github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-06-25 06:52:13 +00:00
Code Issues Projects Releases Wiki Activity

agent/agent-ctl: Replace prctl crate by the capctl one

Browse Source 
While evaluating the possibility of having kata-agent statically linked
to the GNU libc, we've ended up facing some issues with prctl.

When debugging the issues, we figured out that the crate hasn't been
maintained since 2015 and that the capctl one is a good 1:1 replacement
for what we need.

Fixes: #1844

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
This commit is contained in:
Fabiano Fidêncio 2021-05-19 09:38:32 +02:00
parent d289b1d621
commit f52468bea7
8 changed files with 33 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
src/agent/Cargo.lock generated
View File

@ -117,6 +117,16 @@ version = "1.0.1"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b700ce4376041dcd0a327fd0097c41095743c4c8af8887265942faf1100bd040" checksum = "b700ce4376041dcd0a327fd0097c41095743c4c8af8887265942faf1100bd040"
[[package]]
name = "capctl"
version = "0.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "eea0d91a34c56f0a0779e1cc2ec7040fa7f672819c4d3fe7d9dd4af3d2e78aca"
dependencies = [
"bitflags",
"libc",
]
[[package]] [[package]]
name = "caps" name = "caps"
version = "0.5.2" version = "0.5.2"
@ -471,6 +481,7 @@ version = "0.1.0"
dependencies = [ dependencies = [
"anyhow", "anyhow",
"async-trait", "async-trait",
"capctl",
"cgroups-rs", "cgroups-rs",
"futures", "futures",
"ipnetwork", "ipnetwork",
@ -482,7 +493,6 @@ dependencies = [
"netlink-sys", "netlink-sys",
"nix 0.17.0", "nix 0.17.0",
"oci", "oci",
"prctl",
"procfs", "procfs",
"prometheus", "prometheus",
"protobuf", "protobuf",
@ -865,16 +875,6 @@ version = "0.2.10"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ac74c624d6b2d21f425f752262f42188365d7b8ff1aff74c82e45136510a4857" checksum = "ac74c624d6b2d21f425f752262f42188365d7b8ff1aff74c82e45136510a4857"
[[package]]
name = "prctl"
version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "059a34f111a9dee2ce1ac2826a68b24601c4298cfeb1a587c3cb493d5ab46f52"
dependencies = [
"libc",
"nix 0.20.0",
]
[[package]] [[package]]
name = "proc-macro-hack" name = "proc-macro-hack"
version = "0.5.19" version = "0.5.19"
@ -1159,6 +1159,7 @@ version = "0.1.0"
dependencies = [ dependencies = [
"anyhow", "anyhow",
"async-trait", "async-trait",
"capctl",
"caps", "caps",
"cgroups-rs", "cgroups-rs",
"futures", "futures",
@ -1168,7 +1169,6 @@ dependencies = [
"nix 0.17.0", "nix 0.17.0",
"oci", "oci",
"path-absolutize", "path-absolutize",
"prctl",
"protobuf", "protobuf",
"protocols", "protocols",
"regex", "regex",

2
src/agent/Cargo.toml
View File

@ -14,7 +14,7 @@ ttrpc = { version = "0.5.0", features = ["async", "protobuf-codec"], default-fea
protobuf = "=2.14.0" protobuf = "=2.14.0"
libc = "0.2.58" libc = "0.2.58"
nix = "0.17.0" nix = "0.17.0"
prctl = "1.0.0" capctl = "0.2.0"
serde_json = "1.0.39" serde_json = "1.0.39"
scan_fmt = "0.2.3" scan_fmt = "0.2.3"
scopeguard = "1.0.0" scopeguard = "1.0.0"

2
src/agent/rustjail/Cargo.toml
View File

@ -13,7 +13,7 @@ protocols = { path ="../protocols" }
caps = "0.5.0" caps = "0.5.0"
nix = "0.17.0" nix = "0.17.0"
scopeguard = "1.0.0" scopeguard = "1.0.0"
prctl = "1.0.0" capctl = "0.2.0"
lazy_static = "1.3.0" lazy_static = "1.3.0"
libc = "0.2.58" libc = "0.2.58"
protobuf = "=2.14.0" protobuf = "=2.14.0"

8
src/agent/rustjail/src/container.rs
View File

@ -469,7 +469,7 @@ fn do_init_child(cwfd: RawFd) -> Result<()> {
// Ref: https://github.com/opencontainers/runc/commit/50a19c6ff828c58e5dab13830bd3dacde268afe5 // Ref: https://github.com/opencontainers/runc/commit/50a19c6ff828c58e5dab13830bd3dacde268afe5
// //
if !nses.is_empty() { if !nses.is_empty() {
prctl::set_dumpable(false) capctl::prctl::set_dumpable(false)
.map_err(|e| anyhow!(e).context("set process non-dumpable failed"))?; .map_err(|e| anyhow!(e).context("set process non-dumpable failed"))?;
} }
@ -602,7 +602,7 @@ fn do_init_child(cwfd: RawFd) -> Result<()> {
// NoNewPeiviledges, Drop capabilities // NoNewPeiviledges, Drop capabilities
if oci_process.no_new_privileges { if oci_process.no_new_privileges {
prctl::set_no_new_privileges(true).map_err(|_| anyhow!("cannot set no new privileges"))?; capctl::prctl::set_no_new_privs().map_err(|_| anyhow!("cannot set no new privileges"))?;
} }
if oci_process.capabilities.is_some() { if oci_process.capabilities.is_some() {
@ -1314,7 +1314,7 @@ fn write_mappings(logger: &Logger, path: &str, maps: &[LinuxIdMapping]) -> Resul
fn setid(uid: Uid, gid: Gid) -> Result<()> { fn setid(uid: Uid, gid: Gid) -> Result<()> {
// set uid/gid // set uid/gid
prctl::set_keep_capabilities(true) capctl::prctl::set_keepcaps(true)
.map_err(|e| anyhow!(e).context("set keep capabilities returned"))?; .map_err(|e| anyhow!(e).context("set keep capabilities returned"))?;
{ {
@ -1328,7 +1328,7 @@ fn setid(uid: Uid, gid: Gid) -> Result<()> {
capabilities::reset_effective()?; capabilities::reset_effective()?;
} }
prctl::set_keep_capabilities(false) capctl::prctl::set_keepcaps(false)
.map_err(|e| anyhow!(e).context("set keep capabilities returned"))?; .map_err(|e| anyhow!(e).context("set keep capabilities returned"))?;
Ok(()) Ok(())

2
src/agent/rustjail/src/lib.rs
View File

@ -23,7 +23,7 @@ extern crate caps;
extern crate protocols; extern crate protocols;
#[macro_use] #[macro_use]
extern crate scopeguard; extern crate scopeguard;
extern crate prctl; extern crate capctl;
#[macro_use] #[macro_use]
extern crate lazy_static; extern crate lazy_static;
extern crate libc; extern crate libc;

2
src/agent/src/main.rs
View File

@ -5,8 +5,8 @@
#[macro_use] #[macro_use]
extern crate lazy_static; extern crate lazy_static;
extern crate capctl;
extern crate oci; extern crate oci;
extern crate prctl;
extern crate prometheus; extern crate prometheus;
extern crate protocols; extern crate protocols;
extern crate regex; extern crate regex;

4
src/agent/src/signal.rs
View File

@ -6,10 +6,10 @@
use crate::sandbox::Sandbox; use crate::sandbox::Sandbox;
use anyhow::{anyhow, Result}; use anyhow::{anyhow, Result};
use capctl::prctl::set_subreaper;
use nix::sys::wait::WaitPidFlag; use nix::sys::wait::WaitPidFlag;
use nix::sys::wait::{self, WaitStatus}; use nix::sys::wait::{self, WaitStatus};
use nix::unistd; use nix::unistd;
use prctl::set_child_subreaper;
use slog::{error, info, o, Logger}; use slog::{error, info, o, Logger};
use std::sync::Arc; use std::sync::Arc;
use tokio::select; use tokio::select;
@ -88,7 +88,7 @@ pub async fn setup_signal_handler(
) -> Result<()> { ) -> Result<()> {
let logger = logger.new(o!("subsystem" => "signals")); let logger = logger.new(o!("subsystem" => "signals"));
set_child_subreaper(true) set_subreaper(true)
.map_err(|err| anyhow!(err).context("failed to setup agent as a child subreaper"))?; .map_err(|err| anyhow!(err).context("failed to setup agent as a child subreaper"))?;
let mut sigchild_stream = signal(SignalKind::child())?; let mut sigchild_stream = signal(SignalKind::child())?;

22
tools/agent-ctl/Cargo.lock generated
View File

@ -116,6 +116,16 @@ version = "1.0.1"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b700ce4376041dcd0a327fd0097c41095743c4c8af8887265942faf1100bd040" checksum = "b700ce4376041dcd0a327fd0097c41095743c4c8af8887265942faf1100bd040"
[[package]]
name = "capctl"
version = "0.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "eea0d91a34c56f0a0779e1cc2ec7040fa7f672819c4d3fe7d9dd4af3d2e78aca"
dependencies = [
"bitflags",
"libc",
]
[[package]] [[package]]
name = "caps" name = "caps"
version = "0.5.2" version = "0.5.2"
@ -710,16 +720,6 @@ version = "0.2.10"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ac74c624d6b2d21f425f752262f42188365d7b8ff1aff74c82e45136510a4857" checksum = "ac74c624d6b2d21f425f752262f42188365d7b8ff1aff74c82e45136510a4857"
[[package]]
name = "prctl"
version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "059a34f111a9dee2ce1ac2826a68b24601c4298cfeb1a587c3cb493d5ab46f52"
dependencies = [
"libc",
"nix 0.20.0",
]
[[package]] [[package]]
name = "proc-macro-hack" name = "proc-macro-hack"
version = "0.5.19" version = "0.5.19"
@ -992,6 +992,7 @@ version = "0.1.0"
dependencies = [ dependencies = [
"anyhow", "anyhow",
"async-trait", "async-trait",
"capctl",
"caps", "caps",
"cgroups-rs", "cgroups-rs",
"futures", "futures",
@ -1001,7 +1002,6 @@ dependencies = [
"nix 0.17.0", "nix 0.17.0",
"oci", "oci",
"path-absolutize", "path-absolutize",
"prctl",
"protobuf", "protobuf",
"protocols", "protocols",
"regex", "regex",