2018-09-24 18:37:45 +00:00
|
|
|
package executor
|
|
|
|
|
|
|
|
import (
|
|
|
|
"fmt"
|
|
|
|
"os"
|
2020-11-25 14:34:10 +00:00
|
|
|
"os/exec"
|
2018-09-24 18:37:45 +00:00
|
|
|
"os/user"
|
|
|
|
"strconv"
|
|
|
|
"syscall"
|
|
|
|
|
2019-06-17 03:56:20 +00:00
|
|
|
"github.com/containernetworking/plugins/pkg/ns"
|
2018-09-24 18:37:45 +00:00
|
|
|
multierror "github.com/hashicorp/go-multierror"
|
2019-09-30 15:50:22 +00:00
|
|
|
"github.com/hashicorp/nomad/plugins/drivers"
|
2018-09-24 18:37:45 +00:00
|
|
|
"github.com/opencontainers/runc/libcontainer/cgroups"
|
|
|
|
cgroupFs "github.com/opencontainers/runc/libcontainer/cgroups/fs"
|
|
|
|
lconfigs "github.com/opencontainers/runc/libcontainer/configs"
|
2020-08-19 15:57:26 +00:00
|
|
|
"github.com/opencontainers/runc/libcontainer/specconv"
|
2018-09-24 18:37:45 +00:00
|
|
|
)
|
|
|
|
|
2020-11-25 14:34:10 +00:00
|
|
|
// setCmdUser takes a user id as a string and looks up the user, and sets the command
|
2018-09-24 18:37:45 +00:00
|
|
|
// to execute as that user.
|
2020-11-25 14:34:10 +00:00
|
|
|
func setCmdUser(cmd *exec.Cmd, userid string) error {
|
2018-09-24 18:37:45 +00:00
|
|
|
u, err := user.Lookup(userid)
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("Failed to identify user %v: %v", userid, err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Get the groups the user is a part of
|
|
|
|
gidStrings, err := u.GroupIds()
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("Unable to lookup user's group membership: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
gids := make([]uint32, len(gidStrings))
|
|
|
|
for _, gidString := range gidStrings {
|
|
|
|
u, err := strconv.Atoi(gidString)
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("Unable to convert user's group to int %s: %v", gidString, err)
|
|
|
|
}
|
|
|
|
|
|
|
|
gids = append(gids, uint32(u))
|
|
|
|
}
|
|
|
|
|
|
|
|
// Convert the uid and gid
|
|
|
|
uid, err := strconv.ParseUint(u.Uid, 10, 32)
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("Unable to convert userid to uint32: %s", err)
|
|
|
|
}
|
|
|
|
gid, err := strconv.ParseUint(u.Gid, 10, 32)
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("Unable to convert groupid to uint32: %s", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Set the command to run as that user and group.
|
2020-11-25 14:34:10 +00:00
|
|
|
if cmd.SysProcAttr == nil {
|
|
|
|
cmd.SysProcAttr = &syscall.SysProcAttr{}
|
2018-09-24 18:37:45 +00:00
|
|
|
}
|
2020-11-25 14:34:10 +00:00
|
|
|
if cmd.SysProcAttr.Credential == nil {
|
|
|
|
cmd.SysProcAttr.Credential = &syscall.Credential{}
|
2018-09-24 18:37:45 +00:00
|
|
|
}
|
2020-11-25 14:34:10 +00:00
|
|
|
cmd.SysProcAttr.Credential.Uid = uint32(uid)
|
|
|
|
cmd.SysProcAttr.Credential.Gid = uint32(gid)
|
|
|
|
cmd.SysProcAttr.Credential.Groups = gids
|
2018-09-24 18:37:45 +00:00
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// configureResourceContainer configured the cgroups to be used to track pids
|
|
|
|
// created by the executor
|
|
|
|
func (e *UniversalExecutor) configureResourceContainer(pid int) error {
|
|
|
|
cfg := &lconfigs.Config{
|
|
|
|
Cgroups: &lconfigs.Cgroup{
|
2020-08-19 15:57:26 +00:00
|
|
|
Resources: &lconfigs.Resources{},
|
2018-09-24 18:37:45 +00:00
|
|
|
},
|
|
|
|
}
|
2020-08-19 15:57:26 +00:00
|
|
|
for _, device := range specconv.AllowedDevices {
|
2021-03-31 14:57:02 +00:00
|
|
|
cfg.Cgroups.Resources.Devices = append(cfg.Cgroups.Resources.Devices, &device.Rule)
|
2020-08-19 15:57:26 +00:00
|
|
|
}
|
2018-09-24 18:37:45 +00:00
|
|
|
|
2019-07-10 17:45:32 +00:00
|
|
|
err := configureBasicCgroups(cfg)
|
|
|
|
if err != nil {
|
2019-07-24 16:10:05 +00:00
|
|
|
// Log this error to help diagnose cases where nomad is run with too few
|
2019-07-22 19:16:13 +00:00
|
|
|
// permissions, but don't return an error. There is no separate check for
|
|
|
|
// cgroup creation permissions, so this may be the happy path.
|
2019-07-24 16:10:05 +00:00
|
|
|
e.logger.Warn("failed to create cgroup",
|
|
|
|
"docs", "https://www.nomadproject.io/docs/drivers/raw_exec.html#no_cgroups",
|
|
|
|
"error", err)
|
2019-07-22 19:16:13 +00:00
|
|
|
return nil
|
2019-07-10 17:45:32 +00:00
|
|
|
}
|
2018-09-24 18:37:45 +00:00
|
|
|
e.resConCtx.groups = cfg.Cgroups
|
|
|
|
return cgroups.EnterPid(cfg.Cgroups.Paths, pid)
|
|
|
|
}
|
|
|
|
|
2019-07-10 17:45:32 +00:00
|
|
|
func (e *UniversalExecutor) getAllPids() (map[int]*nomadPid, error) {
|
|
|
|
if e.resConCtx.isEmpty() {
|
|
|
|
return getAllPidsByScanning()
|
|
|
|
} else {
|
|
|
|
return e.resConCtx.getAllPidsByCgroup()
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2018-09-24 18:37:45 +00:00
|
|
|
// DestroyCgroup kills all processes in the cgroup and removes the cgroup
|
|
|
|
// configuration from the host. This function is idempotent.
|
|
|
|
func DestroyCgroup(groups *lconfigs.Cgroup, executorPid int) error {
|
|
|
|
mErrs := new(multierror.Error)
|
|
|
|
if groups == nil {
|
|
|
|
return fmt.Errorf("Can't destroy: cgroup configuration empty")
|
|
|
|
}
|
|
|
|
|
|
|
|
// Move the executor into the global cgroup so that the task specific
|
|
|
|
// cgroup can be destroyed.
|
|
|
|
path, err := cgroups.GetInitCgroupPath("freezer")
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
if err := cgroups.EnterPid(map[string]string{"freezer": path}, executorPid); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
// Freeze the Cgroup so that it can not continue to fork/exec.
|
|
|
|
groups.Resources.Freezer = lconfigs.Frozen
|
|
|
|
freezer := cgroupFs.FreezerGroup{}
|
2022-01-14 15:46:06 +00:00
|
|
|
if err := freezer.Set(groups.Paths[freezer.Name()], groups.Resources); err != nil {
|
2018-09-24 18:37:45 +00:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
var procs []*os.Process
|
|
|
|
pids, err := cgroups.GetAllPids(groups.Paths[freezer.Name()])
|
|
|
|
if err != nil {
|
|
|
|
multierror.Append(mErrs, fmt.Errorf("error getting pids: %v", err))
|
|
|
|
|
|
|
|
// Unfreeze the cgroup.
|
|
|
|
groups.Resources.Freezer = lconfigs.Thawed
|
|
|
|
freezer := cgroupFs.FreezerGroup{}
|
2022-01-14 15:46:06 +00:00
|
|
|
if err := freezer.Set(groups.Paths[freezer.Name()], groups.Resources); err != nil {
|
2018-09-24 18:37:45 +00:00
|
|
|
multierror.Append(mErrs, fmt.Errorf("failed to unfreeze cgroup: %v", err))
|
|
|
|
return mErrs.ErrorOrNil()
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Kill the processes in the cgroup
|
|
|
|
for _, pid := range pids {
|
|
|
|
proc, err := os.FindProcess(pid)
|
|
|
|
if err != nil {
|
|
|
|
multierror.Append(mErrs, fmt.Errorf("error finding process %v: %v", pid, err))
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
|
|
|
procs = append(procs, proc)
|
|
|
|
if e := proc.Kill(); e != nil {
|
|
|
|
multierror.Append(mErrs, fmt.Errorf("error killing process %v: %v", pid, e))
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Unfreeze the cgroug so we can wait.
|
|
|
|
groups.Resources.Freezer = lconfigs.Thawed
|
2022-01-14 15:46:06 +00:00
|
|
|
if err := freezer.Set(groups.Paths[freezer.Name()], groups.Resources); err != nil {
|
2018-09-24 18:37:45 +00:00
|
|
|
multierror.Append(mErrs, fmt.Errorf("failed to unfreeze cgroup: %v", err))
|
|
|
|
return mErrs.ErrorOrNil()
|
|
|
|
}
|
|
|
|
|
|
|
|
// Wait on the killed processes to ensure they are cleaned up.
|
|
|
|
for _, proc := range procs {
|
|
|
|
// Don't capture the error because we expect this to fail for
|
|
|
|
// processes we didn't fork.
|
|
|
|
proc.Wait()
|
|
|
|
}
|
|
|
|
|
|
|
|
// Remove the cgroup.
|
|
|
|
if err := cgroups.RemovePaths(groups.Paths); err != nil {
|
|
|
|
multierror.Append(mErrs, fmt.Errorf("failed to delete the cgroup directories: %v", err))
|
|
|
|
}
|
|
|
|
return mErrs.ErrorOrNil()
|
|
|
|
}
|
2019-06-17 03:56:20 +00:00
|
|
|
|
2019-10-01 01:38:31 +00:00
|
|
|
// withNetworkIsolation calls the passed function the network namespace `spec`
|
|
|
|
func withNetworkIsolation(f func() error, spec *drivers.NetworkIsolationSpec) error {
|
2019-09-30 15:50:22 +00:00
|
|
|
if spec != nil && spec.Path != "" {
|
2019-06-17 03:56:20 +00:00
|
|
|
// Get a handle to the target network namespace
|
2019-09-30 15:50:22 +00:00
|
|
|
netns, err := ns.GetNS(spec.Path)
|
2019-06-17 03:56:20 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
// Start the container in the network namespace
|
|
|
|
return netns.Do(func(ns.NetNS) error {
|
2019-09-30 15:50:22 +00:00
|
|
|
return f()
|
2019-06-17 03:56:20 +00:00
|
|
|
})
|
|
|
|
}
|
|
|
|
|
2019-09-30 15:50:22 +00:00
|
|
|
return f()
|
2019-06-17 03:56:20 +00:00
|
|
|
}
|