ioi / isolate

Sandbox for securely executing untrusted programs

Error using isolate #153

Closed raviprakash007 closed 6 months ago

raviprakash007 commented 6 months ago

```
root@workers-5556b96ff8-snsrl:/api# mount | grep cgroup
cgroup on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime)
```

```
root@workers-5556b96ff8-snsrl:/api# isolate --cg -b 1 --init
Cannot open /run/isolate/cgroup: No such file or directory
root@workers-5556b96ff8-snsrl:/api#
```

```
root@workers-5556b96ff8-snsrl:/api# ls /sys/fs/cgroup/
cgroup.controllers      dev-hugepages.mount  memory.stat
cgroup.max.depth        dev-mqueue.mount     misc.capacity
cgroup.max.descendants  init.scope           proc-sys-fs-binfmt_misc.mount
cgroup.procs            io.cost.model        sys-fs-fuse-connections.mount
cgroup.stat             io.cost.qos          sys-kernel-config.mount
cgroup.subtree_control  io.pressure          sys-kernel-debug.mount
cgroup.threads          io.prio.class        sys-kernel-tracing.mount
cpu.pressure            io.stat              system.slice
cpu.stat                kubepods.slice       user.slice
cpuset.cpus.effective   memory.numa_stat
cpuset.mems.effective   memory.pressure
```

What can be the reason?

Env:

- Ubuntu: 22.04 Jammy
- isolate: master with cgroup v2 merged

gollux commented 6 months ago

Is isolate.service running?

raviprakash007 commented 6 months ago

No, Is it required?

Can you please mention the steps required to run isolate and what all checks we have to perform to make sure it is working.

gollux commented 6 months ago

Yes. Please see the section Installation in the man page.

raviprakash007 commented 6 months ago

```
user@workers-5556b96ff8-snsrl:/api$ ls /usr/local/sbin/
isolate-cg-keeper  unminimize
```

```
user@workers-5556b96ff8-snsrl:/api$ sudo /usr/local/sbin/isolate-cg-keeper
Cannot write to /sys/fs/cgroup/kubepods.slice/kubepods-besteffort.slice/kubepods-besteffort-pod945302c5_e850_4408_9381_fd5f03f26f6a.slice/cri-containerd-ad80d1be3a89e17ae9eecdf2217b3018e12bf6144eaff62d48a031207eb972af.scope/cgroup.subtree_control: Device or resource busy
```

```
user@workers-5556b96ff8-snsrl:/api$ /usr/local/sbin/isolate-cg-keeper
Cannot create /run/isolate/cgroup: Permission denied
```

```
user@workers-5556b96ff8-snsrl:/api$ sudo su
root@workers-5556b96ff8-snsrl:/api# /usr/local/sbin/isolate-cg-keeper
Cannot create subgroup /sys/fs/cgroup/kubepods.slice/kubepods-besteffort.slice/kubepods-besteffort-pod945302c5_e850_4408_9381_fd5f03f26f6a.slice/cri-containerd-ad80d1be3a89e17ae9eecdf2217b3018e12bf6144eaff62d48a031207eb972af.scope/daemon: File exists
root@workers-5556b96ff8-snsrl:/api#
```

raviprakash007 commented 6 months ago

@gollux, do we need to start Ubuntu with systemd? As when I run my application, PID 1 is given to my application in the Docker container.

raviprakash007 commented 6 months ago

```
root@80eba255f2ee:/api/scripts# service isolate start
Job for isolate.service failed because the control process exited with error code.
See "systemctl status isolate.service" and "journalctl -xeu isolate.service" for details.
root@80eba255f2ee:/api/scripts# systemctl status isolate.service
× isolate.service - A trivial daemon to keep Isolate's control group hierarchy
     Loaded: loaded (/etc/systemd/system/isolate.service; disabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Sat 2024-03-23 12:23:39 UTC; 25s ago
    Process: 516 ExecStart=/usr/local/sbin/isolate-cg-keeper (code=exited, status=1/FAILURE)
   Main PID: 516 (code=exited, status=1/FAILURE)

Mar 23 12:23:39 80eba255f2ee systemd[1]: Starting A trivial daemon to keep Isolate's control group hierarchy...
Mar 23 12:23:39 80eba255f2ee isolate-cg-keeper[516]: Cannot find my own cgroup
Mar 23 12:23:39 80eba255f2ee systemd[1]: isolate.service: Main process exited, code=exited, status=1/FAILURE
Mar 23 12:23:39 80eba255f2ee systemd[1]: isolate.service: Failed with result 'exit-code'.
Mar 23 12:23:39 80eba255f2ee systemd[1]: Failed to start A trivial daemon to keep Isolate's control group hierarchy.
root@80eba255f2ee:/api/scripts#
```

```
root@80eba255f2ee:/api/scripts# ps -elf
F S UID        PID  PPID  C PRI  NI ADDR SZ    WCHAN  STIME TTY      TIME     CMD
4 S root         1     0  0  80   0 - 41348 do_epo 12:18 ?        00:00:01 /lib/systemd/systemd
4 S root        23     1  0  79  -1 -  9882 do_epo 12:18 ?        00:00:00 /lib/systemd/systemd-journald
4 S systemd+    39     1  0  80   0 -  6384 do_epo 12:18 ?        00:00:00 /lib/systemd/systemd-resolved
4 S message+    41     1  0  80   0 -  2030 do_epo 12:18 ?        00:00:00 @dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
4 S syslog      44     1  0  80   0 - 55523 core_s 12:18 ?        00:00:00 /usr/sbin/rsyslogd -n -iNONE
4 S root        48     1  0  80   0 -  3727 do_epo 12:18 ?        00:00:00 /lib/systemd/systemd-logind
4 S root        60     0  0  80   0 -  1156 -      12:19 pts/0    00:00:00 bash
4 S root       323     1  0  80   0 - 73249 x64_sy 12:21 ?        00:00:00 /usr/libexec/packagekitd
4 S root       327     1  0  80   0 - 58623 x64_sy 12:21 ?        00:00:00 /usr/libexec/polkitd --no-debug
4 R root       520    60  0  80   0 -  1765 -      12:25 pts/0    00:00:00 ps -elf
root@80eba255f2ee:/api/scripts#
```

raviprakash007 commented 6 months ago

@gollux Please suggest why I am getting "Cannot find my own cgroup" while starting isolate?

gollux commented 6 months ago

> @gollux, do we need to start Ubuntu with systemd? As when I run my application, PID 1 is given to my application in the Docker container.

Using systemd is the recommended way. It is not necessary, but otherwise you have to set cg_root in the configuration file manually and ensure that the cgroup subtree is properly delegated.

gollux commented 6 months ago

> @gollux Please suggest why I am getting "Cannot find my own cgroup" while starting isolate?

Interesting. Please try the following patch and tell me what it prints:

```diff
diff --git a/isolate-cg-keeper.c b/isolate-cg-keeper.c
index 74bd731..937ebdd 100644
--- a/isolate-cg-keeper.c
+++ b/isolate-cg-keeper.c
@@ -67,6 +67,7 @@ get_my_cgroup(void)
     {
       if (len > 0 && line[len-1] == '\n')
        line[--len] = 0;
+      fprintf(stderr, "<<< %s\n", line);
       if (line[0] == '0' && line[1] == ':' && line[2] == ':')
        {
          cg = xsprintf("/sys/fs/cgroup%s", line + 3);
```
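Review bot: the added `fprintf(stderr, "<<< %s\n", line);` writes every line of the cgroup listing to stderr unconditionally; that is fine as a one-off diagnostic for this report, but if it is kept it should sit behind a verbose or debug option, because isolate-cg-keeper runs as a systemd service and the output would otherwise land in the journal on every start. While here: the match `line[0] == '0' && line[1] == ':' && line[2] == ':'` only recognises the unified-hierarchy (cgroup v2) entry, so any other entry format falls through and the caller ends up reporting "Cannot find my own cgroup"; a short comment stating that requirement, or an error message that names the file being parsed and the line format expected, would let the next reporter diagnose this without a patch round trip.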
raviprakash007 commented 6 months ago

I have fixed the problem "Cannot find my own cgroup". Thanks for pointing out the location.

gollux commented 6 months ago

Just curious: what was the reason?

Also, can we close this issue now?

raviprakash007 commented 6 months ago

Yes, obviously. The crux is that we need a system initialized with systemd.

raviprakash007 commented 6 months ago

> Just curious: what was the reason?

The host cgroup was mismatching.

ArtemkaKun commented 3 months ago

Sorry for reactivating this thread, but I decided this thread contains context, and creating another "why it doesn't work in Docker" thread makes no sense.

> @gollux, do we need to start Ubuntu with systemd? As when I run my application, PID 1 is given to my application in the Docker container.

> Using systemd is the recommended way. It is not necessary, but otherwise you have to set cg_root in the configuration file manually and ensure that the cgroup subtree is properly delegated.

Could you please elaborate on your response? Which configuration file exactly, what exactly do I need to set cg_root to, and how would I ensure that the cgroup subtree is properly delegated?

Thanks in advance

gollux commented 3 months ago

Isolate's configuration file (by default installed to `/usr/local/etc/isolate`).

Otherwise, if you want to use Isolate outside the recommended setup (which is running it under systemd, preferably without Docker), you are on your own and you are expected to understand your control group setup thoroughly. Without such understanding, you will likely end up with a sandbox which seems to be working, but which is insecure.
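The thread leaves the practical question from earlier ("what checks do we have to perform to make sure it is working") and the "properly delegated" requirement above without a concrete check. The following script is an added example written for this page, not code from the isolate project or from its maintainer. It does two things the thread touches on: it locates the calling process's cgroup the same way the keeper patch above does (the `0::` entry of `/proc/self/cgroup`, which exists only on a pure cgroup v2 host), and it reports whether the controllers a sandbox would want are actually delegated to that cgroup and enabled for child groups. The set of required controllers (`cpu`, `memory`, `pids`) is an assumption chosen for illustration, not isolate's documented list, and the script only reads; it never writes to cgroup files.

```python
"""Pre-flight check for running a cgroup v2 sandbox (isolate --cg) outside systemd.

Added example, not part of the isolate project. Read-only: it inspects
/proc/self/cgroup and the cgroup v2 control files and prints what it finds.
"""
import os
import sys
from typing import Optional

CGROUP_ROOT = "/sys/fs/cgroup"
# Assumed controller set for illustration; adjust to what your sandbox needs.
REQUIRED_CONTROLLERS = ("cpu", "memory", "pids")


def parse_my_cgroup(proc_cgroup_text: str) -> Optional[str]:
    """Return the absolute cgroup v2 directory of this process, or None.

    /proc/self/cgroup has one entry per hierarchy: "<id>:<controllers>:<path>".
    A pure cgroup v2 host exposes a single "0::<path>" entry. Entries such as
    "12:memory:/..." come from v1 or hybrid hosts and are deliberately not
    matched, which is the situation that the keeper reports as
    "Cannot find my own cgroup".
    """
    for line in proc_cgroup_text.splitlines():
        line = line.rstrip("\n")
        if line.startswith("0::"):
            return CGROUP_ROOT + line[3:]
    return None


def delegation_report(controllers_text: str, subtree_control_text: str,
                      required=REQUIRED_CONTROLLERS) -> dict:
    """Compare cgroup.controllers / cgroup.subtree_control against `required`.

    "missing": controllers not delegated to this cgroup at all (the parent did
               not enable them for us), so nothing below can use them.
    "not_enabled": delegated but not yet enabled for child groups; the keeper
               would have to write them into cgroup.subtree_control.
    """
    available = set(controllers_text.split())
    enabled = set(subtree_control_text.split())
    return {
        "missing": sorted(c for c in required if c not in available),
        "not_enabled": sorted(c for c in required
                              if c in available and c not in enabled),
    }


def _read(path: str) -> str:
    with open(path, encoding="utf-8") as f:
        return f.read()


def run_live_check() -> int:
    """Inspect the running system. Returns 0 when the cgroup looks usable."""
    try:
        cg = parse_my_cgroup(_read("/proc/self/cgroup"))
    except OSError as e:
        print(f"cannot read /proc/self/cgroup: {e}")
        return 1
    if cg is None:
        print("no '0::' entry in /proc/self/cgroup: not a pure cgroup v2 host")
        return 1
    print(f"my cgroup: {cg}")
    try:
        report = delegation_report(_read(os.path.join(cg, "cgroup.controllers")),
                                   _read(os.path.join(cg, "cgroup.subtree_control")))
        member_pids = _read(os.path.join(cg, "cgroup.procs")).split()
    except OSError as e:
        print(f"cannot read cgroup control files under {cg}: {e}")
        return 1
    ok = True
    if report["missing"]:
        print(f"NOT delegated to this cgroup: {report['missing']}")
        ok = False
    if report["not_enabled"]:
        print(f"delegated but not enabled for children: {report['not_enabled']}")
    if not os.access(os.path.join(cg, "cgroup.subtree_control"), os.W_OK):
        print("cgroup.subtree_control is not writable by this user")
        ok = False
    # cgroup v2 refuses to enable controllers in cgroup.subtree_control of a
    # non-root cgroup that still has member processes (the "no internal
    # process" rule). That refusal surfaces as "Device or resource busy", as
    # seen earlier in this thread, so flag it before anything tries to write.
    if member_pids and cg.rstrip("/") != CGROUP_ROOT:
        print(f"{len(member_pids)} process(es) live directly in this cgroup; "
              "enabling controllers here will fail with EBUSY until they are "
              "moved into a child cgroup")
        ok = False
    print("cgroup looks usable" if ok else "cgroup is NOT ready for a sandbox")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(run_live_check())
```

Run it as the user that will launch the sandbox, inside the container if that is where the sandbox runs; the interesting cases are a missing `0::` line (the keeper failure above), controllers listed as missing (the parent cgroup, e.g. the container runtime's scope, did not delegate them), and member processes reported in the cgroup (the `Device or resource busy` failure earlier in the thread).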