diff --git a/go.mod b/go.mod
index 000dbb5644b..77ca78b4ca1 100644
--- a/go.mod
+++ b/go.mod
@@ -12,7 +12,7 @@ require (
 github.com/godbus/dbus/v5 v5.1.0
 github.com/moby/sys/mountinfo v0.6.2
 github.com/mrunalp/fileutils v0.5.0
- github.com/opencontainers/runtime-spec v1.0.3-0.20220718201635-a8106e99982b
+ github.com/opencontainers/runtime-spec v1.0.3-0.20220909204839-494a5a6aca78
 github.com/opencontainers/selinux v1.10.1
 github.com/seccomp/libseccomp-golang v0.10.0
 github.com/sirupsen/logrus v1.9.0
diff --git a/go.sum b/go.sum
index 578c5b555ff..30290621b55 100644
--- a/go.sum
+++ b/go.sum
@@ -31,8 +31,8 @@ github.com/moby/sys/mountinfo v0.6.2 h1:BzJjoreD5BMFNmD9Rus6gdd1pLuecOFPt8wC+Vyg
 github.com/moby/sys/mountinfo v0.6.2/go.mod h1:IJb6JQeOklcdMU9F5xQ8ZALD+CUr5VlGpwtX+VE0rpI=
 github.com/mrunalp/fileutils v0.5.0 h1:NKzVxiH7eSk+OQ4M+ZYW1K6h27RUV3MI6NUTsHhU6Z4=
 github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ=
-github.com/opencontainers/runtime-spec v1.0.3-0.20220718201635-a8106e99982b h1:udwtfS44rxYE/ViMLchHQBjfE60GZSB1arY7BFbyxLs=
-github.com/opencontainers/runtime-spec v1.0.3-0.20220718201635-a8106e99982b/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
+github.com/opencontainers/runtime-spec v1.0.3-0.20220909204839-494a5a6aca78 h1:R5M2qXZiK/mWPMT4VldCOiSL9HIAMuxQZWdG0CSM5+4=
+github.com/opencontainers/runtime-spec v1.0.3-0.20220909204839-494a5a6aca78/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/selinux v1.10.1 h1:09LIPVRP3uuZGQvgR+SgMSNBd1Eb3vlRbGqQpoHsF8w=
 github.com/opencontainers/selinux v1.10.1/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
diff --git a/libcontainer/configs/config.go b/libcontainer/configs/config.go
index 18955cf95c9..8ce881b1e9f 100644
--- a/libcontainer/configs/config.go
+++ b/libcontainer/configs/config.go
@@ -119,6 +119,9 @@ type Config struct { // Hostname optionally sets the container's hostname if provided Hostname string `json:"hostname"` + // Hostname optionally sets the container's domainname if provided + Domainname string `json:"domainname"` + // Namespaces specifies the container's namespaces that it should setup when cloning the init process // If a namespace is not provided that namespace is shared from the container's parent process Namespaces Namespaces `json:"namespaces"` diff --git a/libcontainer/configs/validate/validator.go b/libcontainer/configs/validate/validator.go index 2027a37203e..56313d22296 100644 --- a/libcontainer/configs/validate/validator.go +++ b/libcontainer/configs/validate/validator.go @@ -24,6 +24,7 @@ func Validate(config *configs.Config) error { rootfs, network, hostname, + domainname, security, namespaces, sysctl, @@ -82,6 +83,13 @@ func hostname(config *configs.Config) error { return nil } +func domainname(config *configs.Config) error { + if config.Domainname != "" && !config.Namespaces.Contains(configs.NEWUTS) { + return errors.New("unable to set domainname without a private UTS namespace") + } + return nil +} + func security(config *configs.Config) error { // restrict sys without mount namespace if (len(config.MaskPaths) > 0 || len(config.ReadonlyPaths) > 0) && diff --git a/libcontainer/configs/validate/validator_test.go b/libcontainer/configs/validate/validator_test.go index 59a4033899e..6858d2719ab 100644 --- a/libcontainer/configs/validate/validator_test.go +++ b/libcontainer/configs/validate/validator_test.go 
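Review bot: The doc comment on the new Domainname field of Config still reads `// Hostname optionally sets the container's domainname if provided`, a copy of the Hostname comment directly above it; the comment should name the field it documents: `// Domainname optionally sets the container's domainname if provided`. Nothing else in the hunk needs changing. The Config struct starts and ends outside the hunk.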
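Review bot: The new domainname validator only rejects a domainname set without a private UTS namespace and does not bound the value's length, so a name longer than the kernel's UTS field limit (64 bytes, __NEW_UTS_LEN) would presumably only fail later, when the runtime applies it inside the container, instead of at validation time where the error is clearer. Whether to add that here depends on how hostname handles the same case; its body is only partly visible in this hunk, so if it also omits the check, keeping the two validators symmetric is defensible, otherwise a guard such as `if len(config.Domainname) > 64 { return errors.New("domainname is too long") }` ahead of the namespace check gives an earlier failure. The error message style matches the surrounding validators.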
@@ -82,6 +82,23 @@ func TestValidateHostname(t *testing.T) { } } +func TestValidateDomainname(t *testing.T) { + config := &configs.Config{ + Rootfs: "/var", + Domainname: "runc", + Namespaces: configs.Namespaces( + []configs.Namespace{ + {Type: configs.NEWUTS}, + }, + ), + } + + err := Validate(config) + if err != nil { + t.Errorf("Expected error to not occur: %+v", err) + } +} + func TestValidateHostnameWithoutUTSNamespace(t *testing.T) { config := &configs.Config{ Rootfs: "/var", @@ -94,6 +111,18 @@ func TestValidateHostnameWithoutUTSNamespace(t *testing.T) { } } +func TestValidateDomainnameWithoutUTSNamespace(t *testing.T) { + config := &configs.Config{ + Rootfs: "/var", + Domainname: "runc", + } + + err := Validate(config) + if err == nil { + t.Error("Expected error to occur but it was nil") + } +} + func TestValidateSecurityWithMaskPaths(t *testing.T) { config := &configs.Config{ Rootfs: "/var", diff --git a/libcontainer/integration/template_test.go b/libcontainer/integration/template_test.go index 0e054b55b45..3de1d3e325d 100644 --- a/libcontainer/integration/template_test.go +++ b/libcontainer/integration/template_test.go @@ -129,8 +129,9 @@ func newTemplateConfig(t *testing.T, p *tParam) *configs.Config { ReadonlyPaths: []string{ "/proc/sys", "/proc/sysrq-trigger", "/proc/irq", "/proc/bus", }, - Devices: specconv.AllowedDevices, - Hostname: "integration", + Devices: specconv.AllowedDevices, + Hostname: "integration", + Domainname: "integration", Mounts: []*configs.Mount{ { Source: "proc", diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go index d62e34be713..9b8b1f1871d 100644 --- a/libcontainer/specconv/spec_linux.go +++ b/libcontainer/specconv/spec_linux.go 
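Review bot: TestValidateDomainnameWithoutUTSNamespace only asserts that Validate returns some error, so it would still pass if another validator rejected the namespace-less config and the domainname check itself were removed. This mirrors the existing hostname test, so keeping the two symmetric is understandable, but asserting on the message pins the behaviour this commit adds, e.g. `if err == nil || !strings.Contains(err.Error(), "domainname") { t.Errorf("expected domainname error, got %v", err) }` (adding the strings import if the file does not already have it). The positive test TestValidateDomainname is fine as written.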
@@ -354,6 +354,7 @@ func CreateLibcontainerConfig(opts *CreateOpts) (*configs.Config, error) { NoPivotRoot: opts.NoPivotRoot, Readonlyfs: spec.Root.Readonly, Hostname: spec.Hostname, + Domainname: spec.Domainname, Labels: append(labels, "bundle="+cwd), NoNewKeyring: opts.NoNewKeyring, RootlessEUID: opts.RootlessEUID, diff --git a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go b/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go index cf1b338c81a..068edd052c1 100644 --- a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go +++ b/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go @@ -12,6 +12,8 @@ type Spec struct { Root *Root `json:"root,omitempty"` // Hostname configures the container's hostname. Hostname string `json:"hostname,omitempty"` + // Domainname configures the container's domainname. + Domainname string `json:"domainname,omitempty"` // Mounts configures additional mounts (on top of Root). Mounts []Mount `json:"mounts,omitempty"` // Hooks configures callbacks for container lifecycle events. @@ -317,6 +319,10 @@ type LinuxMemory struct { DisableOOMKiller *bool `json:"disableOOMKiller,omitempty"` // Enables hierarchical memory accounting UseHierarchy *bool `json:"useHierarchy,omitempty"` + // CheckBeforeUpdate enables checking if a new memory limit is lower + // than the current usage during update, and if so, rejecting the new + // limit. + CheckBeforeUpdate *bool `json:"checkBeforeUpdate,omitempty"` } // LinuxCPU for Linux cgroup 'cpu' resource management 
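Review bot: With this line the spec's Domainname is copied into the libcontainer config, but none of the hunks visible here apply it inside the container the way Hostname is applied at init; if that part of the change lives outside this chunk it should be confirmed, otherwise the field is validated and carried through but never takes effect. The mapping itself is consistent with the Hostname line directly above it. CreateLibcontainerConfig starts and ends outside the hunk.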
@@ -643,6 +649,10 @@ const ( // LinuxSeccompFlagSpecAllow can be used to disable Speculative Store // Bypass mitigation. (since Linux 4.17) LinuxSeccompFlagSpecAllow LinuxSeccompFlag = "SECCOMP_FILTER_FLAG_SPEC_ALLOW" + + // LinuxSeccompFlagWaitKillableRecv can be used to switch to the wait + // killable semantics. (since Linux 5.19) + LinuxSeccompFlagWaitKillableRecv LinuxSeccompFlag = "SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV" ) // Additional architectures permitted to be used for system calls diff --git a/vendor/modules.txt b/vendor/modules.txt index 989cbe8a964..6e6ee91f083 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -36,7 +36,7 @@ github.com/moby/sys/mountinfo # github.com/mrunalp/fileutils v0.5.0 ## explicit; go 1.13 github.com/mrunalp/fileutils -# github.com/opencontainers/runtime-spec v1.0.3-0.20220718201635-a8106e99982b +# github.com/opencontainers/runtime-spec v1.0.3-0.20220909204839-494a5a6aca78 ## explicit github.com/opencontainers/runtime-spec/specs-go # github.com/opencontainers/selinux v1.10.1