!391 sync patches from openeuler stable

From: @chengzrz 
Reviewed-by: @duguhaotian 
Signed-off-by: @duguhaotian
This commit is contained in:
openeuler-ci-bot 2022-08-02 08:59:36 +00:00 committed by Gitee
commit aadb3ab253
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
7 changed files with 523 additions and 1 deletions


@ -0,0 +1,49 @@
From 2e404b3aa5fcea87a905fbd7ff3465b6135b701e Mon Sep 17 00:00:00 2001
From: WangFengTu <wangfengtu@huawei.com>
Date: Wed, 20 Jul 2022 14:26:58 +0800
Subject: [PATCH 1/6] do not use tmpfile()
Signed-off-by: WangFengTu <wangfengtu@huawei.com>
---
.../image/oci/storage/layer_store/layer_store.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/daemon/modules/image/oci/storage/layer_store/layer_store.c b/src/daemon/modules/image/oci/storage/layer_store/layer_store.c
index 7e95a52f..208bb3bc 100644
--- a/src/daemon/modules/image/oci/storage/layer_store/layer_store.c
+++ b/src/daemon/modules/image/oci/storage/layer_store/layer_store.c
@@ -2115,7 +2115,9 @@ static void free_tar_split(tar_split *ts)
static tar_split *new_tar_split(layer_t *l, const char *tspath)
{
int ret = 0;
+ int nret = 0;
tar_split *ts = NULL;
+ char path[PATH_MAX] = {0};
ts = util_common_calloc_s(sizeof(tar_split));
if (ts == NULL) {
@@ -2124,12 +2126,20 @@ static tar_split *new_tar_split(layer_t *l, const char *tspath)
goto out;
}
- ts->tmp_file = tmpfile();
+ nret = snprintf(path, sizeof(path), ".%s.tmp", tspath);
+ if (nret < 0 || nret >= PATH_MAX) {
+ ERROR("sprintf .%s.tmp failed", tspath);
+ ret = -1;
+ goto out;
+ }
+
+ ts->tmp_file = fopen(path, "w+");
if (ts->tmp_file == NULL) {
ERROR("create tmpfile failed: %s", strerror(errno));
ret = -1;
goto out;
}
+ (void)unlink(path);
ret = util_gzip_d(tspath, ts->tmp_file);
if (ret != 0) {
--
2.25.1
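Review bot: `ts->tmp_file = fopen(path, "w+");` creates the scratch file non-exclusively at a predictable name derived from tspath, so if that name already exists — including a symlink planted in the layer store — fopen follows it and truncates whatever it points to with the daemon's privileges, and the file gets the umask-default mode rather than 0600; tmpfile() gave exclusive creation and a private mode for free, and this replacement gives up both. Open it with O_CREAT|O_EXCL|O_NOFOLLOW and 0600, wrap the descriptor with fdopen, and keep the unlink; the rewrite below adds an `int fd = -1;` local and needs `<fcntl.h>` and `<unistd.h>` in scope. Separately, the format `".%s.tmp"` prepends the dot to the whole of tspath, so if tspath is absolute the result (`./var/...`) is relative to the daemon's working directory rather than a hidden sibling of the tar-split — worth confirming what tspath looks like at the call sites. new_tar_split's body continues past the hunk.
```c
    nret = snprintf(path, sizeof(path), ".%s.tmp", tspath);
    /* … unchanged: snprintf result check … */
    /* exclusive create, no symlink following, private mode: everything tmpfile() used to give us */
    fd = open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0) {
        ERROR("create tmpfile %s failed: %s", path, strerror(errno));
        ret = -1;
        goto out;
    }
    ts->tmp_file = fdopen(fd, "w+");
    if (ts->tmp_file == NULL) {
        ERROR("fdopen tmpfile failed: %s", strerror(errno));
        close(fd);
        ret = -1;
        goto out;
    }
    (void)unlink(path);
```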


@ -0,0 +1,31 @@
From 025d2c2dad2786eda40f2367cdd727a36b8249df Mon Sep 17 00:00:00 2001
From: WangFengTu <wangfengtu@huawei.com>
Date: Thu, 21 Jul 2022 15:37:07 +0800
Subject: [PATCH 2/6] use only TLS v1.2 or later
Signed-off-by: WangFengTu <wangfengtu@huawei.com>
---
src/utils/http/http.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/utils/http/http.c b/src/utils/http/http.c
index edd05f92..20131660 100644
--- a/src/utils/http/http.c
+++ b/src/utils/http/http.c
@@ -449,6 +449,13 @@ int http_request(const char *url, struct http_get_options *options, long *respon
curl_easy_setopt(curl_handle, CURLOPT_SUPPRESS_CONNECT_HEADERS, 1L);
#endif
+ /* libcurl support option CURL_SSLVERSION_TLSv1_2 when version >= 7.34.0
+ * #define CURL_VERSION_BITS(x,y,z) ((x)<<16|(y)<<8|(z))
+ * CURL_VERSION_BITS(7,34,0) = 0x072200 */
+#if (LIBCURL_VERSION_NUM >= 0x072200)
+ curl_easy_setopt(curl_handle, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
+#endif
+
ret = http_custom_options(curl_handle, options);
if (ret) {
goto out;
--
2.25.1
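Review bot: The result of `curl_easy_setopt(curl_handle, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2)` is discarded, so when the TLS backend libcurl was built against does not honour the option the request silently proceeds with the backend's default floor, which on older stacks still admits TLS 1.0; treat anything but CURLE_OK as fatal, e.g. `if (curl_easy_setopt(curl_handle, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2) != CURLE_OK) { ERROR("Failed to require TLS 1.2 or later"); ret = -1; goto out; }` (the `out` label used by the following check lies outside the hunk). The `#if (LIBCURL_VERSION_NUM >= 0x072200)` guard likewise lets a build against an older libcurl ship with no minimum at all and no indication; a `#warning` or `#error` in an `#else` branch would surface that at build time. `http_custom_options` runs after this line and, if it ever sets SSL options from caller input, could lower the floor again — presumably it does not, but the ordering is worth a one-line comment.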


@ -0,0 +1,122 @@
From a475d8da1122af712dbc79dc5d92f1cb95d519f9 Mon Sep 17 00:00:00 2001
From: zhangxiaoyu <zhangxiaoyu58@huawei.com>
Date: Mon, 25 Jul 2022 20:31:15 +0800
Subject: [PATCH 3/6] don't mount shareable dirs if user set mount for dev shm
Signed-off-by: zhangxiaoyu <zhangxiaoyu58@huawei.com>
---
src/daemon/modules/spec/specs_mount.c | 51 +++++++++++++++------------
1 file changed, 28 insertions(+), 23 deletions(-)
diff --git a/src/daemon/modules/spec/specs_mount.c b/src/daemon/modules/spec/specs_mount.c
index 85623f79..8966293f 100644
--- a/src/daemon/modules/spec/specs_mount.c
+++ b/src/daemon/modules/spec/specs_mount.c
@@ -2699,7 +2699,12 @@ int setup_ipc_dirs(host_config *host_spec, container_config_v2_common_config *v2
int ret = -1;
int nret = 0;
bool has_mount = false;
- char *spath = NULL;
+ const char *spath = NULL;
+
+ if (host_spec == NULL || v2_spec == NULL) {
+ ERROR("Invalid args");
+ return -1;
+ }
// ignore shm of system container
if (host_spec->system_container) {
@@ -2709,16 +2714,20 @@ int setup_ipc_dirs(host_config *host_spec, container_config_v2_common_config *v2
if (host_spec->ipc_mode != NULL && !namespace_is_shareable(host_spec->ipc_mode)) {
return 0;
}
+ // has mount for /dev/shm
+ if (has_mount_shm(host_spec, v2_spec)) {
+ return 0;
+ }
- spath = get_prepare_share_shm_path(host_spec->runtime, v2_spec->id);
+ spath = v2_spec->shm_path;
if (spath == NULL) {
+ ERROR("No shm path");
return -1;
}
// container shm has been mounted
if (util_detect_mounted(spath)) {
DEBUG("shm path %s has been mounted", spath);
- free(spath);
return 0;
}
@@ -2757,7 +2766,6 @@ out:
if (ret != 0 && has_mount) {
(void)umount(spath);
}
- free(spath);
return ret;
}
@@ -2808,20 +2816,6 @@ out_free:
return ret;
}
-static int set_share_shm(const host_config *host_spec, container_config_v2_common_config *v2_spec)
-{
- char *spath = NULL;
-
- spath = get_prepare_share_shm_path(host_spec->runtime, v2_spec->id);
- if (spath == NULL) {
- return -1;
- }
-
- v2_spec->shm_path = spath;
-
- return 0;
-}
-
#define SHM_MOUNT_POINT "/dev/shm"
static int set_shm_path(host_config *host_spec, container_config_v2_common_config *v2_spec)
{
@@ -2836,7 +2830,18 @@ static int set_shm_path(host_config *host_spec, container_config_v2_common_confi
}
// setup shareable dirs
if (host_spec->ipc_mode == NULL || namespace_is_shareable(host_spec->ipc_mode)) {
- return set_share_shm(host_spec, v2_spec);
+ // has mount for /dev/shm
+ if (has_mount_shm(host_spec, v2_spec)) {
+ return 0;
+ }
+
+ v2_spec->shm_path = get_prepare_share_shm_path(host_spec->runtime, v2_spec->id);
+ if (v2_spec->shm_path == NULL) {
+ ERROR("Failed to get prepare share shm path");
+ return -1;
+ }
+
+ return 0;
}
if (namespace_is_container(host_spec->ipc_mode)) {
@@ -3373,14 +3378,14 @@ int merge_conf_mounts(oci_runtime_spec *oci_spec, host_config *host_spec, contai
host_spec->shm_size = DEFAULT_SHM_SIZE;
}
- /* setup ipc dir */
- if (setup_ipc_dirs(host_spec, v2_spec) != 0) {
+ if (set_shm_path(host_spec, v2_spec) != 0) {
+ ERROR("Failed to set shm path");
ret = -1;
goto out;
}
- if (set_shm_path(host_spec, v2_spec) != 0) {
- ERROR("Failed to set shm path");
+ /* setup ipc dir */
+ if (setup_ipc_dirs(host_spec, v2_spec) != 0) {
ret = -1;
goto out;
}
--
2.25.1
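Review bot: `spath = v2_spec->shm_path;` turns setup_ipc_dirs from a function that computed its own path into one that depends on set_shm_path having run first — the last hunk reorders the two calls in merge_conf_mounts to satisfy this, but nothing at setup_ipc_dirs itself records the contract, and any other caller would now fail with "No shm path". I would add above that line: `// shm_path is populated by set_shm_path() and owned by v2_spec; it is borrowed here, never freed.` The same comment should note that when has_mount_shm is true both functions return early and shm_path stays NULL, so later consumers of `v2_spec->shm_path` must tolerate NULL; the code here is consistent with that, but the assumption is only implicit. All three touched functions extend beyond the hunk boundaries.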


@ -0,0 +1,64 @@
From 73e02e66102b3e066d5d6424624461c3024cabe4 Mon Sep 17 00:00:00 2001
From: chengzrz <czrzrichard@gmail.com>
Date: Fri, 29 Jul 2022 14:44:55 +0800
Subject: [PATCH 4/6] tolerate arch unspecified seccomp profiles
Signed-off-by: chengzrz <czrzrichard@gmail.com>
---
src/daemon/modules/spec/specs_security.c | 25 +++++++++++++++---------
1 file changed, 16 insertions(+), 9 deletions(-)
diff --git a/src/daemon/modules/spec/specs_security.c b/src/daemon/modules/spec/specs_security.c
index 643c2745..62f67082 100644
--- a/src/daemon/modules/spec/specs_security.c
+++ b/src/daemon/modules/spec/specs_security.c
@@ -42,11 +42,11 @@
static const char * const g_system_caps[] = { "SYS_BOOT", "SETPCAP", "NET_RAW", "NET_BIND_SERVICE",
#ifdef CAP_AUDIT_WRITE
- "AUDIT_WRITE",
+ "AUDIT_WRITE",
#endif
- "DAC_OVERRIDE", "SETFCAP", "SETGID", "SETUID", "MKNOD", "CHOWN",
- "FOWNER", "FSETID", "KILL", "SYS_CHROOT"
- };
+ "DAC_OVERRIDE", "SETFCAP", "SETGID", "SETUID", "MKNOD", "CHOWN",
+ "FOWNER", "FSETID", "KILL", "SYS_CHROOT"
+ };
static int append_capability(char ***dstcaps, size_t *dstcaps_len, const char *cap)
{
@@ -472,11 +472,6 @@ static size_t docker_seccomp_arches_count(const char *seccomp_architecture, cons
}
}
- if (count == 0) {
- ERROR("seccomp architecture not found");
- count = -1;
- }
-
return count;
}
@@ -498,6 +493,18 @@ static int dup_architectures_to_oci_spec(const char *seccomp_architecture, const
return -1;
}
+ if (arch_size == 0) {
+ WARN("arch map is not provided in specified seccomp profile");
+ oci_seccomp_spec->architectures = util_smart_calloc_s(sizeof(char *), 1);
+ if (oci_seccomp_spec->architectures == NULL) {
+ ERROR("Failed to allocate memory for architectures in seccomp spec");
+ return -1;
+ }
+ oci_seccomp_spec->architectures[oci_seccomp_spec->architectures_len++] =
+ util_strdup_s(seccomp_architecture);
+ return 0;
+ }
+
oci_seccomp_spec->architectures = util_smart_calloc_s(sizeof(char *), arch_size);
if (oci_seccomp_spec->architectures == NULL) {
ERROR("Failed to calloc memory for architectures in seccomp spec");
--
2.25.1
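Review bot: The new `arch_size == 0` branch applies a profile that omits `architectures` to the single native arch in `seccomp_architecture`, and the WARN does not tell the operator that syscalls issued through any other ABI on the same host (e.g. 32-bit x86 on x86_64) are then outside the profile's control — what happens to them presumably falls to the filter's bad-arch behaviour, not to the profile's rules. Make the warning actionable, `WARN("seccomp profile lists no architectures; applying it to %s only", seccomp_architecture);`, and put a comment on the branch along the lines of `// No arch map: filter the native arch only; other ABIs are not covered by this profile — confirm the bad-arch action is what we want.` The removed block in docker_seccomp_arches_count assigned -1 to a count returned as size_t, so dropping it is a fix in its own right, but it leaves `arch_size == 0` as the only remaining signal, which the new branch now handles. Both functions begin outside the hunk.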


@ -0,0 +1,115 @@
From c9c2bb6bfbe2060bdc6af53ca0d752572b21594d Mon Sep 17 00:00:00 2001
From: chengzrz <czrzrichard@gmail.com>
Date: Fri, 29 Jul 2022 14:45:20 +0800
Subject: [PATCH 5/6] add a CI test case, checking seccomp option
Signed-off-by: chengzrz <czrzrichard@gmail.com>
---
CI/test_cases/container_cases/seccomp.sh | 76 +++++++++++++++++++
.../seccomp_profile_without_archmap.json | 11 +++
2 files changed, 87 insertions(+)
create mode 100755 CI/test_cases/container_cases/seccomp.sh
create mode 100644 CI/test_cases/container_cases/test_data/seccomp_profile_without_archmap.json
diff --git a/CI/test_cases/container_cases/seccomp.sh b/CI/test_cases/container_cases/seccomp.sh
new file mode 100755
index 00000000..9e886d10
--- /dev/null
+++ b/CI/test_cases/container_cases/seccomp.sh
@@ -0,0 +1,76 @@
+#!/bin/bash
+#
+# attributes: isulad seccomp run
+# concurrent: NO
+# spend time: 4
+
+#######################################################################
+##- Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+# - iSulad licensed under the Mulan PSL v2.
+# - You can use this software according to the terms and conditions of the Mulan PSL v2.
+# - You may obtain a copy of Mulan PSL v2 at:
+# - http://license.coscl.org.cn/MulanPSL2
+# - THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+# - IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+# - PURPOSE.
+# - See the Mulan PSL v2 for more details.
+##- @Description:CI
+##- @Author: chengzeruizhi
+##- @Create: 2022-07-29
+#######################################################################
+
+curr_path=$(dirname $(readlink -f "$0"))
+test_data_path=$(realpath $curr_path/test_data)
+source ../helpers.sh
+
+function do_pre() {
+ local ret=0
+
+ isula rm -f $(isula ps -qa)
+
+ check_valgrind_log
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - stop isulad failed" && ((ret++))
+
+ start_isulad_with_valgrind
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - start isulad failed" && ((ret++))
+
+ return $ret
+}
+
+function do_test() {
+ local ret=0
+
+ msg_info "this is $0 do_test"
+
+ cid1=$(isula run -tid --security-opt seccomp=/etc/isulad/seccomp_default.json busybox sh)
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - Failed to run container with the default seccomp profile" && ((ret++))
+
+ cid2=$(isula run -tid --security-opt seccomp=${test_data_path}/seccomp_profile_without_archmap.json busybox sh)
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - Failed to run container with a customized seccomp profile" && ((ret++))
+
+ cid3=$(isula run -tid --security-opt seccomp=/etc/isulad/seccomp_default.json \
+ --security-opt seccomp=${test_data_path}/seccomp_profile_without_archmap.json busybox sh)
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - Failed to run container with multiple seccomp profiles" && ((ret++))
+
+ isula stop "${cid1}" "${cid2}" "${cid3}"
+
+ isula rm -f $(isula ps -qa)
+
+ msg_info "${test} finished with return ${ret}..."
+ return ${ret}
+}
+
+function do_post() {
+ check_valgrind_log
+ start_isulad_with_valgrind
+}
+
+declare -i ans=0
+
+do_pre || ((ans++))
+
+do_test || ((ans++))
+
+do_post
+
+show_result ${ans} "${curr_path}/${0}"
diff --git a/CI/test_cases/container_cases/test_data/seccomp_profile_without_archmap.json b/CI/test_cases/container_cases/test_data/seccomp_profile_without_archmap.json
new file mode 100644
index 00000000..1fade163
--- /dev/null
+++ b/CI/test_cases/container_cases/test_data/seccomp_profile_without_archmap.json
@@ -0,0 +1,11 @@
+{
+ "defaultAction": "SCMP_ACT_ALLOW",
+ "syscalls": [
+ {
+ "names": ["getcwd"],
+ "action": "SCMP_ACT_ERRNO",
+ "args": null
+ }
+ ]
+
+}
--
2.25.1
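Review bot: The test only asserts that `isula run` succeeds with each profile; it never checks that the arch-less profile is actually enforced inside the container, so a regression that silently dropped the filter would still pass. After starting `cid2`, exercise the denied syscall and require failure, e.g. `isula exec "${cid2}" sh -c pwd && msg_err "${FUNCNAME[0]}:${LINENO} - getcwd was not blocked by the seccomp profile" && ((ret++))` (busybox `pwd` calls getcwd, which the profile maps to SCMP_ACT_ERRNO). `${test}` in the final msg_info is never assigned in this script, and `source ../helpers.sh` resolves against the caller's working directory while test_data_path is built from curr_path — `source "${curr_path}/../helpers.sh"` keeps the two consistent. The `cid3` case passes two `--security-opt seccomp=` values but asserts nothing about which one wins.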


@ -0,0 +1,129 @@
From 9498a8df59f69acbf75f9aa69fef465350288bb8 Mon Sep 17 00:00:00 2001
From: zhangxiaoyu <zhangxiaoyu58@huawei.com>
Date: Mon, 1 Aug 2022 11:20:31 +0800
Subject: [PATCH 6/6] fix cri attach when stdout and stderr are false
Signed-off-by: zhangxiaoyu <zhangxiaoyu58@huawei.com>
---
.../cri/websocket/service/attach_serve.cc | 28 +++++++++++++------
.../entry/cri/websocket/service/ws_server.cc | 22 +++++++++++++++
.../entry/cri/websocket/service/ws_server.h | 2 ++
3 files changed, 44 insertions(+), 8 deletions(-)
diff --git a/src/daemon/entry/cri/websocket/service/attach_serve.cc b/src/daemon/entry/cri/websocket/service/attach_serve.cc
index abb08363..57711180 100644
--- a/src/daemon/entry/cri/websocket/service/attach_serve.cc
+++ b/src/daemon/entry/cri/websocket/service/attach_serve.cc
@@ -101,31 +101,40 @@ int AttachServe::ExecuteStreamCommand(SessionData *lwsCtx, void *request)
return -1;
}
+ // stdout
struct AttachContext stdoutContext = { 0 };
stdoutContext.lwsCtx = lwsCtx;
stdoutContext.sem = &attachSem;
- stdoutContext.attachWriter = WsWriteStdoutToClient;
+ // write stdout to client if attach stdout is true
+ stdoutContext.attachWriter = m_request->attach_stdout ? WsWriteStdoutToClient : WsDoNotWriteStdoutToClient;
struct io_write_wrapper stdoutstringWriter = { 0 };
stdoutstringWriter.context = static_cast<void *>(&stdoutContext);
stdoutstringWriter.write_func = AttachWriteToClient;
- // the close function of StderrstringWriter is preferred unless StderrstringWriter is nullptr
- stdoutstringWriter.close_func = m_request->attach_stderr ? nullptr : AttachConnectClosed;
+ stdoutstringWriter.close_func = AttachConnectClosed;
+ // stderr
struct AttachContext stderrContext = { 0 };
stderrContext.lwsCtx = lwsCtx;
- stderrContext.sem = &attachSem;
- stderrContext.attachWriter = WsWriteStderrToClient;
+ stderrContext.sem = nullptr;
+ // write stderr to client if attach stderr is true
+ stderrContext.attachWriter = m_request->attach_stderr ? WsWriteStderrToClient : WsDoNotWriteStderrToClient;
struct io_write_wrapper stderrstringWriter = { 0 };
stderrstringWriter.context = static_cast<void *>(&stderrContext);
stderrstringWriter.write_func = AttachWriteToClient;
- stderrstringWriter.close_func = m_request->attach_stderr ? AttachConnectClosed : nullptr;
+ stderrstringWriter.close_func = nullptr;
+
+ // Maybe attach stdout and stderr are both false.
+ // To make sure the close func sem_post, set attach stdout and stderr true.
+ bool record_attach_stdout = m_request->attach_stdout;
+ bool record_attach_stderr = m_request->attach_stderr;
+ m_request->attach_stdout=true;
+ m_request->attach_stderr=true;
container_attach_response *m_response { nullptr };
int ret = cb->container.attach(m_request, &m_response, m_request->attach_stdin ? lwsCtx->pipes.at(0) : -1,
- m_request->attach_stdout ? &stdoutstringWriter : nullptr,
- m_request->attach_stderr ? &stderrstringWriter : nullptr);
+ &stdoutstringWriter, &stderrstringWriter);
if (ret != 0) {
// join io copy thread in attach callback
@@ -139,11 +148,14 @@ int AttachServe::ExecuteStreamCommand(SessionData *lwsCtx, void *request)
}
WsWriteStdoutToClient(lwsCtx, message.c_str(), message.length());
} else {
+ // wait io copy thread complete
(void)sem_wait(&attachSem);
}
(void)sem_destroy(&attachSem);
free_container_attach_response(m_response);
+ m_request->attach_stdout = record_attach_stdout;
+ m_request->attach_stderr = record_attach_stderr;
return ret;
}
diff --git a/src/daemon/entry/cri/websocket/service/ws_server.cc b/src/daemon/entry/cri/websocket/service/ws_server.cc
index 98c0fee0..08f2cff0 100644
--- a/src/daemon/entry/cri/websocket/service/ws_server.cc
+++ b/src/daemon/entry/cri/websocket/service/ws_server.cc
@@ -703,6 +703,28 @@ ssize_t WsWriteStderrToClient(void *context, const void *data, size_t len)
return WsWriteToClient(context, data, len, STDERRCHANNEL);
}
+ssize_t WsDoNotWriteStdoutToClient(void *context, const void *data, size_t len)
+{
+ if (context == nullptr) {
+ ERROR("websocket session context empty");
+ return -1;
+ }
+
+ TRACE("Ws do not write stdout to client");
+ return len;
+}
+
+ssize_t WsDoNotWriteStderrToClient(void *context, const void *data, size_t len)
+{
+ if (context == nullptr) {
+ ERROR("websocket session context empty");
+ return -1;
+ }
+
+ TRACE("Ws do not write stderr to client");
+ return len;
+}
+
int closeWsConnect(void *context, char **err)
{
(void)err;
diff --git a/src/daemon/entry/cri/websocket/service/ws_server.h b/src/daemon/entry/cri/websocket/service/ws_server.h
index b871aabc..a2a180ec 100644
--- a/src/daemon/entry/cri/websocket/service/ws_server.h
+++ b/src/daemon/entry/cri/websocket/service/ws_server.h
@@ -113,6 +113,8 @@ private:
ssize_t WsWriteStdoutToClient(void *context, const void *data, size_t len);
ssize_t WsWriteStderrToClient(void *context, const void *data, size_t len);
+ssize_t WsDoNotWriteStdoutToClient(void *context, const void *data, size_t len);
+ssize_t WsDoNotWriteStderrToClient(void *context, const void *data, size_t len);
int closeWsConnect(void *context, char **err);
#endif // DAEMON_ENTRY_CRI_WEBSOCKET_SERVICE_WS_SERVER_H
--
2.25.1
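Review bot: The override `m_request->attach_stdout=true; m_request->attach_stderr=true;` is undone only at the very end of the function, after sem_destroy; the `if (ret != 0)` branch right after the attach call is cut off by the hunk, and if it returns early the request object is left with both flags forced on, which any later reader of those fields on the same request would see as a changed contract. A small scope guard restores the original values on every exit path and lets the two manual restore lines go; sketch below, keeping `decltype(m_request)` so the request type does not need naming here. The two assignments also lack spaces around `=`, unlike the rest of the file. ExecuteStreamCommand begins before the hunk.
```cpp
    // Force both writers on so the attach callback always installs the stdout
    // close_func (presumably the only one that posts attachSem); restore the
    // caller's flags on every exit path, including an early return on failure.
    struct FlagRestore {
        decltype(m_request) req;
        bool out;
        bool err;
        ~FlagRestore() { req->attach_stdout = out; req->attach_stderr = err; }
    } restore_flags { m_request, m_request->attach_stdout, m_request->attach_stderr };
    m_request->attach_stdout = true;
    m_request->attach_stderr = true;
    // … unchanged: cb->container.attach call, error handling, sem_wait/sem_destroy …
    free_container_attach_response(m_response);
    return ret;
```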


@ -1,5 +1,5 @@
%global _version 2.0.15
%global _release 1
%global _release 2
%global is_systemd 1
%global enable_shimv2 1
%global is_embedded 1
@ -13,6 +13,12 @@ URL: https://gitee.com/openeuler/iSulad
Source: https://gitee.com/openeuler/iSulad/repository/archive/v%{version}.tar.gz
BuildRoot: {_tmppath}/iSulad-%{version}
Patch6000: 0001-do-not-use-tmpfile.patch
Patch6001: 0002-use-only-TLS-v1.2-or-later.patch
Patch6002: 0003-don-t-mount-shareable-dirs-if-user-set-mount-for-dev.patch
Patch6003: 0004-tolerate-arch-unspecified-seccomp-profiles.patch
Patch6004: 0005-add-a-CI-test-case-checking-seccomp-option.patch
Patch6005: 0006-fix-cri-attach-when-stdout-and-stderr-are-false.patch
%ifarch x86_64 aarch64
Provides: libhttpclient.so()(64bit)
@ -240,6 +246,12 @@ fi
%endif
%changelog
* Mon Aug 1 2022 chengzeruizhi <chengzeruizhi@huawei.com> - 2.0.15-2
- Type: enhancement
- ID: NA
- SUG: NA
- DESC: sycn patches from openeuler branch
* Fri Jul 8 2022 haozi007 <liuhao27@huawei.com> - 2.0.15-1
- Type: enhancement
- ID: NA