Use libcontainer in vendor locally for enhanced debugging

Signed-off-by: Guvenc Gulce <[email protected]>

Author: guvenc

Cargo.lock

@@ -33,7 +33,7 @@ net_util = {tag = "v41.0",  git = "https://github.com/cloud-hypervisor/cloud-hyp
 vmm = { tag = "v41.0",  git = "https://github.com/cloud-hypervisor/cloud-hypervisor", features = ["kvm"] }
 openssl = { version = "0.10.68", features = ["vendored"] }
 libcgroups = { version = "0.4.1", default-features = false, features = ["v2",] }
-libcontainer = { version = "0.4.1", default-features = false, features = [ "v2",] }
+libcontainer = { path = "vendor/libcontainer", default-features = false, features = ["v2"] }
 dhcproto = "0.12.0"
 rand = "0.8.5"
 pnet = "0.35.0"

Cargo.toml

@@ -8,10 +8,12 @@ use hyper_util::rt::TokioIo;
 use isolated_container_service::isolated_container_service_server::IsolatedContainerService;
 use log::info;
 use std::sync::Arc;
+use std::time::Duration;
 use std::{collections::HashMap, sync::Mutex};
 use std::{fmt::Debug, io, path::PathBuf};
 use tokio::io::{AsyncReadExt, AsyncWriteExt};
 use tokio::net::UnixStream;
+use tokio::time::sleep;
 use tonic::transport::{Channel, Endpoint, Uri};
 use tonic::{transport, Request, Response, Status};
 use tower::service_fn;
@@ -129,15 +131,15 @@ impl IsolatedContainerAPI {
             )
             .map_err(Error::VMError)?;
 
-        self.vmm.boot_vm(id).map_err(Error::VMError)?;
-
         self.vmm
             .add_net_device(
                 id,
                 NetworkMode::TAPDeviceName(network::Manager::device_name(&id)),
             )
             .map_err(Error::VMError)?;
 
+        self.vmm.boot_vm(id).map_err(Error::VMError)?;
+
         Ok(())
     }
 
@@ -191,6 +193,7 @@ impl IsolatedContainerService for IsolatedContainerAPI {
         let id = Uuid::new_v4();
 
         self.prepare_vm(id).map_err(|e| self.handle_error(e))?;
+        sleep(Duration::from_secs(2)).await;
 
         self.network
             .start_dhcp(id)

src/isolated_container/mod.rs

@@ -9,7 +9,7 @@ use std::{env::args, ffi::CString};
 use tokio::io;
 use tokio::io::{AsyncBufReadExt, BufReader};
 
-#[tokio::main]
+#[tokio::main(flavor = "current_thread")]
 async fn main() -> Result<(), String> {
     let mut ipv6_address = Ipv6Addr::UNSPECIFIED;
     let mut prefix_length = 64;

src/main.rs

@@ -84,6 +84,6 @@ pub fn init_logger(buffer: Arc<RingBuffer>) -> Arc<Mutex<mpsc::Receiver<String>>
     let (sender, receiver) = mpsc::channel(100);
     let logger = SimpleLogger::new(buffer, sender);
     log::set_boxed_logger(Box::new(logger)).unwrap();
-    log::set_max_level(LevelFilter::Info);
+    log::set_max_level(LevelFilter::Debug);
     Arc::new(Mutex::new(receiver))
 }

src/ringbuffer.rs

@@ -0,0 +1,45 @@
+[package]
+name = "libcgroups"
+version = "0.4.1" # MARK: Version
+description = "Library for cgroup"
+license-file = "../../LICENSE"
+repository = "https://github.com/containers/youki"
+homepage = "https://containers.github.io/youki"
+readme = "README.md"
+authors = ["youki team"]
+edition = "2021"
+rust-version = "1.58.1"
+autoexamples = true
+keywords = ["youki", "container", "cgroups"]
+
+[features]
+default = ["v1", "v2", "systemd"]
+v1 = []
+v2 = []
+systemd = ["v2", "nix/socket", "nix/uio"]
+cgroupsv2_devices = ["rbpf", "libbpf-sys", "errno", "libc", "nix/dir"]
+
+[dependencies]
+nix = { version = "0.28.0", features = ["signal", "user", "fs"] }
+procfs = "0.16.0"
+oci-spec = { version = "~0.6.8", features = ["runtime"] }
+fixedbitset = "0.5.7"
+serde = { version = "1.0", features = ["derive"] }
+rbpf = { version = "0.2.0", optional = true }
+libbpf-sys = { version = "1.4.5", optional = true }
+errno = { version = "0.3.9", optional = true }
+libc = { version = "0.2.158", optional = true }
+thiserror = "1.0.63"
+tracing = { version = "0.1.40", features = ["attributes"] }
+
+[dev-dependencies]
+anyhow = "1.0"
+oci-spec = { version = "~0.6.8", features = ["proptests", "runtime"] }
+quickcheck = "1"
+mockall = { version = "0.13.0", features = [] }
+clap = "4.1.6"
+serde = { version = "1.0", features = ["derive"] }
+serde_json = "1.0"
+env_logger = "0.11"
+serial_test = "3.1.1"
+tempfile = "3"

vendor/libcgroups/Cargo.toml

@@ -0,0 +1 @@
+# libcgroups

vendor/libcgroups/README.md

@@ -0,0 +1,113 @@
+use anyhow::Result;
+
+#[cfg(feature = "cgroupsv2_devices")]
+mod bpf {
+    use std::os::unix::io::AsRawFd;
+    use std::path::Path;
+
+    use anyhow::{bail, Result};
+    use clap::{Arg, Command};
+    use libcgroups::v2::devices::{bpf, emulator, program};
+    use nix::fcntl::OFlag;
+    use nix::sys::stat::Mode;
+    use oci_spec::runtime::LinuxDeviceCgroup;
+
+    const LICENSE: &str = "Apache";
+    fn cli() -> Command {
+        clap::Command::new("bpf")
+            .version("0.1")
+            .about("tools to test BPF program for cgroups v2 devices")
+            .arg(Arg::new("cgroup_dir").short('c').value_name("CGROUP_DIR"))
+            .subcommand(
+                Command::new("query").about("query list of BPF programs attached to cgroup dir"),
+            )
+            .subcommand(
+                Command::new("detach")
+                    .about("detach BPF program by id")
+                    .arg(
+                        Arg::new("id")
+                            .value_name("PROG_ID")
+                            .required(true)
+                            .help("ID of BPF program returned by query command"),
+                    ),
+            )
+            .subcommand(
+                Command::new("attach")
+                    .about("compile rules to BPF and attach to cgroup dir")
+                    .arg(
+                        Arg::new("input_file")
+                            .value_name("INPUT_FILE")
+                            .required(true)
+                            .help("File contains Vec<LinuxDeviceCgroup> in json format"),
+                    ),
+            )
+    }
+
+    fn parse_cgroupv1_device_rules<P: AsRef<Path>>(path: P) -> Result<Vec<LinuxDeviceCgroup>> {
+        let content = std::fs::read_to_string(path)?;
+        let devices = serde_json::from_str(&content)?;
+        Ok(devices)
+    }
+
+    pub fn run() -> Result<()> {
+        let matches = cli().get_matches();
+        let cgroup_dir = matches.get_one::<String>("cgroup_dir").unwrap();
+        let cgroup_fd = nix::dir::Dir::open(
+            cgroup_dir.as_str(),
+            OFlag::O_RDONLY | OFlag::O_DIRECTORY,
+            Mode::from_bits(0o600).unwrap(),
+        )?;
+        match matches.subcommand() {
+            Some(("query", _)) => {
+                let progs = bpf::prog::query(cgroup_fd.as_raw_fd())?;
+                for prog in &progs {
+                    println!("prog: id={}, fd={}", prog.id, prog.fd);
+                }
+            }
+            Some(("detach", submatch)) => {
+                let prog_id = submatch.get_one::<String>("id").unwrap().parse::<u32>()?;
+                let progs = bpf::prog::query(cgroup_fd.as_raw_fd())?;
+                let prog = progs.iter().find(|v| v.id == prog_id);
+                if prog.is_none() {
+                    bail!("can't get prog fd by prog id");
+                }
+
+                bpf::prog::detach2(prog.unwrap().fd, cgroup_fd.as_raw_fd())?;
+                println!("detach ok");
+            }
+            Some(("attach", submatch)) => {
+                let input_file = submatch.get_one::<String>("input_file").unwrap();
+                let rules = parse_cgroupv1_device_rules(input_file)?;
+                let mut emulator = emulator::Emulator::with_default_allow(false);
+                emulator.add_rules(&rules);
+                let prog = program::Program::from_rules(&emulator.rules, emulator.default_allow)?;
+                let prog_fd = bpf::prog::load(LICENSE, prog.bytecodes())?;
+                bpf::prog::attach(prog_fd, cgroup_fd.as_raw_fd())?;
+                println!("attach ok");
+            }
+
+            _ => unreachable!(),
+        };
+        Ok(())
+    }
+}
+
+#[cfg(not(feature = "cgroupsv2_devices"))]
+mod bpf {
+    use anyhow::{bail, Result};
+
+    pub fn run() -> Result<()> {
+        if !cfg!(feature = "cgroupsv2_devices") {
+            bail!("cgroupsv2_devices feature is not enabled");
+        }
+
+        unreachable!()
+    }
+}
+
+fn main() -> Result<()> {
+    env_logger::init();
+    bpf::run()?;
+
+    Ok(())
+}

vendor/libcgroups/examples/bpf.rs

@@ -0,0 +1,17 @@
+[
+    {
+        "allow": false,
+        "access": "rwm"
+    },
+    {
+        "allow": true,
+        "type": "c",
+        "access": "rwm"
+    },
+    {
+        "allow": true,
+        "type": "b",
+        "major": 8,
+        "access": "rm"
+    }
+]