Skip to content

libct: don't send config to nsexec when joining an existing timens#4636

Merged
rata merged 2 commits intoopencontainers:mainfrom
lifubang:fix-exec-timens
Feb 26, 2025
Merged

libct: don't send config to nsexec when joining an existing timens#4636
rata merged 2 commits intoopencontainers:mainfrom
lifubang:fix-exec-timens

Conversation

@lifubang
Copy link
Member

@lifubang lifubang commented Feb 19, 2025
edited
Loading

Fix #4635

When we exec a process in a container has private timens, we need to
join the init process's timens path, so, we should not send the timens
config to nsexec, otherwise, runc will try to update the process's time
ns configuration when joining the timens path.
We should configure the process's timens offset only when we need to
create new time namespace, we shouldn't do it if we are joining an
existing time namespace.

kolyshkin
kolyshkin reviewed Feb 21, 2025
View reviewed changes
@kolyshkin kolyshkin added the backport/1.2-todo A PR in main branch which needs to be backported to release-1.2 label Feb 21, 2025
@kolyshkin
Copy link
Contributor

kolyshkin commented Feb 21, 2025

Nice find, nice fix, thanks! Just a single nit about the test case.

Also, we might need to backport it to 1.2.

cyphar
cyphar requested changes Feb 22, 2025
View reviewed changes
Copy link
Member

@cyphar cyphar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unless I'm mistaken this will stop us from detecting broken configurations (i.e. configurations with timens offsets configured but not joining a time namespace). Of course it's easy to add a step to the validator but the previous version already did validation by getting an error from the kernel if appropriate.

Also, it is theoretically possible for someone to want to join a timens that hasn't been used yet and so configuring a timens offset of a timens we didn't create (while a little weird) is perfectly valid.

Personally, I think the old behaviour was better -- the user gets the same error from the kernel they would get if they tried to apply an incorrect configuration manually.

@lifubang
test: exec into a container with private time ns
7461968 
Signed-off-by: lifubang <lifubang@acmcoder.com>
@lifubang
libct: don't send config to nsexec when joining an existing timens
ad09197 
We should configure the process's timens offset only when we need to
create new time namespace, we shouldn't do it if we are joining an
existing time namespace. (opencontainers#4635)

Signed-off-by: lifubang <lifubang@acmcoder.com>
@lifubang lifubang changed the title libct/nsexec: don't update timens offset when joining a time ns libct: don't send config to nsexec when joining an existing timens Feb 22, 2025
@lifubang
Copy link
Member Author

lifubang commented Feb 22, 2025

Unless I'm mistaken this will stop us from detecting broken configurations (i.e. configurations with timens offsets configured but not joining a time namespace). Of course it's easy to add a step to the validator but the previous version already did validation by getting an error from the kernel if appropriate.

Also, it is theoretically possible for someone to want to join a timens that hasn't been used yet and so configuring a timens offset of a timens we didn't create (while a little weird) is perfectly valid.

Personally, I think the old behaviour was better -- the user gets the same error from the kernel they would get if they tried to apply an incorrect configuration manually.

Yes, make sense, I changed the logic to the same way as USERNS.

runc/libcontainer/container_linux.go

Lines 1082 to 1084 in ad09197

// write namespace paths only when we are not joining an existing user ns
_, joinExistingUser := nsMaps[configs.NEWUSER]
if !joinExistingUser {

@kolyshkin kolyshkin added this to the 1.3.0-rc.1 milestone Feb 25, 2025
cyphar
cyphar approved these changes Feb 26, 2025
View reviewed changes
libcontainer/container_linux.go
if c.config.TimeOffsets != nil {
// write boottime and monotonic time ns offsets only when we are not joining an existing time ns
_, joinExistingTime := nsMaps[configs.NEWTIME]
if !joinExistingTime && c.config.TimeOffsets != nil {
Copy link
Member

@cyphar cyphar Feb 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is theoretically possible someone will want to be able to do this, but I guess it's a fairly esoteric thing.

rata
rata approved these changes Feb 26, 2025
View reviewed changes
Copy link
Member

@rata rata left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks!

@rata rata merged commit 352c8d4 into opencontainers:main Feb 26, 2025
34 checks passed
@kolyshkin kolyshkin mentioned this pull request Feb 26, 2025
Merged
@kolyshkin kolyshkin added backport/1.2-done A PR in main branch which has been backported to release-1.2 and removed backport/1.2-todo A PR in main branch which needs to be backported to release-1.2 labels Feb 26, 2025
@kolyshkin
Copy link
Contributor

kolyshkin commented Feb 26, 2025

@lifubang lifubang deleted the fix-exec-timens branch March 1, 2025 16:21
@lifubang lifubang mentioned this pull request Mar 4, 2025
Merged
@tomaszduda23 tomaszduda23 mentioned this pull request Mar 4, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kolyshkin kolyshkin kolyshkin left review comments

@rata rata rata approved these changes

@cyphar cyphar cyphar approved these changes

Assignees

No one assigned

Labels

backport/1.2-done A PR in main branch which has been backported to release-1.2

Projects

None yet

Milestone

1.3.0-rc.1

Development

Successfully merging this pull request may close these issues.

Can't exec into a container with private time namespace

4 participants

@lifubang @kolyshkin @rata @cyphar