oci: add conmon to build via submodule

.circleci/config.yml

@@ -41,6 +41,11 @@ executors:
       image: ubuntu-2004:202111-02
 
 commands:
+  update-submodules:
+    steps:
+      - run:
+          name: Update submodules
+          command: git submodule update --init
   check-changes:
     steps:
       - run:
@@ -92,7 +97,7 @@ commands:
           command: <<# parameters.sudo >>sudo <</ parameters.sudo >>apt-get -q update
       - run:
           name: Install dependencies
-          command: <<# parameters.sudo >>sudo <</ parameters.sudo >>apt-get -q install -y build-essential squashfs-tools libseccomp-dev libssl-dev uuid-dev cryptsetup-bin conmon runc
+          command: <<# parameters.sudo >>sudo <</ parameters.sudo >>apt-get -q install -y build-essential squashfs-tools libseccomp-dev libssl-dev uuid-dev cryptsetup-bin runc libglib2.0-dev
   configure-singularity:
     steps:
       - run:
@@ -153,6 +158,7 @@ jobs:
       - checkout
       - install-deps-apt:
           sudo: false
+      - update-submodules
       - build-singularity
 
   build-source-alpine:
@@ -163,7 +169,8 @@ jobs:
       - checkout
       - run:
           name: Fetch deps
-          command: apk add -q --no-cache git alpine-sdk automake libtool linux-headers libarchive-dev util-linux-dev libuuid openssl-dev gawk sed cryptsetup
+          command: apk add -q --no-cache git alpine-sdk automake libtool linux-headers libarchive-dev util-linux-dev libuuid openssl-dev gawk sed cryptsetup libseccomp-dev glib-dev
+      - update-submodules
       - build-singularity
 
   lint-source:
@@ -172,6 +179,7 @@ jobs:
       - checkout
       - install-deps-apt:
           sudo: false
+      - update-submodules
       - configure-singularity
       - run:
           name: Check for Lint
@@ -186,6 +194,7 @@ jobs:
           version: << pipeline.parameters.go-version >>
       - stop-background-apt
       - install-deps-apt
+      - update-submodules
       - install-singularity
       - run:
           name: Run unit tests
@@ -200,6 +209,7 @@ jobs:
           version: << pipeline.parameters.go-version >>
       - stop-background-apt
       - install-deps-apt
+      - update-submodules
       - install-singularity
       - run:
           name: Run integration tests
@@ -215,6 +225,7 @@ jobs:
           version: << pipeline.parameters.go-version >>
       - stop-background-apt
       - install-deps-apt
+      - update-submodules
       - install-singularity
       - run:
           name: Run E2E tests
@@ -238,12 +249,13 @@ jobs:
           name: Install dependencies
           command: |-
             yum groupinstall -q -y 'Development Tools'
-            yum install -q -y cryptsetup libseccomp-devel squashfs-tools
+            yum install -q -y cryptsetup libseccomp-devel squashfs-tools glib2-devel
       - run:
           name: Install Go
           command: |-
             curl -f -L -sS "https://dl.google.com/go/go<< pipeline.parameters.go-version >>.linux-amd64.tar.gz" | tar -z -x -C /usr/local/
             echo "export PATH=$PATH:/usr/local/go/bin" >> $BASH_ENV
+      - update-submodules
       - configure-singularity
       - run:
           name: Build RPM
@@ -268,12 +280,13 @@ jobs:
           name: Install dependencies
           command: |-
             apt-get update
-            DEBIAN_FRONTEND=noninteractive apt-get install -y build-essential git libseccomp-dev pkg-config squashfs-tools cryptsetup dh-golang devscripts fakeroot
+            DEBIAN_FRONTEND=noninteractive apt-get install -y build-essential git libseccomp-dev pkg-config squashfs-tools cryptsetup dh-golang devscripts fakeroot libglib2.0-dev
       - run:
           name: Install Go
           command: |-
             curl -f -L -sS "https://dl.google.com/go/go<< pipeline.parameters.go-version >>.linux-amd64.tar.gz" | tar -z -x -C /usr/local/
             echo "export PATH=$PATH:/usr/local/go/bin" >> $BASH_ENV
+      - update-submodules
       - run:
           name: Build DEB
           command: |-

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "third_party/conmon"]
+	path = third_party/conmon
+	url = https://github.com/containers/conmon

CHANGELOG.md

@@ -10,6 +10,10 @@
   `systemd cgroups = no` in `singularity.conf` to manage cgroups directly via
   the cgroupfs.
 - The `singularity oci` command group now uses `runc` to manage containers.
+- The `singularity oci` commands use `conmon` which is built from a git submodule,
+  unless `--without-conmon` is specified as an argument to `mconfig`, in which
+  case Singularity will search `PATH` for conmon. Version >=2.0.24 of conmon
+  is required.
 - The `singularity oci` flags `--sync-socket`, `--empty-process`, and
   `--timeout` have been removed.
 

INSTALL.md

@@ -19,6 +19,7 @@ sudo apt-get update
 sudo apt-get install -y \
     build-essential \
     libseccomp-dev \
+    libglib2.0-dev \
     pkg-config \
     squashfs-tools \
     cryptsetup
@@ -32,6 +33,7 @@ sudo yum groupinstall -y 'Development Tools'
 # Install RPM packages for dependencies
 sudo yum install -y \
     libseccomp-devel \
+    glib2-devel \
     squashfs-tools \
     cryptsetup
 ```
@@ -100,7 +102,7 @@ repository to a specific location.
 Clone the repository with `git` in a location of your choice:
 
 ```sh
-git clone https://github.com/sylabs/singularity.git
+git clone --recurse-submodules https://github.com/sylabs/singularity.git
 cd singularity
 ```
 
@@ -110,7 +112,7 @@ out a [release tag](https://github.com/sylabs/singularity/tags) before
 compiling. E.g. to build the 3.9.5 release checkout the `v3.9.5` tag:
 
 ```sh
-git checkout v3.9.5
+git checkout --recurse-submodules v3.9.5
 ```
 
 ## Compiling SingularityCE

LICENSE_THIRD_PARTY.md

@@ -291,6 +291,14 @@ The source files:
 
 Contain code from the podman project, under the Apache License, Version 2.0.
 
+## github.com/containers/conmon
+
+The source files:
+
+* `third_party/conmon/*`
+
+Are code from the conmon project, under the Apache License, Version 2.0.
+
 ```text
                                  Apache License
                            Version 2.0, January 2004

debian/singularity-ce.install

@@ -1,5 +1,6 @@
 usr/bin/singularity
 usr/bin/run-singularity
+usr/lib/*/singularity/bin/conmon
 usr/lib/*/singularity/bin/starter
 usr/lib/*/singularity/bin/starter-suid
 usr/lib/*/singularity/cni/*

dist/rpm/singularity-ce.spec.in

@@ -42,6 +42,7 @@ BuildRequires: git
 BuildRequires: gcc
 BuildRequires: make
 BuildRequires: libseccomp-devel
+BuildRequires: glib2-devel
 %if "%{_target_vendor}" == "suse"
 Requires: squashfs
 %else
@@ -126,6 +127,7 @@ make -C builddir DESTDIR=$RPM_BUILD_ROOT install
 %{_bindir}/run-singularity
 %dir %{_libexecdir}/singularity
 %{_libexecdir}/singularity/bin/starter
+%{_libexecdir}/singularity/bin/conmon
 %{_libexecdir}/singularity/cni/*
 %dir %{_sysconfdir}/singularity
 %config(noreplace) %{_sysconfdir}/singularity/*.conf

internal/pkg/util/bin/bin.go

@@ -10,6 +10,7 @@ import (
 	"fmt"
 	"os"
 	"os/exec"
+	"path/filepath"
 
 	"github.com/pkg/errors"
 	"github.com/sylabs/singularity/internal/pkg/buildcfg"
@@ -34,8 +35,14 @@ func FindBin(name string) (path string, err error) {
 	// distro provided setUID executables that are used in the fakeroot flow to setup subuid/subgid mappings
 	case "newuidmap", "newgidmap":
 		return findOnPath(name)
-	// distro provided OCI runtime dependencies
-	case "conmon", "runc":
+	// distro provided OCI runtime
+	case "runc":
+		return findOnPath(name)
+	// our, or distro provided conmon
+	case "conmon":
+		if buildcfg.CONMON_LIBEXEC == 1 {
+			return filepath.Join(buildcfg.LIBEXECDIR, "singularity", "bin", name), nil
+		}
 		return findOnPath(name)
 	// cryptsetup & nvidia-container-cli paths must be explicitly specified
 	// They are called as root from the RPC server in a setuid install, so this

mconfig

@@ -56,6 +56,7 @@ if test -z "${package_version}" ; then
 fi
 
 with_network=1
+with_conmon=1
 with_suid=1
 with_seccomp_check=1
 
@@ -113,6 +114,9 @@ usage_args () {
 	echo "     --without-suid    do not install SUID binary (linux only)"
 	echo "     --without-network do not compile/install network plugins (linux only)"
 	echo "     --without-seccomp do not compile/install seccomp support even if available"
+  echo
+  echo "  Third-party dependencies:"
+  echo "     --without-conmon  do not build conmon, use distro provided version"
 	echo
 	echo "  Path modification options:"
 	echo "     --prefix         install project in \`prefix'"
@@ -365,6 +369,8 @@ while [ $# -ne 0 ]; do
    with_network=0; shift;;
   --without-seccomp)
    with_seccomp_check=0; shift;;
+  --without-conmon)
+   with_conmon=0; shift;;
   -V)
    if ! echo "$2" | awk '/^-.*/ || /^$/ { exit 2 }'; then
      echo "error: option requires an argument: $1"
@@ -820,6 +826,11 @@ if [ "$with_network" = 1 ]; then
     cat $makeit_fragsdir/build_network.mk >> $makeit_makefile
 fi
 
+if [ "$with_conmon" = 1 ]; then
+    drawline $makeit_fragsdir/build_conmon.mk
+    cat $makeit_fragsdir/build_conmon.mk >> $makeit_makefile
+fi
+
 if [ "$build_runtime" = 1 ]; then
 	drawline $makeit_fragsdir/build_runtime.mk
 	cat $makeit_fragsdir/build_runtime.mk >> $makeit_makefile
@@ -893,6 +904,11 @@ if [ "$with_network" = 0 ]; then
 else
 	echo "    - Network plugins: yes"
 fi
+if [ "$with_conmon" = 0 ]; then
+	echo "    - Build conmon: no"
+else
+	echo "    - Build conmon: yes"
+fi
 echo "      ---"
 if [ "$verbose" = 1 ]; then
 	echo "    - verbose: yes"

mlocal/checks/project-post.chk

@@ -45,6 +45,7 @@ config_add_def NVIDIALIBS_FILE SINGULARITY_CONFDIR \"/nvliblist.conf\"
 config_add_def SESSIONDIR LOCALSTATEDIR \"/singularity/mnt/session\"
 config_add_def SINGULARITY_SUID_INSTALL $with_suid
 config_add_def PLUGIN_ROOTDIR LIBEXECDIR \"/singularity/plugin\"
+config_add_def CONMON_LIBEXEC $with_conmon 
 
 # engine configuration constants
 engine_config_env="ENGINE_CONFIG"
@@ -303,7 +304,7 @@ fi
 ########################
 # libseccomp dev
 ########################
-if [ "$with_seccomp_check" = "1" ];then
+if [ "$with_seccomp_check" = "1" ]; then
     printf " checking: libseccomp+headers... "
     seccomp_iflags=`pkg-config --cflags-only-I libseccomp 2>/dev/null || true`
     if ! printf "#include <seccomp.h>\nint main() { seccomp_syscall_resolve_name(\"read\"); }" | \
@@ -316,6 +317,40 @@ if [ "$with_seccomp_check" = "1" ];then
     fi
 fi
 
+
+########################
+# conmon deps
+########################
+if [ "$with_conmon" = "1" ]; then
+   printf " checking: conmon source... "
+   if [ ! -f "$sourcedir/third_party/conmon/Makefile" ]; then
+      echo "no"
+      echo
+      echo "conmon source not found"
+      echo
+      echo "Unless you are building --without-conmon you must 'git clone recursive'"
+      echo "or 'git submodule update --init'."
+      echo
+      exit 2
+   fi
+   echo "yes"
+
+   printf " checking: conmon glib-2.0 headers... "
+   glib2_iflags=`pkg-config --cflags-only-I glib-2.0 2>/dev/null || true`
+   glib2_lflags=`pkg-config --libs glib-2.0 2>/dev/null || true`
+   if ! printf "#include <glib.h>\nint main() { }" | \
+      $tgtcc $user_cflags $ldflags $glib2_iflags -x c -o /dev/null - $glib2_lflags >/dev/null 2>&1; then  
+      echo "no"
+      echo
+      echo "glib-2.0 headers are required to build conmon."
+      echo
+      exit 2
+   else
+   echo "yes"
+   fi
+fi
+
+
 ################################
 # Configurable external programs
 ################################

mlocal/frags/Makefile.stub

@@ -124,7 +124,7 @@ cscope:
 		>/dev/null 2>&1 || true)
 
 .PHONY: clean
-clean:
+clean: $(CLEANTARGETS)
 	@printf " CLEAN\n"
 	$(V)rm -rf $(BUILDDIR)/mergeddeps cscope.* $(CLEANFILES)
 

mlocal/frags/build_conmon.mk

@@ -0,0 +1,31 @@
+# This file contains all of the rules for building conmon
+
+conmon := $(SOURCEDIR)/third_party/conmon/bin/conmon
+conmon_dir := $(SOURCEDIR)/third_party/conmon/
+conmon_src := $(SOURCEDIR)/third_party/conmon/Makefile
+conmon_INSTALL := $(DESTDIR)$(LIBEXECDIR)/singularity/bin/conmon
+
+# conmon currently fails to build with theses warnings as errors,
+# which are enforced for our own CGO compilations.
+conmon_CFLAGS := $(filter-out -Wstrict-prototypes,$(CFLAGS))
+conmon_CFLAGS := $(filter-out -Wframe-larger-than=2047,$(conmon_CFLAGS))
+conmon_CFLAGS := $(filter-out -Wpointer-arith,$(conmon_CFLAGS))
+conmon_CFLAGS += -std=c99
+
+$(conmon): $(conmon_src)
+	@echo " CONMON"
+	$(MAKE) CFLAGS='$(conmon_CFLAGS)' -C $(conmon_dir)
+
+$(conmon_INSTALL): $(conmon)
+	@echo " INSTALL CONMON" $@
+	$(V)umask 0022 && mkdir -p $(@D)
+	$(V)install -m 0755 $< $@
+
+.PHONY:
+conmon_CLEAN:
+	@echo " CLEAN CONMON"
+	$(MAKE) -C $(conmon_dir) clean
+
+INSTALLFILES += $(conmon_INSTALL)
+ALL += $(conmon)
+CLEANTARGETS += conmon_CLEAN

scripts/make-dist.sh

@@ -41,6 +41,12 @@ if test ! -d vendor ; then
     exit 1
 fi
 
+# conmon should have been vendored as a submodule
+if test ! -f third_party/conmon/Makefile ; then
+    echo 'E: conmon source not found. Abort.'
+    exit 1
+fi
+
 # XXX(mem): In order to accept filenames with colons in it (because of a
 # version number like x.y.z:1.2.3), pass the --force-local flag to tar.
 # This is understood by GNU tar. If other tar programs (also called