[feature] add support of a runc sandboxer #94
Conversation
abel-von
force-pushed
the
support-runc-for-shim
branch
from
f04a84c
to
b9c97a8
Compare
|
any update on it? |
|
Maybe we will have a community meeting next week to discuss the design. @xiaods |
any update on it? |
any update on this community meeting? |
I just want to learn about the latest project progress and it doesn't matter about the time. I also need more time to understand this project, so there is no need to worry about time pressure. Thank you. |
|
We will follow this design to make a runc sandboxer |
|
@abel-von if the runc sandboxer feature is implemented, can I replace the containerd with the kuasar component? |
|
any update? |
runc/src/exitsnoop.c
Outdated
| { | ||
| struct task_struct *task = (typeof(task)) bpf_get_current_task(); | ||
| struct process_exit_data_t data = {}; | ||
| //data.start_time = PROCESS_START_TIME_NS, |
There was a problem hiding this comment.
What does this line of code mean? If it's not necessary, it can be removed.
The code is basically complete but still needs some time. |
runc/src/exitsnoop.c
Outdated
| @@ -0,0 +1,36 @@ | |||
| #include<linux/sched.h> | |||
There was a problem hiding this comment.
new version removed the eBPF file
runc/src/exitsnoop.rs
Outdated
| @@ -0,0 +1,64 @@ | |||
| use bcc::{BPF, Tracepoint}; | |||
There was a problem hiding this comment.
I think we also shoule update CI workflow to test runc package.
There was a problem hiding this comment.
new version removed the eBPF file
runc/src/main.rs
Outdated
| mod exitsnoop; | ||
|
|
||
| pub const TASK_ADDRESS_SOCK: &str = "/run/kuasar/task.sock"; | ||
| const DEFAULT_CONTAINERD_STATE_DIR: &str = "/run/containerd/"; |
There was a problem hiding this comment.
Should BOUDLE_DIR be better? Runc sandboxer does not care about what exactly the container engine is, it only care about the bundle dir of container.
There was a problem hiding this comment.
codes removed of the new version
runc/src/sandbox.rs
Outdated
| } | ||
| let log_pipe = format!("{}/log", self.base_dir); | ||
| unsafe { | ||
| mkfifo(&*log_pipe, Mode::from_bits_unchecked(0700)) |
runc/src/sandbox.rs
Outdated
| } | ||
| let child = cmd | ||
| .spawn() | ||
| .map_err(|e| anyhow!("failed to spawn shim {}", e))?; |
runc/task/src/runc.rs
Outdated
|
|
||
| pub async fn copy_io(pio: &ProcessIO, stdio: &Stdio, exit_signal: Arc<ExitSignal>) -> Result<()> { | ||
| if !pio.copy { | ||
| return Ok(()); |
There was a problem hiding this comment.
Should open the read end of fifo.
|
We also have to provide a |
abel-von
force-pushed
the
support-runc-for-shim
branch
from
b9c97a8
to
353536e
Compare
I think it's necessary to update this architecture diagram corresponding to the runc sandboxer in the |
Signed-off-by: Abel Feng <fshb1988@gmail.com>
Signed-off-by: Abel Feng <fshb1988@gmail.com>
Signed-off-by: Abel Feng <fshb1988@gmail.com>
Signed-off-by: Abel Feng <fshb1988@gmail.com>
Signed-off-by: Abel Feng <fshb1988@gmail.com>
Signed-off-by: Abel Feng <fshb1988@gmail.com>
Signed-off-by: Abel Feng <fshb1988@gmail.com>
Signed-off-by: Abel Feng <fshb1988@gmail.com>
abel-von
force-pushed
the
support-runc-for-shim
branch
from
6dbd861
to
121951d
Compare
| loop { | ||
| let buffer = read_count(reqr, 512).unwrap(); | ||
| let id = String::from_utf8_lossy(&buffer[0..64]).to_string(); | ||
| let mut zero_index = 64; |
There was a problem hiding this comment.
what's the meaning of the 64, a static const maybe suitable
runc/src/main.rs
Outdated
| close(reqw).unwrap_or_default(); | ||
| close(respr).unwrap_or_default(); | ||
| prctl::set_child_subreaper(true).unwrap(); | ||
| let comm = format!("[sandbox-parent]"); |
There was a problem hiding this comment.
I find the naming convention for sandbox-parent somewhat ambiguous, conflicting with the naming convention of kernel threads in the Linux system.
There was a problem hiding this comment.
I just want to to highlight the process as a special process, do you have any good suggestion?
There was a problem hiding this comment.
I think it's sufficient to distinguish using the unique process name directly, there's no need to add square brackets.
| exit(0); | ||
| } | ||
| ForkResult::Child => { | ||
| let comm = format!("[sandbox-{}]", id); |
There was a problem hiding this comment.
Same as before, naming convention is confused with kernel threads.
abel-von
force-pushed
the
support-runc-for-shim
branch
2 times, most recently
from
4e5874e
to
228d3a9
Compare
Signed-off-by: Abel Feng <fshb1988@gmail.com>
abel-von
force-pushed
the
support-runc-for-shim
branch
from
228d3a9
to
d0bd129
Compare
A remote runc sandboxer which will run a process in seperate namespaces and this process will serve the Task API by a unix domain socket, and this process will also be the process to carry the common namespaces of containers in the same pod. so that we don't have a pause process, the "shim" process will act as the "pause" process