-
Notifications
You must be signed in to change notification settings - Fork 43
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
integrate libcontainer/userns into moby/sys/user #140
integrate libcontainer/userns into moby/sys/user #140
Conversation
6438200
to
7cfea2c
Compare
/cc @AkihiroSuda @kolyshkin @cyphar @lifubang PTAL if this LGTY (related PR in runc is opencontainers/runc#4350) |
Makefile
Outdated
@@ -16,14 +16,18 @@ clean: | |||
test: test-local | |||
set -eu; \ | |||
for p in $(PACKAGES); do \ | |||
(cd $$p; go test $(RUN_VIA_SUDO) -v .); \ | |||
if $p = user && go version | grep -qv go1.17; then \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No need to support Go <= 1.20
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The other modules still have go1.17 as minimum version; I didn't want to change that as part of this PR, but we can revisit that in a follow up
user/userns/userns_linux.go
Outdated
|
||
// runningInUserNS detects whether we are currently running in a user namespace. | ||
// | ||
// Originally copied from https://github.com/lxc/incus/blob/e45085dd42f826b3c8c3228e9733c0b6f998eafe/shared/util.go#L678-L700. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: we should probably refer to runc, too.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added a mention of runc (both here, and in the package description)
It looks like git history here begins when the code was moved in runc, and contains some drastic changes (like additon and removal of a big portion of C code). IOW it's not very useful (I tried to answer simple questions like "why do we use Given that git history serves a main purpose of figuring out why (or when, or by whom) things were written the way they are written, and that this git history is:
I'm not sure it makes sense to retain it. I think it's better to just copy and commit the code @ specific commit with a clean git history, and refer to older runc history in the docs (like we did when it was copied from lxc). |
7b76d4a
to
aa1d8ad
Compare
@kolyshkin I gave this another go, and used more specific filters so that the unrelated commits don't get included. History now contains all history since the code was moved, but the merge-commit contains a link to the commits that moved it. Let me know if this looks better 🤞 |
aa1d8ad
to
6d16ea0
Compare
@kolyshkin ptal 🤗 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
|
Moving these utilities to a separate package, so that consumers of this package don't have to pull in the whole "system" package. Looking at uses of these utilities (outside of runc itself); `RunningInUserNS()` is used by [various external consumers][1], so adding a "Deprecated" alias for this. [1]: https://grep.app/search?current=2&q=.RunningInUserNS Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
For files that end with _linux.go or _linux_test.go, there is no need to specify linux build tag, as it is assumed from the file name. In addition, rename libcontainer/notify_linux_v2.go -> libcontainer/notify_v2_linux.go for the file name to make sense. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Go 1.17 introduce this new (and better) way to specify build tags. For more info, see https://golang.org/design/draft-gobuild. As a way to seamlessly switch from old to new build tags, gofmt (and gopls) from go 1.17 adds the new tags along with the old ones. Later, when go < 1.17 is no longer supported, the old build tags can be removed. Now, as I started to use latest gopls (v0.7.1), it adds these tags while I edit. Rather than to randomly add new build tags, I guess it is better to do it once for all files. Mind that previous commits removed some tags that were useless, so this one only touches packages that can at least be built on non-linux. Brought to you by go1.17 fmt ./... Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
This makes libcontainer/userns self-dependent, largely returning to the original implementation from lxc. The `uiMapInUserNS` is kept as a separate function for unit-testing and fuzzing. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Removed pre-go1.17 build-tags with go fix; go fix -mod=readonly ./... Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This was a poor decision on my side; ab29593 moved this utility to a separate package, and split the exported function from the implementation (and stubs). Out of convenience, I used an alias for the latter part, but there's two downsides to that; - `RunningInUserNS` being an exported var means that (technically) it can be replaced by other code; perhaps that's a "feature", but not one we intended it to be used for. - `RunningInUserNS` being implemented through a var / alias means it's also documented as such on [pkg.go.dev], which is confusing. This patch changes it to a regular function, acting as a wrapper for the underlying implementations. While at it, also slightly touching up the GoDoc to describe its functionality / behavior. [pkg.go.dev]: https://pkg.go.dev/github.com/opencontainers/runc@v1.1.13/libcontainer/userns#RunningInUserNS Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The fuzzer for this only runs on Linux; rename the file to be Linux-only so that we don't have to stub out the uidMapInUserNS function. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Now that we dropped support for go < 1.21, we can use this; moving the sync.once out of the runningInUserNS() implementation would also allow for it to be more easily tested if we'd decide to. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
6d16ea0
to
5cd502c
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
I'm a little late to the party (sorry 😭), but I'm actually a bit confused by this. As far as I can tell, the only thing the "user" and "userns" packages have in common is the name, so this seems like an odd grouping IMO |
I'm also missing the justification for the bump to go1.21? 5cd502c#r144637064 (and in fact, #140 (comment) seems to directly contradict doing so 🤔) |
@tianon Arf, sorry for ghosting you; I saw your comment on my phone, and wanted to bring it up in one of the calls, but I didn't make both of them, then forgot.
That, hm, is a valid point. I think I initially put it as a separate module, but then (maybe incorrectly?) recalled that there was a discussion to move this, as well as possibly the FWIW; to my knowledge none of the current consumers (moby, buildkit, containerd) have included this change in a release, so there's still a potential to change this to a separate module if we think that's better
The code in
Ah, right, so the comment was about the added check in |
The context for why I even care is that I'm a downstream user of |
So that's the long way of saying I'm very much in favor of a |
I opened a PR to move this to a separate module; |
❯ go get github.com/containers/storage@v1.53.0 go: warning: github.com/moby/sys/user@v0.2.0: retracted by module author: Package github.com/moby/sys/user/userns was included in this module, but should've been a separate module; see moby/sys#140 (comment). go: to switch to the latest unretracted version, run: go get github.com/moby/sys/user@latest go: downgraded github.com/containers/storage v1.55.0 => v1.53.0 ~/git/openshift-velero-plugin remotes/weshayutin/konveyor_dev_CVE-2024-3727* ❯ go mod tidy ~/git/openshift-velero-plugin remotes/weshayutin/konveyor_dev_CVE-2024-3727* ❯ go vet ./... Signed-off-by: Tiger Kaovilai <tkaovila@redhat.com>
….2 (#288) * CVE-2024-3727 GO-2024-2842: bump github.com/containers/image/v5 v5.30.2 Signed-off-by: Wesley Hayutin <weshayutin@gmail.com> * Fix storage import vet failure. ❯ go get github.com/containers/storage@v1.53.0 go: warning: github.com/moby/sys/user@v0.2.0: retracted by module author: Package github.com/moby/sys/user/userns was included in this module, but should've been a separate module; see moby/sys#140 (comment). go: to switch to the latest unretracted version, run: go get github.com/moby/sys/user@latest go: downgraded github.com/containers/storage v1.55.0 => v1.53.0 ~/git/openshift-velero-plugin remotes/weshayutin/konveyor_dev_CVE-2024-3727* ❯ go mod tidy ~/git/openshift-velero-plugin remotes/weshayutin/konveyor_dev_CVE-2024-3727* ❯ go vet ./... Signed-off-by: Tiger Kaovilai <tkaovila@redhat.com> --------- Signed-off-by: Wesley Hayutin <weshayutin@gmail.com> Signed-off-by: Tiger Kaovilai <tkaovila@redhat.com> Co-authored-by: Tiger Kaovilai <tkaovila@redhat.com>
internal
opencontainers/runc#3028integrate libcontainer/userns into moby/sys/user
This integrates the userns package from libcontainer (runc) at commit;
3778ae603c706494fd1e2c2faf83b406e38d687d (1).
Code was originally added through runc@c0ad40c (2), and located in the
libcontainer/system package; history of this code from before it was moved
can be found through 3 and 4.
Migration was done using the following steps: