From c15b117f127253d2f7d0daf7cde542c7bb736a43 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 19 Jan 2024 08:34:00 +0000 Subject: [PATCH] fix(deps): update module github.com/containers/storage to v1.52.0 Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 +- .../github.com/containers/storage/.cirrus.yml | 4 +- vendor/github.com/containers/storage/VERSION | 2 +- .../storage/drivers/quota/projectquota.go | 448 ----------------- .../drivers/quota/projectquota_supported.go | 449 ++++++++++++++++++ .../storage/pkg/chunked/storage_linux.go | 118 +++-- .../pkg/chunked/storage_unsupported.go | 3 +- .../storage/pkg/homedir/homedir_unix.go | 7 +- vendor/modules.txt | 4 +- 10 files changed, 546 insertions(+), 495 deletions(-) create mode 100644 vendor/github.com/containers/storage/drivers/quota/projectquota_supported.go diff --git a/go.mod b/go.mod index db6b7cd4c..7cf48a6ec 100644 --- a/go.mod +++ b/go.mod @@ -9,7 +9,7 @@ require ( github.com/containernetworking/plugins v1.4.0 github.com/containers/image/v5 v5.29.1-0.20231221164234-1b221d4a9c28 github.com/containers/ocicrypt v1.1.9 - github.com/containers/storage v1.51.1-0.20231221151421-1020ab61b4e5 + github.com/containers/storage v1.52.0 github.com/coreos/go-systemd/v22 v22.5.0 github.com/cyphar/filepath-securejoin v0.2.4 github.com/davecgh/go-spew v1.1.1 diff --git a/go.sum b/go.sum index 1b6e2eb89..7d558792f 100644 --- a/go.sum +++ b/go.sum @@ -56,8 +56,8 @@ github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 h1:Qzk5C6cYgle github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01/go.mod h1:9rfv8iPl1ZP7aqh9YA68wnZv2NUDbXdcdPHVz0pFbPY= github.com/containers/ocicrypt v1.1.9 h1:2Csfba4jse85Raxk5HIyEk8OwZNjRvfkhEGijOjIdEM= github.com/containers/ocicrypt v1.1.9/go.mod h1:dTKx1918d8TDkxXvarscpNVY+lyPakPNFN4jwA9GBys= -github.com/containers/storage v1.51.1-0.20231221151421-1020ab61b4e5 h1:HzlHfy8C02EMrA9YUMUxAAgL9G1XCD0saMU9Lwg4Gfg= -github.com/containers/storage v1.51.1-0.20231221151421-1020ab61b4e5/go.mod h1:s37+wxZpGp2eh4vzBKZl9vil/s+j6KhcrdgdMoWZGCg= +github.com/containers/storage v1.52.0 h1:8QFFeJg2cQFN0TyJguxHrSz3bl7XtMRnfXrTsvLVkuY= +github.com/containers/storage v1.52.0/go.mod h1:PE+L330tisEjQrAVkfAlW8ECvqzc/jusrxJzu9TEi2w= github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs= github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= diff --git a/vendor/github.com/containers/storage/.cirrus.yml b/vendor/github.com/containers/storage/.cirrus.yml index 43cfef280..09f4d9e9f 100644 --- a/vendor/github.com/containers/storage/.cirrus.yml +++ b/vendor/github.com/containers/storage/.cirrus.yml @@ -167,7 +167,7 @@ vendor_task: cross_task: container: - image: golang:1.19 + image: golang:1.20 build_script: make cross @@ -181,6 +181,6 @@ success_task: - vendor - cross container: - image: golang:1.19 + image: golang:1.20 clone_script: 'mkdir -p "$CIRRUS_WORKING_DIR"' # Source code not needed script: /bin/true diff --git a/vendor/github.com/containers/storage/VERSION b/vendor/github.com/containers/storage/VERSION index 6abf1916f..a63cb35e6 100644 --- a/vendor/github.com/containers/storage/VERSION +++ b/vendor/github.com/containers/storage/VERSION @@ -1 +1 @@ -1.51.1-dev +1.52.0 diff --git a/vendor/github.com/containers/storage/drivers/quota/projectquota.go b/vendor/github.com/containers/storage/drivers/quota/projectquota.go index 2be79698d..081fb2b10 100644 --- a/vendor/github.com/containers/storage/drivers/quota/projectquota.go +++ b/vendor/github.com/containers/storage/drivers/quota/projectquota.go @@ -1,453 +1,5 @@ -//go:build linux && !exclude_disk_quota && cgo -// +build linux,!exclude_disk_quota,cgo - -// -// projectquota.go - implements XFS project quota controls -// for setting quota limits on a newly created directory. -// It currently supports the legacy XFS specific ioctls. -// -// TODO: use generic quota control ioctl FS_IOC_FS{GET,SET}XATTR -// for both xfs/ext4 for kernel version >= v4.5 -// - package quota -/* -#include -#include -#include -#include -#include - -#ifndef FS_XFLAG_PROJINHERIT -struct fsxattr { - __u32 fsx_xflags; - __u32 fsx_extsize; - __u32 fsx_nextents; - __u32 fsx_projid; - unsigned char fsx_pad[12]; -}; -#define FS_XFLAG_PROJINHERIT 0x00000200 -#endif -#ifndef FS_IOC_FSGETXATTR -#define FS_IOC_FSGETXATTR _IOR ('X', 31, struct fsxattr) -#endif -#ifndef FS_IOC_FSSETXATTR -#define FS_IOC_FSSETXATTR _IOW ('X', 32, struct fsxattr) -#endif - -#ifndef PRJQUOTA -#define PRJQUOTA 2 -#endif -#ifndef FS_PROJ_QUOTA -#define FS_PROJ_QUOTA 2 -#endif -#ifndef Q_XSETPQLIM -#define Q_XSETPQLIM QCMD(Q_XSETQLIM, PRJQUOTA) -#endif -#ifndef Q_XGETPQUOTA -#define Q_XGETPQUOTA QCMD(Q_XGETQUOTA, PRJQUOTA) -#endif -*/ -import "C" - -import ( - "errors" - "fmt" - "math" - "os" - "path" - "path/filepath" - "sync" - "syscall" - "unsafe" - - "github.com/containers/storage/pkg/directory" - "github.com/sirupsen/logrus" - "golang.org/x/sys/unix" -) - -const projectIDsAllocatedPerQuotaHome = 10000 - // BackingFsBlockDeviceLink is the name of a file that we place in // the home directory of a driver that uses this package. const BackingFsBlockDeviceLink = "backingFsBlockDev" - -// Quota limit params - currently we only control blocks hard limit and inodes -type Quota struct { - Size uint64 - Inodes uint64 -} - -// Control - Context to be used by storage driver (e.g. overlay) -// who wants to apply project quotas to container dirs -type Control struct { - backingFsBlockDev string - nextProjectID uint32 - quotas *sync.Map - basePath string -} - -// Attempt to generate a unigue projectid. Multiple directories -// per file system can have quota and they need a group of unique -// ids. This function attempts to allocate at least projectIDsAllocatedPerQuotaHome(10000) -// unique projectids, based on the inode of the basepath. -func generateUniqueProjectID(path string) (uint32, error) { - fileinfo, err := os.Stat(path) - if err != nil { - return 0, err - } - stat, ok := fileinfo.Sys().(*syscall.Stat_t) - if !ok { - return 0, fmt.Errorf("not a syscall.Stat_t %s", path) - } - projectID := projectIDsAllocatedPerQuotaHome + (stat.Ino*projectIDsAllocatedPerQuotaHome)%(math.MaxUint32-projectIDsAllocatedPerQuotaHome) - return uint32(projectID), nil -} - -// NewControl - initialize project quota support. -// Test to make sure that quota can be set on a test dir and find -// the first project id to be used for the next container create. -// -// Returns nil (and error) if project quota is not supported. -// -// First get the project id of the basePath directory. -// This test will fail if the backing fs is not xfs. -// -// xfs_quota tool can be used to assign a project id to the driver home directory, e.g.: -// echo 100000:/var/lib/containers/storage/overlay >> /etc/projects -// echo 200000:/var/lib/containers/storage/volumes >> /etc/projects -// echo storage:100000 >> /etc/projid -// echo volumes:200000 >> /etc/projid -// xfs_quota -x -c 'project -s storage volumes' / -// -// In the example above, the storage directory project id will be used as a -// "start offset" and all containers will be assigned larger project ids -// (e.g. >= 100000). Then the volumes directory project id will be used as a -// "start offset" and all volumes will be assigned larger project ids -// (e.g. >= 200000). -// This is a way to prevent xfs_quota management from conflicting with -// containers/storage. - -// Then try to create a test directory with the next project id and set a quota -// on it. If that works, continue to scan existing containers to map allocated -// project ids. -func NewControl(basePath string) (*Control, error) { - // - // Get project id of parent dir as minimal id to be used by driver - // - minProjectID, err := getProjectID(basePath) - if err != nil { - return nil, err - } - if minProjectID == 0 { - // Indicates the storage was never initialized - // Generate a unique range of Projectids for this basepath - minProjectID, err = generateUniqueProjectID(basePath) - if err != nil { - return nil, err - } - - } - // - // create backing filesystem device node - // - backingFsBlockDev, err := makeBackingFsDev(basePath) - if err != nil { - return nil, err - } - - // - // Test if filesystem supports project quotas by trying to set - // a quota on the first available project id - // - quota := Quota{ - Size: 0, - Inodes: 0, - } - - q := Control{ - backingFsBlockDev: backingFsBlockDev, - nextProjectID: minProjectID + 1, - quotas: &sync.Map{}, - basePath: basePath, - } - - if err := q.setProjectQuota(minProjectID, quota); err != nil { - return nil, err - } - - // - // get first project id to be used for next container - // - err = q.findNextProjectID() - if err != nil { - return nil, err - } - - logrus.Debugf("NewControl(%s): nextProjectID = %d", basePath, q.nextProjectID) - return &q, nil -} - -// SetQuota - assign a unique project id to directory and set the quota limits -// for that project id -func (q *Control) SetQuota(targetPath string, quota Quota) error { - var projectID uint32 - value, ok := q.quotas.Load(targetPath) - if ok { - projectID, ok = value.(uint32) - } - if !ok { - projectID = q.nextProjectID - - // - // assign project id to new container directory - // - err := setProjectID(targetPath, projectID) - if err != nil { - return err - } - - q.quotas.Store(targetPath, projectID) - q.nextProjectID++ - } - - // - // set the quota limit for the container's project id - // - logrus.Debugf("SetQuota path=%s, size=%d, inodes=%d, projectID=%d", targetPath, quota.Size, quota.Inodes, projectID) - return q.setProjectQuota(projectID, quota) -} - -// ClearQuota removes the map entry in the quotas map for targetPath. -// It does so to prevent the map leaking entries as directories are deleted. -func (q *Control) ClearQuota(targetPath string) { - q.quotas.Delete(targetPath) -} - -// setProjectQuota - set the quota for project id on xfs block device -func (q *Control) setProjectQuota(projectID uint32, quota Quota) error { - var d C.fs_disk_quota_t - d.d_version = C.FS_DQUOT_VERSION - d.d_id = C.__u32(projectID) - d.d_flags = C.FS_PROJ_QUOTA - - if quota.Size > 0 { - d.d_fieldmask = d.d_fieldmask | C.FS_DQ_BHARD | C.FS_DQ_BSOFT - d.d_blk_hardlimit = C.__u64(quota.Size / 512) - d.d_blk_softlimit = d.d_blk_hardlimit - } - if quota.Inodes > 0 { - d.d_fieldmask = d.d_fieldmask | C.FS_DQ_IHARD | C.FS_DQ_ISOFT - d.d_ino_hardlimit = C.__u64(quota.Inodes) - d.d_ino_softlimit = d.d_ino_hardlimit - } - - cs := C.CString(q.backingFsBlockDev) - defer C.free(unsafe.Pointer(cs)) - - runQuotactl := func() syscall.Errno { - _, _, errno := unix.Syscall6(unix.SYS_QUOTACTL, C.Q_XSETPQLIM, - uintptr(unsafe.Pointer(cs)), uintptr(d.d_id), - uintptr(unsafe.Pointer(&d)), 0, 0) - return errno - } - - errno := runQuotactl() - - // If the backingFsBlockDev does not exist any more then try to recreate it. - if errors.Is(errno, unix.ENOENT) { - if _, err := makeBackingFsDev(q.basePath); err != nil { - return fmt.Errorf( - "failed to recreate missing backingFsBlockDev %s for projid %d: %w", - q.backingFsBlockDev, projectID, err, - ) - } - - if errno := runQuotactl(); errno != 0 { - return fmt.Errorf("failed to set quota limit for projid %d on %s after backingFsBlockDev recreation: %w", - projectID, q.backingFsBlockDev, errno) - } - - } else if errno != 0 { - return fmt.Errorf("failed to set quota limit for projid %d on %s: %w", - projectID, q.backingFsBlockDev, errno) - } - - return nil -} - -// GetQuota - get the quota limits of a directory that was configured with SetQuota -func (q *Control) GetQuota(targetPath string, quota *Quota) error { - d, err := q.fsDiskQuotaFromPath(targetPath) - if err != nil { - return err - } - quota.Size = uint64(d.d_blk_hardlimit) * 512 - quota.Inodes = uint64(d.d_ino_hardlimit) - return nil -} - -// GetDiskUsage - get the current disk usage of a directory that was configured with SetQuota -func (q *Control) GetDiskUsage(targetPath string, usage *directory.DiskUsage) error { - d, err := q.fsDiskQuotaFromPath(targetPath) - if err != nil { - return err - } - usage.Size = int64(d.d_bcount) * 512 - usage.InodeCount = int64(d.d_icount) - - return nil -} - -func (q *Control) fsDiskQuotaFromPath(targetPath string) (C.fs_disk_quota_t, error) { - var d C.fs_disk_quota_t - var projectID uint32 - value, ok := q.quotas.Load(targetPath) - if ok { - projectID, ok = value.(uint32) - } - if !ok { - return d, fmt.Errorf("quota not found for path : %s", targetPath) - } - - // - // get the quota limit for the container's project id - // - cs := C.CString(q.backingFsBlockDev) - defer C.free(unsafe.Pointer(cs)) - - _, _, errno := unix.Syscall6(unix.SYS_QUOTACTL, C.Q_XGETPQUOTA, - uintptr(unsafe.Pointer(cs)), uintptr(C.__u32(projectID)), - uintptr(unsafe.Pointer(&d)), 0, 0) - if errno != 0 { - return d, fmt.Errorf("failed to get quota limit for projid %d on %s: %w", - projectID, q.backingFsBlockDev, errno) - } - - return d, nil -} - -// getProjectID - get the project id of path on xfs -func getProjectID(targetPath string) (uint32, error) { - dir, err := openDir(targetPath) - if err != nil { - return 0, err - } - defer closeDir(dir) - - var fsx C.struct_fsxattr - _, _, errno := unix.Syscall(unix.SYS_IOCTL, getDirFd(dir), C.FS_IOC_FSGETXATTR, - uintptr(unsafe.Pointer(&fsx))) - if errno != 0 { - return 0, fmt.Errorf("failed to get projid for %s: %w", targetPath, errno) - } - - return uint32(fsx.fsx_projid), nil -} - -// setProjectID - set the project id of path on xfs -func setProjectID(targetPath string, projectID uint32) error { - dir, err := openDir(targetPath) - if err != nil { - return err - } - defer closeDir(dir) - - var fsx C.struct_fsxattr - _, _, errno := unix.Syscall(unix.SYS_IOCTL, getDirFd(dir), C.FS_IOC_FSGETXATTR, - uintptr(unsafe.Pointer(&fsx))) - if errno != 0 { - return fmt.Errorf("failed to get projid for %s: %w", targetPath, errno) - } - fsx.fsx_projid = C.__u32(projectID) - fsx.fsx_xflags |= C.FS_XFLAG_PROJINHERIT - _, _, errno = unix.Syscall(unix.SYS_IOCTL, getDirFd(dir), C.FS_IOC_FSSETXATTR, - uintptr(unsafe.Pointer(&fsx))) - if errno != 0 { - return fmt.Errorf("failed to set projid for %s: %w", targetPath, errno) - } - - return nil -} - -// findNextProjectID - find the next project id to be used for containers -// by scanning driver home directory to find used project ids -func (q *Control) findNextProjectID() error { - files, err := os.ReadDir(q.basePath) - if err != nil { - return fmt.Errorf("read directory failed : %s", q.basePath) - } - for _, file := range files { - if !file.IsDir() { - continue - } - path := filepath.Join(q.basePath, file.Name()) - projid, err := getProjectID(path) - if err != nil { - return err - } - if projid > 0 { - q.quotas.Store(path, projid) - } - if q.nextProjectID <= projid { - q.nextProjectID = projid + 1 - } - } - - return nil -} - -func free(p *C.char) { - C.free(unsafe.Pointer(p)) -} - -func openDir(path string) (*C.DIR, error) { - Cpath := C.CString(path) - defer free(Cpath) - - dir, errno := C.opendir(Cpath) - if dir == nil { - return nil, fmt.Errorf("can't open dir %v: %w", Cpath, errno) - } - return dir, nil -} - -func closeDir(dir *C.DIR) { - if dir != nil { - C.closedir(dir) - } -} - -func getDirFd(dir *C.DIR) uintptr { - return uintptr(C.dirfd(dir)) -} - -// Get the backing block device of the driver home directory -// and create a block device node under the home directory -// to be used by quotactl commands -func makeBackingFsDev(home string) (string, error) { - var stat unix.Stat_t - if err := unix.Stat(home, &stat); err != nil { - return "", err - } - - backingFsBlockDev := path.Join(home, BackingFsBlockDeviceLink) - backingFsBlockDevTmp := backingFsBlockDev + ".tmp" - // Re-create just in case someone copied the home directory over to a new device - if err := unix.Mknod(backingFsBlockDevTmp, unix.S_IFBLK|0o600, int(stat.Dev)); err != nil { - if !errors.Is(err, unix.EEXIST) { - return "", fmt.Errorf("failed to mknod %s: %w", backingFsBlockDevTmp, err) - } - // On EEXIST, try again after unlinking any potential leftover. - _ = unix.Unlink(backingFsBlockDevTmp) - if err := unix.Mknod(backingFsBlockDevTmp, unix.S_IFBLK|0o600, int(stat.Dev)); err != nil { - return "", fmt.Errorf("failed to mknod %s: %w", backingFsBlockDevTmp, err) - } - } - if err := unix.Rename(backingFsBlockDevTmp, backingFsBlockDev); err != nil { - return "", fmt.Errorf("failed to rename %s to %s: %w", backingFsBlockDevTmp, backingFsBlockDev, err) - } - - return backingFsBlockDev, nil -} diff --git a/vendor/github.com/containers/storage/drivers/quota/projectquota_supported.go b/vendor/github.com/containers/storage/drivers/quota/projectquota_supported.go new file mode 100644 index 000000000..b0623bdac --- /dev/null +++ b/vendor/github.com/containers/storage/drivers/quota/projectquota_supported.go @@ -0,0 +1,449 @@ +//go:build linux && !exclude_disk_quota && cgo +// +build linux,!exclude_disk_quota,cgo + +// +// projectquota.go - implements XFS project quota controls +// for setting quota limits on a newly created directory. +// It currently supports the legacy XFS specific ioctls. +// +// TODO: use generic quota control ioctl FS_IOC_FS{GET,SET}XATTR +// for both xfs/ext4 for kernel version >= v4.5 +// + +package quota + +/* +#include +#include +#include +#include +#include + +#ifndef FS_XFLAG_PROJINHERIT +struct fsxattr { + __u32 fsx_xflags; + __u32 fsx_extsize; + __u32 fsx_nextents; + __u32 fsx_projid; + unsigned char fsx_pad[12]; +}; +#define FS_XFLAG_PROJINHERIT 0x00000200 +#endif +#ifndef FS_IOC_FSGETXATTR +#define FS_IOC_FSGETXATTR _IOR ('X', 31, struct fsxattr) +#endif +#ifndef FS_IOC_FSSETXATTR +#define FS_IOC_FSSETXATTR _IOW ('X', 32, struct fsxattr) +#endif + +#ifndef PRJQUOTA +#define PRJQUOTA 2 +#endif +#ifndef FS_PROJ_QUOTA +#define FS_PROJ_QUOTA 2 +#endif +#ifndef Q_XSETPQLIM +#define Q_XSETPQLIM QCMD(Q_XSETQLIM, PRJQUOTA) +#endif +#ifndef Q_XGETPQUOTA +#define Q_XGETPQUOTA QCMD(Q_XGETQUOTA, PRJQUOTA) +#endif +*/ +import "C" + +import ( + "errors" + "fmt" + "math" + "os" + "path" + "path/filepath" + "sync" + "syscall" + "unsafe" + + "github.com/containers/storage/pkg/directory" + "github.com/sirupsen/logrus" + "golang.org/x/sys/unix" +) + +const projectIDsAllocatedPerQuotaHome = 10000 + +// Quota limit params - currently we only control blocks hard limit and inodes +type Quota struct { + Size uint64 + Inodes uint64 +} + +// Control - Context to be used by storage driver (e.g. overlay) +// who wants to apply project quotas to container dirs +type Control struct { + backingFsBlockDev string + nextProjectID uint32 + quotas *sync.Map + basePath string +} + +// Attempt to generate a unigue projectid. Multiple directories +// per file system can have quota and they need a group of unique +// ids. This function attempts to allocate at least projectIDsAllocatedPerQuotaHome(10000) +// unique projectids, based on the inode of the basepath. +func generateUniqueProjectID(path string) (uint32, error) { + fileinfo, err := os.Stat(path) + if err != nil { + return 0, err + } + stat, ok := fileinfo.Sys().(*syscall.Stat_t) + if !ok { + return 0, fmt.Errorf("not a syscall.Stat_t %s", path) + } + projectID := projectIDsAllocatedPerQuotaHome + (stat.Ino*projectIDsAllocatedPerQuotaHome)%(math.MaxUint32-projectIDsAllocatedPerQuotaHome) + return uint32(projectID), nil +} + +// NewControl - initialize project quota support. +// Test to make sure that quota can be set on a test dir and find +// the first project id to be used for the next container create. +// +// Returns nil (and error) if project quota is not supported. +// +// First get the project id of the basePath directory. +// This test will fail if the backing fs is not xfs. +// +// xfs_quota tool can be used to assign a project id to the driver home directory, e.g.: +// echo 100000:/var/lib/containers/storage/overlay >> /etc/projects +// echo 200000:/var/lib/containers/storage/volumes >> /etc/projects +// echo storage:100000 >> /etc/projid +// echo volumes:200000 >> /etc/projid +// xfs_quota -x -c 'project -s storage volumes' / +// +// In the example above, the storage directory project id will be used as a +// "start offset" and all containers will be assigned larger project ids +// (e.g. >= 100000). Then the volumes directory project id will be used as a +// "start offset" and all volumes will be assigned larger project ids +// (e.g. >= 200000). +// This is a way to prevent xfs_quota management from conflicting with +// containers/storage. + +// Then try to create a test directory with the next project id and set a quota +// on it. If that works, continue to scan existing containers to map allocated +// project ids. +func NewControl(basePath string) (*Control, error) { + // + // Get project id of parent dir as minimal id to be used by driver + // + minProjectID, err := getProjectID(basePath) + if err != nil { + return nil, err + } + if minProjectID == 0 { + // Indicates the storage was never initialized + // Generate a unique range of Projectids for this basepath + minProjectID, err = generateUniqueProjectID(basePath) + if err != nil { + return nil, err + } + + } + // + // create backing filesystem device node + // + backingFsBlockDev, err := makeBackingFsDev(basePath) + if err != nil { + return nil, err + } + + // + // Test if filesystem supports project quotas by trying to set + // a quota on the first available project id + // + quota := Quota{ + Size: 0, + Inodes: 0, + } + + q := Control{ + backingFsBlockDev: backingFsBlockDev, + nextProjectID: minProjectID + 1, + quotas: &sync.Map{}, + basePath: basePath, + } + + if err := q.setProjectQuota(minProjectID, quota); err != nil { + return nil, err + } + + // + // get first project id to be used for next container + // + err = q.findNextProjectID() + if err != nil { + return nil, err + } + + logrus.Debugf("NewControl(%s): nextProjectID = %d", basePath, q.nextProjectID) + return &q, nil +} + +// SetQuota - assign a unique project id to directory and set the quota limits +// for that project id +func (q *Control) SetQuota(targetPath string, quota Quota) error { + var projectID uint32 + value, ok := q.quotas.Load(targetPath) + if ok { + projectID, ok = value.(uint32) + } + if !ok { + projectID = q.nextProjectID + + // + // assign project id to new container directory + // + err := setProjectID(targetPath, projectID) + if err != nil { + return err + } + + q.quotas.Store(targetPath, projectID) + q.nextProjectID++ + } + + // + // set the quota limit for the container's project id + // + logrus.Debugf("SetQuota path=%s, size=%d, inodes=%d, projectID=%d", targetPath, quota.Size, quota.Inodes, projectID) + return q.setProjectQuota(projectID, quota) +} + +// ClearQuota removes the map entry in the quotas map for targetPath. +// It does so to prevent the map leaking entries as directories are deleted. +func (q *Control) ClearQuota(targetPath string) { + q.quotas.Delete(targetPath) +} + +// setProjectQuota - set the quota for project id on xfs block device +func (q *Control) setProjectQuota(projectID uint32, quota Quota) error { + var d C.fs_disk_quota_t + d.d_version = C.FS_DQUOT_VERSION + d.d_id = C.__u32(projectID) + d.d_flags = C.FS_PROJ_QUOTA + + if quota.Size > 0 { + d.d_fieldmask = d.d_fieldmask | C.FS_DQ_BHARD | C.FS_DQ_BSOFT + d.d_blk_hardlimit = C.__u64(quota.Size / 512) + d.d_blk_softlimit = d.d_blk_hardlimit + } + if quota.Inodes > 0 { + d.d_fieldmask = d.d_fieldmask | C.FS_DQ_IHARD | C.FS_DQ_ISOFT + d.d_ino_hardlimit = C.__u64(quota.Inodes) + d.d_ino_softlimit = d.d_ino_hardlimit + } + + cs := C.CString(q.backingFsBlockDev) + defer C.free(unsafe.Pointer(cs)) + + runQuotactl := func() syscall.Errno { + _, _, errno := unix.Syscall6(unix.SYS_QUOTACTL, C.Q_XSETPQLIM, + uintptr(unsafe.Pointer(cs)), uintptr(d.d_id), + uintptr(unsafe.Pointer(&d)), 0, 0) + return errno + } + + errno := runQuotactl() + + // If the backingFsBlockDev does not exist any more then try to recreate it. + if errors.Is(errno, unix.ENOENT) { + if _, err := makeBackingFsDev(q.basePath); err != nil { + return fmt.Errorf( + "failed to recreate missing backingFsBlockDev %s for projid %d: %w", + q.backingFsBlockDev, projectID, err, + ) + } + + if errno := runQuotactl(); errno != 0 { + return fmt.Errorf("failed to set quota limit for projid %d on %s after backingFsBlockDev recreation: %w", + projectID, q.backingFsBlockDev, errno) + } + + } else if errno != 0 { + return fmt.Errorf("failed to set quota limit for projid %d on %s: %w", + projectID, q.backingFsBlockDev, errno) + } + + return nil +} + +// GetQuota - get the quota limits of a directory that was configured with SetQuota +func (q *Control) GetQuota(targetPath string, quota *Quota) error { + d, err := q.fsDiskQuotaFromPath(targetPath) + if err != nil { + return err + } + quota.Size = uint64(d.d_blk_hardlimit) * 512 + quota.Inodes = uint64(d.d_ino_hardlimit) + return nil +} + +// GetDiskUsage - get the current disk usage of a directory that was configured with SetQuota +func (q *Control) GetDiskUsage(targetPath string, usage *directory.DiskUsage) error { + d, err := q.fsDiskQuotaFromPath(targetPath) + if err != nil { + return err + } + usage.Size = int64(d.d_bcount) * 512 + usage.InodeCount = int64(d.d_icount) + + return nil +} + +func (q *Control) fsDiskQuotaFromPath(targetPath string) (C.fs_disk_quota_t, error) { + var d C.fs_disk_quota_t + var projectID uint32 + value, ok := q.quotas.Load(targetPath) + if ok { + projectID, ok = value.(uint32) + } + if !ok { + return d, fmt.Errorf("quota not found for path : %s", targetPath) + } + + // + // get the quota limit for the container's project id + // + cs := C.CString(q.backingFsBlockDev) + defer C.free(unsafe.Pointer(cs)) + + _, _, errno := unix.Syscall6(unix.SYS_QUOTACTL, C.Q_XGETPQUOTA, + uintptr(unsafe.Pointer(cs)), uintptr(C.__u32(projectID)), + uintptr(unsafe.Pointer(&d)), 0, 0) + if errno != 0 { + return d, fmt.Errorf("failed to get quota limit for projid %d on %s: %w", + projectID, q.backingFsBlockDev, errno) + } + + return d, nil +} + +// getProjectID - get the project id of path on xfs +func getProjectID(targetPath string) (uint32, error) { + dir, err := openDir(targetPath) + if err != nil { + return 0, err + } + defer closeDir(dir) + + var fsx C.struct_fsxattr + _, _, errno := unix.Syscall(unix.SYS_IOCTL, getDirFd(dir), C.FS_IOC_FSGETXATTR, + uintptr(unsafe.Pointer(&fsx))) + if errno != 0 { + return 0, fmt.Errorf("failed to get projid for %s: %w", targetPath, errno) + } + + return uint32(fsx.fsx_projid), nil +} + +// setProjectID - set the project id of path on xfs +func setProjectID(targetPath string, projectID uint32) error { + dir, err := openDir(targetPath) + if err != nil { + return err + } + defer closeDir(dir) + + var fsx C.struct_fsxattr + _, _, errno := unix.Syscall(unix.SYS_IOCTL, getDirFd(dir), C.FS_IOC_FSGETXATTR, + uintptr(unsafe.Pointer(&fsx))) + if errno != 0 { + return fmt.Errorf("failed to get projid for %s: %w", targetPath, errno) + } + fsx.fsx_projid = C.__u32(projectID) + fsx.fsx_xflags |= C.FS_XFLAG_PROJINHERIT + _, _, errno = unix.Syscall(unix.SYS_IOCTL, getDirFd(dir), C.FS_IOC_FSSETXATTR, + uintptr(unsafe.Pointer(&fsx))) + if errno != 0 { + return fmt.Errorf("failed to set projid for %s: %w", targetPath, errno) + } + + return nil +} + +// findNextProjectID - find the next project id to be used for containers +// by scanning driver home directory to find used project ids +func (q *Control) findNextProjectID() error { + files, err := os.ReadDir(q.basePath) + if err != nil { + return fmt.Errorf("read directory failed : %s", q.basePath) + } + for _, file := range files { + if !file.IsDir() { + continue + } + path := filepath.Join(q.basePath, file.Name()) + projid, err := getProjectID(path) + if err != nil { + return err + } + if projid > 0 { + q.quotas.Store(path, projid) + } + if q.nextProjectID <= projid { + q.nextProjectID = projid + 1 + } + } + + return nil +} + +func free(p *C.char) { + C.free(unsafe.Pointer(p)) +} + +func openDir(path string) (*C.DIR, error) { + Cpath := C.CString(path) + defer free(Cpath) + + dir, errno := C.opendir(Cpath) + if dir == nil { + return nil, fmt.Errorf("can't open dir %v: %w", Cpath, errno) + } + return dir, nil +} + +func closeDir(dir *C.DIR) { + if dir != nil { + C.closedir(dir) + } +} + +func getDirFd(dir *C.DIR) uintptr { + return uintptr(C.dirfd(dir)) +} + +// Get the backing block device of the driver home directory +// and create a block device node under the home directory +// to be used by quotactl commands +func makeBackingFsDev(home string) (string, error) { + var stat unix.Stat_t + if err := unix.Stat(home, &stat); err != nil { + return "", err + } + + backingFsBlockDev := path.Join(home, BackingFsBlockDeviceLink) + backingFsBlockDevTmp := backingFsBlockDev + ".tmp" + // Re-create just in case someone copied the home directory over to a new device + if err := unix.Mknod(backingFsBlockDevTmp, unix.S_IFBLK|0o600, int(stat.Dev)); err != nil { + if !errors.Is(err, unix.EEXIST) { + return "", fmt.Errorf("failed to mknod %s: %w", backingFsBlockDevTmp, err) + } + // On EEXIST, try again after unlinking any potential leftover. + _ = unix.Unlink(backingFsBlockDevTmp) + if err := unix.Mknod(backingFsBlockDevTmp, unix.S_IFBLK|0o600, int(stat.Dev)); err != nil { + return "", fmt.Errorf("failed to mknod %s: %w", backingFsBlockDevTmp, err) + } + } + if err := unix.Rename(backingFsBlockDevTmp, backingFsBlockDev); err != nil { + return "", fmt.Errorf("failed to rename %s to %s: %w", backingFsBlockDevTmp, backingFsBlockDev, err) + } + + return backingFsBlockDev, nil +} diff --git a/vendor/github.com/containers/storage/pkg/chunked/storage_linux.go b/vendor/github.com/containers/storage/pkg/chunked/storage_linux.go index f278628e8..8c54a5ae2 100644 --- a/vendor/github.com/containers/storage/pkg/chunked/storage_linux.go +++ b/vendor/github.com/containers/storage/pkg/chunked/storage_linux.go @@ -86,6 +86,11 @@ type chunkedDiffer struct { // the layer are trusted and should not be validated. skipValidation bool + // blobDigest is the digest of the whole compressed layer. It is used if + // convertToZstdChunked to validate a layer when it is converted since there + // is no TOC referenced by the manifest. + blobDigest digest.Digest + blobSize int64 storeOpts *types.StoreOptions @@ -188,33 +193,7 @@ func (f *seekableFile) GetBlobAt(chunks []ImageSourceChunk) (chan io.ReadCloser, return streams, errs, nil } -func convertTarToZstdChunked(destDirectory string, blobSize int64, iss ImageSourceSeekable) (*seekableFile, digest.Digest, map[string]string, error) { - var payload io.ReadCloser - var streams chan io.ReadCloser - var errs chan error - var err error - - chunksToRequest := []ImageSourceChunk{ - { - Offset: 0, - Length: uint64(blobSize), - }, - } - - streams, errs, err = iss.GetBlobAt(chunksToRequest) - if err != nil { - return nil, "", nil, err - } - select { - case p := <-streams: - payload = p - case err := <-errs: - return nil, "", nil, err - } - if payload == nil { - return nil, "", nil, errors.New("invalid stream returned") - } - +func convertTarToZstdChunked(destDirectory string, payload *os.File) (*seekableFile, digest.Digest, map[string]string, error) { diff, err := archive.DecompressStream(payload) if err != nil { return nil, "", nil, err @@ -235,10 +214,8 @@ func convertTarToZstdChunked(destDirectory string, blobSize int64, iss ImageSour return nil, "", nil, err } - digester := digest.Canonical.Digester() - hash := digester.Hash() - - if _, err := io.Copy(io.MultiWriter(chunked, hash), diff); err != nil { + convertedOutputDigester := digest.Canonical.Digester() + if _, err := io.Copy(io.MultiWriter(chunked, convertedOutputDigester.Hash()), diff); err != nil { f.Close() return nil, "", nil, err } @@ -249,11 +226,12 @@ func convertTarToZstdChunked(destDirectory string, blobSize int64, iss ImageSour is := seekableFile{ file: f, } - return &is, digester.Digest(), newAnnotations, nil + + return &is, convertedOutputDigester.Digest(), newAnnotations, nil } // GetDiffer returns a differ than can be used with ApplyDiffWithDiffer. -func GetDiffer(ctx context.Context, store storage.Store, blobSize int64, annotations map[string]string, iss ImageSourceSeekable) (graphdriver.Differ, error) { +func GetDiffer(ctx context.Context, store storage.Store, blobDigest digest.Digest, blobSize int64, annotations map[string]string, iss ImageSourceSeekable) (graphdriver.Differ, error) { storeOpts, err := types.DefaultStoreOptions() if err != nil { return nil, err @@ -273,10 +251,10 @@ func GetDiffer(ctx context.Context, store storage.Store, blobSize int64, annotat return makeEstargzChunkedDiffer(ctx, store, blobSize, annotations, iss, &storeOpts) } - return makeConvertFromRawDiffer(ctx, store, blobSize, annotations, iss, &storeOpts) + return makeConvertFromRawDiffer(ctx, store, blobDigest, blobSize, annotations, iss, &storeOpts) } -func makeConvertFromRawDiffer(ctx context.Context, store storage.Store, blobSize int64, annotations map[string]string, iss ImageSourceSeekable, storeOpts *types.StoreOptions) (*chunkedDiffer, error) { +func makeConvertFromRawDiffer(ctx context.Context, store storage.Store, blobDigest digest.Digest, blobSize int64, annotations map[string]string, iss ImageSourceSeekable, storeOpts *types.StoreOptions) (*chunkedDiffer, error) { if !parseBooleanPullOption(storeOpts, "convert_images", false) { return nil, errors.New("convert_images not configured") } @@ -287,6 +265,7 @@ func makeConvertFromRawDiffer(ctx context.Context, store storage.Store, blobSize } return &chunkedDiffer{ + blobDigest: blobDigest, blobSize: blobSize, convertToZstdChunked: true, copyBuffer: makeCopyBuffer(), @@ -1498,6 +1477,43 @@ func makeEntriesFlat(mergedEntries []internal.FileMetadata) ([]internal.FileMeta return new, nil } +func (c *chunkedDiffer) copyAllBlobToFile(destination *os.File) (digest.Digest, error) { + var payload io.ReadCloser + var streams chan io.ReadCloser + var errs chan error + var err error + + chunksToRequest := []ImageSourceChunk{ + { + Offset: 0, + Length: uint64(c.blobSize), + }, + } + + streams, errs, err = c.stream.GetBlobAt(chunksToRequest) + if err != nil { + return "", err + } + select { + case p := <-streams: + payload = p + case err := <-errs: + return "", err + } + if payload == nil { + return "", errors.New("invalid stream returned") + } + + originalRawDigester := digest.Canonical.Digester() + + r := io.TeeReader(payload, originalRawDigester.Hash()) + + // copy the entire tarball and compute its digest + _, err = io.Copy(destination, r) + + return originalRawDigester.Digest(), err +} + func (c *chunkedDiffer) ApplyDiff(dest string, options *archive.TarOptions, differOpts *graphdriver.DifferOptions) (graphdriver.DriverWithDifferOutput, error) { defer c.layersCache.release() defer func() { @@ -1510,7 +1526,32 @@ func (c *chunkedDiffer) ApplyDiff(dest string, options *archive.TarOptions, diff stream := c.stream if c.convertToZstdChunked { - fileSource, diffID, annotations, err := convertTarToZstdChunked(dest, c.blobSize, c.stream) + fd, err := unix.Open(dest, unix.O_TMPFILE|unix.O_RDWR|unix.O_CLOEXEC, 0o600) + if err != nil { + return graphdriver.DriverWithDifferOutput{}, err + } + blobFile := os.NewFile(uintptr(fd), "blob-file") + defer func() { + if blobFile != nil { + blobFile.Close() + } + }() + + // calculate the checksum before accessing the file. + compressedDigest, err := c.copyAllBlobToFile(blobFile) + if err != nil { + return graphdriver.DriverWithDifferOutput{}, err + } + + if compressedDigest != c.blobDigest { + return graphdriver.DriverWithDifferOutput{}, fmt.Errorf("invalid digest to convert: expected %q, got %q", c.blobDigest, compressedDigest) + } + + if _, err := blobFile.Seek(0, io.SeekStart); err != nil { + return graphdriver.DriverWithDifferOutput{}, err + } + + fileSource, diffID, annotations, err := convertTarToZstdChunked(dest, blobFile) if err != nil { return graphdriver.DriverWithDifferOutput{}, err } @@ -1518,6 +1559,10 @@ func (c *chunkedDiffer) ApplyDiff(dest string, options *archive.TarOptions, diff // need to keep it open until the entire file is processed. defer fileSource.Close() + // Close the file so that the file descriptor is released and the file is deleted. + blobFile.Close() + blobFile = nil + manifest, tarSplit, tocOffset, err := readZstdChunkedManifest(fileSource, c.blobSize, annotations) if err != nil { return graphdriver.DriverWithDifferOutput{}, fmt.Errorf("read zstd:chunked manifest: %w", err) @@ -1530,6 +1575,7 @@ func (c *chunkedDiffer) ApplyDiff(dest string, options *archive.TarOptions, diff c.fileType = fileTypeZstdChunked c.manifest = manifest c.tarSplit = tarSplit + // since we retrieved the whole file and it was validated, use the diffID instead of the TOC digest. c.contentDigest = diffID c.tocOffset = tocOffset diff --git a/vendor/github.com/containers/storage/pkg/chunked/storage_unsupported.go b/vendor/github.com/containers/storage/pkg/chunked/storage_unsupported.go index 8d3fcf2ba..ac6bdfec7 100644 --- a/vendor/github.com/containers/storage/pkg/chunked/storage_unsupported.go +++ b/vendor/github.com/containers/storage/pkg/chunked/storage_unsupported.go @@ -9,9 +9,10 @@ import ( storage "github.com/containers/storage" graphdriver "github.com/containers/storage/drivers" + digest "github.com/opencontainers/go-digest" ) // GetDiffer returns a differ than can be used with ApplyDiffWithDiffer. -func GetDiffer(ctx context.Context, store storage.Store, blobSize int64, annotations map[string]string, iss ImageSourceSeekable) (graphdriver.Differ, error) { +func GetDiffer(ctx context.Context, store storage.Store, blobDigest digest.Digest, blobSize int64, annotations map[string]string, iss ImageSourceSeekable) (graphdriver.Differ, error) { return nil, errors.New("format not supported on this system") } diff --git a/vendor/github.com/containers/storage/pkg/homedir/homedir_unix.go b/vendor/github.com/containers/storage/pkg/homedir/homedir_unix.go index 3ac9ff699..45be87659 100644 --- a/vendor/github.com/containers/storage/pkg/homedir/homedir_unix.go +++ b/vendor/github.com/containers/storage/pkg/homedir/homedir_unix.go @@ -118,10 +118,13 @@ func GetConfigHome() (string, error) { tmpDir := filepath.Join(resolvedHome, ".config") _ = os.MkdirAll(tmpDir, 0o700) st, err := os.Stat(tmpDir) - if err == nil && int(st.Sys().(*syscall.Stat_t).Uid) == os.Geteuid() && isWriteableOnlyByOwner(st.Mode().Perm()) { + if err != nil { + rootlessConfigHomeDirError = err + return + } else if int(st.Sys().(*syscall.Stat_t).Uid) == os.Geteuid() { cfgHomeDir = tmpDir } else { - rootlessConfigHomeDirError = fmt.Errorf("path %q exists and it is not writeable only by the current user", tmpDir) + rootlessConfigHomeDirError = fmt.Errorf("path %q exists and it is not owned by the current user", tmpDir) return } } diff --git a/vendor/modules.txt b/vendor/modules.txt index d84830d3f..fb957fda6 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -179,8 +179,8 @@ github.com/containers/ocicrypt/keywrap/pkcs7 github.com/containers/ocicrypt/spec github.com/containers/ocicrypt/utils github.com/containers/ocicrypt/utils/keyprovider -# github.com/containers/storage v1.51.1-0.20231221151421-1020ab61b4e5 -## explicit; go 1.19 +# github.com/containers/storage v1.52.0 +## explicit; go 1.20 github.com/containers/storage github.com/containers/storage/drivers github.com/containers/storage/drivers/aufs