Update nix to 0.28.0

Signed-off-by: omprakaash <omsuseela@gmail.com> Signed-off-by: om prakaash <omsuseela@gmail.com>
omprakaash · May 17, 2024 · 3144355 · 3144355
1 parent 2b86907
commit 3144355
Show file tree

Hide file tree

Showing 15 changed files with 474 additions and 33 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/libcgroups/Cargo.toml b/crates/libcgroups/Cargo.toml
@@ -20,7 +20,7 @@ systemd = ["v2", "nix/socket", "nix/uio"]
 cgroupsv2_devices = ["rbpf", "libbpf-sys", "errno", "libc", "nix/dir"]
 
 [dependencies]
-nix = { version = "0.27.1", features = ["signal", "user", "fs"] }
+nix = { version = "0.28.0", features = ["signal", "user", "fs"] }
 procfs = "0.16.0"
 oci-spec = { version = "~0.6.4", features = ["runtime"] }
 fixedbitset = "0.5.7"

diff --git a/crates/libcgroups/src/v1/memory.rs b/crates/libcgroups/src/v1/memory.rs
@@ -331,7 +331,7 @@ impl Memory {
             Err(e) => {
                 // we need to look into the raw OS error for an EBUSY status
                 match e.inner().raw_os_error() {
-                    Some(code) => match Errno::from_i32(code) {
+                    Some(code) => match Errno::from_raw(code) {
                         Errno::EBUSY => {
                             let usage = Self::get_memory_usage(cgroup_root)?;
                             let max_usage = Self::get_memory_max_usage(cgroup_root)?;

diff --git a/crates/libcontainer/Cargo.toml b/crates/libcontainer/Cargo.toml
@@ -29,7 +29,7 @@ chrono = { version = "0.4", default-features = false, features = [
 fastrand = "^2.1.0"
 futures = { version = "0.3", features = ["thread-pool"] }
 libc = "0.2.154"
-nix = { version = "0.27.1", features = [
+nix = { version = "0.28.0", features = [
     "socket",
     "sched",
     "mount",

diff --git a/crates/libcontainer/src/container/builder_impl.rs b/crates/libcontainer/src/container/builder_impl.rs
@@ -133,7 +133,7 @@ impl ContainerBuilderImpl {
             prctl::set_dumpable(false).map_err(|e| {
                 LibcontainerError::Other(format!(
                     "error in setting dumpable to false : {}",
-                    nix::errno::from_i32(e)
+                    nix::errno::Errno::from_raw(e)
                 ))
             })?;
         }

diff --git a/crates/libcontainer/src/container/tenant_builder.rs b/crates/libcontainer/src/container/tenant_builder.rs
@@ -10,7 +10,7 @@ use std::str::FromStr;
 
 use caps::Capability;
 use nix::fcntl::OFlag;
-use nix::unistd::{close, pipe2, read, Pid};
+use nix::unistd::{self, pipe2, read, Pid};
 use oci_spec::runtime::{
     Capabilities as SpecCapabilities, Capability as SpecCapability, LinuxBuilder,
     LinuxCapabilities, LinuxCapabilitiesBuilder, LinuxNamespace, LinuxNamespaceBuilder,
@@ -22,6 +22,19 @@ use super::builder::ContainerBuilder;
 use super::Container;
 use crate::capabilities::CapabilityExt;
 use crate::container::builder_impl::ContainerBuilderImpl;
+use std::os::fd::AsRawFd;
+use std::rc::Rc;
+use std::{
+    collections::HashMap,
+    convert::TryFrom,
+    ffi::{OsStr, OsString},
+    fs,
+    io::BufReader,
+    os::unix::prelude::RawFd,
+    path::{Path, PathBuf},
+    str::FromStr,
+};
+
 use crate::error::{ErrInvalidSpec, LibcontainerError, MissingSpecError};
 use crate::notify_socket::NotifySocket;
 use crate::process::args::ContainerType;
@@ -126,7 +139,7 @@ impl TenantContainerBuilder {
 
         let mut builder_impl = ContainerBuilderImpl {
             container_type: ContainerType::TenantContainer {
-                exec_notify_fd: write_end,
+                exec_notify_fd: write_end.as_raw_fd(),
             },
             syscall: self.base.syscall,
             container_id: self.base.container_id,
@@ -148,13 +161,16 @@ impl TenantContainerBuilder {
         let mut notify_socket = NotifySocket::new(notify_path);
         notify_socket.notify_container_start()?;
 
-        close(write_end).map_err(LibcontainerError::OtherSyscall)?;
+        // write_end is of type Owned_Fd and the fd is automatically closed when the variable is dropped(end of scope).
+        // Explicitly calling drop at the moment to make it clear the fd is indeed being closed.
+        // Info: https://github.com/containers/youki/pull/2728#issuecomment-2068639411
+        drop(write_end);
 
         let mut err_str_buf = Vec::new();
 
         loop {
             let mut buf = [0; 3];
-            match read(read_end, &mut buf).map_err(LibcontainerError::OtherSyscall)? {
+            match read(read_end.as_raw_fd(), &mut buf).map_err(LibcontainerError::OtherSyscall)? {
                 0 => {
                     if err_str_buf.is_empty() {
                         return Ok(pid);

diff --git a/crates/libcontainer/src/process/container_intermediate_process.rs b/crates/libcontainer/src/process/container_intermediate_process.rs
@@ -1,3 +1,7 @@
+use std::os::fd::FromRawFd;
+
+use crate::error::MissingSpecError;
+use crate::{namespaces::Namespaces, process::channel, process::fork};
 use libcgroups::common::CgroupManager;
 use nix::unistd::{close, write, Gid, Pid, Uid};
 use oci_spec::runtime::{LinuxNamespace, LinuxNamespaceType, LinuxResources};
@@ -130,12 +134,16 @@ pub fn container_intermediate_process(
                     }
                     if let ContainerType::TenantContainer { exec_notify_fd } = args.container_type {
                         let buf = format!("{e}");
-                        if let Err(err) = write(exec_notify_fd, buf.as_bytes()) {
+                        let exec_notify_fd =
+                            unsafe { std::os::fd::OwnedFd::from_raw_fd(exec_notify_fd) };
+                        if let Err(err) = write(&exec_notify_fd, buf.as_bytes()) {
                             tracing::error!(?err, "failed to write to exec notify fd");
                         }
-                        if let Err(err) = close(exec_notify_fd) {
-                            tracing::error!(?err, "failed to close exec notify fd");
-                        }
+
+                        // exec_notify_fd is of type Owned_Fd and the fd is automatically closed when the variable is dropped(end of scope).
+                        // Explicitly calling drop at the moment to make it clear the fd is indeed being closed.
+                        // Info: https://github.com/containers/youki/pull/2728#issuecomment-2068639411
+                        drop(exec_notify_fd);
                     }
                     -1
                 }
@@ -206,7 +214,7 @@ fn setup_userns(
     prctl::set_dumpable(true).map_err(|e| {
         IntermediateProcessError::Other(format!(
             "error in setting dumpable to true : {}",
-            nix::errno::from_i32(e)
+            nix::errno::Errno::from_raw(e)
         ))
     })?;
     sender.identifier_mapping_request().map_err(|err| {
@@ -220,7 +228,7 @@ fn setup_userns(
     prctl::set_dumpable(false).map_err(|e| {
         IntermediateProcessError::Other(format!(
             "error in setting dumplable to false : {}",
-            nix::errno::from_i32(e)
+            nix::errno::Errno::from_raw(e)
         ))
     })?;
     Ok(())

diff --git a/crates/libcontainer/src/process/fork.rs b/crates/libcontainer/src/process/fork.rs
@@ -1,6 +1,5 @@
-use std::ffi::c_int;
+use std::{ffi::c_int, num::NonZeroUsize};
 use std::fs::File;
-use std::num::NonZeroUsize;
 
 use libc::SIGCHLD;
 use nix::sys::{mman, resource};
@@ -164,15 +163,11 @@ fn clone(cb: CloneCb, flags: u64, exit_signal: Option<u64>) -> Result<Pid, Clone
     // do not use MAP_GROWSDOWN since it is not well supported.
     // Ref: https://man7.org/linux/man-pages/man2/mmap.2.html
     let child_stack = unsafe {
-        // Since nix = "0.27.1", `mmap()` requires a generic type `F: AsFd`.
-        // `::<File>` doesn't have any meaning because we won't use it.
-        mman::mmap::<File>(
+        mman::mmap_anonymous(
             None,
             NonZeroUsize::new(default_stack_size).ok_or(CloneError::ZeroStackSize)?,
             mman::ProtFlags::PROT_READ | mman::ProtFlags::PROT_WRITE,
-            mman::MapFlags::MAP_PRIVATE | mman::MapFlags::MAP_ANONYMOUS | mman::MapFlags::MAP_STACK,
-            None,
-            0,
+            mman::MapFlags::MAP_PRIVATE | mman::MapFlags::MAP_STACK,
         )
         .map_err(CloneError::StackAllocation)?
     };
@@ -187,7 +182,7 @@ fn clone(cb: CloneCb, flags: u64, exit_signal: Option<u64>) -> Result<Pid, Clone
 
     // Since the child stack for clone grows downward, we need to pass in
     // the top of the stack address.
-    let child_stack_top = unsafe { child_stack.add(default_stack_size) };
+    let child_stack_top = unsafe { child_stack.as_ptr().add(default_stack_size) };
 
     // Combine the clone flags with exit signals.
     let combined_flags = (flags | exit_signal.unwrap_or(0)) as c_int;

diff --git a/crates/libcontainer/src/seccomp/mod.rs b/crates/libcontainer/src/seccomp/mod.rs
@@ -329,7 +329,7 @@ mod tests {
             }
 
             if let Some(errno) = ret.err() {
-                if errno != nix::errno::from_i32(expect_error) {
+                if errno != nix::errno::Errno::from_raw(expect_error) {
                     Err(TestCallbackError::Custom(format!(
                         "getcwd failed but we didn't get the expected error from seccomp profile: {}",
                         errno

diff --git a/crates/libcontainer/src/syscall/linux.rs b/crates/libcontainer/src/syscall/linux.rs
@@ -314,7 +314,7 @@ impl Syscall for LinuxSyscall {
     fn set_id(&self, uid: Uid, gid: Gid) -> Result<()> {
         prctl::set_keep_capabilities(true).map_err(|errno| {
             tracing::error!(?errno, "failed to set keep capabilities to true");
-            nix::errno::from_i32(errno)
+            nix::errno::Errno::from_raw(errno)
         })?;
         // args : real *id, effective *id, saved set *id respectively
 
@@ -350,7 +350,7 @@ impl Syscall for LinuxSyscall {
         }
         prctl::set_keep_capabilities(false).map_err(|errno| {
             tracing::error!(?errno, "failed to set keep capabilities to false");
-            nix::errno::from_i32(errno)
+            nix::errno::Errno::from_raw(errno)
         })?;
         Ok(())
     }

diff --git a/crates/youki/Cargo.toml b/crates/youki/Cargo.toml
@@ -32,7 +32,7 @@ chrono = { version = "0.4", default-features = false, features = ["clock", "serd
 libcgroups = { path = "../libcgroups", default-features = false, version = "0.3.2" } # MARK: Version
 libcontainer = { path = "../libcontainer", default-features = false, version = "0.3.2" } # MARK: Version
 liboci-cli = { path = "../liboci-cli", version = "0.3.2" } # MARK: Version
-nix = "0.27.1"
+nix = "0.28.0"
 once_cell = "1.19.0"
 pentacle = "1.0.0"
 procfs = "0.16.0"

diff --git a/tests/contest/contest/Cargo.toml b/tests/contest/contest/Cargo.toml
@@ -9,7 +9,7 @@ chrono = { version = "0.4", default-features = false, features = ["clock"] }
 flate2 = "1.0"
 libcgroups = { path = "../../../crates/libcgroups" }
 libcontainer = { path = "../../../crates/libcontainer" }
-nix = "0.27.1"
+nix = "0.28.0"
 num_cpus = "1.16"
 oci-spec = { version = "0.6.4", features = ["runtime"] }
 once_cell = "1.19.0"

diff --git a/tests/contest/contest/src/tests/seccomp_notify/seccomp_agent.rs b/tests/contest/contest/src/tests/seccomp_notify/seccomp_agent.rs
@@ -7,6 +7,18 @@ use anyhow::{bail, Context, Result};
 use libcontainer::container::ContainerProcessState;
 use nix::sys::socket::{self, UnixAddr};
 use nix::unistd;
+use nix::{
+    sys::socket::{self, Backlog, UnixAddr},
+    unistd,
+};
+use std::{
+    io::IoSliceMut,
+    os::{
+        fd::{AsFd, AsRawFd},
+        unix::prelude::RawFd,
+    },
+    path::Path,
+};
 
 const DEFAULT_BUFFER_SIZE: usize = 4096;
 
@@ -30,7 +42,8 @@ pub fn recv_seccomp_listener(seccomp_listener: &Path) -> SeccompAgentResult {
     socket::bind(socket.as_raw_fd(), &addr).context("failed to bind to seccomp listener socket")?;
     // Force the backlog to be 1 so in the case of an error, only one connection
     // from clients will be waiting.
-    socket::listen(&socket.as_fd(), 1).context("failed to listen on seccomp listener")?;
+    socket::listen(&socket.as_fd(), Backlog::new(1)?)
+        .context("failed to listen on seccomp listener")?;
     let conn = match socket::accept(socket.as_raw_fd()) {
         Ok(conn) => conn,
         Err(e) => {

diff --git a/tests/contest/runtimetest/Cargo.toml b/tests/contest/runtimetest/Cargo.toml
@@ -5,7 +5,7 @@ edition = "2021"
 
 [dependencies]
 oci-spec = { version = "0.6.4", features = ["runtime"] }
-nix = "0.27.1"
+nix = "0.28.0"
 anyhow = "1.0"
 libc = "0.2.154" # TODO (YJDoc2) upgrade to latest
 nc = "0.8.20"

diff --git a/tests/contest/runtimetest/src/tests.rs b/tests/contest/runtimetest/src/tests.rs
@@ -38,7 +38,7 @@ pub fn validate_readonly_paths(spec: &Spec) {
     // change manual matching of i32 to e.kind() and match statement
     for path in ro_paths {
         if let std::io::Result::Err(e) = test_read_access(path) {
-            let errno = Errno::from_i32(e.raw_os_error().unwrap());
+            let errno = Errno::from_raw(e.raw_os_error().unwrap());
             // In the integration tests we test for both existing and non-existing readonly paths
             // to be specified in the spec, so we allow ENOENT here
             if errno == Errno::ENOENT {
@@ -54,7 +54,7 @@ pub fn validate_readonly_paths(spec: &Spec) {
         }
 
         if let std::io::Result::Err(e) = test_write_access(path) {
-            let errno = Errno::from_i32(e.raw_os_error().unwrap());
+            let errno = Errno::from_raw(e.raw_os_error().unwrap());
             // In the integration tests we test for both existing and non-existing readonly paths
             // being specified in the spec, so we allow ENOENT, and we expect EROFS as the paths
             // should be read-only