!419 update iSulad version to v2.0.16-1

From: @wangfengtu 
Reviewed-by: @duguhaotian 
Signed-off-by: @duguhaotian
openeuler-ci-bot 2022-08-23 07:10:34 +00:00 committed by Gitee
commit 27ae204a3e
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
23 changed files with 8 additions and 1901 deletions


@ -1,49 +0,0 @@
From 2e404b3aa5fcea87a905fbd7ff3465b6135b701e Mon Sep 17 00:00:00 2001
From: WangFengTu <wangfengtu@huawei.com>
Date: Wed, 20 Jul 2022 14:26:58 +0800
Subject: [PATCH 01/21] do not use tmpfile()
Signed-off-by: WangFengTu <wangfengtu@huawei.com>
---
.../image/oci/storage/layer_store/layer_store.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/daemon/modules/image/oci/storage/layer_store/layer_store.c b/src/daemon/modules/image/oci/storage/layer_store/layer_store.c
index 7e95a52f..208bb3bc 100644
--- a/src/daemon/modules/image/oci/storage/layer_store/layer_store.c
+++ b/src/daemon/modules/image/oci/storage/layer_store/layer_store.c
@@ -2115,7 +2115,9 @@ static void free_tar_split(tar_split *ts)
static tar_split *new_tar_split(layer_t *l, const char *tspath)
{
int ret = 0;
+ int nret = 0;
tar_split *ts = NULL;
+ char path[PATH_MAX] = {0};
ts = util_common_calloc_s(sizeof(tar_split));
if (ts == NULL) {
@@ -2124,12 +2126,20 @@ static tar_split *new_tar_split(layer_t *l, const char *tspath)
goto out;
}
- ts->tmp_file = tmpfile();
+ nret = snprintf(path, sizeof(path), ".%s.tmp", tspath);
+ if (nret < 0 || nret >= PATH_MAX) {
+ ERROR("sprintf .%s.tmp failed", tspath);
+ ret = -1;
+ goto out;
+ }
+
+ ts->tmp_file = fopen(path, "w+");
if (ts->tmp_file == NULL) {
ERROR("create tmpfile failed: %s", strerror(errno));
ret = -1;
goto out;
}
+ (void)unlink(path);
ret = util_gzip_d(tspath, ts->tmp_file);
if (ret != 0) {
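Review bot: The replacement for tmpfile() at `ts->tmp_file = fopen(path, "w+");` creates the file under a predictable name without exclusive-create semantics, so it follows a symlink or reuses a file that already exists at that path, and the file mode is left to the process umask. Opening it with `open()` using `O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC` and mode 0600, then wrapping the descriptor with `fdopen()`, keeps the properties tmpfile() provided. Separately, the format `".%s.tmp"` puts the dot in front of the whole of tspath; if tspath is an absolute path (not visible in this hunk) the result is resolved relative to the working directory, so it is worth confirming that the dot was not meant to prefix the file name only. new_tar_split continues past the end of the hunk.

```c
    /* … unchanged: snprintf() building path and its length check … */
    int fd = open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0) {
        ERROR("create tmpfile failed: %s", strerror(errno));
        ret = -1;
        goto out;
    }
    (void)unlink(path);

    ts->tmp_file = fdopen(fd, "w+");
    if (ts->tmp_file == NULL) {
        ERROR("create tmpfile failed: %s", strerror(errno));
        close(fd);
        ret = -1;
        goto out;
    }
    /* … unchanged: util_gzip_d(tspath, ts->tmp_file) and the rest … */
```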
--
2.25.1


@ -1,31 +0,0 @@
From 025d2c2dad2786eda40f2367cdd727a36b8249df Mon Sep 17 00:00:00 2001
From: WangFengTu <wangfengtu@huawei.com>
Date: Thu, 21 Jul 2022 15:37:07 +0800
Subject: [PATCH 02/21] use only TLS v1.2 or later
Signed-off-by: WangFengTu <wangfengtu@huawei.com>
---
src/utils/http/http.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/utils/http/http.c b/src/utils/http/http.c
index edd05f92..20131660 100644
--- a/src/utils/http/http.c
+++ b/src/utils/http/http.c
@@ -449,6 +449,13 @@ int http_request(const char *url, struct http_get_options *options, long *respon
curl_easy_setopt(curl_handle, CURLOPT_SUPPRESS_CONNECT_HEADERS, 1L);
#endif
+ /* libcurl support option CURL_SSLVERSION_TLSv1_2 when version >= 7.34.0
+ * #define CURL_VERSION_BITS(x,y,z) ((x)<<16|(y)<<8|(z))
+ * CURL_VERSION_BITS(7,34,0) = 0x072200 */
+#if (LIBCURL_VERSION_NUM >= 0x072200)
+ curl_easy_setopt(curl_handle, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
+#endif
+
ret = http_custom_options(curl_handle, options);
if (ret) {
goto out;
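Review bot: The TLS floor added at `curl_easy_setopt(curl_handle, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);` is applied without checking the return value, and on a build where `LIBCURL_VERSION_NUM` is below 0x072200 the `#if` drops it silently, so in both cases the request goes ahead with whatever protocol versions libcurl allows by default. Checking the result, for example `if (curl_easy_setopt(curl_handle, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2) != CURLE_OK) { ret = -1; goto out; }`, and adding an `#else` branch that fails the build or logs that no minimum version is enforced would make the weaker configuration visible. http_request starts and ends outside the hunk.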
--
2.25.1


@ -1,123 +0,0 @@
From a475d8da1122af712dbc79dc5d92f1cb95d519f9 Mon Sep 17 00:00:00 2001
From: zhangxiaoyu <zhangxiaoyu58@huawei.com>
Date: Mon, 25 Jul 2022 20:31:15 +0800
Subject: [PATCH 03/21] don't mount shareable dirs if user set mount for dev
shm
Signed-off-by: zhangxiaoyu <zhangxiaoyu58@huawei.com>
---
src/daemon/modules/spec/specs_mount.c | 51 +++++++++++++++------------
1 file changed, 28 insertions(+), 23 deletions(-)
diff --git a/src/daemon/modules/spec/specs_mount.c b/src/daemon/modules/spec/specs_mount.c
index 85623f79..8966293f 100644
--- a/src/daemon/modules/spec/specs_mount.c
+++ b/src/daemon/modules/spec/specs_mount.c
@@ -2699,7 +2699,12 @@ int setup_ipc_dirs(host_config *host_spec, container_config_v2_common_config *v2
int ret = -1;
int nret = 0;
bool has_mount = false;
- char *spath = NULL;
+ const char *spath = NULL;
+
+ if (host_spec == NULL || v2_spec == NULL) {
+ ERROR("Invalid args");
+ return -1;
+ }
// ignore shm of system container
if (host_spec->system_container) {
@@ -2709,16 +2714,20 @@ int setup_ipc_dirs(host_config *host_spec, container_config_v2_common_config *v2
if (host_spec->ipc_mode != NULL && !namespace_is_shareable(host_spec->ipc_mode)) {
return 0;
}
+ // has mount for /dev/shm
+ if (has_mount_shm(host_spec, v2_spec)) {
+ return 0;
+ }
- spath = get_prepare_share_shm_path(host_spec->runtime, v2_spec->id);
+ spath = v2_spec->shm_path;
if (spath == NULL) {
+ ERROR("No shm path");
return -1;
}
// container shm has been mounted
if (util_detect_mounted(spath)) {
DEBUG("shm path %s has been mounted", spath);
- free(spath);
return 0;
}
@@ -2757,7 +2766,6 @@ out:
if (ret != 0 && has_mount) {
(void)umount(spath);
}
- free(spath);
return ret;
}
@@ -2808,20 +2816,6 @@ out_free:
return ret;
}
-static int set_share_shm(const host_config *host_spec, container_config_v2_common_config *v2_spec)
-{
- char *spath = NULL;
-
- spath = get_prepare_share_shm_path(host_spec->runtime, v2_spec->id);
- if (spath == NULL) {
- return -1;
- }
-
- v2_spec->shm_path = spath;
-
- return 0;
-}
-
#define SHM_MOUNT_POINT "/dev/shm"
static int set_shm_path(host_config *host_spec, container_config_v2_common_config *v2_spec)
{
@@ -2836,7 +2830,18 @@ static int set_shm_path(host_config *host_spec, container_config_v2_common_confi
}
// setup shareable dirs
if (host_spec->ipc_mode == NULL || namespace_is_shareable(host_spec->ipc_mode)) {
- return set_share_shm(host_spec, v2_spec);
+ // has mount for /dev/shm
+ if (has_mount_shm(host_spec, v2_spec)) {
+ return 0;
+ }
+
+ v2_spec->shm_path = get_prepare_share_shm_path(host_spec->runtime, v2_spec->id);
+ if (v2_spec->shm_path == NULL) {
+ ERROR("Failed to get prepare share shm path");
+ return -1;
+ }
+
+ return 0;
}
if (namespace_is_container(host_spec->ipc_mode)) {
@@ -3373,14 +3378,14 @@ int merge_conf_mounts(oci_runtime_spec *oci_spec, host_config *host_spec, contai
host_spec->shm_size = DEFAULT_SHM_SIZE;
}
- /* setup ipc dir */
- if (setup_ipc_dirs(host_spec, v2_spec) != 0) {
+ if (set_shm_path(host_spec, v2_spec) != 0) {
+ ERROR("Failed to set shm path");
ret = -1;
goto out;
}
- if (set_shm_path(host_spec, v2_spec) != 0) {
- ERROR("Failed to set shm path");
+ /* setup ipc dir */
+ if (setup_ipc_dirs(host_spec, v2_spec) != 0) {
ret = -1;
goto out;
}
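Review bot: setup_ipc_dirs() now reads `v2_spec->shm_path` instead of computing the path itself, so it only works after set_shm_path() has filled that field, and the reordering in merge_conf_mounts is the only place that expresses this. Because setup_ipc_dirs() is not static, another caller that skips set_shm_path() would get the "No shm path" error with no hint about the cause. A comment above the call, such as `/* set_shm_path() must run first: setup_ipc_dirs() reads v2_spec->shm_path */`, plus the same precondition in the function's header comment, would document the dependency. The has_mount_shm() check is also duplicated in both functions and could live in one place.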
--
2.25.1


@ -1,64 +0,0 @@
From 73e02e66102b3e066d5d6424624461c3024cabe4 Mon Sep 17 00:00:00 2001
From: chengzrz <czrzrichard@gmail.com>
Date: Fri, 29 Jul 2022 14:44:55 +0800
Subject: [PATCH 04/21] tolerate arch unspecified seccomp profiles
Signed-off-by: chengzrz <czrzrichard@gmail.com>
---
src/daemon/modules/spec/specs_security.c | 25 +++++++++++++++---------
1 file changed, 16 insertions(+), 9 deletions(-)
diff --git a/src/daemon/modules/spec/specs_security.c b/src/daemon/modules/spec/specs_security.c
index 643c2745..62f67082 100644
--- a/src/daemon/modules/spec/specs_security.c
+++ b/src/daemon/modules/spec/specs_security.c
@@ -42,11 +42,11 @@
static const char * const g_system_caps[] = { "SYS_BOOT", "SETPCAP", "NET_RAW", "NET_BIND_SERVICE",
#ifdef CAP_AUDIT_WRITE
- "AUDIT_WRITE",
+ "AUDIT_WRITE",
#endif
- "DAC_OVERRIDE", "SETFCAP", "SETGID", "SETUID", "MKNOD", "CHOWN",
- "FOWNER", "FSETID", "KILL", "SYS_CHROOT"
- };
+ "DAC_OVERRIDE", "SETFCAP", "SETGID", "SETUID", "MKNOD", "CHOWN",
+ "FOWNER", "FSETID", "KILL", "SYS_CHROOT"
+ };
static int append_capability(char ***dstcaps, size_t *dstcaps_len, const char *cap)
{
@@ -472,11 +472,6 @@ static size_t docker_seccomp_arches_count(const char *seccomp_architecture, cons
}
}
- if (count == 0) {
- ERROR("seccomp architecture not found");
- count = -1;
- }
-
return count;
}
@@ -498,6 +493,18 @@ static int dup_architectures_to_oci_spec(const char *seccomp_architecture, const
return -1;
}
+ if (arch_size == 0) {
+ WARN("arch map is not provided in specified seccomp profile");
+ oci_seccomp_spec->architectures = util_smart_calloc_s(sizeof(char *), 1);
+ if (oci_seccomp_spec->architectures == NULL) {
+ ERROR("Failed to allocate memory for architectures in seccomp spec");
+ return -1;
+ }
+ oci_seccomp_spec->architectures[oci_seccomp_spec->architectures_len++] =
+ util_strdup_s(seccomp_architecture);
+ return 0;
+ }
+
oci_seccomp_spec->architectures = util_smart_calloc_s(sizeof(char *), arch_size);
if (oci_seccomp_spec->architectures == NULL) {
ERROR("Failed to calloc memory for architectures in seccomp spec");
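Review bot: In the new `arch_size == 0` branch, `oci_seccomp_spec->architectures[oci_seccomp_spec->architectures_len++]` indexes a one-element array with whatever value architectures_len already holds, so the write is in bounds only if the caller passes a spec whose architectures_len is 0, which this hunk does not show. Writing `oci_seccomp_spec->architectures[0] = util_strdup_s(seccomp_architecture);` followed by `oci_seccomp_spec->architectures_len = 1;` removes that assumption. The WARN could also name the architecture being substituted, so that someone reading the logs can see which filter architecture a profile without an arch map ends up with. dup_architectures_to_oci_spec starts and ends outside the hunk.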
--
2.25.1


@ -1,115 +0,0 @@
From c9c2bb6bfbe2060bdc6af53ca0d752572b21594d Mon Sep 17 00:00:00 2001
From: chengzrz <czrzrichard@gmail.com>
Date: Fri, 29 Jul 2022 14:45:20 +0800
Subject: [PATCH 05/21] add a CI test case, checking seccomp option
Signed-off-by: chengzrz <czrzrichard@gmail.com>
---
CI/test_cases/container_cases/seccomp.sh | 76 +++++++++++++++++++
.../seccomp_profile_without_archmap.json | 11 +++
2 files changed, 87 insertions(+)
create mode 100755 CI/test_cases/container_cases/seccomp.sh
create mode 100644 CI/test_cases/container_cases/test_data/seccomp_profile_without_archmap.json
diff --git a/CI/test_cases/container_cases/seccomp.sh b/CI/test_cases/container_cases/seccomp.sh
new file mode 100755
index 00000000..9e886d10
--- /dev/null
+++ b/CI/test_cases/container_cases/seccomp.sh
@@ -0,0 +1,76 @@
+#!/bin/bash
+#
+# attributes: isulad seccomp run
+# concurrent: NO
+# spend time: 4
+
+#######################################################################
+##- Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+# - iSulad licensed under the Mulan PSL v2.
+# - You can use this software according to the terms and conditions of the Mulan PSL v2.
+# - You may obtain a copy of Mulan PSL v2 at:
+# - http://license.coscl.org.cn/MulanPSL2
+# - THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+# - IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+# - PURPOSE.
+# - See the Mulan PSL v2 for more details.
+##- @Description:CI
+##- @Author: chengzeruizhi
+##- @Create: 2022-07-29
+#######################################################################
+
+curr_path=$(dirname $(readlink -f "$0"))
+test_data_path=$(realpath $curr_path/test_data)
+source ../helpers.sh
+
+function do_pre() {
+ local ret=0
+
+ isula rm -f $(isula ps -qa)
+
+ check_valgrind_log
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - stop isulad failed" && ((ret++))
+
+ start_isulad_with_valgrind
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - start isulad failed" && ((ret++))
+
+ return $ret
+}
+
+function do_test() {
+ local ret=0
+
+ msg_info "this is $0 do_test"
+
+ cid1=$(isula run -tid --security-opt seccomp=/etc/isulad/seccomp_default.json busybox sh)
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - Failed to run container with the default seccomp profile" && ((ret++))
+
+ cid2=$(isula run -tid --security-opt seccomp=${test_data_path}/seccomp_profile_without_archmap.json busybox sh)
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - Failed to run container with a customized seccomp profile" && ((ret++))
+
+ cid3=$(isula run -tid --security-opt seccomp=/etc/isulad/seccomp_default.json \
+ --security-opt seccomp=${test_data_path}/seccomp_profile_without_archmap.json busybox sh)
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - Failed to run container with multiple seccomp profiles" && ((ret++))
+
+ isula stop "${cid1}" "${cid2}" "${cid3}"
+
+ isula rm -f $(isula ps -qa)
+
+ msg_info "${test} finished with return ${ret}..."
+ return ${ret}
+}
+
+function do_post() {
+ check_valgrind_log
+ start_isulad_with_valgrind
+}
+
+declare -i ans=0
+
+do_pre || ((ans++))
+
+do_test || ((ans++))
+
+do_post
+
+show_result ${ans} "${curr_path}/${0}"
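Review bot: do_test only checks that `isula run` exits successfully with each profile, so it would still pass if the profile without an arch map were accepted but its rules were never applied to the container. The test data denies `getcwd`, so a follow-up step that runs a command inside `${cid2}` which calls getcwd and expects it to fail would confirm that the filter is in effect. Smaller points: the path is unquoted in the realpath line, which could read `test_data_path=$(realpath "$curr_path/test_data")`, and `isula rm -f $(isula ps -qa)` is invoked with no arguments when no containers exist.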
diff --git a/CI/test_cases/container_cases/test_data/seccomp_profile_without_archmap.json b/CI/test_cases/container_cases/test_data/seccomp_profile_without_archmap.json
new file mode 100644
index 00000000..1fade163
--- /dev/null
+++ b/CI/test_cases/container_cases/test_data/seccomp_profile_without_archmap.json
@@ -0,0 +1,11 @@
+{
+ "defaultAction": "SCMP_ACT_ALLOW",
+ "syscalls": [
+ {
+ "names": ["getcwd"],
+ "action": "SCMP_ACT_ERRNO",
+ "args": null
+ }
+ ]
+
+}
--
2.25.1


@ -1,129 +0,0 @@
From 9498a8df59f69acbf75f9aa69fef465350288bb8 Mon Sep 17 00:00:00 2001
From: zhangxiaoyu <zhangxiaoyu58@huawei.com>
Date: Mon, 1 Aug 2022 11:20:31 +0800
Subject: [PATCH 06/21] fix cri attach when stdout and stderr are false
Signed-off-by: zhangxiaoyu <zhangxiaoyu58@huawei.com>
---
.../cri/websocket/service/attach_serve.cc | 28 +++++++++++++------
.../entry/cri/websocket/service/ws_server.cc | 22 +++++++++++++++
.../entry/cri/websocket/service/ws_server.h | 2 ++
3 files changed, 44 insertions(+), 8 deletions(-)
diff --git a/src/daemon/entry/cri/websocket/service/attach_serve.cc b/src/daemon/entry/cri/websocket/service/attach_serve.cc
index abb08363..57711180 100644
--- a/src/daemon/entry/cri/websocket/service/attach_serve.cc
+++ b/src/daemon/entry/cri/websocket/service/attach_serve.cc
@@ -101,31 +101,40 @@ int AttachServe::ExecuteStreamCommand(SessionData *lwsCtx, void *request)
return -1;
}
+ // stdout
struct AttachContext stdoutContext = { 0 };
stdoutContext.lwsCtx = lwsCtx;
stdoutContext.sem = &attachSem;
- stdoutContext.attachWriter = WsWriteStdoutToClient;
+ // write stdout to client if attach stdout is true
+ stdoutContext.attachWriter = m_request->attach_stdout ? WsWriteStdoutToClient : WsDoNotWriteStdoutToClient;
struct io_write_wrapper stdoutstringWriter = { 0 };
stdoutstringWriter.context = static_cast<void *>(&stdoutContext);
stdoutstringWriter.write_func = AttachWriteToClient;
- // the close function of StderrstringWriter is preferred unless StderrstringWriter is nullptr
- stdoutstringWriter.close_func = m_request->attach_stderr ? nullptr : AttachConnectClosed;
+ stdoutstringWriter.close_func = AttachConnectClosed;
+ // stderr
struct AttachContext stderrContext = { 0 };
stderrContext.lwsCtx = lwsCtx;
- stderrContext.sem = &attachSem;
- stderrContext.attachWriter = WsWriteStderrToClient;
+ stderrContext.sem = nullptr;
+ // write stderr to client if attach stderr is true
+ stderrContext.attachWriter = m_request->attach_stderr ? WsWriteStderrToClient : WsDoNotWriteStderrToClient;
struct io_write_wrapper stderrstringWriter = { 0 };
stderrstringWriter.context = static_cast<void *>(&stderrContext);
stderrstringWriter.write_func = AttachWriteToClient;
- stderrstringWriter.close_func = m_request->attach_stderr ? AttachConnectClosed : nullptr;
+ stderrstringWriter.close_func = nullptr;
+
+ // Maybe attach stdout and stderr are both false.
+ // To make sure the close func sem_post, set attach stdout and stderr true.
+ bool record_attach_stdout = m_request->attach_stdout;
+ bool record_attach_stderr = m_request->attach_stderr;
+ m_request->attach_stdout=true;
+ m_request->attach_stderr=true;
container_attach_response *m_response { nullptr };
int ret = cb->container.attach(m_request, &m_response, m_request->attach_stdin ? lwsCtx->pipes.at(0) : -1,
- m_request->attach_stdout ? &stdoutstringWriter : nullptr,
- m_request->attach_stderr ? &stderrstringWriter : nullptr);
+ &stdoutstringWriter, &stderrstringWriter);
if (ret != 0) {
// join io copy thread in attach callback
@@ -139,11 +148,14 @@ int AttachServe::ExecuteStreamCommand(SessionData *lwsCtx, void *request)
}
WsWriteStdoutToClient(lwsCtx, message.c_str(), message.length());
} else {
+ // wait io copy thread complete
(void)sem_wait(&attachSem);
}
(void)sem_destroy(&attachSem);
free_container_attach_response(m_response);
+ m_request->attach_stdout = record_attach_stdout;
+ m_request->attach_stderr = record_attach_stderr;
return ret;
}
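Review bot: The request is modified in place (`m_request->attach_stdout=true;` and the stderr line after it) and restored by hand just before `return ret;`, so any return added between those two points later would leave the caller's request with both flags forced on. A small scope guard that restores the recorded values on every exit path would remove that hazard. At minimum the two assignments should follow the spacing used elsewhere in the function, `m_request->attach_stdout = true;`. ExecuteStreamCommand starts outside the hunk.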
diff --git a/src/daemon/entry/cri/websocket/service/ws_server.cc b/src/daemon/entry/cri/websocket/service/ws_server.cc
index 98c0fee0..08f2cff0 100644
--- a/src/daemon/entry/cri/websocket/service/ws_server.cc
+++ b/src/daemon/entry/cri/websocket/service/ws_server.cc
@@ -703,6 +703,28 @@ ssize_t WsWriteStderrToClient(void *context, const void *data, size_t len)
return WsWriteToClient(context, data, len, STDERRCHANNEL);
}
+ssize_t WsDoNotWriteStdoutToClient(void *context, const void *data, size_t len)
+{
+ if (context == nullptr) {
+ ERROR("websocket session context empty");
+ return -1;
+ }
+
+ TRACE("Ws do not write stdout to client");
+ return len;
+}
+
+ssize_t WsDoNotWriteStderrToClient(void *context, const void *data, size_t len)
+{
+ if (context == nullptr) {
+ ERROR("websocket session context empty");
+ return -1;
+ }
+
+ TRACE("Ws do not write stderr to client");
+ return len;
+}
+
int closeWsConnect(void *context, char **err)
{
(void)err;
diff --git a/src/daemon/entry/cri/websocket/service/ws_server.h b/src/daemon/entry/cri/websocket/service/ws_server.h
index b871aabc..a2a180ec 100644
--- a/src/daemon/entry/cri/websocket/service/ws_server.h
+++ b/src/daemon/entry/cri/websocket/service/ws_server.h
@@ -113,6 +113,8 @@ private:
ssize_t WsWriteStdoutToClient(void *context, const void *data, size_t len);
ssize_t WsWriteStderrToClient(void *context, const void *data, size_t len);
+ssize_t WsDoNotWriteStdoutToClient(void *context, const void *data, size_t len);
+ssize_t WsDoNotWriteStderrToClient(void *context, const void *data, size_t len);
int closeWsConnect(void *context, char **err);
#endif // DAEMON_ENTRY_CRI_WEBSOCKET_SERVICE_WS_SERVER_H
--
2.25.1


@ -1,49 +0,0 @@
From 5174fd2608a25a8f7f4b61be79d125b19fb420f9 Mon Sep 17 00:00:00 2001
From: "Neil.wrz" <wangrunze13@huawei.com>
Date: Tue, 26 Jul 2022 02:08:43 -0700
Subject: [PATCH 07/21] fix cpu-quota out of range when update to -1
Signed-off-by: Neil.wrz <wangrunze13@huawei.com>
---
src/daemon/modules/runtime/engines/engine.h | 2 +-
src/daemon/modules/runtime/engines/lcr/lcr_rt_ops.c | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/daemon/modules/runtime/engines/engine.h b/src/daemon/modules/runtime/engines/engine.h
index 8935f845..95428e0f 100644
--- a/src/daemon/modules/runtime/engines/engine.h
+++ b/src/daemon/modules/runtime/engines/engine.h
@@ -33,7 +33,7 @@ struct engine_cgroup_resources {
uint64_t blkio_weight;
uint64_t cpu_shares;
uint64_t cpu_period;
- uint64_t cpu_quota;
+ int64_t cpu_quota;
char *cpuset_cpus;
char *cpuset_mems;
uint64_t memory_limit;
diff --git a/src/daemon/modules/runtime/engines/lcr/lcr_rt_ops.c b/src/daemon/modules/runtime/engines/lcr/lcr_rt_ops.c
index dd310091..a2b93b72 100644
--- a/src/daemon/modules/runtime/engines/lcr/lcr_rt_ops.c
+++ b/src/daemon/modules/runtime/engines/lcr/lcr_rt_ops.c
@@ -518,7 +518,7 @@ static void to_engine_resources(const host_config *hostconfig, struct engine_cgr
cr->blkio_weight = hostconfig->blkio_weight;
cr->cpu_shares = (uint64_t)hostconfig->cpu_shares;
cr->cpu_period = (uint64_t)hostconfig->cpu_period;
- cr->cpu_quota = (uint64_t)hostconfig->cpu_quota;
+ cr->cpu_quota = hostconfig->cpu_quota;
cr->cpuset_cpus = hostconfig->cpuset_cpus;
cr->cpuset_mems = hostconfig->cpuset_mems;
cr->memory_limit = (uint64_t)hostconfig->memory;
@@ -532,7 +532,7 @@ static void to_engine_resources(const host_config *hostconfig, struct engine_cgr
period = (uint64_t)(100 * Time_Milli / Time_Micro);
quota = hostconfig->nano_cpus * (int64_t)period / 1e9;
cr->cpu_period = period;
- cr->cpu_quota = (uint64_t)quota;
+ cr->cpu_quota = quota;
}
}
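Review bot: With cpu_quota now signed, `cr->cpu_quota = hostconfig->cpu_quota;` passes any negative value through to the runtime, not only the -1 this commit is about, and nothing in these hunks bounds it; validation may exist in a caller that is not visible here. cpu_period on the line above is still converted with `(uint64_t)`, so a negative period would wrap to a very large value. A comment on the struct field, for example `/* signed: -1 means no quota; other negative values are rejected before conversion */`, would record the contract once it has been confirmed. to_engine_resources starts and ends outside the hunk.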
--
2.25.1


@ -1,146 +0,0 @@
From b8fd21e636b643fe9f257a77808d53b067f3d105 Mon Sep 17 00:00:00 2001
From: songbuhuang <544824346@qq.com>
Date: Wed, 3 Aug 2022 16:06:16 +0800
Subject: [PATCH 08/21] stop health check monitor before stopping container
Signed-off-by: songbuhuang <544824346@qq.com>
---
src/daemon/executor/container_cb/execution.c | 2 --
src/daemon/executor/container_cb/execution_extend.c | 2 +-
src/daemon/modules/api/container_api.h | 2 +-
.../modules/container/health_check/health_check.c | 12 ++----------
src/daemon/modules/service/service_container.c | 3 +++
test/mocks/health_check_mock.cc | 4 ++--
test/mocks/health_check_mock.h | 2 +-
.../execute/execution_extend/execution_extend_ut.cc | 2 +-
8 files changed, 11 insertions(+), 18 deletions(-)
diff --git a/src/daemon/executor/container_cb/execution.c b/src/daemon/executor/container_cb/execution.c
index edc8b42e..68d0d8d6 100644
--- a/src/daemon/executor/container_cb/execution.c
+++ b/src/daemon/executor/container_cb/execution.c
@@ -676,8 +676,6 @@ static int container_stop_cb(const container_stop_request *request, container_st
goto pack_response;
}
- container_stop_health_checks(id);
-
if (stop_container(cont, timeout, force, false)) {
cc = ISULAD_ERR_EXEC;
container_state_set_error(cont->state, (const char *)g_isulad_errmsg);
diff --git a/src/daemon/executor/container_cb/execution_extend.c b/src/daemon/executor/container_cb/execution_extend.c
index 9c2a213b..b0da705e 100644
--- a/src/daemon/executor/container_cb/execution_extend.c
+++ b/src/daemon/executor/container_cb/execution_extend.c
@@ -715,7 +715,7 @@ static int do_pause_container(container_t *cont)
params.rootpath = cont->root_path;
params.state = cont->state_path;
- container_stop_health_checks(cont->common_config->id);
+ container_stop_health_checks(cont);
if (runtime_pause(id, cont->runtime, &params)) {
container_update_health_monitor(cont->common_config->id);
diff --git a/src/daemon/modules/api/container_api.h b/src/daemon/modules/api/container_api.h
index 1140d4d5..ed97633f 100644
--- a/src/daemon/modules/api/container_api.h
+++ b/src/daemon/modules/api/container_api.h
@@ -254,7 +254,7 @@ extern char *container_exit_fifo_create(const char *cont_state_path);
extern int container_exit_fifo_open(const char *cont_exit_fifo);
void container_init_health_monitor(const char *id);
-void container_stop_health_checks(const char *container_id);
+void container_stop_health_checks(container_t *cont);
bool container_is_in_gc_progress(const char *id);
diff --git a/src/daemon/modules/container/health_check/health_check.c b/src/daemon/modules/container/health_check/health_check.c
index b2feee91..273d3531 100644
--- a/src/daemon/modules/container/health_check/health_check.c
+++ b/src/daemon/modules/container/health_check/health_check.c
@@ -182,23 +182,15 @@ static void close_health_check_monitor(container_t *cont)
// Called when the container is being stopped (whether because the health check is
// failing or for any other reason).
-void container_stop_health_checks(const char *container_id)
+void container_stop_health_checks(container_t *cont)
{
- container_t *cont = NULL;
-
- if (container_id == NULL) {
- return;
- }
-
- cont = containers_store_get(container_id);
if (cont == NULL) {
- ERROR("Failed to get container info");
return;
}
+
if (cont->state != NULL && cont->state->state != NULL && cont->state->state->health != NULL) {
close_health_check_monitor(cont);
}
- container_unref(cont);
}
/* health check manager free */
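Review bot: container_stop_health_checks() no longer looks the container up and releases it with container_unref(), so it now depends on the caller keeping `cont` alive for the duration of the call, and the comment above the function does not say so. Adding a line such as `// The caller must hold a reference on cont; this function does not take or drop one.` would make the ownership rule explicit for the call sites in stop_container and do_pause_container.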
diff --git a/src/daemon/modules/service/service_container.c b/src/daemon/modules/service/service_container.c
index a9b14043..2f688f57 100644
--- a/src/daemon/modules/service/service_container.c
+++ b/src/daemon/modules/service/service_container.c
@@ -1401,6 +1401,9 @@ int stop_container(container_t *cont, int timeout, bool force, bool restart)
ret = -1;
goto out;
}
+
+ container_stop_health_checks(cont);
+
// set AutoRemove flag to false before stop so the container won't be
// removed during restart process
if (restart) {
diff --git a/test/mocks/health_check_mock.cc b/test/mocks/health_check_mock.cc
index eab18be7..5e2f210b 100644
--- a/test/mocks/health_check_mock.cc
+++ b/test/mocks/health_check_mock.cc
@@ -32,10 +32,10 @@ void container_update_health_monitor(const char *container_id)
return;
}
-void container_stop_health_checks(const char *container_id)
+void container_stop_health_checks(container_t *cont)
{
if (g_health_check_mock != nullptr) {
- return g_health_check_mock->ContainerStopHealthCheck(container_id);
+ return g_health_check_mock->ContainerStopHealthCheck(cont);
}
return;
}
diff --git a/test/mocks/health_check_mock.h b/test/mocks/health_check_mock.h
index ab8e20b0..29dad8ca 100644
--- a/test/mocks/health_check_mock.h
+++ b/test/mocks/health_check_mock.h
@@ -22,7 +22,7 @@
class MockHealthCheck {
public:
MOCK_METHOD1(UpdateHealthMonitor, void(const char *container_id));
- MOCK_METHOD1(ContainerStopHealthCheck, void(const char *container_id));
+ MOCK_METHOD1(ContainerStopHealthCheck, void(container_t *cont));
};
void MockHealthCheck_SetMock(MockHealthCheck* mock);
diff --git a/test/services/execution/execute/execution_extend/execution_extend_ut.cc b/test/services/execution/execute/execution_extend/execution_extend_ut.cc
index 03872340..e4e6d8d4 100644
--- a/test/services/execution/execute/execution_extend/execution_extend_ut.cc
+++ b/test/services/execution/execute/execution_extend/execution_extend_ut.cc
@@ -204,7 +204,7 @@ void invokeStateSetPaused(container_state_t *s)
return;
}
-void invokeContainerStopHealthCheck(const char *container_id)
+void invokeContainerStopHealthCheck(container_t *cont)
{
return;
}
--
2.25.1


@ -1,25 +0,0 @@
From 3d8258777c2265ea00c9fe13a11d37d0b3320e4c Mon Sep 17 00:00:00 2001
From: zhangxiaoyu <zhangxiaoyu58@huawei.com>
Date: Fri, 5 Aug 2022 14:37:38 +0800
Subject: [PATCH 09/21] set dup_option null after free
Signed-off-by: zhangxiaoyu <zhangxiaoyu58@huawei.com>
---
.../oci/storage/layer_store/graphdriver/devmapper/deviceset.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c
index a0e749dd..10c7fafd 100644
--- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c
+++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c
@@ -239,6 +239,7 @@ static int devmapper_parse_options(struct device_set *devset, const char **optio
}
free(dup_option);
+ dup_option = NULL;
}
out:
--
2.25.1


@ -1,136 +0,0 @@
From 6e0b890c16d851bd29009b8a778234ce9e82339e Mon Sep 17 00:00:00 2001
From: haozi007 <liuhao27@huawei.com>
Date: Mon, 8 Aug 2022 16:46:22 +0800
Subject: [PATCH 10/21] ensure read string must have space store null char
Signed-off-by: haozi007 <liuhao27@huawei.com>
---
src/cmd/isulad-shim/process.c | 2 +-
src/daemon/entry/cri/sysctl_tools.c | 4 ++--
src/daemon/modules/runtime/isula/isula_rt_ops.c | 2 +-
src/daemon/modules/runtime/shim/shim_rt_ops.c | 8 ++++----
src/utils/tar/util_archive.c | 4 ++--
src/utils/tar/util_gzip.c | 2 +-
6 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/src/cmd/isulad-shim/process.c b/src/cmd/isulad-shim/process.c
index cb859920..4d665b26 100644
--- a/src/cmd/isulad-shim/process.c
+++ b/src/cmd/isulad-shim/process.c
@@ -1166,7 +1166,7 @@ int create_process(process_t *p)
close_fd(&p->stdio->err);
close_fd(&p->stdio->resize);
}
- nread = read_nointr(exec_fd[0], exec_buff, sizeof(exec_buff));
+ nread = read_nointr(exec_fd[0], exec_buff, sizeof(exec_buff) - 1);
if (nread > 0) {
write_message(g_log_fd, ERR_MSG, "runtime error");
ret = SHIM_ERR;
diff --git a/src/daemon/entry/cri/sysctl_tools.c b/src/daemon/entry/cri/sysctl_tools.c
index 9883f9ff..257ccf8f 100644
--- a/src/daemon/entry/cri/sysctl_tools.c
+++ b/src/daemon/entry/cri/sysctl_tools.c
@@ -31,7 +31,7 @@ int get_sysctl(const char *sysctl, char **err)
int fd = -1;
ssize_t rsize;
char fullpath[PATH_MAX] = { 0 };
- char buff[MAX_BUFFER_SIZE] = { 0 };
+ char buff[MAX_BUFFER_SIZE + 1] = { 0 };
ret = snprintf(fullpath, PATH_MAX, "%s/%s", SYSCTL_BASE, sysctl);
if (ret < 0 || ret >= PATH_MAX) {
@@ -46,7 +46,7 @@ int get_sysctl(const char *sysctl, char **err)
}
goto free_out;
}
- rsize = util_read_nointr(fd, buff, MAX_BUFFER_SIZE);
+ rsize = util_read_nointr(fd, buff, sizeof(buff) - 1);
if (rsize <= 0) {
if (asprintf(err, "Read file failed: %s", strerror(errno)) < 0) {
*err = util_strdup_s("Out of memory");
diff --git a/src/daemon/modules/runtime/isula/isula_rt_ops.c b/src/daemon/modules/runtime/isula/isula_rt_ops.c
index 42f1cda6..2ccdde2e 100644
--- a/src/daemon/modules/runtime/isula/isula_rt_ops.c
+++ b/src/daemon/modules/runtime/isula/isula_rt_ops.c
@@ -712,7 +712,7 @@ realexec:
}
close(exec_fd[1]);
- num = util_read_nointr(exec_fd[0], exec_buff, sizeof(exec_buff));
+ num = util_read_nointr(exec_fd[0], exec_buff, sizeof(exec_buff) - 1);
close(exec_fd[0]);
if (num > 0) {
ERROR("exec failed: %s", exec_buff);
diff --git a/src/daemon/modules/runtime/shim/shim_rt_ops.c b/src/daemon/modules/runtime/shim/shim_rt_ops.c
index 21d339e5..9c9446a8 100644
--- a/src/daemon/modules/runtime/shim/shim_rt_ops.c
+++ b/src/daemon/modules/runtime/shim/shim_rt_ops.c
@@ -110,7 +110,7 @@ static int shim_bin_v2_create(const char *runtime, const char *id, const char *w
int err_fd[2] = {-1, -1};
int out_fd[2] = {-1, -1};
char exec_buff[BUFSIZ + 1] = {0};
- char stdout_buff[PATH_MAX] = {0};
+ char stdout_buff[PATH_MAX + 1] = {0};
char stderr_buff[BUFSIZ + 1] = {0};
@@ -186,7 +186,7 @@ static int shim_bin_v2_create(const char *runtime, const char *id, const char *w
}
close(exec_fd[1]);
- if (util_read_nointr(exec_fd[0], exec_buff, sizeof(exec_buff)) > 0) {
+ if (util_read_nointr(exec_fd[0], exec_buff, sizeof(exec_buff) - 1) > 0) {
ERROR("exec failed: %s", exec_buff);
ret = -1;
goto out;
@@ -203,10 +203,10 @@ static int shim_bin_v2_create(const char *runtime, const char *id, const char *w
status = status_to_exit_code(status);
close(out_fd[1]);
- util_read_nointr(out_fd[0], stdout_buff, sizeof(stdout_buff));
+ util_read_nointr(out_fd[0], stdout_buff, sizeof(stdout_buff) - 1);
close(out_fd[0]);
close(err_fd[1]);
- util_read_nointr(err_fd[0], stderr_buff, sizeof(stderr_buff));
+ util_read_nointr(err_fd[0], stderr_buff, sizeof(stderr_buff) - 1);
close(err_fd[0]);
if (status != 0) {
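Review bot: The reads into stdout_buff and stderr_buff still discard the return value of util_read_nointr(), so a failed read leaves an empty string that the code after this hunk cannot tell apart from a shim that printed nothing. Checking it, for example `if (util_read_nointr(out_fd[0], stdout_buff, sizeof(stdout_buff) - 1) < 0) { WARN("read shim stdout failed: %s", strerror(errno)); }`, and the same for err_fd, keeps the diagnostic. The NUL termination itself relies on the buffers being zero-initialised at declaration, which holds for the declarations shown in the first hunk of this file. shim_bin_v2_create continues outside the hunk.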
diff --git a/src/utils/tar/util_archive.c b/src/utils/tar/util_archive.c
index 1128b947..da814c94 100644
--- a/src/utils/tar/util_archive.c
+++ b/src/utils/tar/util_archive.c
@@ -596,7 +596,7 @@ int archive_unpack(const struct io_read_wrapper *content, const char *dstdir, co
pid_t pid = -1;
int keepfds[] = { -1, -1, -1 };
int pipe_stderr[2] = { -1, -1 };
- char errbuf[BUFSIZ] = { 0 };
+ char errbuf[BUFSIZ + 1] = { 0 };
if (pipe2(pipe_stderr, O_CLOEXEC) != 0) {
ERROR("Failed to create pipe");
@@ -980,7 +980,7 @@ int archive_chroot_tar(char *path, char *file, char **errmsg)
pid_t pid;
int pipe_for_read[2] = { -1, -1 };
int keepfds[] = { -1, -1 };
- char errbuf[BUFSIZ] = { 0 };
+ char errbuf[BUFSIZ + 1] = { 0 };
int fd = 0;
if (pipe2(pipe_for_read, O_CLOEXEC) != 0) {
diff --git a/src/utils/tar/util_gzip.c b/src/utils/tar/util_gzip.c
index 9b17e9d7..5c34d719 100644
--- a/src/utils/tar/util_gzip.c
+++ b/src/utils/tar/util_gzip.c
@@ -203,7 +203,7 @@ int gzip(const char *filename, size_t len)
}
ssize_t size_read = 0;
- char buffer[BUFSIZ] = { 0 };
+ char buffer[BUFSIZ + 1] = { 0 };
close(pipefd[1]);
--
2.25.1


@ -1,50 +0,0 @@
From 448e4c5b0327916c05d8354e4e99565de7a8129d Mon Sep 17 00:00:00 2001
From: haozi007 <liuhao27@huawei.com>
Date: Tue, 9 Aug 2022 14:36:33 +0800
Subject: [PATCH 11/21] remove unused include files
Signed-off-by: haozi007 <liuhao27@huawei.com>
---
.../storage/layer_store/graphdriver/quota/project_quota.h | 1 -
src/utils/cutils/utils_network.c | 7 -------
2 files changed, 8 deletions(-)
diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/quota/project_quota.h b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/quota/project_quota.h
index 2aae6bcd..94230faa 100644
--- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/quota/project_quota.h
+++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/quota/project_quota.h
@@ -35,7 +35,6 @@
#include <inttypes.h>
#include <linux/magic.h>
#include <linux/dqblk_xfs.h>
-#include <linux/fs.h>
#include <errno.h>
#include <libgen.h>
#include <dirent.h>
diff --git a/src/utils/cutils/utils_network.c b/src/utils/cutils/utils_network.c
index 5192d06f..c77edc3c 100644
--- a/src/utils/cutils/utils_network.c
+++ b/src/utils/cutils/utils_network.c
@@ -18,19 +18,12 @@
#include "utils_network.h"
#include <unistd.h>
-#include <sched.h>
#include <stdlib.h>
#include <pthread.h>
#include <sys/mount.h>
-#include <linux/fs.h>
-#include <syscall.h>
#include <isula_libutils/log.h>
-#include <fcntl.h>
#include "utils.h"
-#include "utils_fs.h"
-#include "utils_file.h"
-#include "constants.h"
int util_create_netns_file(const char *netns_path)
{
--
2.25.1


@ -1,25 +0,0 @@
From ec627e1564baf4e77311c917bde9bddf23b63b9b Mon Sep 17 00:00:00 2001
From: haozi007 <liuhao27@huawei.com>
Date: Wed, 10 Aug 2022 17:40:36 +0800
Subject: [PATCH 12/21] fix lose override flag
Signed-off-by: haozi007 <liuhao27@huawei.com>
---
src/daemon/entry/cri/websocket/service/exec_serve.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/daemon/entry/cri/websocket/service/exec_serve.h b/src/daemon/entry/cri/websocket/service/exec_serve.h
index 65ee6b3a..3f84e0c8 100644
--- a/src/daemon/entry/cri/websocket/service/exec_serve.h
+++ b/src/daemon/entry/cri/websocket/service/exec_serve.h
@@ -37,6 +37,6 @@ private:
virtual void *SetContainerStreamRequest(::google::protobuf::Message *grequest, const std::string &suffix) override;
virtual int ExecuteStreamCommand(SessionData *lwsCtx, void *request) override;
virtual void CloseConnect(SessionData *lwsCtx) override;
- virtual void FreeRequest(void *m_request);
+ virtual void FreeRequest(void *m_request) override;
};
#endif // DAEMON_ENTRY_CRI_WEBSOCKET_SERVICE_EXEC_SERVE_H
--
2.25.1


@ -1,38 +0,0 @@
From e524923aeeeb96f999dd153ea51f778289fade52 Mon Sep 17 00:00:00 2001
From: zhongtao <taozh97@163.com>
Date: Fri, 12 Aug 2022 17:17:44 +0800
Subject: [PATCH 13/21] Add read and execute permissions for libhttpclient.so
and libisulad_tools.so for other users, so that non-root users who join the
isula group can use the isula command normally
---
src/CMakeLists.txt | 2 +-
src/utils/http/CMakeLists.txt | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index b8843f16..65bcb978 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -197,7 +197,7 @@ endif()
# ------ install binary --------
install(TARGETS libisulad_tools
- ${INSTALL_TYPE} DESTINATION ${LIB_INSTALL_DIR_DEFAULT} PERMISSIONS OWNER_READ OWNER_EXECUTE GROUP_READ GROUP_EXECUTE)
+ ${INSTALL_TYPE} DESTINATION ${LIB_INSTALL_DIR_DEFAULT} PERMISSIONS OWNER_READ OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE)
install(TARGETS libisula
${INSTALL_TYPE} DESTINATION ${LIB_INSTALL_DIR_DEFAULT} PERMISSIONS OWNER_READ OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE)
install(TARGETS isula
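Review bot: `WORLD_READ WORLD_EXECUTE` makes libisulad_tools (and libhttpclient in src/utils/http/CMakeLists.txt) loadable by every local account, which is wider than the isula-group members named in the commit message. The group bits were already set, so presumably the installed file's group is not isula. If world access is the intended fix, a comment above each rule would record why, e.g. `# world r-x: non-root isula clients must be able to load this library`. If only group members should gain access, the install step would instead have to give the file the isula group, which these rules do not do.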
diff --git a/src/utils/http/CMakeLists.txt b/src/utils/http/CMakeLists.txt
index 0937cfab..ad7d0747 100644
--- a/src/utils/http/CMakeLists.txt
+++ b/src/utils/http/CMakeLists.txt
@@ -29,4 +29,4 @@ if (ISULAD_GCOV)
endif()
install(TARGETS libhttpclient
- ${INSTALL_TYPE} DESTINATION ${LIB_INSTALL_DIR_DEFAULT} PERMISSIONS OWNER_READ OWNER_EXECUTE GROUP_READ GROUP_EXECUTE)
+ ${INSTALL_TYPE} DESTINATION ${LIB_INSTALL_DIR_DEFAULT} PERMISSIONS OWNER_READ OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE)
--
2.25.1


@ -1,27 +0,0 @@
From dfcd1cbd6403af11d7afed96b0c8e3ca292722f9 Mon Sep 17 00:00:00 2001
From: "Neil.wrz" <wangrunze13@huawei.com>
Date: Fri, 12 Aug 2022 15:30:50 -0700
Subject: [PATCH 14/21] fix exec_request_to_rest forgot to handle suffix
Signed-off-by: Neil.wrz <wangrunze13@huawei.com>
---
src/client/connect/rest/rest_containers_client.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/client/connect/rest/rest_containers_client.c b/src/client/connect/rest/rest_containers_client.c
index 7e549339..dfa20c75 100644
--- a/src/client/connect/rest/rest_containers_client.c
+++ b/src/client/connect/rest/rest_containers_client.c
@@ -1620,6 +1620,9 @@ static int exec_request_to_rest(const struct isula_exec_request *le_request, cha
if (le_request->stderr != NULL) {
crequest->stderr = util_strdup_s(le_request->stderr);
}
+ if (le_request->suffix != NULL) {
+ crequest->suffix = util_strdup_s(le_request->suffix);
+ }
int i = 0;
if (le_request->argc > 0) {
--
2.25.1


@ -1,29 +0,0 @@
From 13c9523f3f69bafc62be8465dea235bdc7e6df4f Mon Sep 17 00:00:00 2001
From: WangFengTu <wangfengtu@huawei.com>
Date: Thu, 11 Aug 2022 20:30:48 +0800
Subject: [PATCH 15/21] add fuzz dict
Signed-off-by: WangFengTu <wangfengtu@huawei.com>
---
test/fuzz/dict/test_volume_mount_spec_fuzz.dict | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/test/fuzz/dict/test_volume_mount_spec_fuzz.dict b/test/fuzz/dict/test_volume_mount_spec_fuzz.dict
index 8ef79c0b..39ae41df 100644
--- a/test/fuzz/dict/test_volume_mount_spec_fuzz.dict
+++ b/test/fuzz/dict/test_volume_mount_spec_fuzz.dict
@@ -31,4 +31,11 @@
"bind-selinux-opts"
"selinux-opts"
"volume-nocopy"
+"volume-nocopy=true"
+"volume-nocopy=false"
"empty"
+"type=bind,src=/bind,dst=/bind,volume-nocopy=true,volume-nocopy=true"
+"type=bind,src=/bind,dst=/bind"
+"type=tmpfs,dst=/tmpfs,volume-nocopy=true"
+"type=squashfs,src=/bind,dst=/tmpfs"
+"type=squashfs,src=/,dst=/tmpfs"
--
2.25.1


@ -1,121 +0,0 @@
From 9d365a82ceea7e50bce8069a9b14a529b6467299 Mon Sep 17 00:00:00 2001
From: haozi007 <liuhao27@huawei.com>
Date: Mon, 15 Aug 2022 19:34:42 +0800
Subject: [PATCH 16/21] [clang-analyzer] ensure agrument with nonnull attirbute
passed nonnull
Signed-off-by: haozi007 <liuhao27@huawei.com>
---
src/daemon/executor/container_cb/execution_create.c | 3 ++-
.../storage/layer_store/graphdriver/devmapper/deviceset.c | 8 +++-----
.../layer_store/graphdriver/devmapper/wrapper_devmapper.c | 4 ++--
src/daemon/modules/spec/specs_mount.c | 6 ++++--
src/utils/cutils/utils_file.c | 3 +--
5 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/src/daemon/executor/container_cb/execution_create.c b/src/daemon/executor/container_cb/execution_create.c
index 626cfbc6..da01a57f 100644
--- a/src/daemon/executor/container_cb/execution_create.c
+++ b/src/daemon/executor/container_cb/execution_create.c
@@ -833,7 +833,8 @@ static int prepare_host_channel(const host_config_host_channel *host_channel, co
}
#endif
- if (host_channel == NULL) {
+ if (host_channel == NULL || host_channel->path_on_host == NULL) {
+ DEBUG("Host channel is not setting.");
goto out;
}
if (util_dir_exists(host_channel->path_on_host)) {
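Review bot: A host channel that is present but has no `path_on_host` now leaves through the same `goto out` as an absent one, with only a DEBUG line, so a half-filled configuration is indistinguishable from "not configured". What `out` returns is outside the hunk, as is the start of prepare_host_channel. Splitting the test and logging the second case at a visible level, e.g. `WARN("Host channel has no path_on_host, skipping");`, would let an operator notice the misconfiguration. The message on the combined branch also reads better as `"Host channel is not set."`.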
diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c
index 10c7fafd..78d8737d 100644
--- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c
+++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c
@@ -3340,15 +3340,14 @@ static int umount_deactivate_dev_all(const struct device_set *devset)
mnt_root = util_path_join(devset->root, "mnt");
if (mnt_root == NULL) {
ERROR("devmapper:join path %s/mnt failed", devset->root);
- ret = -1;
- goto out;
+ return -1;
}
dp = opendir(mnt_root);
if (dp == NULL) {
ERROR("devmapper: open dir %s failed", mnt_root);
- ret = -1;
- goto out;
+ free(mnt_root);
+ return -1;
}
// Do my best to umount all of the device that has been mounted
@@ -3398,7 +3397,6 @@ static int umount_deactivate_dev_all(const struct device_set *devset)
devmapper_device_info_ref_dec(device_info);
}
-out:
closedir(dp);
free(mnt_root);
return ret;
diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/wrapper_devmapper.c b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/wrapper_devmapper.c
index 07d64318..8a1dfff5 100644
--- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/wrapper_devmapper.c
+++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/wrapper_devmapper.c
@@ -393,13 +393,13 @@ void dev_udev_wait(uint32_t cookie)
if (gettimeofday(&start, NULL) != 0) {
ERROR("devmapper: get time failed");
- goto free_out;
+ return;
}
uwait = util_common_calloc_s(sizeof(udev_wait_pth_t));
if (uwait == NULL) {
ERROR("Out of memory");
- goto free_out;
+ return;
}
uwait->cookie = cookie;
uwait->state = DEV_INIT;
diff --git a/src/daemon/modules/spec/specs_mount.c b/src/daemon/modules/spec/specs_mount.c
index 8966293f..12f66d8c 100644
--- a/src/daemon/modules/spec/specs_mount.c
+++ b/src/daemon/modules/spec/specs_mount.c
@@ -3358,7 +3358,7 @@ int merge_conf_mounts(oci_runtime_spec *oci_spec, host_config *host_spec, contai
/* mounts to mount filesystem */
ret = merge_fs_mounts_to_v2_spec(all_fs_mounts, all_fs_mounts_len, v2_spec);
- if (ret) {
+ if (ret != 0) {
ERROR("Failed to merge mounts in to v2 spec");
goto out;
}
@@ -3404,7 +3404,9 @@ int merge_conf_mounts(oci_runtime_spec *oci_spec, host_config *host_spec, contai
}
}
- qsort(all_fs_mounts, all_fs_mounts_len, sizeof(all_fs_mounts[0]), destination_compare);
+ if (all_fs_mounts_len > 0) {
+ qsort(all_fs_mounts, all_fs_mounts_len, sizeof(all_fs_mounts[0]), destination_compare);
+ }
ret = merge_fs_mounts_to_oci_spec(oci_spec, all_fs_mounts, all_fs_mounts_len);
if (ret) {
diff --git a/src/utils/cutils/utils_file.c b/src/utils/cutils/utils_file.c
index 00f586f1..67e7a707 100644
--- a/src/utils/cutils/utils_file.c
+++ b/src/utils/cutils/utils_file.c
@@ -1531,8 +1531,7 @@ int util_atomic_write_file(const char *fname, const char *content, size_t conten
tmp_file = get_random_tmp_file(fname);
if (tmp_file == NULL) {
ERROR("Failed to get tmp file for %s", fname);
- ret = -1;
- goto free_out;
+ return -1;
}
ret = do_atomic_write_file(tmp_file, content, content_len, mode, sync);
--
2.25.1


@ -1,26 +0,0 @@
From 53ba0431c50a618bee0e17315ec176e6c400ed86 Mon Sep 17 00:00:00 2001
From: WangFengTu <wangfengtu@huawei.com>
Date: Mon, 15 Aug 2022 19:41:27 +0800
Subject: [PATCH 17/21] change default umask to 0022
Signed-off-by: WangFengTu <wangfengtu@huawei.com>
---
src/contrib/config/daemon.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/contrib/config/daemon.json b/src/contrib/config/daemon.json
index 92cd6c47..75fc25ad 100644
--- a/src/contrib/config/daemon.json
+++ b/src/contrib/config/daemon.json
@@ -27,7 +27,7 @@
"insecure-registries": [
],
"pod-sandbox-image": "",
- "native.umask": "secure",
+ "native.umask": "normal",
"network-plugin": "",
"cni-bin-dir": "",
"cni-conf-dir": "",
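Review bot: Changing the shipped default of `native.umask` from `secure` to `normal` relaxes the mask to the 0022 named in the subject, so files created under it (presumably by container processes) become readable by other users unless the workload sets its own umask. Neither the patch nor its description says why the stricter default was dropped. JSON cannot carry a comment, so the reason and the way back (`"native.umask": "secure"`) belong in the commit description or the configuration documentation. Hosts that relied on the old default pick up the change silently when this file is installed on upgrade.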
--
2.25.1


@ -1,208 +0,0 @@
From 348c79c8ee9379f5237d1fdbcdb3678c9a9e9527 Mon Sep 17 00:00:00 2001
From: haozi007 <liuhao27@huawei.com>
Date: Tue, 16 Aug 2022 10:23:39 +0800
Subject: [PATCH 18/21] [clang-analyzer] remove dead assignment
Signed-off-by: haozi007 <liuhao27@huawei.com>
---
src/cmd/isulad-shim/process.c | 2 +-
src/cmd/options/opt_log.c | 4 ++++
src/daemon/executor/container_cb/execution_network.c | 1 -
src/daemon/modules/image/oci/oci_import.c | 2 --
src/daemon/modules/image/oci/registry/auths.c | 2 +-
src/daemon/modules/image/oci/registry/registry.c | 4 +---
.../graphdriver/overlay2/driver_overlay2.c | 2 +-
.../image/oci/storage/layer_store/layer_store.c | 12 ++++++++----
src/daemon/modules/log/log_gather.c | 1 -
src/daemon/modules/plugin/plugin.c | 1 -
src/utils/cutils/map/map.c | 2 +-
src/utils/cutils/path.c | 2 +-
12 files changed, 18 insertions(+), 17 deletions(-)
diff --git a/src/cmd/isulad-shim/process.c b/src/cmd/isulad-shim/process.c
index 4d665b26..c8ce7a44 100644
--- a/src/cmd/isulad-shim/process.c
+++ b/src/cmd/isulad-shim/process.c
@@ -297,7 +297,7 @@ static void *do_io_copy(void *data)
}
fd_node_t *fn = ioc->fd_to;
- fd_node_t *next = fn;
+ fd_node_t *next = NULL;
for (; fn != NULL; fn = next) {
next = fn->next;
if (fn->is_log) {
diff --git a/src/cmd/options/opt_log.c b/src/cmd/options/opt_log.c
index 7ec7591f..b1abcfaf 100644
--- a/src/cmd/options/opt_log.c
+++ b/src/cmd/options/opt_log.c
@@ -162,6 +162,10 @@ bool parse_container_log_opt(const char *key, const char *val, json_map_string_s
}
nret = append_json_map_string_string(opts, support_parsers[i].real_key, parsed_val);
free(parsed_val);
+ if (nret != 0) {
+ ERROR("Out of memory.");
+ return false;
+ }
return true;
}
}
diff --git a/src/daemon/executor/container_cb/execution_network.c b/src/daemon/executor/container_cb/execution_network.c
index 6ca79a8c..fa0ec612 100644
--- a/src/daemon/executor/container_cb/execution_network.c
+++ b/src/daemon/executor/container_cb/execution_network.c
@@ -625,7 +625,6 @@ static int merge_resolv(const host_config *host_spec, const char *rootfs, const
if (ret != 0) {
WARN("Failed to handle resolv config %s, skip", pline);
free(tmp_content);
- ret = 0;
} else {
free(content);
content = tmp_content;
diff --git a/src/daemon/modules/image/oci/oci_import.c b/src/daemon/modules/image/oci/oci_import.c
index ae2f547a..335ee8d4 100644
--- a/src/daemon/modules/image/oci/oci_import.c
+++ b/src/daemon/modules/image/oci/oci_import.c
@@ -335,8 +335,6 @@ static int register_image(import_desc *desc)
ret = -1;
goto out;
}
-
- ret = 0;
}
image_created = true;
diff --git a/src/daemon/modules/image/oci/registry/auths.c b/src/daemon/modules/image/oci/registry/auths.c
index 02b9753c..a95127f2 100644
--- a/src/daemon/modules/image/oci/registry/auths.c
+++ b/src/daemon/modules/image/oci/registry/auths.c
@@ -218,7 +218,7 @@ out:
free(err);
err = NULL;
- return 0;
+ return ret;
}
static int add_allocated_auth(registry_auths *auths, char *host, char *auth)
diff --git a/src/daemon/modules/image/oci/registry/registry.c b/src/daemon/modules/image/oci/registry/registry.c
index e6369f90..17464c34 100644
--- a/src/daemon/modules/image/oci/registry/registry.c
+++ b/src/daemon/modules/image/oci/registry/registry.c
@@ -696,6 +696,7 @@ static int create_image(pull_descriptor *desc, char *image_id, bool *reuse)
goto out;
}
+ *reuse = false;
ret = storage_img_create(image_id, top_layer_id, NULL, &opts);
if (ret != 0) {
pre_top_layer = storage_get_img_top_layer(image_id);
@@ -712,10 +713,7 @@ static int create_image(pull_descriptor *desc, char *image_id, bool *reuse)
goto out;
}
- ret = 0;
*reuse = true;
- } else {
- *reuse = false;
}
ret = storage_img_add_name(image_id, desc->dest_image_name);
diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c
index 7a45f880..eac40eb4 100644
--- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c
+++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c
@@ -475,7 +475,7 @@ static int do_diff_symlink(const char *id, char *link_id, const char *driver_hom
}
nret = symlink(target_path, clean_path);
- if (ret < 0) {
+ if (nret < 0) {
SYSERROR("Failed to create symlink from \"%s\" to \"%s\"", clean_path, target_path);
ret = -1;
goto out;
diff --git a/src/daemon/modules/image/oci/storage/layer_store/layer_store.c b/src/daemon/modules/image/oci/storage/layer_store/layer_store.c
index 208bb3bc..cd18c6aa 100644
--- a/src/daemon/modules/image/oci/storage/layer_store/layer_store.c
+++ b/src/daemon/modules/image/oci/storage/layer_store/layer_store.c
@@ -885,12 +885,12 @@ static char *caculate_playload(struct archive *ar)
break;
}
if (r != ARCHIVE_OK) {
- nret = -1;
- break;
+ ERROR("Read archive failed");
+ goto out;
}
if (!isula_crc_update(ctab, &crc, block_buf, block_size)) {
- nret = -1;
- break;
+ ERROR("Do crc update failed");
+ goto out;
}
empty = false;
}
@@ -930,6 +930,10 @@ static int archive_entry_parse(struct archive_entry *entry, struct archive *ar,
sentry.position = position;
// caculate playload
sentry.payload = caculate_playload(ar);
+ if (sentry.payload == NULL) {
+ ERROR("Caculate playload failed.");
+ goto out;
+ }
data = storage_entry_generate_json(&sentry, &ctx, &jerr);
if (data == NULL) {
diff --git a/src/daemon/modules/log/log_gather.c b/src/daemon/modules/log/log_gather.c
index 51c112a3..49facaa2 100644
--- a/src/daemon/modules/log/log_gather.c
+++ b/src/daemon/modules/log/log_gather.c
@@ -342,7 +342,6 @@ static int init_log(const struct log_gather_conf *lgconf)
break;
case LOG_GATHER_DRIVER_NOSET:
g_save_log_op = write_into_stdout;
- driver = LOG_GATHER_DRIVER_STDOUT;
COMMAND_ERROR("Unset log driver, use stderr to log.");
break;
default:
diff --git a/src/daemon/modules/plugin/plugin.c b/src/daemon/modules/plugin/plugin.c
index 501271ae..725bca5b 100644
--- a/src/daemon/modules/plugin/plugin.c
+++ b/src/daemon/modules/plugin/plugin.c
@@ -1268,7 +1268,6 @@ int pm_init(void)
ret = pthread_rwlock_init(&gpm->pm_rwlock, NULL);
if (ret != 0) {
- ret = -1;
goto bad;
}
diff --git a/src/utils/cutils/map/map.c b/src/utils/cutils/map/map.c
index 2fe96a54..cca04fe5 100644
--- a/src/utils/cutils/map/map.c
+++ b/src/utils/cutils/map/map.c
@@ -340,7 +340,7 @@ map_t *map_new(map_type_t kvtype, map_cmp_func comparator, map_kvfree_func kvfre
} else {
freer = kvfree;
}
- cmpor = comparator;
+
if (is_key_ptr(kvtype) && (comparator == MAP_DEFAULT_CMP_FUNC)) {
cmpor = rbtree_ptr_cmp;
} else if (is_key_int(kvtype) && (comparator == MAP_DEFAULT_CMP_FUNC)) {
diff --git a/src/utils/cutils/path.c b/src/utils/cutils/path.c
index 2446f479..79cd7af6 100644
--- a/src/utils/cutils/path.c
+++ b/src/utils/cutils/path.c
@@ -55,7 +55,7 @@ static int do_clean_path(const char *respath, const char *limit_respath, const c
char *dest = *dst;
const char *endpos = NULL;
- for (endpos = stpos; *stpos; stpos = endpos) {
+ for (; *stpos; stpos = endpos) {
while (ISSLASH(*stpos)) {
++stpos;
}
--
2.25.1


@ -1,188 +0,0 @@
From befc89eb26ff693ecb4fc5209985da9183bfd796 Mon Sep 17 00:00:00 2001
From: haozi007 <liuhao27@huawei.com>
Date: Tue, 16 Aug 2022 16:12:13 +0800
Subject: [PATCH 19/21] [clang-anaylzer] ensure derenference of non-null
pointer
1. ensure derenference non-null pointer;
2. fix double free;
Signed-off-by: haozi007 <liuhao27@huawei.com>
---
src/cmd/isula/information/ps.c | 5 ++---
.../entry/cri/cri_pod_sandbox_manager_service_impl.cc | 2 +-
src/daemon/executor/image_cb/image_cb.c | 10 ++++------
.../modules/container/container_events_handler.c | 3 +--
.../modules/container/health_check/health_check.c | 3 ++-
src/daemon/modules/image/oci/registry/http_request.c | 5 ++---
.../image/oci/storage/image_store/image_store.c | 2 +-
src/daemon/modules/spec/specs.c | 5 +++--
8 files changed, 16 insertions(+), 19 deletions(-)
diff --git a/src/cmd/isula/information/ps.c b/src/cmd/isula/information/ps.c
index 805cbbd6..71c01acb 100644
--- a/src/cmd/isula/information/ps.c
+++ b/src/cmd/isula/information/ps.c
@@ -731,6 +731,7 @@ static int append_first_non_header_field(const char *index, struct filters *ff)
goto out;
}
tmp->name = first_non_field;
+ first_non_field = NULL;
tmp->is_field = false;
if (append_field(ff, tmp) != 0) {
ERROR("Failed to append field");
@@ -738,7 +739,6 @@ static int append_first_non_header_field(const char *index, struct filters *ff)
goto out;
}
tmp = NULL;
- first_non_field = NULL;
out:
free_filter_field(tmp);
@@ -870,15 +870,14 @@ static int append_header_item_field(const char *index, const char *prefix, const
goto out;
}
field->name = filter_string;
+ filter_string = NULL;
field->is_field = true;
if (append_field(ff, field) != 0) {
ERROR("Failed to append field");
ret = -1;
goto out;
}
-
field = NULL;
- filter_string = NULL;
out:
free(sub_patten);
diff --git a/src/daemon/entry/cri/cri_pod_sandbox_manager_service_impl.cc b/src/daemon/entry/cri/cri_pod_sandbox_manager_service_impl.cc
index f0c0c6bb..fc0616e8 100644
--- a/src/daemon/entry/cri/cri_pod_sandbox_manager_service_impl.cc
+++ b/src/daemon/entry/cri/cri_pod_sandbox_manager_service_impl.cc
@@ -851,7 +851,7 @@ auto PodSandboxManagerServiceImpl::RemoveAllContainersInSandbox(const std::strin
}
// Remove all containers in the sandbox.
- for (size_t i = 0; i < list_response->containers_len; i++) {
+ for (size_t i = 0; list_response != nullptr && i < list_response->containers_len; i++) {
Errors rmError;
CRIHelpers::RemoveContainer(m_cb, list_response->containers[i]->id, rmError);
if (rmError.NotEmpty() && !CRIHelpers::IsContainerNotFoundError(rmError.GetMessage())) {
diff --git a/src/daemon/executor/image_cb/image_cb.c b/src/daemon/executor/image_cb/image_cb.c
index 75ae7b74..55e12d51 100644
--- a/src/daemon/executor/image_cb/image_cb.c
+++ b/src/daemon/executor/image_cb/image_cb.c
@@ -1009,8 +1009,7 @@ static int image_pull_cb(const image_pull_image_request *request, image_pull_ima
*response = util_common_calloc_s(sizeof(image_pull_image_response));
if (*response == NULL) {
ERROR("Out of memory");
- cc = ISULAD_ERR_MEMOUT;
- goto out;
+ return ISULAD_ERR_MEMOUT;
}
EVENT("Image Event: {Object: %s, Type: Pulling}", request->image_name);
@@ -1030,12 +1029,11 @@ static int image_pull_cb(const image_pull_image_request *request, image_pull_ima
EVENT("Image Event: {Object: %s, Type: Pulled}", request->image_name);
out:
- if (*response != NULL) {
- (*response)->image_ref = util_strdup_s(im_rsp->image_ref);
- (*response)->cc = cc;
+ (*response)->cc = cc;
+ if (im_rsp != NULL) {
(*response)->errmsg = util_strdup_s(im_rsp->errmsg);
+ (*response)->image_ref = util_strdup_s(im_rsp->image_ref);
}
-
free_im_pull_request(im_req);
free_im_pull_response(im_rsp);
diff --git a/src/daemon/modules/container/container_events_handler.c b/src/daemon/modules/container/container_events_handler.c
index 994c11cc..55dbfbe6 100644
--- a/src/daemon/modules/container/container_events_handler.c
+++ b/src/daemon/modules/container/container_events_handler.c
@@ -282,8 +282,7 @@ int container_events_handler_post_events(const struct isulad_events_format *even
cont = containers_store_get(event->id);
if (cont == NULL) {
ERROR("No such container:%s", event->id);
- ret = -1;
- goto out;
+ return -1;
}
it = util_common_calloc_s(sizeof(struct linked_list));
diff --git a/src/daemon/modules/container/health_check/health_check.c b/src/daemon/modules/container/health_check/health_check.c
index 273d3531..e9dcbdb9 100644
--- a/src/daemon/modules/container/health_check/health_check.c
+++ b/src/daemon/modules/container/health_check/health_check.c
@@ -813,7 +813,8 @@ static void *health_check_monitor(void *arg)
cont = containers_store_get(container_id);
if (cont == NULL) {
ERROR("Failed to get container info");
- goto out;
+ free(container_id);
+ return NULL;
}
set_monitor_exist_flag(cont->health_check, true);
if (util_get_now_time_stamp(&start_timestamp) == false) {
diff --git a/src/daemon/modules/image/oci/registry/http_request.c b/src/daemon/modules/image/oci/registry/http_request.c
index e812f947..f29c2017 100644
--- a/src/daemon/modules/image/oci/registry/http_request.c
+++ b/src/daemon/modules/image/oci/registry/http_request.c
@@ -704,9 +704,8 @@ int http_request_file(pull_descriptor *desc, const char *url, const char **custo
options = util_common_calloc_s(sizeof(struct http_get_options));
if (options == NULL) {
- ERROR("Failed to malloc http_get_options");
- ret = -1;
- goto out;
+ ERROR("Out of memory");
+ return -1;
}
memset(options, 0x00, sizeof(struct http_get_options));
diff --git a/src/daemon/modules/image/oci/storage/image_store/image_store.c b/src/daemon/modules/image/oci/storage/image_store/image_store.c
index 3ee69ee7..9dab66fd 100644
--- a/src/daemon/modules/image/oci/storage/image_store/image_store.c
+++ b/src/daemon/modules/image/oci/storage/image_store/image_store.c
@@ -2026,7 +2026,7 @@ static bool validate_digest(const char *digest)
char *encode = NULL;
// contains ':' and is not the last character
- if (index == NULL && index - value + 1 == strlen(value)) {
+ if (index == NULL || index - value + 1 == strlen(value)) {
INFO("Invalid checksum digest format");
ret = false;
goto out;
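Review bot: With `||` the NULL case now short-circuits correctly, but `index - value + 1 == strlen(value)` still compares a signed pointer difference with a `size_t` and scans the whole string just to learn whether ':' is the last character. Assuming `index` is the result of a search inside `value` (its assignment is above the hunk), `if (index == NULL || index[1] == '\0') {` states the same condition directly and avoids the mixed-sign comparison. The comment above the test describes the valid form while the branch handles the invalid one; `// reject a digest with no ':' or with ':' as its last character` would match the code.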
diff --git a/src/daemon/modules/spec/specs.c b/src/daemon/modules/spec/specs.c
index cf4aa111..44e38674 100644
--- a/src/daemon/modules/spec/specs.c
+++ b/src/daemon/modules/spec/specs.c
@@ -1794,12 +1794,12 @@ int parse_security_opt(const host_config *host_spec, bool *no_new_privileges, ch
continue;
}
- if (split_security_opt(host_spec->security_opt[i], &items, &items_size)) {
+ if (split_security_opt(host_spec->security_opt[i], &items, &items_size) != 0) {
ret = -1;
goto out;
}
- if (items_size != 2) {
+ if (items == NULL || items_size != 2) {
ERROR("invalid --security-opt: %s", host_spec->security_opt[i]);
ret = -1;
goto out;
@@ -1823,6 +1823,7 @@ int parse_security_opt(const host_config *host_spec, bool *no_new_privileges, ch
}
util_free_array(items);
items = NULL;
+ items_size = 0;
}
out:
--
2.25.1


@ -1,141 +0,0 @@
From 2cc83682862c28c05f68c0070b26f8dfa36bd2f7 Mon Sep 17 00:00:00 2001
From: WangFengTu <wangfengtu@huawei.com>
Date: Tue, 16 Aug 2022 10:07:09 +0800
Subject: [PATCH 20/21] do clean path and check if file exist
Signed-off-by: WangFengTu <wangfengtu@huawei.com>
---
src/daemon/executor/image_cb/image_cb.c | 19 +++++++++++++++++--
src/daemon/modules/image/oci/oci_export.c | 20 ++++++++++++++++++--
2 files changed, 35 insertions(+), 4 deletions(-)
diff --git a/src/daemon/executor/image_cb/image_cb.c b/src/daemon/executor/image_cb/image_cb.c
index 55e12d51..5beda5f4 100644
--- a/src/daemon/executor/image_cb/image_cb.c
+++ b/src/daemon/executor/image_cb/image_cb.c
@@ -55,11 +55,13 @@
#include "utils_regex.h"
#include "utils_timestamp.h"
#include "utils_verify.h"
+#include "path.h"
static int do_import_image(const char *file, const char *tag, char **id)
{
int ret = 0;
im_import_request *request = NULL;
+ char cleanpath[PATH_MAX] = { 0 };
if (file == NULL || tag == NULL || id == NULL) {
ERROR("Invalid input arguments");
@@ -67,6 +69,12 @@ static int do_import_image(const char *file, const char *tag, char **id)
goto out;
}
+ if (util_clean_path(file, cleanpath, sizeof(cleanpath)) == NULL) {
+ ERROR("clean path for %s failed", file);
+ ret = -1;
+ goto out;
+ }
+
request = util_common_calloc_s(sizeof(im_import_request));
if (request == NULL) {
ERROR("Out of memory");
@@ -75,7 +83,7 @@ static int do_import_image(const char *file, const char *tag, char **id)
}
request->tag = util_strdup_s(tag);
- request->file = util_strdup_s(file);
+ request->file = util_strdup_s(cleanpath);
ret = im_import_image(request, id);
if (ret != 0) {
@@ -147,6 +155,7 @@ static int do_load_image(const char *file, const char *tag, const char *type)
int ret = 0;
im_load_request *request = NULL;
im_load_response *response = NULL;
+ char cleanpath[PATH_MAX] = { 0 };
if (file == NULL || type == NULL) {
ERROR("Invalid input arguments");
@@ -154,6 +163,12 @@ static int do_load_image(const char *file, const char *tag, const char *type)
goto out;
}
+ if (util_clean_path(file, cleanpath, sizeof(cleanpath)) == NULL) {
+ ERROR("clean path for %s failed", file);
+ ret = -1;
+ goto out;
+ }
+
request = util_common_calloc_s(sizeof(im_load_request));
if (request == NULL) {
ERROR("Out of memory");
@@ -163,7 +178,7 @@ static int do_load_image(const char *file, const char *tag, const char *type)
if (tag != NULL) {
request->tag = util_strdup_s(tag);
}
- request->file = util_strdup_s(file);
+ request->file = util_strdup_s(cleanpath);
request->type = util_strdup_s(type);
ret = im_load_image(request, &response);
diff --git a/src/daemon/modules/image/oci/oci_export.c b/src/daemon/modules/image/oci/oci_export.c
index 4b9d5183..e27ed6d8 100644
--- a/src/daemon/modules/image/oci/oci_export.c
+++ b/src/daemon/modules/image/oci/oci_export.c
@@ -15,11 +15,14 @@
#include "oci_export.h"
#include <stdbool.h>
#include <stdlib.h>
+#include <linux/limits.h>
#include "storage.h"
#include "isula_libutils/log.h"
#include "err_msg.h"
#include "util_archive.h"
+#include "path.h"
+#include "utils_file.h"
int oci_do_export(char *id, char *file)
{
@@ -27,12 +30,25 @@ int oci_do_export(char *id, char *file)
int ret2 = 0;
char *mount_point = NULL;
char *errmsg = NULL;
+ char cleanpath[PATH_MAX] = { 0 };
if (id == NULL || file == NULL) {
ERROR("Invalid NULL param");
return -1;
}
+ if (util_clean_path(file, cleanpath, sizeof(cleanpath)) == NULL) {
+ ERROR("clean path for %s failed", file);
+ ret = -1;
+ goto out;
+ }
+
+ if (util_fileself_exists(cleanpath)) {
+ ERROR("dst file %s exist", cleanpath);
+ ret = -1;
+ goto out;
+ }
+
mount_point = storage_rootfs_mount(id);
if (mount_point == NULL) {
ERROR("mount container %s failed", id);
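Review bot: The two new failure branches in oci_do_export leave through `goto out` although nothing has been mounted yet, while the NULL-argument check just above them uses `return -1` and the mount-failure branch appears to do the same. The `out` label is outside the hunk. If it unmounts the container rootfs, as the `storage_rootfs_mount` call suggests, a rejected path would trigger an unmount that this call never paired with a mount. Using `return -1;` in both new branches, in place of `ret = -1; goto out;`, keeps pre-mount failures free of cleanup side effects.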
@@ -40,9 +56,9 @@ int oci_do_export(char *id, char *file)
return -1;
}
- ret = archive_chroot_tar(mount_point, file, &errmsg);
+ ret = archive_chroot_tar(mount_point, cleanpath, &errmsg);
if (ret != 0) {
- ERROR("failed to export container %s to file %s: %s", id, file, errmsg);
+ ERROR("failed to export container %s to file %s: %s", id, cleanpath, errmsg);
isulad_set_error_message("Failed to export rootfs with error: %s", errmsg);
goto out;
}
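Review bot: `util_fileself_exists(cleanpath)` in the previous hunk and the `archive_chroot_tar(mount_point, cleanpath, &errmsg)` call here form a check followed by a separate create, so the "destination must not exist" rule holds only if nothing creates the path in between. The gap can only be closed where the file is opened. The open inside archive_chroot_tar (not visible here) should create the destination exclusively and without following a symlink, e.g. `open(file, O_CREAT | O_EXCL | O_WRONLY | O_NOFOLLOW | O_CLOEXEC, mode)` with the mode the function already uses, and report `EEXIST`. With that in place the pre-check is only an earlier, friendlier error message.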
--
2.25.1


@ -1,157 +0,0 @@
From 1530d542f0beaf9aca8eee68096996240a755b1c Mon Sep 17 00:00:00 2001
From: haozi007 <liuhao27@huawei.com>
Date: Tue, 16 Aug 2022 19:50:29 +0800
Subject: [PATCH 21/21] [clang-analyzer] fix memory leak and use after free
Signed-off-by: haozi007 <liuhao27@huawei.com>
---
.../connect/grpc/grpc_containers_client.cc | 5 +++++
.../entry/cri/websocket/service/ws_server.cc | 1 +
.../oci/storage/layer_store/layer_store.c | 21 +++++++++----------
src/utils/cpputils/url.cc | 2 +-
src/utils/cutils/utils_file.c | 2 +-
5 files changed, 18 insertions(+), 13 deletions(-)
diff --git a/src/client/connect/grpc/grpc_containers_client.cc b/src/client/connect/grpc/grpc_containers_client.cc
index 85cafe9b..33c7c631 100644
--- a/src/client/connect/grpc/grpc_containers_client.cc
+++ b/src/client/connect/grpc/grpc_containers_client.cc
@@ -1926,6 +1926,7 @@ public:
ClientBaseConstants::COMMON_NAME_LEN);
if (ret != 0) {
ERROR("Failed to get common name in: %s", m_certFile.c_str());
+ delete ctx;
return -1;
}
ctx->context.AddMetadata("username", std::string(common_name_value, strlen(common_name_value)));
@@ -1945,11 +1946,15 @@ public:
ERROR("Invalid json: %s", err);
free(err);
CopyFromContainerFinish(ctx, &response->errmsg);
+ delete ctx->reader;
+ delete ctx;
return -1;
}
free(err);
} else {
CopyFromContainerFinish(ctx, &response->errmsg);
+ delete ctx->reader;
+ delete ctx;
return -1;
}
// Ignore the first reader which is used for transform metadata
diff --git a/src/daemon/entry/cri/websocket/service/ws_server.cc b/src/daemon/entry/cri/websocket/service/ws_server.cc
index 08f2cff0..63afc9dd 100644
--- a/src/daemon/entry/cri/websocket/service/ws_server.cc
+++ b/src/daemon/entry/cri/websocket/service/ws_server.cc
@@ -391,6 +391,7 @@ int WebsocketServer::RegisterStreamTask(struct lws *wsi) noexcept
}
if (GenerateSessionData(session, containerID) != 0) {
ERROR("failed to fill generate session data");
+ delete session;
return -1;
}
diff --git a/src/daemon/modules/image/oci/storage/layer_store/layer_store.c b/src/daemon/modules/image/oci/storage/layer_store/layer_store.c
index cd18c6aa..e563a8ef 100644
--- a/src/daemon/modules/image/oci/storage/layer_store/layer_store.c
+++ b/src/daemon/modules/image/oci/storage/layer_store/layer_store.c
@@ -853,7 +853,7 @@ static void free_storage_entry_data(storage_entry *entry)
}
}
-static char *caculate_playload(struct archive *ar)
+static int caculate_playload(struct archive *ar, char **result)
{
int r = 0;
unsigned char *block_buf = NULL;
@@ -863,8 +863,7 @@ static char *caculate_playload(struct archive *ar)
#else
off_t block_offset = 0;
#endif
- char *ret = NULL;
- int nret = 0;
+ int ret = 0;
const isula_crc_table_t *ctab = NULL;
uint64_t crc = 0;
// max crc bits is 8
@@ -876,7 +875,7 @@ static char *caculate_playload(struct archive *ar)
ctab = new_isula_crc_table(ISO_POLY);
if (ctab == NULL) {
- return NULL;
+ return -1;
}
for (;;) {
@@ -886,10 +885,12 @@ static char *caculate_playload(struct archive *ar)
}
if (r != ARCHIVE_OK) {
ERROR("Read archive failed");
+ ret = -1;
goto out;
}
if (!isula_crc_update(ctab, &crc, block_buf, block_size)) {
ERROR("Do crc update failed");
+ ret = -1;
goto out;
}
empty = false;
@@ -903,10 +904,9 @@ static char *caculate_playload(struct archive *ar)
for (r = 0; r < 8; r++) {
tmp_data[r] = sum_data[r];
}
- nret = util_base64_encode(tmp_data, 8, &ret);
-
- if (nret != 0) {
- return NULL;
+ ret = util_base64_encode(tmp_data, 8, result);
+ if (ret != 0) {
+ ERROR("Do encode failed");
}
out:
@@ -929,9 +929,8 @@ static int archive_entry_parse(struct archive_entry *entry, struct archive *ar,
sentry.size = archive_entry_size(entry);
sentry.position = position;
// caculate playload
- sentry.payload = caculate_playload(ar);
- if (sentry.payload == NULL) {
- ERROR("Caculate playload failed.");
+ if (caculate_playload(ar, &sentry.payload) != 0) {
+ ERROR("Caculate playload failed");
goto out;
}
diff --git a/src/utils/cpputils/url.cc b/src/utils/cpputils/url.cc
index ab1355a3..c78cf787 100644
--- a/src/utils/cpputils/url.cc
+++ b/src/utils/cpputils/url.cc
@@ -32,7 +32,7 @@ bool GetHexDigit(char c, char &d)
d = c - '0';
} else if (c >= 'a' && c <= 'f') {
d = c - 'a' + 10;
- } else if (c >= 'A' && c <= 'F') {
+ } else {
d = c - 'A' + 10;
}
return true;
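Review bot: The bare `} else {` now computes `d = c - 'A' + 10` for every character that is not `0-9` or `a-f`, and the function still ends in `return true;`. A non-hex byte after `%` in a URL would therefore be decoded to an arbitrary value instead of being rejected, unless every caller validates the character first (the callers are not visible here). The change presumably exists to stop `d` being left unset, which can be achieved without widening what is accepted: keep `} else if (c >= 'A' && c <= 'F') {` and add a final `} else { return false; }`. GetHexDigit begins above this hunk, so the first branch is not shown.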
diff --git a/src/utils/cutils/utils_file.c b/src/utils/cutils/utils_file.c
index 67e7a707..f06f4d49 100644
--- a/src/utils/cutils/utils_file.c
+++ b/src/utils/cutils/utils_file.c
@@ -1549,10 +1549,10 @@ int util_atomic_write_file(const char *fname, const char *content, size_t conten
}
free_out:
- free(tmp_file);
if (ret != 0 && unlink(tmp_file) != 0 && errno != ENOENT) {
SYSERROR("Failed to remove temp file:%s", tmp_file);
}
+ free(tmp_file);
return ret;
}
--
2.25.1


@ -1,5 +1,5 @@
%global _version 2.0.15 %global _version 2.0.16
%global _release 6 %global _release 1
%global is_systemd 1 %global is_systemd 1
%global enable_shimv2 1 %global enable_shimv2 1
%global is_embedded 1 %global is_embedded 1
@ -13,28 +13,6 @@ URL: https://gitee.com/openeuler/iSulad
Source: https://gitee.com/openeuler/iSulad/repository/archive/v%{version}.tar.gz Source: https://gitee.com/openeuler/iSulad/repository/archive/v%{version}.tar.gz
BuildRoot: {_tmppath}/iSulad-%{version} BuildRoot: {_tmppath}/iSulad-%{version}
Patch6000: 0001-do-not-use-tmpfile.patch
Patch6001: 0002-use-only-TLS-v1.2-or-later.patch
Patch6002: 0003-don-t-mount-shareable-dirs-if-user-set-mount-for-dev.patch
Patch6003: 0004-tolerate-arch-unspecified-seccomp-profiles.patch
Patch6004: 0005-add-a-CI-test-case-checking-seccomp-option.patch
Patch6005: 0006-fix-cri-attach-when-stdout-and-stderr-are-false.patch
Patch6006: 0007-fix-cpu-quota-out-of-range-when-update-to-1.patch
Patch6007: 0008-stop-health-check-monitor-before-stopping-container.patch
Patch6008: 0009-set-dup_option-null-after-free.patch
Patch6009: 0010-ensure-read-string-must-have-space-store-null-char.patch
Patch6010: 0011-remove-unused-include-files.patch
Patch6011: 0012-fix-lose-override-flag.patch
Patch6012: 0013-Add-read-and-execute-permissions-for-libhttpclient.s.patch
Patch6013: 0014-fix-exec_request_to_rest-forgot-to-handle-suffix.patch
Patch6014: 0015-add-fuzz-dict.patch
Patch6015: 0016-clang-analyzer-ensure-agrument-with-nonnull-attirbut.patch
Patch6016: 0017-change-default-umask-to-0022.patch
Patch6017: 0018-clang-analyzer-remove-dead-assignment.patch
Patch6018: 0019-clang-anaylzer-ensure-derenference-of-non-null-point.patch
Patch6019: 0020-do-clean-path-and-check-if-file-exist.patch
Patch6020: 0021-clang-analyzer-fix-memory-leak-and-use-after-free.patch
%ifarch x86_64 aarch64 %ifarch x86_64 aarch64
Provides: libhttpclient.so()(64bit) Provides: libhttpclient.so()(64bit)
Provides: libisula.so()(64bit) Provides: libisula.so()(64bit)
@ -261,6 +239,12 @@ fi
%endif %endif
%changelog %changelog
* Tue Aug 23 2022 wangfengtu <wangfengtu@huawei.com> - 2.0.16-1
- Type: enhancement
- ID: NA
- SUG: NA
- DESC: update iSulad version to 2.0.16-1
* Mon Aug 22 2022 zhongtao <zhongtao17@huawei.com> - 2.0.15-6 * Mon Aug 22 2022 zhongtao <zhongtao17@huawei.com> - 2.0.15-6
- Type: enhancement - Type: enhancement
- ID: NA - ID: NA

Binary file not shown.