2018-04-27 17:37:02 +00:00
|
|
|
// Copyright 2018 Google Inc.
|
|
|
|
|
//
|
|
|
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
|
// you may not use this file except in compliance with the License.
|
|
|
|
|
// You may obtain a copy of the License at
|
|
|
|
|
//
|
|
|
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
//
|
|
|
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
|
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
|
// See the License for the specific language governing permissions and
|
|
|
|
|
// limitations under the License.
|
|
|
|
|
|
2018-06-20 04:42:21 +00:00
|
|
|
// Package boot loads the kernel and runs a container.
|
2018-04-27 17:37:02 +00:00
|
|
|
package boot
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"fmt"
|
2018-10-10 21:17:27 +00:00
|
|
|
mrand "math/rand"
|
2018-08-15 23:24:07 +00:00
|
|
|
"os"
|
2018-10-10 15:59:25 +00:00
|
|
|
"runtime"
|
2018-06-22 21:30:33 +00:00
|
|
|
"sync"
|
2018-04-27 17:37:02 +00:00
|
|
|
"sync/atomic"
|
2018-08-27 18:09:06 +00:00
|
|
|
"syscall"
|
2018-04-27 17:37:02 +00:00
|
|
|
gtime "time"
|
|
|
|
|
|
|
|
|
|
specs "github.com/opencontainers/runtime-spec/specs-go"
|
|
|
|
|
"gvisor.googlesource.com/gvisor/pkg/abi/linux"
|
|
|
|
|
"gvisor.googlesource.com/gvisor/pkg/cpuid"
|
|
|
|
|
"gvisor.googlesource.com/gvisor/pkg/log"
|
2018-10-10 21:17:27 +00:00
|
|
|
"gvisor.googlesource.com/gvisor/pkg/rand"
|
2018-09-06 04:13:46 +00:00
|
|
|
"gvisor.googlesource.com/gvisor/pkg/sentry/arch"
|
2018-09-17 23:24:05 +00:00
|
|
|
"gvisor.googlesource.com/gvisor/pkg/sentry/control"
|
runsc: Support job control signals in "exec -it".
Terminal support in runsc relies on host tty file descriptors that are imported
into the sandbox. Application tty ioctls are sent directly to the host fd.
However, those host tty ioctls are associated in the host kernel with a host
process (in this case runsc), and the host kernel intercepts job control
characters like ^C and send signals to the host process. Thus, typing ^C into a
"runsc exec" shell will send a SIGINT to the runsc process.
This change makes "runsc exec" handle all signals, and forward them into the
sandbox via the "ContainerSignal" urpc method. Since the "runsc exec" is
associated with a particular container process in the sandbox, the signal must
be associated with the same container process.
One big difficulty is that the signal should not necessarily be sent to the
sandbox process started by "exec", but instead must be sent to the foreground
process group for the tty. For example, we may exec "bash", and from bash call
"sleep 100". A ^C at this point should SIGINT sleep, not bash.
To handle this, tty files inside the sandbox must keep track of their
foreground process group, which is set/get via ioctls. When an incoming
ContainerSignal urpc comes in, we look up the foreground process group via the
tty file. Unfortunately, this means we have to expose and cache the tty file in
the Loader.
Note that "runsc exec" now handles signals properly, but "runs run" does not.
That will come in a later CL, as this one is complex enough already.
Example:
root@:/usr/local/apache2# sleep 100
^C
root@:/usr/local/apache2# sleep 100
^Z
[1]+ Stopped sleep 100
root@:/usr/local/apache2# fg
sleep 100
^C
root@:/usr/local/apache2#
PiperOrigin-RevId: 215334554
Change-Id: I53cdce39653027908510a5ba8d08c49f9cf24f39
2018-10-02 05:05:41 +00:00
|
|
|
"gvisor.googlesource.com/gvisor/pkg/sentry/fs/host"
|
2018-04-27 17:37:02 +00:00
|
|
|
"gvisor.googlesource.com/gvisor/pkg/sentry/inet"
|
|
|
|
|
"gvisor.googlesource.com/gvisor/pkg/sentry/kernel"
|
|
|
|
|
"gvisor.googlesource.com/gvisor/pkg/sentry/kernel/auth"
|
|
|
|
|
"gvisor.googlesource.com/gvisor/pkg/sentry/loader"
|
|
|
|
|
"gvisor.googlesource.com/gvisor/pkg/sentry/platform"
|
|
|
|
|
"gvisor.googlesource.com/gvisor/pkg/sentry/platform/kvm"
|
|
|
|
|
"gvisor.googlesource.com/gvisor/pkg/sentry/platform/ptrace"
|
|
|
|
|
"gvisor.googlesource.com/gvisor/pkg/sentry/sighandling"
|
|
|
|
|
slinux "gvisor.googlesource.com/gvisor/pkg/sentry/syscalls/linux"
|
|
|
|
|
"gvisor.googlesource.com/gvisor/pkg/sentry/time"
|
2018-09-18 04:33:51 +00:00
|
|
|
"gvisor.googlesource.com/gvisor/pkg/sentry/usage"
|
2018-04-27 17:37:02 +00:00
|
|
|
"gvisor.googlesource.com/gvisor/pkg/sentry/watchdog"
|
2018-05-02 05:11:07 +00:00
|
|
|
"gvisor.googlesource.com/gvisor/pkg/tcpip"
|
2018-04-27 17:37:02 +00:00
|
|
|
"gvisor.googlesource.com/gvisor/pkg/tcpip/link/sniffer"
|
|
|
|
|
"gvisor.googlesource.com/gvisor/pkg/tcpip/network/arp"
|
|
|
|
|
"gvisor.googlesource.com/gvisor/pkg/tcpip/network/ipv4"
|
|
|
|
|
"gvisor.googlesource.com/gvisor/pkg/tcpip/network/ipv6"
|
|
|
|
|
"gvisor.googlesource.com/gvisor/pkg/tcpip/stack"
|
2018-05-02 05:50:55 +00:00
|
|
|
"gvisor.googlesource.com/gvisor/pkg/tcpip/transport/ping"
|
2018-04-27 17:37:02 +00:00
|
|
|
"gvisor.googlesource.com/gvisor/pkg/tcpip/transport/tcp"
|
|
|
|
|
"gvisor.googlesource.com/gvisor/pkg/tcpip/transport/udp"
|
|
|
|
|
"gvisor.googlesource.com/gvisor/runsc/boot/filter"
|
|
|
|
|
"gvisor.googlesource.com/gvisor/runsc/specutils"
|
|
|
|
|
|
|
|
|
|
// Include supported socket providers.
|
|
|
|
|
"gvisor.googlesource.com/gvisor/pkg/sentry/socket/epsocket"
|
|
|
|
|
"gvisor.googlesource.com/gvisor/pkg/sentry/socket/hostinet"
|
|
|
|
|
_ "gvisor.googlesource.com/gvisor/pkg/sentry/socket/netlink"
|
|
|
|
|
_ "gvisor.googlesource.com/gvisor/pkg/sentry/socket/netlink/route"
|
|
|
|
|
_ "gvisor.googlesource.com/gvisor/pkg/sentry/socket/unix"
|
|
|
|
|
)
|
|
|
|
|
|
2018-05-17 18:54:36 +00:00
|
|
|
// Loader keeps state needed to start the kernel and run the container..
|
2018-04-27 17:37:02 +00:00
|
|
|
type Loader struct {
|
|
|
|
|
// k is the kernel.
|
|
|
|
|
k *kernel.Kernel
|
|
|
|
|
|
|
|
|
|
// ctrl is the control server.
|
|
|
|
|
ctrl *controller
|
|
|
|
|
|
|
|
|
|
conf *Config
|
|
|
|
|
|
|
|
|
|
// console is set to true if terminal is enabled.
|
|
|
|
|
console bool
|
|
|
|
|
|
|
|
|
|
watchdog *watchdog.Watchdog
|
|
|
|
|
|
2018-09-20 05:19:10 +00:00
|
|
|
// stdioFDs contains stdin, stdout, and stderr.
|
|
|
|
|
stdioFDs []int
|
|
|
|
|
|
|
|
|
|
// goferFDs are the FDs that attach the sandbox to the gofers.
|
|
|
|
|
goferFDs []int
|
2018-07-18 23:57:29 +00:00
|
|
|
|
|
|
|
|
// spec is the base configuration for the root container.
|
|
|
|
|
spec *specs.Spec
|
|
|
|
|
|
2018-09-07 20:38:12 +00:00
|
|
|
// startSignalForwarding enables forwarding of signals to the sandboxed
|
|
|
|
|
// container. It should be called after the init process is loaded.
|
|
|
|
|
startSignalForwarding func() func()
|
|
|
|
|
|
2018-04-27 17:37:02 +00:00
|
|
|
// stopSignalForwarding disables forwarding of signals to the sandboxed
|
2018-05-17 18:54:36 +00:00
|
|
|
// container. It should be called when a sandbox is destroyed.
|
2018-04-27 17:37:02 +00:00
|
|
|
stopSignalForwarding func()
|
|
|
|
|
|
2018-06-29 21:46:45 +00:00
|
|
|
// restore is set to true if we are restoring a container.
|
|
|
|
|
restore bool
|
|
|
|
|
|
2018-06-20 04:42:21 +00:00
|
|
|
// rootProcArgs refers to the root sandbox init task.
|
|
|
|
|
rootProcArgs kernel.CreateProcessArgs
|
2018-06-22 21:30:33 +00:00
|
|
|
|
2018-06-28 21:55:46 +00:00
|
|
|
// sandboxID is the ID for the whole sandbox.
|
|
|
|
|
sandboxID string
|
|
|
|
|
|
2018-09-28 06:54:13 +00:00
|
|
|
// mu guards processes.
|
2018-06-22 21:30:33 +00:00
|
|
|
mu sync.Mutex
|
|
|
|
|
|
2018-10-17 19:27:58 +00:00
|
|
|
// processes maps containers init process and invocation of exec. Root
|
2018-09-28 06:54:13 +00:00
|
|
|
// processes are keyed with container ID and pid=0, while exec invocations
|
|
|
|
|
// have the corresponding pid set.
|
2018-06-22 21:30:33 +00:00
|
|
|
//
|
2018-09-28 06:54:13 +00:00
|
|
|
// processes is guardded by mu.
|
runsc: Support job control signals in "exec -it".
Terminal support in runsc relies on host tty file descriptors that are imported
into the sandbox. Application tty ioctls are sent directly to the host fd.
However, those host tty ioctls are associated in the host kernel with a host
process (in this case runsc), and the host kernel intercepts job control
characters like ^C and send signals to the host process. Thus, typing ^C into a
"runsc exec" shell will send a SIGINT to the runsc process.
This change makes "runsc exec" handle all signals, and forward them into the
sandbox via the "ContainerSignal" urpc method. Since the "runsc exec" is
associated with a particular container process in the sandbox, the signal must
be associated with the same container process.
One big difficulty is that the signal should not necessarily be sent to the
sandbox process started by "exec", but instead must be sent to the foreground
process group for the tty. For example, we may exec "bash", and from bash call
"sleep 100". A ^C at this point should SIGINT sleep, not bash.
To handle this, tty files inside the sandbox must keep track of their
foreground process group, which is set/get via ioctls. When an incoming
ContainerSignal urpc comes in, we look up the foreground process group via the
tty file. Unfortunately, this means we have to expose and cache the tty file in
the Loader.
Note that "runsc exec" now handles signals properly, but "runs run" does not.
That will come in a later CL, as this one is complex enough already.
Example:
root@:/usr/local/apache2# sleep 100
^C
root@:/usr/local/apache2# sleep 100
^Z
[1]+ Stopped sleep 100
root@:/usr/local/apache2# fg
sleep 100
^C
root@:/usr/local/apache2#
PiperOrigin-RevId: 215334554
Change-Id: I53cdce39653027908510a5ba8d08c49f9cf24f39
2018-10-02 05:05:41 +00:00
|
|
|
processes map[execID]*execProcess
|
2018-09-17 23:24:05 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// execID uniquely identifies a sentry process.
|
|
|
|
|
type execID struct {
|
|
|
|
|
cid string
|
|
|
|
|
pid kernel.ThreadID
|
2018-04-27 17:37:02 +00:00
|
|
|
}
|
|
|
|
|
|
runsc: Support job control signals in "exec -it".
Terminal support in runsc relies on host tty file descriptors that are imported
into the sandbox. Application tty ioctls are sent directly to the host fd.
However, those host tty ioctls are associated in the host kernel with a host
process (in this case runsc), and the host kernel intercepts job control
characters like ^C and send signals to the host process. Thus, typing ^C into a
"runsc exec" shell will send a SIGINT to the runsc process.
This change makes "runsc exec" handle all signals, and forward them into the
sandbox via the "ContainerSignal" urpc method. Since the "runsc exec" is
associated with a particular container process in the sandbox, the signal must
be associated with the same container process.
One big difficulty is that the signal should not necessarily be sent to the
sandbox process started by "exec", but instead must be sent to the foreground
process group for the tty. For example, we may exec "bash", and from bash call
"sleep 100". A ^C at this point should SIGINT sleep, not bash.
To handle this, tty files inside the sandbox must keep track of their
foreground process group, which is set/get via ioctls. When an incoming
ContainerSignal urpc comes in, we look up the foreground process group via the
tty file. Unfortunately, this means we have to expose and cache the tty file in
the Loader.
Note that "runsc exec" now handles signals properly, but "runs run" does not.
That will come in a later CL, as this one is complex enough already.
Example:
root@:/usr/local/apache2# sleep 100
^C
root@:/usr/local/apache2# sleep 100
^Z
[1]+ Stopped sleep 100
root@:/usr/local/apache2# fg
sleep 100
^C
root@:/usr/local/apache2#
PiperOrigin-RevId: 215334554
Change-Id: I53cdce39653027908510a5ba8d08c49f9cf24f39
2018-10-02 05:05:41 +00:00
|
|
|
// execProcess contains the thread group and host TTY of a sentry process.
|
|
|
|
|
type execProcess struct {
|
|
|
|
|
tg *kernel.ThreadGroup
|
|
|
|
|
|
|
|
|
|
// tty will be nil if the process is not attached to a terminal.
|
|
|
|
|
tty *host.TTYFileOperations
|
|
|
|
|
}
|
|
|
|
|
|
2018-04-27 17:37:02 +00:00
|
|
|
func init() {
|
|
|
|
|
// Initialize the random number generator.
|
2018-10-10 21:17:27 +00:00
|
|
|
mrand.Seed(gtime.Now().UnixNano())
|
2018-04-27 17:37:02 +00:00
|
|
|
|
|
|
|
|
// Register the global syscall table.
|
|
|
|
|
kernel.RegisterSyscallTable(slinux.AMD64)
|
|
|
|
|
}
|
|
|
|
|
|
2018-10-10 15:59:25 +00:00
|
|
|
// Args are the arguments for New().
|
|
|
|
|
type Args struct {
|
|
|
|
|
// Id is the sandbox ID.
|
|
|
|
|
ID string
|
|
|
|
|
// Spec is the sandbox specification.
|
|
|
|
|
Spec *specs.Spec
|
|
|
|
|
// Conf is the system configuration.
|
|
|
|
|
Conf *Config
|
|
|
|
|
// ControllerFD is the FD to the URPC controller.
|
|
|
|
|
ControllerFD int
|
|
|
|
|
// DeviceFD is an optional argument that is passed to the platform.
|
|
|
|
|
DeviceFD int
|
|
|
|
|
// GoferFDs is an array of FDs used to connect with the Gofer.
|
|
|
|
|
GoferFDs []int
|
|
|
|
|
// StdioFDs is the stdio for the application.
|
|
|
|
|
StdioFDs []int
|
|
|
|
|
// Console is set to true if using TTY.
|
|
|
|
|
Console bool
|
|
|
|
|
// NumCPU is the number of CPUs to create inside the sandbox.
|
|
|
|
|
NumCPU int
|
|
|
|
|
// TotalMem is the initial amount of total memory to report back to the
|
|
|
|
|
// container.
|
|
|
|
|
TotalMem uint64
|
2018-10-11 18:55:45 +00:00
|
|
|
// UserLogFD is the file descriptor to write user logs to.
|
|
|
|
|
UserLogFD int
|
2018-10-10 15:59:25 +00:00
|
|
|
}
|
|
|
|
|
|
2018-04-27 17:37:02 +00:00
|
|
|
// New initializes a new kernel loader configured by spec.
|
2018-06-29 21:46:45 +00:00
|
|
|
// New also handles setting up a kernel for restoring a container.
|
2018-10-10 15:59:25 +00:00
|
|
|
func New(args Args) (*Loader, error) {
|
2018-10-10 21:17:27 +00:00
|
|
|
// We initialize the rand package now to make sure /dev/urandom is pre-opened
|
|
|
|
|
// on kernels that do not support getrandom(2).
|
|
|
|
|
if err := rand.Init(); err != nil {
|
|
|
|
|
return nil, fmt.Errorf("error setting up rand: %v", err)
|
|
|
|
|
}
|
|
|
|
|
|
2018-09-18 04:33:51 +00:00
|
|
|
if err := usage.Init(); err != nil {
|
2018-10-09 00:43:31 +00:00
|
|
|
return nil, fmt.Errorf("error setting up memory usage: %v", err)
|
2018-09-18 04:33:51 +00:00
|
|
|
}
|
2018-10-10 21:17:27 +00:00
|
|
|
|
2018-04-27 17:37:02 +00:00
|
|
|
// Create kernel and platform.
|
2018-10-10 15:59:25 +00:00
|
|
|
p, err := createPlatform(args.Conf, args.DeviceFD)
|
2018-04-27 17:37:02 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, fmt.Errorf("error creating platform: %v", err)
|
|
|
|
|
}
|
|
|
|
|
k := &kernel.Kernel{
|
|
|
|
|
Platform: p,
|
|
|
|
|
}
|
|
|
|
|
|
2018-07-18 23:57:29 +00:00
|
|
|
// Create VDSO.
|
|
|
|
|
//
|
|
|
|
|
// Pass k as the platform since it is savable, unlike the actual platform.
|
|
|
|
|
vdso, err := loader.PrepareVDSO(k)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, fmt.Errorf("error creating vdso: %v", err)
|
|
|
|
|
}
|
2018-04-27 17:37:02 +00:00
|
|
|
|
2018-07-18 23:57:29 +00:00
|
|
|
// Create timekeeper.
|
|
|
|
|
tk, err := kernel.NewTimekeeper(k, vdso.ParamPage.FileRange())
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, fmt.Errorf("error creating timekeeper: %v", err)
|
|
|
|
|
}
|
|
|
|
|
tk.SetClocks(time.NewCalibratedClocks())
|
2018-04-27 17:37:02 +00:00
|
|
|
|
2018-10-10 15:59:25 +00:00
|
|
|
if err := enableStrace(args.Conf); err != nil {
|
2018-09-07 17:44:50 +00:00
|
|
|
return nil, fmt.Errorf("failed to enable strace: %v", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Create an empty network stack because the network namespace may be empty at
|
|
|
|
|
// this point. Netns is configured before Run() is called. Netstack is
|
|
|
|
|
// configured using a control uRPC message. Host network is configured inside
|
|
|
|
|
// Run().
|
2018-10-10 15:59:25 +00:00
|
|
|
networkStack, err := newEmptyNetworkStack(args.Conf, k)
|
2018-09-07 17:44:50 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, fmt.Errorf("failed to create network: %v", err)
|
|
|
|
|
}
|
|
|
|
|
|
2018-07-18 23:57:29 +00:00
|
|
|
// Create capabilities.
|
2018-10-10 15:59:25 +00:00
|
|
|
caps, err := specutils.Capabilities(args.Spec.Process.Capabilities)
|
2018-07-18 23:57:29 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, fmt.Errorf("error creating capabilities: %v", err)
|
|
|
|
|
}
|
2018-04-27 17:37:02 +00:00
|
|
|
|
2018-07-18 23:57:29 +00:00
|
|
|
// Convert the spec's additional GIDs to KGIDs.
|
2018-10-10 15:59:25 +00:00
|
|
|
extraKGIDs := make([]auth.KGID, 0, len(args.Spec.Process.User.AdditionalGids))
|
|
|
|
|
for _, GID := range args.Spec.Process.User.AdditionalGids {
|
2018-07-18 23:57:29 +00:00
|
|
|
extraKGIDs = append(extraKGIDs, auth.KGID(GID))
|
|
|
|
|
}
|
2018-06-29 21:46:45 +00:00
|
|
|
|
2018-07-18 23:57:29 +00:00
|
|
|
// Create credentials.
|
|
|
|
|
creds := auth.NewUserCredentials(
|
2018-10-10 15:59:25 +00:00
|
|
|
auth.KUID(args.Spec.Process.User.UID),
|
|
|
|
|
auth.KGID(args.Spec.Process.User.GID),
|
2018-07-18 23:57:29 +00:00
|
|
|
extraKGIDs,
|
|
|
|
|
caps,
|
|
|
|
|
auth.NewRootUserNamespace())
|
2018-04-27 17:37:02 +00:00
|
|
|
|
2018-10-10 15:59:25 +00:00
|
|
|
if args.NumCPU == 0 {
|
|
|
|
|
args.NumCPU = runtime.NumCPU()
|
|
|
|
|
}
|
|
|
|
|
log.Infof("CPUs: %d", args.NumCPU)
|
|
|
|
|
|
|
|
|
|
if args.TotalMem > 0 {
|
|
|
|
|
// Adjust the total memory returned by the Sentry so that applications that
|
|
|
|
|
// use /proc/meminfo can make allocations based on this limit.
|
|
|
|
|
usage.MinimumTotalMemoryBytes = args.TotalMem
|
|
|
|
|
log.Infof("Setting total memory to %.2f GB", float64(args.TotalMem)/(2^30))
|
2018-09-19 20:34:28 +00:00
|
|
|
}
|
|
|
|
|
|
2018-07-18 23:57:29 +00:00
|
|
|
// Initiate the Kernel object, which is required by the Context passed
|
|
|
|
|
// to createVFS in order to mount (among other things) procfs.
|
|
|
|
|
if err = k.Init(kernel.InitKernelArgs{
|
2018-09-19 20:34:28 +00:00
|
|
|
FeatureSet: cpuid.HostFeatureSet(),
|
|
|
|
|
Timekeeper: tk,
|
|
|
|
|
RootUserNamespace: creds.UserNamespace,
|
|
|
|
|
NetworkStack: networkStack,
|
2018-10-10 15:59:25 +00:00
|
|
|
ApplicationCores: uint(args.NumCPU),
|
2018-09-07 17:44:50 +00:00
|
|
|
Vdso: vdso,
|
2018-10-10 15:59:25 +00:00
|
|
|
RootUTSNamespace: kernel.NewUTSNamespace(args.Spec.Hostname, "", creds.UserNamespace),
|
2018-09-07 17:44:50 +00:00
|
|
|
RootIPCNamespace: kernel.NewIPCNamespace(creds.UserNamespace),
|
|
|
|
|
RootAbstractSocketNamespace: kernel.NewAbstractSocketNamespace(),
|
2018-07-18 23:57:29 +00:00
|
|
|
}); err != nil {
|
|
|
|
|
return nil, fmt.Errorf("error initializing kernel: %v", err)
|
2018-04-27 17:37:02 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Turn on packet logging if enabled.
|
2018-10-10 15:59:25 +00:00
|
|
|
if args.Conf.LogPackets {
|
2018-04-27 17:37:02 +00:00
|
|
|
log.Infof("Packet logging enabled")
|
|
|
|
|
atomic.StoreUint32(&sniffer.LogPackets, 1)
|
|
|
|
|
} else {
|
|
|
|
|
log.Infof("Packet logging disabled")
|
|
|
|
|
atomic.StoreUint32(&sniffer.LogPackets, 0)
|
|
|
|
|
}
|
|
|
|
|
|
2018-06-06 18:43:01 +00:00
|
|
|
// Create a watchdog.
|
2018-10-10 15:59:25 +00:00
|
|
|
watchdog := watchdog.New(k, watchdog.DefaultTimeout, args.Conf.WatchdogAction)
|
2018-06-06 18:43:01 +00:00
|
|
|
|
2018-04-27 17:37:02 +00:00
|
|
|
// Create the control server using the provided FD.
|
|
|
|
|
//
|
|
|
|
|
// This must be done *after* we have initialized the kernel since the
|
|
|
|
|
// controller is used to configure the kernel's network stack.
|
|
|
|
|
//
|
|
|
|
|
// This should also be *before* we create the process, since a
|
|
|
|
|
// misconfigured process will cause an error, and we want the control
|
|
|
|
|
// server up before that so that we don't time out trying to connect to
|
|
|
|
|
// it.
|
2018-10-10 15:59:25 +00:00
|
|
|
ctrl, err := newController(args.ControllerFD, k, watchdog)
|
2018-04-27 17:37:02 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, fmt.Errorf("error creating control server: %v", err)
|
|
|
|
|
}
|
|
|
|
|
|
2018-10-10 15:59:25 +00:00
|
|
|
procArgs, err := newProcess(args.ID, args.Spec, creds, k)
|
2018-07-18 23:57:29 +00:00
|
|
|
if err != nil {
|
2018-10-17 19:27:58 +00:00
|
|
|
return nil, fmt.Errorf("failed to create init process for root container: %v", err)
|
2018-06-20 04:42:21 +00:00
|
|
|
}
|
|
|
|
|
|
2018-10-11 18:55:45 +00:00
|
|
|
if err := initCompatLogs(args.UserLogFD); err != nil {
|
|
|
|
|
return nil, fmt.Errorf("init compat logs: %v", err)
|
|
|
|
|
}
|
|
|
|
|
|
2018-06-20 04:42:21 +00:00
|
|
|
l := &Loader{
|
2018-10-17 19:27:58 +00:00
|
|
|
k: k,
|
|
|
|
|
ctrl: ctrl,
|
|
|
|
|
conf: args.Conf,
|
|
|
|
|
console: args.Console,
|
|
|
|
|
watchdog: watchdog,
|
|
|
|
|
spec: args.Spec,
|
|
|
|
|
goferFDs: args.GoferFDs,
|
|
|
|
|
stdioFDs: args.StdioFDs,
|
|
|
|
|
rootProcArgs: procArgs,
|
|
|
|
|
sandboxID: args.ID,
|
|
|
|
|
processes: make(map[execID]*execProcess),
|
2018-06-20 04:42:21 +00:00
|
|
|
}
|
2018-10-17 19:27:58 +00:00
|
|
|
|
|
|
|
|
// We don't care about child signals; some platforms can generate a
|
|
|
|
|
// tremendous number of useless ones (I'm looking at you, ptrace).
|
|
|
|
|
if err := sighandling.IgnoreChildStop(); err != nil {
|
|
|
|
|
return nil, fmt.Errorf("failed to ignore child stop signals: %v", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Handle signals by forwarding them to the root container process
|
|
|
|
|
// (except for panic signal, which should cause a panic).
|
|
|
|
|
l.startSignalForwarding = sighandling.PrepareHandler(func(sig linux.Signal) {
|
|
|
|
|
// Panic signal should cause a panic.
|
|
|
|
|
if args.Conf.PanicSignal != -1 && sig == linux.Signal(args.Conf.PanicSignal) {
|
|
|
|
|
panic("Signal-induced panic")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Otherwise forward to root container.
|
|
|
|
|
deliveryMode := DeliverToProcess
|
|
|
|
|
if args.Console {
|
|
|
|
|
// Since we are running with a console, we should
|
|
|
|
|
// forward the signal to the foreground process group
|
|
|
|
|
// so that job control signals like ^C can be handled
|
|
|
|
|
// properly.
|
|
|
|
|
deliveryMode = DeliverToForegroundProcessGroup
|
|
|
|
|
}
|
|
|
|
|
if err := l.signal(args.ID, 0, int32(sig), deliveryMode); err != nil {
|
|
|
|
|
log.Warningf("error sending signal %v to container %q: %v", sig, args.ID, err)
|
|
|
|
|
}
|
|
|
|
|
})
|
|
|
|
|
|
2018-06-20 04:42:21 +00:00
|
|
|
ctrl.manager.l = l
|
|
|
|
|
return l, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// newProcess creates a process that can be run with kernel.CreateProcess.
|
2018-09-27 22:00:03 +00:00
|
|
|
func newProcess(id string, spec *specs.Spec, creds *auth.Credentials, k *kernel.Kernel) (kernel.CreateProcessArgs, error) {
|
2018-06-20 04:42:21 +00:00
|
|
|
// Create initial limits.
|
|
|
|
|
ls, err := createLimitSet(spec)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return kernel.CreateProcessArgs{}, fmt.Errorf("error creating limits: %v", err)
|
|
|
|
|
}
|
|
|
|
|
|
2018-05-24 21:27:05 +00:00
|
|
|
// Create the process arguments.
|
|
|
|
|
procArgs := kernel.CreateProcessArgs{
|
2018-09-07 17:44:50 +00:00
|
|
|
Argv: spec.Process.Args,
|
|
|
|
|
Envv: spec.Process.Env,
|
|
|
|
|
WorkingDirectory: spec.Process.Cwd, // Defaults to '/' if empty.
|
|
|
|
|
Credentials: creds,
|
|
|
|
|
Umask: 0022,
|
|
|
|
|
Limits: ls,
|
|
|
|
|
MaxSymlinkTraversals: linux.MaxSymlinkTraversals,
|
|
|
|
|
UTSNamespace: k.RootUTSNamespace(),
|
|
|
|
|
IPCNamespace: k.RootIPCNamespace(),
|
|
|
|
|
AbstractSocketNamespace: k.RootAbstractSocketNamespace(),
|
2018-09-27 22:00:03 +00:00
|
|
|
ContainerID: id,
|
2018-05-24 21:27:05 +00:00
|
|
|
}
|
2018-06-20 04:42:21 +00:00
|
|
|
return procArgs, nil
|
2018-04-27 17:37:02 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Destroy cleans up all resources used by the loader.
|
2018-07-12 20:36:01 +00:00
|
|
|
//
|
|
|
|
|
// Note that this will block until all open control server connections have
|
|
|
|
|
// been closed. For that reason, this should NOT be called in a defer, because
|
|
|
|
|
// a panic in a control server rpc would then hang forever.
|
2018-04-27 17:37:02 +00:00
|
|
|
func (l *Loader) Destroy() {
|
|
|
|
|
if l.ctrl != nil {
|
|
|
|
|
l.ctrl.srv.Stop()
|
|
|
|
|
}
|
2018-09-07 20:38:12 +00:00
|
|
|
if l.stopSignalForwarding != nil {
|
|
|
|
|
l.stopSignalForwarding()
|
|
|
|
|
}
|
2018-04-27 17:37:02 +00:00
|
|
|
l.watchdog.Stop()
|
|
|
|
|
}
|
|
|
|
|
|
2018-09-11 20:08:36 +00:00
|
|
|
func createPlatform(conf *Config, deviceFD int) (platform.Platform, error) {
|
2018-04-27 17:37:02 +00:00
|
|
|
switch conf.Platform {
|
|
|
|
|
case PlatformPtrace:
|
|
|
|
|
log.Infof("Platform: ptrace")
|
|
|
|
|
return ptrace.New()
|
|
|
|
|
case PlatformKVM:
|
|
|
|
|
log.Infof("Platform: kvm")
|
2018-09-11 20:08:36 +00:00
|
|
|
if deviceFD < 0 {
|
runsc: Support job control signals in "exec -it".
Terminal support in runsc relies on host tty file descriptors that are imported
into the sandbox. Application tty ioctls are sent directly to the host fd.
However, those host tty ioctls are associated in the host kernel with a host
process (in this case runsc), and the host kernel intercepts job control
characters like ^C and send signals to the host process. Thus, typing ^C into a
"runsc exec" shell will send a SIGINT to the runsc process.
This change makes "runsc exec" handle all signals, and forward them into the
sandbox via the "ContainerSignal" urpc method. Since the "runsc exec" is
associated with a particular container process in the sandbox, the signal must
be associated with the same container process.
One big difficulty is that the signal should not necessarily be sent to the
sandbox process started by "exec", but instead must be sent to the foreground
process group for the tty. For example, we may exec "bash", and from bash call
"sleep 100". A ^C at this point should SIGINT sleep, not bash.
To handle this, tty files inside the sandbox must keep track of their
foreground process group, which is set/get via ioctls. When an incoming
ContainerSignal urpc comes in, we look up the foreground process group via the
tty file. Unfortunately, this means we have to expose and cache the tty file in
the Loader.
Note that "runsc exec" now handles signals properly, but "runs run" does not.
That will come in a later CL, as this one is complex enough already.
Example:
root@:/usr/local/apache2# sleep 100
^C
root@:/usr/local/apache2# sleep 100
^Z
[1]+ Stopped sleep 100
root@:/usr/local/apache2# fg
sleep 100
^C
root@:/usr/local/apache2#
PiperOrigin-RevId: 215334554
Change-Id: I53cdce39653027908510a5ba8d08c49f9cf24f39
2018-10-02 05:05:41 +00:00
|
|
|
return nil, fmt.Errorf("kvm device FD must be provided")
|
2018-09-11 20:08:36 +00:00
|
|
|
}
|
|
|
|
|
return kvm.New(os.NewFile(uintptr(deviceFD), "kvm device"))
|
2018-04-27 17:37:02 +00:00
|
|
|
default:
|
|
|
|
|
return nil, fmt.Errorf("invalid platform %v", conf.Platform)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-05-17 18:54:36 +00:00
|
|
|
// Run runs the root container..
|
2018-04-27 17:37:02 +00:00
|
|
|
func (l *Loader) Run() error {
|
|
|
|
|
err := l.run()
|
2018-05-17 18:54:36 +00:00
|
|
|
l.ctrl.manager.startResultChan <- err
|
2018-05-09 21:12:44 +00:00
|
|
|
if err != nil {
|
|
|
|
|
// Give the controller some time to send the error to the
|
|
|
|
|
// runtime. If we return too quickly here the process will exit
|
|
|
|
|
// and the control connection will be closed before the error
|
|
|
|
|
// is returned.
|
|
|
|
|
gtime.Sleep(2 * gtime.Second)
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
return nil
|
2018-04-27 17:37:02 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (l *Loader) run() error {
|
|
|
|
|
if l.conf.Network == NetworkHost {
|
|
|
|
|
// Delay host network configuration to this point because network namespace
|
|
|
|
|
// is configured after the loader is created and before Run() is called.
|
|
|
|
|
log.Debugf("Configuring host network")
|
|
|
|
|
stack := l.k.NetworkStack().(*hostinet.Stack)
|
|
|
|
|
if err := stack.Configure(); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Finally done with all configuration. Setup filters before user code
|
|
|
|
|
// is loaded.
|
|
|
|
|
if l.conf.DisableSeccomp {
|
|
|
|
|
filter.Report("syscall filter is DISABLED. Running in less secure mode.")
|
|
|
|
|
} else {
|
2018-08-29 00:08:49 +00:00
|
|
|
opts := filter.Options{
|
|
|
|
|
Platform: l.k.Platform,
|
|
|
|
|
HostNetwork: l.conf.Network == NetworkHost,
|
|
|
|
|
ControllerFD: l.ctrl.srv.FD(),
|
|
|
|
|
}
|
|
|
|
|
if err := filter.Install(opts); err != nil {
|
2018-04-27 17:37:02 +00:00
|
|
|
return fmt.Errorf("Failed to install seccomp filters: %v", err)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-06-29 21:46:45 +00:00
|
|
|
// If we are restoring, we do not want to create a process.
|
2018-07-18 23:57:29 +00:00
|
|
|
// l.restore is set by the container manager when a restore call is made.
|
2018-06-29 21:46:45 +00:00
|
|
|
if !l.restore {
|
2018-09-28 19:20:56 +00:00
|
|
|
if err := setupContainerFS(
|
2018-07-18 23:57:29 +00:00
|
|
|
&l.rootProcArgs,
|
|
|
|
|
l.spec,
|
|
|
|
|
l.conf,
|
2018-09-20 05:19:10 +00:00
|
|
|
l.stdioFDs,
|
|
|
|
|
l.goferFDs,
|
2018-07-18 23:57:29 +00:00
|
|
|
l.console,
|
|
|
|
|
l.rootProcArgs.Credentials,
|
|
|
|
|
l.rootProcArgs.Limits,
|
2018-08-15 23:24:07 +00:00
|
|
|
l.k,
|
2018-09-05 20:00:08 +00:00
|
|
|
"" /* CID, which isn't needed for the root container */); err != nil {
|
2018-07-18 23:57:29 +00:00
|
|
|
return err
|
|
|
|
|
}
|
2018-09-05 20:00:08 +00:00
|
|
|
|
|
|
|
|
rootCtx := l.rootProcArgs.NewContext(l.k)
|
|
|
|
|
rootMns := l.k.RootMountNamespace()
|
|
|
|
|
if err := setExecutablePath(rootCtx, rootMns, &l.rootProcArgs); err != nil {
|
|
|
|
|
return fmt.Errorf("error setting executable path for %+v: %v", l.rootProcArgs, err)
|
|
|
|
|
}
|
|
|
|
|
|
2018-06-29 21:46:45 +00:00
|
|
|
// Create the root container init task.
|
2018-09-17 23:24:05 +00:00
|
|
|
_, _, err := l.k.CreateProcess(l.rootProcArgs)
|
|
|
|
|
if err != nil {
|
2018-06-29 21:46:45 +00:00
|
|
|
return fmt.Errorf("failed to create init process: %v", err)
|
|
|
|
|
}
|
2018-04-27 17:37:02 +00:00
|
|
|
|
2018-06-29 21:46:45 +00:00
|
|
|
// CreateProcess takes a reference on FDMap if successful.
|
|
|
|
|
l.rootProcArgs.FDMap.DecRef()
|
|
|
|
|
}
|
2018-04-27 17:37:02 +00:00
|
|
|
|
runsc: Support job control signals in "exec -it".
Terminal support in runsc relies on host tty file descriptors that are imported
into the sandbox. Application tty ioctls are sent directly to the host fd.
However, those host tty ioctls are associated in the host kernel with a host
process (in this case runsc), and the host kernel intercepts job control
characters like ^C and send signals to the host process. Thus, typing ^C into a
"runsc exec" shell will send a SIGINT to the runsc process.
This change makes "runsc exec" handle all signals, and forward them into the
sandbox via the "ContainerSignal" urpc method. Since the "runsc exec" is
associated with a particular container process in the sandbox, the signal must
be associated with the same container process.
One big difficulty is that the signal should not necessarily be sent to the
sandbox process started by "exec", but instead must be sent to the foreground
process group for the tty. For example, we may exec "bash", and from bash call
"sleep 100". A ^C at this point should SIGINT sleep, not bash.
To handle this, tty files inside the sandbox must keep track of their
foreground process group, which is set/get via ioctls. When an incoming
ContainerSignal urpc comes in, we look up the foreground process group via the
tty file. Unfortunately, this means we have to expose and cache the tty file in
the Loader.
Note that "runsc exec" now handles signals properly, but "runs run" does not.
That will come in a later CL, as this one is complex enough already.
Example:
root@:/usr/local/apache2# sleep 100
^C
root@:/usr/local/apache2# sleep 100
^Z
[1]+ Stopped sleep 100
root@:/usr/local/apache2# fg
sleep 100
^C
root@:/usr/local/apache2#
PiperOrigin-RevId: 215334554
Change-Id: I53cdce39653027908510a5ba8d08c49f9cf24f39
2018-10-02 05:05:41 +00:00
|
|
|
eid := execID{cid: l.sandboxID}
|
2018-10-17 19:27:58 +00:00
|
|
|
ep := execProcess{tg: l.k.GlobalInit()}
|
|
|
|
|
if l.console {
|
|
|
|
|
ttyFile := l.rootProcArgs.FDMap.GetFile(0)
|
|
|
|
|
defer ttyFile.DecRef()
|
|
|
|
|
ep.tty = ttyFile.FileOperations.(*host.TTYFileOperations)
|
|
|
|
|
}
|
|
|
|
|
l.mu.Lock()
|
|
|
|
|
l.processes[eid] = &ep
|
2018-09-27 17:25:19 +00:00
|
|
|
l.mu.Unlock()
|
2018-09-17 23:24:05 +00:00
|
|
|
|
2018-09-07 20:38:12 +00:00
|
|
|
// Start signal forwarding only after an init process is created.
|
|
|
|
|
l.stopSignalForwarding = l.startSignalForwarding()
|
|
|
|
|
|
2018-07-18 23:57:29 +00:00
|
|
|
log.Infof("Process should have started...")
|
2018-04-27 17:37:02 +00:00
|
|
|
l.watchdog.Start()
|
|
|
|
|
return l.k.Start()
|
|
|
|
|
}
|
|
|
|
|
|
2018-06-22 21:30:33 +00:00
|
|
|
// startContainer starts a child container. It returns the thread group ID of
|
|
|
|
|
// the newly created process.
|
2018-09-13 23:36:53 +00:00
|
|
|
func (l *Loader) startContainer(k *kernel.Kernel, spec *specs.Spec, conf *Config, cid string, files []*os.File) error {
|
2018-06-20 04:42:21 +00:00
|
|
|
// Create capabilities.
|
|
|
|
|
caps, err := specutils.Capabilities(spec.Process.Capabilities)
|
|
|
|
|
if err != nil {
|
2018-09-13 23:36:53 +00:00
|
|
|
return fmt.Errorf("error creating capabilities: %v", err)
|
2018-06-20 04:42:21 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Convert the spec's additional GIDs to KGIDs.
|
|
|
|
|
extraKGIDs := make([]auth.KGID, 0, len(spec.Process.User.AdditionalGids))
|
|
|
|
|
for _, GID := range spec.Process.User.AdditionalGids {
|
|
|
|
|
extraKGIDs = append(extraKGIDs, auth.KGID(GID))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Create credentials. We reuse the root user namespace because the
|
|
|
|
|
// sentry currently supports only 1 mount namespace, which is tied to a
|
|
|
|
|
// single user namespace. Thus we must run in the same user namespace
|
|
|
|
|
// to access mounts.
|
|
|
|
|
// TODO: Create a new mount namespace for the container.
|
|
|
|
|
creds := auth.NewUserCredentials(
|
|
|
|
|
auth.KUID(spec.Process.User.UID),
|
|
|
|
|
auth.KGID(spec.Process.User.GID),
|
|
|
|
|
extraKGIDs,
|
|
|
|
|
caps,
|
|
|
|
|
l.k.RootUserNamespace())
|
|
|
|
|
|
2018-09-27 22:00:03 +00:00
|
|
|
procArgs, err := newProcess(cid, spec, creds, l.k)
|
2018-06-20 04:42:21 +00:00
|
|
|
if err != nil {
|
2018-09-13 23:36:53 +00:00
|
|
|
return fmt.Errorf("failed to create new process: %v", err)
|
2018-06-22 21:30:33 +00:00
|
|
|
}
|
2018-08-27 18:09:06 +00:00
|
|
|
|
|
|
|
|
// Can't take ownership away from os.File. dup them to get a new FDs.
|
|
|
|
|
var ioFDs []int
|
|
|
|
|
for _, f := range files {
|
|
|
|
|
fd, err := syscall.Dup(int(f.Fd()))
|
|
|
|
|
if err != nil {
|
2018-09-13 23:36:53 +00:00
|
|
|
return fmt.Errorf("failed to dup file: %v", err)
|
2018-08-27 18:09:06 +00:00
|
|
|
}
|
|
|
|
|
f.Close()
|
|
|
|
|
ioFDs = append(ioFDs, fd)
|
|
|
|
|
}
|
|
|
|
|
|
2018-09-20 05:19:10 +00:00
|
|
|
stdioFDs := ioFDs[:3]
|
|
|
|
|
goferFDs := ioFDs[3:]
|
2018-09-28 19:20:56 +00:00
|
|
|
if err := setupContainerFS(
|
2018-07-18 23:57:29 +00:00
|
|
|
&procArgs,
|
2018-08-15 23:24:07 +00:00
|
|
|
spec,
|
|
|
|
|
conf,
|
2018-09-20 05:19:10 +00:00
|
|
|
stdioFDs,
|
|
|
|
|
goferFDs,
|
2018-07-18 23:57:29 +00:00
|
|
|
false,
|
|
|
|
|
creds,
|
|
|
|
|
procArgs.Limits,
|
2018-08-15 23:24:07 +00:00
|
|
|
k,
|
2018-09-05 20:00:08 +00:00
|
|
|
cid); err != nil {
|
2018-09-13 23:36:53 +00:00
|
|
|
return fmt.Errorf("failed to create new process: %v", err)
|
2018-07-18 23:57:29 +00:00
|
|
|
}
|
2018-06-22 21:30:33 +00:00
|
|
|
|
2018-09-20 05:19:10 +00:00
|
|
|
// setFileSystemForProcess dup'd stdioFDs, so we can close them.
|
|
|
|
|
for i, fd := range stdioFDs {
|
|
|
|
|
if err := syscall.Close(fd); err != nil {
|
|
|
|
|
return fmt.Errorf("failed to close stdioFD #%d: %v", i, fd)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-09-05 20:00:08 +00:00
|
|
|
ctx := procArgs.NewContext(l.k)
|
|
|
|
|
mns := k.RootMountNamespace()
|
|
|
|
|
if err := setExecutablePath(ctx, mns, &procArgs); err != nil {
|
2018-09-13 23:36:53 +00:00
|
|
|
return fmt.Errorf("error setting executable path for %+v: %v", procArgs, err)
|
2018-08-24 21:41:38 +00:00
|
|
|
}
|
|
|
|
|
|
2018-09-17 23:24:05 +00:00
|
|
|
tg, _, err := l.k.CreateProcess(procArgs)
|
2018-06-22 21:30:33 +00:00
|
|
|
if err != nil {
|
2018-09-13 23:36:53 +00:00
|
|
|
return fmt.Errorf("failed to create process in sentry: %v", err)
|
2018-06-20 04:42:21 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// CreateProcess takes a reference on FDMap if successful.
|
|
|
|
|
procArgs.FDMap.DecRef()
|
|
|
|
|
|
2018-06-22 21:30:33 +00:00
|
|
|
l.mu.Lock()
|
|
|
|
|
defer l.mu.Unlock()
|
runsc: Support job control signals in "exec -it".
Terminal support in runsc relies on host tty file descriptors that are imported
into the sandbox. Application tty ioctls are sent directly to the host fd.
However, those host tty ioctls are associated in the host kernel with a host
process (in this case runsc), and the host kernel intercepts job control
characters like ^C and send signals to the host process. Thus, typing ^C into a
"runsc exec" shell will send a SIGINT to the runsc process.
This change makes "runsc exec" handle all signals, and forward them into the
sandbox via the "ContainerSignal" urpc method. Since the "runsc exec" is
associated with a particular container process in the sandbox, the signal must
be associated with the same container process.
One big difficulty is that the signal should not necessarily be sent to the
sandbox process started by "exec", but instead must be sent to the foreground
process group for the tty. For example, we may exec "bash", and from bash call
"sleep 100". A ^C at this point should SIGINT sleep, not bash.
To handle this, tty files inside the sandbox must keep track of their
foreground process group, which is set/get via ioctls. When an incoming
ContainerSignal urpc comes in, we look up the foreground process group via the
tty file. Unfortunately, this means we have to expose and cache the tty file in
the Loader.
Note that "runsc exec" now handles signals properly, but "runs run" does not.
That will come in a later CL, as this one is complex enough already.
Example:
root@:/usr/local/apache2# sleep 100
^C
root@:/usr/local/apache2# sleep 100
^Z
[1]+ Stopped sleep 100
root@:/usr/local/apache2# fg
sleep 100
^C
root@:/usr/local/apache2#
PiperOrigin-RevId: 215334554
Change-Id: I53cdce39653027908510a5ba8d08c49f9cf24f39
2018-10-02 05:05:41 +00:00
|
|
|
eid := execID{cid: cid}
|
|
|
|
|
l.processes[eid] = &execProcess{tg: tg}
|
2018-06-22 21:30:33 +00:00
|
|
|
|
2018-09-13 23:36:53 +00:00
|
|
|
return nil
|
2018-06-22 21:30:33 +00:00
|
|
|
}
|
|
|
|
|
|
2018-09-28 19:20:56 +00:00
|
|
|
// destroyContainer stops a container if it is still running and cleans up its
|
|
|
|
|
// filesystem.
|
|
|
|
|
func (l *Loader) destroyContainer(cid string) error {
|
|
|
|
|
// First kill and wait for all processes in the container.
|
2018-10-17 19:27:58 +00:00
|
|
|
if err := l.signal(cid, 0, int32(linux.SIGKILL), DeliverToAllProcesses); err != nil {
|
2018-09-28 19:20:56 +00:00
|
|
|
return fmt.Errorf("failed to SIGKILL all container processes: %v", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
l.mu.Lock()
|
|
|
|
|
defer l.mu.Unlock()
|
|
|
|
|
|
|
|
|
|
// Remove all container thread groups from the map.
|
|
|
|
|
for key := range l.processes {
|
|
|
|
|
if key.cid == cid {
|
|
|
|
|
delete(l.processes, key)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ctx := l.rootProcArgs.NewContext(l.k)
|
|
|
|
|
if err := destroyContainerFS(ctx, cid, l.k); err != nil {
|
|
|
|
|
return fmt.Errorf("failed to destroy filesystem for container %q: %v", cid, err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// We made it!
|
|
|
|
|
log.Debugf("Container destroyed %q", cid)
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2018-09-27 22:00:03 +00:00
|
|
|
func (l *Loader) executeAsync(args *control.ExecArgs) (kernel.ThreadID, error) {
|
2018-09-17 23:24:05 +00:00
|
|
|
// Get the container Root Dirent from the Task, since we must run this
|
|
|
|
|
// process with the same Root.
|
|
|
|
|
l.mu.Lock()
|
2018-09-28 06:54:13 +00:00
|
|
|
rootKey := execID{cid: args.ContainerID}
|
runsc: Support job control signals in "exec -it".
Terminal support in runsc relies on host tty file descriptors that are imported
into the sandbox. Application tty ioctls are sent directly to the host fd.
However, those host tty ioctls are associated in the host kernel with a host
process (in this case runsc), and the host kernel intercepts job control
characters like ^C and send signals to the host process. Thus, typing ^C into a
"runsc exec" shell will send a SIGINT to the runsc process.
This change makes "runsc exec" handle all signals, and forward them into the
sandbox via the "ContainerSignal" urpc method. Since the "runsc exec" is
associated with a particular container process in the sandbox, the signal must
be associated with the same container process.
One big difficulty is that the signal should not necessarily be sent to the
sandbox process started by "exec", but instead must be sent to the foreground
process group for the tty. For example, we may exec "bash", and from bash call
"sleep 100". A ^C at this point should SIGINT sleep, not bash.
To handle this, tty files inside the sandbox must keep track of their
foreground process group, which is set/get via ioctls. When an incoming
ContainerSignal urpc comes in, we look up the foreground process group via the
tty file. Unfortunately, this means we have to expose and cache the tty file in
the Loader.
Note that "runsc exec" now handles signals properly, but "runs run" does not.
That will come in a later CL, as this one is complex enough already.
Example:
root@:/usr/local/apache2# sleep 100
^C
root@:/usr/local/apache2# sleep 100
^Z
[1]+ Stopped sleep 100
root@:/usr/local/apache2# fg
sleep 100
^C
root@:/usr/local/apache2#
PiperOrigin-RevId: 215334554
Change-Id: I53cdce39653027908510a5ba8d08c49f9cf24f39
2018-10-02 05:05:41 +00:00
|
|
|
ep, ok := l.processes[rootKey]
|
2018-09-17 23:24:05 +00:00
|
|
|
l.mu.Unlock()
|
|
|
|
|
if !ok {
|
2018-09-27 22:00:03 +00:00
|
|
|
return 0, fmt.Errorf("cannot exec in container %q: no such container", args.ContainerID)
|
2018-09-17 23:24:05 +00:00
|
|
|
}
|
runsc: Support job control signals in "exec -it".
Terminal support in runsc relies on host tty file descriptors that are imported
into the sandbox. Application tty ioctls are sent directly to the host fd.
However, those host tty ioctls are associated in the host kernel with a host
process (in this case runsc), and the host kernel intercepts job control
characters like ^C and send signals to the host process. Thus, typing ^C into a
"runsc exec" shell will send a SIGINT to the runsc process.
This change makes "runsc exec" handle all signals, and forward them into the
sandbox via the "ContainerSignal" urpc method. Since the "runsc exec" is
associated with a particular container process in the sandbox, the signal must
be associated with the same container process.
One big difficulty is that the signal should not necessarily be sent to the
sandbox process started by "exec", but instead must be sent to the foreground
process group for the tty. For example, we may exec "bash", and from bash call
"sleep 100". A ^C at this point should SIGINT sleep, not bash.
To handle this, tty files inside the sandbox must keep track of their
foreground process group, which is set/get via ioctls. When an incoming
ContainerSignal urpc comes in, we look up the foreground process group via the
tty file. Unfortunately, this means we have to expose and cache the tty file in
the Loader.
Note that "runsc exec" now handles signals properly, but "runs run" does not.
That will come in a later CL, as this one is complex enough already.
Example:
root@:/usr/local/apache2# sleep 100
^C
root@:/usr/local/apache2# sleep 100
^Z
[1]+ Stopped sleep 100
root@:/usr/local/apache2# fg
sleep 100
^C
root@:/usr/local/apache2#
PiperOrigin-RevId: 215334554
Change-Id: I53cdce39653027908510a5ba8d08c49f9cf24f39
2018-10-02 05:05:41 +00:00
|
|
|
ep.tg.Leader().WithMuLocked(func(t *kernel.Task) {
|
2018-09-17 23:24:05 +00:00
|
|
|
args.Root = t.FSContext().RootDirectory()
|
|
|
|
|
})
|
|
|
|
|
if args.Root != nil {
|
|
|
|
|
defer args.Root.DecRef()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Start the process.
|
|
|
|
|
proc := control.Proc{Kernel: l.k}
|
runsc: Support job control signals in "exec -it".
Terminal support in runsc relies on host tty file descriptors that are imported
into the sandbox. Application tty ioctls are sent directly to the host fd.
However, those host tty ioctls are associated in the host kernel with a host
process (in this case runsc), and the host kernel intercepts job control
characters like ^C and send signals to the host process. Thus, typing ^C into a
"runsc exec" shell will send a SIGINT to the runsc process.
This change makes "runsc exec" handle all signals, and forward them into the
sandbox via the "ContainerSignal" urpc method. Since the "runsc exec" is
associated with a particular container process in the sandbox, the signal must
be associated with the same container process.
One big difficulty is that the signal should not necessarily be sent to the
sandbox process started by "exec", but instead must be sent to the foreground
process group for the tty. For example, we may exec "bash", and from bash call
"sleep 100". A ^C at this point should SIGINT sleep, not bash.
To handle this, tty files inside the sandbox must keep track of their
foreground process group, which is set/get via ioctls. When an incoming
ContainerSignal urpc comes in, we look up the foreground process group via the
tty file. Unfortunately, this means we have to expose and cache the tty file in
the Loader.
Note that "runsc exec" now handles signals properly, but "runs run" does not.
That will come in a later CL, as this one is complex enough already.
Example:
root@:/usr/local/apache2# sleep 100
^C
root@:/usr/local/apache2# sleep 100
^Z
[1]+ Stopped sleep 100
root@:/usr/local/apache2# fg
sleep 100
^C
root@:/usr/local/apache2#
PiperOrigin-RevId: 215334554
Change-Id: I53cdce39653027908510a5ba8d08c49f9cf24f39
2018-10-02 05:05:41 +00:00
|
|
|
tg, tgid, ttyFile, err := control.ExecAsync(&proc, args)
|
2018-09-17 23:24:05 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return 0, fmt.Errorf("error executing: %+v: %v", args, err)
|
|
|
|
|
}
|
|
|
|
|
|
2018-09-28 06:54:13 +00:00
|
|
|
// Insert the process into processes so that we can wait on it
|
2018-09-17 23:24:05 +00:00
|
|
|
// later.
|
|
|
|
|
l.mu.Lock()
|
|
|
|
|
defer l.mu.Unlock()
|
2018-09-27 22:00:03 +00:00
|
|
|
eid := execID{cid: args.ContainerID, pid: tgid}
|
runsc: Support job control signals in "exec -it".
Terminal support in runsc relies on host tty file descriptors that are imported
into the sandbox. Application tty ioctls are sent directly to the host fd.
However, those host tty ioctls are associated in the host kernel with a host
process (in this case runsc), and the host kernel intercepts job control
characters like ^C and send signals to the host process. Thus, typing ^C into a
"runsc exec" shell will send a SIGINT to the runsc process.
This change makes "runsc exec" handle all signals, and forward them into the
sandbox via the "ContainerSignal" urpc method. Since the "runsc exec" is
associated with a particular container process in the sandbox, the signal must
be associated with the same container process.
One big difficulty is that the signal should not necessarily be sent to the
sandbox process started by "exec", but instead must be sent to the foreground
process group for the tty. For example, we may exec "bash", and from bash call
"sleep 100". A ^C at this point should SIGINT sleep, not bash.
To handle this, tty files inside the sandbox must keep track of their
foreground process group, which is set/get via ioctls. When an incoming
ContainerSignal urpc comes in, we look up the foreground process group via the
tty file. Unfortunately, this means we have to expose and cache the tty file in
the Loader.
Note that "runsc exec" now handles signals properly, but "runs run" does not.
That will come in a later CL, as this one is complex enough already.
Example:
root@:/usr/local/apache2# sleep 100
^C
root@:/usr/local/apache2# sleep 100
^Z
[1]+ Stopped sleep 100
root@:/usr/local/apache2# fg
sleep 100
^C
root@:/usr/local/apache2#
PiperOrigin-RevId: 215334554
Change-Id: I53cdce39653027908510a5ba8d08c49f9cf24f39
2018-10-02 05:05:41 +00:00
|
|
|
l.processes[eid] = &execProcess{
|
|
|
|
|
tg: tg,
|
|
|
|
|
tty: ttyFile,
|
|
|
|
|
}
|
2018-09-28 06:54:13 +00:00
|
|
|
log.Debugf("updated processes: %v", l.processes)
|
2018-09-17 23:24:05 +00:00
|
|
|
|
|
|
|
|
return tgid, nil
|
|
|
|
|
}
|
|
|
|
|
|
2018-10-17 19:27:58 +00:00
|
|
|
// waitContainer waits for the init process of a container to exit.
|
2018-06-28 21:55:46 +00:00
|
|
|
func (l *Loader) waitContainer(cid string, waitStatus *uint32) error {
|
|
|
|
|
// Don't defer unlock, as doing so would make it impossible for
|
|
|
|
|
// multiple clients to wait on the same container.
|
2018-06-22 21:30:33 +00:00
|
|
|
l.mu.Lock()
|
runsc: Support job control signals in "exec -it".
Terminal support in runsc relies on host tty file descriptors that are imported
into the sandbox. Application tty ioctls are sent directly to the host fd.
However, those host tty ioctls are associated in the host kernel with a host
process (in this case runsc), and the host kernel intercepts job control
characters like ^C and send signals to the host process. Thus, typing ^C into a
"runsc exec" shell will send a SIGINT to the runsc process.
This change makes "runsc exec" handle all signals, and forward them into the
sandbox via the "ContainerSignal" urpc method. Since the "runsc exec" is
associated with a particular container process in the sandbox, the signal must
be associated with the same container process.
One big difficulty is that the signal should not necessarily be sent to the
sandbox process started by "exec", but instead must be sent to the foreground
process group for the tty. For example, we may exec "bash", and from bash call
"sleep 100". A ^C at this point should SIGINT sleep, not bash.
To handle this, tty files inside the sandbox must keep track of their
foreground process group, which is set/get via ioctls. When an incoming
ContainerSignal urpc comes in, we look up the foreground process group via the
tty file. Unfortunately, this means we have to expose and cache the tty file in
the Loader.
Note that "runsc exec" now handles signals properly, but "runs run" does not.
That will come in a later CL, as this one is complex enough already.
Example:
root@:/usr/local/apache2# sleep 100
^C
root@:/usr/local/apache2# sleep 100
^Z
[1]+ Stopped sleep 100
root@:/usr/local/apache2# fg
sleep 100
^C
root@:/usr/local/apache2#
PiperOrigin-RevId: 215334554
Change-Id: I53cdce39653027908510a5ba8d08c49f9cf24f39
2018-10-02 05:05:41 +00:00
|
|
|
eid := execID{cid: cid}
|
|
|
|
|
ep, ok := l.processes[eid]
|
2018-09-28 06:54:13 +00:00
|
|
|
l.mu.Unlock()
|
2018-06-22 21:30:33 +00:00
|
|
|
if !ok {
|
2018-09-28 06:54:13 +00:00
|
|
|
return fmt.Errorf("can't find process for container %q in %v", cid, l.processes)
|
2018-06-22 21:30:33 +00:00
|
|
|
}
|
2018-07-13 20:45:13 +00:00
|
|
|
|
2018-06-22 21:30:33 +00:00
|
|
|
// If the thread either has already exited or exits during waiting,
|
|
|
|
|
// consider the container exited.
|
runsc: Support job control signals in "exec -it".
Terminal support in runsc relies on host tty file descriptors that are imported
into the sandbox. Application tty ioctls are sent directly to the host fd.
However, those host tty ioctls are associated in the host kernel with a host
process (in this case runsc), and the host kernel intercepts job control
characters like ^C and send signals to the host process. Thus, typing ^C into a
"runsc exec" shell will send a SIGINT to the runsc process.
This change makes "runsc exec" handle all signals, and forward them into the
sandbox via the "ContainerSignal" urpc method. Since the "runsc exec" is
associated with a particular container process in the sandbox, the signal must
be associated with the same container process.
One big difficulty is that the signal should not necessarily be sent to the
sandbox process started by "exec", but instead must be sent to the foreground
process group for the tty. For example, we may exec "bash", and from bash call
"sleep 100". A ^C at this point should SIGINT sleep, not bash.
To handle this, tty files inside the sandbox must keep track of their
foreground process group, which is set/get via ioctls. When an incoming
ContainerSignal urpc comes in, we look up the foreground process group via the
tty file. Unfortunately, this means we have to expose and cache the tty file in
the Loader.
Note that "runsc exec" now handles signals properly, but "runs run" does not.
That will come in a later CL, as this one is complex enough already.
Example:
root@:/usr/local/apache2# sleep 100
^C
root@:/usr/local/apache2# sleep 100
^Z
[1]+ Stopped sleep 100
root@:/usr/local/apache2# fg
sleep 100
^C
root@:/usr/local/apache2#
PiperOrigin-RevId: 215334554
Change-Id: I53cdce39653027908510a5ba8d08c49f9cf24f39
2018-10-02 05:05:41 +00:00
|
|
|
ws := l.wait(ep.tg)
|
2018-09-17 23:24:05 +00:00
|
|
|
*waitStatus = ws
|
2018-09-13 23:36:53 +00:00
|
|
|
return nil
|
2018-06-28 21:55:46 +00:00
|
|
|
}
|
|
|
|
|
|
2018-09-17 23:24:05 +00:00
|
|
|
func (l *Loader) waitPID(tgid kernel.ThreadID, cid string, clearStatus bool, waitStatus *uint32) error {
|
2018-06-28 21:55:46 +00:00
|
|
|
// TODO: Containers all currently share a PID namespace.
|
|
|
|
|
// When per-container PID namespaces are supported, wait should use cid
|
|
|
|
|
// to find the appropriate PID namespace.
|
2018-09-13 23:36:53 +00:00
|
|
|
/*if cid != l.sandboxID {
|
2018-06-28 21:55:46 +00:00
|
|
|
return errors.New("non-sandbox PID namespaces are not yet implemented")
|
2018-09-13 23:36:53 +00:00
|
|
|
}*/
|
2018-09-17 23:24:05 +00:00
|
|
|
|
|
|
|
|
// If the process was started via runsc exec, it will have an
|
2018-09-28 06:54:13 +00:00
|
|
|
// entry in l.processes.
|
2018-09-17 23:24:05 +00:00
|
|
|
l.mu.Lock()
|
|
|
|
|
eid := execID{cid: cid, pid: tgid}
|
runsc: Support job control signals in "exec -it".
Terminal support in runsc relies on host tty file descriptors that are imported
into the sandbox. Application tty ioctls are sent directly to the host fd.
However, those host tty ioctls are associated in the host kernel with a host
process (in this case runsc), and the host kernel intercepts job control
characters like ^C and send signals to the host process. Thus, typing ^C into a
"runsc exec" shell will send a SIGINT to the runsc process.
This change makes "runsc exec" handle all signals, and forward them into the
sandbox via the "ContainerSignal" urpc method. Since the "runsc exec" is
associated with a particular container process in the sandbox, the signal must
be associated with the same container process.
One big difficulty is that the signal should not necessarily be sent to the
sandbox process started by "exec", but instead must be sent to the foreground
process group for the tty. For example, we may exec "bash", and from bash call
"sleep 100". A ^C at this point should SIGINT sleep, not bash.
To handle this, tty files inside the sandbox must keep track of their
foreground process group, which is set/get via ioctls. When an incoming
ContainerSignal urpc comes in, we look up the foreground process group via the
tty file. Unfortunately, this means we have to expose and cache the tty file in
the Loader.
Note that "runsc exec" now handles signals properly, but "runs run" does not.
That will come in a later CL, as this one is complex enough already.
Example:
root@:/usr/local/apache2# sleep 100
^C
root@:/usr/local/apache2# sleep 100
^Z
[1]+ Stopped sleep 100
root@:/usr/local/apache2# fg
sleep 100
^C
root@:/usr/local/apache2#
PiperOrigin-RevId: 215334554
Change-Id: I53cdce39653027908510a5ba8d08c49f9cf24f39
2018-10-02 05:05:41 +00:00
|
|
|
ep, ok := l.processes[eid]
|
2018-09-17 23:24:05 +00:00
|
|
|
l.mu.Unlock()
|
|
|
|
|
if ok {
|
runsc: Support job control signals in "exec -it".
Terminal support in runsc relies on host tty file descriptors that are imported
into the sandbox. Application tty ioctls are sent directly to the host fd.
However, those host tty ioctls are associated in the host kernel with a host
process (in this case runsc), and the host kernel intercepts job control
characters like ^C and send signals to the host process. Thus, typing ^C into a
"runsc exec" shell will send a SIGINT to the runsc process.
This change makes "runsc exec" handle all signals, and forward them into the
sandbox via the "ContainerSignal" urpc method. Since the "runsc exec" is
associated with a particular container process in the sandbox, the signal must
be associated with the same container process.
One big difficulty is that the signal should not necessarily be sent to the
sandbox process started by "exec", but instead must be sent to the foreground
process group for the tty. For example, we may exec "bash", and from bash call
"sleep 100". A ^C at this point should SIGINT sleep, not bash.
To handle this, tty files inside the sandbox must keep track of their
foreground process group, which is set/get via ioctls. When an incoming
ContainerSignal urpc comes in, we look up the foreground process group via the
tty file. Unfortunately, this means we have to expose and cache the tty file in
the Loader.
Note that "runsc exec" now handles signals properly, but "runs run" does not.
That will come in a later CL, as this one is complex enough already.
Example:
root@:/usr/local/apache2# sleep 100
^C
root@:/usr/local/apache2# sleep 100
^Z
[1]+ Stopped sleep 100
root@:/usr/local/apache2# fg
sleep 100
^C
root@:/usr/local/apache2#
PiperOrigin-RevId: 215334554
Change-Id: I53cdce39653027908510a5ba8d08c49f9cf24f39
2018-10-02 05:05:41 +00:00
|
|
|
ws := l.wait(ep.tg)
|
2018-09-17 23:24:05 +00:00
|
|
|
*waitStatus = ws
|
|
|
|
|
if clearStatus {
|
|
|
|
|
// Remove tg from the cache.
|
|
|
|
|
l.mu.Lock()
|
2018-09-28 06:54:13 +00:00
|
|
|
delete(l.processes, eid)
|
|
|
|
|
log.Debugf("updated processes (removal): %v", l.processes)
|
2018-09-17 23:24:05 +00:00
|
|
|
l.mu.Unlock()
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// This process wasn't created by runsc exec or start, so just find it
|
runsc: Support job control signals in "exec -it".
Terminal support in runsc relies on host tty file descriptors that are imported
into the sandbox. Application tty ioctls are sent directly to the host fd.
However, those host tty ioctls are associated in the host kernel with a host
process (in this case runsc), and the host kernel intercepts job control
characters like ^C and send signals to the host process. Thus, typing ^C into a
"runsc exec" shell will send a SIGINT to the runsc process.
This change makes "runsc exec" handle all signals, and forward them into the
sandbox via the "ContainerSignal" urpc method. Since the "runsc exec" is
associated with a particular container process in the sandbox, the signal must
be associated with the same container process.
One big difficulty is that the signal should not necessarily be sent to the
sandbox process started by "exec", but instead must be sent to the foreground
process group for the tty. For example, we may exec "bash", and from bash call
"sleep 100". A ^C at this point should SIGINT sleep, not bash.
To handle this, tty files inside the sandbox must keep track of their
foreground process group, which is set/get via ioctls. When an incoming
ContainerSignal urpc comes in, we look up the foreground process group via the
tty file. Unfortunately, this means we have to expose and cache the tty file in
the Loader.
Note that "runsc exec" now handles signals properly, but "runs run" does not.
That will come in a later CL, as this one is complex enough already.
Example:
root@:/usr/local/apache2# sleep 100
^C
root@:/usr/local/apache2# sleep 100
^Z
[1]+ Stopped sleep 100
root@:/usr/local/apache2# fg
sleep 100
^C
root@:/usr/local/apache2#
PiperOrigin-RevId: 215334554
Change-Id: I53cdce39653027908510a5ba8d08c49f9cf24f39
2018-10-02 05:05:41 +00:00
|
|
|
// by PID and hope it hasn't exited yet.
|
|
|
|
|
tg := l.k.TaskSet().Root.ThreadGroupWithID(kernel.ThreadID(tgid))
|
2018-09-13 23:36:53 +00:00
|
|
|
if tg == nil {
|
|
|
|
|
return fmt.Errorf("no thread group with ID %d", tgid)
|
2018-06-28 21:55:46 +00:00
|
|
|
}
|
2018-09-17 23:24:05 +00:00
|
|
|
ws := l.wait(tg)
|
|
|
|
|
*waitStatus = ws
|
2018-09-13 23:36:53 +00:00
|
|
|
return nil
|
2018-06-28 21:55:46 +00:00
|
|
|
}
|
2018-06-22 21:30:33 +00:00
|
|
|
|
2018-06-28 21:55:46 +00:00
|
|
|
// wait waits for the process with TGID 'tgid' in a container's PID namespace
|
|
|
|
|
// to exit.
|
2018-09-17 23:24:05 +00:00
|
|
|
func (l *Loader) wait(tg *kernel.ThreadGroup) uint32 {
|
2018-06-22 21:30:33 +00:00
|
|
|
tg.WaitExited()
|
2018-09-17 23:24:05 +00:00
|
|
|
return tg.ExitStatus().Status()
|
2018-06-20 04:42:21 +00:00
|
|
|
}
|
|
|
|
|
|
2018-04-27 17:37:02 +00:00
|
|
|
// WaitForStartSignal waits for a start signal from the control server.
|
|
|
|
|
func (l *Loader) WaitForStartSignal() {
|
2018-05-17 18:54:36 +00:00
|
|
|
<-l.ctrl.manager.startChan
|
2018-04-27 17:37:02 +00:00
|
|
|
}
|
|
|
|
|
|
2018-07-18 23:57:29 +00:00
|
|
|
// NotifyLoaderCreated sends a signal to the container manager that this
|
|
|
|
|
// loader has been created.
|
|
|
|
|
func (l *Loader) NotifyLoaderCreated() {
|
|
|
|
|
l.ctrl.manager.loaderCreatedChan <- struct{}{}
|
|
|
|
|
}
|
|
|
|
|
|
2018-05-17 18:54:36 +00:00
|
|
|
// WaitExit waits for the root container to exit, and returns its exit status.
|
2018-04-27 17:37:02 +00:00
|
|
|
func (l *Loader) WaitExit() kernel.ExitStatus {
|
2018-05-17 18:54:36 +00:00
|
|
|
// Wait for container.
|
2018-04-27 17:37:02 +00:00
|
|
|
l.k.WaitExited()
|
|
|
|
|
|
|
|
|
|
return l.k.GlobalInit().ExitStatus()
|
|
|
|
|
}
|
|
|
|
|
|
2018-08-08 17:24:53 +00:00
|
|
|
func newEmptyNetworkStack(conf *Config, clock tcpip.Clock) (inet.Stack, error) {
|
2018-04-27 17:37:02 +00:00
|
|
|
switch conf.Network {
|
|
|
|
|
case NetworkHost:
|
2018-08-08 17:24:53 +00:00
|
|
|
return hostinet.NewStack(), nil
|
2018-04-27 17:37:02 +00:00
|
|
|
|
|
|
|
|
case NetworkNone, NetworkSandbox:
|
|
|
|
|
// NetworkNone sets up loopback using netstack.
|
|
|
|
|
netProtos := []string{ipv4.ProtocolName, ipv6.ProtocolName, arp.ProtocolName}
|
2018-05-02 05:50:55 +00:00
|
|
|
protoNames := []string{tcp.ProtocolName, udp.ProtocolName, ping.ProtocolName4}
|
2018-10-09 22:11:46 +00:00
|
|
|
s := epsocket.Stack{stack.New(netProtos, protoNames, stack.Options{
|
|
|
|
|
Clock: clock,
|
|
|
|
|
Stats: epsocket.Metrics,
|
|
|
|
|
})}
|
2018-08-08 17:24:53 +00:00
|
|
|
if err := s.Stack.SetTransportProtocolOption(tcp.ProtocolNumber, tcp.SACKEnabled(true)); err != nil {
|
|
|
|
|
return nil, fmt.Errorf("failed to enable SACK: %v", err)
|
|
|
|
|
}
|
2018-10-09 22:11:46 +00:00
|
|
|
return &s, nil
|
2018-04-27 17:37:02 +00:00
|
|
|
|
|
|
|
|
default:
|
|
|
|
|
panic(fmt.Sprintf("invalid network configuration: %v", conf.Network))
|
|
|
|
|
}
|
|
|
|
|
}
|
2018-09-06 04:13:46 +00:00
|
|
|
|
2018-10-17 19:27:58 +00:00
|
|
|
// signal sends a signal to one or more processes in a container. If PID is 0,
|
|
|
|
|
// then the container init process is used. Depending on the SignalDeliveryMode
|
|
|
|
|
// option, the signal may be sent directly to the indicated process, to all
|
|
|
|
|
// processes in the container, or to the foreground process group.
|
|
|
|
|
func (l *Loader) signal(cid string, pid, signo int32, mode SignalDeliveryMode) error {
|
|
|
|
|
if pid < 0 {
|
runsc: Support job control signals in "exec -it".
Terminal support in runsc relies on host tty file descriptors that are imported
into the sandbox. Application tty ioctls are sent directly to the host fd.
However, those host tty ioctls are associated in the host kernel with a host
process (in this case runsc), and the host kernel intercepts job control
characters like ^C and send signals to the host process. Thus, typing ^C into a
"runsc exec" shell will send a SIGINT to the runsc process.
This change makes "runsc exec" handle all signals, and forward them into the
sandbox via the "ContainerSignal" urpc method. Since the "runsc exec" is
associated with a particular container process in the sandbox, the signal must
be associated with the same container process.
One big difficulty is that the signal should not necessarily be sent to the
sandbox process started by "exec", but instead must be sent to the foreground
process group for the tty. For example, we may exec "bash", and from bash call
"sleep 100". A ^C at this point should SIGINT sleep, not bash.
To handle this, tty files inside the sandbox must keep track of their
foreground process group, which is set/get via ioctls. When an incoming
ContainerSignal urpc comes in, we look up the foreground process group via the
tty file. Unfortunately, this means we have to expose and cache the tty file in
the Loader.
Note that "runsc exec" now handles signals properly, but "runs run" does not.
That will come in a later CL, as this one is complex enough already.
Example:
root@:/usr/local/apache2# sleep 100
^C
root@:/usr/local/apache2# sleep 100
^Z
[1]+ Stopped sleep 100
root@:/usr/local/apache2# fg
sleep 100
^C
root@:/usr/local/apache2#
PiperOrigin-RevId: 215334554
Change-Id: I53cdce39653027908510a5ba8d08c49f9cf24f39
2018-10-02 05:05:41 +00:00
|
|
|
return fmt.Errorf("failed to signal container %q PID %d: PID must be positive", cid, pid)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
eid := execID{
|
|
|
|
|
cid: cid,
|
|
|
|
|
pid: kernel.ThreadID(pid),
|
|
|
|
|
}
|
2018-09-06 04:13:46 +00:00
|
|
|
l.mu.Lock()
|
runsc: Support job control signals in "exec -it".
Terminal support in runsc relies on host tty file descriptors that are imported
into the sandbox. Application tty ioctls are sent directly to the host fd.
However, those host tty ioctls are associated in the host kernel with a host
process (in this case runsc), and the host kernel intercepts job control
characters like ^C and send signals to the host process. Thus, typing ^C into a
"runsc exec" shell will send a SIGINT to the runsc process.
This change makes "runsc exec" handle all signals, and forward them into the
sandbox via the "ContainerSignal" urpc method. Since the "runsc exec" is
associated with a particular container process in the sandbox, the signal must
be associated with the same container process.
One big difficulty is that the signal should not necessarily be sent to the
sandbox process started by "exec", but instead must be sent to the foreground
process group for the tty. For example, we may exec "bash", and from bash call
"sleep 100". A ^C at this point should SIGINT sleep, not bash.
To handle this, tty files inside the sandbox must keep track of their
foreground process group, which is set/get via ioctls. When an incoming
ContainerSignal urpc comes in, we look up the foreground process group via the
tty file. Unfortunately, this means we have to expose and cache the tty file in
the Loader.
Note that "runsc exec" now handles signals properly, but "runs run" does not.
That will come in a later CL, as this one is complex enough already.
Example:
root@:/usr/local/apache2# sleep 100
^C
root@:/usr/local/apache2# sleep 100
^Z
[1]+ Stopped sleep 100
root@:/usr/local/apache2# fg
sleep 100
^C
root@:/usr/local/apache2#
PiperOrigin-RevId: 215334554
Change-Id: I53cdce39653027908510a5ba8d08c49f9cf24f39
2018-10-02 05:05:41 +00:00
|
|
|
ep, ok := l.processes[eid]
|
2018-09-06 04:13:46 +00:00
|
|
|
l.mu.Unlock()
|
runsc: Support job control signals in "exec -it".
Terminal support in runsc relies on host tty file descriptors that are imported
into the sandbox. Application tty ioctls are sent directly to the host fd.
However, those host tty ioctls are associated in the host kernel with a host
process (in this case runsc), and the host kernel intercepts job control
characters like ^C and send signals to the host process. Thus, typing ^C into a
"runsc exec" shell will send a SIGINT to the runsc process.
This change makes "runsc exec" handle all signals, and forward them into the
sandbox via the "ContainerSignal" urpc method. Since the "runsc exec" is
associated with a particular container process in the sandbox, the signal must
be associated with the same container process.
One big difficulty is that the signal should not necessarily be sent to the
sandbox process started by "exec", but instead must be sent to the foreground
process group for the tty. For example, we may exec "bash", and from bash call
"sleep 100". A ^C at this point should SIGINT sleep, not bash.
To handle this, tty files inside the sandbox must keep track of their
foreground process group, which is set/get via ioctls. When an incoming
ContainerSignal urpc comes in, we look up the foreground process group via the
tty file. Unfortunately, this means we have to expose and cache the tty file in
the Loader.
Note that "runsc exec" now handles signals properly, but "runs run" does not.
That will come in a later CL, as this one is complex enough already.
Example:
root@:/usr/local/apache2# sleep 100
^C
root@:/usr/local/apache2# sleep 100
^Z
[1]+ Stopped sleep 100
root@:/usr/local/apache2# fg
sleep 100
^C
root@:/usr/local/apache2#
PiperOrigin-RevId: 215334554
Change-Id: I53cdce39653027908510a5ba8d08c49f9cf24f39
2018-10-02 05:05:41 +00:00
|
|
|
|
2018-10-17 19:27:58 +00:00
|
|
|
switch mode {
|
|
|
|
|
case DeliverToProcess:
|
|
|
|
|
if ok {
|
|
|
|
|
// Send signal directly to the identified process.
|
|
|
|
|
return ep.tg.SendSignal(&arch.SignalInfo{Signo: signo})
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// The caller may be signaling a process not started directly via exec.
|
|
|
|
|
// In this case, find the process in the container's PID namespace and
|
|
|
|
|
// signal it.
|
2018-10-17 17:50:24 +00:00
|
|
|
ep, ok := l.processes[execID{cid: cid}]
|
|
|
|
|
if !ok {
|
|
|
|
|
return fmt.Errorf("no container with ID: %q", cid)
|
|
|
|
|
}
|
|
|
|
|
tg := ep.tg.PIDNamespace().ThreadGroupWithID(kernel.ThreadID(pid))
|
|
|
|
|
if tg == nil {
|
|
|
|
|
return fmt.Errorf("failed to signal container %q PID %d: no such process", cid, pid)
|
|
|
|
|
}
|
|
|
|
|
if tg.Leader().ContainerID() != cid {
|
|
|
|
|
return fmt.Errorf("process %d is part of a different container: %q", pid, tg.Leader().ContainerID())
|
|
|
|
|
}
|
|
|
|
|
return tg.SendSignal(&arch.SignalInfo{Signo: signo})
|
2018-09-06 04:13:46 +00:00
|
|
|
|
2018-10-17 19:27:58 +00:00
|
|
|
case DeliverToForegroundProcessGroup:
|
|
|
|
|
if !ok {
|
|
|
|
|
return fmt.Errorf("failed to signal foreground process group for container %q PID %d: no such PID", cid, pid)
|
|
|
|
|
}
|
runsc: Support job control signals in "exec -it".
Terminal support in runsc relies on host tty file descriptors that are imported
into the sandbox. Application tty ioctls are sent directly to the host fd.
However, those host tty ioctls are associated in the host kernel with a host
process (in this case runsc), and the host kernel intercepts job control
characters like ^C and send signals to the host process. Thus, typing ^C into a
"runsc exec" shell will send a SIGINT to the runsc process.
This change makes "runsc exec" handle all signals, and forward them into the
sandbox via the "ContainerSignal" urpc method. Since the "runsc exec" is
associated with a particular container process in the sandbox, the signal must
be associated with the same container process.
One big difficulty is that the signal should not necessarily be sent to the
sandbox process started by "exec", but instead must be sent to the foreground
process group for the tty. For example, we may exec "bash", and from bash call
"sleep 100". A ^C at this point should SIGINT sleep, not bash.
To handle this, tty files inside the sandbox must keep track of their
foreground process group, which is set/get via ioctls. When an incoming
ContainerSignal urpc comes in, we look up the foreground process group via the
tty file. Unfortunately, this means we have to expose and cache the tty file in
the Loader.
Note that "runsc exec" now handles signals properly, but "runs run" does not.
That will come in a later CL, as this one is complex enough already.
Example:
root@:/usr/local/apache2# sleep 100
^C
root@:/usr/local/apache2# sleep 100
^Z
[1]+ Stopped sleep 100
root@:/usr/local/apache2# fg
sleep 100
^C
root@:/usr/local/apache2#
PiperOrigin-RevId: 215334554
Change-Id: I53cdce39653027908510a5ba8d08c49f9cf24f39
2018-10-02 05:05:41 +00:00
|
|
|
|
2018-10-17 19:27:58 +00:00
|
|
|
// Lookup foreground process group from the TTY for the given process,
|
|
|
|
|
// and send the signal to it.
|
|
|
|
|
if ep.tty == nil {
|
|
|
|
|
return fmt.Errorf("failed to signal foreground process group in container %q PID %d: no TTY attached", cid, pid)
|
2018-10-09 03:47:47 +00:00
|
|
|
}
|
2018-10-17 19:27:58 +00:00
|
|
|
pg := ep.tty.ForegroundProcessGroup()
|
|
|
|
|
if pg == nil {
|
|
|
|
|
// No foreground process group has been set. Signal the
|
|
|
|
|
// original thread group.
|
|
|
|
|
log.Warningf("No foreground process group for container %q and PID %d. Sending signal directly to PID %d.", cid, pid, pid)
|
|
|
|
|
return ep.tg.SendSignal(&arch.SignalInfo{Signo: signo})
|
|
|
|
|
}
|
|
|
|
|
// Send the signal to all processes in the process group.
|
|
|
|
|
var lastErr error
|
|
|
|
|
for _, tg := range l.k.TaskSet().Root.ThreadGroups() {
|
|
|
|
|
if tg.ProcessGroup() != pg {
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
if err := tg.SendSignal(&arch.SignalInfo{Signo: signo}); err != nil {
|
|
|
|
|
lastErr = err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return lastErr
|
|
|
|
|
case DeliverToAllProcesses:
|
|
|
|
|
if !ok {
|
|
|
|
|
return fmt.Errorf("failed to signal all processes in container %q PID %d: no such PID", cid, pid)
|
2018-10-09 03:47:47 +00:00
|
|
|
}
|
2018-09-28 19:20:56 +00:00
|
|
|
|
2018-10-17 19:27:58 +00:00
|
|
|
// Pause the kernel to prevent new processes from being created while
|
|
|
|
|
// the signal is delivered. This prevents process leaks when SIGKILL is
|
|
|
|
|
// sent to the entire container.
|
|
|
|
|
l.k.Pause()
|
|
|
|
|
if err := l.k.SendContainerSignal(cid, &arch.SignalInfo{Signo: signo}); err != nil {
|
|
|
|
|
l.k.Unpause()
|
|
|
|
|
return err
|
|
|
|
|
}
|
2018-09-28 19:20:56 +00:00
|
|
|
l.k.Unpause()
|
|
|
|
|
|
2018-10-17 19:27:58 +00:00
|
|
|
// If SIGKILLing all processes, wait for them to exit.
|
|
|
|
|
if linux.Signal(signo) == linux.SIGKILL {
|
|
|
|
|
for _, t := range l.k.TaskSet().Root.Tasks() {
|
|
|
|
|
if t.ContainerID() == cid {
|
|
|
|
|
t.ThreadGroup().WaitExited()
|
|
|
|
|
}
|
2018-09-28 19:20:56 +00:00
|
|
|
}
|
|
|
|
|
}
|
2018-10-17 19:27:58 +00:00
|
|
|
return nil
|
|
|
|
|
default:
|
|
|
|
|
panic(fmt.Sprintf("unknown signal signal delivery mode %v", mode))
|
2018-09-28 19:20:56 +00:00
|
|
|
}
|
2018-09-06 04:13:46 +00:00
|
|
|
}
|
