diff --git a/Cargo.toml b/Cargo.toml
index 7e447392..44f95681 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -28,7 +28,7 @@ async-trait = "0.1.52"
 futures = "0.3.19"
 libc = "0.2.112"
 log = "0.4"
-nix = "0.26"
+nix = "0.27"
 oci-spec = "0.6"
 os_pipe = "1.1"
 prost = "0.12"
diff --git a/crates/runc-shim/Cargo.toml b/crates/runc-shim/Cargo.toml
index e73eb2f7..015957f6 100644
--- a/crates/runc-shim/Cargo.toml
+++ b/crates/runc-shim/Cargo.toml
@@ -29,7 +29,7 @@ containerd-shim = { path = "../shim", version = "0.5.0", features = ["async"] }
 crossbeam = "0.8.1"
 libc.workspace = true
 log.workspace = true
-nix.workspace = true
+nix = { workspace = true, features = ["socket", "uio", "term"] }
 oci-spec.workspace = true
 runc = { path = "../runc", version = "0.2.0", features = ["async"] }
 serde.workspace = true
diff --git a/crates/runc-shim/src/common.rs b/crates/runc-shim/src/common.rs
index 60fa3f5f..d6dd8bb7 100644
--- a/crates/runc-shim/src/common.rs
+++ b/crates/runc-shim/src/common.rs
@@ -14,7 +14,18 @@
 limitations under the License.
 */
-use std::{env, fs::File, io::IoSliceMut, ops::Deref, os::unix::io::RawFd, path::Path, sync::Arc};
+use std::{
+ env,
+ fs::File,
+ io::IoSliceMut,
+ ops::Deref,
+ os::{
+ fd::{AsRawFd, FromRawFd, OwnedFd},
+ unix::io::RawFd,
+ },
+ path::Path,
+ sync::Arc,
+};
 use containerd_shim::{
 api::{ExecProcessRequest, Options},
@@ -176,7 +187,7 @@ pub fn create_runc(
 #[derive(Default)]
 pub(crate) struct CreateConfig {}
-pub fn receive_socket(stream_fd: RawFd) -> containerd_shim::Result {
+pub fn receive_socket(stream_fd: RawFd) -> containerd_shim::Result {
 let mut buf = [0u8; 4096];
 let mut iovec = [IoSliceMut::new(&mut buf)];
 let mut space = cmsg_space!([RawFd; 2]);
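Review bot: `receive_socket` is a `pub fn` whose return type now hands ownership of a descriptor to the caller, yet it carries no doc comment stating that contract, so the signature line at the end of this hunk is the place to add one. Suggest `/// Receives a console descriptor passed over the Unix socket `stream_fd` (cmsg space is reserved for two descriptors) and returns it as an `OwnedFd`, which closes it on drop; fails with the `tcgetattr` error when the descriptor is not a terminal.` — the `tcgetattr` behaviour is in the next hunk, and the body of `receive_socket` continues past this one.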
@@ -201,13 +212,17 @@ pub fn receive_socket(stream_fd: RawFd) -> containerd_shim::Result {
 warn!("failed to get path from array {}", e);
 "".to_string()
 });
+
+ let fd = unsafe { OwnedFd::from_raw_fd(fds[0]) };
+
 let path = path.trim_matches(char::from(0));
 debug!(
 "copy_console: console socket get path: {}, fd: {}",
- path, &fds[0]
+ path,
+ fd.as_raw_fd(),
 );
- tcgetattr(fds[0])?;
- Ok(fds[0])
+ tcgetattr(&fd)?;
+ Ok(fd)
 }
 pub fn has_shared_pid_namespace(spec: &Spec) -> bool {
diff --git a/crates/runc-shim/src/runc.rs b/crates/runc-shim/src/runc.rs
index 8a5fdf6f..92bb0f23 100644
--- a/crates/runc-shim/src/runc.rs
+++ b/crates/runc-shim/src/runc.rs
@@ -16,9 +16,12 @@ use std::{ convert::TryFrom,
- os::unix::{
- io::{AsRawFd, FromRawFd, RawFd},
- prelude::ExitStatusExt,
+ os::{
+ fd::{IntoRawFd, OwnedFd},
+ unix::{
+ io::{AsRawFd, FromRawFd},
+ prelude::ExitStatusExt,
+ },
+ },
 path::{Path, PathBuf},
 process::ExitStatus,
@@ -479,8 +482,8 @@ async fn copy_console(
 ) -> Result {
 debug!("copy_console: waiting for runtime to send console fd");
 let stream = console_socket.accept().await?;
- let fd = asyncify(move || -> Result { receive_socket(stream.as_raw_fd()) }).await?;
- let f = unsafe { File::from_raw_fd(fd) };
+ let fd = asyncify(move || -> Result { receive_socket(stream.as_raw_fd()) }).await?;
+ let f = unsafe { File::from_raw_fd(fd.into_raw_fd()) };
 if !stdio.stdin.is_empty() {
 debug!("copy_console: pipe stdin to console");
 let console_stdin = f
diff --git a/crates/runc/Cargo.toml b/crates/runc/Cargo.toml
index a6fa3d50..393a92bb 100644
--- a/crates/runc/Cargo.toml
+++ b/crates/runc/Cargo.toml
@@ -18,7 +18,7 @@ docs = []
 [dependencies]
 libc.workspace = true
 log.workspace = true
-nix.workspace = true
+nix = { workspace = true, features = ["user", "fs"] }
 oci-spec.workspace = true
 os_pipe.workspace = true
 path-absolutize = "3.0.11"
diff --git a/crates/shim/Cargo.toml b/crates/shim/Cargo.toml
index 9cc0cd8c..ca00dc33 100644
--- a/crates/shim/Cargo.toml
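Review bot: `let fd = unsafe { OwnedFd::from_raw_fd(fds[0]) };` takes ownership of only the first received descriptor, while the previous hunk reserves `cmsg_space!([RawFd; 2])`, so if the peer ever passes two descriptors the second is never closed and stays open in the shim for its lifetime (assuming `fds` is the SCM_RIGHTS payload — it is built in the lines between the two hunks, which I cannot see, and unless those lines reject an empty vector the `fds[0]` index also panics when nothing was passed). Wrapping every received descriptor first closes the extras on drop and replaces the panic with an error: `let owned: Vec<OwnedFd> = fds.into_iter().map(|raw| unsafe { OwnedFd::from_raw_fd(raw) }).collect();` followed by `let fd = owned.into_iter().next().ok_or_else(|| /* crate's "no console fd received" error */)?;`, using whichever `containerd_shim` error constructor the file already uses. Either way the `unsafe` block needs a justification, e.g. `// SAFETY: the descriptor was just received via SCM_RIGHTS and nothing else owns it.` `receive_socket` starts before this hunk.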
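Review bot: `let f = unsafe { File::from_raw_fd(fd.into_raw_fd()) };` converts the freshly owned descriptor back to a raw fd only to re-wrap it, keeping an `unsafe` block the `OwnedFd` return type was introduced to remove; `File` implements `From<OwnedFd>`, so `let f = File::from(fd);` is equivalent, safe, and leaves nothing un-owned between the two calls. With that change the `IntoRawFd` import added in the first `runc.rs` hunk (and possibly `FromRawFd`) may become unused, unless it is used elsewhere in the file. `copy_console` continues past the end of this hunk.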
+++ b/crates/shim/Cargo.toml
@@ -38,7 +38,13 @@ go-flag = "0.1.0"
 lazy_static = "1.4.0"
 libc.workspace = true
 log = { workspace = true, features = ["std"] }
-nix.workspace = true
+nix = { workspace = true, features = [
+ "ioctl",
+ "fs",
+ "socket",
+ "signal",
+ "mount",
+] }
 oci-spec.workspace = true
 page_size = "0.6.0"
 prctl = "1.0.0"
diff --git a/crates/shim/src/synchronous/publisher.rs b/crates/shim/src/synchronous/publisher.rs
index 71449972..f4ac393d 100644
--- a/crates/shim/src/synchronous/publisher.rs
+++ b/crates/shim/src/synchronous/publisher.rs
@@ -27,10 +27,11 @@ use containerd_shim_protos as client;
 #[cfg(unix)]
 use crate::util::connect;
+#[cfg(not(target_os = "macos"))] // Prevent unused warning.
+use crate::Error;
 use crate::{
 error::Result,
 util::{convert_to_any, timestamp},
- Error,
 };
 #[cfg(windows)]
diff --git a/crates/shim/src/util.rs b/crates/shim/src/util.rs
index 4c6f74d5..3d02bddf 100644
--- a/crates/shim/src/util.rs
+++ b/crates/shim/src/util.rs
@@ -101,6 +101,8 @@ impl From for Options {
 #[cfg(unix)]
 pub fn connect(address: impl AsRef) -> Result {
+ use std::os::fd::IntoRawFd;
+
 use nix::{sys::socket::*, unistd::close};
 let unix_addr = UnixAddr::new(address.as_ref())?;
@@ -112,7 +114,7 @@ pub fn connect(address: impl AsRef) -> Result {
 #[cfg(not(target_os = "linux"))]
 const SOCK_CLOEXEC: SockFlag = SockFlag::empty();
- let fd = socket(AddressFamily::Unix, SockType::Stream, SOCK_CLOEXEC, None)?;
+ let fd = socket(AddressFamily::Unix, SockType::Stream, SOCK_CLOEXEC, None)?.into_raw_fd();
 // MacOS doesn't support atomic creation of a socket descriptor with `SOCK_CLOEXEC` flag,
 // so there is a chance of leak if fork + exec happens in between of these calls.
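Review bot: `#[cfg(not(target_os = "macos"))] // Prevent unused warning.` silences the warning by naming a platform rather than the condition under which `Error` is actually used, so another target where that use-site is compiled out gets the warning back, and a future macOS use of `Error` fails to build instead of warning. Gate the import on the same `cfg` as the code that needs it, or if that is awkward write `#[allow(unused_imports)] // `Error` is only referenced on non-macOS code paths` so the reason is recorded next to the attribute. The use-site of `Error` is outside this hunk, so I cannot tell which `cfg` applies.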
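Review bot: `let fd = socket(AddressFamily::Unix, SockType::Stream, SOCK_CLOEXEC, None)?.into_raw_fd();` immediately discards the `OwnedFd` that nix 0.27 now returns, so the socket is back to manual lifetime management for the rest of `connect` — the visible comment and the `unistd::close` import suggest a fcntl-then-connect sequence with explicit `close` on failure, and any `?` on that path that is not paired with a `close` leaks the descriptor. Keep the owned value until the function succeeds: `let fd = socket(AddressFamily::Unix, SockType::Stream, SOCK_CLOEXEC, None)?;`, pass `fd.as_raw_fd()` to the nix calls that still take a `RawFd`, and finish with `Ok(fd.into_raw_fd())` so every intermediate error closes the socket via `Drop` and the manual `close` calls can go. The body of `connect` continues beyond this hunk, so the exact call sites need checking.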