Merge pull request #176 from golemfactory/late-chroot

Late chroot
golemfactory · Dec 12, 2023 · 3ceccee · 3ceccee
2 parents 847ac34 + 613cf64
commit 3ceccee
Show file tree

Hide file tree

Showing 10 changed files with 1,214 additions and 123 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -47,10 +47,10 @@ jobs:
             }
   build-init:
     name: Build container Init
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
       - name: Install Musl
-        run: sudo apt-get install -y musl-tools musl
+        run: sudo apt-get install -y musl-tools musl autoconf gperf libtool automake
       - uses: actions/checkout@v1
       - name: Make
         run: |

diff --git a/.gitmodules b/.gitmodules
@@ -1,3 +1,6 @@
 [submodule "runtime/init-container/liburing"]
 	path = runtime/init-container/liburing
 	url = https://github.com/axboe/liburing
+[submodule "runtime/init-container/libseccomp"]
+	path = runtime/init-container/libseccomp
+	url = https://github.com/seccomp/libseccomp.git
diff --git a/Cargo.toml b/Cargo.toml
@@ -3,6 +3,7 @@ members = [
     "runtime",
     "gvmkit",
 ]
+resolver = "2"
 
 [patch.crates-io]
 ya-runtime-sdk = { git = "https://github.com/golemfactory/ya-runtime-sdk.git", rev = "0395b0c704ef644d7f0554ac41e319f03b11c068" }

diff --git a/runtime/examples/direct.rs b/runtime/examples/direct.rs
@@ -63,7 +63,6 @@ async fn run_process_with_output(
         .expect("Run process failed");
     println!("Spawned process with id: {}", id);
     notifications.process_died.notified().await;
-    notifications.output_available.notified().await;
     match ga.query_output(id, 1, 0, u64::MAX).await? {
         Ok(out) => {
             println!("Output:");
@@ -96,11 +95,10 @@ fn join_as_string<P: AsRef<Path>>(path: P, file: impl ToString) -> String {
 fn spawn_vm<'a, P: AsRef<Path>>(temp_path: P, mount_args: &'a [(&'a str, impl ToString)]) -> Child {
     let root_dir = get_root_dir();
     let project_dir = get_project_dir();
-    let runtime_dir = project_dir.join("poc").join("runtime");
     let init_dir = project_dir.join("init-container");
 
-    let mut cmd = Command::new("vmrt");
-    cmd.current_dir(runtime_dir).args([
+    let mut cmd = Command::new("qemu-system-x86_64");
+    cmd.current_dir(&init_dir).args([
         "-m",
         "256m",
         "-nographic",
@@ -113,9 +111,6 @@ fn spawn_vm<'a, P: AsRef<Path>>(temp_path: P, mount_args: &'a [(&'a str, impl To
         "-no-reboot",
         "-net",
         "none",
-        "-enable-kvm",
-        "-cpu",
-        "host",
         "-smp",
         "1",
         "-append",
@@ -126,7 +121,7 @@ fn spawn_vm<'a, P: AsRef<Path>>(temp_path: P, mount_args: &'a [(&'a str, impl To
         "virtio-rng-pci",
         "-chardev",
         format!(
-            "socket,path={},server,nowait,id=manager_cdev",
+            "socket,path={},server=true,wait=false,id=manager_cdev",
             temp_path.as_ref().join("manager.sock").display()
         )
         .as_str(),
@@ -213,6 +208,8 @@ async fn main() -> io::Result<()> {
     )
     .await?;
 
+    run_process_with_output(&mut ga, &notifications, "/bin/mount", &["mount"]).await?;
+
     let fds = [
         None,
         Some(RedirectFdType::RedirectFdFile(
@@ -324,15 +321,15 @@ async fn main() -> io::Result<()> {
         .expect("Output query failed");
     println!("Big output 2: {}, expected 0", out.len());
 
-    // ga.quit().await?.expect("Quit failed");
-
     let id = ga
-        .run_entrypoint("/bin/sleep", &["sleep", "2"], None, 0, 0, &no_redir, None)
+        .run_entrypoint("/bin/sleep", &["sleep", "100"], None, 0, 0, &no_redir, None)
         .await?
         .expect("Run process failed");
     println!("Spawned process with id: {}", id);
     notifications.process_died.notified().await;
 
+    ga.quit().await?.expect("Quit failed");
+
     /* VM should quit now. */
     let e = child.wait().await.expect("failed to wait on child");
     println!("{:?}", e);

diff --git a/runtime/init-container/Makefile b/runtime/init-container/Makefile
@@ -1,7 +1,9 @@
 CC := musl-gcc
 CXX := /bin/false
+LIBSECCOMP_SUBMODULE ?= libseccomp
+NEW_ROOT := newroot
 # -MMD to create dependency files (*.d) on first compilation
-CFLAGS := -MMD -std=c11 -O2 -Wall -Wextra -Werror -fPIE -pie -Iinclude/
+CFLAGS := -MMD -std=c11 -O2 -Wall -Wextra -Werror -fPIE -pie -Iinclude/ -Wmaybe-uninitialized -Iunpacked_headers/usr/include -I$(CURDIR)/$(LIBSECCOMP_SUBMODULE)/include '-DNEW_ROOT="$(NEW_ROOT)"'
 
 ifneq ($(DEBUG), "")
 CFLAGS += -DNDEBUG
@@ -26,7 +28,7 @@ LIBURING_SUBMODULE ?= liburing
 SRC_DIR ?= src
 TEST_DIR ?= tests
 
-OBJECTS = $(addprefix $(SRC_DIR)/,init.o communication.o process_bookkeeping.o cyclic_buffer.o)
+OBJECTS = $(addprefix $(SRC_DIR)/,init.o communication.o process_bookkeeping.o cyclic_buffer.o seccomp.o)
 OBJECTS_EXT = $(addprefix $(SRC_DIR)/,network.o forward.o)
 
 # Add headers to object dependencies for conditional recompilation on header change
@@ -54,7 +56,8 @@ $(SRC_DIR)/network.o: $(SRC_DIR)/network.c
 	    -I"$(CURDIR)/$(UNPACKED_HEADERS)/usr/include" \
 	    -o $@ -c $<
 
-$(SRC_DIR)/forward.o: $(SRC_DIR)/forward.c uring
+$(SRC_DIR)/seccomp.o: $(CURDIR)/$(LIBSECCOMP_SUBMODULE)/include/seccomp.h
+$(SRC_DIR)/forward.o: $(SRC_DIR)/forward.c uring $(CURDIR)/$(LIBSECCOMP_SUBMODULE)/src/.libs/libseccomp.a
 	$(QUIET_CC)$(CC) -MMD -O2 -Wall -Wextra -Werror -fPIE -pie \
 	    -I"$(CURDIR)/$(UNPACKED_HEADERS)/usr/include/" \
         -I"$(CURDIR)/$(LIBURING_SUBMODULE)/src/include/" \
@@ -65,9 +68,9 @@ $(SRC_DIR)/forward.o: $(SRC_DIR)/forward.c uring
 %.o: %.c
 	$(QUIET_CC)$(CC) $(CFLAGS) -o $@ -c $<
 
-init: $(UNPACKED_HEADERS) uring $(OBJECTS) $(OBJECTS_EXT)
+init: $(UNPACKED_HEADERS) uring $(OBJECTS) $(OBJECTS_EXT) $(CURDIR)/$(LIBSECCOMP_SUBMODULE)/src/.libs/libseccomp.a
 	@echo init
-	$(QUIET_CC)$(CC) $(CFLAGS) -static -o $@ $(wordlist 3, $(words $^), $^) "$(CURDIR)/$(LIBURING_SUBMODULE)/src/liburing.a"
+	$(QUIET_CC)$(CC) $(CFLAGS) -static -o $@ $(wordlist 3, $(words $^), $^) "$(CURDIR)/$(LIBURING_SUBMODULE)/src/liburing.a" "$(CURDIR)/$(LIBSECCOMP_SUBMODULE)/src/.libs/libseccomp.a"
 	@# default musl libs on some distros have debug symbols, lets strip them (and everything else)
 	strip $@
 
@@ -91,6 +94,15 @@ uring: $(UNPACKED_HEADERS)
 	(cd $(LIBURING_SUBMODULE) && CC=$(CC) CXX=$(CXX) ./configure > /dev/null)
 	$(MAKE) -e CC=$(CC) -e CFLAGS=-I"$(CURDIR)/$(UNPACKED_HEADERS)/usr/include" -C "$(LIBURING_SUBMODULE)/src" all
 
+SHELL := /bin/bash
+$(CURDIR)/$(LIBSECCOMP_SUBMODULE)/src/.libs/libseccomp.a $(CURDIR)/$(LIBSECCOMP_SUBMODULE)/include/seccomp.h: $(UNPACKED_HEADERS) $(LIBSECCOMP_SUBMODULE)
+	set -euo pipefail; \
+	cd $(LIBSECCOMP_SUBMODULE); \
+	export CC=$(CC) CXX=$(CXX) CFLAGS=-I"$$PWD/../$(UNPACKED_HEADERS)/usr/include";\
+	./autogen.sh; \
+	./configure --disable-python;\
+	$(MAKE) all
+
 vmlinuz-virt: $(UNPACKED_KERNEL)
 	cp $(UNPACKED_KERNEL)/boot/vmlinuz-virt .
 
@@ -117,7 +129,8 @@ initramfs.cpio.gz: init $(UNPACKED_KERNEL)
 	cp $(UNPACKED_KERNEL)/lib/modules/$(KERNEL_VER)/kernel/net/core/failover.ko initramfs
 	cp $(UNPACKED_KERNEL)/lib/modules/$(KERNEL_VER)/kernel/net/ipv6/ipv6.ko initramfs
 	cp $(UNPACKED_KERNEL)/lib/modules/$(KERNEL_VER)/kernel/net/packet/af_packet.ko initramfs
-	cd initramfs && find . | cpio --quiet -o -H newc -R 0:0 | gzip -9 > ../$@
+	mkdir initramfs/$(NEW_ROOT)
+	set -euo pipefail; cd initramfs && find . | cpio --quiet -o -H newc -R 0:0 | gzip -9 > ../$@
 	$(RM) -rf initramfs
 
 TESTS_NAMES := cyclic_buffer
@@ -137,6 +150,7 @@ clean:
 	$(RM) init $(SRC_DIR)/*.o $(SRC_DIR)/*.d $(TEST_DIR)/*.o *.o $(TESTS)
 	$(RM) vmlinuz-virt initramfs.cpio.gz
 	$(MAKE) -s -C $(LIBURING_SUBMODULE) clean
+	$(MAKE) -s -C $(LIBSECCOMP_SUBMODULE) clean
 
 .PHONY: distclean
 distclean:

diff --git a/runtime/init-container/include/init-seccomp.h b/runtime/init-container/include/init-seccomp.h
@@ -0,0 +1,7 @@
+#ifndef GOLEM_INIT_SANDBOX_H
+#define GOLEM_INIT_SANDBOX_H GOLEM_INIT_SANDBOX_H
+// Prepares for sandbox setup
+void setup_sandbox(void);
+// Actually enforces the sandbox.
+void sandbox_apply(void);
+#endif
diff --git a/runtime/init-container/libseccomp b/runtime/init-container/libseccomp