fix(3207, 3209) Difference between the exec command in runc and youki

[tommady]

Description

Type of Change

• Bug fix (non-breaking change that fixes an issue)
• New feature (non-breaking change that adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation update
• Refactoring (no functional changes)
• Performance improvement
• Test updates
• CI/CD related changes
• Other (please describe):

Testing

• Added new unit tests
• Added new integration tests
• Ran existing test suite
• Tested manually (please provide steps)

Related Issues

Fixes #3207 #3209

Additional Context

[tommady]

The changes in #3347 will help address and enhance the testcase requested by saku3.

Just a memo for myself — turning this PR back to draft.

[saku3]

@tommady
I haven’t had much time to review this PR recently — sorry about that.

For this PR, if we can’t move it forward until issue #3347 is resolved, I think we could proceed by leaving TODO comments (or create sub-issue) for the parts related to #3347 for now.

What approach would be easiest for you to proceed?

[tommady]

@tommady I haven’t had much time to review this PR recently — sorry about that.

For this PR, if we can’t move it forward until issue #3347 is resolved, I think we could proceed by leaving TODO comments (or create sub-issue) for the parts related to #3347 for now.

What approach would be easiest for you to proceed?

Thanks for the suggestion!

From my point of view, this PR is ready for review.
Aside from the parts related to issue #3347, there was also an earlier comment from you:
#3210 (comment)

Because of that, some of the cgroup tests can’t be implemented right now.

So yes, please review it when you have time 🙂

[saku3]

Thank! I’ll review it this week.

[saku3]

I've left a few comments.
Everything else looks good to me.
Could you please take a look when you have a chance?
Thanks for the solid work on this!

[saku3]

It looks like we can avoid using clone().

Suggested change

	.or_else(|| spec.process().clone().and_then(|p| p.no_new_privileges()))
	.or_else(|| spec.process().as_ref().and_then(|p| p.no_new_privileges()))

[saku3]

This means we want to resume the paused container at the end, right?

This might be prone to flakiness.
Would you consider using scopeguard::defer!?

[tommady]

scopeguard was removed earlier (see commit below), and in this case it would also resume the container too late since it only runs at scope exit. I’ll use an mpsc channel instead to explicitly synchronize the resume during exec --ignore-paused. Thanks for the suggestion.

123b51a

[saku3]

Sorry, I understand now.

In this case, I think the previous implementation (adding a short sleep) is acceptable.
It aligns with runc’s behavior, so I don’t expect it to cause issues in practice.

Also, since the spawn order doesn’t guarantee the actual execution order, resume may run first, meaning the test might not actually verify that exec works while the container is paused.

[saku3]

Shouldn’t the final value we want to set be normalized?

Suggested change

	final_cgroups_path = potential_path;
	final_cgroups_path = normalized;

[tommady]

good catcha!

[saku3]

Sorry for the delayed review.

I left comments on with_apparmor and ignore_paused_test.rs. Could you please take a look?

Also, since this(998d1c2 and 691e046) change is unrelated to the issue we’re addressing here, let’s handle it in a separate PR.

[saku3]

with_apparmor seems to be missing.

[saku3]

Sorry, I understand now.

In this case, I think the previous implementation (adding a short sleep) is acceptable.
It aligns with runc’s behavior, so I don’t expect it to cause issues in practice.

Also, since the spawn order doesn’t guarantee the actual execution order, resume may run first, meaning the test might not actually verify that exec works while the container is paused.

[saku3]

I think everything looks mostly fine aside from the parts I commented on.

PTAL @utam0k