github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-06-29 16:57:18 +00:00
Code Issues Projects Releases Wiki Activity

runk: Enable seccomp support by default

Browse Source 
Enable seccomp support in `runk` by default.
Due to this, `runk` is built with `gnu libc` by default
because the building `runk` with statically linked the `libseccomp`
and `musl` requires additional configurations.
Also, general container runtimes are built with `gnu libc` as
dynamically linked binaries by default.
The user can disable seccomp by `make SECCOMP=no`.

Fixes: #4896

Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
This commit is contained in:
Manabu Sugimoto 2022-08-12 16:19:00 +09:00
parent 7cfc357c6e
commit bcf6bf843c
4 changed files with 74 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
src/tools/runk/Cargo.lock generated
View File

@ -580,6 +580,23 @@ dependencies = [
"clap", "clap",
] ]
[[package]]
name = "libseccomp"
version = "0.2.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "49bda1fbf25c42ac8942ff7df1eb6172a3bc36299e84be0dba8c888a7db68c80"
dependencies = [
"libc",
"libseccomp-sys",
"pkg-config",
]
[[package]]
name = "libseccomp-sys"
version = "0.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9a7cbbd4ad467251987c6e5b47d53b11a5a05add08f2447a9e2d70aef1e0d138"
[[package]] [[package]]
name = "linux-raw-sys" name = "linux-raw-sys"
version = "0.0.46" version = "0.0.46"
@ -827,6 +844,12 @@ version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184" checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184"
[[package]]
name = "pkg-config"
version = "0.3.25"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1df8c4ec4b0627e53bdf214615ad287367e482558cf84b109250b37464dc03ae"
[[package]] [[package]]
name = "proc-macro-error" name = "proc-macro-error"
version = "1.0.4" version = "1.0.4"
@ -1070,6 +1093,7 @@ dependencies = [
"inotify", "inotify",
"lazy_static", "lazy_static",
"libc", "libc",
"libseccomp",
"nix 0.23.1", "nix 0.23.1",
"oci", "oci",
"path-absolutize", "path-absolutize",

3
src/tools/runk/Cargo.toml
View File

@ -25,6 +25,9 @@ serde_json = "1.0.74"
users = "0.11.0" users = "0.11.0"
tabwriter = "1.2.1" tabwriter = "1.2.1"
[features]
seccomp = ["rustjail/seccomp"]
[dev-dependencies] [dev-dependencies]
tempfile = "3.3.0" tempfile = "3.3.0"

20
src/tools/runk/Makefile
View File

@ -3,20 +3,36 @@
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
# #
# LIBC=musl|gnu (default: gnu)
LIBC ?= gnu
include ../../../utils.mk include ../../../utils.mk
TARGET = runk TARGET = runk
TARGET_PATH = target/$(TRIPLE)/$(BUILD_TYPE)/$(TARGET) TARGET_PATH = target/$(TRIPLE)/$(BUILD_TYPE)/$(TARGET)
AGENT_SOURCE_PATH = ../../agent AGENT_SOURCE_PATH = ../../agent
EXTRA_RUSTFEATURES :=
# Define if runk enables seccomp support (default: yes)
SECCOMP := yes
# BINDIR is a directory for installing executable programs # BINDIR is a directory for installing executable programs
BINDIR := /usr/local/bin BINDIR := /usr/local/bin
ifeq ($(SECCOMP),yes)
override EXTRA_RUSTFEATURES += seccomp
endif
ifneq ($(EXTRA_RUSTFEATURES),)
override EXTRA_RUSTFEATURES := --features "$(EXTRA_RUSTFEATURES)"
endif
.DEFAULT_GOAL := default .DEFAULT_GOAL := default
default: build default: build
build: build:
@RUSTFLAGS="$(EXTRA_RUSTFLAGS) --deny warnings" cargo build --target $(TRIPLE) --$(BUILD_TYPE) @RUSTFLAGS="$(EXTRA_RUSTFLAGS) --deny warnings" cargo build --target $(TRIPLE) --$(BUILD_TYPE) $(EXTRA_RUSTFEATURES)
install: install:
install -D $(TARGET_PATH) $(BINDIR)/$(TARGET) install -D $(TARGET_PATH) $(BINDIR)/$(TARGET)
@ -30,7 +46,7 @@ vendor:
test: test-runk test-agent test: test-runk test-agent
test-runk: test-runk:
cargo test --all --target $(TRIPLE) -- --nocapture cargo test --all --target $(TRIPLE) $(EXTRA_RUSTFEATURES) -- --nocapture
test-agent: test-agent:
make test -C $(AGENT_SOURCE_PATH) STANDARD_OCI_RUNTIME=yes make test -C $(AGENT_SOURCE_PATH) STANDARD_OCI_RUNTIME=yes

32
src/tools/runk/README.md
View File

@ -60,17 +60,43 @@ are welcome.
Regarding features compared to `runc`, see the `Status of runk` section in the [issue](https://github.com/kata-containers/kata-containers/issues/2784). Regarding features compared to `runc`, see the `Status of runk` section in the [issue](https://github.com/kata-containers/kata-containers/issues/2784).
## Building ## Building
You can build `runk` as follows.
In order to enable seccomp support, you need to install the `libseccomp` library on
your platform.
> e.g. `libseccomp-dev` for Ubuntu, or `libseccomp-devel` for CentOS
You can build `runk`:
```bash ```bash
$ cd runk $ cd runk
$ make $ make
``` ```
To install `runk` into default directory for install executable program (`/usr/local/bin`): If you want to build a statically linked binary of `runk`, set the environment
variables for the [`libseccomp` crate](https://github.com/libseccomp-rs/libseccomp-rs) and
set the `LIBC` to `musl`:
```bash ```bash
$ sudo make install $ export LIBSECCOMP_LINK_TYPE=static
$ export LIBSECCOMP_LIB_PATH="the path of the directory containing libseccomp.a"
$ export LIBC=musl
$ make
```
> **Note**:
>
> - If the compilation fails when `runk` tries to link the `libseccomp` library statically
> against `musl`, you will need to build the `libseccomp` manually with `-U_FORTIFY_SOURCE`.
> For the details, see [our script](https://github.com/kata-containers/kata-containers/blob/main/ci/install_libseccomp.sh)
> to install the `libseccomp` for the agent.
> - On `ppc64le` and `s390x`, `glibc` should be used even if `LIBC=musl` is specified.
> - If you do not want to enable seccomp support, run `make SECCOMP=no`.
To install `runk` into default directory for executable program (`/usr/local/bin`):
```bash
$ sudo -E make install
``` ```
## Using `runk` directly ## Using `runk` directly