Unverified Commit 209818fc authored by boklm's avatar boklm

Bug 23039: add support for runc 1.0.0

The var_p/runc100 option is used to detect the version of runc we are
using. The format of the output of `runc --version` is different in both
versions, so it is not easy to parse. However I noticed that runc 0.1.1
does not exit with an error when we try to use a command that does not
exist while runc >= 1.0.0 does, so we use that to detect the runc
version we are using.

When using runc >= 1.0.0, we use `runc run` instead of `runc start`:
https://github.com/opencontainers/runc/commit/c669b8d1568633c68bd915561ceb2e5ecc1bfc6a

In the runc config.json file, the format of the capabilities has been
changed. Instead of having one list of capabilities, there are now
separate lists for bounding, effective, inheritable, permitted and
ambient capabilities (and we use the same list for all of them):
https://github.com/opencontainers/runtime-spec/commit/eb114f057094dd2314682d55f8cb9c189915ac86

We also add /proc/timer_list and /sys/firmware to the "maskedPaths", as
those paths are now listed by default in the config.json file generated
by `runc spec` with runc 1.0.0.
parent 90653b4d
......@@ -8,9 +8,6 @@ To build Tor Browser, you need a Linux distribution that has support
for runc (such as Debian jessie, Ubuntu 16.04, Fedora 20, etc ...).
On Debian jessie, the runc package is available in backports. On Debian
stretch, the runc package is available in the main repository.
Version 0.1.1 of runc is required (which is the version available in
Debian stretch and jessie-backports). It is not yet working with runc
version 1.0.0: https://trac.torproject.org/projects/tor/ticket/23039
Your user account should have sudo access, which is required to be able
to extract container file systems, start containers and copy files to and
......
{
"ociVersion": "1.0.0-rc1",
"ociVersion": "1.0.0[% IF !c("var_p/runc100") %]-rc1[% END %]",
"platform": {
"os": "linux",
[% IF c("var/container/arch") == 'i386' -%]
......@@ -22,6 +22,90 @@
"TERM=xterm"
],
"cwd": "/",
[% IF c("var_p/runc100") -%]
"capabilities": {
"bounding": [
"CAP_AUDIT_WRITE",
"CAP_KILL",
"CAP_NET_BIND_SERVICE",
"CAP_SETGID",
"CAP_SETUID",
"CAP_MKNOD",
"CAP_SYS_CHROOT",
[% IF c("var/container/CAP_SYS_ADMIN") -%]
"CAP_SYS_ADMIN",
[% END -%]
"CAP_FSETID",
"CAP_FOWNER",
"CAP_DAC_OVERRIDE",
"CAP_CHOWN"
],
"effective": [
"CAP_AUDIT_WRITE",
"CAP_KILL",
"CAP_NET_BIND_SERVICE",
"CAP_SETGID",
"CAP_SETUID",
"CAP_MKNOD",
"CAP_SYS_CHROOT",
[% IF c("var/container/CAP_SYS_ADMIN") -%]
"CAP_SYS_ADMIN",
[% END -%]
"CAP_FSETID",
"CAP_FOWNER",
"CAP_DAC_OVERRIDE",
"CAP_CHOWN"
],
"inheritable": [
"CAP_AUDIT_WRITE",
"CAP_KILL",
"CAP_NET_BIND_SERVICE",
"CAP_SETGID",
"CAP_SETUID",
"CAP_MKNOD",
"CAP_SYS_CHROOT",
[% IF c("var/container/CAP_SYS_ADMIN") -%]
"CAP_SYS_ADMIN",
[% END -%]
"CAP_FSETID",
"CAP_FOWNER",
"CAP_DAC_OVERRIDE",
"CAP_CHOWN"
],
"permitted": [
"CAP_AUDIT_WRITE",
"CAP_KILL",
"CAP_NET_BIND_SERVICE",
"CAP_SETGID",
"CAP_SETUID",
"CAP_MKNOD",
"CAP_SYS_CHROOT",
[% IF c("var/container/CAP_SYS_ADMIN") -%]
"CAP_SYS_ADMIN",
[% END -%]
"CAP_FSETID",
"CAP_FOWNER",
"CAP_DAC_OVERRIDE",
"CAP_CHOWN"
],
"ambient": [
"CAP_AUDIT_WRITE",
"CAP_KILL",
"CAP_NET_BIND_SERVICE",
"CAP_SETGID",
"CAP_SETUID",
"CAP_MKNOD",
"CAP_SYS_CHROOT",
[% IF c("var/container/CAP_SYS_ADMIN") -%]
"CAP_SYS_ADMIN",
[% END -%]
"CAP_FSETID",
"CAP_FOWNER",
"CAP_DAC_OVERRIDE",
"CAP_CHOWN"
]
},
[% ELSE -%]
"capabilities": [
"CAP_AUDIT_WRITE",
"CAP_KILL",
......@@ -38,6 +122,7 @@
"CAP_DAC_OVERRIDE",
"CAP_CHOWN"
],
[% END -%]
"rlimits": [
{
"type": "RLIMIT_NOFILE",
......@@ -165,6 +250,10 @@
"/proc/kcore",
"/proc/latency_stats",
"/proc/timer_stats",
[% IF c("var_p/runc100") -%]
"/proc/timer_list",
"/sys/firmware",
[% END -%]
"/proc/sched_debug"
],
"readonlyPaths": [
......
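Review bot: The new "capabilities" object repeats the same capability list verbatim in five arrays (bounding, effective, inheritable, permitted, ambient), each with its own `[% IF c("var/container/CAP_SYS_ADMIN") -%]` toggle, so a later edit to one array can silently leave the others different and the container ends up with mismatched sets. Since the commit message says the intent is one list used for all five sets, the template can express that directly with a Template Toolkit `FOREACH` over the set names, so the list exists in exactly one place (sketched below). The same list also lands in `ambient`, which, as I understand it, is kept across execve of unprivileged programs, so the `CAP_SYS_ADMIN` option now applies to every process spawned inside the container rather than only to the entry process; a one-line template comment near that option saying so would help the next reader decide whether to enable it. The `[% IF c("var_p/runc100") -%]` / `[% ELSE -%]` pair begins in this hunk and closes in the next one.
```json
[% IF c("var_p/runc100") -%]
	"capabilities": {
[% FOREACH capset IN ['bounding', 'effective', 'inheritable', 'permitted', 'ambient'] -%]
		"[% capset %]": [
[% # … unchanged: the capability names, including the CAP_SYS_ADMIN conditional … %]
		][% UNLESS loop.last %],[% END %]
[% END -%]
	},
[% ELSE -%]
```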
......@@ -329,7 +329,7 @@ runc:
cat > '[% c("var/container/dir") %]'/config.json << EOF
[% INCLUDE 'runc-config.json' %]
EOF
sudo runc start -b '[% c("var/container/dir") %]' rbm-[% sha256(c("build_id", { error_if_undef => 1 })) %] [% IF c("runc_hide_stderr") %]2>/dev/null[% END %]
sudo runc [% IF c("var_p/runc100") %]run[% ELSE %]start[% END %] -b '[% c("var/container/dir") %]' rbm-[% sha256(c("build_id", { error_if_undef => 1 })) %] [% IF c("runc_hide_stderr") %]2>/dev/null[% END %]
remote_put: |
#!/bin/sh
......@@ -369,3 +369,17 @@ runc:
ENV:
TZ: UTC
LC_ALL: C
--- |
# This part of the file contains options written in perl
use IO::CaptureOutput qw(capture_exec);
(
var_p => {
# runc100 is true if we are using runc >= 1.0.0
runc100 => sub {
# runc >= 1.0.0 exits with an error when trying to use an unknown
# command while older versions exit with 0
my (undef, undef, $success) = capture_exec('sudo', 'runc', 'xyzxyzxyz');
return !$success;
},
},
)
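Review bot: `runc100` treats every non-zero exit of `sudo runc xyzxyzxyz` as "runc >= 1.0.0", so a runc binary that is not installed, a sudo policy that denies the command, or sudo failing to prompt for a password without a tty is silently classified as the new version and the build goes on with `runc run` and the rc-less ociVersion instead of stopping with a clear error. capture_exec also returns stderr and, as its fourth value, the exit code, so the sub could read `my (undef, $err, $success, $exit_code) = capture_exec('sudo', 'runc', 'xyzxyzxyz');` and die with `$err` when the failure does not look like runc's own unknown-command error (I have not verified what message each runc version prints for that case, so the exact condition needs checking against both). If this option is re-evaluated on each `c("var_p/runc100")` lookup, which I cannot tell from here, each evaluation spawns another sudo process; caching the result in a `state` variable (with `use feature 'state'`) would keep it to one. The Perl hash is complete within the hunk; the enclosing YAML `runc:` mapping starts before it.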