diff --git a/Cargo.lock b/Cargo.lock index 4cee8d2ca..4278114c9 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1758,7 +1758,7 @@ dependencies = [ "flate2", "libcgroups", "libcontainer", - "nix", + "nix 0.27.1", "num_cpus", "oci-spec", "once_cell", @@ -1917,7 +1917,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "75adb4021282a72ca63ebbc0e4247750ad74ede68ff062d247691072d709ad8b" dependencies = [ "cc", - "nix", + "nix 0.26.2", "num_cpus", "pkg-config", ] @@ -1941,7 +1941,7 @@ dependencies = [ "libbpf-sys", "libc", "mockall", - "nix", + "nix 0.27.1", "oci-spec", "procfs", "quickcheck", @@ -1967,7 +1967,7 @@ dependencies = [ "libc", "libcgroups", "libseccomp", - "nix", + "nix 0.27.1", "oci-spec", "once_cell", "prctl", @@ -2259,6 +2259,18 @@ dependencies = [ "static_assertions", ] +[[package]] +name = "nix" +version = "0.27.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2eb04e9c688eff1c89d72b407f168cf79bb9e867a9d3323ed6c01519eb9cc053" +dependencies = [ + "bitflags 2.4.0", + "cfg-if", + "libc", + "memoffset 0.9.0", +] + [[package]] name = "no-std-net" version = "0.6.0" @@ -2634,7 +2646,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "059a34f111a9dee2ce1ac2826a68b24601c4298cfeb1a587c3cb493d5ab46f52" dependencies = [ "libc", - "nix", + "nix 0.26.2", ] [[package]] @@ -3138,7 +3150,7 @@ name = "runtimetest" version = "0.0.1" dependencies = [ "anyhow", - "nix", + "nix 0.27.1", "oci-spec", ] @@ -5738,7 +5750,7 @@ dependencies = [ "libcgroups", "libcontainer", "liboci-cli", - "nix", + "nix 0.27.1", "once_cell", "pentacle", "procfs", diff --git a/crates/libcgroups/Cargo.toml b/crates/libcgroups/Cargo.toml index 48ad8dc75..10f5ff968 100644 --- a/crates/libcgroups/Cargo.toml +++ b/crates/libcgroups/Cargo.toml @@ -14,24 +14,24 @@ keywords = ["youki", "container", "cgroups"] [features] default = ["v1", "v2", "systemd"] -v1 = [] -v2 = [] -systemd = ["v2", "dep:dbus"] -cgroupsv2_devices = ["rbpf", "libbpf-sys", "errno", "libc"] +v1 = ["nix/process", "nix/fs", "nix/signal"] +v2 = ["nix/process", "nix/fs", "nix/signal"] +systemd = ["v2", "dep:dbus", "nix/user"] +cgroupsv2_devices = ["rbpf", "libbpf-sys", "errno", "libc", "nix/dir"] [dependencies] -nix = "0.26.2" +nix = { version = "0.27.1" } procfs = "0.15.1" oci-spec = { version = "~0.6.2", features = ["runtime"] } dbus = { version = "0.9.7", optional = true } fixedbitset = "0.4.2" serde = { version = "1.0", features = ["derive"] } -rbpf = {version = "0.2.0", optional = true } +rbpf = { version = "0.2.0", optional = true } libbpf-sys = { version = "1.2.1", optional = true } errno = { version = "0.3.3", optional = true } libc = { version = "0.2.148", optional = true } thiserror = "1.0.48" -tracing = { version = "0.1.37", features = ["attributes"]} +tracing = { version = "0.1.37", features = ["attributes"] } [dev-dependencies] anyhow = "1.0" diff --git a/crates/libcontainer/Cargo.toml b/crates/libcontainer/Cargo.toml index 2c6e67876..ac57f607a 100644 --- a/crates/libcontainer/Cargo.toml +++ b/crates/libcontainer/Cargo.toml @@ -22,11 +22,27 @@ cgroupsv2_devices = ["libcgroups/cgroupsv2_devices"] [dependencies] bitflags = "2.4.0" caps = "0.5.5" -chrono = { version = "0.4", default-features = false, features = ["clock", "serde"] } +chrono = { version = "0.4", default-features = false, features = [ + "clock", + "serde", +] } fastrand = "^2.0.0" futures = { version = "0.3", features = ["thread-pool"] } libc = "0.2.148" -nix = "0.26.2" +nix = { version = "0.27.1", features = [ + "fs", + "process", + "signal", + "socket", + "mount", + "sched", + "hostname", + "mman", + "resource", + "dir", + "term", + "user", +] } oci-spec = { version = "~0.6.2", features = ["runtime"] } once_cell = "1.18.0" procfs = "0.15.1" diff --git a/crates/libcontainer/src/channel.rs b/crates/libcontainer/src/channel.rs index a772a10d3..0323a6f2e 100644 --- a/crates/libcontainer/src/channel.rs +++ b/crates/libcontainer/src/channel.rs @@ -6,7 +6,10 @@ use serde::{Deserialize, Serialize}; use std::{ io::{IoSlice, IoSliceMut}, marker::PhantomData, - os::unix::prelude::RawFd, + os::{ + fd::{AsRawFd, OwnedFd}, + unix::prelude::RawFd, + }, }; #[derive(Debug, thiserror::Error)] @@ -198,18 +201,20 @@ where { let (os_sender, os_receiver) = unix_channel()?; let receiver = Receiver { - receiver: os_receiver, + receiver: os_receiver.as_raw_fd(), phantom: PhantomData, }; let sender = Sender { - sender: os_sender, + sender: os_sender.as_raw_fd(), phantom: PhantomData, }; + std::mem::forget(os_sender); + std::mem::forget(os_receiver); Ok((sender, receiver)) } // Use socketpair as the underlying pipe. -fn unix_channel() -> Result<(RawFd, RawFd), ChannelError> { +fn unix_channel() -> Result<(OwnedFd, OwnedFd), ChannelError> { Ok(socket::socketpair( socket::AddressFamily::Unix, socket::SockType::SeqPacket, diff --git a/crates/libcontainer/src/container/init_builder.rs b/crates/libcontainer/src/container/init_builder.rs index f56e00107..236c2e8d4 100644 --- a/crates/libcontainer/src/container/init_builder.rs +++ b/crates/libcontainer/src/container/init_builder.rs @@ -2,8 +2,9 @@ use nix::unistd; use oci_spec::runtime::Spec; use std::{ fs, + os::fd::AsRawFd, path::{Path, PathBuf}, - rc::Rc, + rc::Rc, mem::forget, }; use user_ns::UserNamespaceConfig; @@ -85,6 +86,14 @@ impl InitContainerBuilder { } else { None }; + let csocketfd = csocketfd.map(|sockfd| match sockfd { + Some(sockfd) => { + let fd = sockfd.as_raw_fd(); + forget(sockfd); + fd + } + None => -1, + }); let user_ns_config = UserNamespaceConfig::new(&spec)?; diff --git a/crates/libcontainer/src/container/tenant_builder.rs b/crates/libcontainer/src/container/tenant_builder.rs index 5bb6f9a56..bafeae233 100644 --- a/crates/libcontainer/src/container/tenant_builder.rs +++ b/crates/libcontainer/src/container/tenant_builder.rs @@ -8,6 +8,8 @@ use oci_spec::runtime::{ }; use procfs::process::Namespace; +use std::mem::forget; +use std::os::fd::{AsRawFd, OwnedFd}; use std::rc::Rc; use std::{ collections::HashMap, @@ -15,7 +17,6 @@ use std::{ ffi::{OsStr, OsString}, fs, io::BufReader, - os::unix::prelude::RawFd, path::{Path, PathBuf}, str::FromStr, }; @@ -117,6 +118,11 @@ impl TenantContainerBuilder { // if socket file path is given in commandline options, // get file descriptors of console socket let csocketfd = self.setup_tty_socket(&container_dir)?; + let csocketfd = csocketfd.map(|sockfd| { + let fd = sockfd.as_raw_fd(); + forget(sockfd); + fd + }); let use_systemd = self.should_use_systemd(&container); let user_ns_config = UserNamespaceConfig::new(&spec)?; @@ -430,14 +436,10 @@ impl TenantContainerBuilder { Ok(socket_path) } - fn setup_tty_socket(&self, container_dir: &Path) -> Result, LibcontainerError> { + fn setup_tty_socket(&self, container_dir: &Path) -> Result, LibcontainerError> { let tty_name = Self::generate_name(container_dir, TENANT_TTY); let csocketfd = if let Some(console_socket) = &self.base.console_socket { - Some(tty::setup_console_socket( - container_dir, - console_socket, - &tty_name, - )?) + tty::setup_console_socket(container_dir, console_socket, &tty_name)? } else { None }; diff --git a/crates/libcontainer/src/namespaces.rs b/crates/libcontainer/src/namespaces.rs index 22c941301..eb67ce8c1 100644 --- a/crates/libcontainer/src/namespaces.rs +++ b/crates/libcontainer/src/namespaces.rs @@ -8,7 +8,7 @@ //! Cgroup (Resource limits, execution priority etc.) use crate::syscall::{syscall::create_syscall, Syscall}; -use nix::{fcntl, sched::CloneFlags, sys::stat, unistd}; +use nix::{fcntl, sched::CloneFlags, sys::stat}; use oci_spec::runtime::{LinuxNamespace, LinuxNamespaceType}; use std::collections; @@ -110,10 +110,6 @@ impl Namespaces { tracing::error!(?err, ?namespace, "failed to set namespace"); err })?; - unistd::close(fd).map_err(|err| { - tracing::error!(?err, ?namespace, "failed to close namespace file"); - err - })?; } None => { self.command diff --git a/crates/libcontainer/src/process/fork.rs b/crates/libcontainer/src/process/fork.rs index 114a22440..b4b3900d3 100644 --- a/crates/libcontainer/src/process/fork.rs +++ b/crates/libcontainer/src/process/fork.rs @@ -1,4 +1,4 @@ -use std::{ffi::c_int, num::NonZeroUsize}; +use std::{ffi::c_int, fs::File, num::NonZeroUsize}; use libc::SIGCHLD; use nix::{ @@ -164,12 +164,12 @@ fn clone(cb: CloneCb, flags: u64, exit_signal: Option) -> Result( None, NonZeroUsize::new(default_stack_size).ok_or(CloneError::ZeroStackSize)?, mman::ProtFlags::PROT_READ | mman::ProtFlags::PROT_WRITE, mman::MapFlags::MAP_PRIVATE | mman::MapFlags::MAP_ANONYMOUS | mman::MapFlags::MAP_STACK, - -1, + None, 0, ) .map_err(CloneError::StackAllocation)? diff --git a/crates/libcontainer/src/process/seccomp_listener.rs b/crates/libcontainer/src/process/seccomp_listener.rs index 608ff725b..cfc0fb9f5 100644 --- a/crates/libcontainer/src/process/seccomp_listener.rs +++ b/crates/libcontainer/src/process/seccomp_listener.rs @@ -5,7 +5,7 @@ use nix::{ unistd, }; use oci_spec::runtime; -use std::{io::IoSlice, path::Path}; +use std::{io::IoSlice, os::fd::AsRawFd, path::Path}; use super::channel; @@ -76,7 +76,7 @@ fn sync_seccomp_send_msg(listener_path: &Path, msg: &[u8], fd: i32) -> Result<() ); SeccompListenerError::UnixOther(err) })?; - socket::connect(socket, &unix_addr).map_err(|err| { + socket::connect(socket.as_raw_fd(), &unix_addr).map_err(|err| { tracing::error!( ?err, ?listener_path, @@ -91,14 +91,17 @@ fn sync_seccomp_send_msg(listener_path: &Path, msg: &[u8], fd: i32) -> Result<() let iov = [IoSlice::new(msg)]; let fds = [fd]; let cmsgs = socket::ControlMessage::ScmRights(&fds); - socket::sendmsg::(socket, &iov, &[cmsgs], socket::MsgFlags::empty(), None).map_err( - |err| { - tracing::error!(?err, "failed to write container state to seccomp listener"); - SeccompListenerError::UnixOther(err) - }, - )?; - // The spec requires the listener socket to be closed immediately after sending. - let _ = unistd::close(socket); + socket::sendmsg::( + socket.as_raw_fd(), + &iov, + &[cmsgs], + socket::MsgFlags::empty(), + None, + ) + .map_err(|err| { + tracing::error!(?err, "failed to write container state to seccomp listener"); + SeccompListenerError::UnixOther(err) + })?; Ok(()) } diff --git a/crates/libcontainer/src/syscall/linux.rs b/crates/libcontainer/src/syscall/linux.rs index 1fc247347..9a042c99c 100644 --- a/crates/libcontainer/src/syscall/linux.rs +++ b/crates/libcontainer/src/syscall/linux.rs @@ -13,6 +13,7 @@ use nix::{ use oci_spec::runtime::LinuxRlimit; use std::ffi::{CStr, CString, OsStr}; use std::fs; +use std::os::fd::{FromRawFd, OwnedFd}; use std::os::unix::ffi::OsStrExt; use std::os::unix::fs::symlink; use std::os::unix::io::RawFd; @@ -305,7 +306,7 @@ impl Syscall for LinuxSyscall { /// Set namespace for process fn set_ns(&self, rawfd: i32, nstype: CloneFlags) -> Result<()> { - nix::sched::setns(rawfd, nstype)?; + nix::sched::setns(unsafe { OwnedFd::from_raw_fd(rawfd) }, nstype)?; Ok(()) } diff --git a/crates/libcontainer/src/tty.rs b/crates/libcontainer/src/tty.rs index e43ecae58..93cddf4ea 100644 --- a/crates/libcontainer/src/tty.rs +++ b/crates/libcontainer/src/tty.rs @@ -2,9 +2,10 @@ use nix::errno::Errno; use nix::sys::socket::{self, UnixAddr}; -use nix::unistd::close; use nix::unistd::dup2; use std::io::IoSlice; +use std::mem::forget; +use std::os::fd::OwnedFd; use std::os::unix::fs::symlink; use std::os::unix::io::AsRawFd; use std::os::unix::prelude::RawFd; @@ -74,7 +75,7 @@ pub fn setup_console_socket( container_dir: &Path, console_socket_path: &Path, socket_name: &str, -) -> Result { +) -> Result> { let linked = container_dir.join(socket_name); symlink(console_socket_path, &linked).map_err(|err| TTYError::Symlink { source: err, @@ -82,26 +83,26 @@ pub fn setup_console_socket( console_socket_path: console_socket_path.to_path_buf().into(), })?; - let mut csocketfd = socket::socket( + let csocketfd = socket::socket( socket::AddressFamily::Unix, socket::SockType::Stream, socket::SockFlag::empty(), None, ) .map_err(|err| TTYError::CreateConsoleSocketFd { source: err })?; - csocketfd = match socket::connect( - csocketfd, + let csocketfd = match socket::connect( + csocketfd.as_raw_fd(), &socket::UnixAddr::new(socket_name).map_err(|err| TTYError::InvalidSocketName { source: err, socket_name: socket_name.to_string(), })?, ) { - Err(Errno::ENOENT) => -1, + Err(Errno::ENOENT) => None, Err(errno) => Err(TTYError::CreateConsoleSocket { source: errno, socket_name: socket_name.to_string(), })?, - Ok(()) => csocketfd, + Ok(()) => Some(csocketfd), }; Ok(csocketfd) } @@ -113,23 +114,17 @@ pub fn setup_console(console_fd: &RawFd) -> Result<()> { .map_err(|err| TTYError::CreatePseudoTerminal { source: err })?; let pty_name: &[u8] = b"/dev/ptmx"; let iov = [IoSlice::new(pty_name)]; - let fds = [openpty_result.master]; + let fds = [openpty_result.master.as_raw_fd()]; let cmsg = socket::ControlMessage::ScmRights(&fds); - socket::sendmsg::( - console_fd.as_raw_fd(), - &iov, - &[cmsg], - socket::MsgFlags::empty(), - None, - ) - .map_err(|err| TTYError::SendPtyMaster { source: err })?; + socket::sendmsg::(*console_fd, &iov, &[cmsg], socket::MsgFlags::empty(), None) + .map_err(|err| TTYError::SendPtyMaster { source: err })?; - if unsafe { libc::ioctl(openpty_result.slave, libc::TIOCSCTTY) } < 0 { + if unsafe { libc::ioctl(openpty_result.slave.as_raw_fd(), libc::TIOCSCTTY) } < 0 { tracing::warn!("could not TIOCSCTTY"); }; - let slave = openpty_result.slave; + let slave = openpty_result.slave.as_raw_fd(); + forget(openpty_result); connect_stdio(&slave, &slave, &slave)?; - close(console_fd.as_raw_fd()).map_err(|err| TTYError::CloseConsoleSocket { source: err })?; Ok(()) } @@ -186,7 +181,7 @@ mod tests { assert!(lis.is_ok()); let fd = setup_console_socket(&rundir_path, &socket_path, CONSOLE_SOCKET); assert!(fd.is_ok()); - assert_ne!(fd.unwrap().as_raw_fd(), -1); + assert!(fd.unwrap().is_some()); } #[test] @@ -197,7 +192,7 @@ mod tests { let (_testdir, rundir_path, socket_path) = init.unwrap(); let fd = setup_console_socket(&rundir_path, &socket_path, CONSOLE_SOCKET); assert!(fd.is_ok()); - assert_eq!(fd.unwrap().as_raw_fd(), -1); + assert!(fd.unwrap().is_none()); } #[test] @@ -221,7 +216,7 @@ mod tests { let lis = UnixListener::bind(Path::join(testdir.path(), "console-socket")); assert!(lis.is_ok()); let fd = setup_console_socket(&rundir_path, &socket_path, CONSOLE_SOCKET); - let status = setup_console(&fd.unwrap()); + let status = setup_console(&fd.unwrap().unwrap().as_raw_fd()); assert!(status.is_ok()); } } diff --git a/crates/libcontainer/src/utils.rs b/crates/libcontainer/src/utils.rs index 78186d093..a15ed933d 100644 --- a/crates/libcontainer/src/utils.rs +++ b/crates/libcontainer/src/utils.rs @@ -4,7 +4,6 @@ use std::collections::HashMap; use std::fs::{self, DirBuilder, File}; use std::os::linux::fs::MetadataExt; use std::os::unix::fs::DirBuilderExt; -use std::os::unix::prelude::AsRawFd; use std::path::{Component, Path, PathBuf}; use nix::sys::stat::Mode; @@ -249,7 +248,7 @@ pub fn ensure_procfs(path: &Path) -> Result<(), EnsureProcfsError> { tracing::error!(?err, ?path, "failed to open procfs file"); err })?; - let fstat_info = statfs::fstatfs(&procfs_fd.as_raw_fd()).map_err(|err| { + let fstat_info = statfs::fstatfs(&procfs_fd).map_err(|err| { tracing::error!(?err, ?path, "failed to fstatfs the procfs"); err })?; diff --git a/crates/youki/Cargo.toml b/crates/youki/Cargo.toml index f3bed39dd..daaa53441 100644 --- a/crates/youki/Cargo.toml +++ b/crates/youki/Cargo.toml @@ -31,7 +31,7 @@ chrono = { version = "0.4", default-features = false, features = ["clock", "serd libcgroups = { version = "0.2.0", path = "../libcgroups", default-features = false } libcontainer = { version = "0.2.0", path = "../libcontainer", default-features = false } liboci-cli = { version = "0.2.0", path = "../liboci-cli" } -nix = "0.26.2" +nix ={ version = "0.27.1", features = ["user", "fs"]} once_cell = "1.18.0" pentacle = "1.0.0" procfs = "0.15.1" diff --git a/tests/rust-integration-tests/integration_test/Cargo.toml b/tests/rust-integration-tests/integration_test/Cargo.toml index c9be1b97f..09707ba5e 100644 --- a/tests/rust-integration-tests/integration_test/Cargo.toml +++ b/tests/rust-integration-tests/integration_test/Cargo.toml @@ -9,7 +9,7 @@ chrono = { version = "0.4", default-features = false, features = ["clock"] } flate2 = "1.0" libcgroups = { path = "../../../crates/libcgroups" } libcontainer = { path = "../../../crates/libcontainer" } -nix = "0.26.2" +nix = "0.27.1" num_cpus = "1.16" oci-spec = { version = "0.6.1", features = ["runtime"] } once_cell = "1.18.0" diff --git a/tests/rust-integration-tests/integration_test/src/tests/seccomp_notify/seccomp_agent.rs b/tests/rust-integration-tests/integration_test/src/tests/seccomp_notify/seccomp_agent.rs index 6d5370f58..ca2bf2ec0 100644 --- a/tests/rust-integration-tests/integration_test/src/tests/seccomp_notify/seccomp_agent.rs +++ b/tests/rust-integration-tests/integration_test/src/tests/seccomp_notify/seccomp_agent.rs @@ -4,7 +4,11 @@ use nix::{ sys::socket::{self, UnixAddr}, unistd, }; -use std::{io::IoSliceMut, os::unix::prelude::RawFd, path::Path}; +use std::{ + io::IoSliceMut, + os::{fd::AsRawFd, unix::prelude::RawFd}, + path::Path, +}; const DEFAULT_BUFFER_SIZE: usize = 4096; @@ -24,14 +28,13 @@ pub fn recv_seccomp_listener(seccomp_listener: &Path) -> SeccompAgentResult { None, ) .context("failed to create seccomp listener socket")?; - socket::bind(socket, &addr).context("failed to bind to seccomp listener socket")?; + socket::bind(socket.as_raw_fd(), &addr).context("failed to bind to seccomp listener socket")?; // Force the backlog to be 1 so in the case of an error, only one connection // from clients will be waiting. - socket::listen(socket, 1).context("failed to listen on seccomp listener")?; - let conn = match socket::accept(socket) { + socket::listen(&socket, 1).context("failed to listen on seccomp listener")?; + let conn = match socket::accept(socket.as_raw_fd()) { Ok(conn) => conn, Err(e) => { - let _ = unistd::close(socket); bail!("failed to accept connection: {}", e); } }; @@ -47,14 +50,12 @@ pub fn recv_seccomp_listener(seccomp_listener: &Path) -> SeccompAgentResult { Ok(msg) => msg, Err(e) => { let _ = unistd::close(conn); - let _ = unistd::close(socket); bail!("failed to receive message: {}", e); } }; // We received the message correctly here, so we can now safely close the socket and connection. let _ = unistd::close(conn); - let _ = unistd::close(socket); // We are expecting 1 SCM_RIGHTS message with 1 fd. let cmsg = msg diff --git a/tests/rust-integration-tests/runtimetest/Cargo.toml b/tests/rust-integration-tests/runtimetest/Cargo.toml index b0ee75729..cbf13db8f 100644 --- a/tests/rust-integration-tests/runtimetest/Cargo.toml +++ b/tests/rust-integration-tests/runtimetest/Cargo.toml @@ -5,6 +5,5 @@ edition = "2021" [dependencies] oci-spec = { version = "0.6.1", features = ["runtime"] } -nix = "0.26.2" +nix = { version = "0.27.1" } anyhow = "1.0" -