diff --git a/Cargo.lock b/Cargo.lock
index 4cee8d2ca..4278114c9 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1758,7 +1758,7 @@ dependencies = [
"flate2",
"libcgroups",
"libcontainer",
- "nix",
+ "nix 0.27.1",
"num_cpus",
"oci-spec",
"once_cell",
@@ -1917,7 +1917,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "75adb4021282a72ca63ebbc0e4247750ad74ede68ff062d247691072d709ad8b"
dependencies = [
"cc",
- "nix",
+ "nix 0.26.2",
"num_cpus",
"pkg-config",
]
@@ -1941,7 +1941,7 @@ dependencies = [
"libbpf-sys",
"libc",
"mockall",
- "nix",
+ "nix 0.27.1",
"oci-spec",
"procfs",
"quickcheck",
@@ -1967,7 +1967,7 @@ dependencies = [
"libc",
"libcgroups",
"libseccomp",
- "nix",
+ "nix 0.27.1",
"oci-spec",
"once_cell",
"prctl",
@@ -2259,6 +2259,18 @@ dependencies = [
"static_assertions",
]
+[[package]]
+name = "nix"
+version = "0.27.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2eb04e9c688eff1c89d72b407f168cf79bb9e867a9d3323ed6c01519eb9cc053"
+dependencies = [
+ "bitflags 2.4.0",
+ "cfg-if",
+ "libc",
+ "memoffset 0.9.0",
+]
+
[[package]]
name = "no-std-net"
version = "0.6.0"
@@ -2634,7 +2646,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "059a34f111a9dee2ce1ac2826a68b24601c4298cfeb1a587c3cb493d5ab46f52"
dependencies = [
"libc",
- "nix",
+ "nix 0.26.2",
]
[[package]]
@@ -3138,7 +3150,7 @@ name = "runtimetest"
version = "0.0.1"
dependencies = [
"anyhow",
- "nix",
+ "nix 0.27.1",
"oci-spec",
]
@@ -5738,7 +5750,7 @@ dependencies = [
"libcgroups",
"libcontainer",
"liboci-cli",
- "nix",
+ "nix 0.27.1",
"once_cell",
"pentacle",
"procfs",
diff --git a/crates/libcgroups/Cargo.toml b/crates/libcgroups/Cargo.toml
index 48ad8dc75..10f5ff968 100644
--- a/crates/libcgroups/Cargo.toml
+++ b/crates/libcgroups/Cargo.toml
@@ -14,24 +14,24 @@ keywords = ["youki", "container", "cgroups"]
[features]
default = ["v1", "v2", "systemd"]
-v1 = []
-v2 = []
-systemd = ["v2", "dep:dbus"]
-cgroupsv2_devices = ["rbpf", "libbpf-sys", "errno", "libc"]
+v1 = ["nix/process", "nix/fs", "nix/signal"]
+v2 = ["nix/process", "nix/fs", "nix/signal"]
+systemd = ["v2", "dep:dbus", "nix/user"]
+cgroupsv2_devices = ["rbpf", "libbpf-sys", "errno", "libc", "nix/dir"]
[dependencies]
-nix = "0.26.2"
+nix = { version = "0.27.1" }
procfs = "0.15.1"
oci-spec = { version = "~0.6.2", features = ["runtime"] }
dbus = { version = "0.9.7", optional = true }
fixedbitset = "0.4.2"
serde = { version = "1.0", features = ["derive"] }
-rbpf = {version = "0.2.0", optional = true }
+rbpf = { version = "0.2.0", optional = true }
libbpf-sys = { version = "1.2.1", optional = true }
errno = { version = "0.3.3", optional = true }
libc = { version = "0.2.148", optional = true }
thiserror = "1.0.48"
-tracing = { version = "0.1.37", features = ["attributes"]}
+tracing = { version = "0.1.37", features = ["attributes"] }
[dev-dependencies]
anyhow = "1.0"
diff --git a/crates/libcontainer/Cargo.toml b/crates/libcontainer/Cargo.toml
index 2c6e67876..ac57f607a 100644
--- a/crates/libcontainer/Cargo.toml
+++ b/crates/libcontainer/Cargo.toml
@@ -22,11 +22,27 @@ cgroupsv2_devices = ["libcgroups/cgroupsv2_devices"]
[dependencies]
bitflags = "2.4.0"
caps = "0.5.5"
-chrono = { version = "0.4", default-features = false, features = ["clock", "serde"] }
+chrono = { version = "0.4", default-features = false, features = [
+ "clock",
+ "serde",
+] }
fastrand = "^2.0.0"
futures = { version = "0.3", features = ["thread-pool"] }
libc = "0.2.148"
-nix = "0.26.2"
+nix = { version = "0.27.1", features = [
+ "fs",
+ "process",
+ "signal",
+ "socket",
+ "mount",
+ "sched",
+ "hostname",
+ "mman",
+ "resource",
+ "dir",
+ "term",
+ "user",
+] }
oci-spec = { version = "~0.6.2", features = ["runtime"] }
once_cell = "1.18.0"
procfs = "0.15.1"
diff --git a/crates/libcontainer/src/channel.rs b/crates/libcontainer/src/channel.rs
index a772a10d3..0323a6f2e 100644
--- a/crates/libcontainer/src/channel.rs
+++ b/crates/libcontainer/src/channel.rs
@@ -6,7 +6,10 @@ use serde::{Deserialize, Serialize};
use std::{
io::{IoSlice, IoSliceMut},
marker::PhantomData,
- os::unix::prelude::RawFd,
+ os::{
+ fd::{AsRawFd, OwnedFd},
+ unix::prelude::RawFd,
+ },
};
#[derive(Debug, thiserror::Error)]
@@ -198,18 +201,20 @@ where
{
let (os_sender, os_receiver) = unix_channel()?;
let receiver = Receiver {
- receiver: os_receiver,
+ receiver: os_receiver.as_raw_fd(),
phantom: PhantomData,
};
let sender = Sender {
- sender: os_sender,
+ sender: os_sender.as_raw_fd(),
phantom: PhantomData,
};
+ std::mem::forget(os_sender);
+ std::mem::forget(os_receiver);
Ok((sender, receiver))
}
// Use socketpair as the underlying pipe.
-fn unix_channel() -> Result<(RawFd, RawFd), ChannelError> {
+fn unix_channel() -> Result<(OwnedFd, OwnedFd), ChannelError> {
Ok(socket::socketpair(
socket::AddressFamily::Unix,
socket::SockType::SeqPacket,
diff --git a/crates/libcontainer/src/container/init_builder.rs b/crates/libcontainer/src/container/init_builder.rs
index f56e00107..236c2e8d4 100644
--- a/crates/libcontainer/src/container/init_builder.rs
+++ b/crates/libcontainer/src/container/init_builder.rs
@@ -2,8 +2,9 @@ use nix::unistd;
use oci_spec::runtime::Spec;
use std::{
fs,
+ os::fd::AsRawFd,
path::{Path, PathBuf},
- rc::Rc,
+ rc::Rc, mem::forget,
};
use user_ns::UserNamespaceConfig;
@@ -85,6 +86,14 @@ impl InitContainerBuilder {
} else {
None
};
+ let csocketfd = csocketfd.map(|sockfd| match sockfd {
+ Some(sockfd) => {
+ let fd = sockfd.as_raw_fd();
+ forget(sockfd);
+ fd
+ }
+ None => -1,
+ });
let user_ns_config = UserNamespaceConfig::new(&spec)?;
diff --git a/crates/libcontainer/src/container/tenant_builder.rs b/crates/libcontainer/src/container/tenant_builder.rs
index 5bb6f9a56..bafeae233 100644
--- a/crates/libcontainer/src/container/tenant_builder.rs
+++ b/crates/libcontainer/src/container/tenant_builder.rs
@@ -8,6 +8,8 @@ use oci_spec::runtime::{
};
use procfs::process::Namespace;
+use std::mem::forget;
+use std::os::fd::{AsRawFd, OwnedFd};
use std::rc::Rc;
use std::{
collections::HashMap,
@@ -15,7 +17,6 @@ use std::{
ffi::{OsStr, OsString},
fs,
io::BufReader,
- os::unix::prelude::RawFd,
path::{Path, PathBuf},
str::FromStr,
};
@@ -117,6 +118,11 @@ impl TenantContainerBuilder {
// if socket file path is given in commandline options,
// get file descriptors of console socket
let csocketfd = self.setup_tty_socket(&container_dir)?;
+ let csocketfd = csocketfd.map(|sockfd| {
+ let fd = sockfd.as_raw_fd();
+ forget(sockfd);
+ fd
+ });
let use_systemd = self.should_use_systemd(&container);
let user_ns_config = UserNamespaceConfig::new(&spec)?;
@@ -430,14 +436,10 @@ impl TenantContainerBuilder {
Ok(socket_path)
}
- fn setup_tty_socket(&self, container_dir: &Path) -> Result