Merge pull request #1875 from giuseppe/tag-1.24

giuseppe · web-flow · commit 6f0a3c5013e6 · 2025-09-09T21:55:43.000+02:00
NEWS: tag 1.24
diff --git a/NEWS b/NEWS
@@ -1,3 +1,16 @@
+* crun-1.24
+
+- linux: add support for NUMA set_mempolicy.
+- intelrdt: add support for EnableMonitoring
+- linux: optimize masked paths with shared empty directory.
+- cgroup, systemd: validate the specified ebpf program is loaded by systemd.
+- krun: avoid failing if sev/nitro are not available.
+- linux: limit tmpfs memory usage for masked paths.
+- linux: fix regression mounting within userns.  Detect when running inside a
+  user namespace and treat the mounts in the same way as they would be treated
+  with a new user namespace.
+- linux: never chown devices.
+
 * crun-1.23.1
 
 - exec: fix a bug where the terminal could lose some bytes when
diff --git a/src/libcrun/criu.c b/src/libcrun/criu.c
@@ -267,6 +267,54 @@ criu_check_mem_track (char *work_path, libcrun_error_t *err)
 
 #  endif
 
+static int
+register_masked_paths_mounts (runtime_spec_schema_config_schema *def, libcrun_container_t *container,
+                              struct libcriu_wrapper_s *libcriu_wrapper, bool is_restore, libcrun_error_t *err)
+{
+  cleanup_free char *empty_dir_path = NULL;
+  bool shared_dir_registered = false;
+  size_t i;
+  int ret;
+
+  for (i = 0; i < def->linux->masked_paths_len; i++)
+    {
+      struct stat statbuf;
+      ret = stat (def->linux->masked_paths[i], &statbuf);
+      if (ret != 0)
+        continue;
+
+      if (S_ISDIR (statbuf.st_mode))
+        {
+          if (! shared_dir_registered)
+            {
+              ret = get_shared_empty_directory_path (&empty_dir_path,
+                                                     (container->context ? container->context->state_root : NULL), err);
+              if (UNLIKELY (ret < 0))
+                return ret;
+
+              ret = libcriu_wrapper->criu_add_ext_mount (empty_dir_path, empty_dir_path);
+              if (UNLIKELY (ret < 0))
+                return crun_make_error (err, -ret, "CRIU: failed adding external mount for shared empty directory `%s`", empty_dir_path);
+
+              shared_dir_registered = true;
+            }
+
+          ret = libcriu_wrapper->criu_add_ext_mount (def->linux->masked_paths[i], empty_dir_path);
+          if (UNLIKELY (ret < 0))
+            return crun_make_error (err, -ret, "CRIU: failed adding external mount for masked directory `%s`", def->linux->masked_paths[i]);
+        }
+      else if (S_ISREG (statbuf.st_mode))
+        {
+          const char *bind_target = is_restore ? "/dev/null" : def->linux->masked_paths[i];
+          ret = libcriu_wrapper->criu_add_ext_mount (def->linux->masked_paths[i], bind_target);
+          if (UNLIKELY (ret < 0))
+            return crun_make_error (err, -ret, "CRIU: failed adding external mount to `%s`", bind_target);
+        }
+    }
+
+  return 0;
+}
+
 static int
 restore_cgroup_v1_mount (runtime_spec_schema_config_schema *def, libcrun_error_t *err)
 {
@@ -609,17 +657,9 @@ libcrun_container_checkpoint_linux_criu (libcrun_container_status_t *status, lib
         }
     }
 
-  for (i = 0; i < def->linux->masked_paths_len; i++)
-    {
-      struct stat statbuf;
-      ret = stat (def->linux->masked_paths[i], &statbuf);
-      if (ret == 0 && S_ISREG (statbuf.st_mode))
-        {
-          ret = libcriu_wrapper->criu_add_ext_mount (def->linux->masked_paths[i], def->linux->masked_paths[i]);
-          if (UNLIKELY (ret < 0))
-            return crun_make_error (err, -ret, "CRIU: failed adding external mount to `%s`", def->linux->masked_paths[i]);
-        }
-    }
+  ret = register_masked_paths_mounts (def, container, libcriu_wrapper, false, err);
+  if (UNLIKELY (ret < 0))
+    return ret;
 
   /* CRIU tries to checkpoint and restore all namespaces. However,
    * namespaces could be shared between containers in a pod.
@@ -947,17 +987,9 @@ libcrun_container_restore_linux_criu (libcrun_container_status_t *status, libcru
         }
     }
 
-  for (i = 0; i < def->linux->masked_paths_len; i++)
-    {
-      struct stat statbuf;
-      ret = stat (def->linux->masked_paths[i], &statbuf);
-      if (ret == 0 && S_ISREG (statbuf.st_mode))
-        {
-          ret = libcriu_wrapper->criu_add_ext_mount (def->linux->masked_paths[i], "/dev/null");
-          if (UNLIKELY (ret < 0))
-            return crun_make_error (err, -ret, "CRIU: failed adding external mount to `%s`", "/dev/null");
-        }
-    }
+  ret = register_masked_paths_mounts (def, container, libcriu_wrapper, true, err);
+  if (UNLIKELY (ret < 0))
+    return ret;
 
   /* do realpath on root */
   bundle_cleanup = realpath (status->bundle, NULL);
diff --git a/src/libcrun/linux.c b/src/libcrun/linux.c
@@ -1087,7 +1087,6 @@ get_shared_empty_dir_cached (libcrun_container_t *container, char **proc_fd_path
 {
   struct private_data_s *private_data = get_private_data (container);
   cleanup_close int fd = -1;
-  cleanup_free char *run_dir = NULL;
   cleanup_free char *empty_dir_path = NULL;
   int ret;
 
@@ -1099,16 +1098,7 @@ get_shared_empty_dir_cached (libcrun_container_t *container, char **proc_fd_path
     }
 
   /* Slow path: create directory and cache everything once */
-  ret = get_run_directory (&run_dir, container->context->state_root, err);
-  if (UNLIKELY (ret < 0))
-    return ret;
-
-  ret = append_paths (&empty_dir_path, err, run_dir, ".empty-directory", NULL);
-  if (UNLIKELY (ret < 0))
-    return ret;
-
-  /* Ensure the empty directory exists (once per container) */
-  ret = crun_ensure_directory (empty_dir_path, 0555, false, err);
+  ret = get_shared_empty_directory_path (&empty_dir_path, container->context->state_root, err);
   if (UNLIKELY (ret < 0))
     return ret;
 
@@ -2674,7 +2664,9 @@ do_notify_socket (libcrun_container_t *container, const char *rootfs, libcrun_er
   if (notify_socket == NULL)
     return 0;
 
-  ret = libcrun_get_state_directory (&state_dir, container->context->state_root, container->context->id, err);
+  ret = libcrun_get_state_directory (&state_dir,
+                                     (container->context ? container->context->state_root : NULL),
+                                     container->context->id, err);
   if (UNLIKELY (ret < 0))
     return ret;
 
@@ -4637,7 +4629,9 @@ prepare_and_send_dev_mounts (libcrun_container_t *container, int sync_socket_hos
   if (! has_userns || is_empty_string (container->context->id) || geteuid () > 0)
     return send_mounts (sync_socket_host, dev_fds, how_many, def->linux->devices_len, err);
 
-  ret = libcrun_get_state_directory (&state_dir, container->context->state_root, container->context->id, err);
+  ret = libcrun_get_state_directory (&state_dir,
+                                     (container->context ? container->context->state_root : NULL),
+                                     container->context->id, err);
   if (UNLIKELY (ret < 0))
     return ret;
 
@@ -5909,7 +5903,7 @@ libcrun_configure_network (libcrun_container_t *container, libcrun_error_t *err)
   else
     {
       struct nlmsghdr *hdr_recv;
-      char buf[sizeof (struct nlmsghdr) + sizeof (struct ifinfomsg)];
+      char buf[sizeof (struct nlmsghdr) + sizeof (struct nlmsgerr)];
       struct sockaddr_nl addr = {
         .nl_family = AF_NETLINK,
         .nl_pid = getpid (),
diff --git a/src/libcrun/seccomp.c b/src/libcrun/seccomp.c
@@ -589,7 +589,7 @@ store_seccomp_cache (struct libcrun_seccomp_gen_ctx_s *ctx, libcrun_error_t *err
   if (is_empty_string (ctx->checksum))
     return 0;
 
-  dirfd = open_rundir_dirfd (container->context->state_root, err);
+  dirfd = open_rundir_dirfd ((container->context ? container->context->state_root : NULL), err);
   if (UNLIKELY (dirfd < 0))
     return dirfd;
 
@@ -874,7 +874,7 @@ libcrun_open_seccomp_bpf (struct libcrun_seccomp_gen_ctx_s *ctx, int *fd, libcru
   if (container == NULL || container->context == NULL)
     return crun_make_error (err, EINVAL, "invalid internal state");
 
-  dirfd = open_rundir_dirfd (container->context->state_root, err);
+  dirfd = open_rundir_dirfd ((container->context ? container->context->state_root : NULL), err);
   if (UNLIKELY (dirfd < 0))
     return dirfd;
 
diff --git a/src/libcrun/status.c b/src/libcrun/status.c
@@ -85,6 +85,28 @@ get_run_directory (char **out, const char *state_root, libcrun_error_t *err)
   return 0;
 }
 
+int
+get_shared_empty_directory_path (char **out, const char *state_root, libcrun_error_t *err)
+{
+  cleanup_free char *run_dir = NULL;
+  int ret;
+
+  ret = get_run_directory (&run_dir, state_root, err);
+  if (UNLIKELY (ret < 0))
+    return ret;
+
+  ret = append_paths (out, err, run_dir, ".empty-directory", NULL);
+  if (UNLIKELY (ret < 0))
+    return ret;
+
+  /* Ensure the empty directory exists */
+  ret = crun_ensure_directory (*out, 0555, false, err);
+  if (UNLIKELY (ret < 0))
+    return ret;
+
+  return 0;
+}
+
 int
 libcrun_get_state_directory (char **out, const char *state_root, const char *id, libcrun_error_t *err)
 {
diff --git a/src/libcrun/status.h b/src/libcrun/status.h
@@ -65,6 +65,7 @@ int libcrun_status_write_exec_fifo (const char *state_root, const char *id, libc
 int libcrun_status_has_read_exec_fifo (const char *state_root, const char *id, libcrun_error_t *err);
 int libcrun_check_pid_valid (libcrun_container_status_t *status, libcrun_error_t *err);
 int get_run_directory (char **out, const char *state_root, libcrun_error_t *err);
+int get_shared_empty_directory_path (char **out, const char *state_root, libcrun_error_t *err);
 
 static inline void
 libcrun_free_container_listp (void *p)
