Validate runsc version during restore.
PiperOrigin-RevId: 684516557
nybidari authored and gvisor-bot committed Oct 28, 2024
1 parent 6bae0a7 commit 38f8c33
Showing 4 changed files with 29 additions and 1 deletion.
1 change: 1 addition & 0 deletions runsc/boot/BUILD
Expand Up @@ -132,6 +132,7 @@ go_library(
"//runsc/profile",
"//runsc/specutils",
"//runsc/specutils/seccomp",
"//runsc/version",
"@com_github_opencontainers_runtime_spec//specs-go:go_default_library",
"@com_github_syndtr_gocapability//capability:go_default_library",
"@org_golang_google_protobuf//proto:go_default_library",
2 changes: 2 additions & 0 deletions runsc/boot/autosave.go
Expand Up @@ -56,6 +56,7 @@ func getSaveOpts(l *Loader, k *kernel.Kernel, isResume bool) state.SaveOpts {

func getTargetForSaveResume(l *Loader) func(k *kernel.Kernel) {
return func(k *kernel.Kernel) {
l.addVersionToCheckpoint()
l.addContainerSpecsToCheckpoint()
saveOpts := getSaveOpts(l, k, true /* isResume */)
// Store the state file contents in a buffer for save-resume.
Expand All @@ -75,6 +76,7 @@ func getTargetForSaveRestore(l *Loader, files []*fd.FD) func(k *kernel.Kernel) {
var once sync.Once
return func(k *kernel.Kernel) {
once.Do(func() {
l.addVersionToCheckpoint()
l.addContainerSpecsToCheckpoint()
saveOpts := getSaveOpts(l, k, false /* isResume */)
saveOpts.Destination = files[0]
15 changes: 15 additions & 0 deletions runsc/boot/loader.go
Expand Up @@ -82,6 +82,7 @@ import (
"gvisor.dev/gvisor/runsc/profile"
"gvisor.dev/gvisor/runsc/specutils"
"gvisor.dev/gvisor/runsc/specutils/seccomp"
"gvisor.dev/gvisor/runsc/version"

// Top-level inet providers.
"gvisor.dev/gvisor/pkg/sentry/socket/hostinet"
Expand Down Expand Up @@ -369,6 +370,10 @@ const (
// containerSpecsKey is the key used to add and pop the container specs to the
// kernel during save/restore.
containerSpecsKey = "container_specs"

// versionKey is the key used to add and pop runsc version to the kernel
// during save/restore.
versionKey = "runsc_version"
)

func getRootCredentials(spec *specs.Spec, conf *config.Config, userNs *auth.UserNamespace) *auth.Credentials {
Expand Down Expand Up @@ -1989,3 +1994,13 @@ func popContainerSpecsFromCheckpoint(k *kernel.Kernel) (map[string]*specs.Spec,
}
return oldSpecs, nil
}

// addVersionToCheckpoint adds the runsc version to the kernel.
func (l *Loader) addVersionToCheckpoint() {
l.k.AddStateToCheckpoint(versionKey, version.Version())
}

// popVersionFromCheckpoint pops the runsc version from the kernel.
func popVersionFromCheckpoint(k *kernel.Kernel) string {
return (k.PopCheckpointState(versionKey)).(string)
}
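Review bot: `popVersionFromCheckpoint` performs an unchecked type assertion on the value returned by `k.PopCheckpointState(versionKey)`; if that call yields a nil interface for an absent key (as it presumably does for a checkpoint written by a runsc predating this change, or for a corrupted or crafted state file), the `.(string)` assertion panics inside the sentry instead of producing the clean restore error the version check is meant to give. The sibling `popContainerSpecsFromCheckpoint` already returns `(…, error)`, so the new helper should follow that shape and the caller in `restore()` should propagate it (`checkpointVersion, err := popVersionFromCheckpoint(l.k); if err != nil { return err }`). That turns the "no version recorded" case into an explicit, auditable rejection rather than a crash. The fence below uses `fmt.Errorf`, assuming `fmt` is already imported by loader.go as it is in restore.go; if not, `errors.New` serves equally.

```go
// popVersionFromCheckpoint pops the runsc version from the kernel. It returns
// an error when the checkpoint carries no version (e.g. one written by an
// older runsc) or the stored value is not a string, so callers reject the
// image instead of panicking on a failed type assertion.
func popVersionFromCheckpoint(k *kernel.Kernel) (string, error) {
	v, ok := k.PopCheckpointState(versionKey).(string)
	if !ok {
		return "", fmt.Errorf("checkpoint does not contain a valid runsc version")
	}
	return v, nil
}
```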
12 changes: 11 additions & 1 deletion runsc/boot/restore.go
Expand Up @@ -46,6 +46,7 @@ import (
"gvisor.dev/gvisor/pkg/tcpip/stack"
"gvisor.dev/gvisor/runsc/boot/pprof"
"gvisor.dev/gvisor/runsc/config"
"gvisor.dev/gvisor/runsc/version"
)

const (
Expand Down Expand Up @@ -350,7 +351,7 @@ func validateSpecForContainer(oldSpec, newSpec *specs.Spec, cName string) error
}
}

// TODO(b/359591006): Validate runsc version, Linux.Resources, Process.Capabilities and Annotations.
// TODO(b/359591006): Validate Linux.Resources, Process.Capabilities and Annotations.
// TODO(b/359591006): Check other remaining fields for equality.
return nil
}
Expand Down Expand Up @@ -464,6 +465,12 @@ func (r *restorer) restore(l *Loader) error {
return err
}

checkpointVersion := popVersionFromCheckpoint(l.k)
currentVersion := version.Version()
if checkpointVersion != currentVersion {
return fmt.Errorf("runsc version does not match across checkpoint restore, checkpoint: %v current: %v", checkpointVersion, currentVersion)
}

oldSpecs, err := popContainerSpecsFromCheckpoint(l.k)
if err != nil {
return err
Expand Down Expand Up @@ -578,6 +585,9 @@ func (l *Loader) save(o *control.SaveOpts) (err error) {
}
o.Metadata["container_count"] = strconv.Itoa(l.containerCount())

// Save runsc version.
l.addVersionToCheckpoint()

// Save container specs.
l.addContainerSpecsToCheckpoint()

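Review bot: The version comparison added to `restore()` can only run after `l.k` has been populated from the state file, because the recorded version is read out of the restored kernel's checkpoint state; a mismatched or malformed image is therefore fully deserialized before it is rejected, so the new check protects against running on incompatible state but not against the deserialization step itself. If an earlier rejection is wanted, the save path could additionally record the version in `o.Metadata` (next to `container_count` in `save()`) and `restore()` could compare that before loading the state. Two smaller points on the new lines: the error would be clearer with `%q`, so an empty or whitespace-only version is visible (`fmt.Errorf("runsc version does not match across checkpoint restore, checkpoint: %q current: %q", checkpointVersion, currentVersion)`), and if `version.Version()` returns a fixed placeholder for unstamped or development builds, two different such builds would compare equal, which deserves a comment such as `// NOTE: this check is only as strong as the version string; unstamped builds may compare equal.` `restore()` begins and ends outside the hunk.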
