diff --git a/contrib/test/integration/build/runc.yml b/contrib/test/integration/build/runc.yml
index 5f6689eee90..6f61817dcfb 100644
--- a/contrib/test/integration/build/runc.yml
+++ b/contrib/test/integration/build/runc.yml
@@ -8,7 +8,6 @@
 - name: build runc
 make:
- params: BUILDTAGS="seccomp selinux"
 chdir: "{{ ansible_env.GOPATH }}/src/github.com/opencontainers/runc"
 - name: install runc
diff --git a/dependencies.yaml b/dependencies.yaml
index e4d62bb8424..8ef4d5abcc6 100644
--- a/dependencies.yaml
+++ b/dependencies.yaml
@@ -48,7 +48,7 @@ dependencies:
 match: cri_tools_git_version
 - name: runc
- version: v1.1.1
+ version: v1.1.3
 refPaths:
 - path: scripts/versions
 match: runc
diff --git a/internal/config/cgmgr/cgroupfs.go b/internal/config/cgmgr/cgroupfs.go
index 39b89fa481d..374ca14598d 100644
--- a/internal/config/cgmgr/cgroupfs.go
+++ b/internal/config/cgmgr/cgroupfs.go
@@ -10,13 +10,10 @@ import (
 "strings"
 "github.com/containers/common/pkg/cgroups"
- "github.com/cri-o/cri-o/internal/config/node"
+ "github.com/containers/podman/v4/pkg/rootless"
 "github.com/cri-o/cri-o/utils"
- libctr "github.com/opencontainers/runc/libcontainer/cgroups"
- "github.com/opencontainers/runc/libcontainer/cgroups/fs"
- "github.com/opencontainers/runc/libcontainer/cgroups/fs2"
+ libctrCgMgr "github.com/opencontainers/runc/libcontainer/cgroups/manager"
 cgcfgs "github.com/opencontainers/runc/libcontainer/configs"
- "github.com/opencontainers/runc/libcontainer/devices"
 rspec "github.com/opencontainers/runtime-spec/specs-go"
 "github.com/pkg/errors"
 "github.com/sirupsen/logrus"
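Review bot: Removing `params: BUILDTAGS="seccomp selinux"` leaves the integration build on the runc Makefile's default tags, and nothing in the playbook records why that is now sufficient. If the intent is that runc v1.1.x builds seccomp and SELinux support without explicit tags, a comment above `make:` such as `# runc >= v1.1 builds seccomp/selinux support by default; BUILDTAGS no longer needed` would stop the next reader from re-adding them. It is also worth confirming in the test run that the installed runc still reports seccomp support, since a tag-less build would otherwise only surface as failing seccomp integration tests with no obvious cause.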
@@ -135,46 +132,27 @@ func (*CgroupfsManager) MoveConmonToCgroup(cid, cgroupParent, conmonCgroup strin
 }
 func setWorkloadSettings(cgPath string, resources *rspec.LinuxResources) (err error) {
- var mgr libctr.Manager
 if resources.CPU == nil {
 return nil
 }
- paths := map[string]string{
- "cpuset": filepath.Join("/sys/fs/cgroup", "cpuset", cgPath),
- "cpu": filepath.Join("/sys/fs/cgroup", "cpu", cgPath),
- "freezer": filepath.Join("/sys/fs/cgroup", "freezer", cgPath),
- "devices": filepath.Join("/sys/fs/cgroup", "devices", cgPath),
- }
-
 cg := &cgcfgs.Cgroup{
- Name: cgPath,
- Resources: &cgcfgs.Resources{},
- }
- if resources.CPU.Cpus != "" {
- cg.Resources.CpusetCpus = resources.CPU.Cpus
+ Path: "/" + cgPath,
+ Resources: &cgcfgs.Resources{
+ SkipDevices: true,
+ CpusetCpus: resources.CPU.Cpus,
+ },
+ Rootless: rootless.IsRootless(),
 }
 if resources.CPU.Shares != nil {
 cg.Resources.CpuShares = *resources.CPU.Shares
 }
- // We need to white list all devices
- // so containers created underneath won't fail
- cg.Resources.Devices = []*devices.Rule{
- {
- Type: devices.WildcardDevice,
- Allow: true,
- },
- }
-
- if node.CgroupIsV2() {
- mgr, err = fs2.NewManager(cg, cgPath)
- } else {
- mgr, err = fs.NewManager(cg, paths)
- }
+ mgr, err := libctrCgMgr.New(cg)
 if err != nil {
 return err
 }
+
 return mgr.Set(cg.Resources)
 }
diff --git a/scripts/versions b/scripts/versions
index 11a7499ddb0..7e61aa2549f 100755
--- a/scripts/versions
+++ b/scripts/versions
@@ -6,7 +6,7 @@ declare -A VERSIONS=(
 ["cni-plugins"]=v1.1.1
 ["conmon"]=v2.1.2
 ["cri-tools"]=v1.24.2
- ["runc"]=v1.1.1
+ ["runc"]=v1.1.3
 ["crun"]=1.4.5
 ["bats"]=v1.6.0
 )
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/manager/new.go b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/manager/new.go
new file mode 100644
index 00000000000..5df120d0f09
--- /dev/null
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/manager/new.go
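Review bot: The leading slash in `Path: "/" + cgPath` is load-bearing and undocumented: it is what makes libcontainer place the cgroup under the controller mountpoint root, matching the removed explicit `/sys/fs/cgroup/<controller>/<cgPath>` map, whereas a relative `Path` is, as I read libcontainer's path resolution, joined under the calling process's own cgroup; a comment such as `// Absolute path on purpose: anchor at the cgroup mountpoint, not relative to CRI-O's own cgroup.` would protect that. `SkipDevices: true` replaces the removed "white list all devices" rule and the explanatory comment went with it; please state why leaving the devices controller unconfigured on this parent cgroup is the intended outcome (presumably so child cgroups inherit the parent's rules rather than this code widening them — confirm). With `var mgr libctr.Manager` gone and `mgr, err := libctrCgMgr.New(cg)` now assigning the error via `:=`, the named result `(err error)` is vestigial; `func setWorkloadSettings(cgPath string, resources *rspec.LinuxResources) error` reads cleaner. setWorkloadSettings is contained entirely within this hunk.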
@@ -0,0 +1,78 @@
+package manager
+
+import (
+ "errors"
+ "fmt"
+ "path/filepath"
+
+ "github.com/opencontainers/runc/libcontainer/cgroups"
+ "github.com/opencontainers/runc/libcontainer/cgroups/fs"
+ "github.com/opencontainers/runc/libcontainer/cgroups/fs2"
+ "github.com/opencontainers/runc/libcontainer/cgroups/systemd"
+ "github.com/opencontainers/runc/libcontainer/configs"
+)
+
+// New returns the instance of a cgroup manager, which is chosen
+// based on the local environment (whether cgroup v1 or v2 is used)
+// and the config (whether config.Systemd is set or not).
+func New(config *configs.Cgroup) (cgroups.Manager, error) {
+ return NewWithPaths(config, nil)
+}
+
+// NewWithPaths is similar to New, and can be used in case cgroup paths
+// are already well known, which can save some resources.
+//
+// For cgroup v1, the keys are controller/subsystem name, and the values
+// are absolute filesystem paths to the appropriate cgroups.
+//
+// For cgroup v2, the only key allowed is "" (empty string), and the value
+// is the unified cgroup path.
+func NewWithPaths(config *configs.Cgroup, paths map[string]string) (cgroups.Manager, error) {
+ if config == nil {
+ return nil, errors.New("cgroups/manager.New: config must not be nil")
+ }
+ if config.Systemd && !systemd.IsRunningSystemd() {
+ return nil, errors.New("systemd not running on this host, cannot use systemd cgroups manager")
+ }
+
+ // Cgroup v2 aka unified hierarchy.
+ if cgroups.IsCgroup2UnifiedMode() {
+ path, err := getUnifiedPath(paths)
+ if err != nil {
+ return nil, fmt.Errorf("manager.NewWithPaths: inconsistent paths: %w", err)
+ }
+ if config.Systemd {
+ return systemd.NewUnifiedManager(config, path)
+ }
+ return fs2.NewManager(config, path)
+ }
+
+ // Cgroup v1.
+ if config.Systemd {
+ return systemd.NewLegacyManager(config, paths)
+ }
+
+ return fs.NewManager(config, paths)
+}
+
+// getUnifiedPath is an implementation detail of libcontainer factory.
+// Historically, it saves cgroup paths as per-subsystem path map (as returned
+// by cm.GetPaths(""), but with v2 we only have one single unified path
+// (with "" as a key).
+//
+// This function converts from that map to string (using "" as a key),
+// and also checks that the map itself is sane.
+func getUnifiedPath(paths map[string]string) (string, error) {
+ if len(paths) > 1 {
+ return "", fmt.Errorf("expected a single path, got %+v", paths)
+ }
+ path := paths[""]
+ // can be empty
+ if path != "" {
+ if filepath.Clean(path) != path || !filepath.IsAbs(path) {
+ return "", fmt.Errorf("invalid path: %q", path)
+ }
+ }
+
+ return path, nil
+}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 23caaef9de9..9956a3b14e5 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -1627,6 +1627,7 @@ github.com/opencontainers/runc/libcontainer/cgroups/ebpf/devicefilter
 github.com/opencontainers/runc/libcontainer/cgroups/fs
 github.com/opencontainers/runc/libcontainer/cgroups/fs2
 github.com/opencontainers/runc/libcontainer/cgroups/fscommon
+github.com/opencontainers/runc/libcontainer/cgroups/manager
 github.com/opencontainers/runc/libcontainer/cgroups/systemd
 github.com/opencontainers/runc/libcontainer/configs
 github.com/opencontainers/runc/libcontainer/devices