Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libkrun for openSUSE:Factory checked in at 2021-03-19 16:43:07 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libkrun (Old) and /work/SRC/openSUSE:Factory/.libkrun.new.2401 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libkrun" Fri Mar 19 16:43:07 2021 rev:2 rq:880001 version:0.1.7 Changes: -------- --- /work/SRC/openSUSE:Factory/libkrun/libkrun.changes 2021-03-05 13:47:03.155719073 +0100 +++ /work/SRC/openSUSE:Factory/.libkrun.new.2401/libkrun.changes 2021-03-19 16:43:13.930120149 +0100 @@ -1,0 +2,31 @@ +Fri Mar 19 02:14:29 UTC 2021 - Dario Faggioli <[email protected]> + +- enable only the arch-es that we know are supported (x86_64 and Arm64) +- build fails with old versions of cargo. Set a minimum version + +------------------------------------------------------------------- +Fri Mar 19 00:52:32 UTC 2021 - Dario Faggioli <[email protected]> + +- fixup the obscpio files for 0.1.7 + +------------------------------------------------------------------- +Fri Mar 19 00:36:40 UTC 2021 - [email protected] + +- Update to version 0.1.7: + * libkrun: Bump version to 0.1.7 + * devices/fs: fix listxattr on macOS + * libkrun: Bump version to 0.1.6 + * vmm: Add "no-kvmapf" to the kernel command line + * libkrun: Bump version to 0.1.5 + * libkrun: Put env vars values between quotes + * init: Fix format warning in printf() + * init: Compile with -Wall + * Makefile: Have init.c as a prerequisite of init + * init: Fix the perror() messages + +------------------------------------------------------------------- +Fri Mar 19 00:17:49 UTC 2021 - Dario Faggioli <[email protected]> + +- there's no libkrunfw for i586 so exclude it here as well + +------------------------------------------------------------------- Old: ---- libkrun-0.1.4.obscpio New: ---- libkrun-0.1.7.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libkrun.spec ++++++ --- /var/tmp/diff_new_pack.JVFqiQ/_old 2021-03-19 16:43:17.350124765 +0100 +++ /var/tmp/diff_new_pack.JVFqiQ/_new 2021-03-19 16:43:17.354124771 +0100 
@@ -18,7 +18,7 @@ %global rustflags '-Clink-arg=-Wl,-z,relro,-z,now' Name: libkrun -Version: 0.1.4 +Version: 0.1.7 Release: 0 Summary: A dynamic library providing KVM-based process isolation capabilities License: Apache-2.0 @@ -26,7 +26,8 @@ Source0: libkrun-%{version}.tar.gz Source1: vendor.tar.xz Source2: cargo_config -BuildRequires: cargo +ExclusiveArch: x86_64 aarch64 +BuildRequires: cargo >= 1.43.0 BuildRequires: gcc BuildRequires: glibc-static BuildRequires: libkrunfw-devel >= 0.6 @@ -53,6 +54,7 @@ %package devel Summary: Development files for libkrun Requires: libkrun0 + %description devel Development files for libkrun ++++++ _service ++++++ --- /var/tmp/diff_new_pack.JVFqiQ/_old 2021-03-19 16:43:17.382124808 +0100 +++ /var/tmp/diff_new_pack.JVFqiQ/_new 2021-03-19 16:43:17.382124808 +0100 @@ -2,7 +2,7 @@ <service name="obs_scm" mode="disabled"> <param name="scm">git</param> - <param name="revision">v0.1.4</param> + <param name="revision">v0.1.7</param> <param name="url">https://github.com/containers/libkrun.git</param> <param name="versionformat">@PARENT_TAG@</param> <param name="changesgenerate">enable</param> ++++++ libkrun-0.1.4.obscpio -> libkrun-0.1.7.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libkrun-0.1.4/Makefile new/libkrun-0.1.7/Makefile --- old/libkrun-0.1.4/Makefile 2021-02-02 18:22:57.000000000 +0100 +++ new/libkrun-0.1.7/Makefile 2021-03-01 17:48:28.000000000 +0100 @@ -19,8 +19,8 @@ debug: $(LIBRARY_DEBUG_$(OS)) -$(INIT_BINARY): - gcc -O2 -static -o $@ init/init.c +$(INIT_BINARY): init/init.c + gcc -O2 -static -Wall -o $@ init/init.c $(LIBRARY_RELEASE_$(OS)): $(INIT_BINARY) cargo build --release diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libkrun-0.1.4/README.md new/libkrun-0.1.7/README.md --- old/libkrun-0.1.4/README.md 2021-02-02 18:22:57.000000000 +0100 +++ new/libkrun-0.1.7/README.md 2021-03-01 17:48:28.000000000 +0100 
@@ -51,23 +51,41 @@ ## Building and installing -### Requirements +### Linux + +#### Requirements * [libkrunfw](https://github.com/containers/libkrunfw) * A working [Rust](https://www.rust-lang.org/) toolchain +* C Library static libraries, as the [init](init/init.c) binary is statically linked (package ```glibc-static``` in Fedora) -### Compiling +#### Compiling ``` make ``` -### Installing +#### Installing ``` sudo make install ``` +### macOS + +#### Requirements + +As part of ```libkrun``` building process, it's necessary to produce a Linux ELF binary from [init/init.c](init/init.c). The easiest way to do this is by using a binary version of [krunvm](https://github.com/slp/krunvm) and its dependencies ([libkrunfw](https://github.com/containers/libkrunfw), and ```libkrun``` itself), such as the one available in the [krunvm Homebrew repo](https://github.com/slp/homebrew-krun), and then executing the [build_on_krunvm.sh](build_on_krunvm.sh) script found in this repository. + +This will create a lightweight Linux VM using ```krunvm``` with the current working directory mapped inside it, and produce the Linux ELF binary from [init/init.c](init/init.c). + +#### Building the library using krunvm + +``` +./build_on_krunvm.sh +make +``` + ## Using the library Despite being written in Rust, this library provides a simple C API defined in [include/libkrun.h](include/libkrun.h) 
@@ -87,19 +105,18 @@ #### Running chroot_vm -To be able to ```chroot_vm```, you need first a directory to act as the root filesystem for your isolated program. An easy way to prepare one, is by using [podman](https://podman.io/): +To be able to ```chroot_vm```, you need first a directory to act as the root filesystem for your isolated program. + +Use the ```rootfs``` target to get a rootfs prepared from the Fedora container image (note: you must have [podman](https://podman.io/) installed): ``` -podman create --name chroot_vm fedora -mkdir rootfs -podman export chroot_vm | tar xpf - -C rootfs -podman rm chroot_vm +make rootfs ``` Now you can use ```chroot_vm``` to run a process within this new root filesystem: ``` -./chroot_vm ./rootfs /bin/sh +./chroot_vm ./rootfs_fedora /bin/sh ``` If the ```libkrun``` and/or ```libkrunfw``` libraries were installed on a path that's not included in your ```/etc/ld.so.conf``` configuration, you may get an error like this one: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libkrun-0.1.4/examples/Makefile new/libkrun-0.1.7/examples/Makefile --- old/libkrun-0.1.4/examples/Makefile 2021-02-02 18:22:57.000000000 +0100 +++ new/libkrun-0.1.7/examples/Makefile 2021-03-01 17:48:28.000000000 +0100 @@ -5,8 +5,10 @@ LDFLAGS_arm64_Darwin = -L/opt/homebrew/lib -lkrun -lfdt CFLAGS_Linux = -O2 -g CFLAGS_Darwin = -O2 -g -I/opt/homebrew/include +ROOTFS_DISTRO := fedora +ROOTFS_DIR = rootfs_$(ROOTFS_DISTRO) -.PHONY: clean +.PHONY: clean rootfs all: chroot_vm 
@@ -16,5 +18,12 @@ codesign --entitlements chroot_vm.entitlements --force -s - $@ endif +# Build the rootfs to be used with chroot_vm. +rootfs: + mkdir -p $(ROOTFS_DIR) + podman create --name libkrun_chroot_vm $(ROOTFS_DISTRO) + podman export libkrun_chroot_vm | tar xpf - -C $(ROOTFS_DIR) + podman rm libkrun_chroot_vm + clean: - rm -f chroot_vm + rm -rf chroot_vm $(ROOTFS_DIR) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libkrun-0.1.4/examples/chroot_vm.c new/libkrun-0.1.7/examples/chroot_vm.c --- old/libkrun-0.1.4/examples/chroot_vm.c 2021-02-02 18:22:57.000000000 +0100 +++ new/libkrun-0.1.7/examples/chroot_vm.c 2021-03-01 17:48:28.000000000 +0100 @@ -29,6 +29,12 @@ "18000:8000", 0 }; + char *const rlimits[] = + { + // RLIMIT_NPROC = 6 + "6=4096:8192", + 0 + }; char *mapped_volumes[2]; char current_path[MAX_PATH]; char volume_tail[] = ":/work\0"; @@ -105,6 +111,13 @@ return -1; } + // Configure the rlimits that will be set in the guest + if (err = krun_set_rlimits(ctx_id, &rlimits[0])) { + errno = -err; + perror("Error configuring rlimits"); + return -1; + } + // Set the working directory to "/", just for the sake of completeness. if (err = krun_set_workdir(ctx_id, "/")) { errno = -err; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libkrun-0.1.4/include/libkrun.h new/libkrun-0.1.7/include/libkrun.h --- old/libkrun-0.1.4/include/libkrun.h 2021-02-02 18:22:57.000000000 +0100 +++ new/libkrun-0.1.7/include/libkrun.h 2021-03-01 17:48:28.000000000 +0100 @@ -73,7 +73,7 @@ * Returns: * Zero on success or a negative error number on failure. */ -int32_t krun_set_mapped_volumes(uint32_t ctx_id, const char *mapped_volumes[]); +int32_t krun_set_mapped_volumes(uint32_t ctx_id, char *const mapped_volumes[]); /* * Configures a map of host to guest TCP ports for the microVM. 
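Review bot: The `rootfs` target in examples/Makefile pulls `$(ROOTFS_DISTRO)` (default `fedora`) by short name with no tag or digest, so the registry and image that end up in `rootfs_fedora` depend on the host's podman registry configuration and on when the target is run. A fully qualified, pinned reference such as `ROOTFS_IMAGE := registry.fedoraproject.org/fedora:<tag-or-digest>` would make the example reproducible. The fixed container name `libkrun_chroot_vm` is also left behind if `podman export` or `tar` fails, and the next `make rootfs` then fails at `podman create`. Running `podman rm -f libkrun_chroot_vm` before the create, or in a cleanup step, avoids that.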
@@ -85,7 +85,19 @@ * Returns: * Zero on success or a negative error number on failure. */ -int32_t krun_set_port_map(uint32_t ctx_id, const char *port_map[]); +int32_t krun_set_port_map(uint32_t ctx_id, char *const port_map[]); + +/* + * Configures a map of rlimits to be set in the guest before starting the isolated binary. + * + * Arguments: + * "ctx_id" - the configuration context ID. + * "rlimits" - an array of string pointers with format "RESOURCE=RLIM_CUR:RLIM_MAX". + * + * Returns: + * Zero on success or a negative error number on failure. + */ +int32_t krun_set_rlimits(uint32_t ctx_id, char *const rlimits[]); /* * Sets the working directory for the executable to be run inside the microVM. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libkrun-0.1.4/init/init.c new/libkrun-0.1.7/init/init.c --- old/libkrun-0.1.4/init/init.c 2021-02-02 18:22:57.000000000 +0100 +++ new/libkrun-0.1.7/init/init.c 2021-03-01 17:48:28.000000000 +0100 @@ -1,3 +1,4 @@ +#include <limits.h> #include <unistd.h> #include <stdio.h> #include <stdlib.h> 
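Review bot: The new krun_set_rlimits() comment in include/libkrun.h does not say what RESOURCE is. The example in examples/chroot_vm.c passes the number `6` with a `RLIMIT_NPROC = 6` comment, so it appears to be the guest's (Linux) numeric resource ID rather than the host's RLIMIT_* constant, and those numbers are not the same on a macOS host. I would state that explicitly, along with the NULL-termination requirement and that fields are decimal, e.g. `"rlimits" - a NULL-terminated array of strings "RESOURCE=RLIM_CUR:RLIM_MAX", where RESOURCE is the Linux resource number as seen by the guest and all fields are decimal`.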
@@ -5,12 +6,48 @@ #include <net/if.h> #include <sys/ioctl.h> #include <sys/mount.h> +#include <sys/resource.h> #include <sys/socket.h> #include <sys/stat.h> +#include <sys/time.h> #include <sys/types.h> char DEFAULT_KRUN_INIT[] = "/bin/sh"; +void set_rlimits(const char *rlimits) +{ + unsigned long long int lim_id, lim_cur, lim_max; + struct rlimit rlim; + char *item = (char *) rlimits; + + while (1) { + lim_id = lim_cur = lim_max = ULLONG_MAX; + + lim_id = strtoull(item, &item, 10); + if (lim_id == ULLONG_MAX) { + printf("Invalid rlimit ID\n"); + break; + } + + item++; + lim_cur = strtoull(item, &item, 10); + item++; + lim_max = strtoull(item, &item, 10); + + rlim.rlim_cur = lim_cur; + rlim.rlim_max = lim_max; + if (setrlimit(lim_id, &rlim) != 0) { + printf("Error setting rlimit for ID=%lld\n", lim_id); + } + + if (*item != '\0') { + item++; + } else { + break; + } + } +} + int main(int argc, char **argv) { struct ifreq ifr; @@ -18,33 +55,34 @@ char *hostname; char *krun_init; char *workdir; + char *rlimits; if (mount("proc", "/proc", "proc", MS_NODEV | MS_NOEXEC | MS_NOSUID | MS_RELATIME, NULL) < 0) { - perror("mount(/proc): "); + perror("mount(/proc)"); exit(-1); } if (mount("sysfs", "/sys", "sysfs", MS_NODEV | MS_NOEXEC | MS_NOSUID | MS_RELATIME, NULL) < 0) { - perror("mount(/sys): "); + perror("mount(/sys)"); exit(-1); } if (mount("cgroup2", "/sys/fs/cgroup", "cgroup2", MS_NODEV | MS_NOEXEC | MS_NOSUID | MS_RELATIME, NULL) < 0) { - perror("mount(/sys/fs/cgroup): "); + perror("mount(/sys/fs/cgroup)"); exit(-1); } if (mkdir("/dev/pts", 0755) != 0) { - perror("mkdir(/dev/pts): "); + perror("mkdir(/dev/pts)"); exit(-1); } if (mount("devpts", "/dev/pts", "devpts", MS_NOEXEC | MS_NOSUID | MS_RELATIME, NULL) < 0) { - perror("mount(/dev/pts): "); + perror("mount(/dev/pts)"); exit(-1); } 
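Review bot: set_rlimits() in init/init.c advances `item` past each delimiter without checking what it skipped, so a value that ends early (an ID with no `=cur:max` after it) makes `item++` step over the terminating NUL and the next strtoull() reads past the end of the KRUN_RLIMITS string. The `lim_id == ULLONG_MAX` test only catches overflow: when no digits are parsed, strtoull() returns 0 and leaves the end pointer unchanged, so malformed input is applied as resource 0. I would check that each strtoull() consumed at least one digit and that the next byte is the expected `=`, `:` or `,` before advancing, and stop on anything else. The error message should also use `%llu` rather than `%lld` for the unsigned ID. The string is produced by the host library, but init is the first process in the guest, so failing closed on bad input is the safer default.

```c
void set_rlimits(const char *rlimits)
{
	unsigned long long int lim_id, lim_cur, lim_max;
	struct rlimit rlim;
	const char *item = rlimits;
	char *end;

	while (*item != '\0') {
		lim_id = strtoull(item, &end, 10);
		if (end == item || *end != '=' || lim_id > INT_MAX) {
			printf("Invalid rlimit ID\n");
			break;
		}

		item = end + 1;
		lim_cur = strtoull(item, &end, 10);
		if (end == item || *end != ':') {
			printf("Invalid rlimit value\n");
			break;
		}

		item = end + 1;
		lim_max = strtoull(item, &end, 10);
		if (end == item || (*end != ',' && *end != '\0')) {
			printf("Invalid rlimit value\n");
			break;
		}

		/* … unchanged: fill rlim and call setrlimit(), message with %llu … */

		if (*end == '\0')
			break;
		item = end + 1;
	}
}
```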
@@ -52,7 +90,7 @@ mkdir("/dev/shm", 0755); if (mount("tmpfs", "/dev/shm", "tmpfs", MS_NOEXEC | MS_NOSUID | MS_RELATIME, NULL) < 0) { - perror("mount(/dev/shm): "); + perror("mount(/dev/shm)"); exit(-1); } @@ -76,6 +114,11 @@ close(sockfd); } + rlimits = getenv("KRUN_RLIMITS"); + if (rlimits) { + set_rlimits(rlimits); + } + workdir = getenv("KRUN_WORKDIR"); if (workdir) { chdir(workdir); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libkrun-0.1.4/src/devices/src/virtio/fs/macos/passthrough.rs new/libkrun-0.1.7/src/devices/src/virtio/fs/macos/passthrough.rs --- old/libkrun-0.1.4/src/devices/src/virtio/fs/macos/passthrough.rs 2021-02-02 18:22:57.000000000 +0100 +++ new/libkrun-0.1.7/src/devices/src/virtio/fs/macos/passthrough.rs 2021-03-01 17:48:28.000000000 +0100 @@ -1812,7 +1812,7 @@ return Err(linux_error(io::Error::last_os_error())); } - let mut clean_buf = Vec::new(); + buf.truncate(res as usize); if size == 0 { let mut clean_size = res as usize; @@ -1829,8 +1829,11 @@ Ok(ListxattrReply::Count(clean_size as u32)) } else { + let mut clean_buf = Vec::new(); + for attr in buf.split(|c| *c == 0) { - if attr.starts_with(&XATTR_UID[..XATTR_UID.len() - 1]) + if attr.len() == 0 + || attr.starts_with(&XATTR_UID[..XATTR_UID.len() - 1]) || attr.starts_with(&XATTR_GID[..XATTR_GID.len() - 1]) || attr.starts_with(&XATTR_MODE[..XATTR_MODE.len() - 1]) { @@ -1838,8 +1841,11 @@ } clean_buf.extend_from_slice(attr); + clean_buf.push(0); } + clean_buf.shrink_to_fit(); + if clean_buf.len() > size as usize { Err(io::Error::from_raw_os_error(LINUX_ERANGE)) } else { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libkrun-0.1.4/src/libkrun/Cargo.toml new/libkrun-0.1.7/src/libkrun/Cargo.toml --- old/libkrun-0.1.4/src/libkrun/Cargo.toml 2021-02-02 18:22:57.000000000 +0100 +++ new/libkrun-0.1.7/src/libkrun/Cargo.toml 2021-03-01 17:48:28.000000000 +0100 
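Review bot: `attr.len() == 0` in the listxattr filter (hunk `@@ -1829,8 +1829,11 @@` of passthrough.rs) is the form clippy's `len_zero` lint flags; `attr.is_empty()` reads better next to the `starts_with` checks. In the following hunk, `clean_buf.shrink_to_fit()` may reallocate and has no effect on the `clean_buf.len() > size as usize` comparison after it, so it can probably be dropped. The `size == 0` branch is only partly visible here. Its count should equal the length this branch now produces (each kept name plus its NUL), otherwise a guest that sizes its buffer from the first call gets ERANGE on the second.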
@@ -1,6 +1,6 @@ [package] name = "libkrun" -version = "0.1.4" +version = "0.1.7" authors = ["Sergio Lopez <[email protected]>"] edition = "2018" build = "build.rs" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libkrun-0.1.4/src/libkrun/src/lib.rs new/libkrun-0.1.7/src/libkrun/src/lib.rs --- old/libkrun-0.1.4/src/libkrun/src/lib.rs 2021-02-02 18:22:57.000000000 +0100 +++ new/libkrun-0.1.7/src/libkrun/src/lib.rs 2021-03-01 17:48:28.000000000 +0100 @@ -46,6 +46,7 @@ exec_path: Option<String>, env: Option<String>, args: Option<String>, + rlimits: Option<String>, fs_cfg: Option<FsDeviceConfig>, port_map: Option<HashMap<u16, u16>>, } @@ -95,6 +96,17 @@ } } + fn set_rlimits(&mut self, rlimits: String) { + self.rlimits = Some(rlimits); + } + + fn get_rlimits(&self) -> String { + match &self.rlimits { + Some(rlimits) => format!("KRUN_RLIMITS={}", rlimits), + None => "".to_string(), + } + } + fn set_fs_cfg(&mut self, fs_cfg: FsDeviceConfig) { self.fs_cfg = Some(fs_cfg); } 
@@ -359,6 +371,40 @@ #[allow(clippy::missing_safety_doc)] #[no_mangle] +pub unsafe extern "C" fn krun_set_rlimits(ctx_id: u32, c_rlimits: *const *const c_char) -> i32 { + let rlimits = if c_rlimits.is_null() { + return -libc::EINVAL; + } else { + let mut strvec = Vec::new(); + + let array: &[*const c_char] = slice::from_raw_parts(c_rlimits, MAX_ARGS); + for item in array.iter().take(MAX_ARGS) { + if item.is_null() { + break; + } else { + let s = match CStr::from_ptr(*item).to_str() { + Ok(s) => s, + Err(_) => return -libc::EINVAL, + }; + strvec.push(s); + } + } + + format!("\"{}\"", strvec.join(",")) + }; + + match CTX_MAP.lock().unwrap().entry(ctx_id) { + Entry::Occupied(mut ctx_cfg) => { + ctx_cfg.get_mut().set_rlimits(rlimits.to_string()); + } + Entry::Vacant(_) => return -libc::ENOENT, + } + + KRUN_SUCCESS +} + +#[allow(clippy::missing_safety_doc)] +#[no_mangle] pub unsafe extern "C" fn krun_set_workdir(ctx_id: u32, c_workdir_path: *const c_char) -> i32 { let workdir_path = match CStr::from_ptr(c_workdir_path).to_str() { Ok(workdir) => workdir, @@ -430,7 +476,7 @@ } } else { env::vars() - .map(|(key, value)| format!(" {}={}", key, value)) + .map(|(key, value)| format!(" {}=\"{}\"", key, value)) .collect() }; 
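Review bot: `slice::from_raw_parts(c_rlimits, MAX_ARGS)` in krun_set_rlimits claims MAX_ARGS readable pointers before the NULL terminator has been found, which is outside from_raw_parts' safety contract whenever the caller's array is shorter (the example in examples/chroot_vm.c passes two elements). Reading one pointer at a time with `c_rlimits.add(i)` and stopping at NULL avoids that. The entries are then joined and wrapped in `"` for the kernel command line without any check on their content, so an entry containing a quote or whitespace would end the quoted value early and spill into the rest of the command line. I would accept only the documented `RESOURCE=RLIM_CUR:RLIM_MAX` shape with decimal fields and return -EINVAL otherwise. A `# Safety` section stating the NULL-terminated-array requirement could then replace the `missing_safety_doc` allow.

```rust
/// Accepts only "RESOURCE=RLIM_CUR:RLIM_MAX" with non-empty decimal fields.
fn is_valid_rlimit(s: &str) -> bool {
    let is_num = |f: &str| !f.is_empty() && f.bytes().all(|b| b.is_ascii_digit());
    let mut kv = s.splitn(2, '=');
    let (id, limits) = match (kv.next(), kv.next()) {
        (Some(id), Some(limits)) => (id, limits),
        _ => return false,
    };
    let mut lim = limits.splitn(2, ':');
    match (lim.next(), lim.next()) {
        (Some(cur), Some(max)) => is_num(id) && is_num(cur) && is_num(max),
        _ => false,
    }
}

pub unsafe extern "C" fn krun_set_rlimits(ctx_id: u32, c_rlimits: *const *const c_char) -> i32 {
    if c_rlimits.is_null() {
        return -libc::EINVAL;
    }

    let mut strvec = Vec::new();
    for i in 0..MAX_ARGS {
        // SAFETY: the caller passes a NULL-terminated array; nothing past the
        // terminator is read.
        let item = *c_rlimits.add(i);
        if item.is_null() {
            break;
        }
        let s = match CStr::from_ptr(item).to_str() {
            Ok(s) => s,
            Err(_) => return -libc::EINVAL,
        };
        if !is_valid_rlimit(s) {
            return -libc::EINVAL;
        }
        strvec.push(s);
    }
    let rlimits = format!("\"{}\"", strvec.join(","));

    // … unchanged: CTX_MAP lookup, set_rlimits(), KRUN_SUCCESS …
```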
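Review bot: Wrapping each value in quotes at `format!(" {}=\"{}\"", key, value)` does not handle values that themselves contain a double quote, which would close the quoting early and leave the remainder to be parsed as separate command-line words. Since this branch forwards the host process environment via `env::vars()`, I would skip or reject entries whose key or value contains `"`, e.g. `.filter(|(k, v)| !k.contains('"') && !v.contains('"'))` ahead of the `map`, with a comment saying why. The enclosing function starts and ends outside the hunk, so whether values are sanitised elsewhere is not visible here.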
@@ -479,11 +525,12 @@ let mut boot_source = BootSourceConfig::default(); boot_source.kernel_cmdline_prolog = Some(format!( - "{} init={} KRUN_INIT={} KRUN_WORKDIR={} {}", + "{} init={} KRUN_INIT={} KRUN_WORKDIR={} {} {}", DEFAULT_KERNEL_CMDLINE, INIT_PATH, ctx_cfg.get_exec_path(), ctx_cfg.get_workdir(), + ctx_cfg.get_rlimits(), ctx_cfg.get_env(), )); boot_source.kernel_cmdline_epilog = Some(format!(" -- {}", ctx_cfg.get_args())); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libkrun-0.1.4/src/vmm/src/vmm_config/boot_source.rs new/libkrun-0.1.7/src/vmm/src/vmm_config/boot_source.rs --- old/libkrun-0.1.4/src/vmm/src/vmm_config/boot_source.rs 2021-02-02 18:22:57.000000000 +0100 +++ new/libkrun-0.1.7/src/vmm/src/vmm_config/boot_source.rs 2021-03-01 17:48:28.000000000 +0100 @@ -17,7 +17,7 @@ // i8042.noaux i8042.nomux i8042.nopnp i8042.dumbkbd"; pub const DEFAULT_KERNEL_CMDLINE: &str = "reboot=k panic=-1 panic_print=0 pci=off nomodules \ - console=hvc0 rootfstype=virtiofs rw quiet"; + console=hvc0 rootfstype=virtiofs rw quiet no-kvmapf"; //pub const DEFAULT_KERNEL_CMDLINE: &str = "reboot=k panic=1 pci=off nomodules earlyprintk=ttyS0 \ // console=ttyS0"; ++++++ libkrun.obsinfo ++++++ --- /var/tmp/diff_new_pack.JVFqiQ/_old 2021-03-19 16:43:17.618125127 +0100 +++ /var/tmp/diff_new_pack.JVFqiQ/_new 2021-03-19 16:43:17.618125127 +0100 @@ -1,5 +1,5 @@ name: libkrun -version: 0.1.4 -mtime: 1612286577 -commit: 3ac13201de5945628c46824381b407f6fc9a8204 +version: 0.1.7 +mtime: 1614617308 +commit: e9809dbf0f5f3fd92eb1817861b3e08e27b8a8d1 ++++++ vendor.tar.xz ++++++
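Review bot: The `no-kvmapf` flag added to DEFAULT_KERNEL_CMDLINE in boot_source.rs has no comment saying why it is needed, and the constant already sits among commented-out variants, so the reason will be hard to recover later. I would add a line above the constant such as `// no-kvmapf: disable KVM paravirtualized async page faults in the guest (<reason libkrun needs this>)`, filling in the actual motivation from the upstream commit.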
