WIP: Try to implement CLONE_NEWTIME

Fixes opencontainers#2345

go.mod

@@ -22,5 +22,5 @@ require (
 	// NOTE: urfave/cli must be <= v1.22.1 due to a regression: https://github.com/urfave/cli/issues/1092
 	github.com/urfave/cli v1.22.1
 	github.com/vishvananda/netlink v1.1.0
-	golang.org/x/sys v0.0.0-20200327173247-9dae0f8f5775
+	golang.org/x/sys v0.0.0-20200420163511-1957bb5e6d1f
 )

go.sum

@@ -59,6 +59,8 @@ golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200124204421-9fbb57f87de9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200327173247-9dae0f8f5775 h1:TC0v2RSO1u2kn1ZugjrFXkRZAEaqMN/RW+OTZkBzmLE=
 golang.org/x/sys v0.0.0-20200327173247-9dae0f8f5775/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200420163511-1957bb5e6d1f h1:gWF768j/LaZugp8dyS4UwsslYCYz9XgFxvlgsn0n9H8=
+golang.org/x/sys v0.0.0-20200420163511-1957bb5e6d1f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

libcontainer/SPEC.md

@@ -30,6 +30,7 @@ Minimum requirements:
 | CLONE_NEWNS     |    1    |
 | CLONE_NEWUSER   |    1    |
 | CLONE_NEWCGROUP |    1    |
+| CLONE_NEWTIME   |    1    |
 
 Namespaces are created for the container via the `unshare` syscall.
 

libcontainer/configs/config.go

@@ -114,6 +114,9 @@ type Config struct {
 	// If a namespace is not provided that namespace is shared from the container's parent process
 	Namespaces Namespaces `json:"namespaces"`
 
+	// TimeOffset specifies the containers time offset in seconds
+	TimeOffset *int `json:"time_offset"`
+
 	// Capabilities specify the capabilities to keep when executing the process inside the container
 	// All capabilities not specified will be dropped from the processes capability mask
 	Capabilities *Capabilities `json:"capabilities"`

libcontainer/configs/namespaces_linux.go

@@ -14,6 +14,7 @@ const (
 	NEWIPC    NamespaceType = "NEWIPC"
 	NEWUSER   NamespaceType = "NEWUSER"
 	NEWCGROUP NamespaceType = "NEWCGROUP"
+	NEWTIME   NamespaceType = "NEWTIME"
 )
 
 var (
@@ -38,6 +39,8 @@ func NsName(ns NamespaceType) string {
 		return "uts"
 	case NEWCGROUP:
 		return "cgroup"
+	case NEWTIME:
+		return "time"
 	}
 	return ""
 }
@@ -72,6 +75,7 @@ func NamespaceTypes() []NamespaceType {
 		NEWPID,
 		NEWNS,
 		NEWCGROUP,
+		NEWTIME,
 	}
 }
 

libcontainer/configs/namespaces_syscall.go

@@ -16,6 +16,7 @@ var namespaceInfo = map[NamespaceType]int{
 	NEWUTS:    unix.CLONE_NEWUTS,
 	NEWPID:    unix.CLONE_NEWPID,
 	NEWCGROUP: unix.CLONE_NEWCGROUP,
+	NEWTIME:   unix.CLONE_NEWTIME,
 }
 
 // CloneFlags parses the container's Namespaces options to set the correct

libcontainer/container_linux.go

@@ -2057,6 +2057,15 @@ func (c *linuxContainer) bootstrapData(cloneFlags uintptr, nsMaps map[configs.Na
 		})
 	}
 
+	if c.config.TimeOffset != nil {
+		// write timens_offsets
+		r.AddData(&Bytemsg{
+			Type: TimeOffsetAttr,
+			Value: []byte(fmt.Sprintf("monotonic %d 0\nboottime %d 0",
+				*c.config.TimeOffset, *c.config.TimeOffset)),
+		})
+	}
+
 	// write rootless
 	r.AddData(&Boolmsg{
 		Type:  RootlessEUIDAttr,

libcontainer/message_linux.go

@@ -20,6 +20,7 @@ const (
 	RootlessEUIDAttr uint16 = 27287
 	UidmapPathAttr   uint16 = 27288
 	GidmapPathAttr   uint16 = 27289
+	TimeOffsetAttr   uint16 = 27290
 )
 
 type Int32msg struct {

libcontainer/nsenter/namespace.h

@@ -28,5 +28,8 @@
 #ifndef CLONE_NEWNET
 #	define CLONE_NEWNET 0x40000000 /* New network namespace */
 #endif
+#ifndef CLONE_NEWTIME
+#	define CLONE_NEWTIME 0x00000080 /* New time namespace */
+#endif
 
 #endif /* NSENTER_NAMESPACE_H */

libcontainer/nsenter/nsexec.c

@@ -71,6 +71,8 @@ struct nlconfig_t {
 	uint32_t cloneflags;
 	char *oom_score_adj;
 	size_t oom_score_adj_len;
+	char *time_offset;
+	size_t time_offset_len;
 
 	/* User namespace settings. */
 	char *uidmap;
@@ -112,6 +114,7 @@ static int logfd = -1;
 #define ROOTLESS_EUID_ATTR	27287
 #define UIDMAPPATH_ATTR	    27288
 #define GIDMAPPATH_ATTR	    27289
+#define TIME_OFFSET_ATTR	    27290
 
 /*
  * Use the raw syscall for versions of glibc which don't include a function for
@@ -327,6 +330,15 @@ static void update_oom_score_adj(char *data, size_t len)
 		bail("failed to update /proc/self/oom_score_adj");
 }
 
+static void update_time_offset(char *data, size_t len)
+{
+	if (data == NULL || len <= 0)
+		return;
+
+	if (write_file(data, len, "/proc/self/timens_offsets") < 0)
+		bail("failed to update /proc/self/timens_offsets");
+}
+
 /* A dummy function that just jumps to the given jumpval. */
 static int child_func(void *arg) __attribute__ ((noinline));
 static int child_func(void *arg)
@@ -401,6 +413,8 @@ static int nsflag(char *name)
 		return CLONE_NEWUSER;
 	else if (!strcmp(name, "uts"))
 		return CLONE_NEWUTS;
+	else if (!strcmp(name, "time"))
+		return CLONE_NEWTIME;
 
 	/* If we don't recognise a name, fallback to 0. */
 	return 0;
@@ -464,6 +478,10 @@ static void nl_parse(int fd, struct nlconfig_t *config)
 			config->oom_score_adj = current;
 			config->oom_score_adj_len = payload_len;
 			break;
+		case TIME_OFFSET_ATTR:
+			config->time_offset = current;
+			config->time_offset_len = payload_len;
+			break;
 		case NS_PATHS_ATTR:
 			config->namespaces = current;
 			config->namespaces_len = payload_len;
@@ -912,6 +930,9 @@ void nsexec(void)
 			if (unshare(config.cloneflags & ~CLONE_NEWCGROUP) < 0)
 				bail("failed to unshare namespaces");
 
+			// TODO: Time offset settings description -> why here
+			update_time_offset(config.time_offset, config.time_offset_len);
+
 			/*
 			 * TODO: What about non-namespace clone flags that we're dropping here?
 			 *

libcontainer/specconv/spec_linux.go

@@ -34,6 +34,7 @@ var namespaceMapping = map[specs.LinuxNamespaceType]configs.NamespaceType{
 	specs.IPCNamespace:     configs.NEWIPC,
 	specs.UTSNamespace:     configs.NEWUTS,
 	specs.CgroupNamespace:  configs.NEWCGROUP,
+	specs.TimeNamespace:    configs.NEWTIME,
 }
 
 var mountPropagationMapping = map[string]int{
@@ -260,6 +261,7 @@ func CreateLibcontainerConfig(opts *CreateOpts) (*configs.Config, error) {
 	}
 	if spec.Process != nil {
 		config.OomScoreAdj = spec.Process.OOMScoreAdj
+		config.TimeOffset = spec.Process.TimeOffset
 		if spec.Process.SelinuxLabel != "" {
 			config.ProcessLabel = spec.Process.SelinuxLabel
 		}