r2cn-dev
diff --git a/‎project/libcgroups/Cargo.toml
Copy file name to clipboardExpand all lines: project/libcgroups/Cargo.toml
+4-4Lines changed: 4 additions & 4 deletions b/‎project/libcgroups/Cargo.toml
Copy file name to clipboardExpand all lines: project/libcgroups/Cargo.toml
+4-4Lines changed: 4 additions & 4 deletions
diff --git a/‎project/libcgroups/src/v1/devices.rs
Copy file name to clipboardExpand all lines: project/libcgroups/src/v1/devices.rs
+1-2Lines changed: 1 addition & 2 deletions b/‎project/libcgroups/src/v1/devices.rs
Copy file name to clipboardExpand all lines: project/libcgroups/src/v1/devices.rs
+1-2Lines changed: 1 addition & 2 deletions
diff --git a/‎project/libcontainer/Cargo.toml
Copy file name to clipboardExpand all lines: project/libcontainer/Cargo.toml
+6-6Lines changed: 6 additions & 6 deletions b/‎project/libcontainer/Cargo.toml
Copy file name to clipboardExpand all lines: project/libcontainer/Cargo.toml
+6-6Lines changed: 6 additions & 6 deletions
diff --git a/‎project/libcontainer/src/config.rs
Copy file name to clipboardExpand all lines: project/libcontainer/src/config.rs
+2-2Lines changed: 2 additions & 2 deletions b/‎project/libcontainer/src/config.rs
Copy file name to clipboardExpand all lines: project/libcontainer/src/config.rs
+2-2Lines changed: 2 additions & 2 deletions
diff --git a/‎project/libcontainer/src/container/tenant_builder.rs
Copy file name to clipboardExpand all lines: project/libcontainer/src/container/tenant_builder.rs
+82-4Lines changed: 82 additions & 4 deletions b/‎project/libcontainer/src/container/tenant_builder.rs
Copy file name to clipboardExpand all lines: project/libcontainer/src/container/tenant_builder.rs
+82-4Lines changed: 82 additions & 4 deletions
diff --git a/‎project/libcontainer/src/process/channel.rs
Copy file name to clipboardExpand all lines: project/libcontainer/src/process/channel.rs
+10-10Lines changed: 10 additions & 10 deletions b/‎project/libcontainer/src/process/channel.rs
Copy file name to clipboardExpand all lines: project/libcontainer/src/process/channel.rs
+10-10Lines changed: 10 additions & 10 deletions
diff --git a/‎project/libcontainer/src/process/container_init_process.rs
Copy file name to clipboardExpand all lines: project/libcontainer/src/process/container_init_process.rs
+35-38Lines changed: 35 additions & 38 deletions b/‎project/libcontainer/src/process/container_init_process.rs
Copy file name to clipboardExpand all lines: project/libcontainer/src/process/container_init_process.rs
+35-38Lines changed: 35 additions & 38 deletions
diff --git a/‎project/libipam/src/main.rs
Copy file name to clipboardExpand all lines: project/libipam/src/main.rs
+1-2Lines changed: 1 addition & 2 deletions b/‎project/libipam/src/main.rs
Copy file name to clipboardExpand all lines: project/libipam/src/main.rs
+1-2Lines changed: 1 addition & 2 deletions
@@ -22,19 +22,19 @@ cgroupsv2_devices = ["rbpf", "libbpf-sys", "errno", "libc", "nix/dir"]
 [dependencies]
 nix = { version = "0.29.0", features = ["signal", "user", "fs"] }
 procfs = "0.17.0"
-oci-spec = { version = "~0.7.1", features = ["runtime"] }
+oci-spec = { version = "~0.8.1", features = ["runtime"] }
 fixedbitset = "0.5.7"
 serde = { version = "1.0", features = ["derive"] }
 rbpf = { version = "0.3.0", optional = true }
 libbpf-sys = { version = "1.5.0", optional = true }
-errno = { version = "0.3.10", optional = true }
-libc = { version = "0.2.171", optional = true }
+errno = { version = "0.3.11", optional = true }
+libc = { version = "0.2.172", optional = true }
 thiserror = "2.0.12"
 tracing = { version = "0.1.41", features = ["attributes"] }
 
 [dev-dependencies]
 anyhow = "1.0"
-oci-spec = { version = "~0.7.1", features = ["proptests", "runtime"] }
+oci-spec = { version = "~0.8.1", features = ["proptests", "runtime"] }
 quickcheck = "1"
 mockall = { version = "0.13.1", features = [] }
 clap = "4.1.6"
 
@@ -158,7 +158,7 @@ mod tests {
         fn property_test_apply_multiple_devices(devices: Vec<LinuxDeviceCgroup>) -> bool {
             let tmp = tempfile::tempdir().unwrap();
             devices.iter()
-                .map(|device| {
+                .all(|device| {
                     set_fixture(tmp.path(), "devices.allow", "").expect("create allowed devices list");
                     set_fixture(tmp.path(), "devices.deny", "").expect("create denied devices list");
                     Devices::apply_device(device, tmp.path()).expect("Apply default device");
@@ -172,7 +172,6 @@ mod tests {
                         denied_content == device.to_string()
                     }
                 })
-                .all(|is_ok| is_ok)
         }
     }
 }
@@ -26,7 +26,7 @@ chrono = { version = "0.4", default-features = false, features = [
     "serde",
 ] }
 fastrand = "^2.3.0"
-libc = "0.2.171"
+libc = "0.2.172"
 nix = { version = "0.29.0", features = [
     "socket",
     "sched",
@@ -37,8 +37,8 @@ nix = { version = "0.29.0", features = [
     "term",
     "hostname",
 ] }
-oci-spec = { version = "0.7.1", features = ["runtime"] }
-once_cell = "1.21.2"
+oci-spec = { version = "0.8.1", features = ["runtime"] }
+once_cell = "1.21.3"
 procfs = "0.17.0"
 prctl = "1.0.0"
 libcgroups = { path = "../libcgroups", default-features = false, version = "0.5.3" } # MARK: Version
@@ -50,13 +50,13 @@ regex = { version = "1.10.6", default-features = false, features = ["std", "unic
 thiserror = "2.0.12"
 tracing = { version = "0.1.41", features = ["attributes"] }
 safe-path = "0.1.0"
-nc = "0.9.5"
+nc = "0.9.6"
 
 [dev-dependencies]
-oci-spec = { version = "~0.7.1", features = ["proptests", "runtime"] }
+oci-spec = { version = "~0.8.1", features = ["proptests", "runtime"] }
 quickcheck = "1"
 serial_test = "3.1.1"
 tempfile = "3"
 anyhow = "1.0"
-rand = "0.9.0"
+rand = "0.9.1"
 scopeguard = "1"
@@ -46,8 +46,8 @@ pub struct YoukiConfig {
     pub cgroup_path: PathBuf,
 }
 
-impl<'a> YoukiConfig {
-    pub fn from_spec(spec: &'a Spec, container_id: &str) -> Result<Self> {
+impl YoukiConfig {
+    pub fn from_spec(spec: &Spec, container_id: &str) -> Result<Self> {
         Ok(YoukiConfig {
             hooks: spec.hooks().clone(),
             cgroup_path: utils::get_cgroup_path(
 
@@ -14,7 +14,7 @@ use nix::unistd::{pipe2, read, Pid};
 use oci_spec::runtime::{
     Capabilities as SpecCapabilities, Capability as SpecCapability, LinuxBuilder,
     LinuxCapabilities, LinuxCapabilitiesBuilder, LinuxNamespace, LinuxNamespaceBuilder,
-    LinuxNamespaceType, LinuxSchedulerPolicy, Process, ProcessBuilder, Spec,
+    LinuxNamespaceType, LinuxSchedulerPolicy, Process, ProcessBuilder, Spec, UserBuilder,
 };
 use procfs::process::Namespace;
 
@@ -32,6 +32,26 @@ const NAMESPACE_TYPES: &[&str] = &["ipc", "uts", "net", "pid", "mnt", "cgroup"];
 const TENANT_NOTIFY: &str = "tenant-notify-";
 const TENANT_TTY: &str = "tenant-tty-";
 
+fn get_path_from_spec(spec: &Spec) -> Option<String> {
+    let process = match spec.process() {
+        Some(p) => p,
+        None => return None,
+    };
+    let env = match process.env() {
+        Some(e) => e,
+        None => return None,
+    };
+    // as per runtime spec, env vars should follow https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_01
+    // and that specifies having multiple env with same name is undefined behaviour
+    // so we take the last occurrence of PATH as that is somewhat intuitional of last
+    // specified value overriding
+    env.iter()
+        .find(|e| e.starts_with("PATH"))
+        .iter()
+        .last()
+        .map(|s| s.to_string())
+}
+
 /// Builder that can be used to configure the properties of a process
 /// that will join an existing container sandbox
 pub struct TenantContainerBuilder {
@@ -44,6 +64,9 @@ pub struct TenantContainerBuilder {
     process: Option<PathBuf>,
     detached: bool,
     as_sibling: bool,
+    additional_gids: Vec<u32>,
+    user: Option<u32>,
+    group: Option<u32>,
 }
 
 /// This is a helper function to get capabilities for tenant container, based on
@@ -136,6 +159,9 @@ impl TenantContainerBuilder {
             process: None,
             detached: false,
             as_sibling: false,
+            additional_gids: vec![],
+            user: None,
+            group: None,
         }
     }
 
@@ -184,6 +210,21 @@ impl TenantContainerBuilder {
         self
     }
 
+    pub fn with_additional_gids(mut self, gids: Vec<u32>) -> Self {
+        self.additional_gids = gids;
+        self
+    }
+
+    pub fn with_user(mut self, user: Option<u32>) -> Self {
+        self.user = user;
+        self
+    }
+
+    pub fn with_group(mut self, group: Option<u32>) -> Self {
+        self.group = group;
+        self
+    }
+
     /// Joins an existing container
     pub fn build(self) -> Result<Pid, LibcontainerError> {
         let container_dir = self.lookup_container_dir()?;
@@ -398,9 +439,10 @@ impl TenantContainerBuilder {
         let process = if let Some(process) = &self.process {
             self.get_process(process)?
         } else {
+            let original_path_env = get_path_from_spec(spec);
             let mut process_builder = ProcessBuilder::default()
                 .args(self.get_args()?)
-                .env(self.get_environment());
+                .env(self.get_environment(original_path_env));
             if let Some(cwd) = self.get_working_dir()? {
                 process_builder = process_builder.cwd(cwd);
             }
@@ -412,6 +454,22 @@ impl TenantContainerBuilder {
             let capabilities = get_capabilities(&self.capabilities, spec)?;
             process_builder = process_builder.capabilities(capabilities);
 
+            let mut user_builder = UserBuilder::default();
+
+            if !self.additional_gids.is_empty() {
+                user_builder = user_builder.additional_gids(self.additional_gids.clone());
+            }
+
+            if let Some(uid) = self.user {
+                user_builder = user_builder.uid(uid);
+            }
+
+            if let Some(gid) = self.group {
+                user_builder = user_builder.gid(gid);
+            }
+
+            process_builder = process_builder.user(user_builder.build()?);
+
             process_builder.build()?
         };
 
@@ -471,8 +529,28 @@ impl TenantContainerBuilder {
         Ok(self.args.clone())
     }
 
-    fn get_environment(&self) -> Vec<String> {
-        self.env.iter().map(|(k, v)| format!("{k}={v}")).collect()
+    fn get_environment(&self, path: Option<String>) -> Vec<String> {
+        let mut env_exists = false;
+        let mut env: Vec<String> = self
+            .env
+            .iter()
+            .map(|(k, v)| {
+                if k == "PATH" {
+                    env_exists = true;
+                }
+                format!("{k}={v}")
+            })
+            .collect();
+        // It is not possible in normal flow that path is None. The original container
+        // creation would have failed if path was absent. However we use Option
+        // just as a caution, and if neither exec cmd not original spec has PATH,
+        // the container creation will fail later which is ok
+        if let Some(p) = path {
+            if !env_exists {
+                env.push(p);
+            }
+        }
+        env
     }
 
     fn get_no_new_privileges(&self) -> Option<bool> {
 
@@ -28,16 +28,16 @@ pub enum ChannelError {
     OtherError(String),
 }
 
-/// Channel Design
-///
-/// Each of the main, intermediate, and init process will have a uni-directional
-/// channel, a sender and a receiver. Each process will hold the receiver and
-/// listen message on it. Each sender is shared between each process to send
-/// message to the corresponding receiver. For example, main_sender and
-/// main_receiver is used for the main process. The main process will use
-/// receiver to receive all message sent to the main process. The other
-/// processes will share the main_sender and use it to send message to the main
-/// process.
+// Channel Design
+//
+// Each of the main, intermediate, and init process will have a uni-directional
+// channel, a sender and a receiver. Each process will hold the receiver and
+// listen message on it. Each sender is shared between each process to send
+// message to the corresponding receiver. For example, main_sender and
+// main_receiver is used for the main process. The main process will use
+// receiver to receive all message sent to the main process. The other
+// processes will share the main_sender and use it to send message to the main
+// process.
 
 pub fn main_channel() -> Result<(MainSender, MainReceiver), ChannelError> {
     let (sender, receiver) = channel::<Message>()?;
 
@@ -613,12 +613,12 @@ pub fn container_init_process(
         tracing::error!(?err, "failed to reset effective capabilities");
         InitProcessError::SyscallOther(err)
     })?;
-    // if let Some(caps) = proc.capabilities() {
-    //     capabilities::drop_privileges(caps, syscall.as_ref()).map_err(|err| {
-    //         tracing::error!(?err, "failed to drop capabilities");
-    //         InitProcessError::SyscallOther(err)
-    //     })?;
-    // }
+    if let Some(caps) = proc.capabilities() {
+        capabilities::drop_privileges(caps, syscall.as_ref()).map_err(|err| {
+            tracing::error!(?err, "failed to drop capabilities");
+            InitProcessError::SyscallOther(err)
+        })?;
+    }
 
     // Change directory to process.cwd if process.cwd is not empty
     if do_chdir {
@@ -795,41 +795,38 @@ fn set_supplementary_gids(
 
 /// set_io_priority set io priority
 fn set_io_priority(syscall: &dyn Syscall, io_priority_op: &Option<LinuxIOPriority>) -> Result<()> {
-    match io_priority_op {
-        Some(io_priority) => {
-            let io_prio_class_mapping: HashMap<_, _> = [
-                (IOPriorityClass::IoprioClassRt, 1i64),
-                (IOPriorityClass::IoprioClassBe, 2i64),
-                (IOPriorityClass::IoprioClassIdle, 3i64),
-            ]
-            .iter()
-            .filter_map(|(class, num)| match serde_json::to_string(&class) {
-                Ok(class_str) => Some((class_str, *num)),
-                Err(err) => {
-                    tracing::error!(?err, "failed to parse io priority class");
-                    None
-                }
-            })
-            .collect();
+    if let Some(io_priority) = io_priority_op {
+        let io_prio_class_mapping: HashMap<_, _> = [
+            (IOPriorityClass::IoprioClassRt, 1i64),
+            (IOPriorityClass::IoprioClassBe, 2i64),
+            (IOPriorityClass::IoprioClassIdle, 3i64),
+        ]
+        .iter()
+        .filter_map(|(class, num)| match serde_json::to_string(&class) {
+            Ok(class_str) => Some((class_str, *num)),
+            Err(err) => {
+                tracing::error!(?err, "failed to parse io priority class");
+                None
+            }
+        })
+        .collect();
 
-            let iop_class = serde_json::to_string(&io_priority.class())
-                .map_err(|err| InitProcessError::IoPriorityClass(err.to_string()))?;
-
-            match io_prio_class_mapping.get(&iop_class) {
-                Some(value) => {
-                    syscall
-                        .set_io_priority(*value, io_priority.priority())
-                        .map_err(|err| {
-                            tracing::error!(?err, ?io_priority, "failed to set io_priority");
-                            InitProcessError::SyscallOther(err)
-                        })?;
-                }
-                None => {
-                    return Err(InitProcessError::IoPriorityClass(iop_class));
-                }
+        let iop_class = serde_json::to_string(&io_priority.class())
+            .map_err(|err| InitProcessError::IoPriorityClass(err.to_string()))?;
+
+        match io_prio_class_mapping.get(&iop_class) {
+            Some(value) => {
+                syscall
+                    .set_io_priority(*value, io_priority.priority())
+                    .map_err(|err| {
+                        tracing::error!(?err, ?io_priority, "failed to set io_priority");
+                        InitProcessError::SyscallOther(err)
+                    })?;
+            }
+            None => {
+                return Err(InitProcessError::IoPriorityClass(iop_class));
             }
         }
-        None => {}
     }
     Ok(())
 }
 
@@ -38,7 +38,7 @@ fn main() {
     );
 
     let rt = tokio::runtime::Builder::new_current_thread()
-        .enable_all() // 开启 IO、定时器等必要功能
+        .enable_all()
         .build()
         .unwrap();
 
@@ -133,7 +133,6 @@ async fn cmd_del(inputs: Inputs) -> Result<IpamSuccessReply, CniError> {
     }
 
     if !errors.is_empty() {
-        // 合并所有错误信息，用分号分隔
         let combined_error = errors.join("; ");
         return Err(CniError::Generic(combined_error));
     }
Original file line number	Diff line number	Diff line change
`@@ -158,7 +158,7 @@ mod tests {`
`158`	`158`	`fn property_test_apply_multiple_devices(devices: Vec<LinuxDeviceCgroup>) -> bool {`
`159`	`159`	`let tmp = tempfile::tempdir().unwrap();`
`160`	`160`	`devices.iter()`
`161`		`- .map(\|device\| {`
	`161`	`+ .all(\|device\| {`
`162`	`162`	`set_fixture(tmp.path(), "devices.allow", "").expect("create allowed devices list");`
`163`	`163`	`set_fixture(tmp.path(), "devices.deny", "").expect("create denied devices list");`
`164`	`164`	`Devices::apply_device(device, tmp.path()).expect("Apply default device");`
`@@ -172,7 +172,6 @@ mod tests {`
`172`	`172`	`denied_content == device.to_string()`
`173`	`173`	`}`
`174`	`174`	`})`
`175`		`- .all(\|is_ok\| is_ok)`
`176`	`175`	`}`
`177`	`176`	`}`
`178`	`177`	`}`