
Build runc.riscv64 #3463

Closed

Conversation

AkihiroSuda
Member

@AkihiroSuda AkihiroSuda commented Apr 28, 2022

The first commit bumps up libseccomp-golang (seccomp/libseccomp-golang@3879420...e214ef1) to support SCMP_ARCH_RISCV64 (seccomp/libseccomp-golang@e947d82).

The second commit updates the build scripts to build runc.riscv64.


Tested on Ubuntu 22.04 (kernel 5.15) on qemu-system-riscv64 -M virt -cpu rv64 (QEMU 6.2, lima-vm/lima#827)

# uname -a
Linux lima-riscv64 5.15.0-1007-generic #7-Ubuntu SMP Tue Apr 12 16:07:30 UTC 2022 riscv64 riscv64 riscv64 GNU/Linux
# runc --version
runc version 1.1.0+dev
commit: v1.1.0-161-gc0219678
spec: 1.0.2-dev
go: go1.18.1
libseccomp: 2.5.3
# mkdir rootfs
# curl -fsSL https://dl-cdn.alpinelinux.org/alpine/edge/releases/riscv64/alpine-minirootfs-20220316-riscv64.tar.gz | tar Cxz ./rootfs
# cat <<EOF >config.json
{
  "ociVersion": "1.0.2-dev",
  "process": {
    "terminal": true,
    "user": { "uid": 0, "gid": 0 },
    "args": [ "sh" ],
    "env": [ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "TERM=xterm" ],
    "cwd": "/",
    "capabilities": {
      "bounding": [ "CAP_AUDIT_WRITE", "CAP_KILL", "CAP_NET_BIND_SERVICE" ],
      "effective": [ "CAP_AUDIT_WRITE", "CAP_KILL", "CAP_NET_BIND_SERVICE" ],
      "inheritable": [ "CAP_AUDIT_WRITE", "CAP_KILL", "CAP_NET_BIND_SERVICE" ],
      "permitted": [ "CAP_AUDIT_WRITE", "CAP_KILL", "CAP_NET_BIND_SERVICE" ],
      "ambient": [ "CAP_AUDIT_WRITE", "CAP_KILL", "CAP_NET_BIND_SERVICE" ]
    },
    "rlimits": [ { "type": "RLIMIT_NOFILE", "hard": 1024, "soft": 1024 } ],
    "noNewPrivileges": true
  },
  "root": { "path": "rootfs", "readonly":false },
  "hostname": "runc",
  "mounts": [
    { "destination": "/proc", "type": "proc", "source": "proc" },
    { "destination": "/dev", "type": "tmpfs", "source": "tmpfs", "options": [ "nosuid", "strictatime", "mode=755", "size=65536k" ] },
    { "destination": "/dev/pts", "type": "devpts", "source": "devpts", "options": [ "nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620", "gid=5" ] },
    { "destination": "/dev/shm", "type": "tmpfs", "source": "shm", "options": [ "nosuid", "noexec", "nodev", "mode=1777", "size=65536k" ] },
    { "destination": "/dev/mqueue", "type": "mqueue", "source": "mqueue", "options": [ "nosuid", "noexec", "nodev" ] },
    { "destination": "/sys", "type": "sysfs", "source": "sysfs", "options": [ "nosuid", "noexec", "nodev", "ro" ] },
    { "destination": "/sys/fs/cgroup", "type": "cgroup", "source": "cgroup", "options": [ "nosuid", "noexec", "nodev", "relatime", "ro" ] }
  ],
  "linux": {
    "resources": { "devices": [ { "allow": false, "access": "rwm" } ] },
    "namespaces": [ { "type": "pid" }, { "type": "network" }, { "type": "ipc" }, { "type": "uts" }, { "type": "mount" }, { "type": "cgroup" } ],
    "maskedPaths": [ "/proc/acpi", "/proc/asound", "/proc/kcore", "/proc/keys", "/proc/latency_stats", "/proc/timer_list", "/proc/timer_stats", "/proc/sched_debug", "/sys/firmware", "/proc/scsi" ],
    "readonlyPaths": [ "/proc/bus", "/proc/fs", "/proc/irq", "/proc/sys", "/proc/sysrq-trigger" ],
    "seccomp": {
      "defaultAction": "SCMP_ACT_ALLOW",
      "architectures": [ "SCMP_ARCH_RISCV64" ],
      "syscalls": [ { "names": [ "unshare" ], "action": "SCMP_ACT_ERRNO", "errnoRet": 42 } ]
    }
  }
}
EOF
# runc run foo
/ # uname -a
Linux runc 5.15.0-1007-generic #7-Ubuntu SMP Tue Apr 12 16:07:30 UTC 2022 riscv64 Linux
/ # unshare
unshare: unshare(0x0): No message of desired type
/ # : unshare is failing with ENOMSG (errno 42) as expected
/ # 

Member

@thaJeztah thaJeztah left a comment


thx! left some nits for consistency 😅

Outdated review comments (all resolved) on: Dockerfile, Makefile, libcontainer/seccomp/config.go, script/lib.sh
@@ -64,6 +64,7 @@ var archs = map[string]string{
"SCMP_ARCH_PPC": "ppc",
"SCMP_ARCH_PPC64": "ppc64",
"SCMP_ARCH_PPC64LE": "ppc64le",
"SCMP_ARCH_RISCV64": "riscv64",
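Review bot: the new "SCMP_ARCH_RISCV64": "riscv64" row in the archs map only works once the vendored libseccomp-golang accepts "riscv64" in its string-to-arch lookup, so this line belongs with the vendor bump rather than with the build-script commit; otherwise an intermediate commit would let config.json validation accept the architecture and then fail when libcontainer hands "riscv64" to the old library. The hunk header (-64,6 +64,7) shows this as the only added line, which is consistent with the first commit being the library bump plus its glue, so no further change is needed here beyond keeping the two in one commit.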
Member

oh! think this one ended up in the wrong commit, or was it intentional to be part of the vendor update?

Member Author

@AkihiroSuda AkihiroSuda Apr 28, 2022


Yes. Tied with the new version of libseccomp-golang (seccomp/libseccomp-golang@e947d82).

runc/libcontainer reads "SCMP_ARCH_RISCV64" from config.json and converts it to "riscv64" via runc/libcontainer/seccomp.ConvertStringToArch().
And then libseccomp-golang converts it back to "riscv64" -> ArchRISCV64 -> C_ARCH_RISCV64 -> SCMP_ARCH_RISCV64.

Member

@thaJeztah thaJeztah left a comment


LGTM (left one question)

@crazy-max
Contributor

@AkihiroSuda I can test on my side too if you want, I have an HiFive Unmatched. Let me know.

@AkihiroSuda
Member Author

@crazy-max Thanks, testing on a real machine is highly appreciated 🙏 .
I only tested it on qemu-system-riscv64 -M virt -cpu rv64.

@crazy-max
Contributor

@AkihiroSuda

$ uname -a
Linux sifive 5.11.0-1022-generic #23-Ubuntu SMP Wed Oct 20 17:18:01 UTC 2021 riscv64 riscv64 riscv64 GNU/Linux
$ git clone https://github.com/AkihiroSuda/runc
$ git checkout riscv64
$ cd runc/
$ make
$ file runc
runc: ELF 64-bit LSB pie executable, UCB RISC-V, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-riscv64-lp64d.so.1, BuildID[sha1]=024bc8788be092ecea2a41b1df7e6f9841e71fd8, for GNU/Linux 4.15.0, not stripped
$ runc --version
runc version 1.0.1-0ubuntu2~21.04.1
spec: 1.0.2-dev
go: go1.16.2
libseccomp: 2.5.1

Let me know if this is enough to test its behavior.

@AkihiroSuda
Member Author

@crazy-max Thanks, could you test runc run with seccomp too?
Added an example config.json in the OP.

@kolyshkin
Contributor

Superseded by #3446

@crazy-max
Contributor

@AkihiroSuda

$ runc run foo
/ # uname -a
Linux runc 5.11.0-1022-generic #23-Ubuntu SMP Wed Oct 20 17:18:01 UTC 2021 riscv64 Linux
/ # unshare
unshare: unshare(0x0): No message of desired type
/ #

@AkihiroSuda
Member Author

Thank you @crazy-max, it is working as expected.
