Disable runc-dmz by default #4174
79fd1ba
to
6c47543
Compare
Grr, there are some github actions that compile with no_dmz, that of course are of no use now. I'll be on PTO starting tomorrow EOD, can someone please pick this up and carry it to the merge line? :) See dac4171 for what was added by DMZ.
I was about to write a similar PR 😅. I'll close this once I send that one. I'll also be on PTO from next week.
To properly switch to making runc-dmz opt-in, more work is needed to remove some of the checks we've added as well as changing the logic of the RUNC_DMZ environment variable.
I will send a patch for this tomorrow.
6c47543
to
457c077
Compare
@cyphar as you didn't open a PR, I've changed this one to do that. Let me know what you think, and feel free to open a PR that replaces this.
c956a0a
to
d1ca579
Compare
@@ -127,20 +127,20 @@ function teardown() { | |||
[ "${lines[0]}" = "410" ] | |||
} | |||
|
|||
@test "runc run [runc-dmz]" { | |||
runc --debug run test_hello | |||
@test "RUNC_DMZ=true runc run [runc-dmz]" { |
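Review bot: the new test title carries RUNC_DMZ=true, but the only body line visible in this hunk is `runc --debug run test_hello`, with no variable set. Now that dmz is opt-in, the invocation needs the `RUNC_DMZ=true` prefix as well, otherwise the test exercises the default path while its name claims the dmz one. Since the run already passes `--debug`, asserting on the debug output would confirm which path was actually taken.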
@test "RUNC_DMZ=true runc run [runc-dmz]" { | |
@test "[RUNC_DMZ=true] runc run" { |
e07265a
to
5073630
Compare
Suse mirrors are breaking the github actions, but it was passing all the tests before
@kolyshkin for some reason I can't answer to your comment, but I've fixed it. PTAL :)
5073630
to
48fd3b8
Compare
@kolyshkin I agree, that is why I mentioned it in the PR description. But I wouldn't do it in 1.2, as we are introducing the machinery to cross-compile C, just for runc-dmz. I would have the build-tag in case there is an issue (cross-compiling C is not as easy as cross-compiling go) and we haven't ever released with this machinery. I would keep it, if it fails people can easily avoid it and build anyways (with the same behavior as runc-dmz is disabled by default), we can see the bug reports and fix it without a huge impact as they have other trivial alternatives. In 1.3 we can remove the build-tag (even if we don't remove runc-dmz) and that is all. What do you think?
48fd3b8
to
eb67815
Compare
Maybe I do not understand, what do you mean by "cross-compile"? We compile runc-dmz for the same architecture as the main runc (and we already have some C code in runc, see libcontainer/nsenter). IOW, we do not cross-compile runc-dmz (unless we also cross-compile runc). Perhaps we can leave The next step is what to do about enabling dmz during runtime. We have agreed that we should have it disabled by default. I'm not sure if using an environment variable is the best way to do that -- I remember @crosbymichael being very against using environment to affect how a command works (but I don't remember why exactly, maybe Michael himself or @thaJeztah can shed some light). But for now, let's say, we want
Having said that, yes, we do cross-compile runc ourselves (that includes C stuff in runc-dmz and libct/nsenter) as we want to provide release binaries for multiple architectures. That doesn't mean that most users do it -- I suspect they all compile natively (that's what I'd do).
eb67815
to
188e470
Compare
@kolyshkin I've updated it to do just that.
188e470
to
51861e5
Compare
51861e5
to
9a6129e
Compare
Rebased now that tests should be fixed in main. PTAL
ac795bd
to
e1477d6
Compare
libcontainer/dmz/dmz_linux.go
Outdated
if os.Getenv("RUNC_DMZ") == "legacy" { | ||
logrus.Debugf("RUNC_DMZ=legacy set -- switching back to classic /proc/self/exe cloning") | ||
// Only RUNC_DMZ=true enables runc_dmz | ||
if os.Getenv("RUNC_DMZ") != "true" { |
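Review bot: `os.Getenv("RUNC_DMZ") != "true"` is an exact, case-sensitive match, so `RUNC_DMZ=1` or `RUNC_DMZ=TRUE` leaves dmz off, and unlike the `legacy` branch in the same hunk there is no visible `logrus.Debugf` on this path. Someone who believes they opted in gets the classic cloning with no diagnostic. Either accept the usual boolean spellings or log when the variable is set to a value that is not recognized.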
Can we use strconv.ParseBool?
@AkihiroSuda it returns an error which we need to handle and also errors out when parsing "". So, the code becomes a mess for, IMHO, no good reason:
- // Setting RUNC_DMZ=legacy disables this dmz method.
- if os.Getenv("RUNC_DMZ") == "legacy" {
- logrus.Debugf("RUNC_DMZ=legacy set -- switching back to classic /proc/self/exe cloning")
+ // Only RUNC_DMZ=true enables runc_dmz
+ runcDmz := os.Getenv("RUNC_DMZ")
+ if runcDmz == "" {
+ logrus.Debugf("RUNC_DMZ is not set -- switching back to classic /proc/self/exe cloning")
return nil, ErrNoDmzBinary
}
+ if dmzEnabled, err := strconv.ParseBool(runcDmz); err == nil && !dmzEnabled {
+ logrus.Debugf("RUNC_DMZ is not true -- switching back to classic /proc/self/exe cloning")
+ return nil, ErrNoDmzBinary
+ } else if err != nil {
+ return nil, fmt.Errorf("parsing RUNC_DMZ: %w", err)
+ }
+
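Review bot: in the ParseBool branch, `err == nil && !dmzEnabled` is tested before `err != nil`, which makes the control flow harder to read than it needs to be; return on `err != nil` first, then test `!dmzEnabled`, and the else-if goes away. An unparseable value is also a hard error now: `RUNC_DMZ=legacy`, which the removed lines accepted, would fail with "parsing RUNC_DMZ" instead of falling back, so that behaviour change deserves a line in the documentation or changelog.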
Do you really think it is worth it?
Yes, to allow RUNC_DMZ=1
Updated to do that!
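The opt-in parsing discussed in this review thread, as an added example that is not runc's code: a hypothetical `dmzOptIn` helper built on `strconv.ParseBool` that treats an unset variable as disabled and reports an unparseable value as an error rather than silently picking a side. The helper names and the sample values are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"strconv"
)

// dmzOptIn is a hypothetical helper (not runc's code). It decides whether an
// opt-in feature is enabled from the raw value of an environment variable.
// Unset or empty means disabled; anything ParseBool rejects is an error.
func dmzOptIn(raw string) (bool, error) {
	if raw == "" {
		// ParseBool("") returns an error, so the default is handled first.
		return false, nil
	}
	enabled, err := strconv.ParseBool(raw)
	if err != nil {
		return false, fmt.Errorf("parsing RUNC_DMZ=%q: %w", raw, err)
	}
	return enabled, nil
}

// classify maps each outcome to a label so the three cases can be compared.
func classify(raw string) string {
	enabled, err := dmzOptIn(raw)
	switch {
	case err != nil:
		return "error"
	case enabled:
		return "enabled"
	default:
		return "disabled"
	}
}

func main() {
	// Constructed sample values, including the old "legacy" setting.
	samples := []string{"", "true", "1", "TRUE", "false", "0", "legacy", "yes"}
	for _, v := range samples {
		fmt.Printf("RUNC_DMZ=%q -> %s\n", v, classify(v))
	}
}
```

With this shape, a value such as `legacy` or `yes` surfaces as an error instead of quietly leaving the feature off.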
e1477d6
to
3df30bd
Compare
tests/integration/exec.bats
Outdated
@@ -323,14 +323,14 @@ function check_exec_debug() { | |||
[ "$status" -eq 0 ] | |||
} | |||
|
|||
@test "RUNC_DMZ=legacy runc exec [execve error]" { | |||
@test "RUNC_DMZ=false runc exec [execve error]" { |
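Review bot: only the test title changes in the visible lines, from RUNC_DMZ=legacy to RUNC_DMZ=false; check that the invocation in the body was updated with it. With an exact comparison against "true", both values disable dmz, so a leftover `legacy` in the body would keep passing and hide the mismatch.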
So, why setting RUNC_DMZ=false here if this is the default?
IMHO it seems better to be explicit when the test needs that. If we switch the default later to enabled, it will be painful to realize which tests we need to add the RUNC_DMZ=false.
Not because of failing tests, those are an easy fix (although pointless overhead, imho), but cases exactly like this one are the tricky ones, that we want to test it with and without runc_dmz. When we switch the default, we need to find these cases where now we need to disable it. Otherwise the test will just pass and we won't be testing that case (we will be testing twice with it enabled, the default and the test requesting it enabled).
But that is my personal preference. I've updated to remove it, to match yours :)
That mistake is very simple to make, I was doing it here 🙈
I've fixed it, but if you decide you prefer the explicit false/true, I have it ready in another branch locally.
Let me know what you think
3df30bd
to
c63f544
Compare
@kolyshkin PTAL
34cb9c6
to
7630252
Compare
ping @cyphar @kolyshkin PTAL
I see this sentence in your PR description, but I think this is not implemented in your PR. @rata And there is another small issue in the main branch: https://github.com/opencontainers/runc/blob/main/Makefile#L82 , could you please fix it in this PR as well? It should be:
Yes, I changed it as @kolyshkin asked. I've updated the PR description to reflect the current state.
Fixed, thanks!
If it is compiled, the user needs to opt-in with this env variable to use it. While we are there, remove the RUNC_DMZ=legacy as that is now the default. Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
17797db
to
83b4b94
Compare
Signed-off-by: Rodrigo Campos <rodrigo@sdfg.com.ar>
83b4b94
to
fc76b13
Compare
PTAL @lifubang
@lifubang @kolyshkin friendly ping?
Since WDYT @AkihiroSuda @kolyshkin? Aside from that, looks good.
Can we just merge this, release v1.2.0 RC, and work on refactoring in a follow-up PR?
LGTM. I'll submit a separate patch removing the selinux logic...
There are several issues that we caught at the last minute. Several maintainers said it seems safer to disable it by default, so let's do that.
runc-dmz is marked as experimental and besides the build tag you need to opt-in with RUNC_DMZ=true to use it. Future PRs can go further and maybe even remove the buildtag, simplifying the CI (and the time it takes to run).
cc @cyphar @kolyshkin @lifubang