mirror of https://github.com/containers/youki synced 2024-05-10 01:26:14 +02:00

fix conflicts.

utam0k 2021-09-12 17:37:14 +09:00
commit f754053e58
55 changed files with 576 additions and 491 deletions


@ -23,10 +23,11 @@ jobs:
./cgroups: cgroups/*
check:
needs: [changes]
if: ${{ !contains(needs.changes.outputs.dirs, '[]') }}
runs-on: ubuntu-latest
strategy:
matrix:
rust: [stable]
rust: [1.55.0, 1.54.0]
dirs: ${{ fromJSON(needs.changes.outputs.dirs) }}
steps:
- uses: actions/checkout@v2
@ -53,7 +54,7 @@ jobs:
runs-on: ubuntu-latest
strategy:
matrix:
rust: [1.54.0]
rust: [1.55.0, 1.54.0]
steps:
- uses: actions/checkout@v2
- uses: actions-rs/toolchain@v1
@ -121,7 +122,7 @@ jobs:
runs-on: ubuntu-latest
strategy:
matrix:
rust: [1.54.0]
rust: [1.55.0, 1.54.0]
steps:
- uses: actions/checkout@v2
with:

226
Cargo.lock generated

@ -28,9 +28,9 @@ dependencies = [
[[package]]
name = "anyhow"
version = "1.0.40"
version = "1.0.43"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "28b2cd92db5cbd74e8e5028f7e27dd7aa3090e89e4f2a197cc7c8dfb69c7063b"
checksum = "28ae2b3dec75a406790005a200b1bd89785afc02517a00ca99ecfe093ee9e6cf"
[[package]]
name = "ascii"
@ -86,9 +86,9 @@ dependencies = [
[[package]]
name = "cc"
version = "1.0.68"
version = "1.0.70"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4a72c244c1ff497a746a7e1fb3d14bd08420ecda70c8f25c7112f2781652d787"
checksum = "d26a6ce4b6a484fa3edb70f7efa6fc430fd2b87285fe8b84304fd0936faa0dc0"
[[package]]
name = "cfg-if"
@ -115,7 +115,7 @@ dependencies = [
"libc",
"log",
"nix",
"oci_spec",
"oci-spec",
"procfs",
"quickcheck",
"rbpf",
@ -233,19 +233,20 @@ dependencies = [
[[package]]
name = "dbus"
version = "0.9.2"
version = "0.9.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f597e08dfa79b593f23bbfc7840b23b2c5aa2e3a98d8e68b67b5b9ff800dc0db"
checksum = "c8862bb50aa3b2a2db5bfd2c875c73b3038aa931c411087e335ca8ca0ed430b9"
dependencies = [
"libc",
"libdbus-sys",
"winapi",
]
[[package]]
name = "env_logger"
version = "0.8.3"
version = "0.8.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "17392a012ea30ef05a610aa97dfb49496e71c9f676b27879922ea5bdf60d9d3f"
checksum = "a19187fea3ac7e84da7dacf48de0c45d63c6a76f9490dae389aead16c243fce3"
dependencies = [
"log",
"regex",
@ -287,18 +288,18 @@ dependencies = [
[[package]]
name = "fastrand"
version = "1.4.1"
version = "1.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "77b705829d1e87f762c2df6da140b26af5839e1033aa84aa5f56bb688e4e1bdb"
checksum = "b394ed3d285a429378d3b384b9eb1285267e7df4b166df24b7a6939a04dc392e"
dependencies = [
"instant",
]
[[package]]
name = "flate2"
version = "1.0.20"
version = "1.0.21"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "cd3aec53de10fe96d7d8c565eb17f2c687bb5518a2ec453b5b1252964526abe0"
checksum = "80edafed416a46fb378521624fab1cfa2eb514784fd8921adbe8a8d8321da811"
dependencies = [
"cfg-if 1.0.0",
"crc32fast",
@ -335,9 +336,9 @@ checksum = "7684cf33bb7f28497939e8c7cf17e3e4e3b8d9a0080ffa4f8ae2f515442ee855"
[[package]]
name = "futures"
version = "0.3.15"
version = "0.3.17"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0e7e43a803dae2fa37c1f6a8fe121e1f7bf9548b4dfc0522a42f34145dadfc27"
checksum = "a12aa0eb539080d55c3f2d45a67c3b58b6b0773c1a3ca2dfec66d58c97fd66ca"
dependencies = [
"futures-channel",
"futures-core",
@ -350,9 +351,9 @@ dependencies = [
[[package]]
name = "futures-channel"
version = "0.3.15"
version = "0.3.17"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e682a68b29a882df0545c143dc3646daefe80ba479bcdede94d5a703de2871e2"
checksum = "5da6ba8c3bb3c165d3c7319fc1cc8304facf1fb8db99c5de877183c08a273888"
dependencies = [
"futures-core",
"futures-sink",
@ -360,15 +361,15 @@ dependencies = [
[[package]]
name = "futures-core"
version = "0.3.15"
version = "0.3.17"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0402f765d8a89a26043b889b26ce3c4679d268fa6bb22cd7c6aad98340e179d1"
checksum = "88d1c26957f23603395cd326b0ffe64124b818f4449552f960d815cfba83a53d"
[[package]]
name = "futures-executor"
version = "0.3.15"
version = "0.3.17"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "badaa6a909fac9e7236d0620a2f57f7664640c56575b71a7552fbd68deafab79"
checksum = "45025be030969d763025784f7f355043dc6bc74093e4ecc5000ca4dc50d8745c"
dependencies = [
"futures-core",
"futures-task",
@ -378,15 +379,15 @@ dependencies = [
[[package]]
name = "futures-io"
version = "0.3.15"
version = "0.3.17"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "acc499defb3b348f8d8f3f66415835a9131856ff7714bf10dadfc4ec4bdb29a1"
checksum = "522de2a0fe3e380f1bc577ba0474108faf3f6b18321dbf60b3b9c39a75073377"
[[package]]
name = "futures-macro"
version = "0.3.15"
version = "0.3.17"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a4c40298486cdf52cc00cd6d6987892ba502c7656a16a4192a9992b1ccedd121"
checksum = "18e4a4b95cea4b4ccbcf1c5675ca7c4ee4e9e75eb79944d07defde18068f79bb"
dependencies = [
"autocfg",
"proc-macro-hack",
@ -397,21 +398,21 @@ dependencies = [
[[package]]
name = "futures-sink"
version = "0.3.15"
version = "0.3.17"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a57bead0ceff0d6dde8f465ecd96c9338121bb7717d3e7b108059531870c4282"
checksum = "36ea153c13024fe480590b3e3d4cad89a0cfacecc24577b68f86c6ced9c2bc11"
[[package]]
name = "futures-task"
version = "0.3.15"
version = "0.3.17"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8a16bef9fc1a4dddb5bee51c989e3fbba26569cbb0e31f5b303c184e3dd33dae"
checksum = "1d3d00f4eddb73e498a54394f228cd55853bdf059259e8e7bc6e69d408892e99"
[[package]]
name = "futures-util"
version = "0.3.15"
version = "0.3.17"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "feb5c238d27e2bf94ffdfd27b2c29e3df4a68c4193bb6427384259e2bf191967"
checksum = "36568465210a3a6ee45e1f165136d68671471a501e632e9a98d96872222b5481"
dependencies = [
"autocfg",
"futures-channel",
@ -447,9 +448,9 @@ dependencies = [
[[package]]
name = "hashbrown"
version = "0.9.1"
version = "0.11.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d7afe4a420e3fe79967a00898cc1f4db7c8a49a9333a29f8a4bd76a253d5cd04"
checksum = "ab5ef0d4909ef3724cc8cce6ccc8572c5c817592e9285f5464f8e86f8bd3726e"
[[package]]
name = "heck"
@ -462,9 +463,9 @@ dependencies = [
[[package]]
name = "hermit-abi"
version = "0.1.18"
version = "0.1.19"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "322f4de77956e22ed0e5032c359a0f1273f1f7f0d79bfa3b8ffbc730d7fbcc5c"
checksum = "62b467343b94ba476dcb2500d242dadbb39557df889310ac77c5d99100aaac33"
dependencies = [
"libc",
]
@ -483,9 +484,9 @@ checksum = "9a3a5bfb195931eeb336b2a7b4d761daec841b97f947d34394601737a7bba5e4"
[[package]]
name = "indexmap"
version = "1.6.2"
version = "1.7.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "824845a0bf897a9042383849b02c1bc219c2383772efcd5c6f9766fa4b81aef3"
checksum = "bc633605454125dec4b66843673f01c7df2b89479b32e0ed634e43a91cff62a5"
dependencies = [
"autocfg",
"hashbrown",
@ -493,18 +494,18 @@ dependencies = [
[[package]]
name = "instant"
version = "0.1.9"
version = "0.1.10"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "61124eeebbd69b8190558df225adf7e4caafce0d743919e5d6b19652314ec5ec"
checksum = "bee0328b1209d157ef001c94dd85b4f8f64139adb0eac2659f4b08382b2f474d"
dependencies = [
"cfg-if 1.0.0",
]
[[package]]
name = "itoa"
version = "0.4.7"
version = "0.4.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "dd25036021b0de88a0aff6b850051563c6516d0bf53f8638938edbb9de732736"
checksum = "b71991ff56294aa922b450139ee08b3bfc70982c6b2c7562771375cf73542dd4"
[[package]]
name = "lazy_static"
@ -524,9 +525,9 @@ dependencies = [
[[package]]
name = "libc"
version = "0.2.98"
version = "0.2.101"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "320cfe77175da3a483efed4bc0adc1968ca050b098ce4f2f1c13a56626128790"
checksum = "3cb00336871be5ed2c8ed44b60ae9959dc5b9f08539422ed43f09e34ecaeba21"
[[package]]
name = "libdbus-sys"
@ -550,9 +551,9 @@ dependencies = [
[[package]]
name = "lock_api"
version = "0.4.4"
version = "0.4.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0382880606dff6d15c9476c416d18690b72742aa7b605bb6dd6ec9030fbf07eb"
checksum = "712a4d093c9976e24e7dbca41db895dabcbac38eb5f4045393d17a95bdfb1109"
dependencies = [
"scopeguard",
]
@ -568,9 +569,9 @@ dependencies = [
[[package]]
name = "memchr"
version = "2.4.0"
version = "2.4.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b16bd47d9e329435e309c58469fe0791c2d0d1ba96ec0954152a5ae2b04387dc"
checksum = "308cc39be01b73d0d18f82a0e7b2a3df85245f84af96fdddc5d202d27e47b86a"
[[package]]
name = "memoffset"
@ -615,9 +616,9 @@ dependencies = [
[[package]]
name = "nix"
version = "0.22.0"
version = "0.22.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "cf1e25ee6b412c2a1e3fcb6a4499a5c1bfe7f43e014bdce9a6b6666e5aa2d187"
checksum = "e7555d6c7164cc913be1ce7f95cbecdabda61eb2ccd89008524af306fb7f5031"
dependencies = [
"bitflags",
"cc",
@ -665,24 +666,22 @@ dependencies = [
]
[[package]]
name = "oci_spec"
version = "0.1.0"
source = "git+https://github.com/containers/oci-spec-rs?rev=e0de21b89dc1e65f69a5f45a08bbe426787c7fa1#e0de21b89dc1e65f69a5f45a08bbe426787c7fa1"
name = "oci-spec"
version = "0.4.0"
source = "git+https://github.com/utam0k/oci-spec-rs/?tag=v0.4.0-with-bugfix#73540d3183136d0188b9c3a40f24b08295bbc92e"
dependencies = [
"anyhow",
"caps",
"nix",
"cfg-if 1.0.0",
"quickcheck",
"serde",
"serde_json",
"tempfile",
"thiserror",
]
[[package]]
name = "once_cell"
version = "1.7.2"
version = "1.8.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "af8b08b04175473088b46763e51ee54da5f9a164bc162f615b91bc179dbf15a3"
checksum = "692fcb63b64b1758029e0a96ee63e049ce8c5948587f2f7208df04625e5f6b56"
[[package]]
name = "os_str_bytes"
@ -692,9 +691,9 @@ checksum = "6acbef58a60fe69ab50510a55bc8cdd4d6cf2283d27ad338f54cb52747a9cf2d"
[[package]]
name = "parking_lot"
version = "0.11.1"
version = "0.11.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6d7744ac029df22dca6284efe4e898991d28e3085c706c972bcd7da4a27a15eb"
checksum = "7d17b78036a60663b797adeaee46f5c9dfebb86948d1255007a1d6be0271ff99"
dependencies = [
"instant",
"lock_api",
@ -703,9 +702,9 @@ dependencies = [
[[package]]
name = "parking_lot_core"
version = "0.8.3"
version = "0.8.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "fa7a782938e745763fe6907fc6ba86946d72f49fe7e21de074e08128a99fb018"
checksum = "d76e8e1493bcac0d2766c42737f34458f1c8c50c0d23bcb24ea953affb273216"
dependencies = [
"cfg-if 1.0.0",
"instant",
@ -717,9 +716,9 @@ dependencies = [
[[package]]
name = "pin-project-lite"
version = "0.2.6"
version = "0.2.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "dc0e1f259c92177c30a4c9d177246edd0a3568b25756a977d0632cf8fa37e905"
checksum = "8d31d11c69a6b52a174b42bdc0c30e5e11670f90788b2c471c31c1d17d449443"
[[package]]
name = "pin-utils"
@ -733,12 +732,6 @@ version = "0.3.19"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3831453b3449ceb48b6d9c7ad7c96d5ea673e9b470a1dc578c2ce6521230884c"
[[package]]
name = "ppv-lite86"
version = "0.2.10"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ac74c624d6b2d21f425f752262f42188365d7b8ff1aff74c82e45136510a4857"
[[package]]
name = "prctl"
version = "1.0.0"
@ -815,7 +808,7 @@ version = "1.0.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "588f6378e4dd99458b60ec275b4477add41ce4fa9f64dcba6f15adccb19b50d6"
dependencies = [
"env_logger 0.8.3",
"env_logger 0.8.4",
"log",
"rand",
]
@ -831,44 +824,22 @@ dependencies = [
[[package]]
name = "rand"
version = "0.8.3"
version = "0.8.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0ef9e7e66b4468674bfcb0c81af8b7fa0bb154fa9f28eb840da5c447baeb8d7e"
checksum = "2e7573632e6454cf6b99d7aac4ccca54be06da05aca2ef7423d22d27d4d4bcd8"
dependencies = [
"libc",
"rand_chacha",
"rand_core",
"rand_hc",
]
[[package]]
name = "rand_chacha"
version = "0.3.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88"
dependencies = [
"ppv-lite86",
"rand_core",
]
[[package]]
name = "rand_core"
version = "0.6.2"
version = "0.6.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "34cf66eb183df1c5876e2dcf6b13d57340741e8dc255b48e40a26de954d06ae7"
checksum = "d34f1408f55294453790c48b2f1ebbb1c5b4b7563eb1f418bcfcfdbb06ebb4e7"
dependencies = [
"getrandom",
]
[[package]]
name = "rand_hc"
version = "0.3.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d51e9f596de227fda2ea6c84607f5558e196eeaf43c986b724ba4fb8fdf497e7"
dependencies = [
"rand_core",
]
[[package]]
name = "rbpf"
version = "0.1.0"
@ -883,9 +854,9 @@ dependencies = [
[[package]]
name = "redox_syscall"
version = "0.2.9"
version = "0.2.10"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5ab49abadf3f9e1c4bc499e8845e152ad87d2ad2d30371841171169e9d75feee"
checksum = "8383f39639269cde97d255a32bdb68c047337295414940c68bdd30c2e13203ff"
dependencies = [
"bitflags",
]
@ -907,15 +878,6 @@ version = "0.6.25"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f497285884f3fcff424ffc933e56d7cbca511def0c9831a7f9b5f6153e3cc89b"
[[package]]
name = "remove_dir_all"
version = "0.5.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3acd125665422973a33ac9d3dd2df85edad0f4ae9b00dafb1a05e43a9f5ef8e7"
dependencies = [
"winapi",
]
[[package]]
name = "ryu"
version = "1.0.5"
@ -930,18 +892,18 @@ checksum = "d29ab0c6d3fc0ee92fe66e2d99f700eab17a8d57d1c1d3b748380fb20baa78cd"
[[package]]
name = "serde"
version = "1.0.126"
version = "1.0.130"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ec7505abeacaec74ae4778d9d9328fe5a5d04253220a85c4ee022239fc996d03"
checksum = "f12d06de37cf59146fbdecab66aa99f9fe4f78722e3607577a5375d66bd0c913"
dependencies = [
"serde_derive",
]
[[package]]
name = "serde_derive"
version = "1.0.126"
version = "1.0.130"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "963a7dbc9895aeac7ac90e74f34a5d5261828f79df35cbed41e10189d3804d43"
checksum = "d7bc1a1ab1961464eae040d96713baa5a724a8152c1222492465b54322ec508b"
dependencies = [
"proc-macro2",
"quote",
@ -950,9 +912,9 @@ dependencies = [
[[package]]
name = "serde_json"
version = "1.0.64"
version = "1.0.67"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "799e97dc9fdae36a5c8b8f2cae9ce2ee9fdce2058c57a93e6099d919fd982f79"
checksum = "a7f9e390c27c3c0ce8bc5d725f6e4d30a29d26659494aa4b17535f7522c5c950"
dependencies = [
"itoa",
"ryu",
@ -983,9 +945,9 @@ dependencies = [
[[package]]
name = "slab"
version = "0.4.3"
version = "0.4.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f173ac3d1a7e3b28003f40de0b5ce7fe2710f9b9dc3fc38664cebee46b3b6527"
checksum = "c307a32c1c5c437f38c7fd45d753050587732ba8628319fbdf12a7e289ccc590"
[[package]]
name = "smallvec"
@ -1007,9 +969,9 @@ checksum = "73473c0e59e6d5812c5dfe2a064a6444949f089e20eec9a2e5506596494e4623"
[[package]]
name = "syn"
version = "1.0.75"
version = "1.0.76"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b7f58f7e8eaa0009c5fec437aabf511bd9933e4b2d7407bd05273c01a8906ea7"
checksum = "c6f107db402c2c2055242dbf4d2af0e69197202e9faacbef9571bbe47f5a1b84"
dependencies = [
"proc-macro2",
"quote",
@ -1040,20 +1002,6 @@ dependencies = [
"unicode-width",
]
[[package]]
name = "tempfile"
version = "3.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "dac1c663cfc93810f88aed9b8941d48cabf856a1b111c29a40439018d870eb22"
dependencies = [
"cfg-if 1.0.0",
"libc",
"rand",
"redox_syscall",
"remove_dir_all",
"winapi",
]
[[package]]
name = "termcolor"
version = "1.1.2"
@ -1080,18 +1028,18 @@ checksum = "0066c8d12af8b5acd21e00547c3797fde4e8677254a7ee429176ccebbe93dd80"
[[package]]
name = "thiserror"
version = "1.0.25"
version = "1.0.29"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "fa6f76457f59514c7eeb4e59d891395fab0b2fd1d40723ae737d64153392e9c6"
checksum = "602eca064b2d83369e2b2f34b09c70b605402801927c65c11071ac911d299b88"
dependencies = [
"thiserror-impl",
]
[[package]]
name = "thiserror-impl"
version = "1.0.25"
version = "1.0.29"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8a36768c0fbf1bb15eca10defa29526bda730a2376c2ab4393ccfa16fb1a318d"
checksum = "bad553cc2c78e8de258400763a647e80e6d1b31ee237275d756f6836d204494c"
dependencies = [
"proc-macro2",
"quote",
@ -1110,9 +1058,9 @@ dependencies = [
[[package]]
name = "unicode-segmentation"
version = "1.7.1"
version = "1.8.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bb0d2e7be6ae3a5fa87eed5fb451aff96f2573d2694942e40543ae0bbe19c796"
checksum = "8895849a949e7845e06bd6dc1aa51731a103c42707010a5b591c0038fb73385b"
[[package]]
name = "unicode-width"
@ -1198,7 +1146,7 @@ dependencies = [
"log",
"mio",
"nix",
"oci_spec",
"oci-spec",
"once_cell",
"prctl",
"procfs",


@ -34,7 +34,7 @@ mio = { version = "0.7.13", features = ["os-ext", "os-poll"] }
chrono = { version="0.4", features = ["serde"] }
once_cell = "1.6.0"
futures = { version = "0.3", features = ["thread-pool"] }
oci_spec = { git = "https://github.com/containers/oci-spec-rs", rev = "e0de21b89dc1e65f69a5f45a08bbe426787c7fa1"}
oci-spec = { git="https://github.com/utam0k/oci-spec-rs/", tag = "v0.4.0-with-bugfix"}
cgroups = { version = "0.1.0", path = "./cgroups" }
systemd = { version = "0.8", default-features = false, optional = true }
dbus = "0.9.2"
@ -43,9 +43,9 @@ fastrand = "1.4.1"
crossbeam-channel = "0.5"
[dev-dependencies]
oci_spec = { git = "https://github.com/containers/oci-spec-rs", rev = "e0de21b89dc1e65f69a5f45a08bbe426787c7fa1", features = ["proptests"]}
oci-spec = { git = "https://github.com/utam0k/oci-spec-rs/", tag = "v0.4.0-with-bugfix", features = ["proptests"] }
quickcheck = "1"
serial_test = "0.5.1"
[profile.release]
lto = true
lto = true
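Review bot: The new `oci-spec` entry is pinned by `tag = "v0.4.0-with-bugfix"` on `https://github.com/utam0k/oci-spec-rs/`, whereas the line it replaces pinned an immutable `rev` on `containers/oci-spec-rs`. A git tag can be re-pointed, so only Cargo.lock (which records commit 73540d3183136d0188b9c3a40f24b08295bbc92e) keeps the resolved source fixed, and only for builds run with `--locked`; a later `cargo update` would follow the tag wherever it then points. Pinning the commit in the manifest keeps the fork's content reviewable, e.g. `oci-spec = { git = "https://github.com/utam0k/oci-spec-rs/", rev = "73540d3183136d0188b9c3a40f24b08295bbc92e" }`, ideally with a comment naming the fix the fork carries and the condition for returning to the upstream repository. The same applies to the `[dev-dependencies]` entry here and to both `oci-spec` entries in the second manifest section further down this page.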

93
cgroups/Cargo.lock generated

@ -73,17 +73,6 @@ version = "1.4.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "14c189c53d098945499cdfa7ecc63567cf3886b3332b312a5b4585d8d3a6a610"
[[package]]
name = "caps"
version = "0.5.3-alpha.0"
source = "git+https://github.com/lucab/caps-rs?rev=cb54844#cb54844125d9dd6de51d6c8c8a951aefbd0d3904"
dependencies = [
"errno",
"libc",
"serde",
"thiserror",
]
[[package]]
name = "cc"
version = "1.0.69"
@ -115,7 +104,7 @@ dependencies = [
"libc",
"log",
"nix",
"oci_spec",
"oci-spec",
"procfs",
"quickcheck",
"rbpf",
@ -428,17 +417,15 @@ dependencies = [
]
[[package]]
name = "oci_spec"
version = "0.1.0"
source = "git+https://github.com/containers/oci-spec-rs?rev=e0de21b89dc1e65f69a5f45a08bbe426787c7fa1#e0de21b89dc1e65f69a5f45a08bbe426787c7fa1"
name = "oci-spec"
version = "0.4.0"
source = "git+https://github.com/utam0k/oci-spec-rs/?tag=v0.4.0-with-bugfix#73540d3183136d0188b9c3a40f24b08295bbc92e"
dependencies = [
"anyhow",
"caps",
"nix",
"cfg-if 1.0.0",
"quickcheck",
"serde",
"serde_json",
"tempfile",
"thiserror",
]
[[package]]
@ -447,12 +434,6 @@ version = "0.3.19"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3831453b3449ceb48b6d9c7ad7c96d5ea673e9b470a1dc578c2ce6521230884c"
[[package]]
name = "ppv-lite86"
version = "0.2.10"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ac74c624d6b2d21f425f752262f42188365d7b8ff1aff74c82e45136510a4857"
[[package]]
name = "proc-macro2"
version = "1.0.28"
@ -503,19 +484,6 @@ version = "0.8.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2e7573632e6454cf6b99d7aac4ccca54be06da05aca2ef7423d22d27d4d4bcd8"
dependencies = [
"libc",
"rand_chacha",
"rand_core",
"rand_hc",
]
[[package]]
name = "rand_chacha"
version = "0.3.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88"
dependencies = [
"ppv-lite86",
"rand_core",
]
@ -528,15 +496,6 @@ dependencies = [
"getrandom",
]
[[package]]
name = "rand_hc"
version = "0.3.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d51e9f596de227fda2ea6c84607f5558e196eeaf43c986b724ba4fb8fdf497e7"
dependencies = [
"rand_core",
]
[[package]]
name = "rbpf"
version = "0.1.0"
@ -549,15 +508,6 @@ dependencies = [
"time",
]
[[package]]
name = "redox_syscall"
version = "0.2.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5ab49abadf3f9e1c4bc499e8845e152ad87d2ad2d30371841171169e9d75feee"
dependencies = [
"bitflags",
]
[[package]]
name = "regex"
version = "1.5.4"
@ -575,15 +525,6 @@ version = "0.6.25"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f497285884f3fcff424ffc933e56d7cbca511def0c9831a7f9b5f6153e3cc89b"
[[package]]
name = "remove_dir_all"
version = "0.5.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3acd125665422973a33ac9d3dd2df85edad0f4ae9b00dafb1a05e43a9f5ef8e7"
dependencies = [
"winapi",
]
[[package]]
name = "ryu"
version = "1.0.5"
@ -592,18 +533,18 @@ checksum = "71d301d4193d031abdd79ff7e3dd721168a9572ef3fe51a1517aba235bd8f86e"
[[package]]
name = "serde"
version = "1.0.127"
version = "1.0.130"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f03b9878abf6d14e6779d3f24f07b2cfa90352cfec4acc5aab8f1ac7f146fae8"
checksum = "f12d06de37cf59146fbdecab66aa99f9fe4f78722e3607577a5375d66bd0c913"
dependencies = [
"serde_derive",
]
[[package]]
name = "serde_derive"
version = "1.0.127"
version = "1.0.130"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a024926d3432516606328597e0f224a51355a493b49fdd67e9209187cbe55ecc"
checksum = "d7bc1a1ab1961464eae040d96713baa5a724a8152c1222492465b54322ec508b"
dependencies = [
"proc-macro2",
"quote",
@ -653,20 +594,6 @@ dependencies = [
"utf8-cstr",
]
[[package]]
name = "tempfile"
version = "3.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "dac1c663cfc93810f88aed9b8941d48cabf856a1b111c29a40439018d870eb22"
dependencies = [
"cfg-if 1.0.0",
"libc",
"rand",
"redox_syscall",
"remove_dir_all",
"winapi",
]
[[package]]
name = "termcolor"
version = "1.1.2"


@ -14,7 +14,7 @@ nix = "0.22.0"
procfs = "0.10.1"
log = "0.4"
anyhow = "1.0"
oci_spec = { git = "https://github.com/containers/oci-spec-rs", rev = "e0de21b89dc1e65f69a5f45a08bbe426787c7fa1"}
oci-spec = { git="https://github.com/utam0k/oci-spec-rs/", tag = "v0.4.0-with-bugfix"}
systemd = { version = "0.8", default-features = false, optional = true }
dbus = "0.9.2"
serde = { version = "1.0", features = ["derive"] }
@ -24,7 +24,7 @@ errno = { version = "0.2.7", optional = true }
libc = { version = "0.2.84", optional = true }
[dev-dependencies]
oci_spec = { git = "https://github.com/containers/oci-spec-rs", rev = "e0de21b89dc1e65f69a5f45a08bbe426787c7fa1", features = ["proptests"]}
oci-spec = { git = "https://github.com/utam0k/oci-spec-rs/", tag = "v0.4.0-with-bugfix", features = ["proptests"] }
quickcheck = "1"
clap = "2"
serde = { version = "1.0", features = ["derive"] }


@ -10,7 +10,7 @@ use nix::{
sys::statfs::{statfs, CGROUP2_SUPER_MAGIC, TMPFS_MAGIC},
unistd::Pid,
};
use oci_spec::{FreezerState, LinuxDevice, LinuxDeviceCgroup, LinuxDeviceType, LinuxResources};
use oci_spec::runtime::{LinuxDevice, LinuxDeviceCgroup, LinuxDeviceType, LinuxResources};
#[cfg(feature = "systemd_cgroups")]
use systemd::daemon::booted;
#[cfg(not(feature = "systemd_cgroups"))]
@ -30,7 +30,7 @@ pub trait CgroupManager {
/// Adds a task specified by its pid to the cgroup
fn add_task(&self, pid: Pid) -> Result<()>;
/// Applies resource restrictions to the cgroup
fn apply(&self, linux_resources: &LinuxResources) -> Result<()>;
fn apply(&self, controller_opt: &ControllerOpt) -> Result<()>;
/// Removes the cgroup
fn remove(&self) -> Result<()>;
// Sets the freezer cgroup to the specified state
@ -60,6 +60,30 @@ impl Display for CgroupSetup {
}
}
/// FreezerState is given freezer contoller
#[derive(Clone, Copy, Debug, Eq, PartialEq)]
pub enum FreezerState {
/// Tasks in cgroup are undefined
Undefined,
/// Tasks in cgroup are suspended.
Frozen,
/// Tasks in cgroup are resuming.
Thawed,
}
/// ControllerOpt is given all cgroup controller for applying cgroup configuration.
#[derive(Clone, Debug, Default)]
pub struct ControllerOpt {
/// Resources contain cgroup information for handling resource constraints for the container.
pub resources: LinuxResources,
/// Disables the OOM killer for out of memory conditions.
pub disable_oom_killer: bool,
/// Specify an oom_score_adj for container.
pub oom_score_adj: Option<i32>,
/// FreezerState is given to freezer contoller for suspending process.
pub freezer_state: Option<FreezerState>,
}
#[inline]
pub fn write_cgroup_file_str<P: AsRef<Path>>(path: P, data: &str) -> Result<()> {
fs::OpenOptions::new()
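Review bot: The new `ControllerOpt` exposes `pub oom_score_adj: Option<i32>` and `pub disable_oom_killer: bool` with one-line docs that give neither the accepted range nor which layer checks the value before it reaches the kernel interface. The field type admits any `i32` while the kernel accepts -1000 to 1000 for oom_score_adj, so I would document the contract on the field, e.g. `/// oom_score_adj for the container (kernel range -1000..=1000); this struct does not range-check it.` Whether validation happens elsewhere is not visible in this section. Separately, both new doc comments misspell "controller" as "contoller"; the enum summary could read `/// FreezerState is the state passed to the freezer controller.` The body of `write_cgroup_file_str` at the end of the hunk continues outside it.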


@ -8,7 +8,7 @@ use std::{
path::{Path, PathBuf},
};
use oci_spec::LinuxCpu;
use oci_spec::runtime::LinuxCpu;
pub struct TempDir {
path: Option<PathBuf>,


@ -1,13 +1,13 @@
use std::path::Path;
use crate::{
common,
common::{self, ControllerOpt},
stats::{self, BlkioDeviceStat, BlkioStats, StatsProvider},
v1::Controller,
};
use anyhow::{Context, Result};
use oci_spec::{LinuxBlockIo, LinuxResources};
use oci_spec::runtime::LinuxBlockIo;
// Throttling/upper limit policy
// ---------------------------------------
@ -74,18 +74,18 @@ pub struct Blkio {}
impl Controller for Blkio {
type Resource = LinuxBlockIo;
fn apply(linux_resources: &LinuxResources, cgroup_root: &Path) -> Result<()> {
fn apply(controller_opt: &ControllerOpt, cgroup_root: &Path) -> Result<()> {
log::debug!("Apply blkio cgroup config");
if let Some(blkio) = Self::needs_to_handle(linux_resources) {
if let Some(blkio) = Self::needs_to_handle(controller_opt) {
Self::apply(cgroup_root, blkio)?;
}
Ok(())
}
fn needs_to_handle(linux_resources: &LinuxResources) -> Option<&Self::Resource> {
if let Some(blkio) = &linux_resources.block_io {
fn needs_to_handle(controller_opt: &ControllerOpt) -> Option<&Self::Resource> {
if let Some(blkio) = &controller_opt.resources.block_io {
return Some(blkio);
}
@ -228,7 +228,7 @@ mod tests {
use crate::test::{create_temp_dir, set_fixture, setup};
use anyhow::Result;
use oci_spec::{LinuxBlockIo, LinuxThrottleDevice};
use oci_spec::runtime::{LinuxBlockIo, LinuxThrottleDevice};
struct BlockIoBuilder {
block_io: LinuxBlockIo,


@ -3,9 +3,7 @@ use std::{fs, path::Path};
use anyhow::Result;
use nix::unistd::Pid;
use oci_spec::LinuxResources;
use crate::common::{self, CGROUP_PROCS};
use crate::common::{self, ControllerOpt, CGROUP_PROCS};
pub trait Controller {
type Resource;
@ -18,8 +16,8 @@ pub trait Controller {
}
/// Applies resource restrictions to the cgroup
fn apply(linux_resources: &LinuxResources, cgroup_root: &Path) -> Result<()>;
fn apply(controller_opt: &ControllerOpt, cgroup_root: &Path) -> Result<()>;
/// Checks if the controller needs to handle this request
fn needs_to_handle(linux_resources: &LinuxResources) -> Option<&Self::Resource>;
fn needs_to_handle(controller_opt: &ControllerOpt) -> Option<&Self::Resource>;
}
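Review bot: The doc comment kept above `apply` still reads "Applies resource restrictions to the cgroup", but the parameter is now `&ControllerOpt` rather than `&LinuxResources`. Going by the `ControllerOpt` struct added elsewhere in this commit, that argument also carries `disable_oom_killer`, `oom_score_adj` and `freezer_state`, so the comment understates what an implementation may act on. I would change it to `/// Applies the settings in controller_opt (resource limits, OOM options, freezer state) to the cgroup` and describe `needs_to_handle` as `/// Returns the part of controller_opt this controller is responsible for, if any`.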


@ -1,10 +1,10 @@
use std::path::Path;
use anyhow::{bail, Context, Result};
use oci_spec::{LinuxCpu, LinuxResources};
use oci_spec::runtime::LinuxCpu;
use crate::{
common,
common::{self, ControllerOpt},
stats::{CpuThrottling, StatsProvider},
};
@ -22,18 +22,18 @@ pub struct Cpu {}
impl Controller for Cpu {
type Resource = LinuxCpu;
fn apply(linux_resources: &LinuxResources, cgroup_root: &Path) -> Result<()> {
fn apply(controller_opt: &ControllerOpt, cgroup_root: &Path) -> Result<()> {
log::debug!("Apply Cpu cgroup config");
if let Some(cpu) = Self::needs_to_handle(linux_resources) {
if let Some(cpu) = Self::needs_to_handle(controller_opt) {
Self::apply(cgroup_root, cpu).context("failed to apply cpu resource restrictions")?;
}
Ok(())
}
fn needs_to_handle(linux_resources: &LinuxResources) -> Option<&Self::Resource> {
if let Some(cpu) = &linux_resources.cpu {
fn needs_to_handle(controller_opt: &ControllerOpt) -> Option<&Self::Resource> {
if let Some(cpu) = &controller_opt.resources.cpu {
if cpu.shares.is_some()
|| cpu.period.is_some()
|| cpu.quota.is_some()


@ -1,10 +1,9 @@
use std::path::Path;
use anyhow::{bail, Context, Result};
use oci_spec::LinuxResources;
use crate::{
common,
common::{self, ControllerOpt},
stats::{CpuUsage, StatsProvider},
};
@ -24,11 +23,11 @@ pub struct CpuAcct {}
impl Controller for CpuAcct {
type Resource = ();
fn apply(_linux_resources: &LinuxResources, _cgroup_path: &Path) -> Result<()> {
fn apply(_controller_opt: &ControllerOpt, _cgroup_path: &Path) -> Result<()> {
Ok(())
}
fn needs_to_handle(_linux_resources: &LinuxResources) -> Option<&Self::Resource> {
fn needs_to_handle(_controller_opt: &ControllerOpt) -> Option<&Self::Resource> {
None
}
}


@ -2,10 +2,10 @@ use std::{fs, path::Path};
use anyhow::{bail, Context, Result};
use nix::unistd;
use oci_spec::{LinuxCpu, LinuxResources};
use oci_spec::runtime::LinuxCpu;
use unistd::Pid;
use crate::common::{self, CGROUP_PROCS};
use crate::common::{self, ControllerOpt, CGROUP_PROCS};
use super::{util, Controller, ControllerType};
@ -27,10 +27,10 @@ impl Controller for CpuSet {
Ok(())
}
fn apply(linux_resources: &LinuxResources, cgroup_path: &Path) -> Result<()> {
fn apply(controller_opt: &ControllerOpt, cgroup_path: &Path) -> Result<()> {
log::debug!("Apply CpuSet cgroup config");
if let Some(cpuset) = Self::needs_to_handle(linux_resources) {
if let Some(cpuset) = Self::needs_to_handle(controller_opt) {
Self::apply(cgroup_path, cpuset)
.context("failed to apply cpuset resource restrictions")?;
}
@ -38,8 +38,8 @@ impl Controller for CpuSet {
Ok(())
}
fn needs_to_handle(linux_resources: &LinuxResources) -> Option<&Self::Resource> {
if let Some(cpuset) = &linux_resources.cpu {
fn needs_to_handle(controller_opt: &ControllerOpt) -> Option<&Self::Resource> {
if let Some(cpuset) = &controller_opt.resources.cpu {
if cpuset.cpus.is_some() || cpuset.mems.is_some() {
return Some(cpuset);
}


@ -3,18 +3,18 @@ use std::path::Path;
use anyhow::Result;
use super::controller::Controller;
use crate::common::{self, default_allow_devices, default_devices};
use oci_spec::{LinuxDeviceCgroup, LinuxResources};
use crate::common::{self, default_allow_devices, default_devices, ControllerOpt};
use oci_spec::runtime::LinuxDeviceCgroup;
pub struct Devices {}
impl Controller for Devices {
type Resource = ();
fn apply(linux_resources: &LinuxResources, cgroup_root: &Path) -> Result<()> {
fn apply(controller_opt: &ControllerOpt, cgroup_root: &Path) -> Result<()> {
log::debug!("Apply Devices cgroup config");
if let Some(devices) = linux_resources.devices.as_ref() {
if let Some(devices) = controller_opt.resources.devices.as_ref() {
for d in devices {
Self::apply_device(d, cgroup_root)?;
}
@ -33,7 +33,7 @@ impl Controller for Devices {
}
// always needs to be called due to default devices
fn needs_to_handle(_linux_resources: &LinuxResources) -> Option<&Self::Resource> {
fn needs_to_handle(_controller_opt: &ControllerOpt) -> Option<&Self::Resource> {
Some(&())
}
}
@ -56,7 +56,7 @@ mod tests {
use super::*;
use crate::test::create_temp_dir;
use crate::test::set_fixture;
use oci_spec::{LinuxDeviceCgroup, LinuxDeviceType};
use oci_spec::runtime::{LinuxDeviceCgroup, LinuxDeviceType};
use std::fs::read_to_string;
#[test]


@ -9,7 +9,7 @@ use anyhow::{Result, *};
use super::Controller;
use crate::common;
use oci_spec::{FreezerState, LinuxResources};
use crate::common::{ControllerOpt, FreezerState};
const CGROUP_FREEZER_STATE: &str = "freezer.state";
const FREEZER_STATE_THAWED: &str = "THAWED";
@ -21,19 +21,19 @@ pub struct Freezer {}
impl Controller for Freezer {
type Resource = FreezerState;
fn apply(linux_resources: &LinuxResources, cgroup_root: &Path) -> Result<()> {
fn apply(controller_opt: &ControllerOpt, cgroup_root: &Path) -> Result<()> {
log::debug!("Apply Freezer cgroup config");
create_dir_all(&cgroup_root)?;
if let Some(freezer_state) = Self::needs_to_handle(linux_resources) {
if let Some(freezer_state) = Self::needs_to_handle(controller_opt) {
Self::apply(freezer_state, cgroup_root).context("failed to appyl freezer")?;
}
Ok(())
}
fn needs_to_handle(linux_resources: &LinuxResources) -> Option<&Self::Resource> {
if let Some(freezer_state) = &linux_resources.freezer {
fn needs_to_handle(controller: &ControllerOpt) -> Option<&Self::Resource> {
if let Some(freezer_state) = &controller.freezer_state {
return Some(freezer_state);
}
@ -124,10 +124,10 @@ impl Freezer {
#[cfg(test)]
mod tests {
use super::*;
use crate::common::CGROUP_PROCS;
use crate::common::{FreezerState, CGROUP_PROCS};
use crate::test::{create_temp_dir, set_fixture};
use nix::unistd::Pid;
use oci_spec::FreezerState;
use oci_spec::runtime::LinuxResources;
#[test]
fn test_set_freezer_state() {
@ -178,22 +178,26 @@ mod tests {
{
let linux_resources = LinuxResources {
devices: Some(vec![]),
disable_oom_killer: false,
oom_score_adj: None,
memory: None,
cpu: None,
pids: None,
block_io: None,
hugepage_limits: Some(vec![]),
network: None,
freezer: Some(FreezerState::Thawed),
rdma: None,
unified: None,
};
let state = FreezerState::Thawed;
let controller_opt = ControllerOpt {
resources: linux_resources,
freezer_state: Some(state),
..Default::default()
};
let pid = Pid::from_raw(1000);
Freezer::add_task(pid, &tmp).expect("freezer add task");
<Freezer as Controller>::apply(&linux_resources, &tmp).expect("freezer apply");
<Freezer as Controller>::apply(&controller_opt, &tmp).expect("freezer apply");
let state_content =
std::fs::read_to_string(tmp.join(CGROUP_FREEZER_STATE)).expect("read to string");
assert_eq!(FREEZER_STATE_THAWED, state_content);
@ -206,22 +210,27 @@ mod tests {
{
let linux_resources = LinuxResources {
devices: Some(vec![]),
disable_oom_killer: false,
oom_score_adj: None,
memory: None,
cpu: None,
pids: None,
block_io: None,
hugepage_limits: Some(vec![]),
network: None,
freezer: Some(FreezerState::Frozen),
rdma: None,
unified: None,
};
let state = FreezerState::Frozen;
let controller_opt = ControllerOpt {
resources: linux_resources,
freezer_state: Some(state),
..Default::default()
};
let pid = Pid::from_raw(1001);
Freezer::add_task(pid, &tmp).expect("freezer add task");
<Freezer as Controller>::apply(&linux_resources, &tmp).expect("freezer apply");
<Freezer as Controller>::apply(&controller_opt, &tmp).expect("freezer apply");
let state_content =
std::fs::read_to_string(tmp.join(CGROUP_FREEZER_STATE)).expect("read to string");
assert_eq!(FREEZER_STATE_FROZEN, state_content);
@ -234,24 +243,29 @@ mod tests {
{
let linux_resources = LinuxResources {
devices: Some(vec![]),
disable_oom_killer: false,
oom_score_adj: None,
memory: None,
cpu: None,
pids: None,
block_io: None,
hugepage_limits: Some(vec![]),
network: None,
freezer: Some(FreezerState::Undefined),
rdma: None,
unified: None,
};
let state = FreezerState::Undefined;
let controller_opt = ControllerOpt {
resources: linux_resources,
freezer_state: Some(state),
..Default::default()
};
let pid = Pid::from_raw(1002);
let old_state_content =
std::fs::read_to_string(tmp.join(CGROUP_FREEZER_STATE)).expect("read to string");
Freezer::add_task(pid, &tmp).expect("freezer add task");
<Freezer as Controller>::apply(&linux_resources, &tmp).expect("freezer apply");
<Freezer as Controller>::apply(&controller_opt, &tmp).expect("freezer apply");
let state_content =
std::fs::read_to_string(tmp.join(CGROUP_FREEZER_STATE)).expect("read to string");
assert_eq!(old_state_content, state_content);
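Review bot: The error context on the `Self::apply(freezer_state, cgroup_root)` call in `apply` is misspelled as `"failed to appyl freezer"`, which makes the message hard to find when searching logs. The cgroup v2 freezer in this same commit uses `"failed to apply freezer"`, so I would change the line to `.context("failed to apply freezer")?;`. The new `needs_to_handle` signature also names its parameter `controller` where the other controllers in the commit use `controller_opt`; `fn needs_to_handle(controller_opt: &ControllerOpt) -> Option<&Self::Resource>` would keep them uniform. The body of `needs_to_handle` continues outside the hunk.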


@ -3,22 +3,22 @@ use std::{collections::HashMap, path::Path};
use anyhow::{bail, Context, Result};
use crate::{
common,
common::{self, ControllerOpt},
stats::{supported_page_sizes, HugeTlbStats, StatsProvider},
};
use super::Controller;
use oci_spec::{LinuxHugepageLimit, LinuxResources};
use oci_spec::runtime::LinuxHugepageLimit;
pub struct HugeTlb {}
impl Controller for HugeTlb {
type Resource = Vec<LinuxHugepageLimit>;
fn apply(linux_resources: &LinuxResources, cgroup_root: &std::path::Path) -> Result<()> {
fn apply(controller_opt: &ControllerOpt, cgroup_root: &std::path::Path) -> Result<()> {
log::debug!("Apply Hugetlb cgroup config");
if let Some(hugepage_limits) = Self::needs_to_handle(linux_resources) {
if let Some(hugepage_limits) = Self::needs_to_handle(controller_opt) {
for hugetlb in hugepage_limits {
Self::apply(cgroup_root, hugetlb)
.context("failed to apply hugetlb resource restrictions")?
@ -28,10 +28,10 @@ impl Controller for HugeTlb {
Ok(())
}
fn needs_to_handle(linux_resources: &LinuxResources) -> Option<&Self::Resource> {
if let Some(hugepage_limits) = linux_resources.hugepage_limits.as_ref() {
fn needs_to_handle(controller_opt: &ControllerOpt) -> Option<&Self::Resource> {
if let Some(hugepage_limits) = controller_opt.resources.hugepage_limits.as_ref() {
if !hugepage_limits.is_empty() {
return linux_resources.hugepage_limits.as_ref();
return controller_opt.resources.hugepage_limits.as_ref();
}
}
@ -101,7 +101,7 @@ impl HugeTlb {
mod tests {
use super::*;
use crate::test::{create_temp_dir, set_fixture};
use oci_spec::LinuxHugepageLimit;
use oci_spec::runtime::LinuxHugepageLimit;
use std::fs::read_to_string;
#[test]
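Review bot: In `needs_to_handle` the inner branch reads `controller_opt.resources.hugepage_limits.as_ref()` a second time, although the same reference is already bound as `hugepage_limits`. Returning the binding, `return Some(hugepage_limits);`, keeps the emptiness check and the returned value tied to one variable. The tail of the function is outside the hunk.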


@ -16,9 +16,9 @@ use super::{
perf_event::PerfEvent, pids::Pids, util, Controller,
};
use crate::common::{self, CgroupManager, PathBufExt, CGROUP_PROCS};
use crate::common::{self, CgroupManager, ControllerOpt, FreezerState, PathBufExt, CGROUP_PROCS};
use crate::stats::{Stats, StatsProvider};
use oci_spec::{FreezerState, LinuxResources};
pub struct Manager {
subsystems: HashMap<CtrlType, PathBuf>,
}
@ -61,28 +61,28 @@ impl Manager {
fn get_required_controllers(
&self,
linux_resources: &LinuxResources,
controller_opt: &ControllerOpt,
) -> Result<HashMap<&CtrlType, &PathBuf>> {
let mut required_controllers = HashMap::new();
for controller in CONTROLLERS {
let required = match controller {
CtrlType::Cpu => Cpu::needs_to_handle(linux_resources).is_some(),
CtrlType::CpuAcct => CpuAcct::needs_to_handle(linux_resources).is_some(),
CtrlType::CpuSet => CpuSet::needs_to_handle(linux_resources).is_some(),
CtrlType::Devices => Devices::needs_to_handle(linux_resources).is_some(),
CtrlType::HugeTlb => HugeTlb::needs_to_handle(linux_resources).is_some(),
CtrlType::Memory => Memory::needs_to_handle(linux_resources).is_some(),
CtrlType::Pids => Pids::needs_to_handle(linux_resources).is_some(),
CtrlType::PerfEvent => PerfEvent::needs_to_handle(linux_resources).is_some(),
CtrlType::Blkio => Blkio::needs_to_handle(linux_resources).is_some(),
CtrlType::Cpu => Cpu::needs_to_handle(controller_opt).is_some(),
CtrlType::CpuAcct => CpuAcct::needs_to_handle(controller_opt).is_some(),
CtrlType::CpuSet => CpuSet::needs_to_handle(controller_opt).is_some(),
CtrlType::Devices => Devices::needs_to_handle(controller_opt).is_some(),
CtrlType::HugeTlb => HugeTlb::needs_to_handle(controller_opt).is_some(),
CtrlType::Memory => Memory::needs_to_handle(controller_opt).is_some(),
CtrlType::Pids => Pids::needs_to_handle(controller_opt).is_some(),
CtrlType::PerfEvent => PerfEvent::needs_to_handle(controller_opt).is_some(),
CtrlType::Blkio => Blkio::needs_to_handle(controller_opt).is_some(),
CtrlType::NetworkPriority => {
NetworkPriority::needs_to_handle(linux_resources).is_some()
NetworkPriority::needs_to_handle(controller_opt).is_some()
}
CtrlType::NetworkClassifier => {
NetworkClassifier::needs_to_handle(linux_resources).is_some()
NetworkClassifier::needs_to_handle(controller_opt).is_some()
}
CtrlType::Freezer => Freezer::needs_to_handle(linux_resources).is_some(),
CtrlType::Freezer => Freezer::needs_to_handle(controller_opt).is_some(),
};
if required {
@ -128,21 +128,21 @@ impl CgroupManager for Manager {
Ok(())
}
fn apply(&self, linux_resources: &LinuxResources) -> Result<()> {
for subsys in self.get_required_controllers(linux_resources)? {
fn apply(&self, controller_opt: &ControllerOpt) -> Result<()> {
for subsys in self.get_required_controllers(controller_opt)? {
match subsys.0 {
CtrlType::Cpu => Cpu::apply(linux_resources, subsys.1)?,
CtrlType::CpuAcct => CpuAcct::apply(linux_resources, subsys.1)?,
CtrlType::CpuSet => CpuSet::apply(linux_resources, subsys.1)?,
CtrlType::Devices => Devices::apply(linux_resources, subsys.1)?,
CtrlType::HugeTlb => HugeTlb::apply(linux_resources, subsys.1)?,
CtrlType::Memory => Memory::apply(linux_resources, subsys.1)?,
CtrlType::Pids => Pids::apply(linux_resources, subsys.1)?,
CtrlType::PerfEvent => PerfEvent::apply(linux_resources, subsys.1)?,
CtrlType::Blkio => Blkio::apply(linux_resources, subsys.1)?,
CtrlType::NetworkPriority => NetworkPriority::apply(linux_resources, subsys.1)?,
CtrlType::NetworkClassifier => NetworkClassifier::apply(linux_resources, subsys.1)?,
CtrlType::Freezer => Freezer::apply(linux_resources, subsys.1)?,
CtrlType::Cpu => Cpu::apply(controller_opt, subsys.1)?,
CtrlType::CpuAcct => CpuAcct::apply(controller_opt, subsys.1)?,
CtrlType::CpuSet => CpuSet::apply(controller_opt, subsys.1)?,
CtrlType::Devices => Devices::apply(controller_opt, subsys.1)?,
CtrlType::HugeTlb => HugeTlb::apply(controller_opt, subsys.1)?,
CtrlType::Memory => Memory::apply(controller_opt, subsys.1)?,
CtrlType::Pids => Pids::apply(controller_opt, subsys.1)?,
CtrlType::PerfEvent => PerfEvent::apply(controller_opt, subsys.1)?,
CtrlType::Blkio => Blkio::apply(controller_opt, subsys.1)?,
CtrlType::NetworkPriority => NetworkPriority::apply(controller_opt, subsys.1)?,
CtrlType::NetworkClassifier => NetworkClassifier::apply(controller_opt, subsys.1)?,
CtrlType::Freezer => Freezer::apply(controller_opt, subsys.1)?,
}
}
@ -169,12 +169,13 @@ impl CgroupManager for Manager {
}
fn freeze(&self, state: FreezerState) -> Result<()> {
let linux_resources = LinuxResources {
freezer: Some(state),
let controller_opt = ControllerOpt {
resources: Default::default(),
freezer_state: Some(state),
..Default::default()
};
Freezer::apply(
&linux_resources,
&controller_opt,
self.subsystems.get(&CtrlType::Freezer).unwrap(),
)
}
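Review bot: `freeze` calls `self.subsystems.get(&CtrlType::Freezer).unwrap()`, so it panics when the freezer hierarchy is missing from the `subsystems` map instead of reporting the failure through its `Result<()>`. A pause or resume request would then abort the runtime process rather than surface an error the caller can handle. I would propagate it with `self.subsystems.get(&CtrlType::Freezer).ok_or_else(|| anyhow::anyhow!("freezer subsystem not found"))?`. How `subsystems` is populated is outside the hunk, so whether the entry can actually be absent should be confirmed.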


@ -6,10 +6,10 @@ use anyhow::{anyhow, bail, Result};
use nix::errno::Errno;
use super::Controller;
use crate::common::{self};
use crate::common::{self, ControllerOpt};
use crate::stats::{self, parse_single_value, MemoryData, MemoryStats, StatsProvider};
use oci_spec::{LinuxMemory, LinuxResources};
use oci_spec::runtime::LinuxMemory;
const CGROUP_MEMORY_SWAP_LIMIT: &str = "memory.memsw.limit_in_bytes";
const CGROUP_MEMORY_LIMIT: &str = "memory.limit_in_bytes";
@ -48,10 +48,10 @@ pub struct Memory {}
impl Controller for Memory {
type Resource = LinuxMemory;
fn apply(linux_resources: &LinuxResources, cgroup_root: &Path) -> Result<()> {
fn apply(controller_opt: &ControllerOpt, cgroup_root: &Path) -> Result<()> {
log::debug!("Apply Memory cgroup config");
if let Some(memory) = Self::needs_to_handle(linux_resources) {
if let Some(memory) = Self::needs_to_handle(controller_opt) {
let reservation = memory.reservation.unwrap_or(0);
Self::apply(memory, cgroup_root)?;
@ -63,7 +63,7 @@ impl Controller for Memory {
)?;
}
if linux_resources.disable_oom_killer {
if controller_opt.disable_oom_killer {
common::write_cgroup_file(cgroup_root.join(CGROUP_MEMORY_OOM_CONTROL), 0)?;
} else {
common::write_cgroup_file(cgroup_root.join(CGROUP_MEMORY_OOM_CONTROL), 1)?;
@ -101,8 +101,8 @@ impl Controller for Memory {
Ok(())
}
fn needs_to_handle(linux_resources: &LinuxResources) -> Option<&Self::Resource> {
if let Some(memory) = &linux_resources.memory {
fn needs_to_handle(controller_opt: &ControllerOpt) -> Option<&Self::Resource> {
if let Some(memory) = &controller_opt.resources.memory {
return Some(memory);
}
@ -324,7 +324,7 @@ mod tests {
use super::*;
use crate::common::CGROUP_PROCS;
use crate::test::{create_temp_dir, set_fixture};
use oci_spec::LinuxMemory;
use oci_spec::runtime::{LinuxMemory, LinuxResources};
#[test]
fn test_set_memory() {
@ -440,24 +440,28 @@ mod tests {
// clone to avoid use of moved value later on
let memory_limits = linux_memory.clone();
let memory_limits = linux_memory;
let linux_resources = LinuxResources {
devices: Some(vec![]),
disable_oom_killer,
oom_score_adj: None, // current unused
memory: Some(linux_memory),
cpu: None,
pids: None,
block_io: None,
hugepage_limits: Some(vec![]),
network: None,
freezer: None,
rdma: None,
unified: None,
};
let result = <Memory as Controller>::apply(&linux_resources, &tmp);
let controller_opt = ControllerOpt {
resources: linux_resources,
disable_oom_killer,
..Default::default()
};
let result = <Memory as Controller>::apply(&controller_opt, &tmp);
if result.is_err() {
if let Some(swappiness) = memory_limits.swappiness {
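Review bot: The branch on `controller_opt.disable_oom_killer` in `apply` looks inverted: it writes `0` to `CGROUP_MEMORY_OOM_CONTROL` when the flag is set and `1` when it is not. The constant is defined outside the hunk, but if it names the cgroup v1 `memory.oom_control` file, the kernel documents writing `1` as disabling the OOM killer. A default container would then run with the OOM killer off, and one that asks to disable it would keep it on. The commit only changes where the flag is read from, so this predates it. I would swap the literals so the true branch is `common::write_cgroup_file(cgroup_root.join(CGROUP_MEMORY_OOM_CONTROL), 1)?;` and the else branch writes `0`, with a test that reads the file back for both values.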


@ -3,18 +3,18 @@ use std::path::Path;
use anyhow::{Context, Result};
use super::Controller;
use crate::common;
use oci_spec::{LinuxNetwork, LinuxResources};
use crate::common::{self, ControllerOpt};
use oci_spec::runtime::LinuxNetwork;
pub struct NetworkClassifier {}
impl Controller for NetworkClassifier {
type Resource = LinuxNetwork;
fn apply(linux_resources: &LinuxResources, cgroup_root: &Path) -> Result<()> {
fn apply(controller_opt: &ControllerOpt, cgroup_root: &Path) -> Result<()> {
log::debug!("Apply NetworkClassifier cgroup config");
if let Some(network) = Self::needs_to_handle(linux_resources) {
if let Some(network) = Self::needs_to_handle(controller_opt) {
Self::apply(cgroup_root, network)
.context("failed to apply network classifier resource restrictions")?;
}
@ -22,8 +22,8 @@ impl Controller for NetworkClassifier {
Ok(())
}
fn needs_to_handle(linux_resources: &LinuxResources) -> Option<&Self::Resource> {
if let Some(network) = linux_resources.network.as_ref() {
fn needs_to_handle(controller_opt: &ControllerOpt) -> Option<&Self::Resource> {
if let Some(network) = controller_opt.resources.network.as_ref() {
return Some(network);
}


@ -3,18 +3,18 @@ use std::path::Path;
use anyhow::{Context, Result};
use super::Controller;
use crate::common;
use oci_spec::{LinuxNetwork, LinuxResources};
use crate::common::{self, ControllerOpt};
use oci_spec::runtime::LinuxNetwork;
pub struct NetworkPriority {}
impl Controller for NetworkPriority {
type Resource = LinuxNetwork;
fn apply(linux_resources: &LinuxResources, cgroup_root: &Path) -> Result<()> {
fn apply(controller_opt: &ControllerOpt, cgroup_root: &Path) -> Result<()> {
log::debug!("Apply NetworkPriority cgroup config");
if let Some(network) = Self::needs_to_handle(linux_resources) {
if let Some(network) = Self::needs_to_handle(controller_opt) {
Self::apply(cgroup_root, network)
.context("failed to apply network priority resource restrictions")?;
}
@ -22,8 +22,8 @@ impl Controller for NetworkPriority {
Ok(())
}
fn needs_to_handle(linux_resources: &LinuxResources) -> Option<&Self::Resource> {
if let Some(network) = &linux_resources.network {
fn needs_to_handle(controller_opt: &ControllerOpt) -> Option<&Self::Resource> {
if let Some(network) = &controller_opt.resources.network {
return Some(network);
}
@ -46,7 +46,7 @@ impl NetworkPriority {
mod tests {
use super::*;
use crate::test::{create_temp_dir, set_fixture};
use oci_spec::LinuxInterfacePriority;
use oci_spec::runtime::LinuxInterfacePriority;
#[test]
fn test_apply_network_priorites() {


@ -1,6 +1,6 @@
use super::Controller;
use crate::common::ControllerOpt;
use anyhow::Result;
use oci_spec::LinuxResources;
use std::path::Path;
pub struct PerfEvent {}
@ -8,11 +8,11 @@ pub struct PerfEvent {}
impl Controller for PerfEvent {
type Resource = ();
fn apply(_linux_resources: &LinuxResources, _cgroup_root: &Path) -> Result<()> {
fn apply(_controller_opt: &ControllerOpt, _cgroup_root: &Path) -> Result<()> {
Ok(())
}
//no need to handle any case
fn needs_to_handle(_linux_resources: &LinuxResources) -> Option<&Self::Resource> {
fn needs_to_handle(_controller_opt: &ControllerOpt) -> Option<&Self::Resource> {
None
}
}


@ -4,10 +4,10 @@ use anyhow::{Context, Result};
use super::Controller;
use crate::{
common,
common::{self, ControllerOpt},
stats::{self, PidStats, StatsProvider},
};
use oci_spec::{LinuxPids, LinuxResources};
use oci_spec::runtime::LinuxPids;
// Contains the maximum allowed number of active pids
const CGROUP_PIDS_MAX: &str = "pids.max";
@ -17,18 +17,18 @@ pub struct Pids {}
impl Controller for Pids {
type Resource = LinuxPids;
fn apply(linux_resources: &LinuxResources, cgroup_root: &Path) -> Result<()> {
fn apply(controller_opt: &ControllerOpt, cgroup_root: &Path) -> Result<()> {
log::debug!("Apply pids cgroup config");
if let Some(pids) = &linux_resources.pids {
if let Some(pids) = &controller_opt.resources.pids {
Self::apply(cgroup_root, pids).context("failed to apply pids resource restrictions")?;
}
Ok(())
}
fn needs_to_handle(linux_resources: &LinuxResources) -> Option<&Self::Resource> {
if let Some(pids) = &linux_resources.pids {
fn needs_to_handle(controller_opt: &ControllerOpt) -> Option<&Self::Resource> {
if let Some(pids) = &controller_opt.resources.pids {
return Some(pids);
}
@ -61,7 +61,7 @@ impl Pids {
mod tests {
use super::*;
use crate::test::{create_temp_dir, set_fixture};
use oci_spec::LinuxPids;
use oci_spec::runtime::LinuxPids;
// Contains the current number of active pids
const CGROUP_PIDS_CURRENT: &str = "pids.current";


@ -1,8 +1,8 @@
use anyhow::Result;
use std::path::Path;
use oci_spec::LinuxResources;
use crate::common::ControllerOpt;
pub trait Controller {
fn apply(linux_resources: &LinuxResources, cgroup_path: &Path) -> Result<()>;
fn apply(controller_opt: &ControllerOpt, cgroup_path: &Path) -> Result<()>;
}


@ -2,11 +2,11 @@ use anyhow::{bail, Context, Result};
use std::path::Path;
use crate::{
common,
common::{self, ControllerOpt},
stats::{CpuUsage, StatsProvider},
};
use oci_spec::{LinuxCpu, LinuxResources};
use oci_spec::runtime::LinuxCpu;
use super::controller::Controller;
@ -20,8 +20,8 @@ const CPU_STAT: &str = "cpu.stat";
pub struct Cpu {}
impl Controller for Cpu {
fn apply(linux_resources: &LinuxResources, path: &Path) -> Result<()> {
if let Some(cpu) = &linux_resources.cpu {
fn apply(controller_opt: &ControllerOpt, path: &Path) -> Result<()> {
if let Some(cpu) = &controller_opt.resources.cpu {
Self::apply(path, cpu).context("failed to apply cpu resource restrictions")?;
}


@ -1,8 +1,8 @@
use anyhow::{Context, Result};
use std::path::Path;
use crate::common;
use oci_spec::{LinuxCpu, LinuxResources};
use crate::common::{self, ControllerOpt};
use oci_spec::runtime::LinuxCpu;
use super::controller::Controller;
@ -12,8 +12,8 @@ const CGROUP_CPUSET_MEMS: &str = "cpuset.mems";
pub struct CpuSet {}
impl Controller for CpuSet {
fn apply(linux_resources: &LinuxResources, cgroup_path: &Path) -> Result<()> {
if let Some(cpuset) = &linux_resources.cpu {
fn apply(controller_opt: &ControllerOpt, cgroup_path: &Path) -> Result<()> {
if let Some(cpuset) = &controller_opt.resources.cpu {
Self::apply(cgroup_path, cpuset)
.context("failed to apply cpuset resource restrictions")?;
}


@ -6,9 +6,9 @@ use anyhow::Result;
use super::*;
use nix::fcntl::OFlag;
use nix::sys::stat::Mode;
use oci_spec::{LinuxDeviceCgroup, LinuxResources};
use oci_spec::runtime::LinuxDeviceCgroup;
use crate::common::{default_allow_devices, default_devices};
use crate::common::{default_allow_devices, default_devices, ControllerOpt};
use crate::v2::controller::Controller;
const LICENSE: &str = "Apache";
@ -16,12 +16,12 @@ const LICENSE: &str = "Apache";
pub struct Devices {}
impl Controller for Devices {
fn apply(linux_resources: &LinuxResources, cgroup_root: &Path) -> Result<()> {
fn apply(controller_opt: &ControllerOpt, cgroup_root: &Path) -> Result<()> {
#[cfg(not(feature = "cgroupsv2_devices"))]
return Ok(());
#[cfg(feature = "cgroupsv2_devices")]
return Self::apply_devices(cgroup_root, &linux_resources.devices);
return Self::apply_devices(cgroup_root, &controller_opt.resources.devices);
}
}
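Review bot: With the `cgroupsv2_devices` feature off, `apply` returns `Ok(())` without looking at `controller_opt.resources.devices`. Device rules from the spec are therefore dropped silently, and nothing tells the operator that no device filter was installed. I would emit a warning in the `cfg(not(...))` path when rules are present, for example `log::warn!("cgroupsv2_devices is disabled, device rules are not enforced");` inside a cfg-gated block ahead of the `return Ok(());`. The v2 managers in this commit gate their `Devices::apply` call on the same feature, so the warning may need to live at the call site as well. A one-line comment on each `cfg` branch saying which one enforces rules would also help.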


@ -1,5 +1,5 @@
use anyhow::Result;
use oci_spec::*;
use oci_spec::runtime::{LinuxDeviceCgroup, LinuxDeviceType};
// For cgroup v1 compatiblity, runc implements a device emulator to caculate the final rules given
// a list of user-defined rules.
@ -28,17 +28,17 @@ impl Emulator {
}
}
pub fn add_rules(&mut self, rules: &[oci_spec::LinuxDeviceCgroup]) -> Result<()> {
pub fn add_rules(&mut self, rules: &[LinuxDeviceCgroup]) -> Result<()> {
for rule in rules {
self.add_rule(rule)?;
}
Ok(())
}
pub fn add_rule(&mut self, rule: &oci_spec::LinuxDeviceCgroup) -> Result<()> {
pub fn add_rule(&mut self, rule: &LinuxDeviceCgroup) -> Result<()> {
// special case, switch to blacklist or whitelist and clear all existing rules
// NOTE: we ignore other fields when type='a', this is same as cgroup v1 and runc
if rule.typ.unwrap_or_default() == oci_spec::LinuxDeviceType::A {
if rule.typ.unwrap_or_default() == LinuxDeviceType::A {
self.default_allow = rule.allow;
self.rules.clear();
return Ok(());


@ -1,5 +1,5 @@
use anyhow::{bail, Result};
use oci_spec::*;
use oci_spec::runtime::*;
use rbpf::disassembler::disassemble;
use rbpf::insn_builder::Arch as RbpfArch;
@ -249,7 +249,7 @@ fn bpf_cgroup_dev_ctx(
mod tests {
use super::*;
fn build_bpf_program(rules: &Option<Vec<oci_spec::LinuxDeviceCgroup>>) -> Result<Program> {
fn build_bpf_program(rules: &Option<Vec<LinuxDeviceCgroup>>) -> Result<Program> {
let mut em = crate::v2::devices::emulator::Emulator::with_default_allow(false);
if let Some(rules) = rules {
em.add_rules(rules)?;
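Review bot: The new import is still a glob, `use oci_spec::runtime::*;`, which pulls every runtime spec type into a module that builds the device BPF program. The device emulator section of this same commit replaced its glob with `use oci_spec::runtime::{LinuxDeviceCgroup, LinuxDeviceType};`. Naming the types this file actually uses would make later crate upgrades easier to audit for name clashes. Only `LinuxDeviceCgroup` is visible in these hunks, so the full list has to be taken from the rest of the file.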


@ -7,7 +7,7 @@ use std::{
time::Duration,
};
use oci_spec::{FreezerState, LinuxResources};
use crate::common::{ControllerOpt, FreezerState};
use super::controller::Controller;
@ -17,8 +17,8 @@ const CGROUP_EVENTS: &str = "cgroup.events";
pub struct Freezer {}
impl Controller for Freezer {
fn apply(linux_resources: &LinuxResources, cgroup_path: &Path) -> Result<()> {
if let Some(freezer_state) = linux_resources.freezer {
fn apply(controller_opt: &ControllerOpt, cgroup_path: &Path) -> Result<()> {
if let Some(freezer_state) = controller_opt.freezer_state {
Self::apply(freezer_state, cgroup_path).context("failed to apply freezer")?;
}
@ -122,8 +122,8 @@ impl Freezer {
#[cfg(test)]
mod tests {
use super::*;
use crate::common::FreezerState;
use crate::test::{create_temp_dir, set_fixture};
use oci_spec::FreezerState;
use std::sync::Arc;
#[test]


@ -3,18 +3,18 @@ use std::{collections::HashMap, path::Path};
use super::controller::Controller;
use crate::{
common,
common::{self, ControllerOpt},
stats::{parse_single_value, supported_page_sizes, HugeTlbStats, StatsProvider},
};
use oci_spec::{LinuxHugepageLimit, LinuxResources};
use oci_spec::runtime::LinuxHugepageLimit;
pub struct HugeTlb {}
impl Controller for HugeTlb {
fn apply(linux_resources: &LinuxResources, cgroup_root: &std::path::Path) -> Result<()> {
fn apply(controller_opt: &ControllerOpt, cgroup_root: &std::path::Path) -> Result<()> {
log::debug!("Apply hugetlb cgroup v2 config");
if let Some(hugepage_limits) = linux_resources.hugepage_limits.as_ref() {
if let Some(hugepage_limits) = controller_opt.resources.hugepage_limits.as_ref() {
for hugetlb in hugepage_limits {
Self::apply(cgroup_root, hugetlb)
.context("failed to apply hugetlb resource restrictions")?
@ -88,7 +88,7 @@ impl HugeTlb {
mod tests {
use super::*;
use crate::test::{create_temp_dir, set_fixture};
use oci_spec::LinuxHugepageLimit;
use oci_spec::runtime::LinuxHugepageLimit;
use std::fs::read_to_string;
#[test]


@ -3,12 +3,12 @@ use std::path::{Path, PathBuf};
use anyhow::{bail, Context, Result};
use crate::{
common,
common::{self, ControllerOpt},
stats::{self, BlkioDeviceStat, BlkioStats, StatsProvider},
};
use super::controller::Controller;
use oci_spec::{LinuxBlockIo, LinuxResources};
use oci_spec::runtime::LinuxBlockIo;
const CGROUP_BFQ_IO_WEIGHT: &str = "io.bfq.weight";
const CGROUP_IO_WEIGHT: &str = "io.weight";
@ -17,9 +17,9 @@ const CGROUP_IO_STAT: &str = "io.stat";
pub struct Io {}
impl Controller for Io {
fn apply(linux_resource: &LinuxResources, cgroup_root: &Path) -> Result<()> {
fn apply(controller_opt: &ControllerOpt, cgroup_root: &Path) -> Result<()> {
log::debug!("Apply io cgroup v2 config");
if let Some(io) = &linux_resource.block_io {
if let Some(io) = &controller_opt.resources.block_io {
Self::apply(cgroup_root, io).context("failed to apply io resource restrictions")?;
}
Ok(())
@ -151,7 +151,7 @@ mod test {
use super::*;
use crate::test::{create_temp_dir, set_fixture, setup};
use oci_spec::{LinuxBlockIo, LinuxThrottleDevice, LinuxWeightDevice};
use oci_spec::runtime::{LinuxBlockIo, LinuxThrottleDevice, LinuxWeightDevice};
use std::fs;
struct BlockIoBuilder {
block_io: LinuxBlockIo,


@ -7,7 +7,6 @@ use std::{
use anyhow::{bail, Result};
use nix::unistd::Pid;
use oci_spec::{FreezerState, LinuxResources};
#[cfg(feature = "cgroupsv2_devices")]
use super::devices::Devices;
@ -26,7 +25,7 @@ use super::{
unified::Unified,
};
use crate::{
common::{self, CgroupManager, PathBufExt, CGROUP_PROCS},
common::{self, CgroupManager, ControllerOpt, FreezerState, PathBufExt, CGROUP_PROCS},
stats::{Stats, StatsProvider},
};
@ -122,26 +121,26 @@ impl CgroupManager for Manager {
Ok(())
}
fn apply(&self, linux_resources: &LinuxResources) -> Result<()> {
fn apply(&self, controller_opt: &ControllerOpt) -> Result<()> {
for controller in CONTROLLER_TYPES {
match controller {
ControllerType::Cpu => Cpu::apply(linux_resources, &self.full_path)?,
ControllerType::CpuSet => CpuSet::apply(linux_resources, &self.full_path)?,
ControllerType::HugeTlb => HugeTlb::apply(linux_resources, &self.full_path)?,
ControllerType::Io => Io::apply(linux_resources, &self.full_path)?,
ControllerType::Memory => Memory::apply(linux_resources, &self.full_path)?,
ControllerType::Pids => Pids::apply(linux_resources, &self.full_path)?,
ControllerType::Freezer => Freezer::apply(linux_resources, &self.full_path)?,
ControllerType::Cpu => Cpu::apply(controller_opt, &self.full_path)?,
ControllerType::CpuSet => CpuSet::apply(controller_opt, &self.full_path)?,
ControllerType::HugeTlb => HugeTlb::apply(controller_opt, &self.full_path)?,
ControllerType::Io => Io::apply(controller_opt, &self.full_path)?,
ControllerType::Memory => Memory::apply(controller_opt, &self.full_path)?,
ControllerType::Pids => Pids::apply(controller_opt, &self.full_path)?,
ControllerType::Freezer => Freezer::apply(controller_opt, &self.full_path)?,
}
}
#[cfg(feature = "cgroupsv2_devices")]
Devices::apply(linux_resources, &self.cgroup_path)?;
Devices::apply(controller_opt, &self.cgroup_path)?;
for pseudoctlr in PSEUDO_CONTROLLER_TYPES {
if let PseudoControllerType::Unified = pseudoctlr {
Unified::apply(
linux_resources,
controller_opt,
&self.cgroup_path,
self.get_available_controllers()?,
)?
@ -159,11 +158,12 @@ impl CgroupManager for Manager {
}
fn freeze(&self, state: FreezerState) -> Result<()> {
let linux_resources = LinuxResources {
freezer: Some(state),
let controller_opt = ControllerOpt {
resources: Default::default(),
freezer_state: Some(state),
..Default::default()
};
Freezer::apply(&linux_resources, &self.full_path)
Freezer::apply(&controller_opt, &self.full_path)
}
fn stats(&self) -> Result<Stats> {
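Review bot: `Devices::apply` and `Unified::apply` are handed `&self.cgroup_path`, while every controller in the `match` above gets `&self.full_path`. The systemd manager in this same commit passes `&self.full_path` to `Devices::apply`. Both fields are defined outside the hunk; if `cgroup_path` is the path relative to the cgroup root, the device filter and the unified writes would not target the container's cgroup directory. In that case I would pass `&self.full_path` in both calls; otherwise a comment explaining why these two differ would help.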


@ -1,10 +1,10 @@
use anyhow::{bail, Context, Result};
use std::path::Path;
use oci_spec::{LinuxMemory, LinuxResources};
use oci_spec::runtime::LinuxMemory;
use crate::{
common,
common::{self, ControllerOpt},
stats::{self, MemoryData, MemoryStats, StatsProvider},
};
@ -18,8 +18,8 @@ const MEMORY_STAT: &str = "memory.stat";
pub struct Memory {}
impl Controller for Memory {
fn apply(linux_resources: &LinuxResources, cgroup_path: &Path) -> Result<()> {
if let Some(memory) = &linux_resources.memory {
fn apply(controller_opt: &ControllerOpt, cgroup_path: &Path) -> Result<()> {
if let Some(memory) = &controller_opt.resources.memory {
Self::apply(cgroup_path, memory)
.context("failed to apply memory resource restrictions")?;
}
@ -146,7 +146,7 @@ impl Memory {
mod tests {
use super::*;
use crate::test::{create_temp_dir, set_fixture};
use oci_spec::LinuxMemory;
use oci_spec::runtime::LinuxMemory;
use std::fs::read_to_string;
#[test]


@ -3,19 +3,19 @@ use std::path::Path;
use anyhow::{Context, Result};
use crate::{
common,
common::{self, ControllerOpt},
stats::{self, PidStats, StatsProvider},
};
use super::controller::Controller;
use oci_spec::{LinuxPids, LinuxResources};
use oci_spec::runtime::LinuxPids;
pub struct Pids {}
impl Controller for Pids {
fn apply(linux_resource: &LinuxResources, cgroup_root: &std::path::Path) -> Result<()> {
fn apply(controller_opt: &ControllerOpt, cgroup_root: &std::path::Path) -> Result<()> {
log::debug!("Apply pids cgroup v2 config");
if let Some(pids) = &linux_resource.pids {
if let Some(pids) = &controller_opt.resources.pids {
Self::apply(cgroup_root, pids).context("failed to apply pids resource restrictions")?;
}
Ok(())
@ -45,7 +45,7 @@ impl Pids {
mod tests {
use super::*;
use crate::test::{create_temp_dir, set_fixture};
use oci_spec::LinuxPids;
use oci_spec::runtime::LinuxPids;
#[test]
fn test_set_pids() {


@ -5,7 +5,6 @@ use std::{
use anyhow::{anyhow, bail, Result};
use nix::unistd::Pid;
use oci_spec::{FreezerState, LinuxResources};
use std::path::{Path, PathBuf};
#[cfg(feature = "cgroupsv2_devices")]
@ -14,7 +13,7 @@ use super::{
controller::Controller, controller_type::ControllerType, cpu::Cpu, cpuset::CpuSet,
freezer::Freezer, hugetlb::HugeTlb, io::Io, memory::Memory, pids::Pids,
};
use crate::common::{self, CgroupManager, PathBufExt};
use crate::common::{self, CgroupManager, ControllerOpt, FreezerState, PathBufExt};
use crate::stats::Stats;
const CGROUP_PROCS: &str = "cgroup.procs";
@ -227,21 +226,21 @@ impl CgroupManager for SystemDCGroupManager {
Ok(())
}
fn apply(&self, linux_resources: &LinuxResources) -> Result<()> {
fn apply(&self, controller_opt: &ControllerOpt) -> Result<()> {
for controller in CONTROLLER_TYPES {
match controller {
ControllerType::Cpu => Cpu::apply(linux_resources, &self.full_path)?,
ControllerType::CpuSet => CpuSet::apply(linux_resources, &self.full_path)?,
ControllerType::HugeTlb => HugeTlb::apply(linux_resources, &self.full_path)?,
ControllerType::Io => Io::apply(linux_resources, &self.full_path)?,
ControllerType::Memory => Memory::apply(linux_resources, &self.full_path)?,
ControllerType::Pids => Pids::apply(linux_resources, &self.full_path)?,
ControllerType::Freezer => Freezer::apply(linux_resources, &self.full_path)?,
ControllerType::Cpu => Cpu::apply(controller_opt, &self.full_path)?,
ControllerType::CpuSet => CpuSet::apply(controller_opt, &self.full_path)?,
ControllerType::HugeTlb => HugeTlb::apply(controller_opt, &self.full_path)?,
ControllerType::Io => Io::apply(controller_opt, &self.full_path)?,
ControllerType::Memory => Memory::apply(controller_opt, &self.full_path)?,
ControllerType::Pids => Pids::apply(controller_opt, &self.full_path)?,
ControllerType::Freezer => Freezer::apply(controller_opt, &self.full_path)?,
}
}
#[cfg(feature = "cgroupsv2_devices")]
Devices::apply(linux_resources, &self.full_path)?;
Devices::apply(controller_opt, &self.full_path)?;
Ok(())
}
@ -250,11 +249,12 @@ impl CgroupManager for SystemDCGroupManager {
}
fn freeze(&self, state: FreezerState) -> Result<()> {
let linux_resources = LinuxResources {
freezer: Some(state),
let controller_opt = ControllerOpt {
resources: Default::default(),
freezer_state: Some(state),
..Default::default()
};
Freezer::apply(&linux_resources, &self.full_path)
Freezer::apply(&controller_opt, &self.full_path)
}
fn stats(&self) -> Result<Stats> {


@ -1,20 +1,19 @@
use std::path::Path;
use anyhow::{Context, Result};
use oci_spec::LinuxResources;
use super::controller_type::ControllerType;
use crate::common;
use crate::common::{self, ControllerOpt};
pub struct Unified {}
impl Unified {
pub fn apply(
linux_resources: &LinuxResources,
controller_opt: &ControllerOpt,
cgroup_path: &Path,
controllers: Vec<ControllerType>,
) -> Result<()> {
if let Some(unified) = &linux_resources.unified {
if let Some(unified) = &controller_opt.resources.unified {
log::debug!("Apply unified cgroup config");
for (cgroup_file, value) in unified {
common::write_cgroup_file_str(cgroup_path.join(cgroup_file), value).map_err(
@ -49,6 +48,8 @@ mod tests {
use std::array::IntoIter;
use std::fs;
use oci_spec::runtime::LinuxResources;
use crate::test::{create_temp_dir, set_fixture};
use crate::v2::controller_type::ControllerType;
@ -75,8 +76,13 @@ mod tests {
..Default::default()
};
let controller_opt = ControllerOpt {
resources,
..Default::default()
};
// act
Unified::apply(&resources, &tmp, vec![]).expect("apply unified");
Unified::apply(&controller_opt, &tmp, vec![]).expect("apply unified");
// assert
let hugetlb_limit = fs::read_to_string(hugetlb_limit_path).expect("read hugetlb limit");
@ -105,8 +111,13 @@ mod tests {
..Default::default()
};
let controller_opt = ControllerOpt {
resources,
..Default::default()
};
// act
let result = Unified::apply(&resources, &tmp, vec![]);
let result = Unified::apply(&controller_opt, &tmp, vec![]);
// assert
assert!(result.is_err());
@ -131,9 +142,14 @@ mod tests {
..Default::default()
};
let controller_opt = ControllerOpt {
resources,
..Default::default()
};
// act
let result = Unified::apply(
&resources,
&controller_opt,
&tmp,
vec![ControllerType::HugeTlb, ControllerType::Cpu],
);
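Review bot: The keys of `controller_opt.resources.unified` are joined onto `cgroup_path` and written to with no visible check that they are plain file names. `Path::join` replaces the base when the key is absolute and keeps `..` components, so a key taken from config.json can direct `write_cgroup_file_str` outside the container's cgroup directory. A guard at the top of the loop, such as `if cgroup_file.contains('/') { anyhow::bail!("unified key {:?} must be a file name", cgroup_file); }`, would confine the writes to `cgroup_path`. The loop body continues outside the hunk, so confirm that neither it nor `write_cgroup_file_str` already performs this check.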


@ -50,7 +50,7 @@ test_cases=(
# "linux_rootfs_propagation/linux_rootfs_propagation.t"
# "linux_seccomp/linux_seccomp.t"
"linux_sysctl/linux_sysctl.t"
# "linux_uid_mappings/linux_uid_mappings.t"
"linux_uid_mappings/linux_uid_mappings.t"
"misc_props/misc_props.t"
"mounts/mounts.t"
# "pidfile/pidfile.t"


@ -1,19 +1,126 @@
//! Handles Management of Capabilities
use crate::syscall::Syscall;
use caps::Capability as CapsCapability;
use caps::*;
use anyhow::Result;
use oci_spec::LinuxCapabilities;
use oci_spec::runtime::{Capabilities, Capability as SpecCapability, LinuxCapabilities};
/// Converts a list of capability types to capabilities has set
fn to_set(caps: &[Capability]) -> CapsHashSet {
fn to_set(caps: &Capabilities) -> CapsHashSet {
let mut capabilities = CapsHashSet::new();
for c in caps {
capabilities.insert(*c);
let cap = c.to_cap();
capabilities.insert(cap);
}
capabilities
}
pub trait CapabilityExt {
/// Convert self to caps::Capability
fn to_cap(&self) -> caps::Capability;
/// Convert caps::Capability to self
fn from_cap(c: CapsCapability) -> Self;
}
impl CapabilityExt for SpecCapability {
/// Convert oci::runtime::Capability to caps::Capability
fn to_cap(&self) -> caps::Capability {
match self {
SpecCapability::AuditControl => CapsCapability::CAP_AUDIT_CONTROL,
SpecCapability::AuditRead => CapsCapability::CAP_AUDIT_READ,
SpecCapability::AuditWrite => CapsCapability::CAP_AUDIT_WRITE,
SpecCapability::BlockSuspend => CapsCapability::CAP_BLOCK_SUSPEND,
SpecCapability::Bpf => CapsCapability::CAP_BPF,
SpecCapability::CheckpointRestore => CapsCapability::CAP_CHECKPOINT_RESTORE,
SpecCapability::Chown => CapsCapability::CAP_CHOWN,
SpecCapability::DacOverride => CapsCapability::CAP_DAC_OVERRIDE,
SpecCapability::DacReadSearch => CapsCapability::CAP_DAC_READ_SEARCH,
SpecCapability::Fowner => CapsCapability::CAP_FOWNER,
SpecCapability::Fsetid => CapsCapability::CAP_FSETID,
SpecCapability::IpcLock => CapsCapability::CAP_IPC_LOCK,
SpecCapability::IpcOwner => CapsCapability::CAP_IPC_OWNER,
SpecCapability::Kill => CapsCapability::CAP_KILL,
SpecCapability::Lease => CapsCapability::CAP_LEASE,
SpecCapability::LinuxImmutable => CapsCapability::CAP_LINUX_IMMUTABLE,
SpecCapability::MacAdmin => CapsCapability::CAP_MAC_ADMIN,
SpecCapability::MacOverride => CapsCapability::CAP_MAC_OVERRIDE,
SpecCapability::Mknod => CapsCapability::CAP_MKNOD,
SpecCapability::NetAdmin => CapsCapability::CAP_NET_ADMIN,
SpecCapability::NetBindService => CapsCapability::CAP_NET_BIND_SERVICE,
SpecCapability::NetBroadcast => CapsCapability::CAP_NET_BROADCAST,
SpecCapability::NetRaw => CapsCapability::CAP_NET_RAW,
SpecCapability::Perfmon => CapsCapability::CAP_PERFMON,
SpecCapability::Setgid => CapsCapability::CAP_SETGID,
SpecCapability::Setfcap => CapsCapability::CAP_SETFCAP,
SpecCapability::Setpcap => CapsCapability::CAP_SETPCAP,
SpecCapability::Setuid => CapsCapability::CAP_SETUID,
SpecCapability::SysAdmin => CapsCapability::CAP_SYS_ADMIN,
SpecCapability::SysBoot => CapsCapability::CAP_SYS_BOOT,
SpecCapability::SysChroot => CapsCapability::CAP_SYS_CHROOT,
SpecCapability::SysModule => CapsCapability::CAP_SYS_MODULE,
SpecCapability::SysNice => CapsCapability::CAP_SYS_NICE,
SpecCapability::SysPacct => CapsCapability::CAP_SYS_PACCT,
SpecCapability::SysPtrace => CapsCapability::CAP_SYS_PTRACE,
SpecCapability::SysRawio => CapsCapability::CAP_SYS_RAWIO,
SpecCapability::SysResource => CapsCapability::CAP_SYS_RESOURCE,
SpecCapability::SysTime => CapsCapability::CAP_SYS_TIME,
SpecCapability::SysTtyConfig => CapsCapability::CAP_SYS_TTY_CONFIG,
SpecCapability::Syslog => CapsCapability::CAP_SYSLOG,
SpecCapability::WakeAlarm => CapsCapability::CAP_WAKE_ALARM,
}
}
/// Convert caps::Capability to oci::runtime::Capability
fn from_cap(c: CapsCapability) -> SpecCapability {
match c {
CapsCapability::CAP_AUDIT_CONTROL => SpecCapability::AuditControl,
CapsCapability::CAP_AUDIT_READ => SpecCapability::AuditRead,
CapsCapability::CAP_AUDIT_WRITE => SpecCapability::AuditWrite,
CapsCapability::CAP_BLOCK_SUSPEND => SpecCapability::BlockSuspend,
CapsCapability::CAP_BPF => SpecCapability::Bpf,
CapsCapability::CAP_CHECKPOINT_RESTORE => SpecCapability::CheckpointRestore,
CapsCapability::CAP_CHOWN => SpecCapability::Chown,
CapsCapability::CAP_DAC_OVERRIDE => SpecCapability::DacOverride,
CapsCapability::CAP_DAC_READ_SEARCH => SpecCapability::DacReadSearch,
CapsCapability::CAP_FOWNER => SpecCapability::Fowner,
CapsCapability::CAP_FSETID => SpecCapability::Fsetid,
CapsCapability::CAP_IPC_LOCK => SpecCapability::IpcLock,
CapsCapability::CAP_IPC_OWNER => SpecCapability::IpcOwner,
CapsCapability::CAP_KILL => SpecCapability::Kill,
CapsCapability::CAP_LEASE => SpecCapability::Lease,
CapsCapability::CAP_LINUX_IMMUTABLE => SpecCapability::LinuxImmutable,
CapsCapability::CAP_MAC_ADMIN => SpecCapability::MacAdmin,
CapsCapability::CAP_MAC_OVERRIDE => SpecCapability::MacOverride,
CapsCapability::CAP_MKNOD => SpecCapability::Mknod,
CapsCapability::CAP_NET_ADMIN => SpecCapability::NetAdmin,
CapsCapability::CAP_NET_BIND_SERVICE => SpecCapability::NetBindService,
CapsCapability::CAP_NET_BROADCAST => SpecCapability::NetBroadcast,
CapsCapability::CAP_NET_RAW => SpecCapability::NetRaw,
CapsCapability::CAP_PERFMON => SpecCapability::Perfmon,
CapsCapability::CAP_SETGID => SpecCapability::Setgid,
CapsCapability::CAP_SETFCAP => SpecCapability::Setfcap,
CapsCapability::CAP_SETPCAP => SpecCapability::Setpcap,
CapsCapability::CAP_SETUID => SpecCapability::Setuid,
CapsCapability::CAP_SYS_ADMIN => SpecCapability::SysAdmin,
CapsCapability::CAP_SYS_BOOT => SpecCapability::SysBoot,
CapsCapability::CAP_SYS_CHROOT => SpecCapability::SysChroot,
CapsCapability::CAP_SYS_MODULE => SpecCapability::SysModule,
CapsCapability::CAP_SYS_NICE => SpecCapability::SysNice,
CapsCapability::CAP_SYS_PACCT => SpecCapability::SysPacct,
CapsCapability::CAP_SYS_PTRACE => SpecCapability::SysPtrace,
CapsCapability::CAP_SYS_RAWIO => SpecCapability::SysRawio,
CapsCapability::CAP_SYS_RESOURCE => SpecCapability::SysResource,
CapsCapability::CAP_SYS_TIME => SpecCapability::SysTime,
CapsCapability::CAP_SYS_TTY_CONFIG => SpecCapability::SysTtyConfig,
CapsCapability::CAP_SYSLOG => SpecCapability::Syslog,
CapsCapability::CAP_WAKE_ALARM => SpecCapability::WakeAlarm,
CapsCapability::__Nonexhaustive => unreachable!("invalid capability"),
}
}
}
/// reset capabilities of process calling this to effective capabilities
/// effective capability set is set of capabilities used by kernel to perform checks
/// see https://man7.org/linux/man-pages/man7/capabilities.7.html for more information
@ -68,4 +175,12 @@ mod tests {
.collect();
assert_eq!(set_capability_args, vec![caps::all()]);
}
#[test]
fn test_convert_oci_spec_to_caps_type() {
let chown = oci_spec::runtime::Capability::Chown;
let cap = chown.to_cap();
assert_eq!(cap, Capability::CAP_CHOWN);
}
}
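Review bot: The two 41-arm tables in `to_cap` and `from_cap` are maintained by hand, and the only test added converts `Chown` in one direction. A swapped pair in either table would still compile and would silently give a container a different capability from the one its spec names. A round-trip test over every capability pins both tables at once: `for c in caps::all() { assert_eq!(oci_spec::runtime::Capability::from_cap(c).to_cap(), c); }`. The doc comment on `to_set` could also be corrected to `/// Converts a list of OCI capabilities into a caps::CapsHashSet`.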


@ -44,7 +44,7 @@ impl Delete {
if container.root.exists() {
let config_absolute_path = container.root.join("config.json");
log::debug!("load spec from {:?}", config_absolute_path);
let spec = oci_spec::Spec::load(config_absolute_path)?;
let spec = oci_spec::runtime::Spec::load(config_absolute_path)?;
log::debug!("spec: {:?}", spec);
// remove the directory storing container state


@ -9,7 +9,7 @@ use crate::container::Container;
use crate::container::ContainerStatus;
use crate::utils;
use cgroups;
use oci_spec::FreezerState;
use cgroups::common::FreezerState;
/// Structure to implement pause command
#[derive(Clap, Debug)]


@ -25,7 +25,7 @@ impl Ps {
if container.root.exists() {
let config_absolute_path = container.root.join("config.json");
log::debug!("load spec from {:?}", config_absolute_path);
let spec = oci_spec::Spec::load(config_absolute_path)?;
let spec = oci_spec::runtime::Spec::load(config_absolute_path)?;
log::debug!("spec: {:?}", spec);
let cgroups_path = utils::get_cgroup_path(
&spec.linux.context("no linux in spec")?.cgroups_path,


@ -9,7 +9,7 @@ use crate::container::Container;
use crate::container::ContainerStatus;
use crate::utils;
use cgroups;
use oci_spec::FreezerState;
use cgroups::common::FreezerState;
/// Structure to implement resume command
#[derive(Clap, Debug)]


@ -1,6 +1,6 @@
use anyhow::Result;
use clap::Clap;
use oci_spec::Spec;
use oci_spec::runtime::Spec;
use serde_json::to_writer_pretty;
use std::fs::File;


@ -37,7 +37,7 @@ impl Start {
}
let spec_path = container.root.join("config.json");
let spec = oci_spec::Spec::load(spec_path).context("failed to load spec")?;
let spec = oci_spec::runtime::Spec::load(spec_path).context("failed to load spec")?;
if let Some(hooks) = spec.hooks.as_ref() {
// While prestart is marked as deprecated in the OCI spec, the docker and integration test still
// uses it.


@ -8,7 +8,7 @@ use crate::{
};
use anyhow::{Context, Result};
use cgroups;
use oci_spec::Spec;
use oci_spec::runtime::Spec;
use std::{fs, io::Write, os::unix::prelude::RawFd, path::PathBuf};
use super::{Container, ContainerStatus};
@ -153,12 +153,16 @@ impl<'a> ContainerBuilderImpl<'a> {
log::debug!("init pid is {:?}", init_pid);
if self.rootless.is_none() && linux.resources.is_some() && self.init {
let controller_opt = cgroups::common::ControllerOpt {
resources: linux.resources.clone().unwrap(),
..Default::default()
};
cmanager
.add_task(init_pid)
.context("Failed to add tasks to cgroup manager")?;
cmanager
.apply(linux.resources.as_ref().unwrap())
.apply(&controller_opt)
.context("Failed to apply resource limits through cgroup")?;
}


@ -8,7 +8,7 @@ use chrono::DateTime;
use nix::unistd::Pid;
use chrono::Utc;
use oci_spec::Spec;
use oci_spec::runtime::Spec;
use procfs::process::Process;
use crate::syscall::syscall::create_syscall;
@ -198,7 +198,8 @@ impl Container {
}
pub fn spec(&self) -> Result<Spec> {
Spec::load(self.root.join("config.json"))
let spec = Spec::load(self.root.join("config.json"))?;
Ok(spec)
}
}


@ -1,6 +1,6 @@
use anyhow::{bail, Context, Result};
use nix::unistd;
use oci_spec::Spec;
use oci_spec::runtime::Spec;
use rootless::Rootless;
use std::{
fs,
@ -99,7 +99,7 @@ impl InitContainerBuilder {
fn load_spec(&self) -> Result<Spec> {
let source_spec_path = self.bundle.join("config.json");
let mut spec = oci_spec::Spec::load(&source_spec_path)?;
let mut spec = Spec::load(&source_spec_path)?;
if !spec.version.starts_with("1.0") {
bail!(
"runtime spec has incompatible version '{}'. Only 1.0.X is supported",
@ -110,7 +110,7 @@ impl InitContainerBuilder {
Ok(spec)
}
fn save_spec(&self, spec: &oci_spec::Spec, container_dir: &Path) -> Result<()> {
fn save_spec(&self, spec: &Spec, container_dir: &Path) -> Result<()> {
let target_spec_path = container_dir.join("config.json");
spec.save(target_spec_path)?;
Ok(())


@ -1,7 +1,10 @@
use anyhow::{bail, Context, Result};
use caps::Capability;
use nix::unistd;
use oci_spec::{LinuxCapabilities, LinuxNamespace, LinuxNamespaceType, Process, Spec};
use oci_spec::runtime::{
Capabilities as SpecCapabilities, Capability as SpecCapability, LinuxCapabilities,
LinuxNamespace, LinuxNamespaceType, Process, Spec,
};
use procfs::process::Namespace;
use std::{
@ -13,6 +16,7 @@ use std::{
str::FromStr,
};
use crate::capabilities::CapabilityExt;
use crate::{notify_socket::NotifySocket, rootless::Rootless, tty, utils};
use super::{builder::ContainerBuilder, builder_impl::ContainerBuilderImpl, Container};
@ -136,7 +140,7 @@ impl TenantContainerBuilder {
fn load_init_spec(&self, container_dir: &Path) -> Result<Spec> {
let spec_path = container_dir.join("config.json");
let spec = oci_spec::Spec::load(spec_path).context("failed to load spec")?;
let spec = Spec::load(spec_path).context("failed to load spec")?;
Ok(spec)
}
@ -196,8 +200,7 @@ impl TenantContainerBuilder {
);
}
spec.process.as_mut().context("no process in spec")?.cwd =
cwd.to_string_lossy().to_string();
spec.process.as_mut().context("no process in spec")?.cwd = cwd.to_path_buf();
}
Ok(())
@ -247,6 +250,9 @@ impl TenantContainerBuilder {
caps.push(Capability::from_str(cap)?);
}
let caps: SpecCapabilities =
caps.iter().map(|c| SpecCapability::from_cap(*c)).collect();
if let Some(ref mut spec_caps) = spec
.process
.as_mut()
@ -257,27 +263,27 @@ impl TenantContainerBuilder {
.ambient
.as_mut()
.context("no ambient caps in process spec")?
.append(&mut caps.clone());
.extend(&caps);
spec_caps
.bounding
.as_mut()
.context("no bounding caps in process spec")?
.append(&mut caps.clone());
.extend(&caps);
spec_caps
.effective
.as_mut()
.context("no effective caps in process spec")?
.append(&mut caps.clone());
.extend(&caps);
spec_caps
.inheritable
.as_mut()
.context("no inheritable caps in process spec")?
.append(&mut caps.clone());
.extend(&caps);
spec_caps
.permitted
.as_mut()
.context("no permitted caps in process spec")?
.append(&mut caps);
.extend(&caps);
} else {
spec.process
.as_mut()


@ -1,6 +1,6 @@
use anyhow::{bail, Context, Result};
use nix::{sys::signal, unistd::Pid};
use oci_spec::Hook;
use oci_spec::runtime::Hook;
use std::{
collections::HashMap, fmt, io::ErrorKind, io::Write, os::unix::prelude::CommandExt, process,
thread, time,
@ -138,7 +138,19 @@ mod test {
use super::*;
use anyhow::{bail, Result};
use serial_test::serial;
use std::path::PathBuf;
use std::{env, fs, path::PathBuf};
fn is_command_in_path(program: &str) -> bool {
if let Ok(path) = env::var("PATH") {
for p in path.split(':') {
let p_str = format!("{}/{}", p, program);
if fs::metadata(p_str).is_ok() {
return true;
}
}
}
false
}
// Note: the run_hook will require the use of pipe to write the container
// state into stdin of the hook command. When cargo test runs these tests in
@ -156,26 +168,31 @@ mod test {
}
{
assert!(is_command_in_path("true"), "The true was not found.");
let default_container: Container = Default::default();
let hook = Hook {
path: PathBuf::from("/bin/true"),
path: PathBuf::from("true"),
args: None,
env: None,
timeout: None,
};
let hooks = Some(vec![hook]);
run_hooks(hooks.as_ref(), Some(&default_container)).context("Failed /bin/true")?;
run_hooks(hooks.as_ref(), Some(&default_container)).context("Failed true")?;
}
{
assert!(
is_command_in_path("printenv"),
"The printenv was not found."
);
// Use `printenv` to make sure the environment is set correctly.
let default_container: Container = Default::default();
let hook = Hook {
path: PathBuf::from("/usr/bin/bash"),
path: PathBuf::from("bash"),
args: Some(vec![
String::from("bash"),
String::from("-c"),
String::from("/usr/bin/printenv key > /dev/null"),
String::from("printenv key > /dev/null"),
]),
env: Some(vec![String::from("key=value")]),
timeout: None,
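Review bot: Switching the hook paths from `/bin/true` and `/usr/bin/bash` to bare `true` and `bash` makes these tests depend on PATH lookup for hook binaries, which the OCI runtime spec rules out by requiring a hook `path` to be absolute. Hooks run on the host with the runtime's privileges, so a name resolved through PATH can end up executing a different binary than the one intended; `run_hooks` is outside this hunk, so whether it rejects relative paths cannot be seen here. `is_command_in_path` also accepts directories and non-executable files, because it only checks that `fs::metadata` succeeds. Resolving the binary once in the test and passing the absolute path to `Hook` keeps the portability gain without exercising relative hook paths.

```rust
use std::{env, path::PathBuf};

fn find_in_path(program: &str) -> Option<PathBuf> {
    let path = env::var_os("PATH")?;
    env::split_paths(&path)
        .map(|dir| dir.join(program))
        .find(|candidate| candidate.is_file())
}

// … unchanged: test setup and default_container …
let true_path = find_in_path("true").expect("The true was not found.");
let hook = Hook {
    path: true_path,
    // … unchanged: args, env, timeout …
```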


@ -10,7 +10,7 @@
use crate::syscall::{syscall::create_syscall, Syscall};
use anyhow::{Context, Result};
use nix::{fcntl, sched::CloneFlags, sys::stat, unistd};
use oci_spec::{LinuxNamespace, LinuxNamespaceType};
use oci_spec::runtime::{LinuxNamespace, LinuxNamespaceType};
use std::collections;
/// Holds information about namespaces
@ -87,7 +87,7 @@ impl Namespaces {
mod tests {
use super::*;
use crate::syscall::test::TestHelperSyscall;
use oci_spec::LinuxNamespaceType;
use oci_spec::runtime::LinuxNamespaceType;
fn gen_sample_linux_namespaces() -> Vec<LinuxNamespace> {
vec![


@ -7,8 +7,7 @@ use nix::{
sys::statfs,
unistd::{self, Gid, Uid},
};
use oci_spec::User;
use oci_spec::{LinuxNamespaceType, Spec};
use oci_spec::runtime::{LinuxNamespaceType, Spec, User};
use std::collections::HashMap;
use std::{
env,
@ -396,7 +395,8 @@ pub fn container_init(
}
}
let do_chdir = if proc.cwd.is_empty() {
let cwd = format!("{}", proc.cwd.display());
let do_chdir = if cwd.is_empty() {
false
} else {
// This chdir must run before setting up the user.
@ -466,7 +466,8 @@ pub fn container_init(
// change directory to process.cwd if process.cwd is not empty
if do_chdir {
unistd::chdir(&*proc.cwd).with_context(|| format!("Failed to chdir {}", proc.cwd))?;
unistd::chdir(&*proc.cwd)
.with_context(|| format!("Failed to chdir {}", proc.cwd.display()))?;
}
// Reset the process env based on oci spec.
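Review bot: `let cwd = format!("{}", proc.cwd.display());` allocates a lossy string only to test it for emptiness. `let do_chdir = if proc.cwd.as_os_str().is_empty() {` performs the same check directly on the path and removes the temporary. `container_init` starts and ends outside these hunks.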


@ -7,11 +7,11 @@ use nix::errno::Errno;
use nix::fcntl::{open, OFlag};
use nix::mount::mount as nix_mount;
use nix::mount::MsFlags;
use nix::sys::stat::Mode;
use nix::sys::stat::{mknod, umask};
use nix::sys::stat::{Mode, SFlag};
use nix::unistd::{chown, close};
use nix::unistd::{Gid, Uid};
use oci_spec::{LinuxDevice, LinuxDeviceType, Mount, Spec};
use oci_spec::runtime::{LinuxDevice, LinuxDeviceType, Mount, Spec};
use std::fs::OpenOptions;
use std::fs::{canonicalize, create_dir_all, remove_file};
use std::os::unix::fs::symlink;
@ -212,9 +212,9 @@ fn bind_dev(rootfs: &Path, dev: &LinuxDevice) -> Result<()> {
)?;
close(fd)?;
nix_mount(
Some(&full_container_path),
&dev.path,
None::<&str>,
Some(&dev.path),
&full_container_path,
Some("bind"),
MsFlags::MS_BIND,
None::<&str>,
)?;
@ -222,6 +222,15 @@ fn bind_dev(rootfs: &Path, dev: &LinuxDevice) -> Result<()> {
Ok(())
}
fn to_sflag(dev_type: LinuxDeviceType) -> SFlag {
match dev_type {
LinuxDeviceType::A => SFlag::S_IFBLK | SFlag::S_IFCHR | SFlag::S_IFIFO,
LinuxDeviceType::B => SFlag::S_IFBLK,
LinuxDeviceType::C | LinuxDeviceType::U => SFlag::S_IFCHR,
LinuxDeviceType::P => SFlag::S_IFIFO,
}
}
fn mknod_dev(rootfs: &Path, dev: &LinuxDevice) -> Result<()> {
fn makedev(major: i64, minor: i64) -> u64 {
((minor & 0xff)
@ -233,7 +242,7 @@ fn mknod_dev(rootfs: &Path, dev: &LinuxDevice) -> Result<()> {
let full_container_path = rootfs.join(dev.path.as_in_container()?);
mknod(
&full_container_path,
dev.typ.to_sflag()?,
to_sflag(dev.typ),
Mode::from_bits_truncate(dev.file_mode.unwrap_or(0)),
makedev(dev.major, dev.minor),
)?;
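Review bot: `to_sflag` maps `LinuxDeviceType::A` to `S_IFBLK | S_IFCHR | S_IFIFO`, which is not a single file type, so the `mknod` call in `mknod_dev` will presumably be rejected by the kernel for such a device, and the error will not name the cause. The type `a` is a wildcard for device cgroup rules rather than something a node can be created as. The call it appears to replace, `dev.typ.to_sflag()?`, was fallible. Keeping that shape reports the bad spec clearly: `fn to_sflag(dev_type: LinuxDeviceType) -> Result<SFlag>`, an arm `LinuxDeviceType::A => anyhow::bail!("device type 'a' cannot be created with mknod")`, and `to_sflag(dev.typ)?` at the call site. The body of `mknod_dev` continues outside the hunk.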


@ -1,7 +1,7 @@
use crate::{namespaces::Namespaces, utils};
use anyhow::{bail, Context, Result};
use nix::unistd::Pid;
use oci_spec::{Linux, LinuxIdMapping, LinuxNamespace, LinuxNamespaceType, Mount, Spec};
use oci_spec::runtime::{Linux, LinuxIdMapping, LinuxNamespace, LinuxNamespaceType, Mount, Spec};
use std::path::Path;
use std::process::Command;
use std::{env, path::PathBuf};
@ -231,7 +231,7 @@ pub fn write_gid_mapping(target_pid: Pid, rootless: Option<&Rootless>) -> Result
fn write_id_mapping(
map_file: &str,
mappings: &[oci_spec::LinuxIdMapping],
mappings: &[LinuxIdMapping],
map_binary: Option<&Path>,
) -> Result<()> {
let mappings: Vec<String> = mappings


@ -22,7 +22,7 @@ use nix::{
};
use nix::{sched::unshare, sys::stat::Mode};
use oci_spec::LinuxRlimit;
use oci_spec::runtime::LinuxRlimit;
use super::Syscall;
use crate::capabilities;


@ -10,7 +10,7 @@ use nix::{
unistd::{Gid, Uid},
};
use oci_spec::LinuxRlimit;
use oci_spec::runtime::LinuxRlimit;
use crate::syscall::{linux::LinuxSyscall, test::TestHelperSyscall};


@ -2,7 +2,7 @@ use std::{any::Any, cell::RefCell, ffi::OsStr, sync::Arc};
use caps::{errors::CapsError, CapSet, CapsHashSet};
use nix::sched::CloneFlags;
use oci_spec::LinuxRlimit;
use oci_spec::runtime::LinuxRlimit;
use super::Syscall;