!399 sync from openeuler iSulad

From: @duguhaotian 
Reviewed-by: @jingwoo, @wangfengtu 
Signed-off-by: @jingwoo

0001-do-not-use-tmpfile.patch

@@ -1,7 +1,7 @@
 From 2e404b3aa5fcea87a905fbd7ff3465b6135b701e Mon Sep 17 00:00:00 2001
 From: WangFengTu <wangfengtu@huawei.com>
 Date: Wed, 20 Jul 2022 14:26:58 +0800
-Subject: [PATCH 1/6] do not use tmpfile()
+Subject: [PATCH 01/15] do not use tmpfile()
 
 Signed-off-by: WangFengTu <wangfengtu@huawei.com>
 ---

0002-use-only-TLS-v1.2-or-later.patch

@@ -1,7 +1,7 @@
 From 025d2c2dad2786eda40f2367cdd727a36b8249df Mon Sep 17 00:00:00 2001
 From: WangFengTu <wangfengtu@huawei.com>
 Date: Thu, 21 Jul 2022 15:37:07 +0800
-Subject: [PATCH 2/6] use only TLS v1.2 or later
+Subject: [PATCH 02/15] use only TLS v1.2 or later
 
 Signed-off-by: WangFengTu <wangfengtu@huawei.com>
 ---

0003-don-t-mount-shareable-dirs-if-user-set-mount-for-dev.patch

@@ -1,7 +1,8 @@
 From a475d8da1122af712dbc79dc5d92f1cb95d519f9 Mon Sep 17 00:00:00 2001
 From: zhangxiaoyu <zhangxiaoyu58@huawei.com>
 Date: Mon, 25 Jul 2022 20:31:15 +0800
-Subject: [PATCH 3/6] don't mount shareable dirs if user set mount for dev shm
+Subject: [PATCH 03/15] don't mount shareable dirs if user set mount for dev
+ shm
 
 Signed-off-by: zhangxiaoyu <zhangxiaoyu58@huawei.com>
 ---

0004-tolerate-arch-unspecified-seccomp-profiles.patch

@@ -1,7 +1,7 @@
 From 73e02e66102b3e066d5d6424624461c3024cabe4 Mon Sep 17 00:00:00 2001
 From: chengzrz <czrzrichard@gmail.com>
 Date: Fri, 29 Jul 2022 14:44:55 +0800
-Subject: [PATCH 4/6] tolerate arch unspecified seccomp profiles
+Subject: [PATCH 04/15] tolerate arch unspecified seccomp profiles
 
 Signed-off-by: chengzrz <czrzrichard@gmail.com>
 ---

0005-add-a-CI-test-case-checking-seccomp-option.patch

@@ -1,7 +1,7 @@
 From c9c2bb6bfbe2060bdc6af53ca0d752572b21594d Mon Sep 17 00:00:00 2001
 From: chengzrz <czrzrichard@gmail.com>
 Date: Fri, 29 Jul 2022 14:45:20 +0800
-Subject: [PATCH 5/6] add a CI test case, checking seccomp option
+Subject: [PATCH 05/15] add a CI test case, checking seccomp option
 
 Signed-off-by: chengzrz <czrzrichard@gmail.com>
 ---

0006-fix-cri-attach-when-stdout-and-stderr-are-false.patch

@@ -1,7 +1,7 @@
 From 9498a8df59f69acbf75f9aa69fef465350288bb8 Mon Sep 17 00:00:00 2001
 From: zhangxiaoyu <zhangxiaoyu58@huawei.com>
 Date: Mon, 1 Aug 2022 11:20:31 +0800
-Subject: [PATCH 6/6] fix cri attach when stdout and stderr are false
+Subject: [PATCH 06/15] fix cri attach when stdout and stderr are false
 
 Signed-off-by: zhangxiaoyu <zhangxiaoyu58@huawei.com>
 ---

0007-fix-cpu-quota-out-of-range-when-update-to-1.patch

@@ -0,0 +1,49 @@
+From 5174fd2608a25a8f7f4b61be79d125b19fb420f9 Mon Sep 17 00:00:00 2001
+From: "Neil.wrz" <wangrunze13@huawei.com>
+Date: Tue, 26 Jul 2022 02:08:43 -0700
+Subject: [PATCH 07/15] fix cpu-quota out of range when update to -1
+
+Signed-off-by: Neil.wrz <wangrunze13@huawei.com>
+---
+ src/daemon/modules/runtime/engines/engine.h         | 2 +-
+ src/daemon/modules/runtime/engines/lcr/lcr_rt_ops.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/daemon/modules/runtime/engines/engine.h b/src/daemon/modules/runtime/engines/engine.h
+index 8935f845..95428e0f 100644
+--- a/src/daemon/modules/runtime/engines/engine.h
++++ b/src/daemon/modules/runtime/engines/engine.h
+@@ -33,7 +33,7 @@ struct engine_cgroup_resources {
+     uint64_t blkio_weight;
+     uint64_t cpu_shares;
+     uint64_t cpu_period;
+-    uint64_t cpu_quota;
++    int64_t cpu_quota;
+     char *cpuset_cpus;
+     char *cpuset_mems;
+     uint64_t memory_limit;
+diff --git a/src/daemon/modules/runtime/engines/lcr/lcr_rt_ops.c b/src/daemon/modules/runtime/engines/lcr/lcr_rt_ops.c
+index dd310091..a2b93b72 100644
+--- a/src/daemon/modules/runtime/engines/lcr/lcr_rt_ops.c
++++ b/src/daemon/modules/runtime/engines/lcr/lcr_rt_ops.c
+@@ -518,7 +518,7 @@ static void to_engine_resources(const host_config *hostconfig, struct engine_cgr
+     cr->blkio_weight = hostconfig->blkio_weight;
+     cr->cpu_shares = (uint64_t)hostconfig->cpu_shares;
+     cr->cpu_period = (uint64_t)hostconfig->cpu_period;
+-    cr->cpu_quota = (uint64_t)hostconfig->cpu_quota;
++    cr->cpu_quota = hostconfig->cpu_quota;
+     cr->cpuset_cpus = hostconfig->cpuset_cpus;
+     cr->cpuset_mems = hostconfig->cpuset_mems;
+     cr->memory_limit = (uint64_t)hostconfig->memory;
+@@ -532,7 +532,7 @@ static void to_engine_resources(const host_config *hostconfig, struct engine_cgr
+         period = (uint64_t)(100 * Time_Milli / Time_Micro);
+         quota = hostconfig->nano_cpus * (int64_t)period / 1e9;
+         cr->cpu_period = period;
+-        cr->cpu_quota = (uint64_t)quota;
++        cr->cpu_quota = quota;
+     }
+ }
+ 
+-- 
+2.25.1
+

0008-stop-health-check-monitor-before-stopping-container.patch

@@ -0,0 +1,146 @@
+From b8fd21e636b643fe9f257a77808d53b067f3d105 Mon Sep 17 00:00:00 2001
+From: songbuhuang <544824346@qq.com>
+Date: Wed, 3 Aug 2022 16:06:16 +0800
+Subject: [PATCH 08/15] stop health check monitor before stopping container
+
+Signed-off-by: songbuhuang <544824346@qq.com>
+---
+ src/daemon/executor/container_cb/execution.c         |  2 --
+ src/daemon/executor/container_cb/execution_extend.c  |  2 +-
+ src/daemon/modules/api/container_api.h               |  2 +-
+ .../modules/container/health_check/health_check.c    | 12 ++----------
+ src/daemon/modules/service/service_container.c       |  3 +++
+ test/mocks/health_check_mock.cc                      |  4 ++--
+ test/mocks/health_check_mock.h                       |  2 +-
+ .../execute/execution_extend/execution_extend_ut.cc  |  2 +-
+ 8 files changed, 11 insertions(+), 18 deletions(-)
+
+diff --git a/src/daemon/executor/container_cb/execution.c b/src/daemon/executor/container_cb/execution.c
+index edc8b42e..68d0d8d6 100644
+--- a/src/daemon/executor/container_cb/execution.c
++++ b/src/daemon/executor/container_cb/execution.c
+@@ -676,8 +676,6 @@ static int container_stop_cb(const container_stop_request *request, container_st
+         goto pack_response;
+     }
+ 
+-    container_stop_health_checks(id);
+-
+     if (stop_container(cont, timeout, force, false)) {
+         cc = ISULAD_ERR_EXEC;
+         container_state_set_error(cont->state, (const char *)g_isulad_errmsg);
+diff --git a/src/daemon/executor/container_cb/execution_extend.c b/src/daemon/executor/container_cb/execution_extend.c
+index 9c2a213b..b0da705e 100644
+--- a/src/daemon/executor/container_cb/execution_extend.c
++++ b/src/daemon/executor/container_cb/execution_extend.c
+@@ -715,7 +715,7 @@ static int do_pause_container(container_t *cont)
+     params.rootpath = cont->root_path;
+     params.state = cont->state_path;
+ 
+-    container_stop_health_checks(cont->common_config->id);
++    container_stop_health_checks(cont);
+ 
+     if (runtime_pause(id, cont->runtime, &params)) {
+         container_update_health_monitor(cont->common_config->id);
+diff --git a/src/daemon/modules/api/container_api.h b/src/daemon/modules/api/container_api.h
+index 1140d4d5..ed97633f 100644
+--- a/src/daemon/modules/api/container_api.h
++++ b/src/daemon/modules/api/container_api.h
+@@ -254,7 +254,7 @@ extern char *container_exit_fifo_create(const char *cont_state_path);
+ extern int container_exit_fifo_open(const char *cont_exit_fifo);
+ 
+ void container_init_health_monitor(const char *id);
+-void container_stop_health_checks(const char *container_id);
++void container_stop_health_checks(container_t *cont);
+ 
+ bool container_is_in_gc_progress(const char *id);
+ 
+diff --git a/src/daemon/modules/container/health_check/health_check.c b/src/daemon/modules/container/health_check/health_check.c
+index b2feee91..273d3531 100644
+--- a/src/daemon/modules/container/health_check/health_check.c
++++ b/src/daemon/modules/container/health_check/health_check.c
+@@ -182,23 +182,15 @@ static void close_health_check_monitor(container_t *cont)
+ 
+ // Called when the container is being stopped (whether because the health check is
+ // failing or for any other reason).
+-void container_stop_health_checks(const char *container_id)
++void container_stop_health_checks(container_t *cont)
+ {
+-    container_t *cont = NULL;
+-
+-    if (container_id == NULL) {
+-        return;
+-    }
+-
+-    cont = containers_store_get(container_id);
+     if (cont == NULL) {
+-        ERROR("Failed to get container info");
+         return;
+     }
++
+     if (cont->state != NULL && cont->state->state != NULL && cont->state->state->health != NULL) {
+         close_health_check_monitor(cont);
+     }
+-    container_unref(cont);
+ }
+ 
+ /* health check manager free */
+diff --git a/src/daemon/modules/service/service_container.c b/src/daemon/modules/service/service_container.c
+index a9b14043..2f688f57 100644
+--- a/src/daemon/modules/service/service_container.c
++++ b/src/daemon/modules/service/service_container.c
+@@ -1401,6 +1401,9 @@ int stop_container(container_t *cont, int timeout, bool force, bool restart)
+         ret = -1;
+         goto out;
+     }
++
++    container_stop_health_checks(cont);
++
+     // set AutoRemove flag to false before stop so the container won't be
+     // removed during restart process
+     if (restart) {
+diff --git a/test/mocks/health_check_mock.cc b/test/mocks/health_check_mock.cc
+index eab18be7..5e2f210b 100644
+--- a/test/mocks/health_check_mock.cc
++++ b/test/mocks/health_check_mock.cc
+@@ -32,10 +32,10 @@ void container_update_health_monitor(const char *container_id)
+     return;
+ }
+ 
+-void container_stop_health_checks(const char *container_id)
++void container_stop_health_checks(container_t *cont)
+ {
+     if (g_health_check_mock != nullptr) {
+-        return g_health_check_mock->ContainerStopHealthCheck(container_id);
++        return g_health_check_mock->ContainerStopHealthCheck(cont);
+     }
+     return;
+ }
+diff --git a/test/mocks/health_check_mock.h b/test/mocks/health_check_mock.h
+index ab8e20b0..29dad8ca 100644
+--- a/test/mocks/health_check_mock.h
++++ b/test/mocks/health_check_mock.h
+@@ -22,7 +22,7 @@
+ class MockHealthCheck {
+ public:
+     MOCK_METHOD1(UpdateHealthMonitor, void(const char *container_id));
+-    MOCK_METHOD1(ContainerStopHealthCheck, void(const char *container_id));
++    MOCK_METHOD1(ContainerStopHealthCheck, void(container_t *cont));
+ };
+ 
+ void MockHealthCheck_SetMock(MockHealthCheck* mock);
+diff --git a/test/services/execution/execute/execution_extend/execution_extend_ut.cc b/test/services/execution/execute/execution_extend/execution_extend_ut.cc
+index 03872340..e4e6d8d4 100644
+--- a/test/services/execution/execute/execution_extend/execution_extend_ut.cc
++++ b/test/services/execution/execute/execution_extend/execution_extend_ut.cc
+@@ -204,7 +204,7 @@ void invokeStateSetPaused(container_state_t *s)
+     return;
+ }
+ 
+-void invokeContainerStopHealthCheck(const char *container_id)
++void invokeContainerStopHealthCheck(container_t *cont)
+ {
+     return;
+ }
+-- 
+2.25.1
+

0009-set-dup_option-null-after-free.patch

@@ -0,0 +1,25 @@
+From 3d8258777c2265ea00c9fe13a11d37d0b3320e4c Mon Sep 17 00:00:00 2001
+From: zhangxiaoyu <zhangxiaoyu58@huawei.com>
+Date: Fri, 5 Aug 2022 14:37:38 +0800
+Subject: [PATCH 09/15] set dup_option null after free
+
+Signed-off-by: zhangxiaoyu <zhangxiaoyu58@huawei.com>
+---
+ .../oci/storage/layer_store/graphdriver/devmapper/deviceset.c    | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c
+index a0e749dd..10c7fafd 100644
+--- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c
++++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c
+@@ -239,6 +239,7 @@ static int devmapper_parse_options(struct device_set *devset, const char **optio
+         }
+ 
+         free(dup_option);
++        dup_option = NULL;
+     }
+ 
+ out:
+-- 
+2.25.1
+

0010-ensure-read-string-must-have-space-store-null-char.patch

@@ -0,0 +1,136 @@
+From 6e0b890c16d851bd29009b8a778234ce9e82339e Mon Sep 17 00:00:00 2001
+From: haozi007 <liuhao27@huawei.com>
+Date: Mon, 8 Aug 2022 16:46:22 +0800
+Subject: [PATCH 10/15] ensure read string must have space store null char
+
+Signed-off-by: haozi007 <liuhao27@huawei.com>
+---
+ src/cmd/isulad-shim/process.c                   | 2 +-
+ src/daemon/entry/cri/sysctl_tools.c             | 4 ++--
+ src/daemon/modules/runtime/isula/isula_rt_ops.c | 2 +-
+ src/daemon/modules/runtime/shim/shim_rt_ops.c   | 8 ++++----
+ src/utils/tar/util_archive.c                    | 4 ++--
+ src/utils/tar/util_gzip.c                       | 2 +-
+ 6 files changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/src/cmd/isulad-shim/process.c b/src/cmd/isulad-shim/process.c
+index cb859920..4d665b26 100644
+--- a/src/cmd/isulad-shim/process.c
++++ b/src/cmd/isulad-shim/process.c
+@@ -1166,7 +1166,7 @@ int create_process(process_t *p)
+         close_fd(&p->stdio->err);
+         close_fd(&p->stdio->resize);
+     }
+-    nread = read_nointr(exec_fd[0], exec_buff, sizeof(exec_buff));
++    nread = read_nointr(exec_fd[0], exec_buff, sizeof(exec_buff) - 1);
+     if (nread > 0) {
+         write_message(g_log_fd, ERR_MSG, "runtime error");
+         ret = SHIM_ERR;
+diff --git a/src/daemon/entry/cri/sysctl_tools.c b/src/daemon/entry/cri/sysctl_tools.c
+index 9883f9ff..257ccf8f 100644
+--- a/src/daemon/entry/cri/sysctl_tools.c
++++ b/src/daemon/entry/cri/sysctl_tools.c
+@@ -31,7 +31,7 @@ int get_sysctl(const char *sysctl, char **err)
+     int fd = -1;
+     ssize_t rsize;
+     char fullpath[PATH_MAX] = { 0 };
+-    char buff[MAX_BUFFER_SIZE] = { 0 };
++    char buff[MAX_BUFFER_SIZE + 1] = { 0 };
+ 
+     ret = snprintf(fullpath, PATH_MAX, "%s/%s", SYSCTL_BASE, sysctl);
+     if (ret < 0 || ret >= PATH_MAX) {
+@@ -46,7 +46,7 @@ int get_sysctl(const char *sysctl, char **err)
+         }
+         goto free_out;
+     }
+-    rsize = util_read_nointr(fd, buff, MAX_BUFFER_SIZE);
++    rsize = util_read_nointr(fd, buff, sizeof(buff) - 1);
+     if (rsize <= 0) {
+         if (asprintf(err, "Read file failed: %s", strerror(errno)) < 0) {
+             *err = util_strdup_s("Out of memory");
+diff --git a/src/daemon/modules/runtime/isula/isula_rt_ops.c b/src/daemon/modules/runtime/isula/isula_rt_ops.c
+index 42f1cda6..2ccdde2e 100644
+--- a/src/daemon/modules/runtime/isula/isula_rt_ops.c
++++ b/src/daemon/modules/runtime/isula/isula_rt_ops.c
+@@ -712,7 +712,7 @@ realexec:
+     }
+ 
+     close(exec_fd[1]);
+-    num = util_read_nointr(exec_fd[0], exec_buff, sizeof(exec_buff));
++    num = util_read_nointr(exec_fd[0], exec_buff, sizeof(exec_buff) - 1);
+     close(exec_fd[0]);
+     if (num > 0) {
+         ERROR("exec failed: %s", exec_buff);
+diff --git a/src/daemon/modules/runtime/shim/shim_rt_ops.c b/src/daemon/modules/runtime/shim/shim_rt_ops.c
+index 21d339e5..9c9446a8 100644
+--- a/src/daemon/modules/runtime/shim/shim_rt_ops.c
++++ b/src/daemon/modules/runtime/shim/shim_rt_ops.c
+@@ -110,7 +110,7 @@ static int shim_bin_v2_create(const char *runtime, const char *id, const char *w
+     int err_fd[2] = {-1, -1};
+     int out_fd[2] = {-1, -1};
+     char exec_buff[BUFSIZ + 1] = {0};
+-    char stdout_buff[PATH_MAX] = {0};
++    char stdout_buff[PATH_MAX + 1] = {0};
+     char stderr_buff[BUFSIZ + 1] = {0};
+ 
+ 
+@@ -186,7 +186,7 @@ static int shim_bin_v2_create(const char *runtime, const char *id, const char *w
+     }
+ 
+     close(exec_fd[1]);
+-    if (util_read_nointr(exec_fd[0], exec_buff, sizeof(exec_buff)) > 0) {
++    if (util_read_nointr(exec_fd[0], exec_buff, sizeof(exec_buff) - 1) > 0) {
+         ERROR("exec failed: %s", exec_buff);
+         ret = -1;
+         goto out;
+@@ -203,10 +203,10 @@ static int shim_bin_v2_create(const char *runtime, const char *id, const char *w
+     status = status_to_exit_code(status);
+ 
+     close(out_fd[1]);
+-    util_read_nointr(out_fd[0], stdout_buff, sizeof(stdout_buff));
++    util_read_nointr(out_fd[0], stdout_buff, sizeof(stdout_buff) - 1);
+     close(out_fd[0]);
+     close(err_fd[1]);
+-    util_read_nointr(err_fd[0], stderr_buff, sizeof(stderr_buff));
++    util_read_nointr(err_fd[0], stderr_buff, sizeof(stderr_buff) - 1);
+     close(err_fd[0]);
+ 
+     if (status != 0) {
+diff --git a/src/utils/tar/util_archive.c b/src/utils/tar/util_archive.c
+index 1128b947..da814c94 100644
+--- a/src/utils/tar/util_archive.c
++++ b/src/utils/tar/util_archive.c
+@@ -596,7 +596,7 @@ int archive_unpack(const struct io_read_wrapper *content, const char *dstdir, co
+     pid_t pid = -1;
+     int keepfds[] = { -1, -1, -1 };
+     int pipe_stderr[2] = { -1, -1 };
+-    char errbuf[BUFSIZ] = { 0 };
++    char errbuf[BUFSIZ + 1] = { 0 };
+ 
+     if (pipe2(pipe_stderr, O_CLOEXEC) != 0) {
+         ERROR("Failed to create pipe");
+@@ -980,7 +980,7 @@ int archive_chroot_tar(char *path, char *file, char **errmsg)
+     pid_t pid;
+     int pipe_for_read[2] = { -1, -1 };
+     int keepfds[] = { -1, -1 };
+-    char errbuf[BUFSIZ] = { 0 };
++    char errbuf[BUFSIZ + 1] = { 0 };
+     int fd = 0;
+ 
+     if (pipe2(pipe_for_read, O_CLOEXEC) != 0) {
+diff --git a/src/utils/tar/util_gzip.c b/src/utils/tar/util_gzip.c
+index 9b17e9d7..5c34d719 100644
+--- a/src/utils/tar/util_gzip.c
++++ b/src/utils/tar/util_gzip.c
+@@ -203,7 +203,7 @@ int gzip(const char *filename, size_t len)
+     }
+ 
+     ssize_t size_read = 0;
+-    char buffer[BUFSIZ] = { 0 };
++    char buffer[BUFSIZ + 1] = { 0 };
+ 
+     close(pipefd[1]);
+ 
+-- 
+2.25.1
+

0011-remove-unused-include-files.patch

@@ -0,0 +1,50 @@
+From 448e4c5b0327916c05d8354e4e99565de7a8129d Mon Sep 17 00:00:00 2001
+From: haozi007 <liuhao27@huawei.com>
+Date: Tue, 9 Aug 2022 14:36:33 +0800
+Subject: [PATCH 11/15] remove unused include files
+
+Signed-off-by: haozi007 <liuhao27@huawei.com>
+---
+ .../storage/layer_store/graphdriver/quota/project_quota.h  | 1 -
+ src/utils/cutils/utils_network.c                           | 7 -------
+ 2 files changed, 8 deletions(-)
+
+diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/quota/project_quota.h b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/quota/project_quota.h
+index 2aae6bcd..94230faa 100644
+--- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/quota/project_quota.h
++++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/quota/project_quota.h
+@@ -35,7 +35,6 @@
+ #include <inttypes.h>
+ #include <linux/magic.h>
+ #include <linux/dqblk_xfs.h>
+-#include <linux/fs.h>
+ #include <errno.h>
+ #include <libgen.h>
+ #include <dirent.h>
+diff --git a/src/utils/cutils/utils_network.c b/src/utils/cutils/utils_network.c
+index 5192d06f..c77edc3c 100644
+--- a/src/utils/cutils/utils_network.c
++++ b/src/utils/cutils/utils_network.c
+@@ -18,19 +18,12 @@
+ #include "utils_network.h"
+ 
+ #include <unistd.h>
+-#include <sched.h>
+ #include <stdlib.h>
+ #include <pthread.h>
+ #include <sys/mount.h>
+-#include <linux/fs.h>
+-#include <syscall.h>
+ #include <isula_libutils/log.h>
+-#include <fcntl.h>
+ 
+ #include "utils.h"
+-#include "utils_fs.h"
+-#include "utils_file.h"
+-#include "constants.h"
+ 
+ int util_create_netns_file(const char *netns_path)
+ {
+-- 
+2.25.1
+

0012-fix-lose-override-flag.patch

@@ -0,0 +1,25 @@
+From ec627e1564baf4e77311c917bde9bddf23b63b9b Mon Sep 17 00:00:00 2001
+From: haozi007 <liuhao27@huawei.com>
+Date: Wed, 10 Aug 2022 17:40:36 +0800
+Subject: [PATCH 12/15] fix lose override flag
+
+Signed-off-by: haozi007 <liuhao27@huawei.com>
+---
+ src/daemon/entry/cri/websocket/service/exec_serve.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/daemon/entry/cri/websocket/service/exec_serve.h b/src/daemon/entry/cri/websocket/service/exec_serve.h
+index 65ee6b3a..3f84e0c8 100644
+--- a/src/daemon/entry/cri/websocket/service/exec_serve.h
++++ b/src/daemon/entry/cri/websocket/service/exec_serve.h
+@@ -37,6 +37,6 @@ private:
+     virtual void *SetContainerStreamRequest(::google::protobuf::Message *grequest, const std::string &suffix) override;
+     virtual int ExecuteStreamCommand(SessionData *lwsCtx, void *request) override;
+     virtual void CloseConnect(SessionData *lwsCtx) override;
+-    virtual void FreeRequest(void *m_request);
++    virtual void FreeRequest(void *m_request) override;
+ };
+ #endif // DAEMON_ENTRY_CRI_WEBSOCKET_SERVICE_EXEC_SERVE_H
+-- 
+2.25.1
+

0013-Add-read-and-execute-permissions-for-libhttpclient.s.patch

@@ -0,0 +1,38 @@
+From e524923aeeeb96f999dd153ea51f778289fade52 Mon Sep 17 00:00:00 2001
+From: zhongtao <taozh97@163.com>
+Date: Fri, 12 Aug 2022 17:17:44 +0800
+Subject: [PATCH 13/15] Add read and execute permissions for libhttpclient.so
+ and libisulad_tools.so for other users, so that non-root users who join the
+ isula group can use the isula command normally
+
+---
+ src/CMakeLists.txt            | 2 +-
+ src/utils/http/CMakeLists.txt | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
+index b8843f16..65bcb978 100644
+--- a/src/CMakeLists.txt
++++ b/src/CMakeLists.txt
+@@ -197,7 +197,7 @@ endif()
+ 
+ # ------ install binary --------
+ install(TARGETS libisulad_tools
+-    ${INSTALL_TYPE} DESTINATION ${LIB_INSTALL_DIR_DEFAULT} PERMISSIONS OWNER_READ OWNER_EXECUTE GROUP_READ GROUP_EXECUTE)
++    ${INSTALL_TYPE} DESTINATION ${LIB_INSTALL_DIR_DEFAULT} PERMISSIONS OWNER_READ OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE)
+ install(TARGETS libisula
+     ${INSTALL_TYPE} DESTINATION ${LIB_INSTALL_DIR_DEFAULT} PERMISSIONS OWNER_READ OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE)
+ install(TARGETS isula
+diff --git a/src/utils/http/CMakeLists.txt b/src/utils/http/CMakeLists.txt
+index 0937cfab..ad7d0747 100644
+--- a/src/utils/http/CMakeLists.txt
++++ b/src/utils/http/CMakeLists.txt
+@@ -29,4 +29,4 @@ if (ISULAD_GCOV)
+ endif()
+ 
+ install(TARGETS libhttpclient
+-    ${INSTALL_TYPE} DESTINATION ${LIB_INSTALL_DIR_DEFAULT} PERMISSIONS OWNER_READ OWNER_EXECUTE GROUP_READ GROUP_EXECUTE)
++    ${INSTALL_TYPE} DESTINATION ${LIB_INSTALL_DIR_DEFAULT} PERMISSIONS OWNER_READ OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE)
+-- 
+2.25.1
+

0014-fix-exec_request_to_rest-forgot-to-handle-suffix.patch

@@ -0,0 +1,27 @@
+From dfcd1cbd6403af11d7afed96b0c8e3ca292722f9 Mon Sep 17 00:00:00 2001
+From: "Neil.wrz" <wangrunze13@huawei.com>
+Date: Fri, 12 Aug 2022 15:30:50 -0700
+Subject: [PATCH 14/15] fix exec_request_to_rest forgot to handle suffix
+
+Signed-off-by: Neil.wrz <wangrunze13@huawei.com>
+---
+ src/client/connect/rest/rest_containers_client.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/client/connect/rest/rest_containers_client.c b/src/client/connect/rest/rest_containers_client.c
+index 7e549339..dfa20c75 100644
+--- a/src/client/connect/rest/rest_containers_client.c
++++ b/src/client/connect/rest/rest_containers_client.c
+@@ -1620,6 +1620,9 @@ static int exec_request_to_rest(const struct isula_exec_request *le_request, cha
+     if (le_request->stderr != NULL) {
+         crequest->stderr = util_strdup_s(le_request->stderr);
+     }
++    if (le_request->suffix != NULL) {
++        crequest->suffix = util_strdup_s(le_request->suffix);
++    }
+ 
+     int i = 0;
+     if (le_request->argc > 0) {
+-- 
+2.25.1
+

0015-add-fuzz-dict.patch

@@ -0,0 +1,29 @@
+From 13c9523f3f69bafc62be8465dea235bdc7e6df4f Mon Sep 17 00:00:00 2001
+From: WangFengTu <wangfengtu@huawei.com>
+Date: Thu, 11 Aug 2022 20:30:48 +0800
+Subject: [PATCH 15/15] add fuzz dict
+
+Signed-off-by: WangFengTu <wangfengtu@huawei.com>
+---
+ test/fuzz/dict/test_volume_mount_spec_fuzz.dict | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/test/fuzz/dict/test_volume_mount_spec_fuzz.dict b/test/fuzz/dict/test_volume_mount_spec_fuzz.dict
+index 8ef79c0b..39ae41df 100644
+--- a/test/fuzz/dict/test_volume_mount_spec_fuzz.dict
++++ b/test/fuzz/dict/test_volume_mount_spec_fuzz.dict
+@@ -31,4 +31,11 @@
+ "bind-selinux-opts"
+ "selinux-opts"
+ "volume-nocopy"
++"volume-nocopy=true"
++"volume-nocopy=false"
+ "empty"
++"type=bind,src=/bind,dst=/bind,volume-nocopy=true,volume-nocopy=true"
++"type=bind,src=/bind,dst=/bind"
++"type=tmpfs,dst=/tmpfs,volume-nocopy=true"
++"type=squashfs,src=/bind,dst=/tmpfs"
++"type=squashfs,src=/,dst=/tmpfs"
+-- 
+2.25.1
+

iSulad.spec

@@ -1,5 +1,5 @@
 %global _version 2.0.15
-%global _release 2
+%global _release 3
 %global is_systemd 1
 %global enable_shimv2 1
 %global is_embedded 1
@@ -19,6 +19,15 @@ Patch6002: 0003-don-t-mount-shareable-dirs-if-user-set-mount-for-dev.patch
 Patch6003: 0004-tolerate-arch-unspecified-seccomp-profiles.patch
 Patch6004: 0005-add-a-CI-test-case-checking-seccomp-option.patch
 Patch6005: 0006-fix-cri-attach-when-stdout-and-stderr-are-false.patch
+Patch6006: 0007-fix-cpu-quota-out-of-range-when-update-to-1.patch
+Patch6007: 0008-stop-health-check-monitor-before-stopping-container.patch
+Patch6008: 0009-set-dup_option-null-after-free.patch
+Patch6009: 0010-ensure-read-string-must-have-space-store-null-char.patch
+Patch6010: 0011-remove-unused-include-files.patch
+Patch6011: 0012-fix-lose-override-flag.patch
+Patch6012: 0013-Add-read-and-execute-permissions-for-libhttpclient.s.patch
+Patch6013: 0014-fix-exec_request_to_rest-forgot-to-handle-suffix.patch
+Patch6014: 0015-add-fuzz-dict.patch
 
 %ifarch x86_64 aarch64
 Provides:       libhttpclient.so()(64bit)
@@ -246,6 +255,12 @@ fi
 %endif
 
 %changelog
+* Tue Aug 9 2022 haozi007 <liuhao27@huawei.com> - 2.0.15-3
+- Type: enhancement
+- ID: NA
+- SUG: NA
+- DESC: sycn patches from openeuler
+
 * Mon Aug 1 2022 chengzeruizhi <chengzeruizhi@huawei.com> - 2.0.15-2
 - Type: enhancement
 - ID: NA