diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 994a6f0c..e0415e42 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -12,7 +12,7 @@ jobs: checks: strategy: matrix: - directories: [vmm/sandbox, vmm/task, shim, quark] + directories: [vmm/sandbox, vmm/task, shim, quark, runc] features: [--all-features] include: - directories: wasm @@ -49,7 +49,7 @@ jobs: tests: strategy: matrix: - directories: [vmm/sandbox, vmm/task, shim, quark] + directories: [vmm/sandbox, vmm/task, shim, quark, runc] features: [--all-features] include: - directories: wasm diff --git a/Makefile b/Makefile index f4986d6b..2cdfb123 100644 --- a/Makefile +++ b/Makefile @@ -42,8 +42,13 @@ bin/quark-sandboxer: @cd quark && cargo build --release @mkdir -p bin && cp quark/target/release/quark-sandboxer bin/quark-sandboxer +bin/runc-sandboxer: + @cd runc && cargo build --release + @mkdir -p bin && cp runc/target/release/runc-sandboxer bin/runc-sandboxer + wasm: bin/wasm-sandboxer quark: bin/quark-sandboxer +runc: bin/runc-sandboxer ifeq ($(HYPERVISOR), stratovirt) vmm: bin/vmm-sandboxer bin/kuasar.initrd bin/vmlinux.bin @@ -57,6 +62,7 @@ clean: @cd vmm/task && cargo clean @cd wasm && cargo clean @cd quark && cargo clean + @cd runc && cargo clean install-vmm: @install -d -m 750 ${DEST_DIR}${BIN_DIR} @@ -82,4 +88,7 @@ install-wasm: install-quark: @install -p -m 550 bin/quark-sandboxer ${DEST_DIR}${BIN_DIR}/quark-sandboxer -install: all install-vmm install-wasm install-quark +install-runc: + @install -p -m 550 bin/runc-sandboxer ${DEST_DIR}${BIN_DIR}/runc-sandboxer + +install: all install-vmm install-wasm install-quark install-runc diff --git a/runc/src/common.rs b/runc/src/common.rs index e876a895..fa1011f7 100644 --- a/runc/src/common.rs +++ b/runc/src/common.rs @@ -1,17 +1,17 @@ /* - Copyright The containerd Authors. +Copyright 2022 The Kuasar Authors. - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at - http://www.apache.org/licenses/LICENSE-2.0 +http://www.apache.org/licenses/LICENSE-2.0 - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. */ use std::{io::IoSliceMut, ops::Deref, os::unix::io::RawFd, path::Path, sync::Arc}; diff --git a/runc/src/main.rs b/runc/src/main.rs index d53d5018..60299efa 100644 --- a/runc/src/main.rs +++ b/runc/src/main.rs @@ -1,3 +1,19 @@ +/* +Copyright 2022 The Kuasar Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + use std::ffi::CString; use std::os::fd::RawFd; use std::process::exit; @@ -38,7 +54,7 @@ fn main() { let os_args: Vec<_> = std::env::args_os().collect(); // TODO avoid parse args multiple times let flags = containerd_sandbox::args::parse(&os_args[1..]).unwrap(); - let task_socket = format!("{}/task-{}.sock", flags.dir, Uuid::new_v4().to_string()); + let task_socket = format!("{}/task-{}.sock", flags.dir, Uuid::new_v4()); fork_task_server(&task_socket, &flags.dir).unwrap(); let runtime = tokio::runtime::Runtime::new().unwrap(); runtime.block_on(async move { @@ -66,7 +82,7 @@ fn fork_sandbox_parent() -> Result { close(reqw).unwrap_or_default(); close(respr).unwrap_or_default(); prctl::set_child_subreaper(true).unwrap(); - let comm = format!("[sandbox-parent]"); + let comm = "[sandbox-parent]"; let comm_cstr = CString::new(comm).unwrap(); let addr = comm_cstr.as_ptr(); set_process_comm(addr as u64, comm_cstr.as_bytes_with_nul().len() as u64); @@ -82,8 +98,8 @@ fn fork_sandbox_parent() -> Result { let buffer = read_count(reqr, 512).unwrap(); let id = String::from_utf8_lossy(&buffer[0..64]).to_string(); let mut zero_index = 64; - for i in 64..512 { - if buffer[i] == 0 { + for (i, &b) in buffer.iter().enumerate().take(512).skip(64) { + if b == 0 { zero_index = i; break; } @@ -151,7 +167,7 @@ fn fork_sandbox(id: &str, netns: &str) -> Result { let r = read_count(r, 4)?; resp[..].copy_from_slice(r.as_slice()); let pid = i32::from_le_bytes(resp); - return Ok(pid); + Ok(pid) } ForkResult::Child => { close(r).unwrap_or_default(); @@ -170,7 +186,7 @@ fn fork_sandbox(id: &str, netns: &str) -> Result { set_process_comm(addr as u64, comm_cstr.as_bytes_with_nul().len() as u64); if !netns.is_empty() { let netns_fd = - nix::fcntl::open(&*netns, OFlag::O_CLOEXEC, Mode::empty()).unwrap(); + nix::fcntl::open(netns, OFlag::O_CLOEXEC, Mode::empty()).unwrap(); setns(netns_fd, CloneFlags::CLONE_NEWNET).unwrap(); } loop { @@ -183,7 +199,7 @@ fn fork_sandbox(id: &str, netns: &str) -> Result { } fn set_process_comm(addr: u64, len: u64) { - if let Err(_) = prctl::set_mm(PrctlMM::PR_SET_MM_ARG_START, addr) { + if prctl::set_mm(PrctlMM::PR_SET_MM_ARG_START, addr).is_err() { prctl::set_mm(PrctlMM::PR_SET_MM_ARG_END, addr + len).unwrap(); prctl::set_mm(PrctlMM::PR_SET_MM_ARG_START, addr).unwrap() } else { diff --git a/runc/src/runc.rs b/runc/src/runc.rs index ebdc9d1a..3b55f1fd 100644 --- a/runc/src/runc.rs +++ b/runc/src/runc.rs @@ -219,7 +219,7 @@ impl RuncFactory { if let Some(s) = socket { s.clean().await; } - let runtime_e = runtime_error(e, &*bundle).await; + let runtime_e = runtime_error(e, bundle).await; return Err(runtime_e); } copy_io_or_console(init, socket, pio, init.lifecycle.exit_signal.clone()).await?; @@ -474,7 +474,7 @@ impl ProcessLifecycle for RuncExecLifecycle { } else { // TODO this is kill from nix crate, it is os specific, maybe have annotated with target os kill( - Pid::from_raw(p.pid as i32), + Pid::from_raw(p.pid), nix::sys::signal::Signal::try_from(signal as i32).unwrap(), ) .map_err(Into::into) diff --git a/runc/src/sandbox.rs b/runc/src/sandbox.rs index ba66733c..b4435bb0 100644 --- a/runc/src/sandbox.rs +++ b/runc/src/sandbox.rs @@ -1,3 +1,19 @@ +/* +Copyright 2022 The Kuasar Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + use std::collections::HashMap; use std::io::Write; use std::os::fd::RawFd; @@ -94,11 +110,11 @@ impl Drop for SandboxParent { impl RuncSandboxer { pub async fn new(sandbox_parent: SandboxParent, task_address: &str) -> Result { - return Ok(Self { + Ok(Self { task_address: task_address.to_string(), sandboxes: Default::default(), sandbox_parent: Arc::new(Mutex::new(sandbox_parent)), - }); + }) } pub async fn recover(&self, dir: &str) -> Result<()> { @@ -161,13 +177,13 @@ impl Sandboxer for RuncSandboxer { let mut sandbox_parent = self.sandbox_parent.lock().await; let sandbox_pid = sandbox_parent.fork_sandbox_process(id, &sandbox.data.netns)?; sandbox.prepare_sandbox_ns(sandbox_pid).await.map_err(|e| { - kill(Pid::from_raw(sandbox_pid as i32), Signal::SIGKILL).unwrap_or_default(); + kill(Pid::from_raw(sandbox_pid), Signal::SIGKILL).unwrap_or_default(); e })?; sandbox.data.task_address = self.task_address.clone(); sandbox.dump().await.map_err(|e| { - kill(Pid::from_raw(sandbox_pid as i32), Signal::SIGKILL).unwrap_or_default(); + kill(Pid::from_raw(sandbox_pid), Signal::SIGKILL).unwrap_or_default(); e })?; Ok(()) @@ -290,7 +306,7 @@ impl RuncSandbox { ) .map_err(|e| anyhow!("failed to mount sandbox network ns, {}", e))?; - kill(Pid::from_raw(sandbox_pid as i32), Signal::SIGKILL).unwrap_or_default(); + kill(Pid::from_raw(sandbox_pid), Signal::SIGKILL).unwrap_or_default(); self.status = SandboxStatus::Running(0); } else { self.status = SandboxStatus::Running(sandbox_pid as u32); @@ -315,7 +331,7 @@ impl RuncSandbox { return true; } } - return false; + false } } diff --git a/runc/src/task.rs b/runc/src/task.rs index 85acbc27..7462b6c7 100644 --- a/runc/src/task.rs +++ b/runc/src/task.rs @@ -1,3 +1,19 @@ +/* +Copyright 2022 The Kuasar Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + use std::os::fd::{AsRawFd, RawFd}; use std::os::unix::net::UnixListener; use std::process::exit; @@ -34,7 +50,7 @@ pub fn fork_task_server(task_socket: &str, sandbox_parent_dir: &str) -> Result<( ForkResult::Parent { child: _ } => { close(pipe_r).unwrap_or_default(); drop(task_listener); - return Ok(()); + Ok(()) } ForkResult::Child => { close(pipe_w).unwrap_or_default();