1
0
mirror of https://github.com/containers/youki synced 2024-11-23 01:11:58 +01:00

Squashed commit of the following: (#2728)

commit f0a6b388e7f132648157ca2712e20a1ee93f265a
Author: yihuaf <yihuaf@unkies.org>
Date:   Sun May 19 21:16:21 2024 -0700

    Fix the explicit close

    Signed-off-by: yihuaf <yihuaf@unkies.org>

commit 5e23878453a59e042dd70b07ee57e535d95fb3e8
Author: yihuaf <yihuaf@unkies.org>
Date:   Thu May 16 21:31:09 2024 -0700

    Rebase to the latest main branch

    Signed-off-by: yihuaf <yihuaf@unkies.org>

commit 3144355967e4ba0f3e7ed8aff92945a4b1aaf66d
Author: omprakaash <omsuseela@gmail.com>
Date:   Sat Mar 16 03:28:40 2024 +0000

    Update nix to 0.28.0

    Signed-off-by: omprakaash <omsuseela@gmail.com>
    Signed-off-by: om prakaash <omsuseela@gmail.com>

Signed-off-by: yihuaf <yihuaf@unkies.org>
Co-authored-by: yihuaf <yihuaf@unkies.org>
Co-authored-by: Toru Komatsu <k0ma@utam0k.jp>
This commit is contained in:
Om Prakaash 2024-05-23 17:59:37 +05:30 committed by GitHub
parent 4962a5ba25
commit a35d20fa08
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
15 changed files with 46 additions and 38 deletions

12
Cargo.lock generated

@ -533,7 +533,7 @@ dependencies = [
"flate2",
"libcgroups",
"libcontainer",
"nix 0.27.1",
"nix 0.28.0",
"num_cpus",
"oci-spec",
"once_cell",
@ -1938,7 +1938,7 @@ dependencies = [
"libbpf-sys",
"libc",
"mockall",
"nix 0.27.1",
"nix 0.28.0",
"oci-spec",
"procfs",
"quickcheck",
@ -1965,7 +1965,7 @@ dependencies = [
"libcgroups",
"libseccomp",
"nc",
"nix 0.27.1",
"nix 0.28.0",
"oci-spec",
"once_cell",
"prctl",
@ -2257,7 +2257,6 @@ dependencies = [
"bitflags 2.5.0",
"cfg-if",
"libc",
"memoffset 0.9.1",
]
[[package]]
@ -2270,6 +2269,7 @@ dependencies = [
"cfg-if",
"cfg_aliases",
"libc",
"memoffset 0.9.1",
]
[[package]]
@ -3153,7 +3153,7 @@ dependencies = [
"anyhow",
"libc",
"nc",
"nix 0.27.1",
"nix 0.28.0",
"oci-spec",
]
@ -5712,7 +5712,7 @@ dependencies = [
"libcgroups",
"libcontainer",
"liboci-cli",
"nix 0.27.1",
"nix 0.28.0",
"once_cell",
"pentacle",
"procfs",

@ -20,7 +20,7 @@ systemd = ["v2", "nix/socket", "nix/uio"]
cgroupsv2_devices = ["rbpf", "libbpf-sys", "errno", "libc", "nix/dir"]
[dependencies]
nix = { version = "0.27.1", features = ["signal", "user", "fs"] }
nix = { version = "0.28.0", features = ["signal", "user", "fs"] }
procfs = "0.16.0"
oci-spec = { version = "~0.6.4", features = ["runtime"] }
fixedbitset = "0.5.7"

@ -331,7 +331,7 @@ impl Memory {
Err(e) => {
// we need to look into the raw OS error for an EBUSY status
match e.inner().raw_os_error() {
Some(code) => match Errno::from_i32(code) {
Some(code) => match Errno::from_raw(code) {
Errno::EBUSY => {
let usage = Self::get_memory_usage(cgroup_root)?;
let max_usage = Self::get_memory_max_usage(cgroup_root)?;

@ -29,7 +29,7 @@ chrono = { version = "0.4", default-features = false, features = [
fastrand = "^2.1.0"
futures = { version = "0.3", features = ["thread-pool"] }
libc = "0.2.155"
nix = { version = "0.27.1", features = [
nix = { version = "0.28.0", features = [
"socket",
"sched",
"mount",

@ -133,7 +133,7 @@ impl ContainerBuilderImpl {
prctl::set_dumpable(false).map_err(|e| {
LibcontainerError::Other(format!(
"error in setting dumpable to false : {}",
nix::errno::from_i32(e)
nix::errno::Errno::from_raw(e)
))
})?;
}

@ -3,6 +3,7 @@ use std::convert::TryFrom;
use std::ffi::{OsStr, OsString};
use std::fs;
use std::io::BufReader;
use std::os::fd::AsRawFd;
use std::os::unix::prelude::RawFd;
use std::path::{Path, PathBuf};
use std::rc::Rc;
@ -10,7 +11,7 @@ use std::str::FromStr;
use caps::Capability;
use nix::fcntl::OFlag;
use nix::unistd::{close, pipe2, read, Pid};
use nix::unistd::{pipe2, read, Pid};
use oci_spec::runtime::{
Capabilities as SpecCapabilities, Capability as SpecCapability, LinuxBuilder,
LinuxCapabilities, LinuxCapabilitiesBuilder, LinuxNamespace, LinuxNamespaceBuilder,
@ -126,7 +127,7 @@ impl TenantContainerBuilder {
let mut builder_impl = ContainerBuilderImpl {
container_type: ContainerType::TenantContainer {
exec_notify_fd: write_end,
exec_notify_fd: write_end.as_raw_fd(),
},
syscall: self.base.syscall,
container_id: self.base.container_id,
@ -148,13 +149,19 @@ impl TenantContainerBuilder {
let mut notify_socket = NotifySocket::new(notify_path);
notify_socket.notify_container_start()?;
close(write_end).map_err(LibcontainerError::OtherSyscall)?;
// Explicitly close the write end of the pipe here to notify the
// `read_end` that the init process is able to move forward. Closing one
// end of the pipe will immediately signal the other end of the pipe,
// which we use in the init thread as a form of barrier. `drop` is used
// here becuase `OwnedFd` supports it, so we don't have to use `close`
// here with `RawFd`.
drop(write_end);
let mut err_str_buf = Vec::new();
loop {
let mut buf = [0; 3];
match read(read_end, &mut buf).map_err(LibcontainerError::OtherSyscall)? {
match read(read_end.as_raw_fd(), &mut buf).map_err(LibcontainerError::OtherSyscall)? {
0 => {
if err_str_buf.is_empty() {
return Ok(pid);

@ -1,3 +1,5 @@
use std::os::fd::FromRawFd;
use libcgroups::common::CgroupManager;
use nix::unistd::{close, write, Gid, Pid, Uid};
use oci_spec::runtime::{LinuxNamespace, LinuxNamespaceType, LinuxResources};
@ -130,12 +132,15 @@ pub fn container_intermediate_process(
}
if let ContainerType::TenantContainer { exec_notify_fd } = args.container_type {
let buf = format!("{e}");
if let Err(err) = write(exec_notify_fd, buf.as_bytes()) {
let exec_notify_fd =
unsafe { std::os::fd::OwnedFd::from_raw_fd(exec_notify_fd) };
if let Err(err) = write(&exec_notify_fd, buf.as_bytes()) {
tracing::error!(?err, "failed to write to exec notify fd");
}
if let Err(err) = close(exec_notify_fd) {
tracing::error!(?err, "failed to close exec notify fd");
}
// After sending the error through the exec_notify_fd,
// we need to explicitly close the pipe.
drop(exec_notify_fd);
}
-1
}
@ -206,7 +211,7 @@ fn setup_userns(
prctl::set_dumpable(true).map_err(|e| {
IntermediateProcessError::Other(format!(
"error in setting dumpable to true : {}",
nix::errno::from_i32(e)
nix::errno::Errno::from_raw(e)
))
})?;
sender.identifier_mapping_request().map_err(|err| {
@ -220,7 +225,7 @@ fn setup_userns(
prctl::set_dumpable(false).map_err(|e| {
IntermediateProcessError::Other(format!(
"error in setting dumplable to false : {}",
nix::errno::from_i32(e)
nix::errno::Errno::from_raw(e)
))
})?;
Ok(())

@ -1,5 +1,4 @@
use std::ffi::c_int;
use std::fs::File;
use std::num::NonZeroUsize;
use libc::SIGCHLD;
@ -164,15 +163,11 @@ fn clone(cb: CloneCb, flags: u64, exit_signal: Option<u64>) -> Result<Pid, Clone
// do not use MAP_GROWSDOWN since it is not well supported.
// Ref: https://man7.org/linux/man-pages/man2/mmap.2.html
let child_stack = unsafe {
// Since nix = "0.27.1", `mmap()` requires a generic type `F: AsFd`.
// `::<File>` doesn't have any meaning because we won't use it.
mman::mmap::<File>(
mman::mmap_anonymous(
None,
NonZeroUsize::new(default_stack_size).ok_or(CloneError::ZeroStackSize)?,
mman::ProtFlags::PROT_READ | mman::ProtFlags::PROT_WRITE,
mman::MapFlags::MAP_PRIVATE | mman::MapFlags::MAP_ANONYMOUS | mman::MapFlags::MAP_STACK,
None,
0,
mman::MapFlags::MAP_PRIVATE | mman::MapFlags::MAP_STACK,
)
.map_err(CloneError::StackAllocation)?
};
@ -187,7 +182,7 @@ fn clone(cb: CloneCb, flags: u64, exit_signal: Option<u64>) -> Result<Pid, Clone
// Since the child stack for clone grows downward, we need to pass in
// the top of the stack address.
let child_stack_top = unsafe { child_stack.add(default_stack_size) };
let child_stack_top = unsafe { child_stack.as_ptr().add(default_stack_size) };
// Combine the clone flags with exit signals.
let combined_flags = (flags | exit_signal.unwrap_or(0)) as c_int;

@ -329,7 +329,7 @@ mod tests {
}
if let Some(errno) = ret.err() {
if errno != nix::errno::from_i32(expect_error) {
if errno != nix::errno::Errno::from_raw(expect_error) {
Err(TestCallbackError::Custom(format!(
"getcwd failed but we didn't get the expected error from seccomp profile: {}",
errno

@ -314,7 +314,7 @@ impl Syscall for LinuxSyscall {
fn set_id(&self, uid: Uid, gid: Gid) -> Result<()> {
prctl::set_keep_capabilities(true).map_err(|errno| {
tracing::error!(?errno, "failed to set keep capabilities to true");
nix::errno::from_i32(errno)
nix::errno::Errno::from_raw(errno)
})?;
// args : real *id, effective *id, saved set *id respectively
@ -350,7 +350,7 @@ impl Syscall for LinuxSyscall {
}
prctl::set_keep_capabilities(false).map_err(|errno| {
tracing::error!(?errno, "failed to set keep capabilities to false");
nix::errno::from_i32(errno)
nix::errno::Errno::from_raw(errno)
})?;
Ok(())
}

@ -32,7 +32,7 @@ chrono = { version = "0.4", default-features = false, features = ["clock", "serd
libcgroups = { path = "../libcgroups", default-features = false, version = "0.3.3" } # MARK: Version
libcontainer = { path = "../libcontainer", default-features = false, version = "0.3.3" } # MARK: Version
liboci-cli = { path = "../liboci-cli", version = "0.3.3" } # MARK: Version
nix = "0.27.1"
nix = "0.28.0"
once_cell = "1.19.0"
pentacle = "1.0.0"
procfs = "0.16.0"

@ -9,7 +9,7 @@ chrono = { version = "0.4", default-features = false, features = ["clock"] }
flate2 = "1.0"
libcgroups = { path = "../../../crates/libcgroups" }
libcontainer = { path = "../../../crates/libcontainer" }
nix = "0.27.1"
nix = "0.28.0"
num_cpus = "1.16"
oci-spec = { version = "0.6.4", features = ["runtime"] }
once_cell = "1.19.0"

@ -5,7 +5,7 @@ use std::path::Path;
use anyhow::{bail, Context, Result};
use libcontainer::container::ContainerProcessState;
use nix::sys::socket::{self, UnixAddr};
use nix::sys::socket::{self, Backlog, UnixAddr};
use nix::unistd;
const DEFAULT_BUFFER_SIZE: usize = 4096;
@ -30,7 +30,8 @@ pub fn recv_seccomp_listener(seccomp_listener: &Path) -> SeccompAgentResult {
socket::bind(socket.as_raw_fd(), &addr).context("failed to bind to seccomp listener socket")?;
// Force the backlog to be 1 so in the case of an error, only one connection
// from clients will be waiting.
socket::listen(&socket.as_fd(), 1).context("failed to listen on seccomp listener")?;
socket::listen(&socket.as_fd(), Backlog::new(1)?)
.context("failed to listen on seccomp listener")?;
let conn = match socket::accept(socket.as_raw_fd()) {
Ok(conn) => conn,
Err(e) => {

@ -5,7 +5,7 @@ edition = "2021"
[dependencies]
oci-spec = { version = "0.6.4", features = ["runtime"] }
nix = "0.27.1"
nix = "0.28.0"
anyhow = "1.0"
libc = "0.2.155" # TODO (YJDoc2) upgrade to latest
nc = "0.8.20"

@ -38,7 +38,7 @@ pub fn validate_readonly_paths(spec: &Spec) {
// change manual matching of i32 to e.kind() and match statement
for path in ro_paths {
if let std::io::Result::Err(e) = test_read_access(path) {
let errno = Errno::from_i32(e.raw_os_error().unwrap());
let errno = Errno::from_raw(e.raw_os_error().unwrap());
// In the integration tests we test for both existing and non-existing readonly paths
// to be specified in the spec, so we allow ENOENT here
if errno == Errno::ENOENT {
@ -54,7 +54,7 @@ pub fn validate_readonly_paths(spec: &Spec) {
}
if let std::io::Result::Err(e) = test_write_access(path) {
let errno = Errno::from_i32(e.raw_os_error().unwrap());
let errno = Errno::from_raw(e.raw_os_error().unwrap());
// In the integration tests we test for both existing and non-existing readonly paths
// being specified in the spec, so we allow ENOENT, and we expect EROFS as the paths
// should be read-only