chore(deps): upgrade youki, nix, and related crates (#598)

Author: mccormickt

Cargo.lock

@@ -31,7 +31,7 @@ fancy-regex = "0.14.0"
 futures-util = "0.3.28"
 heck = "0.5.0"
 lazy_static = "1.4.0"
-nix = "0.28.0"
+nix = "0.29.0"
 proc-macro2 = "1.0"
 proto = { path = "./proto" }
 proto-reader = { path = "./crates/proto-reader" }

Cargo.toml

@@ -38,18 +38,17 @@ fancy-regex = { workspace = true }
 futures = "0.3.28"
 ipnetwork = "0.21.1"
 iter_tools = "0.24.0"
-libc = "0.2.169" # TODO: Nix comes with libc, can we rely on that?
 lazy_static = { workspace = true }
-libcgroups = { git = "https://github.com/containers/youki", tag = "v0.5.2", default-features = false, features = [
+libcgroups = { version = "0.5.7", default-features = false, features = [
     "v2",
 ] }
-libcontainer = { git = "https://github.com/containers/youki", tag = "v0.5.2", default-features = false, features = [
+libcontainer = { version = "0.5.7", default-features = false, features = [
     "v2",
 ] }
 log = "0.4.21"
 netlink-packet-route = "0.28.0"
-nix = { workspace = true, features = ["sched", "mount", "signal", "net"] }
-oci-spec = "0.7.1"
+nix = { workspace = true, features = ["sched", "mount", "signal", "net", "dir", "user", "process", "hostname"] }
+oci-spec = "0.8.4"
 once_cell = "1"
 procfs = "0.17.0"
 proto = { workspace = true }

auraed/Cargo.toml

@@ -13,8 +13,8 @@
  * SPDX-License-Identifier: Apache-2.0                                        *
 \* -------------------------------------------------------------------------- */
 
-use libc::c_char;
-use std::io::{self};
+use nix::libc::{c_char, setdomainname};
+use std::io;
 use std::path::PathBuf;
 use tracing::info;
 
@@ -43,13 +43,12 @@ impl Isolation {
         // Bind mount root:root with MS_REC and MS_PRIVATE flags
         // We are not sharing the mounts at this point (in other words we are in a new mount namespace)
         nix::mount::mount(
-            None::<&str>, // ignored
+            None::<&str>,
             "/",
-            None::<&str>, // ignored
+            None::<&str>,
             nix::mount::MsFlags::MS_PRIVATE | nix::mount::MsFlags::MS_REC,
-            None::<&str>, // ignored
-        )
-        .map_err(|e| io::Error::from_raw_os_error(e as i32))?;
+            None::<&str>,
+        )?;
         info!("Isolation: Mounted root dir (/) in cell");
         Ok(())
     }
@@ -62,37 +61,23 @@ impl Isolation {
             return Ok(());
         }
 
-        //Mount proc in the new pid and mount namespace
+        // Mount proc in the new pid and mount namespace
         let target = PathBuf::from("/proc");
         nix::mount::mount(
             Some("/proc"),
             &target,
             Some("proc"),
             nix::mount::MsFlags::empty(),
             None::<&str>,
-        )
-        .map_err(|e| io::Error::from_raw_os_error(e as i32))?;
+        )?;
 
         // We are in a new UTS namespace so we manage hostname and domainname.
-        // hostname and domainname both allow null bytes and are not required to be null terminated.
-        if unsafe {
-            #[allow(trivial_casts)]
-            libc::sethostname(
-                self.name.as_ptr() as *const c_char,
-                self.name.len(),
-            )
-        } == -1
-        {
-            return Err(io::Error::last_os_error());
-        }
+        nix::unistd::sethostname(&self.name)?;
 
         // Set domainname
         if unsafe {
             #[allow(trivial_casts)]
-            libc::setdomainname(
-                self.name.as_ptr() as *const c_char,
-                self.name.len(),
-            )
+            setdomainname(self.name.as_ptr() as *const c_char, self.name.len())
         } == -1
         {
             return Err(io::Error::last_os_error());

auraed/src/cells/cell_service/cells/nested_auraed/isolation_controls.rs

@@ -18,13 +18,17 @@ use crate::AURAED_RUNTIME;
 use client::AuraeSocket;
 use clone3::Flags;
 use nix::{
+    errno::Errno,
     libc::SIGCHLD,
-    sys::signal::{Signal, Signal::SIGKILL, Signal::SIGTERM},
+    sys::{
+        signal::{Signal, Signal::SIGKILL, Signal::SIGTERM},
+        wait::{WaitStatus, waitpid},
+    },
     unistd::Pid,
 };
 use std::path::PathBuf;
 use std::{
-    io::{self, ErrorKind},
+    io,
     os::unix::process::{CommandExt, ExitStatusExt},
     process::{Command, ExitStatus},
 };
@@ -136,9 +140,7 @@ impl NestedAuraed {
         }
 
         // Execute the clone system call and create the new process with the relevant namespaces.
-        match unsafe { clone.call() }
-            .map_err(|e| io::Error::from_raw_os_error(e.0))?
-        {
+        match unsafe { clone.call() }? {
             0 => {
                 // child
                 let command = {
@@ -187,33 +189,67 @@ impl NestedAuraed {
     ) -> io::Result<()> {
         let signal = signal.into();
         let pid = Pid::from_raw(self.process.pid);
-
-        nix::sys::signal::kill(pid, signal)
-            .map_err(|e| io::Error::from_raw_os_error(e as i32))
+        nix::sys::signal::kill(pid, signal)?;
+        Ok(())
     }
 
     fn wait(&mut self) -> io::Result<ExitStatus> {
         let pid = Pid::from_raw(self.process.pid);
 
-        let mut exit_status = 0;
-        let _child_pid = loop {
-            let res =
-                unsafe { libc::waitpid(pid.as_raw(), &mut exit_status, 0) };
+        let status = loop {
+            match waitpid(pid, None) {
+                Ok(status) => break status,
+                Err(Errno::EINTR) => continue,
+                Err(e) => return Err(e.into()),
+            }
+        };
 
-            if res == -1 {
-                let err = io::Error::last_os_error();
-                match err.kind() {
-                    ErrorKind::Interrupted => continue,
-                    _ => break Err(err),
+        let exit_status = match status {
+            WaitStatus::Exited(_, code) => {
+                trace!("Pid {pid} exited with code {code}");
+                ExitStatus::from_raw(code << 8)
+            }
+            WaitStatus::Signaled(_, sig, core_dumped) => {
+                if core_dumped {
+                    error!("Pid {pid} killed by signal {sig} (core dumped)");
+                } else {
+                    trace!("Pid {pid} killed by signal {sig}");
                 }
+                ExitStatus::from_raw(sig as i32)
             }
-
-            break Ok(res);
-        }?;
-
-        let exit_status = ExitStatus::from_raw(exit_status);
-
-        trace!("Pid {pid} exited with status {exit_status}");
+            WaitStatus::Stopped(_, sig) => {
+                error!("Pid {pid} unexpectedly stopped by signal {sig}");
+                return Err(io::Error::other(format!(
+                    "process {pid} stopped by signal {sig}"
+                )));
+            }
+            WaitStatus::Continued(_) => {
+                error!("Pid {pid} unexpectedly continued");
+                return Err(io::Error::other(format!(
+                    "process {pid} continued unexpectedly"
+                )));
+            }
+            WaitStatus::PtraceEvent(_, sig, event) => {
+                error!(
+                    "Pid {pid} unexpected ptrace event {event} (signal {sig})"
+                );
+                return Err(io::Error::other(format!(
+                    "unexpected ptrace event for process {pid}"
+                )));
+            }
+            WaitStatus::PtraceSyscall(_) => {
+                error!("Pid {pid} unexpected ptrace syscall-stop");
+                return Err(io::Error::other(format!(
+                    "unexpected ptrace syscall-stop for process {pid}"
+                )));
+            }
+            WaitStatus::StillAlive => {
+                error!("Pid {pid} still alive after waitpid");
+                return Err(io::Error::other(format!(
+                    "process {pid} still alive after waitpid"
+                )));
+            }
+        };
 
         Ok(exit_status)
     }

auraed/src/cells/cell_service/cells/nested_auraed/nested_auraed.rs

@@ -12,35 +12,6 @@
  * Copyright 2022 - 2024, the aurae contributors                              *
  * SPDX-License-Identifier: Apache-2.0                                        *
 \* -------------------------------------------------------------------------- */
-/* -------------------------------------------------------------------------- *\
- *             Apache 2.0 License Copyright © 2022-2023 The Aurae Authors          *
- *                                                                            *
- *                +--------------------------------------------+              *
- *                |   █████╗ ██╗   ██╗██████╗  █████╗ ███████╗ |              *
- *                |  ██╔══██╗██║   ██║██╔══██╗██╔══██╗██╔════╝ |              *
- *                |  ███████║██║   ██║██████╔╝███████║█████╗   |              *
- *                |  ██╔══██║██║   ██║██╔══██╗██╔══██║██╔══╝   |              *
- *                |  ██║  ██║╚██████╔╝██║  ██║██║  ██║███████╗ |              *
- *                |  ╚═╝  ╚═╝ ╚═════╝ ╚═╝  ╚═╝╚═╝  ╚═╝╚══════╝ |              *
- *                +--------------------------------------------+              *
- *                                                                            *
- *                         Distributed Systems Runtime                        *
- *                                                                            *
- * -------------------------------------------------------------------------- *
- *                                                                            *
- *   Licensed under the Apache License, Version 2.0 (the "License");          *
- *   you may not use this file except in compliance with the License.         *
- *   You may obtain a copy of the License at                                  *
- *                                                                            *
- *       http://www.apache.org/licenses/LICENSE-2.0                           *
- *                                                                            *
- *   Unless required by applicable law or agreed to in writing, software      *
- *   distributed under the License is distributed on an "AS IS" BASIS,        *
- *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. *
- *   See the License for the specific language governing permissions and      *
- *   limitations under the License.                                           *
- *                                                                            *
-\* -------------------------------------------------------------------------- */
 
 #[allow(unused_imports)]
 use crate::cri::oci::AuraeOCIBuilder;
@@ -229,7 +200,6 @@ impl runtime_service_server::RuntimeService for RuntimeService {
         let container_status = proto::cri::ContainerStatus {
             id: sandbox_id,
             state: state as i32,
-
             ..Default::default()
         };
         Ok(Response::new(PodSandboxStatusResponse {

auraed/src/cri/runtime_service.rs

@@ -15,9 +15,9 @@
 
 use futures::stream::TryStreamExt;
 use ipnetwork::{IpNetwork, Ipv4Network, Ipv6Network};
-use libc::EEXIST;
 use netlink_packet_route::address::AddressAttribute;
 use netlink_packet_route::link::LinkAttribute;
+use nix::libc::EEXIST;
 use rtnetlink::{Handle, LinkUnspec, RouteMessageBuilder};
 use std::collections::HashMap;
 use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};

auraed/src/init/network/mod.rs

@@ -23,7 +23,7 @@ use std::{
 };
 use tracing::{info, trace, warn};
 
-use ::libc;
+use nix::libc;
 
 pub(crate) fn syscall_reboot(action: i32) {
     unsafe {

auraed/src/init/power.rs

@@ -18,7 +18,7 @@ use std::sync::{
 };
 
 use hypervisor::Hypervisor;
-use libc::EFD_NONBLOCK;
+use nix::libc::EFD_NONBLOCK;
 use vmm::{VmmThreadHandle, api::ApiRequest};
 use vmm_sys_util::eventfd::EventFd;
 

auraed/src/vms/manager.rs

@@ -16,6 +16,7 @@ use std::{collections::HashMap, net::Ipv4Addr};
 
 use anyhow::anyhow;
 use net_util::MacAddr;
+use nix::libc;
 use tracing::error;
 use vmm_sys_util::{rand, signal::block_signal};