Conversation

@tych0 (Member) commented Sep 11, 2025

These sysctls are all per-userns (termed ucounts in the kernel code) and are settable with CAP_SYS_RESOURCE in the user namespace.

@tych0 (Member, Author) commented Sep 11, 2025

hmm, failure seems unrelated?

=== RUN   TestCheckpoint
time="2025-09-11T18:35:31Z" level=warning msg="--- Quoting \"/tmp/TestCheckpoint2801704420/003/criu/dump.log\""
time="2025-09-11T18:35:31Z" level=warning msg="887:(00.132940) page-xfer: Transferring pages:"
time="2025-09-11T18:35:31Z" level=warning msg="888:(00.132942) page-xfer: \tbuf 1/1"
time="2025-09-11T18:35:31Z" level=warning msg="889:(00.132943) page-xfer: \tp 0x7ffeeb14c000 [1]"
time="2025-09-11T18:35:31Z" level=warning msg="890:(00.132950) page-xfer: \th 0x7ffeeb14d000 [1]"
time="2025-09-11T18:35:31Z" level=warning msg="891:(00.132964) page-xfer: Checking 0x7ffeeb14d000/4096 hole"
time="2025-09-11T18:35:31Z" level=warning msg="892:(00.132970) Error (criu/page-xfer.c:299): page-xfer: Missing 7ffeeb14d000 in parent pagemap"
time="2025-09-11T18:35:31Z" level=warning msg="893:(00.132973) Error (criu/page-xfer.c:342): page-xfer: Hole 0x7ffeeb14d000/4096 not found in parent"
time="2025-09-11T18:35:31Z" level=warning msg="894:(00.132994) page-pipe: Killing page pipe"
time="2025-09-11T18:35:31Z" level=warning msg="895:(00.133020) ----------------------------------------"
time="2025-09-11T18:35:31Z" level=warning msg="896:(00.133022) Error (criu/mem.c:672): Can't dump page with parasite"
time="2025-09-11T18:35:31Z" level=warning msg=...
time="2025-09-11T18:35:31Z" level=warning msg="906:(00.133265) net: Unlock network"
time="2025-09-11T18:35:31Z" level=warning msg="907:(00.133269) Running network-unlock scripts"
time="2025-09-11T18:35:31Z" level=warning msg="908:(00.133271) \tRPC"
time="2025-09-11T18:35:31Z" level=warning msg="909:(00.145852) Unfreezing tasks into 1"
time="2025-09-11T18:35:31Z" level=warning msg="910:(00.145868) \tUnseizing 44198 into 1"
time="2025-09-11T18:35:31Z" level=warning msg="911:(00.145896) Error (criu/cr-dump.c:2111): Dumping FAILED."
time="2025-09-11T18:35:31Z" level=warning msg=---
    checkpoint_test.go:113: criu failed: type DUMP errno 0
--- FAIL: TestCheckpoint (0.54s)

@cyphar (Member) commented Sep 11, 2025

Unfortunately that criu test has been flaky for years, I'll re-run it.

@rata (Member) commented Sep 12, 2025

@tych0 wanna add a test for this?

Also, some docs on the namespace-awareness of these things? Or how did you verify?

@tych0 (Member, Author) commented Sep 12, 2025

Good point, I added some tests, thanks.

As for docs, there really aren't any. If you read the kernel source, you can see the perms checks: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/kernel/ucount.c#n42

The infra was added a long time ago in https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=dbec28460a89aa7c02c3301e9e108d98272549d2 and has been slowly growing, but I don't think many people are aware of it.

@cyphar (Member) commented Sep 12, 2025

Yeah the ucount stuff is a really well hidden interface, I think I only found out about it when Eric sent patches related to it a few years ago and it was like I'd found some lost treasure.

These sysctls are all per-userns (termed `ucounts` in the kernel code) and are
settable with CAP_SYS_RESOURCE in the user namespace.

Signed-off-by: Tycho Andersen <[email protected]>

@rata (Member) left a review comment

LGTM, thanks!

@tych0 Do you need this in 1.4? It's so simple that I'm fine with it if that is better for you

@rata rata merged commit f3ea522 into opencontainers:main Sep 15, 2025
36 checks passed
@tych0 (Member, Author) commented Sep 15, 2025

Sure, that would be great! Do I need to cherry-pick and send another PR?

@rata (Member) commented Sep 15, 2025

Yes, please :). cherry-pick -x would be great and open a PR against the 1.4 branch :)

@tych0 (Member, Author) commented Sep 15, 2025

#4892 thank you!

@cyphar cyphar added the backport/1.4-todo A PR in main branch which needs to backported to release-1.4 label Sep 15, 2025
@cyphar cyphar added backport/1.4-done A PR in main branch which has been backported to release-1.4 and removed backport/1.4-todo A PR in main branch which needs to backported to release-1.4 labels Sep 15, 2025