diff --git a/src/capabilities.rs b/src/capabilities.rs
index 7c1ed431d..0ddfb1a34 100644
--- a/src/capabilities.rs
+++ b/src/capabilities.rs
@@ -124,14 +124,14 @@ impl CapabilityExt for SpecCapability {
 /// reset capabilities of process calling this to effective capabilities
 /// effective capability set is set of capabilities used by kernel to perform checks
 /// see https://man7.org/linux/man-pages/man7/capabilities.7.html for more information
-pub fn reset_effective(syscall: &impl Syscall) -> Result<()> {
+pub fn reset_effective(syscall: &S) -> Result<()> {
 log::debug!("reset all caps");
 syscall.set_capability(CapSet::Effective, &caps::all())?;
 Ok(())
 }
 /// Drop any extra granted capabilities, and reset to defaults which are in oci specification
-pub fn drop_privileges(cs: &LinuxCapabilities, syscall: &impl Syscall) -> Result<()> {
+pub fn drop_privileges(cs: &LinuxCapabilities, syscall: &S) -> Result<()> {
 log::debug!("dropping bounding capabilities to {:?}", cs.bounding);
 if let Some(bounding) = cs.bounding.as_ref() {
 syscall.set_capability(CapSet::Bounding, &to_set(bounding))?;
diff --git a/src/commands/create.rs b/src/commands/create.rs
index 83eb75d9f..944d21cc2 100644
--- a/src/commands/create.rs
+++ b/src/commands/create.rs
@@ -3,7 +3,7 @@ use anyhow::Result;
 use clap::Clap;
 use std::path::PathBuf;
-use crate::container::builder::ContainerBuilder;
+use crate::{container::builder::ContainerBuilder, syscall::syscall::create_syscall};
 /// This is the main structure which stores various commandline options given by
 /// high-level container runtime
@@ -50,7 +50,8 @@ impl Create {
 }
 /// Starts a new container process
 pub fn exec(&self, root_path: PathBuf, systemd_cgroup: bool) -> Result<()> {
- ContainerBuilder::new(self.container_id.clone())
+ let syscall = create_syscall();
+ ContainerBuilder::new(self.container_id.clone(), syscall.as_ref())
 .with_pid_file(self.pid_file.as_ref())
 .with_console_socket(self.console_socket.as_ref())
 .with_root_path(root_path)
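Review bot: The doc comment above `reset_effective` does not say what the call does: it sets the effective set to `caps::all()`, so it raises the process to every capability rather than resetting it to a baseline. Since the signature is being touched anyway, I would reword it along the lines of `/// Raise the effective capability set of the calling process to all capabilities; presumably narrowed again afterwards (see drop_privileges)`. In `drop_privileges`, whose body continues outside the hunk, the bounding set is only changed when `cs.bounding` is `Some`, and that also deserves a line of documentation. The new `&S` parameter has no visible generic declaration in this rendering, so the bound on `S` could not be checked here.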
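Review bot: `let syscall = create_syscall();` has to stay a named local because the builder now only borrows the syscall object (`&'a dyn Syscall` in builder.rs), and nothing in `exec` says so. A short why-comment would stop a later cleanup from folding it into an expression whose temporary dies too early: `// keep the syscall implementation alive for the whole builder chain; the builder only borrows it`. The same two lines are added in src/commands/exec.rs and want the same comment. `create_syscall` itself is not shown in this diff, so which implementation it selects could not be reviewed; as the single place where the runtime's OS interface is chosen, it should be documented there. The body of `exec` continues outside the hunk.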
diff --git a/src/commands/exec.rs b/src/commands/exec.rs
index c41f840fb..13edd707c 100644
--- a/src/commands/exec.rs
+++ b/src/commands/exec.rs
@@ -2,7 +2,7 @@ use anyhow::Result;
 use clap::Clap;
 use std::{error::Error, path::PathBuf};
-use crate::container::builder::ContainerBuilder;
+use crate::{container::builder::ContainerBuilder, syscall::syscall::create_syscall};
 #[derive(Clap, Debug)]
 pub struct Exec {
@@ -38,7 +38,8 @@ pub struct Exec {
 impl Exec {
 pub fn exec(&self, root_path: PathBuf) -> Result<()> {
- ContainerBuilder::new(self.container_id.clone())
+ let syscall = create_syscall();
+ ContainerBuilder::new(self.container_id.clone(), syscall.as_ref())
 .with_root_path(root_path)
 .with_console_socket(self.console_socket.as_ref())
 .with_pid_file(self.pid_file.as_ref())
diff --git a/src/container/builder.rs b/src/container/builder.rs
index 4821f5267..84a65e1b1 100644
--- a/src/container/builder.rs
+++ b/src/container/builder.rs
@@ -1,14 +1,14 @@
-use crate::syscall::linux::LinuxSyscall;
+use crate::syscall::Syscall;
 use std::path::PathBuf;
 use super::{init_builder::InitContainerBuilder, tenant_builder::TenantContainerBuilder};
-pub struct ContainerBuilder {
+pub struct ContainerBuilder<'a> {
 /// Id of the container
 pub(super) container_id: String,
 /// Root directory for container state
 pub(super) root_path: PathBuf,
 /// Interface to operating system primitives
- pub(super) syscall: LinuxSyscall,
+ pub(super) syscall: &'a dyn Syscall,
 /// File which will be used to communicate the pid of the
 /// container process to the higher level runtime
 pub(super) pid_file: Option,
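Review bot: The field comment `/// Interface to operating system primitives` is unchanged although the field went from an owned `LinuxSyscall` to a borrowed `&'a dyn Syscall`, so the struct docs no longer tell a reader that the builder does not own the implementation and is tied to its lifetime. Suggested wording: `/// Borrowed interface to operating system primitives; the caller supplies the implementation and must keep it alive for 'a`. Because the constructor is public, the implementation is whatever the caller passes in, so it is worth stating on the struct that callers are expected to obtain it from `create_syscall`, as the commands in this commit do. The struct definition continues outside the hunk.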
@@ -25,15 +25,16 @@ pub struct ContainerBuilder {
 ///
 /// ```no_run
 /// use youki::container::builder::ContainerBuilder;
+/// use youki::syscall::syscall::create_syscall;;
 ///
-/// ContainerBuilder::new("74f1a4cb3801".to_owned())
+/// ContainerBuilder::new("74f1a4cb3801".to_owned(), create_syscall().as_ref())
 /// .with_root_path("/run/containers/youki")
 /// .with_pid_file(Some("/var/run/docker.pid"))
 /// .with_console_socket(Some("/var/run/docker/sock.tty"))
 /// .as_init("/var/run/docker/bundle")
 /// .build();
 /// ```
-impl ContainerBuilder {
+impl<'a> ContainerBuilder<'a> {
 /// Generates the base configuration for a container which can be
 /// transformed into either a init container or a tenant container
 ///
@@ -41,16 +42,17 @@ impl ContainerBuilder {
 ///
 /// ```no_run
 /// use youki::container::builder::ContainerBuilder;
+ /// use youki::syscall::syscall::create_syscall;;
 ///
- /// let builder = ContainerBuilder::new("74f1a4cb3801".to_owned());
+ /// let builder = ContainerBuilder::new("74f1a4cb3801".to_owned(), create_syscall().as_ref());
 /// ```
- pub fn new(container_id: String) -> Self {
+ pub fn new(container_id: String, syscall: &'a dyn Syscall) -> Self {
 let root_path = PathBuf::from("/run/youki");
 Self {
 container_id,
 root_path,
- syscall: LinuxSyscall,
+ syscall,
 pid_file: None,
 console_socket: None,
 preserve_fds: 0,
@@ -62,14 +64,15 @@ impl ContainerBuilder {
 ///
 /// ```no_run
 /// # use youki::container::builder::ContainerBuilder;
+ /// # use youki::syscall::syscall::create_syscall;
 ///
- /// ContainerBuilder::new("74f1a4cb3801".to_owned())
+ /// ContainerBuilder::new("74f1a4cb3801".to_owned(), create_syscall().as_ref())
 /// .as_tenant()
 /// .with_container_args(vec!["sleep".to_owned(), "9001".to_owned()])
 /// .build();
 /// ```
 #[allow(clippy::wrong_self_convention)]
- pub fn as_tenant(self) -> TenantContainerBuilder {
+ pub fn as_tenant(self) -> TenantContainerBuilder<'a> {
 TenantContainerBuilder::new(self)
 }
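Review bot: The added doc-example line `/// use youki::syscall::syscall::create_syscall;;` ends in a doubled semicolon and should read `/// use youki::syscall::syscall::create_syscall;`. The same typo is in the example on `new` in the next hunk (@@ -41,16 +42,17 @@). The later examples in this file hide their `use` lines with `# `, while these two show them, so it is worth settling on one form for all of them.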
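Review bot: The example on `new` binds the builder with `let builder = ContainerBuilder::new("74f1a4cb3801".to_owned(), create_syscall().as_ref());`, which borrows from a temporary that is dropped at the end of that statement (assuming `create_syscall` returns an owned box, as the `.as_ref()` call suggests). The snippet should still compile only because `builder` is never used afterwards; anyone who extends it will hit a borrow error. I would split it into `let syscall = create_syscall();` followed by `let builder = ContainerBuilder::new("74f1a4cb3801".to_owned(), syscall.as_ref());`, matching what create.rs and exec.rs do. The doc comment of `new` should also gain a sentence on the new `syscall` parameter and the lifetime it imposes on the builder. The `Self { … }` initializer continues outside the hunk.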
@@ -78,14 +81,15 @@ impl ContainerBuilder {
 ///
 /// ```no_run
 /// # use youki::container::builder::ContainerBuilder;
+ /// # use youki::syscall::syscall::create_syscall;
 ///
- /// ContainerBuilder::new("74f1a4cb3801".to_owned())
+ /// ContainerBuilder::new("74f1a4cb3801".to_owned(), create_syscall().as_ref())
 /// .as_init("/var/run/docker/bundle")
 /// .with_systemd(false)
 /// .build();
 /// ```
 #[allow(clippy::wrong_self_convention)]
- pub fn as_init>(self, bundle: P) -> InitContainerBuilder {
+ pub fn as_init>(self, bundle: P) -> InitContainerBuilder<'a> {
 InitContainerBuilder::new(self, bundle.into())
 }
@@ -94,8 +98,9 @@ impl ContainerBuilder {
 ///
 /// ```no_run
 /// # use youki::container::builder::ContainerBuilder;
+ /// # use youki::syscall::syscall::create_syscall;
 ///
- /// ContainerBuilder::new("74f1a4cb3801".to_owned())
+ /// ContainerBuilder::new("74f1a4cb3801".to_owned(), create_syscall().as_ref())
 /// .with_root_path("/run/containers/youki");
 /// ```
 pub fn with_root_path>(mut self, path: P) -> Self {
@@ -109,8 +114,9 @@ impl ContainerBuilder {
 ///
 /// ```no_run
 /// # use youki::container::builder::ContainerBuilder;
+ /// # use youki::syscall::syscall::create_syscall;
 ///
- /// ContainerBuilder::new("74f1a4cb3801".to_owned())
+ /// ContainerBuilder::new("74f1a4cb3801".to_owned(), create_syscall().as_ref())
 /// .with_pid_file(Some("/var/run/docker.pid"));
 /// ```
 pub fn with_pid_file>(mut self, path: Option

) -> Self {
@@ -124,8 +130,9 @@ impl ContainerBuilder {
 ///
 /// ```no_run
 /// # use youki::container::builder::ContainerBuilder;
+ /// # use youki::syscall::syscall::create_syscall;
 ///
- /// ContainerBuilder::new("74f1a4cb3801".to_owned())
+ /// ContainerBuilder::new("74f1a4cb3801".to_owned(), create_syscall().as_ref())
 /// .with_console_socket(Some("/var/run/docker/sock.tty"));
 /// ```
 pub fn with_console_socket>(mut self, path: Option

) -> Self {
@@ -139,8 +146,9 @@ impl ContainerBuilder {
 ///
 /// ```no_run
 /// # use youki::container::builder::ContainerBuilder;
+ /// # use youki::syscall::syscall::create_syscall;
 ///
- /// ContainerBuilder::new("74f1a4cb3801".to_owned())
+ /// ContainerBuilder::new("74f1a4cb3801".to_owned(), create_syscall().as_ref())
 /// .with_preserved_fds(5);
 /// ```
 pub fn with_preserved_fds(mut self, preserved_fds: i32) -> Self {
diff --git a/src/container/builder_impl.rs b/src/container/builder_impl.rs
index b883eafe2..a1ea85553 100644
--- a/src/container/builder_impl.rs
+++ b/src/container/builder_impl.rs
@@ -3,7 +3,7 @@ use crate::{
 notify_socket::NotifyListener,
 process::{args::ContainerArgs, channel, fork, intermediate},
 rootless::{self, Rootless},
- syscall::linux::LinuxSyscall,
+ syscall::Syscall,
 utils,
 };
 use anyhow::{Context, Result};
@@ -17,7 +17,7 @@ pub(super) struct ContainerBuilderImpl<'a> {
 /// Flag indicating if an init or a tenant container should be created
 pub init: bool,
 /// Interface to operating system primitives
- pub syscall: LinuxSyscall,
+ pub syscall: &'a dyn Syscall,
 /// Flag indicating if systemd should be used for cgroup management
 pub use_systemd: bool,
 /// Id of the container
@@ -102,7 +102,7 @@ impl<'a> ContainerBuilderImpl<'a> {
 // is a shared reference, we have to clone these variables here.
 let intermediate_args = ContainerArgs {
 init: self.init,
- syscall: self.syscall.clone(),
+ syscall: self.syscall,
 spec: self.spec.clone(),
 rootfs: self.rootfs.clone(),
 console_socket: self.console_socket,
diff --git a/src/container/init_builder.rs b/src/container/init_builder.rs
index 493f918fb..acb87ca37 100644
--- a/src/container/init_builder.rs
+++ b/src/container/init_builder.rs
@@ -14,16 +14,16 @@ use super::{
 };
 // Builder that can be used to configure the properties of a new container
-pub struct InitContainerBuilder {
- base: ContainerBuilder,
+pub struct InitContainerBuilder<'a> {
+ base: ContainerBuilder<'a>,
 bundle: PathBuf,
 use_systemd: bool,
 }
-impl InitContainerBuilder {
+impl<'a> InitContainerBuilder<'a> {
 /// Generates the base configuration for a new container from which
 /// configuration methods can be chained
- pub(super) fn new(builder: ContainerBuilder, bundle: PathBuf) -> Self {
+ pub(super) fn new(builder: ContainerBuilder<'a>, bundle: PathBuf) -> Self {
 Self {
 base: builder,
 bundle,
diff --git a/src/container/tenant_builder.rs b/src/container/tenant_builder.rs
index 49e9e29d4..42059d66a 100644
--- a/src/container/tenant_builder.rs
+++ b/src/container/tenant_builder.rs
@@ -16,10 +16,10 @@ use std::{
 str::FromStr,
 };
-use crate::capabilities::CapabilityExt;
+use crate::{capabilities::CapabilityExt, container::builder_impl::ContainerBuilderImpl};
 use crate::{notify_socket::NotifySocket, rootless::Rootless, tty, utils};
-use super::{builder::ContainerBuilder, builder_impl::ContainerBuilderImpl, Container};
+use super::{builder::ContainerBuilder, Container};
 const NAMESPACE_TYPES: &[&str] = &["ipc", "uts", "net", "pid", "mnt", "cgroup"];
 const TENANT_NOTIFY: &str = "tenant-notify-";
@@ -27,8 +27,8 @@ const TENANT_TTY: &str = "tenant-tty-";
 /// Builder that can be used to configure the properties of a process
 /// that will join an existing container sandbox
-pub struct TenantContainerBuilder {
- base: ContainerBuilder,
+pub struct TenantContainerBuilder<'a> {
+ base: ContainerBuilder<'a>,
 env: HashMap,
 cwd: Option,
 args: Vec,
@@ -37,11 +37,11 @@ pub struct TenantContainerBuilder {
 process: Option,
 }
-impl TenantContainerBuilder {
+impl<'a> TenantContainerBuilder<'a> {
 /// Generates the base configuration for a process that will join
 /// an existing container sandbox from which configuration methods
 /// can be chained
- pub(super) fn new(builder: ContainerBuilder) -> Self {
+ pub(super) fn new(builder: ContainerBuilder<'a>) -> Self {
 Self {
 base: builder,
 env: HashMap::new(),
diff --git a/src/process/args.rs b/src/process/args.rs
index 0161c2ffb..e3fc35f92 100644
--- a/src/process/args.rs
+++ b/src/process/args.rs
@@ -3,13 +3,13 @@ use std::os::unix::prelude::RawFd;
 use std::path::PathBuf;
 use crate::rootless::Rootless;
-use crate::{container::Container, notify_socket::NotifyListener, syscall::linux::LinuxSyscall};
+use crate::{container::Container, notify_socket::NotifyListener, syscall::Syscall};
 pub struct ContainerArgs<'a> {
 /// Flag indicating if an init or a tenant container should be created
 pub init: bool,
 /// Interface to operating system primitives
- pub syscall: LinuxSyscall,
+ pub syscall: &'a dyn Syscall,
 /// OCI complient runtime spec
 pub spec: Spec,
 /// Root filesystem of the container
diff --git a/src/process/init.rs b/src/process/init.rs
index bacd27990..8a6ebe4af 100644
--- a/src/process/init.rs
+++ b/src/process/init.rs
@@ -1,7 +1,7 @@
 use super::args::ContainerArgs;
 use crate::{
 capabilities, hooks, namespaces::Namespaces, process::channel, rootfs, rootless::Rootless,
- seccomp, syscall::Syscall, tty, utils,
+ seccomp, tty, utils,
 };
 use anyhow::{bail, Context, Result};
 use nix::mount::mount as nix_mount;
@@ -176,7 +176,7 @@ pub fn container_init(
 args: ContainerArgs,
 sender_to_intermediate: &mut channel::SenderInitToIntermediate,
 ) -> Result<()> {
- let command = &args.syscall;
+ let command = args.syscall;
 let spec = &args.spec;
 let linux = spec.linux.as_ref().context("no linux in spec")?;
 let proc = spec.process.as_ref().context("no process in spec")?;
diff --git a/src/process/intermediate.rs b/src/process/intermediate.rs
index 26076070b..e8ec071ba 100644
--- a/src/process/intermediate.rs
+++ b/src/process/intermediate.rs
@@ -1,4 +1,4 @@
-use crate::{namespaces::Namespaces, process::channel, process::fork, syscall::Syscall};
+use crate::{namespaces::Namespaces, process::channel, process::fork};
 use anyhow::{Context, Result};
 use nix::unistd::{Gid, Uid};
 use oci_spec::runtime::LinuxNamespaceType;