mirror of
https://github.com/containers/youki
synced 2024-11-23 01:11:58 +01:00
Squashed commit of the following: (#2728)
commit f0a6b388e7f132648157ca2712e20a1ee93f265a Author: yihuaf <yihuaf@unkies.org> Date: Sun May 19 21:16:21 2024 -0700 Fix the explicit close Signed-off-by: yihuaf <yihuaf@unkies.org> commit 5e23878453a59e042dd70b07ee57e535d95fb3e8 Author: yihuaf <yihuaf@unkies.org> Date: Thu May 16 21:31:09 2024 -0700 Rebase to the latest main branch Signed-off-by: yihuaf <yihuaf@unkies.org> commit 3144355967e4ba0f3e7ed8aff92945a4b1aaf66d Author: omprakaash <omsuseela@gmail.com> Date: Sat Mar 16 03:28:40 2024 +0000 Update nix to 0.28.0 Signed-off-by: omprakaash <omsuseela@gmail.com> Signed-off-by: om prakaash <omsuseela@gmail.com> Signed-off-by: yihuaf <yihuaf@unkies.org> Co-authored-by: yihuaf <yihuaf@unkies.org> Co-authored-by: Toru Komatsu <k0ma@utam0k.jp>
This commit is contained in:
parent
4962a5ba25
commit
a35d20fa08
12
Cargo.lock
generated
12
Cargo.lock
generated
@ -533,7 +533,7 @@ dependencies = [
|
||||
"flate2",
|
||||
"libcgroups",
|
||||
"libcontainer",
|
||||
"nix 0.27.1",
|
||||
"nix 0.28.0",
|
||||
"num_cpus",
|
||||
"oci-spec",
|
||||
"once_cell",
|
||||
@ -1938,7 +1938,7 @@ dependencies = [
|
||||
"libbpf-sys",
|
||||
"libc",
|
||||
"mockall",
|
||||
"nix 0.27.1",
|
||||
"nix 0.28.0",
|
||||
"oci-spec",
|
||||
"procfs",
|
||||
"quickcheck",
|
||||
@ -1965,7 +1965,7 @@ dependencies = [
|
||||
"libcgroups",
|
||||
"libseccomp",
|
||||
"nc",
|
||||
"nix 0.27.1",
|
||||
"nix 0.28.0",
|
||||
"oci-spec",
|
||||
"once_cell",
|
||||
"prctl",
|
||||
@ -2257,7 +2257,6 @@ dependencies = [
|
||||
"bitflags 2.5.0",
|
||||
"cfg-if",
|
||||
"libc",
|
||||
"memoffset 0.9.1",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
@ -2270,6 +2269,7 @@ dependencies = [
|
||||
"cfg-if",
|
||||
"cfg_aliases",
|
||||
"libc",
|
||||
"memoffset 0.9.1",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
@ -3153,7 +3153,7 @@ dependencies = [
|
||||
"anyhow",
|
||||
"libc",
|
||||
"nc",
|
||||
"nix 0.27.1",
|
||||
"nix 0.28.0",
|
||||
"oci-spec",
|
||||
]
|
||||
|
||||
@ -5712,7 +5712,7 @@ dependencies = [
|
||||
"libcgroups",
|
||||
"libcontainer",
|
||||
"liboci-cli",
|
||||
"nix 0.27.1",
|
||||
"nix 0.28.0",
|
||||
"once_cell",
|
||||
"pentacle",
|
||||
"procfs",
|
||||
|
@ -20,7 +20,7 @@ systemd = ["v2", "nix/socket", "nix/uio"]
|
||||
cgroupsv2_devices = ["rbpf", "libbpf-sys", "errno", "libc", "nix/dir"]
|
||||
|
||||
[dependencies]
|
||||
nix = { version = "0.27.1", features = ["signal", "user", "fs"] }
|
||||
nix = { version = "0.28.0", features = ["signal", "user", "fs"] }
|
||||
procfs = "0.16.0"
|
||||
oci-spec = { version = "~0.6.4", features = ["runtime"] }
|
||||
fixedbitset = "0.5.7"
|
||||
|
@ -331,7 +331,7 @@ impl Memory {
|
||||
Err(e) => {
|
||||
// we need to look into the raw OS error for an EBUSY status
|
||||
match e.inner().raw_os_error() {
|
||||
Some(code) => match Errno::from_i32(code) {
|
||||
Some(code) => match Errno::from_raw(code) {
|
||||
Errno::EBUSY => {
|
||||
let usage = Self::get_memory_usage(cgroup_root)?;
|
||||
let max_usage = Self::get_memory_max_usage(cgroup_root)?;
|
||||
|
@ -29,7 +29,7 @@ chrono = { version = "0.4", default-features = false, features = [
|
||||
fastrand = "^2.1.0"
|
||||
futures = { version = "0.3", features = ["thread-pool"] }
|
||||
libc = "0.2.155"
|
||||
nix = { version = "0.27.1", features = [
|
||||
nix = { version = "0.28.0", features = [
|
||||
"socket",
|
||||
"sched",
|
||||
"mount",
|
||||
|
@ -133,7 +133,7 @@ impl ContainerBuilderImpl {
|
||||
prctl::set_dumpable(false).map_err(|e| {
|
||||
LibcontainerError::Other(format!(
|
||||
"error in setting dumpable to false : {}",
|
||||
nix::errno::from_i32(e)
|
||||
nix::errno::Errno::from_raw(e)
|
||||
))
|
||||
})?;
|
||||
}
|
||||
|
@ -3,6 +3,7 @@ use std::convert::TryFrom;
|
||||
use std::ffi::{OsStr, OsString};
|
||||
use std::fs;
|
||||
use std::io::BufReader;
|
||||
use std::os::fd::AsRawFd;
|
||||
use std::os::unix::prelude::RawFd;
|
||||
use std::path::{Path, PathBuf};
|
||||
use std::rc::Rc;
|
||||
@ -10,7 +11,7 @@ use std::str::FromStr;
|
||||
|
||||
use caps::Capability;
|
||||
use nix::fcntl::OFlag;
|
||||
use nix::unistd::{close, pipe2, read, Pid};
|
||||
use nix::unistd::{pipe2, read, Pid};
|
||||
use oci_spec::runtime::{
|
||||
Capabilities as SpecCapabilities, Capability as SpecCapability, LinuxBuilder,
|
||||
LinuxCapabilities, LinuxCapabilitiesBuilder, LinuxNamespace, LinuxNamespaceBuilder,
|
||||
@ -126,7 +127,7 @@ impl TenantContainerBuilder {
|
||||
|
||||
let mut builder_impl = ContainerBuilderImpl {
|
||||
container_type: ContainerType::TenantContainer {
|
||||
exec_notify_fd: write_end,
|
||||
exec_notify_fd: write_end.as_raw_fd(),
|
||||
},
|
||||
syscall: self.base.syscall,
|
||||
container_id: self.base.container_id,
|
||||
@ -148,13 +149,19 @@ impl TenantContainerBuilder {
|
||||
let mut notify_socket = NotifySocket::new(notify_path);
|
||||
notify_socket.notify_container_start()?;
|
||||
|
||||
close(write_end).map_err(LibcontainerError::OtherSyscall)?;
|
||||
// Explicitly close the write end of the pipe here to notify the
|
||||
// `read_end` that the init process is able to move forward. Closing one
|
||||
// end of the pipe will immediately signal the other end of the pipe,
|
||||
// which we use in the init thread as a form of barrier. `drop` is used
|
||||
// here becuase `OwnedFd` supports it, so we don't have to use `close`
|
||||
// here with `RawFd`.
|
||||
drop(write_end);
|
||||
|
||||
let mut err_str_buf = Vec::new();
|
||||
|
||||
loop {
|
||||
let mut buf = [0; 3];
|
||||
match read(read_end, &mut buf).map_err(LibcontainerError::OtherSyscall)? {
|
||||
match read(read_end.as_raw_fd(), &mut buf).map_err(LibcontainerError::OtherSyscall)? {
|
||||
0 => {
|
||||
if err_str_buf.is_empty() {
|
||||
return Ok(pid);
|
||||
|
@ -1,3 +1,5 @@
|
||||
use std::os::fd::FromRawFd;
|
||||
|
||||
use libcgroups::common::CgroupManager;
|
||||
use nix::unistd::{close, write, Gid, Pid, Uid};
|
||||
use oci_spec::runtime::{LinuxNamespace, LinuxNamespaceType, LinuxResources};
|
||||
@ -130,12 +132,15 @@ pub fn container_intermediate_process(
|
||||
}
|
||||
if let ContainerType::TenantContainer { exec_notify_fd } = args.container_type {
|
||||
let buf = format!("{e}");
|
||||
if let Err(err) = write(exec_notify_fd, buf.as_bytes()) {
|
||||
let exec_notify_fd =
|
||||
unsafe { std::os::fd::OwnedFd::from_raw_fd(exec_notify_fd) };
|
||||
if let Err(err) = write(&exec_notify_fd, buf.as_bytes()) {
|
||||
tracing::error!(?err, "failed to write to exec notify fd");
|
||||
}
|
||||
if let Err(err) = close(exec_notify_fd) {
|
||||
tracing::error!(?err, "failed to close exec notify fd");
|
||||
}
|
||||
|
||||
// After sending the error through the exec_notify_fd,
|
||||
// we need to explicitly close the pipe.
|
||||
drop(exec_notify_fd);
|
||||
}
|
||||
-1
|
||||
}
|
||||
@ -206,7 +211,7 @@ fn setup_userns(
|
||||
prctl::set_dumpable(true).map_err(|e| {
|
||||
IntermediateProcessError::Other(format!(
|
||||
"error in setting dumpable to true : {}",
|
||||
nix::errno::from_i32(e)
|
||||
nix::errno::Errno::from_raw(e)
|
||||
))
|
||||
})?;
|
||||
sender.identifier_mapping_request().map_err(|err| {
|
||||
@ -220,7 +225,7 @@ fn setup_userns(
|
||||
prctl::set_dumpable(false).map_err(|e| {
|
||||
IntermediateProcessError::Other(format!(
|
||||
"error in setting dumplable to false : {}",
|
||||
nix::errno::from_i32(e)
|
||||
nix::errno::Errno::from_raw(e)
|
||||
))
|
||||
})?;
|
||||
Ok(())
|
||||
|
@ -1,5 +1,4 @@
|
||||
use std::ffi::c_int;
|
||||
use std::fs::File;
|
||||
use std::num::NonZeroUsize;
|
||||
|
||||
use libc::SIGCHLD;
|
||||
@ -164,15 +163,11 @@ fn clone(cb: CloneCb, flags: u64, exit_signal: Option<u64>) -> Result<Pid, Clone
|
||||
// do not use MAP_GROWSDOWN since it is not well supported.
|
||||
// Ref: https://man7.org/linux/man-pages/man2/mmap.2.html
|
||||
let child_stack = unsafe {
|
||||
// Since nix = "0.27.1", `mmap()` requires a generic type `F: AsFd`.
|
||||
// `::<File>` doesn't have any meaning because we won't use it.
|
||||
mman::mmap::<File>(
|
||||
mman::mmap_anonymous(
|
||||
None,
|
||||
NonZeroUsize::new(default_stack_size).ok_or(CloneError::ZeroStackSize)?,
|
||||
mman::ProtFlags::PROT_READ | mman::ProtFlags::PROT_WRITE,
|
||||
mman::MapFlags::MAP_PRIVATE | mman::MapFlags::MAP_ANONYMOUS | mman::MapFlags::MAP_STACK,
|
||||
None,
|
||||
0,
|
||||
mman::MapFlags::MAP_PRIVATE | mman::MapFlags::MAP_STACK,
|
||||
)
|
||||
.map_err(CloneError::StackAllocation)?
|
||||
};
|
||||
@ -187,7 +182,7 @@ fn clone(cb: CloneCb, flags: u64, exit_signal: Option<u64>) -> Result<Pid, Clone
|
||||
|
||||
// Since the child stack for clone grows downward, we need to pass in
|
||||
// the top of the stack address.
|
||||
let child_stack_top = unsafe { child_stack.add(default_stack_size) };
|
||||
let child_stack_top = unsafe { child_stack.as_ptr().add(default_stack_size) };
|
||||
|
||||
// Combine the clone flags with exit signals.
|
||||
let combined_flags = (flags | exit_signal.unwrap_or(0)) as c_int;
|
||||
|
@ -329,7 +329,7 @@ mod tests {
|
||||
}
|
||||
|
||||
if let Some(errno) = ret.err() {
|
||||
if errno != nix::errno::from_i32(expect_error) {
|
||||
if errno != nix::errno::Errno::from_raw(expect_error) {
|
||||
Err(TestCallbackError::Custom(format!(
|
||||
"getcwd failed but we didn't get the expected error from seccomp profile: {}",
|
||||
errno
|
||||
|
@ -314,7 +314,7 @@ impl Syscall for LinuxSyscall {
|
||||
fn set_id(&self, uid: Uid, gid: Gid) -> Result<()> {
|
||||
prctl::set_keep_capabilities(true).map_err(|errno| {
|
||||
tracing::error!(?errno, "failed to set keep capabilities to true");
|
||||
nix::errno::from_i32(errno)
|
||||
nix::errno::Errno::from_raw(errno)
|
||||
})?;
|
||||
// args : real *id, effective *id, saved set *id respectively
|
||||
|
||||
@ -350,7 +350,7 @@ impl Syscall for LinuxSyscall {
|
||||
}
|
||||
prctl::set_keep_capabilities(false).map_err(|errno| {
|
||||
tracing::error!(?errno, "failed to set keep capabilities to false");
|
||||
nix::errno::from_i32(errno)
|
||||
nix::errno::Errno::from_raw(errno)
|
||||
})?;
|
||||
Ok(())
|
||||
}
|
||||
|
@ -32,7 +32,7 @@ chrono = { version = "0.4", default-features = false, features = ["clock", "serd
|
||||
libcgroups = { path = "../libcgroups", default-features = false, version = "0.3.3" } # MARK: Version
|
||||
libcontainer = { path = "../libcontainer", default-features = false, version = "0.3.3" } # MARK: Version
|
||||
liboci-cli = { path = "../liboci-cli", version = "0.3.3" } # MARK: Version
|
||||
nix = "0.27.1"
|
||||
nix = "0.28.0"
|
||||
once_cell = "1.19.0"
|
||||
pentacle = "1.0.0"
|
||||
procfs = "0.16.0"
|
||||
|
@ -9,7 +9,7 @@ chrono = { version = "0.4", default-features = false, features = ["clock"] }
|
||||
flate2 = "1.0"
|
||||
libcgroups = { path = "../../../crates/libcgroups" }
|
||||
libcontainer = { path = "../../../crates/libcontainer" }
|
||||
nix = "0.27.1"
|
||||
nix = "0.28.0"
|
||||
num_cpus = "1.16"
|
||||
oci-spec = { version = "0.6.4", features = ["runtime"] }
|
||||
once_cell = "1.19.0"
|
||||
|
@ -5,7 +5,7 @@ use std::path::Path;
|
||||
|
||||
use anyhow::{bail, Context, Result};
|
||||
use libcontainer::container::ContainerProcessState;
|
||||
use nix::sys::socket::{self, UnixAddr};
|
||||
use nix::sys::socket::{self, Backlog, UnixAddr};
|
||||
use nix::unistd;
|
||||
|
||||
const DEFAULT_BUFFER_SIZE: usize = 4096;
|
||||
@ -30,7 +30,8 @@ pub fn recv_seccomp_listener(seccomp_listener: &Path) -> SeccompAgentResult {
|
||||
socket::bind(socket.as_raw_fd(), &addr).context("failed to bind to seccomp listener socket")?;
|
||||
// Force the backlog to be 1 so in the case of an error, only one connection
|
||||
// from clients will be waiting.
|
||||
socket::listen(&socket.as_fd(), 1).context("failed to listen on seccomp listener")?;
|
||||
socket::listen(&socket.as_fd(), Backlog::new(1)?)
|
||||
.context("failed to listen on seccomp listener")?;
|
||||
let conn = match socket::accept(socket.as_raw_fd()) {
|
||||
Ok(conn) => conn,
|
||||
Err(e) => {
|
||||
|
@ -5,7 +5,7 @@ edition = "2021"
|
||||
|
||||
[dependencies]
|
||||
oci-spec = { version = "0.6.4", features = ["runtime"] }
|
||||
nix = "0.27.1"
|
||||
nix = "0.28.0"
|
||||
anyhow = "1.0"
|
||||
libc = "0.2.155" # TODO (YJDoc2) upgrade to latest
|
||||
nc = "0.8.20"
|
||||
|
@ -38,7 +38,7 @@ pub fn validate_readonly_paths(spec: &Spec) {
|
||||
// change manual matching of i32 to e.kind() and match statement
|
||||
for path in ro_paths {
|
||||
if let std::io::Result::Err(e) = test_read_access(path) {
|
||||
let errno = Errno::from_i32(e.raw_os_error().unwrap());
|
||||
let errno = Errno::from_raw(e.raw_os_error().unwrap());
|
||||
// In the integration tests we test for both existing and non-existing readonly paths
|
||||
// to be specified in the spec, so we allow ENOENT here
|
||||
if errno == Errno::ENOENT {
|
||||
@ -54,7 +54,7 @@ pub fn validate_readonly_paths(spec: &Spec) {
|
||||
}
|
||||
|
||||
if let std::io::Result::Err(e) = test_write_access(path) {
|
||||
let errno = Errno::from_i32(e.raw_os_error().unwrap());
|
||||
let errno = Errno::from_raw(e.raw_os_error().unwrap());
|
||||
// In the integration tests we test for both existing and non-existing readonly paths
|
||||
// being specified in the spec, so we allow ENOENT, and we expect EROFS as the paths
|
||||
// should be read-only
|
||||
|
Loading…
Reference in New Issue
Block a user