Supersedes #477
/test
/test
lgtm @sboeuf
@amshinde ok let me split that :)
/test
@amshinde done! PTAL
thanks @sboeuf !
Thanks @sboeuf. Please can you add in the git shortlog showing the changes this re-vendoring introduces by inserting the output of the scriptlet here into the commit:
The agent vendoring needs to be updated regarding the libcontainer dependency so that it does not run into the following issue: "failed to write to cgroups.proc" when running "kata-runtime exec" commands. Shortlog since last vendoring of github.com/opencontainers/runc:
Fixes kata-containers#476 Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
Commit bd3c4f844abed063a0d0a8575eb596159f33732c is included through the new libcontainer vendoring: Fix race in runc exec. There is a race in runc exec when the init process stops just before the check for the container status. It is then wrongly assumed that we are trying to start an init process instead of an exec process. This commit adds an Init field to libcontainer Process to distinguish between init and exec processes to prevent this race. In order to prevent this commit from breaking Kata Containers, we have to provide explicit information on whether the process is the init process or not, depending on whether we're creating a new container or exec'ing a process on an existing container. Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
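The race this commit message describes, as an added illustration that is not libcontainer's or the Kata agent's code: a toy model in which the old decision infers "init or exec" from the container status at call time, beside the explicit Init flag the vendored fix introduces. The Container and Process types and the RaceScenario function are assumptions made for this example.

```go
package main

import "errors"

// Process is a cut-down stand-in (assumption) for libcontainer's Process;
// the explicit Init flag is what the vendored "Fix race in runc exec" adds.
type Process struct{ Init bool }

// Container is a toy model, not libcontainer's type: it records whether init
// is alive and how many init/exec processes have been launched.
type Container struct {
	Running      bool
	Inits, Execs int
}
var ErrNotRunning = errors.New("container is not running; cannot exec")

// StartOld infers the role from status: a stopped container means "this must
// be init", so an exec issued right after init dies becomes a second init.
func (c *Container) StartOld(p *Process) error {
	if !c.Running {
		c.Inits, c.Running = c.Inits+1, true
		return nil
	}
	c.Execs++
	return nil
}

// StartNew trusts the caller's declared intent instead of guessing, so an
// exec into a container whose init has already exited is rejected.
func (c *Container) StartNew(p *Process) error {
	if p.Init {
		c.Inits, c.Running = c.Inits+1, true
		return nil
	}
	if !c.Running {
		return ErrNotRunning
	}
	c.Execs++
	return nil
}

// RaceScenario replays the race: start init, let it exit just before the
// status check, then issue the same exec through both decision paths.
func RaceScenario() (oldInits int, newErr error) {
	old, fixed := &Container{}, &Container{}
	_, _ = old.StartOld(&Process{}), fixed.StartNew(&Process{Init: true})
	old.Running, fixed.Running = false, false // init exits before the check
	exec := &Process{}
	_ = old.StartOld(exec) // silently launched as a second init
	return old.Inits, fixed.StartNew(exec)
}

func main() { _, _ = RaceScenario() }
```

With the old logic the container ends up with two inits; with the explicit flag the exec is refused with ErrNotRunning.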
Latest libcontainer vendoring update introduced a new function as part of the Container Go interface, OCIState(). The mockContainer interface needs to implement this too, otherwise the tests won't compile. Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
/test
@jodh-intel commit message updated. Thanks for reminding me, I had totally forgotten about that...
@devimc
Thanks @sboeuf.
lgtm
@sboeuf did you measure the memory footprint impact of this change? see opencontainers/runc@0a8e411#commitcomment-32280015
changing to dnm, I have a question
@devimc @grahamwhaley good point, no I haven't done this check since I thought you had done it when you advised moving to a new version of libcontainer.
taking a look at the CI failures here: The other issue I see is a failure in the shimv2 tests, which I haven't seen before:
restarting jobs...
Thanks @chavafg for the quick feedback.
@sboeuf - I think the best way to look at impact is to use the report tool, as that way you get to do a side-by-side comparison of before/after on your machine, and the report shows a lot more useful detail than the metrics CI will.
Thanks @grahamwhaley
I still see failures on shimv2 on fedora and initrd jobs.
from http://jenkins.katacontainers.io/job/kata-containers-agent-ubuntu-18-04-PR-initrd/362/console
@sboeuf I'll run the tool and get back with results when I have them.
@sboeuf @grahamwhaley @devimc
thx @chavafg - if anything,
@sboeuf shimv2 is also being tested on the other jobs, but on these 2 jobs it seems to fail constantly. Not sure if we are introducing some instabilities here... Will try to reproduce locally.
Removing
Hi @sboeuf, I don't think it can be measured with a simple boot metrics as we did before. With the CVE-2019-5736 fix, each
Adding back
@bergwolf we need an in-depth discussion on this topic and have a decision on it. |
@gnawux @sboeuf As I was trying to summarize the current situation, I found that runc (libcontainer) has modified its fix to
The current fix of protecting the host runc binary works as follows:
Since the very first method does not involve any data copy, it consumes almost no additional memory overhead. Unless it fails for some reason, we won't see any visible memory impact for kata containers. For that reason, I'm giving the PR LGTM. OTOH, if some day we implement readonly container rootfs support, the fix can still have memory footprint impact. A simple workaround is to create the bindmount to a file under