
runc: 1.1.15 -> 1.2.2 #353610


Conversation

saschagrunert (Member) commented Nov 4, 2024

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Add a 👍 reaction to pull requests you find important.

cc @offlinehacker @NixOS/podman

vdemeester (Member) left a comment

LGTM 🐯

@wegank wegank added the 12.approvals: 1 This PR was reviewed and approved by one reputable person label Nov 4, 2024
@ofborg ofborg bot requested review from offlinehacker and vdemeester November 4, 2024 22:02
@ofborg ofborg bot added 11.by: package-maintainer This PR was created by the maintainer of the package it changes 10.rebuild-darwin: 1-10 10.rebuild-linux: 11-100 labels Nov 4, 2024
@wegank wegank added the 12.approved-by: package-maintainer This PR was reviewed and approved by a maintainer listed in the package label Nov 5, 2024
r-vdp (Contributor) commented Nov 7, 2024

The tests are failing on Linux, is that expected?

@wegank wegank added the 2.status: merge conflict This PR has merge conflicts with the target branch label Nov 10, 2024
Kamillaova (Contributor) left a comment

Signed-off-by: Sascha Grunert <[email protected]>
@saschagrunert saschagrunert changed the title runc: 1.1.15 -> 1.2.1 runc: 1.1.15 -> 1.2.2 Nov 18, 2024
saschagrunert (Member Author)

1.2.2 is released, please update! https://github.com/opencontainers/runc/releases/tag/v1.2.2

Done 👍

@ofborg ofborg bot removed the 2.status: merge conflict This PR has merge conflicts with the target branch label Nov 18, 2024
khaneliman (Contributor) commented Nov 19, 2024

ofborg test failure

container init: error mounting "/run/current-system/sw/bin" to rootfs at "/bin": mount dst=/bin, dstFd=/proc/thread-self/fd/8, flags=0x5020: operation not permitted
rootless # [   65.775141] conmon[1000]: conmon c538799f57dae22099d8 <error>: Failed to create container: exit status 1
rootless # Error: runc: runc create failed: unable to start container process: error during container init: error mounting "/run/current-system/sw/bin" to rootfs at "/bin": mount dst=/bin, dstFd=/proc/thread-self/fd/8, flags=0x5020: operation not permitted: OCI permission denied
rootless # [   65.852220] su[970]: pam_unix(su:session): session closed for user alice
rootless: output: 
Test "Run container rootless with runc" failed with error: "command `su alice -l -c 'podman run --runtime=runc -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10'` failed (exit code 126)"

But, seems to build fine locally. Not sure if it's just an ofborg issue.

khaneliman (Contributor) commented Nov 19, 2024

nixpkgs-review result

Generated using nixpkgs-review.

Command: nixpkgs-review pr 353610

x86_64-linux

⏩ 1 package marked as broken and skipped:
  • docker_24
✅ 36 packages built:
  • airlift
  • airlift.dist
  • ansible-navigator
  • ansible-navigator.dist
  • apx
  • apx-gui
  • buildah
  • buildah.man
  • charliecloud
  • cri-o
  • cri-o.man
  • devcontainer
  • docker (docker_27)
  • docker-gc
  • docker-sbom
  • docker_25
  • docker_26
  • flintlock
  • fn-cli
  • img
  • k3s (k3s_1_31)
  • k3s_1_28
  • k3s_1_29
  • k3s_1_30
  • krunvm
  • out-of-tree
  • pipework
  • podman
  • podman.man
  • python311Packages.jupyter-repo2docker
  • python311Packages.jupyter-repo2docker.dist
  • python312Packages.jupyter-repo2docker
  • python312Packages.jupyter-repo2docker.dist
  • runc
  • runc.man
  • tests.devShellTools.nixos

aarch64-linux

⏩ 1 package marked as broken and skipped:
  • docker_24
✅ 36 packages built:
  • airlift
  • airlift.dist
  • ansible-navigator
  • ansible-navigator.dist
  • apx
  • apx-gui
  • buildah
  • buildah.man
  • charliecloud
  • cri-o
  • cri-o.man
  • devcontainer
  • docker (docker_27)
  • docker-gc
  • docker-sbom
  • docker_25
  • docker_26
  • flintlock
  • fn-cli
  • img
  • k3s (k3s_1_31)
  • k3s_1_28
  • k3s_1_29
  • k3s_1_30
  • krunvm
  • out-of-tree
  • pipework
  • podman
  • podman.man
  • python311Packages.jupyter-repo2docker
  • python311Packages.jupyter-repo2docker.dist
  • python312Packages.jupyter-repo2docker
  • python312Packages.jupyter-repo2docker.dist
  • runc
  • runc.man
  • tests.devShellTools.nixos

aarch64-darwin

⏩ 1 package marked as broken and skipped:
  • img
✅ 1 package built:
  • tests.devShellTools.nixos

x86_64-darwin

x86 darwin test just hangs with

vm-test-run-docker-tools-nix-shell-x86_64-darwin> qemu-system-x86_64: Error: ret = [unknown hv_return value] (0x4, at ../accel/hvf/hvf-accel-ops.c:328)

saschagrunert (Member Author)

ofborg test failure

Are there any security constraints within the tests? Hm, … 🤔

@wegank wegank removed 12.approvals: 1 This PR was reviewed and approved by one reputable person 12.approved-by: package-maintainer This PR was reviewed and approved by a maintainer listed in the package labels Nov 19, 2024
@Kamillaova Kamillaova requested a review from Scrumplex December 2, 2024 16:32
Scrumplex (Member)

@ofborg test podman

Scrumplex (Member) commented Dec 2, 2024

The podman test fails for me when run locally. Works fine for HEAD^.

Last few lines:

vm-test-run-podman> rootless # [   59.919076] systemd[907]: Started libcontainer container 7ae5e6f90526c70805a60348cfb75f08ff2f664c25b4fa8ef04063c8b2aeab2a.
vm-test-run-podman> rootless # [   59.942466] conmon[991]: conmon 7ae5e6f90526c70805a6 <nwarn>: runtime stderr: runc create failed: unable to start container process: error during container init: error mounting "/run/current-system/sw/bin" to rootfs at "/bin": mount dst=/bin, dstFd=/proc/thread-self/fd/8, flags=0x5020: operation not permitted
vm-test-run-podman> rootless # [   59.951712] conmon[991]: conmon 7ae5e6f90526c70805a6 <error>: Failed to create container: exit status 1
vm-test-run-podman> rootless # Error: runc: runc create failed: unable to start container process: error during container init: error mounting "/run/current-system/sw/bin" to rootfs at "/bin": mount dst=/bin, dstFd=/proc/thread-self/fd/8, flags=0x5020: operation not permitted: OCI permission denied
vm-test-run-podman> rootless # [   60.078159] su[961]: pam_unix(su:session): session closed for user alice

colonelpanic8 (Contributor)

status?

ck3d (Contributor) commented Jan 2, 2025

I spent some time investigating the issue. The root cause is a forbidden re-mount for /bin. The following strace log shows the failing system call:
13286 mount("", "/proc/thread-self/fd/8", 0x4000121115, MS_REMOUNT|MS_BIND|MS_REC, NULL) = -1 EPERM (Operation not permitted)
I updated to runc version 1.2.3, which shows the same issue.

The re-mount is not performed with runc version 1.1.15. It was implemented with the following PR:
opencontainers/runc#3967

Next step is to investigate why the re-mount is not allowed.
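The strace line above and the `flags=0x5020` that runc prints in the test log are two views of the same call. As an added example (not from this PR, nixpkgs or runc), this Python helper decodes runc's flags word into MS_* names, parses both kinds of log line, and checks that they agree; the sample lines are constructed from the ones quoted in this thread, and the flag values are the mount(2) constants from <sys/mount.h>.

```python
import re

# mount(2) flag bits from <sys/mount.h>; these values are stable kernel ABI.
MS_FLAGS = {
    "MS_RDONLY": 0x0001, "MS_NOSUID": 0x0002, "MS_NODEV": 0x0004,
    "MS_NOEXEC": 0x0008, "MS_REMOUNT": 0x0020, "MS_NOATIME": 0x0400,
    "MS_NODIRATIME": 0x0800, "MS_BIND": 0x1000, "MS_REC": 0x4000,
}
# runc 1.2 error text: "mount dst=/bin, dstFd=/proc/thread-self/fd/8, flags=0x5020"
RUNC_RE = re.compile(r"mount dst=(?P<dst>\S+), dstFd=(?P<fd>\S+), flags=(?P<flags>0x[0-9a-fA-F]+)")
# strace text: mount("", "/proc/thread-self/fd/8", <ptr>, MS_REMOUNT|MS_BIND|MS_REC, NULL) = -1 EPERM
STRACE_RE = re.compile(
    r'mount\("[^"]*", "(?P<target>[^"]+)", [^,]+, (?P<flags>[A-Z_|]+), NULL\) = -1 (?P<errno>E[A-Z]+)'
)

def decode_flags(value):
    """Return the MS_* names set in a mount(2) flags word; unknown bits are kept as hex."""
    names = [name for name, bit in MS_FLAGS.items() if value & bit]
    rest = value & ~sum(MS_FLAGS.values())
    return names + ([hex(rest)] if rest else [])

def encode_flags(names):
    """Inverse of decode_flags for known MS_* names."""
    return sum(MS_FLAGS[name] for name in names)

def find_failed_remounts(lines):
    """Collect runc mount failures and strace mount() errors from log lines."""
    found = []
    for line in lines:
        if m := RUNC_RE.search(line):
            flags = int(m["flags"], 16)
            found.append({"source": "runc", "target": m["fd"], "dst": m["dst"],
                          "flags": flags, "names": decode_flags(flags)})
        elif m := STRACE_RE.search(line):
            names = m["flags"].split("|")
            found.append({"source": "strace", "target": m["target"], "errno": m["errno"],
                          "flags": encode_flags(names), "names": names})
    return found

def same_operation(a, b):
    """True when a runc report and an strace line describe the same mount call."""
    return a["target"] == b["target"] and a["flags"] == b["flags"]

# Constructed sample: the runc error from the podman test log and the strace line from this thread.
SAMPLE = [
    'Error: runc: runc create failed: ... error mounting "/run/current-system/sw/bin" to rootfs at "/bin": '
    "mount dst=/bin, dstFd=/proc/thread-self/fd/8, flags=0x5020: operation not permitted: OCI permission denied",
    '13286 mount("", "/proc/thread-self/fd/8", 0x4000121115, MS_REMOUNT|MS_BIND|MS_REC, NULL) = -1 EPERM (Operation not permitted)',
]
```

Running `find_failed_remounts(SAMPLE)` yields one runc event and one strace event whose target fd and flags (MS_REMOUNT|MS_BIND|MS_REC) match, so the EPERM in strace is the call runc reports.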

ck3d (Contributor) commented Jan 2, 2025

In rootless mode, it is not possible to bind volumes from /nix/store. See the following example:

$ tar cv --files-from /dev/null | podman import - scratchimg
$ podman run --runtime=runc -d --name=sleeping -v /nix/store:/bin scratchimg /bin/sleep 10
Error: runc: runc create failed: unable to start container process: error during container init: error mounting "/nix/store" to rootfs at "/bin": mount dst=/bin, dstFd=/proc/thread-self/fd/8, flags=0x5020: operation not permitted: OCI permission denied

ck3d (Contributor) commented Jan 2, 2025

When the mount option ro is explicitly given, the test passes:
podman run --runtime=runc -d --name=sleeping -v /nix/store:/nix/store:ro -v /run/current-system/sw/bin:/bin:ro scratchimg /bin/sleep 10

ck3d (Contributor) commented Jan 5, 2025

In the test VM the path /nix/store is mounted twice. It is a rw overlay in the first place and is afterwards re-mounted read-only (see option boot.readOnlyNixStore).

Runc, on the other hand, tries to re-mount the "double" mounted /nix/store, which fails.

I do not see an issue on the runc side, so I would pass ro to the volumes as shown in my last comment.

Scrumplex (Member)

I assume this issue is also present outside our test VMs? I think mounting /nix/store into a container is quite common, so this might break for our users.

ck3d (Contributor) commented Jan 5, 2025

My last comment is not right. The double mount is not the reason. I could now reproduce the problem and re-opened the issue on runc, see
opencontainers/runc#4575 (comment)

@wegank wegank added the 2.status: merge conflict This PR has merge conflicts with the target branch label Apr 7, 2025