[1.0] cgroupv2: ebpf: ignore inaccessible existing programs #3087
Merged
cyphar merged 2 commits into opencontainers:release-1.0 (Jul 15, 2021)
AkihiroSuda previously approved these changes Jul 14, 2021
cyphar requested changes Jul 14, 2021
cyphar (Member) left a comment:
Ah wait, this PR was made against the wrong branch -- should be against release-1.0.
Member: (Good thing I do merges manually --
Force-pushed 9389a44 to 29924cc
Author (Contributor): My bad 🤦🏻 Fixed.
We need to update the eBPF library so that we can get the raw syscall errors from bpf(2) syscalls using errors.Is.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit fe518a0)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
This is necessary in order for runc to be able to configure device cgroups with --systemd-cgroup on distributions that have very strict SELinux policies such as openSUSE MicroOS[1]. The core issue here is that systemd is adding its own BPF policy that has an SELinux label such that runc cannot interact with it. In order to work around this, we can just ignore the policy -- in theory this behaviour is not correct but given that the most obvious case (--systemd-cgroup) will still handle updates correctly, this logic is reasonable.

[1]: https://bugzilla.suse.com/show_bug.cgi?id=1182428

Fixes: d0f2c25 ("cgroup2: devices: replace all existing filters when attaching")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
(cherry picked from commit 57e3c54)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Force-pushed 29924cc to 4dc207a
mrunalp approved these changes Jul 14, 2021
breakings added a commit to breakings/packages that referenced this pull request Aug 8, 2021:
This is the first stable release in the 1.0 branch, fixing a few medium
and high priority issues with runc 1.0.0, including a few that affect
Kubernetes' usage of libcontainer.
Bugfixes:
- Fixed occasional runc exec/run failure ("interrupted system call") on an
Azure volume. ([#3074](opencontainers/runc#3074))
- Fixed "unable to find groups ... token too long" error with /etc/group
containing lines longer than 64K characters. ([#3079](opencontainers/runc#3079))
- cgroup/systemd/v1: fix leaving cgroup frozen after Set if a parent cgroup is
frozen. This is a regression in 1.0.0, not affecting runc itself but some
libcontainer users (e.g. Kubernetes). ([#3085](opencontainers/runc#3085))
- cgroupv2: bpf: Ignore inaccessible existing programs in case of
permission error when handling replacement of existing bpf cgroup
programs. This fixes a regression in 1.0.0, where some SELinux
policies would block runc from being able to run entirely. ([#3087](opencontainers/runc#3087))
- cgroup/systemd/v2: don't freeze cgroup on Set. ([#3092](opencontainers/runc#3092))
- cgroup/systemd/v1: avoid unnecessary freeze on Set. ([#3093](opencontainers/runc#3093))
This is a backport of PR #3055 to the 1.0 branch.
Draft until that one is merged.

Original description follows.

This is necessary in order for runc to be able to configure device
cgroups with --systemd-cgroup on distributions that have very strict
SELinux policies such as openSUSE MicroOS.
The core issue here is that systemd is adding its own BPF policy that
has an SELinux label such that runc cannot interact with it. In order to
work around this, we can just ignore the policy -- in theory this
behaviour is not correct but given that the most obvious case
(--systemd-cgroup) will still handle updates correctly, this logic is
reasonable.
Fixes: d0f2c25 ("cgroup2: devices: replace all existing filters when attaching")
Signed-off-by: Aleksa Sarai cyphar@cyphar.com
Changelog Entry
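The skip-on-permission-error behaviour the description above relies on, as an added illustration in Go that is not runc's own code: the load callback and fakeLoader are hypothetical stand-ins for the eBPF library's program lookup, and the errors.Is checks only work because the updated library wraps the raw bpf(2) errno rather than flattening it into a string.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"syscall"
)

// collectReplaceable returns the attached program ids runc can open and
// replace, plus the ids it skipped: permission errors (the systemd policy
// whose SELinux label runc cannot touch) and not-found errors (program
// detached between query and load). Any other error still aborts.
// load stands in for ebpf.NewProgramFromID (a bpf(2) call); hypothetical.
func collectReplaceable(ids []uint32, load func(uint32) (string, error)) (ok, skipped []uint32, err error) {
	for _, id := range ids {
		if id == 0 {
			continue // unused slot in the attached-program query result
		}
		_, lerr := load(id)
		switch {
		case lerr == nil:
			ok = append(ok, id)
		case errors.Is(lerr, os.ErrNotExist):
			skipped = append(skipped, id)
		case errors.Is(lerr, syscall.EPERM), errors.Is(lerr, syscall.EACCES):
			skipped = append(skipped, id) // needs the raw errno wrapped with %w
		default:
			return nil, nil, fmt.Errorf("cannot fetch program %d: %w", id, lerr)
		}
	}
	return ok, skipped, nil
}

// fakeLoader is constructed sample input: 7 is runc's own filter, 9 is the
// systemd filter SELinux makes inaccessible, 11 vanished after the query,
// and anything else fails for an unrelated reason.
func fakeLoader(id uint32) (string, error) {
	switch id {
	case 7:
		return "runc-device-filter", nil
	case 9:
		return "", fmt.Errorf("load program %d: %w", id, syscall.EPERM)
	case 11:
		return "", fmt.Errorf("load program %d: %w", id, os.ErrNotExist)
	}
	return "", fmt.Errorf("load program %d: %w", id, syscall.EINVAL)
}
```

Before the fix, the EPERM from program 9 took the default branch and runc failed to start the container at all; after it, only the unrelated EINVAL still does.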