Function parameters in test config is not used. This
commit will add under score before variable name
in test config.
Fixes: #3091
Signed-off-by: bin <bin@hyper.sh>
When the container didn't had a tty console, it would be in a same
process group with the kata-agent, which wasn't expected. Thus,
create a new session for the container process.
Fixes: #3063
Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
Use `dup3` system call instead of `dup2` in unit tests of seccomp
because `dup2` is obsolete on aarch64.
Fixes: #2939
Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
In order to pass CI test of aarch64, it is necessary to run
`ci/install_libseccomp.sh` before ruuning unit tests in
`jenkins_job_build.sh`.
However, `ci/install_libseccomp.sh` is not available
until PR #1788 including this commit is merged in the mainline.
Therefore, we disable seccomp feature on aarch64 temporarily.
After #1788 lands and CI is fixed, this commit will be reverted.
Fixes: #1476
Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
The kata-agent supports seccomp feature based on the OCI runtime specification.
This seccomp capability in the kata-agent is enabled by default.
However, it is not enforced by default: users need to enable that by setting
`disable_guest_seccomp` to `false` in the main configuration file.
Fixes: #1476
Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
Many device nodes go directly under /dev, however some are conventionally
placed in subdirectories under /dev. For example /dev/vfio/vfio or
/dev/pts/ptmx.
Currently, attempting to pass such a device into a Kata container will fail
because mknod() will get an ENOENT because the parent directory is missing
(or an equivalent error for bind_dev()).
Correct that by making subdirectories as necessary in create_devices().
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
For each user supplied device, create_devices() checks that the given path
actually is in /dev, by checking that its path starts with /dev and does
not contain "..".
However, this has subtle errors because it's interpreting the path as a raw
string without considering separators. It will accept the path /devfoo
which it should not, while it will not accept the valid (though weird)
paths /dev/... and /dev/a..b.
Correct this by using std::path::Path methods designed for the purpose.
Having done this, it's trivial to also generate the relative path that
mknod_dev() or bind_dev() will need, so do that at the same time.
We also move this logic into a helper function so that we can add some unit
tests for it.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Both these functions take the absolute path from LinuxDevice and drop the
leading '/' to make a relative path. They do that with a simple
&dev.path[1..]. That can be technically incorrect in some edge cases such
as a path with redundant /s like "//dev//sda".
To handle cases like that, have the explicit relative path passed into
these functions. For now we calculate it in the same buggy way, but we'll
fix that shortly.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
create_devices() within the rustjail module is responsible for creating
device nodes within the (inner) containers. Errors that occur here will
be propagated up, but are likely to be low level failures of mknod() - e.g.
ENOENT or EACCESS - which won't be very useful without context when
reported all the way up to the runtime without the context of what we were
trying to do.
Add some anyhow context information giving the details of the device we
were trying to create when it failed.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Use `"c".to_string` in the device type of `dev/full`
in order to consistent with the coding style of other devices
Fixes: #2890
Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
The CRI-O integration test suite has two tests that fail because they search for
"not found" in the error message, but we emit "is not exist".
Change the error message to match the expectations of the test suite.
Fixes: #2036
Reported-by: Julien Ropé <jrope@redhat.com>
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
Although the OCI specification does not explictly requires that, we
should create the process CWD if it does not exist, before chdir'ing
to it. Without that fizx, the kata-agent fails to create a container
and returns a grpc error when it's trying to change the containerd
working directory to an non existing folder.
runc, the OCI runtime reference implementation, also creates the process
CWD when it's not part of the container rootfs.
Fixes#2374
Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com>
get_mounts() parses /proc/self/mountinfo in order to get the mountpoints
for various cgroup filesystems. One of the entries in mountinfo is the
"device" for each filesystem, but for virtual filesystems like /proc, /sys
and cgroups, the device entry is arbitrary. Depending on the exact rootfs
setup, it can end up being "-".
This breaks get_mounts() because it uses " - " as a separator. There
really is a " - " separator in mountinfo, but in this case the device entry
shows up as a second one. Fix this, by changing a split to a splitn, which
will effectively only consider the first " - " in the line.
While we're there, make the warning message more useful, by having it
actually show which line it wasn't able to parse.
fixes#2182
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Use which to find the full path of exe before run execute_hook
to avoid error: 'No such file or directory'
Fixes: #2172
Signed-off-by: Tim Zhang <tim@hyper.sh>
It's hard to visually scan over the list currently.
Therefore, we should sort the list alphabetically to scan easily.
Fixes: #1999
Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
Add the following mount options to catch up with the runtime spec
- silent
- loud
- (no)acl
- (no)iversion
- (no)lazytime
Fixes: #1999
Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
We need to fix some agent's code to conform to the latest nix crate
to be able to use new features of the nix.
Fixes: #1987
Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
When update memory limit, we should adapt the write sequence
for memory and swap memory, so it won't fail because
the new value and the old value don't fit kernel's
validation.
Fixes: #1917
Signed-off-by: fupan.lfp <fupan.lfp@antgroup.com>
When starting a container and dropping all capabilities,
the init child process has no permission to read the exec.fifo
file because the parent set the file mode 0o622. So change the exec.fifo file mode to 0o644.
fixes#1913
Signed-off-by: quanweiZhou <quanweiZhou@linux.alibaba.com>
While evaluating the possibility of having kata-agent statically linked
to the GNU libc, we've ended up facing some issues with prctl.
When debugging the issues, we figured out that the crate hasn't been
maintained since 2015 and that the capctl one is a good 1:1 replacement
for what we need.
Fixes: #1844
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Since the propagation flags couldn't be combinted with the
standard mount flags, and they should be used with the remount,
thus it's better to split them from the standard mount flags.
Fixes: #1699
Signed-off-by: fupan.lfp <fupan.lfp@antgroup.com>
In file src/agent/rustjail/src/validator.rs,
these two functions are not used:
- get_namespace_path
- check_host_ns
Fixes: #1783
Signed-off-by: bin <bin@hyper.sh>
Clippy (in Rust 1.51 at least) has some complaints about this closure
inside execute_hook() because it uses explicit returns in some places
where it doesn't need them, because they're the last expression in the
function.
That isn't necessarily obvious from a glance, but we can make clippy happy
and also make things a little clearer: first we replace a somewhat verbose
'match' using Option::ok_or_else(), then rearrange the remaining code to
put all the error path first with an explicit return then the "happy" path
as the stright line exit with an implicit return.
fixes#1611
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
PathBuf is an owned, mutable Path. We don't need those properties in
get_value_from_cgroup() so we can use a Path instead. This may be slightly
safer, and definitely stops clippy (version 1.51 at least) from
complaining.
fixes#1611
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
