libcontainer/intelrdt: add support for EnableMonitoring field

[marquiz]

The linux.intelRdt.enableMonitoring field enables the creation of a per-container monitoring group. The monitoring group is removed when the container is destroyed.

Refs: opencontainers/runtime-spec#1287

[rata]

Where is this path? Inside the container? On the host?

[marquiz]

This is on the host (now changed to Mkdir)

[marquiz]

Review comments from @rata addressed. Rebased. Submitted the first commit as a separate PR (#4840), too

[marquiz]

Rebased

[marquiz]

Updated:

• rebased
• go.mod: bumped runtime-spec to latest tip of the main branch
• features.go: set linux.intelRdt.monitoring to true

[marquiz]

@rata @kolyshkin @AkihiroSuda @cyphar

[rata]

Please remove the fmt.Println() lines

[rata]

Who has control of this path? In runc this is trusted, okay, but is it exposed in k8s or containerd or some other to the user?

Not sure with the https://github.com/intel/k8s-rdt-controller what is exposed to an end user

[marquiz]

It's runc, it's in this very same file (and patch):

func (m *Manager) GetMonPath() string {
	if closPath := m.GetPath(); closPath != "" && m.config.IntelRdt.EnableMonitoring {
		path, err := securejoin.SecureJoin(filepath.Join(closPath, "mon_groups"), m.id)

So it's basically <clos-dir>/mon_groups/<container-id>

[rata]

Thanks, and that comes from intelRdtRoot. But where does that come from? Is there any way an unprivileged user (or just anyone that is not the sysadmin or so) can control any path component (or the intelRDT root)?

[marquiz]

That, in turn, comes from parsing the output of statfs syscall (unix.Statfs()). Note that in the case of runc update the closPath is taken from the config.json of the container.

In any case I cannot see any way that an unprivileged user can control the path

[rata]

So statfs will have some string value and we will mkdir it on the host, outside of the container rootfs?

[rata]

This conversation was broken out of this thread, it continued in the main PR discussion. The final answer I found for this is posted here: #4832 (comment)

Basically, the fs will be mounted somewhere on the host by the admin and we might create/delete some dirs inside that. None of that is accessible to the container process.

@marquiz correct me if I'm getting something wrong.

[rata]

@kolyshkin PTAL, I'd like someone else to look at this part too, just in case I'm missing something :)

[marquiz]

Rebased (see if the unrelated linter errors go away...)

[rata]

So statfs will have some string value and we will mkdir it on the host, outside of the container rootfs?

[marquiz]

So statfs will have some string value and we will mkdir it on the host, outside of the container rootfs?

Yes the data comes from the Linux kernel. See statfs syscall, e.g. https://man7.org/linux/man-pages/man2/statfs.2.html

[rata]

@marquiz that manpage doesn't tell anything about intelrdt :-). But ok, I guess you need to mount the restctrl fs like shown here and therefore the host admin decides where it is mounted, no container will have write access to any file/dir there, I guess.

[rata]

This mostly LGTM. But let's use the well-known table tests (or are you avoiding them for a reason?)

[marquiz]

Updated, review comments addressed

@rata @kolyshkin

[marquiz]

Updated @rata

[marquiz]

Rebased to resolve conflicts

[rata]

Sorry I didn't check the tests before. Let's improve and reduce the c&p. Let's make it more standard golang table-tests.

[rata]

nit: Let's do a quick return if intelRdt is nil and remove the indentation for the rest of the function

[marquiz]

Changed as suggested

[rata]

It seems this can be part of the for ... range tests loop,a s it's c&p in every testFunc(). Yes, one needs a slightly different param, but that can be part of the test struct, I think.

[marquiz]

Tests refactored

[rata]

idem

[marquiz]

Refactored

[marquiz]

Updated: test refactored

@rata @kolyshkin