update nix to 0.27.1

crates/libcgroups/Cargo.toml

@@ -16,21 +16,21 @@ keywords = ["youki", "container", "cgroups"]
 default = ["v1", "v2", "systemd"]
 v1 = []
 v2 = []
-systemd = ["v2"]
-cgroupsv2_devices = ["rbpf", "libbpf-sys", "errno", "libc"]
+systemd = ["v2", "nix/socket", "nix/uio"]
+cgroupsv2_devices = ["rbpf", "libbpf-sys", "errno", "libc", "nix/dir"]
 
 [dependencies]
-nix = "0.26.2"
+nix = { version = "0.27.1", features = ["signal", "user", "fs"] }
 procfs = "0.15.1"
 oci-spec = { version = "~0.6.2", features = ["runtime"] }
 fixedbitset = "0.4.2"
 serde = { version = "1.0", features = ["derive"] }
-rbpf = {version = "0.2.0", optional = true }
+rbpf = { version = "0.2.0", optional = true }
 libbpf-sys = { version = "1.2.1", optional = true }
 errno = { version = "0.3.4", optional = true }
 libc = { version = "0.2.149", optional = true }
 thiserror = "1.0.49"
-tracing = { version = "0.1.37", features = ["attributes"]}
+tracing = { version = "0.1.37", features = ["attributes"] }
 
 [dev-dependencies]
 anyhow = "1.0"

crates/libcgroups/src/systemd/dbus_native/dbus.rs

@@ -7,6 +7,7 @@ use super::utils::{DbusError, Result, SystemdClientError};
 use nix::sys::socket;
 use std::collections::HashMap;
 use std::io::{IoSlice, IoSliceMut};
+use std::os::fd::AsRawFd;
 use std::path::PathBuf;
 use std::sync::atomic::{AtomicU32, Ordering};
 
@@ -121,17 +122,18 @@ impl DbusConnection {
     /// Open a new dbus connection to given address
     /// authenticating as user with given uid
     pub fn new(addr: &str, uid: u32, system: bool) -> Result<Self> {
-        let socket = socket::socket(
+        // Use ManuallyDrop to keep the socket open.
+        let socket = std::mem::ManuallyDrop::new(socket::socket(
             socket::AddressFamily::Unix,
             socket::SockType::Stream,
             socket::SockFlag::empty(),
             None,
-        )?;
+        )?);
 
         let addr = socket::UnixAddr::new(addr)?;
-        socket::connect(socket, &addr)?;
+        socket::connect(socket.as_raw_fd(), &addr)?;
         let mut dbus = Self {
-            socket,
+            socket: socket.as_raw_fd(),
             msg_ctr: AtomicU32::new(0),
             id: None,
             system,
@@ -237,11 +239,11 @@ impl DbusConnection {
         let mut ret = Vec::with_capacity(512);
         loop {
             let mut reply: [u8; REPLY_BUF_SIZE] = [0_u8; REPLY_BUF_SIZE];
-            let reply_buffer = IoSliceMut::new(&mut reply[0..]);
+            let mut reply_buffer = [IoSliceMut::new(&mut reply[0..])];
 
             let reply_rcvd = socket::recvmsg::<()>(
                 self.socket,
-                &mut [reply_buffer],
+                &mut reply_buffer,
                 None,
                 socket::MsgFlags::empty(),
             )?;

crates/libcontainer/Cargo.toml

@@ -22,23 +22,35 @@ cgroupsv2_devices = ["libcgroups/cgroupsv2_devices"]
 [dependencies]
 bitflags = "2.4.0"
 caps = "0.5.5"
-chrono = { version = "0.4", default-features = false, features = ["clock", "serde"] }
+chrono = { version = "0.4", default-features = false, features = [
+    "clock",
+    "serde",
+] }
 fastrand = "^2.0.1"
 futures = { version = "0.3", features = ["thread-pool"] }
 libc = "0.2.149"
-nix = "0.26.2"
+nix = { version = "0.27.1", features = [
+    "socket",
+    "sched",
+    "mount",
+    "mman",
+    "resource",
+    "dir",
+    "term",
+    "hostname",
+] }
 oci-spec = { version = "~0.6.2", features = ["runtime"] }
 once_cell = "1.18.0"
 procfs = "0.15.1"
 prctl = "1.0.0"
 libcgroups = { version = "0.2.0", path = "../libcgroups", default-features = false }
-libseccomp = { version = "0.3.0", optional=true }
+libseccomp = { version = "0.3.0", optional = true }
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
 rust-criu = "0.4.0"
 regex = "1.9.6"
 thiserror = "1.0.49"
-tracing = { version = "0.1.37", features = ["attributes"]}
+tracing = { version = "0.1.37", features = ["attributes"] }
 safe-path = "0.1.0"
 
 [dev-dependencies]

crates/libcontainer/src/channel.rs

@@ -6,7 +6,7 @@ use serde::{Deserialize, Serialize};
 use std::{
     io::{IoSlice, IoSliceMut},
     marker::PhantomData,
-    os::unix::prelude::RawFd,
+    os::{fd::AsRawFd, unix::prelude::RawFd},
 };
 
 #[derive(Debug, thiserror::Error)]
@@ -210,10 +210,16 @@ where
 
 // Use socketpair as the underlying pipe.
 fn unix_channel() -> Result<(RawFd, RawFd), ChannelError> {
-    Ok(socket::socketpair(
+    let (f1, f2) = socket::socketpair(
         socket::AddressFamily::Unix,
         socket::SockType::SeqPacket,
         None,
         socket::SockFlag::SOCK_CLOEXEC,
-    )?)
+    )?;
+    // It is not straightforward to share the OwnedFd across forks, so we
+    // treat them as i32. We use ManuallyDrop to keep the connection open.
+    let f1 = std::mem::ManuallyDrop::new(f1);
+    let f2 = std::mem::ManuallyDrop::new(f2);
+
+    Ok((f1.as_raw_fd(), f2.as_raw_fd()))
 }

crates/libcontainer/src/process/fork.rs

@@ -1,4 +1,4 @@
-use std::{ffi::c_int, num::NonZeroUsize};
+use std::{ffi::c_int, fs::File, num::NonZeroUsize};
 
 use libc::SIGCHLD;
 use nix::{
@@ -164,12 +164,14 @@ fn clone(cb: CloneCb, flags: u64, exit_signal: Option<u64>) -> Result<Pid, Clone
     // do not use MAP_GROWSDOWN since it is not well supported.
     // Ref: https://man7.org/linux/man-pages/man2/mmap.2.html
     let child_stack = unsafe {
-        mman::mmap(
+        // Since nix = "0.27.1", `mmap()` requires a generic type `F: AsFd`.
+        // `::<File>` doesn't have any meaning because we won't use it.
+        mman::mmap::<File>(
             None,
             NonZeroUsize::new(default_stack_size).ok_or(CloneError::ZeroStackSize)?,
             mman::ProtFlags::PROT_READ | mman::ProtFlags::PROT_WRITE,
             mman::MapFlags::MAP_PRIVATE | mman::MapFlags::MAP_ANONYMOUS | mman::MapFlags::MAP_STACK,
-            -1,
+            None,
             0,
         )
         .map_err(CloneError::StackAllocation)?

crates/libcontainer/src/process/seccomp_listener.rs

@@ -5,7 +5,7 @@ use nix::{
     unistd,
 };
 use oci_spec::runtime;
-use std::{io::IoSlice, path::Path};
+use std::{io::IoSlice, os::fd::AsRawFd, path::Path};
 
 use super::channel;
 
@@ -76,7 +76,7 @@ fn sync_seccomp_send_msg(listener_path: &Path, msg: &[u8], fd: i32) -> Result<()
         );
         SeccompListenerError::UnixOther(err)
     })?;
-    socket::connect(socket, &unix_addr).map_err(|err| {
+    socket::connect(socket.as_raw_fd(), &unix_addr).map_err(|err| {
         tracing::error!(
             ?err,
             ?listener_path,
@@ -91,15 +91,19 @@ fn sync_seccomp_send_msg(listener_path: &Path, msg: &[u8], fd: i32) -> Result<()
     let iov = [IoSlice::new(msg)];
     let fds = [fd];
     let cmsgs = socket::ControlMessage::ScmRights(&fds);
-    socket::sendmsg::<UnixAddr>(socket, &iov, &[cmsgs], socket::MsgFlags::empty(), None).map_err(
-        |err| {
-            tracing::error!(?err, "failed to write container state to seccomp listener");
-            SeccompListenerError::UnixOther(err)
-        },
-    )?;
+    socket::sendmsg::<UnixAddr>(
+        socket.as_raw_fd(),
+        &iov,
+        &[cmsgs],
+        socket::MsgFlags::empty(),
+        None,
+    )
+    .map_err(|err| {
+        tracing::error!(?err, "failed to write container state to seccomp listener");
+        SeccompListenerError::UnixOther(err)
+    })?;
     // The spec requires the listener socket to be closed immediately after sending.
-    let _ = unistd::close(socket);
-
+    drop(socket);
     Ok(())
 }
 

crates/libcontainer/src/syscall/linux.rs

@@ -13,6 +13,7 @@ use nix::{
 use oci_spec::runtime::LinuxRlimit;
 use std::ffi::{CStr, CString, OsStr};
 use std::fs;
+use std::os::fd::BorrowedFd;
 use std::os::unix::ffi::OsStrExt;
 use std::os::unix::fs::symlink;
 use std::os::unix::io::RawFd;
@@ -305,7 +306,8 @@ impl Syscall for LinuxSyscall {
 
     /// Set namespace for process
     fn set_ns(&self, rawfd: i32, nstype: CloneFlags) -> Result<()> {
-        nix::sched::setns(rawfd, nstype)?;
+        let fd = unsafe { BorrowedFd::borrow_raw(rawfd) };
+        nix::sched::setns(fd, nstype)?;
         Ok(())
     }
 

crates/libcontainer/src/tty.rs

@@ -81,16 +81,18 @@ pub fn setup_console_socket(
         linked: linked.to_path_buf().into(),
         console_socket_path: console_socket_path.to_path_buf().into(),
     })?;
-
-    let mut csocketfd = socket::socket(
-        socket::AddressFamily::Unix,
-        socket::SockType::Stream,
-        socket::SockFlag::empty(),
-        None,
-    )
-    .map_err(|err| TTYError::CreateConsoleSocketFd { source: err })?;
-    csocketfd = match socket::connect(
-        csocketfd,
+    // Using ManuallyDrop to keep the socket open.
+    let csocketfd = std::mem::ManuallyDrop::new(
+        socket::socket(
+            socket::AddressFamily::Unix,
+            socket::SockType::Stream,
+            socket::SockFlag::empty(),
+            None,
+        )
+        .map_err(|err| TTYError::CreateConsoleSocketFd { source: err })?,
+    );
+    let csocketfd = match socket::connect(
+        csocketfd.as_raw_fd(),
         &socket::UnixAddr::new(socket_name).map_err(|err| TTYError::InvalidSocketName {
             source: err,
             socket_name: socket_name.to_string(),
@@ -101,7 +103,7 @@ pub fn setup_console_socket(
             source: errno,
             socket_name: socket_name.to_string(),
         })?,
-        Ok(()) => csocketfd,
+        Ok(()) => csocketfd.as_raw_fd(),
     };
     Ok(csocketfd)
 }
@@ -113,7 +115,13 @@ pub fn setup_console(console_fd: &RawFd) -> Result<()> {
         .map_err(|err| TTYError::CreatePseudoTerminal { source: err })?;
     let pty_name: &[u8] = b"/dev/ptmx";
     let iov = [IoSlice::new(pty_name)];
-    let fds = [openpty_result.master];
+
+    let [master, slave] = [openpty_result.master, openpty_result.slave];
+    // Use ManuallyDrop to keep FDs open.
+    let master = std::mem::ManuallyDrop::new(master);
+    let slave = std::mem::ManuallyDrop::new(slave);
+
+    let fds = [master.as_raw_fd()];
     let cmsg = socket::ControlMessage::ScmRights(&fds);
     socket::sendmsg::<UnixAddr>(
         console_fd.as_raw_fd(),
@@ -124,10 +132,10 @@ pub fn setup_console(console_fd: &RawFd) -> Result<()> {
     )
     .map_err(|err| TTYError::SendPtyMaster { source: err })?;
 
-    if unsafe { libc::ioctl(openpty_result.slave, libc::TIOCSCTTY) } < 0 {
+    if unsafe { libc::ioctl(slave.as_raw_fd(), libc::TIOCSCTTY) } < 0 {
         tracing::warn!("could not TIOCSCTTY");
     };
-    let slave = openpty_result.slave;
+    let slave = slave.as_raw_fd();
     connect_stdio(&slave, &slave, &slave)?;
     close(console_fd.as_raw_fd()).map_err(|err| TTYError::CloseConsoleSocket { source: err })?;
 

crates/libcontainer/src/utils.rs

@@ -4,7 +4,6 @@ use std::collections::HashMap;
 use std::fs::{self, DirBuilder, File};
 use std::os::linux::fs::MetadataExt;
 use std::os::unix::fs::DirBuilderExt;
-use std::os::unix::prelude::AsRawFd;
 use std::path::{Component, Path, PathBuf};
 
 use nix::sys::stat::Mode;
@@ -249,7 +248,7 @@ pub fn ensure_procfs(path: &Path) -> Result<(), EnsureProcfsError> {
         tracing::error!(?err, ?path, "failed to open procfs file");
         err
     })?;
-    let fstat_info = statfs::fstatfs(&procfs_fd.as_raw_fd()).map_err(|err| {
+    let fstat_info = statfs::fstatfs(&procfs_fd).map_err(|err| {
         tracing::error!(?err, ?path, "failed to fstatfs the procfs");
         err
     })?;