Commit Graph

4007 Commits

Author SHA1 Message Date
Sebastiaan van Stijn d8953334bb
vendor: update opencontainers/selinux v1.3.3
full diff: https://github.com/opencontainers/selinux/compare/v1.3.1...v1.3.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-03-02 12:41:07 +01:00
Sebastiaan van Stijn 22e00ddc03
vendor: update golang.org/x/sys 52ab431487773bc9dd1b0766228b1cf3944126bf
full diff: 9eafafc0a8...52ab431487

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-03-02 12:41:05 +01:00
Sebastiaan van Stijn c295a6339c
vendor: update opencontainers/selinux v1.3.1
full diff: 5215b1806f...v1.3.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-03-02 12:41:01 +01:00
Qiang Huang 3b7e32feba
Merge pull request #2210 from Zyqsempai/2164-remove-deprecated-systemd-resources
Exchange deprecated systemd resources with the appropriate for cgroupv2
2020-02-29 10:13:55 +08:00
Aleksa Sarai 688cf6d43c
merge branch 'pr-2223'
wanghuaiqing (1):
  Fix the value corresponding to rlimitmap [key]

LGTMs: @hqhq @cyphar
Closes #2223
2020-02-21 16:12:41 +11:00
Aleksa Sarai 0f32b03dda
merge branch 'pr-2192'
Boris Popovschi (2):
  Fix skip message for cgroupv2
  Fix MAJ:MIN io.stat parsing order

LGTMs: @hqhq @cyphar
Closes #2192
2020-02-21 16:00:17 +11:00
Qiang Huang 13b1603fd0
Merge pull request #2224 from kolyshkin/systemd-props
Allow to set systemd scope properties via annotations
2020-02-21 09:07:56 +08:00
Kir Kolyshkin 1cd71dfd71 systemd properties: support for *Sec values
Some systemd properties are documented as having "Sec" suffix
(e.g. "TimeoutStopSec") but are expected to have "USec" suffix
when passed over dbus, so let's provide appropriate conversion
to improve compatibility.

This means, one can specify TimeoutStopSec with a numeric argument,
in seconds, and it will be properly converted to TimeoutStopUsec
with the argument in microseconds. As a side bonus, even float
values are converted, so e.g. TimeoutStopSec=1.5 is possible.

This turned out a bit more tricky to implement when I was
originally expected, since there are a handful of numeric
types in dbus and each one requires explicit conversion.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-02-17 16:07:19 -08:00
Kir Kolyshkin 2a81236e89 Document using annotations to set systemd props
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-02-17 16:07:19 -08:00
Kir Kolyshkin 4c5c3fb960 Support for setting systemd properties via annotations
In case systemd is used to set cgroups for the container,
it creates a scope unit dedicated to it (usually named
`runc-$ID.scope`).

This patch adds an ability to set arbitrary systemd properties
for the systemd unit via runtime spec annotations.

Initially this was developed as an ability to specify the
`TimeoutStopUSec` property, but later generalized to work with
arbitrary ones.

Example usage: add the following to runtime spec (config.json):

```
	"annotations": {
		"org.systemd.property.TimeoutStopUSec": "uint64 123456789",
		"org.systemd.property.CollectMode":"'inactive-or-failed'"
	},
```

and start the container (e.g. `runc --systemd-cgroup run $ID`).

The above will set the following systemd parameters:
* `TimeoutStopSec` to 2 minutes and 3 seconds,
* `CollectMode` to "inactive-or-failed".

The values are in the gvariant format (see [1]). To figure out
which type systemd expects for a particular parameter, see
systemd sources.

In particular, parameters with `USec` suffix require an `uint64`
typed argument, while gvariant assumes int32 for a numeric values,
therefore the explicit type is required.

NOTE that systemd receives the time-typed parameters as *USec
but shows them (in `systemctl show`) as *Sec. For example,
the stop timeout should be set as `TimeoutStopUSec` but
is shown as `TimeoutStopSec`.

[1] https://developer.gnome.org/glib/stable/gvariant-text.html

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-02-17 16:07:19 -08:00
Mrunal Patel 81ef5024f8
Merge pull request #2213 from Zyqsempai/2166-convert-cpu-weight-poperly
Added conversion for cpu.weight v2
2020-02-17 07:49:39 -08:00
Boris Popovschi 7c439cc6f6 Added conversion for cpu.weight v2
Signed-off-by: Boris Popovschi <zyqsempai@mail.ru>
2020-02-12 11:32:34 +02:00
wanghuaiqing f27c4e15f6 Fix the value corresponding to rlimitmap [key]
These values depend on the specific arch

Signed-off-by: wanghuaiqing <wanghuaiqing@loongson.cn>
2020-02-07 13:02:14 +08:00
Boris Popovschi 3b992087b8 Fix skip message for cgroupv2
Signed-off-by: Boris Popovschi <zyqsempai@mail.ru>
2020-02-03 14:27:12 +02:00
Aleksa Sarai e6555cc01a
merge branch 'pr-2184'
Kenta Tada (1):
  README.md: modify the explanation of make flags

LGTMs: @hqhq @cyphar
Closes #2184
2020-02-03 22:41:07 +11:00
Kenta Tada e03859022a README.md: modify the explanation of make flags
Signed-off-by: Kenta Tada <Kenta.Tada@sony.com>
2020-02-03 15:03:26 +09:00
Aleksa Sarai ff107ee0c1
merge branch 'pr-2190'
Amye Scavarda Perrin (2):
  Update README.md
  Adding .pdf of audit

LGTMs: @caniszczyk @cyphar
Closes #2190
2020-01-31 11:17:42 +11:00
Amye Scavarda Perrin 7d23d1e172
Update README.md
Signed-off-by: Amye Scavarda Perrin <amye@linuxfoundation.org>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2020-01-31 10:59:57 +11:00
Amye Scavarda Perrin 0061cad878
Adding .pdf of audit
Signed-off-by: Amye Scavarda Perrin <amye@linuxfoundation.org>
2020-01-31 10:59:43 +11:00
Mrunal Patel 2b5730a5a6
Merge pull request #2221 from inductor/feature/fix_path_security
Fix path for security report line
2020-01-27 14:40:21 -08:00
Mrunal Patel e4c4935a78
Merge pull request #2217 from cyphar/release-rc10
VERSION: release 1.0.0~rc10
2020-01-27 14:39:52 -08:00
Kohei Ota ed4a3e9bc6 Apply review
Signed-off-by: Kohei Ota <kela@inductor.me>
2020-01-26 23:03:13 +09:00
Kohei Ota c8ba985325 Fix path for security report line
Signed-off-by: Kohei Ota <kela@inductor.me>
2020-01-26 16:13:05 +09:00
Aleksa Sarai e4de2b2555
VERSION: back to development
Signed-off-by: Aleksa Sarai <asarai@suse.de>
2020-01-23 03:19:29 +11:00
Aleksa Sarai dc9208a330
VERSION: update to 1.0.0~rc10
Signed-off-by: Aleksa Sarai <asarai@suse.de>
2020-01-23 03:19:15 +11:00
Mrunal Patel 2fc03cc11c
Merge pull request #2207 from cyphar/fix-double-volume-attack
rootfs: do not permit /proc mounts to non-directories
2020-01-22 08:06:10 -08:00
Aleksa Sarai 3291d66b98
rootfs: do not permit /proc mounts to non-directories
mount(2) will blindly follow symlinks, which is a problem because it
allows a malicious container to trick runc into mounting /proc to an
entirely different location (and thus within the attacker's control for
a rename-exchange attack).

This is just a hotfix (to "stop the bleeding"), and the more complete
fix would be finish libpathrs and port runc to it (to avoid these types
of attacks entirely, and defend against a variety of other /proc-related
attacks). It can be bypased by someone having "/" be a volume controlled
by another container.

Fixes: CVE-2019-19921
Signed-off-by: Aleksa Sarai <asarai@suse.de>
2020-01-17 14:00:30 +11:00
Aleksa Sarai f6fb7a0338
merge branch 'pr-2133'
Julia Nedialkova (1):
  Handle ENODEV when accessing the freezer.state file

LGTMs: @crosbymichael @cyphar
Closes #2133
2020-01-17 02:07:19 +11:00
Boris Popovschi 5b96f314ba Exchanged deprecated systemd resources with the appropriate for cgroupv2
Signed-off-by: Boris Popovschi <zyqsempai@mail.ru>
2020-01-15 18:09:33 +02:00
Boris Popovschi cf9b7c33e1 Fix MAJ:MIN io.stat parsing order
Signed-off-by: Boris Popovschi <zyqsempai@mail.ru>
2020-01-15 14:39:14 +02:00
Qiang Huang 709377ca55
Merge pull request #2198 from AkihiroSuda/criu-master
temporarily disable CRIU tests
2020-01-14 18:57:19 +08:00
Akihiro Suda 55f8c254be temporarily disable CRIU tests
Ubuntu kernel is temporarily broken: https://github.com/opencontainers/runc/pull/2198#issuecomment-571124087

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-01-14 11:18:44 +09:00
Akihiro Suda 5c20ea1472 fix merging #2177 and #2169
A new method was added to the cgroup interface when #2177 was merged.

After #2177 got merged, #2169 was merged without rebase (sorry!) and compilation was failing:

  libcontainer/cgroups/fs2/fs2.go:208:22: container.Cgroup undefined (type *configs.Config has no field or method Cgroup)

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-01-14 11:13:25 +09:00
Mrunal Patel 5cc0deaf7a
Merge pull request #2169 from AkihiroSuda/split-fs
cgroup2: split fs2 from fs
2020-01-13 16:23:27 -08:00
Michael Crosby 2b52db7527
Merge pull request #2177 from devimc/topic/libcontainer/kata-containers
libcontainer: export and add new methods to allow cgroups manipulation
2020-01-02 11:47:12 -05:00
Michael Crosby a88592a634
Merge pull request #2185 from liggitt/exec-race
Fix race checking for process exit and waiting for exec fifo
2019-12-26 10:41:07 -05:00
Jordan Liggitt 8541d9cf3d Fix race checking for process exit and waiting for exec fifo
Signed-off-by: Jordan Liggitt <liggitt@google.com>
2019-12-18 18:48:18 +00:00
Jordan Liggitt 52951a7c19 Fix race in tty integration test with slow startup
Signed-off-by: Jordan Liggitt <liggitt@google.com>
2019-12-18 16:54:54 +00:00
Julio Montes 8ddd892072 libcontainer: add method to get cgroup config from cgroup Manager
`configs.Cgroup` contains the configuration used to create cgroups. This
configuration must be saved to disk, since it's required to restore the
cgroup manager that was used to create the cgroups.
Add method to get cgroup configuration from cgroup Manager to allow API users
save it to disk and restore a cgroup manager later.

fixes #2176

Signed-off-by: Julio Montes <julio.montes@intel.com>
2019-12-17 22:46:03 +00:00
Julio Montes cd7c59d042 libcontainer: export createCgroupConfig
A `config.Cgroups` object is required to manipulate cgroups v1 and v2 using
libcontainer.
Export `createCgroupConfig` to allow API users to create `config.Cgroups`
objects using directly libcontainer API.

Signed-off-by: Julio Montes <julio.montes@intel.com>
2019-12-17 22:46:03 +00:00
Aleksa Sarai 7496a96825
merge branch 'pr-2086'
* Kurnia D Win (1):
  fix permission denied

LGTMs: @crosbymichael @cyphar
Closes #2086
2019-12-17 20:49:52 +11:00
Aleksa Sarai 201b063745
merge branch 'pr-2141'
Radostin Stoyanov (1):
  criu: Ensure other users cannot read c/r files

LGTMs: @crosbymichael @cyphar
Closes #2141
2019-12-07 09:32:58 +11:00
Michael Crosby e1b5af0652
Merge pull request #2161 from AkihiroSuda/makefile-overrride-docker
Makefile: allow overriding `docker` command
2019-12-06 10:42:24 -05:00
Akihiro Suda ec49f98d72 fs2: support legacy device spec (to pass CI)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-12-06 15:53:07 +09:00
Akihiro Suda 88e8350de2 cgroup2: split fs2 from fs
split fs2 package from fs, as mixing up fs and fs2 is very likely to result in
unmaintainable code.

Inspired by containerd/cgroups#109

Fix #2157

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-12-06 15:42:10 +09:00
Aleksa Sarai 5e63695384
merge branch 'pr-2174'
Sascha Grunert (1):
  Expose network interfaces via runc events

LGTMs: @cyphar @mrunalp
Closes #2174
2019-12-06 13:07:44 +11:00
Michael Crosby 8bb10af481
Merge pull request #2165 from AkihiroSuda/travis-f31
.travis.yml: add Fedora 31 vagrant box (for cgroup2)
2019-12-05 16:26:51 -05:00
Sascha Grunert 41a20b5852
Expose network interfaces via runc events
The libcontainer network statistics are unreachable without manually
creating a libcontainer instance. To retrieve them via the CLI interface
of runc, we now expose them as well.

Signed-off-by: Sascha Grunert <sgrunert@suse.com>
2019-12-05 13:20:51 +01:00
Akihiro Suda 48b055c40a Makefile: allow overriding `docker` command
e.g. `make CONTAINER_ENGINE="sudo podman" unittest` (for ease of cgroup2 testing)

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-12-03 23:59:14 +09:00
Aleksa Sarai c35c2c9cec
merge branch 'pr-2172'
Sascha Grunert (1):
  Make event types public

LGTMs: @crosbymichael @cyphar
Closes #2172
2019-12-03 02:10:37 +11:00