version: 3.2.0.0

This version uses the latest skarnet.org packages. It also changes the default service startup timeout to infinite, and it adds support for more unprivileged environments. Signed-off-by: Laurent Bercot <ska@appnovation.com>
just-containers · Jun 7, 2024 · e2738d1 · e2738d1
1 parent 1661108
commit e2738d1
Show file tree

Hide file tree

Showing 8 changed files with 80 additions and 34 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,18 @@ Please view the git log to see all the minor changes made to the code. This docu
 
 ## Major changes
 
+### Version 3.2.0.0
+
+* There is no default global timeout for starting services anymore. Previously,
+if the services took more than 5 seconds to be brought up, they would
+fail; the intent was to detect hanged containers (waiting on a dysfunctional
+network connection, for instance) and make them fail early, but it has
+proven to create more problems than it was solving - so the timeout has
+been removed. If you need it, you can, as before, use the `S6_CMD_WAIT_FOR_SERVICES_MAXTIME`
+variable.
+* More unprivileged configurations are supported: you should now be
+able to use s6-overlay in containers created by Kubernetes, for instance.
+
 ### Version 3.1.0.0
 
 * `/etc/s6-overlay/config/global_path` isn't provided or taken into

diff --git a/COPYING b/COPYING
@@ -1,7 +1,7 @@
 Internet Systems Consortium license
 ===================================
 
-Copyright (c) 2021-2023 Laurent Bercot <ska-skaware@skarnet.org>, John Regan <john@jrjrtech.com>
+Copyright (c) 2021-2024 Laurent Bercot <ska-skaware@skarnet.org>, John Regan <john@jrjrtech.com>
 
 Permission to use, copy, modify, and distribute this software for any
 purpose with or without fee is hereby granted, provided that the above

diff --git a/README.md b/README.md
@@ -42,7 +42,7 @@ Build the following Dockerfile and try it out:
 ```
 # Use your favorite image
 FROM ubuntu
-ARG S6_OVERLAY_VERSION=3.1.6.2
+ARG S6_OVERLAY_VERSION=3.2.0.0
 
 RUN apt-get update && apt-get install -y nginx xz-utils
 RUN echo "daemon off;" >> /etc/nginx/nginx.conf
@@ -873,11 +873,13 @@ starting the `user2` bundle and the CMD, if any of these is defined. If
 will wait until the services in `/etc/services.d` are *ready* before proceeding
 with the rest of the sequence. Note that this is only significant if the services in `/etc/services.d`
 [notify their readiness](https://skarnet.org/software/s6/notifywhenup.html) to s6.
-* `S6_CMD_WAIT_FOR_SERVICES_MAXTIME` (default = 5000): The maximum time (in milliseconds) the services could take to bring up before proceding to CMD executing.
-Note that this value also includes the time setting up legacy container initialization (`/etc/cont-init.d`) and services (`/etc/services.d`),
-and that it is taken into account even if you are not running a CMD. In other words: no matter whether you're running a CMD or not,
-if you have scripts in `/etc/cont-init.d` that take a long time to run, you should set this variable to either 0, or a value high
-enough so that your scripts have time to finish without s6-overlay interrupting them and diagnosing an error.
+* `S6_CMD_WAIT_FOR_SERVICES_MAXTIME` (default = 0, i.e. infinite): The maximum time (in milliseconds) the services could take to bring up before proceding to CMD executing.
+Set this variable to a positive value if you have services that can potentially block indefinitely and you prefer the container to fail
+if not everything is up after a given time.
+Note that this value also includes the time setting up legacy container initialization (`/etc/cont-init.d`) and services (`/etc/services.d`), so
+take that into account when computing a suitable value. In versions of s6-overlay up to 3.1.6.2, the default was 5000 (five seconds),
+but it caused more unwanted container failures than it solved issues, so now there's no timeout by default: s6-overlay will wait as long as
+is necessary for all the services to be brought up.
 * `S6_READ_ONLY_ROOT` (default = 0): When running in a container whose root filesystem is read-only, set this env to **1** to inform init stage 2 that it should copy user-provided initialization scripts from `/etc` to `/run/s6/etc` before it attempts to change permissions, etc. See [Read-Only Root Filesystem](#read-only-root-filesystem) for more information.
 * `S6_SYNC_DISKS` (default = 0): Set this env to **1** to inform init stage 3 that it should attempt to sync filesystems before stopping the container. Note: this will likely sync all filesystems on the host.
 * `S6_STAGE2_HOOK` (default = none): If this variable exists, its contents
@@ -956,7 +958,7 @@ RUN cd /tmp && sha256sum -c *.sha256
 
 ### `USER` directive
 
-As of version 3.1.6.2, s6-overlay has limited support for running as a user other than `root`:
+As of version 3.2.0.0, s6-overlay has limited support for running as a user other than `root`:
 
 * Tools like `fix-attrs` and `logutil-service` are unlikely to work (they rely
   on being able to change UIDs).

diff --git a/conf/defaults.mk b/conf/defaults.mk
@@ -3,7 +3,7 @@
 # e.g.: make SHEBANGDIR=/usr/bin VERSION=3.1.6.0
 
 # The version of the software being built.
-VERSION := 3.1.6.2
+VERSION := 3.2.0.0
 
 # Where stuff is going to be built. Change for out-of-tree builds.
 OUTPUT := output
@@ -21,7 +21,7 @@ TOOLCHAIN_PATH :=
 
 # When fetching one from the web, what version we want.
 # Only a few versions are available, don't change blindly.
-TOOLCHAIN_VERSION := 13.2.0
+TOOLCHAIN_VERSION := 14.1.0
 
 # For fetching toolchains: the download command.
 # Change to curl -O if you don't have wget.

diff --git a/conf/versions b/conf/versions
@@ -6,32 +6,32 @@
 BEARSSL_VERSION=79c060eea3eea1257797f15ea1608a9a9923aa6f
 # BEARSSL_VERSION=v0.6
 
-# SKALIBS_VERSION=c0e625ea5d47d32110dae6b1cf7671060e5c47bf
-SKALIBS_VERSION=v2.14.0.1
+# SKALIBS_VERSION=4dcf9fa0521a1c4243c28fb2f657d8029317e55e
+SKALIBS_VERSION=v2.14.2.0
 
-# EXECLINE_VERSION=813a7ae859c0563f87c2afef79d346b853c20e36
-EXECLINE_VERSION=v2.9.4.0
+# EXECLINE_VERSION=9983edf33b1eb4d91bf1187f8e4b7c0c3d288e53
+EXECLINE_VERSION=v2.9.6.0
 
-# S6_VERSION=8d032b7ff814b08aba0b23c03cdd589eae98d22a
-S6_VERSION=v2.12.0.2
+# S6_VERSION=9778ca30e4415698dbb1f736cf5fe132a7cec04d
+S6_VERSION=v2.13.0.0
 
-# S6_RC_VERSION=940e4bb20f7927a54c9ee92bcea1c54f8b60666d
-S6_RC_VERSION=v0.5.4.2
+# S6_RC_VERSION=f3a8a60eb872096084c98ccaabf65656df349998
+S6_RC_VERSION=v0.5.4.3
 
-# S6_LINUX_INIT_VERSION=421ff132dee36124fd6fe4eaaffe3576179c3812
+# S6_LINUX_INIT_VERSION=28787fc0512f8df17809c1a0507da2bfed552082
 S6_LINUX_INIT_VERSION=v1.1.2.0
 
-# S6_PORTABLE_UTILS_VERSION=aed143be3f5deace8e7b57ed48151fc17265cd9b
+# S6_PORTABLE_UTILS_VERSION=00ad09ecf7ad44e32c3cc54819bbf50e944fd4f9
 S6_PORTABLE_UTILS_VERSION=v2.3.0.3
 
-# S6_LINUX_UTILS_VERSION=d492e79229d1f5f96c5c618cbd5504ffb32e2d72
+# S6_LINUX_UTILS_VERSION=4ac235b523cd1b50bd681e31c8241a2b8bdd3060
 S6_LINUX_UTILS_VERSION=v2.6.2.0
 
-# S6_DNS_VERSION=20d8277451d8fd7cbce316b80a0018bc2639335d
-S6_DNS_VERSION=v2.3.7.0
+# S6_DNS_VERSION=33e4b9d9137b5dbb02a087956f1558ef30647aea
+S6_DNS_VERSION=v2.3.7.2
 
-# S6_NETWORKING_VERSION=8fe924c3da6ab919f512029a15464e77cbeede8a
-S6_NETWORKING_VERSION=v2.7.0.0
+# S6_NETWORKING_VERSION=42cb4c7b043964874caea0268b6c814e68a6e7a5
+S6_NETWORKING_VERSION=v2.7.0.3
 
-# S6_OVERLAY_HELPERS_VERSION=b23f96cbfabf23f686f71de826a482c272dd3645
-S6_OVERLAY_HELPERS_VERSION=v0.1.0.2
+# S6_OVERLAY_HELPERS_VERSION=a6281ad45dd43f4e8ddb6818a9b0513e391e64bb
+S6_OVERLAY_HELPERS_VERSION=v0.1.1.0
diff --git a/layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/etc/s6-linux-init/skel/rc.init b/layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/etc/s6-linux-init/skel/rc.init
@@ -41,7 +41,7 @@ s6-rc-compile -v"$cv" /run/s6/db "$etc/s6-overlay/s6-rc.d" /package/admin/s6-ove
 s6-rc-init -c /run/s6/db /run/service
 
 if timeout=`printcontenv S6_CMD_WAIT_FOR_SERVICES_MAXTIME` && eltest "$timeout" =~ '^[[:digit:]]+$' ; then : ; else
-  timeout=5000
+  timeout=0
 fi
 
 set +e

diff --git a/layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/libexec/preinit b/layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/libexec/preinit
@@ -2,9 +2,19 @@
 
 # This script is spawned by s6-overlay-suexec, as the
 # first thing in the userland boot process.
-# It is run as root even with a USER directive present.
-# If USER, then UID and GID hold the uid and gid of the user
-# (this is used by s6-chown -U).
+# It is normally run as root, but some configurations want to
+# run completely unprivileged and s6-overlay-suexec is denied
+# suid, in which case preinit will be unprivileged as well.
+
+# The point of preinit is to sanity check the system to make
+# sure s6-linux-init can run in a safe configuration. If we
+# are root, or if the system has been correctly prepared by the
+# container manager for a privilegeless execution, we can fix
+# any issue we encounter. Otherwise, we just report the problem
+# and abort execution.
+
+# The UID, USER, EUID, GID, GROUP and EGID variables are set for
+# us by s6-overlay-suexec, so we can check every possible case.
 
 prog=/package/admin/s6-overlay/libexec/preinit
 
@@ -59,8 +69,30 @@ is likely to crash soon, if /run is (incorrectly) mounted noexec." 1>&2
 else
   s6-mkdir -p -m 0755 /run
 fi
-if test "0$UID" -ne 0 ; then
-  s6-chown -U -- /run
+
+eval `s6-overlay-stat /run`
+
+if test "0$S6_VERBOSITY" -gt 1 ; then
+  echo "$prog: info: container permissions: uid=$UID ($USER), euid=$EUID, gid=$GID ($GROUP), egid=$EGID"
+  echo "$prog: info: /run permissions: uid=$uid ($user), gid=$gid ($group), perms=$perms"
+fi
+
+if test "$UID" -ne "$uid" ; then  # /run does not belong to the container user
+  if test "$EUID" -eq 0 ; then
+    echo "$prog: info: /run belongs to uid $uid instead of $UID - fixing it"
+    s6-chown -U -- /run
+    s6-chmod 0755 /run
+  elif test "$GID" -eq 0 && test "$gid" -eq 0 ; then  # Unprivileged Kubernetes Environment
+    if echo "$perms" | s6-grep -qF gxgwgr && echo "$perms" | s6-grep -qvF ow ; then
+      echo "$prog: info: using /run with gid 0"
+    else
+      echo "$prog: fatal: wrong permissions on /run for a gid 0 setup" 
+      exit 100
+    fi
+  else
+    echo "$prog: fatal: /run belongs to uid $uid instead of $UID and we're lacking the privileges to fix it."
+    exit 100
+  fi
 fi
 
 # Ensure /var/run is a symlink to /run

diff --git a/layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/libexec/stage0 b/layout/rootfs-overlay/package/admin/s6-overlay-@VERSION@/libexec/stage0
@@ -1,7 +1,7 @@
 #!/bin/sh -e
 
 # This script is run as pid 1 after preinit has exited.
-# It doesn't need privileges: it will run with or without USER.
+# It doesn't need privileges: it should run in all configurations.
 # It invokes s6-linux-init-maker with options depending on run-time
 # control variables, then execs into the init script created by
 # s6-linux-init-maker, which is stage 1.