From 89a2cac377e28ea796fb8aa1be5d8135ffc01edc Mon Sep 17 00:00:00 2001
From: Rodrigo Campos
Date: Wed, 3 Jul 2024 16:10:19 +0200
Subject: [PATCH 1/3] scripts/critest.sh: Prepare for userns tests in runc

When runc 1.2.0 is released, it will expose support for userns and therefore the critest suite will run those tests. The thing is, runc needs to be able to traverse the path to mount the rootfs on itself. Let's just mark the paths from the BDIR upwards with +x permissions, so the tests run fine. Containerd already makes sure that the paths below (the ones it creates) have the right permissions and for the right group, etc. I've tested with runc 1.2.0-rc.2 and CI fails without this path, with this patch it works just fine.

Signed-off-by: Rodrigo Campos
---
script/critest.sh | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)

diff --git a/script/critest.sh b/script/critest.sh
index 1493c1827..17bdf3b66 100755
--- a/script/critest.sh
+++ b/script/critest.sh
@@ -19,7 +19,26 @@ set -eu -o pipefail
 report_dir=$1
 mkdir -p $report_dir
+
+function traverse_path() {
+ local path=$1
+ cd "$path"
+ sudo chmod go+rx "$PWD"
+
+ while [ $PWD != "/" ]; do
+ sudo chmod go+x "$PWD/../"
+ cd ..
+ done
+}
+
 BDIR="$(mktemp -d -p $PWD)"
+# runc needs to traverse (+x) the directories in the path to the rootfs. This is important when we
+# create a user namespace, as the final stage of the runc initialization is not as root on the host.
+# While containerd creates the directories with the right permissions, the right group (so only the
+# hostGID has access, etc.), those directories live below $BDIR. So, to make sure runc can traverse
+# the directories, let's fix the dirs from $BDIR up, as the ones below are managed by containerd
+# that does the right thing.
+traverse_path "$BDIR"
 function cleanup() {
 pkill containerd || true
From e1adfaeb921fce7e8098b6b43d24253597a68cf7 Mon Sep 17 00:00:00 2001
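Review bot: `traverse_path` changes the calling shell's working directory and never restores it: `cd "$path"` plus the `cd ..` loop only stop once `$PWD` is `/`, so after `traverse_path "$BDIR"` the remainder of critest.sh runs from `/`, and any later relative path (a relative `$report_dir`, for instance) would silently resolve under `/`. Running the call as `( traverse_path "$BDIR" )`, or wrapping the function body in `pushd`/`popd`, keeps that side effect contained. The loop also uses sudo to permanently widen permissions on every ancestor of the checkout (`go+x` up to `/`, `go+rx` on `$BDIR`) and nothing visible in the hunk reverts it — acceptable on a disposable CI runner, but surprising for anyone running the script on a workstation, so a warning on the function is worth adding, e.g. `# NOTE: chmods every ancestor of $path up to / and does not revert it; intended for throwaway CI hosts only.` If there is no hard reason for `mktemp -d -p $PWD`, a temp dir under an already world-traversable prefix such as `/tmp` would avoid touching ancestor permissions at all, and quoting `"$PWD"` in the `[ ... ]` test avoids word-splitting on paths with spaces. The body of `cleanup` continues past the end of the hunk.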
From: Rodrigo Campos
Date: Thu, 4 Jul 2024 18:04:12 +0200
Subject: [PATCH 2/3] script/setup/config-containerd: Use slow_chown

slow_chown is safe to add on all kernels, and when running in old kernels (as some CI distros on purpose are), we want the expensive fallback. Vagrant setup and others use this script to config containerd. This fixes userns tests with runc 1.2.0-rc.2 when running with old kernels.

Signed-off-by: Rodrigo Campos
---
script/setup/config-containerd | 9 +++++++++
1 file changed, 9 insertions(+)

diff --git a/script/setup/config-containerd b/script/setup/config-containerd
index 945172a5a..cd1a20437 100755
--- a/script/setup/config-containerd
+++ b/script/setup/config-containerd
@@ -30,6 +30,15 @@ mkdir -p /etc/containerd
 cat << EOF | sudo tee /etc/containerd/config.toml
 version = 2
+
+[plugins."io.containerd.snapshotter.v1.overlayfs"]
+# slow_chown is needed to avoid an error with kernel < 5.19:
+# > "snapshotter \"overlayfs\" doesn't support idmap mounts on this host,
+# > configure \`slow_chown\` to allow a slower and expensive fallback"
+# https://github.com/containerd/containerd/pull/9920#issuecomment-1978901454
+# This is safely ignored for kernel >= 5.19.
+slow_chown = true
+
 [plugins]
 [plugins."io.containerd.grpc.v1.cri"]
 enable_selinux = ${enable_selinux}
From 7c4de2821061a397df5cefafec7ed8c692b26892 Mon Sep 17 00:00:00 2001
From: Rodrigo Campos
Date: Thu, 11 Jul 2024 14:58:44 +0200
Subject: [PATCH 3/3] Update cri-tools to v1.30.1

This patch release includes just a fix to skip userns tests on host that don't support the feature. See: https://github.com/kubernetes-sigs/cri-tools/releases/tag/v1.30.1 This is needed for CI to work fine when we update to runc 1.2 (not yet released). It is also a blocker for the final runc release to make sure it works in all known downstreams. This makes it work fine here :)

Signed-off-by: Rodrigo Campos
---
script/setup/critools-version | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
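Review bot: The added comment calls `slow_chown` "safely ignored" on kernels >= 5.19, but for a CI configuration the trade-off deserves stating: with it set, any host where idmapped-mount detection fails (not only an old kernel) silently takes the slow recursive-chown fallback instead of erroring, so CI on new kernels would no longer catch that regression. Extending the comment makes this explicit, e.g. `# Note: this also masks idmap-mount detection failures on newer kernels, which then silently use the fallback.` A smaller point: the heredoc delimiter is unquoted, so the shell consumes `\`` but passes `\"` through verbatim, meaning the comment written to config.toml literally contains `\"overlayfs\"` — harmless in a TOML comment, but a quoted delimiter or plain quotes would keep the output identical to the source. The heredoc continues past the end of the hunk.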
diff --git a/script/setup/critools-version b/script/setup/critools-version
index c8c2eaea5..46aa51be0 100644
--- a/script/setup/critools-version
+++ b/script/setup/critools-version
@@ -1 +1 @@
-v1.30.0
+v1.30.1