Commit Graph

3846 Commits

Author SHA1 Message Date
Qiang Huang c8337777b6
Merge pull request #2042 from xiaochenshen/rdt-add-missing-destroy
libcontainer: intelrdt: add missing destroy handler in defer func
2019-05-21 09:48:00 +08:00
Mrunal Patel b9b6cc6e47
Merge pull request #2057 from giuseppe/no-reopen-stderr
main: not reopen /dev/stderr
2019-05-14 17:39:28 -07:00
Giuseppe Scrivano 8383c724a4
main: not reopen /dev/stderr
commit a146081828 introduced a change to
write to /dev/stderr by default.  Do not reopen the file in this case,
but use directly the fd 2.

Closes: https://github.com/opencontainers/runc/issues/2056
Closes: https://github.com/kubernetes/kubernetes/issues/77615
Closes: https://github.com/cri-o/cri-o/issues/2368

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-05-14 21:56:41 +02:00
Mrunal Patel eb4aeed24f
Merge pull request #2038 from imxyb/defer-destroy
`r.destroy` can defer exec in `runner.run` method.
2019-05-07 15:48:14 -07:00
Mrunal Patel 2484581dd7
Merge pull request #2035 from cyphar/bindmount-types
specconv: always set "type: bind" in case of MS_BIND
2019-05-07 15:47:58 -07:00
Mrunal Patel a0ecf749ee
Merge pull request #2047 from filbranden/systemd7
Move systemd.Manager initialization into a function in that module
2019-05-07 15:08:41 -07:00
Michael Crosby 70bc4cd847
Merge pull request #2034 from masters-of-cats/pr-child-logging
Support for logging from children processes
2019-05-07 10:35:48 -04:00
Filipe Brandenburger 46351eb3d1 Move systemd.Manager initialization into a function in that module
This will permit us to extend the internals of systemd.Manager to include
further information about the system, such as whether cgroupv1, cgroupv2 or
both are in effect.

Furthermore, it allows a future refactor of moving more of UseSystemd() code
into the factory initialization function.

Signed-off-by: Filipe Brandenburger <filbranden@gmail.com>
2019-05-01 13:22:19 -07:00
Mrunal Patel dae70e8efe
Merge pull request #2045 from cyphar/release-rc8
VERSION: release 1.0.0-rc8
2019-04-25 16:48:16 -07:00
Aleksa Sarai 62bd2593b3
VERSION: back to development
Signed-off-by: Aleksa Sarai <asarai@suse.de>
2019-04-25 07:48:36 +10:00
Aleksa Sarai 425e105d5a
VERSION: release 1.0.0-rc8
Signed-off-by: Aleksa Sarai <asarai@suse.de>
2019-04-25 07:48:25 +10:00
Mrunal Patel c1b8c57aba
Merge pull request #2043 from rhatdan/selinux
Vendor in latest selinux code for keycreate errors
2019-04-24 08:39:10 -07:00
Daniel J Walsh 8362cd02c0
Vendor in latest selinux code for keycreate errors
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2019-04-24 08:41:56 -04:00
Georgi Sabev a146081828 Write logs to stderr by default
Minor refactoring to use the filePair struct for both init sock and log pipe

Co-authored-by: Julia Nedialkova <julianedialkova@hotmail.com>
Signed-off-by: Georgi Sabev <georgethebeatle@gmail.com>
2019-04-24 15:18:14 +03:00
Georgi Sabev 68b4ff5b37 Simplify bail logic & minor nsexec improvements
Co-authored-by: Julia Nedialkova <julianedialkova@hotmail.com>
Signed-off-by: Georgi Sabev <georgethebeatle@gmail.com>
2019-04-24 15:16:11 +03:00
Xiaochen Shen 17b37ea3fa libcontainer: intelrdt: add missing destroy handler in defer func
In the exception handling of initProcess.start(), we need to add the
missing IntelRdtManager.Destroy() handler in defer func.

Signed-off-by: Xiaochen Shen <xiaochen.shen@intel.com>
2019-04-24 16:41:51 +08:00
Georgi Sabev 475aef10f7 Remove redundant log function
Bump logrus so that we can use logrus.StandardLogger().Logf instead

Co-authored-by: Julia Nedialkova <julianedialkova@hotmail.com>
Signed-off-by: Georgi Sabev <georgethebeatle@gmail.com>
2019-04-22 17:54:55 +03:00
Georgi Sabev ba3cabf932 Improve nsexec logging
* Simplify logging function
* Logs contain __FUNCTION__:__LINE__
* Bail uses write_log

Co-authored-by: Julia Nedialkova <julianedialkova@hotmail.com>
Co-authored-by: Danail Branekov <danailster@gmail.com>
Signed-off-by: Georgi Sabev <georgethebeatle@gmail.com>
2019-04-22 17:53:52 +03:00
Xiao YongBiao da5a2dd456 `r.destroy` can defer exec in `runner.run` method.
Signed-off-by: Xiao YongBiao <xyb4638@gmail.com>
2019-04-10 23:25:03 +08:00
Aleksa Sarai 8296826da5
specconv: always set "type: bind" in case of MS_BIND
We discovered in umoci that setting a dummy type of "none" would result
in file-based bind-mounts no longer working properly, which is caused by
a restriction for when specconv will change the device type to "bind" to
work around rootfs_linux.go's ... issues.

However, bind-mounts don't have a type (and Linux will ignore any type
specifier you give it) because the type is copied from the source of the
bind-mount. So we should always overwrite it to avoid user confusion.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2019-04-08 15:08:08 +10:00
Danail Branekov c486e3c406 Address comments in PR 1861
Refactor configuring logging into a reusable component
so that it can be nicely used in both main() and init process init()

Co-authored-by: Georgi Sabev <georgethebeatle@gmail.com>
Co-authored-by: Giuseppe Capizzi <gcapizzi@pivotal.io>
Co-authored-by: Claudia Beresford <cberesford@pivotal.io>
Signed-off-by: Danail Branekov <danailster@gmail.com>
2019-04-04 14:57:28 +03:00
Marco Vedovati feebfac358 Remove pipe close before exec.
Pipe close before exec is not necessary as os.Pipe() is calling pipe2
with O_CLOEXEC option.

Signed-off-by: Marco Vedovati <mvedovati@suse.com>
2019-04-04 14:53:30 +03:00
Marco Vedovati 9a599f62fb Support for logging from children processes
Add support for children processes logging (including nsexec).
A pipe is used to send logs from children to parent in JSON.
The JSON format used is the same used by logrus JSON formatted,
i.e. children process can use standard logrus APIs.

Signed-off-by: Marco Vedovati <mvedovati@suse.com>
2019-04-04 14:53:23 +03:00
Michael Crosby 029124da7a
Merge pull request #2031 from lifubang/selinux
Add selinux validate in runc exec
2019-04-03 16:09:19 -04:00
lifubang 3e6688f5c9 add selinux label for runc exec
Signed-off-by: lifubang <lifubang@acmcoder.com>
2019-04-03 12:09:06 +08:00
Mrunal Patel 6a3f4749b8
Merge pull request #2032 from rhatdan/selinux
Fix SELinux failures on disabled SELinux Machines
2019-04-02 13:39:48 -07:00
Daniel J Walsh dcf994b4f8
Fix SELinux failures on disabled SELinux Machines
On some machines when setting the SELinux key labels to "", we are seeing
failures that cause runc to fail.  Even if SELinux is disabled.

This check will ignore callers calling SELinux Set*Label functions with ""
when SELinux is disabled.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2019-04-02 10:27:27 -04:00
Aleksa Sarai da2021132b
merge branch 'pr-2026'
VERSION: back to development
  VERSION: release v1.0.0-rc7

Votes: +5 -0 /0
LGTMs: [unanimous]
2019-03-29 02:19:24 +11:00
Aleksa Sarai 6b5ee713f3
VERSION: back to development
Signed-off-by: Aleksa Sarai <asarai@suse.de>
2019-03-28 22:46:35 +11:00
Aleksa Sarai 69ae5da6af
VERSION: release v1.0.0-rc7
Signed-off-by: Aleksa Sarai <asarai@suse.de>
2019-03-28 22:45:53 +11:00
Michael Crosby 11fc498ffa
Merge pull request #2023 from LittleLightLittleFire/2022-fix-runc-zombie-process-regression
Fixes regression causing zombie runc:[1:CHILD] processes
2019-03-22 14:06:31 -04:00
Mrunal Patel dd22a84864
Merge pull request #2012 from rhatdan/selinux
Need to setup labeling of kernel keyrings.
2019-03-20 21:17:18 -07:00
Alex Fang eab5330908 Fixes regression causing zombie runc:[1:CHILD] processes
Whenever processes are spawned using nsexec, a zombie runc:[1:CHILD]
process will always be created and will need to be reaped by the parent

Signed-off-by: Alex Fang <littlelightlittlefire@gmail.com>
2019-03-21 13:43:38 +11:00
Aleksa Sarai f56b4cbead
merge branch 'pr-2015'
Use getenv not secure_getenv

LGTMs: @crosbymichael @cyphar
Closes #2015
2019-03-16 17:30:56 +11:00
Daniel, Dao Quang Minh 7341c22d46
Merge pull request #2014 from filbranden/testing1
Add $RUNC_USE_SYSTEMD to run tests using systemd cgroup driver
2019-03-15 10:49:13 +00:00
Filipe Brandenburger 9fe7c939f8 Add a Travis-CI job for systemd cgroup driver
The additional test shows as a separate job. It sets environment
RUNC_USE_SYSTEMD=1 so it will be clear in Travis-CI that this job is
testing the systemd cgroup driver.

Signed-off-by: Filipe Brandenburger <filbranden@google.com>
2019-03-14 18:53:27 -07:00
Filipe Brandenburger 5369f9ade3 Skip CRIU tests when $RUNC_USE_SYSTEMD for now
These tests sometimes hang, so let's skip them for now.

Tested:
  $ sudo make localintegration TESTPATH='/checkpoint.bats' RUNC_USE_SYSTEMD=1

The 5 tests in this test suite will be skipped.

Signed-off-by: Filipe Brandenburger <filbranden@google.com>
2019-03-14 14:53:09 -07:00
Filipe Brandenburger d4586090c4 Update tests that depend on cgroupfs paths to consider systemd cgroups
When $RUNC_USE_SYSTEMD is set, then use a systemd syntax for the
cgroupsPath. Also fix $CGROUPS_PATH to look under the actual path to the
slice/scope created by systemd.

Tested:
  $ sudo make localintegration TESTPATH='/cgroups.bats' RUNC_USE_SYSTEMD=1

That test will fail without this commit.

Signed-off-by: Filipe Brandenburger <filbranden@google.com>
2019-03-14 14:51:24 -07:00
Filipe Brandenburger a9056a348f Add $RUNC_USE_SYSTEMD to use systemd cgroup driver in tests
This allows us to test runc using libcontainer's systemd driver, by
passing an extra `--systemd-cgroup` argument to the calls to runc.

Tested:
  $ sudo make localintegration TESTPATH='/exec.bats' RUNC_USE_SYSTEMD=1

And confirmed that systemd was in use by looking at creation and removal
of libcontainer_<pid>_systemd_test_default.slice test slices. Also
introduced a breakage in systemd cgroup driver and confirmed that the
tests failed as expected.

Signed-off-by: Filipe Brandenburger <filbranden@google.com>
2019-03-14 10:26:47 -07:00
Filipe Brandenburger 4b2b978291 Add cgroup name to error message
More information should help troubleshoot an issue when this error occurs.

Signed-off-by: Filipe Brandenburger <filbranden@google.com>
2019-03-14 10:25:00 -07:00
Justin Cormack 6f714aa928
Use getenv not secure_getenv
secure_getenv is a Glibc extension and so this code does not compile
on Musl libc any more after this patch.

secure_getenv is only intended to be used in setuid binaries, in
order that they should not trust their environment. It simply returns
NULL if the binary is running setuid. If runc was installed setuid,
the user can already do anything as root, so it is game over, so this
check is not needed.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2019-03-14 10:58:10 +00:00
Daniel J Walsh cd96170c10
Need to setup labeling of kernel keyrings.
Work is ongoing in the kernel to support different kernel
keyrings per user namespace.  We want to allow SELinux to manage
kernel keyrings inside of the container.

Currently when runc creates the kernel keyring it gets the label which runc is
running with ususally `container_runtime_t`, with this change the kernel keyring
will be labeled with the container process label container_t:s0:C1,c2.

Container running as container_t:s0:c1,c2 can manage keyrings with the same label.

This change required a revendoring or the SELinux go bindings.

github.com/opencontainers/selinux.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2019-03-13 17:57:30 -04:00
Mrunal Patel 2b18fe1d88
Merge pull request #1984 from cyphar/memfd-cleanups
nsenter: cloned_binary: "memfd" cleanups
2019-03-07 10:18:33 -08:00
Aleksa Sarai 923a8f8a9a
merge branch 'pr-2001'
README: link to /org/security/

LGTMs: @crosbymichael @cyphar
Closes #2001
2019-03-05 18:45:55 +11:00
Michael Crosby f739110263
Merge pull request #1968 from adrianreber/podman
Create bind mount mountpoints during restore
2019-03-04 11:37:07 -06:00
Michael Crosby f416cac1fa
Merge pull request #2000 from lifubang/preserve-fds-error
fix preserve-fds flag may cause runc hang
2019-03-04 10:45:17 -06:00
Vincent Batts dbf6e48d0f
README: link to /org/security/
Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2019-03-03 15:01:08 -05:00
Aleksa Sarai 2d4a37b427
nsenter: cloned_binary: userspace copy fallback if sendfile fails
There are some circumstances where sendfile(2) can fail (one example is
that AppArmor appears to block writing to deleted files with sendfile(2)
under some circumstances) and so we need to have a userspace fallback.
It's fairly trivial (and handles short-writes).

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2019-03-01 23:29:10 +11:00
Aleksa Sarai 16612d74de
nsenter: cloned_binary: try to ro-bind /proc/self/exe before copying
The usage of memfd_create(2) and other copying techniques is quite
wasteful, despite attempts to minimise it with _LIBCONTAINER_STATEDIR.
memfd_create(2) added ~10M of memory usage to the cgroup associated with
the container, which can result in some setups getting OOM'd (or just
hogging the hosts' memory when you have lots of created-but-not-started
containers sticking around).

The easiest way of solving this is by creating a read-only bind-mount of
the binary, opening that read-only bindmount, and then umounting it to
ensure that the host won't accidentally be re-mounted read-write. This
avoids all copying and cleans up naturally like the other techniques
used. Unfortunately, like the O_TMPFILE fallback, this requires being
able to create a file inside _LIBCONTAINER_STATEDIR (since bind-mounting
over the most obvious path -- /proc/self/exe -- is a *very bad idea*).

Unfortunately detecting this isn't fool-proof -- on a system with a
read-only root filesystem (that might become read-write during "runc
init" execution), we cannot tell whether we have already done an ro
remount. As a partial mitigation, we store a _LIBCONTAINER_CLONED_BINARY
environment variable which is checked *alongside* the protection being
present.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2019-03-01 23:29:08 +11:00
Aleksa Sarai af9da0a450
nsenter: cloned_binary: use the runc statedir for O_TMPFILE
Writing a file to tmpfs actually incurs a memcg penalty, and thus the
benefit of being able to disable memfd_create(2) with
_LIBCONTAINER_DISABLE_MEMFD_CLONE is fairly minimal -- though it should
be noted that quite a few distributions don't use tmpfs for /tmp (and
instead have it as a regular directory or subvolume of the host
filesystem).

Since runc must have write access to the state directory anyway (and the
state directory is usually not on a tmpfs) we can use that instead of
/tmp -- avoiding potential memcg costs with no real downside.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2019-03-01 23:28:51 +11:00