2017-11-21 08:08:36 +00:00
|
|
|
package runcexecutor
|
2017-06-01 22:24:23 +00:00
|
|
|
|
|
|
|
import (
|
2018-01-16 22:30:10 +00:00
|
|
|
"context"
|
2017-06-01 22:24:23 +00:00
|
|
|
"encoding/json"
|
2017-06-02 00:30:02 +00:00
|
|
|
"io"
|
2018-05-30 02:49:43 +00:00
|
|
|
"io/ioutil"
|
2017-06-01 22:24:23 +00:00
|
|
|
"os"
|
2017-06-02 00:30:02 +00:00
|
|
|
"os/exec"
|
2017-06-01 22:24:23 +00:00
|
|
|
"path/filepath"
|
2018-05-30 02:49:43 +00:00
|
|
|
"strconv"
|
|
|
|
"strings"
|
2017-06-01 22:24:23 +00:00
|
|
|
"syscall"
|
2018-09-19 22:50:46 +00:00
|
|
|
"time"
|
2017-06-01 22:24:23 +00:00
|
|
|
|
2018-03-22 12:53:05 +00:00
|
|
|
"github.com/containerd/containerd/contrib/seccomp"
|
2017-06-01 22:24:23 +00:00
|
|
|
"github.com/containerd/containerd/mount"
|
2017-12-11 21:17:07 +00:00
|
|
|
containerdoci "github.com/containerd/containerd/oci"
|
2018-02-09 19:39:48 +00:00
|
|
|
"github.com/containerd/continuity/fs"
|
2017-06-01 22:24:23 +00:00
|
|
|
runc "github.com/containerd/go-runc"
|
2017-06-22 20:15:46 +00:00
|
|
|
"github.com/moby/buildkit/cache"
|
2017-11-21 08:08:36 +00:00
|
|
|
"github.com/moby/buildkit/executor"
|
|
|
|
"github.com/moby/buildkit/executor/oci"
|
2017-10-03 23:13:35 +00:00
|
|
|
"github.com/moby/buildkit/identity"
|
2018-08-04 19:42:01 +00:00
|
|
|
"github.com/moby/buildkit/solver/pb"
|
2018-03-16 02:51:32 +00:00
|
|
|
"github.com/moby/buildkit/util/network"
|
2018-07-04 07:13:30 +00:00
|
|
|
rootlessspecconv "github.com/moby/buildkit/util/rootless/specconv"
|
2018-05-24 23:34:35 +00:00
|
|
|
"github.com/moby/buildkit/util/system"
|
2018-08-01 21:15:43 +00:00
|
|
|
specs "github.com/opencontainers/runtime-spec/specs-go"
|
2017-06-01 22:24:23 +00:00
|
|
|
"github.com/pkg/errors"
|
2017-07-19 01:05:19 +00:00
|
|
|
"github.com/sirupsen/logrus"
|
2017-06-01 22:24:23 +00:00
|
|
|
)
|
|
|
|
|
2018-04-17 23:37:45 +00:00
|
|
|
type Opt struct {
|
2018-05-30 02:49:43 +00:00
|
|
|
// root directory
|
2018-04-17 23:37:45 +00:00
|
|
|
Root string
|
|
|
|
CommandCandidates []string
|
2018-05-30 02:49:43 +00:00
|
|
|
// without root privileges (has nothing to do with Opt.Root directory)
|
|
|
|
Rootless bool
|
2018-08-19 06:05:26 +00:00
|
|
|
// DefaultCgroupParent is the cgroup-parent name for executor
|
|
|
|
DefaultCgroupParent string
|
2018-04-17 23:37:45 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
var defaultCommandCandidates = []string{"buildkit-runc", "runc"}
|
|
|
|
|
2017-11-21 08:08:36 +00:00
|
|
|
type runcExecutor struct {
|
2018-08-21 15:51:28 +00:00
|
|
|
runc *runc.Runc
|
|
|
|
root string
|
|
|
|
cmd string
|
2018-08-19 06:05:26 +00:00
|
|
|
cgroupParent string
|
2018-08-21 15:51:28 +00:00
|
|
|
rootless bool
|
|
|
|
networkProviders map[pb.NetMode]network.Provider
|
2017-06-01 22:24:23 +00:00
|
|
|
}
|
|
|
|
|
2018-08-21 15:51:28 +00:00
|
|
|
func New(opt Opt, networkProviders map[pb.NetMode]network.Provider) (executor.Executor, error) {
|
2018-04-17 23:37:45 +00:00
|
|
|
cmds := opt.CommandCandidates
|
|
|
|
if cmds == nil {
|
|
|
|
cmds = defaultCommandCandidates
|
2017-06-22 20:42:13 +00:00
|
|
|
}
|
|
|
|
|
2018-04-17 23:37:45 +00:00
|
|
|
var cmd string
|
|
|
|
var found bool
|
|
|
|
for _, cmd = range cmds {
|
|
|
|
if _, err := exec.LookPath(cmd); err == nil {
|
|
|
|
found = true
|
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if !found {
|
|
|
|
return nil, errors.Errorf("failed to find %s binary", cmd)
|
|
|
|
}
|
|
|
|
|
|
|
|
root := opt.Root
|
|
|
|
|
2017-06-09 01:16:19 +00:00
|
|
|
if err := os.MkdirAll(root, 0700); err != nil {
|
|
|
|
return nil, errors.Wrapf(err, "failed to create %s", root)
|
|
|
|
}
|
|
|
|
|
|
|
|
root, err := filepath.Abs(root)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2018-06-07 07:04:55 +00:00
|
|
|
root, err = filepath.EvalSymlinks(root)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2017-06-09 01:16:19 +00:00
|
|
|
|
2018-10-03 20:59:33 +00:00
|
|
|
// clean up old hosts/resolv.conf file. ignore errors
|
|
|
|
os.RemoveAll(filepath.Join(root, "hosts"))
|
|
|
|
os.RemoveAll(filepath.Join(root, "resolv.conf"))
|
|
|
|
|
2017-06-01 22:24:23 +00:00
|
|
|
runtime := &runc.Runc{
|
2018-04-19 00:01:20 +00:00
|
|
|
Command: cmd,
|
2017-06-01 22:24:23 +00:00
|
|
|
Log: filepath.Join(root, "runc-log.json"),
|
|
|
|
LogFormat: runc.JSON,
|
2018-09-19 22:50:46 +00:00
|
|
|
PdeathSignal: syscall.SIGKILL, // this can still leak the process
|
2017-07-03 04:21:40 +00:00
|
|
|
Setpgid: true,
|
2018-07-04 07:13:30 +00:00
|
|
|
// we don't execute runc with --rootless=(true|false) explicitly,
|
|
|
|
// so as to support non-runc runtimes
|
2017-06-01 22:24:23 +00:00
|
|
|
}
|
|
|
|
|
2017-11-21 08:08:36 +00:00
|
|
|
w := &runcExecutor{
|
2018-08-21 15:51:28 +00:00
|
|
|
runc: runtime,
|
|
|
|
root: root,
|
2018-08-19 06:05:26 +00:00
|
|
|
cgroupParent: opt.DefaultCgroupParent,
|
2018-08-21 15:51:28 +00:00
|
|
|
rootless: opt.Rootless,
|
|
|
|
networkProviders: networkProviders,
|
2017-06-01 22:24:23 +00:00
|
|
|
}
|
|
|
|
return w, nil
|
|
|
|
}
|
|
|
|
|
2017-11-21 08:08:36 +00:00
|
|
|
func (w *runcExecutor) Exec(ctx context.Context, meta executor.Meta, root cache.Mountable, mounts []executor.Mount, stdin io.ReadCloser, stdout, stderr io.WriteCloser) error {
|
2018-08-21 15:51:28 +00:00
|
|
|
provider, ok := w.networkProviders[meta.NetMode]
|
|
|
|
if !ok {
|
|
|
|
return errors.Errorf("unknown network mode %s", meta.NetMode)
|
|
|
|
}
|
|
|
|
namespace, err := provider.New()
|
|
|
|
if err != nil {
|
|
|
|
return err
|
2018-08-03 17:00:54 +00:00
|
|
|
}
|
2018-08-21 15:51:28 +00:00
|
|
|
defer namespace.Close()
|
|
|
|
|
2018-08-04 19:42:01 +00:00
|
|
|
if meta.NetMode == pb.NetMode_HOST {
|
2018-08-03 17:00:54 +00:00
|
|
|
logrus.Info("enabling HostNetworking")
|
|
|
|
}
|
2017-08-08 01:45:31 +00:00
|
|
|
|
2017-12-11 02:18:18 +00:00
|
|
|
resolvConf, err := oci.GetResolvConf(ctx, w.root)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2018-08-03 21:01:54 +00:00
|
|
|
hostsFile, clean, err := oci.GetHostsFile(ctx, w.root, meta.ExtraHosts)
|
2017-12-11 02:18:18 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2018-08-03 21:01:54 +00:00
|
|
|
if clean != nil {
|
|
|
|
defer clean()
|
2018-08-01 21:15:43 +00:00
|
|
|
}
|
2017-12-11 02:18:18 +00:00
|
|
|
|
2018-04-16 22:23:10 +00:00
|
|
|
mountable, err := root.Mount(ctx, false)
|
2017-06-01 22:24:23 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2018-04-16 22:23:10 +00:00
|
|
|
rootMount, err := mountable.Mount()
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
defer mountable.Release()
|
|
|
|
|
2017-10-03 23:13:35 +00:00
|
|
|
id := identity.NewID()
|
2017-06-01 22:24:23 +00:00
|
|
|
bundle := filepath.Join(w.root, id)
|
2017-06-09 01:16:19 +00:00
|
|
|
|
2017-06-01 22:24:23 +00:00
|
|
|
if err := os.Mkdir(bundle, 0700); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
defer os.RemoveAll(bundle)
|
|
|
|
rootFSPath := filepath.Join(bundle, "rootfs")
|
|
|
|
if err := os.Mkdir(rootFSPath, 0700); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2017-12-11 21:17:07 +00:00
|
|
|
if err := mount.All(rootMount, rootFSPath); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
defer mount.Unmount(rootFSPath, 0)
|
|
|
|
|
2018-06-29 23:00:24 +00:00
|
|
|
uid, gid, sgids, err := oci.GetUser(ctx, rootFSPath, meta.User)
|
2017-12-11 21:17:07 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2017-06-01 22:24:23 +00:00
|
|
|
f, err := os.Create(filepath.Join(bundle, "config.json"))
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
defer f.Close()
|
2018-03-16 02:51:32 +00:00
|
|
|
|
2018-06-29 23:00:24 +00:00
|
|
|
opts := []containerdoci.SpecOpts{oci.WithUIDGID(uid, gid, sgids)}
|
2018-05-24 23:34:35 +00:00
|
|
|
if system.SeccompSupported() {
|
|
|
|
opts = append(opts, seccomp.WithDefaultProfile())
|
|
|
|
}
|
2018-03-26 13:51:08 +00:00
|
|
|
if meta.ReadonlyRootFS {
|
|
|
|
opts = append(opts, containerdoci.WithRootFSReadonly())
|
|
|
|
}
|
2018-08-19 06:05:26 +00:00
|
|
|
|
|
|
|
if w.cgroupParent != "" {
|
|
|
|
var cgroupsPath string
|
|
|
|
lastSeparator := w.cgroupParent[len(w.cgroupParent)-1:]
|
|
|
|
if strings.Contains(w.cgroupParent, ".slice") && lastSeparator == ":" {
|
|
|
|
cgroupsPath = w.cgroupParent + id
|
|
|
|
} else {
|
|
|
|
cgroupsPath = filepath.Join("/", w.cgroupParent, "buildkit", id)
|
|
|
|
}
|
|
|
|
opts = append(opts, containerdoci.WithCgroup(cgroupsPath))
|
|
|
|
}
|
2018-08-21 15:51:28 +00:00
|
|
|
spec, cleanup, err := oci.GenerateSpec(ctx, meta, mounts, id, resolvConf, hostsFile, namespace, opts...)
|
2017-06-01 22:24:23 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2017-08-08 01:45:31 +00:00
|
|
|
defer cleanup()
|
2017-06-01 22:24:23 +00:00
|
|
|
|
|
|
|
spec.Root.Path = rootFSPath
|
2017-07-07 21:35:10 +00:00
|
|
|
if _, ok := root.(cache.ImmutableRef); ok { // TODO: pass in with mount, not ref type
|
2017-06-01 22:24:23 +00:00
|
|
|
spec.Root.Readonly = true
|
|
|
|
}
|
|
|
|
|
2017-12-17 23:45:12 +00:00
|
|
|
newp, err := fs.RootPath(rootFSPath, meta.Cwd)
|
2017-07-07 21:35:10 +00:00
|
|
|
if err != nil {
|
|
|
|
return errors.Wrapf(err, "working dir %s points to invalid target", newp)
|
|
|
|
}
|
2018-07-23 09:21:03 +00:00
|
|
|
if err := os.MkdirAll(newp, 0755); err != nil {
|
2017-07-07 21:35:10 +00:00
|
|
|
return errors.Wrapf(err, "failed to create working directory %s", newp)
|
|
|
|
}
|
|
|
|
|
2018-07-04 07:13:30 +00:00
|
|
|
if err := setOOMScoreAdj(spec); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2018-05-30 02:49:43 +00:00
|
|
|
if w.rootless {
|
2018-07-04 07:13:30 +00:00
|
|
|
if err := rootlessspecconv.ToRootless(spec); err != nil {
|
2018-05-30 02:49:43 +00:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2017-06-01 22:24:23 +00:00
|
|
|
if err := json.NewEncoder(f).Encode(spec); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2018-09-19 22:50:46 +00:00
|
|
|
// runCtx/killCtx is used for extra check in case the kill command blocks
|
|
|
|
runCtx, cancelRun := context.WithCancel(context.Background())
|
|
|
|
defer cancelRun()
|
|
|
|
|
|
|
|
done := make(chan struct{})
|
|
|
|
go func() {
|
|
|
|
for {
|
|
|
|
select {
|
|
|
|
case <-ctx.Done():
|
|
|
|
killCtx, timeout := context.WithTimeout(context.Background(), 7*time.Second)
|
|
|
|
if err := w.runc.Kill(killCtx, id, int(syscall.SIGKILL), nil); err != nil {
|
|
|
|
logrus.Errorf("failed to kill runc %s: %+v", id, err)
|
|
|
|
select {
|
|
|
|
case <-killCtx.Done():
|
|
|
|
timeout()
|
|
|
|
cancelRun()
|
|
|
|
return
|
|
|
|
default:
|
|
|
|
}
|
|
|
|
}
|
|
|
|
timeout()
|
|
|
|
select {
|
|
|
|
case <-time.After(50 * time.Millisecond):
|
|
|
|
case <-done:
|
|
|
|
return
|
|
|
|
}
|
|
|
|
case <-done:
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}()
|
|
|
|
|
2018-03-16 02:51:32 +00:00
|
|
|
logrus.Debugf("> creating %s %v", id, meta.Args)
|
2018-09-19 22:50:46 +00:00
|
|
|
status, err := w.runc.Run(runCtx, id, bundle, &runc.CreateOpts{
|
2018-09-12 05:40:48 +00:00
|
|
|
IO: &forwardIO{stdin: stdin, stdout: stdout, stderr: stderr},
|
2018-08-03 17:00:54 +00:00
|
|
|
})
|
2018-09-19 22:50:46 +00:00
|
|
|
close(done)
|
2018-08-03 17:00:54 +00:00
|
|
|
if err != nil {
|
2018-03-16 02:51:32 +00:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
if status != 0 {
|
2018-09-26 22:52:31 +00:00
|
|
|
err := errors.Errorf("exit code: %d", status)
|
|
|
|
select {
|
|
|
|
case <-ctx.Done():
|
|
|
|
return errors.Wrapf(ctx.Err(), err.Error())
|
|
|
|
default:
|
|
|
|
return err
|
|
|
|
}
|
2018-03-16 02:51:32 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
2017-06-01 22:24:23 +00:00
|
|
|
}
|
|
|
|
|
2017-06-02 00:30:02 +00:00
|
|
|
type forwardIO struct {
|
2018-09-12 05:40:48 +00:00
|
|
|
stdin io.ReadCloser
|
|
|
|
stdout, stderr io.WriteCloser
|
2017-06-02 00:30:02 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func (s *forwardIO) Close() error {
|
2018-08-21 15:51:28 +00:00
|
|
|
return nil
|
2017-06-02 00:30:02 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func (s *forwardIO) Set(cmd *exec.Cmd) {
|
2017-10-01 00:58:07 +00:00
|
|
|
cmd.Stdin = s.stdin
|
2017-06-02 00:30:02 +00:00
|
|
|
cmd.Stdout = s.stdout
|
|
|
|
cmd.Stderr = s.stderr
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *forwardIO) Stdin() io.WriteCloser {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *forwardIO) Stdout() io.ReadCloser {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *forwardIO) Stderr() io.ReadCloser {
|
|
|
|
return nil
|
|
|
|
}
|
2018-05-30 02:49:43 +00:00
|
|
|
|
|
|
|
// setOOMScoreAdj comes from https://github.com/genuinetools/img/blob/2fabe60b7dc4623aa392b515e013bbc69ad510ab/executor/runc/executor.go#L182-L192
|
|
|
|
func setOOMScoreAdj(spec *specs.Spec) error {
|
|
|
|
// Set the oom_score_adj of our children containers to that of the current process.
|
|
|
|
b, err := ioutil.ReadFile("/proc/self/oom_score_adj")
|
|
|
|
if err != nil {
|
|
|
|
return errors.Wrap(err, "failed to read /proc/self/oom_score_adj")
|
|
|
|
}
|
|
|
|
s := strings.TrimSpace(string(b))
|
|
|
|
oom, err := strconv.Atoi(s)
|
|
|
|
if err != nil {
|
|
|
|
return errors.Wrapf(err, "failed to parse %s as int", s)
|
|
|
|
}
|
|
|
|
spec.Process.OOMScoreAdj = &oom
|
|
|
|
return nil
|
|
|
|
}
|