diff --git a/0001-do-not-use-tmpfile.patch b/0001-do-not-use-tmpfile.patch
new file mode 100644
index 0000000..4a35bc9
--- /dev/null
+++ b/0001-do-not-use-tmpfile.patch
@@ -0,0 +1,49 @@
+From 2e404b3aa5fcea87a905fbd7ff3465b6135b701e Mon Sep 17 00:00:00 2001
+From: WangFengTu
+Date: Wed, 20 Jul 2022 14:26:58 +0800
+Subject: [PATCH 1/6] do not use tmpfile()
+
+Signed-off-by: WangFengTu
+---
+ .../image/oci/storage/layer_store/layer_store.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/src/daemon/modules/image/oci/storage/layer_store/layer_store.c b/src/daemon/modules/image/oci/storage/layer_store/layer_store.c
+index 7e95a52f..208bb3bc 100644
+--- a/src/daemon/modules/image/oci/storage/layer_store/layer_store.c
++++ b/src/daemon/modules/image/oci/storage/layer_store/layer_store.c
+@@ -2115,7 +2115,9 @@ static void free_tar_split(tar_split *ts)
+ static tar_split *new_tar_split(layer_t *l, const char *tspath)
+ {
+ int ret = 0;
++ int nret = 0;
+ tar_split *ts = NULL;
++ char path[PATH_MAX] = {0};
+
+ ts = util_common_calloc_s(sizeof(tar_split));
+ if (ts == NULL) {
+@@ -2124,12 +2126,20 @@ static tar_split *new_tar_split(layer_t *l, const char *tspath)
+ goto out;
+ }
+
+- ts->tmp_file = tmpfile();
++ nret = snprintf(path, sizeof(path), ".%s.tmp", tspath);
++ if (nret < 0 || nret >= PATH_MAX) {
++ ERROR("sprintf .%s.tmp failed", tspath);
++ ret = -1;
++ goto out;
++ }
++
++ ts->tmp_file = fopen(path, "w+");
+ if (ts->tmp_file == NULL) {
+ ERROR("create tmpfile failed: %s", strerror(errno));
+ ret = -1;
+ goto out;
+ }
++ (void)unlink(path);
+
+ ret = util_gzip_d(tspath, ts->tmp_file);
+ if (ret != 0) {
+--
+2.25.1
+
diff --git a/0002-use-only-TLS-v1.2-or-later.patch b/0002-use-only-TLS-v1.2-or-later.patch
new file mode 100644
index 0000000..85eb719
--- /dev/null
+++ b/0002-use-only-TLS-v1.2-or-later.patch
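Review bot: In new_tar_split, `ts->tmp_file = fopen(path, "w+")` creates a file at a predictable name without O_EXCL, so it follows a symlink planted at `.<tspath>.tmp` and truncates the target, and it silently reuses any existing file there; as the daemon is privileged, open it with `O_RDWR | O_CREAT | O_EXCL | O_CLOEXEC` and `fdopen` so a pre-existing path is refused, and unlink a stale leftover first so a crash between open and unlink does not wedge the layer permanently. The format `".%s.tmp"` is worth a second look: tspath is not visible in the hunk, but if it is an absolute path the leading dot makes this a CWD-relative `./var/...` name rather than a dotfile next to tspath, which `"%s.tmp"` would avoid. The message `"sprintf .%s.tmp failed"` names the wrong function, and `nret >= PATH_MAX` should be `(size_t)nret >= sizeof(path)` so the check tracks the buffer. new_tar_split's body continues past the hunk.
```c
    int fd = -1;
    /* … unchanged: ts = util_common_calloc_s(...) and its NULL check … */

    nret = snprintf(path, sizeof(path), ".%s.tmp", tspath);
    if (nret < 0 || (size_t)nret >= sizeof(path)) {
        ERROR("snprintf .%s.tmp failed", tspath);
        ret = -1;
        goto out;
    }

    /* a leftover from an earlier crash would otherwise make O_EXCL fail forever */
    (void)unlink(path);
    /* O_EXCL: never follow a symlink or reuse a file at this predictable name */
    fd = open(path, O_RDWR | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
    if (fd < 0) {
        ERROR("create tmpfile %s failed: %s", path, strerror(errno));
        ret = -1;
        goto out;
    }
    ts->tmp_file = fdopen(fd, "w+");
    if (ts->tmp_file == NULL) {
        ERROR("fdopen %s failed: %s", path, strerror(errno));
        close(fd);
        ret = -1;
        goto out;
    }
    (void)unlink(path);

    /* … unchanged: util_gzip_d(tspath, ts->tmp_file) … */
```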
@@ -0,0 +1,31 @@
+From 025d2c2dad2786eda40f2367cdd727a36b8249df Mon Sep 17 00:00:00 2001
+From: WangFengTu
+Date: Thu, 21 Jul 2022 15:37:07 +0800
+Subject: [PATCH 2/6] use only TLS v1.2 or later
+
+Signed-off-by: WangFengTu
+---
+ src/utils/http/http.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/utils/http/http.c b/src/utils/http/http.c
+index edd05f92..20131660 100644
+--- a/src/utils/http/http.c
++++ b/src/utils/http/http.c
+@@ -449,6 +449,13 @@ int http_request(const char *url, struct http_get_options *options, long *respon
+ curl_easy_setopt(curl_handle, CURLOPT_SUPPRESS_CONNECT_HEADERS, 1L);
+ #endif
+
++ /* libcurl support option CURL_SSLVERSION_TLSv1_2 when version >= 7.34.0
++ * #define CURL_VERSION_BITS(x,y,z) ((x)<<16|(y)<<8|(z))
++ * CURL_VERSION_BITS(7,34,0) = 0x072200 */
++#if (LIBCURL_VERSION_NUM >= 0x072200)
++ curl_easy_setopt(curl_handle, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
++#endif
++
+ ret = http_custom_options(curl_handle, options);
+ if (ret) {
+ goto out;
+--
+2.25.1
+
diff --git a/0003-don-t-mount-shareable-dirs-if-user-set-mount-for-dev.patch b/0003-don-t-mount-shareable-dirs-if-user-set-mount-for-dev.patch
new file mode 100644
index 0000000..9452843
--- /dev/null
+++ b/0003-don-t-mount-shareable-dirs-if-user-set-mount-for-dev.patch
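Review bot: The added `curl_easy_setopt(curl_handle, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2)` discards its return code, so on a build whose TLS backend rejects the option (CURLE_NOT_BUILT_IN or CURLE_UNKNOWN_OPTION) the request silently continues with libcurl's default floor instead of failing closed; check it, e.g. `if (curl_easy_setopt(curl_handle, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2) != CURLE_OK) { ERROR("Failed to set minimum TLS version"); ret = -1; goto out; }`. The `#if (LIBCURL_VERSION_NUM >= 0x072200)` likewise compiles the floor away on older libcurl with no trace; an `#else` carrying `#warning` (or a runtime `WARN`) would make that visible to whoever builds the package. Whether `http_custom_options(curl_handle, options)` just below can override CURLOPT_SSLVERSION is not visible here; if it can, the floor should be set after it rather than before. http_request continues outside the hunk.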
@@ -0,0 +1,122 @@ +From a475d8da1122af712dbc79dc5d92f1cb95d519f9 Mon Sep 17 00:00:00 2001 +From: zhangxiaoyu +Date: Mon, 25 Jul 2022 20:31:15 +0800 +Subject: [PATCH 3/6] don't mount shareable dirs if user set mount for dev shm + +Signed-off-by: zhangxiaoyu +--- + src/daemon/modules/spec/specs_mount.c | 51 +++++++++++++++------------ + 1 file changed, 28 insertions(+), 23 deletions(-) + +diff --git a/src/daemon/modules/spec/specs_mount.c b/src/daemon/modules/spec/specs_mount.c +index 85623f79..8966293f 100644 +--- a/src/daemon/modules/spec/specs_mount.c ++++ b/src/daemon/modules/spec/specs_mount.c +@@ -2699,7 +2699,12 @@ int setup_ipc_dirs(host_config *host_spec, container_config_v2_common_config *v2 + int ret = -1; + int nret = 0; + bool has_mount = false; +- char *spath = NULL; ++ const char *spath = NULL; ++ ++ if (host_spec == NULL || v2_spec == NULL) { ++ ERROR("Invalid args"); ++ return -1; ++ } + + // ignore shm of system container + if (host_spec->system_container) { +@@ -2709,16 +2714,20 @@ int setup_ipc_dirs(host_config *host_spec, container_config_v2_common_config *v2 + if (host_spec->ipc_mode != NULL && !namespace_is_shareable(host_spec->ipc_mode)) { + return 0; + } ++ // has mount for /dev/shm ++ if (has_mount_shm(host_spec, v2_spec)) { ++ return 0; ++ } + +- spath = get_prepare_share_shm_path(host_spec->runtime, v2_spec->id); ++ spath = v2_spec->shm_path; + if (spath == NULL) { ++ ERROR("No shm path"); + return -1; + } + + // container shm has been mounted + if (util_detect_mounted(spath)) { + DEBUG("shm path %s has been mounted", spath); +- free(spath); + return 0; + } + +@@ -2757,7 +2766,6 @@ out: + if (ret != 0 && has_mount) { + (void)umount(spath); + } +- free(spath); + return ret; + } + +@@ -2808,20 +2816,6 @@ out_free: + return ret; + } + +-static int set_share_shm(const host_config *host_spec, container_config_v2_common_config *v2_spec) +-{ +- char *spath = NULL; +- +- spath = get_prepare_share_shm_path(host_spec->runtime, v2_spec->id); +- if 
(spath == NULL) { +- return -1; +- } +- +- v2_spec->shm_path = spath; +- +- return 0; +-} +- + #define SHM_MOUNT_POINT "/dev/shm" + static int set_shm_path(host_config *host_spec, container_config_v2_common_config *v2_spec) + { +@@ -2836,7 +2830,18 @@ static int set_shm_path(host_config *host_spec, container_config_v2_common_confi + } + // setup shareable dirs + if (host_spec->ipc_mode == NULL || namespace_is_shareable(host_spec->ipc_mode)) { +- return set_share_shm(host_spec, v2_spec); ++ // has mount for /dev/shm ++ if (has_mount_shm(host_spec, v2_spec)) { ++ return 0; ++ } ++ ++ v2_spec->shm_path = get_prepare_share_shm_path(host_spec->runtime, v2_spec->id); ++ if (v2_spec->shm_path == NULL) { ++ ERROR("Failed to get prepare share shm path"); ++ return -1; ++ } ++ ++ return 0; + } + + if (namespace_is_container(host_spec->ipc_mode)) { +@@ -3373,14 +3378,14 @@ int merge_conf_mounts(oci_runtime_spec *oci_spec, host_config *host_spec, contai + host_spec->shm_size = DEFAULT_SHM_SIZE; + } + +- /* setup ipc dir */ +- if (setup_ipc_dirs(host_spec, v2_spec) != 0) { ++ if (set_shm_path(host_spec, v2_spec) != 0) { ++ ERROR("Failed to set shm path"); + ret = -1; + goto out; + } + +- if (set_shm_path(host_spec, v2_spec) != 0) { +- ERROR("Failed to set shm path"); ++ /* setup ipc dir */ ++ if (setup_ipc_dirs(host_spec, v2_spec) != 0) { + ret = -1; + goto out; + } +-- +2.25.1 + diff --git a/0004-tolerate-arch-unspecified-seccomp-profiles.patch b/0004-tolerate-arch-unspecified-seccomp-profiles.patch new file mode 100644 index 0000000..27dfced --- /dev/null +++ b/0004-tolerate-arch-unspecified-seccomp-profiles.patch 
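Review bot: In set_shm_path, `v2_spec->shm_path = get_prepare_share_shm_path(host_spec->runtime, v2_spec->id);` overwrites whatever shm_path already held without freeing it; whether this can run twice on the same v2_spec (a restart re-merging mounts, say) is not visible in the hunk, but if it can the earlier string leaks, and a `free(v2_spec->shm_path);` before the assignment, or an early `return 0` when it is already set, closes that. The swap in merge_conf_mounts is what makes `spath = v2_spec->shm_path` in setup_ipc_dirs valid, so the two calls are now order-dependent; a comment at the call site, `/* set_shm_path must run first: setup_ipc_dirs reads v2_spec->shm_path */`, would stop the next maintainer from swapping them back. In the user-supplied /dev/shm case shm_path now stays NULL, so every other reader of v2_spec->shm_path (none are in this hunk) has to tolerate that. merge_conf_mounts, set_shm_path and setup_ipc_dirs all extend beyond the hunk.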
@@ -0,0 +1,64 @@ +From 73e02e66102b3e066d5d6424624461c3024cabe4 Mon Sep 17 00:00:00 2001 +From: chengzrz +Date: Fri, 29 Jul 2022 14:44:55 +0800 +Subject: [PATCH 4/6] tolerate arch unspecified seccomp profiles + +Signed-off-by: chengzrz +--- + src/daemon/modules/spec/specs_security.c | 25 +++++++++++++++--------- + 1 file changed, 16 insertions(+), 9 deletions(-) + +diff --git a/src/daemon/modules/spec/specs_security.c b/src/daemon/modules/spec/specs_security.c +index 643c2745..62f67082 100644 +--- a/src/daemon/modules/spec/specs_security.c ++++ b/src/daemon/modules/spec/specs_security.c +@@ -42,11 +42,11 @@ + + static const char * const g_system_caps[] = { "SYS_BOOT", "SETPCAP", "NET_RAW", "NET_BIND_SERVICE", + #ifdef CAP_AUDIT_WRITE +- "AUDIT_WRITE", ++ "AUDIT_WRITE", + #endif +- "DAC_OVERRIDE", "SETFCAP", "SETGID", "SETUID", "MKNOD", "CHOWN", +- "FOWNER", "FSETID", "KILL", "SYS_CHROOT" +- }; ++ "DAC_OVERRIDE", "SETFCAP", "SETGID", "SETUID", "MKNOD", "CHOWN", ++ "FOWNER", "FSETID", "KILL", "SYS_CHROOT" ++ }; + + static int append_capability(char ***dstcaps, size_t *dstcaps_len, const char *cap) + { +@@ -472,11 +472,6 @@ static size_t docker_seccomp_arches_count(const char *seccomp_architecture, cons + } + } + +- if (count == 0) { +- ERROR("seccomp architecture not found"); +- count = -1; +- } +- + return count; + } + +@@ -498,6 +493,18 @@ static int dup_architectures_to_oci_spec(const char *seccomp_architecture, const + return -1; + } + ++ if (arch_size == 0) { ++ WARN("arch map is not provided in specified seccomp profile"); ++ oci_seccomp_spec->architectures = util_smart_calloc_s(sizeof(char *), 1); ++ if (oci_seccomp_spec->architectures == NULL) { ++ ERROR("Failed to allocate memory for architectures in seccomp spec"); ++ return -1; ++ } ++ oci_seccomp_spec->architectures[oci_seccomp_spec->architectures_len++] = ++ util_strdup_s(seccomp_architecture); ++ return 0; ++ } ++ + oci_seccomp_spec->architectures = util_smart_calloc_s(sizeof(char *), arch_size); + if 
(oci_seccomp_spec->architectures == NULL) { + ERROR("Failed to calloc memory for architectures in seccomp spec"); +-- +2.25.1 + diff --git a/0005-add-a-CI-test-case-checking-seccomp-option.patch b/0005-add-a-CI-test-case-checking-seccomp-option.patch new file mode 100644 index 0000000..82f3d65 --- /dev/null +++ b/0005-add-a-CI-test-case-checking-seccomp-option.patch 
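Review bot: The new `arch_size == 0` branch in dup_architectures_to_oci_spec narrows the filter to the single `seccomp_architecture` it is handed; where that value comes from is outside the hunk, but if it is the native ABI only, a profile with no archMap will not cover the compat ABI that archMap entries normally add (SCMP_ARCH_X86 alongside X86_64, for instance), so the WARN should state what is actually applied: `WARN("arch map is not provided in seccomp profile, filter applies to %s only", seccomp_architecture);`. The branch also repeats the allocate-then-strdup sequence the general path performs right after it; folding the zero case into that path would leave one allocation site to maintain. The re-indentation of g_system_caps at the top of the patch is unrelated whitespace churn and belongs in its own commit. dup_architectures_to_oci_spec continues past the hunk.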
@@ -0,0 +1,115 @@ +From c9c2bb6bfbe2060bdc6af53ca0d752572b21594d Mon Sep 17 00:00:00 2001 +From: chengzrz +Date: Fri, 29 Jul 2022 14:45:20 +0800 +Subject: [PATCH 5/6] add a CI test case, checking seccomp option + +Signed-off-by: chengzrz +--- + CI/test_cases/container_cases/seccomp.sh | 76 +++++++++++++++++++ + .../seccomp_profile_without_archmap.json | 11 +++ + 2 files changed, 87 insertions(+) + create mode 100755 CI/test_cases/container_cases/seccomp.sh + create mode 100644 CI/test_cases/container_cases/test_data/seccomp_profile_without_archmap.json + +diff --git a/CI/test_cases/container_cases/seccomp.sh b/CI/test_cases/container_cases/seccomp.sh +new file mode 100755 +index 00000000..9e886d10 +--- /dev/null ++++ b/CI/test_cases/container_cases/seccomp.sh +@@ -0,0 +1,76 @@ ++#!/bin/bash ++# ++# attributes: isulad seccomp run ++# concurrent: NO ++# spend time: 4 ++ ++####################################################################### ++##- Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved. ++# - iSulad licensed under the Mulan PSL v2. ++# - You can use this software according to the terms and conditions of the Mulan PSL v2. ++# - You may obtain a copy of Mulan PSL v2 at: ++# - http://license.coscl.org.cn/MulanPSL2 ++# - THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR ++# - IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR ++# - PURPOSE. ++# - See the Mulan PSL v2 for more details. ++##- @Description:CI ++##- @Author: chengzeruizhi ++##- @Create: 2022-07-29 ++####################################################################### ++ ++curr_path=$(dirname $(readlink -f "$0")) ++test_data_path=$(realpath $curr_path/test_data) ++source ../helpers.sh ++ ++function do_pre() { ++ local ret=0 ++ ++ isula rm -f $(isula ps -qa) ++ ++ check_valgrind_log ++ [[ $? 
-ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - stop isulad failed" && ((ret++)) ++ ++ start_isulad_with_valgrind ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - start isulad failed" && ((ret++)) ++ ++ return $ret ++} ++ ++function do_test() { ++ local ret=0 ++ ++ msg_info "this is $0 do_test" ++ ++ cid1=$(isula run -tid --security-opt seccomp=/etc/isulad/seccomp_default.json busybox sh) ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - Failed to run container with the default seccomp profile" && ((ret++)) ++ ++ cid2=$(isula run -tid --security-opt seccomp=${test_data_path}/seccomp_profile_without_archmap.json busybox sh) ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - Failed to run container with a customized seccomp profile" && ((ret++)) ++ ++ cid3=$(isula run -tid --security-opt seccomp=/etc/isulad/seccomp_default.json \ ++ --security-opt seccomp=${test_data_path}/seccomp_profile_without_archmap.json busybox sh) ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - Failed to run container with multiple seccomp profiles" && ((ret++)) ++ ++ isula stop "${cid1}" "${cid2}" "${cid3}" ++ ++ isula rm -f $(isula ps -qa) ++ ++ msg_info "${test} finished with return ${ret}..." ++ return ${ret} ++} ++ ++function do_post() { ++ check_valgrind_log ++ start_isulad_with_valgrind ++} ++ ++declare -i ans=0 ++ ++do_pre || ((ans++)) ++ ++do_test || ((ans++)) ++ ++do_post ++ ++show_result ${ans} "${curr_path}/${0}" +diff --git a/CI/test_cases/container_cases/test_data/seccomp_profile_without_archmap.json b/CI/test_cases/container_cases/test_data/seccomp_profile_without_archmap.json +new file mode 100644 +index 00000000..1fade163 +--- /dev/null ++++ b/CI/test_cases/container_cases/test_data/seccomp_profile_without_archmap.json +@@ -0,0 +1,11 @@ ++{ ++ "defaultAction": "SCMP_ACT_ALLOW", ++ "syscalls": [ ++ { ++ "names": ["getcwd"], ++ "action": "SCMP_ACT_ERRNO", ++ "args": null ++ } ++ ] ++ ++} +-- +2.25.1 + 
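Review bot: do_test only checks that each `isula run` exits 0, so it would still pass if the archMap-less profile were accepted but never installed; the test data denies getcwd with SCMP_ACT_ERRNO, so assert on that, e.g. `isula exec "${cid2}" busybox pwd && msg_err "${FUNCNAME[0]}:${LINENO} - getcwd should be blocked by seccomp" && ((ret++))` (busybox's pwd applet calls getcwd(2); confirm it is not being resolved as the shell builtin). The cid3 case passes two `--security-opt seccomp=` values but nothing states which one is expected to win, so it cannot catch a regression in that precedence; a comment giving the expectation, or an exec probe like the one above, would. `${test}` in the final msg_info is never set in this script. The copyright header says 2020 for a file created in 2022.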
diff --git a/0006-fix-cri-attach-when-stdout-and-stderr-are-false.patch b/0006-fix-cri-attach-when-stdout-and-stderr-are-false.patch new file mode 100644 index 0000000..e5447be --- /dev/null +++ b/0006-fix-cri-attach-when-stdout-and-stderr-are-false.patch 
@@ -0,0 +1,129 @@ +From 9498a8df59f69acbf75f9aa69fef465350288bb8 Mon Sep 17 00:00:00 2001 +From: zhangxiaoyu +Date: Mon, 1 Aug 2022 11:20:31 +0800 +Subject: [PATCH 6/6] fix cri attach when stdout and stderr are false + +Signed-off-by: zhangxiaoyu +--- + .../cri/websocket/service/attach_serve.cc | 28 +++++++++++++------ + .../entry/cri/websocket/service/ws_server.cc | 22 +++++++++++++++ + .../entry/cri/websocket/service/ws_server.h | 2 ++ + 3 files changed, 44 insertions(+), 8 deletions(-) + +diff --git a/src/daemon/entry/cri/websocket/service/attach_serve.cc b/src/daemon/entry/cri/websocket/service/attach_serve.cc +index abb08363..57711180 100644 +--- a/src/daemon/entry/cri/websocket/service/attach_serve.cc ++++ b/src/daemon/entry/cri/websocket/service/attach_serve.cc +@@ -101,31 +101,40 @@ int AttachServe::ExecuteStreamCommand(SessionData *lwsCtx, void *request) + return -1; + } + ++ // stdout + struct AttachContext stdoutContext = { 0 }; + stdoutContext.lwsCtx = lwsCtx; + stdoutContext.sem = &attachSem; +- stdoutContext.attachWriter = WsWriteStdoutToClient; ++ // write stdout to client if attach stdout is true ++ stdoutContext.attachWriter = m_request->attach_stdout ? WsWriteStdoutToClient : WsDoNotWriteStdoutToClient; + + struct io_write_wrapper stdoutstringWriter = { 0 }; + stdoutstringWriter.context = static_cast(&stdoutContext); + stdoutstringWriter.write_func = AttachWriteToClient; +- // the close function of StderrstringWriter is preferred unless StderrstringWriter is nullptr +- stdoutstringWriter.close_func = m_request->attach_stderr ? nullptr : AttachConnectClosed; ++ stdoutstringWriter.close_func = AttachConnectClosed; + ++ // stderr + struct AttachContext stderrContext = { 0 }; + stderrContext.lwsCtx = lwsCtx; +- stderrContext.sem = &attachSem; +- stderrContext.attachWriter = WsWriteStderrToClient; ++ stderrContext.sem = nullptr; ++ // write stderr to client if attach stderr is true ++ stderrContext.attachWriter = m_request->attach_stderr ? 
WsWriteStderrToClient : WsDoNotWriteStderrToClient; + + struct io_write_wrapper stderrstringWriter = { 0 }; + stderrstringWriter.context = static_cast(&stderrContext); + stderrstringWriter.write_func = AttachWriteToClient; +- stderrstringWriter.close_func = m_request->attach_stderr ? AttachConnectClosed : nullptr; ++ stderrstringWriter.close_func = nullptr; ++ ++ // Maybe attach stdout and stderr are both false. ++ // To make sure the close func sem_post, set attach stdout and stderr true. ++ bool record_attach_stdout = m_request->attach_stdout; ++ bool record_attach_stderr = m_request->attach_stderr; ++ m_request->attach_stdout=true; ++ m_request->attach_stderr=true; + + container_attach_response *m_response { nullptr }; + int ret = cb->container.attach(m_request, &m_response, m_request->attach_stdin ? lwsCtx->pipes.at(0) : -1, +- m_request->attach_stdout ? &stdoutstringWriter : nullptr, +- m_request->attach_stderr ? &stderrstringWriter : nullptr); ++ &stdoutstringWriter, &stderrstringWriter); + + if (ret != 0) { + // join io copy thread in attach callback +@@ -139,11 +148,14 @@ int AttachServe::ExecuteStreamCommand(SessionData *lwsCtx, void *request) + } + WsWriteStdoutToClient(lwsCtx, message.c_str(), message.length()); + } else { ++ // wait io copy thread complete + (void)sem_wait(&attachSem); + } + + (void)sem_destroy(&attachSem); + free_container_attach_response(m_response); ++ m_request->attach_stdout = record_attach_stdout; ++ m_request->attach_stderr = record_attach_stderr; + return ret; + } + +diff --git a/src/daemon/entry/cri/websocket/service/ws_server.cc b/src/daemon/entry/cri/websocket/service/ws_server.cc +index 98c0fee0..08f2cff0 100644 +--- a/src/daemon/entry/cri/websocket/service/ws_server.cc ++++ b/src/daemon/entry/cri/websocket/service/ws_server.cc +@@ -703,6 +703,28 @@ ssize_t WsWriteStderrToClient(void *context, const void *data, size_t len) + return WsWriteToClient(context, data, len, STDERRCHANNEL); + } + ++ssize_t 
WsDoNotWriteStdoutToClient(void *context, const void *data, size_t len) ++{ ++ if (context == nullptr) { ++ ERROR("websocket session context empty"); ++ return -1; ++ } ++ ++ TRACE("Ws do not write stdout to client"); ++ return len; ++} ++ ++ssize_t WsDoNotWriteStderrToClient(void *context, const void *data, size_t len) ++{ ++ if (context == nullptr) { ++ ERROR("websocket session context empty"); ++ return -1; ++ } ++ ++ TRACE("Ws do not write stderr to client"); ++ return len; ++} ++ + int closeWsConnect(void *context, char **err) + { + (void)err; +diff --git a/src/daemon/entry/cri/websocket/service/ws_server.h b/src/daemon/entry/cri/websocket/service/ws_server.h +index b871aabc..a2a180ec 100644 +--- a/src/daemon/entry/cri/websocket/service/ws_server.h ++++ b/src/daemon/entry/cri/websocket/service/ws_server.h +@@ -113,6 +113,8 @@ private: + + ssize_t WsWriteStdoutToClient(void *context, const void *data, size_t len); + ssize_t WsWriteStderrToClient(void *context, const void *data, size_t len); ++ssize_t WsDoNotWriteStdoutToClient(void *context, const void *data, size_t len); ++ssize_t WsDoNotWriteStderrToClient(void *context, const void *data, size_t len); + int closeWsConnect(void *context, char **err); + + #endif // DAEMON_ENTRY_CRI_WEBSOCKET_SERVICE_WS_SERVER_H +-- +2.25.1 + diff --git a/iSulad.spec b/iSulad.spec index 24c8959..f0706b3 100644 --- a/iSulad.spec +++ b/iSulad.spec @@ -1,5 +1,5 @@ %global _version 2.0.15 -%global _release 1 +%global _release 2 %global is_systemd 1 %global enable_shimv2 1 %global is_embedded 1 
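Review bot: ExecuteStreamCommand now flips `m_request->attach_stdout` and `attach_stderr` to true for the duration of `cb->container.attach` and restores them only at the very end of the function; since `m_request` looks like a member rather than a local, any early return inside the elided `if (ret != 0)` branch (not visible in the hunk) would leave the request misreporting what the client asked for. Restoring immediately after the call is safer: move `m_request->attach_stdout = record_attach_stdout;` and `m_request->attach_stderr = record_attach_stderr;` to the line right after the `int ret = cb->container.attach(...)` statement, before the branch. The comment should also say why the flags must be true (the attach callback evidently consults them to decide which close_func posts the semaphore), since `stderrContext.sem = nullptr` and `stderrstringWriter.close_func = nullptr` only make sense with that in mind. `m_request->attach_stdout=true;` is also missing the spaces around `=` used everywhere else in the file. ExecuteStreamCommand starts before the hunk.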
@@ -13,6 +13,12 @@ URL: https://gitee.com/openeuler/iSulad Source: https://gitee.com/openeuler/iSulad/repository/archive/v%{version}.tar.gz BuildRoot: {_tmppath}/iSulad-%{version} +Patch6000: 0001-do-not-use-tmpfile.patch +Patch6001: 0002-use-only-TLS-v1.2-or-later.patch +Patch6002: 0003-don-t-mount-shareable-dirs-if-user-set-mount-for-dev.patch +Patch6003: 0004-tolerate-arch-unspecified-seccomp-profiles.patch +Patch6004: 0005-add-a-CI-test-case-checking-seccomp-option.patch +Patch6005: 0006-fix-cri-attach-when-stdout-and-stderr-are-false.patch %ifarch x86_64 aarch64 Provides: libhttpclient.so()(64bit) @@ -240,6 +246,12 @@ fi %endif %changelog +* Mon Aug 1 2022 chengzeruizhi - 2.0.15-2 +- Type: enhancement +- ID: NA +- SUG: NA +- DESC: sycn patches from openeuler branch + * Fri Jul 8 2022 haozi007 - 2.0.15-1 - Type: enhancement - ID: NA