diff --git a/src/agent/Cargo.toml b/src/agent/Cargo.toml index ceb692878c..65928f1c81 100644 --- a/src/agent/Cargo.toml +++ b/src/agent/Cargo.toml @@ -104,6 +104,5 @@ lto = true [features] seccomp = ["rustjail/seccomp"] -standard-oci-runtime = ["rustjail/standard-oci-runtime"] agent-policy = ["kata-agent-policy"] init-data = [] diff --git a/src/agent/Makefile b/src/agent/Makefile index 4305c41d43..9957955377 100644 --- a/src/agent/Makefile +++ b/src/agent/Makefile @@ -51,14 +51,6 @@ endif include ../../utils.mk -##VAR STANDARD_OCI_RUNTIME=yes|no define if agent enables standard oci runtime feature -STANDARD_OCI_RUNTIME := no - -# Enable standard oci runtime feature of rust build -ifeq ($(STANDARD_OCI_RUNTIME),yes) - override EXTRA_RUSTFEATURES += standard-oci-runtime -endif - ifneq ($(EXTRA_RUSTFEATURES),) override EXTRA_RUSTFEATURES := --features "$(EXTRA_RUSTFEATURES)" endif diff --git a/src/agent/rustjail/Cargo.toml b/src/agent/rustjail/Cargo.toml index 54c5f8689a..6240b3ce5f 100644 --- a/src/agent/rustjail/Cargo.toml +++ b/src/agent/rustjail/Cargo.toml @@ -61,4 +61,3 @@ test-utils.workspace = true [features] seccomp = ["libseccomp"] -standard-oci-runtime = [] diff --git a/src/agent/rustjail/src/console.rs b/src/agent/rustjail/src/console.rs deleted file mode 100644 index 3ac351357e..0000000000 --- a/src/agent/rustjail/src/console.rs +++ /dev/null @@ -1,77 +0,0 @@ -// SPDX-License-Identifier: Apache-2.0 -// -// Copyright 2021 Sony Group Corporation -// - -use anyhow::{anyhow, Result}; -use nix::errno::Errno; -use nix::pty; -use nix::sys::socket; -use nix::unistd::{self, dup2}; -use std::io::IoSlice; -use std::os::unix::io::{AsRawFd, RawFd}; -use std::path::Path; - -pub fn setup_console_socket(csocket_path: &str) -> Result> { - if csocket_path.is_empty() { - return Ok(None); - } - - let socket_fd = socket::socket( - socket::AddressFamily::Unix, - socket::SockType::Stream, - socket::SockFlag::empty(), - None, - )?; - - match socket::connect(socket_fd, &socket::UnixAddr::new(Path::new(csocket_path))?) { - Ok(()) => Ok(Some(socket_fd)), - Err(errno) => Err(anyhow!("failed to open console fd: {}", errno)), - } -} - -pub fn setup_master_console(socket_fd: RawFd) -> Result<()> { - let pseudo = pty::openpty(None, None)?; - - let pty_name: &[u8] = b"/dev/ptmx"; - let iov = [IoSlice::new(pty_name)]; - let fds = [pseudo.master]; - let cmsg = socket::ControlMessage::ScmRights(&fds); - - socket::sendmsg::<()>(socket_fd, &iov, &[cmsg], socket::MsgFlags::empty(), None)?; - - unistd::setsid()?; - let ret = unsafe { libc::ioctl(pseudo.slave, libc::TIOCSCTTY) }; - Errno::result(ret).map_err(|e| anyhow!(e).context("ioctl TIOCSCTTY"))?; - - dup2(pseudo.slave, std::io::stdin().as_raw_fd())?; - dup2(pseudo.slave, std::io::stdout().as_raw_fd())?; - dup2(pseudo.slave, std::io::stderr().as_raw_fd())?; - - unistd::close(socket_fd)?; - - Ok(()) -} - -#[cfg(test)] -mod tests { - use super::*; - use std::os::unix::net::UnixListener; - use tempfile::{self, tempdir}; - - const CONSOLE_SOCKET: &str = "console-socket"; - - #[test] - fn test_setup_console_socket() { - let dir = tempdir() - .map_err(|e| anyhow!(e).context("tempdir failed")) - .unwrap(); - let socket_path = dir.path().join(CONSOLE_SOCKET); - - let _listener = UnixListener::bind(&socket_path).unwrap(); - - let ret = setup_console_socket(socket_path.to_str().unwrap()); - - assert!(ret.is_ok()); - } -} diff --git a/src/agent/rustjail/src/container.rs b/src/agent/rustjail/src/container.rs index d6b2aca4c5..e6a3834118 100644 --- a/src/agent/rustjail/src/container.rs +++ b/src/agent/rustjail/src/container.rs @@ -28,8 +28,6 @@ use crate::cgroups::fs::Manager as FsManager; use crate::cgroups::mock::Manager as FsManager; use crate::cgroups::systemd::manager::Manager as SystemdManager; use crate::cgroups::{DevicesCgroupInfo, Manager}; -#[cfg(feature = "standard-oci-runtime")] -use crate::console; use crate::log_child; use crate::process::Process; use crate::process::ProcessOperations; @@ -85,7 +83,6 @@ const FIFO_FD: &str = "FIFO_FD"; const HOME_ENV_KEY: &str = "HOME"; const PIDNS_FD: &str = "PIDNS_FD"; const PIDNS_ENABLED: &str = "PIDNS_ENABLED"; -const CONSOLE_SOCKET_FD: &str = "CONSOLE_SOCKET_FD"; #[derive(Debug)] pub struct ContainerStatus { @@ -266,8 +263,6 @@ pub struct LinuxContainer { pub status: ContainerStatus, pub created: SystemTime, pub logger: Logger, - #[cfg(feature = "standard-oci-runtime")] - pub console_socket: PathBuf, } #[derive(Serialize, Deserialize, Debug)] @@ -422,9 +417,6 @@ fn do_init_child(cwfd: RawFd) -> Result<()> { let fs_cm: Result = serde_json::from_str(cm_str); let systemd_cm: Result = serde_json::from_str(cm_str); - #[cfg(feature = "standard-oci-runtime")] - let csocket_fd = console::setup_console_socket(&std::env::var(CONSOLE_SOCKET_FD)?)?; - let p = if spec.process().is_some() { spec.process().as_ref().unwrap() } else { @@ -791,19 +783,8 @@ fn do_init_child(cwfd: RawFd) -> Result<()> { let _ = unistd::close(cwfd); if oci_process.terminal().unwrap_or_default() { - cfg_if::cfg_if! { - if #[cfg(feature = "standard-oci-runtime")] { - if let Some(csocket_fd) = csocket_fd { - console::setup_master_console(csocket_fd)?; - } else { - return Err(anyhow!("failed to get console master socket fd")); - } - } - else { - unistd::setsid().context("create a new session")?; - unsafe { libc::ioctl(0, libc::TIOCSCTTY) }; - } - } + unistd::setsid().context("create a new session")?; + unsafe { libc::ioctl(0, libc::TIOCSCTTY) }; } if init { @@ -1145,7 +1126,6 @@ impl BaseContainer for LinuxContainer { } let pidns = get_pid_namespace(&self.logger, linux)?; - #[cfg(not(feature = "standard-oci-runtime"))] if !pidns.enabled { return Err(anyhow!("cannot find the pid ns")); } @@ -1157,13 +1137,6 @@ impl BaseContainer for LinuxContainer { let exec_path = std::env::current_exe()?; let mut child = std::process::Command::new(exec_path); - #[allow(unused_mut)] - let mut console_name = PathBuf::from(""); - #[cfg(feature = "standard-oci-runtime")] - if !self.console_socket.as_os_str().is_empty() { - console_name = self.console_socket.clone(); - } - let mut child = child .arg("init") .stdin(child_stdin) @@ -1174,7 +1147,6 @@ impl BaseContainer for LinuxContainer { .env(CRFD_FD, format!("{crfd}")) .env(CWFD_FD, format!("{cwfd}")) .env(CLOG_FD, format!("{cfd_log}")) - .env(CONSOLE_SOCKET_FD, console_name) .env(PIDNS_ENABLED, format!("{}", pidns.enabled)); if p.init { @@ -1765,16 +1737,8 @@ impl LinuxContainer { .unwrap() .as_secs(), logger: logger.new(o!("module" => "rustjail", "subsystem" => "container", "cid" => id)), - #[cfg(feature = "standard-oci-runtime")] - console_socket: Path::new("").to_path_buf(), }) } - - #[cfg(feature = "standard-oci-runtime")] - pub fn set_console_socket(&mut self, console_socket: &Path) -> Result<()> { - self.console_socket = console_socket.to_path_buf(); - Ok(()) - } } use std::fs::OpenOptions; diff --git a/src/agent/rustjail/src/lib.rs b/src/agent/rustjail/src/lib.rs index 3effee8889..c888a1836d 100644 --- a/src/agent/rustjail/src/lib.rs +++ b/src/agent/rustjail/src/lib.rs @@ -27,8 +27,6 @@ extern crate regex; pub mod capabilities; pub mod cgroups; -#[cfg(feature = "standard-oci-runtime")] -pub mod console; pub mod container; pub mod mount; pub mod pipestream; diff --git a/src/agent/rustjail/src/process.rs b/src/agent/rustjail/src/process.rs index 3f41b1e1b9..a7b60d1fb3 100644 --- a/src/agent/rustjail/src/process.rs +++ b/src/agent/rustjail/src/process.rs @@ -5,7 +5,7 @@ use libc::pid_t; use std::fs::File; -use std::os::unix::io::{AsRawFd, RawFd}; +use std::os::unix::io::RawFd; use tokio::sync::mpsc::Sender; use tokio_vsock::VsockStream; @@ -168,34 +168,28 @@ impl Process { info!(logger, "before create console socket!"); if !p.tty { - if cfg!(feature = "standard-oci-runtime") { - p.stdin = Some(std::io::stdin().as_raw_fd()); - p.stdout = Some(std::io::stdout().as_raw_fd()); - p.stderr = Some(std::io::stderr().as_raw_fd()); - } else { - info!(logger, "created console socket!"); + info!(logger, "created console socket!"); - let (stdin, pstdin) = unistd::pipe2(OFlag::O_CLOEXEC)?; - p.parent_stdin = Some(pstdin); - p.stdin = Some(stdin); + let (stdin, pstdin) = unistd::pipe2(OFlag::O_CLOEXEC)?; + p.parent_stdin = Some(pstdin); + p.stdin = Some(stdin); - // Make sure the parent stdin writer be inserted into - // p.writes hashmap, thus the cleanup_process_stream can - // cleanup and close the parent stdin fd. - let _ = p.get_writer(StreamType::ParentStdin); + // Make sure the parent stdin writer be inserted into + // p.writes hashmap, thus the cleanup_process_stream can + // cleanup and close the parent stdin fd. + let _ = p.get_writer(StreamType::ParentStdin); - // These pipes are necessary as the stdout/stderr of the child process - // cannot be a socket. Otherwise, some images relying on the /dev/stdout(stderr) - // and /proc/self/fd/1(2) will fail to boot as opening an existing socket - // is forbidden by the Linux kernel. - let (pstdout, stdout) = create_extended_pipe(OFlag::O_CLOEXEC, pipe_size)?; - p.parent_stdout = Some(pstdout); - p.stdout = Some(stdout); + // These pipes are necessary as the stdout/stderr of the child process + // cannot be a socket. Otherwise, some images relying on the /dev/stdout(stderr) + // and /proc/self/fd/1(2) will fail to boot as opening an existing socket + // is forbidden by the Linux kernel. + let (pstdout, stdout) = create_extended_pipe(OFlag::O_CLOEXEC, pipe_size)?; + p.parent_stdout = Some(pstdout); + p.stdout = Some(stdout); - let (pstderr, stderr) = create_extended_pipe(OFlag::O_CLOEXEC, pipe_size)?; - p.parent_stderr = Some(pstderr); - p.stderr = Some(stderr); - } + let (pstderr, stderr) = create_extended_pipe(OFlag::O_CLOEXEC, pipe_size)?; + p.parent_stderr = Some(pstderr); + p.stderr = Some(stderr); } Ok(p) } @@ -336,11 +330,5 @@ mod tests { // group of the calling process. process.pid = 0; assert!(process.signal(libc::SIGCONT).is_ok()); - - if cfg!(feature = "standard-oci-runtime") { - assert_eq!(process.stdin.unwrap(), std::io::stdin().as_raw_fd()); - assert_eq!(process.stdout.unwrap(), std::io::stdout().as_raw_fd()); - assert_eq!(process.stderr.unwrap(), std::io::stderr().as_raw_fd()); - } } } diff --git a/src/agent/src/features.rs b/src/agent/src/features.rs index c5f1b00e28..c66ea8ed10 100644 --- a/src/agent/src/features.rs +++ b/src/agent/src/features.rs @@ -10,8 +10,6 @@ pub fn get_build_features() -> Vec { "agent-policy", #[cfg(feature = "seccomp")] "seccomp", - #[cfg(feature = "standard-oci-runtime")] - "standard-oci-runtime", ]; let mut sorted: Vec = features.into_iter().map(String::from).collect();