!632 Upgrade to v2.1.4

* Upgrade to v2.1.4
zhongtao 2023-11-15 03:46:42 +00:00 committed by haozi007
parent f2271d04b4
commit 8c5a1e32f7
51 changed files with 5019 additions and 13328 deletions


@ -1,26 +0,0 @@
From 8dacc4a2740ed3ba99fab88324c50fa37274297d Mon Sep 17 00:00:00 2001
From: xuxuepeng <xuxuepeng1@huawei.com>
Date: Tue, 29 Aug 2023 11:50:52 +0000
Subject: [PATCH 01/33] !2155 Use reference in loop in listpodsandbox * Use
reference in loop in listpodsandbox
---
src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc
index 33b700f3..687f4e6d 100644
--- a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc
+++ b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc
@@ -739,7 +739,7 @@ void PodSandboxManagerService::ListPodSandbox(const runtime::v1::PodSandboxFilte
sandbox::SandboxManager::GetInstance()->ListAllSandboxes(filter, sandboxes);
- for (const auto sandbox : sandboxes) {
+ for (const auto &sandbox : sandboxes) {
std::unique_ptr<runtime::v1::PodSandbox> pod(new runtime::v1::PodSandbox);
pod->set_id(sandbox->GetId());
--
2.40.1


@ -0,0 +1,347 @@
From d1aa4166d8ce7f3db83ff1ffbd54b796943233b3 Mon Sep 17 00:00:00 2001
From: liuxu <liuxu156@huawei.com>
Date: Tue, 24 Oct 2023 16:19:15 +0800
Subject: [PATCH 01/14] sandbox:del m_containers and m_containersMutex
---
.../v1/v1_cri_container_manager_service.cc | 30 -----
.../cri/v1/v1_cri_container_manager_service.h | 1 -
.../v1/v1_cri_pod_sandbox_manager_service.cc | 103 +++++++++++++++---
.../v1/v1_cri_pod_sandbox_manager_service.h | 7 +-
src/daemon/sandbox/sandbox.cc | 31 ------
src/daemon/sandbox/sandbox.h | 7 --
6 files changed, 95 insertions(+), 84 deletions(-)
diff --git a/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc b/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc
index eb19cac6..70629591 100644
--- a/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc
+++ b/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc
@@ -499,7 +499,6 @@ std::string ContainerManagerService::CreateContainer(const std::string &podSandb
}
response_id = response->id;
- sandbox->AddContainer(response_id);
cleanup:
free_container_create_request(request);
@@ -591,37 +590,8 @@ void ContainerManagerService::StopContainer(const std::string &containerID, int6
CRIHelpers::StopContainer(m_cb, containerID, timeout, error);
}
-// TODO: Consider to refactor the way we handle container list in sandbox.
-// This function might be removed after that.
-void ContainerManagerService::RemoveContainerIDFromSandbox(const std::string &containerID)
-{
- std::string realContainerID;
- std::string podSandboxID;
- Errors error;
-
- CRIHelpersV1::GetContainerSandboxID(containerID, realContainerID, podSandboxID, error);
- if (error.NotEmpty()) {
- WARN("Failed to get sandbox id for container %s: %s", containerID.c_str(), error.GetCMessage());
- return;
- }
-
- std::shared_ptr<sandbox::Sandbox> sandbox = sandbox::SandboxManager::GetInstance()->GetSandbox(podSandboxID);
- if (sandbox == nullptr) {
- ERROR("Failed to get sandbox instance: %s for creating container", podSandboxID.c_str());
- error.Errorf("Failed to get sandbox instance: %s for creating container", podSandboxID.c_str());
- return;
- }
-
- sandbox->RemoveContainer(realContainerID);
-}
-
void ContainerManagerService::RemoveContainer(const std::string &containerID, Errors &error)
{
- // TODO: Refactor after adding the ability to use sandbox manager for sandboxid query
- // This will remove container id from sandbox container_list first,
- // if the following operation failed, it could cause inconsistency.
- RemoveContainerIDFromSandbox(containerID);
-
CRIHelpers::RemoveContainer(m_cb, containerID, error);
if (error.NotEmpty()) {
WARN("Failed to remove container %s", containerID.c_str());
diff --git a/src/daemon/entry/cri/v1/v1_cri_container_manager_service.h b/src/daemon/entry/cri/v1/v1_cri_container_manager_service.h
index 31449170..1d210416 100644
--- a/src/daemon/entry/cri/v1/v1_cri_container_manager_service.h
+++ b/src/daemon/entry/cri/v1/v1_cri_container_manager_service.h
@@ -97,7 +97,6 @@ private:
void MakeContainerConfig(const runtime::v1::ContainerConfig &config, container_config *cConfig,
Errors &error);
void CreateContainerLogSymlink(const std::string &containerID, Errors &error);
- void RemoveContainerIDFromSandbox(const std::string &containerID);
void ListContainersFromGRPC(const runtime::v1::ContainerFilter *filter, container_list_request **request,
Errors &error);
void ListContainersToGRPC(container_list_response *response,
diff --git a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc
index 901ef231..2c802900 100644
--- a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc
+++ b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc
@@ -452,20 +452,90 @@ auto PodSandboxManagerService::GetSandboxKey(const container_inspect *inspect_da
return std::string(inspect_data->network_settings->sandbox_key);
}
-auto PodSandboxManagerService::StopAllContainersInSandbox(const std::vector<std::string> &containers,
- Errors &error) -> bool
+auto PodSandboxManagerService::GetContainerListResponse(const std::string &readSandboxID,
+ std::vector<std::string> &errors) -> std::unique_ptr<CStructWrapper<container_list_response>>
{
+ int ret = 0;
+ container_list_request *list_request { nullptr };
+ container_list_response *list_response { nullptr };
+
+ if (m_cb == nullptr || m_cb->container.list == nullptr) {
+ ERROR("Unimplemented callback");
+ errors.push_back("Unimplemented callback");
+ return nullptr;
+ }
+
+ // list all containers to stop
+ auto list_request_wrapper = makeUniquePtrCStructWrapper<container_list_request>(free_container_list_request);
+ if (list_request_wrapper == nullptr) {
+ ERROR("Out of memory");
+ errors.push_back("Out of memory");
+ return nullptr;
+ }
+ list_request = list_request_wrapper->get();
+ list_request->all = true;
+
+ list_request->filters = (defs_filters *)util_common_calloc_s(sizeof(defs_filters));
+ if (list_request->filters == nullptr) {
+ ERROR("Out of memory");
+ errors.push_back("Out of memory");
+ return nullptr;
+ }
+
+ // Add sandbox label
+ if (CRIHelpers::FiltersAddLabel(list_request->filters, CRIHelpers::Constants::SANDBOX_ID_LABEL_KEY,
+ readSandboxID) != 0) {
+ std::string tmp_errmsg = "Failed to add label in sandbox" + readSandboxID;
+ ERROR(tmp_errmsg.c_str());
+ errors.push_back(tmp_errmsg);
+ return nullptr;
+ }
+
+ ret = m_cb->container.list(list_request, &list_response);
+ auto list_response_wrapper = makeUniquePtrCStructWrapper<container_list_response>(list_response, free_container_list_response);
+ if (list_response_wrapper == nullptr) {
+ ERROR("Failed to call list container callback");
+ errors.push_back("Failed to call list container callback");
+ return nullptr;
+ }
+ if (ret != 0) {
+ if (list_response != nullptr && list_response->errmsg != nullptr) {
+ ERROR(list_response->errmsg);
+ errors.push_back(list_response->errmsg);
+ } else {
+ ERROR("Failed to call list container callback");
+ errors.push_back("Failed to call list container callback");
+ }
+ return nullptr;
+ }
+
+ return list_response_wrapper;
+}
+
+auto PodSandboxManagerService::StopAllContainersInSandbox(const std::string &readSandboxID,
+ Errors &error) -> int
+{
+ int ret = 0;
+ std::vector<std::string> errors;
+ auto list_response_wrapper = GetContainerListResponse(readSandboxID, errors);
+ if (list_response_wrapper == nullptr) {
+ error.SetAggregate(errors);
+ return -1;
+ }
+ auto list_response = list_response_wrapper->get();
+
// Stop all containers in the sandbox.
- for (const auto &con : containers) {
+ for (size_t i = 0; i < list_response->containers_len; i++) {
Errors stopError;
- CRIHelpers::StopContainerHelper(m_cb, con, 0, stopError);
+ CRIHelpers::StopContainerHelper(m_cb, list_response->containers[i]->id, 0, stopError);
if (stopError.NotEmpty() && !CRIHelpers::IsContainerNotFoundError(stopError.GetMessage())) {
- ERROR("Error stop container: %s: %s", con.c_str(), stopError.GetCMessage());
+ ERROR("Error stop container: %s: %s", list_response->containers[i]->id, stopError.GetCMessage());
error.SetError(stopError.GetMessage());
- return false;
+ return -1;
}
}
- return true;
+
+ return ret;
}
auto PodSandboxManagerService::GetNetworkReady(const std::string &podSandboxID, Errors &error) -> bool
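Review bot: `ERROR(list_response->errmsg);` and `ERROR(tmp_errmsg.c_str());` in GetContainerListResponse pass runtime text as the format argument of a macro that the neighbouring calls use printf-style, so a `%` in the callback's error message or in the sandbox id would be read as a conversion specifier. Use a literal format instead: `ERROR("%s", list_response->errmsg);` and `ERROR("%s", tmp_errmsg.c_str());`. The message built by `"Failed to add label in sandbox" + readSandboxID` also lacks a space before the id. If `makeUniquePtrCStructWrapper` can return nullptr for a non-null `list_response`, that branch returns without freeing the response; its definition is not visible here, so this needs confirming.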
@@ -508,7 +578,7 @@ void PodSandboxManagerService::StopPodSandbox(const std::string &podSandboxID, E
// Stop all containers inside the sandbox. This terminates the container forcibly,
// and container may still be created, so production should not rely on this behavior.
// TODO: according to the state(stopping and removal) in sandbox to avoid future container creation.
- if (!StopAllContainersInSandbox(sandbox->GetContainers(), error)) {
+ if (StopAllContainersInSandbox(sandbox->GetId(), error) != 0) {
return;
}
@@ -524,15 +594,22 @@ void PodSandboxManagerService::StopPodSandbox(const std::string &podSandboxID, E
sandbox->Stop(sandbox::DEFAULT_STOP_TIMEOUT, error);
}
-void PodSandboxManagerService::RemoveAllContainersInSandbox(const std::vector<std::string> &containers,
+void PodSandboxManagerService::RemoveAllContainersInSandbox(const std::string &readSandboxID,
std::vector<std::string> &errors)
{
+ auto list_response_wrapper = GetContainerListResponse(readSandboxID, errors);
+ if (list_response_wrapper == nullptr) {
+ return;
+ }
+
+ auto list_response = list_response_wrapper->get();
+
// Remove all containers in the sandbox.
- for (const auto &con : containers) {
+ for (size_t i = 0; i < list_response->containers_len; i++) {
Errors rmError;
- CRIHelpers::RemoveContainerHelper(m_cb, con, rmError);
+ CRIHelpers::RemoveContainerHelper(m_cb, list_response->containers[i]->id, rmError);
if (rmError.NotEmpty() && !CRIHelpers::IsContainerNotFoundError(rmError.GetMessage())) {
- ERROR("Error remove container: %s: %s", con.c_str(), rmError.GetCMessage());
+ ERROR("Error remove container: %s: %s", list_response->containers[i]->id, rmError.GetCMessage());
errors.push_back(rmError.GetMessage());
}
}
@@ -598,7 +675,7 @@ void PodSandboxManagerService::RemovePodSandbox(const std::string &podSandboxID,
// Remove all containers inside the sandbox.
// container may still be created, so production should not rely on this behavior.
// TODO: according to the state(stopping and removal) in sandbox to avoid future container creation.
- RemoveAllContainersInSandbox(sandbox->GetContainers(), errors);
+ RemoveAllContainersInSandbox(sandbox->GetId(), errors);
if (errors.size() != 0) {
error.SetAggregate(errors);
return;
diff --git a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.h b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.h
index 48a7cf7f..2bd28007 100644
--- a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.h
+++ b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.h
@@ -32,6 +32,7 @@
#include "cgroup.h"
#include "sandbox.h"
#include "v1_cri_container_manager_service.h"
+#include "cstruct_wrapper.h"
namespace CRIV1 {
class PodSandboxManagerService {
@@ -89,9 +90,11 @@ private:
Errors &error);
void ClearCniNetwork(const std::shared_ptr<sandbox::Sandbox> sandbox, Errors &error);
void StopContainerHelper(const std::string &containerID, Errors &error);
- auto StopAllContainersInSandbox(const std::vector<std::string> &containers, Errors &error) -> bool;
+ auto GetContainerListResponse(const std::string &readSandboxID,
+ std::vector<std::string> &errors) -> std::unique_ptr<CStructWrapper<container_list_response>>;
+ auto StopAllContainersInSandbox(const std::string &readSandboxID, Errors &error) -> int;
auto GetNetworkReady(const std::string &podSandboxID, Errors &error) -> bool;
- void RemoveAllContainersInSandbox(const std::vector<std::string> &containers, std::vector<std::string> &errors);
+ void RemoveAllContainersInSandbox(const std::string &readSandboxID, std::vector<std::string> &errors);
void ClearNetworkReady(const std::string &podSandboxID);
auto SharesHostNetwork(const container_inspect *inspect) -> runtime::v1::NamespaceMode;
auto SharesHostPid(const container_inspect *inspect) -> runtime::v1::NamespaceMode;
diff --git a/src/daemon/sandbox/sandbox.cc b/src/daemon/sandbox/sandbox.cc
index ece28f4d..c8fd30be 100644
--- a/src/daemon/sandbox/sandbox.cc
+++ b/src/daemon/sandbox/sandbox.cc
@@ -135,12 +135,6 @@ auto Sandbox::GetRuntimeHandle() const -> const std::string &
return m_runtimeInfo.runtimeHandler;
}
-auto Sandbox::GetContainers() -> std::vector<std::string>
-{
- ReadGuard<RWMutex> lock(m_containersMutex);
- return m_containers;
-}
-
auto Sandbox::GetSandboxConfig() const -> const runtime::v1::PodSandboxConfig &
{
return *m_sandboxConfig;
@@ -409,27 +403,6 @@ void Sandbox::RemoveLabels(const std::string &key)
m_sandboxConfig->mutable_labels()->erase(key);
}
-void Sandbox::AddContainer(const std::string &id)
-{
- WriteGuard<RWMutex> lock(m_containersMutex);
- m_containers.push_back(id);
-}
-
-void Sandbox::SetConatiners(const std::vector<std::string> &cons)
-{
- WriteGuard<RWMutex> lock(m_containersMutex);
- m_containers = cons;
-}
-
-void Sandbox::RemoveContainer(const std::string &id)
-{
- WriteGuard<RWMutex> lock(m_containersMutex);
- auto it = std::find(m_containers.begin(), m_containers.end(), id);
- if (it != m_containers.end()) {
- m_containers.erase(it);
- }
-}
-
void Sandbox::UpdateNetworkSettings(const std::string &settingsJson, Errors &error)
{
if (settingsJson.length() == 0) {
@@ -1009,8 +982,6 @@ auto Sandbox::LoadMetadata(Errors &error) -> bool
m_networkReady = metadata->get()->network_ready;
m_taskAddress = std::string(metadata->get()->task_address);
m_netNsPath = std::string(metadata->get()->net_ns_path);
- Transform::CharArrayToStringVector((const char **)metadata->get()->containers,
- util_array_len((const char **)metadata->get()->containers), m_containers);
ret = google::protobuf::util::JsonStringToMessage(metadata->get()->sandbox_config_json, &config).ok();
if (!ret) {
@@ -1120,8 +1091,6 @@ void Sandbox::FillSandboxMetadata(sandbox_metadata* metadata, Errors &error)
metadata->task_address = util_strdup_s(m_taskAddress.c_str());
metadata->net_ns_path = util_strdup_s(m_netNsPath.c_str());
- metadata->containers = Transform::StringVectorToCharArray(m_containers);
-
google::protobuf::util::MessageToJsonString(*m_sandboxConfig.get(), &jsonStr);
if (jsonStr.length() == 0) {
error.Errorf("Failed to get sandbox config json for sandbox: '%s'", m_id.c_str());
diff --git a/src/daemon/sandbox/sandbox.h b/src/daemon/sandbox/sandbox.h
index 13ee4958..20a8e338 100644
--- a/src/daemon/sandbox/sandbox.h
+++ b/src/daemon/sandbox/sandbox.h
@@ -104,7 +104,6 @@ public:
auto GetCreatedAt() -> uint64_t;
auto GetPid() -> uint32_t;
auto GetTaskAddress() const -> const std::string &;
- auto GetContainers() -> std::vector<std::string>;
auto GetImage() -> const std::string &;
void SetNetMode(const std::string &mode);
void SetController(std::shared_ptr<Controller> controller);
@@ -112,9 +111,6 @@ public:
void RemoveAnnotations(const std::string &key);
void AddLabels(const std::string &key, const std::string &value);
void RemoveLabels(const std::string &key);
- void AddContainer(const std::string &id);
- void SetConatiners(const std::vector<std::string> &cons);
- void RemoveContainer(const std::string &id);
void UpdateNetworkSettings(const std::string &settingsJson, Errors &error);
auto UpdateStatsInfo(const StatsInfo &info) -> StatsInfo;
void SetNetworkReady(bool ready);
@@ -203,9 +199,6 @@ private:
bool m_networkReady;
std::string m_networkSettings;
std::string m_image;
- // container id lists
- std::vector<std::string> m_containers;
- RWMutex m_containersMutex;
// TOOD: m_sandboxConfig is a protobuf message, it can be converted to json string directly
// if save json string directly for sandbox recover, we need to consider hot
// upgrade between different CRI versions
--
2.42.0


@ -1,28 +0,0 @@
From cc6302549b722a5c309c90794afe27b2e7e7b29e Mon Sep 17 00:00:00 2001
From: xuxuepeng <xuxuepeng1@huawei.com>
Date: Tue, 29 Aug 2023 13:18:13 +0000
Subject: [PATCH 02/33] !2156 Fix sandbox error logging * Fix sandbox error
logging
---
src/daemon/sandbox/sandbox.cc | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/daemon/sandbox/sandbox.cc b/src/daemon/sandbox/sandbox.cc
index 2433e11b..968dae24 100644
--- a/src/daemon/sandbox/sandbox.cc
+++ b/src/daemon/sandbox/sandbox.cc
@@ -581,8 +581,8 @@ auto Sandbox::Create(Errors &error) -> bool
nret = util_mkdir_p(m_rootdir.c_str(), CONFIG_DIRECTORY_MODE);
if (nret != 0 && errno != EEXIST) {
- error.Errorf("Failed to create sandbox path %s", m_rootdir);
- SYSERROR("Failed to create sandbox path %s", m_rootdir);
+ error.Errorf("Failed to create sandbox path %s", m_rootdir.c_str());
+ SYSERROR("Failed to create sandbox path %s", m_rootdir.c_str());
return false;
}
#ifdef ENABLE_USERNS_REMAP
--
2.40.1


@ -0,0 +1,167 @@
From 415d7dca6175136ca4c1c780f1e512fd363d01c4 Mon Sep 17 00:00:00 2001
From: liuxu <liuxu156@huawei.com>
Date: Fri, 3 Nov 2023 14:27:45 +0800
Subject: [PATCH 02/14] sandbox:adapt UT when del m_containers and
m_containersMutex
---
.../design/detailed/Sandbox/sandbox_design_zh.md | 16 +---------------
test/mocks/sandbox_mock.cc | 11 -----------
test/mocks/sandbox_mock.h | 4 ----
test/sandbox/sandbox/sandbox_ut.cc | 14 --------------
4 files changed, 1 insertion(+), 44 deletions(-)
diff --git a/docs/design/detailed/Sandbox/sandbox_design_zh.md b/docs/design/detailed/Sandbox/sandbox_design_zh.md
index 86acd70b..109094cb 100644
--- a/docs/design/detailed/Sandbox/sandbox_design_zh.md
+++ b/docs/design/detailed/Sandbox/sandbox_design_zh.md
@@ -99,7 +99,6 @@ auto GetNetworkSettings() -> const std::string &;
auto GetCreatedAt() -> uint64_t;
auto GetPid() -> uint32_t;
auto GetTaskAddress() const -> const std::string &;
-auto GetContainers() -> std::vector<std::string>;
// 设置和更新sandbox的变量值
void SetNetMode(const std::string &mode);
@@ -108,9 +107,6 @@ void AddAnnotations(const std::string &key, const std::string &value);
void RemoveAnnotations(const std::string &key);
void AddLabels(const std::string &key, const std::string &value);
void RemoveLabels(const std::string &key);
-void AddContainer(const std::string &id);
-void SetConatiners(const std::vector<std::string> &cons);
-void RemoveContainer(const std::string &id);
void UpdateNetworkSettings(const std::string &settingsJson, Errors &error);
auto UpdateStatsInfo(const StatsInfo &info) -> StatsInfo;
void SetNetworkReady(bool ready);
@@ -252,16 +248,12 @@ public:
auto GetCreatedAt() -> uint64_t;
auto GetPid() -> uint32_t;
auto GetTaskAddress() const -> const std::string &;
- auto GetContainers() -> std::vector<std::string>;
void SetNetMode(const std::string &mode);
void SetController(std::shared_ptr<Controller> controller);
void AddAnnotations(const std::string &key, const std::string &value);
void RemoveAnnotations(const std::string &key);
void AddLabels(const std::string &key, const std::string &value);
void RemoveLabels(const std::string &key);
- void AddContainer(const std::string &id);
- void SetConatiners(const std::vector<std::string> &cons);
- void RemoveContainer(const std::string &id);
void UpdateNetworkSettings(const std::string &settingsJson, Errors &error);
auto UpdateStatsInfo(const StatsInfo &info) -> StatsInfo;
void SetNetworkReady(bool ready);
@@ -347,9 +339,6 @@ private:
std::string m_networkMode;
bool m_networkReady;
std::string m_networkSettings;
- // container id lists
- std::vector<std::string> m_containers;
- RWMutex m_containersMutex;
// TOOD: m_sandboxConfig is a protobuf message, it can be converted to json string directly
// if save json string directly for sandbox recover, we need to consider hot
// upgrade between different CRI versions
@@ -410,9 +399,7 @@ std::string m_netNsPath;
std::string m_networkMode;
bool m_networkReady;
std::string m_networkSettings;
-// container id lists
-std::vector<std::string> m_containers;
-RWMutex m_containersMutex;
+
// TOOD: m_sandboxConfig is a protobuf message, it can be converted to json string directly
// if save json string directly for sandbox recover, we need to consider hot
// upgrade between different CRI versions
@@ -430,7 +417,6 @@ std::set<uint32_t> m_vsockPorts;
1. m_mutex: 保障并发sandbox的生命周期操作start, stop, remove
2. m_stateMutex:保障并发对m_statem_statsInfom_networkSettings的修改与读取
-3. m_containersMutex保障对m_containers的并发操作
## 4.2 sandbox manage 模块
diff --git a/test/mocks/sandbox_mock.cc b/test/mocks/sandbox_mock.cc
index ab6c2d60..e5aefdda 100644
--- a/test/mocks/sandbox_mock.cc
+++ b/test/mocks/sandbox_mock.cc
@@ -77,14 +77,6 @@ const std::string &Sandbox::GetRuntimeHandle() const
return defaultStr;
}
-std::vector<std::string> Sandbox::GetContainers()
-{
- if (g_sandbox_mock != nullptr) {
- return g_sandbox_mock->GetContainers();
- }
- return defaultVec;
-}
-
const runtime::v1::PodSandboxConfig & Sandbox::GetSandboxConfig() const
{
if (g_sandbox_mock != nullptr) {
@@ -154,9 +146,6 @@ void Sandbox::AddAnnotations(const std::string &key, const std::string &value) {
void Sandbox::RemoveAnnotations(const std::string &key) {}
void Sandbox::AddLabels(const std::string &key, const std::string &value) {}
void Sandbox::RemoveLabels(const std::string &key) {}
-void Sandbox::AddContainer(const std::string &id) {}
-void Sandbox::SetConatiners(const std::vector<std::string> &cons) {}
-void Sandbox::RemoveContainer(const std::string &id) {}
void Sandbox::UpdateNetworkSettings(const std::string &settingsJson, Errors &error) {}
void Sandbox::PrepareSandboxDirs(Errors &error) {}
void Sandbox::CleanupSandboxDirs() {}
diff --git a/test/mocks/sandbox_mock.h b/test/mocks/sandbox_mock.h
index 6b46dca6..341042e9 100644
--- a/test/mocks/sandbox_mock.h
+++ b/test/mocks/sandbox_mock.h
@@ -31,7 +31,6 @@ public:
MOCK_METHOD0(GetName, const std::string & ());
MOCK_METHOD0(GetSandboxer, const std::string & ());
MOCK_METHOD0(GetRuntimeHandle, const std::string & ());
- MOCK_METHOD0(GetContainers, std::vector<std::string>());
MOCK_METHOD0(GetSandboxConfig, const runtime::v1::PodSandboxConfig &());
MOCK_METHOD0(GetMutableSandboxConfig, std::shared_ptr<runtime::v1::PodSandboxConfig>());
MOCK_METHOD0(GetRootDir, const std::string & ());
@@ -46,9 +45,6 @@ public:
MOCK_METHOD1(RemoveAnnotations, void(const std::string &key));
MOCK_METHOD2(AddLabels, void(const std::string &key, const std::string &value));
MOCK_METHOD1(RemoveLabels, void(const std::string &key));
- MOCK_METHOD1(AddContainer, void(const std::string &id));
- MOCK_METHOD1(SetConatiners, void(const std::vector<std::string> &cons));
- MOCK_METHOD1(RemoveContainer, void(const std::string &id));
MOCK_METHOD2(UpdateNetworkSettings, void(const std::string &settingsJson, Errors &error));
MOCK_METHOD1(UpdateStatsInfo, StatsInfo(const StatsInfo &info));
MOCK_METHOD1(SetNetworkReady, void(bool ready));
diff --git a/test/sandbox/sandbox/sandbox_ut.cc b/test/sandbox/sandbox/sandbox_ut.cc
index 494fb543..dd84d8fb 100644
--- a/test/sandbox/sandbox/sandbox_ut.cc
+++ b/test/sandbox/sandbox/sandbox_ut.cc
@@ -49,7 +49,6 @@ TEST_F(SandboxTest, TestDefaultGetters)
ASSERT_STREQ(sandbox->GetRuntime().c_str(), info.runtime.c_str());
ASSERT_STREQ(sandbox->GetSandboxer().c_str(), info.sandboxer.c_str());
ASSERT_STREQ(sandbox->GetRuntimeHandle().c_str(), info.runtimeHandler.c_str());
- ASSERT_EQ(sandbox->GetContainers().size(), 0);
ASSERT_STREQ(sandbox->GetRootDir().c_str(), sandbox_rootdir.c_str());
ASSERT_STREQ(sandbox->GetStateDir().c_str(), sandbox_statedir.c_str());
ASSERT_STREQ(sandbox->GetResolvPath().c_str(), (sandbox_rootdir + "/resolv.conf").c_str());
@@ -85,19 +84,6 @@ TEST_F(SandboxTest, TestGettersAndSetters)
sandbox->RemoveLabels("key");
EXPECT_TRUE(sandbox->GetSandboxConfig().labels().empty());
- std::string containerId = "container_id";
- sandbox->AddContainer(containerId);
- auto Mycontainers = sandbox->GetContainers();
- auto it = std::find(Mycontainers.begin(), Mycontainers.end(), containerId);
- EXPECT_NE(Mycontainers.end(), it);
-
- sandbox->RemoveContainer(containerId);
- EXPECT_EQ(sandbox->GetContainers().size(), 0);
-
- std::vector<std::string> containers = {"container1", "container2"};
- sandbox->SetConatiners(containers);
- EXPECT_EQ(sandbox->GetContainers(), containers);
-
StatsInfo statsInfo = {1234, 100};
sandbox->UpdateStatsInfo(statsInfo);
EXPECT_EQ(sandbox->GetStatsInfo().timestamp, statsInfo.timestamp);
--
2.42.0


@ -1,26 +0,0 @@
From 384940dee7ed5bcc01014520b94917f5782f996e Mon Sep 17 00:00:00 2001
From: xuxuepeng <xuxuepeng1@huawei.com>
Date: Wed, 30 Aug 2023 03:36:45 +0000
Subject: [PATCH 03/33] !2158 Use crictl v1.22.0 for ci * Use crictl v1.22.0
for ci
---
CI/install_depends.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CI/install_depends.sh b/CI/install_depends.sh
index ff919afe..bff825a8 100755
--- a/CI/install_depends.sh
+++ b/CI/install_depends.sh
@@ -46,7 +46,7 @@ function make_crictl()
cd cri-tools
# crictl v1.18 cannot recognise the SecurityProfile seccomp of LinuxSandboxSecurityContext
# and the LinuxContainerSecurityContext.has_seccomp() always false
- git checkout v1.24.2
+ git checkout v1.22.0
make -j $nproc
echo "make cri-tools: $?"
cp ./build/bin/crictl ${builddir}/bin/
--
2.40.1


@ -0,0 +1,642 @@
From c1eb46b00ea65fc5601f0d843bc485d087f687e0 Mon Sep 17 00:00:00 2001
From: jikai <jikai11@huawei.com>
Date: Mon, 6 Nov 2023 17:31:58 +0800
Subject: [PATCH 03/14] Add Readonly/Masked Path and RunAsGroup support for cri
Signed-off-by: jikai<jikai11@huawei.com>
---
.../common/cri/v1/v1_cri_security_context.cc | 111 ++++++++++++++++--
.../v1/v1_cri_container_manager_service.cc | 16 ++-
.../entry/cri/v1alpha/cri_security_context.cc | 110 +++++++++++++++--
src/daemon/modules/spec/specs.c | 74 +++++++++++-
src/daemon/modules/spec/specs_extend.c | 17 ++-
src/daemon/modules/spec/specs_security.c | 19 +--
6 files changed, 294 insertions(+), 53 deletions(-)
diff --git a/src/daemon/common/cri/v1/v1_cri_security_context.cc b/src/daemon/common/cri/v1/v1_cri_security_context.cc
index f6441f42..930710e0 100644
--- a/src/daemon/common/cri/v1/v1_cri_security_context.cc
+++ b/src/daemon/common/cri/v1/v1_cri_security_context.cc
@@ -19,15 +19,28 @@
#include <memory>
namespace CRISecurityV1 {
-static void ModifyContainerConfig(const runtime::v1::LinuxContainerSecurityContext &sc, container_config *config)
+static void ModifyContainerConfig(const runtime::v1::LinuxContainerSecurityContext &sc, container_config *config, Errors &error)
{
+ // none -> ""; username -> username; username, uid -> username; username, uid, gid -> username:gid;
+ // username, gid -> username:gid; uid -> uid; uid, gid -> uid:gid; gid -> error
+ std::string user;
if (sc.has_run_as_user()) {
- free(config->user);
- config->user = util_strdup_s(std::to_string(sc.run_as_user().value()).c_str());
+ user = std::to_string(sc.run_as_user().value());
}
if (!sc.run_as_username().empty()) {
+ user = sc.run_as_username();
+ }
+ if (sc.has_run_as_group()) {
+ if (user.empty()) {
+ ERROR("Invalid security context: runAsGroup without runAsUser or runAsUsername");
+ error.SetError("Invalid security context: runAsGroup without runAsUser or runAsUsername");
+ return;
+ }
+ user += ":" + std::to_string(sc.run_as_group().value());
+ }
+ if (!user.empty()) {
free(config->user);
- config->user = util_strdup_s(sc.run_as_username().c_str());
+ config->user = util_strdup_s(user.c_str());
}
}
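Review bot: `run_as_username` is joined with `:` and the group id without any check on its content, so a name that already contains `:` yields a user string with three fields, and negative `run_as_user` / `run_as_group` values are stringified unchanged. Whether the later parsing of `config->user` rejects such values is outside this hunk; if it does not, reject them here before the group is appended, e.g. `if (user.find(':') != std::string::npos) { error.SetError("Invalid security context: runAsUsername contains ':'"); return; }`. The mapping comment above `std::string user;` could also say that `config->user` is left untouched when none of the three fields is set.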
@@ -42,6 +55,7 @@ static void ModifyHostConfigCapabilities(const runtime::v1::LinuxContainerSecuri
if (!capAdd.empty()) {
hostConfig->cap_add = (char **)util_smart_calloc_s(sizeof(char *), capAdd.size());
if (hostConfig->cap_add == nullptr) {
+ ERROR("Out of memory");
error.SetError("Out of memory");
return;
}
@@ -54,6 +68,7 @@ static void ModifyHostConfigCapabilities(const runtime::v1::LinuxContainerSecuri
if (!capDrop.empty()) {
hostConfig->cap_drop = (char **)util_smart_calloc_s(sizeof(char *), capDrop.size());
if (hostConfig->cap_drop == nullptr) {
+ ERROR("Out of memory");
error.SetError("Out of memory");
return;
}
@@ -74,7 +89,8 @@ static void ModifyHostConfigNoNewPrivs(const runtime::v1::LinuxContainerSecurity
}
if (hostConfig->security_opt_len > (SIZE_MAX / sizeof(char *)) - 1) {
- error.Errorf("Out of memory");
+ ERROR("The size of security opts exceeds the limit");
+ error.Errorf("The size of security opts exceeds the limit");
return;
}
@@ -82,6 +98,7 @@ static void ModifyHostConfigNoNewPrivs(const runtime::v1::LinuxContainerSecurity
size_t newSize = oldSize + sizeof(char *);
int ret = util_mem_realloc((void **)(&tmp_security_opt), newSize, (void *)hostConfig->security_opt, oldSize);
if (ret != 0) {
+ ERROR("Out of memory");
error.Errorf("Out of memory");
return;
}
@@ -98,12 +115,9 @@ static void ModifyHostConfigscSupplementalGroups(const runtime::v1::LinuxContain
const google::protobuf::RepeatedField<google::protobuf::int64> &groups = sc.supplemental_groups();
if (!groups.empty()) {
- if (static_cast<size_t>(groups.size()) > SIZE_MAX / sizeof(char *)) {
- error.SetError("Invalid group size");
- return;
- }
- hostConfig->group_add = (char **)util_common_calloc_s(sizeof(char *) * groups.size());
+ hostConfig->group_add = (char **)util_smart_calloc_s(sizeof(char *), groups.size());
if (hostConfig->group_add == nullptr) {
+ ERROR("Out of memory");
error.SetError("Out of memory");
return;
}
@@ -114,6 +128,64 @@ static void ModifyHostConfigscSupplementalGroups(const runtime::v1::LinuxContain
}
}
+static void ApplyMaskedPathsToHostConfig(const runtime::v1::LinuxContainerSecurityContext &sc, host_config *hostConfig,
+ Errors &error)
+{
+ if (sc.masked_paths_size() <= 0) {
+ return;
+ }
+
+ if (hostConfig->masked_paths_len > ((SIZE_MAX / sizeof(char *)) - sc.masked_paths_size())) {
+ ERROR("The size of masked paths exceeds the limit");
+ error.Errorf("The size of masked paths exceeds the limit");
+ return;
+ }
+
+ char **tmp_masked_paths {nullptr};
+ size_t oldSize = hostConfig->masked_paths_len * sizeof(char *);
+ size_t newSize = oldSize + sc.masked_paths_size() * sizeof(char *);
+ int ret = util_mem_realloc((void **)&tmp_masked_paths, newSize, (void *)hostConfig->masked_paths, oldSize);
+ if (ret != 0) {
+ ERROR("Out of memory");
+ error.Errorf("Out of memory");
+ return;
+ }
+
+ hostConfig->masked_paths = tmp_masked_paths;
+ for (int i = 0; i < sc.masked_paths_size(); ++i) {
+ hostConfig->masked_paths[hostConfig->masked_paths_len++] = util_strdup_s(sc.masked_paths(i).c_str());
+ }
+}
+
+static void ApplyReadonlyPathsToHostConfig(const runtime::v1::LinuxContainerSecurityContext &sc, host_config *hostConfig,
+ Errors &error)
+{
+ if (sc.readonly_paths_size() <= 0) {
+ return;
+ }
+
+ if (hostConfig->readonly_paths_len > ((SIZE_MAX / sizeof(char *)) - sc.readonly_paths_size())) {
+ ERROR("The size of readonly paths exceeds the limit");
+ error.Errorf("The size of readonly paths exceeds the limit");
+ return;
+ }
+
+ char **tmp_readonly_paths {nullptr};
+ size_t oldSize = hostConfig->readonly_paths_len * sizeof(char *);
+ size_t newSize = oldSize + sc.readonly_paths_size() * sizeof(char *);
+ int ret = util_mem_realloc((void **)&tmp_readonly_paths, newSize, (void *)hostConfig->readonly_paths, oldSize);
+ if (ret != 0) {
+ ERROR("Out of memory");
+ error.Errorf("Out of memory");
+ return;
+ }
+
+ hostConfig->readonly_paths = tmp_readonly_paths;
+ for (int i = 0; i < sc.readonly_paths_size(); ++i) {
+ hostConfig->readonly_paths[hostConfig->readonly_paths_len++] = util_strdup_s(sc.readonly_paths(i).c_str());
+ }
+}
+
static void ModifyHostConfig(const runtime::v1::LinuxContainerSecurityContext &sc, host_config *hostConfig,
Errors &error)
{
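Review bot: ApplyMaskedPathsToHostConfig and ApplyReadonlyPathsToHostConfig are the same code with only the field names changed, so the overflow guard and the realloc handling must be kept in sync in two places (presumably four, given the v1alpha file in the diffstat). One helper taking the repeated field plus the destination array and length would hold that logic once; the sketch below assumes `masked_paths_len` and `readonly_paths_len` are `size_t`, as the `SIZE_MAX` comparison suggests. Both functions return early on an empty list, so a request cannot clear paths already present in `hostConfig`; a one-line comment stating that this is intended would help the next reader.

```cpp
// Appends every entry of `paths` to the array *dst (currently *dstLen entries long).
static void AppendPathsToHostConfig(const google::protobuf::RepeatedPtrField<std::string> &paths, char ***dst,
                                    size_t *dstLen, const char *what, Errors &error)
{
    if (paths.empty()) {
        // Nothing requested: entries already in the host config are kept as they are.
        return;
    }

    if (*dstLen > ((SIZE_MAX / sizeof(char *)) - paths.size())) {
        ERROR("The size of %s paths exceeds the limit", what);
        error.Errorf("The size of %s paths exceeds the limit", what);
        return;
    }

    char **grown { nullptr };
    size_t oldSize = *dstLen * sizeof(char *);
    size_t newSize = oldSize + paths.size() * sizeof(char *);
    if (util_mem_realloc((void **)&grown, newSize, (void *)*dst, oldSize) != 0) {
        ERROR("Out of memory");
        error.Errorf("Out of memory");
        return;
    }

    *dst = grown;
    for (const auto &path : paths) {
        (*dst)[(*dstLen)++] = util_strdup_s(path.c_str());
    }
}

// … unchanged: ModifyHostConfig preamble and the existing Modify* calls …
    AppendPathsToHostConfig(sc.masked_paths(), &hostConfig->masked_paths, &hostConfig->masked_paths_len,
                            "masked", error);
    AppendPathsToHostConfig(sc.readonly_paths(), &hostConfig->readonly_paths, &hostConfig->readonly_paths_len,
                            "readonly", error);
```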
@@ -123,6 +195,8 @@ static void ModifyHostConfig(const runtime::v1::LinuxContainerSecurityContext &s
ModifyHostConfigCapabilities(sc, hostConfig, error);
ModifyHostConfigNoNewPrivs(sc, hostConfig, error);
ModifyHostConfigscSupplementalGroups(sc, hostConfig, error);
+ ApplyMaskedPathsToHostConfig(sc, hostConfig, error);
+ ApplyReadonlyPathsToHostConfig(sc, hostConfig, error);
}
static void ModifyContainerNamespaceOptions(const runtime::v1::NamespaceOption &nsOpts,
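Review bot: The two calls added to ModifyHostConfig run unconditionally, so a failure recorded by ApplyMaskedPathsToHostConfig (or by one of the earlier Modify* helpers) does not stop ApplyReadonlyPathsToHostConfig from running. A second failure would presumably replace the first message in `error`. Checking between the steps, `if (error.NotEmpty()) { return; }` after ApplyMaskedPathsToHostConfig, keeps the first cause and avoids further allocation after an out-of-memory failure. The same pair of calls is added to the v1alpha2 ModifyHostConfig later in this patch. The start of ModifyHostConfig lies outside this hunk.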
@@ -196,11 +270,18 @@ void ApplySandboxSecurityContext(const runtime::v1::LinuxPodSandboxConfig &lc, c
*sc->mutable_supplemental_groups() = old.supplemental_groups();
sc->set_readonly_rootfs(old.readonly_rootfs());
}
- ModifyContainerConfig(*sc, config);
+ ModifyContainerConfig(*sc, config, error);
+ if (error.NotEmpty()) {
+ ERROR("Failed to modify container config for sandbox");
+ return;
+ }
+
ModifyHostConfig(*sc, hc, error);
if (error.NotEmpty()) {
+ ERROR("Failed to modify host config for sandbox");
return;
}
+
ModifySandboxNamespaceOptions(sc->namespace_options(), hc);
}
@@ -209,9 +290,15 @@ void ApplyContainerSecurityContext(const runtime::v1::LinuxContainerConfig &lc,
{
if (lc.has_security_context()) {
const runtime::v1::LinuxContainerSecurityContext &sc = lc.security_context();
- ModifyContainerConfig(sc, config);
+ ModifyContainerConfig(sc, config, error);
+ if (error.NotEmpty()) {
+ ERROR("Failed to modify container config for container");
+ return;
+ }
+
ModifyHostConfig(sc, hc, error);
if (error.NotEmpty()) {
+ ERROR("Failed to modify host config for container");
return;
}
}
diff --git a/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc b/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc
index 70629591..1f20d2d2 100644
--- a/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc
+++ b/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc
@@ -128,8 +128,22 @@ void ContainerManagerService::DoUsePodLevelSELinuxConfig(const runtime::v1::Cont
return;
}
+ const char securityOptSep = '=';
+
const runtime::v1::LinuxSandboxSecurityContext &context = config.linux().security_context();
- CRIHelpersV1::ApplySandboxSecurityContextToHostConfig(context, hostconfig, error);
+ std::vector<std::string> selinuxOpts = CRIHelpersV1::GetSELinuxLabelOpts(context.has_selinux_options(),
+ context.selinux_options(), securityOptSep, error);
+ if (error.NotEmpty()) {
+ ERROR("Failed to generate SELinuxLabel options for container %s", error.GetMessage().c_str());
+ error.Errorf("Failed to generate SELinuxLabel options for container %s", error.GetMessage().c_str());
+ return;
+ }
+ CRIHelpersV1::AddSecurityOptsToHostConfig(selinuxOpts, hostconfig, error);
+ if (error.NotEmpty()) {
+ ERROR("Failed to add securityOpts to hostconfig: %s", error.GetMessage().c_str());
+ error.Errorf("Failed to add securityOpts to hostconfig: %s", error.GetMessage().c_str());
+ return;
+ }
}
auto ContainerManagerService::IsSELinuxLabelEmpty(const ::runtime::v1::SELinuxOption &selinuxOption) -> bool
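Review bot: Both new error branches in DoUsePodLevelSELinuxConfig call `error.Errorf(...)` with `error.GetMessage().c_str()` as an argument, so the object is rewritten from its own message. Whether that is safe depends on how Errors::Errorf and GetMessage are implemented, which this hunk does not show. Copying the cause first removes the dependency: `const std::string cause = error.GetMessage();` followed by `error.Errorf("Failed to add securityOpts to hostconfig: %s", cause.c_str());`. The same local can feed the ERROR() line. The function starts outside the hunk.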
diff --git a/src/daemon/entry/cri/v1alpha/cri_security_context.cc b/src/daemon/entry/cri/v1alpha/cri_security_context.cc
index 0535b438..57ec3a63 100644
--- a/src/daemon/entry/cri/v1alpha/cri_security_context.cc
+++ b/src/daemon/entry/cri/v1alpha/cri_security_context.cc
@@ -20,15 +20,29 @@
#include <memory>
namespace CRISecurity {
-static void ModifyContainerConfig(const runtime::v1alpha2::LinuxContainerSecurityContext &sc, container_config *config)
+static void ModifyContainerConfig(const runtime::v1alpha2::LinuxContainerSecurityContext &sc, container_config *config,
+ Errors &error)
{
+ // none -> ""; username -> username; username, uid -> username; username, uid, gid -> username:gid;
+ // username, gid -> username:gid; uid -> uid; uid, gid -> uid:gid; gid -> error
+ std::string user;
if (sc.has_run_as_user()) {
- free(config->user);
- config->user = util_strdup_s(std::to_string(sc.run_as_user().value()).c_str());
+ user = std::to_string(sc.run_as_user().value());
}
if (!sc.run_as_username().empty()) {
+ user = sc.run_as_username();
+ }
+ if (sc.has_run_as_group()) {
+ if (user.empty()) {
+ ERROR("Invalid security context: runAsGroup without runAsUser or runAsUsername");
+ error.SetError("Invalid security context: runAsGroup without runAsUser or runAsUsername");
+ return;
+ }
+ user += ":" + std::to_string(sc.run_as_group().value());
+ }
+ if (!user.empty()) {
free(config->user);
- config->user = util_strdup_s(sc.run_as_username().c_str());
+ config->user = util_strdup_s(user.c_str());
}
}
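Review bot: ModifyContainerConfig formats `sc.run_as_user().value()` and `sc.run_as_group().value()` straight into the user string with no range check. Both are signed 64-bit fields, so a negative or oversized id from the CRI request ends up as text in `config->user` and is rejected only if a later parser checks it (not visible here). Since the function now reports errors, it can refuse such values at the boundary, for example `if (sc.run_as_group().value() < 0) { error.SetError("Invalid security context: negative runAsGroup"); return; }`, with the same check for runAsUser. The v1 ModifyContainerConfig, which this patch presumably changes the same way, would need the same guard.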
@@ -43,6 +57,7 @@ static void ModifyHostConfigCapabilities(const runtime::v1alpha2::LinuxContainer
if (!capAdd.empty()) {
hostConfig->cap_add = (char **)util_smart_calloc_s(sizeof(char *), capAdd.size());
if (hostConfig->cap_add == nullptr) {
+ ERROR("Out of memory");
error.SetError("Out of memory");
return;
}
@@ -55,6 +70,7 @@ static void ModifyHostConfigCapabilities(const runtime::v1alpha2::LinuxContainer
if (!capDrop.empty()) {
hostConfig->cap_drop = (char **)util_smart_calloc_s(sizeof(char *), capDrop.size());
if (hostConfig->cap_drop == nullptr) {
+ ERROR("Out of memory");
error.SetError("Out of memory");
return;
}
@@ -75,7 +91,8 @@ static void ModifyHostConfigNoNewPrivs(const runtime::v1alpha2::LinuxContainerSe
}
if (hostConfig->security_opt_len > (SIZE_MAX / sizeof(char *)) - 1) {
- error.Errorf("Out of memory");
+ ERROR("The size of security opts exceeds the limit");
+ error.Errorf("The size of security opts exceeds the limit");
return;
}
@@ -83,6 +100,7 @@ static void ModifyHostConfigNoNewPrivs(const runtime::v1alpha2::LinuxContainerSe
size_t newSize = oldSize + sizeof(char *);
int ret = util_mem_realloc((void **)(&tmp_security_opt), newSize, (void *)hostConfig->security_opt, oldSize);
if (ret != 0) {
+ ERROR("Out of memory");
error.Errorf("Out of memory");
return;
}
@@ -99,12 +117,9 @@ static void ModifyHostConfigscSupplementalGroups(const runtime::v1alpha2::LinuxC
const google::protobuf::RepeatedField<google::protobuf::int64> &groups = sc.supplemental_groups();
if (!groups.empty()) {
- if (static_cast<size_t>(groups.size()) > SIZE_MAX / sizeof(char *)) {
- error.SetError("Invalid group size");
- return;
- }
- hostConfig->group_add = (char **)util_common_calloc_s(sizeof(char *) * groups.size());
+ hostConfig->group_add = (char **)util_smart_calloc_s(sizeof(char *), groups.size());
if (hostConfig->group_add == nullptr) {
+ ERROR("Out of memory");
error.SetError("Out of memory");
return;
}
@@ -115,6 +130,64 @@ static void ModifyHostConfigscSupplementalGroups(const runtime::v1alpha2::LinuxC
}
}
+static void ApplyMaskedPathsToHostConfig(const runtime::v1alpha2::LinuxContainerSecurityContext &sc, host_config *hostConfig,
+ Errors &error)
+{
+ if (sc.masked_paths_size() <= 0) {
+ return;
+ }
+
+ if (hostConfig->masked_paths_len > ((SIZE_MAX / sizeof(char *)) - sc.masked_paths_size())) {
+ ERROR("The size of masked paths exceeds the limit");
+ error.Errorf("The size of masked paths exceeds the limit");
+ return;
+ }
+
+ char **tmp_masked_paths {nullptr};
+ size_t oldSize = hostConfig->masked_paths_len * sizeof(char *);
+ size_t newSize = oldSize + sc.masked_paths_size() * sizeof(char *);
+ int ret = util_mem_realloc((void **)&tmp_masked_paths, newSize, (void *)hostConfig->masked_paths, oldSize);
+ if (ret != 0) {
+ ERROR("Out of memory");
+ error.Errorf("Out of memory");
+ return;
+ }
+
+ hostConfig->masked_paths = tmp_masked_paths;
+ for (int i = 0; i < sc.masked_paths_size(); ++i) {
+ hostConfig->masked_paths[hostConfig->masked_paths_len++] = util_strdup_s(sc.masked_paths(i).c_str());
+ }
+}
+
+static void ApplyReadonlyPathsToHostConfig(const runtime::v1alpha2::LinuxContainerSecurityContext &sc, host_config *hostConfig,
+ Errors &error)
+{
+ if (sc.readonly_paths_size() <= 0) {
+ return;
+ }
+
+ if (hostConfig->readonly_paths_len > ((SIZE_MAX / sizeof(char *)) - sc.readonly_paths_size())) {
+ ERROR("The size of readonly paths exceeds the limit");
+ error.Errorf("The size of readonly paths exceeds the limit");
+ return;
+ }
+
+ char **tmp_readonly_paths {nullptr};
+ size_t oldSize = hostConfig->readonly_paths_len * sizeof(char *);
+ size_t newSize = oldSize + sc.readonly_paths_size() * sizeof(char *);
+ int ret = util_mem_realloc((void **)&tmp_readonly_paths, newSize, (void *)hostConfig->readonly_paths, oldSize);
+ if (ret != 0) {
+ ERROR("Out of memory");
+ error.Errorf("Out of memory");
+ return;
+ }
+
+ hostConfig->readonly_paths = tmp_readonly_paths;
+ for (int i = 0; i < sc.readonly_paths_size(); ++i) {
+ hostConfig->readonly_paths[hostConfig->readonly_paths_len++] = util_strdup_s(sc.readonly_paths(i).c_str());
+ }
+}
+
static void ModifyHostConfig(const runtime::v1alpha2::LinuxContainerSecurityContext &sc, host_config *hostConfig,
Errors &error)
{
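Review bot: ApplyMaskedPathsToHostConfig and ApplyReadonlyPathsToHostConfig are the same function with the field names swapped, and the pair also exists in the v1 file, so the overflow guard has to be kept correct in four places. A single helper that takes the repeated field, the destination array and its length would hold the size check and the util_mem_realloc call once, leaving each Apply* function as one call. merge_paths in specs.c, added by this same patch, already has that shape. The sketch below assumes the `*_len` members of host_config are `size_t`, which the hunk suggests but does not show.

```cpp
static void AppendPathsToHostConfig(const google::protobuf::RepeatedPtrField<std::string> &paths, const char *kind,
                                    char ***dest, size_t *destLen, Errors &error)
{
    if (paths.empty()) {
        return;
    }

    const size_t count = static_cast<size_t>(paths.size());
    if (*destLen > (SIZE_MAX / sizeof(char *)) - count) {
        ERROR("The size of %s paths exceeds the limit", kind);
        error.Errorf("The size of %s paths exceeds the limit", kind);
        return;
    }

    char **merged { nullptr };
    const size_t oldSize = *destLen * sizeof(char *);
    const size_t newSize = oldSize + count * sizeof(char *);
    if (util_mem_realloc((void **)&merged, newSize, (void *)*dest, oldSize) != 0) {
        ERROR("Out of memory");
        error.Errorf("Out of memory");
        return;
    }

    *dest = merged;
    for (const auto &path : paths) {
        (*dest)[(*destLen)++] = util_strdup_s(path.c_str());
    }
}

static void ApplyMaskedPathsToHostConfig(const runtime::v1alpha2::LinuxContainerSecurityContext &sc, host_config *hostConfig,
                                         Errors &error)
{
    AppendPathsToHostConfig(sc.masked_paths(), "masked", &hostConfig->masked_paths, &hostConfig->masked_paths_len, error);
}

// ApplyReadonlyPathsToHostConfig: same single call with sc.readonly_paths(), "readonly" and the readonly_paths fields
```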
@@ -124,6 +197,8 @@ static void ModifyHostConfig(const runtime::v1alpha2::LinuxContainerSecurityCont
ModifyHostConfigCapabilities(sc, hostConfig, error);
ModifyHostConfigNoNewPrivs(sc, hostConfig, error);
ModifyHostConfigscSupplementalGroups(sc, hostConfig, error);
+ ApplyMaskedPathsToHostConfig(sc, hostConfig, error);
+ ApplyReadonlyPathsToHostConfig(sc, hostConfig, error);
}
static void ModifyContainerNamespaceOptions(const runtime::v1alpha2::NamespaceOption &nsOpts,
@@ -179,6 +254,7 @@ void ApplySandboxSecurityContext(const runtime::v1alpha2::LinuxPodSandboxConfig
std::unique_ptr<runtime::v1alpha2::LinuxContainerSecurityContext> sc(
new (std::nothrow) runtime::v1alpha2::LinuxContainerSecurityContext);
if (sc == nullptr) {
+ ERROR("Out of memory");
error.SetError("Out of memory");
return;
}
@@ -197,9 +273,14 @@ void ApplySandboxSecurityContext(const runtime::v1alpha2::LinuxPodSandboxConfig
*sc->mutable_supplemental_groups() = old.supplemental_groups();
sc->set_readonly_rootfs(old.readonly_rootfs());
}
- ModifyContainerConfig(*sc, config);
+ ModifyContainerConfig(*sc, config, error);
+ if (error.NotEmpty()) {
+ ERROR("Failed to modify container config for sandbox");
+ return;
+ }
ModifyHostConfig(*sc, hc, error);
if (error.NotEmpty()) {
+ ERROR("Failed to modify host config for sandbox");
return;
}
ModifySandboxNamespaceOptions(sc->namespace_options(), hc);
@@ -210,9 +291,14 @@ void ApplyContainerSecurityContext(const runtime::v1alpha2::LinuxContainerConfig
{
if (lc.has_security_context()) {
const runtime::v1alpha2::LinuxContainerSecurityContext &sc = lc.security_context();
- ModifyContainerConfig(sc, config);
+ ModifyContainerConfig(sc, config, error);
+ if (error.NotEmpty()) {
+ ERROR("Failed to modify container config for container");
+ return;
+ }
ModifyHostConfig(sc, hc, error);
if (error.NotEmpty()) {
+ ERROR("Failed to modify host config for container");
return;
}
}
diff --git a/src/daemon/modules/spec/specs.c b/src/daemon/modules/spec/specs.c
index a7751d1b..95346603 100644
--- a/src/daemon/modules/spec/specs.c
+++ b/src/daemon/modules/spec/specs.c
@@ -2133,6 +2133,58 @@ static int generate_security_opt(host_config *hc)
}
#endif
+static int merge_paths(char ***dest_paths, size_t *dest_paths_len, char **src_paths, size_t src_paths_len)
+{
+ if (dest_paths == NULL || dest_paths_len == NULL) {
+ ERROR("Invalid args");
+ return -1;
+ }
+
+ if (src_paths_len > SIZE_MAX / sizeof(char *) ||
+ *dest_paths_len > ((SIZE_MAX / sizeof(char *)) - src_paths_len)) {
+ ERROR("Out of memory");
+ return -1;
+ }
+
+ size_t i;
+ char **tmp_paths = NULL;
+ size_t old_size = *dest_paths_len * sizeof(char *);
+ size_t new_size = old_size + src_paths_len * sizeof(char *);
+ int ret = util_mem_realloc((void **)&tmp_paths, new_size,
+ (void *)*dest_paths, old_size);
+ if (ret != 0) {
+ ERROR("Out of memory");
+ return -1;
+ }
+
+ *dest_paths = tmp_paths;
+ for (i = 0; i < src_paths_len; i++) {
+ (*dest_paths)[(*dest_paths_len)++] = util_strdup_s(src_paths[i]);
+ }
+
+ return 0;
+}
+
+static int merge_masked_paths(oci_runtime_spec *oci_spec, char **masked_paths, size_t masked_paths_len)
+{
+ if (masked_paths == NULL || masked_paths_len == 0) {
+ return 0;
+ }
+
+ return merge_paths(&oci_spec->linux->masked_paths, &oci_spec->linux->masked_paths_len,
+ masked_paths, masked_paths_len);
+}
+
+static int merge_readonly_paths(oci_runtime_spec *oci_spec, char **readonly_paths, size_t readonly_paths_len)
+{
+ if (readonly_paths == NULL || readonly_paths_len == 0) {
+ return 0;
+ }
+
+ return merge_paths(&oci_spec->linux->readonly_paths, &oci_spec->linux->readonly_paths_len,
+ readonly_paths, readonly_paths_len);
+}
+
static int merge_security_conf(oci_runtime_spec *oci_spec, host_config *host_spec,
container_config_v2_common_config *v2_spec)
{
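Review bot: merge_masked_paths and merge_readonly_paths dereference `oci_spec->linux` without a NULL check, relying on merge_all_specs having called make_sure_oci_spec_linux first (that call is added further down in this patch). The same precondition now applies to merge_oci_cgroups_path, make_linux_uid_gid_mappings, make_sure_oci_spec_linux_sysctl and make_sure_oci_spec_linux_seccomp, whose own calls are removed. For the seccomp helper no caller-side call is added anywhere in this patch, so its callers should be confirmed to run only after the check in merge_all_specs. A comment on each helper makes the precondition explicit, e.g. `/* caller must ensure oci_spec->linux is allocated (make_sure_oci_spec_linux) */`.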
@@ -2180,6 +2232,18 @@ static int merge_security_conf(oci_runtime_spec *oci_spec, host_config *host_spe
}
#endif
+ ret = merge_masked_paths(oci_spec, host_spec->masked_paths, host_spec->masked_paths_len);
+ if (ret != 0) {
+ ERROR("Failed to merge masked paths");
+ goto out;
+ }
+
+ ret = merge_readonly_paths(oci_spec, host_spec->readonly_paths, host_spec->readonly_paths_len);
+ if (ret != 0) {
+ ERROR("Failed to merge readonly paths");
+ goto out;
+ }
+
out:
return ret;
}
@@ -2205,11 +2269,6 @@ static int merge_oci_cgroups_path(const char *id, oci_runtime_spec *oci_spec, co
return -1;
}
- if (make_sure_oci_spec_linux(oci_spec) != 0) {
- ERROR("Failed to make oci spec linux");
- return -1;
- }
-
free(oci_spec->linux->cgroups_path);
oci_spec->linux->cgroups_path = merge_container_cgroups_path(id, host_spec);
@@ -2228,6 +2287,11 @@ int merge_all_specs(host_config *host_spec, const char *real_rootfs, container_c
char *userns_remap = conf_get_isulad_userns_remap();
#endif
+ if (make_sure_oci_spec_linux(oci_spec) != 0) {
+ ERROR("Failed to make oci spec linux");
+ return -1;
+ }
+
ret = merge_root(oci_spec, real_rootfs, host_spec);
if (ret != 0) {
ERROR("Failed to merge root");
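Review bot: The new early `return -1` in merge_all_specs comes after `userns_remap = conf_get_isulad_userns_remap()` has already run, in builds where that block is compiled in. If the function releases that string on its normal exit path, which is outside this hunk, this return skips the release. Leaving through the common exit avoids that: `ret = -1; goto out;`, assuming the function has an `out` label as the neighbouring functions do.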
diff --git a/src/daemon/modules/spec/specs_extend.c b/src/daemon/modules/spec/specs_extend.c
index 5ede7936..199cba54 100644
--- a/src/daemon/modules/spec/specs_extend.c
+++ b/src/daemon/modules/spec/specs_extend.c
@@ -136,28 +136,21 @@ static int make_linux_uid_gid_mappings(oci_runtime_spec *container, unsigned int
unsigned int size)
{
int ret = 0;
-
- ret = make_sure_oci_spec_linux(container);
- if (ret < 0) {
- goto out;
- }
-
if (container->linux->uid_mappings == NULL) {
ret = make_one_id_mapping(&(container->linux->uid_mappings), host_uid, size);
if (ret < 0) {
- goto out;
+ return ret;
}
container->linux->uid_mappings_len++;
}
if (container->linux->gid_mappings == NULL) {
ret = make_one_id_mapping(&(container->linux->gid_mappings), host_gid, size);
if (ret < 0) {
- goto out;
+ return ret;
}
container->linux->gid_mappings_len++;
}
-out:
return ret;
}
@@ -180,6 +173,12 @@ int make_userns_remap(oci_runtime_spec *container, const char *user_remap)
if (host_uid == 0 && host_gid == 0) {
return 0;
}
+
+ if (make_sure_oci_spec_linux(container) != 0) {
+ ERROR("Failed to make oci spce linux");
+ return -1;
+ }
+
ret = make_linux_uid_gid_mappings(container, host_uid, host_gid, size);
if (ret) {
ERROR("Make linux uid and gid mappings failed");
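Review bot: The added log message has a typo, `"Failed to make oci spce linux"`, so it will not match a search for the text used at the other call sites in this patch. Use `ERROR("Failed to make oci spec linux");`. make_userns_remap starts and ends outside the hunk, so whether the plain `return -1` skips any cleanup cannot be checked here.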
diff --git a/src/daemon/modules/spec/specs_security.c b/src/daemon/modules/spec/specs_security.c
index 08db8d0d..e78cc744 100644
--- a/src/daemon/modules/spec/specs_security.c
+++ b/src/daemon/modules/spec/specs_security.c
@@ -879,13 +879,6 @@ int merge_caps(oci_runtime_spec *oci_spec, const char **adds, size_t adds_len, c
static int make_sure_oci_spec_linux_sysctl(oci_runtime_spec *oci_spec)
{
- int ret = 0;
-
- ret = make_sure_oci_spec_linux(oci_spec);
- if (ret < 0) {
- return -1;
- }
-
if (oci_spec->linux->sysctl == NULL) {
oci_spec->linux->sysctl = util_common_calloc_s(sizeof(json_map_string_string));
if (oci_spec->linux->sysctl == NULL) {
@@ -904,6 +897,11 @@ int merge_sysctls(oci_runtime_spec *oci_spec, const json_map_string_string *sysc
return 0;
}
+ ret = make_sure_oci_spec_linux(oci_spec);
+ if (ret < 0) {
+ return -1;
+ }
+
ret = make_sure_oci_spec_linux_sysctl(oci_spec);
if (ret < 0) {
goto out;
@@ -1004,13 +1002,6 @@ static void free_adds_cap_for_system_container(char **adds, size_t adds_len)
static int make_sure_oci_spec_linux_seccomp(oci_runtime_spec *oci_spec)
{
- int ret = 0;
-
- ret = make_sure_oci_spec_linux(oci_spec);
- if (ret < 0) {
- return -1;
- }
-
if (oci_spec->linux->seccomp == NULL) {
oci_spec->linux->seccomp = util_common_calloc_s(sizeof(oci_runtime_config_linux_seccomp));
if (oci_spec->linux->seccomp == NULL) {
--
2.42.0


@ -1,113 +0,0 @@
From 0dbf21e22d51721e43fa2c1abecf30da271501c5 Mon Sep 17 00:00:00 2001
From: xuxuepeng <xuxuepeng1@huawei.com>
Date: Thu, 31 Aug 2023 04:11:22 +0000
Subject: [PATCH 04/33] !2162 Fix rename issue for id manager Merge pull
request !2162 from xuxuepeng/master
---
src/daemon/common/id_name_manager.c | 21 ++++++++++++++++++-
src/daemon/common/id_name_manager.h | 1 +
.../container_cb/execution_information.c | 12 +++++++++++
src/daemon/sandbox/sandbox_manager.cc | 6 ++++--
4 files changed, 37 insertions(+), 3 deletions(-)
diff --git a/src/daemon/common/id_name_manager.c b/src/daemon/common/id_name_manager.c
index e6b24798..3fc1c443 100644
--- a/src/daemon/common/id_name_manager.c
+++ b/src/daemon/common/id_name_manager.c
@@ -382,4 +382,23 @@ bool id_name_manager_remove_entry(const char *id, const char *name)
}
return ret;
-}
\ No newline at end of file
+}
+
+bool id_name_manager_rename(const char *new_name, const char *old_name)
+{
+ if (old_name == NULL || new_name == NULL) {
+ ERROR("Failed to rename empty name");
+ return false;
+ }
+
+ if (!try_add_name(new_name)) {
+ ERROR("Failed to add %s to name map", new_name);
+ return false;
+ }
+
+ if (!try_remove_name(old_name)) {
+ WARN("Failed to remove %s from name map", old_name);
+ }
+
+ return true;
+}
diff --git a/src/daemon/common/id_name_manager.h b/src/daemon/common/id_name_manager.h
index 3c9f6d45..09f0867e 100644
--- a/src/daemon/common/id_name_manager.h
+++ b/src/daemon/common/id_name_manager.h
@@ -27,6 +27,7 @@ bool id_name_manager_add_entry_with_existing_id(const char *id, const char *name
bool id_name_manager_add_entry_with_new_id(const char *name, char **id);
bool id_name_manager_add_entry_with_new_id_and_name(char **id, char **name);
bool id_name_manager_remove_entry(const char *id, const char *name);
+bool id_name_manager_rename(const char *new_name, const char *old_name);
#ifdef __cplusplus
}
diff --git a/src/daemon/executor/container_cb/execution_information.c b/src/daemon/executor/container_cb/execution_information.c
index 28480224..93e5032e 100644
--- a/src/daemon/executor/container_cb/execution_information.c
+++ b/src/daemon/executor/container_cb/execution_information.c
@@ -60,6 +60,7 @@
#include "utils_convert.h"
#include "utils_string.h"
#include "utils_verify.h"
+#include "id_name_manager.h"
static int container_version_cb(const container_version_request *request, container_version_response **response)
{
@@ -1075,11 +1076,22 @@ static int container_rename(container_t *cont, const char *new_name)
goto out;
}
+ if (!id_name_manager_rename(new_name, old_name)) {
+ ERROR("Failed to rename %s to %s in id-name manager", old_name, new_name);
+ isulad_set_error_message("Failed to rename %s to %s in id-name manager", old_name, new_name);
+ ret = -1;
+ goto out;
+ }
+
if (!container_name_index_rename(new_name, old_name, id)) {
ERROR("Name %s is in use", new_name);
isulad_set_error_message("Conflict. The name \"%s\" is already in use by container %s. "
"You have to remove (or rename) that container to be able to reuse that name.",
new_name, new_name);
+ // restore name in id-name manager
+ if (!id_name_manager_rename(old_name, new_name)) {
+ ERROR("Failed to restore name from \"%s\" to \"%s\" in id-name manager", new_name, old_name);
+ }
ret = -1;
goto out;
}
diff --git a/src/daemon/sandbox/sandbox_manager.cc b/src/daemon/sandbox/sandbox_manager.cc
index 527a9aec..e258320a 100644
--- a/src/daemon/sandbox/sandbox_manager.cc
+++ b/src/daemon/sandbox/sandbox_manager.cc
@@ -210,11 +210,13 @@ bool SandboxManager::IDNameManagerRemoveEntry(const std::string &id, const std::
// Save the id and name of the sandbox to the map of the id_name_manager module
bool SandboxManager::IDNameManagerNewEntry(std::string &id, const std::string &name)
{
- __isula_auto_free char *tmpId = NULL;
bool ret = false;
if (id.empty()) {
+ __isula_auto_free char *tmpId = NULL;
ret = id_name_manager_add_entry_with_new_id(name.c_str(), &tmpId);
- id = tmpId;
+ if (tmpId != NULL) {
+ id = tmpId;
+ }
} else {
ret = id_name_manager_add_entry_with_existing_id(id.c_str(), name.c_str());
}
--
2.40.1


@ -0,0 +1,482 @@
From 7a2dd92a527c1f5ee79239d93b792dc9a9758e27 Mon Sep 17 00:00:00 2001
From: liuxu <liuxu156@huawei.com>
Date: Tue, 7 Nov 2023 20:38:22 +0800
Subject: [PATCH 04/14] network:support version opt
---
.../network/cni_operator/cni_operate.c | 16 +++
.../network/cni_operator/cni_operate.h | 3 +
.../cni_operator/libcni/invoke/libcni_exec.c | 86 +++++++++++++-
.../cni_operator/libcni/invoke/libcni_exec.h | 2 +
.../libcni/invoke/libcni_result_parse.c | 29 +++++
.../libcni/invoke/libcni_result_parse.h | 6 +
.../network/cni_operator/libcni/libcni_api.c | 106 ++++++++++++++++++
.../network/cni_operator/libcni/libcni_api.h | 8 +-
.../cni_operator/libcni/libcni_result_type.c | 18 +++
.../cni_operator/libcni/libcni_result_type.h | 12 ++
.../modules/network/native/adaptor_native.c | 3 +-
11 files changed, 281 insertions(+), 8 deletions(-)
diff --git a/src/daemon/modules/network/cni_operator/cni_operate.c b/src/daemon/modules/network/cni_operator/cni_operate.c
index 62249f18..6db6db51 100644
--- a/src/daemon/modules/network/cni_operator/cni_operate.c
+++ b/src/daemon/modules/network/cni_operator/cni_operate.c
@@ -926,6 +926,22 @@ out:
return ret;
}
+int version_network_plane(const struct cni_network_list_conf *list,
+ struct cni_version_info_list **result_version_list)
+{
+ if (list == NULL || list->list == NULL) {
+ ERROR("Invalid input params");
+ return -1;
+ }
+
+ if (cni_version_network_list(list, result_version_list) != 0) {
+ ERROR("Version CNI network failed");
+ return -1;
+ }
+
+ return 0;
+}
+
int detach_loopback(const char *id, const char *netns)
{
int ret = 0;
diff --git a/src/daemon/modules/network/cni_operator/cni_operate.h b/src/daemon/modules/network/cni_operator/cni_operate.h
index 150c1154..7750ff00 100644
--- a/src/daemon/modules/network/cni_operator/cni_operate.h
+++ b/src/daemon/modules/network/cni_operator/cni_operate.h
@@ -61,6 +61,9 @@ int detach_network_plane(const struct cni_manager *manager, const struct cni_net
int check_network_plane(const struct cni_manager *manager, const struct cni_network_list_conf *list,
struct cni_opt_result **result);
+int version_network_plane(const struct cni_network_list_conf *list,
+ struct cni_version_info_list **result_version_list);
+
#ifdef __cplusplus
}
#endif
diff --git a/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_exec.c b/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_exec.c
index c4bc81c0..4908565e 100644
--- a/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_exec.c
+++ b/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_exec.c
@@ -28,7 +28,7 @@
#include <sys/wait.h>
#include <isula_libutils/cni_inner_plugin_info.h>
-#include <isula_libutils/cni_version.h>
+#include <isula_libutils/cni_version_info.h>
#include <isula_libutils/log.h>
#include <isula_libutils/cni_exec_error.h>
#include <isula_libutils/auto_cleanup.h>
@@ -183,10 +183,10 @@ static char *str_cni_exec_error(const cni_exec_error *e_err)
static char *cniversion_decode(const char *jsonstr)
{
__isula_auto_free parser_error err = NULL;
- cni_version *conf = NULL;
+ cni_version_info *conf = NULL;
char *result = NULL;
- conf = cni_version_parse_data(jsonstr, NULL, &err);
+ conf = cni_version_info_parse_data(jsonstr, NULL, &err);
if (conf == NULL) {
ERROR("decoding config \"%s\", failed: %s", jsonstr, err);
goto out;
@@ -198,7 +198,7 @@ static char *cniversion_decode(const char *jsonstr)
result = util_strdup_s(conf->cni_version);
out:
- free_cni_version(conf);
+ free_cni_version_info(conf);
return result;
}
@@ -466,6 +466,84 @@ out:
return ret;
}
+static char *get_default_version_stdin(void)
+{
+ char *stdin_str = NULL;
+ int ret;
+
+ ret = asprintf(&stdin_str, "{\"cniVersion\":\"%s\"}", CURRENT_VERSION);
+ if (ret < 0) {
+ ERROR("parse cni version failed");
+ }
+ return stdin_str;
+}
+
+static int do_parse_version_info_stdout_str(int exec_ret, const cni_exec_error *e_err,
+ const char *stdout_str, cni_version_info **result_version)
+{
+ __isula_auto_free char *err_msg = NULL;
+ struct parser_context ctx = { OPT_GEN_SIMPLIFY, 0 };
+ __isula_auto_free parser_error perr = NULL;
+
+ if (exec_ret != 0) {
+ err_msg = str_cni_exec_error(e_err);
+ ERROR("raw exec failed: %s", err_msg);
+ isulad_append_error_message("raw exec failed: %s. ", err_msg);
+ return -1;
+ }
+
+ if (stdout_str == NULL || strlen(stdout_str) == 0) {
+ ERROR("Get empty version result");
+ return -1;
+ }
+ free_cni_version_info(*result_version);
+ *result_version = cni_version_info_parse_data(stdout_str, &ctx, &perr);
+ if (*result_version == NULL) {
+ ERROR("parse cni result version failed: %s", perr);
+ return -1;
+ }
+
+ return 0;
+}
+
+int get_version_info(const char *plugin_path, cni_version_info **result_version)
+{
+ __isula_auto_free char *err_msg = NULL;
+ char **envs = NULL;
+ __isula_auto_free char *stdout_str = NULL;
+ __isula_auto_free char *stdin_str = NULL;
+ cni_exec_error *e_err = NULL;
+ int ret = 0;
+ const struct cni_args cniargs = {
+ .command = "VERSION",
+ .netns = "dummy",
+ .ifname = "dummy",
+ .path = "dummy",
+ .container_id = "dummy"
+ };
+
+ stdin_str = get_default_version_stdin();
+ if (stdin_str == NULL) {
+ return -1;
+ }
+
+ envs = as_env(&cniargs);
+ if (envs == NULL) {
+ ERROR("create env failed");
+ return -1;
+ }
+
+ ret = raw_exec(plugin_path, stdin_str, envs, &stdout_str, &e_err);
+ DEBUG("Raw exec \"%s\" result: %d", plugin_path, ret);
+ DEBUG("Raw exec stdout: %s", stdout_str);
+ ret = do_parse_version_info_stdout_str(ret, e_err, stdout_str, result_version);
+
+ util_free_array(envs);
+ free_cni_exec_error(e_err);
+ return ret;
+
+}
+
void free_cni_args(struct cni_args *cargs)
{
size_t i = 0;
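Review bot: get_default_version_stdin returns `stdin_str` even when asprintf fails, and the pointer's value after a failed asprintf is not defined on every libc. The `stdin_str == NULL` test in get_version_info can therefore pass with an indeterminate pointer, which is then handed to raw_exec and to the `__isula_auto_free` cleanup. Return NULL explicitly in the failure branch: `if (ret < 0) { ERROR("parse cni version failed"); return NULL; }`. Separately, `DEBUG("Raw exec stdout: %s", stdout_str)` runs before stdout_str is checked for NULL in do_parse_version_info_stdout_str.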
diff --git a/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_exec.h b/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_exec.h
index 60b1c972..48d8d8b6 100644
--- a/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_exec.h
+++ b/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_exec.h
@@ -40,6 +40,8 @@ int exec_plugin_with_result(const char *plugin_path, const char *cni_net_conf_js
int exec_plugin_without_result(const char *plugin_path, const char *cni_net_conf_json, const struct cni_args *cniargs);
+int get_version_info(const char *plugin_path, cni_version_info **result_version);
+
#ifdef __cplusplus
}
#endif
diff --git a/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_result_parse.c b/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_result_parse.c
index 164b2e29..aa4f75cf 100644
--- a/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_result_parse.c
+++ b/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_result_parse.c
@@ -741,3 +741,32 @@ struct cni_opt_result *new_result(const char *version, const char *jsonstr)
ERROR("unsupported CNI result version \"%s\"", version);
return NULL;
}
+
+size_t get_curr_support_version_len(void)
+{
+ return CURR_SUPPORT_VERSION_LEN;
+}
+
+int get_support_version_pos(const char *version)
+{
+ int i = 0;
+ if (version == NULL) {
+ return -1;
+ }
+
+ for (i = CURR_SUPPORT_VERSION_LEN - 1; i >= 0; i--) {
+ if ((g_curr_support_versions[i] != NULL) && (strcmp(version, g_curr_support_versions[i]) == 0)) {
+ return i;
+ }
+ }
+
+ return -1;
+}
+
+const char *get_support_version_by_pos(size_t pos)
+{
+ if (pos >= CURR_SUPPORT_VERSION_LEN) {
+ return NULL;
+ }
+ return g_curr_support_versions[pos];
+}
\ No newline at end of file
diff --git a/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_result_parse.h b/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_result_parse.h
index 547bc915..438e1332 100644
--- a/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_result_parse.h
+++ b/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_result_parse.h
@@ -37,6 +37,12 @@ cni_result_curr *cni_result_curr_to_json_result(const struct cni_opt_result *src
struct cni_opt_result *copy_result_from_current(const cni_result_curr *curr_result);
+size_t get_curr_support_version_len(void);
+
+int get_support_version_pos(const char *version);
+
+const char *get_support_version_by_pos(size_t pos);
+
#ifdef __cplusplus
}
#endif
diff --git a/src/daemon/modules/network/cni_operator/libcni/libcni_api.c b/src/daemon/modules/network/cni_operator/libcni/libcni_api.c
index 781759e8..7f62df78 100644
--- a/src/daemon/modules/network/cni_operator/libcni/libcni_api.c
+++ b/src/daemon/modules/network/cni_operator/libcni/libcni_api.c
@@ -843,6 +843,112 @@ free_out:
return ret;
}
+static int version_network(const char *plugin_name, cni_version_info **result_version)
+{
+ int ret = 0;
+ __isula_auto_free char *plugin_path = NULL;
+
+ if (plugin_name == NULL) {
+ ERROR("Empty plugin name");
+ return -1;
+ }
+
+ ret = find_plugin_in_path(plugin_name, (const char * const *)g_module_conf.bin_paths,
+ g_module_conf.bin_paths_len, &plugin_path);
+ if (ret != 0) {
+ ERROR("Failed to find plugin: \"%s\"", plugin_name);
+ isulad_append_error_message("Failed to find plugin: \"%s\". ", plugin_name);
+ return ret;
+ }
+
+ // cni plugin calls should not take longer than 90 seconds
+ CALL_CHECK_TIMEOUT(90, ret = get_version_info(plugin_path, result_version));
+ return ret;
+}
+
+int cni_version_network_list(const struct cni_network_list_conf *list,
+ struct cni_version_info_list **result_version_list)
+{
+ int ret = 0;
+ int i;
+ cni_version_info *tmp_result_version = NULL;
+
+ if ((list == NULL) || (list->list == NULL) || (result_version_list == NULL)) {
+ ERROR("Empty arguments");
+ return -1;
+ }
+
+ *result_version_list = util_common_calloc_s(sizeof(struct cni_version_info_list));
+ if (*result_version_list == NULL) {
+ ERROR("Out of memory");
+ return -1;
+ }
+ (*result_version_list)->result_versions = util_smart_calloc_s(sizeof(cni_version_info *), list->list->plugins_len);
+ if ((*result_version_list)->result_versions == NULL) {
+ ERROR("Out of memory");
+ ret = -1;
+ goto free_out;
+ }
+
+ for (i = 0; i < list->list->plugins_len; i++) {
+ if (version_network(list->list->plugins[i]->type, &tmp_result_version) != 0) {
+ ret = -1;
+ ERROR("Run version plugin: %d failed", i);
+ goto free_out;
+ }
+ (*result_version_list)->result_versions[i] = tmp_result_version;
+ (*result_version_list)->result_versions_len += 1;
+ tmp_result_version = NULL;
+ }
+
+ return ret;
+
+free_out:
+ free_cni_version_info_list(*result_version_list);
+ *result_version_list = NULL;
+ return ret;
+}
+
+/* get the latest CNI version supported by all plugins */
+char *cni_get_plugins_supported_version(cni_net_conf_list *list)
+{
+ // init to default version, if no found, just return default version
+ char *cni_version = util_strdup_s(CURRENT_VERSION);
+ int i, j, version_pos;
+ struct cni_version_info_list *result_version_list = NULL;
+ struct cni_network_list_conf network_list = {
+ .list = list,
+ };
+ size_t curr_support_version_len = get_curr_support_version_len();
+ __isula_auto_free size_t *plugin_version_count = util_smart_calloc_s(sizeof(size_t), curr_support_version_len);
+ if (plugin_version_count == NULL) {
+ return cni_version;
+ }
+ if (cni_version_network_list(&network_list, &result_version_list) != 0) {
+ return cni_version;
+ }
+
+ // count plugin supported version
+ for (i = 0; i < result_version_list->result_versions_len; i++) {
+ for (j = result_version_list->result_versions[i]->supported_versions_len - 1; j >= 0 ; j--) {
+ version_pos = get_support_version_pos(result_version_list->result_versions[i]->supported_versions[j]);
+ if (version_pos < 0) {
+ break;
+ }
+ plugin_version_count[version_pos]++;
+ if (plugin_version_count[version_pos] == list->plugins_len) {
+ free(cni_version);
+ cni_version = util_strdup_s(get_support_version_by_pos(version_pos));
+ goto free_out;
+ }
+ }
+ }
+
+free_out:
+ free_cni_version_info_list(result_version_list);
+ return cni_version;
+}
+
static int do_copy_plugin_args(const struct runtime_conf *rc, struct cni_args **cargs)
{
size_t i = 0;
diff --git a/src/daemon/modules/network/cni_operator/libcni/libcni_api.h b/src/daemon/modules/network/cni_operator/libcni/libcni_api.h
index 878cb1bb..f94ab3f7 100644
--- a/src/daemon/modules/network/cni_operator/libcni/libcni_api.h
+++ b/src/daemon/modules/network/cni_operator/libcni/libcni_api.h
@@ -28,9 +28,6 @@
extern "C" {
#endif
-#define CURRENT_VERSION "1.0.0"
-#define SUPPORT_CACHE_AND_CHECK_VERSION "0.4.0"
-
#define SUPPORT_CAPABILITY_PORTMAPPINGS "portMappings"
#define SUPPORT_CAPABILITY_BANDWIDTH "bandwidth"
#define SUPPORT_CAPABILITY_IPRANGES "ipRanges"
@@ -87,6 +84,11 @@ int cni_del_network_list(const struct cni_network_list_conf *list, const struct
int cni_check_network_list(const struct cni_network_list_conf *list, const struct runtime_conf *rc,
struct cni_opt_result **p_result);
+
+int cni_version_network_list(const struct cni_network_list_conf *list,
+ struct cni_version_info_list **result_version_list);
+
+char *cni_get_plugins_supported_version(cni_net_conf_list *list);
void free_cni_port_mapping(struct cni_port_mapping *val);
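Review bot: The two prototypes added here say nothing about who owns what they return. In libcni_api.c, `cni_get_plugins_supported_version` returns a string built with `util_strdup_s`, and `cni_version_network_list` fills `*result_version_list` with a list that is released through `free_cni_version_info_list`. Both therefore leave the caller with something to free. I would add `/* returns a newly allocated version string; the caller frees it */` above the first and `/* on success the caller owns *result_version_list; release it with free_cni_version_info_list() */` above the second.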
diff --git a/src/daemon/modules/network/cni_operator/libcni/libcni_result_type.c b/src/daemon/modules/network/cni_operator/libcni/libcni_result_type.c
index fd1091de..8a0ce1dd 100644
--- a/src/daemon/modules/network/cni_operator/libcni/libcni_result_type.c
+++ b/src/daemon/modules/network/cni_operator/libcni/libcni_result_type.c
@@ -129,3 +129,21 @@ void free_cni_opt_result(struct cni_opt_result *val)
val->my_dns = NULL;
free(val);
}
+
+void free_cni_version_info_list(struct cni_version_info_list *val)
+{
+ size_t i = 0;
+
+ if (val == NULL) {
+ return;
+ }
+
+ for (i = 0; i < val->result_versions_len; i++) {
+ free_cni_version_info(val->result_versions[i]);
+ val->result_versions[i] = NULL;
+ }
+ free(val->result_versions);
+ val->result_versions = NULL;
+
+ free(val);
+}
diff --git a/src/daemon/modules/network/cni_operator/libcni/libcni_result_type.h b/src/daemon/modules/network/cni_operator/libcni/libcni_result_type.h
index abbc22fe..36640e63 100644
--- a/src/daemon/modules/network/cni_operator/libcni/libcni_result_type.h
+++ b/src/daemon/modules/network/cni_operator/libcni/libcni_result_type.h
@@ -19,10 +19,15 @@
#include <sys/types.h>
#include <stdbool.h>
+#include <isula_libutils/cni_version_info.h>
+
#ifdef __cplusplus
extern "C" {
#endif
+#define CURRENT_VERSION "1.0.0"
+#define SUPPORT_CACHE_AND_CHECK_VERSION "0.4.0"
+
/* define types for version */
struct cni_opt_result_interface {
char *name;
@@ -73,6 +78,11 @@ struct cni_opt_result {
struct cni_opt_result_dns *my_dns;
};
+struct cni_version_info_list {
+ cni_version_info **result_versions;
+ size_t result_versions_len;
+};
+
void free_cni_opt_result_ipconfig(struct cni_opt_result_ipconfig *ipc);
void free_cni_opt_result_route(struct cni_opt_result_route *val);
@@ -83,6 +93,8 @@ void free_cni_opt_result_dns(struct cni_opt_result_dns *val);
void free_cni_opt_result(struct cni_opt_result *val);
+void free_cni_version_info_list(struct cni_version_info_list *val);
+
#ifdef __cplusplus
}
#endif
diff --git a/src/daemon/modules/network/native/adaptor_native.c b/src/daemon/modules/network/native/adaptor_native.c
index 4c63dec1..45288d7e 100644
--- a/src/daemon/modules/network/native/adaptor_native.c
+++ b/src/daemon/modules/network/native/adaptor_native.c
@@ -26,6 +26,7 @@
#include "linked_list.h"
#include "isulad_config.h"
#include <isula_libutils/log.h>
+#include <isula_libutils/auto_cleanup.h>
#include "utils_network.h"
#include "network_tools.h"
#include "cni_operate.h"
@@ -1301,7 +1302,7 @@ static cni_net_conf_list *conf_bridge(const network_create_request *request, str
list->plugins_len++;
}
- list->cni_version = util_strdup_s(CURRENT_VERSION);
+ list->cni_version = cni_get_plugins_supported_version(list);
if (request->name != NULL) {
list->name = util_strdup_s(request->name);
} else {
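Review bot: `list->cni_version = cni_get_plugins_supported_version(list);` can silently end up with the default version. The helper returns `CURRENT_VERSION` when its allocation fails, when `cni_version_network_list` fails, and when no version's count reaches `list->plugins_len`, and none of those paths logs anything. Its inner loop also does `break` on the first `version_pos < 0`, so a plugin whose newest advertised version is unknown to iSulad contributes no counts at all (assuming `supported_versions` is ordered oldest to newest, as the reverse iteration suggests). The generated conflist can then declare a version that one of its plugins never reported. I would log the fallback in the helper, e.g. `WARN("No CNI version common to all plugins, using default %s", CURRENT_VERSION);`, and consider `continue` instead of `break` for unknown versions; conf_bridge itself starts and ends outside this hunk.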
--
2.42.0


@ -1,936 +0,0 @@
From c1c5159675073450fe13906771cec6f666053380 Mon Sep 17 00:00:00 2001
From: zhangxiaoyu <zhangxiaoyu58@huawei.com>
Date: Thu, 31 Aug 2023 13:14:02 +0000
Subject: [PATCH 05/33] !2163 add bind mount file lock * add bind mount file
lock
---
src/cmd/isula/stream/cp.c | 66 ++++++-
src/cmd/isulad/main.c | 51 ++++++
src/common/constants.h | 4 +
.../executor/container_cb/execution_stream.c | 23 ++-
src/daemon/modules/image/oci/oci_export.c | 13 +-
src/daemon/modules/image/oci/oci_load.c | 13 +-
.../graphdriver/devmapper/driver_devmapper.c | 12 +-
.../graphdriver/overlay2/driver_overlay2.c | 12 +-
src/utils/tar/isulad_tar.c | 16 +-
src/utils/tar/isulad_tar.h | 4 +-
src/utils/tar/util_archive.c | 163 +++++++++++++++---
src/utils/tar/util_archive.h | 8 +-
12 files changed, 332 insertions(+), 53 deletions(-)
diff --git a/src/cmd/isula/stream/cp.c b/src/cmd/isula/stream/cp.c
index f0cd99c9..b1e3bbd6 100644
--- a/src/cmd/isula/stream/cp.c
+++ b/src/cmd/isula/stream/cp.c
@@ -73,6 +73,44 @@ static void print_copy_from_container_error(const char *ops_err, const char *arc
}
}
+static int client_get_root_dir(const isula_connect_ops *ops, const client_connect_config_t *config, char **root_dir)
+{
+ int ret = 0;
+ struct isula_info_request request = { 0 };
+ struct isula_info_response *response = NULL;
+
+ response = util_common_calloc_s(sizeof(struct isula_info_response));
+ if (response == NULL) {
+ COMMAND_ERROR("Info: Out of memory");
+ return -1;
+ }
+
+ if (!ops->container.info) {
+ COMMAND_ERROR("Unimplemented info op");
+ ret = -1;
+ goto out;
+ }
+
+ ret = ops->container.info(&request, response, (void *)config);
+ if (ret != 0) {
+ client_print_error(response->cc, response->server_errono, response->errmsg);
+ ret = -1;
+ goto out;
+ }
+
+ if (response->isulad_root_dir == NULL) {
+ COMMAND_ERROR("None root dir");
+ ret = -1;
+ goto out;
+ }
+
+ *root_dir = util_strdup_s(response->isulad_root_dir);
+
+out:
+ isula_info_response_free(response);
+ return ret;
+}
+
static int client_copy_from_container(const struct client_arguments *args, const char *id, const char *srcpath,
const char *destpath)
{
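Review bot: `client_get_root_dir` copies `response->isulad_root_dir` from the daemon's info reply, and the later hunks in this file pass it to `archive_copy_to` and `tar_resource`, where it is used as a local path for the lock file. That only holds when the client and the daemon share a filesystem. If `config` can point at a daemon on another host, the path may be missing locally or may name an unrelated file. I would state the assumption on the function, e.g. `/* root_dir is the daemon's root directory; only meaningful when isula runs on the daemon's host */`, and have the callers fail with a clear message when the lock file is not present locally.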
@@ -84,6 +122,7 @@ static int client_copy_from_container(const struct client_arguments *args, const
char *archive_err = NULL;
char *ops_err = NULL;
char *resolved = NULL;
+ char *root_dir = NULL;
struct archive_copy_info *srcinfo = NULL;
client_connect_config_t config;
@@ -92,18 +131,24 @@ static int client_copy_from_container(const struct client_arguments *args, const
COMMAND_ERROR("Unimplemented copy from container operation");
return -1;
}
+ config = get_connect_config(args);
+
+ ret = client_get_root_dir(ops, &config, &root_dir);
+ if (ret != 0) {
+ return -1;
+ }
response = util_common_calloc_s(sizeof(struct isula_copy_from_container_response));
if (response == NULL) {
ERROR("Event: Out of memory");
- return -1;
+ ret = -1;
+ goto out;
}
request.id = (char *)id;
request.runtime = args->runtime;
request.srcpath = (char *)srcpath;
- config = get_connect_config(args);
ret = ops->container.copy_from_container(&request, response, &config);
if (ret) {
ops_err = (response->errmsg != NULL) ? util_strdup_s(response->errmsg) : NULL;
@@ -125,7 +170,7 @@ static int client_copy_from_container(const struct client_arguments *args, const
srcinfo->path = util_strdup_s(srcpath);
srcinfo->isdir = S_ISDIR(response->stat->mode);
- nret = archive_copy_to(&response->reader, srcinfo, resolved, &archive_err);
+ nret = archive_copy_to(&response->reader, srcinfo, resolved, root_dir, &archive_err);
if (nret != 0) {
ret = nret;
}
@@ -137,6 +182,7 @@ static int client_copy_from_container(const struct client_arguments *args, const
out:
print_copy_from_container_error(ops_err, archive_err, ret, args);
+ free(root_dir);
free(resolved);
free(archive_err);
free(ops_err);
@@ -167,6 +213,7 @@ static int client_copy_to_container(const struct client_arguments *args, const c
int nret = 0;
char *archive_err = NULL;
char *resolved = NULL;
+ char *root_dir = NULL;
struct archive_copy_info *srcinfo = NULL;
struct io_read_wrapper archive_reader = { 0 };
client_connect_config_t config = { 0 };
@@ -176,11 +223,18 @@ static int client_copy_to_container(const struct client_arguments *args, const c
COMMAND_ERROR("Unimplemented copy to container operation");
return -1;
}
+ config = get_connect_config(args);
+
+ ret = client_get_root_dir(ops, &config, &root_dir);
+ if (ret != 0) {
+ return -1;
+ }
response = util_common_calloc_s(sizeof(struct isula_copy_to_container_response));
if (response == NULL) {
ERROR("Event: Out of memory");
- return -1;
+ ret = -1;
+ goto out;
}
request.id = (char *)id;
@@ -199,7 +253,7 @@ static int client_copy_to_container(const struct client_arguments *args, const c
goto out;
}
- nret = tar_resource(srcinfo, &archive_reader, &archive_err);
+ nret = tar_resource(srcinfo, root_dir, &archive_reader, &archive_err);
if (nret != 0) {
ret = -1;
goto out;
@@ -212,7 +266,6 @@ static int client_copy_to_container(const struct client_arguments *args, const c
request.reader.read = archive_reader.read;
request.reader.close = archive_reader.close;
- config = get_connect_config(args);
ret = ops->container.copy_to_container(&request, response, &config);
// archive reader close if copy to container failed
@@ -223,6 +276,7 @@ static int client_copy_to_container(const struct client_arguments *args, const c
out:
print_copy_to_container_error(response, archive_err, ret, args);
+ free(root_dir);
free(resolved);
free(archive_err);
free_archive_copy_info(srcinfo);
diff --git a/src/cmd/isulad/main.c b/src/cmd/isulad/main.c
index 681dcf03..b32b6626 100644
--- a/src/cmd/isulad/main.c
+++ b/src/cmd/isulad/main.c
@@ -72,6 +72,7 @@
#include "utils_file.h"
#include "utils_string.h"
#include "utils_verify.h"
+#include "path.h"
#include "volume_api.h"
#ifndef DISABLE_CLEANUP
#include "leftover_cleanup_api.h"
@@ -1383,6 +1384,50 @@ out:
return ret;
}
+static int create_mount_flock_file(const struct service_arguments *args)
+{
+ int nret = 0;
+ int fd = -1;
+ char path[PATH_MAX] = { 0 };
+ char cleanpath[PATH_MAX] = { 0 };
+
+ nret = snprintf(path, PATH_MAX, "%s/%s", args->json_confs->graph, MOUNT_FLOCK_FILE_PATH);
+ if (nret < 0 || (size_t)nret >= PATH_MAX) {
+ ERROR("Failed to snprintf");
+ return -1;
+ }
+
+ if (util_clean_path(path, cleanpath, sizeof(cleanpath)) == NULL) {
+ ERROR("clean path for %s failed", path);
+ return -1;
+ }
+
+ if (util_fileself_exists(cleanpath)) {
+ int err = 0;
+ // recreate mount flock file
+ // and make file uid/gid and permission correct
+ if (!util_force_remove_file(cleanpath, &err)) {
+ ERROR("Failed to delete %s, error: %s. Please delete %s manually.", path, strerror(err), path);
+ return -1;
+ }
+ }
+
+ fd = util_open(cleanpath, O_RDWR | O_CREAT, MOUNT_FLOCK_FILE_MODE);
+ if (fd < 0) {
+ ERROR("Failed to create file %s", cleanpath);
+ return -1;
+ }
+ close(fd);
+
+ nret = util_set_file_group(cleanpath, args->json_confs->group);
+ if (nret < 0) {
+ ERROR("set group of the path %s failed", cleanpath);
+ return -1;
+ }
+
+ return 0;
+}
+
static int isulad_server_init_service()
{
int ret = -1;
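Review bot: `create_mount_flock_file` removes the old file and then reopens the same path with `O_RDWR | O_CREAT`, so the create is not exclusive. If anything recreates `cleanpath`, or places a symlink there, between `util_force_remove_file` and `util_open`, the daemon adopts that object, and `MOUNT_FLOCK_FILE_MODE` is not applied to a file that already exists. I would open with `O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW` and treat `EEXIST` as an error. The group is also set by path after `close(fd)`, which resolves the name a second time; changing ownership on the descriptor before closing avoids that, and the file should be removed when `util_set_file_group` fails so a lock file with the wrong group is not left behind. How exposed this is depends on who can write to the graph directory, which the hunk does not show.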
@@ -1413,6 +1458,12 @@ static int isulad_server_init_service()
goto unlock_out;
}
+ ret = create_mount_flock_file(args);
+ if (ret != 0) {
+ ERROR("Failed to create mount flock file");
+ goto unlock_out;
+ }
+
unlock_out:
if (isulad_server_conf_unlock()) {
ret = -1;
diff --git a/src/common/constants.h b/src/common/constants.h
index 409a83a1..d93bb464 100644
--- a/src/common/constants.h
+++ b/src/common/constants.h
@@ -68,6 +68,8 @@ extern "C" {
#define DEFAULT_HIGHEST_DIRECTORY_MODE 0755
+#define MOUNT_FLOCK_FILE_MODE 0660
+
#define ISULAD_CONFIG SYSCONFDIR_PREFIX"/etc/isulad"
#define ISULAD_DAEMON_CONTAINER_CONTEXTS ISULAD_CONFIG "/container_contexts"
@@ -119,6 +121,8 @@ extern "C" {
#define OCI_VERSION "1.0.1"
#endif
+#define MOUNT_FLOCK_FILE_PATH "isulad-chroot-mount.flock"
+
#define OCI_IMAGE_GRAPH_ROOTPATH_NAME "storage"
#ifdef ENABLE_GRPC_REMOTE_CONNECT
diff --git a/src/daemon/executor/container_cb/execution_stream.c b/src/daemon/executor/container_cb/execution_stream.c
index 32721e68..244ec6a0 100644
--- a/src/daemon/executor/container_cb/execution_stream.c
+++ b/src/daemon/executor/container_cb/execution_stream.c
@@ -62,6 +62,7 @@
#include "utils.h"
#include "utils_file.h"
#include "utils_verify.h"
+#include "isulad_config.h"
#if defined (__ANDROID__) || defined(__MUSL__)
#define SIG_CANCEL_SIGNAL SIGUSR1
@@ -442,6 +443,7 @@ static int archive_and_send_copy_data(const stream_func_wrapper *stream,
char *absbase = NULL;
char *err = NULL;
char *buf = NULL;
+ char *root_dir = NULL;
char cleaned[PATH_MAX + 2] = { 0 };
struct io_read_wrapper reader = { 0 };
char *tar_path = NULL;
@@ -474,9 +476,15 @@ static int archive_and_send_copy_data(const stream_func_wrapper *stream,
goto cleanup;
}
+ root_dir = conf_get_isulad_rootdir();
+ if (root_dir == NULL) {
+ ERROR("Failed to get isulad rootdir");
+ goto cleanup;
+ }
+
DEBUG("archive chroot tar stream container_fs(%s) srcdir(%s) relative(%s) srcbase(%s) absbase(%s)",
container_fs, srcdir, tar_path, srcbase, absbase);
- nret = archive_chroot_tar_stream(container_fs, tar_path, srcbase, absbase, &reader);
+ nret = archive_chroot_tar_stream(container_fs, tar_path, srcbase, absbase, root_dir, &reader);
if (nret != 0) {
ERROR("Archive %s failed", resolvedpath);
goto cleanup;
@@ -504,6 +512,7 @@ cleanup:
free(srcdir);
free(srcbase);
free(absbase);
+ free(root_dir);
if (reader.close != NULL) {
int cret = reader.close(reader.context, &err);
if (err != NULL) {
@@ -776,15 +785,25 @@ static int read_and_extract_archive(stream_func_wrapper *stream, const char *con
{
int ret = -1;
char *err = NULL;
+ char *root_dir = NULL;
struct io_read_wrapper content = { 0 };
content.context = stream;
content.read = extract_stream_to_io_read;
- ret = archive_chroot_untar_stream(&content, container_fs, dstdir_in_container, src_rebase, dst_rebase, &err);
+
+ root_dir = conf_get_isulad_rootdir();
+ if (root_dir == NULL) {
+ ERROR("Failed to get isulad rootdir");
+ isulad_set_error_message("Failed to get isulad rootdir");
+ return -1;
+ }
+
+ ret = archive_chroot_untar_stream(&content, container_fs, dstdir_in_container, src_rebase, dst_rebase, root_dir, &err);
if (ret != 0) {
ERROR("Can not untar to container: %s", (err != NULL) ? err : "unknown");
isulad_set_error_message("Can not untar to container: %s", (err != NULL) ? err : "unknown");
}
free(err);
+ free(root_dir);
return ret;
}
diff --git a/src/daemon/modules/image/oci/oci_export.c b/src/daemon/modules/image/oci/oci_export.c
index e27ed6d8..6bfcf4d5 100644
--- a/src/daemon/modules/image/oci/oci_export.c
+++ b/src/daemon/modules/image/oci/oci_export.c
@@ -23,6 +23,7 @@
#include "util_archive.h"
#include "path.h"
#include "utils_file.h"
+#include "isulad_config.h"
int oci_do_export(char *id, char *file)
{
@@ -30,6 +31,7 @@ int oci_do_export(char *id, char *file)
int ret2 = 0;
char *mount_point = NULL;
char *errmsg = NULL;
+ char *root_dir = NULL;
char cleanpath[PATH_MAX] = { 0 };
if (id == NULL || file == NULL) {
@@ -56,7 +58,15 @@ int oci_do_export(char *id, char *file)
return -1;
}
- ret = archive_chroot_tar(mount_point, cleanpath, &errmsg);
+ root_dir = conf_get_isulad_rootdir();
+ if (root_dir == NULL) {
+ ERROR("Failed to get isulad rootdir");
+ isulad_set_error_message("Failed to get isulad rootdir");
+ ret = -1;
+ goto out;
+ }
+
+ ret = archive_chroot_tar(mount_point, cleanpath, root_dir, &errmsg);
if (ret != 0) {
ERROR("failed to export container %s to file %s: %s", id, cleanpath, errmsg);
isulad_set_error_message("Failed to export rootfs with error: %s", errmsg);
@@ -68,6 +78,7 @@ out:
mount_point = NULL;
free(errmsg);
errmsg = NULL;
+ free(root_dir);
ret2 = storage_rootfs_umount(id, false);
if (ret2 != 0) {
diff --git a/src/daemon/modules/image/oci/oci_load.c b/src/daemon/modules/image/oci/oci_load.c
index 04a9f947..4385e55e 100644
--- a/src/daemon/modules/image/oci/oci_load.c
+++ b/src/daemon/modules/image/oci/oci_load.c
@@ -41,6 +41,7 @@
#include "utils_file.h"
#include "utils_verify.h"
#include "oci_image.h"
+#include "isulad_config.h"
#define MANIFEST_BIG_DATA_KEY "manifest"
#define OCI_SCHEMA_VERSION 2
@@ -1068,6 +1069,7 @@ int oci_do_load(const im_load_request *request)
char *digest = NULL;
char *dstdir = NULL;
char *err = NULL;
+ char *root_dir = NULL;
if (request == NULL || request->file == NULL) {
ERROR("Invalid input arguments, cannot load image");
@@ -1088,8 +1090,16 @@ int oci_do_load(const im_load_request *request)
goto out;
}
+ root_dir = conf_get_isulad_rootdir();
+ if (root_dir == NULL) {
+ ERROR("Failed to get isulad rootdir");
+ isulad_try_set_error_message("Failed to get isulad rootdir");
+ ret = -1;
+ goto out;
+ }
+
options.whiteout_format = NONE_WHITEOUT_FORMATE;
- if (archive_unpack(&reader, dstdir, &options, &err) != 0) {
+ if (archive_unpack(&reader, dstdir, &options, root_dir, &err) != 0) {
ERROR("Failed to unpack to %s: %s", dstdir, err);
isulad_try_set_error_message("Failed to unpack to %s: %s", dstdir, err);
ret = -1;
@@ -1175,5 +1185,6 @@ out:
}
free(dstdir);
free(err);
+ free(root_dir);
return ret;
}
diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/driver_devmapper.c b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/driver_devmapper.c
index 998ea8c2..ecb62f79 100644
--- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/driver_devmapper.c
+++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/driver_devmapper.c
@@ -32,6 +32,7 @@
#include "utils_file.h"
#include "utils_fs.h"
#include "utils_string.h"
+#include "isulad_config.h"
struct io_read_wrapper;
@@ -346,6 +347,7 @@ int devmapper_apply_diff(const char *id, const struct graphdriver *driver, const
int ret = 0;
struct archive_options options = { 0 };
char *err = NULL;
+ char *root_dir = NULL;
if (!util_valid_str(id) || driver == NULL || content == NULL) {
ERROR("invalid argument to apply diff with id(%s)", id);
@@ -366,8 +368,15 @@ int devmapper_apply_diff(const char *id, const struct graphdriver *driver, const
goto out;
}
+ root_dir = conf_get_isulad_rootdir();
+ if (root_dir == NULL) {
+ ERROR("Failed to get isulad rootdir");
+ ret = -1;
+ goto umount_out;
+ }
+
options.whiteout_format = REMOVE_WHITEOUT_FORMATE;
- if (archive_unpack(content, layer_fs, &options, &err) != 0) {
+ if (archive_unpack(content, layer_fs, &options, root_dir, &err) != 0) {
ERROR("devmapper: failed to unpack to %s: %s", layer_fs, err);
ret = -1;
goto umount_out;
@@ -384,6 +393,7 @@ out:
free_driver_mount_opts(mount_opts);
free(layer_fs);
free(err);
+ free(root_dir);
return ret;
}
diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c
index c5864c90..b177f594 100644
--- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c
+++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c
@@ -45,6 +45,7 @@
#include "utils_timestamp.h"
#include "selinux_label.h"
#include "err_msg.h"
+#include "isulad_config.h"
#ifdef ENABLE_REMOTE_LAYER_STORE
#include "ro_symlink_maintain.h"
#endif
@@ -1886,6 +1887,7 @@ int overlay2_apply_diff(const char *id, const struct graphdriver *driver, const
char *layer_diff = NULL;
struct archive_options options = { 0 };
char *err = NULL;
+ char *root_dir = NULL;
if (id == NULL || driver == NULL || content == NULL) {
ERROR("invalid argument");
@@ -1919,7 +1921,14 @@ int overlay2_apply_diff(const char *id, const struct graphdriver *driver, const
}
#endif
- ret = archive_unpack(content, layer_diff, &options, &err);
+ root_dir = conf_get_isulad_rootdir();
+ if (root_dir == NULL) {
+ ERROR("Failed to get isulad rootdir");
+ ret = -1;
+ goto out;
+ }
+
+ ret = archive_unpack(content, layer_diff, &options, root_dir ,&err);
if (ret != 0) {
ERROR("Failed to unpack to %s: %s", layer_diff, err);
ret = -1;
@@ -1928,6 +1937,7 @@ int overlay2_apply_diff(const char *id, const struct graphdriver *driver, const
out:
free(err);
+ free(root_dir);
free(layer_dir);
free(layer_diff);
#ifdef ENABLE_USERNS_REMAP
diff --git a/src/utils/tar/isulad_tar.c b/src/utils/tar/isulad_tar.c
index 74176b12..24269c70 100644
--- a/src/utils/tar/isulad_tar.c
+++ b/src/utils/tar/isulad_tar.c
@@ -385,7 +385,7 @@ cleanup:
}
int archive_copy_to(const struct io_read_wrapper *content, const struct archive_copy_info *srcinfo,
- const char *dstpath, char **err)
+ const char *dstpath, const char *root_dir, char **err)
{
int ret = -1;
struct archive_copy_info *dstinfo = NULL;
@@ -393,7 +393,7 @@ int archive_copy_to(const struct io_read_wrapper *content, const struct archive_
char *src_base = NULL;
char *dst_base = NULL;
- if (err == NULL || dstpath == NULL || srcinfo == NULL || content == NULL) {
+ if (err == NULL || dstpath == NULL || srcinfo == NULL || content == NULL || root_dir == NULL) {
return -1;
}
@@ -409,7 +409,7 @@ int archive_copy_to(const struct io_read_wrapper *content, const struct archive_
goto cleanup;
}
- ret = archive_chroot_untar_stream(content, dstdir, ".", src_base, dst_base, err);
+ ret = archive_chroot_untar_stream(content, dstdir, ".", src_base, dst_base, root_dir, err);
cleanup:
free_archive_copy_info(dstinfo);
@@ -419,7 +419,7 @@ cleanup:
return ret;
}
-static int tar_resource_rebase(const char *path, const char *rebase, struct io_read_wrapper *archive_reader, char **err)
+static int tar_resource_rebase(const char *path, const char *rebase, const char *root_dir, struct io_read_wrapper *archive_reader, char **err)
{
int ret = -1;
int nret;
@@ -438,7 +438,7 @@ static int tar_resource_rebase(const char *path, const char *rebase, struct io_r
}
DEBUG("chroot tar stream srcdir(%s) srcbase(%s) rebase(%s)", srcdir, srcbase, rebase);
- nret = archive_chroot_tar_stream(srcdir, srcbase, srcbase, rebase, archive_reader);
+ nret = archive_chroot_tar_stream(srcdir, srcbase, srcbase, rebase, root_dir, archive_reader);
if (nret < 0) {
ERROR("Can not archive path: %s", path);
goto cleanup;
@@ -450,11 +450,11 @@ cleanup:
return ret;
}
-int tar_resource(const struct archive_copy_info *info, struct io_read_wrapper *archive_reader, char **err)
+int tar_resource(const struct archive_copy_info *info, const char *root_dir, struct io_read_wrapper *archive_reader, char **err)
{
- if (info == NULL || archive_reader == NULL || err == NULL) {
+ if (info == NULL || root_dir == NULL || archive_reader == NULL || err == NULL) {
return -1;
}
- return tar_resource_rebase(info->path, info->rebase_name, archive_reader, err);
+ return tar_resource_rebase(info->path, info->rebase_name, root_dir, archive_reader, err);
}
diff --git a/src/utils/tar/isulad_tar.h b/src/utils/tar/isulad_tar.h
index cdd9858a..414bb024 100644
--- a/src/utils/tar/isulad_tar.h
+++ b/src/utils/tar/isulad_tar.h
@@ -43,10 +43,10 @@ struct archive_copy_info *copy_info_source_path(const char *path, bool follow_li
char *prepare_archive_copy(const struct archive_copy_info *srcinfo, const struct archive_copy_info *dstinfo,
char **src_base, char **dst_base, char **err);
-int tar_resource(const struct archive_copy_info *info, struct io_read_wrapper *archive_reader, char **err);
+int tar_resource(const struct archive_copy_info *info, const char *root_dir, struct io_read_wrapper *archive_reader, char **err);
int archive_copy_to(const struct io_read_wrapper *content, const struct archive_copy_info *srcinfo,
- const char *dstpath, char **err);
+ const char *dstpath, const char *root_dir, char **err);
#ifdef __cplusplus
}
diff --git a/src/utils/tar/util_archive.c b/src/utils/tar/util_archive.c
index 0fb7769b..d2fc5488 100644
--- a/src/utils/tar/util_archive.c
+++ b/src/utils/tar/util_archive.c
@@ -33,10 +33,12 @@
#include <netdb.h>
#include <sys/mount.h>
#include <sys/capability.h>
+#include <sys/file.h>
#include <isula_libutils/log.h>
#include <isula_libutils/go_crc64.h>
#include <isula_libutils/storage_entry.h>
+#include <isula_libutils/auto_cleanup.h>
#include "error.h"
#include "map.h"
@@ -83,6 +85,31 @@ static ssize_t read_content(struct archive *a, void *client_data, const void **b
return mydata->content->read(mydata->content->context, mydata->buff, sizeof(mydata->buff));
}
+static char *generate_flock_path(const char *root_dir)
+{
+ int nret = 0;
+ char path[PATH_MAX] = { 0 };
+ char cleanpath[PATH_MAX] = { 0 };
+
+ nret = snprintf(path, PATH_MAX, "%s/%s", root_dir, MOUNT_FLOCK_FILE_PATH);
+ if (nret < 0 || (size_t)nret >= PATH_MAX) {
+ ERROR("Failed to snprintf");
+ return NULL;
+ }
+
+ if (util_clean_path(path, cleanpath, sizeof(cleanpath)) == NULL) {
+ ERROR("clean path for %s failed", path);
+ return NULL;
+ }
+
+ if (!util_file_exists(cleanpath)) {
+ ERROR("flock file %s doesn't exist", cleanpath);
+ return NULL;
+ }
+
+ return util_strdup_s(cleanpath);
+}
+
static void do_disable_unneccessary_caps()
{
cap_t caps;
@@ -104,7 +131,58 @@ static void do_disable_unneccessary_caps()
cap_free(caps);
}
-static int make_safedir_is_noexec(const char *dstdir, char **safe_dir)
+// Add flock when bind mount and make it private.
+// Because bind mount usually makes safedir shared mount point,
+// and sometimes it will cause "mount point explosion".
+// E.g. concurrently execute isula cp /tmp/<XXX-File> <CONTAINER-ID>:<CONTAINER-PAT>
+static int bind_mount_with_flock(const char *flock_path, const char *dstdir, const char *tmp_dir)
+{
+ __isula_auto_close int fd = -1;
+ int ret = -1;
+
+ fd = open(flock_path, O_RDWR | O_CLOEXEC);
+ if (fd < 0) {
+ SYSERROR("Failed to open file %s", flock_path);
+ return -1;
+ }
+
+ if (flock(fd, LOCK_EX) != 0) {
+ SYSERROR("Failed to lock file %s", flock_path);
+ return -1;
+ }
+
+ if (mount(dstdir, tmp_dir, "none", MS_BIND, NULL) != 0) {
+ SYSERROR("Mount safe dir failed");
+ goto unlock_out;
+ }
+
+ if (mount(tmp_dir, tmp_dir, "none", MS_BIND | MS_REMOUNT | MS_NOEXEC, NULL) != 0) {
+ SYSERROR("Mount safe dir failed");
+ if (umount(tmp_dir) != 0) {
+ SYSERROR("Failed to umount target %s", tmp_dir);
+ }
+ goto unlock_out;
+ }
+
+ // Change the propagation type.
+ if (mount("", tmp_dir, "", MS_PRIVATE, "") != 0) {
+ SYSERROR("Failed to change the propagation type");
+ if (umount(tmp_dir) != 0) {
+ SYSERROR("Failed to umount target %s", tmp_dir);
+ }
+ goto unlock_out;
+ }
+
+ ret = 0;
+
+unlock_out:
+ if (flock(fd, LOCK_UN) != 0) {
+ SYSERROR("Failed to unlock file %s", flock_path);
+ }
+ return ret;
+}
+
+static int make_safedir_is_noexec(const char *flock_path, const char *dstdir, char **safe_dir)
{
struct stat buf;
char *isulad_tmpdir_env = NULL;
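Review bot: `flock(fd, LOCK_EX)` in `bind_mount_with_flock` blocks with no bound, and the lock file is created with `MOUNT_FLOCK_FILE_MODE` (0660) and handed to the configured group. Any process that can open the file can therefore hold the lock and stall every `archive_unpack` and chroot tar/untar call in the daemon, and a signal that interrupts the wait (`EINTR`) fails the whole operation. I would retry on `EINTR` and either use `LOCK_EX | LOCK_NB` with a bounded wait or record the trust assumption next to the call: `// NOTE: blocking lock; every member of the configured group can delay these mounts`. `open(flock_path, O_RDWR | O_CLOEXEC)` could also add `O_NOFOLLOW` so a symlink at that path is refused. make_safedir_is_noexec, whose new signature closes this hunk, continues outside it.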
@@ -156,19 +234,8 @@ static int make_safedir_is_noexec(const char *dstdir, char **safe_dir)
return -1;
}
- if (mount(dstdir, tmp_dir, "none", MS_BIND, NULL) != 0) {
- SYSERROR("Mount safe dir failed");
- if (util_path_remove(tmp_dir) != 0) {
- ERROR("Failed to remove path %s", tmp_dir);
- }
- return -1;
- }
-
- if (mount(tmp_dir, tmp_dir, "none", MS_BIND | MS_REMOUNT | MS_NOEXEC, NULL) != 0) {
- SYSERROR("Mount safe dir failed");
- if (umount(tmp_dir) != 0) {
- ERROR("Failed to umount target %s", tmp_dir);
- }
+ if (bind_mount_with_flock(flock_path, dstdir, tmp_dir) != 0) {
+ ERROR("Failed to bind mount from %s to %s with flock", dstdir, tmp_dir);
if (util_path_remove(tmp_dir) != 0) {
ERROR("Failed to remove path %s", tmp_dir);
}
@@ -723,7 +790,7 @@ static void set_child_process_pdeathsig(void)
}
int archive_unpack(const struct io_read_wrapper *content, const char *dstdir, const struct archive_options *options,
- char **errmsg)
+ const char *root_dir, char **errmsg)
{
int ret = 0;
pid_t pid = -1;
@@ -731,12 +798,24 @@ int archive_unpack(const struct io_read_wrapper *content, const char *dstdir, co
int pipe_stderr[2] = { -1, -1 };
char errbuf[BUFSIZ + 1] = { 0 };
char *safe_dir = NULL;
+ char *flock_path = NULL;
- if (make_safedir_is_noexec(dstdir, &safe_dir) != 0) {
- ERROR("Prepare safe dir failed");
+ if (content == NULL || dstdir == NULL || options == NULL || root_dir == NULL) {
return -1;
}
+ flock_path = generate_flock_path(root_dir);
+ if (flock_path == NULL) {
+ ERROR("Failed to generate flock path");
+ return -1;
+ }
+
+ if (make_safedir_is_noexec(flock_path, dstdir, &safe_dir) != 0) {
+ ERROR("Prepare safe dir failed");
+ ret = -1;
+ goto cleanup;
+ }
+
if (pipe2(pipe_stderr, O_CLOEXEC) != 0) {
ERROR("Failed to create pipe");
ret = -1;
@@ -816,6 +895,7 @@ cleanup:
ERROR("Failed to remove path %s", safe_dir);
}
free(safe_dir);
+ free(flock_path);
return ret;
}
@@ -1126,7 +1206,7 @@ static ssize_t fd_write(void *context, const void *data, size_t len)
return util_write_nointr(*(int *)context, data, len);
}
-int archive_chroot_tar(char *path, char *file, char **errmsg)
+int archive_chroot_tar(const char *path, const char *file, const char *root_dir, char **errmsg)
{
struct io_write_wrapper pipe_context = { 0 };
int ret = 0;
@@ -1136,12 +1216,24 @@ int archive_chroot_tar(char *path, char *file, char **errmsg)
char errbuf[BUFSIZ + 1] = { 0 };
int fd = 0;
char *safe_dir = NULL;
+ char *flock_path = NULL;
- if (make_safedir_is_noexec(path, &safe_dir) != 0) {
- ERROR("Prepare safe dir failed");
+ if (path == NULL || file == NULL || root_dir == NULL) {
+ return -1;
+ }
+
+ flock_path = generate_flock_path(root_dir);
+ if (flock_path == NULL) {
+ ERROR("Failed to generate flock path");
return -1;
}
+ if (make_safedir_is_noexec(flock_path, path, &safe_dir) != 0) {
+ ERROR("Prepare safe dir failed");
+ ret = -1;
+ goto cleanup;
+ }
+
if (pipe2(pipe_for_read, O_CLOEXEC) != 0) {
ERROR("Failed to create pipe");
ret = -1;
@@ -1232,6 +1324,7 @@ cleanup:
ERROR("Failed to remove path %s", safe_dir);
}
free(safe_dir);
+ free(flock_path);
return ret;
}
@@ -1352,7 +1445,7 @@ static int archive_context_close(void *context, char **err)
}
int archive_chroot_untar_stream(const struct io_read_wrapper *context, const char *chroot_dir, const char *untar_dir,
- const char *src_base, const char *dst_base, char **errmsg)
+ const char *src_base, const char *dst_base, const char *root_dir, char **errmsg)
{
struct io_read_wrapper pipe_context = { 0 };
int pipe_stream[2] = { -1, -1 };
@@ -1370,12 +1463,19 @@ int archive_chroot_untar_stream(const struct io_read_wrapper *context, const cha
.dst_base = dst_base
};
char *safe_dir = NULL;
+ char *flock_path = NULL;
- if (make_safedir_is_noexec(chroot_dir, &safe_dir) != 0) {
- ERROR("Prepare safe dir failed");
+ flock_path = generate_flock_path(root_dir);
+ if (flock_path == NULL) {
+ ERROR("Failed to generate flock path");
return -1;
}
+ if (make_safedir_is_noexec(flock_path, chroot_dir, &safe_dir) != 0) {
+ ERROR("Prepare safe dir failed");
+ goto cleanup;
+ }
+
if (pipe(pipe_stderr) != 0) {
ERROR("Failed to create pipe: %s", strerror(errno));
goto cleanup;
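Review bot: `archive_chroot_untar_stream` passes `root_dir` straight to `generate_flock_path`, which formats it with `%s`, whereas `archive_unpack` and `archive_chroot_tar` gained an explicit `root_dir == NULL` check in this same patch. `archive_chroot_tar_stream` in the next hunk has the same gap. I would add `if (root_dir == NULL) { ERROR("Invalid NULL root dir"); return -1; }` before the `generate_flock_path` call in both functions so the four entry points behave alike. A failing `make_safedir_is_noexec` now jumps to `cleanup` instead of returning; that label lies outside the hunk, so it is worth confirming that it skips `umount` and `util_path_remove` when `safe_dir` is still NULL.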
@@ -1483,12 +1583,13 @@ cleanup:
ERROR("Failed to remove path %s", safe_dir);
}
free(safe_dir);
+ free(flock_path);
return ret;
}
int archive_chroot_tar_stream(const char *chroot_dir, const char *tar_path, const char *src_base, const char *dst_base,
- struct io_read_wrapper *reader)
+ const char *root_dir, struct io_read_wrapper *reader)
{
struct io_write_wrapper pipe_context = { 0 };
int keepfds[] = { -1, -1, -1 };
@@ -1498,12 +1599,19 @@ int archive_chroot_tar_stream(const char *chroot_dir, const char *tar_path, cons
pid_t pid;
struct archive_context *ctx = NULL;
char *safe_dir = NULL;
+ char *flock_path = NULL;
- if (make_safedir_is_noexec(chroot_dir, &safe_dir) != 0) {
- ERROR("Prepare safe dir failed");
+ flock_path = generate_flock_path(root_dir);
+ if (flock_path == NULL) {
+ ERROR("Failed to generate flock path");
return -1;
}
+ if (make_safedir_is_noexec(flock_path, chroot_dir, &safe_dir) != 0) {
+ ERROR("Prepare safe dir failed");
+ goto free_out;
+ }
+
if (pipe(pipe_stderr) != 0) {
ERROR("Failed to create pipe: %s", strerror(errno));
goto free_out;
@@ -1607,6 +1715,7 @@ free_out:
close_archive_pipes_fd(pipe_stderr, 2);
close_archive_pipes_fd(pipe_stream, 2);
free(ctx);
+ free(flock_path);
if (safe_dir != NULL) {
if (umount(safe_dir) != 0) {
ERROR("Failed to umount target %s", safe_dir);
@@ -1848,4 +1957,4 @@ int archive_copy_oci_tar_split_and_ret_size(int src_fd, const char *dist_file, i
}
return foreach_archive_entry(archive_entry_parse, src_fd, dist_file, ret_size);
-}
\ No newline at end of file
+}
diff --git a/src/utils/tar/util_archive.h b/src/utils/tar/util_archive.h
index 5cc2c5ec..8f0ab2a4 100644
--- a/src/utils/tar/util_archive.h
+++ b/src/utils/tar/util_archive.h
@@ -45,17 +45,17 @@ struct archive_options {
};
int archive_unpack(const struct io_read_wrapper *content, const char *dstdir, const struct archive_options *options,
- char **errmsg);
+ const char *root_dir, char **errmsg);
bool valid_archive_format(const char *file);
-int archive_chroot_tar(char *path, char *file, char **errmsg);
+int archive_chroot_tar(const char *path, const char *file, const char *root_dir, char **errmsg);
int archive_chroot_tar_stream(const char *chroot_dir, const char *tar_path, const char *src_base,
- const char *dst_base, struct io_read_wrapper *content);
+ const char *dst_base, const char *root_dir, struct io_read_wrapper *content);
int archive_chroot_untar_stream(const struct io_read_wrapper *content, const char *chroot_dir,
const char *untar_dir, const char *src_base, const char *dst_base,
- char **errmsg);
+ const char *root_dir, char **errmsg);
int archive_copy_oci_tar_split_and_ret_size(int src_fd, const char *dist_file, int64_t *ret_size);
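Review bot: Four prototypes gain a `root_dir` parameter, but the header says nothing about what it must point to or whether NULL is allowed. In the two stream functions shown in util_archive.c it is only passed to generate_flock_path(), so it presumably decides where the lock file is created; a caller reading the header cannot tell that. A short comment above archive_unpack would cover all four, for example `/* root_dir: base directory from which the flock path is derived (see generate_flock_path) */`, once the NULL behaviour is confirmed against the implementation.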
--
2.40.1


@ -0,0 +1,87 @@
From e314c2ba64b6f7a8b88566e6c01fac791c8e4186 Mon Sep 17 00:00:00 2001
From: liuxu <liuxu156@huawei.com>
Date: Wed, 8 Nov 2023 16:03:50 +0800
Subject: [PATCH 05/14] doc:support version opt
---
.../detailed/Network/cni_1.0.0_change.md | 24 ++++++++++++++++++-
.../detailed/Network/cni_operator_design.md | 8 +++++++
.../Network/cni_operator_design_zh.md | 8 +++++++
3 files changed, 39 insertions(+), 1 deletion(-)
diff --git a/docs/design/detailed/Network/cni_1.0.0_change.md b/docs/design/detailed/Network/cni_1.0.0_change.md
index 35dde2f7..a91225fb 100644
--- a/docs/design/detailed/Network/cni_1.0.0_change.md
+++ b/docs/design/detailed/Network/cni_1.0.0_change.md
@@ -33,7 +33,29 @@ cni_net_conf_runtime_config;
## 2. Execution Protocol
### VERSION
-VERSION操作用于检查插件支持的CNI规范的版本在spec-v1.0.0中它增加了输入参数cniVersioniSulad未使用VERSION功能因此不涉及。
+VERSION操作用于检查插件支持的CNI规范的版本在spec-v1.0.0中它增加了输入参数cniVersion。
+
+整体时序:
+```mermaid
+sequenceDiagram
+ participant conf_bridge
+ participant cni_get_plugins_supported_version
+ participant cni_version_network_list
+ participant version_network
+ participant get_version_info
+ conf_bridge ->> cni_get_plugins_supported_version:post cni_net_conf_list
+ cni_get_plugins_supported_version ->> cni_version_network_list:post cni_net_conf_list
+ loop for each plugin
+ cni_version_network_list ->> version_network:post each cni_net_conf
+ version_network ->> get_version_info:post each cni_net_conf plugin path e.g.
+ get_version_info -->> version_network:get version_result
+ version_network -->> cni_version_network_list:get version_result
+ end
+ cni_version_network_list ->> cni_version_network_list:comb cni_version_info_list
+ cni_version_network_list -->> cni_get_plugins_supported_version:get cni_version_info_list
+ cni_get_plugins_supported_version ->> cni_get_plugins_supported_version:find the latest CNI version supported by all plugins
+ cni_get_plugins_supported_version -->> conf_bridge:get version
+```
## 3. Execution of Network Configurations
diff --git a/docs/design/detailed/Network/cni_operator_design.md b/docs/design/detailed/Network/cni_operator_design.md
index e77f4f94..64aaf2ed 100644
--- a/docs/design/detailed/Network/cni_operator_design.md
+++ b/docs/design/detailed/Network/cni_operator_design.md
@@ -73,6 +73,14 @@ int detach_network_plane(const struct cni_manager *manager, const struct cni_net
* Return value: return 0 on success, non-zero on failure
*/
int check_network_plane(const struct cni_manager *manager, const struct cni_network_list_conf *list, struct cni_opt_result **result);
+
+/*
+* Description: get the CNI version information supported by the plugins required for the single network plane of the container;
+* list: network configuration;
+* result_version_list: record the CNI version supported by the plugins;
+* Return value: return 0 on success, non-zero on failure
+*/
+int version_network_plane(const struct cni_network_list_conf *list, struct cni_result_version_list **result_version_list);
````
# 4. Detailed Design
diff --git a/docs/design/detailed/Network/cni_operator_design_zh.md b/docs/design/detailed/Network/cni_operator_design_zh.md
index ac88806e..6aa3c51a 100644
--- a/docs/design/detailed/Network/cni_operator_design_zh.md
+++ b/docs/design/detailed/Network/cni_operator_design_zh.md
@@ -73,6 +73,14 @@ int detach_network_plane(const struct cni_manager *manager, const struct cni_net
* 返回值成功返回0失败返回非0
*/
int check_network_plane(const struct cni_manager *manager, const struct cni_network_list_conf *list, struct cni_opt_result **result);
+
+/*
+* 说明获取容器单网络平面所需的插件支持的CNI版本信息
+* list: 网络配置;
+* result_version_list记录插件支持的CNI版本信息
+* 返回值成功返回0失败返回非0
+*/
+int version_network_plane(const struct cni_network_list_conf *list, struct cni_result_version_list **result_version_list);
```
# 4.详细设计
--
2.42.0


@ -0,0 +1,26 @@
From ee928d5af7ab7c42ee4597e1b6ae5871767c165d Mon Sep 17 00:00:00 2001
From: zhongtao <zhongtao17@huawei.com>
Date: Mon, 13 Nov 2023 03:04:35 +0000
Subject: [PATCH 06/14] !2242 disable grpc remote connect by default * disable
grpc remote connect by default
---
cmake/options.cmake | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cmake/options.cmake b/cmake/options.cmake
index 8f1dfbbe..aeb24662 100644
--- a/cmake/options.cmake
+++ b/cmake/options.cmake
@@ -106,7 +106,7 @@ if (ENABLE_SELINUX STREQUAL "ON")
message("${Green}-- Enable selinux${ColourReset}")
endif()
-option(ENABLE_GRPC_REMOTE_CONNECT "enable gRPC remote connect" ON)
+option(ENABLE_GRPC_REMOTE_CONNECT "enable gRPC remote connect" OFF)
if (ENABLE_GRPC_REMOTE_CONNECT STREQUAL "ON")
add_definitions(-DENABLE_GRPC_REMOTE_CONNECT=1)
set(ENABLE_GRPC_REMOTE_CONNECT 1)
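Review bot: Changing the `option()` default to OFF only takes effect on a fresh configuration, because `option()` leaves an existing cache entry untouched. A build tree configured before this change keeps ENABLE_GRPC_REMOTE_CONNECT=ON and still gets `-DENABLE_GRPC_REMOTE_CONNECT=1`. Unlike the ENABLE_SELINUX block above, the visible lines of this block print nothing, so the effective value is easy to miss in a build log. Consider adding `message("${Green}-- Enable gRPC remote connect${ColourReset}")` inside the `if`, and noting that old build directories need a clean cache or an explicit `-DENABLE_GRPC_REMOTE_CONNECT=OFF`. The `if` block continues outside the hunk.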
--
2.42.0


@ -0,0 +1,209 @@
From 23945e20c418595a7a4037e9258f23aa7bed6b48 Mon Sep 17 00:00:00 2001
From: jake <jikai11@huawei.com>
Date: Mon, 13 Nov 2023 08:15:12 +0000
Subject: [PATCH 07/14] !2244 Save task address of shim v2 * Save task address
of shim v2
---
.../v1/v1_cri_container_manager_service.cc | 6 ++
.../v1alpha/cri_container_manager_service.cc | 5 ++
src/daemon/modules/runtime/shim/shim_rt_ops.c | 86 ++++++++++++++-----
3 files changed, 74 insertions(+), 23 deletions(-)
diff --git a/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc b/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc
index 1f20d2d2..f635df2b 100644
--- a/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc
+++ b/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc
@@ -1013,6 +1013,12 @@ auto ContainerManagerService::ContainerStats(const std::string &containerID, Err
if (error.NotEmpty()) {
goto cleanup;
}
+ if (contStatsVec.size() == 0) {
+ ERROR("Failed to get container stats");
+ error.SetError("Failed to get container stats");
+ goto cleanup;
+ }
+
contStats = std::move(contStatsVec[0]);
cleanup:
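Review bot: The new empty-result guard reports "Failed to get container stats" without saying which container, although `containerID` is a parameter of this function. That makes the log line and the returned error hard to correlate when several requests are in flight. I would write the check as `if (contStatsVec.empty()) {` and set the error with `error.Errorf("Failed to get stats of container %s", containerID.c_str());`, logging the same text. The identical guard added to the v1alpha ContainerStats in the next hunk has the same gap.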
diff --git a/src/daemon/entry/cri/v1alpha/cri_container_manager_service.cc b/src/daemon/entry/cri/v1alpha/cri_container_manager_service.cc
index 6f8ca114..9da25768 100644
--- a/src/daemon/entry/cri/v1alpha/cri_container_manager_service.cc
+++ b/src/daemon/entry/cri/v1alpha/cri_container_manager_service.cc
@@ -1019,6 +1019,11 @@ auto ContainerManagerService::ContainerStats(const std::string &containerID, Err
if (error.NotEmpty()) {
goto cleanup;
}
+ if (contStatsVec.size() == 0) {
+ ERROR("Failed to get container stats");
+ error.SetError("Failed to get container stats");
+ goto cleanup;
+ }
contStats = std::move(contStatsVec[0]);
cleanup:
diff --git a/src/daemon/modules/runtime/shim/shim_rt_ops.c b/src/daemon/modules/runtime/shim/shim_rt_ops.c
index d348dfe1..550b17f3 100644
--- a/src/daemon/modules/runtime/shim/shim_rt_ops.c
+++ b/src/daemon/modules/runtime/shim/shim_rt_ops.c
@@ -16,13 +16,17 @@
#define _GNU_SOURCE
#include "shim_rt_ops.h"
+
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <limits.h>
-#include "isula_libutils/log.h"
-#include "isula_libutils/shim_client_process_state.h"
+
+#include <isula_libutils/auto_cleanup.h>
+#include <isula_libutils/log.h>
+#include <isula_libutils/shim_client_process_state.h>
+
#include "utils.h"
#include "utils_string.h"
#include "constants.h"
@@ -318,16 +322,46 @@ bool rt_shim_detect(const char *runtime)
return false;
}
+static int save_shim_v2_address(const char *bundle, const char *addr)
+{
+ int nret;
+ char filename[PATH_MAX] = { 0 };
+
+ if (bundle == NULL) {
+ ERROR("Invalid input params");
+ return -1;
+ }
+
+ if (addr == NULL || strlen(addr) == 0) {
+ ERROR("Invalid shim v2 addr");
+ return -1;
+ }
+
+ nret = snprintf(filename, sizeof(filename), "%s/%s", bundle, "address");
+ if (nret < 0 || (size_t)nret >= sizeof(filename)) {
+ ERROR("Failed to print string");
+ return -1;
+ }
+
+ nret = util_atomic_write_file(filename, addr, strlen(addr), CONFIG_FILE_MODE, false);
+ if (nret != 0) {
+ ERROR("Failed to write file %s", filename);
+ return -1;
+ }
+
+ return 0;
+}
+
int rt_shim_create(const char *id, const char *runtime, const rt_create_params_t *params)
{
int ret = 0;
int pid = 0;
int fd = -1;
const char *task_address = NULL;
- char addr[PATH_MAX] = {0};
- char *exit_fifo_path = NULL;
- char *state_path = NULL;
- char *log_path = NULL;
+ char response[PATH_MAX] = {0};
+ __isula_auto_free char *exit_fifo_path = NULL;
+ __isula_auto_free char *state_path = NULL;
+ __isula_auto_free char *log_path = NULL;
if (id == NULL || runtime == NULL || params == NULL) {
ERROR("Invalid input params");
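Review bot: In save_shim_v2_address the util_atomic_write_file() failure is logged with `ERROR`, which drops errno. The container_unix.c hunk elsewhere on this page logs the same call with SYSERROR, and `SYSERROR("Failed to write file %s", filename);` would keep the cause in the daemon log, assuming the macro is available through the log header this file includes. The helper also has no comment; one line stating that it stores the shim address in `<bundle>/address` would tell readers where that file comes from. rt_shim_create continues outside the hunk.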
@@ -337,29 +371,25 @@ int rt_shim_create(const char *id, const char *runtime, const rt_create_params_t
exit_fifo_path = util_path_dir(params->exit_fifo);
if (exit_fifo_path == NULL) {
ERROR("%s: failed to get exit fifo dir from %s", id, params->exit_fifo);
- ret = -1;
- goto out;
+ return -1;
}
state_path = util_path_dir(exit_fifo_path);
if (state_path == NULL) {
ERROR("%s:failed to get state dir from %s", id, exit_fifo_path);
- ret = -1;
- goto out;
+ return -1;
}
log_path = util_string_append(SHIM_V2_LOG, params->bundle);
if (log_path == NULL) {
ERROR("Fail to append log path");
- ret = -1;
- goto out;
+ return -1;
}
fd = util_open(log_path, O_RDWR | O_CREAT | O_TRUNC, DEFAULT_SECURE_FILE_MODE);
if (fd < 0) {
ERROR("Failed to create log file for shim v2: %s", log_path);
- ret = -1;
- goto out;
+ return -1;
}
close(fd);
@@ -367,13 +397,13 @@ int rt_shim_create(const char *id, const char *runtime, const rt_create_params_t
* If task address is not set, create a new shim-v2 and get the address.
* If task address is set, use it directly.
*/
- if (params->task_addr == NULL) {
- if (shim_bin_v2_create(runtime, id, params->bundle, NULL, addr, state_path) != 0) {
+ if (params->task_addr == NULL || strlen(params->task_addr) == 0) {
+ if (shim_bin_v2_create(runtime, id, params->bundle, NULL, response, state_path) != 0) {
ERROR("%s: failed to create v2 shim", id);
- ret = -1;
- goto out;
+ return -1;
}
- task_address = addr;
+
+ task_address = response;
} else {
task_address = params->task_addr;
}
@@ -392,10 +422,20 @@ int rt_shim_create(const char *id, const char *runtime, const rt_create_params_t
goto out;
}
+ if (save_shim_v2_address(params->bundle, task_address) != 0) {
+ ERROR("%s: failed to save shim v2 address", id);
+ ret = -1;
+ goto out;
+ }
+
+ return 0;
+
out:
- free(log_path);
- free(exit_fifo_path);
- free(state_path);
+ if (ret != 0) {
+ if (shim_v2_kill(id, NULL, SIGKILL, false) != 0) {
+ ERROR("%s: kill shim v2 failed", id);
+ }
+ }
return ret;
}
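Review bot: The cleanup under `out:` calls `shim_v2_kill(id, NULL, SIGKILL, false)` on every failure, including the case where `params->task_addr` was supplied and this call did not start the shim. What shim_v2_kill acts on is not visible here, but if that address belongs to a shim shared with other tasks, a failed create could disturb them. Tracking ownership would limit the kill to shims started by this call: declare `bool created = false;`, set `created = true;` after shim_bin_v2_create() succeeds, and guard the cleanup with `if (created && shim_v2_kill(id, NULL, SIGKILL, false) != 0)`. The function body starts outside this hunk.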
@@ -614,7 +654,7 @@ int rt_shim_status(const char *id, const char *runtime, const rt_status_params_t
return -1;
}
- if (params->task_address != NULL) {
+ if (params->task_address != NULL && strlen(params->task_address) != 0) {
if (strlen(params->task_address) >= PATH_MAX) {
ERROR("Invalid task address");
return -1;
--
2.42.0


@ -0,0 +1,33 @@
From c8415e904333c99a2fcd4f8d070942b6923d44ed Mon Sep 17 00:00:00 2001
From: zhongtao <zhongtao17@huawei.com>
Date: Mon, 13 Nov 2023 08:52:42 +0000
Subject: [PATCH 10/14] !2245 fix utils_verify_ut failure when remote grpc
function is turned off * fix utils_verify_ut failure when remote grpc
function is turned off
---
test/cutils/utils_verify/utils_verify_ut.cc | 2 ++
1 file changed, 2 insertions(+)
diff --git a/test/cutils/utils_verify/utils_verify_ut.cc b/test/cutils/utils_verify/utils_verify_ut.cc
index 79670ec1..f2ff57c7 100644
--- a/test/cutils/utils_verify/utils_verify_ut.cc
+++ b/test/cutils/utils_verify/utils_verify_ut.cc
@@ -70,12 +70,14 @@ TEST(utils_verify, test_util_validate_socket)
ASSERT_EQ(util_validate_socket("unix://./isulad"), false);
ASSERT_EQ(util_validate_socket("unix://isulad"), false);
+#ifdef ENABLE_GRPC_REMOTE_CONNECT
ASSERT_EQ(util_validate_socket("tcp://localhost:2375"), true);
ASSERT_EQ(util_validate_socket("tcp://127.0.0.1:2375"), true);
ASSERT_EQ(util_validate_socket("tcp://"), false);
ASSERT_EQ(util_validate_socket("tcp://127.0.0.1"), false);
ASSERT_EQ(util_validate_socket("tcp://127.0.0.1,2375"), false);
+#endif
}
TEST(utils_verify, test_util_valid_device_mode)
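Review bot: With the `#ifdef` in place, a build without ENABLE_GRPC_REMOTE_CONNECT asserts nothing about `tcp://` addresses, and that is now the default configuration. If util_validate_socket() started accepting them again with the feature off, this test would still pass. An `#else` branch would pin the disabled behaviour, e.g. `ASSERT_EQ(util_validate_socket("tcp://127.0.0.1:2375"), false);`. The commit title suggests that is what the function returns when the feature is off, but confirm against its implementation, which is not shown here.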
--
2.42.0


@ -1,358 +0,0 @@
From ab03fdd4261ebc11f18e3b783dfc38558e5247b5 Mon Sep 17 00:00:00 2001
From: haozi007 <liuhao27@huawei.com>
Date: Wed, 6 Sep 2023 10:45:37 +0800
Subject: [PATCH 10/33] do not report low level error to user
Signed-off-by: haozi007 <liuhao27@huawei.com>
---
src/daemon/entry/cri/cri_helpers.cc | 4 ++--
.../v1alpha/cri_container_manager_service.cc | 3 ++-
src/daemon/executor/container_cb/execution.c | 4 ++--
.../executor/container_cb/execution_network.c | 17 ++++++++---------
.../executor/container_cb/execution_stream.c | 4 ++--
src/daemon/modules/container/container_unix.c | 2 +-
src/daemon/modules/image/external/ext_image.c | 4 ++--
src/daemon/modules/image/oci/oci_load.c | 2 +-
.../modules/runtime/engines/lcr/lcr_rt_ops.c | 3 +--
src/daemon/modules/service/service_container.c | 2 +-
src/daemon/modules/spec/verify.c | 2 +-
src/daemon/modules/volume/local.c | 8 ++++----
src/utils/tar/isulad_tar.c | 16 ++++++++--------
src/utils/tar/util_archive.c | 12 ++++++------
14 files changed, 41 insertions(+), 42 deletions(-)
diff --git a/src/daemon/entry/cri/cri_helpers.cc b/src/daemon/entry/cri/cri_helpers.cc
index a80ec7d0..2e1096f5 100644
--- a/src/daemon/entry/cri/cri_helpers.cc
+++ b/src/daemon/entry/cri/cri_helpers.cc
@@ -540,8 +540,8 @@ void RemoveContainerLogSymlink(const std::string &containerID, Errors &error)
if (path != nullptr) {
// Only remove the symlink when container log path is specified.
if (util_path_remove(path) != 0 && errno != ENOENT) {
- error.Errorf("Failed to remove container %s log symlink %s: %s", containerID.c_str(), path,
- strerror(errno));
+ SYSERROR("Failed to remove container %s log symlink %s.", containerID.c_str(), path);
+ error.Errorf("Failed to remove container %s log symlink %s.", containerID.c_str(), path);
goto cleanup;
}
}
diff --git a/src/daemon/entry/cri/v1alpha/cri_container_manager_service.cc b/src/daemon/entry/cri/v1alpha/cri_container_manager_service.cc
index b4faab95..013b938a 100644
--- a/src/daemon/entry/cri/v1alpha/cri_container_manager_service.cc
+++ b/src/daemon/entry/cri/v1alpha/cri_container_manager_service.cc
@@ -547,8 +547,9 @@ void ContainerManagerService::CreateContainerLogSymlink(const std::string &conta
WARN("Deleted previously existing symlink file: %s", path);
}
if (symlink(realPath, path) != 0) {
+ SYSERROR("failed to create symbolic link %s to the container log file %s for container %s", path, realPath, containerID.c_str());
error.Errorf("failed to create symbolic link %s to the container log file %s for container %s: %s", path,
- realPath, containerID.c_str(), strerror(errno));
+ realPath, containerID.c_str());
goto cleanup;
}
} else {
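Review bot: The `error.Errorf` format string still ends in `: %s` after the `strerror(errno)` argument was removed, so it has four `%s` conversions and only three arguments. Assuming Errorf forwards to a printf-style formatter, the fourth conversion reads an argument that was never passed, which is undefined behaviour on exactly the path that reports a symlink failure. Drop the trailing conversion so the string ends `... for container %s"`, matching the SYSERROR line added just above it. The function body extends beyond this hunk.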
diff --git a/src/daemon/executor/container_cb/execution.c b/src/daemon/executor/container_cb/execution.c
index d3571b7f..63d8143c 100644
--- a/src/daemon/executor/container_cb/execution.c
+++ b/src/daemon/executor/container_cb/execution.c
@@ -345,13 +345,13 @@ static int maybe_create_cpu_realtime_file(int64_t value, const char *file, const
fd = util_open(fpath, O_WRONLY | O_TRUNC | O_CREAT | O_CLOEXEC, 0700);
if (fd < 0) {
SYSERROR("Failed to open file: %s.", fpath);
- isulad_set_error_message("Failed to open file: %s: %s", fpath, strerror(errno));
+ isulad_set_error_message("Failed to open file: %s.", fpath);
return -1;
}
nwrite = util_write_nointr(fd, buf, strlen(buf));
if (nwrite < 0 || (size_t)nwrite != strlen(buf)) {
SYSERROR("Failed to write %s to %s.", buf, fpath);
- isulad_set_error_message("Failed to write '%s' to '%s': %s", buf, fpath, strerror(errno));
+ isulad_set_error_message("Failed to write '%s' to '%s'.", buf, fpath);
return -1;
}
diff --git a/src/daemon/executor/container_cb/execution_network.c b/src/daemon/executor/container_cb/execution_network.c
index ce924332..a145e33a 100644
--- a/src/daemon/executor/container_cb/execution_network.c
+++ b/src/daemon/executor/container_cb/execution_network.c
@@ -68,8 +68,8 @@ static int write_hostname_to_file(const char *rootfs, const char *hostname)
ret = util_write_file(file_path, hostname, strlen(hostname), NETWORK_MOUNT_FILE_MODE);
if (ret) {
- SYSERROR("Failed to write %s", file_path);
- isulad_set_error_message("Failed to write %s: %s", file_path, strerror(errno));
+ SYSERROR("Failed to write %s.", file_path);
+ isulad_set_error_message("Failed to write %s.", file_path);
goto out;
}
@@ -97,8 +97,8 @@ static int fopen_network(FILE **fp, char **file_path, const char *rootfs, const
*fp = util_fopen(*file_path, "a+");
if (*fp == NULL) {
- SYSERROR("Failed to open %s", *file_path);
- isulad_set_error_message("Failed to open %s: %s", *file_path, strerror(errno));
+ SYSERROR("Failed to open %s.", *file_path);
+ isulad_set_error_message("Failed to open %s.", *file_path);
return -1;
}
return 0;
@@ -169,8 +169,8 @@ static int write_content_to_file(const char *file_path, const char *content)
if (content != NULL) {
ret = util_write_file(file_path, content, strlen(content), NETWORK_MOUNT_FILE_MODE);
if (ret != 0) {
- SYSERROR("Failed to write file %s", file_path);
- isulad_set_error_message("Failed to write file %s: %s", file_path, strerror(errno));
+ SYSERROR("Failed to write file %s.", file_path);
+ isulad_set_error_message("Failed to write file %s.", file_path);
return ret;
}
}
@@ -702,9 +702,8 @@ static int chown_network(const char *user_remap, const char *rootfs, const char
goto out;
}
if (chown(file_path, host_uid, host_gid) != 0) {
- SYSERROR("Failed to chown network file '%s' to %u:%u", filename, host_uid, host_gid);
- isulad_set_error_message("Failed to chown network file '%s' to %u:%u: %s", filename, host_uid, host_gid,
- strerror(errno));
+ SYSERROR("Failed to chown network file '%s' to %u:%u.", filename, host_uid, host_gid);
+ isulad_set_error_message("Failed to chown network file '%s' to %u:%u.", filename, host_uid, host_gid);
ret = -1;
goto out;
}
diff --git a/src/daemon/executor/container_cb/execution_stream.c b/src/daemon/executor/container_cb/execution_stream.c
index 7e84cca3..aae9c234 100644
--- a/src/daemon/executor/container_cb/execution_stream.c
+++ b/src/daemon/executor/container_cb/execution_stream.c
@@ -536,7 +536,7 @@ static container_path_stat *do_container_stat_path(const char *rootpath, const c
nret = lstat(resolvedpath, &st);
if (nret < 0) {
SYSERROR("lstat %s failed.", resolvedpath);
- isulad_set_error_message("lstat %s: %s", resolvedpath, strerror(errno));
+ isulad_set_error_message("lstat %s failed.", resolvedpath);
goto cleanup;
}
@@ -922,7 +922,7 @@ static int copy_to_container_check_path_valid(const container_t *cont, const cha
nret = lstat(resolvedpath, &st);
if (nret < 0) {
SYSERROR("lstat %s failed", resolvedpath);
- isulad_set_error_message("lstat %s: %s", resolvedpath, strerror(errno));
+ isulad_set_error_message("lstat %s failed", resolvedpath);
goto cleanup;
}
diff --git a/src/daemon/modules/container/container_unix.c b/src/daemon/modules/container/container_unix.c
index e8c98441..fa53a85f 100644
--- a/src/daemon/modules/container/container_unix.c
+++ b/src/daemon/modules/container/container_unix.c
@@ -518,7 +518,7 @@ static int save_json_config_file(const char *id, const char *rootpath, const cha
nret = util_atomic_write_file(filename, json_data, strlen(json_data), CONFIG_FILE_MODE, false);
if (nret != 0) {
SYSERROR("Write file %s failed.", filename);
- isulad_set_error_message("Write file '%s' failed: %s", filename, strerror(errno));
+ isulad_set_error_message("Write file '%s' failed.", filename);
ret = -1;
}
diff --git a/src/daemon/modules/image/external/ext_image.c b/src/daemon/modules/image/external/ext_image.c
index 10af82a3..e1706469 100644
--- a/src/daemon/modules/image/external/ext_image.c
+++ b/src/daemon/modules/image/external/ext_image.c
@@ -65,8 +65,8 @@ int ext_prepare_rf(const im_prepare_request *request, char **real_rootfs)
return -1;
}
if (realpath(request->rootfs, real_path) == NULL) {
- SYSERROR("Failed to clean rootfs path '%s'", request->rootfs);
- isulad_set_error_message("Failed to clean rootfs path '%s': %s", request->rootfs, strerror(errno));
+ SYSERROR("Failed to clean rootfs path '%s'.", request->rootfs);
+ isulad_set_error_message("Failed to clean rootfs path '%s'.", request->rootfs);
return -1;
}
*real_rootfs = util_strdup_s(real_path);
diff --git a/src/daemon/modules/image/oci/oci_load.c b/src/daemon/modules/image/oci/oci_load.c
index d2efab81..5511a70c 100644
--- a/src/daemon/modules/image/oci/oci_load.c
+++ b/src/daemon/modules/image/oci/oci_load.c
@@ -1046,7 +1046,7 @@ static char *oci_load_path_create()
if (mkdtemp(tmp_dir) == NULL) {
SYSERROR("make temporary dir failed");
- isulad_try_set_error_message("make temporary dir failed: %s", strerror(errno));
+ isulad_try_set_error_message("make temporary dir failed");
ret = -1;
goto out;
}
diff --git a/src/daemon/modules/runtime/engines/lcr/lcr_rt_ops.c b/src/daemon/modules/runtime/engines/lcr/lcr_rt_ops.c
index e985cfc1..f61316d0 100644
--- a/src/daemon/modules/runtime/engines/lcr/lcr_rt_ops.c
+++ b/src/daemon/modules/runtime/engines/lcr/lcr_rt_ops.c
@@ -209,9 +209,8 @@ static int remove_container_rootpath(const char *id, const char *root_path)
}
ret = util_recursive_rmdir(cont_root_path, 0);
if (ret != 0) {
- const char *tmp_err = (errno != 0) ? strerror(errno) : "error";
SYSERROR("Failed to delete container's root directory %s.", cont_root_path);
- isulad_set_error_message("Failed to delete container's root directory %s: %s", cont_root_path, tmp_err);
+ isulad_set_error_message("Failed to delete container's root directory %s.", cont_root_path);
ret = -1;
goto out;
}
diff --git a/src/daemon/modules/service/service_container.c b/src/daemon/modules/service/service_container.c
index 483670de..370ba059 100644
--- a/src/daemon/modules/service/service_container.c
+++ b/src/daemon/modules/service/service_container.c
@@ -596,7 +596,7 @@ static int valid_mount_point(container_config_v2_common_config_mount_points_elem
if (lstat(mp->source, &st) != 0) {
SYSERROR("lstat %s failed", mp->source);
- isulad_set_error_message("lstat %s: %s", mp->source, strerror(errno));
+ isulad_set_error_message("lstat %s failed", mp->source);
return -1;
}
diff --git a/src/daemon/modules/spec/verify.c b/src/daemon/modules/spec/verify.c
index 6180b887..92029cbd 100644
--- a/src/daemon/modules/spec/verify.c
+++ b/src/daemon/modules/spec/verify.c
@@ -1536,7 +1536,7 @@ static int verify_custom_mount(defs_mount **mounts, size_t len)
if (!util_file_exists(iter->source) && util_mkdir_p(iter->source, mode)) {
#endif
SYSERROR("Failed to create directory '%s'", iter->source);
- isulad_try_set_error_message("Failed to create directory '%s': %s", iter->source, strerror(errno));
+ isulad_try_set_error_message("Failed to create directory '%s'", iter->source);
ret = -1;
goto out;
}
diff --git a/src/daemon/modules/volume/local.c b/src/daemon/modules/volume/local.c
index 7f95757d..6c3354dc 100644
--- a/src/daemon/modules/volume/local.c
+++ b/src/daemon/modules/volume/local.c
@@ -556,15 +556,15 @@ static int remove_volume_dir(char *path)
// remain untouched if we remove the data directory failed.
ret = util_recursive_rmdir(path, 0);
if (ret != 0) {
- SYSERROR("failed to remove volume data dir %s", path);
- isulad_try_set_error_message("failed to remove volume data dir %s: %s", path, strerror(errno));
+ SYSERROR("failed to remove volume data dir %s.", path);
+ isulad_try_set_error_message("failed to remove volume data dir %s.", path);
goto out;
}
ret = util_recursive_rmdir(vol_dir, 0);
if (ret != 0) {
- SYSERROR("failed to remove volume dir %s", vol_dir);
- isulad_try_set_error_message("failed to remove volume dir %s: %s", vol_dir, strerror(errno));
+ SYSERROR("failed to remove volume dir %s.", vol_dir);
+ isulad_try_set_error_message("failed to remove volume dir %s.", vol_dir);
goto out;
}
diff --git a/src/utils/tar/isulad_tar.c b/src/utils/tar/isulad_tar.c
index 7218cca8..bffbb43b 100644
--- a/src/utils/tar/isulad_tar.c
+++ b/src/utils/tar/isulad_tar.c
@@ -114,7 +114,7 @@ static int resolve_host_source_path(const char *path, bool follow_link, char **r
if (follow_link) {
if (realpath(path, real_path) == NULL) {
SYSERROR("Can not get real path of %s.", real_path);
- format_errorf(err, "Can not get real path of %s: %s", real_path, strerror(errno));
+ format_errorf(err, "Can not get real path of %s.", real_path);
return -1;
}
nret = get_rebase_name(path, real_path, resolved_path, rebase_name);
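Review bot: Both the SYSERROR and the rewritten `format_errorf` print `real_path` in the branch where realpath() has just failed, and the contents of the output buffer are unspecified in that case. The message returned to the user should name the input instead: `format_errorf(err, "Can not get real path of %s.", path);`, with the same argument in the SYSERROR call. The second realpath() failure branch in the next hunk already prints its input, `dirpath`. How `real_path` is initialised is not visible in this hunk.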
@@ -131,7 +131,7 @@ static int resolve_host_source_path(const char *path, bool follow_link, char **r
}
if (realpath(dirpath, real_path) == NULL) {
SYSERROR("Can not get real path of %s.", dirpath);
- format_errorf(err, "Can not get real path of %s: %s", dirpath, strerror(errno));
+ format_errorf(err, "Can not get real path of %s.", dirpath);
goto cleanup;
}
nret = snprintf(resolved, sizeof(resolved), "%s/%s", real_path, basepath);
@@ -192,7 +192,7 @@ struct archive_copy_info *copy_info_source_path(const char *path, bool follow_li
nret = lstat(resolved_path, &st);
if (nret < 0) {
SYSERROR("lstat %s failed", resolved_path);
- format_errorf(err, "lstat %s: %s", resolved_path, strerror(errno));
+ format_errorf(err, "lstat %s failed", resolved_path);
goto cleanup;
}
@@ -225,8 +225,8 @@ static int copy_info_destination_path_ret(struct archive_copy_info *info, struct
ret = (int)readlink(iter_path, target, PATH_MAX);
if (ret < 0) {
- SYSERROR("Failed to read link of %s", iter_path);
- format_errorf(err, "Failed to read link of %s: %s", iter_path, strerror(errno));
+ SYSERROR("Failed to read link of %s.", iter_path);
+ format_errorf(err, "Failed to read link of %s.", iter_path);
goto cleanup;
}
// is not absolutely path
@@ -258,8 +258,8 @@ static int copy_info_destination_path_ret(struct archive_copy_info *info, struct
if (ret != 0) {
char *dst_parent = NULL;
if (errno != ENOENT) {
- SYSERROR("Can not stat %s", iter_path);
- format_errorf(err, "Can not stat %s: %s", iter_path, strerror(errno));
+ SYSERROR("Can not stat %s.", iter_path);
+ format_errorf(err, "Can not stat %s.", iter_path);
goto cleanup;
}
@@ -429,7 +429,7 @@ static int tar_resource_rebase(const char *path, const char *rebase, const char
if (lstat(path, &st) < 0) {
SYSERROR("lstat %s failed", path);
- format_errorf(err, "lstat %s: %s", path, strerror(errno));
+ format_errorf(err, "lstat %s failed", path);
return -1;
}
if (util_split_path_dir_entry(path, &srcdir, &srcbase) < 0) {
diff --git a/src/utils/tar/util_archive.c b/src/utils/tar/util_archive.c
index f34572ae..82194654 100644
--- a/src/utils/tar/util_archive.c
+++ b/src/utils/tar/util_archive.c
@@ -257,8 +257,8 @@ static int do_safe_chroot(const char *dstdir)
prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
if (chroot(dstdir) != 0) {
- SYSERROR("Failed to chroot to %s", dstdir);
- fprintf(stderr, "Failed to chroot to %s: %s", dstdir, strerror(errno));
+ SYSERROR("Failed to chroot to %s.", dstdir);
+ fprintf(stderr, "Failed to chroot to %s.", dstdir);
return -1;
}
@@ -846,15 +846,15 @@ int archive_unpack(const struct io_read_wrapper *content, const char *dstdir, co
}
if (do_safe_chroot(safe_dir) != 0) {
- SYSERROR("Failed to chroot to %s", safe_dir);
- fprintf(stderr, "Failed to chroot to %s: %s", safe_dir, strerror(errno));
+ SYSERROR("Failed to chroot to %s.", safe_dir);
+ fprintf(stderr, "Failed to chroot to %s.", safe_dir);
ret = -1;
goto child_out;
}
if (chdir("/") != 0) {
SYSERROR("Failed to chroot to /");
- fprintf(stderr, "Failed to chroot to /: %s", strerror(errno));
+ fprintf(stderr, "Failed to chroot to /");
ret = -1;
goto child_out;
}
@@ -1253,7 +1253,7 @@ int archive_chroot_tar(const char *path, const char *file, const char *root_dir,
fd = open(file, TAR_DEFAULT_FLAG, TAR_DEFAULT_MODE);
if (fd < 0) {
SYSERROR("Failed to open file %s for export", file);
- fprintf(stderr, "Failed to open file %s for export: %s\n", file, strerror(errno));
+ fprintf(stderr, "Failed to open file %s for export\n", file);
ret = -1;
goto child_out;
}
--
2.40.1


@ -1,891 +0,0 @@
From 16a4b6f334e4e81615a71cf7930158fb1bee5a12 Mon Sep 17 00:00:00 2001
From: haozi007 <liuhao27@huawei.com>
Date: Wed, 6 Sep 2023 15:05:29 +0800
Subject: [PATCH 11/33] remove usage of strerror with user defined errno
Signed-off-by: haozi007 <liuhao27@huawei.com>
---
src/cmd/command_parser.c | 12 ++++++----
src/cmd/isula/base/create.c | 3 ++-
src/cmd/isula/isula_host_spec.c | 9 ++++---
src/cmd/isulad/main.c | 8 ++++---
src/cmd/options/opt_ulimit.c | 6 +++--
src/daemon/entry/cri/cni_network_plugin.cc | 9 ++++---
src/daemon/entry/cri/sysctl_tools.c | 14 +++++++----
.../v1/v1_cri_container_manager_service.cc | 4 ++--
.../v1/v1_cri_pod_sandbox_manager_service.cc | 3 ++-
src/daemon/executor/network_cb/network_cb.c | 6 +++--
src/daemon/modules/image/oci/oci_image.c | 6 +++--
.../oci/storage/image_store/image_store.c | 6 +++--
.../graphdriver/devmapper/deviceset.c | 19 +++++++++------
.../storage/layer_store/graphdriver/driver.c | 9 ++++---
.../graphdriver/overlay2/driver_overlay2.c | 17 ++++++++-----
.../oci/storage/layer_store/layer_store.c | 6 +++--
.../remote_layer_support/remote_support.c | 6 +++--
.../oci/storage/rootfs_store/rootfs_store.c | 6 +++--
.../modules/image/oci/storage/storage.c | 6 +++--
.../cni_operator/libcni/invoke/libcni_errno.c | 8 -------
.../cni_operator/libcni/invoke/libcni_errno.h | 2 --
.../cni_operator/libcni/libcni_cached.c | 3 ++-
.../modules/network/native/adaptor_native.c | 17 ++++++++-----
src/daemon/modules/plugin/plugin.c | 24 ++++++++++++-------
src/daemon/modules/service/service_network.c | 6 ++---
src/daemon/sandbox/sandbox.cc | 8 ++++---
src/utils/cutils/network_namespace.c | 3 ++-
src/utils/cutils/utils_file.c | 4 +++-
28 files changed, 144 insertions(+), 86 deletions(-)
diff --git a/src/cmd/command_parser.c b/src/cmd/command_parser.c
index ac353b40..1ad1d92b 100644
--- a/src/cmd/command_parser.c
+++ b/src/cmd/command_parser.c
@@ -546,7 +546,8 @@ int command_convert_u16(command_option_t *option, const char *arg)
}
ret = util_safe_u16(arg, option->data);
if (ret != 0) {
- COMMAND_ERROR("Invalid value \"%s\" for flag --%s: %s", arg, option->large, strerror(-ret));
+ errno = -ret;
+ CMD_SYSERROR("Invalid value \"%s\" for flag --%s", arg, option->large);
return EINVALIDARGS;
}
return 0;
@@ -561,7 +562,8 @@ int command_convert_llong(command_option_t *opt, const char *arg)
}
ret = util_safe_llong(arg, opt->data);
if (ret != 0) {
- COMMAND_ERROR("Invalid value \"%s\" for flag --%s: %s", arg, opt->large, strerror(-ret));
+ errno = -ret;
+ CMD_SYSERROR("Invalid value \"%s\" for flag --%s", arg, opt->large);
return EINVALIDARGS;
}
return 0;
@@ -575,7 +577,8 @@ int command_convert_uint(command_option_t *opt, const char *arg)
}
ret = util_safe_uint(arg, opt->data);
if (ret != 0) {
- COMMAND_ERROR("Invalid value \"%s\" for flag --%s: %s", arg, opt->large, strerror(-ret));
+ errno = -ret;
+ CMD_SYSERROR("Invalid value \"%s\" for flag --%s", arg, opt->large);
return EINVALIDARGS;
}
return 0;
@@ -590,7 +593,8 @@ int command_convert_int(command_option_t *option, const char *arg)
}
ret = util_safe_int(arg, option->data);
if (ret != 0) {
- COMMAND_ERROR("Invalid value \"%s\" for flag --%s: %s", arg, option->large, strerror(-ret));
+ errno = -ret;
+ CMD_SYSERROR("Invalid value \"%s\" for flag --%s", arg, option->large);
return EINVALIDARGS;
}
return 0;
diff --git a/src/cmd/isula/base/create.c b/src/cmd/isula/base/create.c
index aa90c5d6..cd0d4abd 100644
--- a/src/cmd/isula/base/create.c
+++ b/src/cmd/isula/base/create.c
@@ -2032,7 +2032,8 @@ static int create_check_hugetlbs(const struct client_arguments *args)
}
ret = util_parse_byte_size_string(limit, &limitvalue);
if (ret != 0) {
- COMMAND_ERROR("Invalid hugetlb limit:%s:%s", limit, strerror(-ret));
+ errno = -ret;
+ CMD_SYSERROR("Invalid hugetlb limit:%s", limit);
free(dup);
ret = -1;
goto out;
diff --git a/src/cmd/isula/isula_host_spec.c b/src/cmd/isula/isula_host_spec.c
index 9fa08bd2..6f39588d 100644
--- a/src/cmd/isula/isula_host_spec.c
+++ b/src/cmd/isula/isula_host_spec.c
@@ -66,7 +66,8 @@ static bool parse_restart_policy(const char *policy, host_config_restart_policy
}
nret = util_safe_int(dotpos, &(*rp)->maximum_retry_count);
if (nret != 0) {
- COMMAND_ERROR("Maximum retry count must be an integer: %s", strerror(-nret));
+ errno = -nret;
+ CMD_SYSERROR("Maximum retry count must be an integer");
goto cleanup;
}
}
@@ -724,7 +725,8 @@ static host_config_hugetlbs_element *pase_hugetlb_limit(const char *input)
ret = util_parse_byte_size_string(limit_value, &tconverted);
if (ret != 0 || tconverted < 0) {
- COMMAND_ERROR("Parse limit value: %s failed:%s", limit_value, strerror(-ret));
+ errno = -ret;
+ CMD_SYSERROR("Parse limit value: %s failed", limit_value);
goto free_out;
}
limit = (uint64_t)tconverted;
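Review bot: When this branch is taken because `tconverted < 0` while `ret` is 0, the added `errno = -ret;` sets errno to 0, so the system-error text that CMD_SYSERROR presumably appends will describe success next to a failure message. The same pattern is in the next hunk for `pagesize`, and in `handle_dm_min_free_space` in deviceset.c, where the condition is `ret != 0 || converted >= 100`. Using `errno = (ret != 0) ? -ret : EINVAL;` before the log call keeps the logged reason meaningful. The body of pase_hugetlb_limit starts and ends outside the hunk.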
@@ -733,7 +735,8 @@ static host_config_hugetlbs_element *pase_hugetlb_limit(const char *input)
tconverted = 0;
ret = util_parse_byte_size_string(pagesize, &tconverted);
if (ret != 0 || tconverted < 0) {
- COMMAND_ERROR("Parse pagesize error.Invalid hugepage size: %s: %s", pagesize, strerror(-ret));
+ errno = -ret;
+ CMD_SYSERROR("Parse pagesize error.Invalid hugepage size: %s", pagesize);
goto free_out;
}
page = (uint64_t)tconverted;
diff --git a/src/cmd/isulad/main.c b/src/cmd/isulad/main.c
index 39cde6aa..8369f9e2 100644
--- a/src/cmd/isulad/main.c
+++ b/src/cmd/isulad/main.c
@@ -632,8 +632,9 @@ static int parse_time_duration(const char *value, unsigned int *seconds)
*(num_str + len - 1) = '\0';
ret = util_safe_uint(num_str, &tmp);
if (ret < 0) {
- ERROR("Illegal unsigned integer: %s", num_str);
- COMMAND_ERROR("Illegal unsigned integer:%s:%s", num_str, strerror(-ret));
+ errno = -ret;
+ SYSERROR("Illegal unsigned integer: %s", num_str);
+ COMMAND_ERROR("Illegal unsigned integer:%s", num_str);
ret = -1;
goto out;
}
@@ -1407,7 +1408,8 @@ static int create_mount_flock_file(const struct service_arguments *args)
// recreate mount flock file
// and make file uid/gid and permission correct
if (!util_force_remove_file(cleanpath, &err)) {
- ERROR("Failed to delete %s, error: %s. Please delete %s manually.", path, strerror(err), path);
+ errno = err;
+ SYSERROR("Failed to delete %s. Please delete %s manually.", path, path);
return -1;
}
}
diff --git a/src/cmd/options/opt_ulimit.c b/src/cmd/options/opt_ulimit.c
index 55912a16..6853c0d9 100644
--- a/src/cmd/options/opt_ulimit.c
+++ b/src/cmd/options/opt_ulimit.c
@@ -63,7 +63,8 @@ static int parse_soft_hard_ulimit(const char *val, char **limitvals, size_t limi
// parse soft
ret = util_safe_llong(limitvals[0], &converted);
if (ret < 0) {
- COMMAND_ERROR("Invalid ulimit soft value: \"%s\", parse int64 failed: %s", val, strerror(-ret));
+ errno = -ret;
+ CMD_SYSERROR("Invalid ulimit soft value: \"%s\", parse int64 failed", val);
ret = -1;
goto out;
}
@@ -74,7 +75,8 @@ static int parse_soft_hard_ulimit(const char *val, char **limitvals, size_t limi
converted = 0;
ret = util_safe_llong(limitvals[1], &converted);
if (ret < 0) {
- COMMAND_ERROR("Invalid ulimit hard value: \"%s\", parse int64 failed: %s", val, strerror(-ret));
+ errno = -ret;
+ CMD_SYSERROR("Invalid ulimit hard value: \"%s\", parse int64 failed", val);
ret = -1;
goto out;
}
diff --git a/src/daemon/entry/cri/cni_network_plugin.cc b/src/daemon/entry/cri/cni_network_plugin.cc
index 1c7fea2e..c186d185 100644
--- a/src/daemon/entry/cri/cni_network_plugin.cc
+++ b/src/daemon/entry/cri/cni_network_plugin.cc
@@ -796,7 +796,8 @@ void CniNetworkPlugin::RLockNetworkMap(Errors &error)
int ret = pthread_rwlock_rdlock(&m_netsLock);
if (ret != 0) {
error.Errorf("Failed to get read lock");
- ERROR("Get read lock failed: %s", strerror(ret));
+ errno = ret;
+ SYSERROR("Get read lock failed");
}
}
@@ -805,7 +806,8 @@ void CniNetworkPlugin::WLockNetworkMap(Errors &error)
int ret = pthread_rwlock_wrlock(&m_netsLock);
if (ret != 0) {
error.Errorf("Failed to get write lock");
- ERROR("Get write lock failed: %s", strerror(ret));
+ errno = ret;
+ SYSERROR("Get write lock failed");
}
}
@@ -814,7 +816,8 @@ void CniNetworkPlugin::UnlockNetworkMap(Errors &error)
int ret = pthread_rwlock_unlock(&m_netsLock);
if (ret != 0) {
error.Errorf("Failed to unlock");
- ERROR("Unlock failed: %s", strerror(ret));
+ errno = ret;
+ SYSERROR("Unlock failed");
}
}
diff --git a/src/daemon/entry/cri/sysctl_tools.c b/src/daemon/entry/cri/sysctl_tools.c
index 847c36e9..ac4fb226 100644
--- a/src/daemon/entry/cri/sysctl_tools.c
+++ b/src/daemon/entry/cri/sysctl_tools.c
@@ -22,6 +22,8 @@
#include <unistd.h>
#include <limits.h>
+#include <isula_libutils/log.h>
+
#include "utils.h"
int get_sysctl(const char *sysctl, char **err)
@@ -41,14 +43,16 @@ int get_sysctl(const char *sysctl, char **err)
ret = -1;
fd = util_open(fullpath, O_RDONLY, 0);
if (fd < 0) {
- if (asprintf(err, "Open %s failed: %s", sysctl, strerror(errno)) < 0) {
+ SYSWARN("Open %s failed", sysctl);
+ if (asprintf(err, "Open %s failed", sysctl) < 0) {
*err = util_strdup_s("Out of memory");
}
goto free_out;
}
rsize = util_read_nointr(fd, buff, sizeof(buff) - 1);
if (rsize <= 0) {
- if (asprintf(err, "Read file failed: %s", strerror(errno)) < 0) {
+ SYSWARN("Read file: %s failed", sysctl);
+ if (asprintf(err, "Read file: %s failed", sysctl) < 0) {
*err = util_strdup_s("Out of memory");
}
goto free_out;
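Review bot: The `rsize <= 0` check in get_sysctl also covers a zero-byte read, where errno was presumably not set by the read, so the added `SYSWARN("Read file: %s failed", sysctl);` can log a stale errno left by an earlier call. Splitting the case avoids a misleading reason in the log: `if (rsize == 0) { WARN("Read file: %s returned no data", sysctl); } else { SYSWARN("Read file: %s failed", sysctl); }`. The `*err` string handed back to the caller no longer carries the reason at all, so a comment on get_sysctl and set_sysctl saying the cause is only in the daemon log would help whoever triages a CRI error. The function body starts and ends outside the hunk.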
@@ -93,14 +97,16 @@ int set_sysctl(const char *sysctl, int new_value, char **err)
ret = -1;
fd = util_open(fullpath, O_WRONLY, 0);
if (fd < 0) {
- if (asprintf(err, "Open %s failed: %s", sysctl, strerror(errno)) < 0) {
+ SYSWARN("Open %s failed", sysctl);
+ if (asprintf(err, "Open %s failed", sysctl) < 0) {
*err = util_strdup_s("Out of memory");
}
goto free_out;
}
rsize = util_write_nointr(fd, buff, strlen(buff));
if (rsize < 0 || (size_t)rsize != strlen(buff)) {
- if (asprintf(err, "Write new value failed: %s", strerror(errno)) < 0) {
+ SYSWARN("Write new value to %s failed", sysctl);
+ if (asprintf(err, "Write new value to %s failed", sysctl) < 0) {
*err = util_strdup_s("Out of memory");
}
goto free_out;
diff --git a/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc b/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc
index ecb7ffbd..daba21e4 100644
--- a/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc
+++ b/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc
@@ -497,8 +497,8 @@ void ContainerManagerService::CreateContainerLogSymlink(const std::string &conta
WARN("Deleted previously existing symlink file: %s", path);
}
if (symlink(realPath, path) != 0) {
- error.Errorf("failed to create symbolic link %s to the container log file %s for container %s: %s", path,
- realPath, containerID.c_str(), strerror(errno));
+ SYSERROR("failed to create symbolic link %s to the container log file %s for container %s", path, realPath, containerID.c_str());
+ error.Errorf("failed to create symbolic link %s to the container log file %s for container %s", path, realPath, containerID.c_str());
goto cleanup;
}
} else {
diff --git a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc
index d57338c8..41a02c54 100644
--- a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc
+++ b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc
@@ -429,7 +429,8 @@ void PodSandboxManagerService::ClearCniNetwork(const std::shared_ptr<sandbox::Sa
// umount netns when cni removed network successfully
if (remove_network_namespace(sandboxKey.c_str()) != 0) {
- error.Errorf("Failed to umount directory %s:%s", sandboxKey.c_str(), strerror(errno));
+ SYSERROR("Failed to umount directory %s", sandboxKey.c_str());
+ error.Errorf("Failed to umount directory %s", sandboxKey.c_str());
}
}
diff --git a/src/daemon/executor/network_cb/network_cb.c b/src/daemon/executor/network_cb/network_cb.c
index e4f9ce3f..d0f361d0 100644
--- a/src/daemon/executor/network_cb/network_cb.c
+++ b/src/daemon/executor/network_cb/network_cb.c
@@ -43,7 +43,8 @@ static inline bool network_conflist_lock(enum lock_type type)
nret = pthread_rwlock_wrlock(&g_network_rwlock);
}
if (nret != 0) {
- ERROR("Lock network list failed: %s", strerror(nret));
+ errno = nret;
+ SYSERROR("Lock network list failed");
return false;
}
@@ -56,7 +57,8 @@ static inline void network_conflist_unlock()
nret = pthread_rwlock_unlock(&g_network_rwlock);
if (nret != 0) {
- FATAL("Unlock network list failed: %s", strerror(nret));
+ errno = nret;
+ SYSERROR("Unlock network list failed");
}
}
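Review bot: The unlock-failure message in network_conflist_unlock was logged with `FATAL` and is now logged with `SYSERROR`, which looks like a severity downgrade bundled into the strerror clean-up. A failed pthread_rwlock_unlock may leave the lock held so that later lockers block, and alerting keyed on fatal-level entries would no longer fire for it. The same replacement appears in oci_remote_unlock, image_store_unlock, driver_unlock, layer_store_unlock, remote_refresh_unlock, rootfs_store_unlock, storage_unlock, native_store_unlock and native_network_unlock. If the downgrade is intended, state it in the commit message; otherwise keep a `FATAL("Unlock network list failed");` line after the `SYSERROR` call.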
diff --git a/src/daemon/modules/image/oci/oci_image.c b/src/daemon/modules/image/oci/oci_image.c
index 40e9a88f..4a48016b 100644
--- a/src/daemon/modules/image/oci/oci_image.c
+++ b/src/daemon/modules/image/oci/oci_image.c
@@ -59,7 +59,8 @@ static inline bool oci_remote_lock(pthread_rwlock_t *remote_lock, bool writable)
nret = pthread_rwlock_rdlock(remote_lock);
}
if (nret != 0) {
- ERROR("Lock memory store failed: %s", strerror(nret));
+ errno = nret;
+ SYSERROR("Lock memory store failed");
return false;
}
@@ -72,7 +73,8 @@ static inline void oci_remote_unlock(pthread_rwlock_t *remote_lock)
nret = pthread_rwlock_unlock(remote_lock);
if (nret != 0) {
- FATAL("Unlock memory store failed: %s", strerror(nret));
+ errno = nret;
+ SYSERROR("Unlock memory store failed");
}
}
#endif
diff --git a/src/daemon/modules/image/oci/storage/image_store/image_store.c b/src/daemon/modules/image/oci/storage/image_store/image_store.c
index e9adab1a..55e3bb97 100644
--- a/src/daemon/modules/image/oci/storage/image_store/image_store.c
+++ b/src/daemon/modules/image/oci/storage/image_store/image_store.c
@@ -94,7 +94,8 @@ static inline bool image_store_lock(enum lock_type type)
nret = pthread_rwlock_wrlock(&g_image_store->rwlock);
}
if (nret != 0) {
- ERROR("Lock memory store failed: %s", strerror(nret));
+ errno = nret;
+ SYSERROR("Lock memory store failed");
return false;
}
@@ -107,7 +108,8 @@ static inline void image_store_unlock()
nret = pthread_rwlock_unlock(&g_image_store->rwlock);
if (nret != 0) {
- FATAL("Unlock memory store failed: %s", strerror(nret));
+ errno = nret;
+ SYSERROR("Unlock memory store failed");
}
}
diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c
index 81e53ea7..4f19c26d 100644
--- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c
+++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c
@@ -107,8 +107,9 @@ static int handle_dm_min_free_space(char *val, struct device_set *devset)
int ret = util_parse_percent_string(val, &converted);
if (ret != 0 || converted >= 100) {
- ERROR("Invalid min free space: '%s': %s", val, strerror(-ret));
- isulad_set_error_message("Invalid min free space: '%s': %s", val, strerror(-ret));
+ errno = -ret;
+ SYSERROR("Invalid min free space: '%s'", val);
+ isulad_set_error_message("Invalid min free space: '%s'", val);
return -1;
}
devset->min_free_space_percent = (uint32_t)converted;
@@ -122,8 +123,9 @@ static int handle_dm_basesize(char *val, struct device_set *devset)
int ret = util_parse_byte_size_string(val, &converted);
if (ret != 0) {
- ERROR("Invalid size: '%s': %s", val, strerror(-ret));
- isulad_set_error_message("Invalid size: '%s': %s", val, strerror(-ret));
+ errno = -ret;
+ SYSERROR("Invalid size: '%s'", val);
+ isulad_set_error_message("Invalid size: '%s'", val);
return -1;
}
if (converted <= 0) {
@@ -2722,7 +2724,8 @@ static int determine_driver_capabilities(const char *version, struct device_set
ret = util_parse_byte_size_string(tmp_str[0], &major);
if (ret != 0) {
- ERROR("devmapper: invalid size: '%s': %s", tmp_str[0], strerror(-ret));
+ errno = -ret;
+ SYSERROR("devmapper: invalid size: '%s'", tmp_str[0]);
ret = -1;
goto out;
}
@@ -2742,7 +2745,8 @@ static int determine_driver_capabilities(const char *version, struct device_set
ret = util_parse_byte_size_string(tmp_str[1], &minor);
if (ret != 0) {
- ERROR("devmapper: invalid size: '%s': %s", tmp_str[1], strerror(-ret));
+ errno = -ret;
+ SYSERROR("devmapper: invalid size: '%s'", tmp_str[1]);
ret = -1;
goto out;
}
@@ -2915,7 +2919,8 @@ static int parse_storage_opt(const json_map_string_string *opts, uint64_t *size)
ret = util_parse_byte_size_string(opts->values[i], &converted);
if (ret != 0) {
- ERROR("Invalid size: '%s': %s", opts->values[i], strerror(-ret));
+ errno = -ret;
+ SYSERROR("Invalid size: '%s'", opts->values[i]);
ret = -1;
goto out;
}
diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/driver.c b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/driver.c
index b83c63b1..b1790af1 100644
--- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/driver.c
+++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/driver.c
@@ -86,7 +86,8 @@ static inline bool driver_rd_lock()
nret = pthread_rwlock_rdlock(&g_graphdriver->rwlock);
if (nret != 0) {
- ERROR("Lock driver memory store failed: %s", strerror(nret));
+ errno = nret;
+ SYSERROR("Lock driver memory store failed");
return false;
}
@@ -99,7 +100,8 @@ static inline bool driver_wr_lock()
nret = pthread_rwlock_wrlock(&g_graphdriver->rwlock);
if (nret != 0) {
- ERROR("Lock driver memory store failed: %s", strerror(nret));
+ errno = nret;
+ SYSERROR("Lock driver memory store failed");
return false;
}
@@ -112,7 +114,8 @@ static inline void driver_unlock()
nret = pthread_rwlock_unlock(&g_graphdriver->rwlock);
if (nret != 0) {
- FATAL("Unlock driver memory store failed: %s", strerror(nret));
+ errno = nret;
+ SYSERROR("Unlock driver memory store failed");
}
}
diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c
index b177f594..3b27076c 100644
--- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c
+++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c
@@ -134,7 +134,8 @@ static int overlay2_parse_options(struct graphdriver *driver, const char **optio
int64_t converted = 0;
ret = util_parse_byte_size_string(val, &converted);
if (ret != 0) {
- ERROR("Invalid size: '%s': %s", val, strerror(-ret));
+ errno = -ret;
+ SYSERROR("Invalid size: '%s'", val);
ret = -1;
goto out;
}
@@ -143,7 +144,8 @@ static int overlay2_parse_options(struct graphdriver *driver, const char **optio
int64_t converted = 0;
ret = util_parse_byte_size_string(val, &converted);
if (ret != 0) {
- ERROR("Invalid size: '%s': %s", val, strerror(-ret));
+ errno = -ret;
+ SYSERROR("Invalid size: '%s'", val);
ret = -1;
goto out;
}
@@ -152,7 +154,8 @@ static int overlay2_parse_options(struct graphdriver *driver, const char **optio
bool converted_bool = 0;
ret = util_str_to_bool(val, &converted_bool);
if (ret != 0) {
- ERROR("Invalid bool: '%s': %s", val, strerror(-ret));
+ errno = -ret;
+ SYSERROR("Invalid bool: '%s'", val);
ret = -1;
goto out;
}
@@ -161,7 +164,8 @@ static int overlay2_parse_options(struct graphdriver *driver, const char **optio
bool converted_bool = 0;
ret = util_str_to_bool(val, &converted_bool);
if (ret != 0) {
- ERROR("Invalid bool: '%s': %s", val, strerror(-ret));
+ errno = -ret;
+ SYSERROR("Invalid bool: '%s'", val);
ret = -1;
goto out;
}
@@ -830,8 +834,9 @@ static int set_layer_quota(const char *dir, const json_map_string_string *opts,
int64_t converted = 0;
ret = util_parse_byte_size_string(opts->values[i], &converted);
if (ret != 0) {
- ERROR("Invalid size: '%s': %s", opts->values[i], strerror(-ret));
- isulad_set_error_message("Invalid quota size: '%s': %s", opts->values[i], strerror(-ret));
+ errno = -ret;
+ SYSERROR("Invalid size: '%s'", opts->values[i]);
+ isulad_set_error_message("Invalid quota size: '%s'", opts->values[i]);
ret = -1;
goto out;
}
diff --git a/src/daemon/modules/image/oci/storage/layer_store/layer_store.c b/src/daemon/modules/image/oci/storage/layer_store/layer_store.c
index ddf3a62c..8d8384b8 100644
--- a/src/daemon/modules/image/oci/storage/layer_store/layer_store.c
+++ b/src/daemon/modules/image/oci/storage/layer_store/layer_store.c
@@ -98,7 +98,8 @@ static inline bool layer_store_lock(bool writable)
nret = pthread_rwlock_rdlock(&g_metadata.rwlock);
}
if (nret != 0) {
- ERROR("Lock memory store failed: %s", strerror(nret));
+ errno = nret;
+ SYSERROR("Lock memory store failed");
return false;
}
@@ -111,7 +112,8 @@ static inline void layer_store_unlock()
nret = pthread_rwlock_unlock(&g_metadata.rwlock);
if (nret != 0) {
- FATAL("Unlock memory store failed: %s", strerror(nret));
+ errno = nret;
+ SYSERROR("Unlock memory store failed");
}
}
diff --git a/src/daemon/modules/image/oci/storage/remote_layer_support/remote_support.c b/src/daemon/modules/image/oci/storage/remote_layer_support/remote_support.c
index 400678c4..1bac8dd5 100644
--- a/src/daemon/modules/image/oci/storage/remote_layer_support/remote_support.c
+++ b/src/daemon/modules/image/oci/storage/remote_layer_support/remote_support.c
@@ -39,7 +39,8 @@ static inline bool remote_refresh_lock(pthread_rwlock_t *remote_lock, bool writa
nret = pthread_rwlock_rdlock(remote_lock);
}
if (nret != 0) {
- ERROR("Lock memory store failed: %s", strerror(nret));
+ errno = nret;
+ SYSERROR("Lock memory store failed");
return false;
}
@@ -52,7 +53,8 @@ static inline void remote_refresh_unlock(pthread_rwlock_t *remote_lock)
nret = pthread_rwlock_unlock(remote_lock);
if (nret != 0) {
- FATAL("Unlock memory store failed: %s", strerror(nret));
+ errno = nret;
+ SYSERROR("Unlock memory store failed");
}
}
diff --git a/src/daemon/modules/image/oci/storage/rootfs_store/rootfs_store.c b/src/daemon/modules/image/oci/storage/rootfs_store/rootfs_store.c
index 1c5d2d84..ee1e15d0 100644
--- a/src/daemon/modules/image/oci/storage/rootfs_store/rootfs_store.c
+++ b/src/daemon/modules/image/oci/storage/rootfs_store/rootfs_store.c
@@ -69,7 +69,8 @@ static inline bool rootfs_store_lock(enum lock_type type)
}
if (nret != 0) {
- ERROR("Lock memory store failed: %s", strerror(nret));
+ errno = nret;
+ SYSERROR("Lock memory store failed");
return false;
}
@@ -82,7 +83,8 @@ static inline void rootfs_store_unlock()
nret = pthread_rwlock_unlock(&g_rootfs_store->rwlock);
if (nret != 0) {
- FATAL("Unlock memory store failed: %s", strerror(nret));
+ errno = nret;
+ SYSERROR("Unlock memory store failed");
}
}
diff --git a/src/daemon/modules/image/oci/storage/storage.c b/src/daemon/modules/image/oci/storage/storage.c
index d5e79207..aa442ecf 100644
--- a/src/daemon/modules/image/oci/storage/storage.c
+++ b/src/daemon/modules/image/oci/storage/storage.c
@@ -61,7 +61,8 @@ static inline bool storage_lock(pthread_rwlock_t *store_lock, bool writable)
nret = pthread_rwlock_rdlock(store_lock);
}
if (nret != 0) {
- ERROR("Lock memory store failed: %s", strerror(nret));
+ errno = nret;
+ SYSERROR("Lock memory store failed");
return false;
}
@@ -74,7 +75,8 @@ static inline void storage_unlock(pthread_rwlock_t *store_lock)
nret = pthread_rwlock_unlock(store_lock);
if (nret != 0) {
- FATAL("Unlock memory store failed: %s", strerror(nret));
+ errno = nret;
+ SYSERROR("Unlock memory store failed");
}
}
diff --git a/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_errno.c b/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_errno.c
index efdcfbc7..977f9fbb 100644
--- a/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_errno.c
+++ b/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_errno.c
@@ -30,14 +30,6 @@ const char * const g_INVOKE_ERR_MSGS[] = {
"Success"
};
-const char *get_invoke_err_msg(int errcode)
-{
- if (errcode > (int)INK_ERR_MIN && errcode <= (int)INK_ERR_SUCCESS) {
- return g_INVOKE_ERR_MSGS[errcode - (int)INK_ERR_MIN];
- }
- return strerror(errcode);
-}
-
const char * const g_CNI_WELL_KNOWN_ERR_MSGS[] = {
/* 0 */
"Success",
diff --git a/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_errno.h b/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_errno.h
index 9f63e5f5..236bc6ef 100644
--- a/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_errno.h
+++ b/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_errno.h
@@ -43,8 +43,6 @@ enum CNI_CUSTOM_ERROR {
CUSTOM_ERR_MAX, // max flag
};
-const char *get_invoke_err_msg(int errcode);
-
enum CNI_WELL_KNOW_ERROR {
CNI_ERR_UNKNOW = 0,
CNI_ERR_INCOMPATIBLE_CNI_VERSION,
diff --git a/src/daemon/modules/network/cni_operator/libcni/libcni_cached.c b/src/daemon/modules/network/cni_operator/libcni/libcni_cached.c
index 63ee6e10..17de527e 100644
--- a/src/daemon/modules/network/cni_operator/libcni/libcni_cached.c
+++ b/src/daemon/modules/network/cni_operator/libcni/libcni_cached.c
@@ -276,7 +276,8 @@ int cni_cache_delete(const char *cache_dir, const char *net_name, const struct r
}
if (!util_force_remove_file(file_path, &get_err)) {
- ERROR("Failed to delete %s, error: %s", file_path, strerror(get_err));
+ errno = get_err;
+ SYSERROR("Failed to delete %s.", file_path);
}
free(file_path);
diff --git a/src/daemon/modules/network/native/adaptor_native.c b/src/daemon/modules/network/native/adaptor_native.c
index 8bc386d1..8d403442 100644
--- a/src/daemon/modules/network/native/adaptor_native.c
+++ b/src/daemon/modules/network/native/adaptor_native.c
@@ -86,7 +86,8 @@ static inline bool native_store_lock(enum lock_type type)
nret = pthread_rwlock_wrlock(&g_store.rwlock);
}
if (nret != 0) {
- ERROR("Lock network list failed: %s", strerror(nret));
+ errno = nret;
+ SYSERROR("Lock network list failed");
return false;
}
@@ -99,7 +100,8 @@ static inline void native_store_unlock()
nret = pthread_rwlock_unlock(&g_store.rwlock);
if (nret != 0) {
- FATAL("Unlock network list failed: %s", strerror(nret));
+ errno = nret;
+ SYSERROR("Unlock network list failed");
}
}
@@ -113,7 +115,8 @@ static inline void native_network_lock(enum lock_type type, native_network *netw
nret = pthread_rwlock_wrlock(&network->rwlock);
}
if (nret != 0) {
- ERROR("Lock network list failed: %s", strerror(nret));
+ errno = nret;
+ SYSERROR("Lock network list failed");
}
}
@@ -123,7 +126,8 @@ static inline void native_network_unlock(native_network *network)
nret = pthread_rwlock_unlock(&network->rwlock);
if (nret != 0) {
- FATAL("Unlock network list failed: %s", strerror(nret));
+ errno = nret;
+ SYSERROR("Unlock network list failed");
}
}
@@ -1944,8 +1948,9 @@ int native_config_remove(const char *name, char **res_name)
WARN("Failed to get %s file path", network->conflist->list->name);
isulad_append_error_message("Failed to get %s file path. ", network->conflist->list->name);
} else if (!util_force_remove_file(path, &get_err)) {
- WARN("Failed to delete %s, error: %s", path, strerror(get_err));
- isulad_append_error_message("Failed to delete %s, error: %s. ", path, strerror(get_err));
+ errno = get_err;
+ SYSWARN("Failed to delete %s.", path);
+ isulad_append_error_message("Failed to delete %s.", path);
}
if (!map_remove(g_store.name_to_network, (void *)network->conflist->list->name)) {
diff --git a/src/daemon/modules/plugin/plugin.c b/src/daemon/modules/plugin/plugin.c
index b4d78dc9..c42cfd21 100644
--- a/src/daemon/modules/plugin/plugin.c
+++ b/src/daemon/modules/plugin/plugin.c
@@ -409,7 +409,8 @@ static void pm_rdlock(void)
errcode = pthread_rwlock_rdlock(&g_plugin_manager->pm_rwlock);
if (errcode != 0) {
- ERROR("Read lock failed: %s", strerror(errcode));
+ errno = errcode;
+ SYSERROR("Read lock failed");
}
}
@@ -419,7 +420,8 @@ static void pm_wrlock(void)
errcode = pthread_rwlock_wrlock(&g_plugin_manager->pm_rwlock);
if (errcode != 0) {
- ERROR("Write lock failed: %s", strerror(errcode));
+ errno = errcode;
+ SYSERROR("Write lock failed");
}
}
@@ -429,7 +431,8 @@ static void pm_unlock(void)
errcode = pthread_rwlock_unlock(&g_plugin_manager->pm_rwlock);
if (errcode != 0) {
- ERROR("Unlock failed: %s", strerror(errcode));
+ errno = errcode;
+ SYSERROR("Unlock failed");
}
}
@@ -659,7 +662,8 @@ static void *plugin_manager_routine(void *arg)
errcode = pthread_detach(pthread_self());
if (errcode != 0) {
- ERROR("Detach thread failed: %s", strerror(errcode));
+ errno = errcode;
+ SYSERROR("Detach thread failed");
return NULL;
}
if (pm_init() < 0) {
@@ -716,7 +720,8 @@ static void plugin_rdlock(plugin_t *plugin)
errcode = pthread_rwlock_rdlock(&plugin->lock);
if (errcode != 0) {
- ERROR("Plugin read lock failed: %s", strerror(errcode));
+ errno = errcode;
+ SYSERROR("Plugin read lock failed");
}
}
@@ -726,7 +731,8 @@ static void plugin_wrlock(plugin_t *plugin)
errcode = pthread_rwlock_wrlock(&plugin->lock);
if (errcode != 0) {
- ERROR("Plugin write lock failed: %s", strerror(errcode));
+ errno = errcode;
+ SYSERROR("Plugin write lock failed");
}
}
@@ -736,7 +742,8 @@ static void plugin_unlock(plugin_t *plugin)
errcode = pthread_rwlock_unlock(&plugin->lock);
if (errcode != 0) {
- ERROR("Plugin unlock failed: %s", strerror(errcode));
+ errno = errcode;
+ SYSERROR("Plugin unlock failed");
}
}
@@ -758,7 +765,8 @@ plugin_t *plugin_new(const char *name, const char *addr)
errcode = pthread_rwlock_init(&plugin->lock, NULL);
if (errcode != 0) {
- ERROR("Plugin init lock failed: %s", strerror(errcode));
+ errno = errcode;
+ SYSERROR("Plugin init lock failed");
goto bad;
}
plugin->name = util_strdup_s(name);
diff --git a/src/daemon/modules/service/service_network.c b/src/daemon/modules/service/service_network.c
index 5502bcbd..6754cf1a 100644
--- a/src/daemon/modules/service/service_network.c
+++ b/src/daemon/modules/service/service_network.c
@@ -962,7 +962,7 @@ static int do_update_internal_file(const char *id, const char *file_path,
ret = 0;
} else {
SYSERROR("Failed to write file %s", file_path);
- isulad_set_error_message("Failed to write file %s: %s", file_path, strerror(errno));
+ isulad_set_error_message("Failed to write file %s", file_path);
ret = -1;
}
@@ -1180,7 +1180,7 @@ static int do_drop_internal_file(const char *id, const char *file_path, const de
goto out;
} else {
SYSERROR("Failed to open %s", file_path);
- isulad_set_error_message("Failed to open %s: %s", file_path, strerror(errno));
+ isulad_set_error_message("Failed to open %s", file_path);
ret = -1;
goto out;
}
@@ -1213,7 +1213,7 @@ static int do_drop_internal_file(const char *id, const char *file_path, const de
ret = util_write_file(file_path, str, strlen(str), NETWORK_MOUNT_FILE_MODE);
if (ret != 0) {
SYSERROR("Failed to write file %s", file_path);
- isulad_set_error_message("Failed to write file %s: %s", file_path, strerror(errno));
+ isulad_set_error_message("Failed to write file %s", file_path);
goto out;
}
diff --git a/src/daemon/sandbox/sandbox.cc b/src/daemon/sandbox/sandbox.cc
index d3fc7eea..1723e95e 100644
--- a/src/daemon/sandbox/sandbox.cc
+++ b/src/daemon/sandbox/sandbox.cc
@@ -817,7 +817,8 @@ auto Sandbox::SaveState(Errors &error) -> bool
nret = util_atomic_write_file(path.c_str(), stateJson.c_str(), stateJson.length(), CONFIG_FILE_MODE, false);
if (nret != 0) {
- error.Errorf("Failed to write file %s: %s", path.c_str(), strerror(errno));
+ SYSERROR("Failed to write file %s");
+ error.Errorf("Failed to write file %s", path.c_str());
return false;
}
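Review bot: The added `SYSERROR("Failed to write file %s");` in Sandbox::SaveState has a `%s` conversion but passes no argument. The logger then reads a variadic argument that does not exist, which is undefined behaviour and can crash the daemon or write unrelated memory contents into the log on this error path. It should be `SYSERROR("Failed to write file %s", path.c_str());`, matching the SaveNetworkSetting and SaveMetadata hunks in this file. SaveState's body starts outside the hunk.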
@@ -834,7 +835,7 @@ auto Sandbox::SaveNetworkSetting(Errors &error) -> bool
false);
if (nret != 0) {
SYSERROR("Failed to write file %s", path.c_str());
- error.Errorf("Failed to write file %s: %s", path.c_str(), strerror(errno));
+ error.Errorf("Failed to write file %s", path.c_str());
return false;
}
@@ -877,7 +878,8 @@ auto Sandbox::SaveMetadata(Errors &error) -> bool
nret = util_atomic_write_file(path.c_str(), metadataJson.c_str(), metadataJson.length(), CONFIG_FILE_MODE, false);
if (nret != 0) {
- error.Errorf("Failed to write file %s: %s", path.c_str(), strerror(errno));
+ SYSERROR("Failed to write file %s", path.c_str());
+ error.Errorf("Failed to write file %s", path.c_str());
return false;
}
return true;
diff --git a/src/utils/cutils/network_namespace.c b/src/utils/cutils/network_namespace.c
index 0e225d9b..c9838104 100644
--- a/src/utils/cutils/network_namespace.c
+++ b/src/utils/cutils/network_namespace.c
@@ -231,7 +231,8 @@ int remove_network_namespace_file(const char *netns_path)
}
if (!util_force_remove_file(netns_path, &get_err)) {
- ERROR("Failed to remove file %s, error: %s", netns_path, strerror(get_err));
+ errno = get_err;
+ SYSERROR("Failed to remove file %s", netns_path);
return -1;
}
diff --git a/src/utils/cutils/utils_file.c b/src/utils/cutils/utils_file.c
index bc22ee95..1a148b0b 100644
--- a/src/utils/cutils/utils_file.c
+++ b/src/utils/cutils/utils_file.c
@@ -1061,7 +1061,9 @@ char *look_path(const char *file, char **err)
if (en == 0) {
return util_strdup_s(file);
}
- if (asprintf(err, "find exec %s : %s", file, strerror(en)) < 0) {
+ errno = en;
+ SYSERROR("find exec %s failed", file);
+ if (asprintf(err, "find exec %s failed", file) < 0) {
*err = util_strdup_s("Out of memory");
}
return NULL;
--
2.40.1


@ -0,0 +1,242 @@
From d37c0c7ded0e107167a98dc1eda2000142d274f0 Mon Sep 17 00:00:00 2001
From: zhongtao <zhongtao17@huawei.com>
Date: Tue, 7 Nov 2023 16:39:50 +0800
Subject: [PATCH 12/14] add runc attach implement unit test and ci test
Signed-off-by: zhongtao <zhongtao17@huawei.com>
---
CI/test_cases/container_cases/attach.sh | 153 ++++++++++++++++++++
CI/test_cases/container_cases/cri_stream.sh | 6 +-
test/cmd/isulad-shim/common/common_ut.cc | 42 ++++++
3 files changed, 197 insertions(+), 4 deletions(-)
create mode 100755 CI/test_cases/container_cases/attach.sh
diff --git a/CI/test_cases/container_cases/attach.sh b/CI/test_cases/container_cases/attach.sh
new file mode 100755
index 00000000..0d362757
--- /dev/null
+++ b/CI/test_cases/container_cases/attach.sh
@@ -0,0 +1,153 @@
+#!/bin/bash
+#
+# attributes: isula attach test
+# concurrent: NA
+# spend time: 5
+
+#######################################################################
+##- Copyright (c) Huawei Technologies Co., Ltd. 2023. All rights reserved.
+# - iSulad licensed under the Mulan PSL v2.
+# - You can use this software according to the terms and conditions of the Mulan PSL v2.
+# - You may obtain a copy of Mulan PSL v2 at:
+# - http://license.coscl.org.cn/MulanPSL2
+# - THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+# - IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+# - PURPOSE.
+# - See the Mulan PSL v2 for more details.
+##- @Description:CI
+##- @Author: zhongtao
+##- @Create: 2023-11-06
+#######################################################################
+
+declare -r curr_path=$(dirname $(readlink -f "$0"))
+source ../helpers.sh
+
+# $1 : retry limit
+# $2 : retry_interval
+# $3 : retry function
+function do_retry()
+{
+ for i in $(seq 1 "$1"); do
+ $3 $4 $5
+ if [ $? -ne 0 ]; then
+ return 0
+ fi
+ sleep $2
+ done
+ return 1
+}
+
+function get_ioCopy()
+{
+ ps -T -p $(cat /var/run/isulad.pid) | grep IoCopy
+ return $?
+}
+
+function inspect_container_status()
+{
+ [[ $(isula inspect -f '{{.State.Status}}' ${1}) != "${2}" ]]
+ return $?
+}
+
+function set_up()
+{
+ local ret=0
+ local runtime=$1
+
+ isula run -tid --name test --runtime $runtime busybox sh
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to run container with image: ${image}" && ((ret++))
+
+ msg_info "${test} finished with return ${ret}..."
+ return ${ret}
+}
+
+function test_attach_fun()
+{
+ local ret=0
+ local retry_limit=20
+ local retry_interval=1
+ container_name="test"
+ local test="test_attach_fun => (${FUNCNAME[@]})"
+
+ msg_info "${test} starting..."
+
+ expect <<-END
+spawn isula attach test
+send \n
+expect "*"
+sleep 1
+send "ls \r"
+expect "*"
+send "exit \r"
+expect "*"
+sleep 2
+expect eof
+END
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to attach container test" && ((ret++))
+
+ count=$(isula logs test | grep ls | wc -l)
+ [[ $count -ne 1 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to do attach" && ((ret++))
+
+ do_retry ${retry_limit} ${retry_interval} inspect_container_status ${container_name} exited
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - incorrent container status: not Exited" && ((ret++))
+
+ (isula attach test > /tmp/test_attach1.log 2>&1) &
+ sleep 2
+ cat /tmp/test_attach1.log | grep "You cannot attach to a stopped container, start it first"
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to do attach, except fail" && ((ret++))
+
+ rm -rf /tmp/test_attach1.log
+
+ do_retry ${retry_limit} ${retry_interval} get_ioCopy
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - residual IO copy thread in CRI exec operation" && ((ret++))
+
+ msg_info "${test} finished with return ${ret}..."
+ return ${ret}
+}
+
+function tear_down()
+{
+ local ret=0
+
+ isula rm -f test
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to rm container: test" && ((ret++))
+
+ return ${ret}
+}
+
+function do_test_t()
+{
+ local ret=0
+ local runtime=$1
+ local test="basic attach test => (${runtime})"
+ msg_info "${test} starting..."
+
+ set_up $runtime || ((ret++))
+
+ test_attach_fun || ((ret++))
+
+ tear_down || ((ret++))
+
+ msg_info "${test} finished with return ${ret}..."
+
+ return $ret
+}
+
+ret=0
+
+isula pull busybox
+[[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to pull image: ${image}" && return ${FAILURE}
+
+isula images | grep busybox
+[[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - missing list image: ${image}" && ((ret++))
+
+for element in ${RUNTIME_LIST[@]};
+do
+ do_test_t $element
+ if [ $? -ne 0 ];then
+ let "ret=$ret + 1"
+ fi
+done
+
+show_result $ret "basic attach"
+
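Review bot: In `test_attach_fun` the attach output goes to the fixed path `/tmp/test_attach1.log`, a predictable name in a world-writable directory; if the CI job runs as root, the redirect follows a symlink planted there in advance, and two runs on one host overwrite each other's log. Create the file with `local attach_log=$(mktemp)` and use `"${attach_log}"` for the redirect, the `grep` and the `rm -f`. The backgrounded `isula attach` subshell is never waited on, so a `wait` after the grep would keep it from outliving the test. At the top level the `isula pull` failure path uses `return ${FAILURE}`, which bash only allows inside a function or a sourced script, so `exit ${FAILURE}` looks intended if the file is executed directly. `${image}` in the error messages is never assigned in this file.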
diff --git a/CI/test_cases/container_cases/cri_stream.sh b/CI/test_cases/container_cases/cri_stream.sh
index 2360e240..43ed3891 100755
--- a/CI/test_cases/container_cases/cri_stream.sh
+++ b/CI/test_cases/container_cases/cri_stream.sh
@@ -187,10 +187,8 @@ function do_test_t()
test_cri_exec_fun || ((ret++))
test_cri_exec_abn || ((ret++))
- # runc attach not support
- if [ $runtime == "lcr" ]; then
- test_cri_attach || ((ret++))
- fi
+ test_cri_attach || ((ret++))
+
tear_down || ((ret++))
msg_info "${test} finished with return ${ret}..."
diff --git a/test/cmd/isulad-shim/common/common_ut.cc b/test/cmd/isulad-shim/common/common_ut.cc
index 63395232..fb60f628 100644
--- a/test/cmd/isulad-shim/common/common_ut.cc
+++ b/test/cmd/isulad-shim/common/common_ut.cc
@@ -87,3 +87,45 @@ TEST_F(CommonUnitTest, test_combined_output)
params[0] = non_cmd.c_str();
EXPECT_EQ(cmd_combined_output(non_cmd.c_str(), params, output, &output_len), -1);
}
+
+TEST_F(CommonUnitTest, test_get_attach_fifo_item)
+{
+ struct isula_linked_list *attach_fifos = NULL;
+ attach_fifos = (struct isula_linked_list *)isula_common_calloc_s(sizeof(struct isula_linked_list));
+ ASSERT_TRUE(attach_fifos != nullptr);
+
+ isula_linked_list_init(attach_fifos);
+
+ EXPECT_EQ(get_attach_fifo_item(4, attach_fifos), nullptr);
+ EXPECT_EQ(get_attach_fifo_item(-1, attach_fifos), nullptr);
+ EXPECT_EQ(get_attach_fifo_item(4, NULL), nullptr);
+
+ struct shim_fifos_fd fifos1 = {
+ .in_fd = 1,
+ .out_fd = 2,
+ .err_fd = 3,
+ };
+ struct shim_fifos_fd fifos2 = {
+ .in_fd = 4,
+ .out_fd = 5,
+ .err_fd = 6,
+ };
+ struct isula_linked_list *node1 = NULL;
+ struct isula_linked_list *node2 = NULL;
+ node1 = (struct isula_linked_list *)isula_common_calloc_s(sizeof(struct isula_linked_list));
+ ASSERT_TRUE(node1 != nullptr);
+ node1->elem = &fifos1;
+ isula_linked_list_add(attach_fifos, node1);
+
+ node2 = (struct isula_linked_list *)isula_common_calloc_s(sizeof(struct isula_linked_list));
+ ASSERT_TRUE(node2 != nullptr);
+ node2->elem = &fifos2;
+ isula_linked_list_add(attach_fifos, node2);
+
+ EXPECT_EQ(get_attach_fifo_item(1, attach_fifos), node1);
+ EXPECT_EQ(get_attach_fifo_item(4, attach_fifos), node2);
+
+ free(node1);
+ free(node2);
+ free(attach_fifos);
+}
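Review bot: `test_get_attach_fifo_item` only exercises the not-found path on an empty list; adding `EXPECT_EQ(get_attach_fifo_item(7, attach_fifos), nullptr);` after the two positive lookups would cover a miss on a populated list. The three allocations are released with plain `free` at the end of the body, so a failing `ASSERT_TRUE` in between returns early and leaks them, which is harmless for the result but shows up under a sanitizer build. The `.in_fd = 1` designated initializers are standard only from C++20 and a compiler extension before that, which deserves a short comment if the test tree is built with an older `-std`.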
--
2.42.0


@ -1,71 +0,0 @@
From ec04faff6fba052b5bb4ed0b090ae441f888ce5c Mon Sep 17 00:00:00 2001
From: haozi007 <liuhao27@huawei.com>
Date: Wed, 6 Sep 2023 16:31:19 +0800
Subject: [PATCH 12/33] use gmtime_r to replace gmtime
Signed-off-by: haozi007 <liuhao27@huawei.com>
---
src/utils/cutils/utils_timestamp.c | 14 ++++++--------
1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/src/utils/cutils/utils_timestamp.c b/src/utils/cutils/utils_timestamp.c
index fee66ea8..8ae9e42a 100644
--- a/src/utils/cutils/utils_timestamp.c
+++ b/src/utils/cutils/utils_timestamp.c
@@ -652,9 +652,9 @@ int64_t util_time_seconds_since(const char *in)
int32_t nanos = 0;
int64_t result = 0;
struct tm tm = { 0 };
- struct tm *currentm = NULL;
struct types_timezone tz = { 0 };
time_t currentime;
+ struct tm result_time = { 0 };
if (in == NULL || !strcmp(in, defaultContainerTime) || !strcmp(in, "-")) {
return 0;
@@ -666,13 +666,12 @@ int64_t util_time_seconds_since(const char *in)
}
time(&currentime);
- currentm = gmtime(&currentime);
- if (currentm == NULL) {
+ if (gmtime_r(&currentime, &result_time) == NULL) {
ERROR("Get time error");
return 0;
}
- result = get_minmus_time(currentm, &tm);
+ result = get_minmus_time(&result_time, &tm);
result = result + (int64_t)tz.hour * 3600 + (int64_t)tz.min * 60;
if (result > 0) {
@@ -871,9 +870,9 @@ int util_time_format_duration(const char *in, char *out, size_t len)
int32_t nanos = 0;
int64_t result = 0;
struct tm tm = { 0 };
- struct tm *currentm = NULL;
struct types_timezone tz = { 0 };
time_t currentime = { 0 };
+ struct tm result_time = { 0 };
if (out == NULL) {
return -1;
@@ -888,13 +887,12 @@ int util_time_format_duration(const char *in, char *out, size_t len)
}
time(&currentime);
- currentm = gmtime(&currentime);
- if (currentm == NULL) {
+ if (gmtime_r(&currentime, &result_time) == NULL) {
ERROR("Get time error");
return -1;
}
- result = get_minmus_time(currentm, &tm);
+ result = get_minmus_time(&result_time, &tm);
result = result + (int64_t)tz.hour * 3600 + (int64_t)tz.min * 60;
if (result < 0 || !time_human_duration(result, out, len)) {
--
2.40.1


@ -1,72 +0,0 @@
From a446152d676cf5616784e3f8f80dea8fd2ac221a Mon Sep 17 00:00:00 2001
From: haozi007 <liuhao27@huawei.com>
Date: Thu, 7 Sep 2023 14:34:01 +0800
Subject: [PATCH 13/33] improve report error message of client
Signed-off-by: haozi007 <liuhao27@huawei.com>
---
src/daemon/executor/container_cb/execution_stream.c | 4 ++--
src/daemon/modules/service/service_container.c | 2 +-
src/utils/tar/isulad_tar.c | 4 ++--
3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/daemon/executor/container_cb/execution_stream.c b/src/daemon/executor/container_cb/execution_stream.c
index aae9c234..7db96b19 100644
--- a/src/daemon/executor/container_cb/execution_stream.c
+++ b/src/daemon/executor/container_cb/execution_stream.c
@@ -536,7 +536,7 @@ static container_path_stat *do_container_stat_path(const char *rootpath, const c
nret = lstat(resolvedpath, &st);
if (nret < 0) {
SYSERROR("lstat %s failed.", resolvedpath);
- isulad_set_error_message("lstat %s failed.", resolvedpath);
+ isulad_set_error_message("Check %s failed, get more information from log.", resolvedpath);
goto cleanup;
}
@@ -922,7 +922,7 @@ static int copy_to_container_check_path_valid(const container_t *cont, const cha
nret = lstat(resolvedpath, &st);
if (nret < 0) {
SYSERROR("lstat %s failed", resolvedpath);
- isulad_set_error_message("lstat %s failed", resolvedpath);
+ isulad_set_error_message("Check %s failed, get more information from log.", resolvedpath);
goto cleanup;
}
diff --git a/src/daemon/modules/service/service_container.c b/src/daemon/modules/service/service_container.c
index 370ba059..83d82201 100644
--- a/src/daemon/modules/service/service_container.c
+++ b/src/daemon/modules/service/service_container.c
@@ -596,7 +596,7 @@ static int valid_mount_point(container_config_v2_common_config_mount_points_elem
if (lstat(mp->source, &st) != 0) {
SYSERROR("lstat %s failed", mp->source);
- isulad_set_error_message("lstat %s failed", mp->source);
+ isulad_set_error_message("Check %s failed, get more information from log.", mp->source);
return -1;
}
diff --git a/src/utils/tar/isulad_tar.c b/src/utils/tar/isulad_tar.c
index bffbb43b..2e61d823 100644
--- a/src/utils/tar/isulad_tar.c
+++ b/src/utils/tar/isulad_tar.c
@@ -192,7 +192,7 @@ struct archive_copy_info *copy_info_source_path(const char *path, bool follow_li
nret = lstat(resolved_path, &st);
if (nret < 0) {
SYSERROR("lstat %s failed", resolved_path);
- format_errorf(err, "lstat %s failed", resolved_path);
+ format_errorf(err, "Check %s failed, get more information from log.", resolved_path);
goto cleanup;
}
@@ -429,7 +429,7 @@ static int tar_resource_rebase(const char *path, const char *rebase, const char
if (lstat(path, &st) < 0) {
SYSERROR("lstat %s failed", path);
- format_errorf(err, "lstat %s failed", path);
+ format_errorf(err, "Check %s failed, get more information from log.", path);
return -1;
}
if (util_split_path_dir_entry(path, &srcdir, &srcbase) < 0) {
--
2.40.1


@ -0,0 +1,26 @@
From f4ea9145cea40cb97a86cd5eb91e1726cf48dd0d Mon Sep 17 00:00:00 2001
From: haozi007 <liuhao27@huawei.com>
Date: Tue, 14 Nov 2023 09:17:05 +0800
Subject: [PATCH 13/14] support gcov of CI
Signed-off-by: haozi007 <liuhao27@huawei.com>
---
CI/dockerfiles/Dockerfile-fedora | 2 ++
1 file changed, 2 insertions(+)
diff --git a/CI/dockerfiles/Dockerfile-fedora b/CI/dockerfiles/Dockerfile-fedora
index c30a3d0b..bef44377 100644
--- a/CI/dockerfiles/Dockerfile-fedora
+++ b/CI/dockerfiles/Dockerfile-fedora
@@ -115,6 +115,8 @@ RUN echo "[source.crates-io]" >> ${HOME}/.cargo/config && \
echo "[source.local-registry]" >> ${HOME}/.cargo/config && \
echo "directory = \"vendor\"" >> ${HOME}/.cargo/config
+RUN dnf install -y lcov && dnf clean all
+
# install libevhtp
RUN export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:$PKG_CONFIG_PATH && \
set -x && \
--
2.42.0


@ -1,43 +0,0 @@
From aba6d26fe34b3bea5964bca25f081a240312f08b Mon Sep 17 00:00:00 2001
From: haozi007 <liuhao27@huawei.com>
Date: Thu, 7 Sep 2023 14:41:48 +0800
Subject: [PATCH 14/33] adapt new error message for isula cp
Signed-off-by: haozi007 <liuhao27@huawei.com>
---
CI/test_cases/container_cases/cp.sh | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/CI/test_cases/container_cases/cp.sh b/CI/test_cases/container_cases/cp.sh
index 7bec9170..e60ccbc2 100755
--- a/CI/test_cases/container_cases/cp.sh
+++ b/CI/test_cases/container_cases/cp.sh
@@ -57,10 +57,10 @@ test_cp_file_from_container()
fi
rm -rf $dstfile
- isula cp $containername:/etc/../etc/passwd/ $cpfiles 2>&1 | grep "Not a directory"
+ isula cp $containername:/etc/../etc/passwd/ $cpfiles 2>&1 | grep "get more information from log"
[[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to do copy" && ((ret++))
- isula cp $containername:/etc/nonexists $cpfiles 2>&1 | grep "No such file or directory"
+ isula cp $containername:/etc/nonexists $cpfiles 2>&1 | grep "get more information from log"
[[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to do copy" && ((ret++))
dstfile=$cpfiles/etc
@@ -146,10 +146,10 @@ test_cp_file_to_container()
isula cp /etc/passwd $containername:$cpfiles/nonexists/ 2>&1 | grep "no such directory"
[[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to do copy" && ((ret++))
- isula cp /etc/passwd $containername:$cpfiles/nonexists/nonexists 2>&1 | grep "No such file or directory"
+ isula cp /etc/passwd $containername:$cpfiles/nonexists/nonexists 2>&1 | grep "get more information from log"
[[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to do copy" && ((ret++))
- isula cp /etc/nonexists $containername:$cpfiles 2>&1 | grep "No such file or directory"
+ isula cp /etc/nonexists $containername:$cpfiles 2>&1 | grep "get more information from log"
[[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to do copy" && ((ret++))
rm -rf $dstfile
--
2.40.1


@ -0,0 +1,163 @@
From 2bf2acb51aec12e734c970b02cd7802f088a2222 Mon Sep 17 00:00:00 2001
From: haozi007 <liuhao27@huawei.com>
Date: Tue, 14 Nov 2023 10:29:34 +0800
Subject: [PATCH 14/14] compatibility for manage pods which created by old
iSulad
Signed-off-by: haozi007 <liuhao27@huawei.com>
---
.../cri_pod_sandbox_manager_service.cc | 12 +++-
src/daemon/entry/cri/v1alpha/naming.cc | 72 ++++++++++++++++---
src/daemon/entry/cri/v1alpha/naming.h | 2 +-
3 files changed, 72 insertions(+), 14 deletions(-)
diff --git a/src/daemon/entry/cri/v1alpha/cri_pod_sandbox_manager_service.cc b/src/daemon/entry/cri/v1alpha/cri_pod_sandbox_manager_service.cc
index 6e8f40b9..8533bb8c 100644
--- a/src/daemon/entry/cri/v1alpha/cri_pod_sandbox_manager_service.cc
+++ b/src/daemon/entry/cri/v1alpha/cri_pod_sandbox_manager_service.cc
@@ -1153,7 +1153,11 @@ void PodSandboxManagerService::PodSandboxStatusToGRPC(const container_inspect *i
CRIHelpers::ExtractLabels(inspect->config->labels, *podStatus->mutable_labels());
CRIHelpers::ExtractAnnotations(inspect->config->annotations, *podStatus->mutable_annotations());
- CRINaming::ParseSandboxName(podStatus->annotations(), *podStatus->mutable_metadata(), error);
+ std::string name;
+ if (inspect->name != nullptr) {
+ name = std::string(inspect->name);
+ }
+ CRINaming::ParseSandboxName(name, podStatus->annotations(), *podStatus->mutable_metadata(), error);
if (error.NotEmpty()) {
return;
}
@@ -1266,7 +1270,11 @@ void PodSandboxManagerService::ListPodSandboxToGRPC(container_list_response *res
CRIHelpers::ExtractAnnotations(response->containers[i]->annotations, *pod->mutable_annotations());
- CRINaming::ParseSandboxName(pod->annotations(), *pod->mutable_metadata(), error);
+ std::string name;
+ if (response->containers[i]->name != nullptr) {
+ name = std::string(response->containers[i]->name);
+ }
+ CRINaming::ParseSandboxName(name, pod->annotations(), *pod->mutable_metadata(), error);
if (filterOutReadySandboxes && pod->state() == runtime::v1alpha2::SANDBOX_READY) {
continue;
diff --git a/src/daemon/entry/cri/v1alpha/naming.cc b/src/daemon/entry/cri/v1alpha/naming.cc
index abb6e57d..de47a97d 100644
--- a/src/daemon/entry/cri/v1alpha/naming.cc
+++ b/src/daemon/entry/cri/v1alpha/naming.cc
@@ -26,6 +26,38 @@
#include "utils.h"
namespace CRINaming {
+// default sandbox name create by MakeSandboxName();
+// format is 'k8s_containername_metadataname_namespace_uid_attempt'
+static int parseName(const std::string &name, std::vector<std::string> &items, unsigned int &attempt, Errors &err)
+{
+ std::istringstream f(name);
+ std::string part;
+
+ while (getline(f, part, CRI::Constants::nameDelimiterChar)) {
+ items.push_back(part);
+ }
+
+ // format: k8s_containername_metadataname_namespace_uid_attempt
+ // so split name by '_', length of result array must be 6
+ if (items.size() != 6) {
+ err.Errorf("failed to parse the sandbox name: %s", name.c_str());
+ return -1;
+ }
+
+ if (items[0] != CRI::Constants::kubePrefix) {
+ err.Errorf("container is not managed by kubernetes: %s", name.c_str());
+ return -1;
+ }
+
+ // last item index is 5, and must be attempt
+ if (util_safe_uint(items[5].c_str(), &attempt)) {
+ err.Errorf("failed to parse the sandbox name %s: %s", name.c_str(), strerror(errno));
+ return -1;
+ }
+
+ return 0;
+}
+
std::string MakeSandboxName(const runtime::v1alpha2::PodSandboxMetadata &metadata)
{
std::string sname;
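Review bot: In `parseName`, the failure branch for `util_safe_uint` formats `strerror(errno)` but discards the helper's return value. If the helper reports the cause through its return code rather than by leaving `errno` set (its body is not visible here), the message can print an unrelated or "Success" string. Keeping the result, e.g. `int nret = util_safe_uint(items[5].c_str(), &attempt);`, and formatting the cause from `nret` would make the message reliable; confirm the helper's sign convention first. `items` is appended to without being cleared, so the `items.size() != 6` check depends on the caller passing an empty vector, and a one-line comment such as `// items must be empty on entry` would record that.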
@@ -44,9 +76,12 @@ std::string MakeSandboxName(const runtime::v1alpha2::PodSandboxMetadata &metadat
return sname;
}
-void ParseSandboxName(const google::protobuf::Map<std::string, std::string> &annotations,
+void ParseSandboxName(const std::string &name, const google::protobuf::Map<std::string, std::string> &annotations,
runtime::v1alpha2::PodSandboxMetadata &metadata, Errors &err)
{
+ // need check uid and attemp 2 items
+ int needSetUidAndAttemp = 2;
+
if (annotations.count(CRIHelpers::Constants::SANDBOX_NAME_ANNOTATION_KEY) == 0) {
err.Errorf("annotation don't contains the sandbox name, failed to parse it");
return;
@@ -57,21 +92,36 @@ void ParseSandboxName(const google::protobuf::Map<std::string, std::string> &ann
return;
}
- if (annotations.count(CRIHelpers::Constants::SANDBOX_UID_ANNOTATION_KEY) == 0) {
- err.Errorf("annotation don't contains the sandbox uid, failed to parse it");
- return;
+ metadata.set_name(annotations.at(CRIHelpers::Constants::SANDBOX_NAME_ANNOTATION_KEY));
+ metadata.set_namespace_(annotations.at(CRIHelpers::Constants::SANDBOX_NAMESPACE_ANNOTATION_KEY));
+
+ if (annotations.count(CRIHelpers::Constants::SANDBOX_UID_ANNOTATION_KEY) != 0) {
+ metadata.set_uid(annotations.at(CRIHelpers::Constants::SANDBOX_UID_ANNOTATION_KEY));
+ needSetUidAndAttemp--;
+ }
+
+ if (annotations.count(CRIHelpers::Constants::SANDBOX_ATTEMPT_ANNOTATION_KEY) != 0) {
+ auto sandboxAttempt = annotations.at(CRIHelpers::Constants::SANDBOX_ATTEMPT_ANNOTATION_KEY);
+ metadata.set_attempt(static_cast<google::protobuf::uint32>(std::stoul(sandboxAttempt)));
+ needSetUidAndAttemp--;
}
- if (annotations.count(CRIHelpers::Constants::SANDBOX_ATTEMPT_ANNOTATION_KEY) == 0) {
- err.Errorf("annotation don't contains the sandbox attempt, failed to parse it");
+ if (needSetUidAndAttemp == 0) {
return;
}
- metadata.set_name(annotations.at(CRIHelpers::Constants::SANDBOX_NAME_ANNOTATION_KEY));
- metadata.set_namespace_(annotations.at(CRIHelpers::Constants::SANDBOX_NAMESPACE_ANNOTATION_KEY));
- metadata.set_uid(annotations.at(CRIHelpers::Constants::SANDBOX_UID_ANNOTATION_KEY));
- auto sandboxAttempt = annotations.at(CRIHelpers::Constants::SANDBOX_ATTEMPT_ANNOTATION_KEY);
- metadata.set_attempt(static_cast<google::protobuf::uint32>(std::stoul(sandboxAttempt)));
+ // get uid and attempt from name,
+ // compatibility to new iSulad manage pods created by old version iSulad
+ // maybe should remove in next version of iSulad
+ std::vector<std::string> items;
+ unsigned int attempt;
+
+ if (parseName(name, items, attempt, err) != 0) {
+ return;
+ }
+ // index 4 in split array, must be uid
+ metadata.set_uid(items[4]);
+ metadata.set_attempt(static_cast<google::protobuf::uint32>(attempt));
}
std::string MakeContainerName(const runtime::v1alpha2::PodSandboxConfig &s, const runtime::v1alpha2::ContainerConfig &c)
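Review bot: The annotation branch of `ParseSandboxName` still converts the attempt with `std::stoul(sandboxAttempt)`, which throws `std::invalid_argument` or `std::out_of_range` on a malformed value, while the new name-based fallback goes through `util_safe_uint` and reports through `err`. The annotations appear to be read back from stored container state, so a corrupted or hand-edited value would raise an exception in the CRI path instead of setting `err`, unless a caller outside this hunk catches it. Parsing it the same way, `if (util_safe_uint(sandboxAttempt.c_str(), &attempt) != 0) { err.Errorf(...); return; }`, would keep both paths consistent. When only one of the uid/attempt annotations is present, the fallback also overwrites the value already taken from the annotation with the one parsed from the name; if that is intended, a comment should say so. The function body starts outside this hunk.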
diff --git a/src/daemon/entry/cri/v1alpha/naming.h b/src/daemon/entry/cri/v1alpha/naming.h
index 7eab41d3..f2d51a98 100644
--- a/src/daemon/entry/cri/v1alpha/naming.h
+++ b/src/daemon/entry/cri/v1alpha/naming.h
@@ -26,7 +26,7 @@ std::string MakeSandboxName(const runtime::v1alpha2::PodSandboxMetadata &metadat
std::string MakeContainerName(const runtime::v1alpha2::PodSandboxConfig &s,
const runtime::v1alpha2::ContainerConfig &c);
-void ParseSandboxName(const google::protobuf::Map<std::string, std::string> &annotations,
+void ParseSandboxName(const std::string &name, const google::protobuf::Map<std::string, std::string> &annotations,
runtime::v1alpha2::PodSandboxMetadata &metadata, Errors &err);
void ParseContainerName(const google::protobuf::Map<std::string, std::string> &annotations,
--
2.42.0


@ -1,58 +0,0 @@
From dcceff17d6c2e1c97cb18c65260edfd2d6a3a60a Mon Sep 17 00:00:00 2001
From: xuxuepeng <xuxuepeng1@huawei.com>
Date: Tue, 12 Sep 2023 03:20:33 +0000
Subject: [PATCH 15/33] !2182 Add mutex for container list in sandbox * Add
mutex for container list in sandbox
---
src/daemon/sandbox/sandbox.cc | 4 ++++
src/daemon/sandbox/sandbox.h | 1 +
2 files changed, 5 insertions(+)
diff --git a/src/daemon/sandbox/sandbox.cc b/src/daemon/sandbox/sandbox.cc
index 1723e95e..f391e809 100644
--- a/src/daemon/sandbox/sandbox.cc
+++ b/src/daemon/sandbox/sandbox.cc
@@ -131,6 +131,7 @@ auto Sandbox::GetRuntimeHandle() const -> const std::string &
auto Sandbox::GetContainers() -> std::vector<std::string>
{
+ ReadGuard<RWMutex> lock(m_containersMutex);
return m_containers;
}
@@ -394,16 +395,19 @@ void Sandbox::RemoveLabels(const std::string &key)
void Sandbox::AddContainer(const std::string &id)
{
+ WriteGuard<RWMutex> lock(m_containersMutex);
m_containers.push_back(id);
}
void Sandbox::SetConatiners(const std::vector<std::string> &cons)
{
+ WriteGuard<RWMutex> lock(m_containersMutex);
m_containers = cons;
}
void Sandbox::RemoveContainer(const std::string &id)
{
+ WriteGuard<RWMutex> lock(m_containersMutex);
auto it = std::find(m_containers.begin(), m_containers.end(), id);
if (it != m_containers.end()) {
m_containers.erase(it);
diff --git a/src/daemon/sandbox/sandbox.h b/src/daemon/sandbox/sandbox.h
index 0f135e70..89350131 100644
--- a/src/daemon/sandbox/sandbox.h
+++ b/src/daemon/sandbox/sandbox.h
@@ -200,6 +200,7 @@ private:
std::string m_networkSettings;
// container id lists
std::vector<std::string> m_containers;
+ RWMutex m_containersMutex;
// TOOD: m_sandboxConfig is a protobuf message, it can be converted to json string directly
// if save json string directly for sandbox recover, we need to consider hot
// upgrade between different CRI versions
--
2.40.1


@ -0,0 +1,33 @@
From ba0460408ab6118e1ecf3dda242af1d4b0980777 Mon Sep 17 00:00:00 2001
From: xuxuepeng <xuxuepeng1@huawei.com>
Date: Tue, 14 Nov 2023 14:00:31 +0000
Subject: [PATCH 15/16] !2250 Remove PERFMON, BPF, CHECKPOINT_RESTORE Merge
pull request !2250 from xuxuepeng/master
---
src/utils/cutils/utils_cap.c | 9 ---------
1 file changed, 9 deletions(-)
diff --git a/src/utils/cutils/utils_cap.c b/src/utils/cutils/utils_cap.c
index 6473df45..8c9cfafa 100644
--- a/src/utils/cutils/utils_cap.c
+++ b/src/utils/cutils/utils_cap.c
@@ -74,15 +74,6 @@ const char *g_all_caps[] = {
#ifdef CAP_AUDIT_READ
"CAP_AUDIT_READ",
#endif
-#ifdef CAP_PERFMON
- "CAP_PERFMON",
-#endif
-#ifdef CAP_BPF
- "CAP_BPF",
-#endif
-#ifdef CAP_CHECKPOINT_RESTORE
- "CAP_CHECKPOINT_RESTORE",
-#endif
};
static inline size_t util_get_all_caps_len()
--
2.42.0


@ -1,54 +0,0 @@
From e9c0fb3c72bd102f24afe247bb545df210fa9aee Mon Sep 17 00:00:00 2001
From: zhangxiaoyu <zhangxiaoyu58@huawei.com>
Date: Tue, 12 Sep 2023 03:55:17 +0000
Subject: [PATCH 16/33] !2180 fix execlp not enough args * fix execlp not
enough args
---
cmake/set_build_flags.cmake | 2 +-
test/fuzz/CMakeLists.txt | 2 +-
test/image/oci/oci_ut_common.cc | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/cmake/set_build_flags.cmake b/cmake/set_build_flags.cmake
index ba250cdc..09c85c65 100644
--- a/cmake/set_build_flags.cmake
+++ b/cmake/set_build_flags.cmake
@@ -3,7 +3,7 @@ set(CMAKE_C_FLAGS "-fPIC -fstack-protector-all -D_FORTIFY_SOURCE=2 -O2 -Wall -fP
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -D__FILENAME__='\"$(subst ${CMAKE_SOURCE_DIR}/,,$(abspath $<))\"'")
if (GRPC_CONNECTOR)
- set(CMAKE_CXX_FLAGS "-fPIC -std=c++11 -fstack-protector-all -D_FORTIFY_SOURCE=2 -O2 -Wall -Wno-error=deprecated-declarations")
+ set(CMAKE_CXX_FLAGS "-fPIC -std=c++17 -fstack-protector-all -D_FORTIFY_SOURCE=2 -O2 -Wall -Wno-error=deprecated-declarations")
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -D__FILENAME__='\"$(subst ${CMAKE_SOURCE_DIR}/,,$(abspath $<))\"'")
endif()
set(CMAKE_SHARED_LINKER_FLAGS "-Wl,-E -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -Wtrampolines -shared -pthread")
diff --git a/test/fuzz/CMakeLists.txt b/test/fuzz/CMakeLists.txt
index 478a4012..617a168f 100644
--- a/test/fuzz/CMakeLists.txt
+++ b/test/fuzz/CMakeLists.txt
@@ -34,7 +34,7 @@ MESSAGE(STATUS "GCLANG_PP_BINARY is set to ${GCLANG_PP_BINARY}")
SET(CMAKE_C_COMPILER "${GCLANG_BINARY}")
SET(CMAKE_CXX_COMPILER "${GCLANG_PP_BINARY}")
SET(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -g -O0 --coverage -fsanitize=fuzzer,address -fsanitize-coverage=indirect-calls,trace-cmp,trace-div,trace-gep")
-SET(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -g -O0 --coverage -std=c++11 -fsanitize=fuzzer,address -fsanitize-coverage=indirect-calls,trace-cmp,trace-div,trace-gep")
+SET(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -g -O0 --coverage -std=c++17 -fsanitize=fuzzer,address -fsanitize-coverage=indirect-calls,trace-cmp,trace-div,trace-gep")
SET(CMAKE_RUNTIME_OUTPUT_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR})
SET(EXE0 test_volume_mount_spec_fuzz)
diff --git a/test/image/oci/oci_ut_common.cc b/test/image/oci/oci_ut_common.cc
index 1158ae85..9fa25d1c 100644
--- a/test/image/oci/oci_ut_common.cc
+++ b/test/image/oci/oci_ut_common.cc
@@ -22,7 +22,7 @@
int execvp_success(const char *file, char * const argv[])
{
- execlp("echo", "echo");
+ execlp("echo", "echo", NULL);
return -1;
}
--
2.40.1


@ -0,0 +1,57 @@
From d903cd356a9fb47ddbc7d23e2f4fe2f72b6242ef Mon Sep 17 00:00:00 2001
From: zhongtao <zhongtao17@huawei.com>
Date: Wed, 15 Nov 2023 10:25:40 +0800
Subject: [PATCH 16/16] open ENABLE_GRPC_REMOTE_CONNECT in CI
Signed-off-by: zhongtao <zhongtao17@huawei.com>
---
CI/make-and-install.sh | 4 ++--
CI/only_build_isulad.sh | 2 +-
CI/pr-gateway.sh | 2 +-
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/CI/make-and-install.sh b/CI/make-and-install.sh
index cdd0e432..c1d26ff1 100755
--- a/CI/make-and-install.sh
+++ b/CI/make-and-install.sh
@@ -103,9 +103,9 @@ rm -rf build
mkdir build
cd build
if [[ ${enable_gcov} -ne 0 ]]; then
- cmake -DLIB_INSTALL_DIR=${builddir}/lib -DCMAKE_INSTALL_PREFIX=${builddir} -DCMAKE_INSTALL_SYSCONFDIR=${builddir}/etc -DCMAKE_BUILD_TYPE=Debug -DGCOV=ON -DENABLE_EMBEDDED=ON -DENABLE_COVERAGE=ON -DENABLE_CRI_API_V1=ON -DENABLE_UT=ON -DENABLE_METRICS=ON -DENABLE_REMOTE_LAYER_STORE=ON ..
+ cmake -DLIB_INSTALL_DIR=${builddir}/lib -DCMAKE_INSTALL_PREFIX=${builddir} -DCMAKE_INSTALL_SYSCONFDIR=${builddir}/etc -DCMAKE_BUILD_TYPE=Debug -DGCOV=ON -DENABLE_EMBEDDED=ON -DENABLE_COVERAGE=ON -DENABLE_CRI_API_V1=ON -DENABLE_UT=ON -DENABLE_METRICS=ON -DENABLE_REMOTE_LAYER_STORE=ON -DENABLE_GRPC_REMOTE_CONNECT=ON ..
else
- cmake -DLIB_INSTALL_DIR=${builddir}/lib -DCMAKE_INSTALL_PREFIX=${builddir} -DCMAKE_INSTALL_SYSCONFDIR=${builddir}/etc -DENABLE_EMBEDDED=ON -DENABLE_METRICS=ON -DENABLE_REMOTE_LAYER_STORE=ON -DENABLE_CRI_API_V1=ON ..
+ cmake -DLIB_INSTALL_DIR=${builddir}/lib -DCMAKE_INSTALL_PREFIX=${builddir} -DCMAKE_INSTALL_SYSCONFDIR=${builddir}/etc -DENABLE_EMBEDDED=ON -DENABLE_METRICS=ON -DENABLE_REMOTE_LAYER_STORE=ON -DENABLE_CRI_API_V1=ON -DENABLE_GRPC_REMOTE_CONNECT=ON ..
fi
make -j $(nproc)
make install
diff --git a/CI/only_build_isulad.sh b/CI/only_build_isulad.sh
index d2d3417d..c3dc39d6 100755
--- a/CI/only_build_isulad.sh
+++ b/CI/only_build_isulad.sh
@@ -67,7 +67,7 @@ popd
git clone https://gitee.com/openeuler/iSulad.git
pushd iSulad
mkdir build && pushd build
-cmake -DENABLE_UT=ON ../
+cmake -DENABLE_UT=ON -DENABLE_GRPC_REMOTE_CONNECT=ON ../
make -j2 && make install
ctest -V
popd
diff --git a/CI/pr-gateway.sh b/CI/pr-gateway.sh
index 291fc4ae..08bcfc4f 100755
--- a/CI/pr-gateway.sh
+++ b/CI/pr-gateway.sh
@@ -99,7 +99,7 @@ pushd iSulad
rm -rf build
mkdir build
pushd build
-cmake -DDEBUG=ON -DCMAKE_INSTALL_PREFIX=/usr -DENABLE_UT=ON -DENABLE_CRI_API_V1=ON -DENABLE_REMOTE_LAYER_STORE=ON -DENABLE_SHIM_V2=OFF ../ || exit 1
+cmake -DDEBUG=ON -DCMAKE_INSTALL_PREFIX=/usr -DENABLE_UT=ON -DENABLE_CRI_API_V1=ON -DENABLE_REMOTE_LAYER_STORE=ON -DENABLE_SHIM_V2=OFF -DENABLE_GRPC_REMOTE_CONNECT=ON ../ || exit 1
make -j $(nproc) || exit 1
ctest -V
popd
--
2.42.0


@ -1,200 +0,0 @@
From e7f21e04b8710ec60045ba26ebdda5ce8a0c0f09 Mon Sep 17 00:00:00 2001
From: zhongtao <zhongtao17@huawei.com>
Date: Mon, 28 Aug 2023 06:46:10 +0000
Subject: [PATCH 17/33] !2135 modify incorrect variable type * modify incorrect
variable type
---
src/client/connect/protocol_type.h | 2 +-
src/daemon/modules/image/oci/oci_load.c | 4 ++--
src/daemon/modules/image/oci/registry/registry.c | 12 +++++++-----
.../oci/storage/layer_store/graphdriver/driver.c | 2 +-
.../image/oci/storage/layer_store/layer_store.c | 15 +++++++++------
src/daemon/modules/image/oci/storage/storage.c | 2 +-
src/daemon/modules/image/oci/utils_images.c | 4 ++--
src/daemon/modules/service/service_container.c | 2 +-
8 files changed, 24 insertions(+), 19 deletions(-)
diff --git a/src/client/connect/protocol_type.h b/src/client/connect/protocol_type.h
index 62d27c91..4206c50b 100644
--- a/src/client/connect/protocol_type.h
+++ b/src/client/connect/protocol_type.h
@@ -244,7 +244,7 @@ typedef struct container_events_format {
char *opt;
char *id;
char **annotations;
- char annotations_len;
+ size_t annotations_len;
} container_events_format_t;
typedef void (*container_events_callback_t)(const container_events_format_t *event);
diff --git a/src/daemon/modules/image/oci/oci_load.c b/src/daemon/modules/image/oci/oci_load.c
index 5511a70c..5e062d44 100644
--- a/src/daemon/modules/image/oci/oci_load.c
+++ b/src/daemon/modules/image/oci/oci_load.c
@@ -164,7 +164,7 @@ static void oci_load_free_layer(load_layer_blob_t *l)
static void oci_load_free_image(load_image_t *im)
{
- int i = 0;
+ size_t i = 0;
if (im == NULL) {
return;
@@ -406,7 +406,7 @@ out:
static int check_time_valid(oci_image_spec *conf)
{
- int i = 0;
+ size_t i = 0;
if (!oci_valid_time(conf->created)) {
ERROR("Invalid created time %s", conf->created);
diff --git a/src/daemon/modules/image/oci/registry/registry.c b/src/daemon/modules/image/oci/registry/registry.c
index 5c660bc9..e0b46e2e 100644
--- a/src/daemon/modules/image/oci/registry/registry.c
+++ b/src/daemon/modules/image/oci/registry/registry.c
@@ -655,18 +655,20 @@ static int register_layer(pull_descriptor *desc, size_t i)
static int get_top_layer_index(pull_descriptor *desc, size_t *top_layer_index)
{
- int i = 0;
+ size_t i;
if (desc == NULL || top_layer_index == NULL) {
ERROR("Invalid NULL pointer");
return -1;
}
-
- for (i = desc->layers_len - 1; i >= 0; i--) {
- if (desc->layers[i].empty_layer) {
+ // iterate over the layers array in reverse order, starting from the last layer
+ // since i is an unsigned number, i traverses from layers_len to 1
+ for (i = desc->layers_len; i > 0; i--) {
+ // the corresponding array index is [i - 1]: layers_len - 1 -> 0
+ if (desc->layers[i - 1].empty_layer) {
continue;
}
- *top_layer_index = i;
+ *top_layer_index = i - 1;
return 0;
}
diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/driver.c b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/driver.c
index b1790af1..fc2857b6 100644
--- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/driver.c
+++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/driver.c
@@ -345,7 +345,7 @@ int graphdriver_apply_diff(const char *id, const struct io_read_wrapper *content
container_inspect_graph_driver *graphdriver_get_metadata(const char *id)
{
int ret = -1;
- int i = 0;
+ size_t i = 0;
container_inspect_graph_driver *inspect_driver = NULL;
json_map_string_string *metadata = NULL;
diff --git a/src/daemon/modules/image/oci/storage/layer_store/layer_store.c b/src/daemon/modules/image/oci/storage/layer_store/layer_store.c
index 8d8384b8..6ea3c48b 100644
--- a/src/daemon/modules/image/oci/storage/layer_store/layer_store.c
+++ b/src/daemon/modules/image/oci/storage/layer_store/layer_store.c
@@ -747,7 +747,7 @@ out:
static int insert_memory_stores(const char *id, const struct layer_opts *opts, layer_t *l)
{
int ret = 0;
- int i = 0;
+ size_t i = 0;
if (!append_layer_into_list(l)) {
ret = -1;
@@ -788,9 +788,12 @@ clear_compress_digest:
(void)delete_digest_from_map(g_metadata.by_compress_digest, l->slayer->compressed_diff_digest, id);
}
clear_by_name:
- for (i = i - 1; i >= 0; i--) {
- if (!map_remove(g_metadata.by_name, (void *)opts->names[i])) {
- WARN("Remove name: %s failed", opts->names[i]);
+ // iterate over the names in reverse order, starting from the last name
+ // since i is an unsigned number, i traverses from inserted name len to 1
+ for (; i > 0; i--) {
+ // the corresponding array index is [i - 1]: inserted name len - 1 -> 0
+ if (!map_remove(g_metadata.by_name, (void *)opts->names[i - 1])) {
+ WARN("Remove name: %s failed", opts->names[i - 1]);
}
}
if (!map_remove(g_metadata.by_id, (void *)id)) {
@@ -1812,7 +1815,7 @@ void layer_store_exit()
static uint64_t payload_to_crc(char *payload)
{
int ret = 0;
- int i = 0;
+ size_t i = 0;
uint64_t crc = 0;
uint8_t *crc_sums = NULL;
size_t crc_sums_len = 0;
@@ -2232,7 +2235,7 @@ int remote_load_one_layer(const char *id)
{
int ret = 0;
layer_t *tl = NULL;
- int i = 0;
+ size_t i = 0;
if (!layer_store_lock(true)) {
return -1;
diff --git a/src/daemon/modules/image/oci/storage/storage.c b/src/daemon/modules/image/oci/storage/storage.c
index aa442ecf..13f8bb53 100644
--- a/src/daemon/modules/image/oci/storage/storage.c
+++ b/src/daemon/modules/image/oci/storage/storage.c
@@ -1538,7 +1538,7 @@ out:
static bool is_rootfs_layer(const char *layer_id, const struct rootfs_list *all_rootfs)
{
- int j;
+ size_t j;
if (all_rootfs == NULL || layer_id == NULL) {
return false;
diff --git a/src/daemon/modules/image/oci/utils_images.c b/src/daemon/modules/image/oci/utils_images.c
index a233c2b1..2c5656c6 100644
--- a/src/daemon/modules/image/oci/utils_images.c
+++ b/src/daemon/modules/image/oci/utils_images.c
@@ -450,7 +450,7 @@ static char *convert_created_by(image_manifest_v1_compatibility *config)
int add_rootfs_and_history(const layer_blob *layers, size_t layers_len, const registry_manifest_schema1 *manifest,
docker_image_config_v2 *config)
{
- int i = 0;
+ size_t i = 0;
int ret = 0;
size_t history_index = 0;
parser_error err = NULL;
@@ -511,7 +511,7 @@ int add_rootfs_and_history(const layer_blob *layers, size_t layers_len, const re
ret = util_array_append(&config->rootfs->diff_ids, layers[i].diff_id);
if (ret != 0) {
- ERROR("append diff id of layer %u to rootfs failed, diff id is %s", i, layers[i].diff_id);
+ ERROR("append diff id of layer %zu to rootfs failed, diff id is %s", i, layers[i].diff_id);
ret = -1;
goto out;
}
diff --git a/src/daemon/modules/service/service_container.c b/src/daemon/modules/service/service_container.c
index 83d82201..1fa2559d 100644
--- a/src/daemon/modules/service/service_container.c
+++ b/src/daemon/modules/service/service_container.c
@@ -320,7 +320,6 @@ static int write_env_content(const char *env_path, const char **env, size_t env_
int fd = -1;
size_t i = 0;
ssize_t nret = 0;
- int env_max = 4096;
ret = create_env_path_dir(env_path);
if (ret < 0) {
@@ -335,6 +334,7 @@ static int write_env_content(const char *env_path, const char **env, size_t env_
}
if (env != NULL) {
for (i = 0; i < env_len; i++) {
+ size_t env_max = 4096;
if (strlen(env[i]) > env_max) {
ERROR("Env is too long");
ret = -1;
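Review bot: The limit moved into the loop body as a mutable local, `size_t env_max = 4096;`, which is re-declared on every iteration even though it never changes. Declaring it once as `const size_t env_max = 4096;`, or as a named macro next to the other limits, makes it clear that this is a fixed bound. The `ERROR("Env is too long")` message would also be easier to act on if it logged the index and the limit rather than nothing. write_env_content starts and ends outside this hunk.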
--
2.40.1


@ -1,332 +0,0 @@
From 4adc923cfaf25142aa4cbb909d65c0f3a999cc02 Mon Sep 17 00:00:00 2001
From: zhongtao <zhongtao17@huawei.com>
Date: Tue, 29 Aug 2023 11:41:26 +0800
Subject: [PATCH 19/33] remove password in url module and clean sensitive info
in struct passwd
Signed-off-by: zhongtao <zhongtao17@huawei.com>
---
.../modules/image/image_rootfs_handler.c | 13 +-
src/utils/cpputils/url.cc | 144 +-----------------
src/utils/cpputils/url.h | 19 +--
3 files changed, 15 insertions(+), 161 deletions(-)
diff --git a/src/daemon/modules/image/image_rootfs_handler.c b/src/daemon/modules/image/image_rootfs_handler.c
index 1a3f4307..a8036ab9 100644
--- a/src/daemon/modules/image/image_rootfs_handler.c
+++ b/src/daemon/modules/image/image_rootfs_handler.c
@@ -85,6 +85,7 @@ static int proc_by_fpasswd(FILE *f_passwd, const char *user, defs_process_user *
char buf[BUFSIZ] = { 0 };
struct passwd pw;
struct passwd *pwbufp = NULL;
+ int ret = -1;
if (f_passwd != NULL) {
#if defined (__ANDROID__) || defined(__MUSL__)
@@ -116,7 +117,7 @@ static int proc_by_fpasswd(FILE *f_passwd, const char *user, defs_process_user *
if (errval != 0 && errval != ENOENT) {
ERROR("Failed to parse passwd file: Insufficient buffer space supplied");
isulad_set_error_message("Failed to parse passwd file: Insufficient buffer space supplied");
- return -1;
+ goto out;
}
if (!userfound && user != NULL) {
int uret = util_safe_llong(user, &n_user);
@@ -124,16 +125,20 @@ static int proc_by_fpasswd(FILE *f_passwd, const char *user, defs_process_user *
if (uret != 0) {
ERROR("Unable to find user '%s'", user);
isulad_set_error_message("Unable to find user '%s': no matching entries in passwd file", user);
- return -1;
+ goto out;
}
if (n_user < MINUID || n_user > MAXUID) {
uids_gids_range_err_log();
- return -1;
+ goto out;
}
puser->uid = (uid_t)n_user;
}
+ ret = 0;
- return 0;
+out:
+ memset(buf, 0, sizeof(buf));
+ memset(pwbufp, 0, sizeof(struct passwd));
+ return ret;
}
static int append_additional_gids(gid_t gid, gid_t **additional_gids, size_t *len)
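Review bot: The two `memset` calls added under `out:` are the last writes to locals that go out of scope at `return ret;`, so an optimising compiler may remove them as dead stores and leave the passwd data on the stack. A wipe that must survive optimisation should use a non-elidable primitive, e.g. `explicit_bzero(buf, sizeof(buf));`, where the target libc provides it, or a project helper with the same guarantee. In addition, `pwbufp` is initialised to NULL and only assigned inside the `if (f_passwd != NULL)` block, so `memset(pwbufp, 0, sizeof(struct passwd))` can apparently be reached with a NULL pointer; the data lives in the local `pw`, and patch 21/33 further down this page switches to `&pw`, where the dead-store concern still applies. proc_by_fpasswd starts outside this hunk.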
diff --git a/src/utils/cpputils/url.cc b/src/utils/cpputils/url.cc
index 117eba7e..baaded07 100644
--- a/src/utils/cpputils/url.cc
+++ b/src/utils/cpputils/url.cc
@@ -266,12 +266,7 @@ std::string Escape(const std::string &s, const EncodeMode &mode)
UserInfo *User(const std::string &username) noexcept
{
- return new UserInfo { username, "", false };
-}
-
-UserInfo *UserPassword(const std::string &username, const std::string &password) noexcept
-{
- return new UserInfo { username, password, true };
+ return new UserInfo { username };
}
int Getscheme(const std::string &rawurl, std::string &scheme, std::string &path)
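Review bot: `User()` is declared `noexcept` but allocates with plain `new`, so an allocation failure throws `std::bad_alloc` out of a noexcept function and terminates the process. Other allocations visible in this file use the non-throwing form (`new (std::nothrow) URLDatum(*ref)`), so `return new (std::nothrow) UserInfo { username };` would be consistent, provided callers check for null. Copying `username` inside the constructor can still throw, so `noexcept` is only accurate if termination on that path is acceptable. The function returns an owning raw pointer and the code that frees it is not visible here; a one-line comment such as `// caller takes ownership of the returned UserInfo` would record the contract.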
@@ -324,24 +319,6 @@ void Split(const std::string &s, const std::string &c, bool cutc, std::string &t
u = s.substr(i, s.size());
}
-URLDatum *Parse(const std::string &rawurl)
-{
- std::string u, frag;
- Split(rawurl, "#", true, u, frag);
- auto *url = Parse(u, false);
- if (url == nullptr) {
- return nullptr;
- }
- if (frag.empty()) {
- return url;
- }
- url->SetFragment(Unescape(frag, EncodeMode::ENCODE_FRAGMENT));
- if (url->GetFragment().empty()) {
- return nullptr;
- }
- return url;
-}
-
int SplitOffPossibleLeading(std::string &scheme, const std::string &rawurl, URLDatum *url, std::string &rest)
{
if (Getscheme(rawurl, scheme, rest) != 0) {
@@ -385,108 +362,6 @@ URLDatum *HandleNonBackslashPrefix(URLDatum *url, const std::string &scheme, con
return nullptr;
}
-int SetURLDatumInfo(URLDatum *url, const std::string &scheme, bool viaRequest, std::string &rest)
-{
- if ((!scheme.empty() || (!viaRequest && rest.substr(0, 3) == "///")) && rest.substr(0, 2) == "//") {
- std::string authority;
- Split(rest.substr(2, rest.size()), "/", false, authority, rest);
- std::string host = url->GetHost();
- UserInfo *user = url->GetUser();
- if (ParseAuthority(authority, &user, host)) {
- return -1;
- }
- url->SetHost(host);
- url->SetUser(user);
- }
- if (url->SetPath(rest)) {
- return -1;
- }
- url->SetScheme(scheme);
- return 0;
-}
-
-URLDatum *Parse(const std::string &rawurl, bool viaRequest)
-{
- if (rawurl.empty() && viaRequest) {
- ERROR("empty url!");
- return nullptr;
- }
- auto *url = new (std::nothrow) URLDatum;
- if (url == nullptr) {
- ERROR("Out of memory");
- return nullptr;
- }
- if (rawurl == "*") {
- url->SetPathWithoutEscape("*");
- return url;
- }
- std::string scheme = url->GetScheme();
- std::string rest;
- if (SplitOffPossibleLeading(scheme, rawurl, url, rest) != 0) {
- return nullptr;
- }
- bool shouldRet = false;
- auto *tmpret = HandleNonBackslashPrefix(url, scheme, rest, viaRequest, shouldRet);
- if (shouldRet) {
- return tmpret;
- }
- if (SetURLDatumInfo(url, scheme, viaRequest, rest) != 0) {
- return nullptr;
- }
- return url;
-}
-
-int ParseAuthority(const std::string &authority, UserInfo **user, std::string &host)
-{
- size_t i = authority.find("@");
- if (i == std::string::npos) {
- if (ParseHost(authority, host) != 0) {
- *user = nullptr;
- host = "";
- return -1;
- }
- } else {
- if (ParseHost(authority.substr(i + 1, authority.size()), host) != 0) {
- *user = nullptr;
- host = "";
- return -1;
- }
- }
- if (i == std::string::npos) {
- *user = nullptr;
- return 0;
- }
-
- std::string userinfo = authority.substr(0, i);
- if (!ValidUserinfo(userinfo)) {
- *user = nullptr;
- host = "";
- ERROR("net/url: invalid userinfo");
- return -1;
- }
- if (userinfo.find(":") == std::string::npos) {
- userinfo = Unescape(userinfo, EncodeMode::ENCODE_USER_PASSWORD);
- if (userinfo.empty()) {
- *user = nullptr;
- host = "";
- return -1;
- }
- *user = User(userinfo);
- } else {
- std::string servername, serverword;
- Split(userinfo, ":", true, servername, serverword);
- servername = Unescape(servername, EncodeMode::ENCODE_USER_PASSWORD);
- serverword = Unescape(serverword, EncodeMode::ENCODE_USER_PASSWORD);
- if (servername.empty() || serverword.empty()) {
- *user = nullptr;
- host = "";
- return -1;
- }
- *user = UserPassword(servername, serverword);
- }
- return 0;
-}
-
int ParseHost(std::string host, std::string &out)
{
if (host.at(0) == '[') {
@@ -756,9 +631,6 @@ std::string UserInfo::String() const
std::string s;
if (!m_username.empty()) {
s = Escape(m_username, EncodeMode::ENCODE_USER_PASSWORD);
- if (m_passwordSet) {
- s += ":" + Escape(m_password, EncodeMode::ENCODE_USER_PASSWORD);
- }
}
return s;
}
@@ -766,11 +638,6 @@ std::string UserInfo::Username() const
{
return m_username;
}
-std::string UserInfo::Password(bool &set) const
-{
- set = m_passwordSet;
- return m_password;
-}
URLDatum::~URLDatum()
{
@@ -860,15 +727,6 @@ bool URLDatum::IsAbs() const
return (m_scheme != "");
}
-std::unique_ptr<URLDatum> URLDatum::UrlParse(const std::string &ref)
-{
- auto *refurl = Parse(ref);
- if (refurl == nullptr) {
- return nullptr;
- }
- return ResolveReference(refurl);
-}
-
std::unique_ptr<URLDatum> URLDatum::ResolveReference(URLDatum *ref)
{
std::unique_ptr<URLDatum> url(new (std::nothrow) URLDatum(*ref));
diff --git a/src/utils/cpputils/url.h b/src/utils/cpputils/url.h
index abbf20f4..3dd40079 100644
--- a/src/utils/cpputils/url.h
+++ b/src/utils/cpputils/url.h
@@ -49,17 +49,13 @@ private:
class UserInfo {
public:
- UserInfo(const std::string &u, const std::string &p, bool b) : m_username(u), m_password(p),
- m_passwordSet(b) {}
+ UserInfo(const std::string &u) : m_username(u) {}
~UserInfo() = default;
std::string String() const;
std::string Username() const;
- std::string Password(bool &set) const;
private:
std::string m_username;
- std::string m_password;
- bool m_passwordSet;
};
class URLDatum {
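Review bot: With the password parameters removed, `UserInfo(const std::string &u)` becomes a single-argument constructor and so an implicit conversion from `std::string` or a string literal to `UserInfo`. Mark it `explicit UserInfo(const std::string &u) : m_username(u) {}` so that a plain string cannot silently become a UserInfo at a call site. The class body is fully contained in this hunk.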
@@ -69,7 +65,6 @@ public:
std::string EscapedPath();
std::string String();
bool IsAbs() const;
- std::unique_ptr<URLDatum> UrlParse(const std::string &ref);
std::unique_ptr<URLDatum> ResolveReference(URLDatum *ref);
auto Query()->std::map<std::string, std::vector<std::string>>;
std::string RequestURI();
@@ -88,7 +83,7 @@ public:
{
m_opaque = value;
}
- std::string GetOpaque() const
+ std::string GetOpaque() const
{
return m_opaque;
}
@@ -96,7 +91,7 @@ public:
{
m_user = value;
}
- UserInfo *GetUser() const
+ UserInfo *GetUser() const
{
return m_user;
}
@@ -128,7 +123,7 @@ public:
{
m_rawQuery = value;
}
- std::string GetRawQuery() const
+ std::string GetRawQuery() const
{
return m_rawQuery;
}
@@ -136,7 +131,7 @@ public:
{
m_fragment = value;
}
- std::string GetFragment() const
+ std::string GetFragment() const
{
return m_fragment;
}
@@ -163,13 +158,9 @@ std::string QueryUnescape(const std::string &s);
std::string Unescape(std::string s, const EncodeMode &mode);
std::string QueryEscape(const std::string &s);
std::string Escape(const std::string &s, const EncodeMode &mode);
-UserInfo *UserPassword(const std::string &username, const std::string &password) noexcept;
UserInfo *User(const std::string &username) noexcept;
int Getscheme(const std::string &rawurl, std::string &scheme, std::string &path);
void Split(const std::string &s, const std::string &c, bool cutc, std::string &t, std::string &u);
-URLDatum *Parse(const std::string &rawurl);
-URLDatum *Parse(const std::string &rawurl, bool viaRequest);
-int ParseAuthority(const std::string &authority, UserInfo **user, std::string &host);
int ParseHost(std::string host, std::string &out);
bool ValidEncodedPath(const std::string &s);
bool ValidOptionalPort(const std::string &port);
--
2.40.1


@ -1,447 +0,0 @@
From d9c60a7309f3616c1d9d0051ba338a8def37a538 Mon Sep 17 00:00:00 2001
From: zhongtao <zhongtao17@huawei.com>
Date: Tue, 29 Aug 2023 09:38:53 +0000
Subject: [PATCH 20/33] !2153 fix codecheck * fix codecheck
---
src/daemon/modules/image/embedded/load.c | 2 +-
src/daemon/modules/image/image.c | 4 +-
src/daemon/modules/image/oci/oci_login.h | 2 -
src/daemon/modules/image/oci/oci_logout.h | 2 -
.../oci/storage/image_store/image_store.c | 1 -
.../oci/storage/image_store/image_store.h | 2 -
.../graphdriver/devmapper/deviceset.c | 9 ++-
.../graphdriver/devmapper/deviceset.h | 5 +-
.../graphdriver/devmapper/driver_devmapper.h | 16 ++---
.../graphdriver/devmapper/wrapper_devmapper.h | 2 -
.../storage/layer_store/graphdriver/driver.c | 2 +-
.../storage/layer_store/graphdriver/driver.h | 59 ++++++++-----------
.../graphdriver/overlay2/driver_overlay2.c | 3 -
.../graphdriver/overlay2/driver_overlay2.h | 8 +--
.../graphdriver/quota/project_quota.h | 1 -
.../oci/storage/layer_store/layer_store.h | 4 --
.../overlay_remote_impl.c | 1 -
.../remote_layer_support/remote_support.c | 2 +-
.../remote_layer_support/remote_support.h | 2 +-
.../oci/storage/rootfs_store/rootfs_store.h | 4 --
20 files changed, 46 insertions(+), 85 deletions(-)
diff --git a/src/daemon/modules/image/embedded/load.c b/src/daemon/modules/image/embedded/load.c
index dc2aeba2..92ac42ad 100644
--- a/src/daemon/modules/image/embedded/load.c
+++ b/src/daemon/modules/image/embedded/load.c
@@ -36,7 +36,7 @@ static char *replace_suffix_to_sgn(const char *file)
ERROR("invalid NULL param");
return NULL;
}
- if (sizeof(".sgn") > SIZE_MAX - strlen(file)) {
+ if (strlen(file) > SIZE_MAX - sizeof(".sgn")) {
return NULL;
}
len = strlen(file) + sizeof(".sgn");
diff --git a/src/daemon/modules/image/image.c b/src/daemon/modules/image/image.c
index 408ceea2..a14f2ac3 100644
--- a/src/daemon/modules/image/image.c
+++ b/src/daemon/modules/image/image.c
@@ -784,7 +784,9 @@ int im_merge_image_config(const char *image_type, const char *image_name, contai
int ret = 0;
struct bim *bim = NULL;
- if (container_spec == NULL || image_name == NULL || image_type == NULL) {
+ // there is no need to judge the image name as empty,
+ // because the image name of external type allows it to be empty.
+ if (container_spec == NULL || image_type == NULL) {
ERROR("Invalid input arguments");
ret = -1;
goto out;
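Review bot: Removing `image_name == NULL` from the guard lets a NULL `image_name` reach the rest of `im_merge_image_config`, which continues outside this hunk. Everything after the guard, such as any `%s` logging and presumably the per-type merge callback, must now tolerate NULL for every image type, not only the external one. If only the external type may omit the name, it would be safer to keep rejecting NULL for the other types once the type has been resolved. The added comment would read more clearly as `// image_name may be NULL: the external image type does not require one`.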
diff --git a/src/daemon/modules/image/oci/oci_login.h b/src/daemon/modules/image/oci/oci_login.h
index ab261ebd..acf6eeb6 100644
--- a/src/daemon/modules/image/oci/oci_login.h
+++ b/src/daemon/modules/image/oci/oci_login.h
@@ -15,8 +15,6 @@
#ifndef DAEMON_MODULES_IMAGE_OCI_OCI_LOGIN_H
#define DAEMON_MODULES_IMAGE_OCI_OCI_LOGIN_H
-#include <stdbool.h>
-
#ifdef __cplusplus
extern "C" {
#endif
diff --git a/src/daemon/modules/image/oci/oci_logout.h b/src/daemon/modules/image/oci/oci_logout.h
index 81f0196c..c0a9bb8b 100644
--- a/src/daemon/modules/image/oci/oci_logout.h
+++ b/src/daemon/modules/image/oci/oci_logout.h
@@ -15,8 +15,6 @@
#ifndef DAEMON_MODULES_IMAGE_OCI_OCI_LOGOUT_H
#define DAEMON_MODULES_IMAGE_OCI_OCI_LOGOUT_H
-#include <stdbool.h>
-
#ifdef __cplusplus
extern "C" {
#endif
diff --git a/src/daemon/modules/image/oci/storage/image_store/image_store.c b/src/daemon/modules/image/oci/storage/image_store/image_store.c
index b7e0f0cc..f49f4707 100644
--- a/src/daemon/modules/image/oci/storage/image_store/image_store.c
+++ b/src/daemon/modules/image/oci/storage/image_store/image_store.c
@@ -2123,7 +2123,6 @@ static int pack_repo_digest(char ***old_repo_digests, const char **image_tags, c
}
for (i = 0; i < util_array_len((const char **)*repo_digests); i++) {
- bool value = true;
if (!map_replace(digest_map, (void *)(*repo_digests)[i], &value)) {
ERROR("Failed to insert pair to digest map: %s", (*repo_digests)[i]);
ret = -1;
diff --git a/src/daemon/modules/image/oci/storage/image_store/image_store.h b/src/daemon/modules/image/oci/storage/image_store/image_store.h
index 019a2881..4544f84b 100644
--- a/src/daemon/modules/image/oci/storage/image_store/image_store.h
+++ b/src/daemon/modules/image/oci/storage/image_store/image_store.h
@@ -29,8 +29,6 @@
#include "isula_libutils/imagetool_images_list.h"
#include "isula_libutils/imagetool_image_summary.h"
-struct storage_module_init_options;
-
#ifdef __cplusplus
extern "C" {
#endif
diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c
index 79541e54..4652c71a 100644
--- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c
+++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c
@@ -105,7 +105,6 @@ static int handle_dm_min_free_space(char *val, struct device_set *devset)
{
long converted = 0;
int ret = util_parse_percent_string(val, &converted);
-
if (ret != 0 || converted >= 100) {
errno = -ret;
SYSERROR("Invalid min free space: '%s'", val);
@@ -293,7 +292,8 @@ static char *deviceset_meta_file(const struct device_set *devset)
return file;
}
-// get_dm_name return value format:container-253:0-409697-401641a00390ccd2b21eb464f5eb5a7b735c3731b717e7bffafe65971f4cb498
+// get_dm_name return value format:
+// container-253:0-409697-401641a00390ccd2b21eb464f5eb5a7b735c3731b717e7bffafe65971f4cb498
static char *get_dm_name(const struct device_set *devset, const char *hash)
{
int nret = 0;
@@ -312,7 +312,8 @@ static char *get_dm_name(const struct device_set *devset, const char *hash)
return util_strdup_s(buff);
}
-// get_dev_name return value fromat:/dev/mapper/container-253:0-409697-401641a00390ccd2b21eb464f5eb5a7b735c3731b717e7bffafe65971f4cb498
+// get_dev_name return value fromat:
+// /dev/mapper/container-253:0-409697-401641a00390ccd2b21eb464f5eb5a7b735c3731b717e7bffafe65971f4cb498
static char *get_dev_name(const char *name)
{
return util_string_append(name, DEVMAPPER_DECICE_DIRECTORY);
@@ -2351,7 +2352,6 @@ static int setup_base_image(struct device_set *devset)
devmapper_device_info_t *device_info = NULL;
device_info = lookup_device(devset, "base");
-
// base image already exists. If it is initialized properly, do UUID
// verification and return. Otherwise remove image and set it up
// fresh.
@@ -2504,7 +2504,6 @@ static void cleanup_deleted_devices(struct graphdriver *driver)
goto unlock_driver;
}
-
if (driver->devset->nr_deleted_devices == 0) {
DEBUG("devmapper: no devices to delete");
goto unlock_devset;
diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.h b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.h
index ec985e40..d7f7d184 100644
--- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.h
+++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.h
@@ -23,10 +23,7 @@
#include "driver.h"
#include "metadata_store.h"
-
-struct device_set;
-struct driver_mount_opts;
-struct graphdriver;
+#include "devices_constants.h"
#ifdef __cplusplus
extern "C" {
diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/driver_devmapper.h b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/driver_devmapper.h
index 9ee020de..dca2d614 100644
--- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/driver_devmapper.h
+++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/driver_devmapper.h
@@ -16,22 +16,18 @@
#define DAEMON_MODULES_IMAGE_OCI_STORAGE_LAYER_STORE_GRAPHDRIVER_DEVMAPPER_DRIVER_DEVMAPPER_H
#include <pthread.h>
-#include <isula_libutils/imagetool_fs_info.h>
-#include <isula_libutils/json_common.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
+#include <isula_libutils/imagetool_fs_info.h>
+#include <isula_libutils/json_common.h>
+#include <isula_libutils/image_devmapper_transaction.h>
+#include <isula_libutils/image_devmapper_deviceset_metadata.h>
#include "driver.h"
#include "map.h"
-#include "isula_libutils/image_devmapper_transaction.h"
-#include "isula_libutils/image_devmapper_deviceset_metadata.h"
-
-struct driver_create_opts;
-struct driver_mount_opts;
-struct graphdriver;
-struct graphdriver_status;
-struct io_read_wrapper;
+#include "image_api.h"
+#include "io_wrapper.h"
#ifdef __cplusplus
extern "C" {
diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/wrapper_devmapper.h b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/wrapper_devmapper.h
index 01771a3b..4b2ae82b 100644
--- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/wrapper_devmapper.h
+++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/wrapper_devmapper.h
@@ -24,8 +24,6 @@
#include "driver.h"
-struct dm_task;
-
#ifdef __cplusplus
extern "C" {
#endif
diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/driver.c b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/driver.c
index fc2857b6..fb549bae 100644
--- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/driver.c
+++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/driver.c
@@ -1,5 +1,5 @@
/******************************************************************************
- * Copyright (c) Huawei Technologies Co., Ltd. 2017-2019. All rights reserved.
+ * Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
* iSulad licensed under the Mulan PSL v2.
* You can use this software according to the terms and conditions of the Mulan PSL v2.
* You may obtain a copy of Mulan PSL v2 at:
diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/driver.h b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/driver.h
index acd847cc..2fcfa12b 100644
--- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/driver.h
+++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/driver.h
@@ -1,5 +1,5 @@
/******************************************************************************
- * Copyright (c) Huawei Technologies Co., Ltd. 2019. All rights reserved.
+ * Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
* iSulad licensed under the Mulan PSL v2.
* You can use this software according to the terms and conditions of the Mulan PSL v2.
* You may obtain a copy of Mulan PSL v2 at:
@@ -20,25 +20,42 @@
#include <stddef.h>
#include <pthread.h>
#include <isula_libutils/imagetool_fs_info.h>
+#include <isula_libutils/container_inspect.h>
+#include <isula_libutils/json_common.h>
-#include "isula_libutils/container_inspect.h"
-#include "isula_libutils/json_common.h"
#include "io_wrapper.h"
#include "driver_overlay2_types.h"
#include "devices_constants.h"
#include "storage.h"
#include "image_api.h"
-#include "isula_libutils/container_inspect.h"
-
-struct graphdriver_status;
-struct io_read_wrapper;
-struct storage_module_init_options;
#ifdef __cplusplus
extern "C" {
#endif
-struct graphdriver;
+struct graphdriver {
+ // common implement
+ const struct graphdriver_ops *ops;
+ const char *name;
+ const char *home;
+ char *backing_fs;
+ bool support_dtype;
+
+ bool support_quota;
+#ifdef ENABLE_REMOTE_LAYER_STORE
+ bool enable_remote_layer;
+#endif
+ struct pquota_control *quota_ctrl;
+
+ // options for overlay2
+ struct overlay_options *overlay_opts;
+
+ // options for device mapper
+ struct device_set *devset;
+
+ // lock to protect graphdriver between cleanup and other operations
+ pthread_rwlock_t rwlock;
+};
struct driver_create_opts {
char *mount_label;
@@ -81,30 +98,6 @@ struct graphdriver_ops {
int (*get_layer_fs_info)(const char *id, const struct graphdriver *driver, imagetool_fs_info *fs_info);
};
-struct graphdriver {
- // common implement
- const struct graphdriver_ops *ops;
- const char *name;
- const char *home;
- char *backing_fs;
- bool support_dtype;
-
- bool support_quota;
-#ifdef ENABLE_REMOTE_LAYER_STORE
- bool enable_remote_layer;
-#endif
- struct pquota_control *quota_ctrl;
-
- // options for overlay2
- struct overlay_options *overlay_opts;
-
- // options for device mapper
- struct device_set *devset;
-
- // lock to protect graphdriver between cleanup and other operations
- pthread_rwlock_t rwlock;
-};
-
int graphdriver_init(const struct storage_module_init_options *opts);
int graphdriver_create_rw(const char *id, const char *parent, struct driver_create_opts *create_opts);
diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c
index ced30b96..7517dd43 100644
--- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c
+++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c
@@ -648,7 +648,6 @@ const static int check_lower_depth(const char *lowers_str)
lowers_arr = util_string_split(lowers_str, ':');
lowers_size = util_array_len((const char **)lowers_arr);
-
if (lowers_size > OVERLAY_LAYER_MAX_DEPTH) {
ERROR("Max depth exceeded %s", lowers_str);
ret = -1;
@@ -1274,7 +1273,6 @@ static int append_rel_empty_path(const char *id, char ***rel_lowers)
char *rel_path = NULL;
rel_path = util_string_append("/empty", id);
-
if (util_array_append(rel_lowers, rel_path) != 0) {
SYSERROR("Can't append relative layer:%s", rel_path);
ret = -1;
@@ -2181,7 +2179,6 @@ int overlay2_repair_lowers(const char *id, const char *parent, const struct grap
lowers_str = read_layer_lower_file(layer_dir);
lowers_arr = util_string_split(lowers_str, ':');
lowers_size = util_array_len((const char **)lowers_arr);
-
if (lowers_size != 0) {
if (check_lower_valid(driver->home, lowers_arr[0]) == 0) {
DEBUG("Try to repair layer %s, success check", id);
diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.h b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.h
index 438c508e..444c0670 100644
--- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.h
+++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.h
@@ -22,12 +22,8 @@
#include <stdint.h>
#include "driver.h"
-
-struct driver_create_opts;
-struct driver_mount_opts;
-struct graphdriver;
-struct graphdriver_status;
-struct io_read_wrapper;
+#include "image_api.h"
+#include "io_wrapper.h"
#ifdef __cplusplus
extern "C" {
diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/quota/project_quota.h b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/quota/project_quota.h
index 94230faa..6cda7456 100644
--- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/quota/project_quota.h
+++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/quota/project_quota.h
@@ -33,7 +33,6 @@
#include <fcntl.h>
#include <stdlib.h>
#include <inttypes.h>
-#include <linux/magic.h>
#include <linux/dqblk_xfs.h>
#include <errno.h>
#include <libgen.h>
diff --git a/src/daemon/modules/image/oci/storage/layer_store/layer_store.h b/src/daemon/modules/image/oci/storage/layer_store/layer_store.h
index 20287119..eba406d4 100644
--- a/src/daemon/modules/image/oci/storage/layer_store/layer_store.h
+++ b/src/daemon/modules/image/oci/storage/layer_store/layer_store.h
@@ -24,10 +24,6 @@
#include "storage.h"
#include "io_wrapper.h"
-struct io_read_wrapper;
-struct layer_list;
-struct storage_module_init_options;
-
#ifdef __cplusplus
extern "C" {
#endif
diff --git a/src/daemon/modules/image/oci/storage/remote_layer_support/overlay_remote_impl.c b/src/daemon/modules/image/oci/storage/remote_layer_support/overlay_remote_impl.c
index 38d9b0ce..86e05ac2 100644
--- a/src/daemon/modules/image/oci/storage/remote_layer_support/overlay_remote_impl.c
+++ b/src/daemon/modules/image/oci/storage/remote_layer_support/overlay_remote_impl.c
@@ -185,7 +185,6 @@ static int remove_one_remote_overlay_layer(struct remote_overlay_data *data, con
}
link_id = (char *)map_search(overlay_id_link, (void *)overlay_id);
-
if (link_id == NULL) {
ERROR("Failed to find link id for overlay layer: %s", overlay_id);
ret = -1;
diff --git a/src/daemon/modules/image/oci/storage/remote_layer_support/remote_support.c b/src/daemon/modules/image/oci/storage/remote_layer_support/remote_support.c
index 5bf9869b..eb919321 100644
--- a/src/daemon/modules/image/oci/storage/remote_layer_support/remote_support.c
+++ b/src/daemon/modules/image/oci/storage/remote_layer_support/remote_support.c
@@ -1,5 +1,5 @@
/******************************************************************************
- * Copyright (c) Huawei Technologies Co., Ltd. 2020-2020. All rights reserved.
+ * Copyright (c) Huawei Technologies Co., Ltd. 2023. All rights reserved.
* iSulad licensed under the Mulan PSL v2.
* You can use this software according to the terms and conditions of the Mulan PSL v2.
* You may obtain a copy of Mulan PSL v2 at:
diff --git a/src/daemon/modules/image/oci/storage/remote_layer_support/remote_support.h b/src/daemon/modules/image/oci/storage/remote_layer_support/remote_support.h
index 30e3ebb0..545cbe49 100644
--- a/src/daemon/modules/image/oci/storage/remote_layer_support/remote_support.h
+++ b/src/daemon/modules/image/oci/storage/remote_layer_support/remote_support.h
@@ -1,5 +1,5 @@
/******************************************************************************
- * Copyright (c) Huawei Technologies Co., Ltd. 2020-2023. All rights reserved.
+ * Copyright (c) Huawei Technologies Co., Ltd. 2023. All rights reserved.
* iSulad licensed under the Mulan PSL v2.
* You can use this software according to the terms and conditions of the Mulan PSL v2.
* You may obtain a copy of Mulan PSL v2 at:
diff --git a/src/daemon/modules/image/oci/storage/rootfs_store/rootfs_store.h b/src/daemon/modules/image/oci/storage/rootfs_store/rootfs_store.h
index 63f3294b..d618c401 100644
--- a/src/daemon/modules/image/oci/storage/rootfs_store/rootfs_store.h
+++ b/src/daemon/modules/image/oci/storage/rootfs_store/rootfs_store.h
@@ -24,10 +24,6 @@
#include "storage.h"
#include "rootfs.h"
-struct rootfs_list;
-struct storage_module_init_options;
-struct storage_rootfs_options;
-
#ifdef __cplusplus
extern "C" {
#endif
--
2.40.1


@ -1,25 +0,0 @@
From 14bc12be8e4219a78b877e60affd4f584ccab220 Mon Sep 17 00:00:00 2001
From: zhongtao <zhongtao17@huawei.com>
Date: Tue, 29 Aug 2023 13:18:34 +0000
Subject: [PATCH 21/33] !2157 bugfix for memset * bugfix for memset
---
src/daemon/modules/image/image_rootfs_handler.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/daemon/modules/image/image_rootfs_handler.c b/src/daemon/modules/image/image_rootfs_handler.c
index a8036ab9..ceea4f5b 100644
--- a/src/daemon/modules/image/image_rootfs_handler.c
+++ b/src/daemon/modules/image/image_rootfs_handler.c
@@ -137,7 +137,7 @@ static int proc_by_fpasswd(FILE *f_passwd, const char *user, defs_process_user *
out:
memset(buf, 0, sizeof(buf));
- memset(pwbufp, 0, sizeof(struct passwd));
+ memset(&pw, 0, sizeof(struct passwd));
return ret;
}
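Review bot: Both `memset` calls at `out:` write to objects that are not read again before `return ret;`, so an optimising compiler is allowed to drop them as dead stores. If the intent is to scrub the passwd line and the parsed entry from the stack, `explicit_bzero(buf, sizeof(buf));` and `explicit_bzero(&pw, sizeof(pw));` (glibc 2.25 or later) keep the clearing in place, and `sizeof(pw)` avoids repeating the type name. The declarations of `buf` and `pw` are outside the hunk, so this assumes both are locals of proc_by_fpasswd().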
--
2.40.1


@ -1,223 +0,0 @@
From 0c0bc7a873cb5377aa0d5587c28d711a09f00811 Mon Sep 17 00:00:00 2001
From: zhongtao <zhongtao17@huawei.com>
Date: Wed, 30 Aug 2023 09:56:29 +0000
Subject: [PATCH 22/33] !2159 use macros to isolate the password option of
login and the plugin module * use macros to isolate the password option of
login and the plugin module
---
cmake/options.cmake | 14 ++++++++++
src/cmd/isula/images/login.h | 28 +++++++++++++------
src/cmd/isulad/main.c | 2 ++
.../executor/container_cb/execution_create.c | 2 ++
src/daemon/modules/CMakeLists.txt | 13 +++++++--
src/daemon/modules/api/CMakeLists.txt | 3 ++
.../container/container_events_handler.c | 2 ++
.../modules/service/service_container.c | 4 +++
8 files changed, 57 insertions(+), 11 deletions(-)
diff --git a/cmake/options.cmake b/cmake/options.cmake
index 5fc5c221..e733fd1c 100644
--- a/cmake/options.cmake
+++ b/cmake/options.cmake
@@ -138,6 +138,20 @@ if (ENABLE_NATIVE_NETWORK OR ENABLE_GRPC)
set(ENABLE_NETWORK 1)
endif()
+option(ENABLE_PLUGIN "enable plugin module" OFF)
+if (ENABLE_PLUGIN STREQUAL "ON")
+ add_definitions(-DENABLE_PLUGIN=1)
+ set(ENABLE_PLUGIN 1)
+ message("${Green}-- Enable plugin module${ColourReset}")
+endif()
+
+option(ENABLE_LOGIN_PASSWORD_OPTION "enable login password option" ON)
+if (ENABLE_LOGIN_PASSWORD_OPTION STREQUAL "ON")
+ add_definitions(-DENABLE_LOGIN_PASSWORD_OPTION=1)
+ set(ENABLE_LOGIN_PASSWORD_OPTION 1)
+ message("${Green}-- Enable login password option${ColourReset}")
+endif()
+
option(EANBLE_IMAGE_LIBARAY "create libisulad_image.so" ON)
if (EANBLE_IMAGE_LIBARAY STREQUAL "ON")
add_definitions(-DEANBLE_IMAGE_LIBARAY)
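Review bot: `if (ENABLE_PLUGIN STREQUAL "ON")` matches only the literal string ON, while src/daemon/modules/CMakeLists.txt in this same patch tests `if (ENABLE_PLUGIN)`. Configuring with `-DENABLE_PLUGIN=1` or `=TRUE` would therefore add the plugin subdirectory without passing `-DENABLE_PLUGIN=1` to the compiler, so every `#ifdef ENABLE_PLUGIN` call site is compiled out while the module is still built. Writing `if (ENABLE_PLUGIN)` here, and `if (ENABLE_LOGIN_PASSWORD_OPTION)` for the second option, keeps the two files in step. ENABLE_LOGIN_PASSWORD_OPTION also defaults to ON, so the `--password` flag that puts the secret on the command line stays available unless a packager opts out; the option's help string should say so.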
diff --git a/src/cmd/isula/images/login.h b/src/cmd/isula/images/login.h
index 5f9a676c..38829cba 100644
--- a/src/cmd/isula/images/login.h
+++ b/src/cmd/isula/images/login.h
@@ -24,16 +24,28 @@
extern "C" {
#endif
+#ifdef ENABLE_LOGIN_PASSWORD_OPTION
#define LOGIN_OPTIONS(cmdargs) \
- { CMD_OPT_TYPE_STRING_DUP, false, "username", 'u', &(cmdargs).username, "Username", NULL }, \
- { CMD_OPT_TYPE_STRING_DUP, false, "password", 'p', &(cmdargs).password, "Password", NULL }, \
- { CMD_OPT_TYPE_BOOL, \
- false, \
- "password-stdin", \
- 0, \
- &(cmdargs).password_stdin, \
- "Take the password from stdin", \
+ { CMD_OPT_TYPE_STRING_DUP, false, "username", 'u', &(cmdargs).username, "Username", NULL }, \
+ { CMD_OPT_TYPE_STRING_DUP, false, "password", 'p', &(cmdargs).password, "Password", NULL }, \
+ { CMD_OPT_TYPE_BOOL, \
+ false, \
+ "password-stdin", \
+ 0, \
+ &(cmdargs).password_stdin, \
+ "Take the password from stdin", \
NULL },
+#else
+#define LOGIN_OPTIONS(cmdargs) \
+ { CMD_OPT_TYPE_STRING_DUP, false, "username", 'u', &(cmdargs).username, "Username", NULL }, \
+ { CMD_OPT_TYPE_BOOL, \
+ false, \
+ "password-stdin", \
+ 0, \
+ &(cmdargs).password_stdin, \
+ "Take the password from stdin", \
+ NULL },
+#endif
extern const char g_cmd_login_desc[];
extern const char g_cmd_login_usage[];
diff --git a/src/cmd/isulad/main.c b/src/cmd/isulad/main.c
index 8369f9e2..4740f91a 100644
--- a/src/cmd/isulad/main.c
+++ b/src/cmd/isulad/main.c
@@ -1685,10 +1685,12 @@ int main(int argc, char **argv)
goto failure;
}
+#ifdef ENABLE_PLUGIN
if (start_plugin_manager()) {
ERROR("Failed to init plugin_manager");
goto failure;
}
+#endif
clock_gettime(CLOCK_MONOTONIC, &t_end);
use_time = (double)(t_end.tv_sec - t_start.tv_sec) * (double)1000000000 + (double)(t_end.tv_nsec - t_start.tv_nsec);
diff --git a/src/daemon/executor/container_cb/execution_create.c b/src/daemon/executor/container_cb/execution_create.c
index 9c097121..377aa1aa 100644
--- a/src/daemon/executor/container_cb/execution_create.c
+++ b/src/daemon/executor/container_cb/execution_create.c
@@ -1499,6 +1499,7 @@ int container_create_cb(const container_create_request *request, container_creat
goto clean_netns;
}
+#ifdef ENABLE_PLUGIN
/* modify oci_spec by plugin. */
if (plugin_event_container_pre_create(id, oci_spec) != 0) {
ERROR("Plugin event pre create failed");
@@ -1506,6 +1507,7 @@ int container_create_cb(const container_create_request *request, container_creat
cc = ISULAD_ERR_EXEC;
goto clean_netns;
}
+#endif
host_channel = dup_host_channel(host_spec->host_channel);
if (prepare_host_channel(host_channel, host_spec->user_remap)) {
diff --git a/src/daemon/modules/CMakeLists.txt b/src/daemon/modules/CMakeLists.txt
index 5d13412b..a70c094f 100644
--- a/src/daemon/modules/CMakeLists.txt
+++ b/src/daemon/modules/CMakeLists.txt
@@ -3,7 +3,6 @@
aux_source_directory(${CMAKE_CURRENT_SOURCE_DIR} modules_top_srcs)
add_subdirectory(runtime)
add_subdirectory(image)
-add_subdirectory(plugin)
add_subdirectory(spec)
add_subdirectory(container)
add_subdirectory(log)
@@ -17,7 +16,6 @@ set(local_modules_srcs
${modules_top_srcs}
${RUNTIME_SRCS}
${IMAGE_SRCS}
- ${PLUGIN_SRCS}
${SPEC_SRCS}
${MANAGER_SRCS}
${LOG_GATHER_SRCS}
@@ -31,7 +29,6 @@ set(local_modules_incs
${CMAKE_CURRENT_SOURCE_DIR}
${RUNTIME_INCS}
${IMAGE_INCS}
- ${PLUGIN_INCS}
${SPEC_INCS}
${MANAGER_INCS}
${LOG_GATHER_INCS}
@@ -42,6 +39,16 @@ set(local_modules_incs
${VOLUME_INCS}
)
+if (ENABLE_PLUGIN)
+ add_subdirectory(plugin)
+ list(APPEND local_modules_srcs
+ ${PLUGIN_SRCS}
+ )
+ list(APPEND local_modules_incs
+ ${PLUGIN_INCS}
+ )
+endif()
+
set(MODULES_SRCS
${local_modules_srcs}
PARENT_SCOPE
diff --git a/src/daemon/modules/api/CMakeLists.txt b/src/daemon/modules/api/CMakeLists.txt
index f577c45f..0735b25a 100644
--- a/src/daemon/modules/api/CMakeLists.txt
+++ b/src/daemon/modules/api/CMakeLists.txt
@@ -9,3 +9,6 @@ set(MODULES_API_INCS
PARENT_SCOPE
)
+if (NOT ENABLE_PLUGIN)
+ list(REMOVE_ITEM MODULES_API_INCS "${CMAKE_CURRENT_SOURCE_DIR}/plugin_api.h")
+endif()
diff --git a/src/daemon/modules/container/container_events_handler.c b/src/daemon/modules/container/container_events_handler.c
index d78e6fc1..d56c2ee0 100644
--- a/src/daemon/modules/container/container_events_handler.c
+++ b/src/daemon/modules/container/container_events_handler.c
@@ -155,7 +155,9 @@ static int container_state_changed(container_t *cont, const struct isulad_events
} else {
container_state_set_stopped(cont->state, (int)events->exit_status);
container_wait_stop_cond_broadcast(cont);
+#ifdef ENABLE_PLUGIN
plugin_event_container_post_stop(cont);
+#endif
}
auto_remove = !should_restart && cont->hostconfig != NULL && cont->hostconfig->auto_remove;
diff --git a/src/daemon/modules/service/service_container.c b/src/daemon/modules/service/service_container.c
index 1fa2559d..2d393f62 100644
--- a/src/daemon/modules/service/service_container.c
+++ b/src/daemon/modules/service/service_container.c
@@ -807,12 +807,14 @@ static int do_start_container(container_t *cont, const char *console_fifos[], bo
open_stdin = cont->common_config->config->open_stdin;
}
+#ifdef ENABLE_PLUGIN
if (plugin_event_container_pre_start(cont)) {
ERROR("Plugin event pre start failed ");
plugin_event_container_post_stop(cont); /* ignore error */
ret = -1;
goto close_exit_fd;
}
+#endif
#ifdef ENABLE_CRI_API_V1
if (cont->common_config->sandbox_info != NULL &&
@@ -1370,7 +1372,9 @@ int delete_container(container_t *cont, bool force)
}
}
+#ifdef ENABLE_PLUGIN
plugin_event_container_post_remove(cont);
+#endif
ret = do_delete_container(cont);
if (ret != 0) {
--
2.40.1


@ -1,25 +0,0 @@
From 6b02ac8055379fa0b907f5ed10c5bd974cade90f Mon Sep 17 00:00:00 2001
From: zhongtao <zhongtao17@huawei.com>
Date: Thu, 31 Aug 2023 01:55:41 +0000
Subject: [PATCH 23/33] !2161 bugfix for api cmakelist * bugfix for api
cmakelist
---
src/daemon/modules/api/CMakeLists.txt | 4 ----
1 file changed, 4 deletions(-)
diff --git a/src/daemon/modules/api/CMakeLists.txt b/src/daemon/modules/api/CMakeLists.txt
index 0735b25a..357566fa 100644
--- a/src/daemon/modules/api/CMakeLists.txt
+++ b/src/daemon/modules/api/CMakeLists.txt
@@ -8,7 +8,3 @@ set(MODULES_API_INCS
${CMAKE_CURRENT_SOURCE_DIR}
PARENT_SCOPE
)
-
-if (NOT ENABLE_PLUGIN)
- list(REMOVE_ITEM MODULES_API_INCS "${CMAKE_CURRENT_SOURCE_DIR}/plugin_api.h")
-endif()
--
2.40.1


@ -1,140 +0,0 @@
From 64f94112728f35ee76d56fa4cf6dc41bd5cd5d33 Mon Sep 17 00:00:00 2001
From: zhongtao <zhongtao17@huawei.com>
Date: Sat, 2 Sep 2023 08:56:38 +0000
Subject: [PATCH 24/33] !2165 preventing the use of insecure isulad tmpdir
directory * preventing the use of insecure isulad tmpdir directory
---
src/common/constants.h | 2 +
.../container/leftover_cleanup/cleanup.c | 66 ++++++++++++++++++-
src/daemon/modules/image/oci/utils_images.c | 10 +++
3 files changed, 77 insertions(+), 1 deletion(-)
diff --git a/src/common/constants.h b/src/common/constants.h
index d93bb464..c0417263 100644
--- a/src/common/constants.h
+++ b/src/common/constants.h
@@ -50,6 +50,8 @@ extern "C" {
#define TEMP_DIRECTORY_MODE 0700
+#define ISULAD_TEMP_DIRECTORY_MODE 0660
+
#define CONSOLE_FIFO_DIRECTORY_MODE 0770
#define SOCKET_GROUP_DIRECTORY_MODE 0660
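Review bot: `ISULAD_TEMP_DIRECTORY_MODE 0660` is a directory mode with no search (execute) bit, unlike `TEMP_DIRECTORY_MODE 0700` directly above it. A directory created with this mode can only be entered by a process that bypasses DAC checks, so the value presumably relies on the daemon running as root with CAP_DAC_OVERRIDE. Either record that next to the define, for example `/* no x bit on purpose: only a privileged isulad enters this directory */`, or use 0700. The later patch on this page that changes the constant to 0600 raises the same question.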
diff --git a/src/daemon/modules/container/leftover_cleanup/cleanup.c b/src/daemon/modules/container/leftover_cleanup/cleanup.c
index 9a38ffc2..f24ec467 100644
--- a/src/daemon/modules/container/leftover_cleanup/cleanup.c
+++ b/src/daemon/modules/container/leftover_cleanup/cleanup.c
@@ -13,6 +13,8 @@
* Description: provide cleanup functions
*********************************************************************************/
#include <sys/mount.h>
+#include <sys/stat.h>
+#include <unistd.h>
#include "utils.h"
#include "utils_fs.h"
@@ -169,6 +171,67 @@ static bool walk_isulad_tmpdir_cb(const char *path_name, const struct dirent *su
return true;
}
+static int isulad_tmpdir_security_check(const char *tmpdir)
+{
+ struct stat st = { 0 };
+
+ if (lstat(tmpdir, &st) != 0) {
+ SYSERROR("Failed to lstat %s", tmpdir);
+ return -1;
+ }
+
+ if (!S_ISDIR(st.st_mode)) {
+ return -1;
+ }
+
+ if ((st.st_mode & 0777) != ISULAD_TEMP_DIRECTORY_MODE) {
+ return -1;
+ }
+
+ if (st.st_uid != 0) {
+ return -1;
+ }
+
+ if (S_ISLNK(st.st_mode)) {
+ return -1;
+ }
+
+ return 0;
+}
+
+static int recreate_tmpdir(const char *tmpdir)
+{
+ int ret;
+ struct stat st = { 0 };
+
+ if (util_recursive_rmdir(tmpdir, 0)) {
+ ERROR("Failed to remove directory %s", tmpdir);
+ return -1;
+ }
+
+ if (util_mkdir_p(tmpdir, ISULAD_TEMP_DIRECTORY_MODE)) {
+ ERROR("Failed to create directory %s", tmpdir);
+ return -1;
+ }
+
+ if (lstat(tmpdir, &st) != 0) {
+ SYSERROR("Failed to lstat %s", tmpdir);
+ return -1;
+ }
+
+ return ret;
+}
+
+static int ensure_isulad_tmpdir_security(const char *tmpdir)
+{
+ if (isulad_tmpdir_security_check(tmpdir) == 0) {
+ return 0;
+ }
+
+ INFO("iSulad tmpdir does not meet security requirements, recreate it");
+ return recreate_tmpdir(tmpdir);
+}
+
static void cleanup_path(char *dir)
{
int nret;
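Review bot: recreate_tmpdir() returns `ret`, which is declared but never assigned, so a successful recreate hands an indeterminate value back through ensure_isulad_tmpdir_security() to the `!= 0` test in cleanup_path(). The function should end with `return 0;`, and the trailing `lstat()` whose result is never examined should either be dropped or used to confirm the mode and owner of the new directory. Separately, the `S_ISLNK(st.st_mode)` branch in isulad_tmpdir_security_check() is unreachable, because `!S_ISDIR(st.st_mode)` has already returned for anything lstat() reports as a link; the same dead branch is in the copy of this function that the later patch adds to src/cmd/isulad/main.c. cleanup_path() starts and ends outside the hunk.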
@@ -186,7 +249,8 @@ static void cleanup_path(char *dir)
return;
}
- if (!util_dir_exists(cleanpath)) {
+ // preventing the use of insecure isulad tmpdir directory
+ if (ensure_isulad_tmpdir_security(cleanpath) != 0) {
return;
}
diff --git a/src/daemon/modules/image/oci/utils_images.c b/src/daemon/modules/image/oci/utils_images.c
index f8fd1e73..4342db5b 100644
--- a/src/daemon/modules/image/oci/utils_images.c
+++ b/src/daemon/modules/image/oci/utils_images.c
@@ -630,6 +630,16 @@ int makesure_isulad_tmpdir_perm_right(const char *root_dir)
goto out;
}
+ if ((st.st_mode & 0777) != TEMP_DIRECTORY_MODE) {
+ ret = -1;
+ goto out;
+ }
+
+ if (S_ISLNK(st.st_mode)) {
+ ret = -1;
+ goto out;
+ }
+
// chown to root
ret = lchown(isulad_tmpdir, 0, 0);
if (ret == 0 || (ret == EPERM && st.st_uid == 0 && st.st_gid == 0)) {
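Review bot: The added mode test requires `TEMP_DIRECTORY_MODE` (0700), while the check added to cleanup.c in this same patch requires, and recreates the directory with, `ISULAD_TEMP_DIRECTORY_MODE` (0660). If both act on the same `isulad_tmpdir` directory, which the names suggest but the hunk does not show, a directory recreated at cleanup time can never pass this test. Pick one constant for both places, e.g. `if ((st.st_mode & 0777) != ISULAD_TEMP_DIRECTORY_MODE) {`, or document why the two differ. Whether the `S_ISLNK(st.st_mode)` test can ever fire depends on `st` coming from lstat() rather than stat(); that call is outside the hunk.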
--
2.40.1


@ -1,238 +0,0 @@
From c2af7f7d7f6b0f1aaa884204a037e8275092121a Mon Sep 17 00:00:00 2001
From: zhongtao <zhongtao17@huawei.com>
Date: Sat, 2 Sep 2023 10:38:29 +0000
Subject: [PATCH 25/33] !2166 move ensure_isulad_tmpdir_security function to
main.c * move ensure_isulad_tmpdir_security function to main.c
---
src/cmd/isulad/main.c | 101 ++++++++++++++++++
.../container/leftover_cleanup/cleanup.c | 66 +-----------
src/utils/tar/util_archive.c | 2 +-
3 files changed, 103 insertions(+), 66 deletions(-)
diff --git a/src/cmd/isulad/main.c b/src/cmd/isulad/main.c
index 4740f91a..e32fed6a 100644
--- a/src/cmd/isulad/main.c
+++ b/src/cmd/isulad/main.c
@@ -1222,6 +1222,101 @@ out:
return ret;
}
+static int isulad_tmpdir_security_check(const char *tmp_dir)
+{
+ struct stat st = { 0 };
+
+ if (lstat(tmp_dir, &st) != 0) {
+ SYSERROR("Failed to lstat %s", tmp_dir);
+ return -1;
+ }
+
+ if (!S_ISDIR(st.st_mode)) {
+ return -1;
+ }
+
+ if ((st.st_mode & 0777) != ISULAD_TEMP_DIRECTORY_MODE) {
+ return -1;
+ }
+
+ if (st.st_uid != 0) {
+ return -1;
+ }
+
+ if (S_ISLNK(st.st_mode)) {
+ return -1;
+ }
+
+ return 0;
+}
+
+static int recreate_tmpdir(const char *tmp_dir)
+{
+ if (util_recursive_rmdir(tmp_dir, 0) != 0) {
+ ERROR("Failed to remove directory %s", tmp_dir);
+ return -1;
+ }
+
+ if (util_mkdir_p(tmp_dir, ISULAD_TEMP_DIRECTORY_MODE) != 0) {
+ ERROR("Failed to create directory %s", tmp_dir);
+ return -1;
+ }
+
+ return 0;
+}
+
+static int do_ensure_isulad_tmpdir_security(const char *isulad_tmp_dir)
+{
+ int nret;
+ char tmp_dir[PATH_MAX] = { 0 };
+ char cleanpath[PATH_MAX] = { 0 };
+
+ nret = snprintf(tmp_dir, PATH_MAX, "%s/isulad_tmpdir", isulad_tmp_dir);
+ if (nret < 0 || (size_t)nret >= PATH_MAX) {
+ ERROR("Failed to snprintf");
+ return -1;
+ }
+
+ if (util_clean_path(tmp_dir, cleanpath, sizeof(cleanpath)) == NULL) {
+ ERROR("Failed to clean path for %s", tmp_dir);
+ return -1;
+ }
+
+ if (isulad_tmpdir_security_check(cleanpath) == 0) {
+ return 0;
+ }
+
+ INFO("iSulad tmpdir: %s does not meet security requirements, recreate it", isulad_tmp_dir);
+ return recreate_tmpdir(cleanpath);
+}
+
+static int ensure_isulad_tmpdir_security()
+{
+ char *isulad_tmp_dir = NULL;
+
+ isulad_tmp_dir = getenv("ISULAD_TMPDIR");
+ if (!util_valid_str(isulad_tmp_dir)) {
+ isulad_tmp_dir = "/tmp";
+ }
+
+ if (do_ensure_isulad_tmpdir_security(isulad_tmp_dir) != 0) {
+ ERROR("Failed to ensure the %s directory is a safe directory", isulad_tmp_dir);
+ return -1;
+ }
+
+ if (strcmp(isulad_tmp_dir, "/tmp") == 0) {
+ return 0;
+ }
+
+ // No matter whether ISULAD_TMPDIR is set or not,
+ // ensure the "/tmp" directory is a safe directory
+ if (do_ensure_isulad_tmpdir_security("/tmp") != 0) {
+ WARN("Failed to ensure the /tmp directory is a safe directory");
+ }
+
+ return 0;
+}
+
static int isulad_server_init_common()
{
int ret = -1;
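Review bot: Nothing re-validates the directory after recreate_tmpdir() in do_ensure_isulad_tmpdir_security(), so the function reports success on the strength of util_mkdir_p() alone. Whether util_mkdir_p() applies the requested mode regardless of the process umask is not visible here; if it does not, the new directory fails the `(st.st_mode & 0777) != ISULAD_TEMP_DIRECTORY_MODE` test at the next start and is removed again. I would end the function with `if (recreate_tmpdir(cleanpath) != 0) { return -1; }` followed by `return isulad_tmpdir_security_check(cleanpath);`. The INFO line should print `cleanpath` rather than `isulad_tmp_dir`, which is the parent directory and not the one being recreated. isulad_server_init_common() begins at the end of this hunk and continues outside it.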
@@ -1261,6 +1356,12 @@ static int isulad_server_init_common()
goto out;
}
+ // preventing the use of insecure isulad tmpdir directory
+ if (ensure_isulad_tmpdir_security() != 0) {
+ ERROR("Failed to ensure isulad tmpdir security");
+ goto out;
+ }
+
if (volume_init(args->json_confs->graph) != 0) {
ERROR("Failed to init volume");
goto out;
diff --git a/src/daemon/modules/container/leftover_cleanup/cleanup.c b/src/daemon/modules/container/leftover_cleanup/cleanup.c
index f24ec467..9a38ffc2 100644
--- a/src/daemon/modules/container/leftover_cleanup/cleanup.c
+++ b/src/daemon/modules/container/leftover_cleanup/cleanup.c
@@ -13,8 +13,6 @@
* Description: provide cleanup functions
*********************************************************************************/
#include <sys/mount.h>
-#include <sys/stat.h>
-#include <unistd.h>
#include "utils.h"
#include "utils_fs.h"
@@ -171,67 +169,6 @@ static bool walk_isulad_tmpdir_cb(const char *path_name, const struct dirent *su
return true;
}
-static int isulad_tmpdir_security_check(const char *tmpdir)
-{
- struct stat st = { 0 };
-
- if (lstat(tmpdir, &st) != 0) {
- SYSERROR("Failed to lstat %s", tmpdir);
- return -1;
- }
-
- if (!S_ISDIR(st.st_mode)) {
- return -1;
- }
-
- if ((st.st_mode & 0777) != ISULAD_TEMP_DIRECTORY_MODE) {
- return -1;
- }
-
- if (st.st_uid != 0) {
- return -1;
- }
-
- if (S_ISLNK(st.st_mode)) {
- return -1;
- }
-
- return 0;
-}
-
-static int recreate_tmpdir(const char *tmpdir)
-{
- int ret;
- struct stat st = { 0 };
-
- if (util_recursive_rmdir(tmpdir, 0)) {
- ERROR("Failed to remove directory %s", tmpdir);
- return -1;
- }
-
- if (util_mkdir_p(tmpdir, ISULAD_TEMP_DIRECTORY_MODE)) {
- ERROR("Failed to create directory %s", tmpdir);
- return -1;
- }
-
- if (lstat(tmpdir, &st) != 0) {
- SYSERROR("Failed to lstat %s", tmpdir);
- return -1;
- }
-
- return ret;
-}
-
-static int ensure_isulad_tmpdir_security(const char *tmpdir)
-{
- if (isulad_tmpdir_security_check(tmpdir) == 0) {
- return 0;
- }
-
- INFO("iSulad tmpdir does not meet security requirements, recreate it");
- return recreate_tmpdir(tmpdir);
-}
-
static void cleanup_path(char *dir)
{
int nret;
@@ -249,8 +186,7 @@ static void cleanup_path(char *dir)
return;
}
- // preventing the use of insecure isulad tmpdir directory
- if (ensure_isulad_tmpdir_security(cleanpath) != 0) {
+ if (!util_dir_exists(cleanpath)) {
return;
}
diff --git a/src/utils/tar/util_archive.c b/src/utils/tar/util_archive.c
index 82194654..82e940a5 100644
--- a/src/utils/tar/util_archive.c
+++ b/src/utils/tar/util_archive.c
@@ -220,7 +220,7 @@ static int make_safedir_is_noexec(const char *flock_path, const char *dstdir, ch
}
// ensure parent dir is exist
- if (util_mkdir_p(cleanpath, buf.st_mode) != 0) {
+ if (util_mkdir_p(cleanpath, ISULAD_TEMP_DIRECTORY_MODE) != 0) {
return -1;
}
--
2.40.1


@ -1,110 +0,0 @@
From 4e6473570e3a5cd59585818216218a7a512790a5 Mon Sep 17 00:00:00 2001
From: zhongtao <zhongtao17@huawei.com>
Date: Mon, 4 Sep 2023 08:45:55 +0000
Subject: [PATCH 26/33] !2169 using macros to isolate isulad's enable_plugin
configuration option * using macros to isolate isulad's enable_plugin
configuration option
---
src/cmd/isulad/isulad_commands.h | 15 +++++++++++----
src/common/constants.h | 2 ++
src/daemon/config/isulad_config.c | 4 ++++
src/daemon/config/isulad_config.h | 2 ++
4 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/src/cmd/isulad/isulad_commands.h b/src/cmd/isulad/isulad_commands.h
index 6a8220cc..05d3551c 100644
--- a/src/cmd/isulad/isulad_commands.h
+++ b/src/cmd/isulad/isulad_commands.h
@@ -78,6 +78,16 @@ int command_default_ulimit_append(command_option_t *option, const char *arg);
#define USERNS_REMAP_OPT(cmdargs)
#endif
+#ifdef ENABLE_PLUGIN
+#define PLUGINS_OPT(cmdargs) \
+ { CMD_OPT_TYPE_STRING_DUP, \
+ false, "enable-plugins", 0, &(cmdargs)->json_confs->enable_plugins, \
+ "Enable plugins for all containers", NULL \
+ },
+#else
+#define PLUGINS_OPT(cmdargs)
+#endif
+
#ifdef ENABLE_GRPC_REMOTE_CONNECT
#define ISULAD_TLS_OPTIONS(cmdargs) \
{ CMD_OPT_TYPE_STRING_DUP, \
@@ -326,10 +336,7 @@ int command_default_ulimit_append(command_option_t *option, const char *arg);
false, "cpu-rt-runtime", 0, &(cmdargs)->json_confs->cpu_rt_runtime, \
"Limit CPU real-time runtime in microseconds for all containers", command_convert_llong \
}, \
- { CMD_OPT_TYPE_STRING_DUP, \
- false, "enable-plugins", 0, &(cmdargs)->json_confs->enable_plugins, \
- "Enable plugins for all containers", NULL \
- }, \
+ PLUGINS_OPT(cmdargs) \
{ CMD_OPT_TYPE_CALLBACK, \
false, "cri-runtime", 0, (cmdargs), \
"CRI runtime class transform", server_callback_cri_runtime \
diff --git a/src/common/constants.h b/src/common/constants.h
index c0417263..f98fb930 100644
--- a/src/common/constants.h
+++ b/src/common/constants.h
@@ -134,9 +134,11 @@ extern "C" {
#define AUTH_PLUGIN "authz-broker"
+#ifdef ENABLE_PLUGIN
#define ISULAD_ENABLE_PLUGINS "ISULAD_ENABLE_PLUGINS"
#define ISULAD_ENABLE_PLUGINS_SEPERATOR ","
#define ISULAD_ENABLE_PLUGINS_SEPERATOR_CHAR ','
+#endif
#ifdef ENABLE_NETWORK
#define ISULAD_CNI_NETWORK_CONF_FILE_PRE "isulacni-"
diff --git a/src/daemon/config/isulad_config.c b/src/daemon/config/isulad_config.c
index f600f0cf..72722c30 100644
--- a/src/daemon/config/isulad_config.c
+++ b/src/daemon/config/isulad_config.c
@@ -1253,6 +1253,7 @@ out:
return result;
}
+#ifdef ENABLE_PLUGIN
char *conf_get_enable_plugins(void)
{
struct service_arguments *conf = NULL;
@@ -1274,6 +1275,7 @@ out:
(void)isulad_server_conf_unlock();
return plugins;
}
+#endif
#ifdef ENABLE_USERNS_REMAP
char *conf_get_isulad_userns_remap(void)
@@ -1739,7 +1741,9 @@ int merge_json_confs_into_global(struct service_arguments *args)
override_string_value(&args->json_confs->pidfile, &tmp_json_confs->pidfile);
// iSulad runtime execution options
override_string_value(&args->json_confs->hook_spec, &tmp_json_confs->hook_spec);
+#ifdef ENABLE_PLUGIN
override_string_value(&args->json_confs->enable_plugins, &tmp_json_confs->enable_plugins);
+#endif
#ifdef ENABLE_USERNS_REMAP
override_string_value(&args->json_confs->userns_remap, &tmp_json_confs->userns_remap);
#endif
diff --git a/src/daemon/config/isulad_config.h b/src/daemon/config/isulad_config.h
index 4fe1acdc..459ea331 100644
--- a/src/daemon/config/isulad_config.h
+++ b/src/daemon/config/isulad_config.h
@@ -60,7 +60,9 @@ int conf_get_container_log_opts(isulad_daemon_configs_container_log **opts);
char *conf_get_isulad_log_file(void);
char *conf_get_engine_log_file(void);
+#ifdef ENABLE_PLUGIN
char *conf_get_enable_plugins(void);
+#endif
#ifdef ENABLE_USERNS_REMAP
char *conf_get_isulad_userns_remap(void);
#endif
--
2.40.1


@ -1,87 +0,0 @@
From 6dcde807f5bba8ff1aa7d049856f3eddd4b0586f Mon Sep 17 00:00:00 2001
From: zhongtao <zhongtao17@huawei.com>
Date: Sat, 9 Sep 2023 06:48:39 +0000
Subject: [PATCH 27/33] !2178 clean path for fpath and verify chain id Merge
pull request !2178 from zhongtao/image
---
src/daemon/modules/image/oci/oci_load.c | 30 +++++++++++++++++--
.../modules/image/oci/registry/registry.c | 2 +-
2 files changed, 28 insertions(+), 4 deletions(-)
diff --git a/src/daemon/modules/image/oci/oci_load.c b/src/daemon/modules/image/oci/oci_load.c
index 569c5346..fd707330 100644
--- a/src/daemon/modules/image/oci/oci_load.c
+++ b/src/daemon/modules/image/oci/oci_load.c
@@ -27,8 +27,10 @@
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
+#include <linux/limits.h>
#include "utils.h"
+#include "path.h"
#include "isula_libutils/log.h"
#include "util_archive.h"
#include "storage.h"
@@ -717,6 +719,9 @@ static int oci_load_set_layers_info(load_image_t *im, const image_manifest_items
}
for (; i < conf->rootfs->diff_ids_len; i++) {
+ char *fpath = NULL;
+ char cleanpath[PATH_MAX] = { 0 };
+
im->layers[i] = util_common_calloc_s(sizeof(load_layer_blob_t));
if (im->layers[i] == NULL) {
ERROR("Out of memory");
@@ -724,12 +729,31 @@ static int oci_load_set_layers_info(load_image_t *im, const image_manifest_items
goto out;
}
- im->layers[i]->fpath = util_path_join(dstdir, manifest->layers[i]);
- if (im->layers[i]->fpath == NULL) {
- ERROR("Path join failed");
+ fpath = util_path_join(dstdir, manifest->layers[i]);
+ if (fpath == NULL) {
+ ERROR("Failed to join path");
+ ret = -1;
+ goto out;
+ }
+
+ if (util_clean_path(fpath, cleanpath, sizeof(cleanpath)) == NULL) {
+ ERROR("Failed to clean path for %s", fpath);
+ free(fpath);
+ ret = -1;
+ goto out;
+ }
+
+ free(fpath);
+
+ // verify whether the prefix of the path is dstdir to prevent illegal directories
+ if (strncmp(cleanpath, dstdir, strlen(dstdir)) != 0) {
+ ERROR("Illegal directory: %s", cleanpath);
ret = -1;
goto out;
}
+
+ im->layers[i]->fpath = util_strdup_s(cleanpath);
+
// The format is sha256:xxx
im->layers[i]->chain_id = oci_load_calc_chain_id(parent_chain_id_sha256, conf->rootfs->diff_ids[i]);
if (im->layers[i]->chain_id == NULL) {
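Review bot: The containment test `strncmp(cleanpath, dstdir, strlen(dstdir)) != 0` accepts a sibling directory whose name merely begins with dstdir, because it does not require a path separator after the prefix (constructed example: with dstdir `/a/b`, the cleaned path `/a/bc/x` passes). Extending the condition to `strncmp(cleanpath, dstdir, strlen(dstdir)) != 0 || cleanpath[strlen(dstdir)] != '/'` closes that gap; it assumes dstdir is already in cleaned form without a trailing slash, which this hunk does not show. util_clean_path() appears to normalise the string only, so a symlink inside the unpacked tree is not covered by this check and should be confirmed as handled elsewhere. oci_load_set_layers_info() starts and ends outside the hunk.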
diff --git a/src/daemon/modules/image/oci/registry/registry.c b/src/daemon/modules/image/oci/registry/registry.c
index e0b46e2e..35753c79 100644
--- a/src/daemon/modules/image/oci/registry/registry.c
+++ b/src/daemon/modules/image/oci/registry/registry.c
@@ -600,7 +600,7 @@ static int register_layer(pull_descriptor *desc, size_t i)
return 0;
}
- id = util_without_sha256_prefix(desc->layers[i].chain_id);
+ id = oci_image_id_from_digest(desc->layers[i].chain_id);
if (id == NULL) {
ERROR("layer %zu have NULL digest for image %s", i, desc->image_name);
return -1;
--
2.40.1


@ -1,35 +0,0 @@
From a291302fe12e21207c30ebffebf852cb37aface4 Mon Sep 17 00:00:00 2001
From: zhongtao <zhongtao17@huawei.com>
Date: Sat, 9 Sep 2023 08:11:06 +0000
Subject: [PATCH 28/33] !2179 modify the permissions of tmpdir and file lock to
600 Merge pull request !2179 from zhongtao/mode
---
src/common/constants.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/common/constants.h b/src/common/constants.h
index f98fb930..caf9b793 100644
--- a/src/common/constants.h
+++ b/src/common/constants.h
@@ -50,7 +50,7 @@ extern "C" {
#define TEMP_DIRECTORY_MODE 0700
-#define ISULAD_TEMP_DIRECTORY_MODE 0660
+#define ISULAD_TEMP_DIRECTORY_MODE 0600
#define CONSOLE_FIFO_DIRECTORY_MODE 0770
@@ -70,7 +70,7 @@ extern "C" {
#define DEFAULT_HIGHEST_DIRECTORY_MODE 0755
-#define MOUNT_FLOCK_FILE_MODE 0660
+#define MOUNT_FLOCK_FILE_MODE 0600
#define ISULAD_CONFIG SYSCONFDIR_PREFIX"/etc/isulad"
--
2.40.1


@ -1,202 +0,0 @@
From 460c943125d9eca7cb4259d42c6c008a709e9dbe Mon Sep 17 00:00:00 2001
From: haozi007 <liuhao27@huawei.com>
Date: Wed, 23 Aug 2023 15:42:42 +0800
Subject: [PATCH 29/33] [image] ensure id of loaded and pulled image is valid
Signed-off-by: haozi007 <liuhao27@huawei.com>
---
src/daemon/modules/image/oci/oci_import.c | 14 ++++++++++---
src/daemon/modules/image/oci/oci_load.c | 21 ++++++-------------
.../modules/image/oci/registry/registry.c | 8 ++++++-
src/daemon/modules/image/oci/utils_images.c | 17 ++++++++++++++-
src/daemon/modules/image/oci/utils_images.h | 3 +++
src/utils/cutils/utils.h | 2 --
src/utils/sha256/sha256.c | 1 -
7 files changed, 43 insertions(+), 23 deletions(-)
diff --git a/src/daemon/modules/image/oci/oci_import.c b/src/daemon/modules/image/oci/oci_import.c
index 1e14a916..0568c23f 100644
--- a/src/daemon/modules/image/oci/oci_import.c
+++ b/src/daemon/modules/image/oci/oci_import.c
@@ -93,7 +93,7 @@ static int register_layer(import_desc *desc)
return -1;
}
- id = util_without_sha256_prefix(desc->uncompressed_digest);
+ id = oci_image_id_from_digest(desc->uncompressed_digest);
if (id == NULL) {
ERROR("Invalid NULL param");
return -1;
@@ -315,8 +315,16 @@ static int register_image(import_desc *desc)
opts.create_time = &desc->now_time;
opts.digest = desc->manifest_digest;
- image_id = util_without_sha256_prefix(desc->config_digest);
- top_layer_id = util_without_sha256_prefix(desc->uncompressed_digest);
+ image_id = oci_image_id_from_digest(desc->config_digest);
+ if (image_id == NULL) {
+ ret = -1;
+ goto out;
+ }
+ top_layer_id = oci_image_id_from_digest(desc->uncompressed_digest);
+ if (top_layer_id == NULL) {
+ ret = -1;
+ goto out;
+ }
ret = storage_img_create(image_id, top_layer_id, NULL, &opts);
if (ret != 0) {
pre_top_layer = storage_get_img_top_layer(image_id);
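Review bot: The two new NULL branches in register_image() set `ret = -1` and jump to `out` without giving the caller a reason, whereas the matching branch this patch adds to registry.c calls `isulad_try_set_error_message("invalid image digest: %s", desc->config.digest);`. An import that fails on a malformed digest would then surface only the generic failure. Adding `isulad_try_set_error_message("invalid image digest: %s", desc->config_digest);` to the first branch, and the equivalent for `desc->uncompressed_digest` in the second, makes the two paths consistent, assuming that helper is already available in oci_import.c. register_image() starts and ends outside the hunk.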
diff --git a/src/daemon/modules/image/oci/oci_load.c b/src/daemon/modules/image/oci/oci_load.c
index fd707330..31ae3849 100644
--- a/src/daemon/modules/image/oci/oci_load.c
+++ b/src/daemon/modules/image/oci/oci_load.c
@@ -290,16 +290,6 @@ out:
return full_digest;
}
-static char *oci_load_without_sha256_prefix(char *digest)
-{
- if (digest == NULL) {
- ERROR("Invalid digest NULL when strip sha256 prefix");
- return NULL;
- }
-
- return digest + strlen(SHA256_PREFIX);
-}
-
static int registry_layer_from_tarball(const load_layer_blob_t *layer, const char *id, const char *parent)
{
int ret = 0;
@@ -345,7 +335,7 @@ static int oci_load_register_layers(load_image_t *desc)
}
for (i = 0; i < desc->layers_len; i++) {
- id = oci_load_without_sha256_prefix(desc->layers[i]->chain_id);
+ id = oci_image_id_from_digest(desc->layers[i]->chain_id);
if (id == NULL) {
ERROR("layer %zu have NULL digest for image %s", i, desc->im_id);
ret = -1;
@@ -457,7 +447,7 @@ static int oci_load_create_image(load_image_t *desc, const char *dst_tag)
top_layer_index = desc->layers_len - 1;
opts.create_time = &timestamp;
opts.digest = desc->manifest_digest;
- top_layer_id = oci_load_without_sha256_prefix(desc->layers[top_layer_index]->chain_id);
+ top_layer_id = oci_image_id_from_digest(desc->layers[top_layer_index]->chain_id);
if (top_layer_id == NULL) {
ERROR("NULL top layer id found for image %s", desc->im_id);
ret = -1;
@@ -764,7 +754,7 @@ static int oci_load_set_layers_info(load_image_t *im, const image_manifest_items
}
parent_chain_id_sha256 = im->layers[i]->chain_id;
- id = oci_load_without_sha256_prefix(im->layers[i]->chain_id);
+ id = oci_image_id_from_digest(im->layers[i]->chain_id);
if (id == NULL) {
ERROR("Wipe out sha256 prefix failed from layer with chain id : %s", im->layers[i]->chain_id);
ret = -1;
@@ -832,7 +822,8 @@ static load_image_t *oci_load_process_manifest(const image_manifest_items_elemen
goto out;
}
- image_id = oci_load_without_sha256_prefix(image_digest);
+ // call util_valid_digest to ensure digest is valid, so image id is valid
+ image_id = oci_image_id_from_digest(image_digest);
if (image_id == NULL) {
ret = -1;
ERROR("Remove sha256 prefix error from image digest %s", image_digest);
@@ -872,7 +863,7 @@ static int64_t get_layer_size_from_storage(char *chain_id_pre)
return -1;
}
- id = oci_load_without_sha256_prefix(chain_id_pre);
+ id = oci_image_id_from_digest(chain_id_pre);
if (id == NULL) {
ERROR("Get chain id failed from value:%s", chain_id_pre);
return -1;
diff --git a/src/daemon/modules/image/oci/registry/registry.c b/src/daemon/modules/image/oci/registry/registry.c
index 35753c79..4124281d 100644
--- a/src/daemon/modules/image/oci/registry/registry.c
+++ b/src/daemon/modules/image/oci/registry/registry.c
@@ -877,7 +877,13 @@ static int register_image(pull_descriptor *desc)
// lock when create image to make sure image content all exist
mutex_lock(&g_shared->image_mutex);
- image_id = util_without_sha256_prefix(desc->config.digest);
+ image_id = oci_image_id_from_digest(desc->config.digest);
+ if (image_id == NULL) {
+ ERROR("Invalid digest: %s", desc->config.digest);
+ isulad_try_set_error_message("invalid image digest: %s", desc->config.digest);
+ ret = -1;
+ goto out;
+ }
ret = create_image(desc, image_id, &reuse);
if (ret != 0) {
ERROR("create image %s failed", desc->image_name);
diff --git a/src/daemon/modules/image/oci/utils_images.c b/src/daemon/modules/image/oci/utils_images.c
index 4342db5b..f92ee59a 100644
--- a/src/daemon/modules/image/oci/utils_images.c
+++ b/src/daemon/modules/image/oci/utils_images.c
@@ -691,4 +691,19 @@ int oci_split_search_name(const char *search_name, char **host, char **name)
return 0;
}
-#endif
\ No newline at end of file
+#endif
+
+char *oci_image_id_from_digest(char *digest)
+{
+ if (digest == NULL) {
+ ERROR("Empty digest");
+ return NULL;
+ }
+
+ if (!util_valid_digest(digest)) {
+ ERROR("Load image with invalid digest: %s", digest);
+ return NULL;
+ }
+
+ return digest + strlen(SHA256_PREFIX);
+}
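Review bot: oci_image_id_from_digest() returns a pointer into the caller's `digest` buffer rather than a copy, and neither the definition nor the one-line comment in utils_images.h says so or mentions the NULL return for an invalid digest. Proposed comment above the definition: `/* Returns a pointer into digest just past the "sha256:" prefix, or NULL if digest is NULL or fails util_valid_digest(); do not free the result, it is valid only while digest is. */`. The message `Load image with invalid digest: %s` is also misleading now that the pull and import paths call this helper; `Invalid digest: %s` fits every caller.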
diff --git a/src/daemon/modules/image/oci/utils_images.h b/src/daemon/modules/image/oci/utils_images.h
index 2238bb91..ea0fb20a 100644
--- a/src/daemon/modules/image/oci/utils_images.h
+++ b/src/daemon/modules/image/oci/utils_images.h
@@ -61,6 +61,9 @@ char *get_hostname_to_strip(void);
char *oci_image_digest_pos(const char *name);
+// return a pointer to digest string without 'sha256:' prefix
+char *oci_image_id_from_digest(char *digest);
+
#ifdef __cplusplus
}
#endif
diff --git a/src/utils/cutils/utils.h b/src/utils/cutils/utils.h
index 83b20e5e..3acf0698 100644
--- a/src/utils/cutils/utils.h
+++ b/src/utils/cutils/utils.h
@@ -388,8 +388,6 @@ int util_generate_random_str(char *id, size_t len);
int util_check_inherited_exclude_fds(bool closeall, int *fds_to_ignore, size_t len_fds);
-char *util_without_sha256_prefix(char *digest);
-
int util_normalized_host_os_arch(char **host_os, char **host_arch, char **host_variant);
int util_read_pid_ppid_info(uint32_t pid, pid_ppid_info_t *pid_info);
diff --git a/src/utils/sha256/sha256.c b/src/utils/sha256/sha256.c
index 54cc2862..4e692355 100644
--- a/src/utils/sha256/sha256.c
+++ b/src/utils/sha256/sha256.c
@@ -388,7 +388,6 @@ char *sha256_full_digest_str(char *str)
char *util_without_sha256_prefix(char *digest)
{
if (digest == NULL || !util_has_prefix(digest, SHA256_PREFIX)) {
- ERROR("Invalid digest when strip sha256 prefix");
return NULL;
}
--
2.40.1


@ -1,123 +0,0 @@
From ff67cabc3e3839ef4b539805ed54b5c826b6f446 Mon Sep 17 00:00:00 2001
From: haozi007 <liuhao27@huawei.com>
Date: Mon, 4 Sep 2023 15:19:36 +0800
Subject: [PATCH 30/33] mask proxy informations
Signed-off-by: haozi007 <liuhao27@huawei.com>
---
.../container_cb/execution_information.c | 86 ++++++++++++++++---
1 file changed, 74 insertions(+), 12 deletions(-)
diff --git a/src/daemon/executor/container_cb/execution_information.c b/src/daemon/executor/container_cb/execution_information.c
index 2f3d3627..86bb2894 100644
--- a/src/daemon/executor/container_cb/execution_information.c
+++ b/src/daemon/executor/container_cb/execution_information.c
@@ -176,24 +176,83 @@ out:
static int get_proxy_env(char **proxy, const char *type)
{
int ret = 0;
- char *tmp = NULL;
-
- *proxy = getenv(type);
- if (*proxy == NULL) {
- tmp = util_strings_to_upper(type);
+ int nret;
+ char *tmp_proxy = NULL;
+ char *col_pos = NULL;
+ char *at_pos = NULL;
+ size_t proxy_len;
+ const char *mask_str = "//xxxx:xxxx";
+
+ tmp_proxy = getenv(type);
+ if (tmp_proxy == NULL) {
+ char *tmp = util_strings_to_upper(type);
if (tmp == NULL) {
ERROR("Failed to upper string!");
- ret = -1;
- goto out;
- }
- *proxy = getenv(tmp);
- if (*proxy == NULL) {
- *proxy = "";
+ return -1;
}
+ tmp_proxy = getenv(tmp);
+ free(tmp);
+ }
+
+ if (tmp_proxy == NULL) {
+ return 0;
+ }
+
+ if (strlen(tmp_proxy) >= PATH_MAX) {
+ ERROR("Too long proxy string.");
+ return -1;
+ }
+ tmp_proxy = util_strdup_s(tmp_proxy);
+
+ if (strcmp(NO_PROXY, type) == 0) {
+ *proxy = tmp_proxy;
+ return 0;
+ }
+
+ // mask username and password of proxy
+ col_pos = strchr(tmp_proxy, ':');
+ if (col_pos == NULL) {
+ ERROR("Invalid proxy.");
+ ret = -1;
+ goto out;
+ }
+ at_pos = strrchr(tmp_proxy, '@');
+ if (at_pos == NULL) {
+ // no '@', represent no user information in proxy,
+ // just return original proxy
+ *proxy = tmp_proxy;
+ return 0;
+ }
+
+ // first colon position must before than at position
+ if ((at_pos - col_pos) < 0) {
+ ret = -1;
+ goto out;
}
+ // proxy with userinfo format like: 'http://xxx:xxx@xxxx.com'
+ // so masked proxy length = len(proxy) - (pos(@) - pos(:) + 1) + len(mask-str) + '\0'
+ proxy_len = strlen(tmp_proxy);
+ proxy_len -= (at_pos - tmp_proxy);
+ proxy_len += (col_pos - tmp_proxy) + 1;
+ proxy_len += strlen(mask_str) + 1;
+ *proxy = util_common_calloc_s(proxy_len);
+ if (*proxy == NULL) {
+ ERROR("Out of memory");
+ ret = -1;
+ goto out;
+ }
+ *col_pos = '\0';
+ nret = snprintf(*proxy, proxy_len, "%s:%s%s", tmp_proxy, mask_str, at_pos);
+ if (nret < 0 || nret >= proxy_len) {
+ ret = -1;
+ free(*proxy);
+ *proxy = NULL;
+ goto out;
+ }
+
out:
- free(tmp);
+ util_free_sensitive_string(tmp_proxy);
return ret;
}
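Review bot: The masking assumes the first `:` in the value is the scheme separator (`col_pos = strchr(tmp_proxy, ':');`), which does not hold for a proxy written without a scheme. For a constructed value such as `user:secret@host:8080` the result is `user://xxxx:xxxx@host:8080`, so the username is still disclosed in the `isula info` output. I would do the separator lookup after the `at_pos == NULL` early return and anchor it on the scheme, `col_pos = strstr(tmp_proxy, "://");`, treating a NULL result or a match located after `at_pos` as an invalid proxy. The two silent `ret = -1` exits (colon after `@`, and the `snprintf` length check) would also benefit from an `ERROR(...)` line that does not include the proxy value, so a rejected setting is diagnosable without logging the secret.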
@@ -340,6 +399,9 @@ static int isulad_info_cb(const host_info_request *request, host_info_response *
#endif
pack_response:
+ free(http_proxy);
+ free(https_proxy);
+ free(no_proxy);
if (*response != NULL) {
(*response)->cc = cc;
}
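Review bot: These three `free()` calls are only safe if `http_proxy`, `https_proxy` and `no_proxy` start out as NULL at their declarations, which are outside the hunk. The reworked `get_proxy_env` returns 0 without writing `*proxy` when the variable is unset, where the old code stored `""`. Any use of the three strings earlier in `isulad_info_cb` therefore has to tolerate NULL now, and has to copy them into the response rather than store the pointers, since they are released here. A comment at the declarations such as `/* heap-owned by this function; left untouched by get_proxy_env when the variable is unset */` would record that contract.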
--
2.40.1


@ -1,115 +0,0 @@
From e40f451f5b919ba4154cc6005439f6b4370a7ac3 Mon Sep 17 00:00:00 2001
From: haozi007 <liuhao27@huawei.com>
Date: Mon, 4 Sep 2023 17:13:13 +0800
Subject: [PATCH 31/33] add testcase for isula info
Signed-off-by: haozi007 <liuhao27@huawei.com>
---
CI/test_cases/container_cases/info.sh | 95 +++++++++++++++++++++++++++
1 file changed, 95 insertions(+)
create mode 100755 CI/test_cases/container_cases/info.sh
diff --git a/CI/test_cases/container_cases/info.sh b/CI/test_cases/container_cases/info.sh
new file mode 100755
index 00000000..e6c03a49
--- /dev/null
+++ b/CI/test_cases/container_cases/info.sh
@@ -0,0 +1,95 @@
+#!/bin/bash
+#
+# attributes: isula info operator
+# concurrent: YES
+# spend time: 1
+
+#######################################################################
+##- Copyright (c) Huawei Technologies Co., Ltd. 2023. All rights reserved.
+# - iSulad licensed under the Mulan PSL v2.
+# - You can use this software according to the terms and conditions of the Mulan PSL v2.
+# - You may obtain a copy of Mulan PSL v2 at:
+# - http://license.coscl.org.cn/MulanPSL2
+# - THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+# - IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+# - PURPOSE.
+# - See the Mulan PSL v2 for more details.
+##- @Description:CI
+##- @Author: haozi007
+##- @Create: 2023-09-04
+#######################################################################
+
+curr_path=$(dirname $(readlink -f "$0"))
+data_path=$(realpath $curr_path/../data)
+source ../helpers.sh
+
+function do_test_t()
+{
+ check_valgrind_log
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - stop isulad failed" && ((ret++))
+ export http_proxy="http://test:123456@testproxy.com"
+ export https_proxy="http://test:123456@testproxy.com"
+ export no_proxy="127.0.0.1"
+ start_isulad_with_valgrind
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - start isulad failed" && ((ret++))
+ isula info | grep "Http Proxy" | grep "http://xxxx:xxxx@testproxy.com"
+ fn_check_eq "$?" "0" "check http proxy failed"
+ isula info | grep "Https Proxy" | grep "http://xxxx:xxxx@testproxy.com"
+ fn_check_eq "$?" "0" "check https proxy failed"
+ isula info | grep "No Proxy" | grep "127.0.0.1"
+ fn_check_eq "$?" "0" "check no proxy failed"
+
+ check_valgrind_log
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - stop isulad failed" && ((ret++))
+ export http_proxy="https://example.com"
+ export no_proxy="127.0.0.1"
+ start_isulad_with_valgrind
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - start isulad failed" && ((ret++))
+ isula info | grep "Http Proxy" | grep "https://example.com"
+ fn_check_eq "$?" "0" "check http proxy failed"
+ isula info | grep "No Proxy" | grep "127.0.0.1"
+ fn_check_eq "$?" "0" "check no proxy failed"
+
+ check_valgrind_log
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - stop isulad failed" && ((ret++))
+ export http_proxy="http//abc.com"
+ export no_proxy="127.0.0.1:localhost"
+ start_isulad_with_valgrind
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - start isulad failed" && ((ret++))
+ isula info | grep "Http Proxy"
+ fn_check_ne "$?" "0" "check http proxy failed"
+ isula info | grep "No Proxy"
+ fn_check_ne "$?" "0" "check no proxy failed"
+
+ check_valgrind_log
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - stop isulad failed" && ((ret++))
+ export http_proxy="http//xxxx@abc:abc.com"
+ export no_proxy="127.0.0.1"
+ start_isulad_with_valgrind
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - start isulad failed" && ((ret++))
+ isula info | grep "Http Proxy"
+ fn_check_ne "$?" "0" "check http proxy failed"
+ isula info | grep "No Proxy"
+ fn_check_ne "$?" "0" "check no proxy failed"
+
+ check_valgrind_log
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - stop isulad failed" && ((ret++))
+ unset https_proxy http_proxy no_proxy
+ start_isulad_with_valgrind
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - start isulad failed" && ((ret++))
+ isula info | grep "Http Proxy"
+ fn_check_ne "$?" "0" "check http proxy failed"
+ isula info | grep "No Proxy"
+ fn_check_ne "$?" "0" "check no proxy failed"
+
+ return $TC_RET_T
+}
+
+ret=0
+
+do_test_t
+if [ $? -ne 0 ];then
+ let "ret=$ret + 1"
+fi
+
+show_result $ret "basic info"
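Review bot: The positive checks only grep for the masked form, and nothing asserts that the original credentials are absent, so output containing both the masked and the raw URL would still pass. After the first `start_isulad_with_valgrind` I would add `isula info | grep "123456"` followed by `fn_check_ne "$?" "0" "proxy password leaked"`. The cases also omit a proxy that has userinfo but no scheme, and a password containing `:` or `@`, which are the inputs where the colon and at-sign arithmetic in `get_proxy_env` is most likely to go wrong. `https_proxy` is exported once in the first case and stays set until the final `unset`, so the later cases are not testing `http_proxy` in isolation; a comment saying whether that is intended would help.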
--
2.40.1


@ -1,25 +0,0 @@
From ff0bf5155c163c5230b3ac6d71e2dfc1ed6cfa01 Mon Sep 17 00:00:00 2001
From: haozi007 <liuhao27@huawei.com>
Date: Tue, 12 Sep 2023 17:24:24 +0800
Subject: [PATCH 32/33] fix oci import compile error
Signed-off-by: haozi007 <liuhao27@huawei.com>
---
src/daemon/modules/image/oci/oci_import.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/daemon/modules/image/oci/oci_import.c b/src/daemon/modules/image/oci/oci_import.c
index 0568c23f..058107a4 100644
--- a/src/daemon/modules/image/oci/oci_import.c
+++ b/src/daemon/modules/image/oci/oci_import.c
@@ -33,6 +33,7 @@
#include "utils_file.h"
#include "utils_timestamp.h"
#include "util_archive.h"
+#include "utils_images.h"
#define IMPORT_COMMENT "Imported from tarball"
#define ROOTFS_TYPE "layers"
--
2.40.1


@ -1,60 +0,0 @@
From bfd1b325eb93083ce4478c28aa61101ac553b458 Mon Sep 17 00:00:00 2001
From: xuxuepeng <xuxuepeng1@huawei.com>
Date: Wed, 13 Sep 2023 02:16:12 +0000
Subject: [PATCH 33/33] !2188 Support both C++11 and C++17 * Support both C++11
and C++17
---
cmake/set_build_flags.cmake | 11 ++++++++++-
test/fuzz/CMakeLists.txt | 13 ++++++++++++-
2 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/cmake/set_build_flags.cmake b/cmake/set_build_flags.cmake
index 09c85c65..38069791 100644
--- a/cmake/set_build_flags.cmake
+++ b/cmake/set_build_flags.cmake
@@ -3,7 +3,16 @@ set(CMAKE_C_FLAGS "-fPIC -fstack-protector-all -D_FORTIFY_SOURCE=2 -O2 -Wall -fP
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -D__FILENAME__='\"$(subst ${CMAKE_SOURCE_DIR}/,,$(abspath $<))\"'")
if (GRPC_CONNECTOR)
- set(CMAKE_CXX_FLAGS "-fPIC -std=c++17 -fstack-protector-all -D_FORTIFY_SOURCE=2 -O2 -Wall -Wno-error=deprecated-declarations")
+ include(CheckCXXCompilerFlag)
+ CHECK_CXX_COMPILER_FLAG("-std=c++17" COMPILER_SUPPORTS_CXX17)
+ if (COMPILER_SUPPORTS_CXX17)
+ message(STATUS "The compiler ${CMAKE_CXX_COMPILER} has C++17 support.")
+ set(CMAKE_CXX_VERSION "-std=c++17")
+ else()
+ message(STATUS "The compiler ${CMAKE_CXX_COMPILER} has no C++17 support. Use C++11.")
+ set(CMAKE_CXX_VERSION "-std=c++11")
+ endif()
+ set(CMAKE_CXX_FLAGS "-fPIC ${CMAKE_CXX_VERSION} -fstack-protector-all -D_FORTIFY_SOURCE=2 -O2 -Wall -Wno-error=deprecated-declarations")
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -D__FILENAME__='\"$(subst ${CMAKE_SOURCE_DIR}/,,$(abspath $<))\"'")
endif()
set(CMAKE_SHARED_LINKER_FLAGS "-Wl,-E -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -Wtrampolines -shared -pthread")
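Review bot: `CMAKE_CXX_VERSION` is a project variable placed in the `CMAKE_` namespace, which CMake reserves for its own identifiers; a project-prefixed name such as `ISULAD_CXX_STD_FLAG` avoids a future clash. The same `CheckCXXCompilerFlag` block is repeated verbatim in the `test/fuzz/CMakeLists.txt` hunk, so the two can drift apart; moving it into one included file would keep the daemon and the fuzz targets on the same standard. The fallback to `-std=c++11` is announced only at `STATUS` level, so a short comment above the `else()` branch stating which toolchains it is meant for would help whoever later has to decide whether C++17-only code is acceptable.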
diff --git a/test/fuzz/CMakeLists.txt b/test/fuzz/CMakeLists.txt
index 617a168f..0682ffa3 100644
--- a/test/fuzz/CMakeLists.txt
+++ b/test/fuzz/CMakeLists.txt
@@ -34,7 +34,18 @@ MESSAGE(STATUS "GCLANG_PP_BINARY is set to ${GCLANG_PP_BINARY}")
SET(CMAKE_C_COMPILER "${GCLANG_BINARY}")
SET(CMAKE_CXX_COMPILER "${GCLANG_PP_BINARY}")
SET(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -g -O0 --coverage -fsanitize=fuzzer,address -fsanitize-coverage=indirect-calls,trace-cmp,trace-div,trace-gep")
-SET(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -g -O0 --coverage -std=c++17 -fsanitize=fuzzer,address -fsanitize-coverage=indirect-calls,trace-cmp,trace-div,trace-gep")
+
+include(CheckCXXCompilerFlag)
+CHECK_CXX_COMPILER_FLAG("-std=c++17" COMPILER_SUPPORTS_CXX17)
+if (COMPILER_SUPPORTS_CXX17)
+ message(STATUS "The compiler ${CMAKE_CXX_COMPILER} has C++17 support.")
+ set(CMAKE_CXX_VERSION "-std=c++17")
+else()
+ message(STATUS "The compiler ${CMAKE_CXX_COMPILER} has no C++17 support. Use C++11.")
+ set(CMAKE_CXX_VERSION "-std=c++11")
+endif()
+
+SET(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -g -O0 --coverage ${CMAKE_CXX_VERSION} -fsanitize=fuzzer,address -fsanitize-coverage=indirect-calls,trace-cmp,trace-div,trace-gep")
SET(CMAKE_RUNTIME_OUTPUT_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR})
SET(EXE0 test_volume_mount_spec_fuzz)
--
2.40.1


@ -1,5 +1,5 @@
%global _version 2.1.3
%global _release 2
%global _version 2.1.4
%global _release 1
%global is_systemd 1
%global enable_criv1 1
%global enable_shimv2 1
@ -15,39 +15,23 @@ URL: https://gitee.com/openeuler/iSulad
Source: https://gitee.com/openeuler/iSulad/repository/archive/v%{version}.tar.gz
BuildRoot: {_tmppath}/iSulad-%{version}
Patch0001: 0001-2155-Use-reference-in-loop-in-listpodsandbox.patch
Patch0002: 0002-2156-Fix-sandbox-error-logging.patch
Patch0003: 0003-2158-Use-crictl-v1.22.0-for-ci.patch
Patch0004: 0004-2162-Fix-rename-issue-for-id-manager.patch
Patch0005: 0005-2163-add-bind-mount-file-lock.patch
Patch0006: 0006-2168-fix-code-bug.patch
Patch0007: 0007-2171-Fix-nullptr-in-src-daemon-entry.patch
Patch0008: 0008-Add-vsock-support-for-exec.patch
Patch0009: 0009-remove-unneccessary-strerror.patch
Patch0010: 0010-do-not-report-low-level-error-to-user.patch
Patch0011: 0011-remove-usage-of-strerror-with-user-defined-errno.patch
Patch0012: 0012-use-gmtime_r-to-replace-gmtime.patch
Patch0013: 0013-improve-report-error-message-of-client.patch
Patch0014: 0014-adapt-new-error-message-for-isula-cp.patch
Patch0015: 0015-2182-Add-mutex-for-container-list-in-sandbox.patch
Patch0016: 0016-2180-fix-execlp-not-enough-args.patch
Patch0017: 0017-2135-modify-incorrect-variable-type.patch
Patch0018: 0018-make-sure-the-input-parameter-is-not-empty-and-optim.patch
Patch0019: 0019-remove-password-in-url-module-and-clean-sensitive-in.patch
Patch0020: 0020-2153-fix-codecheck.patch
Patch0021: 0021-2157-bugfix-for-memset.patch
Patch0022: 0022-2159-use-macros-to-isolate-the-password-option-of-lo.patch
Patch0023: 0023-2161-bugfix-for-api-cmakelist.patch
Patch0024: 0024-2165-preventing-the-use-of-insecure-isulad-tmpdir-di.patch
Patch0025: 0025-2166-move-ensure_isulad_tmpdir_security-function-to-.patch
Patch0026: 0026-2169-using-macros-to-isolate-isulad-s-enable_plugin-.patch
Patch0027: 0027-2178-clean-path-for-fpath-and-verify-chain-id.patch
Patch0028: 0028-2179-modify-the-permissions-of-tmpdir-and-file-lock-.patch
Patch0029: 0029-image-ensure-id-of-loaded-and-pulled-image-is-valid.patch
Patch0030: 0030-mask-proxy-informations.patch
Patch0031: 0031-add-testcase-for-isula-info.patch
Patch0032: 0032-fix-oci-import-compile-error.patch
Patch0033: 0033-2188-Support-both-C-11-and-C-17.patch
Patch0001: 0001-sandbox-del-m_containers-and-m_containersMutex.patch
Patch0002: 0002-sandbox-adapt-UT-when-del-m_containers-and-m_contain.patch
Patch0003: 0003-Add-Readonly-Masked-Path-and-RunAsGroup-support-for-.patch
Patch0004: 0004-network-support-version-opt.patch
Patch0005: 0005-doc-support-version-opt.patch
Patch0006: 0006-2242-disable-grpc-remote-connect-by-default.patch
Patch0007: 0007-2244-Save-task-address-of-shim-v2.patch
Patch0008: 0008-2233-add-runc-append-function-design-doc.patch
Patch0009: 0009-2243-Refactor-capbilities-specs.patch
Patch0010: 0010-2245-fix-utils_verify_ut-failure-when-remote-grpc-fu.patch
Patch0011: 0011-add-runc-attach-implement.patch
Patch0012: 0012-add-runc-attach-implement-unit-test-and-ci-test.patch
Patch0013: 0013-support-gcov-of-CI.patch
Patch0014: 0014-compatibility-for-manage-pods-which-created-by-old-i.patch
Patch0015: 0015-2250-Remove-PERFMON-BPF-CHECKPOINT_RESTORE.patch
Patch0016: 0016-open-ENABLE_GRPC_REMOTE_CONNECT-in-CI.patch
Patch6001: 6001-modify-daemon-json-default-runtime-to-runc.patch
%ifarch x86_64 aarch64
@ -77,8 +61,8 @@ Requires: sqlite
BuildRequires: gtest-devel gmock-devel
%endif
%define lcrver_lower 2.1.2-0
%define lcrver_upper 2.1.3-0
%define lcrver_lower 2.1.3-0
%define lcrver_upper 2.1.4-0
BuildRequires: libisula-devel > %{lcrver_lower} libisula-devel < %{lcrver_upper}
BuildRequires: cmake gcc-c++ yajl-devel lxc lxc-devel
@ -303,6 +287,12 @@ fi
%endif
%changelog
* Tue Nov 14 2023 zhongtao <zhongtao17@huawei.com> - 2.1.4-1
- Type: update
- ID: NA
- SUG: NA
- DESC: update to v2.1.4
* Wed Sep 13 2023 xuxuepeng <xuxuepeng1@huawei.com> - 2.1.3-2
- Type: update
- ID: NA

Binary file not shown.