diff --git a/src/agent/rustjail/src/cgroups/mod.rs b/src/agent/rustjail/src/cgroups/mod.rs
index c99ef469ac..abcaccb673 100644
--- a/src/agent/rustjail/src/cgroups/mod.rs
+++ b/src/agent/rustjail/src/cgroups/mod.rs
@@ -3,7 +3,6 @@
 // SPDX-License-Identifier: Apache-2.0
 //
-// use crate::configs::{FreezerState, Config};
 use anyhow::{anyhow, Result};
 use oci::LinuxResources;
 use protocols::agent::CgroupStats;
diff --git a/src/agent/rustjail/src/configs/mod.rs b/src/agent/rustjail/src/configs/mod.rs
index dea1682d26..21cc8b7c4d 100644
--- a/src/agent/rustjail/src/configs/mod.rs
+++ b/src/agent/rustjail/src/configs/mod.rs
@@ -366,128 +366,3 @@ impl IfPrioMap {
 format!("{} {}", self.interface, self.priority)
 }
 }
-
-/*
-impl Config {
- fn new(opts: &CreateOpts) -> Result {
- if opts.spec.is_none() {
- return Err(ErrorKind::ErrorCode("invalid createopts!".into()));
- }
-
- let root = unistd::getcwd().chain_err(|| "cannot getwd")?;
- let root = root.as_path().canonicalize().chain_err(||
- "cannot resolve root into absolute path")?;
- let mut root = root.into();
- let cwd = root.clone();
-
- let spec = opts.spec.as_ref().unwrap();
- if spec.root.is_none() {
- return Err(ErrorKind::ErrorCode("no root".into()));
- }
-
- let rootfs = PathBuf::from(&spec.root.as_ref().unwrap().path);
- if rootfs.is_relative() {
- root = format!("{}/{}", root, rootfs.into());
- }
-
- // handle annotations
- let mut label = spec.annotations
- .iter()
- .map(|(key, value)| format!("{}={}", key, value)).collect();
- label.push(format!("bundle={}", cwd));
-
- let mut config = Config {
- rootfs: root,
- no_pivot_root: opts.no_pivot_root,
- readonlyfs: spec.root.as_ref().unwrap().readonly,
- hostname: spec.hostname.clone(),
- labels: label,
- no_new_keyring: opts.no_new_keyring,
- rootless_euid: opts.rootless_euid,
- rootless_cgroups: opts.rootless_cgroups,
- };
-
- config.mounts = Vec::new();
- for m in &spec.mounts {
- config.mounts.push(Mount::new(&cwd, &m)?);
- }
-
- config.devices = create_devices(&spec)?;
- config.cgroups = Cgroups::new(&opts)?;
-
- if spec.linux.as_ref().is_none() {
- return Err(ErrorKind::ErrorCode("no linux configuration".into()));
- }
- let linux = spec.linux.as_ref().unwrap();
-
- let propagation = MOUNTPROPAGATIONMAPPING.get(linux.rootfs_propagation);
- if propagation.is_none() {
- Err(ErrorKind::ErrorCode("rootfs propagation not support".into()));
- }
-
- config.root_propagation = propagation.unwrap();
- if config.no_pivot_root && (config.root_propagation & MSFlags::MSPRIVATE != 0) {
- return Err(ErrorKind::ErrorCode("[r]private is not safe without pivot root".into()));
- }
-
- // handle namespaces
- let m: HashMap = HashMap::new();
- for ns in &linux.namespaces {
- if NAMESPACEMAPPING.get(&ns.r#type.as_str()).is_none() {
- return Err(ErrorKind::ErrorCode("namespace don't exist".into()));
- }
-
- if m.get(&ns.r#type).is_some() {
- return Err(ErrorKind::ErrorCode(format!("duplicate ns {}", ns.r#type)));
- }
-
- m.insert(ns.r#type, ns.path);
- }
-
- if m.contains_key(oci::NETWORKNAMESPACE) {
- let path = m.get(oci::NETWORKNAMESPACE).unwrap();
- if path == "" {
- config.networks = vec![Network {
- r#type: "loopback",
- }];
- }
- }
-
- if m.contains_key(oci::USERNAMESPACE) {
- setup_user_namespace(&spec, &mut config)?;
- }
-
- config.namespaces = m.iter().map(|(key, value)| Namespace {
- r#type: key,
- path: value,
- }).collect();
- config.mask_paths = linux.mask_paths;
- config.readonly_path = linux.readonly_path;
- config.mount_label = linux.mount_label;
- config.sysctl = linux.sysctl;
- config.seccomp = None;
- config.intelrdt = None;
-
- if spec.process.is_some() {
- let process = spec.process.as_ref().unwrap();
- config.oom_score_adj = process.oom_score_adj;
- config.process_label = process.selinux_label.clone();
- if process.capabilities.as_ref().is_some() {
- let cap = process.capabilities.as_ref().unwrap();
- config.capabilities = Some(Capabilities {
- ..cap
- })
- }
- }
- config.hooks = None;
- config.version = spec.version;
- Ok(config)
- }
-}
-
-
-impl Mount {
- fn new(cwd: &str, m: &oci::Mount) -> Result {
- }
-}
-*/
diff --git a/src/agent/rustjail/src/container.rs b/src/agent/rustjail/src/container.rs
index c6d14e63cd..7db0440796 100644
--- a/src/agent/rustjail/src/container.rs
+++ b/src/agent/rustjail/src/container.rs
@@ -3,35 +3,32 @@
 // SPDX-License-Identifier: Apache-2.0
 //
+use anyhow::{anyhow, bail, Context, Result};
 use dirs;
 use lazy_static;
+use libc::pid_t;
 use oci::{Hook, Linux, LinuxNamespace, LinuxResources, POSIXRlimit, Spec};
+use oci::{LinuxDevice, LinuxIDMapping};
 use serde_json;
+use std::clone::Clone;
 use std::ffi::{CStr, CString};
 use std::fmt;
+use std::fmt::Display;
 use std::fs;
 use std::os::unix::io::RawFd;
 use std::path::{Path, PathBuf};
-use std::time::SystemTime;
-// use crate::sync::Cond;
-use anyhow::{anyhow, bail, Context, Result};
-use libc::pid_t;
-use oci::{LinuxDevice, LinuxIDMapping};
-use std::clone::Clone;
-use std::fmt::Display;
 use std::process::Command;
+use std::time::SystemTime;
 use cgroups::freezer::FreezerState;
-use crate::process::Process;
-// use crate::intelrdt::Manager as RdtManager;
-use crate::log_child;
-use crate::specconv::CreateOpts;
-use crate::sync::*;
-// use crate::stats::Stats;
 use crate::capabilities::{self, CAPSMAP};
 use crate::cgroups::fs::Manager as FsManager;
 use crate::cgroups::Manager;
+use crate::log_child;
+use crate::process::Process;
+use crate::specconv::CreateOpts;
+use crate::sync::*;
 use crate::{mount, validator};
 use protocols::agent::StatsContainerResponse;
@@ -225,11 +222,6 @@ pub struct BaseState {
 init_process_pid: i32,
 #[serde(default)]
 init_process_start: u64,
- /*
- #[serde(default)]
- created: SystemTime,
- config: Config,
- */
 }
 pub trait BaseContainer {
@@ -291,12 +283,8 @@ pub struct SyncPC {
 }
 pub trait Container: BaseContainer {
- // fn checkpoint(&self, opts: &CriuOpts) -> Result<()>;
- // fn restore(&self, p: &Process, opts: &CriuOpts) -> Result<()>;
 fn pause(&mut self) -> Result<()>;
 fn resume(&mut self) -> Result<()>;
- // fn notify_oom(&self) -> Result<(Sender, Receiver)>;
- // fn notify_memory_pressure(&self, lvl: PressureLevel) -> Result<(Sender, Receiver)>;
 }
 impl Container for LinuxContainer {
@@ -627,7 +615,7 @@ fn do_init_child(cwfd: RawFd) -> Result<()> {
 fifofd = std::env::var(FIFO_FD)?.parse::().unwrap();
 }
- //cleanup the env inherited from parent
+ // cleanup the env inherited from parent
 for (key, _) in env::vars() {
 env::remove_var(key);
 }
@@ -636,7 +624,6 @@ fn do_init_child(cwfd: RawFd) -> Result<()> {
 for e in env.iter() {
 let v: Vec<&str> = e.splitn(2, "=").collect();
 if v.len() != 2 {
- //info!(logger, "incorrect env config!");
 continue;
 }
 env::set_var(v[0], v[1]);
@@ -780,7 +767,6 @@ impl BaseContainer for LinuxContainer {
 return Err(anyhow!("exec fifo exists"));
 }
 unistd::mkfifo(fifo_file.as_str(), Mode::from_bits(0o622).unwrap())?;
- // defer!(fs::remove_file(&fifo_file)?);
 fifofd = fcntl::open(
 fifo_file.as_str(),
@@ -1089,8 +1075,6 @@ fn do_exec(args: &[String]) -> ! {
 let a: Vec<&CStr> = sa.iter().map(|s| s.as_c_str()).collect();
 if let Err(e) = unistd::execvp(p.as_c_str(), a.as_slice()) {
- // info!(logger, "execve failed!!!");
- // info!(logger, "binary: {:?}, args: {:?}, envs: {:?}", p, a, env);
 match e {
 nix::Error::Sys(errno) => {
 std::process::exit(errno as i32);
@@ -1198,7 +1182,6 @@ fn join_namespaces(
 info!(logger, "wait child received oci spec");
- // child.try_wait()?;
 read_sync(prfd)?;
 info!(logger, "send oci process from parent to child");
@@ -1211,7 +1194,7 @@ fn join_namespaces(
 let cm_str = serde_json::to_string(cm)?;
 write_sync(pwfd, SYNC_DATA, cm_str.as_str())?;
- //wait child setup user namespace
+ // wait child setup user namespace
 info!(logger, "wait child setup user namespace");
 read_sync(prfd)?;
@@ -1270,7 +1253,7 @@ fn join_namespaces(
 read_sync(prfd)?;
 info!(logger, "get ready to run poststart hook!");
- //run poststart hook
+ // run poststart hook
 if spec.hooks.is_some() {
 info!(logger, "poststart hook");
 let hooks = spec.hooks.as_ref().unwrap();
@@ -1508,7 +1491,6 @@ fn execute_hook(logger: &Logger, h: &Hook, st: &OCIState) -> Result<()> {
 let args = h.args.clone();
 let envs = h.env.clone();
 let state = serde_json::to_string(st)?;
- // state.push_str("\n");
 let (rfd, wfd) = unistd::pipe2(OFlag::O_CLOEXEC)?;
 defer!({
@@ -1528,9 +1510,6 @@ fn execute_hook(logger: &Logger, h: &Hook, st: &OCIState) -> Result<()> {
 info!(logger, "hook child: {} status: {}", child, status);
- // let _ = wait::waitpid(_ch,
- // Some(WaitPidFlag::WEXITED | WaitPidFlag::__WALL));
-
 if status != 0 {
 if status == -libc::ETIMEDOUT {
 return Err(anyhow!(nix::Error::from_errno(Errno::ETIMEDOUT)));
@@ -1571,7 +1550,7 @@ fn execute_hook(logger: &Logger, h: &Hook, st: &OCIState) -> Result<()> {
 .spawn()
 .unwrap();
- //send out our pid
+ // send out our pid
 tx.send(child.id() as libc::pid_t).unwrap();
 info!(logger, "hook grand: {}", child.id());
@@ -1590,7 +1569,7 @@ fn execute_hook(logger: &Logger, h: &Hook, st: &OCIState) -> Result<()> {
 .unwrap()
 .read_to_string(&mut out)
 .unwrap();
- info!(logger, "{}", out.as_str());
+ info!(logger, "child stdout: {}", out.as_str());
 match child.wait() {
 Ok(exit) => {
 let code: i32 = if exit.success() {
@@ -1660,8 +1639,6 @@ fn execute_hook(logger: &Logger, h: &Hook, st: &OCIState) -> Result<()> {
 SYNC_DATA,
 std::str::from_utf8(&status.to_be_bytes()).unwrap_or_default(),
 );
- // let _ = wait::waitpid(Pid::from_raw(pid),
- // Some(WaitPidFlag::WEXITED | WaitPidFlag::__WALL));
 std::process::exit(0);
 }
 }
diff --git a/src/agent/rustjail/src/mount.rs b/src/agent/rustjail/src/mount.rs
index b45ca97cea..f759456e7a 100644
--- a/src/agent/rustjail/src/mount.rs
+++ b/src/agent/rustjail/src/mount.rs
@@ -912,8 +912,6 @@ fn mask_path(path: &str) -> Result<()> {
 return Err(nix::Error::Sys(Errno::EINVAL).into());
 }
- //info!("{}", path);
-
 match mount(
 Some("/dev/null"),
 path,
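Review bot: The new `info!(logger, "child stdout: {}", out.as_str())` in the `@@ -1590` hunk of execute_hook logs the hook's complete stdout at info level with no size cap, so a verbose or misbehaving hook can flood the agent log; the `.read_to_string(&mut out).unwrap()` feeding it on the lines above is pre-existing but has the same unbounded-buffer shape. Hook programs come from the OCI spec (`spec.hooks` in the earlier join_namespaces hunk), so their output is not something the agent controls. Consider bounding what is logged, e.g. `let shown: String = out.chars().take(MAX_HOOK_LOG_CHARS).collect();` followed by `info!(logger, "child stdout ({} bytes, truncated): {}", out.len(), shown);` with `MAX_HOOK_LOG_CHARS` a new module constant, or logging the body at debug level only. execute_hook starts and ends outside this hunk.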
@@ -929,7 +927,6 @@ fn mask_path(path: &str) -> Result<()> {
 }
 Err(e) => {
- //info!("{}: {}", path, e.as_errno().unwrap().desc());
 return Err(e.into());
 }
@@ -944,8 +941,6 @@ fn readonly_path(path: &str) -> Result<()> {
 return Err(nix::Error::Sys(Errno::EINVAL).into());
 }
- //info!("{}", path);
-
 match mount(
 Some(&path[1..]),
 path,
@@ -963,7 +958,6 @@ fn readonly_path(path: &str) -> Result<()> {
 }
 Err(e) => {
- //info!("{}: {}", path, e.as_errno().unwrap().desc());
 return Err(e.into());
 }
diff --git a/src/agent/rustjail/src/process.rs b/src/agent/rustjail/src/process.rs
index f27c4cda02..daba20e5f5 100644
--- a/src/agent/rustjail/src/process.rs
+++ b/src/agent/rustjail/src/process.rs
@@ -3,16 +3,11 @@
 // SPDX-License-Identifier: Apache-2.0
 //
-// use std::process::{Stdio, Command, ExitStatus};
 use libc::pid_t;
 use std::fs::File;
 use std::os::unix::io::RawFd;
 use std::sync::mpsc::Sender;
-// use crate::configs::{Capabilities, Rlimit};
-// use crate::cgroups::Manager as CgroupManager;
-// use crate::intelrdt::Manager as RdtManager;
-
 use nix::fcntl::{fcntl, FcntlArg, OFlag};
 use nix::sys::signal::{self, Signal};
 use nix::sys::wait::{self, WaitStatus};
@@ -31,8 +26,6 @@ pub struct Process {
 pub exit_pipe_r: Option,
 pub exit_pipe_w: Option,
 pub extra_files: Vec,
- // pub caps: Capabilities,
- // pub rlimits: Vec,
 pub term_master: Option,
 pub tty: bool,
 pub parent_stdin: Option,
diff --git a/src/agent/rustjail/src/specconv.rs b/src/agent/rustjail/src/specconv.rs
index ca67bee91e..b61e544a39 100644
--- a/src/agent/rustjail/src/specconv.rs
+++ b/src/agent/rustjail/src/specconv.rs
@@ -4,8 +4,6 @@
 //
 use oci::Spec;
-// use crate::configs::namespaces;
-// use crate::configs::device::Device;
 #[derive(Debug)]
 pub struct CreateOpts {
@@ -17,143 +15,3 @@ pub struct CreateOpts {
 pub rootless_euid: bool,
 pub rootless_cgroup: bool,
 }
-/*
-const WILDCARD: i32 = -1;
-
-lazy_static! {
- static ref NAEMSPACEMAPPING: HashMap<&'static str, &'static str> = {
- let mut m = HashMap::new();
- m.insert(oci::PIDNAMESPACE, namespaces::NEWPID);
- m.insert(oci::NETWORKNAMESPACE, namespaces::NEWNET);
- m.insert(oci::UTSNAMESPACE, namespaces::NEWUTS);
- m.insert(oci::MOUNTNAMESPACE, namespaces::NEWNS);
- m.insert(oci::IPCNAMESPACE, namespaces::NEWIPC);
- m.insert(oci::USERNAMESPACE, namespaces::NEWUSER);
- m.insert(oci::CGROUPNAMESPACE, namespaces::NEWCGROUP);
- m
- };
-
- static ref MOUNTPROPAGATIONMAPPING: HashMap<&'static str, MsFlags> = {
- let mut m = HashMap::new();
- m.insert("rprivate", MsFlags::MS_PRIVATE | MsFlags::MS_REC);
- m.insert("private", MsFlags::MS_PRIVATE);
- m.insert("rslave", MsFlags::MS_SLAVE | MsFlags::MS_REC);
- m.insert("slave", MsFlags::MS_SLAVE);
- m.insert("rshared", MsFlags::MS_SHARED | MsFlags::MS_REC);
- m.insert("shared", MsFlags::MS_SHARED);
- m.insert("runbindable", MsFlags::MS_UNBINDABLE | MsFlags::MS_REC);
- m.insert("unbindable", MsFlags::MS_UNBINDABLE);
- m
- };
-
- static ref ALLOWED_DEVICES: Vec = {
- let mut m = Vec::new();
- m.push(Device {
- r#type: 'c',
- major: WILDCARD,
- minor: WILDCARD,
- permissions: "m",
- allow: true,
- });
-
- m.push(Device {
- r#type: 'b',
- major: WILDCARD,
- minor: WILDCARD,
- permissions: "m",
- allow: true,
- });
-
- m.push(Device {
- r#type: 'c',
- path: "/dev/null".to_string(),
- major: 1,
- minor: 3,
- permissions: "rwm",
- allow: true,
- });
-
- m.push(Device {
- r#type: 'c',
- path: String::from("/dev/random"),
- major: 1,
- minor: 8,
- permissions: "rwm",
- allow: true,
- });
-
- m.push(Device {
- r#type: 'c',
- path: String::from("/dev/full"),
- major: 1,
- minor: 7,
- permissions: "rwm",
- allow: true,
- });
-
- m.push(Device {
- r#type: 'c',
- path: String::from("/dev/tty"),
- major: 5,
- minor: 0,
- permissions: "rwm",
- allow: true,
- });
-
- m.push(Device {
- r#type: 'c',
- path: String::from("/dev/zero"),
- major: 1,
- minor: 5,
- permissions: "rwm",
- allow: true,
- });
-
- m.push(Device {
- r#type: 'c',
- path: String::from("/dev/urandom"),
- major: 1,
- minor: 9,
- permissions: "rwm",
- allow: true,
- });
-
- m.push(Device {
- r#type: 'c',
- path: String::from("/dev/console"),
- major: 5,
- minor: 1,
- permissions: "rwm",
- allow: true,
- });
-
- m.push(Device {
- r#type: 'c',
- path: String::from(""),
- major: 136,
- minor: WILDCARD,
- permissions: "rwm",
- allow: true,
- });
-
- m.push(Device {
- r#type: 'c',
- path: String::from(""),
- major: 5,
- minor: 2,
- permissions: "rwm",
- allow: true,
- });
-
- m.push(Device {
- r#type: 'c',
- path: String::from(""),
- major: 10,
- minor: 200,
- permissions: "rwm",
- allow: true,
- });
- m
- };
-}
-*/