[1.0] cgroupv2: ebpf: ignore inaccessible existing programs #3087
Conversation
LGTM.
Ah wait, this PR was made against the wrong branch -- should be against release-1.0.
(Good thing I do merges manually --
Force-pushed from 9389a44 to 29924cc
My bad 🤦🏻 Fixed.
We need to update the eBPF library so that we can get the raw syscall errors from bpf(2) syscalls using errors.Is.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit fe518a0)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

This is necessary in order for runc to be able to configure device cgroups with --systemd-cgroup on distributions that have very strict SELinux policies such as openSUSE MicroOS[1].

The core issue here is that systemd is adding its own BPF policy that has an SELinux label such that runc cannot interact with it. In order to work around this, we can just ignore the policy -- in theory this behaviour is not correct but given that the most obvious case (--systemd-cgroup) will still handle updates correctly, this logic is reasonable.

[1]: https://bugzilla.suse.com/show_bug.cgi?id=1182428

Fixes: d0f2c25 ("cgroup2: devices: replace all existing filters when attaching")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit 57e3c54)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Force-pushed from 29924cc to 4dc207a
LGTM.
This is the first stable release in the 1.0 branch, fixing a few medium and high priority issues with runc 1.0.0, including a few that affect Kubernetes' usage of libcontainer.

Bugfixes:
- Fixed occasional runc exec/run failure ("interrupted system call") on an Azure volume. ([#3074](opencontainers/runc#3074))
- Fixed "unable to find groups ... token too long" error with /etc/group containing lines longer than 64K characters. ([#3079](opencontainers/runc#3079))
- cgroup/systemd/v1: fix leaving cgroup frozen after Set if a parent cgroup is frozen. This is a regression in 1.0.0, not affecting runc itself but some of libcontainer users (e.g. Kubernetes). ([#3085](opencontainers/runc#3085))
- cgroupv2: bpf: Ignore inaccessible existing programs in case of permission error when handling replacement of existing bpf cgroup programs. This fixes a regression in 1.0.0, where some SELinux policies would block runc from being able to run entirely. ([#3087](opencontainers/runc#3087))
- cgroup/systemd/v2: don't freeze cgroup on Set. ([#3092](opencontainers/runc#3092))
- cgroup/systemd/v1: avoid unnecessary freeze on Set. ([#3093](opencontainers/runc#3093))
This is a backport of PR #3055 to 1.0 branch.
Draft until that one is merged.

Original description follows.

This is necessary in order for runc to be able to configure device
cgroups with --systemd-cgroup on distributions that have very strict
SELinux policies such as openSUSE MicroOS.
The core issue here is that systemd is adding its own BPF policy that
has an SELinux label such that runc cannot interact with it. In order to
work around this, we can just ignore the policy -- in theory this
behaviour is not correct but given that the most obvious case
(--systemd-cgroup) will still handle updates correctly, this logic is
reasonable.
Fixes: d0f2c25 ("cgroup2: devices: replace all existing filters when attaching")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
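The skip-on-permission-error logic described above, as an added Go example that is not runc's own code: `Program`, `LoadByID`, `collectAccessiblePrograms` and `fakeLoader` are assumed names standing in for the cilium/ebpf calls runc makes, and the program IDs and errnos are constructed sample input.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"syscall"
)

// Program is a hypothetical stand-in for a loaded BPF program handle
// (runc itself uses *ebpf.Program from github.com/cilium/ebpf).
type Program struct{ ID uint32 }

// LoadByID is the assumed loader signature. In runc the real call is
// ebpf.NewProgramFromID, which issues bpf(BPF_PROG_GET_FD_BY_ID) and
// returns an error wrapping the raw syscall.Errno.
type LoadByID func(id uint32) (*Program, error)

// collectAccessiblePrograms turns the IDs attached to a cgroup into handles,
// skipping IDs the kernel/LSM refuses (EPERM or EACCES) and failing on any
// other error. Skipped IDs are returned so the caller can log them.
func collectAccessiblePrograms(ids []uint32, load LoadByID) (progs []*Program, skipped []uint32, err error) {
	for _, id := range ids {
		p, lerr := load(id)
		if lerr != nil {
			// syscall.Errno.Is maps both EPERM and EACCES to os.ErrPermission,
			// but only if the errno was wrapped with %w rather than stringified.
			if errors.Is(lerr, os.ErrPermission) {
				skipped = append(skipped, id)
				continue
			}
			return nil, nil, fmt.Errorf("cannot fetch program from id %d: %w", id, lerr)
		}
		progs = append(progs, p)
	}
	return progs, skipped, nil
}

// fakeLoader is a constructed stand-in for bpf(2): IDs listed in denied fail
// with the given errno, wrapped with %w so errors.Is can see it.
func fakeLoader(denied map[uint32]syscall.Errno) LoadByID {
	return func(id uint32) (*Program, error) {
		if e, ok := denied[id]; ok {
			return nil, fmt.Errorf("bpf(BPF_PROG_GET_FD_BY_ID) prog_id=%d: %w", id, e)
		}
		return &Program{ID: id}, nil
	}
}
```

With a loader that denies ID 7 with EACCES (standing in for systemd's SELinux-labelled filter), `collectAccessiblePrograms([]uint32{3, 7, 11}, load)` returns handles for 3 and 11, reports 7 as skipped, and still fails hard on a non-permission errno such as ENOENT.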
Changelog Entry