Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

restore: add lsm-profile and lsm-mount-context options #1578

Merged
merged 2 commits into from
Oct 21, 2024
Merged

restore: add lsm-profile and lsm-mount-context options #1578

merged 2 commits into from
Oct 21, 2024

Conversation

rst0git
Copy link
Contributor

@rst0git rst0git commented Oct 17, 2024

By default, CRIU restores containers with the same SELinux process labels used during checkpointing. However, when restoring multiple copies of a container, this results in all containers using identical SELinux labels, which is undesirable. In addition, all containers in a Pod share the SELinux label of the infrastructure container. To restore a new container into an existing Pod, we need to specify the SELinux label to be used during restore.

This pull request adds --lsm-profile and --lsm-mount-context options for the crun restore command to enable this functionality, similar to runc (opencontainers/runc#3005)

@giuseppe giuseppe marked this pull request as ready for review October 17, 2024 21:09
@giuseppe
Copy link
Member

could you take care of the build failures?

  CC       src/libcrun/libcrun_la-utils.lo
src/restore.c: In function 'parse_opt':
src/restore.c:133:30: error: this statement may fall through [-Werror=implicit-fallthrough=]
  133 |       cr_options.lsm_profile = argp_mandatory_argument (arg, state);
      |       ~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/restore.c:135:5: note: here
  135 |     case OPTION_LSM_MOUNT_CONTEXT:
      |     ^~~~
src/restore.c:136:36: error: this statement may fall through [-Werror=implicit-fallthrough=]
  136 |       cr_options.lsm_mount_context = argp_mandatory_argument (arg, state);
      |       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/restore.c:138:5: note: here
  138 |     default:
      |     ^~~~~~~

@giuseppe
Copy link
Member

@rst0git would you like that I take care of these build failures and push a fixed version?

I'd like to cut a new release and I think it would be good to include this PR

@packit-as-a-service Packit-as-a-Service
Copy link

Ephemeral COPR build failed. @containers/packit-build please check.

@rst0git
Copy link
Contributor Author

rst0git commented Oct 21, 2024
edited
Loading

Hi @giuseppe, thank you so much for your help! I've updated the pull request to fix the build failures.

I am working with Adrian (@adrianreber) on enabling container checkpointing with crun in Kubernetes. However, the static crun binary provided with the CRI-O package currently fails with could not load libcriu.so.2 (cri-o/cri-o#8518).

Would it be possible to fix this issue in the upcoming release?

@giuseppe
Copy link
Member

@rst0git using the static binary is a kind of a "hack" and crun should be better installed using a proper package manager.

How would that be fixed? Avoiding the entire dlopen part for libcriu? Wouldn't be easier if libcriu is installed as well on the system?

@rst0git
Copy link
Contributor Author

rst0git commented Oct 21, 2024

How would that be fixed? Avoiding the entire dlopen part for libcriu? Wouldn't be easier if libcriu is installed as well on the system?

The error appears when libcriu is installed on the system. We noticed that adding /usr/lib64 in LD_LIBRARY_PATH allows dlopen to find libcriu:

LD_LIBRARY_PATH="/usr/lib64:$LD_LIBRARY_PATH" /usr/libexec/crio/crun

However, checkpointing still fails with:

Can't read swrk pid: Success
Can't connect to criu: Bad file descriptor
Can't read swrk pid: Success
Can't connect to criu: Bad file descriptor

@giuseppe
Copy link
Member

could you please rebase on top of #1580 ?

giuseppe
giuseppe approved these changes Oct 21, 2024
View reviewed changes
Copy link
Member

@giuseppe giuseppe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@rst0git @giuseppe
restore: add lsm-profile option
9efd6a8 
By default, CRIU restores containers with the same SELinux process
labels used during checkpointing. However, when restoring multiple
copies of a container, this results in all containers using identical
SELinux labels, which is undesirable.

In addition, all containers in a Pod share the SELinux label of the
infrastructure container. To restore a new container into an existing
Pod, we need to specify the SELinux label to be used during restore.

This patch adds `--lsm-profile` option for the `crun restore` command
to enable this functionality, similar to runc [1].

[1] opencontainers/runc#3005

Signed-off-by: Radostin Stoyanov <rstoyanov@fedoraproject.org>
@rst0git @giuseppe
restore: add lsm-mount-context option
ce89aa6 
The lsm-mount-context option allows to specify a new mount context to be
used during restore. For example, if a mountpoint has been checkpointed
with context like

	context="system_u:object_r:container_file_t:s0:c82,c137"

it is possible to change this context using

	--lsm-mount-context "system_u:object_r:container_file_t:s0:c204,c495"

Signed-off-by: Radostin Stoyanov <rstoyanov@fedoraproject.org>
@giuseppe giuseppe merged commit 2d36664 into containers:main Oct 21, 2024
29 of 55 checks passed
@rst0git rst0git deleted the lsm branch October 21, 2024 13:20
rst0git added a commit to rst0git/crun that referenced this pull request Oct 21, 2024
@rst0git
criu: load lsm functions
ed64259 
Fixes containers#1578

Signed-off-by: Radostin Stoyanov <rstoyanov@fedoraproject.org>
@rst0git rst0git mentioned this pull request Oct 21, 2024
Merged
rst0git added a commit to rst0git/crun that referenced this pull request Oct 21, 2024
@rst0git
crun.1.md: add lsm-profile and lsm-mount-context
4146129 
This pull request updates the man page with description for the
`--lsm-profile` and `--lsm-mount-context` options introduced in
containers#1578

Signed-off-by: Radostin Stoyanov <rstoyanov@fedoraproject.org>
@rst0git rst0git mentioned this pull request Oct 21, 2024
Merged
rst0git added a commit to rst0git/podman that referenced this pull request Oct 21, 2024
@rst0git
Enable pod restore with crun
642b61a 
`CRRuntimeSupportsPodCheckpointRestore()` is used to check if the current
container runtime (e.g., runc or crun) can restore a container into an
existing Pod. It does this by processing output message to check if the
`--lsm-mount-context` option is supported.  This option was recently
added to crun [1], however, crun and runc have slightly different output
messages:

```
$ crun restore--lsm-mount-contextt
restore: option '--lsm-mount-context' requires an argument
Try `restore --help' or `restore --usage' for more information.
```

```
$ runc restore --lsm-mount-context
ERRO[0000] flag needs an argument: -lsm-mount-context
```

This patch updates the function to support both runtimes.

[1] containers/crun#1578

Signed-off-by: Radostin Stoyanov <rstoyanov@fedoraproject.org>
@rst0git rst0git mentioned this pull request Oct 21, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@giuseppe giuseppe giuseppe approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@rst0git @giuseppe