build: use libpathrs by default

[cyphar]

Draft until these PRs / issues are resolved and libpathrs has a new release:

• build: improve builds for runc cyphar/libpathrs#327
• fdinfo "ino" field was only added in Linux 5.14 cyphar/libpathrs#334
  • utils: fdinfo: do not require "ino" field for pre-5.14 kernels cyphar/libpathrs#337
• release: generate and sign archives cyphar/libpathrs#328

---

pathrs-lite supports transparently switching to libpathrs.so as a backend
with the libpathrs build tag. In order to permit us to eventually require
libpathrs.so (and get rid of some of the duplicated wrappers in
internal/pathrs), we need to make libpathrs opt-out for at least one
release before making it mandatory.

Signed-off-by: Aleksa Sarai cyphar@cyphar.com

[AkihiroSuda]

This should be in the matrix?

[cyphar]

Will do, I'm just trying to validate that cyphar/libpathrs#327 is sufficient to make runc builds happy (both with make releaseall and in GHA). I also still need to set up signed release archives and switch script/build-libpathrs.sh back to pulling from a release as well.

[kolyshkin]

Perhaps you can set up OBS to build (and serve) libpathrs deb packages, similar to how it's currently done for criu? This will save a lot of hassle (in this repo, not for you I'm afraid). We can probably also reuse this from Dockerfile, too, eliminating the need for script/build-libpathrs.sh (the seccomp one is really needed as we have to include the sources, and there's no such requirement for libpathrs IMO).

[cyphar]

Yeah, I was thinking about doing that to be honest, but was hoping to be able to do this later rather than upfront (I don't mind maintaining unofficial packages for this stuff eventually but learning Rust packaging for 3-4 different distros as a prerequisite for this PR seems a little harsh 😅).

eliminating the need for script/build-libpathrs.sh (the seccomp one is really needed as we have to include the sources, and there's no such requirement for libpathrs IMO).

libpathrs is MPLv2 (or LGPLv3), so we do need to include a copy of the sources.

[rata]

This mostly LGTM. I like that it is basically contained on the CI/release files. Ping me when you want another review.

I left some comments. I think I'd nto try to figure out the "correct" location for a library on each distro, if something like /usr/local works on all. I'd let the right destdir to when we have an OBS package for each distro or so. But I feel usr/local probably doesn't work?

Left some other comments too, mostly nits.

[cyphar]

What the heck...

=== RUN   TestBindMountAndUser
    exec_test.go:1819: unexpected error:
      unable to start container process:
      error during container init:
      error mounting "proc" to rootfs at "/proc":
      cannot re-open [12]"/tmp/TestBindMountAndUser164197807/002" with O_DIRECTORY:
      get safe procfs handle:
      open fd 13 fdinfo:
      open raw procfs subpath failed:
      openat2([13]"/proc", "./thread-self/fdinfo/13", { flags: OpenFlags(O_CLOEXEC | O_NOFOLLOW | O_NOCTTY), resolve: ResolveFlags(RESOLVE_BENEATH | RESOLVE_NO_MAGICLINKS | RESOLVE_NO_XDEV) }, 24):
      Permission denied (os error 13)
--- FAIL: TestBindMountAndUser (0.08s)

🤨

Hmmmm, this is probably caused by the annoying procfs behaviour with user namespaces and non-dumpability... (ptrace_may_access would allow access but procfs DAC permissions block it.)

I guess in the case where we would accept no mnt_id we can also accept non-dumpable blocking access to fdinfo...? Ew...