From f34698ca6c344dbe0b93fd3dd1f3b6070de263f7 Mon Sep 17 00:00:00 2001
From: nixpig <143995476+nixpig@users.noreply.github.com>
Date: Mon, 16 Dec 2024 06:50:11 +0000
Subject: [PATCH] chore: wip
---
 README.md | 2 ++
 container/container_init.go | 14 ++++++++------
 container/container_reexec.go | 11 -----------
 3 files changed, 10 insertions(+), 17 deletions(-)
diff --git a/README.md b/README.md
index cdf51b9..10acad1 100644
--- a/README.md
+++ b/README.md
@@ -11,6 +11,8 @@ This is a personal project for me to explore and better understand the OCI Runti
 **🗒️ To do** (items remaining for _me_ to consider this 'complete')
 - [ ] ~Unit tests~ Integration tests seem to be sufficing
+- [ ] Fix networking
+- [ ] Container cleanup
 - [ ] Implement [Cgroups v2](https://github.com/opencontainers/runtime-spec/blob/main/config-linux.md#control-groups)
 - [ ] Implement optional [Seccomp](https://github.com/opencontainers/runtime-spec/blob/main/config-linux.md#seccomp)
 - [ ] Implement optional [AppArmor](https://github.com/opencontainers/runtime-spec/blob/main/config.md#linux-process)
diff --git a/container/container_init.go b/container/container_init.go
index d89ea35..9aba527 100644
--- a/container/container_init.go
+++ b/container/container_init.go
@@ -92,15 +92,18 @@ func (c *Container) Init(reexec string, arg string) error {
 ns := namespace.LinuxNamespace(ns)
 if ns.Path == "" {
+fmt.Printf("join '%s' namespace by clone\n", ns.Type)
 cloneFlags |= ns.ToFlag()
 } else {
+fmt.Printf("join '%s' namespace by path\n", ns.Type)
 if !strings.HasSuffix(ns.Path, fmt.Sprintf("/%s", ns.ToEnv())) && ns.Type != specs.PIDNamespace {
 return fmt.Errorf("namespace type (%s) and path (%s) do not match", ns.Type, ns.Path)
 }
-// TODO: align so the same mechanism is used for all namespaces?
 if ns.Type == specs.MountNamespace {
+// mount namespaces do not work across threads, so this needs to be done
+// in single-threaded context in C before the reexec
 cmd.Env = append(cmd.Env, fmt.Sprintf("gons_%s=%s", ns.ToEnv(), ns.Path))
 } else {
 if err := ns.Enter(); err != nil {
@@ -111,10 +114,9 @@ func (c *Container) Init(reexec string, arg string) error {
 }
 cmd.SysProcAttr = &syscall.SysProcAttr{
-Cloneflags: cloneFlags,
-Unshareflags: uintptr(0),
-UidMappings: uidMappings,
-GidMappings: gidMappings,
+Cloneflags: cloneFlags,
+UidMappings: uidMappings,
+GidMappings: gidMappings,
 }
 if c.Spec.Process != nil && c.Spec.Process.Env != nil {
@@ -160,7 +162,7 @@ func (c *Container) Init(reexec string, arg string) error {
 conn, err := listener.Accept()
 if err != nil {
-return fmt.Errorf("accept on listener: %w", err)
+return fmt.Errorf("accept on init listener: %w", err)
 }
 defer conn.Close()
diff --git a/container/container_reexec.go b/container/container_reexec.go
index ab682f4..45361ea 100644
--- a/container/container_reexec.go
+++ b/container/container_reexec.go
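Review bot: The two `fmt.Printf` calls added in the `if ns.Path == ""` / `else` branches of the first hunk write diagnostics to stdout, which for an OCI runtime is likely the channel a calling engine reads, so interleaving debug text there can corrupt whatever the parent process is expected to emit. Prefer stderr or the project's logger, e.g. `fmt.Fprintf(os.Stderr, "join '%s' namespace by clone\n", ns.Type)`, or drop both lines before this leaves WIP. The "join ... by path" line is also printed before the `strings.HasSuffix` check rejects a mismatched path, so a failing run logs a join that never happens; moving the print below that check keeps the output truthful. The enclosing `Init` function starts and ends outside the hunk.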
@@ -148,17 +148,6 @@ func (c *Container) Reexec() error {
 return fmt.Errorf("set additional GIDs: %w", err)
 }
-// TODO: reimplement uid and gid mappings for execve
-// if c.Spec.Linux.UIDMappings != nil {
-// cmd.SysProcAttr.UidMappings =
-// user.BuildUIDMappings(c.Spec.Linux.UIDMappings)
-// }
-//
-// if c.Spec.Linux.GIDMappings != nil {
-// cmd.SysProcAttr.GidMappings =
-// user.BuildGIDMappings(c.Spec.Linux.GIDMappings)
-// }
-
 if err := c.ExecHooks("startContainer"); err != nil {
 return fmt.Errorf("execute startContainer hooks: %w", err)
 }