criyle / go-sandbox Goto Github PK

我想学习一下你的沙盒实现方法，但是这么多文件完全不知道该从哪里开始理解学习。你能稍微指点一下，可以吗？拜托了

Hello!
First of all, you have done a great job! The project is awesome.
To tell the truth, there are a lot difficult details in the code. I guess a strong linux knowlange is required %)

Some time an error happens:

results: Result[RunnerFailed(no such process)][2.937ms 2.8 MiB][2.893533ms 3.997806ms] <nil>
setupTime:  2.893533ms
runningTime:  3.997806ms
Runner Error

The problem is 'floating' and restart, usually, helps. It doensn't depend on programm or input parameters

May be you have some thoughts about this?

Hello! I'am still researching your great codebase.
I have some problems to run sandbox in docker.
For example with this Dockerfile

FROM golang:1.19
WORKDIR /app
COPY go.mod go.sum ./
RUN go mod download
COPY . .
RUN CGO_ENABLED=0 GOOS=linux go build ./cmd/runprog
CMD ./runprog -runner ptrace -show-trace-details ls

The output is

rlimit:  RLimits[CPU[1 s:3 s],Data[256.0 MiB:256.0 MiB],File[64.0 MiB:64.0 MiB],Stack[256.0 MiB:256.0 MiB],OpenFile[256:256],Core[0 B:0 B]]
tracer started:  13 <nil>
------  13  ------ 13
process exited:  13 38
results: Result[RunnerFailed(child process exit before execve)][329µs 1.7 MiB][57.369µs 565.723µs] <nil>
setupTime:  57.369µs
runningTime:  565.723µs
Runner Error
7 0 1732 0

But, If I changed the runner type to container, the output is

rlimit:  RLimits[CPU[1 s:3 s],Data[256.0 MiB:256.0 MiB],File[64.0 MiB:64.0 MiB],Stack[256.0 MiB:256.0 MiB],OpenFile[256:256],Core[0 B:0 B]]
/usr/bin/ls: error while loading shared libraries: libselinux.so.1: cannot stat shared object: Error 38
results: Result[Nonzero Exit Status( 127)][855µs 1.6 MiB][507.993µs 8.342936ms] <nil>
2 1 1632 127
setupTime:  507.993µs
runningTime:  8.342936ms
Nonzero Exit Status

On my local Linux 5.19.0-32-generic #33~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Mon Jan 30 17:03:34 UTC 2 x86_64 x86_64 x86_64 GNU/Linux the both container and ptrace run successfull. It is look like that ptrace in docker container can't start subprcess.
The command to run dockerfile: docker build -t app . && docker run --privileged --rm app

May you have some thoughts about that problem?
And could you provide a small description, what type of executor is faster/safer ? If I understand right, with container executor we can't control file access, but ptrace executor, I guess, i slower

I found a deadlock when hammering the forkexec-runner with a bunch of executions.

System: Ubuntu Jammy amd64

Steps to reproduce:

• Compile this source: https://gist.github.com/nename0/1d77883609ea26f4f52b35e848a3665e
• Run it with GOMAXPROCS=4 ./deadlock (with permissions to create a cgroup e.g. root)
• If the above exits normally, just try again. It might take ~10 tries.
• If the execution is stuck, use Ctrl+z to get the parent pid
• Then use gdb -p <pid> to attach
• And run thread apply all bt in gdb
  You will see that four threads are stuck at RawSyscall() called from syncWithChild() in Line 117.
  This effectively deadlocks the go scheduler.

If you dig a bit you will also see a few forked child pre-exec (all child after exec should be zombies cause of the rlimit).
If you gdb into them they are stuck at forkAndExecInChild1() in Line 427.

I'm not really sure whats causes this, why those reads from the socketpair block.
You can fix the symptoms by replacing the RawSyscall with Syscall like I did in 73c169b.
However im not sure if this fixes the cause or just the symptoms.
Especially because sometimes you get a runner unknown: broken pipe output from the execution, even with the above fix.