Support time namespace

[chethanah]

• closes Support time namespaces #2345

Background

• runtime-spec now supports time namespace
  • Add support for time namespace runtime-spec#1151 - Merged
• Existing issue in runc - Support time namespaces #2345

Support time ns in runc

• This PR supports time ns by updating the monotonic and boottime clock offest in /proc/self/timens_offsets
  • Support BootTimeNsAttr and MonotonicNsAttr netlink message type to send to bootstrap program
  • Update time ns in STAGE_CHILD after unsharing all the clone flags (stage-1)
  • validate path /proc/self/timens_offsets to validate if time ns enabled
• Add test cases
  • nsenter_test.go only checks for invalid ns path and type for netlink requests. No specific _test.go for time ns is required.
  • Add timens.bats integration test? - TBD
• ❌ Update documentations - Not required
  • runtime-spec documentations are already updated. No docs required in runc.
  • https://github.com/opencontainers/runtime-spec/blob/main/config-linux.md#namespaces
  • https://github.com/opencontainers/runtime-spec/blob/main/config-linux.md#offset-for-time-namespace

Unit test

• Launch container with boottime offsets

# jq '.linux.timeOffsets["boottime"]' config.json 
{
  "secs": 999999999,
  "nanosecs": 0
}

# jq '.linux.namespaces[5]' config.json 
{
  "type": "time"
}

# jq '.process.args' config.json 
[
  "uptime",
  "-s"
]

# uptime -s; ./runc run test 
2023-05-22 17:05:57
1991-09-13 09:49:18

Discussion points

• The time offset is updated to /proc/self/timens_offsets
  • is it important to set stage1_pid/stage2_pid like done in update_uidmap?
• Is it advisable to set offsets elsewhere apart from STAGE_CHILD?
  • Ref: https://man7.org/linux/man-pages/man7/time_namespaces.7.html
  • but after the first process has been created in or has entered the namespace, write(2)s on this file fail with the error EACCES.
  • Therefore, considered to write during STAGE_CHILD after unshared ns

[chethanah]

CC: @KentaTada
Create PR for supporting time ns in runc

[chethanah]

• Kindly review and suggest for changes or additional discussion points.
• Test cases and documentation will be added if core implementation is finalized

[chethanah]

CC: @AkihiroSuda

[AkihiroSuda]

CI is failing

[chethanah]

The CI is now passing after removing logrus print statement.

[chethanah]

Additional merge commit added while rebasing changes from main. I'll update my branch by removing the merge commit.

[cyphar]

Sorry for not looking at this earlier, only one somewhat significant thing needs to be changed. And this unfortunately needs a rebase due to the just-merged id-mapped-mounts work.

This could also really use some integration tests. If you're not comfortable setting those up, I can do them in a follow-up PR.

[cyphar]

To match the rest of the state json:

Suggested change

	TimeOffsets map[string]specs.LinuxTimeOffset `json:"timeOffsets,omitempty"`
	TimeOffsets map[string]specs.LinuxTimeOffset `json:"time_offsets,omitempty"`

[cyphar]

These can be written with one string by separating them with newlines, so there's no need to add multiple netlink entries for this. Just generate one string into a TimeOffsetsAttr and write it in one shot in nsexec.c.

[cyphar]

You're outputting this debug information twice (both here and in update_timens). You can remove this one.

[kolyshkin]

You use 3 map lookups here, while 1 should be enough. Make encodeTimeNs check if the fields are all 0 and return empty string in such case, add a check for empty string below.

[kolyshkin]

It also looks like this would be a good place to write something like

for k, v := c.Config.TimeOffsets {
...
}

making the code more generic and avoiding to use specific strings.

[kolyshkin]

nit: missing period.

[kolyshkin]

nit: missing periods. Please write complete sentences in comments, otherwise it's harder to read (and maintain).

[kolyshkin]

Here if is not needed -- worst case scenario is you assign nil to config.TimeOffsets.

(In other places if is needed to avoid nil dereferences, but not here).

[chethanah]

Thank you for detailed review. I'll update as per comments.

[cyphar]

This is a little difficult to read. Maybe something more like this (untested):

Suggested change

	// write boottime and monotonic time ns offsets.
	if c.config.TimeOffsets != nil {
	timeOffset := append([]byte("monotonic"), []byte(fmt.Sprintf(" %d %d\n", c.config.TimeOffsets["monotonic"].Secs, c.config.TimeOffsets["monotonic"].Nanosecs))...)
	timeOffset = append(timeOffset, []byte("boottime")...)
	r.AddData(&Bytemsg{
	Type: TimeOffsetsAttr,
	Value: append(timeOffset, []byte(fmt.Sprintf(" %d %d", c.config.TimeOffsets["boottime"].Secs, c.config.TimeOffsets["boottime"].Nanosecs))...),
	})
	}
	// write boottime and monotonic time ns offsets.
	if c.config.TimeOffsets != nil {
	var offsetSpec bytes.Buffer
	for clock, offset := range c.config.TimeOffsets {
	fmt.Fprintf(&offsetSpec, "%s %d %d\n", clock, offset.Secs, offset.Nanosecs)
	}
	r.AddData(&Bytemsg{
	Type: TimeOffsetsAttr,
	Value: offsetSpec.Bytes(),
	})
	}

[kolyshkin]

In Go, printf-like functions are notoriously slow for some reason. I'd prefer string concatenation, but it's not a big deal since it's only done once during the container start here.

[cyphar]

lgtm

[lifubang]

EPERM means The caller does not have the CAP_SYS_TIME capability.
Why ignore this error?

[cyphar]

Good catch. I think this was mistakenly copied from the /proc/self/uid_map and gid_map helpers (which call the setuid newuidmap/newgidmap helper programs in case of -EPERM).

[cyphar]

Good catch. I think this was mistakenly copied from the /proc/self/uid_map and gid_map helpers (which call the setuid newuidmap/newgidmap helper programs in case of -EPERM).

[cyphar]

Suggested change

	if (write_file(map, map_len, "/proc/self/timens_offsets") < 0) {
	if (errno != EPERM)
	bail("failed to update /proc/self/timens_offsets");
	}
	if (write_file(map, map_len, "/proc/self/timens_offsets") < 0)
	bail("failed to update /proc/self/timens_offsets");

[cyphar]

I suspect we want this check to be done in the validator (at is stands, the code will silently ignore timensOffsets being configured without CLONE_NEWTIME enabled). But I can do this in a separate PR when I add the necessary integration tests for this feature.

[kolyshkin]

Nit: perhaps you can move this to be right after these lines:

                  config.MaskPaths = spec.Linux.MaskedPaths
                  config.ReadonlyPaths = spec.Linux.ReadonlyPaths
                  config.MountLabel = spec.Linux.MountLabel
                  config.Sysctl = spec.Linux.Sysctl

and drop the comment since it's kind of obvious what we do here.

[kolyshkin]

Looks mostly OK to me, left a couple of nits.

[cyphar]

We can just merge this, I'll send a PR to fix up the remaining nits (including the incorrect EPERM ignore logic) so we don't need to do more rounds of review.

Thanks @chethanah!