From 249f117b55c37a7b07b4b322e89137ac6b775596 Mon Sep 17 00:00:00 2001
From: nixpig <143995476+nixpig@users.noreply.github.com>
Date: Tue, 3 Dec 2024 07:20:43 +0000
Subject: [PATCH] feat: apply namespaces by path
---
README.md | 13 +++++++++++-
container/container_init.go | 32 ++++++++++++++++------------
go.mod | 6 +++---
go.sum | 42 +++++--------------------------------
internal/ipc/ipc.go | 4 ----
main.go | 7 +++++++
oci.sh | 4 ++--
7 files changed, 48 insertions(+), 60 deletions(-)
diff --git a/README.md b/README.md
index 786979a..a35f59d 100644
--- a/README.md
+++ b/README.md
@@ -36,6 +36,17 @@ mv tmp/bin/brownie ~/.local/bin
 ## Usage
+### Notes
+
+#### cgroups
+
+Need to do some jiggery-pokery for cgroups?
+
+```
+$ sudo mkdir /sys/fs/cgroup/systemd
+$ sudo mount -t cgroup -o none,name=systemd cgroup /sys/fs/cgroup/systemd
+```
+
 ### Docker
 > [!IMPORTANT]
@@ -189,6 +200,7 @@ Tests are run on every build in [this Github Action](https://github.com/nixpig/b
 - [x] linux_mount_label
 - [x] linux_ns_itype
 - [x] linux_ns_nopath
+- [x] linux_ns_path
 - [x] linux_readonly_paths
 - [x] linux_rootfs_propagation
 - [x] linux_sysctl
@@ -212,7 +224,6 @@ Tests are run on every build in [this Github Action](https://github.com/nixpig/b
 ### ⚠️ To do
 - [ ] delete_only_create_resources
-- [ ] linux_ns_path
 - [ ] linux_ns_path_type
 - [ ] linux_process_apparmor_profile
 - [ ] linux_seccomp
diff --git a/container/container_init.go b/container/container_init.go
index fe2cd19..01b8d34 100644
--- a/container/container_init.go
+++ b/container/container_init.go
@@ -80,6 +80,7 @@ func (c *Container) Init(reexec string, arg string, log *zerolog.Logger) error {
 )
 cloneFlags := uintptr(0)
+ unshareFlags := uintptr(0)
 var uidMappings []syscall.SysProcIDMap
 var gidMappings []syscall.SysProcIDMap
@@ -105,34 +106,39 @@ func (c *Container) Init(reexec string, arg string, log *zerolog.Logger) error {
 return fmt.Errorf("convert namespace to flag: %w", err)
 }
- // if it's path-based, we need to do it in the reexec
 if ns.Path == "" {
 cloneFlags |= flag
 } else {
- fd, err := syscall.Open(ns.Path, syscall.O_RDONLY, 0666)
- if err != nil {
- log.Error().Err(err).Str("path", ns.Path).Str("type", string(ns.Type)).Msg("failed to open namespace path")
- return fmt.Errorf("open ns path: %w", err)
- }
- defer syscall.Close(fd)
- log.Info().Str("path", ns.Path).Int("fd", int(fd)).Msg("writing ns path")
- _, _, errno := syscall.RawSyscall(unix.SYS_SETNS, uintptr(fd), 0, 0)
- if errno != 0 {
- log.Error().Str("path", ns.Path).Int("errno", int(errno)).Msg("FAIELD THE RAWSYSCALL")
+ // TODO: align so the same mechanism is used for all namespaces?
+ if ns.Type == specs.MountNamespace {
+ reexecCmd.Env = append(reexecCmd.Env, fmt.Sprintf("gons_mnt=%s", ns.Path))
+ } else {
+ fd, err := syscall.Open(ns.Path, syscall.O_RDONLY, 0666)
+ if err != nil {
+ log.Error().Err(err).Str("path", ns.Path).Str("type", string(ns.Type)).Msg("failed to open namespace path")
+ return fmt.Errorf("open ns path: %w", err)
+ }
+ defer syscall.Close(fd)
+
+ log.Info().Str("path", ns.Path).Int("fd", int(fd)).Msg("writing ns path")
+ _, _, errno := syscall.RawSyscall(unix.SYS_SETNS, uintptr(fd), 0, 0)
+ if errno != 0 {
+ log.Error().Str("path", ns.Path).Int("errno", int(errno)).Msg("FAIELD THE RAWSYSCALL")
+ }
 }
 }
 }
 reexecCmd.SysProcAttr = &syscall.SysProcAttr{
 Cloneflags: cloneFlags,
- Unshareflags: uintptr(0),
+ Unshareflags: unshareFlags,
 UidMappings: uidMappings,
 GidMappings: gidMappings,
 }
 if c.Spec.Process != nil && c.Spec.Process.Env != nil {
- reexecCmd.Env = c.Spec.Process.Env
+ reexecCmd.Env = append(reexecCmd.Env, c.Spec.Process.Env...)
 }
 if c.Spec.Process != nil && c.Spec.Process.Rlimits != nil {
diff --git a/go.mod b/go.mod
index 64ee8b2..63cfad3 100644
--- a/go.mod
+++ b/go.mod
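Review bot: A failed setns in the inner `else` branch is still only logged — `errno` from `syscall.RawSyscall(unix.SYS_SETNS, uintptr(fd), 0, 0)` never becomes a return value, so Init goes on to fork the reexec while the runtime is still in its own namespace rather than the one the spec named at `ns.Path`, and nstype 0 also means the kernel never verifies that the file is a namespace of type `ns.Type`. Pass the flag already derived from the type and fail closed: `_, _, errno := syscall.RawSyscall(unix.SYS_SETNS, uintptr(fd), flag, 0)` followed by `return fmt.Errorf("setns %s: %w", ns.Path, errno)` (also replacing the `FAIELD THE RAWSYSCALL` message). Since setns applies to the calling OS thread only, the goroutine presumably also needs runtime.LockOSThread held from the setns through the reexec start — confirm, given that this commit drops that lock in ipc.WaitForMsg. Separately, `reexecCmd.Env = append(reexecCmd.Env, c.Spec.Process.Env...)` appends the bundle's process env after the runtime's own `gons_mnt=` entry, and exec.Cmd keeps the last value of a duplicated key, so a spec whose env carries `gons_mnt` can point the reexec at a different mount namespace; append the spec env first, or drop `gons_`-prefixed keys from it. Init starts before and ends after this hunk.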
@@ -3,6 +3,7 @@ module github.com/nixpig/brownie go 1.23.0 require ( + github.com/containerd/cgroups/v3 v3.0.4 github.com/google/uuid v1.6.0 github.com/opencontainers/runtime-spec v1.2.0 github.com/rs/zerolog v1.33.0 @@ -14,19 +15,18 @@ require ( ) require ( - github.com/containerd/cgroups v1.1.0 // indirect - github.com/containerd/cgroups/v3 v3.0.4 // indirect github.com/coreos/go-systemd/v22 v22.5.0 // indirect github.com/davecgh/go-spew v1.1.1 // indirect github.com/docker/go-units v0.5.0 // indirect github.com/godbus/dbus/v5 v5.1.0 // indirect - github.com/gogo/protobuf v1.3.2 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/mattn/go-colorable v0.1.13 // indirect github.com/mattn/go-isatty v0.0.19 // indirect github.com/moby/sys/userns v0.1.0 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect github.com/spf13/pflag v1.0.5 // indirect + github.com/thediveo/gons v0.9.9 // indirect + golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect google.golang.org/protobuf v1.35.2 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect ) diff --git a/go.sum b/go.sum index 1ad6e16..0174077 100644 --- a/go.sum +++ b/go.sum @@ -1,5 +1,3 @@ -github.com/containerd/cgroups v1.1.0 h1:v8rEWFl6EoqHB+swVNjVoCJE8o3jX7e8nqBGPLaDFBM= -github.com/containerd/cgroups v1.1.0/go.mod h1:6ppBcbh/NOOUU+dMKrykgaBnK9lCIBxHqJDGwsa1mIw= github.com/containerd/cgroups/v3 v3.0.4 h1:2fs7l3P0Qxb1nKWuJNFiwhp2CqiKzho71DQkDrHJIo4= github.com/containerd/cgroups/v3 v3.0.4/go.mod h1:SA5DLYnXO8pTGYiAHXz94qvLQTKfVM5GEVisn4jpins= github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs= 
@@ -7,22 +5,17 @@ github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSV github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/docker/go-units v0.4.0 h1:3uh0PgVws3nIA0Q+MwDC8yjEPf9zjRfZZWXZYDct3Tw= -github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4= github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= -github.com/godbus/dbus/v5 v5.0.4 h1:9349emZab16e7zQvpmsbtjc18ykshndd8y2PG3sgJbA= github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk= github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= -github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= -github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU= +github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= -github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= -github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/mattn/go-colorable v0.1.13 
h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg= github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= 
@@ -47,41 +40,16 @@ github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsT github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 h1:kdXcSzyDtseVEc4yCz2qF8ZrQvIDBJLl4S1c3GCXmoI= github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= -github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +github.com/thediveo/gons v0.9.9 h1:y76H/gtmKclSCbNLd3SlH8Qy1u1P2c/CLw4i35Kdi9s= +github.com/thediveo/gons v0.9.9/go.mod h1:Rh4YVjFOEJNctU0hIZvuDK9K5AdwvxyjqrT4Cf8ihNU= golang.org/x/mod v0.21.0 h1:vvrHzRwRfVKSiLrG+d4FMl/Qi4ukBCE6kZlTUkDYRT0= golang.org/x/mod v0.21.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY= -golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync 
v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34= -golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s= golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod 
h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= google.golang.org/protobuf v1.35.2 h1:8Ar7bF+apOIoThw1EdZl0p1oWvMqTHmpA2fRTyZO8io= google.golang.org/protobuf v1.35.2/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= diff --git a/internal/ipc/ipc.go b/internal/ipc/ipc.go index 0ccb1ba..ed4bd33 100644 --- a/internal/ipc/ipc.go +++ b/internal/ipc/ipc.go @@ -3,7 +3,6 @@ package ipc import ( "fmt" "net" - "runtime" ) type closer func() error @@ -57,9 +56,6 @@ func NewReceiver(sockAddr string) (chan []byte, closer, error) { } func WaitForMsg(ch chan []byte, msg string, cb func() error) error { - runtime.LockOSThread() - defer runtime.UnlockOSThread() - for { recv := <-ch diff --git a/main.go b/main.go index 5062c77..97b1fd3 100644 --- a/main.go +++ b/main.go @@ -8,6 +8,7 @@ import ( "github.com/nixpig/brownie/internal/cli" "github.com/nixpig/brownie/internal/logging" "github.com/rs/zerolog" + "github.com/thediveo/gons" ) const ( @@ -15,6 +16,12 @@ const ( ) func main() { + // check namespace status + if err := gons.Status(); err != nil { + fmt.Println("join namespace(s): ", err) + os.Exit(1) + } + // create logger logPath := filepath.Join(brownieRootDir, "logs", "brownie.log") log, err := logging.CreateLogger(logPath, zerolog.InfoLevel) diff --git a/oci.sh b/oci.sh index 14b6324..34bf2f2 100755 --- a/oci.sh +++ b/oci.sh @@ -21,7 +21,7 @@ tests=( "linux_mount_label" "linux_ns_itype" "linux_ns_nopath" -# "linux_ns_path" + "linux_ns_path" # "linux_ns_path_type" # "linux_process_apparmor_profile" # ??? "linux_readonly_paths" 
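Review bot: The gons.Status() failure path in main prints to stdout with `fmt.Println` before any logger exists, so a reexec that could not join its namespaces reports the reason on the stream a caller may parse as command output rather than on stderr. Use `fmt.Fprintln(os.Stderr, "join namespace(s):", err)` ahead of `os.Exit(1)`. The check presumably covers the mount namespace joined via the `gons_mnt` variable the parent sets in container_init — worth a comment stating which namespaces are joined here and that every other type is still joined by the parent's setns, since a reader of main has no other way to tell. main's body continues outside the hunk.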
@@ -29,7 +29,7 @@ tests=( # "linux_seccomp" "linux_sysctl" "linux_uid_mappings" -# "misc_props" # flaky due to test suite trying to delete container before process has exiting and status updated to stopped +# "misc_props" # flaky due to test suite trying to delete container before process has exited and status updated to stopped "mounts" # "pidfile" # runc and youki both hang on this "poststart"