diff --git a/.cirrus.yml b/.cirrus.yml index f4d959d5cc8..74b7deae4eb 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -1,29 +1,33 @@ --- -# We use Cirrus for Vagrant tests, because macOS instances of GHA -# are too slow and flaky, and Linux instances of GHA do not support KVM. +# We use Cirrus for Vagrant tests and native CentOS 7 and 8, because macOS +# instances of GHA are too slow and flaky, and Linux instances of GHA do not +# support KVM. # NOTE Cirrus execution environments lack a terminal, needed for # some integration tests. So we use `ssh -tt` command to fake a terminal. -compute_engine_instance: - image_project: cirrus-images - image: family/docker-kvm - platform: linux - nested_virtualization: true - # CPU limit: `16 / NTASK`: see https://cirrus-ci.org/faq/#are-there-any-limits - cpu: 8 - # Memory limit: `4GB * NCPU` - memory: 32G - -vagrant_task: +task: timeout_in: 30m + env: DEBIAN_FRONTEND: noninteractive HOME: /root # yamllint disable rule:key-duplicates matrix: DISTRO: fedora34 - DISTRO: centos7 + + name: vagrant DISTRO:$DISTRO + + compute_engine_instance: + image_project: cirrus-images + image: family/docker-kvm + platform: linux + nested_virtualization: true + # CPU limit: `16 / NTASK`: see https://cirrus-ci.org/faq/#are-there-any-limits + cpu: 8 + # Memory limit: `4GB * NCPU` + memory: 32G + host_info_script: | uname -a echo "-----" 
@@ -65,3 +69,89 @@ vagrant_task: else ssh -tt default "sudo -i make -C /vagrant localrootlessintegration" fi + +task: + timeout_in: 30m + + env: + HOME: /root + CIRRUS_WORKING_DIR: /home/runc + GO_VERSION: "1.16.6" + BATS_VERSION: "v1.3.0" + # yamllint disable rule:key-duplicates + matrix: + DISTRO: centos-7 + DISTRO: centos-stream-8 + + name: ci / $DISTRO + + compute_engine_instance: + image_project: centos-cloud + image: family/$DISTRO + platform: linux + cpu: 4 + memory: 8G + + install_dependencies_script: | + yum install -y -q epel-release + case $DISTRO in + centos-7) + (cd /etc/yum.repos.d && curl -O https://copr.fedorainfracloud.org/coprs/adrian/criu-el7/repo/epel-7/adrian-criu-el7-epel-7.repo) + # sysctl + echo "user.max_user_namespaces=15076" > /etc/sysctl.d/userns.conf + sysctl --system + ;; + centos-stream-8) + yum install -y -q dnf-plugins-core + yum config-manager --set-enabled powertools + ;; + esac + yum install -y -q gcc git iptables jq glibc-static libseccomp-devel make criu + # install Go + curl -fsSL "https://dl.google.com/go/go${GO_VERSION}.linux-amd64.tar.gz" | tar Cxz /usr/local + # install bats + cd /tmp + git clone https://github.com/bats-core/bats-core + cd bats-core + git checkout $BATS_VERSION + ./install.sh /usr/local + cd - + # Add a user for rootless tests + useradd -u2000 -m -d/home/rootless -s/bin/bash rootless + # set PATH + echo 'export PATH=/usr/local/go/bin:/usr/local/bin:$PATH' >> /root/.bashrc + # Setup ssh localhost for terminal emulation (script -e did not work) + ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519 -N "" + cat /root/.ssh/id_ed25519.pub >> /root/.ssh/authorized_keys + chmod 400 /root/.ssh/authorized_keys + ssh-keyscan localhost >> /root/.ssh/known_hosts + echo -e "Host localhost\n\tStrictHostKeyChecking no\t\nIdentityFile /root/.ssh/id_ed25519\n" >> /root/.ssh/config + sed -e "s,PermitRootLogin.*,PermitRootLogin prohibit-password,g" -i /etc/ssh/sshd_config + systemctl restart sshd + host_info_script: | + uname -a + 
echo "-----" + cat /etc/os-release + echo "-----" + cat /proc/cpuinfo + echo "-----" + df -T + echo "-----" + systemctl --version + unit_tests_script: | + ssh -tt localhost "make -C /home/runc localunittest" + integration_systemd_script: | + ssh -tt localhost "make -C /home/runc localintegration RUNC_USE_SYSTEMD=yes" + integration_fs_script: | + ssh -tt localhost "make -C /home/runc localintegration" + integration_systemd_rootless_script: | + echo "SKIP: integration_systemd_rootless_script requires cgroup v2" + integration_fs_rootless_script: | + case $DISTRO in + centos-7) + echo "SKIP: FIXME: integration_fs_rootless_script is skipped because of EPERM on writing cgroup.procs" + ;; + centos-stream-8) + ssh -tt localhost "make -C /home/runc localrootlessintegration" + ;; + esac diff --git a/Vagrantfile.centos7 b/Vagrantfile.centos7 deleted file mode 100644 index b8ae1db42ad..00000000000 --- a/Vagrantfile.centos7 +++ /dev/null 
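Review bot: In `install_dependencies_script` the Go toolchain is streamed straight from `curl ... | tar Cxz /usr/local` with no digest check, so the job trusts whatever the download returns; the deleted Vagrantfile had the same gap, and this rewrite is the place to close it. Download to a file and verify first: `curl -fsSLo /tmp/go.tgz "https://dl.google.com/go/go${GO_VERSION}.linux-amd64.tar.gz"`, `echo "<GO_SHA256_PLACEHOLDER>  /tmp/go.tgz" | sha256sum -c -`, `tar Cxzf /usr/local /tmp/go.tgz` (fill the placeholder from the published checksum for the pinned version). The same reasoning applies to `git checkout $BATS_VERSION`, which checks out a movable tag rather than a commit id. Separately, the `sed` on `/etc/ssh/sshd_config` uses `PermitRootLogin.*`, which also matches a commented-out `#PermitRootLogin yes` line and leaves it commented, so the hardening may be a no-op depending on the image; anchoring it as `s,^#\?PermitRootLogin.*,PermitRootLogin prohibit-password,` makes it deterministic, and the `echo -e` ssh config line has a stray `\t` before `\n` after `StrictHostKeyChecking no`.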
@@ -1,52 +0,0 @@ -# -*- mode: ruby -*- -# vi: set ft=ruby : - -Vagrant.configure("2") do |config| - config.vm.box = "centos/7" - config.vm.provider :virtualbox do |v| - v.memory = 2048 - v.cpus = 2 - end - config.vm.provider :libvirt do |v| - v.memory = 2048 - v.cpus = 2 - end - config.vm.provision "shell", inline: <<-SHELL - set -e -u -o pipefail - - # configuration - GO_VERSION="1.16.4" - BATS_VERSION="v1.3.0" - - # install yum packages - yum install -y -q epel-release - (cd /etc/yum.repos.d && curl -O https://copr.fedorainfracloud.org/coprs/adrian/criu-el7/repo/epel-7/adrian-criu-el7-epel-7.repo) - yum install -y -q gcc git iptables jq glibc-static libseccomp-devel make criu - yum clean all - - # install Go - curl -fsSL "https://dl.google.com/go/go${GO_VERSION}.linux-amd64.tar.gz" | tar Cxz /usr/local - - # install bats - git clone https://github.com/bats-core/bats-core - cd bats-core - git checkout $BATS_VERSION - ./install.sh /usr/local - cd .. - rm -rf bats-core - - # set PATH (NOTE: sudo without -i ignores this PATH) - cat >> /etc/profile.d/sh.local < /etc/sysctl.d/userns.conf - sysctl --system - - # Add a user for rootless tests - useradd -u2000 -m -d/home/rootless -s/bin/bash rootless - SHELL -end diff --git a/go.mod.orig b/go.mod.orig new file mode 100644 index 00000000000..63cc5bc91cf --- /dev/null +++ b/go.mod.orig 
@@ -0,0 +1,34 @@ +module github.com/opencontainers/runc + +go 1.13 + +require ( + github.com/bits-and-blooms/bitset v1.2.0 + github.com/checkpoint-restore/go-criu/v5 v5.0.0 + github.com/cilium/ebpf v0.6.2 + github.com/containerd/console v1.0.2 + github.com/coreos/go-systemd/v22 v22.3.2 + github.com/cyphar/filepath-securejoin v0.2.3 + github.com/docker/go-units v0.4.0 + github.com/godbus/dbus/v5 v5.0.4 + github.com/moby/sys/mountinfo v0.4.1 + github.com/mrunalp/fileutils v0.5.0 + github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 +<<<<<<< HEAD + github.com/opencontainers/selinux v1.8.2 + github.com/seccomp/libseccomp-golang v0.9.1 + github.com/sirupsen/logrus v1.8.1 +======= + github.com/opencontainers/selinux v1.8.0 + github.com/pkg/errors v0.9.1 + github.com/seccomp/libseccomp-golang v0.9.2-0.20210429002308-3879420cc921 + github.com/sirupsen/logrus v1.7.0 +>>>>>>> 1ba567d4 (Add support for seccomp actions `ActKillThread` and `ActKillProcess`) + github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 + // NOTE: urfave/cli must be <= v1.22.1 due to a regression: https://github.com/urfave/cli/issues/1092 + github.com/urfave/cli v1.22.1 + github.com/vishvananda/netlink v1.1.0 + golang.org/x/net v0.0.0-20201224014010-6772e930b67b + golang.org/x/sys v0.0.0-20210426230700-d19ff857e887 + google.golang.org/protobuf v1.27.1 +) diff --git a/libcontainer/configs/config.go b/libcontainer/configs/config.go index 2dad5c8b575..67719790e0d 100644 --- a/libcontainer/configs/config.go +++ b/libcontainer/configs/config.go @@ -47,6 +47,8 @@ const ( Allow Trace Log + KillThread + KillProcess ) // Operator is a comparison operator to be used when matching syscall arguments in Seccomp diff --git a/libcontainer/seccomp/patchbpf/enosys_linux.go b/libcontainer/seccomp/patchbpf/enosys_linux.go index ccf929d7219..8b058576923 100644 --- a/libcontainer/seccomp/patchbpf/enosys_linux.go +++ b/libcontainer/seccomp/patchbpf/enosys_linux.go 
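Review bot: `go.mod.orig` is a merge-conflict backup, still carrying `<<<<<<< HEAD`, `=======` and `>>>>>>> 1ba567d4` markers, and should not be added to the repository; drop it from the commit and consider ignoring `*.orig` so it cannot come back. The conflict body shows the two sides disagreeing on `libseccomp-golang`, `selinux`, `logrus` and `pkg/errors` versions, and the resolved `go.mod` is not in this diff, so the reviewer cannot see which side won; please confirm the real `go.mod` (and vendor tree, if used) carries the `libseccomp-golang` version that exports the constants used elsewhere in this commit.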
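Review bot: `KillThread` and `KillProcess` join the exported `Action` enum without doc comments, although the difference between them is exactly what a policy author needs to know: in libseccomp terms a thread-kill action terminates only the thread that made the call, while a process-kill terminates the whole process, so a filter meant to stop a multi-threaded container process must use `KillProcess`. Suggest `// KillThread kills only the calling thread (SCMP_ACT_KILL_THREAD).` and `// KillProcess kills the whole process (SCMP_ACT_KILL_PROCESS).` above the two new identifiers. The `const (` block opens above the hunk; appending at the end keeps the existing iota values stable, which is the right choice.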
@@ -583,7 +583,7 @@ func enosysPatchFilter(config *configs.Seccomp, filter *libseccomp.ScmpFilter) ( func filterFlags(filter *libseccomp.ScmpFilter) (flags uint, noNewPrivs bool, err error) { // Ignore the error since pre-2.4 libseccomp is treated as API level 0. - apiLevel, _ := libseccomp.GetApi() + apiLevel, _ := libseccomp.GetAPI() noNewPrivs, err = filter.GetNoNewPrivsBit() if err != nil { diff --git a/libcontainer/seccomp/seccomp_linux.go b/libcontainer/seccomp/seccomp_linux.go index fbbe8219782..a5c4003a2cb 100644 --- a/libcontainer/seccomp/seccomp_linux.go +++ b/libcontainer/seccomp/seccomp_linux.go @@ -82,6 +82,10 @@ func getAction(act configs.Action, errnoRet *uint) (libseccomp.ScmpAction, error switch act { case configs.Kill: return actKill, nil + case configs.KillThread: + return libseccomp.ActKillThread, nil + case configs.KillProcess: + return libseccomp.ActKillProcess, nil case configs.Errno: if errnoRet != nil { return libseccomp.ActErrno.SetReturnCode(int16(*errnoRet)), nil diff --git a/tests/integration/update.bats b/tests/integration/update.bats index d51e93d0d47..2004d9efc2e 100644 --- a/tests/integration/update.bats +++ b/tests/integration/update.bats @@ -537,7 +537,7 @@ EOF root_period=$(cat "${CGROUP_CPU_BASE_PATH}/cpu.rt_period_us") root_runtime=$(cat "${CGROUP_CPU_BASE_PATH}/cpu.rt_runtime_us") # the following IFS magic sets dirs=("runc-cgroups-integration-test" "test-cgroup") - IFS='/' read -r -a dirs <<<"$REL_CGROUPS_PATH" + IFS='/' read -r -a dirs <<<"${REL_CGROUPS_PATH#/}" for ((i = 0; i < ${#dirs[@]}; i++)); do local target="$CGROUP_CPU_BASE_PATH" for ((j = 0; j <= i; j++)); do diff --git a/tests/rootless.sh b/tests/rootless.sh index bacea49d649..952a6dd8d9e 100755 --- a/tests/rootless.sh +++ b/tests/rootless.sh @@ -1,4 +1,4 @@ -#!/bin/bash +#!/bin/bash -x # Copyright (C) 2017 SUSE LLC # # Licensed under the Apache License, Version 2.0 (the "License"); 
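Review bot: The new `case configs.KillThread` / `configs.KillProcess` branches return `libseccomp.ActKillThread` and `libseccomp.ActKillProcess` directly, whereas the neighbouring `configs.Kill` goes through the package-level `actKill`, which presumably exists to cope with libseccomp version differences; if that indirection encodes a runtime library check, the new constants likely need the same treatment, since `SCMP_ACT_KILL_PROCESS` is not known to libseccomp before 2.4 or kernels before 4.14, and `getAction` offers no fallback or error for that case. A short comment on the new cases stating the minimum libseccomp/kernel they rely on would help the next reader, e.g. `// KillThread/KillProcess need libseccomp >= 2.4 (SCMP_ACT_KILL_PROCESS); see actKill for the legacy path.` `getAction` continues past the end of the hunk.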
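Review bot: The comment above the changed line still only says the IFS split `sets dirs=("runc-cgroups-integration-test" "test-cgroup")` and does not explain why the leading `/` is now stripped from `REL_CGROUPS_PATH`; with it present, `dirs[0]` is an empty string and the first `target` built by the loop below would presumably resolve to the cgroup base path itself. Suggest extending the comment: `# (leading / stripped first, otherwise dirs[0] is an empty element)`. The enclosing test starts and ends outside the hunk.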
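Review bot: `#!/bin/bash -x` switches on xtrace for the whole of `tests/rootless.sh`, which reads as leftover debugging: every expanded command, including the contents of any variable the script touches, is written to stderr and so into CI logs, and the flag is silently ignored when the file is run as `bash tests/rootless.sh` instead of being executed directly. If tracing is wanted for the new CentOS jobs, make it opt-in inside the script, e.g. `[[ -n "${ROOTLESS_DEBUG:-}" ]] && set -x` (constructed variable name), and keep the shebang as `#!/bin/bash`.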
@@ -114,6 +114,15 @@ function enable_cgroup() { # necessary, and might actually be a bug in our impl of cgroup # handling. [[ "$cg" == "cpuset" ]] && chown rootless:rootless "$CGROUP_MOUNT/$cg$CGROUP_PATH/cpuset."{cpus,mems} + # The following is required by "update rt period and runtime". + if [[ "$cg" == "cpu" ]]; then + if [[ -e "$CGROUP_MOUNT/$cg$CGROUP_PATH/cpu.rt_period_us" ]]; then + chown rootless:rootless "$CGROUP_MOUNT/$cg$CGROUP_PATH/cpu.rt_period_us" + fi + if [[ -e "$CGROUP_MOUNT/$cg$CGROUP_PATH/cpu.rt_runtime_us" ]]; then + chown rootless:rootless "$CGROUP_MOUNT/$cg$CGROUP_PATH/cpu.rt_runtime_us" + fi + fi done # cgroup v2 if [[ -e "$CGROUP_MOUNT/cgroup.controllers" ]]; then
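Review bot: The two new `if [[ -e ... ]]; then chown ...; fi` blocks spell the same path out four times; a loop over the file names is shorter, matches the `cpuset` line just above, and leaves one place to extend when further `cpu.*` knobs are needed: `for f in cpu.rt_period_us cpu.rt_runtime_us; do` / `[[ -e "$CGROUP_MOUNT/$cg$CGROUP_PATH/$f" ]] && chown rootless:rootless "$CGROUP_MOUNT/$cg$CGROUP_PATH/$f"` / `done`. Handing these files to the rootless user lets it set the cgroup's realtime bandwidth, which is what the quoted test exercises, so the comment could name that test file explicitly rather than part of its title. `enable_cgroup` begins and ends outside the hunk.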