From e2738d136bbdedbe3553b947f3c18183fc70e56c Mon Sep 17 00:00:00 2001 From: Laurent Bercot Date: Fri, 7 Jun 2024 14:51:06 +0000 Subject: [PATCH] version: 3.2.0.0 This version uses the latest skarnet.org packages. It also changes the default service startup timeout to infinite, and it adds support for more unprivileged environments. Signed-off-by: Laurent Bercot --- CHANGELOG.md | 12 ++++++ COPYING | 2 +- README.md | 16 +++---- conf/defaults.mk | 4 +- conf/versions | 34 +++++++-------- .../etc/s6-linux-init/skel/rc.init | 2 +- .../s6-overlay-@VERSION@/libexec/preinit | 42 ++++++++++++++++--- .../admin/s6-overlay-@VERSION@/libexec/stage0 | 2 +- 8 files changed, 80 insertions(+), 34 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3747c0db..b666fce1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,18 @@ Please view the git log to see all the minor changes made to the code. This docu ## Major changes +### Version 3.2.0.0 + +* There is no default global timeout for starting services anymore. Previously, +if the services took more than 5 seconds to be brought up, they would +fail; the intent was to detect hanged containers (waiting on a dysfunctional +network connection, for instance) and make them fail early, but it has +proven to create more problems than it was solving - so the timeout has +been removed. If you need it, you can, as before, use the `S6_CMD_WAIT_FOR_SERVICES_MAXTIME` +variable. +* More unprivileged configurations are supported: you should now be +able to use s6-overlay in containers created by Kubernetes, for instance. + ### Version 3.1.0.0 * `/etc/s6-overlay/config/global_path` isn't provided or taken into diff --git a/COPYING b/COPYING index e2ad5b26..2e50dedd 100644 --- a/COPYING +++ b/COPYING 
@@ -1,7 +1,7 @@ Internet Systems Consortium license =================================== -Copyright (c) 2021-2023 Laurent Bercot , John Regan +Copyright (c) 2021-2024 Laurent Bercot , John Regan Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above diff --git a/README.md b/README.md index 133930ad..10ea1b78 100644 --- a/README.md +++ b/README.md @@ -42,7 +42,7 @@ Build the following Dockerfile and try it out: ``` # Use your favorite image FROM ubuntu -ARG S6_OVERLAY_VERSION=3.1.6.2 +ARG S6_OVERLAY_VERSION=3.2.0.0 RUN apt-get update && apt-get install -y nginx xz-utils RUN echo "daemon off;" >> /etc/nginx/nginx.conf 
@@ -873,11 +873,13 @@ starting the `user2` bundle and the CMD, if any of these is defined. If will wait until the services in `/etc/services.d` are *ready* before proceeding with the rest of the sequence. Note that this is only significant if the services in `/etc/services.d` [notify their readiness](https://skarnet.org/software/s6/notifywhenup.html) to s6. -* `S6_CMD_WAIT_FOR_SERVICES_MAXTIME` (default = 5000): The maximum time (in milliseconds) the services could take to bring up before proceding to CMD executing. -Note that this value also includes the time setting up legacy container initialization (`/etc/cont-init.d`) and services (`/etc/services.d`), -and that it is taken into account even if you are not running a CMD. In other words: no matter whether you're running a CMD or not, -if you have scripts in `/etc/cont-init.d` that take a long time to run, you should set this variable to either 0, or a value high -enough so that your scripts have time to finish without s6-overlay interrupting them and diagnosing an error. +* `S6_CMD_WAIT_FOR_SERVICES_MAXTIME` (default = 0, i.e. infinite): The maximum time (in milliseconds) the services could take to bring up before proceding to CMD executing. +Set this variable to a positive value if you have services that can potentially block indefinitely and you prefer the container to fail +if not everything is up after a given time. +Note that this value also includes the time setting up legacy container initialization (`/etc/cont-init.d`) and services (`/etc/services.d`), so +take that into account when computing a suitable value. In versions of s6-overlay up to 3.1.6.2, the default was 5000 (five seconds), +but it caused more unwanted container failures than it solved issues, so now there's no timeout by default: s6-overlay will wait as long as +is necessary for all the services to be brought up. 
* `S6_READ_ONLY_ROOT` (default = 0): When running in a container whose root filesystem is read-only, set this env to **1** to inform init stage 2 that it should copy user-provided initialization scripts from `/etc` to `/run/s6/etc` before it attempts to change permissions, etc. See [Read-Only Root Filesystem](#read-only-root-filesystem) for more information. * `S6_SYNC_DISKS` (default = 0): Set this env to **1** to inform init stage 3 that it should attempt to sync filesystems before stopping the container. Note: this will likely sync all filesystems on the host. * `S6_STAGE2_HOOK` (default = none): If this variable exists, its contents @@ -956,7 +958,7 @@ RUN cd /tmp && sha256sum -c *.sha256 ### `USER` directive -As of version 3.1.6.2, s6-overlay has limited support for running as a user other than `root`: +As of version 3.2.0.0, s6-overlay has limited support for running as a user other than `root`: * Tools like `fix-attrs` and `logutil-service` are unlikely to work (they rely on being able to change UIDs). diff --git a/conf/defaults.mk b/conf/defaults.mk index 0d9f695e..e0dec0d9 100644 --- a/conf/defaults.mk +++ b/conf/defaults.mk @@ -3,7 +3,7 @@ # e.g.: make SHEBANGDIR=/usr/bin VERSION=3.1.6.0 # The version of the software being built. -VERSION := 3.1.6.2 +VERSION := 3.2.0.0 # Where stuff is going to be built. Change for out-of-tree builds. OUTPUT := output @@ -21,7 +21,7 @@ TOOLCHAIN_PATH := # When fetching one from the web, what version we want. # Only a few versions are available, don't change blindly. -TOOLCHAIN_VERSION := 13.2.0 +TOOLCHAIN_VERSION := 14.1.0 # For fetching toolchains: the download command. # Change to curl -O if you don't have wget. diff --git a/conf/versions b/conf/versions index 23e242a9..889a9bf4 100644 --- a/conf/versions +++ b/conf/versions 
@@ -6,32 +6,32 @@ BEARSSL_VERSION=79c060eea3eea1257797f15ea1608a9a9923aa6f # BEARSSL_VERSION=v0.6 -# SKALIBS_VERSION=c0e625ea5d47d32110dae6b1cf7671060e5c47bf -SKALIBS_VERSION=v2.14.0.1 +# SKALIBS_VERSION=4dcf9fa0521a1c4243c28fb2f657d8029317e55e +SKALIBS_VERSION=v2.14.2.0 -# EXECLINE_VERSION=813a7ae859c0563f87c2afef79d346b853c20e36 -EXECLINE_VERSION=v2.9.4.0 +# EXECLINE_VERSION=9983edf33b1eb4d91bf1187f8e4b7c0c3d288e53 +EXECLINE_VERSION=v2.9.6.0 -# S6_VERSION=8d032b7ff814b08aba0b23c03cdd589eae98d22a -S6_VERSION=v2.12.0.2 +# S6_VERSION=9778ca30e4415698dbb1f736cf5fe132a7cec04d +S6_VERSION=v2.13.0.0 -# S6_RC_VERSION=940e4bb20f7927a54c9ee92bcea1c54f8b60666d -S6_RC_VERSION=v0.5.4.2 +# S6_RC_VERSION=f3a8a60eb872096084c98ccaabf65656df349998 +S6_RC_VERSION=v0.5.4.3 -# S6_LINUX_INIT_VERSION=421ff132dee36124fd6fe4eaaffe3576179c3812 +# S6_LINUX_INIT_VERSION=28787fc0512f8df17809c1a0507da2bfed552082 S6_LINUX_INIT_VERSION=v1.1.2.0 -# S6_PORTABLE_UTILS_VERSION=aed143be3f5deace8e7b57ed48151fc17265cd9b +# S6_PORTABLE_UTILS_VERSION=00ad09ecf7ad44e32c3cc54819bbf50e944fd4f9 S6_PORTABLE_UTILS_VERSION=v2.3.0.3 -# S6_LINUX_UTILS_VERSION=d492e79229d1f5f96c5c618cbd5504ffb32e2d72 +# S6_LINUX_UTILS_VERSION=4ac235b523cd1b50bd681e31c8241a2b8bdd3060 S6_LINUX_UTILS_VERSION=v2.6.2.0 -# S6_DNS_VERSION=20d8277451d8fd7cbce316b80a0018bc2639335d -S6_DNS_VERSION=v2.3.7.0 +# S6_DNS_VERSION=33e4b9d9137b5dbb02a087956f1558ef30647aea +S6_DNS_VERSION=v2.3.7.2 -# S6_NETWORKING_VERSION=8fe924c3da6ab919f512029a15464e77cbeede8a -S6_NETWORKING_VERSION=v2.7.0.0 +# S6_NETWORKING_VERSION=42cb4c7b043964874caea0268b6c814e68a6e7a5 +S6_NETWORKING_VERSION=v2.7.0.3 -# S6_OVERLAY_HELPERS_VERSION=b23f96cbfabf23f686f71de826a482c272dd3645 -S6_OVERLAY_HELPERS_VERSION=v0.1.0.2 +# S6_OVERLAY_HELPERS_VERSION=a6281ad45dd43f4e8ddb6818a9b0513e391e64bb +S6_OVERLAY_HELPERS_VERSION=v0.1.1.0 
diff --git a/layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/etc/s6-linux-init/skel/rc.init b/layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/etc/s6-linux-init/skel/rc.init index 038968aa..aeb70391 100755 --- a/layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/etc/s6-linux-init/skel/rc.init +++ b/layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/etc/s6-linux-init/skel/rc.init @@ -41,7 +41,7 @@ s6-rc-compile -v"$cv" /run/s6/db "$etc/s6-overlay/s6-rc.d" /package/admin/s6-ove s6-rc-init -c /run/s6/db /run/service if timeout=`printcontenv S6_CMD_WAIT_FOR_SERVICES_MAXTIME` && eltest "$timeout" =~ '^[[:digit:]]+$' ; then : ; else - timeout=5000 + timeout=0 fi set +e diff --git a/layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/libexec/preinit b/layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/libexec/preinit index 774ead42..ec270ded 100755 --- a/layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/libexec/preinit +++ b/layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/libexec/preinit 
@@ -2,9 +2,19 @@ # This script is spawned by s6-overlay-suexec, as the # first thing in the userland boot process. -# It is run as root even with a USER directive present. -# If USER, then UID and GID hold the uid and gid of the user -# (this is used by s6-chown -U). +# It is normally run as root, but some configurations want to +# run completely unprivileged and s6-overlay-suexec is denied +# suid, in which case preinit will be unprivileged as well. + +# The point of preinit is to sanity check the system to make +# sure s6-linux-init can run in a safe configuration. If we +# are root, or if the system has been correctly prepared by the +# container manager for a privilegeless execution, we can fix +# any issue we encounter. Otherwise, we just report the problem +# and abort execution. + +# The UID, USER, EUID, GID, GROUP and EGID variables are set for +# us by s6-overlay-suexec, so we can check every possible case. prog=/package/admin/s6-overlay/libexec/preinit 
@@ -59,8 +69,30 @@ is likely to crash soon, if /run is (incorrectly) mounted noexec." 1>&2 else s6-mkdir -p -m 0755 /run fi -if test "0$UID" -ne 0 ; then - s6-chown -U -- /run + +eval `s6-overlay-stat /run` + +if test "0$S6_VERBOSITY" -gt 1 ; then + echo "$prog: info: container permissions: uid=$UID ($USER), euid=$EUID, gid=$GID ($GROUP), egid=$EGID" + echo "$prog: info: /run permissions: uid=$uid ($user), gid=$gid ($group), perms=$perms" +fi + +if test "$UID" -ne "$uid" ; then # /run does not belong to the container user + if test "$EUID" -eq 0 ; then + echo "$prog: info: /run belongs to uid $uid instead of $UID - fixing it" + s6-chown -U -- /run + s6-chmod 0755 /run + elif test "$GID" -eq 0 && test "$gid" -eq 0 ; then # Unprivileged Kubernetes Environment + if echo "$perms" | s6-grep -qF gxgwgr && echo "$perms" | s6-grep -qvF ow ; then + echo "$prog: info: using /run with gid 0" + else + echo "$prog: fatal: wrong permissions on /run for a gid 0 setup" + exit 100 + fi + else + echo "$prog: fatal: /run belongs to uid $uid instead of $UID and we're lacking the privileges to fix it." + exit 100 + fi fi # Ensure /var/run is a symlink to /run diff --git a/layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/libexec/stage0 b/layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/libexec/stage0 index 1cf8dc9c..34d4ddd9 100755 --- a/layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/libexec/stage0 +++ b/layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/libexec/stage0 @@ -1,7 +1,7 @@ #!/bin/sh -e # This script is run as pid 1 after preinit has exited. -# It doesn't need privileges: it will run with or without USER. +# It doesn't need privileges: it should run in all configurations. # It invokes s6-linux-init-maker with options depending on run-time # control variables, then execs into the init script created by # s6-linux-init-maker, which is stage 1.
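Review bot: "hanged containers" in the Version 3.2.0.0 CHANGELOG entry should be "hung containers". The same entry tells readers they can restore the old behaviour with `S6_CMD_WAIT_FOR_SERVICES_MAXTIME` but not that the value is in milliseconds or what the old default was; one clause such as "set `S6_CMD_WAIT_FOR_SERVICES_MAXTIME=5000` to get the previous behaviour" saves a trip to the README. The second bullet promises Kubernetes support without saying what preinit now requires for it; since the new code exits 100 when /run is owned by another uid unless the container's gid is 0 and /run is gid 0 with group rwx and no other-write, the changelog is the place to state that requirement.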
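Review bot: the rewritten `S6_CMD_WAIT_FOR_SERVICES_MAXTIME` bullet in README.md keeps the pre-existing typo "proceding" and the awkward "the services could take to bring up before proceding to CMD executing"; since the line is being rewritten anyway, suggest "the maximum time (in milliseconds) that bringing up the services may take before s6-overlay proceeds to executing the CMD". The bullet also says 0 means infinite but not what a non-numeric value does; rc.init in this same patch maps anything that is not all digits to 0, so a typo such as `S6_CMD_WAIT_FOR_SERVICES_MAXTIME=5s` now yields an infinite wait instead of the old 5 s fallback, which deserves a sentence here.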
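Review bot: changing "As of version 3.1.6.2" to "As of version 3.2.0.0" in the `USER` directive section makes the limited non-root support read as new in 3.2.0.0, whereas it already existed in 3.1.6.2 and this release only widens it; keep the original version and add a sentence on what 3.2.0.0 adds, otherwise users pinned to 3.1.6.x will think the feature is missing. The section also does not document the contract that preinit now enforces when s6-overlay-suexec cannot be suid: either /run belongs to the container uid, or the container's gid is 0 and /run is gid 0 with group rwx and no other-write bit, failing with exit 100 otherwise. A reader looking for that would expect it in this section.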
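Review bot: the `TOOLCHAIN_VERSION := 14.1.0` bump in conf/defaults.mk is mentioned neither in the commit message nor in the CHANGELOG, although the toolchain determines every binary shipped in the release tarballs; suggest a CHANGELOG line for it. The file's own comment ("Only a few versions are available, don't change blindly") is a reminder that the commit should state the new toolchain has been published for all supported targets.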
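Review bot: in conf/versions, three entries (`S6_LINUX_INIT_VERSION`, `S6_PORTABLE_UTILS_VERSION`, `S6_LINUX_UTILS_VERSION`) change the commented commit hash while the tag that is actually fetched stays at v1.1.2.0, v2.3.0.3 and v2.6.2.0. If the tag did not move, the commit it resolves to did not move either and the comment should not change; if the new hash is a later untagged commit, the comment no longer describes what gets built. Either way the pair should agree, because the commented hash is the only thing a reader can use to verify that the pinned tag still resolves to the intended source. Note also that `BEARSSL_VERSION` is pinned by hash with the tag commented out while every skarnet.org package is pinned the other way round; if that asymmetry is intentional, a comment line in the file saying so would prevent a future "cleanup" from flipping it.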
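Review bot: in rc.init, the `else` branch of `if timeout=\`printcontenv S6_CMD_WAIT_FOR_SERVICES_MAXTIME\` && eltest "$timeout" =~ '^[[:digit:]]+$'` also catches a variable that is set but malformed, and with `timeout=0` the consequence changes from "fall back to 5 s" to "disable the timeout entirely", silently. Suggest printing a warning to stderr in that branch when printcontenv returned a value but the regex did not match, so an operator who meant to enable the timeout learns why the container never fails.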
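Review bot: in the preinit hunk, the permission check only runs when /run belongs to a different uid; when `test "$UID" -ne "$uid"` is false the script proceeds without looking at `$perms`, so a /run owned by the container user but mounted without owner write or execute bits gets through preinit and fails later inside s6-linux-init with a less explicit message. The data is already in `$perms` from the `s6-overlay-stat` eval, so check the owner bits in that path too. Smaller points in the same hunk: the two `fatal` echo lines write to stdout while the existing error just above the hunk is sent with `1>&2`, so add `1>&2` to them; `eval \`s6-overlay-stat /run\`` executes tool output as shell and `$user`/`$group` are names taken from the image's /etc/passwd and /etc/group, so either confirm s6-overlay-stat shell-quotes its output or read the fields with `read` instead; the Kubernetes branch compares `$GID` but not `$EGID` even though the comment block says EGID is provided, and it is the effective gid that decides access to a gid-0 /run; and `echo "$perms" | s6-grep -qvF ow` is only equivalent to "does not contain ow" while `$perms` is a single line, so `! echo "$perms" | s6-grep -qF ow` says what is meant.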