For docker in docker scenario, the nested container created
has entry "b *:* m" in the list of devices it is allowed to access
under /sys/fs/cgroup/devices/docker/{ctrid}/devices.list.
This entry was causing issues while starting a nested container
as we were denying "m" access to the rootfs block devices.
With this change we add back "m" access, the container would be
allowed to create a device node for the rootfs device but will
not have read-write access to the created device node.
This fixes the docker in docker use case while still making sure
the container is not allowed read/write access to the rootfs.
Note, this could also be fixed by simply skipping {"Type : "b"}
while creating the device cgroup with libcontainer.
But this seems to be undocumented behaviour at this point,
hence refrained from taking this approach.
Fixes#426
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Add support shareProcessNamespace.
BTW, this commit only support shared pid namespace by
sharing the infrastructure pause container's pid namespace
with other containers, instead of creating a new pid
namespace different from pause container.
Fixes: #342
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
Makefile is determining the architecture by running uname command
which gives ppc64le as output. But rust toolchain target is available
with the name powerpc64le for ppc64le arch. So this change took care of that.
Signed-off-by: Abhishek Dasgupta <abdasgupta@in.ibm.com>
Currently the default LIBC used to build the agent is "musl". However,
"musl" is not preset in a big portion of the distros *and* "gnu" libc
just works as expected.
Knowing that, let's add the option to the one building the project to
simply do `make LIBC=gnu` instead of expected the person to go through
the Makefile and replace musl by gnu there.
Fixes: #369
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
When the "PCIAddr" (BDF information) is available, we allow to use the
predicted "VmPath" (from kata-runtime) to locate the block device in the
agent. This is a special code path for supporting block-device/volume
passthrough w/ cloud-hypervisor when the BDF information is not
available (as of clh v0.8.0).
This is mainly porting the changes from kata-agent PR https://github.com/kata-containers/agent/pull/790,
as the related changes from kata-runtime is ported to kata 2.0 earlier
this week (https://github.com/kata-containers/kata-containers/pull/362).
Note that the upstream clh recently added the support of returning BDF
information for hotplugged devices. We will consolidate/remove this
special code path for the next upgrade of clh version in kata.
Fixes: #248
Signed-off-by: Bo Chen <chen.bo@intel.com>
It should iter the shells to find the existing shell
command instead of return an error directly when it
meet an absent shell command.
Fixes: #354
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
Changed the name of the rule that runs the tests to "test" for
consistency, but retained `check` for backwards compatibility
for now.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Dup a new file descriptor for temporary logger writer,
since this logger would be dropped and it's writer would
be closed out of if definition scope, which would cause
the logger process thread terminated if it used the original
pipe write fd.
Fixes: #318
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
With this change, a container is not longer given access to
the underlying root partition.
This is done by explicitly adding the root partition
to the device cgroup of the container.
Fixes: #317
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
The agent logger is useful and generic enough that it can be used by
other components, so move the agent logging package to below a top level
`pkg` to encourage re-use.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Clean up all clippy warning.
Also fix a bug in dealing with IFLA_IFNAME attribute.
nlh.addattr_var(IFLA_IFNAME, name.as_ptr() as *const u8, name.len() + 1);
The `name` is a rust String, which doesn't including the trailing '\0',
so name.len() + 1 may cause invalid memory access.
Signed-off-by: Liu Jiang <gerry@linux.alibaba.com>
Implment `TryFrom<IPAddress> for RtIPAddr` instead of From<IPAddress>,
so error code could be returned instead of unwrap().
Do the same for `TryFrom<Route> for RtRoute`.
Signed-off-by: Liu Jiang <gerry@linux.alibaba.com>
There are too much unsafe code in the netlink crate, we need to reduce
unsafe code as much as possible. To achieve this, methods are classified
as public interfaces and internal methods.
All public interface of RtnlHandle has been reimplemented as safe code,
only some public helper functions to manipulater Netlink message data
structures are implemented as unsafe code.
The code to parse IPv4/IPv6/MAC addresses has been moved to a dedicated
file named parser.rs.
Signed-off-by: Liu Jiang <gerry@linux.alibaba.com>
The scan_fmt crate has dependency on other four crates, and it's trivial
to use std library to implement the same logic. Get rid of scan_fmt to
reduce the dependency chain.
Signed-off-by: Liu Jiang <gerry@linux.alibaba.com>
Use features to enable/disable slog and agent handler on demand.
This helps to reduce dependency chains if slog/agent handler is unused.
Signed-off-by: Liu Jiang <gerry@linux.alibaba.com>
The netlink crate is a library to communicate with Linux kenrel by using
the netlink socket. It's generic enough to be reused by other clients.
So get rid of dependency on the rustjail crate by:
1) normalize all pub interfaces to return Result<T, nix::Error>,
2) add helpers to reduce duplicated code,
3) move parse_mac() into lib.rs,
Signed-off-by: Liu Jiang <gerry@linux.alibaba.com>
Add grpc API for adding arp neighbours for a network
interface. These are expected to be static arp entries
sent by the runtime.
Signed-off-by: Tim Zhang <tim@hyper.sh>
Got:
make PROTO_FILE=agent.proto generate-protocol
google/protobuf/descriptor.proto: Read access is denied for file: /usr/local/include/google/protobuf/descriptor.proto
This commit will fix this error.
Signed-off-by: Tim Zhang <tim@hyper.sh>
In Kata 1.x, agent interface is defined in agent repo and vendored by runtime. But in Kata 2.0, agent and runtime will use ttrpc as protocol, and agent is using rust language, so runtime can't vendor agent again, have to compile from agent's protobuf files.
This PR will hold proto files under src/agent, and compile it to rust/go sources for agent/runtime. Typing `make generate-protocols` under root of this repo or `src/agent` can see how to use it.
Signed-off-by: bin liu <bin@hyper.sh>
Hardcode the Cargo.lock file to prevent dependencies
change which would cause some compatible issues.
Fixes: #230
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
Since the ttrpc upgraded with async supported, which isn't
compatible with current agent, thus it's better to change
the dependency to a stable branch.
Fixes: #229
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
It's better to check whether the sandbox's get_container
result instead of unwrap it directly, otherwise it would
crash the agent if the conainer id is invalid.
Fixes: #178
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
