The logic for the debug console meant that if the debug console was
_disabled_, the agent was guaranteed to crash on function exit due to
the unsafe code block. Fixed by simplifying the code to use the standard
`Option` idiom for optional values.
Fixes: #554.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Don't create a thread to wait for the ttRPC server to end - it isn't
required as the operation should be blocked on.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Print a simple version string rather than delaying the output
to display a structured version string. The structured output
is potentially more useful but:
- This output is not consistent with other components.
- Delaying the output makes `--version` unusable in some
environments (since a lot of setup is called before the
version string can be output).
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
When creating a container process/exec process, it should set the
"HOME" env for this process by getting from /etc/passwd.
Fixes: #498
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
When do bind mount for container's volumes, the propagation
flags should be mount/set after bind mount.
Fixes: #530
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
For docker in docker scenario, the nested container created
has entry "b *:* m" in the list of devices it is allowed to access
under /sys/fs/cgroup/devices/docker/{ctrid}/devices.list.
This entry was causing issues while starting a nested container
as we were denying "m" access to the rootfs block devices.
With this change we add back "m" access, the container would be
allowed to create a device node for the rootfs device but will
not have read-write access to the created device node.
This fixes the docker in docker use case while still making sure
the container is not allowed read/write access to the rootfs.
Note, this could also be fixed by simply skipping {"Type : "b"}
while creating the device cgroup with libcontainer.
But this seems to be undocumented behaviour at this point,
hence refrained from taking this approach.
Fixes#426
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Add support shareProcessNamespace.
BTW, this commit only support shared pid namespace by
sharing the infrastructure pause container's pid namespace
with other containers, instead of creating a new pid
namespace different from pause container.
Fixes: #342
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
Makefile is determining the architecture by running uname command
which gives ppc64le as output. But rust toolchain target is available
with the name powerpc64le for ppc64le arch. So this change took care of that.
Signed-off-by: Abhishek Dasgupta <abdasgupta@in.ibm.com>
Currently the default LIBC used to build the agent is "musl". However,
"musl" is not preset in a big portion of the distros *and* "gnu" libc
just works as expected.
Knowing that, let's add the option to the one building the project to
simply do `make LIBC=gnu` instead of expected the person to go through
the Makefile and replace musl by gnu there.
Fixes: #369
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
When the "PCIAddr" (BDF information) is available, we allow to use the
predicted "VmPath" (from kata-runtime) to locate the block device in the
agent. This is a special code path for supporting block-device/volume
passthrough w/ cloud-hypervisor when the BDF information is not
available (as of clh v0.8.0).
This is mainly porting the changes from kata-agent PR https://github.com/kata-containers/agent/pull/790,
as the related changes from kata-runtime is ported to kata 2.0 earlier
this week (https://github.com/kata-containers/kata-containers/pull/362).
Note that the upstream clh recently added the support of returning BDF
information for hotplugged devices. We will consolidate/remove this
special code path for the next upgrade of clh version in kata.
Fixes: #248
Signed-off-by: Bo Chen <chen.bo@intel.com>
It should iter the shells to find the existing shell
command instead of return an error directly when it
meet an absent shell command.
Fixes: #354
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
Changed the name of the rule that runs the tests to "test" for
consistency, but retained `check` for backwards compatibility
for now.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Dup a new file descriptor for temporary logger writer,
since this logger would be dropped and it's writer would
be closed out of if definition scope, which would cause
the logger process thread terminated if it used the original
pipe write fd.
Fixes: #318
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
With this change, a container is not longer given access to
the underlying root partition.
This is done by explicitly adding the root partition
to the device cgroup of the container.
Fixes: #317
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
The agent logger is useful and generic enough that it can be used by
other components, so move the agent logging package to below a top level
`pkg` to encourage re-use.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Clean up all clippy warning.
Also fix a bug in dealing with IFLA_IFNAME attribute.
nlh.addattr_var(IFLA_IFNAME, name.as_ptr() as *const u8, name.len() + 1);
The `name` is a rust String, which doesn't including the trailing '\0',
so name.len() + 1 may cause invalid memory access.
Signed-off-by: Liu Jiang <gerry@linux.alibaba.com>
Implment `TryFrom<IPAddress> for RtIPAddr` instead of From<IPAddress>,
so error code could be returned instead of unwrap().
Do the same for `TryFrom<Route> for RtRoute`.
Signed-off-by: Liu Jiang <gerry@linux.alibaba.com>
There are too much unsafe code in the netlink crate, we need to reduce
unsafe code as much as possible. To achieve this, methods are classified
as public interfaces and internal methods.
All public interface of RtnlHandle has been reimplemented as safe code,
only some public helper functions to manipulater Netlink message data
structures are implemented as unsafe code.
The code to parse IPv4/IPv6/MAC addresses has been moved to a dedicated
file named parser.rs.
Signed-off-by: Liu Jiang <gerry@linux.alibaba.com>
The scan_fmt crate has dependency on other four crates, and it's trivial
to use std library to implement the same logic. Get rid of scan_fmt to
reduce the dependency chain.
Signed-off-by: Liu Jiang <gerry@linux.alibaba.com>
Use features to enable/disable slog and agent handler on demand.
This helps to reduce dependency chains if slog/agent handler is unused.
Signed-off-by: Liu Jiang <gerry@linux.alibaba.com>
