Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

runc aways open "/proc/sys/kernel/cap_last_cap" #4356

Open
ningmingxiao opened this issue Jul 22, 2024 · 5 comments
Open

runc aways open "/proc/sys/kernel/cap_last_cap" #4356

ningmingxiao opened this issue Jul 22, 2024 · 5 comments

Comments

@ningmingxiao
Copy link

Description

runc aways open "/proc/sys/kernel/cap_last_cap" because it it done it init().

func init() {
	var hdr capHeader
	capget(&hdr, nil)
	capVers = hdr.version

	if initLastCap() == nil {
		CAP_LAST_CAP = capLastCap
		if capLastCap > 31 {
			capUpperMask = (uint32(1) << (uint(capLastCap) - 31)) - 1
		} else {
			capUpperMask = 0
		}
	}
}

func initLastCap() error {
	if capLastCap != 0 {
		return nil
	}

	f, err := os.Open("/proc/sys/kernel/cap_last_cap")
	if err != nil {
		return err
	}
	defer f.Close()

	var b []byte = make([]byte, 11)
	_, err = f.Read(b)
	if err != nil {
		return err
	}

	fmt.Sscanf(string(b), "%d", &capLastCap)

	return nil
}

Steps to reproduce the issue

1.runc --help will read /proc/sys/kernel/cap_last_cap

Describe the results you received and expected

read /proc/sys/kernel/cap_last_cap when needed

What version of runc are you using?

1.1.12

Host OS information

linux

Host kernel information

any
@ningmingxiao
Copy link
Author

ping @lifubang @kolyshkin

@cyphar
Copy link
Member

cyphar commented Jul 22, 2024
edited
Loading

This is a bug in https://github.com/syndtr/gocapability. You would just need to switch to using sync.Once.

EDIT: Ah, you already made a bug (syndtr/gocapability#26). Please link related bugs so they're easier to find.

@ningmingxiao
Copy link
Author

ningmingxiao commented Jul 22, 2024
edited
Loading

this library hasn't been updated for a long time. maybe nobody will maintain it. Can we move it to
github.com/opencontainers/runc/libcontainer/capabilities ? use sync.Once is not a good idea. I want use it only when we need it.
if use sync.Once runc version also call it.

@ningmingxiao ningmingxiao mentioned this issue Jul 22, 2024
Open
@cyphar
Copy link
Member

cyphar commented Jul 22, 2024
edited
Loading

I mean to do sync.Once like this (which is what we usually do elsewhere in runc):

var (
  someBoolOnce sync.Once
  someBool bool
)

func getSomeBool() bool {
  someBoolOnce.Do(func() { ... })
  return someBool
}

@ningmingxiao ningmingxiao mentioned this issue Jul 22, 2024
Closed
@kolyshkin
Copy link
Contributor

kolyshkin commented Jul 23, 2024
edited
Loading

A slightly more modern way is to use sync.OnceValue. For usage example, see #4358.

Alas there's no way to stop init() functions from vendored packages to be run at startup.

Re github.com/syndtr/gocapability, I have 4 easy-to-review PRs in there opened Feb 2023, and it seems the original maintainer is not interested. Guess it's time to fork it.

@ningmingxiao ningmingxiao mentioned this issue Jul 31, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

DRAFT:replace github.com/syndtr/gocapability with github.com/kolyshkin/capa… ningmingxiao/runc
3 participants
@cyphar @kolyshkin @ningmingxiao