Merge branch 'main' into add-test-process

README.md

@@ -29,7 +29,7 @@ youki is named after the Japanese word 'youki', which means 'a container'. In Ja
 > $ sudo podman run --cgroup-manager=cgroupfs --runtime /workspaces/youki/youki hello-world
 > ```
 
-[User Documentation](https://containers.github.io/youki/user/basic_setup.html#quick-install)
+[User Documentation](https://youki-dev.github.io/youki/user/basic_setup.html#quick-install)
 
 # 🎯 Motivation
 
@@ -96,7 +96,7 @@ We have [our roadmap](https://github.com/orgs/containers/projects/15).
 
 # 🎨 Design and implementation of youki
 
-The User and Developer Documentation for youki is hosted at [https://containers.github.io/youki/](https://containers.github.io/youki/)
+The User and Developer Documentation for youki is hosted at [https://youki-dev.github.io/youki/](https://youki-dev.github.io/youki/)
 
 ![Architecture](docs/.drawio.svg)
 
@@ -277,7 +277,7 @@ just youki-dev # or youki-release
 
 # 👥 Community and Contributing
 
-Please refer to [our community page](https://containers.github.io/youki/community/introduction.html).
+Please refer to [our community page](https://youki-dev.github.io/youki/community/introduction.html).
 
 Thanks to all the people who already contributed!
 

crates/libcgroups/Cargo.toml

@@ -4,7 +4,7 @@ version = "0.4.1" # MARK: Version
 description = "Library for cgroup"
 license-file = "../../LICENSE"
 repository = "https://github.com/containers/youki"
-homepage = "https://containers.github.io/youki"
+homepage = "https://youki-dev.github.io/youki/"
 readme = "README.md"
 authors = ["youki team"]
 edition = "2021"
@@ -22,19 +22,19 @@ cgroupsv2_devices = ["rbpf", "libbpf-sys", "errno", "libc", "nix/dir"]
 [dependencies]
 nix = { version = "0.28.0", features = ["signal", "user", "fs"] }
 procfs = "0.16.0"
-oci-spec = { version = "~0.7.0", features = ["runtime"] }
+oci-spec = { version = "~0.7.1", features = ["runtime"] }
 fixedbitset = "0.5.7"
 serde = { version = "1.0", features = ["derive"] }
 rbpf = { version = "0.3.0", optional = true }
-libbpf-sys = { version = "1.4.5", optional = true }
+libbpf-sys = { version = "1.5.0", optional = true }
 errno = { version = "0.3.9", optional = true }
-libc = { version = "0.2.161", optional = true }
-thiserror = "1.0.65"
+libc = { version = "0.2.162", optional = true }
+thiserror = "1.0.66"
 tracing = { version = "0.1.40", features = ["attributes"] }
 
 [dev-dependencies]
 anyhow = "1.0"
-oci-spec = { version = "~0.7.0", features = ["proptests", "runtime"] }
+oci-spec = { version = "~0.7.1", features = ["proptests", "runtime"] }
 quickcheck = "1"
 mockall = { version = "0.13.0", features = [] }
 clap = "4.1.6"

crates/libcontainer/Cargo.toml

@@ -4,7 +4,7 @@ version = "0.4.1" # MARK: Version
 description = "Library for container control"
 license-file = "../../LICENSE"
 repository = "https://github.com/containers/youki"
-homepage = "https://containers.github.io/youki"
+homepage = "https://youki-dev.github.io/youki/"
 readme = "README.md"
 authors = ["youki team"]
 edition = "2021"
@@ -26,7 +26,7 @@ chrono = { version = "0.4", default-features = false, features = [
     "serde",
 ] }
 fastrand = "^2.1.1"
-libc = "0.2.161"
+libc = "0.2.162"
 nix = { version = "0.28.0", features = [
     "socket",
     "sched",
@@ -37,7 +37,7 @@ nix = { version = "0.28.0", features = [
     "term",
     "hostname",
 ] }
-oci-spec = { version = "0.7.0", features = ["runtime"] }
+oci-spec = { version = "0.7.1", features = ["runtime"] }
 once_cell = "1.20.2"
 procfs = "0.16.0"
 prctl = "1.0.0"
@@ -47,13 +47,13 @@ serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
 rust-criu = "0.4.0"
 regex = { version = "1.10.6", default-features = false, features = ["std", "unicode-perl"] }
-thiserror = "1.0.65"
+thiserror = "1.0.66"
 tracing = { version = "0.1.40", features = ["attributes"] }
 safe-path = "0.1.0"
 nc = "0.9.5"
 
 [dev-dependencies]
-oci-spec = { version = "~0.7.0", features = ["proptests", "runtime"] }
+oci-spec = { version = "~0.7.1", features = ["proptests", "runtime"] }
 quickcheck = "1"
 serial_test = "3.1.1"
 tempfile = "3"

crates/libcontainer/src/rootfs/rootfs.rs

@@ -31,17 +31,14 @@ impl RootFS {
         }
     }
 
-    pub fn prepare_rootfs(
+    pub fn mount_to_rootfs(
         &self,
+        linux: &Linux,
         spec: &Spec,
         rootfs: &Path,
-        bind_devices: bool,
         cgroup_ns: bool,
     ) -> Result<()> {
-        tracing::debug!(?rootfs, "prepare rootfs");
         let mut flags = MsFlags::MS_REC;
-        let linux = spec.linux().as_ref().ok_or(MissingSpecError::Linux)?;
-
         match linux.rootfs_propagation().as_deref() {
             Some("shared") => flags |= MsFlags::MS_SHARED,
             Some("private") => flags |= MsFlags::MS_PRIVATE,
@@ -92,6 +89,20 @@ impl RootFS {
                 mounter.setup_mount(mount, &global_options)?;
             }
         }
+        Ok(())
+    }
+
+    pub fn prepare_rootfs(
+        &self,
+        spec: &Spec,
+        rootfs: &Path,
+        bind_devices: bool,
+        cgroup_ns: bool,
+    ) -> Result<()> {
+        tracing::debug!(?rootfs, "prepare rootfs");
+        let linux = spec.linux().as_ref().ok_or(MissingSpecError::Linux)?;
+
+        self.mount_to_rootfs(linux, spec, rootfs, cgroup_ns)?;
 
         let symlinker = Symlink::new();
         symlinker.setup_kcore_symlink(rootfs)?;

crates/liboci-cli/Cargo.toml

@@ -4,7 +4,7 @@ version = "0.4.1" # MARK: Version
 description = "Parse command line arguments for OCI container runtimes"
 license-file = "../../LICENSE"
 repository = "https://github.com/containers/youki"
-homepage = "https://containers.github.io/youki"
+homepage = "https://youki-dev.github.io/youki/"
 readme = "README.md"
 authors = ["youki team"]
 edition = "2021"

crates/youki/Cargo.toml

@@ -4,7 +4,7 @@ version = "0.4.1" # MARK: Version
 description = "A container runtime written in Rust"
 license-file = "../../LICENSE"
 repository = "https://github.com/containers/youki"
-homepage = "https://containers.github.io/youki"
+homepage = "https://youki-dev.github.io/youki/"
 readme = "../../README.md"
 authors = ["youki team"]
 edition = "2021"
@@ -28,7 +28,7 @@ default-features = false
 features = ["std", "suggestions", "derive", "cargo", "help", "usage", "error-context"]
 
 [dependencies]
-anyhow = "1.0.91"
+anyhow = "1.0.93"
 chrono = { version = "0.4", default-features = false, features = ["clock", "serde"] }
 libcgroups = { path = "../libcgroups", default-features = false, version = "0.4.1" } # MARK: Version
 libcontainer = { path = "../libcontainer", default-features = false, version = "0.4.1" } # MARK: Version
@@ -43,8 +43,8 @@ caps = "0.5.5"
 wasmer = { version = "4.0.0", optional = true }
 wasmer-wasix = { version = "0.9.0", optional = true }
 wasmedge-sdk = { version = "0.14.0", optional = true }
-wasmtime = { version = "26.0.0", optional = true }
-wasi-common = { version = "26.0.0", optional = true }
+wasmtime = { version = "26.0.1", optional = true }
+wasi-common = { version = "26.0.1", optional = true }
 tracing = { version = "0.1.40", features = ["attributes"] }
 tracing-subscriber = { version = "0.3.18", features = ["json", "env-filter"] }
 tracing-journald = "0.3.0"
@@ -55,5 +55,5 @@ tempfile = "3"
 scopeguard = "1.2.0"
 
 [build-dependencies]
-anyhow = "1.0.91"
+anyhow = "1.0.93"
 vergen-gitcl = { version = "1.0.1", features = ["build"] }

docs/src/developer/documentation_mdbook.md

@@ -4,7 +4,7 @@ This documentation is created using mdbook and aims to provide a concise referen
 
 Please make sure that you update this documentation along with newly added features and resources that you found helpful while developing, so that it will be helpful for newcomers.
 
-Currently this documentation is hosted at [https://containers.github.io/youki/](https://containers.github.io/youki/), using GitHub pages. GitHub CI actions are used to automatically check if any files are changed in /docs on each push / PR merge to main branch, and if there are any changes, the mdbook is build and deployed to gh-pages. We use [https://github.com/peaceiris/actions-mdbook](https://github.com/peaceiris/actions-mdbook) to build and then [https://github.com/peaceiris/actions-gh-pages](https://github.com/peaceiris/actions-gh-pages) GitHub action to deploy the mdbook.
+Currently this documentation is hosted at [https://youki-dev.github.io/youki/](https://youki-dev.github.io/youki/), using GitHub pages. GitHub CI actions are used to automatically check if any files are changed in /docs on each push / PR merge to main branch, and if there are any changes, the mdbook is build and deployed to gh-pages. We use [https://github.com/peaceiris/actions-mdbook](https://github.com/peaceiris/actions-mdbook) to build and then [https://github.com/peaceiris/actions-gh-pages](https://github.com/peaceiris/actions-gh-pages) GitHub action to deploy the mdbook.
 
 When testing locally you can manually test the changes by running `mdbook serve` in the docs directory (after installing mdbook), which will temporarily serve the mdbook at `localhost:3000` by default. You can check the mdbook documentation for more information.
 

experiment/seccomp/Cargo.toml

@@ -4,7 +4,7 @@ version = "0.0.0"
 description = "Library for seccomp"
 license-file = "../../LICENSE"
 repository = "https://github.com/containers/youki"
-homepage = "https://containers.github.io/youki"
+homepage = "https://youki-dev.github.io/youki/"
 readme = "README.md"
 authors = ["youki team"]
 edition = "2021"

experiment/selinux/Cargo.toml

@@ -4,7 +4,7 @@ version = "0.1.0"
 description = "Library for selinux"
 license-file = "../../LICENSE"
 repository = "https://github.com/containers/youki"
-homepage = "https://containers.github.io/youki"
+homepage = "https://youki-dev.github.io/youki/"
 readme = "README.md"
 authors = ["youki team"]
 edition = "2021"

tests/contest/contest/Cargo.toml

@@ -10,7 +10,7 @@ libcgroups = { path = "../../../crates/libcgroups" }
 libcontainer = { path = "../../../crates/libcontainer" }
 nix = "0.28.0"
 num_cpus = "1.16"
-oci-spec = { version = "0.7.0", features = ["runtime"] }
+oci-spec = { version = "0.7.1", features = ["runtime"] }
 once_cell = "1.20.2"
 pnet_datalink = "0.35.0"
 procfs = "0.16.0"
@@ -20,7 +20,7 @@ serde_json = "1.0"
 tar = "0.4"
 test_framework = { path = "../test_framework" }
 uuid = "1.11"
-which = "6.0.3"
+which = "7.0.0"
 tempfile = "3"
 scopeguard = "1.2.0"
 tracing = { version = "0.1.40", features = ["attributes"]}

tests/contest/contest/src/main.rs

@@ -22,6 +22,7 @@ use crate::tests::mounts_recursive::get_mounts_recursive_test;
 use crate::tests::no_pivot::get_no_pivot_test;
 use crate::tests::pidfile::get_pidfile_test;
 use crate::tests::process::get_process_test;
+use crate::tests::process_rlimits::get_process_rlimits_test;
 use crate::tests::readonly_paths::get_ro_paths_test;
 use crate::tests::scheduler::get_scheduler_test;
 use crate::tests::seccomp::get_seccomp_test;
@@ -116,6 +117,7 @@ fn main() -> Result<()> {
     let io_priority_test = get_io_priority_test();
     let devices = get_devices_test();
     let process = get_process_test();
+    let process_rlimtis = get_process_rlimits_test();
     let no_pivot = get_no_pivot_test();
 
     tm.add_test_group(Box::new(cl));
@@ -141,6 +143,7 @@ fn main() -> Result<()> {
     tm.add_test_group(Box::new(scheduler));
     tm.add_test_group(Box::new(devices));
     tm.add_test_group(Box::new(process));
+    tm.add_test_group(Box::new(process_rlimtis));
     tm.add_test_group(Box::new(no_pivot));
 
     tm.add_test_group(Box::new(io_priority_test));

tests/contest/contest/src/tests/mod.rs

@@ -12,6 +12,7 @@ pub mod mounts_recursive;
 pub mod no_pivot;
 pub mod pidfile;
 pub mod process;
+pub mod process_rlimits;
 pub mod readonly_paths;
 pub mod scheduler;
 pub mod seccomp;

tests/contest/contest/src/tests/process_rlimits/mod.rs

@@ -0,0 +1,2 @@
+mod process_rlimits_test;
+pub use process_rlimits_test::get_process_rlimits_test;

tests/contest/contest/src/tests/process_rlimits/process_rlimits_test.rs

@@ -0,0 +1,67 @@
+use anyhow::{Context, Ok, Result};
+use oci_spec::runtime::{
+    PosixRlimit, PosixRlimitBuilder, PosixRlimitType, ProcessBuilder, Spec, SpecBuilder,
+};
+use test_framework::{test_result, Test, TestGroup, TestResult};
+
+use crate::utils::test_inside_container;
+
+const GIGABYTES: u64 = 1024 * 1024 * 1024;
+
+fn create_rlimit(
+    rlimit_type: PosixRlimitType,
+    hard_val: u64,
+    soft_val: u64,
+) -> Result<PosixRlimit> {
+    let rlimit = PosixRlimitBuilder::default()
+        .typ(rlimit_type)
+        .hard(hard_val)
+        .soft(soft_val)
+        .build()?;
+    Ok(rlimit)
+}
+
+#[allow(clippy::identity_op)]
+fn create_spec() -> Result<Spec> {
+    let spec = SpecBuilder::default()
+        .process(
+            ProcessBuilder::default()
+                .args(vec![
+                    "runtimetest".to_string(),
+                    "process_rlimits".to_string(),
+                ])
+                .rlimits(vec![
+                    create_rlimit(PosixRlimitType::RlimitAs, 2 * GIGABYTES, 1 * GIGABYTES).unwrap(),
+                    create_rlimit(PosixRlimitType::RlimitCore, 4 * GIGABYTES, 3 * GIGABYTES)
+                        .unwrap(),
+                    create_rlimit(PosixRlimitType::RlimitData, 6 * GIGABYTES, 5 * GIGABYTES)
+                        .unwrap(),
+                    create_rlimit(PosixRlimitType::RlimitFsize, 8 * GIGABYTES, 7 * GIGABYTES)
+                        .unwrap(),
+                    create_rlimit(PosixRlimitType::RlimitStack, 10 * GIGABYTES, 9 * GIGABYTES)
+                        .unwrap(),
+                    create_rlimit(PosixRlimitType::RlimitCpu, 120, 60).unwrap(),
+                    create_rlimit(PosixRlimitType::RlimitNofile, 4000, 3000).unwrap(),
+                ])
+                .build()
+                .expect("error in creating process config"),
+        )
+        .build()
+        .context("failed to build spec")?;
+
+    Ok(spec)
+}
+
+fn process_rlimits_test() -> TestResult {
+    let spec = test_result!(create_spec());
+    test_inside_container(spec, &|_| Ok(()))
+}
+
+pub fn get_process_rlimits_test() -> TestGroup {
+    let mut process_rlimits_test_group = TestGroup::new("process_rlimits");
+
+    let test = Test::new("process_rlimits_test", Box::new(process_rlimits_test));
+    process_rlimits_test_group.add(vec![Box::new(test)]);
+
+    process_rlimits_test_group
+}

tests/contest/runtimetest/Cargo.toml

@@ -4,8 +4,8 @@ version = "0.0.1"
 edition = "2021"
 
 [dependencies]
-oci-spec = { version = "0.7.0", features = ["runtime"] }
+oci-spec = { version = "0.7.1", features = ["runtime"] }
 nix = "0.28.0"
 anyhow = "1.0"
-libc = "0.2.161" # TODO (YJDoc2) upgrade to latest
+libc = "0.2.162" # TODO (YJDoc2) upgrade to latest
 nc = "0.9.5"

tests/contest/runtimetest/src/main.rs

@@ -45,6 +45,7 @@ fn main() {
         "io_priority_class_idle" => tests::test_io_priority_class(&spec, IoprioClassIdle),
         "devices" => tests::validate_devices(&spec),
         "process" => tests::validate_process(&spec),
+        "process_rlimits" => tests::validate_process_rlimits(&spec),
         "no_pivot" => tests::validate_rootfs(),
         _ => eprintln!("error due to unexpected execute test name: {execute_test}"),
     }