Less interfaces

CHANGELOG.md

@@ -6,6 +6,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Deprecated
+
+ * `runc` option `--criu` is now ignored (with a warning), and the option will
+   be removed entirely in a future release. Users who need a non-standard
+   `criu` binary should rely on the standard way of looking up binaries in
+   `$PATH`. (#3316)
+
 ### Changed
 
  * When Intel RDT feature is not available, its initialization is skipped,

contrib/completions/bash/runc

@@ -231,12 +231,11 @@ _runc_runc() {
 		--log
 		--log-format
 		--root
-		--criu
 		--rootless
 	"
 
 	case "$prev" in
-	--log | --root | --criu)
+	--log | --root)
 		case "$cur" in
 		*:*) ;; # TODO somehow do _filedir for stuff inside the image, if it's already specified (which is also somewhat difficult to determine)
 		'')

delete.go

@@ -13,7 +13,7 @@ import (
 	"golang.org/x/sys/unix"
 )
 
-func killContainer(container libcontainer.Container) error {
+func killContainer(container *libcontainer.Container) error {
 	_ = container.Signal(unix.SIGKILL, false)
 	for i := 0; i < 100; i++ {
 		time.Sleep(100 * time.Millisecond)

init.go

@@ -3,11 +3,9 @@ package main
 import (
 	"os"
 	"runtime"
-	"strconv"
 
 	"github.com/opencontainers/runc/libcontainer"
 	_ "github.com/opencontainers/runc/libcontainer/nsenter"
-	"github.com/sirupsen/logrus"
 )
 
 func init() {
@@ -17,23 +15,7 @@ func init() {
 		runtime.GOMAXPROCS(1)
 		runtime.LockOSThread()
 
-		level, err := strconv.Atoi(os.Getenv("_LIBCONTAINER_LOGLEVEL"))
-		if err != nil {
-			panic(err)
-		}
-
-		logPipeFd, err := strconv.Atoi(os.Getenv("_LIBCONTAINER_LOGPIPE"))
-		if err != nil {
-			panic(err)
-		}
-
-		logrus.SetLevel(logrus.Level(level))
-		logrus.SetOutput(os.NewFile(uintptr(logPipeFd), "logpipe"))
-		logrus.SetFormatter(new(logrus.JSONFormatter))
-		logrus.Debug("child process in init()")
-
-		factory, _ := libcontainer.New("")
-		if err := factory.StartInitialization(); err != nil {
+		if err := libcontainer.StartInitialization(); err != nil {
 			// as the error is sent back to the parent there is no need to log
 			// or write it to stderr because the parent process will handle this
 			os.Exit(1)

libcontainer/README.md

@@ -32,8 +32,7 @@ func init() {
 	if len(os.Args) > 1 && os.Args[1] == "init" {
 		runtime.GOMAXPROCS(1)
 		runtime.LockOSThread()
-		factory, _ := libcontainer.New("")
-		if err := factory.StartInitialization(); err != nil {
+		if err := libcontainer.StartInitialization(); err != nil {
 			logrus.Fatal(err)
 		}
 		panic("--this line should have never been executed, congratulations--")
@@ -45,7 +44,7 @@ Then to create a container you first have to initialize an instance of a factory
 that will handle the creation and initialization for a container.
 
 ```go
-factory, err := libcontainer.New("/var/lib/container", libcontainer.Cgroupfs, libcontainer.InitArgs(os.Args[0], "init"))
+factory, err := libcontainer.New("/var/lib/container")
 if err != nil {
 	logrus.Fatal(err)
 	return

libcontainer/capabilities/capabilities.go

@@ -7,7 +7,7 @@ import (
 	"sort"
 	"strings"
 
-	"github.com/opencontainers/runc/libcontainer/configs"
+	"github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/sirupsen/logrus"
 	"github.com/syndtr/gocapability/capability"
 )
@@ -49,7 +49,7 @@ func KnownCapabilities() []string {
 // New creates a new Caps from the given Capabilities config. Unknown Capabilities
 // or Capabilities that are unavailable in the current environment are ignored,
 // printing a warning instead.
-func New(capConfig *configs.Capabilities) (*Caps, error) {
+func New(capConfig *specs.LinuxCapabilities) (*Caps, error) {
 	var (
 		err error
 		c   Caps

libcontainer/capabilities/capabilities_linux_test.go

@@ -5,15 +5,15 @@ import (
 	"os"
 	"testing"
 
-	"github.com/opencontainers/runc/libcontainer/configs"
+	"github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/sirupsen/logrus"
 	"github.com/sirupsen/logrus/hooks/test"
 	"github.com/syndtr/gocapability/capability"
 )
 
 func TestNew(t *testing.T) {
 	cs := []string{"CAP_CHOWN", "CAP_UNKNOWN", "CAP_UNKNOWN2"}
-	conf := configs.Capabilities{
+	conf := specs.LinuxCapabilities{
 		Bounding:    cs,
 		Effective:   cs,
 		Inheritable: cs,

libcontainer/configs/config.go

@@ -83,9 +83,6 @@ type Syscall struct {
 	Args     []*Arg `json:"args"`
 }
 
-// TODO Windows. Many of these fields should be factored out into those parts
-// which are common across platforms, and those which are platform specific.
-
 // Config defines configuration options for executing a process inside a contained environment.
 type Config struct {
 	// NoPivotRoot will use MS_MOVE and a chroot to jail the process into the container's rootfs
@@ -127,7 +124,7 @@ type Config struct {
 
 	// Capabilities specify the capabilities to keep when executing the process inside the container
 	// All capabilities not specified will be dropped from the processes capability mask
-	Capabilities *Capabilities `json:"capabilities"`
+	Capabilities *specs.LinuxCapabilities `json:"capabilities"`
 
 	// Networks specifies the container's network setup to be created
 	Networks []*Network `json:"networks"`
@@ -264,19 +261,6 @@ func KnownHookNames() []string {
 	}
 }
 
-type Capabilities struct {
-	// Bounding is the set of capabilities checked by the kernel.
-	Bounding []string
-	// Effective is the set of capabilities checked by the kernel.
-	Effective []string
-	// Inheritable is the capabilities preserved across execve.
-	Inheritable []string
-	// Permitted is the limiting superset for effective capabilities.
-	Permitted []string
-	// Ambient is the ambient set of capabilities that are kept.
-	Ambient []string
-}
-
 func (hooks HookList) RunHooks(state *specs.State) error {
 	for i, h := range hooks {
 		if err := h.Run(state); err != nil {

libcontainer/configs/validate/rootless.go

@@ -8,9 +8,9 @@ import (
 	"github.com/opencontainers/runc/libcontainer/configs"
 )
 
-// rootlessEUID makes sure that the config can be applied when runc
+// rootlessEUIDCheck makes sure that the config can be applied when runc
 // is being executed as a non-root user (euid != 0) in the current user namespace.
-func (v *ConfigValidator) rootlessEUID(config *configs.Config) error {
+func rootlessEUIDCheck(config *configs.Config) error {
 	if !config.RootlessEUID {
 		return nil
 	}

libcontainer/configs/validate/rootless_test.go

@@ -34,42 +34,34 @@ func rootlessEUIDConfig() *configs.Config {
 }
 
 func TestValidateRootlessEUID(t *testing.T) {
-	validator := New()
-
 	config := rootlessEUIDConfig()
-	if err := validator.Validate(config); err != nil {
+	if err := Validate(config); err != nil {
 		t.Errorf("Expected error to not occur: %+v", err)
 	}
 }
 
 /* rootlessEUIDMappings */
 
 func TestValidateRootlessEUIDUserns(t *testing.T) {
-	validator := New()
-
 	config := rootlessEUIDConfig()
 	config.Namespaces = nil
-	if err := validator.Validate(config); err == nil {
+	if err := Validate(config); err == nil {
 		t.Errorf("Expected error to occur if user namespaces not set")
 	}
 }
 
 func TestValidateRootlessEUIDMappingUid(t *testing.T) {
-	validator := New()
-
 	config := rootlessEUIDConfig()
 	config.UidMappings = nil
-	if err := validator.Validate(config); err == nil {
+	if err := Validate(config); err == nil {
 		t.Errorf("Expected error to occur if no uid mappings provided")
 	}
 }
 
 func TestValidateNonZeroEUIDMappingGid(t *testing.T) {
-	validator := New()
-
 	config := rootlessEUIDConfig()
 	config.GidMappings = nil
-	if err := validator.Validate(config); err == nil {
+	if err := Validate(config); err == nil {
 		t.Errorf("Expected error to occur if no gid mappings provided")
 	}
 }
@@ -78,8 +70,6 @@ func TestValidateNonZeroEUIDMappingGid(t *testing.T) {
 
 func TestValidateRootlessEUIDMountUid(t *testing.T) {
 	config := rootlessEUIDConfig()
-	validator := New()
-
 	config.Mounts = []*configs.Mount{
 		{
 			Source:      "devpts",
@@ -88,37 +78,35 @@ func TestValidateRootlessEUIDMountUid(t *testing.T) {
 		},
 	}
 
-	if err := validator.Validate(config); err != nil {
+	if err := Validate(config); err != nil {
 		t.Errorf("Expected error to not occur when uid= not set in mount options: %+v", err)
 	}
 
 	config.Mounts[0].Data = "uid=5"
-	if err := validator.Validate(config); err == nil {
+	if err := Validate(config); err == nil {
 		t.Errorf("Expected error to occur when setting uid=5 in mount options")
 	}
 
 	config.Mounts[0].Data = "uid=0"
-	if err := validator.Validate(config); err != nil {
+	if err := Validate(config); err != nil {
 		t.Errorf("Expected error to not occur when setting uid=0 in mount options: %+v", err)
 	}
 
 	config.Mounts[0].Data = "uid=2"
 	config.UidMappings[0].Size = 10
-	if err := validator.Validate(config); err != nil {
+	if err := Validate(config); err != nil {
 		t.Errorf("Expected error to not occur when setting uid=2 in mount options and UidMapping[0].size is 10")
 	}
 
 	config.Mounts[0].Data = "uid=20"
 	config.UidMappings[0].Size = 10
-	if err := validator.Validate(config); err == nil {
+	if err := Validate(config); err == nil {
 		t.Errorf("Expected error to occur when setting uid=20 in mount options and UidMapping[0].size is 10")
 	}
 }
 
 func TestValidateRootlessEUIDMountGid(t *testing.T) {
 	config := rootlessEUIDConfig()
-	validator := New()
-
 	config.Mounts = []*configs.Mount{
 		{
 			Source:      "devpts",
@@ -127,29 +115,29 @@ func TestValidateRootlessEUIDMountGid(t *testing.T) {
 		},
 	}
 
-	if err := validator.Validate(config); err != nil {
+	if err := Validate(config); err != nil {
 		t.Errorf("Expected error to not occur when gid= not set in mount options: %+v", err)
 	}
 
 	config.Mounts[0].Data = "gid=5"
-	if err := validator.Validate(config); err == nil {
+	if err := Validate(config); err == nil {
 		t.Errorf("Expected error to occur when setting gid=5 in mount options")
 	}
 
 	config.Mounts[0].Data = "gid=0"
-	if err := validator.Validate(config); err != nil {
+	if err := Validate(config); err != nil {
 		t.Errorf("Expected error to not occur when setting gid=0 in mount options: %+v", err)
 	}
 
 	config.Mounts[0].Data = "gid=5"
 	config.GidMappings[0].Size = 10
-	if err := validator.Validate(config); err != nil {
+	if err := Validate(config); err != nil {
 		t.Errorf("Expected error to not occur when setting gid=5 in mount options and GidMapping[0].size is 10")
 	}
 
 	config.Mounts[0].Data = "gid=11"
 	config.GidMappings[0].Size = 10
-	if err := validator.Validate(config); err == nil {
+	if err := Validate(config); err == nil {
 		t.Errorf("Expected error to occur when setting gid=11 in mount options and GidMapping[0].size is 10")
 	}
 }