update runtime-spec version

[zhouhao3]

Update the runtime-spec version, some corresponding change questionable, what questions please suggest.

Signed-off-by: zhouhao zhouhao@cn.fujitsu.com

[zhouhao3]

Because the structure of capabilities changes, I do not know how to deal with these two functions, so temporarily delete, there are good ways to solve.

[mrunalp]

We can use these flags to add/drop from all the 5 sets. We can add other more specific flags like cap-bounding-add/cap-bounding-drop after this PR. Thanks!

[zhouhao3]

updated. In the subsequent PR can continue to improve.

[wking]

“separated” was right.

[wking]

This isn't right. You'll need different maps for each spec.Process.Capabilities.* and then different checks for each map below. For example, the current actuallySet := processCaps.Get(capability.EFFECTIVE, cap) should be compared against an expected value from spec.Process.Capabilities.Effective.

[wking]

What you're moving back towards here is close to what @mrunalp landed way back in b462307. But in 3a2ba61, @mrunalp changed that default to more closely match values extracted from Docker. In the absence of arguments for or against a given value, I expect we want to leave the values alone (and keep the fuller set from Docker as we move into the bounding/permitted/… capabilities world).

[wking]

Clearing all of process.capabilities is still a well-defined operation. We may need new operations to clear individual process.capabilities.*, but there's no need to drop this one.

[mrunalp]

Can we add the type of capability here?

return fmt.Errorf("Expected bounding capability %v not set for process", cap.String())`

[mrunalp]

Same here.

[mrunalp]

Can we add the type of capability here?

return fmt.Errorf("Expected effective capability %v not set for process", cap.String())`

[mrunalp]

Same here and for the other capability types below.

[mrunalp]

All of the system calls can now be added to a single Names list here.
For e.g.

Names: []string{
              "accept",
              "accept4",
              "access",
}

[zhouhao3]

updated, PTAL.

[mrunalp]

@grantseltzer Could you review the seccomp related changes?

[grantseltzer]

Everything appears to be working properly, but there should be capability added to place a comment inside the rules if we're updating to the new spec anyway.

[wking]

Is this intentionally bumping to a commit that is 30 commits after the tagged rc5? I don't think the LinuxSyscall.Comment removal or Linux.IntelRdt addition are so pressing that it's worth bringing in a non-release spec commit.

[zhouhao3]

Do you mean to only update to v1.0.0-rc5? Or like 237bca6?

[wking]

Do you mean to only update to v1.0.0-rc5?

That's what I mean. I'd rather avoid:

$ ./oci-runtime-tool validate
1 Errors detected:
internal error: validate currently only handles version 1.0.0-rc5-dev, but the supplied configuration targets 1.0.0-rc5

[zhouhao3]

I now use godep update to update the runtime-spec, after the update directly to the latest version (v1.0.0-rc5-30), what method can you only be updated to 1.0.0-rc5? Thanks.

[wking]

… what method can you only be updated to 1.0.0-rc5?

In whichever GOPATH you use, go to src/github.com/opencontainers/runtime-spec. Then:

$ git checkout v1.0.0-rc5

Now, back in runtime-tools:

$ godep update github.com/opencontainers/runtime-spec/specs-go

and you should be good to go.

[zhouhao3]

updated. Thank you very much for your guidance.

[vbatts]

LGTM

[mrunalp]

There is an issue with generate specifically in the syscall section.
runc run/ make localvalidation just hang.

[cyphar]

This is currently blocking a wide variety of things (like being able to use the newest version of runC with anything generated by this library). So umoci can't work with the latest runC at the moment, neither can cri-o or orca.

Are there any updates?

[mrunalp]

I'll look into this by tomorrow if there are no more updates to the PR.

[vbatts]

yeah. the generated config.json does not currently work with runc run
something in capabilities is not marshalling correctly as a []string, and the syscall names in seccomp are marshalling as empty strings.
I wish we could add a round-trip test for this (i realize that it's default to bootstrap that).

[wking]

On Thu, Apr 06, 2017 at 11:03:07AM -0700, Vincent Batts wrote: I wish we could add a round-trip test for this (i realize that it's default to bootstrap that).

It's one step down the stack, but I've started stubbing in round-trip tests in opencontainers/runtime-spec#759.

[wking]

This looks buggy to me (and may be the source of @mrunalp's problem). In master, only personality has an 0xffffffff arg, but here you have a whole bunch of names with that arg. I think you over-flattened here, and need to split this entry into separate entries for each []LinuxSeccompArg value in master.

[mrunalp]

Adding this diff makes this PR work.

diff --git a/generate/seccomp/seccomp_default.go b/generate/seccomp/seccomp_default.go
index e057ca7..e9561ae 100644
--- a/generate/seccomp/seccomp_default.go
+++ b/generate/seccomp/seccomp_default.go
@@ -344,23 +344,6 @@ func DefaultProfile(rs *specs.Spec) *rspec.LinuxSeccomp {
                                "writev",
                        },
                        Action: rspec.ActAllow,
-                       Args: []rspec.LinuxSeccompArg{
-                               {
-                                       Index: 0,
-                                       Value: 0x0,
-                                       Op:    rspec.OpEqualTo,
-                               },
-                               {
-                                       Index: 0,
-                                       Value: 0x0008,
-                                       Op:    rspec.OpEqualTo,
-                               },
-                               {
-                                       Index: 0,
-                                       Value: 0xffffffff,
-                                       Op:    rspec.OpEqualTo,
-                               },
-                       },
                },
        }
        var sysCloneFlagsIndex uint

[mrunalp]

@q384566678 could you include the diff from my comment above in the PR?

[wking]

… could you include the diff from my comment above in the PR?

I think that patch is too coarse. For example personality should probably keep its old entries. The algorithm for the change should be:

For all the old syscalls, group by (action, args) tuples, and create a new entry collecting all the old Names into the new Names.

It looks like:

      Action: rspec.ActAllow,
      Args:   []rspec.Arg{},

matches everything except personality (based on a very quick skim, may have missed something). And personality will still need three entries (one for each of its current []rspec.Arg values.

Or maybe personality can have a single entry:

    {
      Names: []string{"personality"},
      Action: rspec.ActAllow,
      Args: []rspec.Arg{
        {
          Index: 0,
          Value: 0x0,
          Op:    rspec.OpEqualTo,
        },
        {
          Index: 0,
          Value: 0x0008,
          Op:    rspec.OpEqualTo,
        },
        {
          Index: 0,
          Value: 0xffffffff,
          Op:    rspec.OpEqualTo,
        },
      },
    },

I'm not sure what the semantics are supposed to be for multiple Args.

[zhouhao3]

I think dc38a7d is better.
@mrunalp @wking PTAL

[mrunalp]

@q384566678 Did you test latest changes with latest runc? (I'll test it tomorrow).

[zhouhao3]

@mrunalp I was doing it, but when I executed the sudo make RUNTIME=runc localvalidation command, the following error occurred：

go: GOPATH entry is relative; must be absolute path: "".

I have already set up GOPATH, I'm looking for the solution, may want to make trouble you first test, thanks a lot.

[mrunalp]

@q384566678 I cannot find dc38a7d. Did you forget to push it?

[wking]

I cannot find dc38a7d. Did you forget to push it?

The current tip (afc8d35) includes the change I think we want, and was committed a few hours after @q384566678 mentioned dc38a7d. I expect he just fixed up some minor thing in the interim, and that afc8d35 is ready for testing/merging.

[mrunalp]

Much better now. runc start fine and tests also run. The one problem I see in the generated config is chroot being added to the seccomp section 5 times:

                               {
                                        "names": [
                                                "chroot"
                                        ],
                                        "action": "SCMP_ACT_ALLOW",
                                        "args": [],
                                        "comment": ""
                                },
                                {
                                        "names": [
                                                "chroot"
                                        ],
                                        "action": "SCMP_ACT_ALLOW",
                                        "args": [],
                                        "comment": ""
                                },
                                {
                                        "names": [
                                                "chroot"
                                        ],
                                        "action": "SCMP_ACT_ALLOW",
                                        "args": [],
                                        "comment": ""
                                },
                                {
                                        "names": [
                                                "chroot"
                                        ],
                                        "action": "SCMP_ACT_ALLOW",
                                        "args": [],
                                        "comment": ""
                                },
                                {
                                        "names": [
                                                "chroot"
                                        ],
                                        "action": "SCMP_ACT_ALLOW",
                                        "args": [],
                                        "comment": ""
                                },

[mrunalp]

The reason for repitition is because we are adding caps multiple times in this list. Practically the first 4 will be same for most containers and ambient could have extra capabilities. So, instead of adding all, can we just add the caps from permitted and ambient to a map and then iterate over the map to add the syscalls?

[wking]

So, instead of adding all, can we just add the caps from permitted and ambient to a map…

This is probably the way to go (although I'm not sure it has to be part of this PR). However, the map is going to be complicated, because you want to key by (LinuxSeccompAction, LinuxSeccompArg) with values that are []*LinuxSyscall (because the same backing LinuxSyscall may show up as the value for multiple keys in the map, and there may be multiple entries for each key). And then once you find the appropriate group of LinuxSyscalls you only need to add the syscall if it's not already listed in Names for any LinuxSyscall.

[wking]

On Mon, Apr 10, 2017 at 02:20:04PM -0700, Mrunal Patel wrote: The one problem I see in the generated config is `chroot` being added to the seccomp section 5 times…

This is a pre-existing bug, because we're appending (e.g. [1]) instead of using append-if-missing logic. While it would be good to address this, I don't think it needs to block this PR (it will work, and just be less efficient than if we consolidated those duplicates). [1]: https://github.com/opencontainers/runtime-tools/blob/133b95395cd847ef951c237784b9863cdf1ed860/generate/seccomp/seccomp_default.go#L1685-L1692

[mrunalp]

@wking Yeah, we can fix that up in a follow on PR.

[mrunalp]

LGTM
cc: @Mashimiao @liangchenye

[Mashimiao]

LGTM

[cyphar]

👍

[vbatts]

💯