:00
Kir Kolyshkin 8358a0ecbb libct: StartInitialization: decouple from factory
StartInitialization does not have to be a method of Factory (while
it is clear why it was done that way initially, now we only have
Linux containers so it does not make sense).

Fix callers and docs accordingly.

No change in functionality.

Also, since this was the only user of libcontainer.New with the empty
string as an argument, the corresponding check can now be removed
from it.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-22 23:29:24 -07:00
Kir Kolyshkin a78c9a0184 libct: remove Factory interface
The only implementation is LinuxFactory, let's use this directly.

Move the piece of documentation about Create from removed factory.go to
the factory_linux.go.

The LinuxFactory is to be removed later.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-22 23:29:24 -07:00
Kir Kolyshkin 71bc308b7f libct/New: remove options argument
It is not used by anyone.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-22 23:29:24 -07:00
Kir Kolyshkin b6514469a8 libct: remove TmpfsRoot
Is is not used by anyone

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-22 23:29:24 -07:00
Kir Kolyshkin 87cf5d2027 CI/cirrus: add centos-stream-9
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-22 18:03:13 -07:00
Kir Kolyshkin 6e624d6f20 Merge pull request #3419 from kolyshkin/go1.18
Add / switch to Go 1.18
2022-03-22 18:02:37 -07:00
Sebastiaan van Stijn 404d9162b4 Merge pull request #3424 from kolyshkin/fix-badges
README,libct/README: fix pkg.go.dev badges
2022-03-23 00:33:06 +01:00
Mrunal Patel b9d55d5852 Merge pull request #3367 from kolyshkin/tests-add-set-u
tests: add `set -u`
2022-03-22 14:24:31 -07:00
Kir Kolyshkin a0f8847e2a Drop go 1.16
Require go 1.17 from now on, since go 1.16 is no longer supported.
Drop go1.16 compatibility.

NOTE we also have to install go 1.18 from Vagrantfile, because
Fedora 35 comes with Go 1.16.x which can't be used.

Note the changes to go.mod and vendor are due to
https://go.dev/doc/go1.17#tools

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-22 12:22:22 -07:00
Kir Kolyshkin 5211cc3f7e Add / switch to Go 1.18
Switch to Go 1.18 as the default Go version.

Support for Go 1.16 is removed by the next commit.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-22 12:22:22 -07:00
Kir Kolyshkin 7cec81e060 libct: suppress strings.Title deprecation warning
Function strings.Title is deprecated as of Go 1.18, because it does not
handle some corner cases good enough. In this case, though, it is
perfectly fine to use it since we have a single ASCII word as an
argument, and strings.Title won't be removed until at least Go 2.0.

Suppress the deprecation warning.

The alternative is to not capitalize the namespace string; this will break
restoring of a container checkpointed by earlier version of runc.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-22 12:22:10 -07:00
Kir Kolyshkin fcab941e4d ci: switch to golangci-lint 1.45
For release notes, see
https://github.com/golangci/golangci-lint/releases/tag/v1.45.0

Notably, it adds support for Go 1.18.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-22 12:16:23 -07:00
Qiang Huang c258ed0fc3 Merge pull request #3392 from kolyshkin/test-runc-delete-flake
tests/int: runc delete: fix flake, enable for rootless
2022-03-22 09:02:26 +08:00
Kir Kolyshkin 3618079cab README.md: add cirrus-ci badge
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-21 17:19:06 -07:00
Kir Kolyshkin f309a69a48 README,libct/README: fix pkg.go.dev badges
What used to be godoc.org is now pkg.go.dev, and while the old URLs
still work, they might be broken in the future.

Updated badges are generated via https://pkg.go.dev/badge/

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-21 17:05:41 -07:00
Sebastiaan van Stijn f6e5831cd0 Merge pull request #3420 from kolyshkin/rootlessEUIDMount
libct/configs/validate: rootlessEUIDMount: speedup
2022-03-21 17:09:54 +01:00
Kir Kolyshkin 48006d0007 libct/configs/validate: rootlessEUIDMount: speedup
1. Fix function docs. In particular, remove the part
   which is not true ("verifies that the user isn't trying to set up any
   mounts they don't have the rights to do"), and fix the part that
   says "that doesn't resolve to root" (which is no longer true since
   commit d8b669400a).

2. Replace fmt.Sscanf (which is slow and does lots of allocations)
   with strings.TrimPrefix and strconv.Atoi.

3. Add a benchmark for rootlessEUIDMount. Comparing the old and the new
   implementations:

	name                 old time/op    new time/op    delta
	RootlessEUIDMount-4    1.01µs ± 2%    0.16µs ± 1%  -84.15%  (p=0.008 n=5+5)

	name                 old alloc/op   new alloc/op   delta
	RootlessEUIDMount-4      224B ± 0%       80B ± 0%  -64.29%  (p=0.008 n=5+5)

	name                 old allocs/op  new allocs/op  delta
	RootlessEUIDMount-4      7.00 ± 0%      1.00 ± 0%  -85.71%  (p=0.008 n=5+5)

Note this code is already tested (in rootless_test.go).

Fixes: d8b669400a
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-17 13:39:55 -07:00
Akihiro Suda 98b75befc4 Merge pull request #3416 from kinvolk/rata/seccomp-misc
tests: Improve seccomp-notify test names and description
2022-03-17 13:02:03 +09:00
Rodrigo Campos a99f82add1 tests: Add comment to clarify intent of seccomp-notify tests
While doing the previous fix, I went over all the tests in this file and
made sure they were named correctly. This patch just adds a small
sentence to clarify the intent, and does some minor improvements to some
other test names.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2022-03-15 11:09:20 +01:00
Rodrigo Campos 9f9acd1a0c tests: Improve name of seccomp notify test
There was a typo and instead of "empty" we should have used "non-empty".

Let's add a small sentence explaining the intent (like other tests in
this file) and let's highlight what we expect to happen in this test (to
ignore the listenerPath).

Fixes: #3415

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2022-03-15 11:09:00 +01:00
Sebastiaan van Stijn 51e607f2cd Merge pull request #3356 from kolyshkin/user-dbus
libct/cg/sd: simplify DetectUserDbusSessionBusAddress
2022-03-09 17:36:02 +01:00
Akihiro Suda 7fd8b57001 Merge pull request #3374 from kolyshkin/cli-nits
Assorted CLI nitpicks
2022-03-09 12:49:23 +09:00
Sebastiaan van Stijn 4e0d6898f6 Merge pull request #3370 from kolyshkin/bump-gofumpt
ci: bump golangci-lint to v1.44, golangci-lint-action to v3
2022-03-08 12:57:11 +01:00
Kir Kolyshkin 728571c16f tests/int: runc delete: fix flake, enable for rootless
The following failure was observed in CI (on centos-stream-8 in
integration-cgroup suite):

	not ok 42 runc delete
	 (from function `fail' in file tests/integration/helpers.bash, line 338,
	  in test file tests/integration/delete.bats, line 30)
	   `[ "$output" = "" ] || fail "cgroup not cleaned up correctly: $output"' failed
	....
	cgroup not cleaned up correctly: /sys/fs/cgroup/pids/system.slice/tmp-bats\x2drun\x2d68012-runc.IPOypI-state-testbusyboxdelete-runc.zriC8C.mount
	/sys/fs/cgroup/cpu,cpuacct/system.slice/tmp-bats\x2drun\x2d68012-runc.IPOypI-state-testbusyboxdelete-runc.zriC8C.mount
	...

Apparently, this is a cgroup systemd creates for a mount unit which
appears then runc does internal /proc/self/exe bind-mount. The test
case should not take it into account.

The second problem with this test is it does not check that cgroup
actually exists when the container is running (so checking that it
was removed after makes less sense). For example, in rootless mode
the cgroup might not have been created.

Fix the find arguments to look for a specific cgroup name, and add
a check that these arguments are correct (i.e. the cgroup is found
when the container is running).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-07 15:33:29 -08:00
Kir Kolyshkin f7637defb8 ci: use golangci-lint-action v3, GO_VERSION
golangci-lint-action v3 no longer installs golang itself, and the
version that comes with Ubuntu is not new/good enough.

Install go 1.17.x explicitly.

Introduce GO_VERSION environment variable to avoid duplication,
and use it instead of 1.x in other places, so that implicit go update
won't bring some unexpected failures.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-07 10:57:35 -08:00
Kir Kolyshkin f7d4613492 ci: bump golangci-lint to v1.44
Also, remove "must be specified without patch version" as this is no
longer true.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-07 10:42:01 -08:00
Kir Kolyshkin 89733cd055 Format sources using gofumpt 0.2.1
... which adds a wee more whitespace fixes.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-07 10:42:01 -08:00
Kir Kolyshkin ec9e81bfb0 Merge pull request #3400 from opencontainers/dependabot/github_actions/actions/checkout-3
build(deps): bump actions/checkout from 2 to 3
2022-03-07 10:33:42 -08:00
Akihiro Suda f7bce6b769 Merge pull request #3382 from marquiz/devel/rdt-validation
configs/validate: looser validation for RDT
2022-03-07 14:36:23 +09:00
Akihiro Suda 4d2e4f1a6b Merge pull request #3381 from lifubang/exec-subcgroup
ensure the path is a sub-cgroup path
2022-03-07 14:35:49 +09:00
Sebastiaan van Stijn 1515d93639 Merge pull request #3389 from kolyshkin/delegate-enoent
libct/cg/sd/v2: fix ENOENT on cgroup delegation
2022-03-04 10:00:12 +01:00
dependabot[bot] a43485c92c build(deps): bump actions/checkout from 2 to 3
Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v2...v3)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-02 04:20:24 +00:00
Kir Kolyshkin 1a93520841 libct/cg/sd: simplify DetectUserDbusSessionBusAddress
Apparently, "systemctl --user --no-pager show-environment" is useless
without DBUS_SESSION_BUS_ADDRESS or XDG_RUNTIME_DIR set:

	$ echo $DBUS_SESSION_BUS_ADDRESS, $XDG_RUNTIME_DIR
	unix:path=/run/user/1000/bus, /run/user/1000
	$ systemctl --user --no-pager show-environment | grep DBUS_SESS
	DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
	$ unset DBUS_SESSION_BUS_ADDRESS
	$ systemctl --user --no-pager show-environment | grep DBUS_SESS
	DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
	$ unset XDG_RUNTIME_DIR
	$ systemctl --user --no-pager show-environment | grep DBUS_SESS
	Failed to connect to bus: $DBUS_SESSION_BUS_ADDRESS and $XDG_RUNTIME_DIR not defined (consider using --machine=<user>@.host --user to connect to bus of other user)

So, it does not make sense to try it to get the address.

Also, it does not make sense to suggest  "systemctl --user start dbus"
either, for the same reason, so remove that suggestion from the error
message text.

Since DBUS_SESSION_BUS_ADDRESS environment variable, on which the code
relies, is et by dbus-run-session (or dbus-launch, or something similar
that is supposed to be run during the login process), add a suggestion
to re-login.

Finally, fix the following linter warning:

> error-strings: error strings should not be capitalized or end with punctuation or a newline (revive)

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-01 11:39:01 -08:00
Kir Kolyshkin 11895cd087 libct/cg/sd: escape dbus address value
D-Bus specification [1] requires that the values in server address need
to be escaped in a special way, and other clients perform the needed
escaping (e.g. systemd [2] does that, as well as recent godbus [3]).

More to say, it is important to perform such escaping, since if dbus
sees a character that should have been escaped but it's not, it returns
an error [4].

Fix tryDiscoverDbusSessionBusAddress to use dbus.EscapeBusAddressValue
function, recently added to godbus [3].

[1] https://dbus.freedesktop.org/doc/dbus-specification.html#addresses
[2] https://github.com/systemd/systemd/blob/5efbd0bf897a990ebe43d7dc69141d87c404ac9a/src/libsystemd/sd-bus/bus-internal.c#L294-L318
[3] https://github.com/godbus/dbus/pull/302
[4] https://gitlab.freedesktop.org/dbus/dbus/-/blob/37b76d13738e782fe2eb12abdd0179745c0b3f81/dbus/dbus-address.c#L330

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-01 11:39:01 -08:00
Kir Kolyshkin 38c21694ba tests/integration/helpers: set -u
This is a way to prevent the code doing something really bad when a
variable it uses is not set. Good to have since it helps to catch some
logical errors etc.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-02-28 18:41:39 -08:00
Kir Kolyshkin c8c3e8526d tests: fix checks for non-existent variables
Audit all checks for non-empty variables (i.e. ' -z ', ' -n ',
' != ""' and '= ""'), and fix those cases where a variable might be
unset. Those variables (that might not be set) are

 - RUNC_USE_SYSTEMD
 - BATS_RUN_TMPDIR
 - AUX_UID
 - AUX_DIR
 - SD_PARENT_NAME
 - REL_PARENT_PATH
 - ROOT
 - HAVE_CRIU
 - ROOTLESS_FEATURES
 - and a few test-specific or file-specific variables

This should allow us to enable set -u.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-02-28 18:41:35 -08:00
Kir Kolyshkin 99d5c0231f tests/int/{root,list}.bats: ALT_ROOT fixups in teardown
1. Add "unset ALT_ROOT" since it should not be used after teardown is
   called.

2. Remove "rm -rf $ALT_ROOT". It is not needed, because ALT_ROOT is a
   subdirectory of ROOT, which is removed in teardown_bundle.

3. Checking for ALT_ROOT being non-empty is a leftover from the era when
   teardown() was called as the first step from setup(). Since commit
   41670e21f0 this is no longer the case, so the condition
   is no longer needed (plus, the `set -u` which is about to be added
   should catch any possible use of unset ALT_ROOT).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-02-28 18:39:08 -08:00
Kir Kolyshkin 7da77d802e tests/int: don't add --root if $ROOT is not set
Some tests (those in help.bats and version.bats) do not use setup_bundle
(as they do not need to start any containers), and thus they do not set
$ROOT. As a consequence, these tests now call "runc --root /state" which
is not nice.

Make adding --root conditional (only if $ROOT is set).

Amazingly, this change breaks help.bats tests under rootless, because
"sudo rootless" does not change the value of XDG_RUNTIME_DIR which still
points to root-owned directory, and as a result we have this:

> runc foo -h (status=1):
> the path in $XDG_RUNTIME_DIR must be writable by the user
> time="2022-02-08T07:04:57Z" level=error msg="mkdir /run/user/0/runc: permission denied"

This could be fixed by adding proper $ROOT, but it's easier just to skip
those tests under non-root.

NOTE that version.bats is not broken because -v is handled by urfave/cli
very early, so app.Before function is not run.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-02-28 18:32:10 -08:00
Kir Kolyshkin 9e2a0463e5 tests/int: fix runc_spec for set -u
Older bash versions treats variable as unset if nothing has been
assigned to it. Here is an example from CentOS 7 system:

	[kir@localhost ~]$ bash -u -c 'x() { local args=(); echo "${args[@]}"; }; x'
	bash: args[@]: unbound variable
	[kir@localhost ~]$ echo $BASH_VERSION
	4.2.46(2)-release

Rewrite to work around this.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-02-28 18:32:10 -08:00
Akihiro Suda ad93b0c6c9 Merge pull request #3398 from opencontainers/dependabot/go_modules/github.com/godbus/dbus/v5-5.1.0
build(deps): bump github.com/godbus/dbus/v5 from 5.0.6 to 5.1.0
2022-03-01 11:00:14 +09:00
dependabot[bot] ab9609dbc2 build(deps): bump github.com/godbus/dbus/v5 from 5.0.6 to 5.1.0
Bumps [github.com/godbus/dbus/v5](https://github.com/godbus/dbus) from 5.0.6 to 5.1.0.
- [Release notes](https://github.com/godbus/dbus/releases)
- [Commits](https://github.com/godbus/dbus/compare/v5.0.6...v5.1.0)

---
updated-dependencies:
- dependency-name: github.com/godbus/dbus/v5
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-02-28 04:22:13 +00:00
Kir Kolyshkin 8c04b98100 libct/cg/sd/v2: fix ENOENT on cgroup delegation
Apparently, not all files listed in /sys/kernel/cgroup/delegate must
exist in every cgroup, so we should ignore ENOENT.

Dot not ignore ENOENT on the directory itself though.

Change cgroupFilesToChown to not return ".", and refactor it to not do
any dynamic slice appending in case we're using the default built-in
list of files.

Fixes: 35d20c4e0
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-02-21 10:41:56 -08:00
lifubang 01f00e1fd5 ensure the path is a sub-cgroup path
Signed-off-by: lifubang <lifubang@acmcoder.com>
2022-02-19 09:45:09 +08:00
Kir Kolyshkin 40b0088681 loadFactory: remove
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-02-18 16:05:29 -08:00
Kir Kolyshkin d1fca8e599 list: report error when non-existent --root is specified
It is questionable whether runc list should return an empty list of
containers when non-existent --root is specified or not.

The current behavior is the directory is always created and then the
empty list of container is shown.

To my mind, specifying a non-existent root is an error and should be
reported as such. This is what this patch does.

For backward compatibility, if --root is not set (i.e. a default is
used), ENOENT is not reported.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-02-18 16:05:29 -08:00
Kir Kolyshkin 2b07e751b5 reviseRootDir: skip default values, add validation
1. In case --root option is not provided, do nothing.

2. Instead of checking if root value is empty string, check it after
   filepath.Abs, and reject "/". Improve docstring while at it.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-02-18 16:05:29 -08:00
Kir Kolyshkin 899342b5d4 main: improve XDG_RUNTIME_DIR handling
1. Variable xdgRuntimeDir is only checked to be non-empty. Change it to
   a boolean.

2. Refactor so that os.Getenv is not called twice.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-02-18 16:05:29 -08:00
Kir Kolyshkin eb2f08dc4e checkpoint,restore,list: don't call fatal
There is a mix of styles when handling CLI commands. In most cases we
return an error, which is handled from app.Run in main.go (it calls
fatal if there is an error).

In a few cases, though, we call fatal(err) from random places.

Let's be consistent and always return an error. The only exception is
runc exec, which needs to exit with a particular exit code.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-02-18 16:05:29 -08:00
Kir Kolyshkin 36786c361a list, utils: remove redundant code
The value of root is already an absolute path since commit
ede8a86ec1, so it does not make sense to call filepath.Abs()
again.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-02-18 16:05:29 -08:00
Markus Lehtonen 1d5c331042 configs/validate: looser validation for RDT
Don't require CAT or MBA because we don't detect those correctly (we
don't support L2 or L3DATA/L3CODE for example, and in the future
possibly even more). With plain "ClosId mode" we don't really care: we
assign the container to a pre-configured CLOS without trying to do
anything smarter.

Moreover, this was a duplicate/redundant check anyway, as for CAT and
MBA there is another specific sanity check that is done if L3 or MB
is specified in the config.

Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
2022-02-18 16:24:50 +02:00
Akihiro Suda 2436322fef Merge pull request #3365 from kolyshkin/checkPropertyName-speedup
libct/specconv: checkPropertyName speedup
2022-02-17 12:59:23 +09:00
Daniel, Dao Quang Minh c6487533f1 Merge pull request #3342 from kolyshkin/cloned-binary
libct/nsenter: fix extra runc re-exec on tmpfs
2022-02-16 16:17:56 +00:00
Sebastiaan van Stijn 949111237a Merge pull request #3303 from kolyshkin/labels
libcontainer: optimize utils.SearchLabels
2022-02-16 16:37:00 +01:00
Sebastiaan van Stijn e420659b2a Merge pull request #3371 from kolyshkin/bump-shellcheck
ci: shellcheck: update to 0.8.0, fix/suppress new warnings
2022-02-16 16:33:57 +01:00
Kir Kolyshkin 2bce144192 Merge pull request #3376 from opencontainers/dependabot/go_modules/github.com/cilium/ebpf-0.8.1
build(deps): bump github.com/cilium/ebpf from 0.8.0 to 0.8.1
2022-02-15 16:44:49 -08:00
dependabot[bot] 0f0f1f61e2 build(deps): bump github.com/cilium/ebpf from 0.8.0 to 0.8.1
Bumps [github.com/cilium/ebpf](https://github.com/cilium/ebpf) from 0.8.0 to 0.8.1.
- [Release notes](https://github.com/cilium/ebpf/releases)
- [Commits](https://github.com/cilium/ebpf/compare/v0.8.0...v0.8.1)

---
updated-dependencies:
- dependency-name: github.com/cilium/ebpf
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-02-15 04:14:16 +00:00
Qiang Huang 657ed0d4a0 Merge pull request #3354 from kolyshkin/factory-cleanup
Factory cleanup, some of the changes might make code less scalable, but we can add them back when we really want to scale someday.
2022-02-11 11:56:39 +08:00
Kir Kolyshkin be00ae07c3 ci: shellcheck: update to 0.8.0, fix/suppress new warnings
1. This valid warning is reported by shellcheck v0.8.0:

	In tests/integration/helpers.bash line 38:
	KERNEL_MINOR="${KERNEL_VERSION#$KERNEL_MAJOR.}"
				       ^-----------^ SC2295 (info): Expansions inside ${..} need to be quoted separately, otherwise they match as patterns.

	Did you mean:
	KERNEL_MINOR="${KERNEL_VERSION#"$KERNEL_MAJOR".}"

Fix this.

2. These (invalid) warnings are also reported by the new version:

	In tests/integration/events.bats line 13:
	@test "events --stats" {
	^-- SC2030 (info): Modification of status is local (to subshell caused by @bats test).

	In tests/integration/events.bats line 41:
		[ "$status" -eq 0 ]
		   ^-----^ SC2031 (info): status was modified in a subshell. That change might be lost.

Basically, this is happening because shellcheck do not really track
the call tree and/or local variables. This is a known (and reported)
deficiency, and the alternative to disabling these warnings is moving
the code around, which is worse due to more changes in git history.

So we have to silence/disable these.

3. Update shellcheck to 0.8.0.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-02-10 17:24:04 -08:00
Sebastiaan van Stijn 43186447b9 Merge pull request #3368 from kolyshkin/ignore-sigurg
runc run/exec: ignore SIGURG
2022-02-08 09:56:49 +01:00
Akihiro Suda e43546caff Merge pull request #3366 from opencontainers/dependabot/go_modules/github.com/moby/sys/mountinfo-0.6.0
build(deps): bump github.com/moby/sys/mountinfo from 0.5.0 to 0.6.0
2022-02-08 11:08:35 +09:00
Kir Kolyshkin 0b74e49d48 runc run/exec: ignore SIGURG
Foreground runc exec and runc run forwards all the signals (that it can)
to the process being run.

Since Go 1.14, go runtime uses SIGURG for async preemptive scheduling.
This means that runc regularly receives SIGURG and, in case of
foreground runc run/exec, it gets forwarded to the container process.

For example:

[kir@kir-rhat runc]$ sudo ./runc --debug exec xx67 sleep 1m
...
DEBU[0000] child process in init()
DEBU[0000] setns_init: about to exec
DEBU[0000]signals.go:102 main.(*signalHandler).forward() sending signal to process urgent I/O condition
DEBU[0000]signals.go:102 main.(*signalHandler).forward() sending signal to process urgent I/O condition
DEBU[0000]signals.go:102 main.(*signalHandler).forward() sending signal to process urgent I/O condition
...

Or, with slightly better debug messages from commit 58c1ff39a5:

DEBU[0000]signals.go:102 main.(*signalHandler).forward() forwarding SIGURG to 819784
DEBU[0000]signals.go:102 main.(*signalHandler).forward() forwarding SIGURG to 819784

Obviously, this signal is an internal implementation detail of Go
runtime, and should not be forwarded to the container process.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-02-07 15:22:17 -08:00
dependabot[bot] 24ab543f58 build(deps): bump github.com/moby/sys/mountinfo from 0.5.0 to 0.6.0
Bumps [github.com/moby/sys/mountinfo](https://github.com/moby/sys) from 0.5.0 to 0.6.0.
- [Release notes](https://github.com/moby/sys/releases)
- [Commits](https://github.com/moby/sys/compare/signal/v0.5.0...signal/v0.6.0)

---
updated-dependencies:
- dependency-name: github.com/moby/sys/mountinfo
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-02-04 04:16:30 +00:00
Kir Kolyshkin dbd990d555 libct: rm intelrtd.Manager interface, NewIntelRdtManager
Remove intelrtd.Manager interface, since we only have a single
implementation, and do not expect another one.

Rename intelRdtManager to Manager, and modify its users accordingly.

Remove NewIntelRdtManager from factory.

Remove IntelRdtfs. Instead, make intelrdt.NewManager return nil if the
feature is not available.

Remove TestFactoryNewIntelRdt as it is now identical to TestFactoryNew.

Add internal function newManager to be used for tests (to make sure
some testing is done even when the feature is not available in
kernel/hardware).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-02-03 17:33:03 -08:00
Kir Kolyshkin 85932850ec libct: rm TestGetContainerStats, mockIntelRdtManager
TestGetContainerStats test a function that is smaller than the test
itself, and only calls a couple of other functions (which are
represented by mocks). It does not make sense to have it.

mockIntelRdtManager is only needed for TestGetContainerStats
and TestGetContainerState, which basically tests that Path
is called. Also, it does not make much sense to have it.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-02-03 17:33:03 -08:00
Kir Kolyshkin 9258eac072 libct/start: use execabs for newuidmap lookup
Since we are looking up the path to newuidmap/newgidmap in one context,
and executing those in another (libct/nsenter), it might make sense to
use a stricter rules for looking up path to those binaries.

Practically it means that if someone wants to use custom newuidmap and
newgidmap binaries from $PATH, it would be impossible to use these from
the current directory by means of PATH=.:$PATH; instead one would have
to do something like PATH=$(pwd):$PATH.

See https://go.dev/blog/path-security for background.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-02-03 17:33:00 -08:00
Kir Kolyshkin 39bd7b7217 libct: Container, Factory: rm newuidmap/newgidmap
These were introduced in commit d8b669400 back in 2017, with a TODO
of "make binary names configurable". Apparently, everyone is happy with
the hardcoded names. In fact, they *are* configurable (by prepending the
PATH with a directory containing own version of newuidmap/newgidmap).

Now, these binaries are only needed in a few specific cases (when
rootless is set etc.), so let's look them up only when needed.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-02-03 11:40:29 -08:00
Kir Kolyshkin 0d21515038 libct: remove Validator interface
We only have one implementation of config validator, which is always
used. It makes no sense to have Validator interface.

Having validate.Validator field in Factory does not make sense for all
the same reasons.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-02-03 11:40:29 -08:00
Kir Kolyshkin 630c0d7e8c libct: Container, Factory: rm InitPath, InitArgs
Those are *always* /proc/self/exe init, and it does not make sense
to ever change these. More to say, if InitArgs option func (removed
by this commit) is used to change these parameters, it will break
things, since "init" is hardcoded elsewhere.

Remove this.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-02-03 11:40:29 -08:00
Sebastiaan van Stijn ede712786c Merge pull request #3363 from kolyshkin/debug-nit
signals: fix signal name debug print
2022-02-03 10:41:56 +01:00
Sebastiaan van Stijn 7173c53906 Merge pull request #3350 from kolyshkin/mount-cmds
libct: Mount: rm {Pre,Post}mountCmds
2022-02-03 10:12:56 +01:00
Sebastiaan van Stijn e4e2a9dda4 Merge pull request #3360 from danishprakash/remove-pausing
libcontainer: remove "pausing" state
2022-02-01 23:40:31 +01:00
Kir Kolyshkin 376c988618 libct/specconv: improve checkPropertyName
Commit 029b73c1b replaced a regular expression with code checking the
characters. Despite what the comment said about ASCII, the check was
performed rune by rune, not byte by byte.

Note the check was still correct, basically comparing int32's, but the
byte by byte way is a tad faster and more straightforward. The change
also fixes the issue of a misleading comment.

Benchmark before/after shows a modest improvement:

name                 old time/op    new time/op    delta
CheckPropertyName-4     164ns ± 2%     123ns ± 2%  -24.73%  (p=0.029 n=4+4)

name                 old alloc/op   new alloc/op   delta
CheckPropertyName-4     96.0B ± 0%     64.0B ± 0%  -33.33%  (p=0.029 n=4+4)

name                 old allocs/op  new allocs/op  delta
CheckPropertyName-4      6.00 ± 0%      4.00 ± 0%  -33.33%  (p=0.029 n=4+4)

Fixes: 029b73c1b
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-02-01 11:47:31 -08:00
Kir Kolyshkin d37a9726f3 libct/specconv: test nits
Commit 643f8a2b40 renamed isValidName to checkPropertyName, but fell
short of renaming its test and benchmark. Fix that.

Fixes: 643f8a2b40
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-02-01 10:46:14 -08:00
Kir Kolyshkin 58c1ff39a5 signals: fix signal name debug print
Here's how it looks now:

$ runc --debug exec ctid sleep 1h
...
DEBU[0000]signals.go:102 main.(*signalHandler).forward() sending signal to process urgent I/O condition
DEBU[0000]signals.go:102 main.(*signalHandler).forward() sending signal to process urgent I/O condition
DEBU[0022]signals.go:102 main.(*signalHandler).forward() sending signal to process terminated
DEBU[0022]signals.go:102 main.(*signalHandler).forward() sending signal to process urgent I/O condition

This is obviously not very readable.

Use unix.SignalName, plus a numeric representation of the signal, since
SignalName does not know all signals.

Add PID while we're at it.

With this commit:

DEBU[0000]signals.go:103 main.(*signalHandler).forward() forwarding signal 23 (SIGURG) to 891345
DEBU[0020]signals.go:103 main.(*signalHandler).forward() forwarding signal 45 () to 891345
DEBU[0020]signals.go:103 main.(*signalHandler).forward() forwarding signal 23 (SIGURG) to 891345
DEBU[0020]signals.go:103 main.(*signalHandler).forward() forwarding signal 23 (SIGURG) to 891345

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-01-31 18:45:41 -08:00
Akihiro Suda e9190d3ae1 Merge pull request #3353 from kolyshkin/rm-criu-opt
runc: remove --criu option
2022-02-01 08:28:14 +09:00
Kir Kolyshkin 667518e583 Merge pull request #3362 from opencontainers/dependabot/github_actions/tim-actions/get-pr-commits-1.2.0
build(deps): bump tim-actions/get-pr-commits from 1.1.0 to 1.2.0
2022-01-31 11:23:09 -08:00
dependabot[bot] 0767b782c4 build(deps): bump tim-actions/get-pr-commits from 1.1.0 to 1.2.0
Bumps [tim-actions/get-pr-commits](https://github.com/tim-actions/get-pr-commits) from 1.1.0 to 1.2.0.
- [Release notes](https://github.com/tim-actions/get-pr-commits/releases)
- [Commits](https://github.com/tim-actions/get-pr-commits/compare/v1.1.0...v1.2.0)

---
updated-dependencies:
- dependency-name: tim-actions/get-pr-commits
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-01-31 04:15:58 +00:00
danishprakash 7346dda332 libcontainer: remove "pausing" state
Signed-off-by: danishprakash <grafitykoncept@gmail.com>
2022-01-29 14:27:11 +05:30
Kir Kolyshkin 18e286261e libct/nsenter: fix extra runc re-exec on tmpfs
After adding some debug info to cloned_binary.c I found out that
is_self_cloned() is not working right when runc binary is on tmpfs,
resulting in one extra re-exec of runc.

With some added debug:

	$ mkdir bin
	$ sudo mount -t tmpfs tmp bin
	$ sudo cp runc bin
	$ sudo ./bin/runc --debug exec xxx true
	DEBU[0000] nsexec[763590]: => is_self_cloned
	DEBU[0000] nsexec[763590]: got seals 1 (want 15)
	DEBU[0000] nsexec[763590]: <= is_self_cloned, is_cloned = 0
	DEBU[0000] nsexec[763590]: try_bindfd: 5
	DEBU[0000] nsexec[763590]: re-exec itself...
	DEBU[0000] nsexec[763590]: => is_self_cloned
	DEBU[0000] nsexec[763590]: got seals 1 (want 15)
	DEBU[0000] nsexec[763590]: <= is_self_cloned, is_cloned = 0
	DEBU[0000] nsexec[763590]: try_bindfd: -1
	DEBU[0000] nsexec[763590]: fallback to make_execfd: 5
	DEBU[0000] nsexec[763590]: re-exec itself...
	DEBU[0000] nsexec[763590]: => is_self_cloned
	DEBU[0000] nsexec[763590]: got seals 15 (want 15)
	DEBU[0000] nsexec[763590]: <= is_self_cloned, is_cloned = 1

From the above, it is seen that
 - `is_self_cloned` returns 0,
 - `try_bindfd` is called and succeeds,
 - runc re-execs itself,
 - the second call to `is_self_cloned` returns 0 again (because GET_SEALS returns 1),
 - runc falls back to `make_execfd`, and re-execs again,
 - finally, the third `is_self_cloned` returns 1.

I guess that the code relied on the following (quoting fcntl(2)):

> Currently, file seals can be applied only to a file descriptor
> returned by memfd_create(2) (if the MFD_ALLOW_SEALING was employed).
> On other filesystems, all fcntl() operations that operate on seals
> will return EINVAL.

It looks like in case of a file on tmpfs it returns 1 (F_SEAL_SEAL).

With the fix:

	DEBU[0000] nsexec[768367]: => is_self_cloned
	DEBU[0000] nsexec[768367]: got seals 1 (want 15)
	DEBU[0000] nsexec[768367]: no CLONED_BINARY_ENV
	DEBU[0000] nsexec[768367]: <= is_self_cloned, is_cloned = 0
	DEBU[0000] nsexec[768367]: try_bindfd: 5
	DEBU[0000] nsexec[768367]: re-exec itself...
	DEBU[0000] nsexec[768367]: => is_self_cloned
	DEBU[0000] nsexec[768367]: got seals 1 (want 15)
	DEBU[0000] nsexec[768367]: fstatfs says ro = 1
	DEBU[0000] nsexec[768367]: fstat says nlink = 1
	DEBU[0000] nsexec[768367]: <= is_self_cloned, is_cloned = 1

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-01-27 08:42:11 -08:00
Sebastiaan van Stijn eddf35e546 Merge pull request #3349 from kolyshkin/list-nits
runc list: fix race with runc delete + nits
2022-01-27 10:30:16 +01:00
Sebastiaan van Stijn ca03eb7c1c Merge pull request #3352 from kolyshkin/misc
Misc nits
2022-01-27 10:24:58 +01:00
Kir Kolyshkin 6e1d476aad runc: remove --criu option
This was introduced in an initial commit, back in the day when criu was
a highly experimental thing. Today it's not; most users who need it have
it packaged by their distro vendor.

The usual way to run a binary is to look it up in directories listed in
$PATH. This is flexible enough and allows for multiple scenarios (custom
binaries, extra binaries, etc.). This is the way criu should be run.

Make --criu a hidden option (thus removing it from help). Remove the
option from man pages, integration tests, etc. Remove all traces of
CriuPath from data structures.

Add a warning that --criu is ignored and will be removed.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-01-26 20:25:56 -08:00
Kir Kolyshkin 485e6c84e7 Fix some revive warnings
This is needed since the future commits will touch this code, and then
the lint-extra CI job complains.

> libcontainer/factory.go#L245
> var-naming: var fdsJson should be fdsJSON (revive)

and

> libcontainer/init_linux.go#L181
> error-strings: error strings should not be capitalized or end with punctuation or a newline (revive)

and

> notify_socket.go#L94
> receiver-naming: receiver name n should be consistent with previous receiver name s for notifySocket (revive)

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-01-26 19:14:14 -08:00
Kir Kolyshkin bb6a838876 libct: initContainer: rename Id -> ID
Since the next commit is going to touch this structure, our CI
(lint-extra) is about to complain about improperly named field:

>  Warning: var-naming: struct field ContainerId should be ContainerID (revive)

Make it happy.

Brought to use by gopls rename.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-01-26 18:59:47 -08:00
Kir Kolyshkin 1b14d97484 libct/configs: rm Windows TODO
It's clear at this point that runc won't support Windows.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-01-26 18:59:47 -08:00
Kir Kolyshkin 76c398f89d libct/README: rm Cgroupfs
This method was removed earlier by commit 097c6d7425,
but the documentation was not updated. Fix it.

Fixes: 097c6d7425
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-01-26 18:59:47 -08:00
Kir Kolyshkin 0fec1c2d8c libct: Mount: rm {Pre,Post}mountCmds
Those were added by commit 59c5c3ac0 back in Apr 2015, but AFAICS were
never used and are obsoleted by more generic container hooks (initially
added by commit 05567f2c94 in Sep 2015).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-01-26 15:51:55 -08:00
Kir Kolyshkin dffb8db7e1 libct: handleCriuConfigurationFile: use utils.SearchLabels
The utils.Annotations was used here before only because it made it
possible to distinguish between "key not found" and "empty value" cases.

With the previous commit, utils.SearchLabels can do that, and so it
makes sense to use it.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-01-26 14:01:11 -08:00
Kir Kolyshkin 3d86d31b9f libct/utils: SearchLabels: optimize
Using strings.Split generates temporary strings for GC to collect.
Rewrite the function to not do that.

Also, add a second return value, so that the caller can distinguish
between an empty value found and no key found cases.

Fix the test accordingly.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-01-26 14:01:11 -08:00
Mrunal Patel 403cda19e4 Merge pull request #3326 from kolyshkin/go118beta
ci: add go 1.18beta1
2022-01-25 16:01:25 -08:00
Kir Kolyshkin 1a3ee4966c list: use Info(), fix race with delete
Since commit 551629417 we can (and should) use Info() to get access to
file stat. Do this.

While going over directory entries, a parallel runc delete can remove
an entry, and with the current code it results in a fatal error (which
was not observed in practice, but looks quite possible). To fix,
add a special case to continue on ErrNotExist.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-01-25 15:34:04 -08:00
Kir Kolyshkin 095929b15e list: getContainers: less indentation
Instead of a huge if {} block, use continue.

Best reviewed with --ignore-all-space.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-01-25 15:31:54 -08:00
Mrunal Patel a1727ef58c Merge pull request #3345 from kolyshkin/rodev
Fix working with read-only /dev
2022-01-25 13:27:36 -08:00
Sebastiaan van Stijn a934123d21 Merge pull request #3319 from kolyshkin/chown-not-needed
libct: Create: rm unneeded chown
2022-01-24 14:55:09 +01:00
Akihiro Suda c9ad96f63e Merge pull request #3335 from kolyshkin/mount-prop-empty-key
libct/specconv: rm empty key from mountPropagationMapping
2022-01-24 16:29:58 +09:00
Akihiro Suda a2805a31e1 Merge pull request #3339 from kolyshkin/rtd-faster-followup
libct/intelrdt: explain why mountinfo is required
2022-01-24 16:29:37 +09:00
Akihiro Suda 4ebd33aa6a Merge pull request #3346 from opencontainers/dependabot/go_modules/github.com/cilium/ebpf-0.8.0
build(deps): bump github.com/cilium/ebpf from 0.7.0 to 0.8.0
2022-01-24 16:28:33 +09:00
dependabot[bot] cb36410868 build(deps): bump github.com/cilium/ebpf from 0.7.0 to 0.8.0
Bumps [github.com/cilium/ebpf](https://github.com/cilium/ebpf) from 0.7.0 to 0.8.0.
- [Release notes](https://github.com/cilium/ebpf/releases)
- [Commits](https://github.com/cilium/ebpf/compare/v0.7.0...v0.8.0)

---
updated-dependencies:
- dependency-name: github.com/cilium/ebpf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-01-24 04:15:07 +00:00
Kir Kolyshkin 146c8c0c62 libct: fixStdioPermissions: ignore EROFS
In case of a read-only /dev, it's better to move on and let whatever is
run in a container to handle any possible errors.

This solves runc exec for a user with read-only /dev.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-01-21 17:53:03 -08:00
Kir Kolyshkin 18c4760aed libct: fixStdioPermissions: skip chown if not needed
Since we already called fstat, we know the current file uid. In case it
is the same as the one we want it to be, there's no point in trying
chown.

Remove the specific /dev/null check, as the above also covers it
(comparing /dev/null uid with itself is true).

This also fixes runc exec with read-only /dev for root user.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-01-21 17:46:10 -08:00
Kir Kolyshkin b7fdb68848 libct: fixStdioPermissions: minor refactoring
Use os/file Chown method instead of bare unix.Fchown as it already have
access to underlying fd, and produces nice-looking errors. This allows
us to remove our error wrapping and some linter annotations.

We still use unix.Fstat since os.Stat access to os-specific fields
like uid/gid is not very straightforward. The only change here is to use
file name (rather than fd) in the error text.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-01-21 17:39:50 -08:00
Aleksa Sarai 2a62093dbb merge branch 'pr-3344'
Kir Kolyshkin (2):
  CHANGELOG: add #3306
  CHANGELOG.md: nit

LGTMs: AkihiroSuda cyphar
Closes #3344
2022-01-21 16:54:29 +11:00
Kir Kolyshkin 2eb6ac5347 CHANGELOG: add #3306
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-01-20 18:47:52 -08:00
Kir Kolyshkin e4d23d50fa CHANGELOG.md: nit
The 1.1.0 "Changed" heading level is not proper.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-01-20 18:42:21 -08:00
Kir Kolyshkin 5e201e7ce2 libct/intelrdt: explain why mountinfo is required
For the Nth time I wanted to replace parsing mountinfo with
statfs and the check for superblock magic, but it is not possible
since some code relies of mount options check which can only
be obtained via mountinfo.

Add a note about it.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-01-20 10:36:45 -08:00
Sebastiaan van Stijn 62133e3840 Merge pull request #3306 from kolyshkin/rdt-faster
Faster Intel RDT init if the feature is unavailable
2022-01-19 11:24:41 +01:00
Aleksa Sarai 17543edd15 merge branch 'pr-3338'
Aleksa Sarai (2):
  VERSION: back to development
  VERSION: release runc v1.1.0

LGTMs: AkihiroSuda thaJeztah hqhq
Closes #3338
2022-01-18 09:44:11 +11:00
Aleksa Sarai d7f7b22a85 VERSION: back to development
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2022-01-17 19:16:33 +11:00
Aleksa Sarai 067aaf8548 VERSION: release runc v1.1.0
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2022-01-17 19:16:31 +11:00
Kir Kolyshkin c45eed9a4a libct/specconv: rm empty key from mountPropagationMapping
It is a tad cleaner this way.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-01-07 11:22:22 -08:00
Akihiro Suda c83abc503d Merge pull request #3331 from kolyshkin/nsenter-unsup
Refuse to build runc without nsenter
2022-01-05 14:18:02 +09:00
Kir Kolyshkin c0e300f109 Refuse to build runc without nsenter
Commit 4d1d6185ab added this
nsenter_unsupported.go file in order for nsenter to be a valid (but
empty, non-functional) Go package on unsupported platforms.

As a result, runc can be build successfully without CGO, which results
in a non-working and hard-to-debug binary (see issue 3330).

As the functionality of being able to compile a package which is
definitely not working is questionable, and I can't think of any use
cases, let's remove the file.

With this, runc can no longer be build without CGO:

	[kir@kir-rhat runc]$ CGO_ENABLED=0 make runc
	go build -trimpath "-buildmode=pie"  -tags "seccomp" -ldflags "-X main.gitCommit=v1.0.0-452-g00f56786-dirty -X main.version=1.1.0-rc.1+dev " -o runc .
	go build github.com/opencontainers/runc/libcontainer/nsenter: build constraints exclude all Go files in /home/kir/go/src/github.com/opencontainers/runc/libcontainer/nsenter

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-01-04 15:49:41 -08:00
Akihiro Suda 00f56786bb Merge pull request #3328 from opencontainers/dependabot/go_modules/github.com/checkpoint-restore/go-criu/v5-5.3.0
build(deps): bump github.com/checkpoint-restore/go-criu/v5 from 5.2.0 to 5.3.0
2021-12-23 11:00:22 +09:00
dependabot[bot] e155b3322c build(deps): bump github.com/checkpoint-restore/go-criu/v5
Bumps [github.com/checkpoint-restore/go-criu/v5](https://github.com/checkpoint-restore/go-criu) from 5.2.0 to 5.3.0.
- [Release notes](https://github.com/checkpoint-restore/go-criu/releases)
- [Commits](https://github.com/checkpoint-restore/go-criu/compare/v5.2.0...v5.3.0)

---
updated-dependencies:
- dependency-name: github.com/checkpoint-restore/go-criu/v5
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-12-22 04:18:26 +00:00
Kir Kolyshkin b5cb405629 ci: add go 1.18beta1
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-12-15 17:20:09 -08:00
Kir Kolyshkin 907aefd43c libct: StartInitialization: fix %w related warning
(on Go 1.18 this is actually an error)

> libcontainer/factory_linux.go:341:10: fmt.Errorf format %w has arg e of wrong type interface{}

Unfortunately, fixing it results in an errorlint warning:

> libcontainer/factory_linux.go#L344 non-wrapping format verb for fmt.Errorf. Use `%w` to format errors (errorlint)

so we have to silence that one.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-12-15 17:20:09 -08:00
Akihiro Suda 81044ad7c9 Merge pull request #3325 from kolyshkin/rm-go115
libct/cg: rm go 1.15 compatibility
2021-12-15 11:39:50 +09:00
Kir Kolyshkin 5c7e898186 libct/cg: rm go 1.15 compatibility
Since commit 12e99a0f8d we do require Go >= 1.16, so this file
is no longer needed.

Also, this actually ensures that go >= 1.16 is used (otherwise
libcontainer/cgroups/getallpids.go won't compile).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-12-14 13:08:47 -08:00
Aleksa Sarai 7113a40898 merge branch 'pr-3323'
Aleksa Sarai (2):
  VERSION: back to development
  VERSION: release v1.1.0-rc.1

LGTMs: AkihiroSuda kolyshkin
Closes #3323
2021-12-14 15:27:16 +11:00
Aleksa Sarai 4773769ce1 VERSION: back to development
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-12-14 14:23:02 +11:00
Aleksa Sarai 55df1fc4c8 VERSION: release v1.1.0-rc.1
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-12-14 14:23:00 +11:00
Kir Kolyshkin 6c1e2ecc20 Merge pull request #3320 from cyphar/changelog
CHANGELOG: add an in-repo changelog file
2021-12-13 12:51:14 -08:00
Aleksa Sarai a8f9d5defc CHANGELOG: add an in-repo changelog file
This will make releases much simpler. I've back-filled the changelog
with everything since runc 1.0.0 (there's not much point going further
back than that).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-12-13 13:22:11 +11:00
Kir Kolyshkin 024adbb1b9 libct: Create: rm unneeded chown
Commit 7cfb107f2c started using unix.Geteuid(), unix.Getegid() as
uid/gid argument for chown. It seems that it should have removed chown
entirely, since, according to mkdir(2),

> The newly created directory will be owned by the effective user ID of
> the process. If the directory containing the file has the
> set-group-ID bit set, or if the filesystem is mounted with BSD
> group semantics (mount -o bsdgroups or, synonymously mount -o grpid),
> the new directory will inherit the group ownership from its parent;
> otherwise it will be > owned by the effective group ID of the process.

So, the only effect of the chown after mkdir is ignoring the sgid bit
on the parent directory (which is probably not the right thing to do).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-12-10 18:49:25 -08:00
Aleksa Sarai 7e792c9236 merge branch 'pr-3301'
Kir Kolyshkin (1):
  libct/utils: ResolveRootfs: remove

LGTMs: AkihiroSuda cyphar
Closes #3301
2021-12-09 23:11:12 +11:00
Akihiro Suda 4e56a2b35e Merge pull request #3313 from kolyshkin/int-nits
libct/int: minor improvements
2021-12-09 19:20:59 +09:00
Aleksa Sarai e7dfcc93af Merge pull request #3314 from kolyshkin/seccomp-2.5.3
release: update libseccomp to 2.5.3, minor script fixes
2021-12-09 20:36:54 +11:00
Kir Kolyshkin 6d2067a4bf script/seccomp.sh: fix argc check
This check was always broken, and it slipped through the cracks because
we never run it without additional architectures now.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-12-09 00:59:47 -08:00
Kir Kolyshkin 457ca62f1f script/release_*.sh: fix usage
- release_build: fix -H <hash_cmd> option (was -h)
- release_sign: add -H and -S options

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-12-09 00:59:43 -08:00
Kir Kolyshkin c729594cdd deps: update libseccomp to 2.5.3
It was released about a month ago. I don't see anything major
in the changelog but it makes sense to keep tracking upstream deps.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-12-09 00:38:25 -08:00
Aleksa Sarai 1b747a43f0 merge branch 'pr-3309'
Aleksa Sarai (1):
  release: correctly handle binary signing for "make releaseall"

LGTMs: AkihiroSuda kolyshkin
Closes #3309
2021-12-09 16:47:31 +11:00
Kir Kolyshkin 5d77962099 tests/int: use update_config in hooks test
Using "$@" instead of $1 in update_config() allows us to use it from
hooks.bats, where jq is used with more options than usual.

We need to disable SC2016 as otherwise shellcheck sees $something inside
single quotes and think we are losing the shell expansion (we are not).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-12-08 21:36:27 -08:00
Kir Kolyshkin 9e798e26cb tests/int: ability to specify binary
This can be used to specify a different runc binary, for example:

	sudo -E RUNC=$PWD/runc.mine tests/integration/cwd.bats

A different (but compatible enough) runtime also works:

	sudo -E RUNC=/usr/local/bin/crun tests/integration/cwd.bats

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-12-08 21:25:05 -08:00
Kir Kolyshkin 13b0806f12 Merge pull request #3272 from AkihiroSuda/mount-rro
Support recursive mount attrs ("rro", "rnosuid", "rnodev", ...)
2021-12-08 11:02:26 -08:00
Aleksa Sarai 4b22d8e446 Merge branch 'pr-3310'
Akihiro Suda (2):
  types/features: clarify MountOptions
  Mark `runc features` experimental

LGTMs: cyphar mrunalp
Closes #3310
2021-12-08 17:07:21 +11:00
Mrunal Patel cd07af28ce Merge pull request #3304 from kolyshkin/lint-extra
ci: enable extra linters for new code
2021-12-07 15:58:10 -08:00
Akihiro Suda 97688ddff3 types/features: clarify MountOptions
`MountOptions` does not contain `const void *data` options.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-12-07 18:36:04 +09:00
Akihiro Suda deb0a5f2ef Mark runc features experimental
Follow-up to PR 3296

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-12-07 17:51:39 +09:00
Akihiro Suda 382eba4354 Support recursive mount attrs ("rro", "rnosuid", "rnodev", ...)
The new mount option "rro" makes the mount point recursively read-only,
by calling `mount_setattr(2)` with `MOUNT_ATTR_RDONLY` and `AT_RECURSIVE`.
https://man7.org/linux/man-pages/man2/mount_setattr.2.html

Requires kernel >= 5.12.

The "rro" option string conforms to the proposal in util-linux/util-linux Issue 1501.

Fix issue 2823

Similary, this commit also adds the following mount options:
- rrw
- r[no]{suid,dev,exec,relatime,atime,strictatime,diratime,symfollow}

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-12-07 17:39:57 +09:00
Akihiro Suda ba935a51a6 Support nosymfollow mount option (kernel 5.10)
See MS_NOSYMFOLLOW in mount(2)

https://man7.org/linux/man-pages/man2/mount.2.html

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-12-07 17:33:49 +09:00
Akihiro Suda f8c48e4617 go.mod: golang.org/x/sys v0.0.0-20211116061358-0a5406a5449c
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-12-07 17:33:46 +09:00
Aleksa Sarai acd8f12f24 release: correctly handle binary signing for "make releaseall"
My GPG keys are not available inside the container, so it makes little
sense to try to sign the binaries inside the container's release.sh. The
solution is to split things into separate build and sign stages, with
signing ocurring after the in-Docker build.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-12-07 18:10:34 +11:00
Aleksa Sarai cdce249635 merge branch 'pr-3057'
Fraser Tweedale (1):
  chown cgroup to process uid in container namespace

LGTMs: kolyshkin cyphar
Closes #3057
2021-12-07 17:06:19 +11:00
Aleksa Sarai 2b0ca195d6 merge branch 'pr-3296'
Akihiro Suda (1):
  Add `runc features` command

LGTMs: kolyshkin cyphar
Closes #3296
2021-12-07 16:15:37 +11:00
Aleksa Sarai f50369af4b Merge pull request from GHSA-v95c-p5hm-xq8f
runc init: avoid netlink message length overflows
2021-12-06 15:30:29 +11:00
Kir Kolyshkin edeb3b376c libct/intelrdt: faster init if rdt is unsupported
In a (quite common) case RDT is not supported by the kernel/hardware,
it does not make sense to parse /proc/cpuinfo and /proc/self/mountinfo,
and yet the current code does it (on every runc exec, for example).

Fortunately, there is a quick way to check whether RDT is available --
if so, kernel creates /sys/fs/resctrl directory. Check its existence,
and skip all the other initialization if it's not present.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-12-03 15:59:30 -08:00
Kir Kolyshkin 6c6b14e075 libct/intelrdt: remove findMountpointDir test
This test was written back in the day when findIntelRdtMountpointDir
was using its own mountinfo parser. Commit f1c1fdf911 changed that,
and thus this test is actually testing moby/sys/mountinfo parser, which
does not make much sense.

Remove the test, and drop the io.Reader argument since we no longer need
to parse a custom file.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-12-03 15:59:24 -08:00
Kir Kolyshkin 02e961bcf9 libct/intelrdt: wrap Root in sync.Once
In case resctrl filesystem can not be found in /proc/self/mountinfo
(which is pretty common on non-server or non-x86 hardware), subsequent
calls to Root() will result in parsing it again and again.

Use sync.Once to avoid it. Make unit tests call it so that Root() won't
actually parse mountinfo in tests.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-12-03 15:58:43 -08:00
Aleksa Sarai d72d057ba7 runc init: avoid netlink message length overflows
When writing netlink messages, it is possible to have a byte array
larger than UINT16_MAX which would result in the length field
overflowing and allowing user-controlled data to be parsed as control
characters (such as creating custom mount points, changing which set of
namespaces to allow, and so on).

Co-authored-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-12-03 16:07:40 +11:00
Sebastiaan van Stijn 45c31f9e1f Merge pull request #3305 from kolyshkin/rdt-4
libct/intelrdt: remove unused type
2021-12-02 18:06:57 +01:00
Kir Kolyshkin 25112dd179 libct/intelrdt: remove unused type
Since commit 7296dc1712, type intelRdtData is only used by tests,
and since commit 79d292b9f, its only member is config.

Change the test to use config directly, and remove the type.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-30 18:03:28 -08:00
Kir Kolyshkin c4a61aa918 ci: enable extra linters for new code
This adds a new GHA CI job which runs a few extra linters. This is only
done for pull requests, and should only warn about new code.

The justification is simple: we want more linters, but since this is not
a new project, adding a new linter meaning we have to fix all the
existing warnings. In some cases having all the warnings fixed is
difficult and takes time, plus it is usually a low priority task.

Therefore, we are stuck with inability to add new linters because we
can't fix all their warnings. Meanwhile, new pull requests add more
code which is not linted.

This is an attempt to break this vicious cycle. Let's enable godot
and revive for now and see how it is going.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-30 16:51:55 -08:00
Sebastiaan van Stijn 0c0ec3f53f Merge pull request #3302 from kolyshkin/ci-unparam
Enable unparam linter; fix/mute existing warnings
2021-11-30 23:21:30 +01:00
Akihiro Suda 520702dac5 Add runc features command
Fix issue 3274

See `types/features/features.go`.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-11-30 16:40:39 +09:00
Kir Kolyshkin 02475d9c8b .golangci.lint: add unparam linter
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-29 20:10:22 -08:00
Kir Kolyshkin 953e56c56f libct/int: runContainer: drop console arg
It is not and was never ever used.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-29 20:10:22 -08:00
Kir Kolyshkin 6c0bfcb1c8 libct/cg/fs/blkio_test: ignore unparam warning
Ignore the following warning:

> libcontainer/cgroups/fs/blkio_test.go:167:78: `appendBlkioStatEntry` - `minor` always receives `0` (unparam)
> func appendBlkioStatEntry(blkioStatEntries *[]cgroups.BlkioStatEntry, major, minor, value uint64, op string) {

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-29 20:10:22 -08:00
Kir Kolyshkin 06b3fd9d19 libct/cg/ebpf: drop finalize return value
It never returns any error, so let's drop it (in case it needs to be
re-added, it is easy to do so).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-29 20:10:22 -08:00
Kir Kolyshkin 86733013cc notify_socket: setupSpec: drop ctx arg and return value
Those were never used (ctx was added by the initial commit, and
error was added by commit 25fd4a6757).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-29 20:10:22 -08:00
Kir Kolyshkin 741568ebf1 libct/cg/devices: addRule: ignore unparam warning
This function has a return value for consistency, let it stay.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-29 20:10:22 -08:00
Kir Kolyshkin fc44e3f687 tty: Close: rm return value
This function never returned anything other than nil, and its return
value is discarded since it is only called from defer.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-29 20:10:22 -08:00
Kir Kolyshkin 3648346572 tty: ClosePostStart: rm return value
It is not and was not ever used.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-29 20:10:22 -08:00
Kir Kolyshkin f3f4b6d155 tty: recvtty: rm process arg
It is not used since commit 00a0ecf554.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-29 20:10:22 -08:00
Kir Kolyshkin e63186351b tty: rm inheritStdio return value
Since commit eebdb644f9 this function never returns any error.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-29 20:10:22 -08:00
Kir Kolyshkin d23b810927 checkpoint: rm getDefaultImagePath arg
It was never used.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-29 20:10:22 -08:00
Kir Kolyshkin dd14040145 libct: fixStdioPermissions: rm config arg
Since commit ff5075c33f it is no longer used.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-29 20:10:22 -08:00
Kir Kolyshkin b357bc1349 libct/factory: rm id param from loadState
It is not used since commit e918d0213.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-29 20:10:22 -08:00
Kir Kolyshkin b950b778c2 libct/utils: ResolveRootfs: remove
Since commit 8850636eb3 (February 2015) this function is no longer
used (replaced by (*ConfigValidator).rootfs), so let's remove it,
together with its unit tests (which were added by commit 917c1f6d6 in
April 2016).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-29 19:21:26 -08:00
Fraser Tweedale 35d20c4e0b chown cgroup to process uid in container namespace
Delegating cgroups to the container enables more complex workloads,
including systemd-based workloads.  The OCI runtime-spec was
recently updated to explicitly admit such delegation, through
specification of cgroup ownership semantics:

  https://github.com/opencontainers/runtime-spec/pull/1123

Pursuant to the updated OCI runtime-spec, change the ownership of
the container's cgroup directory and particular files therein, when
using cgroups v2 and when the cgroupfs is to be mounted read/write.

As a result of this change, systemd workloads can run in isolated
user namespaces on OpenShift when the sandbox's cgroupfs is mounted
read/write.

It might be possible to implement this feature in other cgroup
managers, but that work is deferred.

Signed-off-by: Fraser Tweedale <ftweedal@redhat.com>
2021-11-30 08:52:59 +10:00
Akihiro Suda 6ff042023c Merge pull request #3234 from kolyshkin/hugepage-v2
libct/cg: refactor/improve/rename GetHugePageSize -> HugePageSizes
2021-11-29 18:14:14 +09:00
Aleksa Sarai 19d696ec29 merge branch 'pr-3276'
Kir Kolyshkin (2):
  runc run: fix ro /dev
  test/int/mount.bats: refer to github issue

LGTMs: thaJeztah cyphar
Closes #3276
2021-11-26 09:37:43 +11:00
Sebastiaan van Stijn 0e79754c9b Merge pull request #3294 from kolyshkin/xattr
libct/system/xattrs: remove
2021-11-24 20:07:43 +01:00
Kir Kolyshkin ec0f35bc68 libct/system/xattrs: remove
This is not used since commit 5e7b48f7c0 (23 Mar 2017).

In case there are external users, they should switch to
opencontainers/selinux.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-23 08:40:49 -08:00
Kir Kolyshkin 20feb5d315 Merge pull request #3290 from opencontainers/dependabot/go_modules/github.com/opencontainers/selinux-1.10.0
build(deps): bump github.com/opencontainers/selinux from 1.9.1 to 1.10.0
2021-11-22 13:40:34 -08:00
Sebastiaan van Stijn e23602ebba Merge pull request #3284 from kolyshkin/ci-fedora-revert-fix
Vagrantfile.fedora: revert excluding systemd
2021-11-22 20:40:43 +01:00
Sebastiaan van Stijn 02fe5f4734 Merge pull request #3283 from kolyshkin/rootless-ro-bind-rw
Fix failure with rw bind mount of a ro fuse
2021-11-22 18:39:44 +01:00
dependabot[bot] e9ed200031 build(deps): bump github.com/opencontainers/selinux from 1.9.1 to 1.10.0
Bumps [github.com/opencontainers/selinux](https://github.com/opencontainers/selinux) from 1.9.1 to 1.10.0.
- [Release notes](https://github.com/opencontainers/selinux/releases)
- [Commits](https://github.com/opencontainers/selinux/compare/v1.9.1...v1.10.0)

---
updated-dependencies:
- dependency-name: github.com/opencontainers/selinux
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-11-22 04:21:12 +00:00
Sebastiaan van Stijn d1f316f324 Merge pull request #3286 from chendave/cleanup
Avoid non-op when the list of `Hooks` is empty
2021-11-19 21:29:14 +01:00
Kir Kolyshkin e3dd80fa06 Vagrantfile.fedora: revert excluding systemd
Since https://bugzilla.redhat.com/2022041 is fixed (in
systemd-249.7-2.fc35), the exclude kludge can be dropped.

This partially reverts commit b028ecb352.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-19 12:13:24 -08:00
Kir Kolyshkin 1da84d1aff libct/cg: TestGetHugePageSizeImpl: use t.Run
Move test case comments to doc strings, and use t.Run.

Suggested-by:  Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-19 12:03:12 -08:00
Dave Chen 1362291a6d Avoid non-op when the list of Hooks is empty
There is no need to run hooks when `Config.Hooks` is just an empty map,

(dlv) p p.config.Config.Hooks
github.com/opencontainers/runc/libcontainer/configs.Hooks []

Signed-off-by: Dave Chen <dave.chen@arm.com>
2021-11-19 22:37:27 +08:00
Akihiro Suda eba6097aba Merge pull request #3287 from cyphar/netlink-embedded-nulls
specconv: do not permit null bytes in mount fields
2021-11-19 14:06:59 +09:00
Kir Kolyshkin f13a932570 libct/cg: HugePageSizes: simplify code and test
1. Instead of distinguishing between errors and warnings, let's treat all
   errors as warnings, thus simplifying the code. This changes the
   function behaviour for input like hugepages-BadNumberKb --
   previously, the error from Atoi("BadNumber") was considered fatal,
   now it's just another warnings.

2. Move the warning logging to HugePageSizes, thus simplifying the test
   case, which no longer needs to read what logrus writes. Note that we
   do not want to log all the warnings (as chances are very low we'll
   get any, and if we do this means the code need to be updated), only
   the first one.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-18 18:20:49 -08:00
Kir Kolyshkin 39d4c8d5f9 libct/cg: lazy init for HugePageSizes
I have noticed that libct/cg/fs allocates 8K during init on every runc
execution:

> init github.com/opencontainers/runc/libcontainer/cgroups/fs @1.5 ms, 0.028 ms clock, 8512 bytes, 13 allocs

Apparently this is caused by global HugePageSizes variable init, which
is only used from GetStats (i.e. it is never used by runc itself).

Remove it, and use HugePageSizes() directly instead. Make it init-once,
so that GetStats (which, I guess, is periodically called by kubernetes)
does not re-read huge page sizes over and over.

This also removes 12 allocs and 8K from libct/cg/fs init section:

> $ time GODEBUG=inittrace=1 ./runc --help 2>&1 | grep cgroups/fs
> init github.com/opencontainers/runc/libcontainer/cgroups/fs @1.5 ms, 0.003 ms clock, 16 bytes, 1 allocs

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-18 18:20:49 -08:00
Kir Kolyshkin a4d4c4dd9f libct/cg: GetHugePageSize -> HugePageSizes
1. Since GetHugePageSize do not have any external users (checked by
   sourcegraph), and no internal user ever uses its second return value
   (the error), let's drop it.

2. Rename GetHugePageSize -> HugePageSizes (drop the Get prefix as per
   Go guidelines, add suffix since we return many sizes).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-18 18:20:49 -08:00
Aleksa Sarai 8b4a8f093d merge branch 'pr-3289'
Kir Kolyshkin (1):
  libct/standard_init: fix linter warning

LGTMs: thaJeztah cyphar
Closes #3289
2021-11-19 11:44:57 +11:00
Aleksa Sarai dde509df4e specconv: do not permit null bytes in mount fields
Using null bytes as control characters for sending strings via netlink
opens us up to a user explicitly putting a null byte in a mount string
(which JSON will happily let you do) and then causing us to open a mount
path different to the one expected.

In practice this is more of an issue in an environment such as
Kubernetes where you may have path-based access control policies (which
are more susceptible to these kinds of flaws).

Found by Google Project Zero.

Fixes: 9c444070ec ("Open bind mount sources from the host userns")
Reported-by: Felix Wilhelm <fwilhelm@google.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-11-19 11:41:05 +11:00
Kir Kolyshkin 50105de1d8 Fix failure with rw bind mount of a ro fuse
As reported in [1], in a case where read-only fuse (sshfs) mount
is used as a volume without specifying ro flag, the kernel fails
to remount it (when adding various flags such as nosuid and nodev),
returning EPERM.

Here's the relevant strace line:

> [pid 333966] mount("/tmp/bats-run-PRVfWc/runc.RbNv8g/bundle/mnt", "/proc/self/fd/7", 0xc0001e9164, MS_NOSUID|MS_NODEV|MS_REMOUNT|MS_BIND|MS_REC, NULL) = -1 EPERM (Operation not permitted)

I was not able to reproduce it with other read-only mounts as the source
(tried tmpfs, read-only bind mount, and an ext2 mount), so somehow this
might be specific to fuse.

The fix is to check whether the source has RDONLY flag, and retry the
remount with this flag added.

A test case (which was kind of hard to write) is added, and it fails
without the fix. Note that rootless user need to be able to ssh to
rootless@localhost in order to sshfs to work -- amend setup scripts
to make it work, and skip the test if the setup is not working.

[1] https://github.com/containers/podman/issues/12205

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-18 13:09:41 -08:00
Kir Kolyshkin 982b9a1dd3 libct/standard_init: fix linter warning
The staticcheck linter points out that the err != nil comparison
after system.Exec is always true:

> libcontainer/standard_init_linux.go#L253
> SA4023: this comparison is always true (staticcheck)
> libcontainer/system/linux.go#L43
> SA4023(related information): github.com/opencontainers/runc/libcontainer/system.Exec never returns a nil interface value (staticcheck)

Indeed, Exec either returns an error or does not return at all.

Remove the (useless) check.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-18 08:53:50 -08:00
Akihiro Suda 0d5ac13200 Merge pull request #3285 from kolyshkin/3281-followups
libct/specconv: nits
2021-11-18 14:23:50 +09:00
Kir Kolyshkin 643f8a2b40 libct/specconv: nits
1. Decapitalize errors.
2. Rename isValidName to checkPropertyName.
3. Make it return a specific error.

Suggested-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-17 17:32:28 -08:00
Sebastiaan van Stijn 20e928875a Merge pull request #3275 from kolyshkin/rm-prlimit
libcontainer/system: rm Prlimit
2021-11-17 14:38:27 +01:00
Sebastiaan van Stijn e49007f3ad Merge pull request #3281 from kolyshkin/specconv-maps
libct/specconv: reduce init allocations, use global maps, refactor
2021-11-17 13:40:59 +01:00
Kir Kolyshkin b247cd392a runc run: fix ro /dev
Commit fb4c27c4b7 (went into v1.0.0-rc93) fixed a bug with
read-only tmpfs, but introduced a bug with read-only /dev.

This happens because /dev is a tmpfs mount and is therefore remounted
read-only a bit earlier than before.

To fix,

1. Revert the part of the above commit which remounts all tmpfs mounts
   as read-only in mountToRootfs.

2. Reuse finalizeRootfs (which is already used to remount /dev
   read-only) to also remount all ro tmpfs mounts that were previously
   mounted rw in mountPropagate.

3. Remove the break in finalizeRootfs, as now we have more than one
   mount to care about.

4. Reorder the if statements in finalizeRootfs to perform the fast check
   (for ro flag) first, and compare the strings second. Since /dev is
   most probably also a tmpfs mount, do the m.Device check first.

Add a test case to validate the fix and prevent future regressions;
make sure it fails before the fix:

 ✗ runc run [ro /dev mount]
   (in test file tests/integration/mounts.bats, line 45)
     `[ "$status" -eq 0 ]' failed
   runc spec (status=0):

   runc run test_busybox (status=1):
   time="2021-11-12T12:19:48-08:00" level=error msg="runc run failed: unable to start container process: error during container init: error mounting \"devpts\" to rootfs at \"/dev/pts\": mkdir /tmp/bats-run-VJXQk7/runc.0Fj70w/bundle/rootfs/dev/pts: read-only file system"

Fixes: fb4c27c4b7
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-15 10:37:16 -08:00
Sebastiaan van Stijn 7c219d814f Merge pull request #3270 from kolyshkin/wrap-err
libct: wrap more unix errors
2021-11-14 21:16:34 +01:00
Sebastiaan van Stijn f247ad2067 Merge pull request #3280 from kolyshkin/ci-revert-kludge
Revert "ci: temporarily disable criu repo gpg check"
2021-11-13 09:44:03 +01:00
Kir Kolyshkin 029b73c1b0 libct/spec: replace isValidName regex with a function
Also, add a simple test and a benchmark (just out of sheer curiosity).

Benchmark results:

name           old time/op  new time/op  delta
IsValidName-4   540ns ± 3%    45ns ± 1%  -91.76%  (p=0.008 n=5+5)

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-12 20:23:49 -08:00
Kir Kolyshkin 6907becaf9 libct/specconv: remove isSecSuffix regex
Commit 1cd71dfd7 added isSecSuffix, but the same thing can be done
easily without a regex. This is faster and saves some init time and
memory.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-12 20:23:47 -08:00
Kir Kolyshkin 37c5fd554e libct/specconv: make parseMountOptions return Mount
parseMountOption already returns way too many values, making the code
kind of hard to read.

Since all of the return values are used as is to populate the fields of
configs.Mount, let's change it to return (semi-)populated *configs.Mount
instead.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-12 20:23:30 -08:00
Kir Kolyshkin 2c3792baf9 libct/specconv: make mountFlags and extensionFlags global
This makes the repeated calls to parseMountOptions faster,
and decreases the amount of garbage to collect.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-12 20:16:04 -08:00
Kir Kolyshkin 81586e1935 libct/specconv: reuse mountPropagationMapping in parseMountOptions
These two maps are the same, except that mountPropagationMapping
has an extra element with key of "" and value of 0. Since the
code already checks for f != 0, this extra element is not a problem.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-12 20:15:54 -08:00
Kir Kolyshkin 8fe1e8bf8c libct/specconv: rm some init allocations
Eliminate some of these allocations when starting runc:

> init github.com/opencontainers/runc/libcontainer/specconv @10 ms, 0.11 ms clock, 5408 bytes, 70 allocs

Most of this (4K) is the two regexes, which are left intact for now.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-12 20:15:37 -08:00
Kir Kolyshkin 712157f663 Revert "ci: temporarily disable criu repo gpg check"
This was a temporary kludge, which is no longer required.

This reverts commit c5ca778fa8.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-12 13:27:31 -08:00
Kir Kolyshkin f252eb5436 test/int/mount.bats: refer to github issue
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-12 12:10:46 -08:00
Kir Kolyshkin 7563a8f06d libct: wrap more unix errors
When I tried to start a rootless container under a different/wrong user,
I got:

	$ ../runc/runc --systemd-cgroup --root /tmp/runc.$$ run 445
	ERRO[0000] runc run failed: operation not permitted

This is obviously not good enough. With this commit, the error is:

	ERRO[0000] runc run failed: fchown fd 9: operation not permitted

Alas, there are still some code that returns unwrapped errnos from
various unix calls.

This is a followup to commit d8ba4128b2 which wrapped many, but not
all, bare unix errors. Do wrap some more, using either os.PathError or
os.SyscallError.

While at it,
 - use os.SyscallError instead of os.NewSyscallError;
 - use errors.Is(err, os.ErrXxx) instead of os.IsXxx(err).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-12 00:33:59 -08:00
Kir Kolyshkin db4ad6a7f1 libcontainer/system: rm Prlimit
It is now available from golang.org/x/sys/unix
(https://go-review.googlesource.com/c/sys/+/332029)

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-11 19:57:56 -08:00
Aleksa Sarai c1103d986f merge branch 'pr-3273'
Kir Kolyshkin (2):
  .cirrus.yml: silence vagrant up
  Vagrantfile.fedora: exclude systemd from upgrade

LGTMs: AkihiroSuda cyphar
2021-11-12 14:51:07 +11:00
Kir Kolyshkin 0880c001ab .cirrus.yml: silence vagrant up
This skips printing endless "Progress 0%" messages.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-11 19:19:57 -08:00
Kir Kolyshkin b028ecb352 Vagrantfile.fedora: exclude systemd from upgrade
A bug in systemd-249.6-2.fc35.x86_64 prevents rootless containers from
start when systemd manager is used.

Apparently, "config exclude" is not working in F35 dnf shell either, so
use a workaround of specifying --exclude from the command line.

This should fix runc CI for the time being.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-11 19:06:48 -08:00
Akihiro Suda cbd725e6ef Merge pull request #3223 from kolyshkin/refuse-bad-cgroup
run create/run/exec: refuse bad cgroup
2021-11-08 16:19:43 +09:00
Kir Kolyshkin 5948764a40 Merge pull request #3263 from thaJeztah/bump_mountinfo
go.mod: github.com/moby/sys/mountinfo v0.5.0
2021-11-07 23:14:44 -08:00
Kir Kolyshkin 8682983648 Merge pull request #3264 from thaJeztah/cirrus_go_version
ci/cirrus: update to Go 1.17.3
2021-11-07 23:12:53 -08:00
Sebastiaan van Stijn 12a36265c0 ci/cirrus: update to Go 1.17.3
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-11-05 17:17:12 +01:00
Sebastiaan van Stijn 02d527d26d go.mod: github.com/moby/sys/mountinfo v0.5.0
full diff: https://github.com/moby/sys/compare/mountinfo/v0.4.1...mountinfo/v0.5.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-11-05 17:10:46 +01:00
Sebastiaan van Stijn 0e21d56ed8 go.mod: golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359
full diff: https://github.com/golang/sys/compare/6f6e22806c34...69cdffdb9359

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-11-05 17:09:21 +01:00
Kir Kolyshkin ecdc966471 Merge pull request #3262 from opencontainers/dependabot/go_modules/github.com/checkpoint-restore/go-criu/v5-5.2.0
build(deps): bump github.com/checkpoint-restore/go-criu/v5 from 5.1.0 to 5.2.0
2021-11-04 22:42:52 -07:00
dependabot[bot] b2d64fed31 build(deps): bump github.com/checkpoint-restore/go-criu/v5
Bumps [github.com/checkpoint-restore/go-criu/v5](https://github.com/checkpoint-restore/go-criu) from 5.1.0 to 5.2.0.
- [Release notes](https://github.com/checkpoint-restore/go-criu/releases)
- [Commits](https://github.com/checkpoint-restore/go-criu/compare/v5.1.0...v5.2.0)

---
updated-dependencies:
- dependency-name: github.com/checkpoint-restore/go-criu/v5
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-11-05 04:16:40 +00:00
Kir Kolyshkin b6475489e3 Merge pull request #3257 from mengjiao-liu/sysctl-allow-slash
Fix the conversion of sysctl variable dots and slashes
2021-11-04 20:34:28 -07:00
Mengjiao Liu a9bb11ec3c Fix the conversion of sysctl variable dots and slashes
Signed-off-by: Mengjiao Liu <mengjiao.liu@daocloud.io>
2021-11-04 11:45:15 +08:00
Mengjiao Liu 0f933d54fe Rename package validate_test to package validate
Signed-off-by: Mengjiao Liu <mengjiao.liu@daocloud.io>
2021-11-04 11:45:15 +08:00
Kir Kolyshkin 68c2b6a7d9 runc run: refuse a frozen cgroup
Sometimes a container cgroup already exists but is frozen.
When this happens, runc init hangs, and it's not clear what is going on.

Refuse to run in a frozen cgroup; add a test case.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-03 20:36:27 -07:00
Kir Kolyshkin d08bc0c1b3 runc run: warn on non-empty cgroup
Currently runc allows multiple containers to share the same cgroup (for
example, by having the same cgroupPath in config.json). While such
shared configuration might be OK, there are some issues:

 - When each container has its own resource limits, the order of
   containers start determines whose limits will be effectively applied.

 - When one of containers is paused, all others are paused, too.

 - When a container is paused, any attempt to do runc create/run/exec
   end up with runc init stuck inside a frozen cgroup.

 - When a systemd cgroup manager is used, this becomes even worse -- such
   as, stop (or even failed start) of any container results in
   "stopTransientUnit" command being sent to systemd, and so (depending on
   unit properties) other containers can receive SIGTERM, be killed after a
   timeout etc.

Any of the above may lead to various hard-to-debug situations in production
(runc init stuck, cgroup removal error, wrong resource limits, init not
reaping zombies etc.).

One obvious solution is to refuse a non-empty cgroup when starting a new
container. This would be a breaking change though, so let's make it in
steps, with the first step is issue a warning and a deprecated notice
about a non-empty cgroup.

Later (in runc 1.2) we will replace this warning with an error.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-03 20:36:27 -07:00
Kir Kolyshkin dd696235a4 runc exec: reject paused container unless --ignore-paused
Currently, if a container is paused (i.e. its cgroup is frozen), runc exec
just hangs, and it is not obvious why.

Refuse to exec in a paused container. Add a test case.

In case runc exec in a paused container is a legit use case,
add --ignore-paused option to override the check. Document it,
add a test case.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-03 20:36:27 -07:00
Mrunal Patel 931eb942aa Merge pull request #3261 from kolyshkin/test-f35
ci/cirrus: use Fedora 35
2021-11-03 20:29:47 -07:00
Akihiro Suda 4b25a4e82a CI: update Fedora to 35
Also rename `Vagrantfile.fedora%d` to `Vagrantfile.fedora` so that
we do not need to reset the commit log on upgrading the Fedora release.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-11-03 19:12:40 -07:00
Kir Kolyshkin 7324496f1a tests/int: fix userns for Fedora 35
Some test directories are created using mktemp -d, and so they have
permissions set to 0700 and are thus inaccessible to a user inside
userns. This was workarounded for $ROOT in userns.bats before.

Now, when we have updated Cirrus CI config to use Fedora 35 (rather than
34), userns tests fail:

> runc run failed: unable to start container process: error during
> container init: error preparing rootfs: mount
> /tmp/bats-run-4pCERd/runc.f66gCC/bundle/rootfs:/tmp/bats-run-4pCERd/runc.f66gCC/bundle/rootfs,
> flags: 0x5000: permission denied

Fedora 34 image used kernel v5.11, while Fedora 35 has v5.15.
Apparently, the newer kernel also checks that the parent directories
are accessible by the user before doing mount.

Move the old workaround from userns.bats to helpers.bats, drop the r bit
(not needed), and add $BATS_RUN_TMPDIR (also created by mktemp -d) to
fix userns.bats test failures under Fedora 35.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-03 19:07:37 -07:00
Kir Kolyshkin 05272718f4 tests/int/cgroups: fix for misc controller
The misc cgroup controller, introduced in Linux 5.13, is still unknown
to systemd, and thus it cannot delegate it. Add an appropriate fixup
to the test case, similar to an earlier commit 601cf5825f.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-11-03 18:54:16 -07:00
Akihiro Suda a7ccc02fd5 Merge pull request #3251 from opencontainers/dependabot/go_modules/github.com/godbus/dbus/v5-5.0.6
build(deps): bump github.com/godbus/dbus/v5 from 5.0.5 to 5.0.6
2021-10-30 13:20:41 +09:00
Mrunal Patel a9761c4b35 Merge pull request #3254 from kolyshkin/sysctl-slash
libct/configs/validate: allow / in sysctl names
2021-10-29 12:43:07 -07:00
dependabot[bot] fc658fb611 build(deps): bump github.com/godbus/dbus/v5 from 5.0.5 to 5.0.6
Bumps [github.com/godbus/dbus/v5](https://github.com/godbus/dbus) from 5.0.5 to 5.0.6.
- [Release notes](https://github.com/godbus/dbus/releases)
- [Commits](https://github.com/godbus/dbus/compare/v5.0.5...v5.0.6)

---
updated-dependencies:
- dependency-name: github.com/godbus/dbus/v5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-10-29 16:55:45 +00:00
Kir Kolyshkin 972aea3af0 libct/configs/validate: allow / in sysctl names
Runtime spec says:

> sysctl (object, OPTIONAL) allows kernel parameters to be modified at
> runtime for the container. For more information, see the sysctl(8)
> man page.

and sysctl(8) says:

> variable
>    The name of a key to read from. An example is
>    kernel.ostype. The '/' separator is also accepted in place of a '.'.

Apparently, runc config validator do not support sysctls with / as a
separator. Fortunately this is a one-line fix.

Add some more test data where / is used as a separator.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-10-29 09:45:55 -07:00
Mrunal Patel fac268b4ff Merge pull request #3252 from AkihiroSuda/fix-libcontainer-integration-compilation-failure
fix `libcontainer/integration/exec_test.go:1859:8: undefined: ioutil`
2021-10-29 09:45:34 -07:00
Akihiro Suda 95f8ecdd53 fix libcontainer/integration/exec_test.go:1859:8: undefined: ioutil
Fix 4d17654479

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-10-28 14:56:03 +09:00
Akihiro Suda 4d17654479 Merge pull request #2576 from kinvolk/alban/userns-2484-take2
Open bind mount sources from the host userns
2021-10-28 14:50:33 +09:00
Mrunal Patel af16f56a17 Merge pull request #3242 from opencontainers/dependabot/go_modules/github.com/cilium/ebpf-0.7.0
build(deps): bump github.com/cilium/ebpf from 0.6.2 to 0.7.0
2021-10-18 13:56:44 -07:00
Mrunal Patel 0bbd7bd7e4 Merge pull request #3231 from najohnsn/no-linux-section
fix createDevices when no Linux section
2021-10-18 13:53:35 -07:00
Mrunal Patel d5c9905be8 Merge pull request #3235 from kolyshkin/rm-exc-lock
libct: Init: remove LockOSThread
2021-10-18 13:52:26 -07:00
dependabot[bot] dc473cad80 build(deps): bump github.com/cilium/ebpf from 0.6.2 to 0.7.0
Bumps [github.com/cilium/ebpf](https://github.com/cilium/ebpf) from 0.6.2 to 0.7.0.
- [Release notes](https://github.com/cilium/ebpf/releases)
- [Commits](https://github.com/cilium/ebpf/compare/v0.6.2...v0.7.0)

---
updated-dependencies:
- dependency-name: github.com/cilium/ebpf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-10-18 17:50:42 +00:00
Sebastiaan van Stijn 6d35069b5e Merge pull request #3245 from kolyshkin/go116
Drop Go 1.15 support
2021-10-17 21:14:33 +02:00
Mauricio Vásquez 8542322dfe libcontainer: Add unit tests with userns and mounts
Add a unit test to check that bind mounts that have a part of its
path non accessible by others still work when using user namespaces.

To do this, we also modify newRoot() to return rootfs directories that
can be traverse by others, so the rootfs created works for all test
(either running in a userns or not).

Signed-off-by: Mauricio Vásquez <mauricio@kinvolk.io>
Signed-off-by: Rodrigo Campos <rodrigo@kinvolk.io>
Co-authored-by: Rodrigo Campos <rodrigo@kinvolk.io>
2021-10-16 17:29:33 +02:00
Akihiro Suda d8a3446acd Merge pull request #3002 from iholder-redhat/feature/TestingSkipFinalCheckPublic
Make DevicesGroup's "TestingSkipFinalCheck" attribute public
2021-10-16 16:15:32 +09:00
Kir Kolyshkin 5516294172 Remove io/ioutil use
See https://golang.org/doc/go1.16#ioutil

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-10-14 13:46:02 -07:00
Kir Kolyshkin 6a4f4a6a37 libcontainer/ignoreTerminateErrors: simplify for Go 1.16+
One less TODO in the code, yay!

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-10-14 13:46:02 -07:00
Kir Kolyshkin 12e99a0f8d Require Go >= 1.16
Go 1.15 is not supported since Go 1.17 release (16 Aug 2021), and some
packages that we use already require Go 1.16+ (notably,
github.com/cilium/ebpf v0.7.0).

Let's require Go 1.16+.

Remove Go version requirement from README when describing dependencies,
since it is no longer needed:

	$ GO=go1.15.15 make vendor
	go1.15.15 mod tidy
	go mod tidy: go.mod file indicates go 1.16, but maximum supported version is 1.15
	make: *** [Makefile:141: vendor] Error 1

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-10-14 13:46:02 -07:00
Kir Kolyshkin 3d98676626 ci/gha: install latest stable Go version
Jobs verify/compile-buildtags and verify/deps relied on whatever Go
version is available from the Ubuntu-20.04 image, which seems to be
1.15.x).

Job test/cross-i386 was installing whatever Go version is considered to
be the default one by actions/setup-go@v2, which seems to be go 1.15.15
at the moment.

Fix all three jobs to install Go 1.x (which should translate to latest
stable Go version, i.e. 1.17.2 as of now).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-10-14 13:46:02 -07:00
Akihiro Suda 97875b0abf Merge pull request #3246 from kolyshkin/fix-ci
ci: temporarily disable criu repo gpg check
2021-10-15 05:14:05 +09:00
Kir Kolyshkin c5ca778fa8 ci: temporarily disable criu repo gpg check
This unblocks our CI, which is broken by the repo's expired signing key.

Stolen-from: https://github.com/moby/moby/pull/42935
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-10-14 12:50:17 -07:00
Rodrigo Campos 81fdc8ce1c New integration tests for user namespaces bind sources
The previous commit fixed an issue opening bind mount sources. This
commit just adds integration tests to make sure we don't regress on this
in the future.

Signed-off-by: Alban Crequy <alban@kinvolk.io>
Signed-off-by: Rodrigo Campos <rodrigo@kinvolk.io>
Co-authored-by: Rodrigo Campos <rodrigo@kinvolk.io>
2021-10-12 15:13:45 +02:00
Alban Crequy 9c444070ec Open bind mount sources from the host userns
The source of the bind mount might not be accessible in a different user
namespace because a component of the source path might not be traversed
under the users and groups mapped inside the user namespace. This caused
errors such as the following:

  # time="2020-06-22T13:48:26Z" level=error msg="container_linux.go:367:
  starting container process caused: process_linux.go:459:
  container init caused: rootfs_linux.go:58:
  mounting \"/tmp/busyboxtest/source-inaccessible/dir\"
  to rootfs at \"/tmp/inaccessible\" caused:
  stat /tmp/busyboxtest/source-inaccessible/dir: permission denied"

To solve this problem, this patch performs the following:

1. in nsexec.c, it opens the source path in the host userns (so we have
   the right permissions to open it) but in the container mntns (so the
   kernel cross mntns mount check let us mount it later:
   https://github.com/torvalds/linux/blob/v5.8/fs/namespace.c#L2312).

2. in nsexec.c, it passes the file descriptors of the source to the
   child process with SCM_RIGHTS.

3. In runc-init in Golang, it finishes the mounts while inside the
   userns even without access to the some components of the source
   paths.

Passing the fds with SCM_RIGHTS is necessary because once the child
process is in the container mntns, it is already in the container userns
so it cannot temporarily join the host mntns.

This patch uses the existing mechanism with _LIBCONTAINER_* environment
variables to pass the file descriptors from runc to runc init.

This patch uses the existing mechanism with the Netlink-style bootstrap
to pass information about the list of source mounts to nsexec.c.

Rootless containers don't use this bind mount sources fdpassing
mechanism because we can't setns() to the target mntns in a rootless
container (we don't have the privileges when we are in the host userns).

This patch takes care of using O_CLOEXEC on mount fds, and close them
early.

Fixes: #2484.

Signed-off-by: Alban Crequy <alban@kinvolk.io>
Signed-off-by: Rodrigo Campos <rodrigo@kinvolk.io>
Co-authored-by: Rodrigo Campos <rodrigo@kinvolk.io>
2021-10-12 15:13:45 +02:00
Akihiro Suda 2357eab8ca Merge pull request #3233 from kolyshkin/hugepage-fix
libct/cg/fs2: fix GetStats for unsupported hugetlb
2021-10-12 12:20:51 +09:00
Akihiro Suda a5a45c731d Merge pull request #3239 from kolyshkin/rdt-path
libct/intelrdt: add Root()
2021-10-11 13:08:06 +09:00
Sebastiaan van Stijn b098f33caf Merge pull request #3238 from kolyshkin/wrap-exec-err
libct/system: Exec: wrap the error
2021-10-08 21:18:39 +02:00
Kir Kolyshkin a80e1217d2 libct/intelrdt: add Root()
Export getIntelRdtRoot function as Root.

This is needed by google/cadvisor, which is (ab)using GetIntelRdtPath,
removed by commit 7296dc1712.

While at it, do some minimal refactoring to always use Root()
internally, not relying on variable value. Other than that it's just
some renaming.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-10-07 20:23:21 -07:00
Kir Kolyshkin 794cd66df8 libct/system: Exec: wrap the error
If the container binary to be run is removed in between runc create
and runc start, the latter spits the following error:

> can't exec user process: no such file or directory

This is a bit confusing since we don't see what file is missing.

Wrap the unix.Exec error into os.PathError, like in many other cases,
to provide some context. Remove the error wrapping from
(*linuxStandardInit).Init as it is now redundant.

With this patch, the error is now:

> exec /bin/false: no such file or directory

Reported-by: Daniel J Walsh <dwalsh@redhat.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-10-07 11:09:08 -07:00
Aleksa Sarai 3a5223d010 merge branch 'pr-3236'
dependabot[bot] (1):
  build(deps): bump github.com/opencontainers/selinux from 1.8.5 to 1.9.1

LGTMs: AkihiroSuda cyphar
2021-10-07 17:37:33 +11:00
dependabot[bot] 6eba68deae build(deps): bump github.com/opencontainers/selinux from 1.8.5 to 1.9.1
Bumps [github.com/opencontainers/selinux](https://github.com/opencontainers/selinux) from 1.8.5 to 1.9.1.
- [Release notes](https://github.com/opencontainers/selinux/releases)
- [Commits](https://github.com/opencontainers/selinux/compare/v1.8.5...v1.9.1)

---
updated-dependencies:
- dependency-name: github.com/opencontainers/selinux
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-10-07 04:21:41 +00:00
Kir Kolyshkin f594edee21 Merge pull request #3059 from kolyshkin/cgroup-clean
runc exec --cgroup
2021-10-06 18:02:46 -07:00
Kir Kolyshkin e395d2dc50 libct: Init: remove LockOSThread
This call is already made in init.go, no need for a duplicate.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-10-05 19:19:40 -07:00
Kir Kolyshkin 916c6a1539 libct/cg/fs2: fix GetStats for unsupported hugetlb
In case hugetlb is not supported, GetStats() should not error out,
and yet it does.

Assume that if GetHugePageSize return an error, hugetlb is
not supported (this is what cgroup v1 manager do).

Fixes: 89a87adb
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-10-05 16:48:15 -07:00
Kir Kolyshkin c670691ee8 Merge pull request #3226 from chenk008/fix_delete_cgroupv2
Remove sub cgroup when container exits
2021-10-05 14:06:25 -07:00
Itamar Holder f9667e633b Make DevicesGroup's "TestingSkipFinalCheck" attribute public
Users would like to have the possibility to skip checks for their
tests the same way they are skipped within the tests in runc.

Not exposing this variable makes it very hard to test components
that use this library. To avoid copying-and-pasting the code
into outside projects this variable sould be exposed to the users.

Signed-off-by: Itamar Holder <iholder@redhat.com>
2021-10-05 17:36:39 +03:00
Sebastiaan van Stijn 8e7ab26104 Merge pull request #3230 from kolyshkin/release-arch-followup
Dockerfile: fix for seccomp
2021-10-05 10:06:24 +02:00
Neil Johnson 2e0ceaa935 fix createDevices when no Linux section
Signed-off-by: Neil Johnson <najohnsn@us.ibm.com>
2021-10-04 17:37:19 -04:00
Kir Kolyshkin fae5d8b568 release: add s390x
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-10-01 10:25:30 -07:00
Kir Kolyshkin f95063ede4 Dockerfile: fix for seccomp
Commit f30244ee1b broke the scenario of using Dockefile for
anything but making a release. This happened because it installed
native libseccomp build to a temporary directory, and so linking against
libseccomp required setting a few environment variables.

Let's fix this, and simplify libseccomp installation. Instead of using
temporary directories, let's install native libseccomp to a specified
directory, all the cross-builds to its subdirectories, and set
PKG_CONFIG_PATH and LD_LIBRARY_PATH in Dockerfile so that the built
library will found by pkg-config and the dynamic linker (without setting
LD_LIBRARY_PATH, ld picks up distro-provided libseccomp.so).

While at it, fix some bugs introduced by the abovementioned commit.

This fixes building runc in  make targets like shell, dbuild,
integration, unittest -- i.e. those that depend on runcimage.

Fixes: f30244ee1b
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-10-01 10:20:56 -07:00
Kang Chen 7758d3fb02 libct/cg/sd/v2: Destroy: remove cgroups recursively
Currently, we can create subcgroup in a rootless container with systemd cgroupv2 on centos8.
But after the container exited, the container cgroup and its subcgroup will not be removed.

Fix this by removing all directories recursively.

Fixes: https://github.com/opencontainers/runc/issues/3225

Signed-off-by: Kang Chen <kongchen28@gmail.com>
2021-10-01 22:07:02 +08:00
Aleksa Sarai d1c9b43e94 merge branch 'pr-3228'
Kir Kolyshkin (1):
  contrib: rm init from bash completion

LGTMs: AkihiroSuda cyphar
Closes #3228
2021-09-28 15:06:33 +10:00
Kir Kolyshkin 580e43ec25 contrib: rm init from bash completion
Commit 7a0302f0d7 already removed "runc init" from runc help output,
as this is an internal option not supposed to be used by the end user.

Let's remove runc init completion, too.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-27 16:54:38 -07:00
Kir Kolyshkin 0202c398ff runc exec: implement --cgroup
In some setups, multiple cgroups are used inside a container,
and sometime there is a need to execute a process in a particular
sub-cgroup (in case of cgroup v1, for a particular controller).
This is what this commit implements.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-27 10:25:42 -07:00
Mauricio Vásquez cc15b887a0 tests: add integration test for cgroups hybrid
Check that runc run and runc exec put the process on the same cgroups v2
when using hybrid mode.

Signed-off-by: Mauricio Vásquez <mauricio@kinvolk.io>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-27 10:25:12 -07:00
Mauricio Vásquez a8435007d9 cgroups: join cgroup v2 when using hybrid mode
Currently the parent process of the container is moved to the right
cgroup v2 tree when systemd is using a hybrid model (last line with 0::):

$ runc --systemd-cgroup run myid
/ # cat /proc/self/cgroup
12:cpuset:/system.slice/runc-myid.scope
11:blkio:/system.slice/runc-myid.scope
10:devices:/system.slice/runc-myid.scope
9:hugetlb:/system.slice/runc-myid.scope
8:memory:/system.slice/runc-myid.scope
7:rdma:/
6:perf_event:/system.slice/runc-myid.scope
5:net_cls,net_prio:/system.slice/runc-myid.scope
4:freezer:/system.slice/runc-myid.scope
3:pids:/system.slice/runc-myid.scope
2:cpu,cpuacct:/system.slice/runc-myid.scope
1:name=systemd:/system.slice/runc-myid.scope
0::/system.slice/runc-myid.scope

However, if a second process is executed in the same container, it is
not moved to the right cgroup v2 tree:

$ runc exec myid /bin/sh -c 'cat /proc/self/cgroup'
12:cpuset:/system.slice/runc-myid.scope
11:blkio:/system.slice/runc-myid.scope
10:devices:/system.slice/runc-myid.scope
9:hugetlb:/system.slice/runc-myid.scope
8:memory:/system.slice/runc-myid.scope
7:rdma:/
6:perf_event:/system.slice/runc-myid.scope
5:net_cls,net_prio:/system.slice/runc-myid.scope
4:freezer:/system.slice/runc-myid.scope
3:pids:/system.slice/runc-myid.scope
2:cpu,cpuacct:/system.slice/runc-myid.scope
1:name=systemd:/system.slice/runc-myid.scope
0::/user.slice/user-1000.slice/session-8.scope

This commit makes that processes executed with exec are placed into the
right cgroup v2 tree. The implementation checks if systemd is using a
hybrid mode (by checking if cgroups v2 is mounted in
/sys/fs/cgroup/unified), if yes, the path of the cgroup v2 slice for
this container is saved into the cgroup path list.

The fs group driver has a similar issue, in this case none of the runc
run or runc exec commands put the process in the right cgroups v2. This
commit also fixes that.

Having the processes of the container in its own cgroup v2 is useful
for any BPF programs that rely on bpf_get_current_cgroup_id(), like
https://github.com/kinvolk/inspektor-gadget/ for instance.

[@kolyshkin: rebased]

Signed-off-by: Mauricio Vásquez <mauricio@kinvolk.io>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-23 19:29:11 -07:00
Kir Kolyshkin 39914db679 runc exec: don't skip non-existing cgroups
The function used here, cgroups.EnterPid, silently skips non-existing
paths, and it does not look like a good idea to do so for an existing
container with already configured cgroups.

Switch to cgroups.WriteCgroupProc which does not do that, so in case
a cgroup does not exist, we'll get an error.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-23 19:26:57 -07:00
Kir Kolyshkin 7d446c63d0 libct/cg.WriteCgroupProcs: improve errors
No need to add a file name to the error messages, as errors from
OpenFile and (*os.File).Write both contain the file name already.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-23 19:26:57 -07:00
Kir Kolyshkin cc1d746643 exec.go: nit
No need to have an intermediate variable here.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-23 19:26:57 -07:00
Aleksa Sarai e999e29a28 merge branch 'pr-3222'
Kir Kolyshkin (5):
  ci/gha: test criu-dev with latest go
  ci/gha: remove debug info
  CI/GHA: switch to OBS criu repo
  Dockerfile: fix apt-key warning
  Dockerfile: use Debian_11 repo for criu

LGTMs: mrunalp cyphar
2021-09-24 11:05:57 +10:00
Mrunal Patel b1b0e7f8d9 Merge pull request #3216 from kolyshkin/manager-new
cgroup: make paths available, simplify getting manager
2021-09-23 14:44:13 -07:00
Kir Kolyshkin 0d297b7190 ci/gha: test criu-dev with latest go
As commits 120f74060 and a58718013 were added independently,
criu-dev go version was left at 1.16.x. Fix this.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-23 12:58:26 -07:00
Kir Kolyshkin 16aedc3130 ci/gha: remove debug info
This was supposed to be added temporarily, but slipped into the final
commit.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-23 12:58:26 -07:00
Kir Kolyshkin 3fd1851ce9 CI/GHA: switch to OBS criu repo
This will bring criu 3.16, which is available from OBS but not (yet?) PPA.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-23 12:58:21 -07:00
Kir Kolyshkin 81dc559993 Dockerfile: fix apt-key warning
This fixes

> Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).

Apparently, "the internets" disagree with the above, instead suggesting
using /usr/share/keyrings and a signed-by= declaration in sources.list.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-23 12:20:11 -07:00
Kir Kolyshkin 2bf560fbd7 Dockerfile: use Debian_11 repo for criu
The Debian_11 was not available in this repo at the time when commit 24d318b8b
was made, so we had to use Debian_10 URL for Debian 11 (apparently without any
consequences).

Now Debian_11 is available, so let's switch to it.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-23 11:23:18 -07:00
Kir Kolyshkin 99ddc1be16 libct/cg/fs: rm m.config == nil checks
It is assumed that m.config is not nil, so these checks are redundant
(in case it is nil, NewManager panics and this code is unreachable).

Note that cgroups/manager.New checks that config is not nil.

Remove them.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-23 09:12:14 -07:00
Kir Kolyshkin 57edce4659 libct/cg: add Resources=nil unit test
Cgroup controllers should never panic, and yet sometimes they do.

Add a unit test to check that controllers never panic when called with
nil arguments and/or resources, and fix a few found cases.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-23 09:12:14 -07:00
Kir Kolyshkin 1af4ed1110 libct/cg/sd/v2: move fsMgr init to NewUnifiedManager
Many operations require fsMgr, so let's create it right in
NewUnifiedManager and reuse.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-23 09:12:14 -07:00
Kir Kolyshkin 9a2146fa3d libct/cg/sd/v2: move path init to NewUnifiedManager
This fixes the same issue as e.g. commit 4f8ccc5ff5
but in a more universal way.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-23 09:12:14 -07:00
Kir Kolyshkin 39be6e9768 libct/cg/fs2: minor optimization
cgName and cgParent are only used when cgPath is empty, so move
their cleaning to the body of the appropriate "if" statement.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-23 09:12:14 -07:00
Kir Kolyshkin b14a6cf9a6 libct/cg/sd/v1: move path init to NewLegacyManager
This way we
 - won't re-initialize the paths if they were provided;
 - will always have paths ready for every method.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-23 09:12:14 -07:00
Kir Kolyshkin fcc4816818 libct/cg/fs: document path removal
This is already documented but I guess more explanations (in particular,
why the path is being removed from paths) won't hurt.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-23 09:12:14 -07:00
Kir Kolyshkin 6c5441e5cb libct/cg/fs: move paths init to NewManager
1. Separate path initialization logic from Apply to initPaths,
   and call initPaths from NewManager, so:
   - we can error out early (in NewManager rather than Apply);
   - always have m.paths available (e.g. in Destroy or Exists).
   - do not unnecessarily call subsysPath from Apply in case
     the paths were already provided.

2. Add a check for non-nil cgroups.Resources to NewManager,
   since initPaths, as well as some controller's Apply methods,
   need it.

3. Move cgroups.Resources.Unified check from Apply to NewManager,
   so we can error out early (same check exists in Set).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-23 09:12:14 -07:00
Kir Kolyshkin 097c6d7425 libct/cg: simplify getting cgroup manager
1. Make Rootless and Systemd flags part of config.Cgroups.

2. Make all cgroup managers (not just fs2) return error (so it can do
   more initialization -- added by the following commits).

3. Replace complicated cgroup manager instantiation in factory_linux
   by a single (and simple) libcontainer/cgroups/manager.New() function.

4. getUnifiedPath is simplified to check that only a single path is
   supplied (rather than checking that other paths, if supplied,
   are the same).

[v2: can't -> cannot]

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-23 09:11:44 -07:00
Mrunal Patel 147ad561e8 Merge pull request #3197 from kolyshkin/release-arm64
*: add cross-build, CI job, update to libseccomp 2.5.2
2021-09-22 13:34:01 -07:00
Kir Kolyshkin 79185bc806 Merge pull request #3215 from kolyshkin/cgroupv1-opts
cgroupv1: refactor and optimize
2021-09-21 11:51:03 -07:00
Kir Kolyshkin 03244ef2cf Merge pull request #3217 from kolyshkin/delete-paused
runc delete -f: fix for cg v1 + paused container
2021-09-20 10:51:40 -07:00
Kir Kolyshkin 3c8db638e7 script/release.sh: update libseccomp to 2.5.2
Release notes:
 https://github.com/seccomp/libseccomp/releases/tag/v2.5.2

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-20 10:08:42 -07:00
Kir Kolyshkin f30244ee1b make release: add cross-build
This implements cross-build for "make release", moving the build into a
container. This way we can support arm, arm64, ppc, and whatnot.

* script/seccomp.sh: separate out of script/release.sh, amend to support
  cross-compile and save needed environment variables to a file.

* Dockerfile: add installing libseccomp from source, as this is needed
  for release builds.

* script/release.sh: amend to support more architectures in addition to
  the native build. Additional arches can be added by specifying
  "-a <arch>" argument (can be specified multiple times), or
  "make RELEASE_ARGS="-a arm64" release" if called via make.
  All supported architectures can be enabled via "make releaseall".

* Makefile: move "release" target to "localrelease", add "release" and
  "releaseall" targets to build via the Dockerfile. This is done because
  most distros (including Fedora and openSUSE) lack cross-glibc, which is
  needed to cross-compile libseccomp.

* Makefile: remove 'cross' and 'localcross' targets, as this is now done
  by the release script.

* .github/workflows/validate.yum: amend the release CI job to cross-build
  for supported architectures, remove cross job.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-20 10:05:58 -07:00
Sebastiaan van Stijn 206c16a7bf Merge pull request #3068 from adrianreber/2021-07-07-lsm-mount-context
support changing of lsm mount context on restore
2021-09-20 18:53:04 +02:00
Kir Kolyshkin 23d79aae86 Makefile: only build runc for static target
There is no need to have a static version of recvtty and/or sd-helper
binary.

This speeds up script/release.sh a bit.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-20 09:35:33 -07:00
Kir Kolyshkin d2b6899ea9 Makefile: fixes for seccompagent
1. The seccompagent target it built in the same way as others in contrib,
   so there is no need to have a separate rule.

2. Mark seccompagent as phony, because it is (it rarely happens, but I
   actually just had an issue because this was absent).

3. Add seccompagent binary to clean target.

Fixes: e21a9ee81

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-20 09:35:33 -07:00
Adrian Reber 43b36dc4ac Support changing of lsm mount context on restore
Wire through CRIU's support to change the mount context on restore.

This is especially useful if restoring a container in a different pod.

Single container restore uses the same SELinux process label and
same mount context as during checkpointing. If a container is being
restored into an existing pod the process label and the mount context
needs to be changed to the context of the pod.

Changing process label on restore is already supported by runc. This
patch adds the possibility to change the mount context.

Signed-off-by: Adrian Reber <areber@redhat.com>
2021-09-20 10:01:16 +02:00
Adrian Reber 412d68d1bd Vendor in go-criu v5.1.0
Signed-off-by: Adrian Reber <areber@redhat.com>
2021-09-20 10:01:16 +02:00
Akihiro Suda d362b7acf5 Merge pull request #3219 from zhsj/simple-bits
libct/cg: replace bitset with std math/big library
2021-09-20 15:05:21 +09:00
Shengjing Zhu 163e2523d7 libct/cg: replace bitset with std math/big library
Cut down third party dependency.

Signed-off-by: Shengjing Zhu <zhsj@debian.org>
2021-09-19 23:38:15 +08:00
Kir Kolyshkin 6806b2c1c4 runc delete -f: fix for cg v1 + paused container
runc delete -f is not working for a paused container, since in cgroup v1
SIGKILL does nothing if a process is frozen (unlike cgroup v2, in which
you can kill a frozen process with a fatal signal).

Theoretically, we only need this for v1, but doing it for v2 as well is
OK.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-15 14:55:14 -07:00
Aleksa Sarai dbc294fc1e merge branch 'pr-3214'
Kir Kolyshkin (3):
  create, run: amend final errors
  startContainer: minor refactor
  delete, start: remove newline from errors

LGTMs: AkihiroSuda cyphar
2021-09-15 15:16:11 +10:00
Kir Kolyshkin e692886563 libct/cg/fs: refactor
1. Dismantle and remove struct cgroupData. It contained three unrelated
   entities (cgroup paths, pid, and resources), and made the code
   harder to read. Most importantly, though, it is not needed.
   Now, subsystems' Apply methods take path, resources, and pid.

   To a reviewer -- the core of the changes is in fs.go and paths.go,
   the rest of it is adapting to the new signatures and related test
   changes.

2. Dismantle and remove struct cgroupTestUtil. This is a followup
   to the previous item -- since cgroupData is gone, there is nothing
   to hold in cgroupTestUtil. The change itself is very small (see
   util_test.go), but this patch is big because of it -- mostly
   because we had to replace helper.cgroup.Resources with
   &config.Resources{}.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-14 12:06:21 -07:00
Kir Kolyshkin 7d1cb320ad libct/cg/fs: rename join to apply
As this is called from the Apply() method, it's a natural name.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-14 12:06:02 -07:00
Kir Kolyshkin 5c7cb837c7 libct/cg/fs: micro optimization
In case c.Path is set, c.Name and c.Parent are not used, and so
calls to utils.CleanPath are entirely unnecessary. Move them to
inside of the "if" statement body.

Get rid of the intermediate cgPath variable, it is not needed.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-14 12:05:49 -07:00
Kir Kolyshkin 19b542a576 libct/cg/fs: move internal code out of fs.go
Now fs.go is not very readable as its public API functions are
intermixed with internal stuff about getting cgroup paths.

Move that out to paths.go, without changing any code.

Same for the tests -- move paths-related tests to paths_test.go.

This commit is separate to make the review easier.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-14 12:05:34 -07:00
Kir Kolyshkin eb09df749a libct/cg/sd/v1: initPaths: minor optimization
As ExpandSlice("system.slice") returns "/system.slice", there is no need
to call it for such paths (and the slash will be added by path.Join
anyway).

The same optimization was already done for v2 as part of commit
bf15cc99b1.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-14 11:58:52 -07:00
Kir Kolyshkin 63c84917f3 libct/cg/sd/v1: optimize initPaths
It does not make sense to calculate slice and unit 10+ times.
Move those out of the loop.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-14 11:58:34 -07:00
Kir Kolyshkin c7e0864d5f libct/cg/sd/v1: factor out initPaths
No functional change.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-14 11:58:20 -07:00
Kir Kolyshkin dc907e8d11 libct/cg/sd/v*.go: nit
We were checking if a unit is a slice two times. Consolidate those
checks, and improve comments while we're at it.

The code is the same in v1 and v2 but it's too complicated to factor it
out, thus we just do the same changes in v1.go and v2.go.

No functional change.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-14 11:57:34 -07:00
Kir Kolyshkin d974b22ac4 create, run: amend final errors
As the error may contain anything, it may not be clear to a user that
the whole (create or run) operation failed. Amend the errors.

Also, change the code flow in create to match that of run, so we don't
have to add the fake "return nil" at the end.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-14 10:53:11 -07:00
Kir Kolyshkin 9ba2f65d6b startContainer: minor refactor
All three callers* of startContainer call revisePidFile and createSpec
before calling it, so it makes sense to move those calls to inside of
the startContainer, and drop the spec argument.

* -- in fact restore does not call revisePidFile, but it should.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-14 10:53:11 -07:00
Kir Kolyshkin 1545ea69b7 delete, start: remove newline from errors
Error messages should not usually contain newlines.

Testing shows that the error runc delete prints is the same before and
after this commit:

	[kir@kir-rhat runc-tst]$ sudo ../runc/runc delete xx3
	ERRO[0000] cannot delete container xx3 that is not stopped: running
	[kir@kir-rhat runc-tst]$

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-14 10:52:03 -07:00
Kir Kolyshkin bcadc5bf3e Merge pull request #3206 from kinvolk/rata/notify
Add tests for seccomp agent example
2021-09-13 16:10:36 -07:00
Kir Kolyshkin cd7df39ac5 Merge pull request #3201 from kolyshkin/nsexec-less-logs
nsexec.c: don't write logs that are to be discarded
2021-09-13 13:40:15 -07:00
Sebastiaan van Stijn 2eaeea77c2 Merge pull request #3207 from kolyshkin/update-shfmt
ci/gha: bump shfmt to 3.3.1
2021-09-10 23:36:56 +02:00
Rodrigo Campos af641cd587 seccomp: Add test using the seccomp agent example
This commit adds the config.json as generated by the script. Note that
the diff is minimal if you see this commit with "git show -w". The
differences are mostly whitespaces and some ordering.

We add a simple test that runs this and expects sucess.

Signed-off-by: Rodrigo Campos <rodrigo@kinvolk.io>
2021-09-10 12:44:43 +02:00
Aleksa Sarai 5906c67371 merge branch 'pr-3208'
Kir Kolyshkin (2):
  ci/gha: update golangci-lint to 1.42.1
  contrib/cmd/seccompagent: fix build tags

LGTMs: AkihiroSuda cyphar
2021-09-10 18:09:46 +10:00
Akihiro Suda 7e9fd9941a Merge pull request #3211 from opencontainers/dependabot/go_modules/github.com/bits-and-blooms/bitset-1.2.1
build(deps): bump github.com/bits-and-blooms/bitset from 1.2.0 to 1.2.1
2021-09-10 16:03:40 +09:00
Akihiro Suda eedf585a04 Merge pull request #3210 from opencontainers/dependabot/go_modules/github.com/opencontainers/selinux-1.8.5
build(deps): bump github.com/opencontainers/selinux from 1.8.4 to 1.8.5
2021-09-10 16:03:09 +09:00
dependabot[bot] 0865908023 build(deps): bump github.com/bits-and-blooms/bitset from 1.2.0 to 1.2.1
Bumps [github.com/bits-and-blooms/bitset](https://github.com/bits-and-blooms/bitset) from 1.2.0 to 1.2.1.
- [Release notes](https://github.com/bits-and-blooms/bitset/releases)
- [Commits](https://github.com/bits-and-blooms/bitset/compare/v1.2.0...v1.2.1)

---
updated-dependencies:
- dependency-name: github.com/bits-and-blooms/bitset
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-09-10 04:22:43 +00:00
dependabot[bot] 622acd24fb build(deps): bump github.com/opencontainers/selinux from 1.8.4 to 1.8.5
Bumps [github.com/opencontainers/selinux](https://github.com/opencontainers/selinux) from 1.8.4 to 1.8.5.
- [Release notes](https://github.com/opencontainers/selinux/releases)
- [Commits](https://github.com/opencontainers/selinux/compare/v1.8.4...v1.8.5)

---
updated-dependencies:
- dependency-name: github.com/opencontainers/selinux
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-09-10 04:22:23 +00:00
Kir Kolyshkin 47abdceef1 ci/gha: update golangci-lint to 1.42.1
v1.42.1 was released tagged a few days ago.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-09 17:06:48 -07:00
Kir Kolyshkin 704a1878ef contrib/cmd/seccompagent: fix build tags
* cgo tag is not required;
* add new style (go1.17+) build tags.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-09 17:06:48 -07:00
Kir Kolyshkin 49137c2aa0 ci/gha: bump shfmt to 3.3.1
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-09 16:37:00 -07:00
Kir Kolyshkin f1b703fc45 libct/nsenter/nsexec.c: honor _LIBCONTAINER_LOGLEVEL
Currently, if the log level is not set to e.g. "debug", runc init sends
some debug logs to the parent, which parses and discards it.

It is better to not send those in the first place.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-09 15:01:26 -07:00
Kir Kolyshkin d5ffe83f94 libct/nsenter/nsexec.c: factor out getenv_int
The code already parses an environment variable into an integer twice,
and we're about to add a third one.

Factor it out to getenv_int().

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-09 14:57:20 -07:00
Kir Kolyshkin d2f49d4563 libct/nsenter/nsexec.c: improve bail
This makes it possible to use bail() even if logging is not set up
(yet), so we don't have to think whether it's OK to use it or not.
In addition, this might help some unit tests that do not set log
forwarding.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-09 14:57:20 -07:00
Kir Kolyshkin 6c4a3b13d1 runc init: pass _LIBCONTAINER_LOGLEVEL as int
Instead of passing _LIBCONTAINER_LOGLEVEL as a string
(like "debug" or "info"), use a numeric value.

Also, simplify the init log level passing code -- since we actually use
the same level as the runc binary, just get it from logrus.

This is a preparation for the next commit.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-09 14:57:20 -07:00
Kir Kolyshkin 0a3577c680 utils_linux: simplify newProcess
newProcess do not need those extra arguments, they can be handled
in the caller.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-09 14:57:20 -07:00
Kir Kolyshkin 9e22bca54a Merge pull request #3204 from cyphar/seccomp-kill-thread-process
Add support for seccomp actions ActKillThread and ActKillProcess
2021-09-09 08:50:39 -07:00
Rodrigo Campos 51cd519e4c seccomp agent: Return non-zero on failures
This is useful for future patches, that will run the config in tests.

Signed-off-by: Rodrigo Campos <rodrigo@kinvolk.io>
2021-09-09 17:05:28 +02:00
Rodrigo Campos 8b790e4f4f seccomp agent: Use arch SCMP_ARCH_X86_64
Signed-off-by: Rodrigo Campos <rodrigo@kinvolk.io>
2021-09-09 16:48:07 +02:00
Sascha Grunert 4a4d4f109b Add support for seccomp actions ActKillThread and ActKillProcess
Two new seccomp actions have been added to the libseccomp-golang
dependency, which can be now supported by runc, too.

ActKillThread kills the thread that violated the rule. It is the same as
ActKill. All other threads from the same thread group will continue to
execute.

ActKillProcess kills the process that violated the rule. All threads in
the thread group are also terminated. This action is only usable when
libseccomp API level 3 or higher is supported.

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-09-09 17:47:00 +10:00
Aleksa Sarai 4a751b05a9 seccomp: drop unnecessary const SCMP_ACT_* defines
These are just boilerplate and are only really useful for the two
actions which require us to set a default errno/aux value (ActErrno and
ActTrace).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-09-09 17:46:34 +10:00
dependabot[bot] 41936bf8c1 Merge pull request #3203 from opencontainers/dependabot/go_modules/github.com/godbus/dbus/v5-5.0.5 2021-09-09 06:16:17 +00:00
Aleksa Sarai 76c1583413 merge branch 'pr-3186'
Akihiro Suda (1):
  improve error message when dbus-user-session is not installed

LGTMs: kolyshkin cyphar
2021-09-09 14:57:03 +10:00
Aleksa Sarai 3eccbe995e merge branch 'pr-3157'
Kir Kolyshkin (6):
  runc --debug: shorter caller info
  libct/logs: do not show caller in nsexec logs
  libct/logs: parse log level implicitly
  libct/logs: test: make more robust
  libct/logs: remove ConfigureLogging
  init.go, main.go: don't use logs.ConfigureLogging

LGTMs: thaJeztah cyphar
2021-09-09 14:54:53 +10:00
Aleksa Sarai 1e5fe26f4e merge branch 'pr-2696'
Kir Kolyshkin (3):
  libct/system: add I and P process states
  libct/system.Stat: fix/improve/speedup
  libct/system/proc_test: fix, improve, add benchmark

LGTMs: thaJeztah cyphar
2021-09-09 14:37:19 +10:00
Aleksa Sarai 8bf032602a merge branch 'pr-3047'
Liu Hua (1):
  checkpoint: resolve symlink for external bind mount(fix ci broken)

LGTMs: kolyshkin cyphar
2021-09-09 14:24:26 +10:00
dependabot[bot] 72b5c3ca18 build(deps): bump github.com/godbus/dbus/v5 from 5.0.4 to 5.0.5
Bumps [github.com/godbus/dbus/v5](https://github.com/godbus/dbus) from 5.0.4 to 5.0.5.
- [Release notes](https://github.com/godbus/dbus/releases)
- [Commits](https://github.com/godbus/dbus/compare/v5.0.4...v5.0.5)

---
updated-dependencies:
- dependency-name: github.com/godbus/dbus/v5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-09-09 04:21:44 +00:00
Aleksa Sarai 9a0419b920 merge branch 'pr-2682'
Alban Crequy (3):
  vendoring: Use libseccomp with notify support
  Implement Seccomp Notify
  contrib: add sample seccomp agent

Mauricio Vásquez (4):
  libcontainer/utils: introduce SendFds
  libcontainer/specconv: extend SetupSeccomp tests
  tests: add functional tests for seccomp
  tests: add functional tests for seccomp notify

Co-developed-by: Rodrigo Campos
LGTMs: kolyshkin cyphar
2021-09-08 14:31:43 +10:00
Akihiro Suda 110bdb02e6 Merge pull request #3200 from kolyshkin/release-fix-for-opensuse
script/release.sh: fix for opensuse
2021-09-07 20:17:27 +09:00
Mauricio Vásquez 00772caec7 tests: add functional tests for seccomp notify
Add functional test to check seccomp notify end-to-end. This test uses the
sample seccomp agent from the contrib/cmd folder.

Signed-off-by: Mauricio Vásquez <mauricio@kinvolk.io>
Signed-off-by: Rodrigo Campos <rodrigo@kinvolk.io>
Co-authored-by: Rodrigo Campos <rodrigo@kinvolk.io>
2021-09-07 13:04:24 +02:00
Mauricio Vásquez 5ae831d9b3 tests: add functional tests for seccomp
Test KILL and ERRNO actions.

Signed-off-by: Mauricio Vásquez <mauricio@kinvolk.io>
2021-09-07 13:04:24 +02:00
Alban Crequy e21a9ee813 contrib: add sample seccomp agent
Implement sample seccomp agent. It's also used in integration tests in
the following commit.

Instructions how to use it in contrib/cmd/seccompagent/README.md

Signed-off-by: Alban Crequy <alban@kinvolk.io>
Signed-off-by: Rodrigo Campos <rodrigo@kinvolk.io>
Co-authored-by: Rodrigo Campos <rodrigo@kinvolk.io>
2021-09-07 13:04:24 +02:00
Mauricio Vásquez c64aaf0e0b libcontainer/specconv: extend SetupSeccomp tests
Extend the SetupSeccomp tests by adding the following cases:
- Test nil config
- Test empty config
- Test bad action and architecture
- Test all possible actions

Signed-off-by: Mauricio Vásquez <mauricio@kinvolk.io>
2021-09-07 13:04:24 +02:00
Alban Crequy 2b025c0173 Implement Seccomp Notify
This commit implements support for the SCMP_ACT_NOTIFY action. It
requires libseccomp-2.5.0 to work but runc still works with older
libseccomp if the seccomp policy does not use the SCMP_ACT_NOTIFY
action.

A new synchronization step between runc[INIT] and runc run is introduced
to pass the seccomp fd. runc run fetches the seccomp fd with pidfd_get
from the runc[INIT] process and sends it to the seccomp agent using
SCM_RIGHTS.

As suggested by @kolyshkin, we also make writeSync() a wrapper of
writeSyncWithFd() and wrap the error there. To avoid pointless errors,
we made some existing code paths just return the error instead of
re-wrapping it. If we don't do it, error will look like:

	writing syncT <act>: writing syncT: <err>

By adjusting the code path, now they just look like this
	writing syncT <act>: <err>

Signed-off-by: Alban Crequy <alban@kinvolk.io>
Signed-off-by: Rodrigo Campos <rodrigo@kinvolk.io>
Co-authored-by: Rodrigo Campos <rodrigo@kinvolk.io>
2021-09-07 13:04:24 +02:00
Mauricio Vásquez 4e7aeff610 libcontainer/utils: introduce SendFds
SendFds is a helper function for sending a set of file descriptors and a message
over a unix domain socket.

Signed-off-by: Mauricio Vásquez <mauricio@kinvolk.io>
2021-09-07 12:38:12 +02:00
Alban Crequy c55530bedc vendoring: Use libseccomp with notify support
The notify support has been merged in libseccomp-golang in this PR:
	https://github.com/seccomp/libseccomp-golang/pull/59

Also, we update to new API of libseccomp-golang so code doesn't break.

Signed-off-by: Alban Crequy <alban@kinvolk.io>
Signed-off-by: Rodrigo Campos <rodrigo@kinvolk.io>
Co-authored-by: Rodrigo Campos <rodrigo@kinvolk.io>
2021-09-07 12:38:12 +02:00
Akihiro Suda a244d57906 Merge pull request #3198 from Vanient/master
optimize log: move WriteJSON defer as early as possible
2021-09-07 15:19:16 +09:00
xiadanni 64358c4de9 optimize log: move WriteJSON defer as early as possible
if function returns error before WriteJSON defer, error will not be
printed out, so move this defer as early as possible and use logrus to
print out error if returns before it.

Signed-off-by: xiadanni <xiadanni1@huawei.com>
2021-09-07 07:00:57 +08:00
Kir Kolyshkin 39d0ee18e9 script/release.sh: fix for opensuse
openSUSE comes with site-config package, which makes configure select
${prefix}/lib64 as libdir on x86_64, unless explicitly specified.

Since release.sh relies on a particular libdir path (for pkgconfig), it
breaks things:

> + make -C /home/kir/git/runc PKG_CONFIG_PATH=/tmp/tmp.QgIJ1sR5c9/lib/pkgconfig COMMIT_NO= EXTRA_FLAGS=-a 'EXTRA_LDFLAGS=-w -s -buildid=' static
> make[1]: Entering directory '/home/kir/git/runc'
> CGO_ENABLED=1 go build -trimpath -a -tags "seccomp netgo osusergo" -ldflags "-extldflags -static -X main.gitCommit=v1.0.0-204-g963e0146 -X main.version=1.0.0+dev -w -s -buildid=" -o runc .
> Package libseccomp was not found in the pkg-config search path.
> Perhaps you should add the directory containing `libseccomp.pc'

To fix, we have to explicitly specify libdir.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-06 12:56:04 -07:00
Kir Kolyshkin a20c8b29d4 runc --debug: shorter caller info
Commit 9f3d7534ea enabled logrus to show information about log
caller, if --debug is set.

The problem is, the file name and in many cases the function name have a
long prefix of github.com/opencontainers/runc (this is with -trimpath,
and without it it's worse).

Add a function to trim the prefix.

Note all this happens only when --debug is given.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-04 11:47:31 -07:00
Kir Kolyshkin b55b308143 libct/logs: do not show caller in nsexec logs
Commit 9f3d7534ea enabled logrus to show information about log
caller, if --debug is set. It is helpful in many scenarios, but does
not work very well when we are debugging runc init, for example:

	# runc --debug run -d xx4557
	DEBU[0000]libcontainer/logs/logs.go:45 github.com/opencontainers/runc/libcontainer/logs.processEntry() nsexec[279687]: logging set up
	DEBU[0000]libcontainer/logs/logs.go:45 github.com/opencontainers/runc/libcontainer/logs.processEntry() nsexec[279687]: logging set up
	DEBU[0000]libcontainer/logs/logs.go:45 github.com/opencontainers/runc/libcontainer/logs.processEntry() nsexec[279687]: => nsexec container setup
	DEBU[0000]libcontainer/logs/logs.go:45 github.com/opencontainers/runc/libcontainer/logs.processEntry() nsexec[279687]: update /proc/self/oom_score_adj to '30'

As we're merely forwarding the logs here, printing out filename:line and
function is useless and clutters the logs a log.

To fix, create and use a copy of the standard logger with caller info
turned off.

With this in place, nsexec logs are sane again:

	# runc --debug --log-format=text run -d xe34
	DEBU[0000] nsexec[293595]: logging set up
	DEBU[0000] nsexec[293595]: logging set up
	DEBU[0000] nsexec[293595]: => nsexec container setup
	DEBU[0000] nsexec[293595]: update /proc/self/oom_score_adj to '30'

This patch also changes Logf to Log in processEntry, as this is what it
should be.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-04 11:47:31 -07:00
Kir Kolyshkin c3910e7331 libct/logs: parse log level implicitly
There's no need to call logrus.ParseLevel as logrus.Level already
implements encoding.TextUnmarshaler interface.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-04 11:47:31 -07:00
Kir Kolyshkin c4826905f1 libct/logs: test: make more robust
When playing with the log forwarder, I broke it, but all the units tests
were still passing. This happened because test cases were merely looking
for a word (like "kitten") in the log output, which also happened to be
there in case of an error (as a part of an error message produced by log
forwarder).

Make the test a bit more robust by
 - looking for a complete log message, not just part of it;
 - also checking that log file does NOT contain errors.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-04 11:47:09 -07:00
Sebastiaan van Stijn 963e0146a4 Merge pull request #3158 from kolyshkin/nsenter-tests
libct/nsenter/nsenter_test.go: fix and improve
2021-09-03 16:55:58 +02:00
Sebastiaan van Stijn 7fcfb3fad6 Merge pull request #3030 from kolyshkin/openat2-improve
libct/cg/OpenFile: fix/improve openat2 handling
2021-09-03 16:54:39 +02:00
Kir Kolyshkin 33dcb994f4 libct/nsenter/nsenter_test.go: logging nits
- add missing colons before error message;
 - unify error messages after cmd.Start and cmd.Wait, so that they show
   context and the error itself.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-02 10:43:54 -07:00
Kir Kolyshkin 78b271555e libct/nsenter: test: rm misleading comments
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-02 10:37:05 -07:00
Kir Kolyshkin 2c46455c3f libct/nsenter: test: improve TestNsenterChildLogging
Instead of reading a single message, do read all the logs from the init,
and use DisallowUnknownFields for stricter checking.

While at it, use reapChildren to reap zombies (and add an extra check).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-02 10:37:05 -07:00
Kir Kolyshkin feb1fe11a1 libct/nsenter: test: fix TestNsenterValidPaths
The test was not working since at least commit 64bb59f592
renamed pid to stage2_pid (or maybe even earlier), so the pid
was never received (i.e. pid.Pid was 0).

The problem was not caught because os.FindProcess never return an error
on Unix.

Factor out and fix pid decode function:
 - use DisallowUnknownInput to get error if JSON will be changed;
 - check pids to make sure they are valid
 - and use unix.Wait4 to reap zombies.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-02 10:37:05 -07:00
Kir Kolyshkin 3df6a02f5d libct/nsenter: test: improve newPipe
1. Make sure we close all file descriptors at the end of the test.

2. Make sure we close child fds after the start.

3. Use newPipe for logs as well, for simplicity and uniformity.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-09-02 10:37:02 -07:00
Akihiro Suda bd75bc2dc6 Merge pull request #3176 from kolyshkin/rm-config-error-alt
libct/error.go: rm ConfigError (alt)
2021-09-02 14:34:32 +09:00
Akihiro Suda bde65de7b1 Merge pull request #3192 from kinvolk/rata/cgo-warnings
CI: Mark CGO warnings as errors
2021-09-02 14:13:56 +09:00
Akihiro Suda 5fb9b2a006 Merge pull request #3185 from kolyshkin/go117-build-tags
Add go:build tags
2021-09-02 13:35:33 +09:00
Rodrigo Campos 347c371bf4 CI: Mark CGO warnings as errors
Treat warning as errors only in the CI. We can enforce it in the source
code (like setting CFLAGS in libcontainer/nsenter/nsenter.go), but that
can force other downstream to patch the code if thei C compiler produces
warnings. For that reason, we do it only on the CI.

Todays CGO warnings are quite hidden in the CI (only shown for the
compilation step, that is collapsed) and CI is green anyways. With this
patch, CI fails if a warning is introduced.

Signed-off-by: Rodrigo Campos <rodrigo@kinvolk.io>
2021-08-31 18:08:29 +02:00
Sebastiaan van Stijn b144f3d382 Merge pull request #2825 from lifubang/nodelete
proposal: add --keep to runc run
2021-08-31 10:04:58 +02:00
Akihiro Suda 0d193edbee Merge pull request #3190 from presztak/nsexec_bail_message_typo_fix
Fix typo in bail message
2021-08-31 14:29:02 +09:00
Kir Kolyshkin d8da00355e *: add go-1.17+ go:build tags
Go 1.17 introduce this new (and better) way to specify build tags.
For more info, see https://golang.org/design/draft-gobuild.

As a way to seamlessly switch from old to new build tags, gofmt (and
gopls) from go 1.17 adds the new tags along with the old ones.

Later, when go < 1.17 is no longer supported, the old build tags
can be removed.

Now, as I started to use latest gopls (v0.7.1), it adds these tags
while I edit. Rather than to randomly add new build tags, I guess
it is better to do it once for all files.

Mind that previous commits removed some tags that were useless,
so this one only touches packages that can at least be built
on non-linux.

Brought to you by

        go1.17 fmt ./...

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-08-30 20:58:22 -07:00
Kir Kolyshkin 1b17ec95af libct/cg: rm "unsupported.go" files
These are not needed as these packages (libcontainer/cgroups,
libcontainer/cgroups/fs, and libcontainer/cgroups/systemd) can
not be built under non-linux anyway (for various reasons).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-08-30 20:56:35 -07:00
Kir Kolyshkin dbb9fc03ae libct/*: remove linux build tag from some pkgs
Only some libcontainer packages can be built on non-linux platforms
(not that it make sense, but at least go build succeeds). Let's call
these "good" packages.

For all other packages (i.e. ones that fail to build with GOOS other
than linux), it does not make sense to have linux build tag (as they
are broken already, and thus are not and can not be used on anything
other than Linux).

Remove linux build tag for all non-"good" packages.

This was mostly done by the following script, with just a few manual
fixes on top.

function list_good_pkgs() {
	for pkg in $(find . -type d -print); do
		GOOS=freebsd go build $pkg 2>/dev/null \
		&& GOOS=solaris go build $pkg 2>/dev/null \
		&& echo $pkg
	done | sed -e 's|^./||' | tr '\n' '|' | sed -e 's/|$//'
}

function remove_tag() {
	sed -i -e '\|^// +build linux$|d' $1
	go fmt $1
}

SKIP="^("$(list_good_pkgs)")"
for f in $(git ls-files . | grep .go$); do
	if echo $f | grep -qE "$SKIP"; then
		echo skip $f
		continue
	fi
	echo proc $f
	remove_tag $f
done

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-08-30 20:52:07 -07:00
Kir Kolyshkin c5b0be78e8 Rm build tags from main pkg
This was added by commit 5aa82c950 back in the day when we thought
runc is going to be cross-platform. It's very clear now it's Linux-only
package.

While at it, further clarify it in README that we're Linux only.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-08-30 20:15:01 -07:00
Kir Kolyshkin 9ff64c3d97 *: rm redundant linux build tag
For files that end with _linux.go or _linux_test.go, there is no need to
specify linux build tag, as it is assumed from the file name.

In addition, rename libcontainer/notify_linux_v2.go -> libcontainer/notify_v2_linux.go
for the file name to make sense.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-08-30 20:15:00 -07:00
Kir Kolyshkin 3c7db3827c Merge pull request #2883 from flouthoc/master
Add support for rdma cgroup introduced in Linux Kernel 4.11
2021-08-30 20:02:04 -07:00
Kir Kolyshkin 62ec6dc973 Merge pull request #2920 from marquiz/devel/rdt
libcontainer/intelrdt: support ClosID parameter
2021-08-30 19:36:03 -07:00
Piotr Resztak 895e0a5cb3 nsenter: fix typo in bail message
Signed-off-by: Piotr Resztak <piotr.resztak@gmail.com>
2021-08-30 23:24:31 +02:00
Akihiro Suda 11d141bed2 Merge pull request #3090 from kolyshkin/cfq_quota_period
libct/cg/v1: work around CPU quota period set failure
2021-08-31 04:20:58 +09:00
Akihiro Suda 1f5798f784 improve error message when dbus-user-session is not installed
Before:

```console
$ docker --context=rootless run -it --rm alpine
docker: Error response from daemon: OCI runtime create failed: unable to start
container process: unable to apply cgroup configuration: unable to start unit
"docker-7ef2c29ccafc1ed9c7fd9859337e5b79870d8ccb282f560e43060a847a6c5310.scope"
(properties [{Name:Description Value:"libcontainer container
7ef2c29ccafc1ed9c7fd9859337e5b79870d8ccb282f560e43060a847a6c5310"} {Name:Slice
Value:"user.slice"} {Name:PIDs Value:@au [6286]} {Name:Delegate Value:true}
{Name:MemoryAccounting Value:true} {Name:CPUAccounting Value:true}
{Name:IOAccounting Value:true} {Name:TasksAccounting Value:true}
{Name:DefaultDependencies Value:false}]): read unix @->/run/systemd/private:
read: connection reset by peer: unknown.
```

After:

```console
$ docker --context=rootless run -it --rm alpine
docker: Error response from daemon: OCI runtime create failed: unable to start
container process: unable to apply cgroup configuration: unable to start unit
"docker-8527d83e046da46d1b56b1c6a89324e687da1c365e044b8dde52cfbf1c461c5a.scope"
(properties [{Name:Description Value:"libcontainer container
8527d83e046da46d1b56b1c6a89324e687da1c365e044b8dde52cfbf1c461c5a"} {Name:Slice
Value:"user.slice"} {Name:PIDs Value:@au [10012]} {Name:Delegate Value:true}
{Name:MemoryAccounting Value:true} {Name:CPUAccounting Value:true}
{Name:IOAccounting Value:true} {Name:TasksAccounting Value:true}
{Name:DefaultDependencies Value:false}]): failed to connect to dbus (hint: for
rootless containers, maybe you need to install dbus-user-session package, see
https://github.com/opencontainers/runc/blob/master/docs/cgroup-v2.md): read
unix @->/run/systemd/private: read: connection reset by peer: unknown.
```

For moby/moby issue 42793

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-08-27 17:19:02 +09:00
Kir Kolyshkin 639445789d tests/int: add a "update cpu period with pod limit set" test
Add a test case for an issue fixed by the previous commit.

Unfortunately, this is somewhat complicated as there's no easy way to
create a transient unit, so a binary, sd-helper, had to be added. On top
of that, an ability to create a parent/pod cgroup is added to
helpers.bash, which might be useful for future integration tests.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-08-26 13:11:22 -07:00
Kir Kolyshkin 1b2adcfe56 libct/cg/v1: workaround CPU quota period set failure
As reported in issue 3084, sometimes setting CPU quota period fails
when a new period is lower and a parent cgroup has CPU quota limit set.

This happens as in cgroup v1 the quota and the period can not be set
together (this is fixed in v2), and since the period is being set first,
new_limit = old_quota/new_period may be higher than the parent cgroup
limit.

The fix is to retry setting the period after the quota, to cover all
possible scenarios.

Add a test case to cover a regression caused by an earlier version of
this patch (ignoring a failure of setting invalid period when quota is
not set).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-08-26 13:11:22 -07:00
Mrunal Patel 654f331976 Merge pull request #3175 from kolyshkin/tests-int-cleanups
tests/int/helpers: cleanup, enable shellcheck
2021-08-25 16:18:37 -07:00
Sebastiaan van Stijn 8b59b768a9 Merge pull request #3182 from cyphar/revert-3159
Revert "libct/devices: change devices.Type to be a string"
2021-08-25 10:55:04 +02:00
Qiang Huang b4b797200e Merge pull request #3136 from kolyshkin/cg-d-c
libct/cg: rm dead code to improve clarity
2021-08-25 14:46:27 +08:00
Aleksa Sarai 09b80811f6 Revert "libct/devices: change devices.Type to be a string"
This reverts commit 814f3ae1d9. This
changed the on-disk state which breaks runc when it has to operate on
containers started with an older runc version. Working around this is
far more complicated than just reverting it.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-08-25 14:11:32 +10:00
Sebastiaan van Stijn f67f1efc70 Merge pull request #3110 from kolyshkin/parse-devices
libct/cg/devices: stop using regex
2021-08-24 08:49:19 +02:00
Kir Kolyshkin 538ba846dd libct/error.go: rm ConfigError
ConfigError was added by commit e918d02139, while removing runc own
error system, to preserve a way for a libcontainer user to distinguish
between a configuration error and something else.

The way ConfigError is implemented requires a different type of check
(compared to all other errors defined by error.go). An attempt was made
to rectify this, but the resulting code became even more complicated.

As no one is using this functionality (of differentiating a "bad config"
type of error from other errors), let's just drop the ConfigError type.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-08-23 18:56:08 -07:00
Kir Kolyshkin 6145628fff configs/validate: audit all returned errors
All the errors returned from Validate should tell about a configuration
error. Some were lacking a context, so add it.

While at it, fix abusing fmt.Errorf and logrus.Warnf where the argument
do not contain %-style formatting.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-08-23 18:54:47 -07:00
Kir Kolyshkin bbcf96f91f libct/cg/devices: stop using regex
Looking into data generated by setting

	GODEBUG="inittrace=1"

I have noticed this line:

init github.com/opencontainers/runc/libcontainer/cgroups/devices @1.2 ms, 0.020 ms clock, 10512 bytes, 133 allocs

This is the leader for both bytes and allocs among the packages from
this repo, and all of it is caused by a single regex:

> var devicesListRegexp = regexp.MustCompile(`^([abc])\s+(\d+|\*):(\d+|\*)\s+([rwm]+)$`)

It seems that the same parsing can be done without relying on
a regular expression, no decrease in readability, and 2x faster
(according to the benchmark added), and also makes runc start
slightly faster and leaner.

Before:
    BenchmarkParseLine-4   	  176240	      6768 ns/op	    6576 B/op	      64 allocs/op

After:
    BenchmarkParseLine-4   	  322441	      3535 ns/op	    5520 B/op	      53 allocs/op

[v2: single split with SplitFunc; fix a typo in error message]
[v3: rebase after 3159 merge; re-ran benchmarks (results are similar)]

Co-authored-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-08-23 17:04:09 -07:00
Kir Kolyshkin 34df203d13 Merge pull request #3159 from thaJeztah/norunes
libct/devices: change devices.Type to be a string
2021-08-23 16:58:34 -07:00
Kir Kolyshkin fb629db693 tests/int/helpers: fix shellcheck warnings
... and add the file to be checked by shellcheck.

The warnings fixed are:

In tests/integration/helpers.bash line 10:
INTEGRATION_ROOT=$(dirname "$(readlink -f "$BASH_SOURCE")")
                                           ^----------^ SC2128: Expanding an array without an index only gives the first element.

In tests/integration/helpers.bash line 22:
TESTDATA="${INTEGRATION_ROOT}/testdata"
^------^ SC2034: TESTDATA appears unused. Verify use (or export if used externally).

In tests/integration/helpers.bash line 42:
	echo "runc $@ (status=$status):" >&2
                   ^-- SC2145: Argument mixes string and array. Use * or separate argument.
                              ^-----^ SC2154: status is referenced but not assigned.

In tests/integration/helpers.bash line 43:
	echo "$output" >&2
              ^-----^ SC2154: output is referenced but not assigned.

In tests/integration/helpers.bash line 77:
			| .linux.gidMappings += [{"hostID": '"$(($ROOTLESS_GIDMAP_START + 10))"', "containerID": 1, "size": 20}]
                                                                 ^--------------------^ SC2004: $/${} is unnecessary on arithmetic variables.

In tests/integration/helpers.bash line 78:
			| .linux.gidMappings += [{"hostID": '"$(($ROOTLESS_GIDMAP_START + 100))"', "containerID": 1000, "size": '"$(($ROOTLESS_GIDMAP_LENGTH - 1000))"'}]'
                                                                 ^--------------------^ SC2004: $/${} is unnecessary on arithmetic variables.
                                                                                                                                     ^---------------------^ SC2004: $/${} is unnecessary on arithmetic variables.

In tests/integration/helpers.bash line 125:
			base_path=$(gawk '$(NF-2) == "cgroup" && $NF ~ /\<'${g}'\>/ { print $5; exit }' /proc/self/mountinfo)
                                                                           ^--^ SC2086: Double quote to prevent globbing and word splitting.

Did you mean:
			base_path=$(gawk '$(NF-2) == "cgroup" && $NF ~ /\<'"${g}"'\>/ { print $5; exit }' /proc/self/mountinfo)

In tests/integration/helpers.bash line 127:
			eval CGROUP_${g^^}_BASE_PATH="${base_path}"
                                    ^----^ SC2086: Double quote to prevent globbing and word splitting.

Did you mean:
			eval CGROUP_"${g^^}"_BASE_PATH="${base_path}"

In tests/integration/helpers.bash line 229:
	if [ "x$CGROUP_UNIFIED" = "xyes" ]; then
             ^----------------^ SC2268: Avoid x-prefix in comparisons as it no longer serves a purpose.

Did you mean:
	if [ "$CGROUP_UNIFIED" = "yes" ]; then

In tests/integration/helpers.bash line 234:
		eval cgroup=\$${var}${REL_CGROUPS_PATH}
                              ^----^ SC2086: Double quote to prevent globbing and word splitting.
                                    ^-----------------^ SC2086: Double quote to prevent globbing and word splitting.

Did you mean:
		eval cgroup=\$"${var}""${REL_CGROUPS_PATH}"

In tests/integration/helpers.bash line 236:
	cat $cgroup/$source
            ^-----^ SC2086: Double quote to prevent globbing and word splitting.
                    ^-----^ SC2086: Double quote to prevent globbing and word splitting.

Did you mean:
	cat "$cgroup"/"$source"

In tests/integration/helpers.bash line 242:
	current="$(get_cgroup_value $1)"
                                    ^-- SC2086: Double quote to prevent globbing and word splitting.

Did you mean:
	current="$(get_cgroup_value "$1")"

In tests/integration/helpers.bash line 245:
	echo "current" $current "!?" "$expected"
                       ^------^ SC2086: Double quote to prevent globbing and word splitting.

Did you mean:
	echo "current" "$current" "!?" "$expected"

In tests/integration/helpers.bash line 257:
	[ $(id -u) != "0" ] && user="--user"
          ^------^ SC2046: Quote this to prevent word splitting.

In tests/integration/helpers.bash line 259:
	current=$(systemctl show $user --property $source $SD_UNIT_NAME | awk -F= '{print $2}')
                                                  ^-----^ SC2086: Double quote to prevent globbing and word splitting.

Did you mean:
	current=$(systemctl show $user --property "$source" $SD_UNIT_NAME | awk -F= '{print $2}')

In tests/integration/helpers.bash line 261:
	[ "$current" = "$expected" ] || [ -n "$expected2" -a "$current" = "$expected2" ]
                                                          ^-- SC2166: Prefer [ p ] && [ q ] as [ p -a q ] is not well defined.

In tests/integration/helpers.bash line 309:
	check_cgroup_value "cpu.weight" $weight
                                        ^-----^ SC2086: Double quote to prevent globbing and word splitting.

Did you mean:
	check_cgroup_value "cpu.weight" "$weight"

In tests/integration/helpers.bash line 310:
	check_systemd_value "CPUWeight" $weight
                                        ^-----^ SC2086: Double quote to prevent globbing and word splitting.

Did you mean:
	check_systemd_value "CPUWeight" "$weight"

In tests/integration/helpers.bash line 383:
			if [ $CGROUP_UNIFIED = "no" -a ! -e "${CGROUP_MEMORY_BASE_PATH}/memory.memsw.limit_in_bytes" ]; then
                                                    ^-- SC2166: Prefer [ p ] && [ q ] as [ p -a q ] is not well defined.

In tests/integration/helpers.bash line 412:
			local cpu_count=$(grep -c '^processor' /proc/cpuinfo)
                              ^-------^ SC2155: Declare and assign separately to avoid masking return values.

In tests/integration/helpers.bash line 450:
		sleep $delay
                      ^----^ SC2086: Double quote to prevent globbing and word splitting.

Did you mean:
		sleep "$delay"

In tests/integration/helpers.bash line 453:
	echo "Command \"$@\" failed $attempts times. Output: $output"
                        ^-- SC2145: Argument mixes string and array. Use * or separate argument.

In tests/integration/helpers.bash line 471:
	runc state $1
                   ^-- SC2086: Double quote to prevent globbing and word splitting.

Did you mean:
	runc state "$1"

In tests/integration/helpers.bash line 472:
	if [ $2 == "checkpointed" ]; then
             ^-- SC2086: Double quote to prevent globbing and word splitting.

Did you mean:
	if [ "$2" == "checkpointed" ]; then

In tests/integration/helpers.bash line 484:
	mkdir $dir
              ^--^ SC2086: Double quote to prevent globbing and word splitting.

Did you mean:
	mkdir "$dir"

In tests/integration/helpers.bash line 497:
		kill -9 $(cat "$dir/pid")
                        ^---------------^ SC2046: Quote this to prevent word splitting.

In tests/integration/helpers.bash line 508:
	export ROOT=$(mktemp -d "$BATS_RUN_TMPDIR/runc.XXXXXX")
               ^--^ SC2155: Declare and assign separately to avoid masking return values.

In tests/integration/helpers.bash line 512:
	cd "$ROOT/bundle"
        ^---------------^ SC2164: Use 'cd ... || exit' or 'cd ... || return' in case cd fails.

Did you mean:
	cd "$ROOT/bundle" || exit

In tests/integration/helpers.bash line 535:
	cd "$INTEGRATION_ROOT"
        ^--------------------^ SC2164: Use 'cd ... || exit' or 'cd ... || return' in case cd fails.

Did you mean:
	cd "$INTEGRATION_ROOT" || exit

For more information:
  https://www.shellcheck.net/wiki/SC2145 -- Argument mixes string and array. ...
  https://www.shellcheck.net/wiki/SC2034 -- TESTDATA appears unused. Verify u...
  https://www.shellcheck.net/wiki/SC2046 -- Quote this to prevent word splitt...

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-08-23 15:53:26 -07:00
Kir Kolyshkin f65276db35 tests/int/helpers: rm $bundle handling
It is not used since PR 2757, as all tests are run with cd to bundle
directory.

runc_spec argument count checking is removed since otherwise shellcheck
complains:

> SC2120: runc_spec references arguments, but none are ever passed.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-08-23 15:49:45 -07:00
flouthoc b3d14488b5 Add support for rdma cgroup introduced in Linux Kernel 4.11
Signed-off-by: Aditya Rajan <flouthoc.git@gmail.com>
2021-08-23 12:25:33 +05:30
Kir Kolyshkin 8d8415ee46 libct/logs: remove ConfigureLogging
Previous commits removed all its users -- the only one left is package's
own unit tests.

Modify those unit tests to configure logrus directly, and remove
ConfigureLogging for good. The world is better without it.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-08-20 11:02:09 -07:00
Kir Kolyshkin f77fb7a3ee init.go, main.go: don't use logs.ConfigureLogging
This function is somewhat strange and I always wanted to remove it,
as it tries to satisfy both init.go and main.go, which have somewhat
different needs.

It is more straightforward and readable to configure logrus directly.

While at it, simplify errors on panic (errors from logrus.ParseLevel
and strconv.Atoi already contain value which they fail to parse, and
panic already contains enough context to figure out what's wrong).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-08-20 10:59:46 -07:00
Markus Lehtonen 9393700003 libcontainer/intelrdt: update code comments
Use the term "clos group" instead of "container_id group" as the group
that a container belongs to is not necessarily tied to its container id.

Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
2021-08-20 07:47:07 +03:00
Kir Kolyshkin a37a89f4db libct/system: add I and P process states
Those states are available since Linux 4.14 (kernel commits
8ef9925b02c23e3838d5 and 06eb61844d841d003). Before this
patch, they were shown as unknown.

This is mostly cosmetical.

Note that I is described in /proc/pid/status as just "idle", although
elsewhere it says it's an idle kernel thread. Let's have it as "idle"
for brevity.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-08-19 19:49:18 -07:00
Kir Kolyshkin f90008aec8 libct/system.Stat: fix/improve/speedup
1. Remove PID field as it is useless.

2. Rewrite parseStat() to make it faster and more correct:

 - do not use fmt.Scanf as it is very slow;
 - avoid splitting data into 20+ fields, of which we only need 2;
 - make sure to not panic on short lines and other bad input;
 - add some bad input tests (some fail with old code);
 - use LastIndexByte instead of LastIndex.

Benchmarks:

before (from the previous commit message):

> BenchmarkParseStat-4              116415             10804 ns/op
> BenchmarkParseRealStat-4             240           4781769 ns/op

after:

> BenchmarkParseStat-4       	 1164948	      1068 ns/op
> BenchmarkParseRealStat-4   	     331	   3458315 ns/op

We are seeing 10x speedup in a synthetic benchmark, and about 1.4x
speedup in a real world benchmark.

While at it, do not ignore any possible errors, and properly wrap those.

[v2: use pkg/errors more, remove t.Logf from test]
[v3: rebased; drop pkg/errors; gofumpt'ed]
[v4: rebased; improved description]
[v5: rebased; mention bad input tests, added second benchmark results]
[v6: remove PID field, do not use strings.Split, further speedup]

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-08-19 19:48:39 -07:00
Kir Kolyshkin 412c6f0630 libct/system/proc_test: fix, improve, add benchmark
1. Add a test case that tests parentheses in command.

2. Replace individual comparisons with reflect.DeepEqual.
   This also fixes wrong %-style types in Fatalf statements.

3. Replace Fatalf with Errorf so we don't bail out on the first
   failure, and do not check result on error.

4. Add two benchmarks. On my laptop, they show:

BenchmarkParseStat-4       	  116415	     10804 ns/op
BenchmarkParseRealStat-4   	     240	   4781769 ns/op

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-08-19 19:46:57 -07:00
Kir Kolyshkin 3023e6c625 Merge pull request #3166 from kolyshkin/fix-freeze-before-set-alt-2
libct/cg/sd/v1: fix freezeBeforeSet (alt 2)
2021-08-19 11:40:06 -07:00
Sebastiaan van Stijn 926a9a088f Merge pull request #3171 from kolyshkin/try-bullseye
Dockerfile: switch to bullseye
2021-08-19 18:16:11 +02:00
Liu Hua 74ae9e0fc9 checkpoint: resolve symlink for external bind mount(fix ci broken)
runc resolves symlink before doing bind mount. So
we should save original path while formatting CriuReq for
dump and restore.

"checkpoint: resolve symlink for external bind mount" is merged as
da22625f6986f0ef196eaa1f8bb6adce098f0fb7(PR 2902) previously. And reverted
in commit 70fdc0573dced3464e9c31d674559f77c1de3973(PR 3043) duo to behavior changes
caused by commit 0ca91f44f1664da834bc61115a849b56d22f595f(Fixes: CVE-2021-30465)

Signed-off-by: Liu Hua <weldonliu@tencent.com>
2021-08-19 18:42:42 +08:00
Sebastiaan van Stijn 8e6871a3b1 Merge pull request #3116 from kolyshkin/ci-add-criu-dev
ci/gha: add latest criu-dev test run
2021-08-19 09:46:52 +02:00
Kir Kolyshkin 24d318b8bb Dockerfile: switch to bullseye
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-08-18 15:59:22 -07:00
Mrunal Patel 9835e9c6b2 Merge pull request #3021 from kolyshkin/go-1.17beta1
ci: add go1.17
2021-08-18 13:32:05 -07:00
Kir Kolyshkin 9a095e44db libct/cg/sd/v1: add SkipFreezeOnSet knob
This is helpful to kubernetes in cases it knows for sure that the freeze
is not required (since it created the systemd unit with no device
restrictions).

As the code is trivial, no tests are required.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-08-18 12:43:55 -07:00
Kir Kolyshkin fec49f2a6c libct/cg/sd/v1: add freezeBeforeSet unit test
Add a test for freezeBeforeSet, checking various scenarios including
those that were failing before the fix in the previous commit.

[v2: add more cases, add a check before creating a unit.]

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-08-18 12:43:55 -07:00
Odin Ugedal 41043673b7 libct/cg/sd/v1: Fix unnecessary freeze/thaw
This fixes the behavior intended to avoid freezing containers/control
groups without it being necessary. This is important for end users of
libcontainer who rely on the behavior of no freeze.

The previous implementation would always get error trying to get
DevicePolicy from the Unit via dbus, since the Unit interface doesn't
contain DevicePolicy.

Signed-off-by: Odin Ugedal <odin@uged.al>
2021-08-18 12:43:36 -07:00
Akihiro Suda 4d26c4a0a1 Merge pull request #3144 from kolyshkin/codespell
Fix codespell warnings, add codespell to ci
2021-08-18 11:42:36 +09:00
Akihiro Suda ba7a87730d Merge pull request #3168 from kolyshkin/fix-cc-warn
libct/nsenter: fix unused-result warning
2021-08-18 11:37:59 +09:00
Kir Kolyshkin a587180136 ci: add go1.17
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-08-17 17:49:44 -07:00
Kir Kolyshkin 75761bccf7 Fix codespell warnings, add codespell to ci
The two exceptions I had to add to codespellrc are:
 - CLOS (used by intelrtd);
 - creat (syscall name used in tests/integration/testdata/seccomp_*.json).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-08-17 16:12:35 -07:00
Kir Kolyshkin db8330c9e5 libct/nsenter: fix unused-result warning
Commit 2bab4a5 resulted in a warning from gcc:

	nsexec.c: In function ‘write_log’:
	nsexec.c:171:2: warning: ignoring return value of ‘write’, declared with attribute warn_unused_result [-Wunused-result]
	  171 |  write(logfd, json, ret);
	      |  ^~~~~~~~~~~~~~~~~~~~~~~

As there's nothing we can or want to do in case write fails,
let's just tell the compiler we're not going to use it.

Fixes: 2bab4a5
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-08-17 15:19:31 -07:00
Sebastiaan van Stijn e53e97a875 Merge pull request #3164 from kinvolk/rata/make-no-buildtags
CI: Validate compilation without buildtags
2021-08-17 23:04:50 +02:00
Akihiro Suda dff416868e Merge pull request #3160 from kailun-qin/fix-check
libct/nsenter: no need to check size_t less than 0
2021-08-18 02:34:33 +09:00
Sebastiaan van Stijn ca4433f613 Merge pull request #3153 from kolyshkin/cirrus-robust
.cirrus.yml: simplify for centos, retry yum
2021-08-17 15:34:39 +02:00
Kir Kolyshkin 10f179c8c2 Merge pull request #3162 from kailun-qin/null-on-error
libct/nsenter: nullify pointer on asprintf error
2021-08-16 16:18:52 -07:00
Rodrigo Campos 844d6774e0 CI: Validate compilation without buildtags
Today we support the seccomp build tag only that is used by default.
However, we are not testing that compiling without any build tag works.

I found the CI didn't catch this when working on #2682, that the CI was
green but compilation without build tags was broken.

We test compilation without build tags only, compilation with the only
build tag supported is done extensively in other actions.

Signed-off-by: Rodrigo Campos <rodrigo@kinvolk.io>
2021-08-16 17:44:54 +02:00
Akihiro Suda 55e93b89f1 Merge pull request #3150 from kolyshkin/maintainers
MAINTAINERS: add Sebastiaan van Stijn
2021-08-16 22:51:53 +09:00
Kailun Qin 515082102e libct/nsenter: nullify pointer on asprintf error
The contents of the pointer returned on asprintf() error are undefined
i.e., it can be anything there. We set it to NULL on error so that
free() afterwards won't get a garbage pointer.

This patch applies the above to message and stage as well to be
consistent with what we do for json.

Signed-off-by: Kailun Qin <kailun.qin@intel.com>
2021-08-14 04:15:45 -04:00
Kailun Qin 2ab6484ff6 libct/nsenter: no need to check size_t less than 0
According to C standards, `size_t` is always an unsigned integer type.
Thus, checking unsigned expressions to be less than zero is not needed.

Signed-off-by: Kailun Qin <kailun.qin@intel.com>
2021-08-13 09:26:07 -04:00
Kir Kolyshkin f0dbefac61 .cirrus.yum: retry yum if failed
Add a sleep + retry loop in case yum install has failed.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-08-12 20:19:25 -07:00
Sebastiaan van Stijn 814f3ae1d9 libct/devices: change devices.Type to be a string
Possibly there was a specific reason to use a rune for this, but I noticed
that there's various parts in the code that has to convert values from a
string to this type. Using a string as type for this can simplify some of
that code.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-08-13 00:55:22 +02:00
Kir Kolyshkin 74b5c34e6e .cirrus.yml: simplify
GCP images description at [1] claims that:

 - For CentOS 8 and CentOS Stream 8, the PowerTools repository is
   enabled.
 - For CentOS 7, EPEL is enabled.

Apparently,
 - we do not need epel for centos-stream-8;
 - powertools is not enabled on centos-stream-8 despite [1].

Anyway, the less yum commands the better, as we have seen those fail
sometimes due to occasional networking problems etc.

[1] https://cloud.google.com/compute/docs/images/os-details#centos
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-08-12 00:10:14 -07:00
Akihiro Suda bb34048f93 Merge pull request #3152 from opencontainers/dependabot/go_modules/github.com/containerd/console-1.0.3
build(deps): bump github.com/containerd/console from 1.0.2 to 1.0.3
2021-08-12 15:20:35 +09:00
dependabot[bot] 77fb9aff56 build(deps): bump github.com/containerd/console from 1.0.2 to 1.0.3
Bumps [github.com/containerd/console](https://github.com/containerd/console) from 1.0.2 to 1.0.3.
- [Release notes](https://github.com/containerd/console/releases)
- [Commits](https://github.com/containerd/console/compare/v1.0.2...v1.0.3)

---
updated-dependencies:
- dependency-name: github.com/containerd/console
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-08-12 04:15:47 +00:00
Kir Kolyshkin bd50e7c420 libct/cg/OpenFile: check cgroupFd on error
opencontainers/runc issue 3026 describes a scenario in which OpenFile
failed to open a legitimate existing cgroupfs file. Added debug
(similar to what this commit does) shown that cgroupFd is no longer
opened to "/sys/fs/cgroup", but to "/" (it's not clear what caused it,
and the source code is not available, but they might be using the same
process on the both sides of the container/chroot/pivot_root/mntns
boundary, or remounting /sys/fs/cgroup).

Consider such use incorrect, but give a helpful hint as two what is
going on by wrapping the error in a more useful message.

NB: this can potentially be fixed by reopening the cgroupFd once we
detected that it's screwed, and retrying openat2. Alas I do not have
a test case for this, so left this as a TODO suggestion.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-08-11 17:00:05 -07:00
Mrunal Patel b114862c53 Merge pull request #3120 from kolyshkin/nsexec-log-race
libct/nsenter: fix logging race in nsexec (regression in rc94)
2021-08-11 16:21:11 -07:00
Kir Kolyshkin ab577f6fc4 MAINTAINERS: add Sebastiaan van Stijn
Sebastiaan is one of the most active contributors recently:
https://github.com/opencontainers/runc/graphs/contributors?from=2019-08-11&to=2021-08-11&type=c

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-08-11 16:10:57 -07:00
Kir Kolyshkin 2bab4a56f1 libct/nsenter: fix logging race in nsexec
As reported in issue 3119, there is a race in nsexec logging
that can lead to garbled json received by log forwarder, which
complains about it with a "failed to decode" error.

This happens because dprintf (used since the very beginning of nsexec
logging introduced in commit ba3cabf932) relies on multiple write(2)
calls, and with additional logging added by 64bb59f592 a race is
possible between runc init parent and its children.

The fix is to prepare a string and write it using a single call to
write(2).

[v2: NULLify json on error from asprintf]

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-08-11 10:01:00 -07:00
Kir Kolyshkin 16027b814d Merge pull request #3140 from opencontainers/dependabot/go_modules/github.com/opencontainers/selinux-1.8.4
build(deps): bump github.com/opencontainers/selinux from 1.8.3 to 1.8.4
2021-08-10 10:19:47 -07:00
dependabot[bot] bda1bd7a2f build(deps): bump github.com/opencontainers/selinux from 1.8.3 to 1.8.4
Bumps [github.com/opencontainers/selinux](https://github.com/opencontainers/selinux) from 1.8.3 to 1.8.4.
- [Release notes](https://github.com/opencontainers/selinux/releases)
- [Commits](https://github.com/opencontainers/selinux/compare/v1.8.3...v1.8.4)

---
updated-dependencies:
- dependency-name: github.com/opencontainers/selinux
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-08-10 04:22:14 +00:00
Aleksa Sarai 7d4bac6810 merge branch 'pr-3133'
Kir Kolyshkin (3):
  libct/cg: GetAllPids: optimize for go 1.16+
  libct/cg: improve GetAllPids and readProcsFile
  libct/cg: move GetAllPids out of utils.go

LGTMs: AkihiroSuda cyphar
Closes #3133
2021-08-10 14:16:59 +10:00
Kir Kolyshkin c2d9668cc5 libct/cg/OpenFile: fix openat2 vs top cgroup dir
Fix reading cgroup files from the top cgroup directory, i.e.
/sys/fs/cgroup.

The code was working for for any subdirectory of /sys/fs/cgroup, but
for dir="/sys/fs/cgroup" a fallback (open and fstatfs) was used, because
of the way the function worked with the dir argument.

Fix those cases, and add unit tests to make sure they work. While at it,
make the rules for dir and name components more relaxed, and add test
cases for this, too.

While at it, improve OpenFile documentation, and remove a duplicated
doc comment for openFile.

Without these fixes, the unit test fails the following cases:

    file_test.go:67: case {path:/sys/fs/cgroup name:cgroup.controllers}: fallback
    file_test.go:67: case {path:/sys/fs/cgroup/ name:cgroup.controllers}: openat2 /sys/fs/cgroup//cgroup.controllers: invalid cross-device link
    file_test.go:67: case {path:/sys/fs/cgroup/ name:/cgroup.controllers}: openat2 /sys/fs/cgroup///cgroup.controllers: invalid cross-device link
    file_test.go:67: case {path:/ name:/sys/fs/cgroup/cgroup.controllers}: fallback
    file_test.go:67: case {path:/ name:sys/fs/cgroup/cgroup.controllers}: fallback
    file_test.go:67: case {path:/sys/fs/cgroup/cgroup.controllers name:}: openat2 /sys/fs/cgroup/cgroup.controllers/: not a directory

Here "fallback" means openat2-based implementation fails, and the fallback code
is used (and works).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-08-09 11:17:05 -07:00
Markus Lehtonen 1b4c30fd8b libcontainer/intelrdt: always run unit tests
Run unit tests irrespective of the underlying system configuration, i.e.
even if RDT has not been enabled or is not supported. The tests do not
depend on real kernel interfaces.

Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
2021-08-09 16:59:58 +03:00
Markus Lehtonen 79d292b9ff libcontainer/intelrdt: verify ClosID existence
Check that the ClosID directory pre-exists if no L3 or MB schema has
been specified. Conform with the following line from runtime-spec
(config-linux):

  If closID is set, and neither of l3CacheSchema and memBwSchema are
  set, runtime MUST check if corresponding pre-configured directory
  closID is present in mounted resctrl. If such pre-configured directory
  closID exists, runtime MUST assign container to this closID and
  generate an error if directory does not exist.

Add a TODO note for verifying existing schemata against L3/MB
parameters.

Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
2021-08-09 16:18:59 +03:00
Markus Lehtonen 17e3b41dd0 libcontainer/intelrdt: support ClosID parameter
Handle ClosID parameter of IntelRdt. Makes it possible to use
pre-configured classes/ClosIDs and avoid running out of available IDs
which easily happens with per-container classes.

Remove validator checks for empty L3CacheSchema and MemBwSchema fields
in order to be able to leave them empty, and only specify ClosID for
a pre-configured class.

Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
2021-08-09 15:58:03 +03:00
Markus Lehtonen 7296dc1712 libcontainer/intelrdt: refactor clos path handling
Simplify the code and make path a property of the container (via
intelRdtManager).

Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
2021-08-09 15:58:03 +03:00
Kir Kolyshkin 1cbfe23464 libct/cg: rm dead code
This was initially added by commits 41d9d26513 and 4a8f0b4db4,
apparently to implement docker run --cgroup container:ID, which was
never merged. Therefore, this code is not and was never used.

It needs to be removed mainly because having it makes it much harder to
understand how cgroup manager works (because with this in place we have
not one or two but three sets of cgroup paths to think about).

Note if the paths are known and there is a need to add a PID to existing
cgroup, cgroup manager is not needed at all -- something like
cgroups.WriteCgroupProc or cgroups.EnterPid is sufficient (and the
latter is what runc exec uses in (*setnsProcess).start).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-08-08 13:03:51 -07:00
Kir Kolyshkin d0c3bc44e7 libct/cg: GetAllPids: optimize for go 1.16+
filepath.WalkDir function, introduced in Go 1.16, doesn't do stat(2)
on every entry, and is therefore somewhat faster (see below).

Since we have to support Go 1.15, keep the old version for backward
compatibility.

Add a quick benchmark, which shows approximately 3x improvement:

        $ go1.15.15 test -bench AllPid -run xxx .
	BenchmarkGetAllPids-4   	      48	  23528839 ns/op

        $ go version
        go version go1.16.6 linux/amd64
        $ go test -bench AllPid -run xxx .
	BenchmarkGetAllPids-4   	     147	   7700170 ns/op

(Unrelated but worth noting -- go 1.17rc2 is pushing it even further)

        $ go1.17rc2 test -bench AllPid -run xxx .
	BenchmarkGetAllPids-4   	     164	   6820994 ns/op

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-08-05 16:22:18 -07:00
Kir Kolyshkin 363468d0e4 libct/cg: improve GetAllPids and readProcsFile
Since every cgroup directory is guaranteed to have cgroup.procs file,
we don't have to do filename comparison in GetAllPids() and just read
cgroup.procs in every directory.

While at it, switch readProcsFile to use our own OpenFile.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-08-05 16:22:11 -07:00
Kir Kolyshkin 504271a374 libct/cg: move GetAllPids out of utils.go
This is just moving the code around to ease the code review, no other
changes.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-08-05 16:00:03 -07:00
Mrunal Patel 8772c4dd2f Merge pull request #3109 from kolyshkin/seccomp
seccomp: skip redundant rules
2021-08-03 23:09:00 -04:00
Mrunal Patel 64b3fe91bd Merge pull request #3117 from kolyshkin/cirrus-nit
ci/cirrus: remove unused code
2021-08-03 23:06:20 -04:00
Mrunal Patel c9b8b4f35e Merge pull request #3073 from kolyshkin/runc-exec-255
runc exec: fail with exit code of 255
2021-08-03 23:05:57 -04:00
Kir Kolyshkin 907c8defe0 Merge pull request #3125 from opencontainers/dependabot/go_modules/github.com/opencontainers/selinux-1.8.3
build(deps): bump github.com/opencontainers/selinux from 1.8.2 to 1.8.3
2021-08-03 16:40:07 -07:00
dependabot[bot] fc99ab7e65 build(deps): bump github.com/opencontainers/selinux from 1.8.2 to 1.8.3
Bumps [github.com/opencontainers/selinux](https://github.com/opencontainers/selinux) from 1.8.2 to 1.8.3.
- [Release notes](https://github.com/opencontainers/selinux/releases)
- [Commits](https://github.com/opencontainers/selinux/compare/v1.8.2...v1.8.3)

---
updated-dependencies:
- dependency-name: github.com/opencontainers/selinux
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-08-03 04:21:49 +00:00
Kir Kolyshkin 0f94799eae man/runc-run.8: document --keep option
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-08-02 12:51:36 -07:00
lifubang cb824629ba proposal: add --keep to runc run
Signed-off-by: lifubang <lifubang@acmcoder.com>
2021-08-02 12:51:36 -07:00
Kir Kolyshkin 2aabb29741 Merge pull request #3113 from kolyshkin/init-rm-code
runc init: remove some code
2021-07-29 16:54:47 -07:00
Aleksa Sarai d962bb0cb0 merge branch 'pr-3099'
Kir Kolyshkin (1):
  script/release.sh: make builds reproducible

Kailun Qin (1):
  makefile: update ldflags and add strip for static builds

LGTMs: AkihiroSuda cyphar
Closes #3099
2021-07-29 18:03:56 +10:00
Kir Kolyshkin e06465acd4 ci/cirrus: remove unused code
Since commit 9f656dbb11 these conditions are not needed.

Fixes: 9f656dbb11
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-28 17:28:23 -07:00
Kir Kolyshkin 120f740601 ci/gha: add latest criu-dev test run
Add testing against criu-dev branch instead of a released version
(happens to be criu v3.15 at the moment), to check how it works.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-28 17:00:58 -07:00
Kir Kolyshkin 60e02b4b25 runc exec: fail with exit code of 255
Currently there's no way to distinguish between the two cases:
 - runc exec failed;
 - the command executed returned 1.

This was possible before commit 8477638aab, as runc exec exited with
the code of 255 if exec itself has failed. The code of 255 is the same
convention as used by e.g. ssh.

Re-introduce the feature, document it, and add some tests so it won't be
broken again.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-28 13:46:13 -07:00
Kir Kolyshkin 18f434e10a script/release.sh: make builds reproducible
What it takes is add an empty buildid, which, together with previously
added strip invocation, results in reproducible build!

NB: earlier versions of this patch also added the following:

1. non-random libseccomp install $prefix;

2. "objcopy --enable-deterministic-archives $prefix/lib/libseccomp.a"
   to strip ar dates and UIDs/GIDs;

3. "-B=0x00" to EXTRA_LDFLAGS to have non-variable NT_GNU_BUILD_ID.

Apparently, all this is not needed with strip.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-27 13:58:29 -07:00
Kailun Qin 61e201abb2 makefile: update ldflags and add strip for static builds
This patch
* drops the default `-w` flag for `make static`, which helps with
  debugging the static runc binary;
* adds `EXTRA_LDFLAGS="-w -s"` to `script/release.sh` to disable DWARF
  generation and symbol table for the release runc binary;
* adds strip in `script/release.sh` for a further size-optimized release
  runc binary.

Signed-off-by: Kailun Qin <kailun.qin@intel.com>
2021-07-27 13:58:22 -07:00
Kir Kolyshkin 1f5f237b37 Merge pull request #3100 from kolyshkin/drop-go-1.13
Drop Go 1.13 support, require go 1.15+
2021-07-27 13:19:10 -07:00
Kir Kolyshkin 5110bd2fc0 nsenter: remove cgroupns sync mechanism
As pointed out in TODO item added by commit 64bb59f59, it is not
necessary to have a special sync mechanism for cgroupns, as the parent
adds runc init to cgroup way earlier (before sending nl bootstrap data.

This sync was added by commit df3fa115f9, which was also added a
second cgroup manager.Apply() call, later removed in commit
d1ba8e39f8. It seems the original author had the idea to wait for
that second Apply().

Fixes: df3fa115f9
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-27 12:17:47 -07:00
Kir Kolyshkin 7a0302f0d7 runc init: simplify
runc init is special. For one thing, it needs to do a few things before
main(), so we have func init() that checks if we're init and does that.

What happens next is main() is called, which does some options parsing,
figures out it needs to call initCommand.Action and so it does.

Now, main() is entirely unnecessary -- we can do everything right from
init().

Hopefully the change makes things slightly less complicated.

From a user's perspective, the only change is runc help no longer
lists 'runc init` (which I think it also good).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-27 12:16:09 -07:00
Kir Kolyshkin a91ce3062f libct/*_test.go: use t.TempDir
Replace ioutil.TempDir (mostly) with t.TempDir, which require no
explicit cleanup.

While at it, fix incorrect usage of os.ModePerm in libcontainer/intelrdt
test. This is supposed to be a mask, not mode bits.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-27 01:41:47 -07:00
Kir Kolyshkin 3bc606e9d3 libct/int: adapt to Go 1.15
1. Use t.TempDir instead of ioutil.TempDir. This means no need for an
   explicit cleanup, which removes some code, including newTestBundle
   and newTestRoot.

2. Move newRootfs invocation down to newTemplateConfig, removing a need
   for explicit rootfs creation. Also, remove rootfs from tParam as it
   is no longer needed (there was a since test case in which two
   containers shared the same rootfs, but it does not look like it's
   required for the test).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-27 01:41:47 -07:00
Kir Kolyshkin 1eeaf11301 libct/intelrdt/*_test.go: use t.TempDir
This simplifies the code as no explicit cleanup is required.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-27 01:41:47 -07:00
Kir Kolyshkin f6a56f603c libct/cg/fs/*_test.go: use t.TempDir
This simplifies the code as no explicit cleanup is required.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-27 01:41:47 -07:00
Kir Kolyshkin 2d1645d2e5 libct/cg/fscommon: drop go 1.13 compatibility
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-27 01:41:47 -07:00
Kir Kolyshkin 6215b2f33f ci/gha: drop Go 1.13
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-27 01:41:47 -07:00
Kir Kolyshkin a952b5aaae README, go.mod: require go 1.15+
This mostly reverts commit e2dd9220dd, and bumps
the min Go version to 1.15.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-27 01:41:47 -07:00
Kir Kolyshkin 12a1dccb9c Revert "libcontainer: avoid using t.Cleanup"
This reverts commit 45f49e8fca.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-27 01:41:47 -07:00
Kir Kolyshkin 015fa29afd Revert "Revert "Makefile: rm go 1.13 workaround""
This reverts commit 1a659bc68e,
essentially reinstating commit d0cbef576f.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-27 01:41:47 -07:00
Kir Kolyshkin 5dd92fd9b4 libct/seccomp: skip redundant rules
This fixes using runc with podman on my system (Fedora 34).

> $ podman --runtime `pwd`/runc run --rm --memory 4M fedora echo it works
> Error: unable to start container process: error adding seccomp filter rule for syscall bdflush: permission denied: OCI permission denied

The problem is, libseccomp returns EPERM when a redundant rule (i.e. the
rule with the same action as the default one) is added, and podman (on
my machine) sets the following rules in config.json:

    <....>
    "seccomp": {
      "defaultAction": "SCMP_ACT_ERRNO",
      "architectures": [
        "SCMP_ARCH_X86_64",
        "SCMP_ARCH_X86",
        "SCMP_ARCH_X32"
      ],
      "syscalls": [
        {
          "names": [
            "bdflush",
            "io_pgetevents",
            <....>
          ],
          "action": "SCMP_ACT_ERRNO",
          "errnoRet": 1
        },
        <....>

(Note that defaultErrnoRet is not set, but it defaults to 1).

With this commit, it works:

> $ podman --runtime `pwd`/runc run --memory 4M fedora echo it works
> it works

Add an integration test (that fails without the fix).

Similar crun commit:
 * https://github.com/containers/crun/commit/08229f3fb904c5ea19a7d9

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-27 00:04:59 -07:00
Kir Kolyshkin e44bee1026 libct/seccomp: warn about unknown syscalls
Rather than silently ignoring unknown syscalls, print a warning.

While at it, fix imports ordering (stdlib, others, ours).

[v2: demote Warn to Debug]

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-27 00:04:59 -07:00
Kir Kolyshkin 073e085ca4 libct/seccomp: ConvertStringToAction: fix doc
As of commit caca840972 (Nov 12 2015) SCMP_ACT_TRACE
is supported.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-27 00:04:59 -07:00
Kir Kolyshkin 4071c3cd57 Merge pull request #3104 from adrianreber/2021-07-20-vagrant
Do not use Vagrant for CentOS 7/8
2021-07-26 15:31:55 -07:00
Adrian Reber 9f656dbb11 Do not use Vagrant for CentOS 7/8
As Cirrus CI does not provide a real terminal this uses the same
'ssh -tt' workaround as the Vagrant setup. This sets up the
CentOS 7 and 8 to allow SSH as root to localhost so that we can run
all the tests via 'ssh -tt'.

Not going through vagrant reduces CI times for CentOS 7 and 8 from 6
minutes to 4 minutes.

Signed-off-by: Adrian Reber <areber@redhat.com>
2021-07-23 09:23:23 +02:00
Kir Kolyshkin d448016486 tests/rootless.sh: fixup for "update rt" test
Without this, the test case fails with

> Writing 1000000 to /sys/fs/cgroup/cpu,cpuacct/runc-cgroups-integration-test/cpu.rt_period_us
> /tmp/bats-run-106836/bats.116418.src: line 548: /sys/fs/cgroup/cpu,cpuacct/runc-cgroups-integration-test/cpu.rt_period_us: Permission denied

Since we do not currently have a setup to test this, this went
unnoticed (can be seen in RHEL8 though).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Adrian Reber <areber@redhat.com>
2021-07-23 09:23:23 +02:00
Kir Kolyshkin 86af524866 tests/int: fix "update rt period and runtime" for rootless
Since commit f09a3e1b8d, the value passed on to read starts with
a slash, resulting in the first element of the array to be empty.

As a result, the test tries to write to the top-level cgroup, which
fails when rootless:

> # Writing 1000000 to /sys/fs/cgroup/cpu,cpuacct//cpu.rt_period_us
> # /tmp/bats-run-106184/bats.115768.src: line 548: /sys/fs/cgroup/cpu,cpuacct//cpu.rt_period_us: Permission denied

To fix, remove the leading slash.

An alternative fix would be to do "for ((i = 1;" instead of "i = 0", but
that seems less readable.

Fixes: f09a3e1b8d
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-23 09:23:23 +02:00
Kir Kolyshkin 713748d4a8 Merge pull request #3103 from AkihiroSuda/remove-abandoned-policy
README.md: remove abandoned versioning policy
2021-07-21 13:02:02 -07:00
Akihiro Suda cc0b16444f README.md: remove abandoned versioning policy
"`runc` X.Y.Z should implement the X.Y version of the specification." is no longer correct.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-07-21 14:05:35 +09:00
Kir Kolyshkin 6e210a1d53 Merge pull request #3088 from AkihiroSuda/cirrus
Use Cirrus CI for Vagrant tests
2021-07-19 18:22:10 -07:00
Akihiro Suda 87bfd20fbd Evaluate Cirrus CI for Vagrant tests
ref: issue 3078

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-07-18 20:32:40 +09:00
Mrunal Patel 2749f1f18b Merge pull request #3082 from kolyshkin/freeze-less
cgroups: Set: fix freeze, avoid unnecessary freeze from systemd v1
2021-07-15 18:51:26 -04:00
Kir Kolyshkin a71102624d libct/cg/sd: add TestPodSkipDevicesUpdate
TestPodSkipDevicesUpdate checks that updating a pod having SkipDevices: true
does not result in spurious "permission denied" errors in a container
running under the pod. The test is somewhat similar in nature to the
@test "update devices [minimal transition rules]" in tests/integration,
but uses a pod.

This tests the validity of freezeBeforeSet in v1.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-15 00:07:22 -07:00
Kir Kolyshkin 52dd96db6b libct/cg/sd: TestFreezePodCgroup: rm explicit freeze
This was initially added by commit 3e5c199708 because Set (with
r.Freezer = Frozen) was not able to freeze a container.

Now (see a few previous commits) Set can do the freeze, so the explicit
Freeze is no longer needed.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-15 00:07:19 -07:00
Kir Kolyshkin f2db87986c libct/cg/sd/v1: Set: avoid unnecessary freeze/thaw
Introduce freezeBeforeSet, which contains the logic of figuring out
whether we need to freeze/thaw around setting systemd unit properties.

In particular, if SkipDevices is set, and the current unit properties
allow all devices, there is no need to freeze and thaw, as systemd
won't write any device rules in this case.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-15 00:07:10 -07:00
Kir Kolyshkin 5dc3260431 libct/int/TestFreeze: test freeze/thaw via Set
In addition to freezing and thawing a container via Pause/Resume,
there is a way to also do so via Set.

This way was broken though and is being fixed by a few preceding
commits. The test is added to make sure this is fixed and won't regress.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-14 23:42:35 -07:00
Kir Kolyshkin af1688a544 libct/int: allow subtests
The t.Name() usage in libcontainer/integration prevented subtests
to be used, since in such case it returns a string containing "/",
and thus it can't be used to name a container.

Fix this by replacing slashes with underscores where appropriate.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-14 23:42:35 -07:00
Kir Kolyshkin 67cfd3d400 libct/cg/sd/v1: Set: don't overwrite r.Freezer
m.Freeze method changes m.cgroups.Resources.Freezer field, which should
not be done while we're temporarily freezing the cgroup in Set. If this
field is changed, and r == m.cgroups.Resources (as it often happens),
this results in inability to freeze the container using Set().

To fix, add and use a method which does not change r.Freezer field.

A test case for the bug will be added separately.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-14 23:42:35 -07:00
Aleksa Sarai 8de0a5c836 merge branch 'pr-3089'
Kir Kolyshkin (1):
  ci/gha: run on release-* branches after a push

LGTMs: mrunalp cyphar
Closes #3089
2021-07-15 12:38:50 +10:00
Kir Kolyshkin d02b0061d2 ci/gha: run on release-* branches after a push
A CI is needed after PR merges.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-14 09:42:10 -07:00
Akihiro Suda fceadf2386 Merge pull request #3055 from cyphar/cgroup-bpf-replace-selinux
cgroupv2: ebpf: ignore inaccessible existing programs
2021-07-14 11:31:07 +09:00
Aleksa Sarai 57e3c54182 cgroupv2: ebpf: ignore inaccessible existing programs
This is necessary in order for runc to be able to configure device
cgroups with --systemd-cgroup on distributions that have very strict
SELinux policies such as openSUSE MicroOS[1].

The core issue here is that systemd is adding its own BPF policy that
has an SELinux label such that runc cannot interact with it. In order to
work around this, we can just ignore the policy -- in theory this
behaviour is not correct but given that the most obvious case
(--systemd-cgroup) will still handle updates correctly, this logic is
reasonable.

[1]: https://bugzilla.suse.com/show_bug.cgi?id=1182428

Fixes: d0f2c25f52 ("cgroup2: devices: replace all existing filters when attaching")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-07-14 11:17:19 +10:00
Aleksa Sarai fe518a0678 vendor: update github.com/cilium/ebpf
We need to update the eBPF library so that we can get the raw syscall
errors from bpf(2) syscalls using errors.Is.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-07-14 11:17:15 +10:00
Aleksa Sarai 2c01cec8ac merge branch 'pr-3067'
Odin Ugedal (2):
  libct/cg/sd: Don't freeze cgroup on cgroup v2 Set
  Update device update tests

LGTMs: kolyshkin mrunalp cyphar
Closes #3067
2021-07-13 12:59:29 +10:00
Mrunal Patel dc3236f957 Merge pull request #3070 from kolyshkin/unconvert
ci: enable unconvert linter, fix its warnings
2021-07-12 16:47:14 -04:00
Akihiro Suda 3a041e9654 Merge pull request #3081 from kolyshkin/carry-3065
Make cgroup freezer only care about current control group (carry #3065)
2021-07-12 13:09:40 +09:00
Qiang Huang 9493bb8268 Merge pull request #3041 from kolyshkin/rtd-cleanups
libcontainer/intelrdt: cleanups
2021-07-10 11:54:43 +08:00
Mrunal Patel 4f3fab9bfe Merge pull request #3069 from odinuge/devices-caps
tests/int/dev: add CAP_SYSLOG to /dev/kmsg tests
2021-07-09 17:23:07 -04:00
Kir Kolyshkin 497e4032bd Merge pull request #3058 from kinvolk/rata/nsexec-close-bug
libcontainer: Don't close already closed fds and bail on close(2) failures
2021-07-09 11:35:36 -07:00
Odin Ugedal 3e5c199708 libct/cg/sd: Add freezer tests
This test the issues fixed by the two preceding commits.

Co-Authored-By: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Odin Ugedal <odin@uged.al>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-08 19:32:39 -07:00
Odin Ugedal 294c4866ea libct/cg/fs/freezer.GetState: report current cgroup state
If a control group is frozen, all its descendants will report FROZEN
in freezer.state cgroup file.

OTOH cgroup v2 cgroup.freeze is not reporting the cgroup as frozen
unless it is frozen directly (i.e. not via an ancestor).

Fix the discrepancy between v1 and v2 drivers behavior by
looking into freezer.self_freezing cgroup file, which, according
to kernel documentation, will show 1 iff the cgroup was frozen directly.

Co-authored-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Odin Ugedal <odin@uged.al>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-08 19:32:08 -07:00
Aleksa Sarai 262f294a2a merge branch 'pr-3062'
Kir Kolyshkin (3):
  libct/user: use []byte more, avoid allocations
  libct/user: ParseGroupFilter: use TrimSpace
  libct/user: fix parsing long /etc/group lines

LGTMs: AkihiroSuda cyphar
Closes #3062
2021-07-08 17:10:26 +10:00
Kir Kolyshkin ccf6a94f95 Merge pull request #3045 from anmaxvl/retry-unix-eintr
retry unix.EINTR for container init process
2021-07-07 18:25:17 -07:00
Odin Ugedal f33be7cc98 libct/cg/sd: Don't freeze cgroup on cgroup v2 Set
Since device updates in cgroup v2 are atomic for systemd, there is no
need to freeze the processes before running the updates.

Signed-off-by: Odin Ugedal <odin@uged.al>
2021-07-07 22:44:08 +02:00
Odin Ugedal d41a273dae Update device update tests
Run device update tests on cgroup v2, and add a test verifying that we
don't allow access to devices when we don't intend to.

Signed-off-by: Odin Ugedal <odin@uged.al>
2021-07-07 22:44:08 +02:00
Kir Kolyshkin be1d5f83c0 ci: enable unconvert linter, fix its warnings
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-07 10:42:48 -07:00
Odin Ugedal 6be088d69d tests/int/dev: add CAP_SYSLOG to /dev/kmsg tests
Add CAP_SYSLOG to ensure that /dev/kmsg can be accesses on systems where
the sysctl kernel.dmesg_restrict = 1.

Signed-off-by: Odin Ugedal <odin@uged.al>
2021-07-07 15:44:16 +02:00
Kir Kolyshkin 71a3756b19 Merge pull request #3063 from cyphar/filepath-securejoin-update
deps: update to github.com/cyphar/filepath-securejoin@v0.2.3
2021-07-06 15:13:22 -07:00
Aleksa Sarai 9f2a1f4df1 deps: update to github.com/cyphar/filepath-securejoin@v0.2.3
The main change is the switch to Go 1.13-style "%w" error wrapping,
dropping one of the github.com/pkg/errors dependencies we have left.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-07-04 21:24:12 +10:00
Kir Kolyshkin 24d5daf54d libct/user: fix parsing long /etc/group lines
Lines in /etc/group longer than 64 characters breaks the current
implementation of group parser. This is caused by bufio.Scanner
buffer limit.

Fix by re-using the fix for a similar problem in golang os/user,
namely https://go-review.googlesource.com/c/go/+/283601.

Add some tests.

Co-authored-by: Andrey Bokhanko <andreybokhanko@gmail.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-02 13:19:42 -07:00
Kir Kolyshkin 226dfab0bc libct/user: ParseGroupFilter: use TrimSpace
Same as in other places (other parsers here, as well as golang os/user
parser and glibc parser all tolerate extra space at BOL and EOL).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-02 12:25:51 -07:00
Kir Kolyshkin 120e3a77d8 libct/user: use []byte more, avoid allocations
Every []byte to string conversion results in a new allocation.
Avoid some by using []byte more.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-07-02 12:25:45 -07:00
Rodrigo Campos 83776dd8b3 libcontainer: Bail on close(2) failures
Don't ignore close(2) return code, rather bail if there is any
unexpected failures. By checking the close return code we make sure we
don't introduce the same bug (closing an already closed fd) I've fixed
in the previous patch.

As a side note, we are not handling in this patch when close(2) returns
EINTR and the go runtime, since go 1.14, sends SIGURG to preempt
goroutines. This should not happen here though, as nsenter is guaranteed
to be executed before the go runtime starts.

Signed-off-by: Rodrigo Campos <rodrigo@kinvolk.io>
2021-07-02 16:43:25 +02:00
Rodrigo Campos 7d479e6beb libcontainer: Don't close fds already closed
This was closed in the child[1], before calling clone_parent (so runc
INIT will have this fd closed too), there is no point closing it again.

This was not causing issues because we ignore the return code of
close(2) and no one was opening a new fd between both calls to close.
However, with the new patches that I'm working on (PR #2576), this
problem is no longer inocuos: we do open a new fd in that PR, sometimes
that fd is allocated between the two close(2) calls and, as the lowest
fd is allocated to the new fd, sometimes the second close ends up
incorrectly closing this new fd.

Before it was not a problem in practice, but it was incorrect
nevertheless.

This seems to be long standing bug, present since at least 2018
(a54316bae), when SYNC_GRANDCHILD was introduced.

[1]: https://github.com/opencontainers/runc/blob/5547b5774f71f75a088e7432fa961778750a0fbd/libcontainer/nsenter/nsexec.c#L888

Co-authored-by: Alban Crequy <alban@kinvolk.io>
Signed-off-by: Rodrigo Campos <rodrigo@kinvolk.io>
2021-07-02 15:55:11 +02:00
Maksim An e39ad65059 retry unix.EINTR for container init process
When running a script from an azure file share interrupted syscall
occurs quite frequently, to remedy this add retries around execve
syscall, when EINTR is returned.

Signed-off-by: Maksim An <maksiman@microsoft.com>
2021-06-30 22:22:31 -07:00
Akihiro Suda 5547b5774f Merge pull request #3033 from kolyshkin/rm-own-errors
libcontainer: rm own error system
2021-07-01 13:47:27 +09:00
Kir Kolyshkin 4e56bb446a Merge pull request #3053 from kailun-qin/consolidate-utils
libct/rootfs: consolidate utils imports
2021-06-30 15:54:05 -07:00
Kailun Qin c508a7bc0a libct/rootfs: consolidate utils imports
Signed-off-by: Kailun Qin <kailun.qin@intel.com>
2021-06-30 06:49:38 -04:00
Akihiro Suda b12e6bcaa2 Merge pull request #3051 from kolyshkin/test-int-fix-unshare
tests/int/no_pivot: fixup for new kernels
2021-06-30 11:45:47 +09:00
Kir Kolyshkin 1bbeadae72 tests/int/no_pivot: fix for new kernels
The test is failing like this:

	not ok 70 runc run --no-pivot must not expose bare /proc
	# (in test file tests/integration/no_pivot.bats, line 20)
	#   `[[ "$output" == *"mount: permission denied"* ]]' failed
	# runc spec (status=0):
	#
	# runc run --no-pivot test_no_pivot (status=1):
	# unshare: write error: Operation not permitted

Apparently, a recent kernel commit db2e718a47984b9d prevents
root from doing unshare -r unless it has CAP_SETFPCAP.

Add the capability for this specific test.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-29 13:31:54 -07:00
Akihiro Suda 24aff17be2 Merge pull request #3048 from opencontainers/dependabot/go_modules/google.golang.org/protobuf-1.27.1
build(deps): bump google.golang.org/protobuf from 1.26.0 to 1.27.1
2021-06-29 13:36:47 +09:00
Kir Kolyshkin 0229a77a80 libcontainer/intelrdt: privatize some ids
These are not used anywhere outside of the package
(I have also checked the only external user of the package
(github.com/google/cadvisor).

No changes other than changing the case. The following
identifiers are now private:

 * IntelRdtTasks
 * NewLastCmdError
 * NewStats

Brought to you by gorename.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-28 12:45:28 -07:00
Kir Kolyshkin 8f8dfc498a libcontainer/intelrdt: move NewLastCmdError down
... the stack, so every caller will automatically benefit from it.

The only change that it causes is the user in
libcontainer/process_linux.go will get a better error message.

[v2: typo fix]

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-28 12:45:28 -07:00
Kir Kolyshkin 00d1562967 libct/intelrdt: simplify NewLastCmdError
For errors that only have a string and an underlying error, using
fmt.Errorf with %w to wrap an error is sufficient.

In this particular case, the code is simplified, and now we have
unwrappable errors as a bonus (same could be achieved by adding
(*LastCmdError).Unwrap() method, but that's adding more code).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-28 12:45:28 -07:00
Kir Kolyshkin e0ce428bce libct/intelrdt: remove NotFoundError type
Initially, this was copied over from libcontainer/cgroups, where it made
sense as for cgroup v1 we have multiple controllers and mount points.

Here, we only have a single mount, so there's no need for the whole
type.

Replace all that with a simple error (which is currently internal since
the only user is our own test case).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-28 12:45:28 -07:00
Kir Kolyshkin feff2c451e libct/intelrdt: fix potential nil dereference
In case getIntelRdtData() returns an error, d is set to nil.

In case the error returned is of NotFoundError type (which happens
if resctlr mount is not found in /proc/self/mountinfo), the function
proceeds to call d.join(), resulting in a nil deref and a panic.

In practice, this never happens in runc because of the checks in
intelrdt() function in libcontainer/configs/validate, which raises
an error in case any of the parameters are set in config but
the IntelRTD itself is not available (that includes checking
that the mount point is there).

Nevertheless, the code is wrong, and can result in nil dereference
if some external users uses Apply on a system without resctrl mount.

Fix this by removing the exclusion.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-28 12:45:28 -07:00
Kir Kolyshkin 82498e3d77 libct/specconf: remove unneeded checks
In cases we have something like

	if y != "" {
		x = y
	}

where both x and y are strings, and x was not set before,
it makes no sense to have a condition, as such code is
equivalent to mere

	x = y

Simplify such cases by removing "if".

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-28 12:45:28 -07:00
dependabot[bot] bc96a59dd7 build(deps): bump google.golang.org/protobuf from 1.26.0 to 1.27.1
Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go) from 1.26.0 to 1.27.1.
- [Release notes](https://github.com/protocolbuffers/protobuf-go/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash)
- [Commits](https://github.com/protocolbuffers/protobuf-go/compare/v1.26.0...v1.27.1)

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-06-28 19:34:10 +00:00
Aleksa Sarai e5ccc4b971 merge branch 'pr-3043'
Kir Kolyshkin (1):
  Revert "checkpoint: resolve symlink for external bind mount"

Closes #3043
LGTMs: AkihiroSuda cyphar
2021-06-28 14:51:53 +10:00
Kir Kolyshkin 70fdc0573d Revert "checkpoint: resolve symlink for external bind mount"
This reverts commit da22625f69
(PR 2902).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-24 20:52:43 -07:00
Mrunal Patel 1079288bef Merge pull request #2902 from liusdu/checkpoint
checkpoint: resolve symlink for external bind mount
2021-06-24 22:52:02 -04:00
Mrunal Patel 245fe2b678 Merge pull request #3029 from liusdu/work
checkpoint: set default work-dir to image-path
2021-06-24 22:44:48 -04:00
Kir Kolyshkin e618c02d85 libct/stacktrace: remove
This removes the libcontainer/stacktrace package, which, as of previous
commit, is no longer used.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-24 10:21:51 -07:00
Kir Kolyshkin e918d02139 libcontainer: rm own error system
This removes libcontainer's own error wrapping system, consisting of a
few types and functions, aimed at typization, wrapping and unwrapping
of errors, as well as saving error stack traces.

Since Go 1.13 now provides its own error wrapping mechanism and a few
related functions, it makes sense to switch to it.

While doing that, improve some error messages so that they start
with "error", "unable to", or "can't".

A few things that are worth mentioning:

1. We lose stack traces (which were never shown anyway).

2. Users of libcontainer that relied on particular errors (like
   ContainerNotExists) need to switch to using errors.Is with
   the new errors defined in error.go.

3. encoding/json is unable to unmarshal the built-in error type,
   so we have to introduce initError and wrap the errors into it
   (basically passing the error as a string). This is the same
   as it was before, just a tad simpler (actually the initError
   is a type that got removed in commit afa844311; also suddenly
   ierr variable name makes sense now).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-24 10:21:04 -07:00
Kir Kolyshkin 60c647a783 libct/error: rm ConsoleExists
It is not used since commit 244c9fc426.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-24 08:24:58 -07:00
Aleksa Sarai 51beb5c436 merge branch 'pr-3011'
Kir Kolyshkin (24):
  *: stop using pkg/errors
  libct/cg: stop using pkg/errors
  libct/cg/ebpf: stop using pkg/errors
  libct/cg/devices: stop using pkg/errors
  .golangci.yml: enable errorlint
  *: ignore errorlint warnings about unix.* errors
  *: use errors.As and errors.Is
  tty.go: don't use pkg/errors, use errors.Is
  libct/keys: stop using pkg/errors
  libct: fix errorlint warning about strconv.NumError
  *: fmt.Errorf: use %w when appropriate
  libct/rootfs: improve some errors
  libct: wrap unix.Mount/Unmount errors
  libct/cg/fs2: fix/unify parsing errors
  libct/cg/fs: fix/unify parsing errors
  libct/cg/fscommon: introduce and use ParseError
  libct/cg/fs[2]: simplify getting pid stats
  libct/cg/fs/stats_util_test: fix errors
  libct/StartInitialization: fix errors
  libct/cg/fs/*_test: simplify errors
  ...

LGTMs: AkihiroSuda cyphar
Closes #3011
2021-06-24 22:15:02 +10:00
Kir Kolyshkin a7cfb23b88 *: stop using pkg/errors
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-22 16:09:47 -07:00
Kir Kolyshkin b60e2edf75 libct/cg: stop using pkg/errors
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-22 16:09:47 -07:00
Kir Kolyshkin a6cc36a836 libct/cg/ebpf: stop using pkg/errors
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-22 16:09:47 -07:00
Kir Kolyshkin f137aaa2c8 libct/cg/devices: stop using pkg/errors
Use Go native errors wrapping.

Introduce wrapErr helper to minimise the patch size.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-22 16:09:47 -07:00
Kir Kolyshkin ebb0812886 .golangci.yml: enable errorlint
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-22 16:09:47 -07:00
Kir Kolyshkin 56e478046a *: ignore errorlint warnings about unix.* errors
Errors from unix.* are always bare and thus can be used directly.

Add //nolint:errorlint annotation to ignore errors such as these:

libcontainer/system/xattrs_linux.go:18:7: comparing with == will fail on wrapped errors. Use errors.Is to check for a specific error (errorlint)
	case errno == unix.ERANGE:
	     ^
libcontainer/container_linux.go:1259:9: comparing with != will fail on wrapped errors. Use errors.Is to check for a specific error (errorlint)
					if e != unix.EINVAL {
					   ^
libcontainer/rootfs_linux.go:919:7: comparing with != will fail on wrapped errors. Use errors.Is to check for a specific error (errorlint)
			if err != unix.EINVAL && err != unix.EPERM {
			   ^
libcontainer/rootfs_linux.go:1002:4: switch on an error will fail on wrapped errors. Use errors.Is to check for specific errors (errorlint)
			switch err {
			^

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-22 16:09:47 -07:00
Kir Kolyshkin f6a0899b7f *: use errors.As and errors.Is
Do this for all errors except one from unix.*.

This fixes a bunch of errorlint warnings, like these

libcontainer/generic_error.go:25:15: type assertion on error will fail on wrapped errors. Use errors.As to check for specific errors (errorlint)
	if le, ok := err.(Error); ok {
	             ^
libcontainer/factory_linux_test.go:145:14: type assertion on error will fail on wrapped errors. Use errors.As to check for specific errors (errorlint)
	lerr, ok := err.(Error)
	            ^
libcontainer/state_linux_test.go:28:11: type assertion on error will fail on wrapped errors. Use errors.As to check for specific errors (errorlint)
	_, ok := err.(*stateTransitionError)
	         ^
libcontainer/seccomp/patchbpf/enosys_linux.go:88:4: switch on an error will fail on wrapped errors. Use errors.Is to check for specific errors (errorlint)
			switch err {
			^

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-22 16:09:47 -07:00
Kir Kolyshkin 5d2a11ad2e tty.go: don't use pkg/errors, use errors.Is
Instead of using errors.Wrap, use fmt.Errorf with %w for error wrapping.

Also, use errors.Is instead of direct error comparison.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-22 16:09:47 -07:00
Kir Kolyshkin c6fed264da libct/keys: stop using pkg/errors
Use fmt.Errorf with %w instead.

Convert the users to the new wrapping.

This fixes an errorlint warning.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-22 16:09:47 -07:00
Kir Kolyshkin adbac31d88 libct: fix errorlint warning about strconv.NumError
This one is tough as errorlint insists on using errors.Is, and the
latter is known to not work for Go 1.13 which we still support.

So, add a nolint annotation to suppress the warning, and a TODO to
address it later.

For intelrdt, we can do the same, but it is easier to reuse the very
same function from fscommon (note we can't use fscommon for other stuff
as it expects cgroupfs).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-22 16:09:47 -07:00
Kir Kolyshkin 7be93a66b9 *: fmt.Errorf: use %w when appropriate
This should result in no change when the error is printed, but make the
errors returned unwrappable, meaning errors.As and errors.Is will work.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-22 16:09:47 -07:00
Kir Kolyshkin d8ba4128b2 libct/rootfs: improve some errors
Errors from os.Open, os.Symlink etc do not need to be wrapped, as they
are already wrapped into os.PathError.

Error from unix are bare errnos and need to be wrapped. Same
os.PathError is a good candidate.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-22 16:09:47 -07:00
Kir Kolyshkin 36aefad45d libct: wrap unix.Mount/Unmount errors
Errors returned by unix are bare. In some cases it's impossible to find
out what went wrong because there's is not enough context.

Add a mountError type (mostly copy-pasted from github.com/moby/sys/mount),
and mount/unmount helpers. Use these where appropriate, and convert error
checks to use errors.Is.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-22 16:09:37 -07:00
Kir Kolyshkin 825335b2b7 libct/cg/fs2: fix/unify parsing errors
This builds on top of recently introduced fscommon.ParseError.

Errors returned from parsers (mostly ones used by GetStats()) are all
different, and many are incomplete. For example, in many cases errors
from strconv.ParseUint are returned as is, meaning there is no context
telling which file we were reading. Similarly, errors from
fscommon.ParseKeyValue should be wrapped to add more context.
Same is true for scanner.Err().

OTOH, errors from fscommon.GetCgroup* do have enough context and there
is no need to wrap them.

Fix all the above.

While at it, add missing scanner.Err() checks.

[v2: use parseError, not ParseError]

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-22 12:00:54 -07:00
Kir Kolyshkin 5a186d390f libct/cg/fs: fix/unify parsing errors
This builds on top of recently introduced fscommon.ParseError.

Errors returned from parsers (mostly ones used by GetStats()) are all
different, and many are incomplete. For example, in many cases errors
from strconv.ParseUint are returned as is, meaning there is no context
telling which file we were reading. Similarly, errors from
fscommon.ParseKeyValue should be wrapped to add more context.
Same is true for scanner.Err().

One special case that repeats a few times is "malformed line: xxx".
Add and use a helper for that to simplify things.

OTOH, errors from fscommon.GetCgroup* do have enough context and there
is no need to wrap them.

Fix all the above.

While at it, add a missing scanner.Err() check.

[v2: use parseError not ParseError]

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-22 11:59:54 -07:00
Kir Kolyshkin f813174d5e libct/cg/fscommon: introduce and use ParseError
1. Introduce ParseError type as a way to unify error messages related to
   file parsing. Use it from GetCgroup* functions.

2. Do not discard the error from strconv.Parse{Int,Uint} -- it contains
   the value being parsed, and the details about the error.

2. As the error above already contains the value, drop it from format.

[v2: use path.Join in Error]

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-22 11:52:26 -07:00
Kir Kolyshkin adcd3b4451 libct/cg/fs[2]: simplify getting pid stats
1. Do not wrap errors returned from fscommon.GetCgroupParamUint -- those
   errors already have enough context.

2. Instead of parsing "max" ourselves, use GetCgroupParamUint which does
   it, and then convert MaxUint64 to 0 (we do it historically since
   commit 087b953dc5, and while using MaxUint64 as is seems fine,
   there may be some existing users who rely on the old behavior).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-22 11:44:31 -07:00
Kir Kolyshkin 4e33094277 libct/cg/fs/stats_util_test: fix errors
1. No \n needed in t.Errorf/t.Fatalf.

2. Some cosmetic changes.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-22 11:44:12 -07:00
Kir Kolyshkin 563225d55f libct/StartInitialization: fix errors
Errors from strconv.Atoi are already descriptive enough, and contain the
value being converted, so our error messages do not need to contain it.

While at it, use %w to wrap errors.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-22 11:43:44 -07:00
Kir Kolyshkin 3fee59f9da libct/cg/fs/*_test: simplify errors
The error from fscommon.GetCgroup* already contains the file name and so
on, so there's no need to wrap it.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-22 11:43:24 -07:00
Kir Kolyshkin fdf4e90e89 libct/cg/fscommon.ParseKeyValue: no need to wrap err
The error returned from strconv.ParseUint is already pretty descriptive,
something like:

	strconv.ParseUint: parsing "000d": invalid syntax

So, there is no need to add more context to it.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-22 11:42:59 -07:00
Kir Kolyshkin 627a06ad92 Replace fmt.Errorf w/o %-style to errors.New
Using fmt.Errorf for errors that do not have %-style formatting
directives is an overkill. Switch to errors.New.

Found by

	git grep fmt.Errorf | grep -v ^vendor | grep -v '%'

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-22 11:42:07 -07:00
Kir Kolyshkin 242b3283fd libct/cg/fscommon: rm unused var
It is not used since commit 494f900e91

Fixes: 494f900e91
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-22 11:42:00 -07:00
Kir Kolyshkin 92e8d9b91a libct/intelrdt: error message nits
An errror from ioutil.WriteFile already contains file name, so there is
no need to duplicate that information.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-22 11:41:41 -07:00
Aleksa Sarai 2fc269d7af merge branch 'pr-2971'
Aleksa Sarai (2):
  VERSION: release runc 1.0.0
  VERSION: back to development

LGTMs: cyphar hqhq AkihiroSuda kolyshkin thaJeztah
Closes #2971
2021-06-22 16:01:02 +10:00
Aleksa Sarai 9f93778291 merge branch 'pr-3032'
Kir Kolyshkin (4):
  exec: rm --no-subreaper flag
  runc update: hide --kernel* options
  runc --help: improve log options description
  man/*: revamp

LGTMs: cyphar mrunalp AkihiroSuda
Closes #3032
2021-06-18 17:22:54 +10:00
Aleksa Sarai 041caf107f VERSION: back to development
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-06-17 18:11:39 +10:00
Aleksa Sarai 84113eef6f VERSION: release runc 1.0.0
🎉

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-06-17 18:11:36 +10:00
Aleksa Sarai 47d37b33cd merge branch 'pr-3022'
Kir Kolyshkin (3):
  libct/cg/fs/blkio: do not set weight == 0
  libct/cg/fs2: set per-device io weight if available
  tests/int/cgroups: add test for bfq per-device weight

LGTMs: AkihiroSuda mrunalp cyphar
Closes #3022
2021-06-17 17:50:36 +10:00
Kir Kolyshkin dfc0f0695a man/*: revamp
Current runc man pages are ugly (no proper man page formatting)
and very short (mostly just a copy-paste from the "runc <command>
--help" output. They are also somewhat obsoleted as not all CLI updates
were propagated to man/*.

This commits makes the first step to solving this.

In short:
 - added some more information about some options;
 - lots of formatting fixes;
 - use references to other man pages and web pages;
 - fix SYNOPSYS (formatting, mostly);
 - removed the repeated description of <container_id> from every page;
 - added SEE ALSO;
 - something else I forgot.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-16 12:42:06 -07:00
Liu Hua 85aabe233e C/R: let criu use its default if --work-path is not set
Now runc puts dump/restore logs in c.root defaultly, which will be deleted
when container exits. So if checkpinting/restoring failed, we can not get
these logs and analyze why.

This patch lets criu use its default if --work-path is not set:
 - Use WorkDirectory found in criu's configfile.
 - Use ImageDirectory.

Signed-off-by: Liu Hua <weldonliu@tencent.com>
2021-06-16 20:47:25 +08:00
Kir Kolyshkin 2916817278 tests/int/cgroups: add test for bfq per-device weight
This works for both cgroup v1 and v2.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-16 04:51:40 -07:00
Kir Kolyshkin 1036f3f995 libct/cg/fs2: set per-device io weight if available
Per-device weight is supported since kernel v5.4 (kernel commit
795fe54c2a8), so let's set those if supplied.

[v2: implement a more relaxed check in bfqDeviceWeightSupported]

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-16 04:51:19 -07:00
Kir Kolyshkin e8bd33ae28 runc --help: improve log options description
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-15 17:49:56 -07:00
Kir Kolyshkin cf4ecaed08 runc update: hide --kernel* options
Commit 52390d6804 made this parameters obsoleted, but they are
still shown in e.g. runc update --help output.

Hide them (and maybe in 5 years we can remove them).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-15 17:48:40 -07:00
Kir Kolyshkin 4065c394a3 exec: rm --no-subreaper flag
This was removed from runc exec by commit f61c6e413f about 5 years ago,
so it's time to remove it entirely.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-15 15:40:10 -07:00
Kir Kolyshkin 30d83d4d2f libct/cg/fs/blkio: do not set weight == 0
For per-device weight, you can set weight and/or leaf weight.
The problem is, with the recent fix to use BFQ on cgroup v1,
if per-device weights are set, the code tries to set device
weight to blkio.bfq.weight, and the leaf weight to
blkio.leaf_weight_device. The latter file does not exist on
kernels v5.0, meaning one can not set any per-device weights
at all.

The fix is to only set weights if they are non-zero (i.e. set).

The test case will come in a following commit.

Fixes: 6339d8a0dd
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-14 12:52:30 -07:00
Kir Kolyshkin f093cca13d Merge pull request #3024 from kolyshkin/fscommon-mv
libct/cg: mv fscommon.{Open,Read,Write}File to cgroups
2021-06-14 12:49:18 -07:00
Kir Kolyshkin 8726c701a1 Merge pull request #3017 from wzshiming/fix/setenv
Returns clearer error message for Setenv
2021-06-14 11:13:13 -07:00
Akihiro Suda c4359f8e7d Merge pull request #3005 from adrianreber/2021-06-07-lsm-profile 2021-06-15 01:16:43 +09:00
Kir Kolyshkin d7fc302860 libct/cg/fs*: mark {Open,Read,Write}File as deprecated
... and switch to using the ones from cgroups.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-13 17:17:48 -07:00
Kir Kolyshkin 8f1b4d4a6f libct/cg: mv fscommon.{Open,Read,Write}File to cgroups
This is a better place as cgroups itself is using these.
Should help with moving more stuff common in between fs and fs2 to
fscommon.

Looks big, but this is just moving the code around:

 fscommon/{fscommon,open}.go -> cgroups/file.go
 fscommon/fscommon_test.go   -> cgroups/file_test.go

and fixes for TestMode moved to a different package.

There's no functional change.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-13 12:38:21 -07:00
Shiming Zhang 322c8fd36b Returns clearer error message for setenv
Signed-off-by: Shiming Zhang <wzshiming@foxmail.com>
2021-06-12 14:32:48 +08:00
Mrunal Patel 93a01cd4d0 Merge pull request #3009 from AkihiroSuda/update-ebpf-wrap
update cilium/ebpf to fix haveBpfProgReplace() check
2021-06-11 15:38:01 -04:00
Mrunal Patel a3813ca249 Merge pull request #3000 from kolyshkin/test-dev-update
libct/int: add device update test
2021-06-11 14:36:49 -04:00
Kir Kolyshkin 0ca4cdad35 Merge pull request #3010 from askervin/5D6_blkio_bfq_weight
libcontainer/cgroups/fs/blkio: support BFQ weight[_device]
2021-06-11 11:30:05 -07:00
Akihiro Suda 46940ed80c update cilium/ebpf to fix haveBpfProgReplace() check
The `errors.Is(err, unix.EINVAL)` check in `haveBpfProgReplace()` was
broken because the `cilium/ebpf` library did not "wrap" errors.
https://github.com/cilium/ebpf/blob/v0.6.0/link/program.go#L72

So the eBPF support of runc was broken for kernel prior to 5.6.

This commit bumps up cilium/ebpf to contain cilium/ebpf PR 320.

Fix opencontainers/runc issue 3008

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-06-12 02:12:25 +09:00
dependabot[bot] 7eb5c527c8 Merge pull request #3023 from opencontainers/dependabot/github_actions/tim-actions/get-pr-commits-1.1.0 2021-06-11 14:43:08 +00:00
Antti Kervinen 6339d8a0dd libcontainer/cgroups/fs/blkio: support BFQ weight[_device]
- Update the blkio cgroup to support the BFQ I/O Scheduler, that has
  replaced CFQ in the Linux kernel.
- BFQ is controlled through blkio.bfq.weight[_device] instead of
  CFQ's blkio.weight[_device] in cgroups v1.
- BFQ does not support blkio.leaf_weight[_device], so that behavior
  remains untouched.
- Do not change behavior on legacy CFQ systems.
- Enable using blkio weights on BFQ systems.

Signed-off-by: Antti Kervinen <antti.kervinen@intel.com>
2021-06-11 11:11:06 +03:00
dependabot[bot] 01f5dcaeb7 build(deps): bump tim-actions/get-pr-commits from 1.0.0 to 1.1.0
Bumps [tim-actions/get-pr-commits](https://github.com/tim-actions/get-pr-commits) from 1.0.0 to 1.1.0.
- [Release notes](https://github.com/tim-actions/get-pr-commits/releases)
- [Commits](https://github.com/tim-actions/get-pr-commits/compare/v1.0.0...v1.1.0)

---
updated-dependencies:
- dependency-name: tim-actions/get-pr-commits
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-06-11 06:31:30 +00:00
Akihiro Suda b44f48c945 Merge pull request #3018 from oss-qm/submit/tests-fix-spelling
github: workflows: fix tiny typo
2021-06-11 14:19:21 +09:00
Akihiro Suda 196eee13e5 Merge pull request #3019 from kolyshkin/sd-skip-dev
libct/cg/sd: fix "SkipDevices" handling
2021-06-11 14:09:58 +09:00
Kir Kolyshkin bd8e070109 libct/cg/sd: fix "SkipDevices" handling
1. The meaning of SkipDevices is what it is -- do not set any
   device-related options.

2. Reverts the part of commit 108ee85b82 which skipped the freeze
   when the SkipDevices is set. Apparently, the freeze is needed on
   update even if no Device* properties are being set.

3. Add "runc update" to "runc run [device cgroup deny]" test.

Fixes: 752e7a8249
Fixes: 108ee85b82
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-10 12:01:21 -07:00
Aleksa Sarai f454bb10d7 merge branch 'pr-3004'
Sebastiaan van Stijn (2):
  libcontainer: relax validation for absolute paths
  configs/validator: move cgroup validation to the list of checks

LGTMs: kolyshkin cyphar
Closes #3004
2021-06-11 00:22:03 +10:00
Enrico Weigelt, metux IT consult 1b2abc89ae github: workflows: fix tiny typo
Tiny spelling fix - it's called "docker", not "dockre".

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2021-06-10 13:03:16 +02:00
Sebastiaan van Stijn b31a9340f9 libcontainer: relax validation for absolute paths
Commits 1f1e91b1a0 and 2192670a24
added validation for mountpoints to be an absolute path, to match the OCI
specs.

Unfortunately, the old behavior (accepting the path to be a relative path)
has been around for a long time, and although "not according to the spec",
various higher level runtimes rely on this behavior.

While higher level runtime have been updated to address this requirement,
there will be a transition period before all runtimes are updated to carry
these fixes.

This patch relaxes the validation, to generate a WARNING instead of failing,
allowing runtimes to update (but allowing them to update runc to the current
version, which includes security fixes).

We can remove this exception in a future patch release.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-06-09 13:20:28 +02:00
Sebastiaan van Stijn dbb35411f8 configs/validator: move cgroup validation to the list of checks
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-06-09 13:15:54 +02:00
Aleksa Sarai dcdf6b631d merge branch 'pr-3006'
Kir Kolyshkin (1):
  libct/cg/sd/dbus: fix NewDbusConnManager

LGTMs: AkihiroSuda cyphar
Closes #3006
2021-06-09 20:09:00 +10:00
Aleksa Sarai f2e0e8f9d0 merge branch 'pr-3012'
Kir Kolyshkin (1):
  libct/cg/fs: don't forget to close a file

LGTMs: AkihiroSuda cyphar
Closes #3012
2021-06-09 15:02:00 +10:00
Kir Kolyshkin 9573e4b68e libct/cg/fs: don't forget to close a file
Fixes: 7fe0a98e79
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-08 21:04:41 -07:00
Akihiro Suda 4d6b9297c7 Merge pull request #2986 from cyphar/ebpf-replacefd-support-check
cgroupv2: ebpf: check for BPF_F_REPLACE support and degrade gracefully
2021-06-08 15:35:30 +09:00
Aleksa Sarai 9ebc573a38 cgroupv2: ebpf: debug info when detaching programs in fallback mode
It seems that we are triggering the mutli-attach fallback in the fedora
CI, but we don't have enough debugging information to really know what's
going on, so add some. Unfortunately the amount of information we have
available with eBPF programs in general is fairly limited (we can't get
their bytecode for instance).

We also demote the "more than one filter" warning to an info message
because it happens very often under the systemd cgroup driver (likely
when systemd configures the cgroup it isn't deleting our old program, so
when our apply code runs after the systemd one there are two running
programs).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-06-08 13:23:59 +10:00
Aleksa Sarai a3ca7b47fc cgroupv2: ebpf: check for BPF_F_REPLACE support and degrade gracefully
It turns out that the cilium eBPF library doesn't degrade gracefully if
BPF_F_REPLACE is not supported, so we need to work around it by treating
that case as we treat the more-than-one program case.

It also turns out that we weren't passing BPF_F_REPLACE explicitly, but
this is required by the cilium library (causing EINVALs).

Fixes: d0f2c25f52 ("cgroup2: devices: replace all existing filters when attaching")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-06-08 13:23:56 +10:00
Kir Kolyshkin d06bda60c5 libct/cg/sd/dbus: fix NewDbusConnManager
Noticed that the check of trying to use both rootful and rootless
in NewDbusConnManager never worked, as we never set dbusInited to true.

Do that. While at it, protect this with the mutex (against the
case of two goroutines simultaneously calling NewDbusConnManager).
This is a rare call, so taking read-only then read-write mutex does not
make sense.

Fixes: c7f847ed3a

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-07 12:23:01 -07:00
Adrian Reber 535f25c44f Allow restoring with a different LSM profile
Restoring an SELinux enabled container with Podman will result in
a container with the exactly same SELinux process labels as during
checkpointing. CRIU takes care of all the process labels.

Restoring multiple copies of a checkpointed container will result in all
containers having the same SELinux process labels, which might be
undesired.

When looking at Pods all container in a Pod share the process label
of the infrastructure container. To restore a container into and
existing Pod it is necessary to tell CRIU to restore the container
with the infrastructure container process label.

CRIU supports setting different process labels using --lsm-profile for a
long time and this just passes the process label information from runc
to CRIU.

Unfortunately CRIU has a bug as no one was using the --lsm-profile
option so this changes requires the upcoming CRIU version 3.16.

Signed-off-by: Adrian Reber <areber@redhat.com>
2021-06-07 18:05:24 +02:00
Kir Kolyshkin 508f5bf665 libct/int: add device update test
... and remove the one from tests/integration.

The idea is similar to the one for the test case being removed -- try
updating device rules many times to make sure we are not leaking eBPF
programs after every update/Set(). This is better though as we can
really change the device rules every time (which "runc update" can't)
and check that the rule is applied.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-05 16:11:29 -07:00
Kir Kolyshkin 2f8e8e9d97 Merge pull request #2994 from kolyshkin/skip-devices-on-update
runc update: skip devices
2021-06-04 15:33:26 -07:00
Kir Kolyshkin 123a34d4e3 Merge pull request #2999 from thaJeztah/remove_deprecated_stubs
libcontainer: remove aliases for deprecated functions
2021-06-04 14:05:55 -07:00
Sebastiaan van Stijn 8fe3dfbb88 libcontainer/system: remove alias for deprecated RunningInUserNS
These were deprecated and moved; the stubs were included in the
last two (rc94, rc95) releases, so external consumers would have
the chance to update their code.

Removing this so that this doesn't get into v1.0.0 GA

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-06-04 17:48:48 +02:00
Sebastiaan van Stijn 3f23a736cb libcontainer/configs: remove stubs for deprecated Devices funcs
These were deprecated and moved; the stubs were included in the
last two (rc94, rc95) releases, so external consumers would have
the chance to update their code.

Removing this so that this doesn't get into v1.0.0 GA

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-06-04 17:46:25 +02:00
Akihiro Suda 7362fa2d28 Merge pull request #2997 from kolyshkin/fix-dbus-err
[rc94 regression] libct/cg/sd: fix dbus error handling
2021-06-04 14:01:32 +09:00
Kir Kolyshkin b2d28c5df2 libct/cg/sd: fix dbus error handling
This fixes isDbusError function, introduced by commit bacfc2c. Due to a
type error it was not working at all.

This also fixes the whole "retry on dbus disconnect" logic.

This also fixes a regression in startUnit (and cgroupManager.Apply()),
which should never return "unit already exists" error but it did.

Fixes: bacfc2c
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-03 12:40:41 -07:00
Kir Kolyshkin bf7492ee5d runc update: skip devices
The runc update CLI is not able to modify devices, so let's set SkipDevices
(so that a cgroup controller won't try to update devices cgroup).

This helps use cases when some other device management (NVIDIA GPUs)
applies its configuration on top of what runc does.

Make sure we do not save SkipDevices into state.json.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-03 10:40:55 -07:00
Mrunal Patel c8653a2506 Merge pull request #2985 from kolyshkin/term-doc
docs/terminals.md: add troubleshooting
2021-06-03 13:13:06 -04:00
Aleksa Sarai 13acae7376 merge branch 'pr-2992'
Kir Kolyshkin (3):
  libct/cg/fs/stats_util_test: use t.Helper
  libct/cg/fs/memory_test: fix formatting
  libct/int/testPids: logging nits

LGTMs: AkihiroSuda cyphar
Closes #2992
2021-06-03 21:05:42 +10:00
Aleksa Sarai a77d031114 merge branch 'pr-2991'
Kir Kolyshkin (2):
  vendor: willf/bitset@v1.1.11 -> bits-and-blooms/bitset@v1.2.0
  Bump selinux to v1.8.2

LGTMs: AkihiroSuda cyphar
Closes #2991
2021-06-03 21:03:55 +10:00
Kir Kolyshkin 2888e6e543 Merge pull request #2989 from crosbymichael/cm-email
update crosbymichael email
2021-06-02 17:46:16 -07:00
Kir Kolyshkin c3831d646d libct/cg/fs/stats_util_test: use t.Helper
These functions are called from multiple places,
and if t.Helper() is not used, the context is not clear.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-02 17:43:02 -07:00
Kir Kolyshkin 9eb0371bab libct/cg/fs/memory_test: fix formatting
Make it more readable.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-02 17:42:19 -07:00
Kir Kolyshkin e969d42156 libct/int/testPids: logging nits
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-02 17:31:03 -07:00
Kir Kolyshkin 48d76adf7b Merge pull request #2974 from thaJeztah/fix_some_linting
Fix various linting issues
2021-06-02 16:53:26 -07:00
Kir Kolyshkin a5bd78ef52 vendor: willf/bitset@v1.1.11 -> bits-and-blooms/bitset@v1.2.0
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-02 16:28:38 -07:00
Kir Kolyshkin 65cf0e61fb Bump selinux to v1.8.2
This is to include willf/bitset@v1.1.11 ->
bits-and-blooms/bitset@v1.2.0.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-02 16:27:27 -07:00
Kir Kolyshkin c1ec39235d Merge pull request #2981 from opencontainers/dependabot/go_modules/github.com/opencontainers/selinux-1.8.1
build(deps): bump github.com/opencontainers/selinux from 1.8.0 to 1.8.1
2021-06-02 11:31:14 -07:00
Kir Kolyshkin 2d1608cd3f Merge pull request #2980 from opencontainers/dependabot/go_modules/github.com/cilium/ebpf-0.6.0
build(deps): bump github.com/cilium/ebpf from 0.5.0 to 0.6.0
2021-06-02 11:29:56 -07:00
Kir Kolyshkin f99d252d2b docs/terminals.md: add troubleshooting
Explain where the "/dev/tty: no such device or address" error is coming
from, and provide ways to solve the issue.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-02 09:36:10 -07:00
Michael Crosby 49ea4b373b update crosbymichael email
Signed-off-by: Michael Crosby <michael@thepasture.io>
2021-06-02 11:59:24 -04:00
Sebastiaan van Stijn 3e1bcb1f5d libcontainer/keys: var should be sessKeyID/ringID (golint)
libcontainer/keys/keyctl.go:17:2: var `sessKeyId` should be `sessKeyID` (golint)
        sessKeyId, err := unix.KeyctlJoinSessionKeyring(name)
        ^

    libcontainer/keys/keyctl.go:27:21: func parameter `ringId` should be `ringID` (golint)
    func ModKeyringPerm(ringId KeySerial, mask, setbits uint32) error {
                        ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-06-02 17:46:34 +02:00
Sebastiaan van Stijn 1fb56f9f1f libcontainer/cgroups/devices: if block ends with a return statement
libcontainer/cgroups/devices/devices_emulator.go:261:9: `if` block ends with a `return` statement, so drop this `else` and outdent its block (golint)
    	} else {
    	       ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-06-02 17:46:32 +02:00
Sebastiaan van Stijn c2416fb4d4 libcontainer/system: fix godoc (golint)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-06-02 17:46:29 +02:00
Sebastiaan van Stijn 9be156cb9d libcontainer/devices: fix godoc (golint)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-06-02 17:46:22 +02:00
Sebastiaan van Stijn 340fdd9366 libcontainer/nsenter: fix captalization (golint)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-06-02 17:45:27 +02:00
Sebastiaan van Stijn 81fc5c8725 libcontainer/user: fix capitalization (golint)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-06-02 17:45:21 +02:00
Sebastiaan van Stijn e204d6a9e7 libcontainer/configs: add / fix godoc (golint)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-06-02 17:44:11 +02:00
Sebastiaan van Stijn c064304692 libcontainer/apparmor: split api (exported) from implementation
This prevents having to maintain GoDoc for the stub implementations,
and makes sure that the "stub" implementations have the same signature
as the "non-stub" versions.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-06-02 17:35:55 +02:00
Sebastiaan van Stijn 02fb18ed5a libcontainer/user: remove unused ErrUnsupported
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-06-02 17:35:52 +02:00
dependabot[bot] 9e964dfc38 build(deps): bump github.com/opencontainers/selinux from 1.8.0 to 1.8.1
Bumps [github.com/opencontainers/selinux](https://github.com/opencontainers/selinux) from 1.8.0 to 1.8.1.
- [Release notes](https://github.com/opencontainers/selinux/releases)
- [Commits](https://github.com/opencontainers/selinux/compare/v1.8.0...v1.8.1)

---
updated-dependencies:
- dependency-name: github.com/opencontainers/selinux
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-06-02 06:49:52 +00:00
dependabot[bot] 470610d0cc build(deps): bump github.com/cilium/ebpf from 0.5.0 to 0.6.0
Bumps [github.com/cilium/ebpf](https://github.com/cilium/ebpf) from 0.5.0 to 0.6.0.
- [Release notes](https://github.com/cilium/ebpf/releases)
- [Commits](https://github.com/cilium/ebpf/compare/v0.5.0...v0.6.0)

---
updated-dependencies:
- dependency-name: github.com/cilium/ebpf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-06-02 06:49:06 +00:00
dependabot[bot] c8ffd8f3bb Merge pull request #2983 from opencontainers/dependabot/go_modules/github.com/sirupsen/logrus-1.8.1 2021-06-02 05:52:03 +00:00
Aleksa Sarai c23426457c merge branch 'pr-2984'
dependabot[bot]:
  build(deps): bump github.com/coreos/go-systemd/v22 from 22.3.1 to 22.3.2

LGTMs: AkihiroSuda cyphar
PR #2984
2021-06-02 15:23:00 +10:00
Aleksa Sarai 663ad55b59 merge branch 'pr-2982'
dependabot[bot]:
  build(deps): bump google.golang.org/protobuf from 1.25.0 to 1.26.0

LGTMs: AkihiroSuda cyphar
Closes #2982
2021-06-02 15:21:46 +10:00
Akihiro Suda 02b4b5f4da Merge pull request #2975 from kolyshkin/gofumpt 2021-06-02 11:10:43 +09:00
dependabot[bot] 31f5882913 build(deps): bump github.com/coreos/go-systemd/v22 from 22.3.1 to 22.3.2
Bumps [github.com/coreos/go-systemd/v22](https://github.com/coreos/go-systemd) from 22.3.1 to 22.3.2.
- [Release notes](https://github.com/coreos/go-systemd/releases)
- [Commits](https://github.com/coreos/go-systemd/compare/v22.3.1...v22.3.2)

---
updated-dependencies:
- dependency-name: github.com/coreos/go-systemd/v22
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-06-02 01:57:21 +00:00
dependabot[bot] c836265b58 build(deps): bump github.com/sirupsen/logrus from 1.7.0 to 1.8.1
Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.7.0 to 1.8.1.
- [Release notes](https://github.com/sirupsen/logrus/releases)
- [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sirupsen/logrus/compare/v1.7.0...v1.8.1)

---
updated-dependencies:
- dependency-name: github.com/sirupsen/logrus
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-06-02 01:57:12 +00:00
dependabot[bot] 074aa0448d build(deps): bump google.golang.org/protobuf from 1.25.0 to 1.26.0
Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go) from 1.25.0 to 1.26.0.
- [Release notes](https://github.com/protocolbuffers/protobuf-go/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash)
- [Commits](https://github.com/protocolbuffers/protobuf-go/compare/v1.25.0...v1.26.0)

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-06-02 01:57:04 +00:00
Aleksa Sarai 8beafa937d merge branch 'pr-2978'
Kir Kolyshkin (1):
  Enable dependabot

LGTMs: AkihiroSuda cyphar
Closes #2978
2021-06-02 11:54:53 +10:00
Kir Kolyshkin 7ca5456299 Enable dependabot
This should enable a bot that auto-creates PRs to update dependencies.

For more info, see
https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically

Once enabled, dependabot work should be seen at
https://github.com/opencontainers/runc/network/updates
(as well as new PRs).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-01 17:40:35 -07:00
Kir Kolyshkin e6048715e4 Use gofumpt to format code
gofumpt (mvdan.cc/gofumpt) is a fork of gofmt with stricter rules.

Brought to you by

	git ls-files \*.go | grep -v ^vendor/ | xargs gofumpt -s -w

Looking at the diff, all these changes make sense.

Also, replace gofmt with gofumpt in golangci.yml.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-01 12:17:27 -07:00
Daniel, Dao Quang Minh 3a0234e1fe Merge pull request #2968 from cyphar/cgroup2-io-stats
cgroup2: map io.stats to v1 blkio.stats correctly
2021-06-01 10:07:26 +01:00
Aleksa Sarai 1eea9253a1 cgroup2: io: add io.stats parsing test
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-06-01 10:47:39 +10:00
Aleksa Sarai 0fef122f87 cgroup2: io: handle 64-bit values correctly on 32-bit architectures
strconv.ParseUint(..., 0) is not really safe, because on 32-bit
architectures it will trigger runtime errors when trying to parse large
numbers (which in the case of the cgroupv2 io controller, is almost
certainly going to happen).

Fixes: 1932917b71 ("libcontainer: add initial support for cgroups v2")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-06-01 10:35:09 +10:00
Aleksa Sarai efca32c799 cgroup2: io: map io.stats to v1 blkio.stats correctly
Kubelet and cAdvisor depend on the metrics having the same values as in
cgroupv1, but we didn't correctly map the number of read and write IOs
to the correct cgroupv1 stats table (blkio.io_serviced).

In addition, don't leak any extra stats in our output -- if users need
that information we can always add a new field for it.

Reported-by: Yashpal Choudhary <yashpal.c1995@gmail.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-06-01 10:35:03 +10:00
Aleksa Sarai a2d86b7961 merge branch 'pr-2965'
Yashpal Choudhary (1):
  cgroup2: capitalize io stats read and write Op values

LGTMs: AkihiroSuda cyphar
Closes #2965
2021-05-28 14:25:55 +10:00
Aleksa Sarai 63ee74376e merge branch 'pr-2958'
Kir Kolyshkin (2)
  libct/cg/sd: fix SkipDevices for systemd
  libct/cg/sd: add SkipDevices unit test

LGTMs: mrunalp AkihiroSuda cyphar
Closes #2958
2021-05-28 14:24:05 +10:00
Akihiro Suda 960b5fdb5a Merge pull request #2961 from kolyshkin/test-dev 2021-05-27 14:33:48 +09:00
Yashpal Choudhary 49d293a56d cgroup2: capitalize io stats read and write Op values
Signed-off-by: Yashpal Choudhary <yashpal.c1995@gmail.com>
2021-05-27 03:32:01 +05:30
Kir Kolyshkin 0e16e7c202 libct/cg/sd: add SkipDevices unit test
The idea is to mimic what kubelet is doing, with minimum amount of code.

First, create a slice with SkipDevices=true. It should have access to
all devices.

Next, create a scope within the above slice, allowing access to /dev/full
only.

Check that within that scope we can only access /dev/full and not other
devices (such as /dev/null).

Repeat the test with SkipDevices=false, make sure we can not access any
devices (as they are disallowed by a parent cgroup). This is done only
to assess the test correctness.

NOTE that cgroup v1 and v2 behave differently for SkipDevices=false
case, and thus the check is different. Cgroup v1 returns EPERM on
writing to devices.allow, so cgroup manager's Set() fails, and we check
for a particular error from m.Set(). Cgroup v2 allows to create a child
cgroup, but denies access to any device (despite access being enabled)
-- so we check the error from the shell script running in that cgroup.
Again, this is only about SkipDevices=false case.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-26 10:20:24 -07:00
Akihiro Suda e005fee9d3 Merge pull request #2946 from kolyshkin/systemd-stop-timeout
libct/cg/sd: return error from stopUnit
2021-05-26 15:27:57 +09:00
Akihiro Suda 19d75e1ccb Merge pull request #2956 from kolyshkin/version
Fix/improve runc -v
2021-05-26 13:09:15 +09:00
Kir Kolyshkin f5a2c9cced tests/int/dev: only call lsblk once
The "runc run [device cgroup allow rm block device]" test calls lsblk
three times to get device name, minor and major number. This creates a
potential problem when the devices are changed between the calls.

Simplify the code by using bash read together with IFS (as there's no
way to have lsblk output MAJOR:MINOR pair without a semicolon).

Note that head -n 1 is not needed as read already reads a single line.

[v2: don't use PATH as CentOS7's lsblk does not support it.]

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-25 12:21:42 -07:00
Kir Kolyshkin aa934af087 runc -v: set default for, always show main.version
Apparently not everyone compiles runc via the provided Makefile. For
example, one can just run "go build", in which case Version variable
is left empty, which leads to:

	$ ./runc -v
	runc version spec: 1.0.2-dev
	go: go1.16.3

Surely, the main problem here is runc was built in a wrong way, but the
second problem is such output is very confusing -- it may seem that we
have runc 1.0.2.

To solve, make sure to _always_ add version (even if empty), and set the
default to "unknown".

NOTE this does not change anything in case runc is compiled via the
Makefile.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-25 12:07:12 -07:00
Qiang Huang bfcbc947d5 Merge pull request #2962 from cyphar/golint-fixes
*: clean up remaining golangci-lint failures
2021-05-25 14:10:47 +08:00
Aleksa Sarai 37767c0510 ci: lint: show all errors in PRs
It seems that golangci-lint didn't warn us about new lint errors that
were added after we enabled it, so just run the full thing and give us
all the errors on every PR run -- as long as we keep master lint-clean
it doesn't matter whether we set this or not.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-05-25 14:33:02 +10:00
Aleksa Sarai 07ca0be07b *: clean up remaining golangci-lint failures
Most of these were false positives or cases where we want to ignore the
lint, but the change to the BPF generation is actually useful.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-05-25 14:19:39 +10:00
Aleksa Sarai ed4781029f merge branch 'pr-2781'
Sebastiaan van Stijn (7):
  errcheck: utils
  errcheck: signals
  errcheck: tty
  errcheck: libcontainer
  errcheck: libcontainer/nsenter
  errcheck: libcontainer/configs
  errcheck: libcontainer/integration

LGTM: AkihiroSuda cyphar
Closes #2781
2021-05-25 12:31:52 +10:00
Kir Kolyshkin 752e7a8249 libct/cg/sd: fix SkipDevices for systemd
Commit 108ee85b82 adds SkipDevices flag, which is used by kubernetes
to create cgroups for pods.

Unfortunately the above commit falls short, and systemd DevicePolicy and
DeviceAllow properties are still set, which requires kubernetes to set
"allow everything" rule.

This commit fixes this: if SkipDevices flag is set, we return
Device* properties to allow all devices.

Fixes: 108ee85b82
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-24 17:00:37 -07:00
Akihiro Suda e051128219 Merge pull request #2951 from cyphar/cgroup2-devices-cleanup
cgroup2: devices filtering cleanup
2021-05-24 21:52:42 +09:00
Aleksa Sarai 00119c85a9 integration: add repeated "runc update" test
This is to ensure that we aren't leaking eBPF programs after "runc
update". Unfortunately we cannot directly test the behaviour of cgroup
program updates in an integration test because "runc update" doesn't
support that behaviour at the moment.

So instead we rely on the fact that each "runc update" implicitly
triggers the devices rules to be updated. Without the previous patches
applied, this new test will fail with errors (on cgroupv2 systems).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-05-23 17:55:24 +10:00
Aleksa Sarai d0f2c25f52 cgroup2: devices: replace all existing filters when attaching
In the normal cases (only one existing filter or no existing filters),
just make use of BPF_F_REPLACE if there is one existing filter. However
if there is more than one filter applied, we should probably remove all
other filters since the alternative is that we will never remove our old
filters.

The only two other viable ways of solving this problem would be to use
BPF pins to either pin the eBPF program using a predictable name (so we
can always only replace *our* programs) or to switch away from custom
programs and instead use eBPF maps (which are pinned) and thus we just
update the map conntents to update the ruleset. Unfortunately these both
would add a hard requirement of bpffs and would require at least a minor
rewrite of the eBPF filtering code -- which is better left for another
time.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-05-23 17:55:19 +10:00
Aleksa Sarai 98a3c0e4db cgroup2: devices: switch to emulator for cgroupv1 parity
There were several issues with the previous cgroupv2 devices filter
generator implementation, stemming from the previous implementation
using a few too many tricks to implement the correct cgroup behaviour
(rules were handled in reverse order, with wildcards having particularly
special interpretations). As a result, some slightly odd configurations
with rules in specific orders could result in incorrect filters being
generated.

By switching to the emulator which is already used by cgroupv1, we can
guarantee that the behaviour of filters in both cgroup versions will be
identical, as well as making use of the hardenings in the emulator (not
allowing users to add deny rules the kernel will ignore).

(Note that because the ordering of the devices emulator rules is
deterministic and based on the rule value, the existing test rules had
to be reordered slightly.)

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-05-23 17:55:15 +10:00
Aleksa Sarai dcc1cf7c1c devices: add emulator.Rules shorthand
The devices cgroup emulator is also useful for removing unneeded rules
as well as computing what the final default-allow state of the filter
will be (allow-list or deny-list).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-05-23 17:55:12 +10:00
Aleksa Sarai 54904516e6 libcontainer: fix integration failure in "make test"
When running inside a Docker container, systemd is not available. The
new TestFdLeaksSystemd forgot to include the relevant t.Skip section.

Fixes: a7feb42395 ("libct/int: add TestFdLeaksSystemd")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-05-23 17:55:09 +10:00
Aleksa Sarai c7c70ce810 *: clean t.Skip messages
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-05-23 17:53:01 +10:00
Mrunal Patel 211aceec3b Merge pull request #2957 from haircommander/export-RangeToBits
libctr/cg/systemd: export rangeToBits
2021-05-21 13:36:16 -04:00
Peter Hunt a95237f816 libctr/cg/systemd: export rangeToBits
It's both a useful function, and sufficiently complex to discourage copying

Signed-off-by: Peter Hunt <pehunt@redhat.com>
2021-05-21 10:18:34 -04:00
Sebastiaan van Stijn df0206a6b3 errcheck: utils
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-20 14:19:34 +02:00
Sebastiaan van Stijn 0c65f833ef errcheck: signals
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-20 14:19:32 +02:00
Sebastiaan van Stijn 3b31e3eaac errcheck: tty
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-20 14:19:30 +02:00
Sebastiaan van Stijn b45fbd43b8 errcheck: libcontainer
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-20 14:19:26 +02:00
Sebastiaan van Stijn 463ee5e19a errcheck: libcontainer/nsenter
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-20 14:17:47 +02:00
Sebastiaan van Stijn 7e7ff8722a errcheck: libcontainer/configs
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-20 14:17:45 +02:00
Sebastiaan van Stijn a899505377 errcheck: libcontainer/integration
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-20 14:17:40 +02:00
Kir Kolyshkin fdc28957f5 Makefile: use git describe for $COMMIT
Use "git describe --dirty --long" instead of "git rev-parse". As a
result, the commit ID will contain the closest tag, the number of commits
since the tag, and the (abbreviated) git commit sha (see example below).

NOTE that this tag is still unique and can be used instead of bare sha
for all git commands.

Example output of "runc -v | grep commit".

Before:
 commit: 4d87573871

After:
 commit: v1.0.0-rc95-9-g6f55d074

This means that
 - the closest tag is v1.0.0-rc95
 - there were 9 commits after the tag
 - the abbreviated sha is 6f55d074

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-19 23:42:29 -07:00
Akihiro Suda 4d87573871 Merge pull request #2940 from kolyshkin/intelrdt-unit-test
libct/intelrdt: fix unit test
2021-05-20 13:43:20 +09:00
Aleksa Sarai 57d353df7b merge branch 'pr-2955'
Kir Kolyshkin (3):
  libct/cg/fs2: setFreezer: wait until frozen
  libct/cg/fs2: optimize setFreezer more
  libct/cg/fs2: optimize setFreezer

LGTMs: cyphar AkihiroSuda
Closes #2955
2021-05-20 14:25:41 +10:00
Kir Kolyshkin b93666ebc1 libct/cg/fs2: setFreezer: wait until frozen
According to cgroup v2 documentation [1]:

> Freezing of the cgroup may take some time; when this action is
> completed, the “frozen” value in the cgroup.events control file will
> be updated to “1” and the corresponding notification will be issued.

Implement polling of cgroup.events, waiting for "frozen 1" to appear.
In case something goes wrong, limit the maximum number of retries and
return "undefined" after some time (currently 10s).

[1] https://www.kernel.org/doc/html/latest/admin-guide/cgroup-v2.html

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-19 12:15:24 -07:00
Kir Kolyshkin 1069e4e9da libct/cg/fs2: optimize setFreezer more
Before this patch, setFreezer does

- open/read/close (to check if the freezer is supported)
- open/write/close (to set the value)
- open/read/close (to check the value)

Three opens is a bit excessive. Refactor to only open the file once:

- open (to check if the freezer is supported)
- write (to set the value)
- seek/read (to check the value)
- close

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-19 12:10:56 -07:00
Kir Kolyshkin 5d193188db libct/cg/fs2: optimize setFreezer
In case configs.Undefined or any wrong value is passed, there is no need
to check whether the freezer is supported.

Move arguments check to the beginning to avoid an unnecessary call to
supportFreezer().

While at it, simplify the "whether to return an error if freezer is not
supported" check.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-19 12:10:56 -07:00
Aleksa Sarai d3e5303429 Merge branch 'release-rc95'
Aleksa Sarai (3):
  VERSION: back to development
  VERSION: release v1.0.0-rc95
  rootfs: add mount destination validation

LGTMs: cyphar kolyshkin mrunalp AkihiroSuda
Closes GHSA-c3xm-pvg7-gh7r CVE-2021-30465
2021-05-19 19:20:54 +10:00
Aleksa Sarai 8a7a374f5b VERSION: back to development
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-05-19 16:59:42 +10:00
Kir Kolyshkin 33c9f8b9c7 libct/cg/sd: return error from stopUnit
Historically, we never returned an error from failed startUnit
or stopUnit. The startUnit case was fixed by commit 3844789.

It is time to fix stopUnit, too. The reasons are:

1. Ignoring an error from stopUnit means an unexpected trouble down the
   road, for example a failure to create a container with the same name:

   > time="2021-05-07T19:51:27Z" level=error msg="container_linux.go:380: starting container process caused: process_linux.go:385: applying cgroup configuration for process caused: Unit runc-test_busybox.scope already exists."

2. A somewhat short timeout of 1 second means the cgroup might
   actually be removed a few seconds later but we might have a
   race between removing the cgroup and creating another one
   with the same name, resulting in the same error as amove.

So, return an error if removal failed, and increase the timeout.

Now, modify the systemd cgroup v1 manager to not mask the error from
stopUnit (stopErr) with the subsequent one from cgroups.RemovePath,
as stopErr is most probably the reason why RemovePath failed.

Note that for v1 we do want to remove the paths even in case of a
failure from stopUnit, as some were not created by systemd.
There's no need to do that for v2, thanks to unified hierarchy,
so no changes there.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-12 11:40:21 -07:00
Kir Kolyshkin e1d842cfa6 libct/intelrdt: fix unit test
1. These tests can't be run in parallel since they do check
   a global variable (mbaScEnabled).

2. findIntelRdtMountpointDir() relies on mbaScEnabled to be initially
   set to the default value (false) and this the test fails if run
   more than once:

> go test -count 2
> ...
> intelrdt_test.go:243: expected mbaScEnabled=false, got true
>    --- FAIL: TestFindIntelRdtMountpointDir/Valid_mountinfo_with_MBA_Software_Controller_disabled (0.00s)

Fixes: 2c70d2384
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-05-05 14:07:10 -07:00
Liu Hua da22625f69 checkpoint: resolve symlink for external bind mount
runc resolves symlink before doing bind mount. So
we should save original path while formatting CriuReq for
checkpoint.

Signed-off-by: Liu Hua <weldonliu@tencent.com>
2021-04-25 09:50:00 +08:00
1500 changed files with 159427 additions and 74849 deletions
+8
View File
@@ -0,0 +1,8 @@
---
# We use GNU indent from the Makefile to format C code in this project. Alas,
# there is no way to map indent options to clang-format style options in a way
# to achieve identical results for both formatters.
#
# Therefore, let's disable clang-format entirely.
DisableFormat: true
...
+3
View File
@@ -0,0 +1,3 @@
[codespell]
skip = ./vendor,./.git,./go.sum
ignore-words-list = clos,mis
+8
View File
@@ -0,0 +1,8 @@
# This file is used by shfmt. See https://EditorConfig.org
# This is a top-most EditorConfig file.
root = true
# Ignore the entire "vendor" directory.
[vendor/**]
ignore = true
+56
View File
@@ -0,0 +1,56 @@
# Forked from https://github.com/containerd/nerdctl/blob/v1.2.1/.github/ISSUE_TEMPLATE/bug_report.yaml
name: Bug report
description: Create a bug report to help improve runc
labels: kind/unconfirmed-bug-claim
body:
- type: markdown
attributes:
value: |
If you are reporting a new issue, make sure that we do not have any duplicates
already open. You can ensure this by searching the issue list for this
repository. If there is a duplicate, please close your issue and add a comment
to the existing issue instead.
When reporting a security issue, do not create an issue or file a pull request on GitHub.
See [`opencontainers/.github/SECURITY.md`](https://github.com/opencontainers/.github/blob/master/SECURITY.md).
- type: textarea
attributes:
label: Description
description: |
Briefly describe the problem you are having in a few paragraphs.
validations:
required: true
- type: textarea
attributes:
label: Steps to reproduce the issue
description: |
As much as possible, try to make steps that would work in a script. This makes the repro unambiguous and easy to follow.
value: |
1.
2.
3.
- type: textarea
attributes:
label: Describe the results you received and expected
validations:
required: true
- type: textarea
attributes:
label: What version of runc are you using?
placeholder: runc --version
validations:
required: true
- type: textarea
attributes:
label: Host OS information
placeholder: cat /etc/os-release
- type: textarea
attributes:
label: Host kernel information
placeholder: uname -a
+17
View File
@@ -0,0 +1,17 @@
# Forked from https://github.com/containerd/nerdctl/blob/main/.github/ISSUE_TEMPLATE/config.yml
blank_issues_enabled: true
contact_links:
- name: Ask a question (GitHub Discussions)
url: https://github.com/opencontainers/runc/discussions
about: |
Please do not submit "a bug report" for asking a question.
In most cases, GitHub Discussions is the best place to ask a question.
If you are not sure whether you are going to report a bug or ask a question,
please consider asking in GitHub Discussions first.
- name: Slack (opencontainers.slack.com)
url: https://communityinviter.com/apps/opencontainers/join-the-oci-community
# GitHub requires the `about` property to be set
about: Slack
- name: Mailing list
url: https://groups.google.com/a/opencontainers.org/forum/#!forum/dev
about: Mailing list
+22
View File
@@ -0,0 +1,22 @@
# Please see the documentation for all configuration options:
# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
version: 2
updates:
# Dependencies listed in go.mod
- package-ecosystem: "gomod"
directory: "/" # Location of package manifests
schedule:
interval: "daily"
# Dependencies listed in .github/workflows/*.yml
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "daily"
# Dependencies listed in Dockerfile
- package-ecosystem: "docker"
directory: "/"
schedule:
interval: "daily"
+35
View File
@@ -0,0 +1,35 @@
# This enables periodical execution of CI jobs in branches we maintain.
#
# CI jobs are triggered through here (instead of adding "schedule:" to the
# appropriate files) because scheduled jobs are only run on the main branch.
# In other words, it's a way to run periodical CI for other branches.
name: scheduled
on:
schedule:
# Runs at 00:00 UTC every Sunday, Tuesday, Thursday.
- cron: '0 0 * * 0,2,4'
workflow_dispatch:
permissions:
contents: read
actions: write
jobs:
trigger-workflow:
strategy:
matrix:
branch: ["main", "release-1.3"]
wf_id: ["validate.yml", "test.yml"]
runs-on: ubuntu-latest
steps:
- name: Trigger ${{ matrix.wf_id }} workflow on ${{ matrix.branch}} branch
uses: actions/github-script@v8
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
await github.rest.actions.createWorkflowDispatch({
owner: context.repo.owner,
repo: context.repo.repo,
workflow_id: '${{ matrix.wf_id }}',
ref: '${{ matrix.branch }}'
});
+219 -121
View File
@@ -1,8 +1,5 @@
# NOTE Github Actions execution environments lack a terminal, needed for
# some integration tests. Two ways to get a terminal are used below:
#
# 1. script utility -- for "local" integration tests;
# 2. ssh -tt -- for Vagrant VMs (script is buggy on CentOS 7).
# some integration tests. So we use `script` command to fake a terminal.
name: ci
on:
@@ -10,45 +7,130 @@ on:
tags:
- v*
branches:
- master
- main
- release-*
pull_request:
workflow_dispatch:
permissions:
contents: read
env:
LIBPATHRS_VERSION: "0.2.4"
# Don't ignore C warnings. Note that the output of "go env CGO_CFLAGS" by default is "-g -O2", so we keep them.
CGO_CFLAGS: -g -O2 -Werror
jobs:
test:
runs-on: ubuntu-20.04
timeout-minutes: 30
strategy:
fail-fast: false
matrix:
# Dockre/Moby still builds runc with Go 1.13, so we should still support Go 1.13.
go-version: [1.13.x, 1.15.x, 1.16.x]
os: [ubuntu-24.04, ubuntu-24.04-arm]
go-version: [1.25.x, 1.26.x]
libpathrs: ["libpathrs", ""]
rootless: ["rootless", ""]
race: ["-race", ""]
criu: ["", "criu-dev"]
exclude:
# Disable most of criu-dev jobs, as they are expensive
# (need to compile criu) and don't add much value/coverage.
- criu: criu-dev
go-version: 1.25.x
- criu: criu-dev
rootless: rootless
# Do race detection only with latest stable Go version.
- race: -race
go-version: 1.25.x
runs-on: ${{ matrix.os }}
steps:
- name: checkout
uses: actions/checkout@v2
uses: actions/checkout@v6
- name: Show host info
run: |
set -x
# Sync `set -x` outputs with command ouputs
exec 2>&1
# Version
uname -a
cat /etc/os-release
# Hardware
cat /proc/cpuinfo
free -mt
# cgroup
ls -F /sys/fs/cgroup
cat /proc/self/cgroup
if [ -e /sys/fs/cgroup/cgroup.controllers ]; then
cat /sys/fs/cgroup/cgroup.controllers
cat /sys/fs/cgroup/cgroup.subtree_control
ls -F /sys/fs/cgroup$(grep -oP '0::\K.*' /proc/self/cgroup)
fi
# kernel config
script/check-config.sh
- name: install deps
run: |
# criu repo
sudo add-apt-repository -y ppa:criu/ppa
# apt-add-repository runs apt update so we don't have to
sudo apt -q install libseccomp-dev criu
sudo apt update
sudo apt -y install libseccomp-dev sshfs uidmap lld
- name: install libpathrs ${{ env.LIBPATHRS_VERSION }}
if: ${{ matrix.libpathrs != '' }}
run: |
sudo -E PATH="$PATH" ./script/build-libpathrs.sh "$LIBPATHRS_VERSION" /usr
- name: remove libpathrs build tag
if: ${{ matrix.libpathrs == '' }}
run: |
echo RUNC_BUILDTAGS=-libpathrs >>"$GITHUB_ENV"
- name: install CRIU
if: ${{ matrix.criu == '' }}
env:
PREFIX: https://download.opensuse.org/repositories/devel:/tools:/criu/xUbuntu
run: |
REPO=${PREFIX}_$(. /etc/os-release && echo $VERSION_ID)
curl -fSsLl $REPO/Release.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/devel_tools_criu.gpg > /dev/null
echo "deb $REPO/ /" | sudo tee /etc/apt/sources.list.d/criu.list
sudo apt update
sudo apt -y install criu
- name: install CRIU (${{ matrix.criu }})
if: ${{ matrix.criu != '' }}
run: |
sudo apt -qy install \
libcap-dev libnet1-dev libnl-3-dev uuid-dev \
libprotobuf-c-dev libprotobuf-dev protobuf-c-compiler protobuf-compiler
git clone --depth 1 --branch ${{ matrix.criu }} --single-branch \
https://github.com/checkpoint-restore/criu.git ~/criu
(cd ~/criu && sudo make -j $(nproc) install-criu)
rm -rf ~/criu
criu --version
- name: install go ${{ matrix.go-version }}
uses: actions/setup-go@v2
uses: actions/setup-go@v6
with:
stable: '!contains(${{ matrix.go-version }}, "beta") && !contains(${{ matrix.go-version }}, "rc")'
go-version: ${{ matrix.go-version }}
check-latest: true
- name: build
run: sudo -E PATH="$PATH" make EXTRA_FLAGS="${{ matrix.race }}" all
- name: install bats
uses: mig4/setup-bats@v1
- name: Setup Bats and bats libs
uses: bats-core/bats-action@4.0.0
with:
bats-version: 1.3.0
bats-version: 1.12.0 # Known as BATS_VERSION in other places.
support-install: false
assert-install: false
detik-install: false
file-install: false
- name: Allow userns for runc
# https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions-15
if: startsWith(matrix.os, 'ubuntu-24.04')
run: |
sed "s;^profile runc /usr/sbin/;profile runc-test $PWD/;" < /etc/apparmor.d/runc | sudo apparmor_parser
- name: unit test
if: matrix.rootless != 'rootless'
@@ -57,129 +139,145 @@ jobs:
- name: add rootless user
if: matrix.rootless == 'rootless'
run: |
sudo useradd -u2000 -m -d/home/rootless -s/bin/bash rootless
# Allow root to execute `ssh rootless@localhost` in tests/rootless.sh
ssh-keygen -t ecdsa -N "" -f $HOME/rootless.key
sudo mkdir -m 0700 -p /home/rootless/.ssh
sudo cp $HOME/rootless.key.pub /home/rootless/.ssh/authorized_keys
sudo chown -R rootless.rootless /home/rootless
./script/setup_rootless.sh
sudo chmod a+X $HOME # for Ubuntu 22.04 and later
- name: integration test (fs driver)
continue-on-error: ${{ matrix.criu != '' }} # Don't let criu-dev errors fail CI.
run: sudo -E PATH="$PATH" script -e -c 'make local${{ matrix.rootless }}integration'
- name: integration test (systemd driver)
# can't use systemd driver with cgroupv1
if: matrix.rootless != 'rootless'
run: sudo -E PATH="$PATH" script -e -c 'make RUNC_USE_SYSTEMD=yes local${{ matrix.rootless }}integration'
# cgroup v2 unified hierarchy + very recent kernel (openat2)
fedora:
# nested virtualization is only available on macOS hosts
runs-on: macos-10.15
timeout-minutes: 30
# only run it if others have passed
needs: [test]
steps:
- uses: actions/checkout@v2
- name: "Cache ~/.vagrant.d/boxes, using hash of Vagrantfile.fedora34"
uses: actions/cache@v2
with:
path: ~/.vagrant.d/boxes
key: vagrant-${{ hashFiles('Vagrantfile.fedora34') }}
- name: prepare vagrant
run: |
ln -sf Vagrantfile.fedora34 Vagrantfile
# Retry if it fails (download.fedoraproject.org returns 404 sometimes)
vagrant up || vagrant up
vagrant ssh-config >> ~/.ssh/config
- name: system info
run: ssh default 'sh -exc "uname -a && systemctl --version && df -T"'
- name: unit tests
run: ssh default 'cd /vagrant && sudo make localunittest'
- name: cgroupv2 with systemd
run: ssh -tt default "sudo make -C /vagrant localintegration RUNC_USE_SYSTEMD=yes"
- name: cgroupv2 with fs2
run: ssh -tt default "sudo make -C /vagrant localintegration"
- name: cgroupv2 with systemd (rootless)
run: ssh -tt default "sudo make -C /vagrant localrootlessintegration RUNC_USE_SYSTEMD=yes"
- name: cgroupv2 with fs2 (rootless)
run: ssh -tt default "sudo make -C /vagrant localrootlessintegration"
# kernel 3.10 (frankenized), systemd 219
centos7:
# nested virtualization is only available on macOS hosts
runs-on: macos-10.15
timeout-minutes: 15
# only run it if others have passed
needs: [test]
steps:
- uses: actions/checkout@v2
- name: "Cache ~/.vagrant.d/boxes, using hash of Vagrantfile.centos7"
uses: actions/cache@v2
with:
path: ~/.vagrant.d/boxes
key: vagrant-${{ hashFiles('Vagrantfile.centos7') }}
- name: prepare vagrant
run: |
ln -sf Vagrantfile.centos7 Vagrantfile
vagrant up
vagrant ssh-config >> ~/.ssh/config
- name: system info
run: ssh default 'rpm -q centos-release kernel systemd'
- name: unit tests
run: ssh default 'sudo -i make -C /vagrant localunittest'
- name: integration tests (fs cgroup driver)
run: ssh -tt default "sudo -i make -C /vagrant localintegration"
- name: integration tests (systemd cgroup driver)
run: ssh -tt default "sudo -i make -C /vagrant localintegration RUNC_USE_SYSTEMD=1"
- name: rootless integration
# FIXME: rootless is skipped because of EPERM on writing cgroup.procs
if: false
run: ssh default "sudo -i make -C /vagrant localrootlessintegration"
continue-on-error: ${{ matrix.criu != '' }} # Don't let criu-dev errors fail CI.
run: |
# Delegate all cgroup v2 controllers to rootless user via --systemd-cgroup.
# The default (since systemd v252) is "pids memory cpu".
sudo mkdir -p /etc/systemd/system/user@.service.d
printf "[Service]\nDelegate=yes\n" | sudo tee /etc/systemd/system/user@.service.d/delegate.conf
sudo systemctl daemon-reload
# Run the tests.
sudo -E PATH="$PATH" script -e -c 'make RUNC_USE_SYSTEMD=yes local${{ matrix.rootless }}integration'
# We need to continue support for 32-bit ARM.
# However, we do not have 32-bit ARM CI, so we use i386 for testing 32bit stuff.
# We are not interested in providing official support for i386.
cross-i386:
runs-on: ubuntu-20.04
timeout-minutes: 15
strategy:
fail-fast: false
runs-on: ubuntu-24.04
steps:
- name: checkout
uses: actions/checkout@v2
uses: actions/checkout@v6
- name: install deps
run: |
sudo dpkg --add-architecture i386
# add criu repo
sudo add-apt-repository -y ppa:criu/ppa
# Add criu repo. The web server returns gateway timeout, thus the retry.
sudo add-apt-repository -y ppa:criu/ppa || sudo add-apt-repository -y ppa:criu/ppa
# apt-add-repository runs apt update so we don't have to.
# Due to a bug in apt, we have to update it first
# (see https://bugs.launchpad.net/ubuntu-cdimage/+bug/1871268)
sudo apt -q install apt
sudo apt -q install libseccomp-dev libseccomp-dev:i386 gcc-multilib criu
GCC_VERSION="$(gcc -dumpversion)"
sudo apt -qy install \
lld criu \
libseccomp-dev libseccomp-dev:i386 \
libc-dev:i386 libgcc-s1:i386 libgcc-${GCC_VERSION}-dev:i386 gcc-i686-linux-gnu
# When cross-compiling, GCC 13 and earlier will look for a linker that
# is marked for cross-compilation, which the Ubuntu lld package doesn't
# provide. The solution is to create a symlink ourselves. GCC 14 fixed
# this, see <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111605>.
ln -sv "$(which ld.lld)" /usr/local/bin/i686-linux-gnu-ld.lld
- run: rustup target add i686-unknown-linux-gnu
- name: install libpathrs ${{ env.LIBPATHRS_VERSION }}
run: |
sudo -E PATH="$PATH" ./script/build-libpathrs.sh "$LIBPATHRS_VERSION" /usr 386
sudo ldconfig /usr/386/lib
- name: install go
uses: actions/setup-go@v2 # use default Go version
uses: actions/setup-go@v6
with:
go-version: 1.x # Latest stable
check-latest: true
- name: unit test
# cgo is disabled by default when cross-compiling
run: sudo -E PATH="$PATH" -- make GOARCH=386 CGO_ENABLED=1 localunittest
env:
CC: i686-linux-gnu-gcc
PKG_CONFIG_PATH: /usr/386/lib/pkgconfig
run: sudo -E PATH="$PATH" -- make GOARCH=386 localunittest
lima:
timeout-minutes: 60
strategy:
fail-fast: false
matrix:
template: [almalinux-8, almalinux-9, centos-stream-10, fedora]
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v6
- uses: lima-vm/lima-actions/setup@v1
id: lima-actions-setup
- uses: actions/cache@v5
with:
path: ~/.cache/lima
key: lima-${{ steps.lima-actions-setup.outputs.version }}-${{ matrix.template }}
- name: "Start VM"
# --plain is set to disable file sharing, port forwarding, built-in containerd, etc. for faster start up
#
# CPUs: min(4, host CPU cores)
# RAM: min(4 GiB, half of host memory)
# Disk: 100 GiB
run: limactl start --plain --name=default template:${{ matrix.template }}
- name: "Initialize VM"
run: |
set -eux -o pipefail
limactl cp -r . default:/tmp/runc
lima sudo /tmp/runc/script/setup_host.sh
- name: "Show guest info"
run: |
set -eux -o pipefail
lima uname -a
lima systemctl --version
lima df -T
lima cat /etc/os-release
lima go version
lima sestatus
lima rpm -q container-selinux
- name: "Check config"
run: lima /tmp/runc/script/check-config.sh
# NOTE the execution environment lacks a terminal, needed for
# some integration tests. So we use `ssh -tt` command to fake a terminal.
- name: "Run unit tests"
run: ssh -tt lima-default sudo -i make -C /tmp/runc localunittest
- name: "Run integration tests (systemd driver)"
run: ssh -tt lima-default sudo -i make -C /tmp/runc localintegration RUNC_USE_SYSTEMD=yes
- name: "Run integration tests (fs driver)"
run: ssh -tt lima-default sudo -i make -C /tmp/runc localintegration
- name: "Run integration tests (systemd driver, rootless)"
# Needs cgroup v2
if: ${{ matrix.template != 'almalinux-8' }}
run: ssh -tt lima-default sudo -i make -C /tmp/runc localrootlessintegration RUNC_USE_SYSTEMD=yes
- name: "Run integration tests (fs driver, rootless)"
run: ssh -tt lima-default sudo -i make -C /tmp/runc localrootlessintegration
all-done:
needs:
- test
- cross-i386
- lima
runs-on: ubuntu-24.04
steps:
- run: echo "All jobs completed"
+269 -94
View File
@@ -4,111 +4,228 @@ on:
tags:
- v*
branches:
- master
- main
- release-*
pull_request:
workflow_dispatch:
permissions:
contents: read
env:
GO_VERSION: 1.25
LIBPATHRS_VERSION: "0.2.4"
jobs:
keyring:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v6
- name: check runc.keyring
run: make validate-keyring
lint:
runs-on: ubuntu-20.04
timeout-minutes: 30
permissions:
contents: read
pull-requests: read
checks: write # to allow the action to annotate code in the PR.
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v6
with:
fetch-depth: 2
- uses: actions/setup-go@v6
with:
go-version: "${{ env.GO_VERSION }}"
- name: install deps
run: |
sudo apt -q update
sudo apt -q install libseccomp-dev
- uses: golangci/golangci-lint-action@v2
sudo apt -qy install libseccomp-dev
- uses: golangci/golangci-lint-action@v9
with:
# must be specified without patch version
version: v1.36
# Only show new issues for a pull request.
only-new-issues: true
version: v2.10
skip-cache: true
# Extra linters, only checking new code from a pull request to main.
- name: lint-extra
if: github.event_name == 'pull_request' && github.base_ref == 'main'
run: |
golangci-lint run --config .golangci-extra.yml --new-from-rev=HEAD~1
modernize:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v6
with:
fetch-depth: 2
- uses: actions/setup-go@v6
with:
go-version: stable # modernize@latest may require latest Go.
- name: install deps
run: |
sudo apt -q update
sudo apt -qy install libseccomp-dev
- name: run go fix
run: |
go fix ./...
git diff --exit-code
- name: run modernize
run: |
go run golang.org/x/tools/go/analysis/passes/modernize/cmd/modernize@latest -fix ./...
git diff --exit-code
compile-buildtags:
runs-on: ubuntu-24.04
env:
# Don't ignore C warnings. Note that the output of "go env CGO_CFLAGS" by default is "-g -O2", so we keep them.
CGO_CFLAGS: -g -O2 -Werror
steps:
- uses: actions/checkout@v6
- name: install go
uses: actions/setup-go@v6
with:
go-version: "${{ env.GO_VERSION }}"
- name: install deps
run: |
sudo apt update
sudo apt -y install libseccomp-dev lld
- name: install libpathrs ${{ env.LIBPATHRS_VERSION }}
run: |
sudo -E PATH="$PATH" ./script/build-libpathrs.sh "$LIBPATHRS_VERSION" /usr
- name: compile with no build tags
run: make BUILDTAGS=""
- name: compile with runc_nocriu build tag
run: make RUNC_BUILDTAGS="runc_nocriu"
codespell:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v6
- name: install deps
# Version of codespell bundled with Ubuntu is way old, so use pip.
run: pip install --break-system-packages codespell==v2.4.1
- name: run codespell
run: codespell
shfmt:
runs-on: ubuntu-20.04
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v2
- name: vars
run: |
echo "VERSION=3.2.4" >> $GITHUB_ENV
echo "$(go env GOPATH)/bin" >> $GITHUB_PATH
- name: cache go mod and $GOCACHE
uses: actions/cache@v2
with:
path: |
~/go/pkg/mod
~/.cache/go-build
key: ${{ runner.os }}-shfmt-${{ env.VERSION }}
restore-keys: ${{ runner.os }}-shfmt-
- name: install shfmt
run: |
command -v shfmt || \
(cd ~ && GO111MODULE=on time go get mvdan.cc/sh/v3/cmd/shfmt@v$VERSION)
- uses: actions/checkout@v6
- name: shfmt
run: make shfmt
shellcheck:
runs-on: ubuntu-20.04
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v2
- name: vars
run: |
echo 'VERSION=v0.7.2' >> $GITHUB_ENV
echo 'BASEURL=https://github.com/koalaman/shellcheck/releases/download' >> $GITHUB_ENV
echo 'SHA256SUM=12ee2e0b90a3d1e9cae24ac9b2838be66b48573cb2c8e8f3c566b959df6f050c' >> $GITHUB_ENV
echo ~/bin >> $GITHUB_PATH
- uses: actions/checkout@v6
- name: install shellcheck
env:
VERSION: v0.11.0
BASEURL: https://github.com/koalaman/shellcheck/releases/download
SHA256: 4da528ddb3a4d1b7b24a59d4e16eb2f5fd960f4bd9a3708a15baddbdf1d5a55b
run: |
mkdir ~/bin
curl -sSfL --retry 5 $BASEURL/$VERSION/shellcheck-$VERSION.linux.x86_64.tar.xz |
tar xfJ - -C ~/bin --strip 1 shellcheck-$VERSION/shellcheck
sha256sum ~/bin/shellcheck | grep -q $SHA256SUM
sha256sum --strict --check - <<<"$SHA256 *$HOME/bin/shellcheck"
# make sure to remove the old version
sudo rm -f /usr/bin/shellcheck
- uses: lumaxis/shellcheck-problem-matchers@v1
- name: shellcheck
run: |
make shellcheck
# Add ~/bin to $PATH.
echo ~/bin >> $GITHUB_PATH
- uses: lumaxis/shellcheck-problem-matchers@v2
- name: run
run: make shellcheck
- name: check-config.sh
run : ./script/check-config.sh
space-at-eol:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v6
- run: rm -fr vendor
- run: if git -P grep -I -n '\s$'; then echo "^^^ extra whitespace at EOL, please fix"; exit 1; fi
deps:
runs-on: ubuntu-20.04
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v2
- name: cache go mod and $GOCACHE
uses: actions/cache@v2
- uses: actions/checkout@v6
- name: install go
uses: actions/setup-go@v6
with:
path: |
~/go/pkg/mod
~/.cache/go-build
key: ${{ runner.os }}-go.sum-${{ hashFiles('**/go.sum') }}
restore-keys: ${{ runner.os }}-go.sum-
go-version: "${{ env.GO_VERSION }}"
check-latest: true
- name: verify deps
run: make verify-dependencies
- name: no toolchain in go.mod # See https://github.com/opencontainers/runc/pull/4717, https://github.com/dependabot/dependabot-core/issues/11933.
run: |
if grep -q '^toolchain ' go.mod; then echo "Error: go.mod must not have toolchain directive, please fix"; exit 1; fi
- name: no exclude nor replace in go.mod
run: |
if grep -Eq '^\s*(exclude|replace) ' go.mod; then echo "Error: go.mod must not have exclude/replace directive, it breaks go install. Please fix"; exit 1; fi
commit:
runs-on: ubuntu-20.04
# Only check commits on pull requests.
if: github.event_name == 'pull_request'
permissions:
contents: read
pull-requests: read
runs-on: ubuntu-24.04
steps:
- name: get pr commits
if: github.event_name == 'pull_request' # Only check commits on pull requests.
id: 'get-pr-commits'
uses: tim-actions/get-pr-commits@v1.0.0
uses: tim-actions/get-pr-commits@v1.3.1
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: check subject line length
uses: tim-actions/commit-message-checker-with-regex@v0.3.1
if: github.event_name == 'pull_request' # Only check commits on pull requests.
uses: tim-actions/commit-message-checker-with-regex@v0.3.2
with:
commits: ${{ steps.get-pr-commits.outputs.commits }}
pattern: '^.{0,72}(\n.*)*$'
error: 'Subject too long (max 72)'
- name: succeed (not a PR) # Allow all-done to succeed for non-PRs.
if: github.event_name != 'pull_request'
run: echo "Nothing to check here."
cross:
runs-on: ubuntu-20.04
cfmt:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v2
- name: checkout
uses: actions/checkout@v6
- name: install deps
run: |
sudo apt -qq update
sudo apt -qqy install indent
- name: cfmt
run: |
make cfmt
git diff --exit-code
check-go:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v6
- name: check Go version
run: |
GO_VER=$(awk -F= '/^ARG\s+GO_VERSION=/ {print $2; quit}' Dockerfile)
echo "Go version used in Dockerfile: $GO_VER"
echo -n "Checking if Go $GO_VER is supported ... "
curl -fsSL https://go.dev/dl/?mode=json | jq -e 'any(.[]; .version | startswith("go'$GO_VER'"))'
echo -n "Checking if Go $GO_VER is tested against ... "
yq -e '.jobs.test.strategy.matrix.go-version | contains(["'$GO_VER'.x"])' .github/workflows/test.yml
release:
timeout-minutes: 30
runs-on: ubuntu-24.04
steps:
- name: checkout
uses: actions/checkout@v6
- name: check CHANGELOG.md
run: make verify-changelog
# We have to run this under Docker as Ubuntu (host) does not support all
# the architectures we want to compile test against, and Dockerfile uses
# Debian (which does).
@@ -118,46 +235,104 @@ jobs:
# under Docker will emerge, it will be good to have a separate make
# runcimage job and share its result (the docker image) with whoever
# needs it.
- uses: satackey/action-docker-layer-caching@v0.0.11
continue-on-error: true
- name: build docker image
run: make runcimage
- name: cross
run: make cross
cfmt:
runs-on: ubuntu-20.04
steps:
- name: checkout
uses: actions/checkout@v2
with:
fetch-depth: 0
- name: install deps
run: |
sudo apt -qq update
sudo apt -qq install indent
- name: cfmt
run: |
make cfmt
git diff --exit-code
release:
runs-on: ubuntu-20.04
steps:
- name: checkout
uses: actions/checkout@v2
with:
fetch-depth: 0
- name: install deps
run: |
sudo apt -qq update
sudo apt -qq install gperf
- name: make release
run: make release
- name: make releaseall
run: make releaseall
- name: upload artifacts
uses: actions/upload-artifact@v2
uses: actions/upload-artifact@v7
with:
name: release-${{ github.run_id }}
path: release/*
get-images:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v6
- name: install bashbrew
env:
BASEURL: https://github.com/docker-library/bashbrew/releases/download
VERSION: v0.1.7
SHA256: 6b71a6fccfb2025d48a2b23324836b5513c29abfd2d16a57b7a2f89bd02fe53a
run: |
mkdir ~/bin
curl -sSfL --retry 5 -o ~/bin/bashbrew \
$BASEURL/$VERSION/bashbrew-amd64
sha256sum --strict --check - <<<"$SHA256 *$HOME/bin/bashbrew"
chmod a+x ~/bin/bashbrew
# Add ~/bin to $PATH.
echo ~/bin >> $GITHUB_PATH
- name: check that get-images.sh is up to date
run: |
cd tests/integration
./bootstrap-get-images.sh > get-images.sh
git diff --exit-code
conmon:
runs-on: ubuntu-24.04
steps:
- name: checkout
uses: actions/checkout@v6
- name: install runc and conmon deps
# XXX maybe switch to conmon/hack/github-actions-setup if the burden
# to maintain the list of needed packages here is too much to handle.
run: |
sudo apt update
sudo apt -y install libseccomp-dev libglib2.0-dev libsystemd-dev socat
- name: install libpathrs ${{ env.LIBPATHRS_VERSION }}
run: |
sudo -E PATH="$PATH" ./script/build-libpathrs.sh "$LIBPATHRS_VERSION" /usr
- name: install Go
uses: actions/setup-go@v6
with:
go-version: "${{ env.GO_VERSION }}"
- name: build runc
run: make
- name: setup bats
uses: bats-core/bats-action@4.0.0
with:
bats-version: 1.13.0 # As required by conmon in hack/github-actions-setup.
support-install: false
assert-install: false
detik-install: false
file-install: false
- name: checkout conmon
uses: actions/checkout@v6
with:
repository: containers/conmon
path: conmon
ref: v2.2.1
- name: build conmon
run: cd conmon && make
- name: run conmon tests
run: |
RUNTIME_BINARY=$(pwd)/runc ./conmon/test/run-tests.sh -j $(nproc)
all-done:
needs:
- check-go
- cfmt
- codespell
- commit
- compile-buildtags
- conmon
- deps
- get-images
- keyring
- lint
- modernize
- release
- shellcheck
- shfmt
- space-at-eol
runs-on: ubuntu-24.04
steps:
- run: echo "All jobs completed"
+1 -1
View File
@@ -1,7 +1,7 @@
vendor/pkg
/runc
/runc-*
contrib/cmd/recvtty/recvtty
/tests/cmd/_bin
man/man8
release
Vagrantfile
+22
View File
@@ -0,0 +1,22 @@
# This is golangci-lint config file which is used to check new code in
# github PRs only (see lint-extra in .github/workflows/validate.yml).
#
# For the default linter config, see .golangci.yml. This config should
# only enable additional linters not enabled in the default config.
version: "2"
run:
build-tags:
- seccomp
linters:
default: none
enable:
- godot
- revive
- staticcheck
settings:
staticcheck:
checks:
- all
- -QF1008 # https://staticcheck.dev/docs/checks/#QF1008 Omit embedded fields from selector expression.
+47 -2
View File
@@ -1,9 +1,54 @@
# For documentation, see https://golangci-lint.run/usage/configuration/
version: "2"
run:
build-tags:
- seccomp
formatters:
enable:
- gofumpt
settings:
gofumpt:
extra-rules: true
linters:
enable:
- gofmt
- errorlint
- forbidigo
- nolintlint
- unconvert
- unparam
settings:
govet:
enable:
- nilness
staticcheck:
checks:
- all
- -ST1000 # https://staticcheck.dev/docs/checks/#ST1000 Incorrect or missing package comment.
- -ST1003 # https://staticcheck.dev/docs/checks/#ST1003 Poorly chosen identifier.
- -ST1005 # https://staticcheck.dev/docs/checks/#ST1005 Incorrectly formatted error string.
- -QF1008 # https://staticcheck.dev/docs/checks/#QF1008 Omit embedded fields from selector expression.
forbidigo:
forbid:
# os.Create implies O_TRUNC without O_CREAT|O_EXCL, which can lead to
# an even more severe attacks than CVE-2024-45310, where host files
# could be wiped. Always use O_EXCL or otherwise ensure we are not
# going to be tricked into overwriting host files.
- pattern: ^os\.Create$
pkg: ^os$
# os.Is* error checking functions predate errors.Is. Therefore, they
# only support errors returned by the os package and subtly fail
# to deal with other wrapped error types.
# New code should use errors.Is(err, error-type) instead.
- pattern: ^os\.Is(Exist|NotExist|Permission|Timeout)$
pkg: ^os$
analyze-types: true
exclusions:
rules:
# forbidigo lints are only relevant for main code.
- path: '(.+)_test\.go'
linters:
- forbidigo
presets:
- std-error-handling
+1781
View File
File diff suppressed because it is too large Load Diff
+55 -21
View File
@@ -1,39 +1,46 @@
ARG GO_VERSION=1.16
ARG BATS_VERSION=v1.3.0
ARG GO_VERSION=1.25
ARG BATS_VERSION=v1.12.0
ARG LIBSECCOMP_VERSION=2.6.0
ARG LIBPATHRS_VERSION=0.2.4
FROM golang:${GO_VERSION}-buster
FROM golang:${GO_VERSION}-trixie
ARG DEBIAN_FRONTEND=noninteractive
ARG CRIU_REPO=https://download.opensuse.org/repositories/devel:/tools:/criu/Debian_13
RUN echo 'deb https://download.opensuse.org/repositories/devel:/tools:/criu/Debian_10/ /' > /etc/apt/sources.list.d/criu.list \
&& wget -nv https://download.opensuse.org/repositories/devel:/tools:/criu/Debian_10/Release.key -O- | apt-key add - \
&& dpkg --add-architecture armel \
&& dpkg --add-architecture armhf \
&& dpkg --add-architecture arm64 \
&& dpkg --add-architecture ppc64el \
RUN KEYFILE=/usr/share/keyrings/criu-repo-keyring.gpg; \
wget -nv $CRIU_REPO/Release.key -O- | gpg --dearmor > "$KEYFILE" \
&& echo "deb [signed-by=$KEYFILE] $CRIU_REPO/ /" > /etc/apt/sources.list.d/criu.list \
&& printf "%s\n" i386 armel armhf arm64 ppc64el s390x riscv64 | xargs -t -n1 -- dpkg --add-architecture \
&& apt-get update \
&& apt-get install -y --no-install-recommends \
build-essential \
cargo \
cargo-auditable \
clang \
criu \
crossbuild-essential-arm64 \
crossbuild-essential-armel \
crossbuild-essential-armhf \
crossbuild-essential-ppc64el \
gcc \
gcc-multilib \
curl \
gawk \
gcc \
gperf \
iptables \
jq \
kmod \
libseccomp-dev \
libseccomp-dev:arm64 \
libseccomp-dev:armel \
libseccomp-dev:armhf \
libseccomp-dev:ppc64el \
libseccomp2 \
lld \
pkg-config \
python-minimal \
python3-minimal \
sshfs \
sudo \
uidmap \
iproute2 \
&& apt-get install -y --no-install-recommends \
libc-dev:i386 libgcc-s1:i386 gcc-i686-linux-gnu libstd-rust-dev:i386 \
gcc-aarch64-linux-gnu libc-dev-arm64-cross libstd-rust-dev:arm64 \
gcc-arm-linux-gnueabi libc-dev-armel-cross libstd-rust-dev:armel \
gcc-arm-linux-gnueabihf libc-dev-armhf-cross libstd-rust-dev:armhf \
gcc-powerpc64le-linux-gnu libc-dev-ppc64el-cross libstd-rust-dev:ppc64el \
gcc-s390x-linux-gnu libc-dev-s390x-cross libstd-rust-dev:s390x \
gcc-riscv64-linux-gnu libc-dev-riscv64-cross libstd-rust-dev:riscv64 \
&& apt-get clean \
&& rm -rf /var/cache/apt /var/lib/apt/lists/* /etc/apt/sources.list.d/*.list
@@ -52,4 +59,31 @@ RUN cd /tmp \
&& ./install.sh /usr/local \
&& rm -rf /tmp/bats-core
ARG RELEASE_ARCHES="386 amd64 arm64 armel armhf ppc64le riscv64 s390x"
ENV DYLIB_DIR=/opt/runc-dylibs
# install libseccomp
ARG LIBSECCOMP_VERSION
COPY script/build-seccomp.sh script/lib.sh /tmp/script/
RUN mkdir -p $DYLIB_DIR \
&& /tmp/script/build-seccomp.sh "$LIBSECCOMP_VERSION" $DYLIB_DIR $RELEASE_ARCHES
ENV LIBSECCOMP_VERSION=$LIBSECCOMP_VERSION
# install libpathrs
ARG LIBPATHRS_VERSION
COPY script/build-libpathrs.sh /tmp/script/
RUN mkdir -p $DYLIB_DIR \
&& /tmp/script/build-libpathrs.sh "$LIBPATHRS_VERSION" $DYLIB_DIR $RELEASE_ARCHES
ENV LIBPATHRS_VERSION=$LIBPATHRS_VERSION
ENV LD_LIBRARY_PATH=$DYLIB_DIR/lib
ENV PKG_CONFIG_PATH=$DYLIB_DIR/lib/pkgconfig
# Prevent the "fatal: detected dubious ownership in repository" git complain during build.
RUN git config --global --add safe.directory /go/src/github.com/opencontainers/runc
WORKDIR /go/src/github.com/opencontainers/runc
# Fixup for cgroup v2.
COPY script/prepare-cgroup-v2.sh /
ENTRYPOINT [ "/prepare-cgroup-v2.sh" ]
+3
View File
@@ -7,5 +7,8 @@ contributions to our collective success:
* Andrei Vagin (@avagin)
* Rohit Jnagal (@rjnagal)
* Victor Marmol (@vmarmol)
* Michael Crosby (@crosbymichael)
* Daniel, Dao Quang Minh (@dqminh)
* Qiang Huang (@hqhq)
We thank these members for their service to the OCI community.
+3 -3
View File
@@ -1,7 +1,7 @@
Michael Crosby <michael@docker.com> (@crosbymichael)
Mrunal Patel <mpatel@redhat.com> (@mrunalp)
Daniel, Dao Quang Minh <dqminh89@gmail.com> (@dqminh)
Qiang Huang <h.huangqiang@huawei.com> (@hqhq)
Aleksa Sarai <cyphar@cyphar.com> (@cyphar)
Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp> (@AkihiroSuda)
Kir Kolyshkin <kolyshkin@gmail.com> (@kolyshkin)
Sebastiaan van Stijn <github@gone.nl> (@thaJeztah)
Li Fu Bang <lifubang@acmcoder.com> (@lifubang)
Rodrigo Campos <rodrigo@sdfg.com.ar> (@rata)
+4 -21
View File
@@ -50,7 +50,7 @@ All decisions affecting runc, big and small, follow the same 3 steps:
* Step 2: Discuss the pull request. Anyone can do this.
* Step 3: Accept (`LGTM`) or refuse a pull request. The relevant maintainers do
* Step 3: Accept (`LGTM`) or refuse a pull request. The relevant maintainers do
this (see below "Who decides what?")
*I'm a maintainer, should I make pull requests too?*
@@ -70,19 +70,6 @@ Overall the maintainer system works because of mutual respect across the
maintainers of the project. The maintainers trust one another to make decisions
in the best interests of the project. Sometimes maintainers can disagree and
this is part of a healthy project to represent the point of views of various people.
In the case where maintainers cannot find agreement on a specific change the
role of a Chief Maintainer comes into play.
The Chief Maintainer for the project is responsible for overall architecture
of the project to maintain conceptual integrity. Large decisions and
architecture changes should be reviewed by the chief maintainer.
The current chief maintainer for the project is Michael Crosby (@crosbymichael).
Even though the maintainer system is built on trust, if there is a conflict
with the chief maintainer on a decision, their decision can be challenged
and brought to the technical oversight board if two-thirds of the
maintainers vote for an appeal. It is expected that this would be a
very exceptional event.
### How are maintainers added?
@@ -97,9 +84,8 @@ Just contributing does not make you a maintainer, it is about building trust
with the current maintainers of the project and being a person that they can
depend on and trust to make decisions in the best interest of the project. The
final vote to add a new maintainer should be approved by over 66% of the current
maintainers with the chief maintainer having veto power. In case of a veto,
conflict resolution rules expressed above apply. The voting period is
five business days on the Pull Request to add the new maintainer.
maintainers. The voting period is five business days on the Pull Request
to add the new maintainer.
### What is expected of maintainers?
@@ -111,10 +97,7 @@ issues where they are pinged. Being a maintainer is a time consuming commitment
not be taken lightly.
When a maintainer is unable to perform the required duties they can be removed with
a vote by 66% of the current maintainers with the chief maintainer having veto power.
a vote by 66% of the current maintainers.
The voting period is ten business days. Issues related to a maintainer's performance should
be discussed with them among the other maintainers so that they are not surprised by
a pull request removing them.
+155 -60
View File
@@ -1,3 +1,5 @@
SHELL = /bin/bash
CONTAINER_ENGINE := docker
GO ?= go
@@ -9,83 +11,172 @@ GIT_BRANCH := $(shell git rev-parse --abbrev-ref HEAD 2>/dev/null)
GIT_BRANCH_CLEAN := $(shell echo $(GIT_BRANCH) | sed -e "s/[^[:alnum:]]/-/g")
RUNC_IMAGE := runc_dev$(if $(GIT_BRANCH_CLEAN),:$(GIT_BRANCH_CLEAN))
PROJECT := github.com/opencontainers/runc
BUILDTAGS ?= seccomp
COMMIT_NO := $(shell git rev-parse HEAD 2> /dev/null || true)
COMMIT ?= $(if $(shell git status --porcelain --untracked-files=no),"$(COMMIT_NO)-dirty","$(COMMIT_NO)")
VERSION := $(shell cat ./VERSION)
# TODO: rm -mod=vendor once go 1.13 is unsupported
ifneq ($(GO111MODULE),off)
MOD_VENDOR := "-mod=vendor"
BUILDTAGS := seccomp urfave_cli_no_docs libpathrs
# Tags prefixed with - in RUNC_BUILDTAGS are removed from BUILDTAGS; others are added.
RUNC_BUILDTAGS ?=
BUILDTAGS_REMOVE := $(patsubst -%,%,$(filter -%,$(RUNC_BUILDTAGS)))
BUILDTAGS_ADD := $(filter-out -%,$(RUNC_BUILDTAGS))
BUILDTAGS := $(filter-out $(BUILDTAGS_REMOVE),$(BUILDTAGS)) $(BUILDTAGS_ADD)
# TODO: remove EXTRA_BUILDTAGS for runc 1.6.
ifdef EXTRA_BUILDTAGS
$(warning EXTRA_BUILDTAGS is deprecated; use RUNC_BUILDTAGS instead)
BUILDTAGS += $(EXTRA_BUILDTAGS)
endif
ifeq ($(shell $(GO) env GOOS),linux)
ifeq (,$(filter $(shell $(GO) env GOARCH),mips mipsle mips64 mips64le ppc64))
ifeq (,$(findstring -race,$(EXTRA_FLAGS)))
GO_BUILDMODE := "-buildmode=pie"
endif
COMMIT := $(shell git describe --dirty --long --always)
EXTRA_VERSION :=
LDFLAGS_COMMON := -X main.gitCommit=$(COMMIT) \
$(if $(strip $(EXTRA_VERSION)),-X main.extraVersion=$(EXTRA_VERSION),)
GOARCH := $(shell $(GO) env GOARCH)
# -trimpath may be required on some platforms to create reproducible builds
# on the other hand, it does strip out build information, like -ldflags, which
# some tools use to infer the version, in the absence of go information,
# which happens when you use `go build`.
# This enables someone to override by doing `make runc TRIMPATH= ` etc.
TRIMPATH := -trimpath
GO_BUILDMODE :=
# Enable dynamic PIE executables on supported platforms.
ifneq (,$(filter $(GOARCH),386 amd64 arm arm64 loong64 ppc64le riscv64 s390x))
ifeq (,$(findstring -race,$(EXTRA_FLAGS)))
GO_BUILDMODE := "-buildmode=pie"
endif
endif
GO_BUILD := $(GO) build -trimpath $(MOD_VENDOR) $(GO_BUILDMODE) $(EXTRA_FLAGS) -tags "$(BUILDTAGS)" \
-ldflags "-X main.gitCommit=$(COMMIT) -X main.version=$(VERSION) $(EXTRA_LDFLAGS)"
GO_BUILD_STATIC := CGO_ENABLED=1 $(GO) build -trimpath $(MOD_VENDOR) $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo osusergo" \
-ldflags "-w -extldflags -static -X main.gitCommit=$(COMMIT) -X main.version=$(VERSION) $(EXTRA_LDFLAGS)"
GO_BUILD := $(GO) build $(TRIMPATH) $(GO_BUILDMODE) \
$(EXTRA_FLAGS) -tags "$(BUILDTAGS)" \
-ldflags "$(LDFLAGS_COMMON) $(EXTRA_LDFLAGS)"
GO_BUILDMODE_STATIC :=
LDFLAGS_STATIC := -extldflags -static
# Enable static PIE executables on supported platforms.
# This (among the other things) requires libc support (rcrt1.o), which seems
# to be available only for arm64 and amd64 (Debian Bullseye).
ifneq (,$(filter $(GOARCH),arm64 amd64))
ifeq (,$(findstring -race,$(EXTRA_FLAGS)))
GO_BUILDMODE_STATIC := -buildmode=pie
LDFLAGS_STATIC := -linkmode external -extldflags -static-pie
endif
endif
# Enable static PIE binaries on supported platforms.
GO_BUILD_STATIC := $(GO) build $(TRIMPATH) $(GO_BUILDMODE_STATIC) \
$(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo osusergo" \
-ldflags "$(LDFLAGS_COMMON) $(LDFLAGS_STATIC) $(EXTRA_LDFLAGS)"
GPG_KEYID ?= cyphar@cyphar.com
# Some targets need cgo, which is disabled by default when cross compiling.
# Enable cgo explicitly for those.
# Both runc and libcontainer/integration need libcontainer/nsenter.
runc static localunittest: export CGO_ENABLED=1
# seccompagent needs libseccomp (when seccomp build tag is set).
ifneq (,$(filter $(BUILDTAGS),seccomp))
seccompagent: export CGO_ENABLED=1
endif
.DEFAULT: runc
runc:
.PHONY: runc
runc: runc-bin
.PHONY: runc-bin
runc-bin:
$(GO_BUILD) -o runc .
all: runc recvtty
.PHONY: all
all: runc
recvtty:
$(GO_BUILD) -o contrib/cmd/recvtty/recvtty ./contrib/cmd/recvtty
TESTBINDIR := tests/cmd/_bin
$(TESTBINDIR):
mkdir $(TESTBINDIR)
static:
TESTBINS := recvtty sd-helper seccompagent fs-idmap pidfd-kill remap-rootfs key_label
.PHONY: test-binaries $(TESTBINS)
test-binaries: $(TESTBINS)
$(TESTBINS): $(TESTBINDIR)
$(GO_BUILD) -o $(TESTBINDIR) ./tests/cmd/$@
.PHONY: clean
clean:
rm -f runc runc-*
rm -fr $(TESTBINDIR)
sudo rm -rf release
rm -rf man/man8
.PHONY: static
static: static-bin
.PHONY: static-bin
static-bin:
$(GO_BUILD_STATIC) -o runc .
$(GO_BUILD_STATIC) -o contrib/cmd/recvtty/recvtty ./contrib/cmd/recvtty
release:
script/release.sh -r release/$(VERSION) -v $(VERSION)
.PHONY: releaseall
releaseall: RELEASE_ARGS := "-a 386 -a amd64 -a arm64 -a armel -a armhf -a ppc64le -a riscv64 -a s390x"
releaseall: release
.PHONY: release
release: runcimage
$(CONTAINER_ENGINE) run $(CONTAINER_ENGINE_RUN_FLAGS) \
--rm -v $(CURDIR):/go/src/$(PROJECT) \
-e RELEASE_ARGS=$(RELEASE_ARGS) \
$(RUNC_IMAGE) make localrelease
script/release_sign.sh -S $(GPG_KEYID)
.PHONY: localrelease
localrelease: verify-changelog
script/release_build.sh $(RELEASE_ARGS)
.PHONY: dbuild
dbuild: runcimage
$(CONTAINER_ENGINE) run $(CONTAINER_ENGINE_RUN_FLAGS) \
--privileged --rm \
-v $(CURDIR):/go/src/$(PROJECT) \
$(RUNC_IMAGE) make clean all
$(RUNC_IMAGE) make clean runc test-binaries
.PHONY: lint
lint:
golangci-lint run ./...
.PHONY: man
man:
man/md2man-all.sh
.PHONY: runcimage
runcimage:
$(CONTAINER_ENGINE) build $(CONTAINER_ENGINE_BUILD_FLAGS) -t $(RUNC_IMAGE) .
.PHONY: test
test: unittest integration rootlessintegration
.PHONY: localtest
localtest: localunittest localintegration localrootlessintegration
.PHONY: unittest
unittest: runcimage
$(CONTAINER_ENGINE) run $(CONTAINER_ENGINE_RUN_FLAGS) \
-t --privileged --rm \
-v /lib/modules:/lib/modules:ro \
-v $(CURDIR):/go/src/$(PROJECT) \
$(RUNC_IMAGE) make localunittest TESTFLAGS=$(TESTFLAGS)
$(RUNC_IMAGE) make localunittest TESTFLAGS="$(TESTFLAGS)"
localunittest: all
$(GO) test $(MOD_VENDOR) -timeout 3m -tags "$(BUILDTAGS)" $(TESTFLAGS) -v ./...
.PHONY: localunittest
localunittest: test-binaries
$(GO) test -timeout 3m -tags "$(BUILDTAGS)" $(TESTFLAGS) -v ./...
.PHONY: integration
integration: runcimage
$(CONTAINER_ENGINE) run $(CONTAINER_ENGINE_RUN_FLAGS) \
-t --privileged --rm \
-v /lib/modules:/lib/modules:ro \
-v $(CURDIR):/go/src/$(PROJECT) \
$(RUNC_IMAGE) make localintegration TESTPATH=$(TESTPATH)
$(RUNC_IMAGE) make localintegration TESTPATH="$(TESTPATH)"
localintegration: all
.PHONY: localintegration
localintegration: runc test-binaries
bats -t tests/integration$(TESTPATH)
.PHONY: rootlessintegration
rootlessintegration: runcimage
$(CONTAINER_ENGINE) run $(CONTAINER_ENGINE_RUN_FLAGS) \
-t --privileged --rm \
@@ -93,67 +184,71 @@ rootlessintegration: runcimage
-e ROOTLESS_TESTPATH \
$(RUNC_IMAGE) make localrootlessintegration
localrootlessintegration: all
.PHONY: localrootlessintegration
localrootlessintegration: runc test-binaries
tests/rootless.sh
.PHONY: shell
shell: runcimage
$(CONTAINER_ENGINE) run $(CONTAINER_ENGINE_RUN_FLAGS) \
-ti --privileged --rm \
-v $(CURDIR):/go/src/$(PROJECT) \
$(RUNC_IMAGE) bash
.PHONY: install
install:
install -D -m0755 runc $(DESTDIR)$(BINDIR)/runc
.PHONY: install-bash
install-bash:
install -D -m0644 contrib/completions/bash/runc $(DESTDIR)$(PREFIX)/share/bash-completion/completions/runc
.PHONY: install-man
install-man: man
install -d -m 755 $(DESTDIR)$(MANDIR)/man8
install -D -m 644 man/man8/*.8 $(DESTDIR)$(MANDIR)/man8
clean:
rm -f runc runc-*
rm -f contrib/cmd/recvtty/recvtty
rm -rf release
rm -rf man/man8
.PHONY: cfmt
cfmt: C_SRC=$(shell git ls-files '*.c' | grep -v '^vendor/')
cfmt:
indent -linux -l120 -il0 -ppi2 -cp1 -T size_t -T jmp_buf $(C_SRC)
indent -linux -l120 -il0 -ppi2 -cp1 -sar -T size_t -T jmp_buf $(C_SRC)
.PHONY: shellcheck
shellcheck:
shellcheck tests/integration/*.bats tests/integration/*.sh tests/*.sh script/release.sh
# TODO: add shellcheck for more sh files
shellcheck tests/integration/*.bats tests/integration/*.sh \
tests/integration/*.bash tests/*.sh \
man/*.sh script/*
# TODO: add shellcheck for more sh files (contrib/completions/bash/runc).
.PHONY: shfmt
shfmt:
shfmt -ln bats -d -w tests/integration/*.bats
shfmt -ln bash -d -w man/*.sh script/* tests/*.sh tests/integration/*.bash
$(CONTAINER_ENGINE) run $(CONTAINER_ENGINE_RUN_FLAGS) \
--rm -v $(CURDIR):/src -w /src \
mvdan/shfmt:v3.11.0 -d -w .
.PHONY: localshfmt
localshfmt:
shfmt -d -w .
.PHONY: vendor
vendor:
$(GO) mod tidy
$(GO) mod vendor
$(GO) mod verify
.PHONY: verify-changelog
verify-changelog:
# No space at EOL.
! grep -n '\s$$' CHANGELOG.md
# Period before issue/PR references.
! grep -n '[0-9a-zA-Z][^.] (#[1-9][0-9, #]*)$$' CHANGELOG.md
.PHONY: verify-dependencies
verify-dependencies: vendor
@test -z "$$(git status --porcelain -- go.mod go.sum vendor/)" \
|| (echo -e "git status:\n $$(git status -- go.mod go.sum vendor/)\nerror: vendor/, go.mod and/or go.sum not up to date. Run \"make vendor\" to update"; exit 1) \
&& echo "all vendor files are up to date."
cross: runcimage
$(CONTAINER_ENGINE) run $(CONTAINER_ENGINE_RUN_FLAGS) \
-e BUILDTAGS="$(BUILDTAGS)" --rm \
-v $(CURDIR):/go/src/$(PROJECT) \
$(RUNC_IMAGE) make localcross
localcross:
CGO_ENABLED=1 GOARCH=arm GOARM=6 CC=arm-linux-gnueabi-gcc $(GO_BUILD) -o runc-armel .
CGO_ENABLED=1 GOARCH=arm GOARM=7 CC=arm-linux-gnueabihf-gcc $(GO_BUILD) -o runc-armhf .
CGO_ENABLED=1 GOARCH=arm64 CC=aarch64-linux-gnu-gcc $(GO_BUILD) -o runc-arm64 .
CGO_ENABLED=1 GOARCH=ppc64le CC=powerpc64le-linux-gnu-gcc $(GO_BUILD) -o runc-ppc64le .
.PHONY: runc all recvtty static release dbuild lint man runcimage \
test localtest unittest localunittest integration localintegration \
rootlessintegration localrootlessintegration shell install install-bash \
install-man clean cfmt shfmt shellcheck \
vendor verify-dependencies cross localcross
.PHONY: validate-keyring
validate-keyring:
script/keyring_validate.sh
+2 -2
View File
@@ -8,9 +8,9 @@ The following is courtesy of our legal counsel:
Use and transfer of Docker may be subject to certain restrictions by the
United States and other governments.
United States and other governments.
It is your responsibility to ensure that your use and/or transfer does not
violate applicable laws.
violate applicable laws.
For more information, please see http://www.bis.doc.gov
+115 -20
View File
@@ -1,23 +1,21 @@
# runc
[![Go Report Card](https://goreportcard.com/badge/github.com/opencontainers/runc)](https://goreportcard.com/report/github.com/opencontainers/runc)
[![GoDoc](https://godoc.org/github.com/opencontainers/runc?status.svg)](https://godoc.org/github.com/opencontainers/runc)
[![Go Reference](https://pkg.go.dev/badge/github.com/opencontainers/runc.svg)](https://pkg.go.dev/github.com/opencontainers/runc)
[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/588/badge)](https://bestpractices.coreinfrastructure.org/projects/588)
[![gha/validate](https://github.com/opencontainers/runc/workflows/validate/badge.svg)](https://github.com/opencontainers/runc/actions?query=workflow%3Avalidate)
[![gha/ci](https://github.com/opencontainers/runc/workflows/ci/badge.svg)](https://github.com/opencontainers/runc/actions?query=workflow%3Aci)
## Introduction
`runc` is a CLI tool for spawning and running containers according to the OCI specification.
`runc` is a CLI tool for spawning and running containers on Linux according to the OCI specification.
## Releases
`runc` depends on and tracks the [runtime-spec](https://github.com/opencontainers/runtime-spec) repository.
We will try to make sure that `runc` and the OCI specification major versions stay in lockstep.
This means that `runc` 1.0.0 should implement the 1.0 version of the specification.
You can find official releases of `runc` on the [release](https://github.com/opencontainers/runc/releases) page.
All releases are signed by one of the keys listed in the [`runc.keyring` file in the root of this repository](runc.keyring).
## Security
The reporting process and disclosure communications are outlined [here](https://github.com/opencontainers/org/blob/master/SECURITY.md).
@@ -27,11 +25,86 @@ A third party security audit was performed by Cure53, you can see the full repor
## Building
`runc` currently supports the Linux platform with various architecture support.
It must be built with Go version 1.13 or higher.
`runc` only supports Linux. See the header of [`go.mod`](./go.mod) for the minimally required Go version.
In order to enable seccomp support you will need to install `libseccomp` on your platform.
> e.g. `libseccomp-devel` for CentOS, or `libseccomp-dev` for Ubuntu
### Pre-Requisites
#### Utilities and Libraries
In addition to Go, building `runc` requires multiple utilities and libraries to be installed on your system.
On Ubuntu/Debian, you can install the required dependencies with:
```bash
apt update && apt install -y make gcc linux-libc-dev libseccomp-dev pkg-config git
```
On CentOS/Fedora, you can install the required dependencies with:
```bash
yum install -y make gcc kernel-headers libseccomp-devel pkg-config git
```
On Alpine Linux, you can install the required dependencies with:
```bash
apk --update add bash make gcc libseccomp-dev musl-dev linux-headers git
```
The following dependencies are optional:
* `libseccomp` - only required if you enable seccomp support; to disable, see [Build Tags](#build-tags).
* `libpathrs` - only required if you enable libpathrs support; to disable, see [Build Tags](#build-tags).
For notes on installing libpathrs, see [the next section](#libpathrs).
##### libpathrs
[libpathrs][] is a Rust library runc can optionally use for path safety. As
mentioned in [the build tag section](#build-tags), its use is controlled with
the `libpathrs` build tag. runc currently requires at least libpathrs 0.2.4 in
order to function properly.
At time of writing, very few distributions have libpathrs packages and so it is
usually necessary to build and install it locally. For detailed installation
instructions, see [the upstream documentation][libpathrs-install-md], but for
development builds the following instructions should be sufficient:
libpathrs requires Rust 1.63+ (which is available on almost any distribution,
including Debian oldstable and enterprise distributions like RHEL or SLES).
Assuming you already have `cargo` installed (as well as other libpathrs
dependencies like `clang` and `lld`), the following steps are all that are
really necessary to install libpathrs:
```sh
LIBPATHRS_VERSION=0.2.4
curl -o - -sSL https://github.com/cyphar/libpathrs/releases/download/v${LIBPATHRS_VERSION}/libpathrs-${LIBPATHRS_VERSION}.tar.xz | tar xvfJ -
cd libpathrs-${LIBPATHRS_VERSION}/
make release
sudo ./install.sh --prefix=/usr/local
sudo ldconfig
```
As part of our CI, we make use of a custom [installation script for
libpathrs][libpathrs-install-script] which may be useful as a reference for
folks with more complicated needs. With `script/build-libpathrs.sh` the
installation of libpathrs becomes as simple as:
```sh
sudo ./script/build-libpathrs.sh "$LIBPATHRS_VERSION" /usr/local
sudo ldconfig
```
However, please note that this installation script is **completely
unsupported** and is not really intended for general use (it includes some
workarounds for issues in our CI which will no longer be necessary once
libpathrs has distribution packages we can use).
[libpathrs]: https://github.com/cyphar/libpathrs
[libpathrs-install-md]: https://github.com/cyphar/libpathrs/blob/main/INSTALL.md
[libpathrs-install-script]: ./script/build-libpathrs.sh
[gha-test-yml]: ./.github/workflows/test.yml
### Build
```bash
# create a 'github.com/opencontainers' in your GOPATH/src
@@ -54,24 +127,43 @@ sudo make install
`runc` will be installed to `/usr/local/sbin/runc` on your system.
#### Version string customization
You can see the runc version by running `runc --version`. You can append a custom string to the
version using the `EXTRA_VERSION` make variable when building, e.g.:
```bash
make EXTRA_VERSION="+build-1"
```
Bear in mind to include some separator for readability.
#### Build Tags
`runc` supports optional build tags for compiling support of various features,
with some of them enabled by default (see `BUILDTAGS` in top-level `Makefile`).
with some of them enabled by default in the top-level Makefile.
To change build tags from the default, set the `BUILDTAGS` variable for make,
e.g. to disable seccomp:
The following build tags are currently recognized:
| Build Tag | Feature | Set by Default | Dependencies |
|---------------|---------------------------------------|----------------|---------------------|
| `seccomp` | Syscall filtering using `libseccomp`. | yes | `libseccomp` |
| `libpathrs` | Use [`libpathrs`][] for path safety. | yes | [`libpathrs`][] |
| `runc_nocriu` | **Disables** runc checkpoint/restore. | no | `criu` |
[`libpathrs`]: https://github.com/cyphar/libpathrs
To add or remove build tags from the default set, use the `RUNC_BUILDTAGS`
make or shell variable. Tags prefixed with `-` are removed from the default set;
others are added. For example:
```bash
make BUILDTAGS=""
# Add runc_nocriu and remove seccomp tag.
make RUNC_BUILDTAGS="runc_nocriu -seccomp"
```
| Build Tag | Feature | Enabled by default | Dependency |
|-----------|------------------------------------|--------------------|------------|
| seccomp | Syscall filtering | yes | libseccomp |
The following build tags were used earlier, but are now obsoleted:
- **runc_nodmz** (since runc v1.2.1 runc dmz binary is dropped)
- **nokmem** (since runc v1.0.0-rc94 kernel memory settings are ignored)
- **apparmor** (since runc v1.0.0-rc93 the feature is always enabled)
- **selinux** (since runc v1.0.0-rc93 the feature is always enabled)
@@ -111,11 +203,11 @@ You can run a test using your container engine's flags by setting `CONTAINER_ENG
# make test CONTAINER_ENGINE_BUILD_FLAGS="--build-arg http_proxy=http://yourproxy/" CONTAINER_ENGINE_RUN_FLAGS="-e http_proxy=http://yourproxy/"
```
### Dependencies Management
### Go Dependencies Management
`runc` uses [Go Modules](https://github.com/golang/go/wiki/Modules) for dependencies management.
Please refer to [Go Modules](https://github.com/golang/go/wiki/Modules) for how to add or update
new dependencies. When updating dependencies, be sure that you are running Go `1.14` or newer.
new dependencies.
```
# Update vendored dependencies
@@ -302,10 +394,13 @@ WantedBy=multi-user.target
## More documentation
* [Spec conformance](./docs/spec-conformance.md)
* [cgroup v2](./docs/cgroup-v2.md)
* [Checkpoint and restore](./docs/checkpoint-restore.md)
* [systemd cgroup driver](./docs/systemd.md)
* [Terminals and standard IO](./docs/terminals.md)
* [Experimental features](./docs/experimental.md)
* [Deprecated features](./docs/deprecated.md)
## License
+96
View File
@@ -0,0 +1,96 @@
## Release Cadence and Support Policy ##
This document describes the release cadence for runc as well as outlining the
support policy for old release branches. Historically, despite runc being the
most widely used Linux container runtime, our release schedule has been very
ad-hoc and has resulted in very long periods of time between minor releases,
causing issues for downstreams that wanted particular features.
### Semantic Versioning ###
runc uses [Semantic Versioning][semver] for releases. However, our
compatibility policy only applies to the runc binary. We will make a
best-effort attempt to reduce the impact to users that make direct use of the
Go packages prefixed with `github.com/opencontainers/runc`, but we do not
formally guarantee that API compatibility will be preserved.
[semver]: https://semver.org/spec/v2.0.0.html
### Release Cadence ###
[new-issue]: https://github.com/opencontainers/runc/issues/new/choose
runc follows a 6-month minor version release schedule, with the aim of releases
happening at the end of April and October each year.
The first release candidate will be created 2 months before the planned release
date (i.e. the end of February and August, respectively), at which point the
release branch will be created and will enter a feature freeze. No new features
will be merged into the release branch, and large features being developed
immediately before the feature freeze may have their merge delayed so as to not
be included in the next release. Most releases will have two or three release
candidates, but this may change depending on the circumstances of the release
at the time.
If a last-minute critical issue is discovered, the release may be delayed.
However, the following release will still go according to schedule (except in
the exceptionally unlikely scenario where the delay is 4-6 months long, in
which case the next release is moved forward to when the subsequent release
would have been).
Here is a hypothetical release timeline to see how this works in practice:
| Date | Release | Notes |
| ---------- | ------------ | ----- |
| 200X-02-28 | `1.3.0-rc.1` | `release-1.3` branch created, feature freeze. |
| 200X-03-12 | `1.3.0-rc.2` | |
| 200X-03-25 | `1.3.0-rc.3` | |
| 200X-04-30 | `1.3.0` | `1.3` release published. |
| 200X-05-10 | `1.3.1` | |
| 200X-06-21 | `1.3.2` | |
| 200X-06-25 | `1.3.3` | |
| 200X-07-02 | `1.3.4` | |
| 200X-08-28 | `1.4.0-rc.1` | `release-1.4` branch created, feature freeze. |
| 200X-09-15 | `1.3.5` | Patch releases in other release branches have no impact on the new release branch. |
| 200X-09-21 | `1.4.0-rc.2` | |
| 200X-10-31 | `1.4.0` | `1.4` release published. |
| 200X-11-10 | `1.4.1` | |
| 200X-12-25 | `1.4.2` | |
(And so on for the next year.)
### Support Policy ###
In order to ease the transition between minor runc releases, previous minor
release branches of runc will be maintained for some time after the newest
minor release is published. In the following text, `latest` refers to the
latest minor (non-release-candidate) runc release published; `latest-1` is the
previous minor release branch; and `latest-2` is the minor release branch
before `latest-1`. For example, if `latest` is `1.4.0` then `latest-1` is
`1.3.z` and `latest-2` is `1.2.z`.
* Once `latest` is released, new features will no longer be merged into
`latest` and only bug and security fixes will be backported, though we will
be fairly liberal with what kinds of bugs will considered candidates for
backporting.
* `latest-1` will only receive security fixes and significant bug fixes (what
bug fixes are "significant" are down to the maintainer's judgement, but
maintainers should err on the side of reducing the number of backports at
this stage). At this stage, users of `latest-1` are encouraged to start
planning the migration to the `latest` release of runc (as well as reporting
any issues they may find).
* `latest-2` will only receive high severity security fixes (i.e. CVEs that
have been assessed as having a CVSS score of 7.0 or higher). At this stage,
users still using `latest-2` would be strongly encouraged to upgrade to
either `latest` or `latest-1`.
* Any older releases will no longer receive any updates, and users are
encouraged to upgrade in the strongest possible terms, as they will not
receive any security fixes regardless of severity or impact.
This policy only applies to minor releases of runc with major version `1`. If
there is a runc `2.0` release in the future, this document will be updated to
reflect the necessary changes to the support policy for the `1.y` major release
branch of runc.
+1
View File
@@ -1,3 +1,4 @@
# Security
When reporting a security issue, do not create an issue or file a pull request on GitHub.
The reporting process and disclosure communications are outlined [here](https://github.com/opencontainers/org/blob/master/SECURITY.md).
+1 -1
View File
@@ -1 +1 @@
1.0.0-rc95
1.5.0-rc.3
-52
View File
@@ -1,52 +0,0 @@
# -*- mode: ruby -*-
# vi: set ft=ruby :
Vagrant.configure("2") do |config|
config.vm.box = "centos/7"
config.vm.provider :virtualbox do |v|
v.memory = 2048
v.cpus = 2
end
config.vm.provider :libvirt do |v|
v.memory = 2048
v.cpus = 2
end
config.vm.provision "shell", inline: <<-SHELL
set -e -u -o pipefail
# configuration
GO_VERSION="1.16.4"
BATS_VERSION="v1.3.0"
# install yum packages
yum install -y -q epel-release
(cd /etc/yum.repos.d && curl -O https://copr.fedorainfracloud.org/coprs/adrian/criu-el7/repo/epel-7/adrian-criu-el7-epel-7.repo)
yum install -y -q gcc git iptables jq glibc-static libseccomp-devel make criu
yum clean all
# install Go
curl -fsSL "https://dl.google.com/go/go${GO_VERSION}.linux-amd64.tar.gz" | tar Cxz /usr/local
# install bats
git clone https://github.com/bats-core/bats-core
cd bats-core
git checkout $BATS_VERSION
./install.sh /usr/local
cd ..
rm -rf bats-core
# set PATH (NOTE: sudo without -i ignores this PATH)
cat >> /etc/profile.d/sh.local <<EOF
PATH=/usr/local/go/bin:/usr/local/bin:$PATH
export PATH
EOF
source /etc/profile.d/sh.local
# sysctl
echo "user.max_user_namespaces=15076" > /etc/sysctl.d/userns.conf
sysctl --system
# Add a user for rootless tests
useradd -u2000 -m -d/home/rootless -s/bin/bash rootless
SHELL
end
-49
View File
@@ -1,49 +0,0 @@
# -*- mode: ruby -*-
# vi: set ft=ruby :
Vagrant.configure("2") do |config|
# Fedora box is used for testing cgroup v2 support
config.vm.box = "fedora/34-cloud-base"
config.vm.provider :virtualbox do |v|
v.memory = 2048
v.cpus = 2
end
config.vm.provider :libvirt do |v|
v.memory = 2048
v.cpus = 2
end
config.vm.provision "shell", inline: <<-SHELL
set -e -u -o pipefail
# Work around dnf mirror failures by retrying a few times
for i in $(seq 0 2); do
sleep $i
cat << EOF | dnf -y shell && break
config exclude kernel,kernel-core
config install_weak_deps false
update
install iptables gcc make golang-go glibc-static libseccomp-devel bats jq git-core criu
ts run
EOF
done
dnf clean all
# Add a user for rootless tests
useradd -u2000 -m -d/home/rootless -s/bin/bash rootless
# Allow root to execute `ssh rootless@localhost` in tests/rootless.sh
ssh-keygen -t ecdsa -N "" -f /root/rootless.key
mkdir -m 0700 -p /home/rootless/.ssh
cat /root/rootless.key.pub >> /home/rootless/.ssh/authorized_keys
chown -R rootless.rootless /home/rootless
# Delegate cgroup v2 controllers to rootless user via --systemd-cgroup
mkdir -p /etc/systemd/system/user@.service.d
cat > /etc/systemd/system/user@.service.d/delegate.conf << EOF
[Service]
# default: Delegate=pids memory
# NOTE: delegation of cpuset requires systemd >= 244 (Fedora >= 32, Ubuntu >= 20.04).
Delegate=yes
EOF
systemctl daemon-reload
SHELL
end
+66 -55
View File
@@ -1,5 +1,3 @@
// +build linux
package main
import (
@@ -10,13 +8,13 @@ import (
"path/filepath"
"strconv"
criu "github.com/checkpoint-restore/go-criu/v5/rpc"
"github.com/opencontainers/runc/libcontainer"
"github.com/opencontainers/runc/libcontainer/userns"
"github.com/moby/sys/userns"
"github.com/opencontainers/runtime-spec/specs-go"
"github.com/sirupsen/logrus"
"github.com/urfave/cli"
"golang.org/x/sys/unix"
"github.com/opencontainers/runc/libcontainer"
)
var checkpointCommand = cli.Command{
@@ -33,6 +31,8 @@ checkpointed.`,
cli.StringFlag{Name: "parent-path", Value: "", Usage: "path for previous criu image files in pre-dump"},
cli.BoolFlag{Name: "leave-running", Usage: "leave the process running after checkpointing"},
cli.BoolFlag{Name: "tcp-established", Usage: "allow open tcp connections"},
cli.BoolFlag{Name: "tcp-skip-in-flight", Usage: "skip in-flight tcp connections"},
cli.BoolFlag{Name: "link-remap", Usage: "allow one to link unlinked files back when possible"},
cli.BoolFlag{Name: "ext-unix-sk", Usage: "allow external unix sockets"},
cli.BoolFlag{Name: "shell-job", Usage: "allow shell jobs"},
cli.BoolFlag{Name: "lazy-pages", Usage: "use userfaultfd to lazily restore memory pages"},
@@ -40,7 +40,7 @@ checkpointed.`,
cli.StringFlag{Name: "page-server", Value: "", Usage: "ADDRESS:PORT of the page server"},
cli.BoolFlag{Name: "file-locks", Usage: "handle file locks, for safety"},
cli.BoolFlag{Name: "pre-dump", Usage: "dump container's memory information only, leave the container running after this"},
cli.StringFlag{Name: "manage-cgroups-mode", Value: "", Usage: "cgroups mode: 'soft' (default), 'full' and 'strict'"},
cli.StringFlag{Name: "manage-cgroups-mode", Value: "", Usage: "cgroups mode: soft|full|strict|ignore (default: soft)"},
cli.StringSliceFlag{Name: "empty-ns", Usage: "create a namespace, but don't restore its properties"},
cli.BoolFlag{Name: "auto-dedup", Usage: "enable auto deduplication of memory images"},
},
@@ -62,30 +62,31 @@ checkpointed.`,
return err
}
if status == libcontainer.Created || status == libcontainer.Stopped {
fatal(fmt.Errorf("Container cannot be checkpointed in %s state", status.String()))
return fmt.Errorf("Container cannot be checkpointed in %s state", status.String())
}
options := criuOptions(context)
if !(options.LeaveRunning || options.PreDump) {
// destroy container unless we tell CRIU to keep it
defer destroy(container)
}
// these are the mandatory criu options for a container
setPageServer(context, options)
setManageCgroupsMode(context, options)
if err := setEmptyNsMask(context, options); err != nil {
options, err := criuOptions(context)
if err != nil {
return err
}
return container.Checkpoint(options)
err = container.Checkpoint(options)
if err == nil && !options.LeaveRunning && !options.PreDump {
// Destroy the container unless we tell CRIU to keep it.
if err := container.Destroy(); err != nil {
logrus.Warn(err)
}
}
return err
},
}
func prepareImagePaths(context *cli.Context) (string, string, error) {
imagePath := context.String("image-path")
if imagePath == "" {
imagePath = getDefaultImagePath(context)
imagePath = getDefaultImagePath()
}
if err := os.MkdirAll(imagePath, 0600); err != nil {
if err := os.MkdirAll(imagePath, 0o600); err != nil {
return "", "", err
}
@@ -109,60 +110,70 @@ func prepareImagePaths(context *cli.Context) (string, string, error) {
}
return imagePath, parentPath, nil
}
func setPageServer(context *cli.Context, options *libcontainer.CriuOpts) {
// xxx following criu opts are optional
// The dump image can be sent to a criu page server
func criuOptions(context *cli.Context) (*libcontainer.CriuOpts, error) {
imagePath, parentPath, err := prepareImagePaths(context)
if err != nil {
return nil, err
}
opts := &libcontainer.CriuOpts{
ImagesDirectory: imagePath,
WorkDirectory: context.String("work-path"),
ParentImage: parentPath,
LeaveRunning: context.Bool("leave-running"),
TcpEstablished: context.Bool("tcp-established"),
TcpSkipInFlight: context.Bool("tcp-skip-in-flight"),
LinkRemap: context.Bool("link-remap"),
ExternalUnixConnections: context.Bool("ext-unix-sk"),
ShellJob: context.Bool("shell-job"),
FileLocks: context.Bool("file-locks"),
PreDump: context.Bool("pre-dump"),
AutoDedup: context.Bool("auto-dedup"),
LazyPages: context.Bool("lazy-pages"),
StatusFd: context.Int("status-fd"),
LsmProfile: context.String("lsm-profile"),
LsmMountContext: context.String("lsm-mount-context"),
ManageCgroupsMode: context.String("manage-cgroups-mode"),
}
// CRIU options below may or may not be set.
if psOpt := context.String("page-server"); psOpt != "" {
address, port, err := net.SplitHostPort(psOpt)
if err != nil || address == "" || port == "" {
fatal(errors.New("Use --page-server ADDRESS:PORT to specify page server"))
return nil, errors.New("Use --page-server ADDRESS:PORT to specify page server")
}
portInt, err := strconv.Atoi(port)
if err != nil {
fatal(errors.New("Invalid port number"))
return nil, errors.New("Invalid port number")
}
options.PageServer = libcontainer.CriuPageServerInfo{
opts.PageServer = libcontainer.CriuPageServerInfo{
Address: address,
Port: int32(portInt),
}
}
}
func setManageCgroupsMode(context *cli.Context, options *libcontainer.CriuOpts) {
if cgOpt := context.String("manage-cgroups-mode"); cgOpt != "" {
switch cgOpt {
case "soft":
options.ManageCgroupsMode = criu.CriuCgMode_SOFT
case "full":
options.ManageCgroupsMode = criu.CriuCgMode_FULL
case "strict":
options.ManageCgroupsMode = criu.CriuCgMode_STRICT
default:
fatal(errors.New("Invalid manage cgroups mode"))
}
}
}
var namespaceMapping = map[specs.LinuxNamespaceType]int{
specs.NetworkNamespace: unix.CLONE_NEWNET,
}
func setEmptyNsMask(context *cli.Context, options *libcontainer.CriuOpts) error {
/* Runc doesn't manage network devices and their configuration */
// runc doesn't manage network devices and their configuration.
nsmask := unix.CLONE_NEWNET
for _, ns := range context.StringSlice("empty-ns") {
f, exists := namespaceMapping[specs.LinuxNamespaceType(ns)]
if !exists {
return fmt.Errorf("namespace %q is not supported", ns)
if context.IsSet("empty-ns") {
namespaceMapping := map[specs.LinuxNamespaceType]int{
specs.NetworkNamespace: unix.CLONE_NEWNET,
}
for _, ns := range context.StringSlice("empty-ns") {
f, exists := namespaceMapping[specs.LinuxNamespaceType(ns)]
if !exists {
return nil, fmt.Errorf("namespace %q is not supported", ns)
}
nsmask |= f
}
nsmask |= f
}
options.EmptyNs = uint32(nsmask)
return nil
opts.EmptyNs = uint32(nsmask)
return opts, nil
}
+7 -4
View File
@@ -173,6 +173,7 @@ _runc_exec() {
--apparmor
--cap, -c
--preserve-fds
--ignore-paused
"
local all_options="$options_with_args $boolean_options"
@@ -230,12 +231,11 @@ _runc_runc() {
--log
--log-format
--root
--criu
--rootless
"
case "$prev" in
--log | --root | --criu)
--log | --root)
case "$cur" in
*:*) ;; # TODO somehow do _filedir for stuff inside the image, if it's already specified (which is also somewhat difficult to determine)
'')
@@ -382,7 +382,7 @@ _runc_events() {
_runc_list() {
local boolean_options="
--help
--quiet
--quiet
-q
"
@@ -507,6 +507,8 @@ _runc_checkpoint() {
-h
--leave-running
--tcp-established
--tcp-skip-in-flight
--link-remap
--ext-unix-sk
--shell-job
--lazy-pages
@@ -732,6 +734,7 @@ _runc_update() {
--blkio-weight
--cpu-period
--cpu-quota
--cpu-burst
--cpu-rt-period
--cpu-rt-runtime
--cpu-share
@@ -743,6 +746,7 @@ _runc_update() {
--pids-limit
--l3-cache-schema
--mem-bw-schema
--cpu-idle
"
case "$prev" in
@@ -771,7 +775,6 @@ _runc() {
delete
events
exec
init
kill
list
pause
+11 -14
View File
@@ -1,6 +1,7 @@
package main
import (
"fmt"
"os"
"github.com/urfave/cli"
@@ -33,6 +34,10 @@ command(s) that get executed on start, edit the args parameter of the spec. See
Value: "",
Usage: "path to an AF_UNIX socket which will receive a file descriptor referencing the master end of the console's pseudoterminal",
},
cli.StringFlag{
Name: "pidfd-socket",
Usage: "path to an AF_UNIX socket which will receive a file descriptor referencing the init process",
},
cli.StringFlag{
Name: "pid-file",
Value: "",
@@ -55,20 +60,12 @@ command(s) that get executed on start, edit the args parameter of the spec. See
if err := checkArgs(context, 1, exactArgs); err != nil {
return err
}
if err := revisePidFile(context); err != nil {
return err
status, err := startContainer(context, CT_ACT_CREATE, nil)
if err == nil {
// exit with the container's exit status so any external supervisor
// is notified of the exit with the correct exit status.
os.Exit(status)
}
spec, err := setupSpec(context)
if err != nil {
return err
}
status, err := startContainer(context, spec, CT_ACT_CREATE, nil)
if err != nil {
return err
}
// exit with the container's exit status so any external supervisor is
// notified of the exit with the correct exit status.
os.Exit(status)
return nil
return fmt.Errorf("runc create failed: %w", err)
},
}
+16 -16
View File
@@ -1,5 +1,3 @@
// +build !solaris
package main
import (
@@ -15,13 +13,12 @@ import (
"golang.org/x/sys/unix"
)
func killContainer(container libcontainer.Container) error {
_ = container.Signal(unix.SIGKILL, false)
for i := 0; i < 100; i++ {
func killContainer(container *libcontainer.Container) error {
_ = container.Signal(unix.SIGKILL)
for range 100 {
time.Sleep(100 * time.Millisecond)
if err := container.Signal(unix.Signal(0), false); err != nil {
destroy(container)
return nil
if err := container.Signal(unix.Signal(0)); err != nil {
return container.Destroy()
}
}
return errors.New("container init still running")
@@ -55,7 +52,7 @@ status of "ubuntu01" as "stopped" the following will delete resources held for
force := context.Bool("force")
container, err := getContainer(context)
if err != nil {
if lerr, ok := err.(libcontainer.Error); ok && lerr.Code() == libcontainer.ContainerNotExists {
if errors.Is(err, libcontainer.ErrNotExist) {
// if there was an aborted start or something of the sort then the container's directory could exist but
// libcontainer does not see it because the state.json file inside that directory was never created.
path := filepath.Join(context.GlobalString("root"), id)
@@ -68,22 +65,25 @@ status of "ubuntu01" as "stopped" the following will delete resources held for
}
return err
}
// When --force is given, we kill all container processes and
// then destroy the container. This is done even for a stopped
// container, because (in case it does not have its own PID
// namespace) there may be some leftover processes in the
// container's cgroup.
if force {
return killContainer(container)
}
s, err := container.Status()
if err != nil {
return err
}
switch s {
case libcontainer.Stopped:
destroy(container)
return container.Destroy()
case libcontainer.Created:
return killContainer(container)
default:
if force {
return killContainer(container)
}
return fmt.Errorf("cannot delete container %s that is not stopped: %s\n", id, s)
return fmt.Errorf("cannot delete container %s that is not stopped: %s", id, s)
}
return nil
},
}
+20 -12
View File
@@ -3,7 +3,15 @@
runc fully supports cgroup v2 (unified mode) since v1.0.0-rc93.
To use cgroup v2, you might need to change the configuration of the host init system.
Fedora (>= 31) uses cgroup v2 by default and no extra configuration is required.
The following distributions are known to use cgroup v2 by default:
<!-- the list should be kept in sync with https://github.com/rootless-containers/rootlesscontaine.rs/blob/master/content/getting-started/common/cgroup2.md -->
- Fedora (since 31)
- Arch Linux (since April 2021)
- openSUSE Tumbleweed (since c. 2021)
- Debian GNU/Linux (since 11)
- Ubuntu (since 21.10)
- RHEL and RHEL-like distributions (since 9)
On other systemd-based distros, cgroup v2 can be enabled by adding `systemd.unified_cgroup_hierarchy=1` to the kernel cmdline.
## Am I using cgroup v2?
@@ -26,18 +34,18 @@ The recommended systemd version is 244 or later. Older systemd does not support
Make sure you also have the `dbus-user-session` (Debian/Ubuntu) or `dbus-daemon` (CentOS/Fedora) package installed, and that `dbus` is running. On Debian-flavored distros, this can be accomplished like so:
```console
$ sudo apt install -y dbus-user-session
$ systemctl --user start dbus
```bash
sudo apt install -y dbus-user-session
systemctl --user start dbus
```
## Rootless
On cgroup v2 hosts, rootless runc can talk to systemd to get cgroup permissions to be delegated.
```console
$ runc spec --rootless
$ jq '.linux.cgroupsPath="user.slice:runc:foo"' config.json | sponge config.json
$ runc --systemd-cgroup run foo
```bash
runc spec --rootless
jq '.linux.cgroupsPath="user.slice:runc:foo"' config.json | sponge config.json
runc --systemd-cgroup run foo
```
The container processes are executed in a cgroup like `/user.slice/user-$(id -u).slice/user@$(id -u).service/user.slice/runc-foo.scope`.
@@ -52,11 +60,11 @@ memory pids
To allow delegation of other controllers, you need to change the systemd configuration as follows:
```console
# mkdir -p /etc/systemd/system/user@.service.d
# cat > /etc/systemd/system/user@.service.d/delegate.conf << EOF
```bash
sudo mkdir -p /etc/systemd/system/user@.service.d
cat <<EOF | sudo tee /etc/systemd/system/user@.service.d/delegate.conf
[Service]
Delegate=cpu cpuset io memory pids
EOF
# systemctl daemon-reload
sudo systemctl daemon-reload
```
+11
View File
@@ -0,0 +1,11 @@
# Deprecated features
The following features are deprecated:
Feature | Deprecation release | Removal release
---------------------------------------- | -------------------- | ------------------
cgroup v1 | v1.4.0 | (May 2029)
<!-- TBD: features that were already deprecated and removed -->
- The latest release in May 2029 may not necessarily support cgroup v1, but there will be at least one maintained branch with the support for cgroup v1.
+9
View File
@@ -0,0 +1,9 @@
# Experimental features
The following features were experimental in the past:
Feature | Experimental release | Graduation release
---------------------------------------- | -------------------- | ------------------
cgroup v2 | v1.0.0-rc91 | v1.0.0-rc93
The `runc features` command | v1.1.0 | v1.2.0
runc-dmz | v1.2.0-rc1 | Dropped in v1.2.1
+22
View File
@@ -0,0 +1,22 @@
# Spec conformance
This branch of runc implements the [OCI Runtime Spec v1.3.0](https://github.com/opencontainers/runtime-spec/tree/v1.3.0)
for the `linux` platform.
## Architectures
The following architectures are supported:
runc binary | seccomp
-------------|-------------------------------------------------------
`amd64` | `SCMP_ARCH_X86`, `SCMP_ARCH_X86_64`, `SCMP_ARCH_X32`
`arm64` | `SCMP_ARCH_ARM`, `SCMP_ARCH_AARCH64`
`armel` | `SCMP_ARCH_ARM`
`armhf` | `SCMP_ARCH_ARM`
`ppc64le` | `SCMP_ARCH_PPC64LE`
`riscv64` | `SCMP_ARCH_RISCV64`
`s390x` | `SCMP_ARCH_S390`, `SCMP_ARCH_S390X`
`loong64` | `SCMP_ARCH_LOONGARCH64`
The runc binary might be compilable for i386, big-endian PPC64,
and several MIPS variants too, but these architectures are not officially supported.
+5 -3
View File
@@ -3,7 +3,7 @@
By default, runc creates cgroups and sets cgroup limits on its own (this mode
is known as fs cgroup driver). When `--systemd-cgroup` global option is given
(as in e.g. `runc --systemd-cgroup run ...`), runc switches to systemd cgroup
driver. This document describes its features and pecularities.
driver. This document describes its features and peculiarities.
### systemd unit name and placement
@@ -31,6 +31,7 @@ runtime spec in the following way:
Next, `prefix` and `name` are used to compose the unit name, which
is `<prefix>-<name>.scope`, unless `name` has `.slice` suffix, in
which case `prefix` is ignored and the `name` is used as is.
The default value for both `prefix` and `name` is empty string.
2. If `Linux.CgroupsPath` is not set or empty, it works the same way as if it
would be set to `:runc:<container-id>`. See the description above to see
@@ -91,6 +92,7 @@ The following tables summarize which properties are translated.
| cpu.mems | AllowedMemoryNodes | v244 |
| unified.cpu.max | CPUQuota, CPUQuotaPeriodSec | v242 |
| unified.cpu.weight | CPUWeight | |
| unified.cpu.idle | CPUWeight | v252 |
| unified.cpuset.cpus | AllowedCPUs | v244 |
| unified.cpuset.mems | AllowedMemoryNodes | v244 |
| unified.memory.high | MemoryHigh | |
@@ -123,8 +125,8 @@ The above will set the following properties:
* `TimeoutStopSec` to 2 minutes and 3 seconds;
* `CollectMode` to "inactive-or-failed".
The values must be in the gvariant format (for details, see
[gvariant documentation](https://developer.gnome.org/glib/stable/gvariant-text.html)).
The values must be in the gvariant text format, as described in
[gvariant documentation](https://docs.gtk.org/glib/gvariant-text-format.html).
To find out which type systemd expects for a particular parameter, please
consult systemd sources.
+34 -7
View File
@@ -35,8 +35,8 @@ descriptors to preserve. Instead, it takes how many file descriptors (not
including `stdio` or `LISTEN_FDS`) should be passed to the container. In the
following example:
```
% runc run --preserve-fds 5 <container>
```bash
runc run --preserve-fds 5 <container>
```
`runc` will pass the first `5` file descriptors (`3`, `4`, `5`, `6`, and `7` --
@@ -46,8 +46,8 @@ In addition to `--preserve-fds`, `LISTEN_FDS` file descriptors are passed
automatically to allow for `systemd`-style socket activation. To extend the
above example:
```
% LISTEN_PID=$pid_of_runc LISTEN_FDS=3 runc run --preserve-fds 5 <container>
```bash
LISTEN_PID=$pid_of_runc LISTEN_FDS=3 runc run --preserve-fds 5 <container>
```
`runc` will now pass the first `8` file descriptors (and it will also pass
@@ -113,6 +113,33 @@ interact with pseudo-terminal `stdio`][tty_ioctl(4)].
> means that it is not really possible to uniquely distinguish between `stdout`
> and `stderr` from the caller's perspective.
#### Issues
If you see an error like
```
open /dev/tty: no such device or address
```
from runc, it means it can't open a terminal (because there isn't one). This
can happen when stdin (and possibly also stdout and stderr) are redirected,
or in some environments that lack a tty (such as GitHub Actions runners).
The solution to this is to *not* use a terminal for the container, i.e. have
`terminal: false` in `config.json`. If the container really needs a terminal
(some programs require one), you can provide one, using one of the following
methods.
One way is to use `ssh` with the `-tt` flag. The second `t` forces a terminal
allocation even if there's no local one -- and so it is required when stdin is
not a terminal (some `ssh` implementations only look for a terminal on stdin).
Another way is to run runc under the `script` utility, like this
```bash
script -e -c 'runc run <container>'
```
[tty_ioctl(4)]: https://linux.die.net/man/4/tty_ioctl
### <a name="pass-through"> Pass-Through ###
@@ -123,8 +150,8 @@ the contained process (this is not necessarily the same as `--preserve-fds`'s
passing of file descriptors -- [details below](#runc-modes)). As an example
(assuming that `terminal: false` is set in `config.json`):
```
% echo input | runc run some_container > /tmp/log.out 2> /tmp/log.err
```bash
echo input | runc run some_container > /tmp/log.out 2> /tmp/log.err
```
Here the container's various `stdio` file descriptors will be substituted with
@@ -324,4 +351,4 @@ a [Go implementation in the `go-runc` bindings][containerd/go-runc.Socket], as
well as [a simple client][recvtty].
[containerd/go-runc.Socket]: https://godoc.org/github.com/containerd/go-runc#Socket
[recvtty]: /contrib/cmd/recvtty
[recvtty]: /tests/cmd/recvtty
+9 -8
View File
@@ -1,5 +1,3 @@
// +build linux
package main
import (
@@ -10,8 +8,8 @@ import (
"sync"
"time"
"github.com/opencontainers/cgroups"
"github.com/opencontainers/runc/libcontainer"
"github.com/opencontainers/runc/libcontainer/cgroups"
"github.com/opencontainers/runc/libcontainer/intelrdt"
"github.com/opencontainers/runc/types"
@@ -55,16 +53,14 @@ information is displayed once every 5 seconds.`,
events = make(chan *types.Event, 1024)
group = &sync.WaitGroup{}
)
group.Add(1)
go func() {
defer group.Done()
group.Go(func() {
enc := json.NewEncoder(os.Stdout)
for e := range events {
if err := enc.Encode(e); err != nil {
logrus.Error(err)
}
}
}()
})
if context.Bool("stats") {
s, err := container.Stats()
if err != nil {
@@ -131,6 +127,7 @@ func convertLibcontainerStats(ls *libcontainer.Stats) *types.Stats {
s.CPU.Throttling.Periods = cg.CpuStats.ThrottlingData.Periods
s.CPU.Throttling.ThrottledPeriods = cg.CpuStats.ThrottlingData.ThrottledPeriods
s.CPU.Throttling.ThrottledTime = cg.CpuStats.ThrottlingData.ThrottledTime
s.CPU.PSI = cg.CpuStats.PSI
s.CPUSet = types.CPUSet(cg.CPUSetStats)
@@ -140,6 +137,7 @@ func convertLibcontainerStats(ls *libcontainer.Stats) *types.Stats {
s.Memory.Swap = convertMemoryEntry(cg.MemoryStats.SwapUsage)
s.Memory.Usage = convertMemoryEntry(cg.MemoryStats.Usage)
s.Memory.Raw = cg.MemoryStats.Stats
s.Memory.PSI = cg.MemoryStats.PSI
s.Blkio.IoServiceBytesRecursive = convertBlkioEntry(cg.BlkioStats.IoServiceBytesRecursive)
s.Blkio.IoServicedRecursive = convertBlkioEntry(cg.BlkioStats.IoServicedRecursive)
@@ -149,6 +147,7 @@ func convertLibcontainerStats(ls *libcontainer.Stats) *types.Stats {
s.Blkio.IoMergedRecursive = convertBlkioEntry(cg.BlkioStats.IoMergedRecursive)
s.Blkio.IoTimeRecursive = convertBlkioEntry(cg.BlkioStats.IoTimeRecursive)
s.Blkio.SectorsRecursive = convertBlkioEntry(cg.BlkioStats.SectorsRecursive)
s.Blkio.PSI = cg.BlkioStats.PSI
s.Hugetlb = make(map[string]types.Hugetlb)
for k, v := range cg.HugetlbStats {
@@ -172,6 +171,8 @@ func convertLibcontainerStats(ls *libcontainer.Stats) *types.Stats {
if intelrdt.IsCMTEnabled() {
s.IntelRdt.CMTStats = is.CMTStats
}
s.IntelRdt.Schemata = is.Schemata
}
s.NetworkInterfaces = ls.Interfaces
@@ -196,7 +197,7 @@ func convertMemoryEntry(c cgroups.MemoryData) types.MemoryEntry {
}
func convertBlkioEntry(c []cgroups.BlkioStatEntry) []types.BlkioEntry {
var out []types.BlkioEntry
out := make([]types.BlkioEntry, 0, len(c))
for _, e := range c {
out = append(out, types.BlkioEntry(e))
}
+90 -45
View File
@@ -1,9 +1,8 @@
// +build linux
package main
import (
"encoding/json"
"errors"
"fmt"
"os"
"strconv"
@@ -34,6 +33,10 @@ following will output a list of processes running in the container:
Name: "console-socket",
Usage: "path to an AF_UNIX socket which will receive a file descriptor referencing the master end of the console's pseudoterminal",
},
cli.StringFlag{
Name: "pidfd-socket",
Usage: "path to an AF_UNIX socket which will receive a file descriptor referencing the exec process",
},
cli.StringFlag{
Name: "cwd",
Usage: "current working directory in the container",
@@ -84,15 +87,18 @@ following will output a list of processes running in the container:
Value: &cli.StringSlice{},
Usage: "add a capability to the bounding set for the process",
},
cli.BoolFlag{
Name: "no-subreaper",
Usage: "disable the use of the subreaper used to reap reparented processes",
Hidden: true,
},
cli.IntFlag{
Name: "preserve-fds",
Usage: "Pass N additional file descriptors to the container (stdio + $LISTEN_FDS + N in total)",
},
cli.StringSliceFlag{
Name: "cgroup",
Usage: "run the process in an (existing) sub-cgroup(s). Format is [<controller>:]<cgroup>.",
},
cli.BoolFlag{
Name: "ignore-paused",
Usage: "allow exec in a paused container",
},
},
Action: func(context *cli.Context) error {
if err := checkArgs(context, 1, minArgs); err != nil {
@@ -105,11 +111,47 @@ following will output a list of processes running in the container:
if err == nil {
os.Exit(status)
}
return fmt.Errorf("exec failed: %v", err)
fatalWithCode(fmt.Errorf("exec failed: %w", err), 255)
return nil // to satisfy the linter
},
SkipArgReorder: true,
}
// getSubCgroupPaths parses --cgroup arguments, which can either be
// - a single "path" argument (for cgroup v2);
// - one or more controller[,controller[,...]]:path arguments (for cgroup v1).
//
// Returns a controller to path map. For cgroup v2, it's a single entity map
// with empty controller value.
func getSubCgroupPaths(args []string) (map[string]string, error) {
if len(args) == 0 {
return nil, nil
}
paths := make(map[string]string, len(args))
for _, c := range args {
// Split into controller:path.
if ctr, path, ok := strings.Cut(c, ":"); ok {
// There may be a few comma-separated controllers.
for ctrl := range strings.SplitSeq(ctr, ",") {
if ctrl == "" {
return nil, fmt.Errorf("invalid --cgroup argument: %s (empty <controller> prefix)", c)
}
if _, ok := paths[ctrl]; ok {
return nil, fmt.Errorf("invalid --cgroup argument(s): controller %s specified multiple times", ctrl)
}
paths[ctrl] = path
}
} else {
// No "controller:" prefix (cgroup v2, a single path).
if len(args) != 1 {
return nil, fmt.Errorf("invalid --cgroup argument: %s (missing <controller>: prefix)", c)
}
paths[""] = c
}
}
return paths, nil
}
func execProcess(context *cli.Context) (int, error) {
container, err := getContainer(context)
if err != nil {
@@ -120,26 +162,19 @@ func execProcess(context *cli.Context) (int, error) {
return -1, err
}
if status == libcontainer.Stopped {
return -1, fmt.Errorf("cannot exec a container that has stopped")
return -1, errors.New("cannot exec in a stopped container")
}
path := context.String("process")
if path == "" && len(context.Args()) == 1 {
return -1, fmt.Errorf("process args cannot be empty")
if status == libcontainer.Paused && !context.Bool("ignore-paused") {
return -1, errors.New("cannot exec in a paused container (use --ignore-paused to override)")
}
detach := context.Bool("detach")
state, err := container.State()
if err != nil {
return -1, err
}
bundle := utils.SearchLabels(state.Config.Labels, "bundle")
p, err := getProcess(context, bundle)
p, err := getProcess(context, container)
if err != nil {
return -1, err
}
logLevel := "info"
if context.GlobalBool("debug") {
logLevel = "debug"
cgPaths, err := getSubCgroupPaths(context.StringSlice("cgroup"))
if err != nil {
return -1, err
}
r := &runner{
@@ -147,17 +182,18 @@ func execProcess(context *cli.Context) (int, error) {
shouldDestroy: false,
container: container,
consoleSocket: context.String("console-socket"),
detach: detach,
pidfdSocket: context.String("pidfd-socket"),
detach: context.Bool("detach"),
pidFile: context.String("pid-file"),
action: CT_ACT_RUN,
init: false,
preserveFDs: context.Int("preserve-fds"),
logLevel: logLevel,
subCgroupPaths: cgPaths,
}
return r.run(p)
}
func getProcess(context *cli.Context, bundle string) (*specs.Process, error) {
func getProcess(context *cli.Context, c *libcontainer.Container) (*specs.Process, error) {
if path := context.String("process"); path != "" {
f, err := os.Open(path)
if err != nil {
@@ -170,7 +206,11 @@ func getProcess(context *cli.Context, bundle string) (*specs.Process, error) {
}
return &p, validateProcessSpec(&p)
}
// process via cli flags
// Process from config.json and CLI flags.
bundle, ok := utils.SearchLabels(c.Config().Labels, "bundle")
if !ok {
return nil, errors.New("bundle not found in labels")
}
if err := os.Chdir(bundle); err != nil {
return nil, err
}
@@ -179,10 +219,14 @@ func getProcess(context *cli.Context, bundle string) (*specs.Process, error) {
return nil, err
}
p := spec.Process
p.Args = context.Args()[1:]
// override the cwd, if passed
if context.String("cwd") != "" {
p.Cwd = context.String("cwd")
args := context.Args()
if len(args) < 2 {
return nil, errors.New("exec args cannot be empty")
}
p.Args = args[1:]
// Override the cwd, if passed.
if cwd := context.String("cwd"); cwd != "" {
p.Cwd = cwd
}
if ap := context.String("apparmor"); ap != "" {
p.ApparmorProfile = ap
@@ -193,36 +237,37 @@ func getProcess(context *cli.Context, bundle string) (*specs.Process, error) {
if caps := context.StringSlice("cap"); len(caps) > 0 {
for _, c := range caps {
p.Capabilities.Bounding = append(p.Capabilities.Bounding, c)
p.Capabilities.Inheritable = append(p.Capabilities.Inheritable, c)
p.Capabilities.Effective = append(p.Capabilities.Effective, c)
p.Capabilities.Permitted = append(p.Capabilities.Permitted, c)
p.Capabilities.Ambient = append(p.Capabilities.Ambient, c)
// Since ambient capabilities can't be set without inherritable,
// and runc exec --cap don't set inheritable, let's only set
// ambient if we already have some inheritable bits set from spec.
if p.Capabilities.Inheritable != nil {
p.Capabilities.Ambient = append(p.Capabilities.Ambient, c)
}
}
}
// append the passed env variables
p.Env = append(p.Env, context.StringSlice("env")...)
// set the tty
p.Terminal = false
if context.IsSet("tty") {
p.Terminal = context.Bool("tty")
}
// Always set tty to false, unless explicitly enabled from CLI.
p.Terminal = context.Bool("tty")
if context.IsSet("no-new-privs") {
p.NoNewPrivileges = context.Bool("no-new-privs")
}
// override the user, if passed
if context.String("user") != "" {
u := strings.SplitN(context.String("user"), ":", 2)
if len(u) > 1 {
gid, err := strconv.Atoi(u[1])
// Override the user, if passed.
if user := context.String("user"); user != "" {
uids, gids, ok := strings.Cut(user, ":")
if ok {
gid, err := strconv.Atoi(gids)
if err != nil {
return nil, fmt.Errorf("parsing %s as int for gid failed: %v", u[1], err)
return nil, fmt.Errorf("bad gid: %w", err)
}
p.User.GID = uint32(gid)
}
uid, err := strconv.Atoi(u[0])
uid, err := strconv.Atoi(uids)
if err != nil {
return nil, fmt.Errorf("parsing %s as int for uid failed: %v", u[0], err)
return nil, fmt.Errorf("bad uid: %w", err)
}
p.User.UID = uint32(uid)
}
+100
View File
@@ -0,0 +1,100 @@
package main
import (
"encoding/json"
"fmt"
"github.com/opencontainers/runc/libcontainer/capabilities"
"github.com/opencontainers/runc/libcontainer/configs"
"github.com/opencontainers/runc/libcontainer/seccomp"
"github.com/opencontainers/runc/libcontainer/specconv"
runcfeatures "github.com/opencontainers/runc/types/features"
"github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/runtime-spec/specs-go/features"
"github.com/urfave/cli"
)
var featuresCommand = cli.Command{
Name: "features",
Usage: "show the enabled features",
ArgsUsage: "",
Description: `Show the enabled features.
The result is parsable as a JSON.
See https://github.com/opencontainers/runtime-spec/blob/main/features.md for the type definition.
`,
Action: func(context *cli.Context) error {
if err := checkArgs(context, 0, exactArgs); err != nil {
return err
}
t := true
feat := features.Features{
OCIVersionMin: "1.0.0",
OCIVersionMax: specs.Version,
Annotations: map[string]string{
runcfeatures.AnnotationRuncVersion: version,
runcfeatures.AnnotationRuncCommit: gitCommit,
runcfeatures.AnnotationRuncCheckpointEnabled: "true",
},
Hooks: configs.KnownHookNames(),
MountOptions: specconv.KnownMountOptions(),
Linux: &features.Linux{
Namespaces: specconv.KnownNamespaces(),
Capabilities: capabilities.KnownCapabilities(),
Cgroup: &features.Cgroup{
V1: &t,
V2: &t,
Systemd: &t,
SystemdUser: &t,
Rdma: &t,
},
Apparmor: &features.Apparmor{
Enabled: &t,
},
Selinux: &features.Selinux{
Enabled: &t,
},
IntelRdt: &features.IntelRdt{
Enabled: &t,
Schemata: &t,
Monitoring: &t,
},
MemoryPolicy: &features.MemoryPolicy{
Modes: specconv.KnownMemoryPolicyModes(),
Flags: specconv.KnownMemoryPolicyFlags(),
},
MountExtensions: &features.MountExtensions{
IDMap: &features.IDMap{
Enabled: &t,
},
},
NetDevices: &features.NetDevices{
Enabled: &t,
},
},
PotentiallyUnsafeConfigAnnotations: []string{
"bundle",
"org.systemd.property.", // prefix form
"org.criu.config",
},
}
if seccomp.Enabled {
feat.Linux.Seccomp = &features.Seccomp{
Enabled: &t,
Actions: seccomp.KnownActions(),
Operators: seccomp.KnownOperators(),
Archs: seccomp.KnownArchs(),
KnownFlags: seccomp.KnownFlags(),
SupportedFlags: seccomp.SupportedFlags(),
}
major, minor, patch := seccomp.Version()
feat.Annotations[runcfeatures.AnnotationLibseccompVersion] = fmt.Sprintf("%d.%d.%d", major, minor, patch)
}
enc := json.NewEncoder(context.App.Writer)
enc.SetIndent("", " ")
return enc.Encode(feat)
},
}
+31 -23
View File
@@ -1,28 +1,36 @@
module github.com/opencontainers/runc
go 1.13
go 1.25.0
require (
github.com/checkpoint-restore/go-criu/v5 v5.0.0
github.com/cilium/ebpf v0.5.0
github.com/containerd/console v1.0.2
github.com/coreos/go-systemd/v22 v22.3.1
github.com/cyphar/filepath-securejoin v0.2.2
github.com/docker/go-units v0.4.0
github.com/godbus/dbus/v5 v5.0.4
github.com/moby/sys/mountinfo v0.4.1
github.com/mrunalp/fileutils v0.5.0
github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417
github.com/opencontainers/selinux v1.8.0
github.com/pkg/errors v0.9.1
github.com/seccomp/libseccomp-golang v0.9.1
github.com/sirupsen/logrus v1.7.0
github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635
// NOTE: urfave/cli must be <= v1.22.1 due to a regression: https://github.com/urfave/cli/issues/1092
github.com/urfave/cli v1.22.1
github.com/vishvananda/netlink v1.1.0
github.com/willf/bitset v1.1.11
golang.org/x/net v0.0.0-20201224014010-6772e930b67b
golang.org/x/sys v0.0.0-20210426230700-d19ff857e887
google.golang.org/protobuf v1.25.0
github.com/checkpoint-restore/go-criu/v7 v7.2.0
github.com/containerd/console v1.0.5
github.com/coreos/go-systemd/v22 v22.7.0
github.com/cyphar/filepath-securejoin v0.6.1
github.com/docker/go-units v0.5.0
github.com/godbus/dbus/v5 v5.2.2
github.com/moby/sys/capability v0.4.0
github.com/moby/sys/devices v0.1.0
github.com/moby/sys/mountinfo v0.7.2
github.com/moby/sys/user v0.4.0
github.com/moby/sys/userns v0.1.0
github.com/mrunalp/fileutils v0.5.1
github.com/opencontainers/cgroups v0.0.6
github.com/opencontainers/runtime-spec v1.3.0
github.com/opencontainers/selinux v1.13.1
github.com/seccomp/libseccomp-golang v0.11.1
github.com/sirupsen/logrus v1.9.4
github.com/urfave/cli v1.22.17
github.com/vishvananda/netlink v1.3.1
github.com/vishvananda/netns v0.0.5
golang.org/x/net v0.50.0
golang.org/x/sys v0.41.0
google.golang.org/protobuf v1.36.11
)
require (
cyphar.com/go-pathrs v0.2.4 // indirect
github.com/cilium/ebpf v0.17.3 // indirect
github.com/cpuguy83/go-md2man/v2 v2.0.7 // indirect
github.com/russross/blackfriday/v2 v2.1.0 // indirect
)
+93 -136
View File
@@ -1,141 +1,98 @@
cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
github.com/checkpoint-restore/go-criu/v5 v5.0.0 h1:TW8f/UvntYoVDMN1K2HlT82qH1rb0sOjpGw3m6Ym+i4=
github.com/checkpoint-restore/go-criu/v5 v5.0.0/go.mod h1:cfwC0EG7HMUenopBsUf9d89JlCLQIfgVcNsNN0t6T2M=
github.com/cilium/ebpf v0.5.0 h1:E1KshmrMEtkMP2UjlWzfmUV1owWY+BnbL5FxxuatnrU=
github.com/cilium/ebpf v0.5.0/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs=
github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
github.com/containerd/console v1.0.2 h1:Pi6D+aZXM+oUw1czuKgH5IJ+y0jhYcwBJfx5/Ghn9dE=
github.com/containerd/console v1.0.2/go.mod h1:ytZPjGgY2oeTkAONYafi2kSj0aYggsf8acV1PGKCbzQ=
github.com/coreos/go-systemd/v22 v22.3.1 h1:7OO2CXWMYNDdaAzP51t4lCCZWwpQHmvPbm9sxWjm3So=
github.com/coreos/go-systemd/v22 v22.3.1/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d h1:U+s90UTSYgptZMwQh2aRr3LuazLJIa+Pg3Kc1ylSYVY=
github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
github.com/cyphar/filepath-securejoin v0.2.2 h1:jCwT2GTP+PY5nBz3c/YL5PAIbusElVrPujOBSCj8xRg=
github.com/cyphar/filepath-securejoin v0.2.2/go.mod h1:FpkQEhXnPnOthhzymB7CGsFk2G9VLXONKD9G7QGMM+4=
cyphar.com/go-pathrs v0.2.4 h1:iD/mge36swa1UFKdINkr1Frkpp6wZsy3YYEildj9cLY=
cyphar.com/go-pathrs v0.2.4/go.mod h1:y8f1EMG7r+hCuFf/rXsKqMJrJAUoADZGNh5/vZPKcGc=
github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
github.com/checkpoint-restore/go-criu/v7 v7.2.0 h1:qGiWA4App1gGlEfIJ68WR9jbezV9J7yZdjzglezcqKo=
github.com/checkpoint-restore/go-criu/v7 v7.2.0/go.mod h1:u0LCWLg0w4yqqu14aXhiB4YD3a1qd8EcCEg7vda5dwo=
github.com/cilium/ebpf v0.17.3 h1:FnP4r16PWYSE4ux6zN+//jMcW4nMVRvuTLVTvCjyyjg=
github.com/cilium/ebpf v0.17.3/go.mod h1:G5EDHij8yiLzaqn0WjyfJHvRa+3aDlReIaLVRMvOyJk=
github.com/containerd/console v1.0.5 h1:R0ymNeydRqH2DmakFNdmjR2k0t7UPuiOV/N/27/qqsc=
github.com/containerd/console v1.0.5/go.mod h1:YynlIjWYF8myEu6sdkwKIvGQq+cOckRm6So2avqoYAk=
github.com/coreos/go-systemd/v22 v22.7.0 h1:LAEzFkke61DFROc7zNLX/WA2i5J8gYqe0rSj9KI28KA=
github.com/coreos/go-systemd/v22 v22.7.0/go.mod h1:xNUYtjHu2EDXbsxz1i41wouACIwT7Ybq9o0BQhMwD0w=
github.com/cpuguy83/go-md2man/v2 v2.0.7 h1:zbFlGlXEAKlwXpmvle3d8Oe3YnkKIK4xSRTd3sHPnBo=
github.com/cpuguy83/go-md2man/v2 v2.0.7/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
github.com/cyphar/filepath-securejoin v0.6.1 h1:5CeZ1jPXEiYt3+Z6zqprSAgSWiggmpVyciv8syjIpVE=
github.com/cyphar/filepath-securejoin v0.6.1/go.mod h1:A8hd4EnAeyujCJRrICiOWqjS1AX0a9kM5XL+NwKoYSc=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/docker/go-units v0.4.0 h1:3uh0PgVws3nIA0Q+MwDC8yjEPf9zjRfZZWXZYDct3Tw=
github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
github.com/frankban/quicktest v1.11.3 h1:8sXhOn0uLys67V8EsXLc6eszDs8VXWxL3iRvebPhedY=
github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k=
github.com/godbus/dbus/v5 v5.0.4 h1:9349emZab16e7zQvpmsbtjc18ykshndd8y2PG3sgJbA=
github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
github.com/golang/protobuf v1.4.3 h1:JjCZWpVbqXDqFVmTfYWEVTMIYrL/NPdPSCHPJ0T/raM=
github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.5.4 h1:L8R9j+yAqZuZjsqh/z+F1NCffTKKLShY6zXTItVIZ8M=
github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI=
github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
github.com/moby/sys/mountinfo v0.4.1 h1:1O+1cHA1aujwEwwVMa2Xm2l+gIpUHyd3+D+d7LZh1kM=
github.com/moby/sys/mountinfo v0.4.1/go.mod h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2JI+6q0qou+A=
github.com/mrunalp/fileutils v0.5.0 h1:NKzVxiH7eSk+OQ4M+ZYW1K6h27RUV3MI6NUTsHhU6Z4=
github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ=
github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 h1:3snG66yBm59tKhhSPQrQ/0bCrv1LQbKt40LnUPiUxdc=
github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
github.com/opencontainers/selinux v1.8.0 h1:+77ba4ar4jsCbL1GLbFL8fFM57w6suPfSS9PDLDY7KM=
github.com/opencontainers/selinux v1.8.0/go.mod h1:RScLhm78qiWa2gbVCcGkC7tCGdgk3ogry1nUQF8Evvo=
github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
github.com/go-quicktest/qt v1.101.0 h1:O1K29Txy5P2OK0dGo59b7b0LR6wKfIhttaAhHUyn7eI=
github.com/go-quicktest/qt v1.101.0/go.mod h1:14Bz/f7NwaXPtdYEgzsx46kqSxVwTbzVZsDC26tQJow=
github.com/godbus/dbus/v5 v5.2.2 h1:TUR3TgtSVDmjiXOgAAyaZbYmIeP3DPkld3jgKGV8mXQ=
github.com/godbus/dbus/v5 v5.2.2/go.mod h1:3AAv2+hPq5rdnr5txxxRwiGjPXamgoIHgz9FPBfOp3c=
github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
github.com/josharian/native v1.1.0 h1:uuaP0hAbW7Y4l0ZRQ6C9zfb7Mg1mbFKry/xzDAfmtLA=
github.com/josharian/native v1.1.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
github.com/jsimonetti/rtnetlink/v2 v2.0.1 h1:xda7qaHDSVOsADNouv7ukSuicKZO7GgVUCXxpaIEIlM=
github.com/jsimonetti/rtnetlink/v2 v2.0.1/go.mod h1:7MoNYNbb3UaDHtF8udiJo/RH6VsTKP1pqKLUTVCvToE=
github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
github.com/mdlayher/netlink v1.7.2 h1:/UtM3ofJap7Vl4QWCPDGXY8d3GIY2UGSDbK+QWmY8/g=
github.com/mdlayher/netlink v1.7.2/go.mod h1:xraEF7uJbxLhc5fpHL4cPe221LI2bdttWlU+ZGLfQSw=
github.com/mdlayher/socket v0.4.1 h1:eM9y2/jlbs1M615oshPQOHZzj6R6wMT7bX5NPiQvn2U=
github.com/mdlayher/socket v0.4.1/go.mod h1:cAqeGjoufqdxWkD7DkpyS+wcefOtmu5OQ8KuoJGIReA=
github.com/moby/sys/capability v0.4.0 h1:4D4mI6KlNtWMCM1Z/K0i7RV1FkX+DBDHKVJpCndZoHk=
github.com/moby/sys/capability v0.4.0/go.mod h1:4g9IK291rVkms3LKCDOoYlnV8xKwoDTpIrNEE35Wq0I=
github.com/moby/sys/devices v0.1.0 h1:uaMrDm1U3h0AwUDNWeT5lBV40v0eayt+VuukRbYn5K4=
github.com/moby/sys/devices v0.1.0/go.mod h1:nIV6AO7t0DY2ObAm1GfL4AX9mBRqzxzHwGfvNCR9lfI=
github.com/moby/sys/mountinfo v0.7.2 h1:1shs6aH5s4o5H2zQLn796ADW1wMrIwHsyJ2v9KouLrg=
github.com/moby/sys/mountinfo v0.7.2/go.mod h1:1YOa8w8Ih7uW0wALDUgT1dTTSBrZ+HiBLGws92L2RU4=
github.com/moby/sys/user v0.4.0 h1:jhcMKit7SA80hivmFJcbB1vqmw//wU61Zdui2eQXuMs=
github.com/moby/sys/user v0.4.0/go.mod h1:bG+tYYYJgaMtRKgEmuueC0hJEAZWwtIbZTB+85uoHjs=
github.com/moby/sys/userns v0.1.0 h1:tVLXkFOxVu9A64/yh59slHVv9ahO9UIev4JZusOLG/g=
github.com/moby/sys/userns v0.1.0/go.mod h1:IHUYgu/kao6N8YZlp9Cf444ySSvCmDlmzUcYfDHOl28=
github.com/mrunalp/fileutils v0.5.1 h1:F+S7ZlNKnrwHfSwdlgNSkKo67ReVf8o9fel6C3dkm/Q=
github.com/mrunalp/fileutils v0.5.1/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ=
github.com/opencontainers/cgroups v0.0.6 h1:tfZFWTIIGaUUFImTyuTg+Mr5x8XRiSdZESgEBW7UxuI=
github.com/opencontainers/cgroups v0.0.6/go.mod h1:oWVzJsKK0gG9SCRBfTpnn16WcGEqDI8PAcpMGbqWxcs=
github.com/opencontainers/runtime-spec v1.3.0 h1:YZupQUdctfhpZy3TM39nN9Ika5CBWT5diQ8ibYCRkxg=
github.com/opencontainers/runtime-spec v1.3.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
github.com/opencontainers/selinux v1.13.1 h1:A8nNeceYngH9Ow++M+VVEwJVpdFmrlxsN22F+ISDCJE=
github.com/opencontainers/selinux v1.13.1/go.mod h1:S10WXZ/osk2kWOYKy1x2f/eXF5ZHJoUs8UU/2caNRbg=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
github.com/russross/blackfriday/v2 v2.0.1 h1:lPqVAte+HuHNfhJ/0LC98ESWRz8afy9tM/0RK8m9o+Q=
github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
github.com/seccomp/libseccomp-golang v0.9.1 h1:NJjM5DNFOs0s3kYE1WUOr6G8V97sdt46rlXTMfXGWBo=
github.com/seccomp/libseccomp-golang v0.9.1/go.mod h1:GbW5+tmTXfcxTToHLXlScSlAvWlF4P2Ca7zGrPiEpWo=
github.com/shurcooL/sanitized_anchor_name v1.0.0 h1:PdmoCO6wvbs+7yrJyMORt4/BmY5IYyJwS/kOiWx8mHo=
github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
github.com/sirupsen/logrus v1.7.0 h1:ShrD1U9pZB12TX0cVy0DtePoCH97K8EtX+mg7ZARUtM=
github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
github.com/stretchr/testify v1.2.2 h1:bSDNvY7ZPG5RlJ8otE/7V6gMiyenm9RtJ7IUVIAoJ1w=
github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 h1:kdXcSzyDtseVEc4yCz2qF8ZrQvIDBJLl4S1c3GCXmoI=
github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
github.com/urfave/cli v1.22.1 h1:+mkCCcOFKPnCmVYVcURKps1Xe+3zP90gSYGNfRkjoIY=
github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
github.com/vishvananda/netlink v1.1.0 h1:1iyaYNBLmP6L0220aDnYQpo1QEV4t4hJ+xEEhhJH8j0=
github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE=
github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df h1:OviZH7qLw/7ZovXvuNyL3XQl8UFofeikI1NW1Gypu7k=
github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17pCcGlemwknint6hfoeCVQrEMVwxRLRjXpq+BU=
github.com/willf/bitset v1.1.11 h1:N7Z7E9UvjW+sGsEl7k/SJrvY2reP1A07MrGuCjIOjRE=
github.com/willf/bitset v1.1.11/go.mod h1:83CECat5yLh5zVOf4P1ErAgKA5UDvKtgyUABdr3+MjI=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20201224014010-6772e930b67b h1:iFwSg7t5GZmB/Q5TjiEAsdoLDrdJRC1RiF2WhuV29Qw=
golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190606203320-7fc4e5ec1444/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191115151921-52ab43148777/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200909081042-eff7692f9009/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c h1:VwygUrnw9jn88c4u8GD3rZQbqrP/tgas88tPUbBxQrk=
golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210426230700-d19ff857e887 h1:dXfMednGJh/SUUFjTLsWJz3P+TQt9qnR11GgeI3vWKs=
golang.org/x/sys v0.0.0-20210426230700-d19ff857e887/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
google.golang.org/protobuf v1.25.0 h1:Ejskq+SyPohKW+1uil0JJMtmHCgJPJ/qWTxr8qp+R4c=
google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
github.com/seccomp/libseccomp-golang v0.11.1 h1:wuk4ZjSx6kyQII4rj6G6fvVzRHQaSiPvccJazDagu4g=
github.com/seccomp/libseccomp-golang v0.11.1/go.mod h1:5m1Lk8E9OwgZTTVz4bBOer7JuazaBa+xTkM895tDiWc=
github.com/sirupsen/logrus v1.9.4 h1:TsZE7l11zFCLZnZ+teH4Umoq5BhEIfIzfRDZ1Uzql2w=
github.com/sirupsen/logrus v1.9.4/go.mod h1:ftWc9WdOfJ0a92nsE2jF5u5ZwH8Bv2zdeOC42RjbV2g=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
github.com/urfave/cli v1.22.17 h1:SYzXoiPfQjHBbkYxbew5prZHS1TOLT3ierW8SYLqtVQ=
github.com/urfave/cli v1.22.17/go.mod h1:b0ht0aqgH/6pBYzzxURyrM4xXNgsoT/n2ZzwQiEhNVo=
github.com/vishvananda/netlink v1.3.1 h1:3AEMt62VKqz90r0tmNhog0r/PpWKmrEShJU0wJW6bV0=
github.com/vishvananda/netlink v1.3.1/go.mod h1:ARtKouGSTGchR8aMwmkzC0qiNPrrWO5JS/XMVl45+b4=
github.com/vishvananda/netns v0.0.5 h1:DfiHV+j8bA32MFM7bfEunvT8IAqQ/NzSJHtcmW5zdEY=
github.com/vishvananda/netns v0.0.5/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
golang.org/x/net v0.50.0 h1:ucWh9eiCGyDR3vtzso0WMQinm2Dnt8cFMuQa9K33J60=
golang.org/x/net v0.50.0/go.mod h1:UgoSli3F/pBgdJBHCTc+tp3gmrU4XswgGRgtnwWTfyM=
golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+3 -43
View File
@@ -1,56 +1,16 @@
package main
import (
"fmt"
"os"
"runtime"
"strconv"
"github.com/opencontainers/runc/libcontainer"
"github.com/opencontainers/runc/libcontainer/logs"
_ "github.com/opencontainers/runc/libcontainer/nsenter"
"github.com/sirupsen/logrus"
"github.com/urfave/cli"
)
func init() {
if len(os.Args) > 1 && os.Args[1] == "init" {
runtime.GOMAXPROCS(1)
runtime.LockOSThread()
level := os.Getenv("_LIBCONTAINER_LOGLEVEL")
logLevel, err := logrus.ParseLevel(level)
if err != nil {
panic(fmt.Sprintf("libcontainer: failed to parse log level: %q: %v", level, err))
}
logPipeFdStr := os.Getenv("_LIBCONTAINER_LOGPIPE")
logPipeFd, err := strconv.Atoi(logPipeFdStr)
if err != nil {
panic(fmt.Sprintf("libcontainer: failed to convert environment variable _LIBCONTAINER_LOGPIPE=%s to int: %s", logPipeFdStr, err))
}
err = logs.ConfigureLogging(logs.Config{
LogPipeFd: logPipeFd,
LogFormat: "json",
LogLevel: logLevel,
})
if err != nil {
panic(fmt.Sprintf("libcontainer: failed to configure logging: %v", err))
}
logrus.Debug("child process in init()")
// This is the golang entry point for runc init, executed
// before main() but after libcontainer/nsenter's nsexec().
libcontainer.Init()
}
}
var initCommand = cli.Command{
Name: "init",
Usage: `initialize the namespaces and launch the process (do not call it outside of runc)`,
Action: func(context *cli.Context) error {
factory, _ := libcontainer.New("")
if err := factory.StartInitialization(); err != nil {
// as the error is sent back to the parent there is no need to log
// or write it to stderr because the parent process will handle this
os.Exit(1)
}
panic("libcontainer: container init failed to exec")
},
}
+134
View File
@@ -0,0 +1,134 @@
// Package cmsg provides helpers for sending and receiving SCM_RIGHTS messages
// via sockets.
package cmsg
/*
* Copyright 2016, 2017 SUSE LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
import (
"fmt"
"os"
"runtime"
"golang.org/x/sys/unix"
"github.com/opencontainers/runc/internal/linux"
)
// MaxNameLen is the maximum length of the name of a file descriptor being sent
// using SendFile. The name of the file handle returned by RecvFile will never be
// larger than this value.
const MaxNameLen = 4096
// oobSpace is the size of the oob slice required to store a single FD. Note
// that unix.UnixRights appears to make the assumption that fd is always int32,
// so sizeof(fd) = 4.
var oobSpace = unix.CmsgSpace(4)
// RecvFile waits for a file descriptor to be sent over the given AF_UNIX
// socket. The file name of the remote file descriptor will be recreated
// locally (it is sent as non-auxiliary data in the same payload).
func RecvFile(socket *os.File) (_ *os.File, Err error) {
name := make([]byte, MaxNameLen)
oob := make([]byte, oobSpace)
sockfd := socket.Fd()
var (
n, oobn int
err error
)
for {
n, oobn, _, _, err = unix.Recvmsg(int(sockfd), name, oob, unix.MSG_CMSG_CLOEXEC)
if err != unix.EINTR {
break
}
}
if err != nil {
return nil, os.NewSyscallError("recvmsg", err)
}
if n >= MaxNameLen || oobn != oobSpace {
return nil, fmt.Errorf("recvfile: incorrect number of bytes read (n=%d oobn=%d)", n, oobn)
}
// Truncate.
name = name[:n]
oob = oob[:oobn]
scms, err := unix.ParseSocketControlMessage(oob)
if err != nil {
return nil, err
}
// We cannot control how many SCM_RIGHTS we receive, and upon receiving
// them all of the descriptors are installed in our fd table, so we need to
// parse all of the SCM_RIGHTS we received in order to close all of the
// descriptors on error.
var fds []int
defer func() {
for i, fd := range fds {
if i == 0 && Err == nil {
// Only close the first one on error.
continue
}
// Always close extra ones.
_ = unix.Close(fd)
}
}()
var lastErr error
for _, scm := range scms {
if scm.Header.Type == unix.SCM_RIGHTS {
scmFds, err := unix.ParseUnixRights(&scm)
if err != nil {
lastErr = err
} else {
fds = append(fds, scmFds...)
}
}
}
if lastErr != nil {
return nil, lastErr
}
// We do this after collecting the fds to make sure we close them all when
// returning an error here.
if len(scms) != 1 {
return nil, fmt.Errorf("recvfd: number of SCMs is not 1: %d", len(scms))
}
if len(fds) != 1 {
return nil, fmt.Errorf("recvfd: number of fds is not 1: %d", len(fds))
}
return os.NewFile(uintptr(fds[0]), string(name)), nil
}
// SendFile sends a file over the given AF_UNIX socket. file.Name() is also
// included so that if the other end uses RecvFile, the file will have the same
// name information.
func SendFile(socket, file *os.File) error {
name := file.Name()
if len(name) >= MaxNameLen {
return fmt.Errorf("sendfd: filename too long: %s", name)
}
err := SendRawFd(socket, name, file.Fd())
runtime.KeepAlive(file)
return err
}
// SendRawFd sends a specific file descriptor over the given AF_UNIX socket.
func SendRawFd(socket *os.File, msg string, fd uintptr) error {
oob := unix.UnixRights(int(fd))
return linux.Sendmsg(int(socket.Fd()), []byte(msg), oob, nil, 0)
}
+3
View File
@@ -0,0 +1,3 @@
// Package linux provides minimal wrappers around Linux system calls, primarily
// to provide support for automatic EINTR-retries.
package linux
+28
View File
@@ -0,0 +1,28 @@
package linux
import (
"errors"
"golang.org/x/sys/unix"
)
// retryOnEINTR takes a function that returns an error and calls it
// until the error returned is not EINTR.
func retryOnEINTR(fn func() error) error {
for {
err := fn()
if !errors.Is(err, unix.EINTR) {
return err
}
}
}
// retryOnEINTR2 is like retryOnEINTR, but it returns 2 values.
func retryOnEINTR2[T any](fn func() (T, error)) (T, error) {
for {
val, err := fn()
if !errors.Is(err, unix.EINTR) {
return val, err
}
}
}
+138
View File
@@ -0,0 +1,138 @@
package linux
import (
"os"
"unsafe"
"golang.org/x/sys/unix"
)
// Dup3 wraps [unix.Dup3].
func Dup3(oldfd, newfd, flags int) error {
err := retryOnEINTR(func() error {
return unix.Dup3(oldfd, newfd, flags)
})
return os.NewSyscallError("dup3", err)
}
// Exec wraps [unix.Exec].
func Exec(cmd string, args, env []string) error {
err := retryOnEINTR(func() error {
return unix.Exec(cmd, args, env)
})
if err != nil {
return &os.PathError{Op: "exec", Path: cmd, Err: err}
}
return nil
}
// Getwd wraps [unix.Getwd].
func Getwd() (wd string, err error) {
wd, err = retryOnEINTR2(unix.Getwd)
return wd, os.NewSyscallError("getwd", err)
}
// Open wraps [unix.Open].
func Open(path string, mode int, perm uint32) (fd int, err error) {
fd, err = retryOnEINTR2(func() (int, error) {
return unix.Open(path, mode, perm)
})
if err != nil {
return -1, &os.PathError{Op: "open", Path: path, Err: err}
}
return fd, nil
}
// Openat wraps [unix.Openat].
func Openat(dirfd int, path string, mode int, perm uint32) (fd int, err error) {
fd, err = retryOnEINTR2(func() (int, error) {
return unix.Openat(dirfd, path, mode, perm)
})
if err != nil {
return -1, &os.PathError{Op: "openat", Path: path, Err: err}
}
return fd, nil
}
// Recvfrom wraps [unix.Recvfrom].
func Recvfrom(fd int, p []byte, flags int) (n int, from unix.Sockaddr, err error) {
err = retryOnEINTR(func() error {
n, from, err = unix.Recvfrom(fd, p, flags)
return err
})
if err != nil {
return 0, nil, os.NewSyscallError("recvfrom", err)
}
return n, from, err
}
// SchedSetaffinity wraps sched_setaffinity syscall without unix.CPUSet size limitation.
func SchedSetaffinity(pid int, buf []byte) error {
err := retryOnEINTR(func() error {
_, _, errno := unix.Syscall(
unix.SYS_SCHED_SETAFFINITY,
uintptr(pid),
uintptr(len(buf)),
uintptr((unsafe.Pointer)(&buf[0])))
if errno != 0 {
return errno
}
return nil
})
return os.NewSyscallError("sched_setaffinity", err)
}
// Sendmsg wraps [unix.Sendmsg].
func Sendmsg(fd int, p, oob []byte, to unix.Sockaddr, flags int) error {
err := retryOnEINTR(func() error {
return unix.Sendmsg(fd, p, oob, to, flags)
})
return os.NewSyscallError("sendmsg", err)
}
// SetMempolicy wraps set_mempolicy.
func SetMempolicy(mode int, mask *unix.CPUSet) error {
err := retryOnEINTR(func() error {
return unix.SetMemPolicy(mode, mask)
})
return os.NewSyscallError("set_mempolicy", err)
}
// Readlinkat wraps [unix.Readlinkat].
func Readlinkat(dir *os.File, path string) (string, error) {
size := 4096
for {
linkBuf := make([]byte, size)
n, err := retryOnEINTR2(func() (int, error) {
return unix.Readlinkat(int(dir.Fd()), path, linkBuf)
})
if err != nil {
return "", &os.PathError{Op: "readlinkat", Path: dir.Name() + "/" + path, Err: err}
}
if n != size {
return string(linkBuf[:n]), nil
}
// Possible truncation, resize the buffer.
size *= 2
}
}
// GetPtyPeer is a wrapper for ioctl(TIOCGPTPEER).
func GetPtyPeer(ptyFd uintptr, unsafePeerPath string, flags int) (*os.File, error) {
// Make sure O_NOCTTY is always set -- otherwise runc might accidentally
// gain it as a controlling terminal. O_CLOEXEC also needs to be set to
// make sure we don't leak the handle either.
flags |= unix.O_NOCTTY | unix.O_CLOEXEC
// There is no nice wrapper for this kind of ioctl in unix.
peerFd, _, errno := unix.Syscall(
unix.SYS_IOCTL,
ptyFd,
uintptr(unix.TIOCGPTPEER),
uintptr(flags),
)
if errno != 0 {
return nil, os.NewSyscallError("ioctl TIOCGPTPEER", errno)
}
return os.NewFile(peerFd, unsafePeerPath), nil
}
+23
View File
@@ -0,0 +1,23 @@
// SPDX-License-Identifier: Apache-2.0
/*
* Copyright (C) 2024-2025 Aleksa Sarai <cyphar@cyphar.com>
* Copyright (C) 2024-2025 SUSE LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
// Package pathrs provides wrappers around filepath-securejoin to add the
// minimum set of features needed from libpathrs that are not provided by
// filepath-securejoin, with the eventual goal being that these can be used to
// ease the transition by converting them stubs when enabling libpathrs builds.
package pathrs
+59
View File
@@ -0,0 +1,59 @@
// SPDX-License-Identifier: Apache-2.0
/*
* Copyright (C) 2024-2025 Aleksa Sarai <cyphar@cyphar.com>
* Copyright (C) 2024-2025 SUSE LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package pathrs
import (
"fmt"
"os"
"path/filepath"
)
func splitPath(path string) (dirPath, filename string, err error) {
dirPath, filename = filepath.Split(path)
if filepath.Join("/", filename) == "/" {
return "", "", fmt.Errorf("root subpath %q has bad trailing component %q", path, filename)
}
return dirPath, filename, nil
}
// MkdirAllParentInRoot is like [MkdirAllInRoot] except that it only creates
// the parent directory of the target path, returning the trailing component so
// the caller has more flexibility around constructing the final inode.
//
// Callers need to be very careful operating on the trailing path, as trivial
// mistakes like following symlinks can cause security bugs. Most people
// should probably just use [MkdirAllInRoot] or [CreateInRoot].
func MkdirAllParentInRoot(root *os.File, unsafePath string, mode os.FileMode) (*os.File, string, error) {
// MkdirAllInRoot also does hallucinateUnsafePath, but we need to do it
// here first because when we split unsafePath into (dir, file) components
// we want to be doing so with the hallucinated path (so that trailing
// dangling symlinks are treated correctly).
unsafePath, err := hallucinateUnsafePath(root.Name(), unsafePath)
if err != nil {
return nil, "", fmt.Errorf("failed to construct hallucinated target path: %w", err)
}
dirPath, filename, err := splitPath(unsafePath)
if err != nil {
return nil, "", fmt.Errorf("split path %q for mkdir parent: %w", unsafePath, err)
}
dirFd, err := MkdirAllInRoot(root, dirPath, mode)
return dirFd, filename, err
}
+72
View File
@@ -0,0 +1,72 @@
// SPDX-License-Identifier: Apache-2.0
/*
* Copyright (C) 2024-2025 Aleksa Sarai <cyphar@cyphar.com>
* Copyright (C) 2024-2025 SUSE LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package pathrs
import (
"fmt"
"os"
"github.com/cyphar/filepath-securejoin/pathrs-lite"
"github.com/sirupsen/logrus"
)
// MkdirAllInRoot attempts to make
//
// path, _ := securejoin.SecureJoin(root.Name(), unsafePath)
// os.MkdirAll(path, mode)
// os.Open(path)
//
// safer against attacks where components in the path are changed between
// SecureJoin returning and MkdirAll (or Open) being called. In particular, we
// try to detect any symlink components in the path while we are doing the
// MkdirAll.
//
// NOTE: If unsafePath is a subpath of root, we assume that you have already
// called SecureJoin and so we use the provided path verbatim without resolving
// any symlinks (this is done in a way that avoids symlink-exchange races).
// This means that the path also must not contain ".." elements, otherwise an
// error will occur.
//
// This uses (pathrs-lite).MkdirAllHandle under the hood, but it has special
// handling if unsafePath has already been scoped within the rootfs (this is
// needed for a lot of runc callers and fixing this would require reworking a
// lot of path logic).
func MkdirAllInRoot(root *os.File, unsafePath string, mode os.FileMode) (*os.File, error) {
unsafePath, err := hallucinateUnsafePath(root.Name(), unsafePath)
if err != nil {
return nil, fmt.Errorf("failed to construct hallucinated target path: %w", err)
}
// Check for any silly mode bits.
if mode&^0o7777 != 0 {
return nil, fmt.Errorf("tried to include non-mode bits in MkdirAll mode: 0o%.3o", mode)
}
// Linux (and thus os.MkdirAll) silently ignores the suid and sgid bits if
// passed. While it would make sense to return an error in that case (since
// the user has asked for a mode that won't be applied), for compatibility
// reasons we have to ignore these bits.
if ignoredBits := mode &^ 0o1777; ignoredBits != 0 {
logrus.Warnf("MkdirAll called with no-op mode bits that are ignored by Linux: 0o%.3o", ignoredBits)
mode &= 0o1777
}
return retryEAGAIN(func() (*os.File, error) {
return pathrs.MkdirAllHandle(root, unsafePath, mode)
})
}
+116
View File
@@ -0,0 +1,116 @@
// SPDX-License-Identifier: Apache-2.0
/*
* Copyright (C) 2024-2025 Aleksa Sarai <cyphar@cyphar.com>
* Copyright (C) 2024-2025 SUSE LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package pathrs
import (
"os"
"path/filepath"
"strings"
securejoin "github.com/cyphar/filepath-securejoin"
)
// IsLexicallyInRoot is shorthand for strings.HasPrefix(path+"/", root+"/"),
// but properly handling the case where path or root have a "/" suffix.
//
// NOTE: The return value only make sense if the path is already mostly cleaned
// (i.e., doesn't contain "..", ".", nor unneeded "/"s).
func IsLexicallyInRoot(root, path string) bool {
root = strings.TrimRight(root, "/")
path = strings.TrimRight(path, "/")
return strings.HasPrefix(path+"/", root+"/")
}
// LexicallyCleanPath makes a path safe for use with filepath.Join. This is
// done by not only cleaning the path, but also (if the path is relative)
// adding a leading '/' and cleaning it (then removing the leading '/'). This
// ensures that a path resulting from prepending another path will always
// resolve to lexically be a subdirectory of the prefixed path. This is all
// done lexically, so paths that include symlinks won't be safe as a result of
// using CleanPath.
func LexicallyCleanPath(path string) string {
// Deal with empty strings nicely.
if path == "" {
return ""
}
// Ensure that all paths are cleaned (especially problematic ones like
// "/../../../../../" which can cause lots of issues).
if filepath.IsAbs(path) {
return filepath.Clean(path)
}
// If the path isn't absolute, we need to do more processing to fix paths
// such as "../../../../<etc>/some/path". We also shouldn't convert absolute
// paths to relative ones.
path = filepath.Clean(string(os.PathSeparator) + path)
// This can't fail, as (by definition) all paths are relative to root.
path, _ = filepath.Rel(string(os.PathSeparator), path)
return path
}
// LexicallyStripRoot returns the passed path, stripping the root path if it
// was (lexicially) inside it. Note that both passed paths will always be
// treated as absolute, and the returned path will also always be absolute. In
// addition, the paths are cleaned before stripping the root.
func LexicallyStripRoot(root, path string) string {
// Make the paths clean and absolute.
root, path = LexicallyCleanPath("/"+root), LexicallyCleanPath("/"+path)
switch {
case path == root:
path = "/"
case root == "/":
// do nothing
default:
path = strings.TrimPrefix(path, root+"/")
}
return LexicallyCleanPath("/" + path)
}
// hallucinateUnsafePath creates a new unsafePath which has all symlinks
// (including dangling symlinks) fully resolved and any non-existent components
// treated as though they are real. This is effectively just a wrapper around
// [securejoin.SecureJoin] that strips the root. This path *IS NOT* safe to use
// as-is, you *MUST* operate on the returned path with pathrs-lite.
//
// The reason for this methods is that in previous runc versions, we would
// tolerate nonsense paths with dangling symlinks as path components.
// pathrs-lite does not support this, so instead we have to emulate this
// behaviour by doing SecureJoin *purely to get a semi-reasonable path to use*
// and then we use pathrs-lite to operate on the path safely.
//
// It would be quite difficult to emulate this in a race-free way in
// pathrs-lite, so instead we use [securejoin.SecureJoin] to simply produce a
// new candidate path for operations like [MkdirAllInRoot] so they can then
// operate on the new unsafePath as if it was what the user requested.
//
// If unsafePath is already lexically inside root, it is stripped before
// re-resolving it (this is done to ensure compatibility with legacy callers
// within runc that call SecureJoin before calling into pathrs).
func hallucinateUnsafePath(root, unsafePath string) (string, error) {
unsafePath = LexicallyStripRoot(root, unsafePath)
weirdPath, err := securejoin.SecureJoin(root, unsafePath)
if err != nil {
return "", err
}
unsafePath = LexicallyStripRoot(root, weirdPath)
return unsafePath, nil
}
+120
View File
@@ -0,0 +1,120 @@
// SPDX-License-Identifier: Apache-2.0
/*
* Copyright (C) 2024-2025 Aleksa Sarai <cyphar@cyphar.com>
* Copyright (C) 2024-2025 SUSE LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package pathrs
import "testing"
func TestIsLexicallyInRoot(t *testing.T) {
for _, test := range []struct {
name string
root, path string
expected bool
}{
{"Equal1", "/foo", "/foo", true},
{"Equal2", "/bar/baz", "/bar/baz", true},
{"Equal3", "/bar/baz/", "/bar/baz/", true},
{"Root", "/", "/foo/bar", true},
{"Root-Equal", "/", "/", true},
{"InRoot-Basic1", "/foo/bar", "/foo/bar/baz/abcd", true},
{"InRoot-Basic2", "/a/b/c/d", "/a/b/c/d/e/f/g/h", true},
{"InRoot-Long", "/var/lib/docker/container/1234abcde/rootfs", "/var/lib/docker/container/1234abcde/rootfs/a/b/c", true},
{"InRoot-TrailingSlash1", "/foo/bar/", "/foo/bar", true},
{"InRoot-TrailingSlash2", "/foo/", "/foo/bar/baz/boop", true},
{"NotInRoot-Basic1", "/foo", "/bar", false},
{"NotInRoot-Basic2", "/foo", "/bar", false},
{"NotInRoot-Basic3", "/foo/bar/baz", "/foo/boo/baz/abc", false},
{"NotInRoot-Long", "/var/lib/docker/container/1234abcde/rootfs", "/a/b/c", false},
{"NotInRoot-Tricky1", "/foo/bar", "/foo/bara", false},
{"NotInRoot-Tricky2", "/foo/bar", "/foo/ba/r", false},
} {
t.Run(test.name, func(t *testing.T) {
got := IsLexicallyInRoot(test.root, test.path)
if test.expected != got {
t.Errorf("IsLexicallyInRoot(%q, %q) = %v (expected %v)", test.root, test.path, got, test.expected)
}
})
}
}
func TestLexicallyCleanPath(t *testing.T) {
path := LexicallyCleanPath("")
if path != "" {
t.Errorf("expected to receive empty string and received %s", path)
}
path = LexicallyCleanPath("rootfs")
if path != "rootfs" {
t.Errorf("expected to receive 'rootfs' and received %s", path)
}
path = LexicallyCleanPath("../../../var")
if path != "var" {
t.Errorf("expected to receive 'var' and received %s", path)
}
path = LexicallyCleanPath("/../../../var")
if path != "/var" {
t.Errorf("expected to receive '/var' and received %s", path)
}
path = LexicallyCleanPath("/foo/bar/")
if path != "/foo/bar" {
t.Errorf("expected to receive '/foo/bar' and received %s", path)
}
path = LexicallyCleanPath("/foo/bar/../")
if path != "/foo" {
t.Errorf("expected to receive '/foo' and received %s", path)
}
}
func TestLexicallyStripRoot(t *testing.T) {
for _, test := range []struct {
root, path, out string
}{
// Works with multiple components.
{"/a/b", "/a/b/c", "/c"},
{"/hello/world", "/hello/world/the/quick-brown/fox", "/the/quick-brown/fox"},
// '/' must be a no-op.
{"/", "/a/b/c", "/a/b/c"},
// Must be the correct order.
{"/a/b", "/a/c/b", "/a/c/b"},
// Must be at start.
{"/abc/def", "/foo/abc/def/bar", "/foo/abc/def/bar"},
// Must be a lexical parent.
{"/foo/bar", "/foo/barSAMECOMPONENT", "/foo/barSAMECOMPONENT"},
// Must only strip the root once.
{"/foo/bar", "/foo/bar/foo/bar/baz", "/foo/bar/baz"},
// Deal with .. in a fairly sane way.
{"/foo/bar", "/foo/bar/../baz", "/foo/baz"},
{"/foo/bar", "../../../../../../foo/bar/baz", "/baz"},
{"/foo/bar", "/../../../../../../foo/bar/baz", "/baz"},
{"/foo/bar/../baz", "/foo/baz/bar", "/bar"},
{"/foo/bar/../baz", "/foo/baz/../bar/../baz/./foo", "/foo"},
// All paths are made absolute before stripping.
{"foo/bar", "/foo/bar/baz/bee", "/baz/bee"},
{"/foo/bar", "foo/bar/baz/beef", "/baz/beef"},
{"foo/bar", "foo/bar/baz/beets", "/baz/beets"},
} {
got := LexicallyStripRoot(test.root, test.path)
if got != test.out {
t.Errorf("LexicallyStripRoot(%q, %q) -- got %q, expected %q", test.root, test.path, got, test.out)
}
}
}
+108
View File
@@ -0,0 +1,108 @@
// SPDX-License-Identifier: Apache-2.0
/*
* Copyright (C) 2025 Aleksa Sarai <cyphar@cyphar.com>
* Copyright (C) 2025 SUSE LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package pathrs
import (
"fmt"
"os"
"github.com/cyphar/filepath-securejoin/pathrs-lite"
"github.com/cyphar/filepath-securejoin/pathrs-lite/procfs"
)
func procOpenReopen(openFn func(subpath string) (*os.File, error), subpath string, flags int) (*os.File, error) {
handle, err := retryEAGAIN(func() (*os.File, error) {
return openFn(subpath)
})
if err != nil {
return nil, err
}
defer handle.Close()
f, err := Reopen(handle, flags)
if err != nil {
return nil, fmt.Errorf("reopen %s: %w", handle.Name(), err)
}
return f, nil
}
// ProcSelfOpen is a wrapper around [procfs.Handle.OpenSelf] and
// [pathrs.Reopen], to let you one-shot open a procfs file with the given
// flags.
func ProcSelfOpen(subpath string, flags int) (*os.File, error) {
proc, err := retryEAGAIN(procfs.OpenProcRoot)
if err != nil {
return nil, err
}
defer proc.Close()
return procOpenReopen(proc.OpenSelf, subpath, flags)
}
// ProcPidOpen is a wrapper around [procfs.Handle.OpenPid] and [pathrs.Reopen],
// to let you one-shot open a procfs file with the given flags.
func ProcPidOpen(pid int, subpath string, flags int) (*os.File, error) {
proc, err := retryEAGAIN(procfs.OpenProcRoot)
if err != nil {
return nil, err
}
defer proc.Close()
return procOpenReopen(func(subpath string) (*os.File, error) {
return proc.OpenPid(pid, subpath)
}, subpath, flags)
}
// ProcThreadSelfOpen is a wrapper around [procfs.Handle.OpenThreadSelf] and
// [pathrs.Reopen], to let you one-shot open a procfs file with the given
// flags. The returned [procfs.ProcThreadSelfCloser] needs the same handling as
// when using pathrs-lite.
func ProcThreadSelfOpen(subpath string, flags int) (_ *os.File, _ procfs.ProcThreadSelfCloser, Err error) {
proc, err := retryEAGAIN(procfs.OpenProcRoot)
if err != nil {
return nil, nil, err
}
defer proc.Close()
handle, closer, err := retryEAGAIN2(func() (*os.File, procfs.ProcThreadSelfCloser, error) {
return proc.OpenThreadSelf(subpath)
})
if err != nil {
return nil, nil, err
}
if closer != nil {
defer func() {
if Err != nil {
closer()
}
}()
}
defer handle.Close()
f, err := Reopen(handle, flags)
if err != nil {
return nil, nil, fmt.Errorf("reopen %s: %w", handle.Name(), err)
}
return f, closer, nil
}
// Reopen is a wrapper around pathrs.Reopen.
func Reopen(file *os.File, flags int) (*os.File, error) {
return retryEAGAIN(func() (*os.File, error) {
return pathrs.Reopen(file, flags)
})
}
+66
View File
@@ -0,0 +1,66 @@
// SPDX-License-Identifier: Apache-2.0
/*
* Copyright (C) 2024-2025 Aleksa Sarai <cyphar@cyphar.com>
* Copyright (C) 2024-2025 SUSE LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package pathrs
import (
"errors"
"fmt"
"time"
"golang.org/x/sys/unix"
)
// Based on >50k tests running "runc run" on a 16-core system with very heavy
// rename(2) load, the single longest latency caused by -EAGAIN retries was
// ~800us (with the vast majority being closer to 400us). So, a 2ms limit
// should give more than enough headroom for any real system in practice.
const retryDeadline = 2 * time.Millisecond
// retryEAGAIN is a top-level retry loop for pathrs to try to returning
// spurious errors in most normal user cases when using openat2 (libpathrs
// itself does up to 128 retries already, but this method takes a
// wallclock-deadline approach to simply retry until a timer elapses).
func retryEAGAIN[T any](fn func() (T, error)) (T, error) {
deadline := time.After(retryDeadline)
for {
v, err := fn()
if !errors.Is(err, unix.EAGAIN) {
return v, err
}
select {
case <-deadline:
return *new(T), fmt.Errorf("%v retry deadline exceeded: %w", retryDeadline, err)
default:
// retry
}
}
}
// retryEAGAIN2 is like retryEAGAIN except it returns two values.
func retryEAGAIN2[T1, T2 any](fn func() (T1, T2, error)) (T1, T2, error) {
type ret struct {
v1 T1
v2 T2
}
v, err := retryEAGAIN(func() (ret, error) {
v1, v2, err := fn()
return ret{v1: v1, v2: v2}, err
})
return v.v1, v.v2, err
}
+112
View File
@@ -0,0 +1,112 @@
// SPDX-License-Identifier: Apache-2.0
/*
* Copyright (C) 2024-2025 Aleksa Sarai <cyphar@cyphar.com>
* Copyright (C) 2024-2025 SUSE LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package pathrs
import (
"fmt"
"os"
"path/filepath"
"github.com/cyphar/filepath-securejoin/pathrs-lite"
"golang.org/x/sys/unix"
"github.com/opencontainers/runc/internal/linux"
)
// OpenInRoot opens the given path inside the root with the provided flags. It
// is effectively shorthand for [securejoin.OpenatInRoot] followed by
// [securejoin.Reopen].
func OpenInRoot(root *os.File, subpath string, flags int) (*os.File, error) {
handle, err := retryEAGAIN(func() (*os.File, error) {
return pathrs.OpenatInRoot(root, subpath)
})
if err != nil {
return nil, err
}
defer handle.Close()
return Reopen(handle, flags)
}
// CreateInRoot creates a new file inside a root (as well as any missing parent
// directories) and returns a handle to said file. This effectively has
// open(O_CREAT|O_NOFOLLOW) semantics. If you want the creation to use O_EXCL,
// include it in the passed flags. The fileMode argument uses unix.* mode bits,
// *not* os.FileMode.
func CreateInRoot(root *os.File, subpath string, flags int, fileMode uint32) (*os.File, error) {
dirFd, filename, err := MkdirAllParentInRoot(root, subpath, 0o755)
if err != nil {
return nil, err
}
defer dirFd.Close()
// We know that the filename does not have any "/" components, and that
// dirFd is inside the root. O_NOFOLLOW will stop us from following
// trailing symlinks, so this is safe to do. libpathrs's Root::create_file
// works the same way.
flags |= unix.O_CREAT | unix.O_NOFOLLOW
fd, err := linux.Openat(int(dirFd.Fd()), filename, flags, fileMode)
if err != nil {
return nil, err
}
return os.NewFile(uintptr(fd), root.Name()+"/"+subpath), nil
}
// UnlinkInRoot deletes the inode specified at the given subpath. If you pass
// [unix.AT_REMOVEDIR] it will remove directories, otherwise it will remove
// non-directory inodes.
func UnlinkInRoot(root *os.File, subpath string, flags int) error {
dirPath, filename, err := splitPath(subpath)
if err != nil {
return fmt.Errorf("split path %q for unlink: %w", subpath, err)
}
dirFd := root
if filepath.Join("/", dirPath) != "/" {
newDirFd, err := OpenInRoot(root, dirPath, unix.O_DIRECTORY|unix.O_PATH)
if err != nil {
return fmt.Errorf("failed to open parent directory %q for unlink: %w", dirPath, err)
}
dirFd = newDirFd
defer dirFd.Close()
}
err = unix.Unlinkat(int(dirFd.Fd()), filename, flags)
if err != nil {
err = &os.PathError{Op: "unlinkat", Path: dirFd.Name() + "/" + filename, Err: err}
}
return err
}
// SymlinkInRoot creates a symlink inside a root with the given target (as well
// as creating any missing parent directories). If the subpath already exists,
// an error is returned.
func SymlinkInRoot(linktarget string, root *os.File, subpath string) error {
dirFd, filename, err := MkdirAllParentInRoot(root, subpath, 0o755)
if err != nil {
return err
}
defer dirFd.Close()
err = unix.Symlinkat(linktarget, int(dirFd.Fd()), filename)
if err != nil {
err = &os.PathError{Op: "symlinkat", Path: dirFd.Name() + "/" + filename, Err: err}
}
return err
}
+5
View File
@@ -0,0 +1,5 @@
// Package sys is an internal package that contains helper methods for dealing
// with Linux that are more complicated than basic wrappers. Basic wrappers
// usually belong in internal/linux. If you feel something belongs in
// libcontainer/utils or libcontainer/system, it probably belongs here instead.
package sys
+53
View File
@@ -0,0 +1,53 @@
package sys
import (
"fmt"
"os"
"runtime"
"strconv"
"golang.org/x/sys/unix"
"github.com/opencontainers/runc/internal/pathrs"
)
// FchmodFile is a wrapper around fchmodat2(AT_EMPTY_PATH) with fallbacks for
// older kernels. This is distinct from [File.Chmod] and [unix.Fchmod] in that
// it works on O_PATH file descriptors.
func FchmodFile(f *os.File, mode uint32) error {
err := unix.Fchmodat(int(f.Fd()), "", mode, unix.AT_EMPTY_PATH)
// If fchmodat2(2) is not available at all, golang.org/x/unix (probably
// in order to mirror glibc) returns EOPNOTSUPP rather than EINVAL
// (what the kernel actually returns for invalid flags, which is being
// emulated) or ENOSYS (which is what glibc actually sees).
if err != unix.EINVAL && err != unix.EOPNOTSUPP { //nolint:errorlint // unix errors are bare
// err == nil is implicitly handled
return os.NewSyscallError("fchmodat2 AT_EMPTY_PATH", err)
}
// AT_EMPTY_PATH support was added to fchmodat2 in Linux 6.6
// (5daeb41a6fc9d0d81cb2291884b7410e062d8fa1). The alternative for
// older kernels is to go through /proc.
fdDir, closer, err2 := pathrs.ProcThreadSelfOpen("fd/", unix.O_DIRECTORY)
if err2 != nil {
return fmt.Errorf("fchmodat2 AT_EMPTY_PATH fallback: %w", err2)
}
defer closer()
defer fdDir.Close()
err = unix.Fchmodat(int(fdDir.Fd()), strconv.Itoa(int(f.Fd())), mode, 0)
if err != nil {
err = fmt.Errorf("fchmodat /proc/self/fd/%d: %w", f.Fd(), err)
}
runtime.KeepAlive(f)
return err
}
// FchownFile is a wrapper around fchownat(AT_EMPTY_PATH). This is distinct
// from [File.Chown] and [unix.Fchown] in that it works on O_PATH file
// descriptors.
func FchownFile(f *os.File, uid, gid int) error {
err := unix.Fchownat(int(f.Fd()), "", uid, gid, unix.AT_EMPTY_PATH)
runtime.KeepAlive(f)
return os.NewSyscallError("fchownat AT_EMPTY_PATH", err)
}
+50
View File
@@ -0,0 +1,50 @@
package sys
import (
"fmt"
"os"
"strings"
"golang.org/x/sys/unix"
"github.com/cyphar/filepath-securejoin/pathrs-lite"
"github.com/cyphar/filepath-securejoin/pathrs-lite/procfs"
)
func procfsOpenRoot(proc *procfs.Handle, subpath string, flags int) (*os.File, error) {
handle, err := proc.OpenRoot(subpath)
if err != nil {
return nil, err
}
defer handle.Close()
return pathrs.Reopen(handle, flags)
}
// WriteSysctls sets the given sysctls to the requested values.
func WriteSysctls(sysctls map[string]string) error {
// We are going to write multiple sysctls, which require writing to an
// unmasked procfs which is not going to be cached. To avoid creating a new
// procfs instance for each one, just allocate one handle for all of them.
proc, err := procfs.OpenUnsafeProcRoot()
if err != nil {
return err
}
defer proc.Close()
for key, value := range sysctls {
keyPath := strings.ReplaceAll(key, ".", "/")
sysctlFile, err := procfsOpenRoot(proc, "sys/"+keyPath, unix.O_WRONLY|unix.O_TRUNC|unix.O_CLOEXEC)
if err != nil {
return fmt.Errorf("open sysctl %s file: %w", key, err)
}
defer sysctlFile.Close()
_, err = sysctlFile.WriteString(value)
if err != nil {
return fmt.Errorf("failed to write sysctl %s = %q: %w", key, value, err)
}
}
return nil
}
+30
View File
@@ -0,0 +1,30 @@
package sys
import (
"fmt"
"os"
"runtime"
"golang.org/x/sys/unix"
)
// VerifyInodeFunc is the callback passed to [VerifyInode] to check if the
// inode is the expected type (and on the correct filesystem type, in the case
// of filesystem-specific inodes).
type VerifyInodeFunc func(stat *unix.Stat_t, statfs *unix.Statfs_t) error
// VerifyInode verifies that the underlying inode for the given file matches an
// expected inode type (possibly on a particular kind of filesystem). This is
// mainly a wrapper around [VerifyInodeFunc].
func VerifyInode(file *os.File, checkFunc VerifyInodeFunc) error {
var stat unix.Stat_t
if err := unix.Fstat(int(file.Fd()), &stat); err != nil {
return fmt.Errorf("fstat %q: %w", file.Name(), err)
}
var statfs unix.Statfs_t
if err := unix.Fstatfs(int(file.Fd()), &statfs); err != nil {
return fmt.Errorf("fstatfs %q: %w", file.Name(), err)
}
runtime.KeepAlive(file)
return checkFunc(&stat, &statfs)
}
@@ -12,9 +12,13 @@
// See the License for the specific language governing permissions and
// limitations under the License.
// +build !windows
//go:build !windows
// Package activation implements primitives for systemd socket activation.
//
// It is a partial copy of https://github.com/coreos/go-systemd/v22/activation
// (https://github.com/coreos/go-systemd/blob/ce60782c0aabb616faa8e60f91e639d91f631e99/activation/files_unix.go),
// to avoid bringing in crypto/tls dependency.
package activation
import (
@@ -29,26 +33,18 @@ const (
listenFdsStart = 3
)
// Files returns a slice containing a `os.File` object for each
// Files returns a slice containing a os.File object for each
// file descriptor passed to this process via systemd fd-passing protocol.
//
// The order of the file descriptors is preserved in the returned slice.
// `unsetEnv` is typically set to `true` in order to avoid clashes in
// fd usage and to avoid leaking environment flags to child processes.
func Files(unsetEnv bool) []*os.File {
if unsetEnv {
defer os.Unsetenv("LISTEN_PID")
defer os.Unsetenv("LISTEN_FDS")
defer os.Unsetenv("LISTEN_FDNAMES")
}
func Files() []*os.File {
pid, err := strconv.Atoi(os.Getenv("LISTEN_PID"))
if err != nil || pid != os.Getpid() {
return nil
}
nfds, err := strconv.Atoi(os.Getenv("LISTEN_FDS"))
if err != nil || nfds == 0 {
if err != nil || nfds <= 0 {
return nil
}
+10 -5
View File
@@ -1,12 +1,12 @@
// +build linux
package main
import (
"errors"
"fmt"
"strconv"
"strings"
"github.com/opencontainers/runc/libcontainer"
"github.com/urfave/cli"
"golang.org/x/sys/unix"
)
@@ -26,8 +26,9 @@ signal to the init process of the "ubuntu01" container:
# runc kill ubuntu01 KILL`,
Flags: []cli.Flag{
cli.BoolFlag{
Name: "all, a",
Usage: "send the specified signal to all processes inside the container",
Name: "all, a",
Usage: "(obsoleted, do not use)",
Hidden: true,
},
},
Action: func(context *cli.Context) error {
@@ -51,7 +52,11 @@ signal to the init process of the "ubuntu01" container:
if err != nil {
return err
}
return container.Signal(signal, context.Bool("all"))
err = container.Signal(signal)
if errors.Is(err, libcontainer.ErrNotRunning) && context.Bool("all") {
err = nil
}
return err
},
}
+11 -295
View File
@@ -1,6 +1,6 @@
# libcontainer
[![GoDoc](https://godoc.org/github.com/opencontainers/runc/libcontainer?status.svg)](https://godoc.org/github.com/opencontainers/runc/libcontainer)
[![Go Reference](https://pkg.go.dev/badge/github.com/opencontainers/runc/libcontainer.svg)](https://pkg.go.dev/github.com/opencontainers/runc/libcontainer)
Libcontainer provides a native Go implementation for creating containers
with namespaces, cgroups, capabilities, and filesystem access controls.
@@ -8,11 +8,15 @@ It allows you to manage the lifecycle of the container performing additional ope
after the container is created.
#### Container
## Container
A container is a self contained execution environment that shares the kernel of the
host system and which is (optionally) isolated from other containers in the system.
#### Using libcontainer
## Using libcontainer
For a brief overview of using libcontainer, see [example_test.go](example_test.go).
### Container init
Because containers are spawned in a two step process you will need a binary that
will be executed as the init process for the container. In libcontainer, we use
@@ -21,300 +25,12 @@ arg "init", we call the first step process "bootstrap", so you always need a "in
function as the entry of "bootstrap".
In addition to the go init function the early stage bootstrap is handled by importing
[nsenter](https://github.com/opencontainers/runc/blob/master/libcontainer/nsenter/README.md).
[nsenter](../nsenter/README.md).
```go
import (
_ "github.com/opencontainers/runc/libcontainer/nsenter"
)
For details on how runc implements such "init", see
[../init.go](../init.go) and [init_linux.go](init_linux.go).
func init() {
if len(os.Args) > 1 && os.Args[1] == "init" {
runtime.GOMAXPROCS(1)
runtime.LockOSThread()
factory, _ := libcontainer.New("")
if err := factory.StartInitialization(); err != nil {
logrus.Fatal(err)
}
panic("--this line should have never been executed, congratulations--")
}
}
```
Then to create a container you first have to initialize an instance of a factory
that will handle the creation and initialization for a container.
```go
factory, err := libcontainer.New("/var/lib/container", libcontainer.Cgroupfs, libcontainer.InitArgs(os.Args[0], "init"))
if err != nil {
logrus.Fatal(err)
return
}
```
Once you have an instance of the factory created we can create a configuration
struct describing how the container is to be created. A sample would look similar to this:
```go
defaultMountFlags := unix.MS_NOEXEC | unix.MS_NOSUID | unix.MS_NODEV
var devices []*configs.DeviceRule
for _, device := range specconv.AllowedDevices {
devices = append(devices, &device.Rule)
}
config := &configs.Config{
Rootfs: "/your/path/to/rootfs",
Capabilities: &configs.Capabilities{
Bounding: []string{
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE",
},
Effective: []string{
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE",
},
Inheritable: []string{
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE",
},
Permitted: []string{
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE",
},
Ambient: []string{
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE",
},
},
Namespaces: configs.Namespaces([]configs.Namespace{
{Type: configs.NEWNS},
{Type: configs.NEWUTS},
{Type: configs.NEWIPC},
{Type: configs.NEWPID},
{Type: configs.NEWUSER},
{Type: configs.NEWNET},
{Type: configs.NEWCGROUP},
}),
Cgroups: &configs.Cgroup{
Name: "test-container",
Parent: "system",
Resources: &configs.Resources{
MemorySwappiness: nil,
Devices: devices,
},
},
MaskPaths: []string{
"/proc/kcore",
"/sys/firmware",
},
ReadonlyPaths: []string{
"/proc/sys", "/proc/sysrq-trigger", "/proc/irq", "/proc/bus",
},
Devices: specconv.AllowedDevices,
Hostname: "testing",
Mounts: []*configs.Mount{
{
Source: "proc",
Destination: "/proc",
Device: "proc",
Flags: defaultMountFlags,
},
{
Source: "tmpfs",
Destination: "/dev",
Device: "tmpfs",
Flags: unix.MS_NOSUID | unix.MS_STRICTATIME,
Data: "mode=755",
},
{
Source: "devpts",
Destination: "/dev/pts",
Device: "devpts",
Flags: unix.MS_NOSUID | unix.MS_NOEXEC,
Data: "newinstance,ptmxmode=0666,mode=0620,gid=5",
},
{
Device: "tmpfs",
Source: "shm",
Destination: "/dev/shm",
Data: "mode=1777,size=65536k",
Flags: defaultMountFlags,
},
{
Source: "mqueue",
Destination: "/dev/mqueue",
Device: "mqueue",
Flags: defaultMountFlags,
},
{
Source: "sysfs",
Destination: "/sys",
Device: "sysfs",
Flags: defaultMountFlags | unix.MS_RDONLY,
},
},
UidMappings: []configs.IDMap{
{
ContainerID: 0,
HostID: 1000,
Size: 65536,
},
},
GidMappings: []configs.IDMap{
{
ContainerID: 0,
HostID: 1000,
Size: 65536,
},
},
Networks: []*configs.Network{
{
Type: "loopback",
Address: "127.0.0.1/0",
Gateway: "localhost",
},
},
Rlimits: []configs.Rlimit{
{
Type: unix.RLIMIT_NOFILE,
Hard: uint64(1025),
Soft: uint64(1025),
},
},
}
```
Once you have the configuration populated you can create a container:
```go
container, err := factory.Create("container-id", config)
if err != nil {
logrus.Fatal(err)
return
}
```
To spawn bash as the initial process inside the container and have the
processes pid returned in order to wait, signal, or kill the process:
```go
process := &libcontainer.Process{
Args: []string{"/bin/bash"},
Env: []string{"PATH=/bin"},
User: "daemon",
Stdin: os.Stdin,
Stdout: os.Stdout,
Stderr: os.Stderr,
Init: true,
}
err := container.Run(process)
if err != nil {
container.Destroy()
logrus.Fatal(err)
return
}
// wait for the process to finish.
_, err := process.Wait()
if err != nil {
logrus.Fatal(err)
}
// destroy the container.
container.Destroy()
```
Additional ways to interact with a running container are:
```go
// return all the pids for all processes running inside the container.
processes, err := container.Processes()
// get detailed cpu, memory, io, and network statistics for the container and
// it's processes.
stats, err := container.Stats()
// pause all processes inside the container.
container.Pause()
// resume all paused processes.
container.Resume()
// send signal to container's init process.
container.Signal(signal)
// update container resource constraints.
container.Set(config)
// get current status of the container.
status, err := container.Status()
// get current container's state information.
state, err := container.State()
```
#### Checkpoint & Restore
## Checkpoint & Restore
libcontainer now integrates [CRIU](http://criu.org/) for checkpointing and restoring containers.
This lets you save the state of a process running inside a container to disk, and then restore
+45 -27
View File
@@ -2,7 +2,7 @@
This is the standard configuration for version 1 containers. It includes
namespaces, standard filesystem setup, a default Linux capability set, and
information about resource reservations. It also has information about any
information about resource reservations. It also has information about any
populated environment settings for the processes running inside a container.
Along with the configuration of how a container is created the standard also
@@ -42,10 +42,10 @@ the binaries and system libraries are local to that directory. Any binaries
to be executed must be contained within this rootfs.
Mounts that happen inside the container are automatically cleaned up when the
container exits as the mount namespace is destroyed and the kernel will
container exits as the mount namespace is destroyed and the kernel will
unmount all the mounts that were setup within that namespace.
For a container to execute properly there are certain filesystems that
For a container to execute properly there are certain filesystems that
are required to be mounted within the rootfs that the runtime will setup.
| Path | Type | Flags | Data |
@@ -58,7 +58,7 @@ are required to be mounted within the rootfs that the runtime will setup.
| /sys | sysfs | MS_NOEXEC,MS_NOSUID,MS_NODEV,MS_RDONLY | |
After a container's filesystems are mounted within the newly created
After a container's filesystems are mounted within the newly created
mount namespace `/dev` will need to be populated with a set of device nodes.
It is expected that a rootfs does not need to have any device nodes specified
for `/dev` within the rootfs as the container will setup the correct devices
@@ -76,25 +76,25 @@ that are required for executing a container's process.
**ptmx**
`/dev/ptmx` will need to be a symlink to the host's `/dev/ptmx` within
the container.
the container.
The use of a pseudo TTY is optional within a container and it should support both.
If a pseudo is provided to the container `/dev/console` will need to be
If a pseudo is provided to the container `/dev/console` will need to be
setup by binding the console in `/dev/` after it has been populated and mounted
in tmpfs.
| Source | Destination | UID GID | Mode | Type |
| --------------- | ------------ | ------- | ---- | ---- |
| *pty host path* | /dev/console | 0 0 | 0600 | bind |
| *pty host path* | /dev/console | 0 0 | 0600 | bind |
After `/dev/null` has been setup we check for any external links between
the container's io, STDIN, STDOUT, STDERR. If the container's io is pointing
to `/dev/null` outside the container we close and `dup2` the `/dev/null`
to `/dev/null` outside the container we close and `dup2` the `/dev/null`
that is local to the container's rootfs.
After the container has `/proc` mounted a few standard symlinks are setup
After the container has `/proc` mounted a few standard symlinks are setup
within `/dev/` for the io.
| Source | Destination |
@@ -104,7 +104,7 @@ within `/dev/` for the io.
| /proc/self/fd/1 | /dev/stdout |
| /proc/self/fd/2 | /dev/stderr |
A `pivot_root` is used to change the root for the process, effectively
A `pivot_root` is used to change the root for the process, effectively
jailing the process inside the rootfs.
```c
@@ -151,7 +151,7 @@ so that containers can be paused and resumed.
The parent process of the container's init must place the init pid inside
the correct cgroups before the initialization begins. This is done so
that no processes or threads escape the cgroups. This sync is
that no processes or threads escape the cgroups. This sync is
done via a pipe ( specified in the runtime section below ) that the container's
init process will block waiting for the parent to finish setup.
@@ -263,7 +263,7 @@ For example, on a two-socket machine, the schema line could be
"MB:0=5000;1=7000" which means 5000 MBps memory bandwidth limit on socket 0
and 7000 MBps memory bandwidth limit on socket 1.
For more information about Intel RDT kernel interface:
For more information about Intel RDT kernel interface:
https://www.kernel.org/doc/Documentation/x86/intel_rdt_ui.txt
```
@@ -285,7 +285,7 @@ maximum memory bandwidth of 20% on socket 0 and 70% on socket 1.
}
```
### Security
### Security
The standard set of Linux capabilities that are set in a container
provide a good default for security and flexibility for the applications.
@@ -335,8 +335,8 @@ provide a good default for security and flexibility for the applications.
Additional security layers like [apparmor](https://wiki.ubuntu.com/AppArmor)
and [selinux](http://selinuxproject.org/page/Main_Page) can be used with
the containers. A container should support setting an apparmor profile or
selinux process and mount labels if provided in the configuration.
the containers. A container should support setting an apparmor profile or
selinux process and mount labels if provided in the configuration.
Standard apparmor profile:
```c
@@ -367,21 +367,39 @@ profile <profile_name> flags=(attach_disconnected,mediate_deleted) {
}
```
*TODO: seccomp work is being done to find a good default config*
[seccomp](https://en.wikipedia.org/wiki/Seccomp) can be used to apply filters
to the system calls used in a container. The set of filter expressions allows
you to match against syscall numbers (automatically resolved from syscall
names) and apply various comparison operators to syscall arguments.
When a filter rule matches, the associated action is executed - such as killing
the process or thread, returning an errno value without executing the syscall,
forwarding the request to a user-space agent to handle, emitting a log entry,
or permitting the syscall to execute.
The primary use-case is to provide an explicit allow-list of syscalls for a
container, to reduce the kernel API attack surface exposed to the container.
Historically, seccomp has protected containers against various kernel 0-day
vulnerabilities, so a strong seccomp filter is highly recommended.
libcontainer does not provide a default filter, but higher-level
runtimes tend to define their own filters for use with runc (see
[oci-runtime-seccomp](https://github.com/opencontainers/runtime-spec/blob/v1.2.1/config-linux.md#seccomp)
for more information on how to write your own filters).
### Runtime and Init Process
During container creation the parent process needs to talk to the container's init
During container creation the parent process needs to talk to the container's init
process and have a form of synchronization. This is accomplished by creating
a pipe that is passed to the container's init. When the init process first spawns
a pipe that is passed to the container's init. When the init process first spawns
it will block on its side of the pipe until the parent closes its side. This
allows the parent to have time to set the new process inside a cgroup hierarchy
and/or write any uid/gid mappings required for user namespaces.
allows the parent to have time to set the new process inside a cgroup hierarchy
and/or write any uid/gid mappings required for user namespaces.
The pipe is passed to the init process via FD 3.
The application consuming libcontainer should be compiled statically. libcontainer
does not define any init process and the arguments provided are used to `exec` the
process inside the application. There should be no long running init within the
process inside the application. There should be no long running init within the
container spec.
If a pseudo tty is provided to a container it will open and `dup2` the console
@@ -391,10 +409,10 @@ as `/dev/console`.
An extra set of mounts are provided to a container and setup for use. A container's
rootfs can contain some non portable files inside that can cause side effects during
execution of a process. These files are usually created and populated with the container
specific information via the runtime.
specific information via the runtime.
**Extra runtime files:**
* /etc/hosts
* /etc/hosts
* /etc/resolv.conf
* /etc/hostname
* /etc/localtime
@@ -407,7 +425,7 @@ these apply to processes within a container.
| Type | Value |
| ------------------- | ------------------------------ |
| Parent Death Signal | SIGKILL |
| Parent Death Signal | SIGKILL |
| UID | 0 |
| GID | 0 |
| GROUPS | 0, NULL |
@@ -420,15 +438,15 @@ these apply to processes within a container.
## Actions
After a container is created there is a standard set of actions that can
be done to the container. These actions are part of the public API for
be done to the container. These actions are part of the public API for
a container.
| Action | Description |
| -------------- | ------------------------------------------------------------------ |
| Get processes | Return all the pids for processes running inside a container |
| Get processes | Return all the pids for processes running inside a container |
| Get Stats | Return resource statistics for the container as a whole |
| Wait | Waits on the container's init process ( pid 1 ) |
| Wait Process | Wait on any of the container's processes returning the exit status |
| Wait Process | Wait on any of the container's processes returning the exit status |
| Destroy | Kill the container's init process and remove any filesystem state |
| Signal | Send a signal to the container's init process |
| Signal Process | Send a signal to any of the container's processes |
+21
View File
@@ -0,0 +1,21 @@
// Package apparmor provides a minimal set of helpers to configure the AppArmor
// profile of the current process, effectively acting as a very stripped-down
// version of libapparmor.
package apparmor
import "errors"
// IsEnabled returns true if apparmor is enabled for the host.
func IsEnabled() bool {
return isEnabled()
}
// ApplyProfile will apply the profile with the specified name to the process
// after the next exec. It is only supported on Linux and produces an
// [ErrApparmorNotEnabled] on other platforms.
func ApplyProfile(name string) error {
return applyProfile(name)
}
// ErrApparmorNotEnabled indicates that AppArmor is not enabled or not supported.
var ErrApparmorNotEnabled = errors.New("apparmor: config provided but apparmor not supported")
+20 -20
View File
@@ -3,11 +3,12 @@ package apparmor
import (
"errors"
"fmt"
"io/ioutil"
"os"
"sync"
"github.com/opencontainers/runc/libcontainer/utils"
"golang.org/x/sys/unix"
"github.com/opencontainers/runc/internal/pathrs"
)
var (
@@ -15,11 +16,11 @@ var (
checkAppArmor sync.Once
)
// IsEnabled returns true if apparmor is enabled for the host.
func IsEnabled() bool {
// isEnabled returns true if apparmor is enabled for the host.
func isEnabled() bool {
checkAppArmor.Do(func() {
if _, err := os.Stat("/sys/kernel/security/apparmor"); err == nil {
buf, err := ioutil.ReadFile("/sys/module/apparmor/parameters/enabled")
buf, err := os.ReadFile("/sys/module/apparmor/parameters/enabled")
appArmorEnabled = err == nil && len(buf) > 1 && buf[0] == 'Y'
}
})
@@ -27,39 +28,38 @@ func IsEnabled() bool {
}
func setProcAttr(attr, value string) error {
// Under AppArmor you can only change your own attr, so use /proc/self/
// instead of /proc/<tid>/ like libapparmor does
attrPath := "/proc/self/attr/apparmor/" + attr
if _, err := os.Stat(attrPath); errors.Is(err, os.ErrNotExist) {
attr = pathrs.LexicallyCleanPath(attr)
attrSubPath := "attr/apparmor/" + attr
if _, err := os.Stat("/proc/self/" + attrSubPath); errors.Is(err, os.ErrNotExist) {
// fall back to the old convention
attrPath = "/proc/self/attr/" + attr
attrSubPath = "attr/" + attr
}
f, err := os.OpenFile(attrPath, os.O_WRONLY, 0)
// Under AppArmor you can only change your own attr, so there's no reason
// to not use /proc/thread-self/ (instead of /proc/<tid>/, like libapparmor
// does).
f, closer, err := pathrs.ProcThreadSelfOpen(attrSubPath, unix.O_WRONLY|unix.O_CLOEXEC)
if err != nil {
return err
}
defer closer()
defer f.Close()
if err := utils.EnsureProcHandle(f); err != nil {
return err
}
_, err = f.WriteString(value)
return err
}
// changeOnExec reimplements aa_change_onexec from libapparmor in Go
// changeOnExec reimplements aa_change_onexec from libapparmor in Go.
func changeOnExec(name string) error {
if err := setProcAttr("exec", "exec "+name); err != nil {
return fmt.Errorf("apparmor failed to apply profile: %s", err)
return fmt.Errorf("apparmor failed to apply profile: %w", err)
}
return nil
}
// ApplyProfile will apply the profile with the specified name to the process after
// the next exec.
func ApplyProfile(name string) error {
// applyProfile will apply the profile with the specified name to the process
// after the next exec.
func applyProfile(name string) error {
if name == "" {
return nil
}
@@ -1,18 +1,12 @@
// +build !linux
//go:build !linux
package apparmor
import (
"errors"
)
var ErrApparmorNotEnabled = errors.New("apparmor: config provided but apparmor not supported")
func IsEnabled() bool {
func isEnabled() bool {
return false
}
func ApplyProfile(name string) error {
func applyProfile(name string) error {
if name != "" {
return ErrApparmorNotEnabled
}
+83 -44
View File
@@ -1,48 +1,62 @@
// +build linux
//go:build linux
// Package capabilities provides helpers for managing Linux capabilities.
package capabilities
import (
"sort"
"errors"
"fmt"
"maps"
"slices"
"strings"
"sync"
"syscall"
"github.com/moby/sys/capability"
"github.com/opencontainers/runc/libcontainer/configs"
"github.com/sirupsen/logrus"
"github.com/syndtr/gocapability/capability"
)
const allCapabilityTypes = capability.CAPS | capability.BOUNDING | capability.AMBIENT
func capToStr(c capability.Cap) string {
return "CAP_" + strings.ToUpper(c.String())
}
var (
capabilityMap map[string]capability.Cap
capTypes = []capability.CapType{
capability.BOUNDING,
capability.PERMITTED,
capability.INHERITABLE,
capability.EFFECTIVE,
capability.AMBIENT,
var capMap = sync.OnceValues(func() (map[string]capability.Cap, error) {
list, err := capability.ListSupported()
if err != nil {
return nil, err
}
)
cm := make(map[string]capability.Cap, len(list))
for _, c := range list {
cm[capToStr(c)] = c
}
return cm, nil
})
func init() {
capabilityMap = make(map[string]capability.Cap, capability.CAP_LAST_CAP+1)
for _, c := range capability.List() {
if c > capability.CAP_LAST_CAP {
continue
}
capabilityMap["CAP_"+strings.ToUpper(c.String())] = c
// KnownCapabilities returns the list of the known capabilities.
// Used by `runc features`.
func KnownCapabilities() []string {
list := capability.ListKnown()
res := make([]string, len(list))
for i, c := range list {
res[i] = "CAP_" + strings.ToUpper(c.String())
}
return res
}
// New creates a new Caps from the given Capabilities config. Unknown Capabilities
// or Capabilities that are unavailable in the current environment are ignored,
// printing a warning instead.
func New(capConfig *configs.Capabilities) (*Caps, error) {
var (
err error
c Caps
)
var c Caps
if capConfig == nil {
return &c, nil
}
_, err := capMap()
if err != nil {
return nil, err
}
unknownCaps := make(map[string]struct{})
c.caps = map[capability.CapType][]capability.Cap{
capability.BOUNDING: capSlice(capConfig.Bounding, unknownCaps),
@@ -54,11 +68,8 @@ func New(capConfig *configs.Capabilities) (*Caps, error) {
if c.pid, err = capability.NewPid2(0); err != nil {
return nil, err
}
if err = c.pid.Load(); err != nil {
return nil, err
}
if len(unknownCaps) > 0 {
logrus.Warn("ignoring unknown or unavailable capabilities: ", mapKeys(unknownCaps))
logrus.Warn("ignoring unknown or unavailable capabilities: ", slices.Sorted(maps.Keys(unknownCaps)))
}
return &c, nil
}
@@ -67,9 +78,10 @@ func New(capConfig *configs.Capabilities) (*Caps, error) {
// equivalent, and returns them as a slice. Unknown or unavailable capabilities
// are not returned, but appended to unknownCaps.
func capSlice(caps []string, unknownCaps map[string]struct{}) []capability.Cap {
var out []capability.Cap
cm, _ := capMap()
out := make([]capability.Cap, 0, len(caps))
for _, c := range caps {
if v, ok := capabilityMap[c]; !ok {
if v, ok := cm[c]; !ok {
unknownCaps[c] = struct{}{}
} else {
out = append(out, v)
@@ -78,16 +90,6 @@ func capSlice(caps []string, unknownCaps map[string]struct{}) []capability.Cap {
return out
}
// mapKeys returns the keys of input in sorted order
func mapKeys(input map[string]struct{}) []string {
var keys []string
for c := range input {
keys = append(keys, c)
}
sort.Strings(keys)
return keys
}
// Caps holds the capabilities for a container.
type Caps struct {
pid capability.Capabilities
@@ -96,16 +98,53 @@ type Caps struct {
// ApplyBoundingSet sets the capability bounding set to those specified in the whitelist.
func (c *Caps) ApplyBoundingSet() error {
if c.pid == nil {
return nil
}
c.pid.Clear(capability.BOUNDING)
c.pid.Set(capability.BOUNDING, c.caps[capability.BOUNDING]...)
return c.pid.Apply(capability.BOUNDING)
}
// Apply sets all the capabilities for the current process in the config.
// ApplyCaps sets all the capabilities for the current process in the config.
func (c *Caps) ApplyCaps() error {
c.pid.Clear(allCapabilityTypes)
for _, g := range capTypes {
if c.pid == nil {
return nil
}
c.pid.Clear(capability.CAPS | capability.BOUNDS)
for _, g := range []capability.CapType{
capability.EFFECTIVE,
capability.PERMITTED,
capability.INHERITABLE,
capability.BOUNDING,
} {
c.pid.Set(g, c.caps[g]...)
}
return c.pid.Apply(allCapabilityTypes)
if err := c.pid.Apply(capability.CAPS | capability.BOUNDS); err != nil {
return fmt.Errorf("can't apply capabilities: %w", err)
}
// Old version of capability package used to ignore errors from setting
// ambient capabilities, which is now fixed (see
// https://github.com/kolyshkin/capability/pull/3).
//
// To maintain backward compatibility, set ambient caps one by one and
// don't return any errors, only warn.
ambs := c.caps[capability.AMBIENT]
err := capability.ResetAmbient()
// EINVAL is returned when the kernel doesn't support ambient capabilities.
// We ignore this because runc supports running on older kernels.
if err != nil && !errors.Is(err, syscall.EINVAL) {
return err
}
for _, a := range ambs {
err := capability.SetAmbient(true, a)
if err != nil {
logrus.Warnf("can't raise ambient capability %s: %v", capToStr(a), err)
}
}
return nil
}
@@ -1,16 +1,24 @@
package capabilities
import (
"io/ioutil"
"io"
"os"
"testing"
"github.com/moby/sys/capability"
"github.com/opencontainers/runc/libcontainer/configs"
"github.com/sirupsen/logrus"
"github.com/sirupsen/logrus/hooks/test"
"github.com/syndtr/gocapability/capability"
)
var capTypes = []capability.CapType{
capability.BOUNDING,
capability.PERMITTED,
capability.INHERITABLE,
capability.EFFECTIVE,
capability.AMBIENT,
}
func TestNew(t *testing.T) {
cs := []string{"CAP_CHOWN", "CAP_UNKNOWN", "CAP_UNKNOWN2"}
conf := configs.Capabilities{
@@ -24,7 +32,7 @@ func TestNew(t *testing.T) {
hook := test.NewGlobal()
defer hook.Reset()
logrus.SetOutput(ioutil.Discard)
logrus.SetOutput(io.Discard)
caps, err := New(&conf)
logrus.SetOutput(os.Stderr)
@@ -1,3 +1,3 @@
// +build !linux
//go:build !linux
package capabilities
-20
View File
@@ -1,20 +0,0 @@
// +build linux
package cgroups
import (
"testing"
)
func TestParseCgroups(t *testing.T) {
cgroups, err := ParseCgroupFile("/proc/self/cgroup")
if err != nil {
t.Fatal(err)
}
if IsCgroup2UnifiedMode() {
return
}
if _, ok := cgroups["cpu"]; !ok {
t.Fail()
}
}
@@ -1,3 +0,0 @@
// +build !linux
package cgroups
File diff suppressed because it is too large Load Diff
@@ -1,183 +0,0 @@
// Package devicefilter contains eBPF device filter program
//
// The implementation is based on https://github.com/containers/crun/blob/0.10.2/src/libcrun/ebpf.c
//
// Although ebpf.c is originally licensed under LGPL-3.0-or-later, the author (Giuseppe Scrivano)
// agreed to relicense the file in Apache License 2.0: https://github.com/opencontainers/runc/issues/2144#issuecomment-543116397
package devicefilter
import (
"math"
"strconv"
"github.com/cilium/ebpf/asm"
"github.com/opencontainers/runc/libcontainer/devices"
"github.com/pkg/errors"
"golang.org/x/sys/unix"
)
const (
// license string format is same as kernel MODULE_LICENSE macro
license = "Apache"
)
// DeviceFilter returns eBPF device filter program and its license string
func DeviceFilter(devices []*devices.Rule) (asm.Instructions, string, error) {
p := &program{}
p.init()
for i := len(devices) - 1; i >= 0; i-- {
if err := p.appendDevice(devices[i]); err != nil {
return nil, "", err
}
}
insts, err := p.finalize()
return insts, license, err
}
type program struct {
insts asm.Instructions
hasWildCard bool
blockID int
}
func (p *program) init() {
// struct bpf_cgroup_dev_ctx: https://elixir.bootlin.com/linux/v5.3.6/source/include/uapi/linux/bpf.h#L3423
/*
u32 access_type
u32 major
u32 minor
*/
// R2 <- type (lower 16 bit of u32 access_type at R1[0])
p.insts = append(p.insts,
asm.LoadMem(asm.R2, asm.R1, 0, asm.Word),
asm.And.Imm32(asm.R2, 0xFFFF))
// R3 <- access (upper 16 bit of u32 access_type at R1[0])
p.insts = append(p.insts,
asm.LoadMem(asm.R3, asm.R1, 0, asm.Word),
// RSh: bitwise shift right
asm.RSh.Imm32(asm.R3, 16))
// R4 <- major (u32 major at R1[4])
p.insts = append(p.insts,
asm.LoadMem(asm.R4, asm.R1, 4, asm.Word))
// R5 <- minor (u32 minor at R1[8])
p.insts = append(p.insts,
asm.LoadMem(asm.R5, asm.R1, 8, asm.Word))
}
// appendDevice needs to be called from the last element of OCI linux.resources.devices to the head element.
func (p *program) appendDevice(dev *devices.Rule) error {
if p.blockID < 0 {
return errors.New("the program is finalized")
}
if p.hasWildCard {
// All entries after wildcard entry are ignored
return nil
}
bpfType := int32(-1)
hasType := true
switch dev.Type {
case 'c':
bpfType = int32(unix.BPF_DEVCG_DEV_CHAR)
case 'b':
bpfType = int32(unix.BPF_DEVCG_DEV_BLOCK)
case 'a':
hasType = false
default:
// if not specified in OCI json, typ is set to DeviceTypeAll
return errors.Errorf("invalid Type %q", string(dev.Type))
}
if dev.Major > math.MaxUint32 {
return errors.Errorf("invalid major %d", dev.Major)
}
if dev.Minor > math.MaxUint32 {
return errors.Errorf("invalid minor %d", dev.Major)
}
hasMajor := dev.Major >= 0 // if not specified in OCI json, major is set to -1
hasMinor := dev.Minor >= 0
bpfAccess := int32(0)
for _, r := range dev.Permissions {
switch r {
case 'r':
bpfAccess |= unix.BPF_DEVCG_ACC_READ
case 'w':
bpfAccess |= unix.BPF_DEVCG_ACC_WRITE
case 'm':
bpfAccess |= unix.BPF_DEVCG_ACC_MKNOD
default:
return errors.Errorf("unknown device access %v", r)
}
}
// If the access is rwm, skip the check.
hasAccess := bpfAccess != (unix.BPF_DEVCG_ACC_READ | unix.BPF_DEVCG_ACC_WRITE | unix.BPF_DEVCG_ACC_MKNOD)
var (
blockSym = "block-" + strconv.Itoa(p.blockID)
nextBlockSym = "block-" + strconv.Itoa(p.blockID+1)
prevBlockLastIdx = len(p.insts) - 1
)
if hasType {
p.insts = append(p.insts,
// if (R2 != bpfType) goto next
asm.JNE.Imm(asm.R2, bpfType, nextBlockSym),
)
}
if hasAccess {
p.insts = append(p.insts,
// if (R3 & bpfAccess != R3 /* use R1 as a temp var */) goto next
asm.Mov.Reg32(asm.R1, asm.R3),
asm.And.Imm32(asm.R1, bpfAccess),
asm.JNE.Reg(asm.R1, asm.R3, nextBlockSym),
)
}
if hasMajor {
p.insts = append(p.insts,
// if (R4 != major) goto next
asm.JNE.Imm(asm.R4, int32(dev.Major), nextBlockSym),
)
}
if hasMinor {
p.insts = append(p.insts,
// if (R5 != minor) goto next
asm.JNE.Imm(asm.R5, int32(dev.Minor), nextBlockSym),
)
}
if !hasType && !hasAccess && !hasMajor && !hasMinor {
p.hasWildCard = true
}
p.insts = append(p.insts, acceptBlock(dev.Allow)...)
// set blockSym to the first instruction we added in this iteration
p.insts[prevBlockLastIdx+1] = p.insts[prevBlockLastIdx+1].Sym(blockSym)
p.blockID++
return nil
}
func (p *program) finalize() (asm.Instructions, error) {
if p.hasWildCard {
// acceptBlock with asm.Return() is already inserted
return p.insts, nil
}
blockSym := "block-" + strconv.Itoa(p.blockID)
p.insts = append(p.insts,
// R0 <- 0
asm.Mov.Imm32(asm.R0, 0).Sym(blockSym),
asm.Return(),
)
p.blockID = -1
return p.insts, nil
}
func acceptBlock(accept bool) asm.Instructions {
v := int32(0)
if accept {
v = 1
}
return []asm.Instruction{
// R0 <- v
asm.Mov.Imm32(asm.R0, v),
asm.Return(),
}
}
@@ -1,260 +0,0 @@
package devicefilter
import (
"strings"
"testing"
"github.com/opencontainers/runc/libcontainer/devices"
"github.com/opencontainers/runc/libcontainer/specconv"
)
func hash(s, comm string) string {
var res []string
for _, l := range strings.Split(s, "\n") {
trimmed := strings.TrimSpace(l)
if trimmed == "" || strings.HasPrefix(trimmed, comm) {
continue
}
res = append(res, trimmed)
}
return strings.Join(res, "\n")
}
func testDeviceFilter(t testing.TB, devices []*devices.Rule, expectedStr string) {
insts, _, err := DeviceFilter(devices)
if err != nil {
t.Fatalf("%s: %v (devices: %+v)", t.Name(), err, devices)
}
s := insts.String()
if expectedStr != "" {
hashed := hash(s, "//")
expectedHashed := hash(expectedStr, "//")
if expectedHashed != hashed {
t.Fatalf("expected:\n%q\ngot\n%q", expectedHashed, hashed)
}
}
}
func TestDeviceFilter_Nil(t *testing.T) {
expected := `
// load parameters into registers
0: LdXMemW dst: r2 src: r1 off: 0 imm: 0
1: And32Imm dst: r2 imm: 65535
2: LdXMemW dst: r3 src: r1 off: 0 imm: 0
3: RSh32Imm dst: r3 imm: 16
4: LdXMemW dst: r4 src: r1 off: 4 imm: 0
5: LdXMemW dst: r5 src: r1 off: 8 imm: 0
block-0:
// return 0 (reject)
6: Mov32Imm dst: r0 imm: 0
7: Exit
`
testDeviceFilter(t, nil, expected)
}
func TestDeviceFilter_BuiltInAllowList(t *testing.T) {
expected := `
// load parameters into registers
0: LdXMemW dst: r2 src: r1 off: 0 imm: 0
1: And32Imm dst: r2 imm: 65535
2: LdXMemW dst: r3 src: r1 off: 0 imm: 0
3: RSh32Imm dst: r3 imm: 16
4: LdXMemW dst: r4 src: r1 off: 4 imm: 0
5: LdXMemW dst: r5 src: r1 off: 8 imm: 0
block-0:
// tuntap (c, 10, 200, rwm, allow)
6: JNEImm dst: r2 off: -1 imm: 2 <block-1>
7: JNEImm dst: r4 off: -1 imm: 10 <block-1>
8: JNEImm dst: r5 off: -1 imm: 200 <block-1>
9: Mov32Imm dst: r0 imm: 1
10: Exit
block-1:
11: JNEImm dst: r2 off: -1 imm: 2 <block-2>
12: JNEImm dst: r4 off: -1 imm: 5 <block-2>
13: JNEImm dst: r5 off: -1 imm: 2 <block-2>
14: Mov32Imm dst: r0 imm: 1
15: Exit
block-2:
// /dev/pts (c, 136, wildcard, rwm, true)
16: JNEImm dst: r2 off: -1 imm: 2 <block-3>
17: JNEImm dst: r4 off: -1 imm: 136 <block-3>
18: Mov32Imm dst: r0 imm: 1
19: Exit
block-3:
20: JNEImm dst: r2 off: -1 imm: 2 <block-4>
21: JNEImm dst: r4 off: -1 imm: 1 <block-4>
22: JNEImm dst: r5 off: -1 imm: 9 <block-4>
23: Mov32Imm dst: r0 imm: 1
24: Exit
block-4:
25: JNEImm dst: r2 off: -1 imm: 2 <block-5>
26: JNEImm dst: r4 off: -1 imm: 1 <block-5>
27: JNEImm dst: r5 off: -1 imm: 5 <block-5>
28: Mov32Imm dst: r0 imm: 1
29: Exit
block-5:
30: JNEImm dst: r2 off: -1 imm: 2 <block-6>
31: JNEImm dst: r4 off: -1 imm: 5 <block-6>
32: JNEImm dst: r5 off: -1 imm: 0 <block-6>
33: Mov32Imm dst: r0 imm: 1
34: Exit
block-6:
35: JNEImm dst: r2 off: -1 imm: 2 <block-7>
36: JNEImm dst: r4 off: -1 imm: 1 <block-7>
37: JNEImm dst: r5 off: -1 imm: 7 <block-7>
38: Mov32Imm dst: r0 imm: 1
39: Exit
block-7:
40: JNEImm dst: r2 off: -1 imm: 2 <block-8>
41: JNEImm dst: r4 off: -1 imm: 1 <block-8>
42: JNEImm dst: r5 off: -1 imm: 8 <block-8>
43: Mov32Imm dst: r0 imm: 1
44: Exit
block-8:
45: JNEImm dst: r2 off: -1 imm: 2 <block-9>
46: JNEImm dst: r4 off: -1 imm: 1 <block-9>
47: JNEImm dst: r5 off: -1 imm: 3 <block-9>
48: Mov32Imm dst: r0 imm: 1
49: Exit
block-9:
// (b, wildcard, wildcard, m, true)
50: JNEImm dst: r2 off: -1 imm: 1 <block-10>
51: Mov32Reg dst: r1 src: r3
52: And32Imm dst: r1 imm: 1
53: JNEReg dst: r1 off: -1 src: r3 <block-10>
54: Mov32Imm dst: r0 imm: 1
55: Exit
block-10:
// (c, wildcard, wildcard, m, true)
56: JNEImm dst: r2 off: -1 imm: 2 <block-11>
57: Mov32Reg dst: r1 src: r3
58: And32Imm dst: r1 imm: 1
59: JNEReg dst: r1 off: -1 src: r3 <block-11>
60: Mov32Imm dst: r0 imm: 1
61: Exit
block-11:
62: Mov32Imm dst: r0 imm: 0
63: Exit
`
var devices []*devices.Rule
for _, device := range specconv.AllowedDevices {
devices = append(devices, &device.Rule)
}
testDeviceFilter(t, devices, expected)
}
func TestDeviceFilter_Privileged(t *testing.T) {
devices := []*devices.Rule{
{
Type: 'a',
Major: -1,
Minor: -1,
Permissions: "rwm",
Allow: true,
},
}
expected :=
`
// load parameters into registers
0: LdXMemW dst: r2 src: r1 off: 0 imm: 0
1: And32Imm dst: r2 imm: 65535
2: LdXMemW dst: r3 src: r1 off: 0 imm: 0
3: RSh32Imm dst: r3 imm: 16
4: LdXMemW dst: r4 src: r1 off: 4 imm: 0
5: LdXMemW dst: r5 src: r1 off: 8 imm: 0
block-0:
// return 1 (accept)
6: Mov32Imm dst: r0 imm: 1
7: Exit
`
testDeviceFilter(t, devices, expected)
}
func TestDeviceFilter_PrivilegedExceptSingleDevice(t *testing.T) {
devices := []*devices.Rule{
{
Type: 'a',
Major: -1,
Minor: -1,
Permissions: "rwm",
Allow: true,
},
{
Type: 'b',
Major: 8,
Minor: 0,
Permissions: "rwm",
Allow: false,
},
}
expected := `
// load parameters into registers
0: LdXMemW dst: r2 src: r1 off: 0 imm: 0
1: And32Imm dst: r2 imm: 65535
2: LdXMemW dst: r3 src: r1 off: 0 imm: 0
3: RSh32Imm dst: r3 imm: 16
4: LdXMemW dst: r4 src: r1 off: 4 imm: 0
5: LdXMemW dst: r5 src: r1 off: 8 imm: 0
block-0:
// return 0 (reject) if type==b && major == 8 && minor == 0
6: JNEImm dst: r2 off: -1 imm: 1 <block-1>
7: JNEImm dst: r4 off: -1 imm: 8 <block-1>
8: JNEImm dst: r5 off: -1 imm: 0 <block-1>
9: Mov32Imm dst: r0 imm: 0
10: Exit
block-1:
// return 1 (accept)
11: Mov32Imm dst: r0 imm: 1
12: Exit
`
testDeviceFilter(t, devices, expected)
}
func TestDeviceFilter_Weird(t *testing.T) {
devices := []*devices.Rule{
{
Type: 'b',
Major: 8,
Minor: 1,
Permissions: "rwm",
Allow: false,
},
{
Type: 'a',
Major: -1,
Minor: -1,
Permissions: "rwm",
Allow: true,
},
{
Type: 'b',
Major: 8,
Minor: 2,
Permissions: "rwm",
Allow: false,
},
}
// 8/1 is allowed, 8/2 is not allowed.
// This conforms to runc v1.0.0-rc.9 (cgroup1) behavior.
expected := `
// load parameters into registers
0: LdXMemW dst: r2 src: r1 off: 0 imm: 0
1: And32Imm dst: r2 imm: 65535
2: LdXMemW dst: r3 src: r1 off: 0 imm: 0
3: RSh32Imm dst: r3 imm: 16
4: LdXMemW dst: r4 src: r1 off: 4 imm: 0
5: LdXMemW dst: r5 src: r1 off: 8 imm: 0
block-0:
// return 0 (reject) if type==b && major == 8 && minor == 2
6: JNEImm dst: r2 off: -1 imm: 1 <block-1>
7: JNEImm dst: r4 off: -1 imm: 8 <block-1>
8: JNEImm dst: r5 off: -1 imm: 2 <block-1>
9: Mov32Imm dst: r0 imm: 0
10: Exit
block-1:
// return 1 (accept)
11: Mov32Imm dst: r0 imm: 1
12: Exit
`
testDeviceFilter(t, devices, expected)
}
-57
View File
@@ -1,57 +0,0 @@
package ebpf
import (
"github.com/cilium/ebpf"
"github.com/cilium/ebpf/asm"
"github.com/cilium/ebpf/link"
"github.com/pkg/errors"
"golang.org/x/sys/unix"
)
// LoadAttachCgroupDeviceFilter installs eBPF device filter program to /sys/fs/cgroup/<foo> directory.
//
// Requires the system to be running in cgroup2 unified-mode with kernel >= 4.15 .
//
// https://github.com/torvalds/linux/commit/ebc614f687369f9df99828572b1d85a7c2de3d92
func LoadAttachCgroupDeviceFilter(insts asm.Instructions, license string, dirFD int) (func() error, error) {
nilCloser := func() error {
return nil
}
// Increase `ulimit -l` limit to avoid BPF_PROG_LOAD error (#2167).
// This limit is not inherited into the container.
memlockLimit := &unix.Rlimit{
Cur: unix.RLIM_INFINITY,
Max: unix.RLIM_INFINITY,
}
_ = unix.Setrlimit(unix.RLIMIT_MEMLOCK, memlockLimit)
spec := &ebpf.ProgramSpec{
Type: ebpf.CGroupDevice,
Instructions: insts,
License: license,
}
prog, err := ebpf.NewProgram(spec)
if err != nil {
return nilCloser, err
}
err = link.RawAttachProgram(link.RawAttachProgramOptions{
Target: dirFD,
Program: prog,
Attach: ebpf.AttachCGroupDevice,
Flags: unix.BPF_F_ALLOW_MULTI,
})
if err != nil {
return nilCloser, errors.Wrap(err, "failed to call BPF_PROG_ATTACH (BPF_CGROUP_DEVICE, BPF_F_ALLOW_MULTI)")
}
closer := func() error {
err = link.RawDetachProgram(link.RawDetachProgramOptions{
Target: dirFD,
Program: prog,
Attach: ebpf.AttachCGroupDevice,
})
if err != nil {
return errors.Wrap(err, "failed to call BPF_PROG_DETACH (BPF_CGROUP_DEVICE)")
}
return nil
}
return closer, nil
}
-851
View File
@@ -1,851 +0,0 @@
// +build linux
package fs
import (
"fmt"
"strconv"
"testing"
"github.com/opencontainers/runc/libcontainer/cgroups"
"github.com/opencontainers/runc/libcontainer/cgroups/fscommon"
"github.com/opencontainers/runc/libcontainer/configs"
)
const (
sectorsRecursiveContents = `8:0 1024`
sectorsRecursiveContentsBFQ = `8:0 2048`
serviceBytesRecursiveContents = `8:0 Read 100
8:0 Write 200
8:0 Sync 300
8:0 Async 500
8:0 Total 500
Total 500`
serviceBytesRecursiveContentsBFQ = `8:0 Read 1100
8:0 Write 1200
8:0 Sync 1300
8:0 Async 1500
8:0 Total 1500
Total 1500`
servicedRecursiveContents = `8:0 Read 10
8:0 Write 40
8:0 Sync 20
8:0 Async 30
8:0 Total 50
Total 50`
servicedRecursiveContentsBFQ = `8:0 Read 11
8:0 Write 41
8:0 Sync 21
8:0 Async 31
8:0 Total 51
Total 51`
queuedRecursiveContents = `8:0 Read 1
8:0 Write 4
8:0 Sync 2
8:0 Async 3
8:0 Total 5
Total 5`
queuedRecursiveContentsBFQ = `8:0 Read 2
8:0 Write 3
8:0 Sync 4
8:0 Async 5
8:0 Total 6
Total 6`
serviceTimeRecursiveContents = `8:0 Read 173959
8:0 Write 0
8:0 Sync 0
8:0 Async 173959
8:0 Total 17395
Total 17395`
serviceTimeRecursiveContentsBFQ = `8:0 Read 173959
8:0 Write 0
8:0 Sync 0
8:0 Async 173
8:0 Total 174
Total 174`
waitTimeRecursiveContents = `8:0 Read 15571
8:0 Write 0
8:0 Sync 0
8:0 Async 15571
8:0 Total 15571`
waitTimeRecursiveContentsBFQ = `8:0 Read 1557
8:0 Write 0
8:0 Sync 0
8:0 Async 1557
8:0 Total 1557`
mergedRecursiveContents = `8:0 Read 5
8:0 Write 10
8:0 Sync 0
8:0 Async 0
8:0 Total 15
Total 15`
mergedRecursiveContentsBFQ = `8:0 Read 51
8:0 Write 101
8:0 Sync 0
8:0 Async 0
8:0 Total 151
Total 151`
timeRecursiveContents = `8:0 8`
timeRecursiveContentsBFQ = `8:0 16`
throttleServiceBytes = `8:0 Read 11030528
8:0 Write 23
8:0 Sync 42
8:0 Async 11030528
8:0 Total 11030528
252:0 Read 11030528
252:0 Write 23
252:0 Sync 42
252:0 Async 11030528
252:0 Total 11030528
Total 22061056`
throttleServiceBytesRecursive = `8:0 Read 110305281
8:0 Write 231
8:0 Sync 421
8:0 Async 110305281
8:0 Total 110305281
252:0 Read 110305281
252:0 Write 231
252:0 Sync 421
252:0 Async 110305281
252:0 Total 110305281
Total 220610561`
throttleServiced = `8:0 Read 164
8:0 Write 23
8:0 Sync 42
8:0 Async 164
8:0 Total 164
252:0 Read 164
252:0 Write 23
252:0 Sync 42
252:0 Async 164
252:0 Total 164
Total 328`
throttleServicedRecursive = `8:0 Read 1641
8:0 Write 231
8:0 Sync 421
8:0 Async 1641
8:0 Total 1641
252:0 Read 1641
252:0 Write 231
252:0 Sync 421
252:0 Async 1641
252:0 Total 1641
Total 3281`
)
var blkioBFQDebugStatsTestFiles = map[string]string{
"blkio.bfq.io_service_bytes_recursive": serviceBytesRecursiveContentsBFQ,
"blkio.bfq.io_serviced_recursive": servicedRecursiveContentsBFQ,
"blkio.bfq.io_queued_recursive": queuedRecursiveContentsBFQ,
"blkio.bfq.io_service_time_recursive": serviceTimeRecursiveContentsBFQ,
"blkio.bfq.io_wait_time_recursive": waitTimeRecursiveContentsBFQ,
"blkio.bfq.io_merged_recursive": mergedRecursiveContentsBFQ,
"blkio.bfq.time_recursive": timeRecursiveContentsBFQ,
"blkio.bfq.sectors_recursive": sectorsRecursiveContentsBFQ,
}
var blkioBFQStatsTestFiles = map[string]string{
"blkio.bfq.io_service_bytes_recursive": serviceBytesRecursiveContentsBFQ,
"blkio.bfq.io_serviced_recursive": servicedRecursiveContentsBFQ,
}
var blkioCFQStatsTestFiles = map[string]string{
"blkio.io_service_bytes_recursive": serviceBytesRecursiveContents,
"blkio.io_serviced_recursive": servicedRecursiveContents,
"blkio.io_queued_recursive": queuedRecursiveContents,
"blkio.io_service_time_recursive": serviceTimeRecursiveContents,
"blkio.io_wait_time_recursive": waitTimeRecursiveContents,
"blkio.io_merged_recursive": mergedRecursiveContents,
"blkio.time_recursive": timeRecursiveContents,
"blkio.sectors_recursive": sectorsRecursiveContents,
}
type blkioStatFailureTestCase struct {
desc string
filename string
}
func appendBlkioStatEntry(blkioStatEntries *[]cgroups.BlkioStatEntry, major, minor, value uint64, op string) {
*blkioStatEntries = append(*blkioStatEntries, cgroups.BlkioStatEntry{Major: major, Minor: minor, Value: value, Op: op})
}
func TestBlkioSetWeight(t *testing.T) {
helper := NewCgroupTestUtil("blkio", t)
defer helper.cleanup()
const (
weightBefore = 100
weightAfter = 200
)
helper.writeFileContents(map[string]string{
"blkio.weight": strconv.Itoa(weightBefore),
})
helper.CgroupData.config.Resources.BlkioWeight = weightAfter
blkio := &BlkioGroup{}
if err := blkio.Set(helper.CgroupPath, helper.CgroupData.config.Resources); err != nil {
t.Fatal(err)
}
value, err := fscommon.GetCgroupParamUint(helper.CgroupPath, "blkio.weight")
if err != nil {
t.Fatalf("Failed to parse blkio.weight - %s", err)
}
if value != weightAfter {
t.Fatal("Got the wrong value, set blkio.weight failed.")
}
}
func TestBlkioSetWeightDevice(t *testing.T) {
helper := NewCgroupTestUtil("blkio", t)
defer helper.cleanup()
const (
weightDeviceBefore = "8:0 400"
)
wd := configs.NewWeightDevice(8, 0, 500, 0)
weightDeviceAfter := wd.WeightString()
helper.writeFileContents(map[string]string{
"blkio.weight_device": weightDeviceBefore,
})
helper.CgroupData.config.Resources.BlkioWeightDevice = []*configs.WeightDevice{wd}
blkio := &BlkioGroup{}
if err := blkio.Set(helper.CgroupPath, helper.CgroupData.config.Resources); err != nil {
t.Fatal(err)
}
value, err := fscommon.GetCgroupParamString(helper.CgroupPath, "blkio.weight_device")
if err != nil {
t.Fatalf("Failed to parse blkio.weight_device - %s", err)
}
if value != weightDeviceAfter {
t.Fatal("Got the wrong value, set blkio.weight_device failed.")
}
}
// regression #274
func TestBlkioSetMultipleWeightDevice(t *testing.T) {
helper := NewCgroupTestUtil("blkio", t)
defer helper.cleanup()
const (
weightDeviceBefore = "8:0 400"
)
wd1 := configs.NewWeightDevice(8, 0, 500, 0)
wd2 := configs.NewWeightDevice(8, 16, 500, 0)
// we cannot actually set and check both because normal ioutil.WriteFile
// when writing to cgroup file will overwrite the whole file content instead
// of updating it as the kernel is doing. Just check the second device
// is present will suffice for the test to ensure multiple writes are done.
weightDeviceAfter := wd2.WeightString()
helper.writeFileContents(map[string]string{
"blkio.weight_device": weightDeviceBefore,
})
helper.CgroupData.config.Resources.BlkioWeightDevice = []*configs.WeightDevice{wd1, wd2}
blkio := &BlkioGroup{}
if err := blkio.Set(helper.CgroupPath, helper.CgroupData.config.Resources); err != nil {
t.Fatal(err)
}
value, err := fscommon.GetCgroupParamString(helper.CgroupPath, "blkio.weight_device")
if err != nil {
t.Fatalf("Failed to parse blkio.weight_device - %s", err)
}
if value != weightDeviceAfter {
t.Fatal("Got the wrong value, set blkio.weight_device failed.")
}
}
func TestBlkioBFQDebugStats(t *testing.T) {
helper := NewCgroupTestUtil("blkio", t)
defer helper.cleanup()
helper.writeFileContents(blkioBFQDebugStatsTestFiles)
blkio := &BlkioGroup{}
actualStats := *cgroups.NewStats()
err := blkio.GetStats(helper.CgroupPath, &actualStats)
if err != nil {
t.Fatal(err)
}
expectedStats := cgroups.BlkioStats{}
appendBlkioStatEntry(&expectedStats.SectorsRecursive, 8, 0, 2048, "")
appendBlkioStatEntry(&expectedStats.IoServiceBytesRecursive, 8, 0, 1100, "Read")
appendBlkioStatEntry(&expectedStats.IoServiceBytesRecursive, 8, 0, 1200, "Write")
appendBlkioStatEntry(&expectedStats.IoServiceBytesRecursive, 8, 0, 1300, "Sync")
appendBlkioStatEntry(&expectedStats.IoServiceBytesRecursive, 8, 0, 1500, "Async")
appendBlkioStatEntry(&expectedStats.IoServiceBytesRecursive, 8, 0, 1500, "Total")
appendBlkioStatEntry(&expectedStats.IoServicedRecursive, 8, 0, 11, "Read")
appendBlkioStatEntry(&expectedStats.IoServicedRecursive, 8, 0, 41, "Write")
appendBlkioStatEntry(&expectedStats.IoServicedRecursive, 8, 0, 21, "Sync")
appendBlkioStatEntry(&expectedStats.IoServicedRecursive, 8, 0, 31, "Async")
appendBlkioStatEntry(&expectedStats.IoServicedRecursive, 8, 0, 51, "Total")
appendBlkioStatEntry(&expectedStats.IoQueuedRecursive, 8, 0, 2, "Read")
appendBlkioStatEntry(&expectedStats.IoQueuedRecursive, 8, 0, 3, "Write")
appendBlkioStatEntry(&expectedStats.IoQueuedRecursive, 8, 0, 4, "Sync")
appendBlkioStatEntry(&expectedStats.IoQueuedRecursive, 8, 0, 5, "Async")
appendBlkioStatEntry(&expectedStats.IoQueuedRecursive, 8, 0, 6, "Total")
appendBlkioStatEntry(&expectedStats.IoServiceTimeRecursive, 8, 0, 173959, "Read")
appendBlkioStatEntry(&expectedStats.IoServiceTimeRecursive, 8, 0, 0, "Write")
appendBlkioStatEntry(&expectedStats.IoServiceTimeRecursive, 8, 0, 0, "Sync")
appendBlkioStatEntry(&expectedStats.IoServiceTimeRecursive, 8, 0, 173, "Async")
appendBlkioStatEntry(&expectedStats.IoServiceTimeRecursive, 8, 0, 174, "Total")
appendBlkioStatEntry(&expectedStats.IoWaitTimeRecursive, 8, 0, 1557, "Read")
appendBlkioStatEntry(&expectedStats.IoWaitTimeRecursive, 8, 0, 0, "Write")
appendBlkioStatEntry(&expectedStats.IoWaitTimeRecursive, 8, 0, 0, "Sync")
appendBlkioStatEntry(&expectedStats.IoWaitTimeRecursive, 8, 0, 1557, "Async")
appendBlkioStatEntry(&expectedStats.IoWaitTimeRecursive, 8, 0, 1557, "Total")
appendBlkioStatEntry(&expectedStats.IoMergedRecursive, 8, 0, 51, "Read")
appendBlkioStatEntry(&expectedStats.IoMergedRecursive, 8, 0, 101, "Write")
appendBlkioStatEntry(&expectedStats.IoMergedRecursive, 8, 0, 0, "Sync")
appendBlkioStatEntry(&expectedStats.IoMergedRecursive, 8, 0, 0, "Async")
appendBlkioStatEntry(&expectedStats.IoMergedRecursive, 8, 0, 151, "Total")
appendBlkioStatEntry(&expectedStats.IoTimeRecursive, 8, 0, 16, "")
expectBlkioStatsEquals(t, expectedStats, actualStats.BlkioStats)
}
func TestBlkioMultipleStatsFiles(t *testing.T) {
helper := NewCgroupTestUtil("blkio", t)
defer helper.cleanup()
helper.writeFileContents(blkioBFQDebugStatsTestFiles)
helper.writeFileContents(blkioCFQStatsTestFiles)
blkio := &BlkioGroup{}
actualStats := *cgroups.NewStats()
err := blkio.GetStats(helper.CgroupPath, &actualStats)
if err != nil {
t.Fatal(err)
}
expectedStats := cgroups.BlkioStats{}
appendBlkioStatEntry(&expectedStats.SectorsRecursive, 8, 0, 2048, "")
appendBlkioStatEntry(&expectedStats.IoServiceBytesRecursive, 8, 0, 1100, "Read")
appendBlkioStatEntry(&expectedStats.IoServiceBytesRecursive, 8, 0, 1200, "Write")
appendBlkioStatEntry(&expectedStats.IoServiceBytesRecursive, 8, 0, 1300, "Sync")
appendBlkioStatEntry(&expectedStats.IoServiceBytesRecursive, 8, 0, 1500, "Async")
appendBlkioStatEntry(&expectedStats.IoServiceBytesRecursive, 8, 0, 1500, "Total")
appendBlkioStatEntry(&expectedStats.IoServicedRecursive, 8, 0, 11, "Read")
appendBlkioStatEntry(&expectedStats.IoServicedRecursive, 8, 0, 41, "Write")
appendBlkioStatEntry(&expectedStats.IoServicedRecursive, 8, 0, 21, "Sync")
appendBlkioStatEntry(&expectedStats.IoServicedRecursive, 8, 0, 31, "Async")
appendBlkioStatEntry(&expectedStats.IoServicedRecursive, 8, 0, 51, "Total")
appendBlkioStatEntry(&expectedStats.IoQueuedRecursive, 8, 0, 2, "Read")
appendBlkioStatEntry(&expectedStats.IoQueuedRecursive, 8, 0, 3, "Write")
appendBlkioStatEntry(&expectedStats.IoQueuedRecursive, 8, 0, 4, "Sync")
appendBlkioStatEntry(&expectedStats.IoQueuedRecursive, 8, 0, 5, "Async")
appendBlkioStatEntry(&expectedStats.IoQueuedRecursive, 8, 0, 6, "Total")
appendBlkioStatEntry(&expectedStats.IoServiceTimeRecursive, 8, 0, 173959, "Read")
appendBlkioStatEntry(&expectedStats.IoServiceTimeRecursive, 8, 0, 0, "Write")
appendBlkioStatEntry(&expectedStats.IoServiceTimeRecursive, 8, 0, 0, "Sync")
appendBlkioStatEntry(&expectedStats.IoServiceTimeRecursive, 8, 0, 173, "Async")
appendBlkioStatEntry(&expectedStats.IoServiceTimeRecursive, 8, 0, 174, "Total")
appendBlkioStatEntry(&expectedStats.IoWaitTimeRecursive, 8, 0, 1557, "Read")
appendBlkioStatEntry(&expectedStats.IoWaitTimeRecursive, 8, 0, 0, "Write")
appendBlkioStatEntry(&expectedStats.IoWaitTimeRecursive, 8, 0, 0, "Sync")
appendBlkioStatEntry(&expectedStats.IoWaitTimeRecursive, 8, 0, 1557, "Async")
appendBlkioStatEntry(&expectedStats.IoWaitTimeRecursive, 8, 0, 1557, "Total")
appendBlkioStatEntry(&expectedStats.IoMergedRecursive, 8, 0, 51, "Read")
appendBlkioStatEntry(&expectedStats.IoMergedRecursive, 8, 0, 101, "Write")
appendBlkioStatEntry(&expectedStats.IoMergedRecursive, 8, 0, 0, "Sync")
appendBlkioStatEntry(&expectedStats.IoMergedRecursive, 8, 0, 0, "Async")
appendBlkioStatEntry(&expectedStats.IoMergedRecursive, 8, 0, 151, "Total")
appendBlkioStatEntry(&expectedStats.IoTimeRecursive, 8, 0, 16, "")
expectBlkioStatsEquals(t, expectedStats, actualStats.BlkioStats)
}
func TestBlkioBFQStats(t *testing.T) {
helper := NewCgroupTestUtil("blkio", t)
defer helper.cleanup()
helper.writeFileContents(blkioBFQStatsTestFiles)
blkio := &BlkioGroup{}
actualStats := *cgroups.NewStats()
err := blkio.GetStats(helper.CgroupPath, &actualStats)
if err != nil {
t.Fatal(err)
}
expectedStats := cgroups.BlkioStats{}
appendBlkioStatEntry(&expectedStats.IoServiceBytesRecursive, 8, 0, 1100, "Read")
appendBlkioStatEntry(&expectedStats.IoServiceBytesRecursive, 8, 0, 1200, "Write")
appendBlkioStatEntry(&expectedStats.IoServiceBytesRecursive, 8, 0, 1300, "Sync")
appendBlkioStatEntry(&expectedStats.IoServiceBytesRecursive, 8, 0, 1500, "Async")
appendBlkioStatEntry(&expectedStats.IoServiceBytesRecursive, 8, 0, 1500, "Total")
appendBlkioStatEntry(&expectedStats.IoServicedRecursive, 8, 0, 11, "Read")
appendBlkioStatEntry(&expectedStats.IoServicedRecursive, 8, 0, 41, "Write")
appendBlkioStatEntry(&expectedStats.IoServicedRecursive, 8, 0, 21, "Sync")
appendBlkioStatEntry(&expectedStats.IoServicedRecursive, 8, 0, 31, "Async")
appendBlkioStatEntry(&expectedStats.IoServicedRecursive, 8, 0, 51, "Total")
expectBlkioStatsEquals(t, expectedStats, actualStats.BlkioStats)
}
func TestBlkioStatsNoFilesBFQDebug(t *testing.T) {
if testing.Short() {
t.Skip("skipping test in short mode.")
}
testCases := []blkioStatFailureTestCase{
{
desc: "missing blkio.bfq.io_service_bytes_recursive file",
filename: "blkio.bfq.io_service_bytes_recursive",
},
{
desc: "missing blkio.bfq.io_serviced_recursive file",
filename: "blkio.bfq.io_serviced_recursive",
},
{
desc: "missing blkio.bfq.io_queued_recursive file",
filename: "blkio.bfq.io_queued_recursive",
},
{
desc: "missing blkio.bfq.sectors_recursive file",
filename: "blkio.bfq.sectors_recursive",
},
{
desc: "missing blkio.bfq.io_service_time_recursive file",
filename: "blkio.bfq.io_service_time_recursive",
},
{
desc: "missing blkio.bfq.io_wait_time_recursive file",
filename: "blkio.bfq.io_wait_time_recursive",
},
{
desc: "missing blkio.bfq.io_merged_recursive file",
filename: "blkio.bfq.io_merged_recursive",
},
{
desc: "missing blkio.bfq.time_recursive file",
filename: "blkio.bfq.time_recursive",
},
}
for _, testCase := range testCases {
helper := NewCgroupTestUtil("cpuset", t)
defer helper.cleanup()
tempBlkioTestFiles := map[string]string{}
for i, v := range blkioBFQDebugStatsTestFiles {
tempBlkioTestFiles[i] = v
}
delete(tempBlkioTestFiles, testCase.filename)
helper.writeFileContents(tempBlkioTestFiles)
cpuset := &CpusetGroup{}
actualStats := *cgroups.NewStats()
err := cpuset.GetStats(helper.CgroupPath, &actualStats)
if err != nil {
t.Errorf(fmt.Sprintf("test case '%s' failed unexpectedly: %s", testCase.desc, err))
}
}
}
func TestBlkioCFQStats(t *testing.T) {
helper := NewCgroupTestUtil("blkio", t)
defer helper.cleanup()
helper.writeFileContents(blkioCFQStatsTestFiles)
blkio := &BlkioGroup{}
actualStats := *cgroups.NewStats()
err := blkio.GetStats(helper.CgroupPath, &actualStats)
if err != nil {
t.Fatal(err)
}
// Verify expected stats.
expectedStats := cgroups.BlkioStats{}
appendBlkioStatEntry(&expectedStats.SectorsRecursive, 8, 0, 1024, "")
appendBlkioStatEntry(&expectedStats.IoServiceBytesRecursive, 8, 0, 100, "Read")
appendBlkioStatEntry(&expectedStats.IoServiceBytesRecursive, 8, 0, 200, "Write")
appendBlkioStatEntry(&expectedStats.IoServiceBytesRecursive, 8, 0, 300, "Sync")
appendBlkioStatEntry(&expectedStats.IoServiceBytesRecursive, 8, 0, 500, "Async")
appendBlkioStatEntry(&expectedStats.IoServiceBytesRecursive, 8, 0, 500, "Total")
appendBlkioStatEntry(&expectedStats.IoServicedRecursive, 8, 0, 10, "Read")
appendBlkioStatEntry(&expectedStats.IoServicedRecursive, 8, 0, 40, "Write")
appendBlkioStatEntry(&expectedStats.IoServicedRecursive, 8, 0, 20, "Sync")
appendBlkioStatEntry(&expectedStats.IoServicedRecursive, 8, 0, 30, "Async")
appendBlkioStatEntry(&expectedStats.IoServicedRecursive, 8, 0, 50, "Total")
appendBlkioStatEntry(&expectedStats.IoQueuedRecursive, 8, 0, 1, "Read")
appendBlkioStatEntry(&expectedStats.IoQueuedRecursive, 8, 0, 4, "Write")
appendBlkioStatEntry(&expectedStats.IoQueuedRecursive, 8, 0, 2, "Sync")
appendBlkioStatEntry(&expectedStats.IoQueuedRecursive, 8, 0, 3, "Async")
appendBlkioStatEntry(&expectedStats.IoQueuedRecursive, 8, 0, 5, "Total")
appendBlkioStatEntry(&expectedStats.IoServiceTimeRecursive, 8, 0, 173959, "Read")
appendBlkioStatEntry(&expectedStats.IoServiceTimeRecursive, 8, 0, 0, "Write")
appendBlkioStatEntry(&expectedStats.IoServiceTimeRecursive, 8, 0, 0, "Sync")
appendBlkioStatEntry(&expectedStats.IoServiceTimeRecursive, 8, 0, 173959, "Async")
appendBlkioStatEntry(&expectedStats.IoServiceTimeRecursive, 8, 0, 17395, "Total")
appendBlkioStatEntry(&expectedStats.IoWaitTimeRecursive, 8, 0, 15571, "Read")
appendBlkioStatEntry(&expectedStats.IoWaitTimeRecursive, 8, 0, 0, "Write")
appendBlkioStatEntry(&expectedStats.IoWaitTimeRecursive, 8, 0, 0, "Sync")
appendBlkioStatEntry(&expectedStats.IoWaitTimeRecursive, 8, 0, 15571, "Async")
appendBlkioStatEntry(&expectedStats.IoWaitTimeRecursive, 8, 0, 15571, "Total")
appendBlkioStatEntry(&expectedStats.IoMergedRecursive, 8, 0, 5, "Read")
appendBlkioStatEntry(&expectedStats.IoMergedRecursive, 8, 0, 10, "Write")
appendBlkioStatEntry(&expectedStats.IoMergedRecursive, 8, 0, 0, "Sync")
appendBlkioStatEntry(&expectedStats.IoMergedRecursive, 8, 0, 0, "Async")
appendBlkioStatEntry(&expectedStats.IoMergedRecursive, 8, 0, 15, "Total")
appendBlkioStatEntry(&expectedStats.IoTimeRecursive, 8, 0, 8, "")
expectBlkioStatsEquals(t, expectedStats, actualStats.BlkioStats)
}
func TestBlkioStatsNoFilesCFQ(t *testing.T) {
if testing.Short() {
t.Skip("skipping test in short mode.")
}
testCases := []blkioStatFailureTestCase{
{
desc: "missing blkio.io_service_bytes_recursive file",
filename: "blkio.io_service_bytes_recursive",
},
{
desc: "missing blkio.io_serviced_recursive file",
filename: "blkio.io_serviced_recursive",
},
{
desc: "missing blkio.io_queued_recursive file",
filename: "blkio.io_queued_recursive",
},
{
desc: "missing blkio.sectors_recursive file",
filename: "blkio.sectors_recursive",
},
{
desc: "missing blkio.io_service_time_recursive file",
filename: "blkio.io_service_time_recursive",
},
{
desc: "missing blkio.io_wait_time_recursive file",
filename: "blkio.io_wait_time_recursive",
},
{
desc: "missing blkio.io_merged_recursive file",
filename: "blkio.io_merged_recursive",
},
{
desc: "missing blkio.time_recursive file",
filename: "blkio.time_recursive",
},
}
for _, testCase := range testCases {
helper := NewCgroupTestUtil("cpuset", t)
defer helper.cleanup()
tempBlkioTestFiles := map[string]string{}
for i, v := range blkioCFQStatsTestFiles {
tempBlkioTestFiles[i] = v
}
delete(tempBlkioTestFiles, testCase.filename)
helper.writeFileContents(tempBlkioTestFiles)
cpuset := &CpusetGroup{}
actualStats := *cgroups.NewStats()
err := cpuset.GetStats(helper.CgroupPath, &actualStats)
if err != nil {
t.Errorf(fmt.Sprintf("test case '%s' failed unexpectedly: %s", testCase.desc, err))
}
}
}
func TestBlkioStatsUnexpectedNumberOfFields(t *testing.T) {
helper := NewCgroupTestUtil("blkio", t)
defer helper.cleanup()
helper.writeFileContents(map[string]string{
"blkio.io_service_bytes_recursive": "8:0 Read 100 100",
"blkio.io_serviced_recursive": servicedRecursiveContents,
"blkio.io_queued_recursive": queuedRecursiveContents,
"blkio.sectors_recursive": sectorsRecursiveContents,
"blkio.io_service_time_recursive": serviceTimeRecursiveContents,
"blkio.io_wait_time_recursive": waitTimeRecursiveContents,
"blkio.io_merged_recursive": mergedRecursiveContents,
"blkio.time_recursive": timeRecursiveContents,
})
blkio := &BlkioGroup{}
actualStats := *cgroups.NewStats()
err := blkio.GetStats(helper.CgroupPath, &actualStats)
if err == nil {
t.Fatal("Expected to fail, but did not")
}
}
func TestBlkioStatsUnexpectedFieldType(t *testing.T) {
helper := NewCgroupTestUtil("blkio", t)
defer helper.cleanup()
helper.writeFileContents(map[string]string{
"blkio.io_service_bytes_recursive": "8:0 Read Write",
"blkio.io_serviced_recursive": servicedRecursiveContents,
"blkio.io_queued_recursive": queuedRecursiveContents,
"blkio.sectors_recursive": sectorsRecursiveContents,
"blkio.io_service_time_recursive": serviceTimeRecursiveContents,
"blkio.io_wait_time_recursive": waitTimeRecursiveContents,
"blkio.io_merged_recursive": mergedRecursiveContents,
"blkio.time_recursive": timeRecursiveContents,
})
blkio := &BlkioGroup{}
actualStats := *cgroups.NewStats()
err := blkio.GetStats(helper.CgroupPath, &actualStats)
if err == nil {
t.Fatal("Expected to fail, but did not")
}
}
func TestThrottleRecursiveBlkioStats(t *testing.T) {
helper := NewCgroupTestUtil("blkio", t)
defer helper.cleanup()
helper.writeFileContents(map[string]string{
"blkio.io_service_bytes_recursive": "",
"blkio.io_serviced_recursive": "",
"blkio.io_queued_recursive": "",
"blkio.sectors_recursive": "",
"blkio.io_service_time_recursive": "",
"blkio.io_wait_time_recursive": "",
"blkio.io_merged_recursive": "",
"blkio.time_recursive": "",
"blkio.throttle.io_service_bytes_recursive": throttleServiceBytesRecursive,
"blkio.throttle.io_serviced_recursive": throttleServicedRecursive,
})
blkio := &BlkioGroup{}
actualStats := *cgroups.NewStats()
err := blkio.GetStats(helper.CgroupPath, &actualStats)
if err != nil {
t.Fatal(err)
}
// Verify expected stats.
expectedStats := cgroups.BlkioStats{}
appendBlkioStatEntry(&expectedStats.IoServiceBytesRecursive, 8, 0, 110305281, "Read")
appendBlkioStatEntry(&expectedStats.IoServiceBytesRecursive, 8, 0, 231, "Write")
appendBlkioStatEntry(&expectedStats.IoServiceBytesRecursive, 8, 0, 421, "Sync")
appendBlkioStatEntry(&expectedStats.IoServiceBytesRecursive, 8, 0, 110305281, "Async")
appendBlkioStatEntry(&expectedStats.IoServiceBytesRecursive, 8, 0, 110305281, "Total")
appendBlkioStatEntry(&expectedStats.IoServiceBytesRecursive, 252, 0, 110305281, "Read")
appendBlkioStatEntry(&expectedStats.IoServiceBytesRecursive, 252, 0, 231, "Write")
appendBlkioStatEntry(&expectedStats.IoServiceBytesRecursive, 252, 0, 421, "Sync")
appendBlkioStatEntry(&expectedStats.IoServiceBytesRecursive, 252, 0, 110305281, "Async")
appendBlkioStatEntry(&expectedStats.IoServiceBytesRecursive, 252, 0, 110305281, "Total")
appendBlkioStatEntry(&expectedStats.IoServicedRecursive, 8, 0, 1641, "Read")
appendBlkioStatEntry(&expectedStats.IoServicedRecursive, 8, 0, 231, "Write")
appendBlkioStatEntry(&expectedStats.IoServicedRecursive, 8, 0, 421, "Sync")
appendBlkioStatEntry(&expectedStats.IoServicedRecursive, 8, 0, 1641, "Async")
appendBlkioStatEntry(&expectedStats.IoServicedRecursive, 8, 0, 1641, "Total")
appendBlkioStatEntry(&expectedStats.IoServicedRecursive, 252, 0, 1641, "Read")
appendBlkioStatEntry(&expectedStats.IoServicedRecursive, 252, 0, 231, "Write")
appendBlkioStatEntry(&expectedStats.IoServicedRecursive, 252, 0, 421, "Sync")
appendBlkioStatEntry(&expectedStats.IoServicedRecursive, 252, 0, 1641, "Async")
appendBlkioStatEntry(&expectedStats.IoServicedRecursive, 252, 0, 1641, "Total")
expectBlkioStatsEquals(t, expectedStats, actualStats.BlkioStats)
}
func TestThrottleBlkioStats(t *testing.T) {
helper := NewCgroupTestUtil("blkio", t)
defer helper.cleanup()
helper.writeFileContents(map[string]string{
"blkio.io_service_bytes_recursive": "",
"blkio.io_serviced_recursive": "",
"blkio.io_queued_recursive": "",
"blkio.sectors_recursive": "",
"blkio.io_service_time_recursive": "",
"blkio.io_wait_time_recursive": "",
"blkio.io_merged_recursive": "",
"blkio.time_recursive": "",
"blkio.throttle.io_service_bytes": throttleServiceBytes,
"blkio.throttle.io_serviced": throttleServiced,
})
blkio := &BlkioGroup{}
actualStats := *cgroups.NewStats()
err := blkio.GetStats(helper.CgroupPath, &actualStats)
if err != nil {
t.Fatal(err)
}
// Verify expected stats.
expectedStats := cgroups.BlkioStats{}
appendBlkioStatEntry(&expectedStats.IoServiceBytesRecursive, 8, 0, 11030528, "Read")
appendBlkioStatEntry(&expectedStats.IoServiceBytesRecursive, 8, 0, 23, "Write")
appendBlkioStatEntry(&expectedStats.IoServiceBytesRecursive, 8, 0, 42, "Sync")
appendBlkioStatEntry(&expectedStats.IoServiceBytesRecursive, 8, 0, 11030528, "Async")
appendBlkioStatEntry(&expectedStats.IoServiceBytesRecursive, 8, 0, 11030528, "Total")
appendBlkioStatEntry(&expectedStats.IoServiceBytesRecursive, 252, 0, 11030528, "Read")
appendBlkioStatEntry(&expectedStats.IoServiceBytesRecursive, 252, 0, 23, "Write")
appendBlkioStatEntry(&expectedStats.IoServiceBytesRecursive, 252, 0, 42, "Sync")
appendBlkioStatEntry(&expectedStats.IoServiceBytesRecursive, 252, 0, 11030528, "Async")
appendBlkioStatEntry(&expectedStats.IoServiceBytesRecursive, 252, 0, 11030528, "Total")
appendBlkioStatEntry(&expectedStats.IoServicedRecursive, 8, 0, 164, "Read")
appendBlkioStatEntry(&expectedStats.IoServicedRecursive, 8, 0, 23, "Write")
appendBlkioStatEntry(&expectedStats.IoServicedRecursive, 8, 0, 42, "Sync")
appendBlkioStatEntry(&expectedStats.IoServicedRecursive, 8, 0, 164, "Async")
appendBlkioStatEntry(&expectedStats.IoServicedRecursive, 8, 0, 164, "Total")
appendBlkioStatEntry(&expectedStats.IoServicedRecursive, 252, 0, 164, "Read")
appendBlkioStatEntry(&expectedStats.IoServicedRecursive, 252, 0, 23, "Write")
appendBlkioStatEntry(&expectedStats.IoServicedRecursive, 252, 0, 42, "Sync")
appendBlkioStatEntry(&expectedStats.IoServicedRecursive, 252, 0, 164, "Async")
appendBlkioStatEntry(&expectedStats.IoServicedRecursive, 252, 0, 164, "Total")
expectBlkioStatsEquals(t, expectedStats, actualStats.BlkioStats)
}
func TestBlkioSetThrottleReadBpsDevice(t *testing.T) {
helper := NewCgroupTestUtil("blkio", t)
defer helper.cleanup()
const (
throttleBefore = `8:0 1024`
)
td := configs.NewThrottleDevice(8, 0, 2048)
throttleAfter := td.String()
helper.writeFileContents(map[string]string{
"blkio.throttle.read_bps_device": throttleBefore,
})
helper.CgroupData.config.Resources.BlkioThrottleReadBpsDevice = []*configs.ThrottleDevice{td}
blkio := &BlkioGroup{}
if err := blkio.Set(helper.CgroupPath, helper.CgroupData.config.Resources); err != nil {
t.Fatal(err)
}
value, err := fscommon.GetCgroupParamString(helper.CgroupPath, "blkio.throttle.read_bps_device")
if err != nil {
t.Fatalf("Failed to parse blkio.throttle.read_bps_device - %s", err)
}
if value != throttleAfter {
t.Fatal("Got the wrong value, set blkio.throttle.read_bps_device failed.")
}
}
func TestBlkioSetThrottleWriteBpsDevice(t *testing.T) {
helper := NewCgroupTestUtil("blkio", t)
defer helper.cleanup()
const (
throttleBefore = `8:0 1024`
)
td := configs.NewThrottleDevice(8, 0, 2048)
throttleAfter := td.String()
helper.writeFileContents(map[string]string{
"blkio.throttle.write_bps_device": throttleBefore,
})
helper.CgroupData.config.Resources.BlkioThrottleWriteBpsDevice = []*configs.ThrottleDevice{td}
blkio := &BlkioGroup{}
if err := blkio.Set(helper.CgroupPath, helper.CgroupData.config.Resources); err != nil {
t.Fatal(err)
}
value, err := fscommon.GetCgroupParamString(helper.CgroupPath, "blkio.throttle.write_bps_device")
if err != nil {
t.Fatalf("Failed to parse blkio.throttle.write_bps_device - %s", err)
}
if value != throttleAfter {
t.Fatal("Got the wrong value, set blkio.throttle.write_bps_device failed.")
}
}
func TestBlkioSetThrottleReadIOpsDevice(t *testing.T) {
helper := NewCgroupTestUtil("blkio", t)
defer helper.cleanup()
const (
throttleBefore = `8:0 1024`
)
td := configs.NewThrottleDevice(8, 0, 2048)
throttleAfter := td.String()
helper.writeFileContents(map[string]string{
"blkio.throttle.read_iops_device": throttleBefore,
})
helper.CgroupData.config.Resources.BlkioThrottleReadIOPSDevice = []*configs.ThrottleDevice{td}
blkio := &BlkioGroup{}
if err := blkio.Set(helper.CgroupPath, helper.CgroupData.config.Resources); err != nil {
t.Fatal(err)
}
value, err := fscommon.GetCgroupParamString(helper.CgroupPath, "blkio.throttle.read_iops_device")
if err != nil {
t.Fatalf("Failed to parse blkio.throttle.read_iops_device - %s", err)
}
if value != throttleAfter {
t.Fatal("Got the wrong value, set blkio.throttle.read_iops_device failed.")
}
}
func TestBlkioSetThrottleWriteIOpsDevice(t *testing.T) {
helper := NewCgroupTestUtil("blkio", t)
defer helper.cleanup()
const (
throttleBefore = `8:0 1024`
)
td := configs.NewThrottleDevice(8, 0, 2048)
throttleAfter := td.String()
helper.writeFileContents(map[string]string{
"blkio.throttle.write_iops_device": throttleBefore,
})
helper.CgroupData.config.Resources.BlkioThrottleWriteIOPSDevice = []*configs.ThrottleDevice{td}
blkio := &BlkioGroup{}
if err := blkio.Set(helper.CgroupPath, helper.CgroupData.config.Resources); err != nil {
t.Fatal(err)
}
value, err := fscommon.GetCgroupParamString(helper.CgroupPath, "blkio.throttle.write_iops_device")
if err != nil {
t.Fatalf("Failed to parse blkio.throttle.write_iops_device - %s", err)
}
if value != throttleAfter {
t.Fatal("Got the wrong value, set blkio.throttle.write_iops_device failed.")
}
}
-116
View File
@@ -1,116 +0,0 @@
// +build linux
package fs
import (
"bufio"
"fmt"
"os"
"strconv"
"github.com/opencontainers/runc/libcontainer/cgroups"
"github.com/opencontainers/runc/libcontainer/cgroups/fscommon"
"github.com/opencontainers/runc/libcontainer/configs"
)
type CpuGroup struct {
}
func (s *CpuGroup) Name() string {
return "cpu"
}
func (s *CpuGroup) Apply(path string, d *cgroupData) error {
// This might happen if we have no cpu cgroup mounted.
// Just do nothing and don't fail.
if path == "" {
return nil
}
if err := os.MkdirAll(path, 0755); err != nil {
return err
}
// We should set the real-Time group scheduling settings before moving
// in the process because if the process is already in SCHED_RR mode
// and no RT bandwidth is set, adding it will fail.
if err := s.SetRtSched(path, d.config.Resources); err != nil {
return err
}
// Since we are not using join(), we need to place the pid
// into the procs file unlike other subsystems.
return cgroups.WriteCgroupProc(path, d.pid)
}
func (s *CpuGroup) SetRtSched(path string, r *configs.Resources) error {
if r.CpuRtPeriod != 0 {
if err := fscommon.WriteFile(path, "cpu.rt_period_us", strconv.FormatUint(r.CpuRtPeriod, 10)); err != nil {
return err
}
}
if r.CpuRtRuntime != 0 {
if err := fscommon.WriteFile(path, "cpu.rt_runtime_us", strconv.FormatInt(r.CpuRtRuntime, 10)); err != nil {
return err
}
}
return nil
}
func (s *CpuGroup) Set(path string, r *configs.Resources) error {
if r.CpuShares != 0 {
shares := r.CpuShares
if err := fscommon.WriteFile(path, "cpu.shares", strconv.FormatUint(shares, 10)); err != nil {
return err
}
// read it back
sharesRead, err := fscommon.GetCgroupParamUint(path, "cpu.shares")
if err != nil {
return err
}
// ... and check
if shares > sharesRead {
return fmt.Errorf("the maximum allowed cpu-shares is %d", sharesRead)
} else if shares < sharesRead {
return fmt.Errorf("the minimum allowed cpu-shares is %d", sharesRead)
}
}
if r.CpuPeriod != 0 {
if err := fscommon.WriteFile(path, "cpu.cfs_period_us", strconv.FormatUint(r.CpuPeriod, 10)); err != nil {
return err
}
}
if r.CpuQuota != 0 {
if err := fscommon.WriteFile(path, "cpu.cfs_quota_us", strconv.FormatInt(r.CpuQuota, 10)); err != nil {
return err
}
}
return s.SetRtSched(path, r)
}
func (s *CpuGroup) GetStats(path string, stats *cgroups.Stats) error {
f, err := fscommon.OpenFile(path, "cpu.stat", os.O_RDONLY)
if err != nil {
if os.IsNotExist(err) {
return nil
}
return err
}
defer f.Close()
sc := bufio.NewScanner(f)
for sc.Scan() {
t, v, err := fscommon.ParseKeyValue(sc.Text())
if err != nil {
return err
}
switch t {
case "nr_periods":
stats.CpuStats.ThrottlingData.Periods = v
case "nr_throttled":
stats.CpuStats.ThrottlingData.ThrottledPeriods = v
case "throttled_time":
stats.CpuStats.ThrottlingData.ThrottledTime = v
}
}
return nil
}
-212
View File
@@ -1,212 +0,0 @@
// +build linux
package fs
import (
"fmt"
"strconv"
"testing"
"github.com/opencontainers/runc/libcontainer/cgroups"
"github.com/opencontainers/runc/libcontainer/cgroups/fscommon"
)
func TestCpuSetShares(t *testing.T) {
helper := NewCgroupTestUtil("cpu", t)
defer helper.cleanup()
const (
sharesBefore = 1024
sharesAfter = 512
)
helper.writeFileContents(map[string]string{
"cpu.shares": strconv.Itoa(sharesBefore),
})
helper.CgroupData.config.Resources.CpuShares = sharesAfter
cpu := &CpuGroup{}
if err := cpu.Set(helper.CgroupPath, helper.CgroupData.config.Resources); err != nil {
t.Fatal(err)
}
value, err := fscommon.GetCgroupParamUint(helper.CgroupPath, "cpu.shares")
if err != nil {
t.Fatalf("Failed to parse cpu.shares - %s", err)
}
if value != sharesAfter {
t.Fatal("Got the wrong value, set cpu.shares failed.")
}
}
func TestCpuSetBandWidth(t *testing.T) {
helper := NewCgroupTestUtil("cpu", t)
defer helper.cleanup()
const (
quotaBefore = 8000
quotaAfter = 5000
periodBefore = 10000
periodAfter = 7000
rtRuntimeBefore = 8000
rtRuntimeAfter = 5000
rtPeriodBefore = 10000
rtPeriodAfter = 7000
)
helper.writeFileContents(map[string]string{
"cpu.cfs_quota_us": strconv.Itoa(quotaBefore),
"cpu.cfs_period_us": strconv.Itoa(periodBefore),
"cpu.rt_runtime_us": strconv.Itoa(rtRuntimeBefore),
"cpu.rt_period_us": strconv.Itoa(rtPeriodBefore),
})
helper.CgroupData.config.Resources.CpuQuota = quotaAfter
helper.CgroupData.config.Resources.CpuPeriod = periodAfter
helper.CgroupData.config.Resources.CpuRtRuntime = rtRuntimeAfter
helper.CgroupData.config.Resources.CpuRtPeriod = rtPeriodAfter
cpu := &CpuGroup{}
if err := cpu.Set(helper.CgroupPath, helper.CgroupData.config.Resources); err != nil {
t.Fatal(err)
}
quota, err := fscommon.GetCgroupParamUint(helper.CgroupPath, "cpu.cfs_quota_us")
if err != nil {
t.Fatalf("Failed to parse cpu.cfs_quota_us - %s", err)
}
if quota != quotaAfter {
t.Fatal("Got the wrong value, set cpu.cfs_quota_us failed.")
}
period, err := fscommon.GetCgroupParamUint(helper.CgroupPath, "cpu.cfs_period_us")
if err != nil {
t.Fatalf("Failed to parse cpu.cfs_period_us - %s", err)
}
if period != periodAfter {
t.Fatal("Got the wrong value, set cpu.cfs_period_us failed.")
}
rtRuntime, err := fscommon.GetCgroupParamUint(helper.CgroupPath, "cpu.rt_runtime_us")
if err != nil {
t.Fatalf("Failed to parse cpu.rt_runtime_us - %s", err)
}
if rtRuntime != rtRuntimeAfter {
t.Fatal("Got the wrong value, set cpu.rt_runtime_us failed.")
}
rtPeriod, err := fscommon.GetCgroupParamUint(helper.CgroupPath, "cpu.rt_period_us")
if err != nil {
t.Fatalf("Failed to parse cpu.rt_period_us - %s", err)
}
if rtPeriod != rtPeriodAfter {
t.Fatal("Got the wrong value, set cpu.rt_period_us failed.")
}
}
func TestCpuStats(t *testing.T) {
helper := NewCgroupTestUtil("cpu", t)
defer helper.cleanup()
const (
nrPeriods = 2000
nrThrottled = 200
throttledTime = uint64(18446744073709551615)
)
cpuStatContent := fmt.Sprintf("nr_periods %d\nnr_throttled %d\nthrottled_time %d\n",
nrPeriods, nrThrottled, throttledTime)
helper.writeFileContents(map[string]string{
"cpu.stat": cpuStatContent,
})
cpu := &CpuGroup{}
actualStats := *cgroups.NewStats()
err := cpu.GetStats(helper.CgroupPath, &actualStats)
if err != nil {
t.Fatal(err)
}
expectedStats := cgroups.ThrottlingData{
Periods: nrPeriods,
ThrottledPeriods: nrThrottled,
ThrottledTime: throttledTime}
expectThrottlingDataEquals(t, expectedStats, actualStats.CpuStats.ThrottlingData)
}
func TestNoCpuStatFile(t *testing.T) {
helper := NewCgroupTestUtil("cpu", t)
defer helper.cleanup()
cpu := &CpuGroup{}
actualStats := *cgroups.NewStats()
err := cpu.GetStats(helper.CgroupPath, &actualStats)
if err != nil {
t.Fatal("Expected not to fail, but did")
}
}
func TestInvalidCpuStat(t *testing.T) {
helper := NewCgroupTestUtil("cpu", t)
defer helper.cleanup()
cpuStatContent := `nr_periods 2000
nr_throttled 200
throttled_time fortytwo`
helper.writeFileContents(map[string]string{
"cpu.stat": cpuStatContent,
})
cpu := &CpuGroup{}
actualStats := *cgroups.NewStats()
err := cpu.GetStats(helper.CgroupPath, &actualStats)
if err == nil {
t.Fatal("Expected failed stat parsing.")
}
}
func TestCpuSetRtSchedAtApply(t *testing.T) {
helper := NewCgroupTestUtil("cpu", t)
defer helper.cleanup()
const (
rtRuntimeBefore = 0
rtRuntimeAfter = 5000
rtPeriodBefore = 0
rtPeriodAfter = 7000
)
helper.writeFileContents(map[string]string{
"cpu.rt_runtime_us": strconv.Itoa(rtRuntimeBefore),
"cpu.rt_period_us": strconv.Itoa(rtPeriodBefore),
})
helper.CgroupData.config.Resources.CpuRtRuntime = rtRuntimeAfter
helper.CgroupData.config.Resources.CpuRtPeriod = rtPeriodAfter
cpu := &CpuGroup{}
helper.CgroupData.pid = 1234
if err := cpu.Apply(helper.CgroupPath, helper.CgroupData); err != nil {
t.Fatal(err)
}
rtRuntime, err := fscommon.GetCgroupParamUint(helper.CgroupPath, "cpu.rt_runtime_us")
if err != nil {
t.Fatalf("Failed to parse cpu.rt_runtime_us - %s", err)
}
if rtRuntime != rtRuntimeAfter {
t.Fatal("Got the wrong value, set cpu.rt_runtime_us failed.")
}
rtPeriod, err := fscommon.GetCgroupParamUint(helper.CgroupPath, "cpu.rt_period_us")
if err != nil {
t.Fatalf("Failed to parse cpu.rt_period_us - %s", err)
}
if rtPeriod != rtPeriodAfter {
t.Fatal("Got the wrong value, set cpu.rt_period_us failed.")
}
pid, err := fscommon.GetCgroupParamUint(helper.CgroupPath, "cgroup.procs")
if err != nil {
t.Fatalf("Failed to parse cgroup.procs - %s", err)
}
if pid != 1234 {
t.Fatal("Got the wrong value, set cgroup.procs failed.")
}
}
-93
View File
@@ -1,93 +0,0 @@
// +build linux
package fs
import (
"reflect"
"testing"
"github.com/opencontainers/runc/libcontainer/cgroups"
)
const (
cpuAcctUsageContents = "12262454190222160"
cpuAcctUsagePerCPUContents = "1564936537989058 1583937096487821 1604195415465681 1596445226820187 1481069084155629 1478735613864327 1477610593414743 1476362015778086"
cpuAcctStatContents = "user 452278264\nsystem 291429664"
cpuAcctUsageAll = `cpu user system
0 962250696038415 637727786389114
1 981956408513304 638197595421064
2 1002658817529022 638956774598358
3 994937703492523 637985531181620
4 874843781648690 638837766495476
5 872544369885276 638763309884944
6 870104915696359 640081778921247
7 870202363887496 638716766259495
`
)
func TestCpuacctStats(t *testing.T) {
helper := NewCgroupTestUtil("cpuacct.", t)
defer helper.cleanup()
helper.writeFileContents(map[string]string{
"cpuacct.usage": cpuAcctUsageContents,
"cpuacct.usage_percpu": cpuAcctUsagePerCPUContents,
"cpuacct.stat": cpuAcctStatContents,
"cpuacct.usage_all": cpuAcctUsageAll,
})
cpuacct := &CpuacctGroup{}
actualStats := *cgroups.NewStats()
err := cpuacct.GetStats(helper.CgroupPath, &actualStats)
if err != nil {
t.Fatal(err)
}
expectedStats := cgroups.CpuUsage{
TotalUsage: uint64(12262454190222160),
PercpuUsage: []uint64{1564936537989058, 1583937096487821, 1604195415465681, 1596445226820187,
1481069084155629, 1478735613864327, 1477610593414743, 1476362015778086},
PercpuUsageInKernelmode: []uint64{637727786389114, 638197595421064, 638956774598358, 637985531181620,
638837766495476, 638763309884944, 640081778921247, 638716766259495},
PercpuUsageInUsermode: []uint64{962250696038415, 981956408513304, 1002658817529022, 994937703492523,
874843781648690, 872544369885276, 870104915696359, 870202363887496},
UsageInKernelmode: (uint64(291429664) * nanosecondsInSecond) / clockTicks,
UsageInUsermode: (uint64(452278264) * nanosecondsInSecond) / clockTicks,
}
if !reflect.DeepEqual(expectedStats, actualStats.CpuStats.CpuUsage) {
t.Errorf("Expected CPU usage %#v but found %#v\n",
expectedStats, actualStats.CpuStats.CpuUsage)
}
}
func TestCpuacctStatsWithoutUsageAll(t *testing.T) {
helper := NewCgroupTestUtil("cpuacct.", t)
defer helper.cleanup()
helper.writeFileContents(map[string]string{
"cpuacct.usage": cpuAcctUsageContents,
"cpuacct.usage_percpu": cpuAcctUsagePerCPUContents,
"cpuacct.stat": cpuAcctStatContents,
})
cpuacct := &CpuacctGroup{}
actualStats := *cgroups.NewStats()
err := cpuacct.GetStats(helper.CgroupPath, &actualStats)
if err != nil {
t.Fatal(err)
}
expectedStats := cgroups.CpuUsage{
TotalUsage: uint64(12262454190222160),
PercpuUsage: []uint64{1564936537989058, 1583937096487821, 1604195415465681, 1596445226820187,
1481069084155629, 1478735613864327, 1477610593414743, 1476362015778086},
PercpuUsageInKernelmode: []uint64{},
PercpuUsageInUsermode: []uint64{},
UsageInKernelmode: (uint64(291429664) * nanosecondsInSecond) / clockTicks,
UsageInUsermode: (uint64(452278264) * nanosecondsInSecond) / clockTicks,
}
if !reflect.DeepEqual(expectedStats, actualStats.CpuStats.CpuUsage) {
t.Errorf("Expected CPU usage %#v but found %#v\n",
expectedStats, actualStats.CpuStats.CpuUsage)
}
}
-246
View File
@@ -1,246 +0,0 @@
// +build linux
package fs
import (
"reflect"
"testing"
"github.com/opencontainers/runc/libcontainer/cgroups"
"github.com/opencontainers/runc/libcontainer/cgroups/fscommon"
)
const (
cpus = "0-2,7,12-14\n"
cpuExclusive = "1\n"
mems = "1-4,6,9\n"
memHardwall = "0\n"
memExclusive = "0\n"
memoryMigrate = "1\n"
memorySpreadPage = "0\n"
memorySpeadSlab = "1\n"
memoryPressure = "34377\n"
schedLoadBalance = "1\n"
schedRelaxDomainLevel = "-1\n"
)
var cpusetTestFiles = map[string]string{
"cpuset.cpus": cpus,
"cpuset.cpu_exclusive": cpuExclusive,
"cpuset.mems": mems,
"cpuset.mem_hardwall": memHardwall,
"cpuset.mem_exclusive": memExclusive,
"cpuset.memory_migrate": memoryMigrate,
"cpuset.memory_spread_page": memorySpreadPage,
"cpuset.memory_spread_slab": memorySpeadSlab,
"cpuset.memory_pressure": memoryPressure,
"cpuset.sched_load_balance": schedLoadBalance,
"cpuset.sched_relax_domain_level": schedRelaxDomainLevel,
}
func TestCPUSetSetCpus(t *testing.T) {
helper := NewCgroupTestUtil("cpuset", t)
defer helper.cleanup()
const (
cpusBefore = "0"
cpusAfter = "1-3"
)
helper.writeFileContents(map[string]string{
"cpuset.cpus": cpusBefore,
})
helper.CgroupData.config.Resources.CpusetCpus = cpusAfter
cpuset := &CpusetGroup{}
if err := cpuset.Set(helper.CgroupPath, helper.CgroupData.config.Resources); err != nil {
t.Fatal(err)
}
value, err := fscommon.GetCgroupParamString(helper.CgroupPath, "cpuset.cpus")
if err != nil {
t.Fatalf("Failed to parse cpuset.cpus - %s", err)
}
if value != cpusAfter {
t.Fatal("Got the wrong value, set cpuset.cpus failed.")
}
}
func TestCPUSetSetMems(t *testing.T) {
helper := NewCgroupTestUtil("cpuset", t)
defer helper.cleanup()
const (
memsBefore = "0"
memsAfter = "1"
)
helper.writeFileContents(map[string]string{
"cpuset.mems": memsBefore,
})
helper.CgroupData.config.Resources.CpusetMems = memsAfter
cpuset := &CpusetGroup{}
if err := cpuset.Set(helper.CgroupPath, helper.CgroupData.config.Resources); err != nil {
t.Fatal(err)
}
value, err := fscommon.GetCgroupParamString(helper.CgroupPath, "cpuset.mems")
if err != nil {
t.Fatalf("Failed to parse cpuset.mems - %s", err)
}
if value != memsAfter {
t.Fatal("Got the wrong value, set cpuset.mems failed.")
}
}
func TestCPUSetStatsCorrect(t *testing.T) {
helper := NewCgroupTestUtil("cpuset", t)
defer helper.cleanup()
helper.writeFileContents(cpusetTestFiles)
cpuset := &CpusetGroup{}
actualStats := *cgroups.NewStats()
err := cpuset.GetStats(helper.CgroupPath, &actualStats)
if err != nil {
t.Fatal(err)
}
expectedStats := cgroups.CPUSetStats{
CPUs: []uint16{0, 1, 2, 7, 12, 13, 14},
CPUExclusive: 1,
Mems: []uint16{1, 2, 3, 4, 6, 9},
MemoryMigrate: 1,
MemHardwall: 0,
MemExclusive: 0,
MemorySpreadPage: 0,
MemorySpreadSlab: 1,
MemoryPressure: 34377,
SchedLoadBalance: 1,
SchedRelaxDomainLevel: -1}
if !reflect.DeepEqual(expectedStats, actualStats.CPUSetStats) {
t.Fatalf("Expected Cpuset stats usage %#v but found %#v",
expectedStats, actualStats.CPUSetStats)
}
}
func TestCPUSetStatsMissingFiles(t *testing.T) {
for _, testCase := range []struct {
desc string
filename, contents string
removeFile bool
}{
{
desc: "empty cpus file",
filename: "cpuset.cpus",
contents: "",
removeFile: false,
},
{
desc: "empty mems file",
filename: "cpuset.mems",
contents: "",
removeFile: false,
},
{
desc: "corrupted cpus file",
filename: "cpuset.cpus",
contents: "0-3,*4^2",
removeFile: false,
},
{
desc: "corrupted mems file",
filename: "cpuset.mems",
contents: "0,1,2-5,8-7",
removeFile: false,
},
{
desc: "missing cpu_exclusive file",
filename: "cpuset.cpu_exclusive",
contents: "",
removeFile: true,
},
{
desc: "missing memory_migrate file",
filename: "cpuset.memory_migrate",
contents: "",
removeFile: true,
},
{
desc: "missing mem_hardwall file",
filename: "cpuset.mem_hardwall",
contents: "",
removeFile: true,
},
{
desc: "missing mem_exclusive file",
filename: "cpuset.mem_exclusive",
contents: "",
removeFile: true,
},
{
desc: "missing memory_spread_page file",
filename: "cpuset.memory_spread_page",
contents: "",
removeFile: true,
},
{
desc: "missing memory_spread_slab file",
filename: "cpuset.memory_spread_slab",
contents: "",
removeFile: true,
},
{
desc: "missing memory_pressure file",
filename: "cpuset.memory_pressure",
contents: "",
removeFile: true,
},
{
desc: "missing sched_load_balance file",
filename: "cpuset.sched_load_balance",
contents: "",
removeFile: true,
},
{
desc: "missing sched_relax_domain_level file",
filename: "cpuset.sched_relax_domain_level",
contents: "",
removeFile: true,
},
} {
t.Run(testCase.desc, func(t *testing.T) {
helper := NewCgroupTestUtil("cpuset", t)
defer helper.cleanup()
tempCpusetTestFiles := map[string]string{}
for i, v := range cpusetTestFiles {
tempCpusetTestFiles[i] = v
}
if testCase.removeFile {
delete(tempCpusetTestFiles, testCase.filename)
helper.writeFileContents(tempCpusetTestFiles)
cpuset := &CpusetGroup{}
actualStats := *cgroups.NewStats()
err := cpuset.GetStats(helper.CgroupPath, &actualStats)
if err != nil {
t.Errorf("failed unexpectedly: %q", err)
}
} else {
tempCpusetTestFiles[testCase.filename] = testCase.contents
helper.writeFileContents(tempCpusetTestFiles)
cpuset := &CpusetGroup{}
actualStats := *cgroups.NewStats()
err := cpuset.GetStats(helper.CgroupPath, &actualStats)
if err == nil {
t.Error("failed to return expected error")
}
}
})
}
}
-52
View File
@@ -1,52 +0,0 @@
// +build linux
package fs
import (
"testing"
"github.com/opencontainers/runc/libcontainer/cgroups/fscommon"
"github.com/opencontainers/runc/libcontainer/devices"
)
func TestDevicesSetAllow(t *testing.T) {
helper := NewCgroupTestUtil("devices", t)
defer helper.cleanup()
helper.writeFileContents(map[string]string{
"devices.allow": "",
"devices.deny": "",
"devices.list": "a *:* rwm",
})
helper.CgroupData.config.Resources.Devices = []*devices.Rule{
{
Type: devices.CharDevice,
Major: 1,
Minor: 5,
Permissions: devices.Permissions("rwm"),
Allow: true,
},
}
d := &DevicesGroup{testingSkipFinalCheck: true}
if err := d.Set(helper.CgroupPath, helper.CgroupData.config.Resources); err != nil {
t.Fatal(err)
}
// The default deny rule must be written.
value, err := fscommon.GetCgroupParamString(helper.CgroupPath, "devices.deny")
if err != nil {
t.Fatalf("Failed to parse devices.deny: %s", err)
}
if value[0] != 'a' {
t.Errorf("Got the wrong value (%q), set devices.deny failed.", value)
}
// Permitted rule must be written.
if value, err := fscommon.GetCgroupParamString(helper.CgroupPath, "devices.allow"); err != nil {
t.Fatalf("Failed to parse devices.allow: %s", err)
} else if value != "c 1:5 rwm" {
t.Errorf("Got the wrong value (%q), set devices.allow failed.", value)
}
}
-48
View File
@@ -1,48 +0,0 @@
// +build linux
package fs
import (
"testing"
"github.com/opencontainers/runc/libcontainer/cgroups/fscommon"
"github.com/opencontainers/runc/libcontainer/configs"
)
func TestFreezerSetState(t *testing.T) {
helper := NewCgroupTestUtil("freezer", t)
defer helper.cleanup()
helper.writeFileContents(map[string]string{
"freezer.state": string(configs.Frozen),
})
helper.CgroupData.config.Resources.Freezer = configs.Thawed
freezer := &FreezerGroup{}
if err := freezer.Set(helper.CgroupPath, helper.CgroupData.config.Resources); err != nil {
t.Fatal(err)
}
value, err := fscommon.GetCgroupParamString(helper.CgroupPath, "freezer.state")
if err != nil {
t.Fatalf("Failed to parse freezer.state - %s", err)
}
if value != string(configs.Thawed) {
t.Fatal("Got the wrong value, set freezer.state failed.")
}
}
func TestFreezerSetInvalidState(t *testing.T) {
helper := NewCgroupTestUtil("freezer", t)
defer helper.cleanup()
const (
invalidArg configs.FreezerState = "Invalid"
)
helper.CgroupData.config.Resources.Freezer = invalidArg
freezer := &FreezerGroup{}
if err := freezer.Set(helper.CgroupPath, helper.CgroupData.config.Resources); err == nil {
t.Fatal("Failed to return invalid argument error")
}
}
-438
View File
@@ -1,438 +0,0 @@
// +build linux
package fs
import (
"fmt"
"os"
"path/filepath"
"sync"
"github.com/opencontainers/runc/libcontainer/cgroups"
"github.com/opencontainers/runc/libcontainer/cgroups/fscommon"
"github.com/opencontainers/runc/libcontainer/configs"
libcontainerUtils "github.com/opencontainers/runc/libcontainer/utils"
"github.com/pkg/errors"
"golang.org/x/sys/unix"
)
var (
subsystems = []subsystem{
&CpusetGroup{},
&DevicesGroup{},
&MemoryGroup{},
&CpuGroup{},
&CpuacctGroup{},
&PidsGroup{},
&BlkioGroup{},
&HugetlbGroup{},
&NetClsGroup{},
&NetPrioGroup{},
&PerfEventGroup{},
&FreezerGroup{},
&NameGroup{GroupName: "name=systemd", Join: true},
}
HugePageSizes, _ = cgroups.GetHugePageSize()
)
var errSubsystemDoesNotExist = errors.New("cgroup: subsystem does not exist")
type subsystem interface {
// Name returns the name of the subsystem.
Name() string
// Returns the stats, as 'stats', corresponding to the cgroup under 'path'.
GetStats(path string, stats *cgroups.Stats) error
// Creates and joins the cgroup represented by 'cgroupData'.
Apply(path string, c *cgroupData) error
// Set sets the cgroup resources.
Set(path string, r *configs.Resources) error
}
type manager struct {
mu sync.Mutex
cgroups *configs.Cgroup
rootless bool // ignore permission-related errors
paths map[string]string
}
func NewManager(cg *configs.Cgroup, paths map[string]string, rootless bool) cgroups.Manager {
return &manager{
cgroups: cg,
paths: paths,
rootless: rootless,
}
}
// The absolute path to the root of the cgroup hierarchies.
var cgroupRootLock sync.Mutex
var cgroupRoot string
const defaultCgroupRoot = "/sys/fs/cgroup"
func tryDefaultCgroupRoot() string {
var st, pst unix.Stat_t
// (1) it should be a directory...
err := unix.Lstat(defaultCgroupRoot, &st)
if err != nil || st.Mode&unix.S_IFDIR == 0 {
return ""
}
// (2) ... and a mount point ...
err = unix.Lstat(filepath.Dir(defaultCgroupRoot), &pst)
if err != nil {
return ""
}
if st.Dev == pst.Dev {
// parent dir has the same dev -- not a mount point
return ""
}
// (3) ... of 'tmpfs' fs type.
var fst unix.Statfs_t
err = unix.Statfs(defaultCgroupRoot, &fst)
if err != nil || fst.Type != unix.TMPFS_MAGIC {
return ""
}
// (4) it should have at least 1 entry ...
dir, err := os.Open(defaultCgroupRoot)
if err != nil {
return ""
}
names, err := dir.Readdirnames(1)
if err != nil {
return ""
}
if len(names) < 1 {
return ""
}
// ... which is a cgroup mount point.
err = unix.Statfs(filepath.Join(defaultCgroupRoot, names[0]), &fst)
if err != nil || fst.Type != unix.CGROUP_SUPER_MAGIC {
return ""
}
return defaultCgroupRoot
}
// Gets the cgroupRoot.
func getCgroupRoot() (string, error) {
cgroupRootLock.Lock()
defer cgroupRootLock.Unlock()
if cgroupRoot != "" {
return cgroupRoot, nil
}
// fast path
cgroupRoot = tryDefaultCgroupRoot()
if cgroupRoot != "" {
return cgroupRoot, nil
}
// slow path: parse mountinfo
mi, err := cgroups.GetCgroupMounts(false)
if err != nil {
return "", err
}
if len(mi) < 1 {
return "", errors.New("no cgroup mount found in mountinfo")
}
// Get the first cgroup mount (e.g. "/sys/fs/cgroup/memory"),
// use its parent directory.
root := filepath.Dir(mi[0].Mountpoint)
if _, err := os.Stat(root); err != nil {
return "", err
}
cgroupRoot = root
return cgroupRoot, nil
}
type cgroupData struct {
root string
innerPath string
config *configs.Cgroup
pid int
}
// isIgnorableError returns whether err is a permission error (in the loose
// sense of the word). This includes EROFS (which for an unprivileged user is
// basically a permission error) and EACCES (for similar reasons) as well as
// the normal EPERM.
func isIgnorableError(rootless bool, err error) bool {
// We do not ignore errors if we are root.
if !rootless {
return false
}
// TODO: rm errors.Cause once we switch to %w everywhere
err = errors.Cause(err)
// Is it an ordinary EPERM?
if errors.Is(err, os.ErrPermission) {
return true
}
// Handle some specific syscall errors.
var errno unix.Errno
if errors.As(err, &errno) {
return errno == unix.EROFS || errno == unix.EPERM || errno == unix.EACCES
}
return false
}
func (m *manager) Apply(pid int) (err error) {
if m.cgroups == nil {
return nil
}
m.mu.Lock()
defer m.mu.Unlock()
c := m.cgroups
if c.Resources.Unified != nil {
return cgroups.ErrV1NoUnified
}
m.paths = make(map[string]string)
if c.Paths != nil {
cgMap, err := cgroups.ParseCgroupFile("/proc/self/cgroup")
if err != nil {
return err
}
for name, path := range c.Paths {
// XXX(kolyshkin@): why this check is needed?
if _, ok := cgMap[name]; ok {
m.paths[name] = path
}
}
return cgroups.EnterPid(m.paths, pid)
}
d, err := getCgroupData(m.cgroups, pid)
if err != nil {
return err
}
for _, sys := range subsystems {
p, err := d.path(sys.Name())
if err != nil {
// The non-presence of the devices subsystem is
// considered fatal for security reasons.
if cgroups.IsNotFound(err) && (c.SkipDevices || sys.Name() != "devices") {
continue
}
return err
}
m.paths[sys.Name()] = p
if err := sys.Apply(p, d); err != nil {
// In the case of rootless (including euid=0 in userns), where an
// explicit cgroup path hasn't been set, we don't bail on error in
// case of permission problems. Cases where limits have been set
// (and we couldn't create our own cgroup) are handled by Set.
if isIgnorableError(m.rootless, err) && m.cgroups.Path == "" {
delete(m.paths, sys.Name())
continue
}
return err
}
}
return nil
}
func (m *manager) Destroy() error {
if m.cgroups == nil || m.cgroups.Paths != nil {
return nil
}
m.mu.Lock()
defer m.mu.Unlock()
return cgroups.RemovePaths(m.paths)
}
func (m *manager) Path(subsys string) string {
m.mu.Lock()
defer m.mu.Unlock()
return m.paths[subsys]
}
func (m *manager) GetStats() (*cgroups.Stats, error) {
m.mu.Lock()
defer m.mu.Unlock()
stats := cgroups.NewStats()
for _, sys := range subsystems {
path := m.paths[sys.Name()]
if path == "" {
continue
}
if err := sys.GetStats(path, stats); err != nil {
return nil, err
}
}
return stats, nil
}
func (m *manager) Set(r *configs.Resources) error {
if r == nil {
return nil
}
// If Paths are set, then we are just joining cgroups paths
// and there is no need to set any values.
if m.cgroups != nil && m.cgroups.Paths != nil {
return nil
}
if r.Unified != nil {
return cgroups.ErrV1NoUnified
}
m.mu.Lock()
defer m.mu.Unlock()
for _, sys := range subsystems {
path := m.paths[sys.Name()]
if err := sys.Set(path, r); err != nil {
if m.rootless && sys.Name() == "devices" {
continue
}
// When m.rootless is true, errors from the device subsystem are ignored because it is really not expected to work.
// However, errors from other subsystems are not ignored.
// see @test "runc create (rootless + limits + no cgrouppath + no permission) fails with informative error"
if path == "" {
// We never created a path for this cgroup, so we cannot set
// limits for it (though we have already tried at this point).
return fmt.Errorf("cannot set %s limit: container could not join or create cgroup", sys.Name())
}
return err
}
}
return nil
}
// Freeze toggles the container's freezer cgroup depending on the state
// provided
func (m *manager) Freeze(state configs.FreezerState) error {
path := m.Path("freezer")
if m.cgroups == nil || path == "" {
return errors.New("cannot toggle freezer: cgroups not configured for container")
}
prevState := m.cgroups.Resources.Freezer
m.cgroups.Resources.Freezer = state
freezer := &FreezerGroup{}
if err := freezer.Set(path, m.cgroups.Resources); err != nil {
m.cgroups.Resources.Freezer = prevState
return err
}
return nil
}
func (m *manager) GetPids() ([]int, error) {
return cgroups.GetPids(m.Path("devices"))
}
func (m *manager) GetAllPids() ([]int, error) {
return cgroups.GetAllPids(m.Path("devices"))
}
func getCgroupData(c *configs.Cgroup, pid int) (*cgroupData, error) {
root, err := getCgroupRoot()
if err != nil {
return nil, err
}
if (c.Name != "" || c.Parent != "") && c.Path != "" {
return nil, errors.New("cgroup: either Path or Name and Parent should be used")
}
// XXX: Do not remove this code. Path safety is important! -- cyphar
cgPath := libcontainerUtils.CleanPath(c.Path)
cgParent := libcontainerUtils.CleanPath(c.Parent)
cgName := libcontainerUtils.CleanPath(c.Name)
innerPath := cgPath
if innerPath == "" {
innerPath = filepath.Join(cgParent, cgName)
}
return &cgroupData{
root: root,
innerPath: innerPath,
config: c,
pid: pid,
}, nil
}
func (raw *cgroupData) path(subsystem string) (string, error) {
// If the cgroup name/path is absolute do not look relative to the cgroup of the init process.
if filepath.IsAbs(raw.innerPath) {
mnt, err := cgroups.FindCgroupMountpoint(raw.root, subsystem)
// If we didn't mount the subsystem, there is no point we make the path.
if err != nil {
return "", err
}
// Sometimes subsystems can be mounted together as 'cpu,cpuacct'.
return filepath.Join(raw.root, filepath.Base(mnt), raw.innerPath), nil
}
// Use GetOwnCgroupPath instead of GetInitCgroupPath, because the creating
// process could in container and shared pid namespace with host, and
// /proc/1/cgroup could point to whole other world of cgroups.
parentPath, err := cgroups.GetOwnCgroupPath(subsystem)
if err != nil {
return "", err
}
return filepath.Join(parentPath, raw.innerPath), nil
}
func join(path string, pid int) error {
if path == "" {
return nil
}
if err := os.MkdirAll(path, 0755); err != nil {
return err
}
return cgroups.WriteCgroupProc(path, pid)
}
func (m *manager) GetPaths() map[string]string {
m.mu.Lock()
defer m.mu.Unlock()
return m.paths
}
func (m *manager) GetCgroups() (*configs.Cgroup, error) {
return m.cgroups, nil
}
func (m *manager) GetFreezerState() (configs.FreezerState, error) {
dir := m.Path("freezer")
// If the container doesn't have the freezer cgroup, say it's undefined.
if dir == "" {
return configs.Undefined, nil
}
freezer := &FreezerGroup{}
return freezer.GetState(dir)
}
func (m *manager) Exists() bool {
return cgroups.PathExists(m.Path("devices"))
}
func OOMKillCount(path string) (uint64, error) {
return fscommon.GetValueByKey(path, "memory.oom_control", "oom_kill")
}
func (m *manager) OOMKillCount() (uint64, error) {
c, err := OOMKillCount(m.Path("memory"))
// Ignore ENOENT when rootless as it couldn't create cgroup.
if err != nil && m.rootless && os.IsNotExist(err) {
err = nil
}
return c, err
}
-146
View File
@@ -1,146 +0,0 @@
// +build linux
package fs
import (
"path/filepath"
"strings"
"testing"
"github.com/opencontainers/runc/libcontainer/cgroups"
"github.com/opencontainers/runc/libcontainer/cgroups/fscommon"
"github.com/opencontainers/runc/libcontainer/configs"
)
func TestInvalidCgroupPath(t *testing.T) {
if cgroups.IsCgroup2UnifiedMode() {
t.Skip("cgroup v2 is not supported")
}
root, err := getCgroupRoot()
if err != nil {
t.Fatalf("couldn't get cgroup root: %v", err)
}
testCases := []struct {
test string
path, name, parent string
}{
{
test: "invalid cgroup path",
path: "../../../../../../../../../../some/path",
},
{
test: "invalid absolute cgroup path",
path: "/../../../../../../../../../../some/path",
},
{
test: "invalid cgroup parent",
parent: "../../../../../../../../../../some/path",
name: "name",
},
{
test: "invalid absolute cgroup parent",
parent: "/../../../../../../../../../../some/path",
name: "name",
},
{
test: "invalid cgroup name",
parent: "parent",
name: "../../../../../../../../../../some/path",
},
{
test: "invalid absolute cgroup name",
parent: "parent",
name: "/../../../../../../../../../../some/path",
},
{
test: "invalid cgroup name and parent",
parent: "../../../../../../../../../../some/path",
name: "../../../../../../../../../../some/path",
},
{
test: "invalid absolute cgroup name and parent",
parent: "/../../../../../../../../../../some/path",
name: "/../../../../../../../../../../some/path",
},
}
for _, tc := range testCases {
t.Run(tc.test, func(t *testing.T) {
config := &configs.Cgroup{Path: tc.path, Name: tc.name, Parent: tc.parent}
data, err := getCgroupData(config, 0)
if err != nil {
t.Fatalf("couldn't get cgroup data: %v", err)
}
// Make sure the final innerPath doesn't go outside the cgroup mountpoint.
if strings.HasPrefix(data.innerPath, "..") {
t.Errorf("SECURITY: cgroup innerPath is outside cgroup mountpoint!")
}
// Double-check, using an actual cgroup.
deviceRoot := filepath.Join(root, "devices")
devicePath, err := data.path("devices")
if err != nil {
t.Fatalf("couldn't get cgroup path: %v", err)
}
if !strings.HasPrefix(devicePath, deviceRoot) {
t.Errorf("SECURITY: cgroup path() is outside cgroup mountpoint!")
}
})
}
}
func TestTryDefaultCgroupRoot(t *testing.T) {
res := tryDefaultCgroupRoot()
exp := defaultCgroupRoot
if cgroups.IsCgroup2UnifiedMode() {
// checking that tryDefaultCgroupRoot does return ""
// in case /sys/fs/cgroup is not cgroup v1 root dir.
exp = ""
}
if res != exp {
t.Errorf("tryDefaultCgroupRoot: want %q, got %q", exp, res)
}
}
func BenchmarkGetStats(b *testing.B) {
if cgroups.IsCgroup2UnifiedMode() {
b.Skip("cgroup v2 is not supported")
}
// Unset TestMode as we work with real cgroupfs here,
// and we want OpenFile to perform the fstype check.
fscommon.TestMode = false
defer func() {
fscommon.TestMode = true
}()
cg := &configs.Cgroup{
Path: "/some/kind/of/a/path/here",
Resources: &configs.Resources{},
}
m := NewManager(cg, nil, false)
err := m.Apply(-1)
if err != nil {
b.Fatal(err)
}
defer func() {
_ = m.Destroy()
}()
var st *cgroups.Stats
b.ResetTimer()
for i := 0; i < b.N; i++ {
st, err = m.GetStats()
if err != nil {
b.Fatal(err)
}
}
if st.CpuStats.CpuUsage.TotalUsage != 0 {
b.Fatalf("stats: %+v", st)
}
}
-66
View File
@@ -1,66 +0,0 @@
// +build linux
package fs
import (
"fmt"
"strconv"
"github.com/opencontainers/runc/libcontainer/cgroups"
"github.com/opencontainers/runc/libcontainer/cgroups/fscommon"
"github.com/opencontainers/runc/libcontainer/configs"
)
type HugetlbGroup struct {
}
func (s *HugetlbGroup) Name() string {
return "hugetlb"
}
func (s *HugetlbGroup) Apply(path string, d *cgroupData) error {
return join(path, d.pid)
}
func (s *HugetlbGroup) Set(path string, r *configs.Resources) error {
for _, hugetlb := range r.HugetlbLimit {
if err := fscommon.WriteFile(path, "hugetlb."+hugetlb.Pagesize+".limit_in_bytes", strconv.FormatUint(hugetlb.Limit, 10)); err != nil {
return err
}
}
return nil
}
func (s *HugetlbGroup) GetStats(path string, stats *cgroups.Stats) error {
hugetlbStats := cgroups.HugetlbStats{}
if !cgroups.PathExists(path) {
return nil
}
for _, pageSize := range HugePageSizes {
usage := "hugetlb." + pageSize + ".usage_in_bytes"
value, err := fscommon.GetCgroupParamUint(path, usage)
if err != nil {
return fmt.Errorf("failed to parse %s - %v", usage, err)
}
hugetlbStats.Usage = value
maxUsage := "hugetlb." + pageSize + ".max_usage_in_bytes"
value, err = fscommon.GetCgroupParamUint(path, maxUsage)
if err != nil {
return fmt.Errorf("failed to parse %s - %v", maxUsage, err)
}
hugetlbStats.MaxUsage = value
failcnt := "hugetlb." + pageSize + ".failcnt"
value, err = fscommon.GetCgroupParamUint(path, failcnt)
if err != nil {
return fmt.Errorf("failed to parse %s - %v", failcnt, err)
}
hugetlbStats.Failcnt = value
stats.HugetlbStats[pageSize] = hugetlbStats
}
return nil
}
-155
View File
@@ -1,155 +0,0 @@
// +build linux
package fs
import (
"fmt"
"strconv"
"testing"
"github.com/opencontainers/runc/libcontainer/cgroups"
"github.com/opencontainers/runc/libcontainer/cgroups/fscommon"
"github.com/opencontainers/runc/libcontainer/configs"
)
const (
hugetlbUsageContents = "128\n"
hugetlbMaxUsageContents = "256\n"
hugetlbFailcnt = "100\n"
)
const (
usage = "hugetlb.%s.usage_in_bytes"
limit = "hugetlb.%s.limit_in_bytes"
maxUsage = "hugetlb.%s.max_usage_in_bytes"
failcnt = "hugetlb.%s.failcnt"
)
func TestHugetlbSetHugetlb(t *testing.T) {
helper := NewCgroupTestUtil("hugetlb", t)
defer helper.cleanup()
const (
hugetlbBefore = 256
hugetlbAfter = 512
)
for _, pageSize := range HugePageSizes {
helper.writeFileContents(map[string]string{
fmt.Sprintf(limit, pageSize): strconv.Itoa(hugetlbBefore),
})
}
for _, pageSize := range HugePageSizes {
helper.CgroupData.config.Resources.HugetlbLimit = []*configs.HugepageLimit{
{
Pagesize: pageSize,
Limit: hugetlbAfter,
},
}
hugetlb := &HugetlbGroup{}
if err := hugetlb.Set(helper.CgroupPath, helper.CgroupData.config.Resources); err != nil {
t.Fatal(err)
}
}
for _, pageSize := range HugePageSizes {
limit := fmt.Sprintf(limit, pageSize)
value, err := fscommon.GetCgroupParamUint(helper.CgroupPath, limit)
if err != nil {
t.Fatalf("Failed to parse %s - %s", limit, err)
}
if value != hugetlbAfter {
t.Fatalf("Set hugetlb.limit_in_bytes failed. Expected: %v, Got: %v", hugetlbAfter, value)
}
}
}
func TestHugetlbStats(t *testing.T) {
helper := NewCgroupTestUtil("hugetlb", t)
defer helper.cleanup()
for _, pageSize := range HugePageSizes {
helper.writeFileContents(map[string]string{
fmt.Sprintf(usage, pageSize): hugetlbUsageContents,
fmt.Sprintf(maxUsage, pageSize): hugetlbMaxUsageContents,
fmt.Sprintf(failcnt, pageSize): hugetlbFailcnt,
})
}
hugetlb := &HugetlbGroup{}
actualStats := *cgroups.NewStats()
err := hugetlb.GetStats(helper.CgroupPath, &actualStats)
if err != nil {
t.Fatal(err)
}
expectedStats := cgroups.HugetlbStats{Usage: 128, MaxUsage: 256, Failcnt: 100}
for _, pageSize := range HugePageSizes {
expectHugetlbStatEquals(t, expectedStats, actualStats.HugetlbStats[pageSize])
}
}
func TestHugetlbStatsNoUsageFile(t *testing.T) {
helper := NewCgroupTestUtil("hugetlb", t)
defer helper.cleanup()
helper.writeFileContents(map[string]string{
maxUsage: hugetlbMaxUsageContents,
})
hugetlb := &HugetlbGroup{}
actualStats := *cgroups.NewStats()
err := hugetlb.GetStats(helper.CgroupPath, &actualStats)
if err == nil {
t.Fatal("Expected failure")
}
}
func TestHugetlbStatsNoMaxUsageFile(t *testing.T) {
helper := NewCgroupTestUtil("hugetlb", t)
defer helper.cleanup()
for _, pageSize := range HugePageSizes {
helper.writeFileContents(map[string]string{
fmt.Sprintf(usage, pageSize): hugetlbUsageContents,
})
}
hugetlb := &HugetlbGroup{}
actualStats := *cgroups.NewStats()
err := hugetlb.GetStats(helper.CgroupPath, &actualStats)
if err == nil {
t.Fatal("Expected failure")
}
}
func TestHugetlbStatsBadUsageFile(t *testing.T) {
helper := NewCgroupTestUtil("hugetlb", t)
defer helper.cleanup()
for _, pageSize := range HugePageSizes {
helper.writeFileContents(map[string]string{
fmt.Sprintf(usage, pageSize): "bad",
maxUsage: hugetlbMaxUsageContents,
})
}
hugetlb := &HugetlbGroup{}
actualStats := *cgroups.NewStats()
err := hugetlb.GetStats(helper.CgroupPath, &actualStats)
if err == nil {
t.Fatal("Expected failure")
}
}
func TestHugetlbStatsBadMaxUsageFile(t *testing.T) {
helper := NewCgroupTestUtil("hugetlb", t)
defer helper.cleanup()
helper.writeFileContents(map[string]string{
usage: hugetlbUsageContents,
maxUsage: "bad",
})
hugetlb := &HugetlbGroup{}
actualStats := *cgroups.NewStats()
err := hugetlb.GetStats(helper.CgroupPath, &actualStats)
if err == nil {
t.Fatal("Expected failure")
}
}
-506
View File
@@ -1,506 +0,0 @@
// +build linux
package fs
import (
"strconv"
"testing"
"github.com/opencontainers/runc/libcontainer/cgroups"
"github.com/opencontainers/runc/libcontainer/cgroups/fscommon"
)
const (
memoryStatContents = `cache 512
rss 1024`
memoryUsageContents = "2048\n"
memoryMaxUsageContents = "4096\n"
memoryFailcnt = "100\n"
memoryLimitContents = "8192\n"
memoryUseHierarchyContents = "1\n"
memoryNUMAStatContents = `total=44611 N0=32631 N1=7501 N2=1982 N3=2497
file=44428 N0=32614 N1=7335 N2=1982 N3=2497
anon=183 N0=17 N1=166 N2=0 N3=0
unevictable=0 N0=0 N1=0 N2=0 N3=0
hierarchical_total=768133 N0=509113 N1=138887 N2=20464 N3=99669
hierarchical_file=722017 N0=496516 N1=119997 N2=20181 N3=85323
hierarchical_anon=46096 N0=12597 N1=18890 N2=283 N3=14326
hierarchical_unevictable=20 N0=0 N1=0 N2=0 N3=20
`
memoryNUMAStatNoHierarchyContents = `total=44611 N0=32631 N1=7501 N2=1982 N3=2497
file=44428 N0=32614 N1=7335 N2=1982 N3=2497
anon=183 N0=17 N1=166 N2=0 N3=0
unevictable=0 N0=0 N1=0 N2=0 N3=0
`
// Some custom kernels has extra fields that should be ignored
memoryNUMAStatExtraContents = `numa_locality 0 0 0 0 0 0 0 0 0 0
numa_exectime 0
whatever=100 N0=0
`
)
func TestMemorySetMemory(t *testing.T) {
helper := NewCgroupTestUtil("memory", t)
defer helper.cleanup()
const (
memoryBefore = 314572800 // 300M
memoryAfter = 524288000 // 500M
reservationBefore = 209715200 // 200M
reservationAfter = 314572800 // 300M
)
helper.writeFileContents(map[string]string{
"memory.limit_in_bytes": strconv.Itoa(memoryBefore),
"memory.soft_limit_in_bytes": strconv.Itoa(reservationBefore),
})
helper.CgroupData.config.Resources.Memory = memoryAfter
helper.CgroupData.config.Resources.MemoryReservation = reservationAfter
memory := &MemoryGroup{}
if err := memory.Set(helper.CgroupPath, helper.CgroupData.config.Resources); err != nil {
t.Fatal(err)
}
value, err := fscommon.GetCgroupParamUint(helper.CgroupPath, "memory.limit_in_bytes")
if err != nil {
t.Fatalf("Failed to parse memory.limit_in_bytes - %s", err)
}
if value != memoryAfter {
t.Fatal("Got the wrong value, set memory.limit_in_bytes failed.")
}
value, err = fscommon.GetCgroupParamUint(helper.CgroupPath, "memory.soft_limit_in_bytes")
if err != nil {
t.Fatalf("Failed to parse memory.soft_limit_in_bytes - %s", err)
}
if value != reservationAfter {
t.Fatal("Got the wrong value, set memory.soft_limit_in_bytes failed.")
}
}
func TestMemorySetMemoryswap(t *testing.T) {
helper := NewCgroupTestUtil("memory", t)
defer helper.cleanup()
const (
memoryswapBefore = 314572800 // 300M
memoryswapAfter = 524288000 // 500M
)
helper.writeFileContents(map[string]string{
"memory.memsw.limit_in_bytes": strconv.Itoa(memoryswapBefore),
})
helper.CgroupData.config.Resources.MemorySwap = memoryswapAfter
memory := &MemoryGroup{}
if err := memory.Set(helper.CgroupPath, helper.CgroupData.config.Resources); err != nil {
t.Fatal(err)
}
value, err := fscommon.GetCgroupParamUint(helper.CgroupPath, "memory.memsw.limit_in_bytes")
if err != nil {
t.Fatalf("Failed to parse memory.memsw.limit_in_bytes - %s", err)
}
if value != memoryswapAfter {
t.Fatal("Got the wrong value, set memory.memsw.limit_in_bytes failed.")
}
}
func TestMemorySetMemoryLargerThanSwap(t *testing.T) {
helper := NewCgroupTestUtil("memory", t)
defer helper.cleanup()
const (
memoryBefore = 314572800 // 300M
memoryswapBefore = 524288000 // 500M
memoryAfter = 629145600 // 600M
memoryswapAfter = 838860800 // 800M
)
helper.writeFileContents(map[string]string{
"memory.limit_in_bytes": strconv.Itoa(memoryBefore),
"memory.memsw.limit_in_bytes": strconv.Itoa(memoryswapBefore),
// Set will call getMemoryData when memory and swap memory are
// both set, fake these fields so we don't get error.
"memory.usage_in_bytes": "0",
"memory.max_usage_in_bytes": "0",
"memory.failcnt": "0",
})
helper.CgroupData.config.Resources.Memory = memoryAfter
helper.CgroupData.config.Resources.MemorySwap = memoryswapAfter
memory := &MemoryGroup{}
if err := memory.Set(helper.CgroupPath, helper.CgroupData.config.Resources); err != nil {
t.Fatal(err)
}
value, err := fscommon.GetCgroupParamUint(helper.CgroupPath, "memory.limit_in_bytes")
if err != nil {
t.Fatalf("Failed to parse memory.limit_in_bytes - %s", err)
}
if value != memoryAfter {
t.Fatal("Got the wrong value, set memory.limit_in_bytes failed.")
}
value, err = fscommon.GetCgroupParamUint(helper.CgroupPath, "memory.memsw.limit_in_bytes")
if err != nil {
t.Fatalf("Failed to parse memory.memsw.limit_in_bytes - %s", err)
}
if value != memoryswapAfter {
t.Fatal("Got the wrong value, set memory.memsw.limit_in_bytes failed.")
}
}
func TestMemorySetSwapSmallerThanMemory(t *testing.T) {
helper := NewCgroupTestUtil("memory", t)
defer helper.cleanup()
const (
memoryBefore = 629145600 // 600M
memoryswapBefore = 838860800 // 800M
memoryAfter = 314572800 // 300M
memoryswapAfter = 524288000 // 500M
)
helper.writeFileContents(map[string]string{
"memory.limit_in_bytes": strconv.Itoa(memoryBefore),
"memory.memsw.limit_in_bytes": strconv.Itoa(memoryswapBefore),
})
helper.CgroupData.config.Resources.Memory = memoryAfter
helper.CgroupData.config.Resources.MemorySwap = memoryswapAfter
memory := &MemoryGroup{}
if err := memory.Set(helper.CgroupPath, helper.CgroupData.config.Resources); err != nil {
t.Fatal(err)
}
value, err := fscommon.GetCgroupParamUint(helper.CgroupPath, "memory.limit_in_bytes")
if err != nil {
t.Fatalf("Failed to parse memory.limit_in_bytes - %s", err)
}
if value != memoryAfter {
t.Fatalf("Got the wrong value (%d != %d), set memory.limit_in_bytes failed", value, memoryAfter)
}
value, err = fscommon.GetCgroupParamUint(helper.CgroupPath, "memory.memsw.limit_in_bytes")
if err != nil {
t.Fatalf("Failed to parse memory.memsw.limit_in_bytes - %s", err)
}
if value != memoryswapAfter {
t.Fatalf("Got the wrong value (%d != %d), set memory.memsw.limit_in_bytes failed", value, memoryswapAfter)
}
}
func TestMemorySetMemorySwappinessDefault(t *testing.T) {
helper := NewCgroupTestUtil("memory", t)
defer helper.cleanup()
swappinessBefore := 60 //default is 60
swappinessAfter := uint64(0)
helper.writeFileContents(map[string]string{
"memory.swappiness": strconv.Itoa(swappinessBefore),
})
helper.CgroupData.config.Resources.MemorySwappiness = &swappinessAfter
memory := &MemoryGroup{}
if err := memory.Set(helper.CgroupPath, helper.CgroupData.config.Resources); err != nil {
t.Fatal(err)
}
value, err := fscommon.GetCgroupParamUint(helper.CgroupPath, "memory.swappiness")
if err != nil {
t.Fatalf("Failed to parse memory.swappiness - %s", err)
}
if value != swappinessAfter {
t.Fatalf("Got the wrong value (%d), set memory.swappiness = %d failed.", value, swappinessAfter)
}
}
func TestMemoryStats(t *testing.T) {
helper := NewCgroupTestUtil("memory", t)
defer helper.cleanup()
helper.writeFileContents(map[string]string{
"memory.stat": memoryStatContents,
"memory.usage_in_bytes": memoryUsageContents,
"memory.limit_in_bytes": memoryLimitContents,
"memory.max_usage_in_bytes": memoryMaxUsageContents,
"memory.failcnt": memoryFailcnt,
"memory.memsw.usage_in_bytes": memoryUsageContents,
"memory.memsw.max_usage_in_bytes": memoryMaxUsageContents,
"memory.memsw.failcnt": memoryFailcnt,
"memory.memsw.limit_in_bytes": memoryLimitContents,
"memory.kmem.usage_in_bytes": memoryUsageContents,
"memory.kmem.max_usage_in_bytes": memoryMaxUsageContents,
"memory.kmem.failcnt": memoryFailcnt,
"memory.kmem.limit_in_bytes": memoryLimitContents,
"memory.use_hierarchy": memoryUseHierarchyContents,
"memory.numa_stat": memoryNUMAStatContents + memoryNUMAStatExtraContents,
})
memory := &MemoryGroup{}
actualStats := *cgroups.NewStats()
err := memory.GetStats(helper.CgroupPath, &actualStats)
if err != nil {
t.Fatal(err)
}
expectedStats := cgroups.MemoryStats{Cache: 512, Usage: cgroups.MemoryData{Usage: 2048, MaxUsage: 4096, Failcnt: 100, Limit: 8192}, SwapUsage: cgroups.MemoryData{Usage: 2048, MaxUsage: 4096, Failcnt: 100, Limit: 8192}, KernelUsage: cgroups.MemoryData{Usage: 2048, MaxUsage: 4096, Failcnt: 100, Limit: 8192}, Stats: map[string]uint64{"cache": 512, "rss": 1024}, UseHierarchy: true,
PageUsageByNUMA: cgroups.PageUsageByNUMA{
PageUsageByNUMAInner: cgroups.PageUsageByNUMAInner{
Total: cgroups.PageStats{Total: 44611, Nodes: map[uint8]uint64{0: 32631, 1: 7501, 2: 1982, 3: 2497}},
File: cgroups.PageStats{Total: 44428, Nodes: map[uint8]uint64{0: 32614, 1: 7335, 2: 1982, 3: 2497}},
Anon: cgroups.PageStats{Total: 183, Nodes: map[uint8]uint64{0: 17, 1: 166, 2: 0, 3: 0}},
Unevictable: cgroups.PageStats{Total: 0, Nodes: map[uint8]uint64{0: 0, 1: 0, 2: 0, 3: 0}},
},
Hierarchical: cgroups.PageUsageByNUMAInner{
Total: cgroups.PageStats{Total: 768133, Nodes: map[uint8]uint64{0: 509113, 1: 138887, 2: 20464, 3: 99669}},
File: cgroups.PageStats{Total: 722017, Nodes: map[uint8]uint64{0: 496516, 1: 119997, 2: 20181, 3: 85323}},
Anon: cgroups.PageStats{Total: 46096, Nodes: map[uint8]uint64{0: 12597, 1: 18890, 2: 283, 3: 14326}},
Unevictable: cgroups.PageStats{Total: 20, Nodes: map[uint8]uint64{0: 0, 1: 0, 2: 0, 3: 20}},
},
}}
expectMemoryStatEquals(t, expectedStats, actualStats.MemoryStats)
}
func TestMemoryStatsNoStatFile(t *testing.T) {
helper := NewCgroupTestUtil("memory", t)
defer helper.cleanup()
helper.writeFileContents(map[string]string{
"memory.usage_in_bytes": memoryUsageContents,
"memory.max_usage_in_bytes": memoryMaxUsageContents,
"memory.limit_in_bytes": memoryLimitContents,
})
memory := &MemoryGroup{}
actualStats := *cgroups.NewStats()
err := memory.GetStats(helper.CgroupPath, &actualStats)
if err != nil {
t.Fatal(err)
}
}
func TestMemoryStatsNoUsageFile(t *testing.T) {
helper := NewCgroupTestUtil("memory", t)
defer helper.cleanup()
helper.writeFileContents(map[string]string{
"memory.stat": memoryStatContents,
"memory.max_usage_in_bytes": memoryMaxUsageContents,
"memory.limit_in_bytes": memoryLimitContents,
})
memory := &MemoryGroup{}
actualStats := *cgroups.NewStats()
err := memory.GetStats(helper.CgroupPath, &actualStats)
if err == nil {
t.Fatal("Expected failure")
}
}
func TestMemoryStatsNoMaxUsageFile(t *testing.T) {
helper := NewCgroupTestUtil("memory", t)
defer helper.cleanup()
helper.writeFileContents(map[string]string{
"memory.stat": memoryStatContents,
"memory.usage_in_bytes": memoryUsageContents,
"memory.limit_in_bytes": memoryLimitContents,
})
memory := &MemoryGroup{}
actualStats := *cgroups.NewStats()
err := memory.GetStats(helper.CgroupPath, &actualStats)
if err == nil {
t.Fatal("Expected failure")
}
}
func TestMemoryStatsNoLimitInBytesFile(t *testing.T) {
helper := NewCgroupTestUtil("memory", t)
defer helper.cleanup()
helper.writeFileContents(map[string]string{
"memory.stat": memoryStatContents,
"memory.usage_in_bytes": memoryUsageContents,
"memory.max_usage_in_bytes": memoryMaxUsageContents,
})
memory := &MemoryGroup{}
actualStats := *cgroups.NewStats()
err := memory.GetStats(helper.CgroupPath, &actualStats)
if err == nil {
t.Fatal("Expected failure")
}
}
func TestMemoryStatsBadStatFile(t *testing.T) {
helper := NewCgroupTestUtil("memory", t)
defer helper.cleanup()
helper.writeFileContents(map[string]string{
"memory.stat": "rss rss",
"memory.usage_in_bytes": memoryUsageContents,
"memory.max_usage_in_bytes": memoryMaxUsageContents,
"memory.limit_in_bytes": memoryLimitContents,
})
memory := &MemoryGroup{}
actualStats := *cgroups.NewStats()
err := memory.GetStats(helper.CgroupPath, &actualStats)
if err == nil {
t.Fatal("Expected failure")
}
}
func TestMemoryStatsBadUsageFile(t *testing.T) {
helper := NewCgroupTestUtil("memory", t)
defer helper.cleanup()
helper.writeFileContents(map[string]string{
"memory.stat": memoryStatContents,
"memory.usage_in_bytes": "bad",
"memory.max_usage_in_bytes": memoryMaxUsageContents,
"memory.limit_in_bytes": memoryLimitContents,
})
memory := &MemoryGroup{}
actualStats := *cgroups.NewStats()
err := memory.GetStats(helper.CgroupPath, &actualStats)
if err == nil {
t.Fatal("Expected failure")
}
}
func TestMemoryStatsBadMaxUsageFile(t *testing.T) {
helper := NewCgroupTestUtil("memory", t)
defer helper.cleanup()
helper.writeFileContents(map[string]string{
"memory.stat": memoryStatContents,
"memory.usage_in_bytes": memoryUsageContents,
"memory.max_usage_in_bytes": "bad",
"memory.limit_in_bytes": memoryLimitContents,
})
memory := &MemoryGroup{}
actualStats := *cgroups.NewStats()
err := memory.GetStats(helper.CgroupPath, &actualStats)
if err == nil {
t.Fatal("Expected failure")
}
}
func TestMemoryStatsBadLimitInBytesFile(t *testing.T) {
helper := NewCgroupTestUtil("memory", t)
defer helper.cleanup()
helper.writeFileContents(map[string]string{
"memory.stat": memoryStatContents,
"memory.usage_in_bytes": memoryUsageContents,
"memory.max_usage_in_bytes": memoryMaxUsageContents,
"memory.limit_in_bytes": "bad",
})
memory := &MemoryGroup{}
actualStats := *cgroups.NewStats()
err := memory.GetStats(helper.CgroupPath, &actualStats)
if err == nil {
t.Fatal("Expected failure")
}
}
func TestMemorySetOomControl(t *testing.T) {
helper := NewCgroupTestUtil("memory", t)
defer helper.cleanup()
const (
oomKillDisable = 1 // disable oom killer, default is 0
)
helper.writeFileContents(map[string]string{
"memory.oom_control": strconv.Itoa(oomKillDisable),
})
memory := &MemoryGroup{}
if err := memory.Set(helper.CgroupPath, helper.CgroupData.config.Resources); err != nil {
t.Fatal(err)
}
value, err := fscommon.GetCgroupParamUint(helper.CgroupPath, "memory.oom_control")
if err != nil {
t.Fatalf("Failed to parse memory.oom_control - %s", err)
}
if value != oomKillDisable {
t.Fatalf("Got the wrong value, set memory.oom_control failed.")
}
}
func TestNoHierarchicalNumaStat(t *testing.T) {
helper := NewCgroupTestUtil("memory", t)
defer helper.cleanup()
helper.writeFileContents(map[string]string{
"memory.numa_stat": memoryNUMAStatNoHierarchyContents + memoryNUMAStatExtraContents,
})
actualStats, err := getPageUsageByNUMA(helper.CgroupPath)
if err != nil {
t.Fatal(err)
}
pageUsageByNUMA := cgroups.PageUsageByNUMA{
PageUsageByNUMAInner: cgroups.PageUsageByNUMAInner{
Total: cgroups.PageStats{Total: 44611, Nodes: map[uint8]uint64{0: 32631, 1: 7501, 2: 1982, 3: 2497}},
File: cgroups.PageStats{Total: 44428, Nodes: map[uint8]uint64{0: 32614, 1: 7335, 2: 1982, 3: 2497}},
Anon: cgroups.PageStats{Total: 183, Nodes: map[uint8]uint64{0: 17, 1: 166, 2: 0, 3: 0}},
Unevictable: cgroups.PageStats{Total: 0, Nodes: map[uint8]uint64{0: 0, 1: 0, 2: 0, 3: 0}},
},
Hierarchical: cgroups.PageUsageByNUMAInner{},
}
expectPageUsageByNUMAEquals(t, pageUsageByNUMA, actualStats)
}
func TestBadNumaStat(t *testing.T) {
memoryNUMAStatBadContents := []struct {
desc, contents string
}{
{
desc: "Nx where x is not a number",
contents: `total=44611 N0=44611,
file=44428 Nx=0
`,
}, {
desc: "Nx where x > 255",
contents: `total=44611 N333=444`,
}, {
desc: "Nx argument missing",
contents: `total=44611 N0=123 N1=`,
}, {
desc: "Nx argument is not a number",
contents: `total=44611 N0=123 N1=a`,
}, {
desc: "Missing = after Nx",
contents: `total=44611 N0=123 N1`,
}, {
desc: "No Nx at non-first position",
contents: `total=44611 N0=32631
file=44428 N0=32614
anon=183 N0=12 badone
`,
},
}
helper := NewCgroupTestUtil("memory", t)
defer helper.cleanup()
for _, c := range memoryNUMAStatBadContents {
helper.writeFileContents(map[string]string{
"memory.numa_stat": c.contents,
})
_, err := getPageUsageByNUMA(helper.CgroupPath)
if err == nil {
t.Errorf("case %q: expected error, got nil", c.desc)
}
}
}
func TestWithoutNumaStat(t *testing.T) {
helper := NewCgroupTestUtil("memory", t)
defer helper.cleanup()
actualStats, err := getPageUsageByNUMA(helper.CgroupPath)
if err != nil {
t.Fatal(err)
}
expectPageUsageByNUMAEquals(t, cgroups.PageUsageByNUMA{}, actualStats)
}
-33
View File
@@ -1,33 +0,0 @@
// +build linux
package fs
import (
"github.com/opencontainers/runc/libcontainer/cgroups"
"github.com/opencontainers/runc/libcontainer/configs"
)
type NameGroup struct {
GroupName string
Join bool
}
func (s *NameGroup) Name() string {
return s.GroupName
}
func (s *NameGroup) Apply(path string, d *cgroupData) error {
if s.Join {
// ignore errors if the named cgroup does not exist
_ = join(path, d.pid)
}
return nil
}
func (s *NameGroup) Set(_ string, _ *configs.Resources) error {
return nil
}
func (s *NameGroup) GetStats(path string, stats *cgroups.Stats) error {
return nil
}
-36
View File
@@ -1,36 +0,0 @@
// +build linux
package fs
import (
"strconv"
"github.com/opencontainers/runc/libcontainer/cgroups"
"github.com/opencontainers/runc/libcontainer/cgroups/fscommon"
"github.com/opencontainers/runc/libcontainer/configs"
)
type NetClsGroup struct {
}
func (s *NetClsGroup) Name() string {
return "net_cls"
}
func (s *NetClsGroup) Apply(path string, d *cgroupData) error {
return join(path, d.pid)
}
func (s *NetClsGroup) Set(path string, r *configs.Resources) error {
if r.NetClsClassid != 0 {
if err := fscommon.WriteFile(path, "net_cls.classid", strconv.FormatUint(uint64(r.NetClsClassid), 10)); err != nil {
return err
}
}
return nil
}
func (s *NetClsGroup) GetStats(path string, stats *cgroups.Stats) error {
return nil
}
-41
View File
@@ -1,41 +0,0 @@
// +build linux
package fs
import (
"strconv"
"testing"
"github.com/opencontainers/runc/libcontainer/cgroups/fscommon"
)
const (
classidBefore = 0x100002
classidAfter = 0x100001
)
func TestNetClsSetClassid(t *testing.T) {
helper := NewCgroupTestUtil("net_cls", t)
defer helper.cleanup()
helper.writeFileContents(map[string]string{
"net_cls.classid": strconv.FormatUint(classidBefore, 10),
})
helper.CgroupData.config.Resources.NetClsClassid = classidAfter
netcls := &NetClsGroup{}
if err := netcls.Set(helper.CgroupPath, helper.CgroupData.config.Resources); err != nil {
t.Fatal(err)
}
// As we are in mock environment, we can't get correct value of classid from
// net_cls.classid.
// So. we just judge if we successfully write classid into file
value, err := fscommon.GetCgroupParamUint(helper.CgroupPath, "net_cls.classid")
if err != nil {
t.Fatalf("Failed to parse net_cls.classid - %s", err)
}
if value != classidAfter {
t.Fatal("Got the wrong value, set net_cls.classid failed.")
}
}
-34
View File
@@ -1,34 +0,0 @@
// +build linux
package fs
import (
"github.com/opencontainers/runc/libcontainer/cgroups"
"github.com/opencontainers/runc/libcontainer/cgroups/fscommon"
"github.com/opencontainers/runc/libcontainer/configs"
)
type NetPrioGroup struct {
}
func (s *NetPrioGroup) Name() string {
return "net_prio"
}
func (s *NetPrioGroup) Apply(path string, d *cgroupData) error {
return join(path, d.pid)
}
func (s *NetPrioGroup) Set(path string, r *configs.Resources) error {
for _, prioMap := range r.NetPrioIfpriomap {
if err := fscommon.WriteFile(path, "net_prio.ifpriomap", prioMap.CgroupString()); err != nil {
return err
}
}
return nil
}
func (s *NetPrioGroup) GetStats(path string, stats *cgroups.Stats) error {
return nil
}
-39
View File
@@ -1,39 +0,0 @@
// +build linux
package fs
import (
"strings"
"testing"
"github.com/opencontainers/runc/libcontainer/cgroups/fscommon"
"github.com/opencontainers/runc/libcontainer/configs"
)
var (
prioMap = []*configs.IfPrioMap{
{
Interface: "test",
Priority: 5,
},
}
)
func TestNetPrioSetIfPrio(t *testing.T) {
helper := NewCgroupTestUtil("net_prio", t)
defer helper.cleanup()
helper.CgroupData.config.Resources.NetPrioIfpriomap = prioMap
netPrio := &NetPrioGroup{}
if err := netPrio.Set(helper.CgroupPath, helper.CgroupData.config.Resources); err != nil {
t.Fatal(err)
}
value, err := fscommon.GetCgroupParamString(helper.CgroupPath, "net_prio.ifpriomap")
if err != nil {
t.Fatalf("Failed to parse net_prio.ifpriomap - %s", err)
}
if !strings.Contains(value, "test 5") {
t.Fatal("Got the wrong value, set net_prio.ifpriomap failed.")
}
}
-27
View File
@@ -1,27 +0,0 @@
// +build linux
package fs
import (
"github.com/opencontainers/runc/libcontainer/cgroups"
"github.com/opencontainers/runc/libcontainer/configs"
)
type PerfEventGroup struct {
}
func (s *PerfEventGroup) Name() string {
return "perf_event"
}
func (s *PerfEventGroup) Apply(path string, d *cgroupData) error {
return join(path, d.pid)
}
func (s *PerfEventGroup) Set(_ string, _ *configs.Resources) error {
return nil
}
func (s *PerfEventGroup) GetStats(path string, stats *cgroups.Stats) error {
return nil
}
-69
View File
@@ -1,69 +0,0 @@
// +build linux
package fs
import (
"fmt"
"path/filepath"
"strconv"
"github.com/opencontainers/runc/libcontainer/cgroups"
"github.com/opencontainers/runc/libcontainer/cgroups/fscommon"
"github.com/opencontainers/runc/libcontainer/configs"
)
type PidsGroup struct {
}
func (s *PidsGroup) Name() string {
return "pids"
}
func (s *PidsGroup) Apply(path string, d *cgroupData) error {
return join(path, d.pid)
}
func (s *PidsGroup) Set(path string, r *configs.Resources) error {
if r.PidsLimit != 0 {
// "max" is the fallback value.
limit := "max"
if r.PidsLimit > 0 {
limit = strconv.FormatInt(r.PidsLimit, 10)
}
if err := fscommon.WriteFile(path, "pids.max", limit); err != nil {
return err
}
}
return nil
}
func (s *PidsGroup) GetStats(path string, stats *cgroups.Stats) error {
if !cgroups.PathExists(path) {
return nil
}
current, err := fscommon.GetCgroupParamUint(path, "pids.current")
if err != nil {
return fmt.Errorf("failed to parse pids.current - %s", err)
}
maxString, err := fscommon.GetCgroupParamString(path, "pids.max")
if err != nil {
return fmt.Errorf("failed to parse pids.max - %s", err)
}
// Default if pids.max == "max" is 0 -- which represents "no limit".
var max uint64
if maxString != "max" {
max, err = fscommon.ParseUint(maxString, 10, 64)
if err != nil {
return fmt.Errorf("failed to parse pids.max - unable to parse %q as a uint from Cgroup file %q", maxString, filepath.Join(path, "pids.max"))
}
}
stats.PidsStats.Current = current
stats.PidsStats.Limit = max
return nil
}
-112
View File
@@ -1,112 +0,0 @@
// +build linux
package fs
import (
"strconv"
"testing"
"github.com/opencontainers/runc/libcontainer/cgroups"
"github.com/opencontainers/runc/libcontainer/cgroups/fscommon"
)
const (
maxUnlimited = -1
maxLimited = 1024
)
func TestPidsSetMax(t *testing.T) {
helper := NewCgroupTestUtil("pids", t)
defer helper.cleanup()
helper.writeFileContents(map[string]string{
"pids.max": "max",
})
helper.CgroupData.config.Resources.PidsLimit = maxLimited
pids := &PidsGroup{}
if err := pids.Set(helper.CgroupPath, helper.CgroupData.config.Resources); err != nil {
t.Fatal(err)
}
value, err := fscommon.GetCgroupParamUint(helper.CgroupPath, "pids.max")
if err != nil {
t.Fatalf("Failed to parse pids.max - %s", err)
}
if value != maxLimited {
t.Fatalf("Expected %d, got %d for setting pids.max - limited", maxLimited, value)
}
}
func TestPidsSetUnlimited(t *testing.T) {
helper := NewCgroupTestUtil("pids", t)
defer helper.cleanup()
helper.writeFileContents(map[string]string{
"pids.max": strconv.Itoa(maxLimited),
})
helper.CgroupData.config.Resources.PidsLimit = maxUnlimited
pids := &PidsGroup{}
if err := pids.Set(helper.CgroupPath, helper.CgroupData.config.Resources); err != nil {
t.Fatal(err)
}
value, err := fscommon.GetCgroupParamString(helper.CgroupPath, "pids.max")
if err != nil {
t.Fatalf("Failed to parse pids.max - %s", err)
}
if value != "max" {
t.Fatalf("Expected %s, got %s for setting pids.max - unlimited", "max", value)
}
}
func TestPidsStats(t *testing.T) {
helper := NewCgroupTestUtil("pids", t)
defer helper.cleanup()
helper.writeFileContents(map[string]string{
"pids.current": strconv.Itoa(1337),
"pids.max": strconv.Itoa(maxLimited),
})
pids := &PidsGroup{}
stats := *cgroups.NewStats()
if err := pids.GetStats(helper.CgroupPath, &stats); err != nil {
t.Fatal(err)
}
if stats.PidsStats.Current != 1337 {
t.Fatalf("Expected %d, got %d for pids.current", 1337, stats.PidsStats.Current)
}
if stats.PidsStats.Limit != maxLimited {
t.Fatalf("Expected %d, got %d for pids.max", maxLimited, stats.PidsStats.Limit)
}
}
func TestPidsStatsUnlimited(t *testing.T) {
helper := NewCgroupTestUtil("pids", t)
defer helper.cleanup()
helper.writeFileContents(map[string]string{
"pids.current": strconv.Itoa(4096),
"pids.max": "max",
})
pids := &PidsGroup{}
stats := *cgroups.NewStats()
if err := pids.GetStats(helper.CgroupPath, &stats); err != nil {
t.Fatal(err)
}
if stats.PidsStats.Current != 4096 {
t.Fatalf("Expected %d, got %d for pids.current", 4096, stats.PidsStats.Current)
}
if stats.PidsStats.Limit != 0 {
t.Fatalf("Expected %d, got %d for pids.max", 0, stats.PidsStats.Limit)
}
}
-134
View File
@@ -1,134 +0,0 @@
// +build linux
package fs
import (
"errors"
"fmt"
"reflect"
"testing"
"github.com/opencontainers/runc/libcontainer/cgroups"
)
func blkioStatEntryEquals(expected, actual []cgroups.BlkioStatEntry) error {
if len(expected) != len(actual) {
return errors.New("blkioStatEntries length do not match")
}
for i, expValue := range expected {
actValue := actual[i]
if expValue != actValue {
return fmt.Errorf("Expected blkio stat entry %v but found %v", expValue, actValue)
}
}
return nil
}
func expectBlkioStatsEquals(t *testing.T, expected, actual cgroups.BlkioStats) {
if err := blkioStatEntryEquals(expected.IoServiceBytesRecursive, actual.IoServiceBytesRecursive); err != nil {
t.Errorf("blkio IoServiceBytesRecursive do not match - %s\n", err)
}
if err := blkioStatEntryEquals(expected.IoServicedRecursive, actual.IoServicedRecursive); err != nil {
t.Errorf("blkio IoServicedRecursive do not match - %s\n", err)
}
if err := blkioStatEntryEquals(expected.IoQueuedRecursive, actual.IoQueuedRecursive); err != nil {
t.Errorf("blkio IoQueuedRecursive do not match - %s\n", err)
}
if err := blkioStatEntryEquals(expected.SectorsRecursive, actual.SectorsRecursive); err != nil {
t.Errorf("blkio SectorsRecursive do not match - %s\n", err)
}
if err := blkioStatEntryEquals(expected.IoServiceTimeRecursive, actual.IoServiceTimeRecursive); err != nil {
t.Errorf("blkio IoServiceTimeRecursive do not match - %s\n", err)
}
if err := blkioStatEntryEquals(expected.IoWaitTimeRecursive, actual.IoWaitTimeRecursive); err != nil {
t.Errorf("blkio IoWaitTimeRecursive do not match - %s\n", err)
}
if err := blkioStatEntryEquals(expected.IoMergedRecursive, actual.IoMergedRecursive); err != nil {
t.Errorf("blkio IoMergedRecursive do not match - %v vs %v\n", expected.IoMergedRecursive, actual.IoMergedRecursive)
}
if err := blkioStatEntryEquals(expected.IoTimeRecursive, actual.IoTimeRecursive); err != nil {
t.Errorf("blkio IoTimeRecursive do not match - %s\n", err)
}
}
func expectThrottlingDataEquals(t *testing.T, expected, actual cgroups.ThrottlingData) {
if expected != actual {
t.Errorf("Expected throttling data %v but found %v\n", expected, actual)
}
}
func expectHugetlbStatEquals(t *testing.T, expected, actual cgroups.HugetlbStats) {
if expected != actual {
t.Errorf("Expected hugetlb stats %v but found %v\n", expected, actual)
}
}
func expectMemoryStatEquals(t *testing.T, expected, actual cgroups.MemoryStats) {
expectMemoryDataEquals(t, expected.Usage, actual.Usage)
expectMemoryDataEquals(t, expected.SwapUsage, actual.SwapUsage)
expectMemoryDataEquals(t, expected.KernelUsage, actual.KernelUsage)
expectPageUsageByNUMAEquals(t, expected.PageUsageByNUMA, actual.PageUsageByNUMA)
if expected.UseHierarchy != actual.UseHierarchy {
t.Errorf("Expected memory use hierarchy %v, but found %v\n", expected.UseHierarchy, actual.UseHierarchy)
}
for key, expValue := range expected.Stats {
actValue, ok := actual.Stats[key]
if !ok {
t.Errorf("Expected memory stat key %s not found\n", key)
}
if expValue != actValue {
t.Errorf("Expected memory stat value %d but found %d\n", expValue, actValue)
}
}
}
func expectMemoryDataEquals(t *testing.T, expected, actual cgroups.MemoryData) {
if expected.Usage != actual.Usage {
t.Errorf("Expected memory usage %d but found %d\n", expected.Usage, actual.Usage)
}
if expected.MaxUsage != actual.MaxUsage {
t.Errorf("Expected memory max usage %d but found %d\n", expected.MaxUsage, actual.MaxUsage)
}
if expected.Failcnt != actual.Failcnt {
t.Errorf("Expected memory failcnt %d but found %d\n", expected.Failcnt, actual.Failcnt)
}
if expected.Limit != actual.Limit {
t.Errorf("Expected memory limit %d but found %d\n", expected.Limit, actual.Limit)
}
}
func expectPageUsageByNUMAEquals(t *testing.T, expected, actual cgroups.PageUsageByNUMA) {
if !reflect.DeepEqual(expected.Total, actual.Total) {
t.Errorf("Expected total page usage by NUMA %#v but found %#v", expected.Total, actual.Total)
}
if !reflect.DeepEqual(expected.File, actual.File) {
t.Errorf("Expected file page usage by NUMA %#v but found %#v", expected.File, actual.File)
}
if !reflect.DeepEqual(expected.Anon, actual.Anon) {
t.Errorf("Expected anon page usage by NUMA %#v but found %#v", expected.Anon, actual.Anon)
}
if !reflect.DeepEqual(expected.Unevictable, actual.Unevictable) {
t.Errorf("Expected unevictable page usage by NUMA %#v but found %#v", expected.Unevictable, actual.Unevictable)
}
if !reflect.DeepEqual(expected.Hierarchical.Total, actual.Hierarchical.Total) {
t.Errorf("Expected hierarchical total page usage by NUMA %#v but found %#v", expected.Hierarchical.Total, actual.Hierarchical.Total)
}
if !reflect.DeepEqual(expected.Hierarchical.File, actual.Hierarchical.File) {
t.Errorf("Expected hierarchical file page usage by NUMA %#v but found %#v", expected.Hierarchical.File, actual.Hierarchical.File)
}
if !reflect.DeepEqual(expected.Hierarchical.Anon, actual.Hierarchical.Anon) {
t.Errorf("Expected hierarchical anon page usage by NUMA %#v but found %#v", expected.Hierarchical.Anon, actual.Hierarchical.Anon)
}
if !reflect.DeepEqual(expected.Hierarchical.Unevictable, actual.Hierarchical.Unevictable) {
t.Errorf("Expected hierarchical total page usage by NUMA %#v but found %#v", expected.Hierarchical.Unevictable, actual.Hierarchical.Unevictable)
}
}
-3
View File
@@ -1,3 +0,0 @@
// +build !linux
package fs
-72
View File
@@ -1,72 +0,0 @@
// +build linux
/*
Utility for testing cgroup operations.
Creates a mock of the cgroup filesystem for the duration of the test.
*/
package fs
import (
"io/ioutil"
"os"
"path/filepath"
"testing"
"github.com/opencontainers/runc/libcontainer/cgroups/fscommon"
"github.com/opencontainers/runc/libcontainer/configs"
)
func init() {
fscommon.TestMode = true
}
type cgroupTestUtil struct {
// cgroup data to use in tests.
CgroupData *cgroupData
// Path to the mock cgroup directory.
CgroupPath string
// Temporary directory to store mock cgroup filesystem.
tempDir string
t *testing.T
}
// Creates a new test util for the specified subsystem
func NewCgroupTestUtil(subsystem string, t *testing.T) *cgroupTestUtil {
d := &cgroupData{
config: &configs.Cgroup{},
}
d.config.Resources = &configs.Resources{}
tempDir, err := ioutil.TempDir("", "cgroup_test")
if err != nil {
t.Fatal(err)
}
d.root = tempDir
testCgroupPath := filepath.Join(d.root, subsystem)
if err != nil {
t.Fatal(err)
}
// Ensure the full mock cgroup path exists.
err = os.MkdirAll(testCgroupPath, 0755)
if err != nil {
t.Fatal(err)
}
return &cgroupTestUtil{CgroupData: d, CgroupPath: testCgroupPath, tempDir: tempDir, t: t}
}
func (c *cgroupTestUtil) cleanup() {
os.RemoveAll(c.tempDir)
}
// Write the specified contents on the mock of the specified cgroup files.
func (c *cgroupTestUtil) writeFileContents(fileContents map[string]string) {
for file, contents := range fileContents {
err := fscommon.WriteFile(c.CgroupPath, file, contents)
if err != nil {
c.t.Fatal(err)
}
}
}
-84
View File
@@ -1,84 +0,0 @@
// +build linux
package fs2
import (
"bufio"
"os"
"strconv"
"github.com/opencontainers/runc/libcontainer/cgroups"
"github.com/opencontainers/runc/libcontainer/cgroups/fscommon"
"github.com/opencontainers/runc/libcontainer/configs"
)
func isCpuSet(r *configs.Resources) bool {
return r.CpuWeight != 0 || r.CpuQuota != 0 || r.CpuPeriod != 0
}
func setCpu(dirPath string, r *configs.Resources) error {
if !isCpuSet(r) {
return nil
}
// NOTE: .CpuShares is not used here. Conversion is the caller's responsibility.
if r.CpuWeight != 0 {
if err := fscommon.WriteFile(dirPath, "cpu.weight", strconv.FormatUint(r.CpuWeight, 10)); err != nil {
return err
}
}
if r.CpuQuota != 0 || r.CpuPeriod != 0 {
str := "max"
if r.CpuQuota > 0 {
str = strconv.FormatInt(r.CpuQuota, 10)
}
period := r.CpuPeriod
if period == 0 {
// This default value is documented in
// https://www.kernel.org/doc/html/latest/admin-guide/cgroup-v2.html
period = 100000
}
str += " " + strconv.FormatUint(period, 10)
if err := fscommon.WriteFile(dirPath, "cpu.max", str); err != nil {
return err
}
}
return nil
}
func statCpu(dirPath string, stats *cgroups.Stats) error {
f, err := fscommon.OpenFile(dirPath, "cpu.stat", os.O_RDONLY)
if err != nil {
return err
}
defer f.Close()
sc := bufio.NewScanner(f)
for sc.Scan() {
t, v, err := fscommon.ParseKeyValue(sc.Text())
if err != nil {
return err
}
switch t {
case "usage_usec":
stats.CpuStats.CpuUsage.TotalUsage = v * 1000
case "user_usec":
stats.CpuStats.CpuUsage.UsageInUsermode = v * 1000
case "system_usec":
stats.CpuStats.CpuUsage.UsageInKernelmode = v * 1000
case "nr_periods":
stats.CpuStats.ThrottlingData.Periods = v
case "nr_throttled":
stats.CpuStats.ThrottlingData.ThrottledPeriods = v
case "throttled_usec":
stats.CpuStats.ThrottlingData.ThrottledTime = v * 1000
}
}
return nil
}
-30
View File
@@ -1,30 +0,0 @@
// +build linux
package fs2
import (
"github.com/opencontainers/runc/libcontainer/cgroups/fscommon"
"github.com/opencontainers/runc/libcontainer/configs"
)
func isCpusetSet(r *configs.Resources) bool {
return r.CpusetCpus != "" || r.CpusetMems != ""
}
func setCpuset(dirPath string, r *configs.Resources) error {
if !isCpusetSet(r) {
return nil
}
if r.CpusetCpus != "" {
if err := fscommon.WriteFile(dirPath, "cpuset.cpus", r.CpusetCpus); err != nil {
return err
}
}
if r.CpusetMems != "" {
if err := fscommon.WriteFile(dirPath, "cpuset.mems", r.CpusetMems); err != nil {
return err
}
}
return nil
}
-105
View File
@@ -1,105 +0,0 @@
/*
Copyright The containerd Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package fs2
import (
"bufio"
"io"
"os"
"path/filepath"
"strings"
"github.com/opencontainers/runc/libcontainer/configs"
libcontainerUtils "github.com/opencontainers/runc/libcontainer/utils"
"github.com/pkg/errors"
)
const UnifiedMountpoint = "/sys/fs/cgroup"
func defaultDirPath(c *configs.Cgroup) (string, error) {
if (c.Name != "" || c.Parent != "") && c.Path != "" {
return "", errors.Errorf("cgroup: either Path or Name and Parent should be used, got %+v", c)
}
if len(c.Paths) != 0 {
// never set by specconv
return "", errors.Errorf("cgroup: Paths is unsupported, use Path, got %+v", c)
}
// XXX: Do not remove this code. Path safety is important! -- cyphar
cgPath := libcontainerUtils.CleanPath(c.Path)
cgParent := libcontainerUtils.CleanPath(c.Parent)
cgName := libcontainerUtils.CleanPath(c.Name)
return _defaultDirPath(UnifiedMountpoint, cgPath, cgParent, cgName)
}
func _defaultDirPath(root, cgPath, cgParent, cgName string) (string, error) {
if (cgName != "" || cgParent != "") && cgPath != "" {
return "", errors.New("cgroup: either Path or Name and Parent should be used")
}
innerPath := cgPath
if innerPath == "" {
innerPath = filepath.Join(cgParent, cgName)
}
if filepath.IsAbs(innerPath) {
return filepath.Join(root, innerPath), nil
}
ownCgroup, err := parseCgroupFile("/proc/self/cgroup")
if err != nil {
return "", err
}
// The current user scope most probably has tasks in it already,
// making it impossible to enable controllers for its sub-cgroup.
// A parent cgroup (with no tasks in it) is what we need.
ownCgroup = filepath.Dir(ownCgroup)
return filepath.Join(root, ownCgroup, innerPath), nil
}
// parseCgroupFile parses /proc/PID/cgroup file and return string
func parseCgroupFile(path string) (string, error) {
f, err := os.Open(path)
if err != nil {
return "", err
}
defer f.Close()
return parseCgroupFromReader(f)
}
func parseCgroupFromReader(r io.Reader) (string, error) {
var (
s = bufio.NewScanner(r)
)
for s.Scan() {
var (
text = s.Text()
parts = strings.SplitN(text, ":", 3)
)
if len(parts) < 3 {
return "", errors.Errorf("invalid cgroup entry: %q", text)
}
// text is like "0::/user.slice/user-1001.slice/session-1.scope"
if parts[0] == "0" && parts[1] == "" {
return parts[2], nil
}
}
if err := s.Err(); err != nil {
return "", err
}
return "", errors.New("cgroup path not found")
}
@@ -1,87 +0,0 @@
/*
Copyright The containerd Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package fs2
import (
"path/filepath"
"strings"
"testing"
"github.com/opencontainers/runc/libcontainer/cgroups"
)
func TestParseCgroupFromReader(t *testing.T) {
cases := map[string]string{
"0::/user.slice/user-1001.slice/session-1.scope\n": "/user.slice/user-1001.slice/session-1.scope",
"2:cpuset:/foo\n1:name=systemd:/\n": "",
"2:cpuset:/foo\n1:name=systemd:/\n0::/user.slice/user-1001.slice/session-1.scope\n": "/user.slice/user-1001.slice/session-1.scope",
}
for s, expected := range cases {
g, err := parseCgroupFromReader(strings.NewReader(s))
if expected != "" {
if g != expected {
t.Errorf("expected %q, got %q", expected, g)
}
if err != nil {
t.Error(err)
}
} else {
if err == nil {
t.Error("error is expected")
}
}
}
}
func TestDefaultDirPath(t *testing.T) {
if !cgroups.IsCgroup2UnifiedMode() {
t.Skip("need cgroupv2")
}
// same code as in defaultDirPath()
ownCgroup, err := parseCgroupFile("/proc/self/cgroup")
if err != nil {
// Not a test failure, but rather some weird
// environment so we can't run this test.
t.Skipf("can't get own cgroup: %v", err)
}
ownCgroup = filepath.Dir(ownCgroup)
cases := []struct {
cgPath string
cgParent string
cgName string
expected string
}{
{
cgPath: "/foo/bar",
expected: "/sys/fs/cgroup/foo/bar",
},
{
cgPath: "foo/bar",
expected: filepath.Join(UnifiedMountpoint, ownCgroup, "foo/bar"),
},
}
for _, c := range cases {
got, err := _defaultDirPath(UnifiedMountpoint, c.cgPath, c.cgParent, c.cgName)
if err != nil {
t.Fatal(err)
}
if got != c.expected {
t.Fatalf("expected %q, got %q", c.expected, got)
}
}
}

Some files were not shown because too many files have changed in this diff Show More