containerd · mxpv · Oct 6, 2023 · Oct 5, 2023
diff --git a/Cargo.toml b/Cargo.toml
@@ -28,7 +28,7 @@ async-trait = "0.1.52"
 futures = "0.3.19"
 libc = "0.2.112"
 log = "0.4"
-nix = "0.26"
+nix = "0.27"
 oci-spec = "0.6"
 os_pipe = "1.1"
 prost = "0.12"

diff --git a/crates/runc-shim/Cargo.toml b/crates/runc-shim/Cargo.toml
@@ -29,7 +29,7 @@ containerd-shim = { path = "../shim", version = "0.5.0", features = ["async"] }
 crossbeam = "0.8.1"
 libc.workspace = true
 log.workspace = true
-nix.workspace = true
+nix = { workspace = true, features = ["socket", "uio", "term"] }
 oci-spec.workspace = true
 runc = { path = "../runc", version = "0.2.0", features = ["async"] }
 serde.workspace = true

diff --git a/crates/runc-shim/src/common.rs b/crates/runc-shim/src/common.rs
@@ -14,7 +14,18 @@
    limitations under the License.
 */
 
-use std::{env, fs::File, io::IoSliceMut, ops::Deref, os::unix::io::RawFd, path::Path, sync::Arc};
+use std::{
+    env,
+    fs::File,
+    io::IoSliceMut,
+    ops::Deref,
+    os::{
+        fd::{AsRawFd, FromRawFd, OwnedFd},
+        unix::io::RawFd,
+    },
+    path::Path,
+    sync::Arc,
+};
 
 use containerd_shim::{
     api::{ExecProcessRequest, Options},
@@ -176,7 +187,7 @@ pub fn create_runc(
 #[derive(Default)]
 pub(crate) struct CreateConfig {}
 
-pub fn receive_socket(stream_fd: RawFd) -> containerd_shim::Result<RawFd> {
+pub fn receive_socket(stream_fd: RawFd) -> containerd_shim::Result<OwnedFd> {
     let mut buf = [0u8; 4096];
     let mut iovec = [IoSliceMut::new(&mut buf)];
     let mut space = cmsg_space!([RawFd; 2]);
@@ -201,13 +212,17 @@ pub fn receive_socket(stream_fd: RawFd) -> containerd_shim::Result<RawFd> {
         warn!("failed to get path from array {}", e);
         "".to_string()
     });
+
+    let fd = unsafe { OwnedFd::from_raw_fd(fds[0]) };
+
     let path = path.trim_matches(char::from(0));
     debug!(
         "copy_console: console socket get path: {}, fd: {}",
-        path, &fds[0]
+        path,
+        fd.as_raw_fd(),
     );
-    tcgetattr(fds[0])?;
-    Ok(fds[0])
+    tcgetattr(&fd)?;
+    Ok(fd)
 }
 
 pub fn has_shared_pid_namespace(spec: &Spec) -> bool {

diff --git a/crates/runc-shim/src/runc.rs b/crates/runc-shim/src/runc.rs
@@ -16,9 +16,12 @@
 
 use std::{
     convert::TryFrom,
-    os::unix::{
-        io::{AsRawFd, FromRawFd, RawFd},
-        prelude::ExitStatusExt,
+    os::{
+        fd::{IntoRawFd, OwnedFd},
+        unix::{
+            io::{AsRawFd, FromRawFd},
+            prelude::ExitStatusExt,
+        },
     },
     path::{Path, PathBuf},
     process::ExitStatus,
@@ -479,8 +482,8 @@ async fn copy_console(
 ) -> Result<Console> {
     debug!("copy_console: waiting for runtime to send console fd");
     let stream = console_socket.accept().await?;
-    let fd = asyncify(move || -> Result<RawFd> { receive_socket(stream.as_raw_fd()) }).await?;
-    let f = unsafe { File::from_raw_fd(fd) };
+    let fd = asyncify(move || -> Result<OwnedFd> { receive_socket(stream.as_raw_fd()) }).await?;
+    let f = unsafe { File::from_raw_fd(fd.into_raw_fd()) };
     if !stdio.stdin.is_empty() {
         debug!("copy_console: pipe stdin to console");
         let console_stdin = f

diff --git a/crates/runc/Cargo.toml b/crates/runc/Cargo.toml
@@ -18,7 +18,7 @@ docs = []
 [dependencies]
 libc.workspace = true
 log.workspace = true
-nix.workspace = true
+nix = { workspace = true, features = ["user", "fs"] }
 oci-spec.workspace = true
 os_pipe.workspace = true
 path-absolutize = "3.0.11"

diff --git a/crates/shim/Cargo.toml b/crates/shim/Cargo.toml
@@ -38,7 +38,13 @@ go-flag = "0.1.0"
 lazy_static = "1.4.0"
 libc.workspace = true
 log = { workspace = true, features = ["std"] }
-nix.workspace = true
+nix = { workspace = true, features = [
+  "ioctl",
+  "fs",
+  "socket",
+  "signal",
+  "mount",
+] }
 oci-spec.workspace = true
 page_size = "0.6.0"
 prctl = "1.0.0"

diff --git a/crates/shim/src/synchronous/publisher.rs b/crates/shim/src/synchronous/publisher.rs
@@ -27,10 +27,11 @@ use containerd_shim_protos as client;
 
 #[cfg(unix)]
 use crate::util::connect;
+#[cfg(not(target_os = "macos"))] // Prevent unused warning.
+use crate::Error;
 use crate::{
     error::Result,
     util::{convert_to_any, timestamp},
-    Error,
 };
 
 #[cfg(windows)]

diff --git a/crates/shim/src/util.rs b/crates/shim/src/util.rs
@@ -101,6 +101,8 @@ impl From<JsonOptions> for Options {
 
 #[cfg(unix)]
 pub fn connect(address: impl AsRef<str>) -> Result<RawFd> {
+    use std::os::fd::IntoRawFd;
+
     use nix::{sys::socket::*, unistd::close};
 
     let unix_addr = UnixAddr::new(address.as_ref())?;
@@ -112,7 +114,7 @@ pub fn connect(address: impl AsRef<str>) -> Result<RawFd> {
     #[cfg(not(target_os = "linux"))]
     const SOCK_CLOEXEC: SockFlag = SockFlag::empty();
 
-    let fd = socket(AddressFamily::Unix, SockType::Stream, SOCK_CLOEXEC, None)?;
+    let fd = socket(AddressFamily::Unix, SockType::Stream, SOCK_CLOEXEC, None)?.into_raw_fd();
 
     // MacOS doesn't support atomic creation of a socket descriptor with `SOCK_CLOEXEC` flag,
     // so there is a chance of leak if fork + exec happens in between of these calls.