commit 209818fc10ba14e8ebfb126cc364c26300795af9 Author: Nicolas Vigier boklm@torproject.org Date: Thu Sep 14 19:08:14 2017 +0200
Bug 23039: add support for runc 1.0.0
The var_p/runc100 option is used to detect the version of runc we are using. The format of the output of `runc --version` is different in both versions, so it is not easy to parse. However I noticed that runc 0.1.1 does not exit with an error when we try to use a command that does not exist while runc >= 1.0.0 does, so we use that to detect the runc version we are using.
When using runc >= 1.0.0, we use `runc run` instead of `runc start': https://github.com/opencontainers/runc/commit/c669b8d1568633c68bd915561ceb2e...
In the runc config.json file, the format of the capabilities has been changed. Instead of having one list of capabilities, there are now separate lists for bounding, effective, inheritable, permitted and ambient capabilities (and we use the same list for all of them): https://github.com/opencontainers/runtime-spec/commit/eb114f057094dd2314682d...
We also add /proc/timer_list and /sys/firmware to the "maskedPaths", as those paths are now listed by default in the config.json file generated by `runc spec` with runc 1.0.0. --- README | 3 -- projects/common/runc-config.json | 91 +++++++++++++++++++++++++++++++++++++++- rbm.conf | 16 ++++++- 3 files changed, 105 insertions(+), 5 deletions(-)
diff --git a/README b/README index 10cadec..5b4a2bc 100644 --- a/README +++ b/README @@ -8,9 +8,6 @@ To build Tor Browser, you need a Linux distribution that has support for runc (such as Debian jessie, Ubuntu 16.04, Fedora 20, etc ...). On Debian jessie, the runc package is available in backports. On Debian stretch, the runc package is available in the main repository. -Version 0.1.1 of runc is required (which is the version available in -Debian stretch and jessie-backports). It is not yet working with runc -version 1.0.0: https://trac.torproject.org/projects/tor/ticket/23039
Your user account should have sudo access, which is required to be able to extract container file systems, start containers and copy files to and diff --git a/projects/common/runc-config.json b/projects/common/runc-config.json index 02be3b0..a4386c6 100644 --- a/projects/common/runc-config.json +++ b/projects/common/runc-config.json @@ -1,5 +1,5 @@ { - "ociVersion": "1.0.0-rc1", + "ociVersion": "1.0.0[% IF !c("var_p/runc100") %]-rc1[% END %]", "platform": { "os": "linux", [% IF c("var/container/arch") == 'i386' -%] @@ -22,6 +22,90 @@ "TERM=xterm" ], "cwd": "/", +[% IF c("var_p/runc100") -%] + "capabilities": { + "bounding": [ + "CAP_AUDIT_WRITE", + "CAP_KILL", + "CAP_NET_BIND_SERVICE", + "CAP_SETGID", + "CAP_SETUID", + "CAP_MKNOD", + "CAP_SYS_CHROOT", +[% IF c("var/container/CAP_SYS_ADMIN") -%] + "CAP_SYS_ADMIN", +[% END -%] + "CAP_FSETID", + "CAP_FOWNER", + "CAP_DAC_OVERRIDE", + "CAP_CHOWN" + ], + "effective": [ + "CAP_AUDIT_WRITE", + "CAP_KILL", + "CAP_NET_BIND_SERVICE", + "CAP_SETGID", + "CAP_SETUID", + "CAP_MKNOD", + "CAP_SYS_CHROOT", +[% IF c("var/container/CAP_SYS_ADMIN") -%] + "CAP_SYS_ADMIN", +[% END -%] + "CAP_FSETID", + "CAP_FOWNER", + "CAP_DAC_OVERRIDE", + "CAP_CHOWN" + ], + "inheritable": [ + "CAP_AUDIT_WRITE", + "CAP_KILL", + "CAP_NET_BIND_SERVICE", + "CAP_SETGID", + "CAP_SETUID", + "CAP_MKNOD", + "CAP_SYS_CHROOT", +[% IF c("var/container/CAP_SYS_ADMIN") -%] + "CAP_SYS_ADMIN", +[% END -%] + "CAP_FSETID", + "CAP_FOWNER", + "CAP_DAC_OVERRIDE", + "CAP_CHOWN" + ], + "permitted": [ + "CAP_AUDIT_WRITE", + "CAP_KILL", + "CAP_NET_BIND_SERVICE", + "CAP_SETGID", + "CAP_SETUID", + "CAP_MKNOD", + "CAP_SYS_CHROOT", +[% IF c("var/container/CAP_SYS_ADMIN") -%] + "CAP_SYS_ADMIN", +[% END -%] + "CAP_FSETID", + "CAP_FOWNER", + "CAP_DAC_OVERRIDE", + "CAP_CHOWN" + ], + "ambient": [ + "CAP_AUDIT_WRITE", + "CAP_KILL", + "CAP_NET_BIND_SERVICE", + "CAP_SETGID", + "CAP_SETUID", + "CAP_MKNOD", + "CAP_SYS_CHROOT", +[% IF c("var/container/CAP_SYS_ADMIN") -%] + "CAP_SYS_ADMIN", +[% END -%] + "CAP_FSETID", + "CAP_FOWNER", + "CAP_DAC_OVERRIDE", + "CAP_CHOWN" + ] + }, +[% ELSE -%] "capabilities": [ "CAP_AUDIT_WRITE", "CAP_KILL", @@ -38,6 +122,7 @@ "CAP_DAC_OVERRIDE", "CAP_CHOWN" ], +[% END -%] "rlimits": [ { "type": "RLIMIT_NOFILE", @@ -165,6 +250,10 @@ "/proc/kcore", "/proc/latency_stats", "/proc/timer_stats", +[% IF c("var_p/runc100") -%] + "/proc/timer_list", + "/sys/firmware", +[% END -%] "/proc/sched_debug" ], "readonlyPaths": [ diff --git a/rbm.conf b/rbm.conf index 7bda275..ef37575 100644 --- a/rbm.conf +++ b/rbm.conf @@ -329,7 +329,7 @@ runc: cat > '[% c("var/container/dir") %]'/config.json << EOF [% INCLUDE 'runc-config.json' %] EOF - sudo runc start -b '[% c("var/container/dir") %]' rbm-[% sha256(c("build_id", { error_if_undef => 1 })) %] [% IF c("runc_hide_stderr") %]2>/dev/null[% END %] + sudo runc [% IF c("var_p/runc100") %]run[% ELSE %]start[% END %] -b '[% c("var/container/dir") %]' rbm-[% sha256(c("build_id", { error_if_undef => 1 })) %] [% IF c("runc_hide_stderr") %]2>/dev/null[% END %]
remote_put: | #!/bin/sh @@ -369,3 +369,17 @@ runc: ENV: TZ: UTC LC_ALL: C +--- | + # This part of the file contains options written in perl + use IO::CaptureOutput qw(capture_exec); + ( + var_p => { + # runc100 is true if we are using runc >= 1.0.0 + runc100 => sub { + # runc >= 1.0.0 exits with an error when trying to use an unknown + # command while older versions exit with 0 + my (undef, undef, $success) = capture_exec('sudo', 'runc', 'xyzxyzxyz'); + return !$success; + }, + }, + )