!85 sync from openeuler

From: @duguhaotian Reviewed-by: @lifeng2221dd1 Signed-off-by: @lifeng2221dd1
2020-12-04 11:18:39 +08:00 · 2020-12-04 11:18:39 +08:00 · b6185c5f4e
commit b6185c5f4e
parent 48f598fdc7 112089d24b
18 changed files with 2203 additions and 22 deletions
--- a/0001-Add-a-solution-to-the-gpgkey-problem.patch
+++ b/0001-Add-a-solution-to-the-gpgkey-problem.patch
@ -2,7 +2,7 @@ From a46546cd6c9d3e085beac143eb3b7dcff7f118e5 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?=E5=A4=A7=E7=BD=97=E9=A9=AC=E7=9A=84=E5=A4=AA=E9=98=B3?=
 <weibaohui@yeah.net>
 Date: Mon, 23 Nov 2020 22:55:24 +0800
-Subject: [PATCH 1/7] Add a solution to the gpgkey problem
+Subject: [PATCH 01/17] Add a solution to the gpgkey problem

 ---
 README.md | 21 +++++++++++++++++++++
@ -41,5 +41,5 @@ index 08467ddc..9b34d615 100644
 We provide `systemd` service to start `iSulad`:
 ```sh
 -- 
-2.20.1
+2.25.1

--- a/0002-change-default-tmp-directory-from-var-tmp-to-var-lib.patch
+++ b/0002-change-default-tmp-directory-from-var-tmp-to-var-lib.patch
@ -1,7 +1,7 @@
 From e17d4ea9e2e6ec5555429cbc0363748e33170dea Mon Sep 17 00:00:00 2001
 From: WangFengTu <wangfengtu@huawei.com>
 Date: Mon, 23 Nov 2020 16:52:56 +0800
-Subject: [PATCH 2/7] change default tmp directory from /var/tmp to
+Subject: [PATCH 02/17] change default tmp directory from /var/tmp to
 /var/lib/isulad/tmp

 Signed-off-by: WangFengTu <wangfengtu@huawei.com>
@ -602,5 +602,5 @@ index fdf27cdb..03af3cc9 100644
 
 void MockIsuladConf_SetMock(MockIsuladConf *mock);
 -- 
-2.20.1
+2.25.1

--- a/0003-update-api.proto-to-v1.19.3-according-to-kubelet.patch
+++ b/0003-update-api.proto-to-v1.19.3-according-to-kubelet.patch
@ -1,7 +1,7 @@
 From 5720b90e9515a698b5f9cde21a99194848f2c66a Mon Sep 17 00:00:00 2001
 From: gaohuatao <gaohuatao@huawei.com>
 Date: Fri, 13 Nov 2020 03:21:16 -0500
-Subject: [PATCH 3/7] update api.proto to v1.19.3 according to kubelet
+Subject: [PATCH 03/17] update api.proto to v1.19.3 according to kubelet

 Signed-off-by: gaohuatao <gaohuatao@huawei.com>
 ---
@ -98,5 +98,5 @@ index 634e53ad..1d332261 100644
     ModifyCommonNamespaceOptions(nsOpts, hostConfig);
     /* modify host network option for container */
 -- 
-2.20.1
+2.25.1

--- a/0004-adapt-CI-ISULAD_TMPDIR-testcases.patch
+++ b/0004-adapt-CI-ISULAD_TMPDIR-testcases.patch
@ -1,7 +1,7 @@
 From 3a15d0174b16207915ab5736ee45f5018472b251 Mon Sep 17 00:00:00 2001
 From: WangFengTu <wangfengtu@huawei.com>
 Date: Tue, 24 Nov 2020 14:51:57 +0800
-Subject: [PATCH 4/7] adapt CI ISULAD_TMPDIR testcases
+Subject: [PATCH 04/17] adapt CI ISULAD_TMPDIR testcases

 Signed-off-by: WangFengTu <wangfengtu@huawei.com>
 ---
@ -46,5 +46,5 @@ index 22a6ad42..46849ae7 100644
     msg_info "${test} finished with return ${ret}..."
     return ${ret}
 -- 
-2.20.1
+2.25.1

--- a/0005-listening-127.0.0.1-port-in-cri-stream-websocket-ser.patch
+++ b/0005-listening-127.0.0.1-port-in-cri-stream-websocket-ser.patch
@ -1,7 +1,7 @@
 From f3f2765e074a489ceeb2364fbb941a40d3232ff5 Mon Sep 17 00:00:00 2001
 From: wujing <wujing50@huawei.com>
 Date: Tue, 24 Nov 2020 15:13:05 +0800
-Subject: [PATCH 5/7] listening 127.0.0.1:port in cri stream websocket server
+Subject: [PATCH 05/17] listening 127.0.0.1:port in cri stream websocket server

 Signed-off-by: wujing <wujing50@huawei.com>
 ---
@ -71,5 +71,5 @@ index 0f613dd2..af8573ad 100644
                 ERROR("Failed to append image to digest: %s", names[i]);
                 ret = -1;
 -- 
-2.20.1
+2.25.1

--- a/0006-using-64-bit-unique-token-in-CRI-websockets-server-R.patch
+++ b/0006-using-64-bit-unique-token-in-CRI-websockets-server-R.patch
@ -1,7 +1,7 @@
 From 7b59f3cead750d00bafe406ab2150f3abd189acb Mon Sep 17 00:00:00 2001
 From: wujing <wujing50@huawei.com>
 Date: Tue, 24 Nov 2020 17:09:08 +0800
-Subject: [PATCH 6/7] using 64 bit unique token in CRI websockets server
+Subject: [PATCH 06/17] using 64 bit unique token in CRI websockets server
 Request Cache

 Signed-off-by: wujing <wujing50@huawei.com>
@ -46,5 +46,5 @@ index b0b7f491..024f3ba7 100644
 
 #endif // DAEMON_ENTRY_CRI_REQUEST_CACHE_H
 -- 
-2.20.1
+2.25.1

--- a/0007-add-mock-conf_get_use_decrypted_key_flag-and-setup-a.patch
+++ b/0007-add-mock-conf_get_use_decrypted_key_flag-and-setup-a.patch
@ -1,7 +1,7 @@
 From c84953295a615da574aa1b42348a6f60105d5482 Mon Sep 17 00:00:00 2001
 From: WangFengTu <wangfengtu@huawei.com>
 Date: Tue, 24 Nov 2020 20:00:42 +0800
-Subject: [PATCH 7/7] add mock conf_get_use_decrypted_key_flag and setup all
+Subject: [PATCH 07/17] add mock conf_get_use_decrypted_key_flag and setup all
 common mocks

 Signed-off-by: WangFengTu <wangfengtu@huawei.com>
@ -52,5 +52,5 @@ index 25ddf694..4b264424 100644
 }
 
 -- 
-2.20.1
+2.25.1

--- a/0008-show-all-mutl-network-ips.patch
+++ b/0008-show-all-mutl-network-ips.patch
@ -1,7 +1,7 @@
 From cd9d3524c53ee2090f6d3c8f079ad7905ca4bd41 Mon Sep 17 00:00:00 2001
 From: haozi007 <liuhao27@huawei.com>
 Date: Thu, 26 Nov 2020 09:30:05 +0800
-Subject: [PATCH 08/10] show all mutl network ips
+Subject: [PATCH 08/17] show all mutl network ips

 Signed-off-by: haozi007 <liuhao27@huawei.com>
 ---
@ -9,7 +9,7 @@ Signed-off-by: haozi007 <liuhao27@huawei.com>
 1 file changed, 1 insertion(+), 1 deletion(-)

 diff --git a/src/daemon/entry/cri/cri_sandbox.cc b/src/daemon/entry/cri/cri_sandbox.cc
-index b44c86c..772638a 100644
+index b44c86c1..772638a1 100644
 --- a/src/daemon/entry/cri/cri_sandbox.cc
 +++ b/src/daemon/entry/cri/cri_sandbox.cc
@@ -978,7 +978,7 @@ void CRIRuntimeServiceImpl::GetFormatIPsForMultNet(container_inspect *inspect, c
--- a/0009-iSulad-only-qsort-the-configed-mounts.patch
+++ b/0009-iSulad-only-qsort-the-configed-mounts.patch
@ -1,7 +1,7 @@
 From 25465336f77be1332c4536f90eb6ebd8edfd71de Mon Sep 17 00:00:00 2001
 From: lifeng68 <lifeng68@huawei.com>
 Date: Fri, 27 Nov 2020 11:29:58 +0800
-Subject: [PATCH 09/10] iSulad: only qsort the configed mounts
+Subject: [PATCH 09/17] iSulad: only qsort the configed mounts

 Signed-off-by: lifeng68 <lifeng68@huawei.com>
 ---
@ -10,7 +10,7 @@ Signed-off-by: lifeng68 <lifeng68@huawei.com>
 2 files changed, 114 insertions(+), 103 deletions(-)

 diff --git a/src/daemon/entry/cri/cri_security_context.cc b/src/daemon/entry/cri/cri_security_context.cc
-index 1d33226..cf5b300 100644
+index 1d332261..cf5b300e 100644
 --- a/src/daemon/entry/cri/cri_security_context.cc
 +++ b/src/daemon/entry/cri/cri_security_context.cc
@@ -179,7 +179,6 @@ static void ModifyContainerNamespaceOptions(const runtime::v1alpha2::NamespaceOp
@ -22,7 +22,7 @@ index 1d33226..cf5b300 100644
         std::string targetPidNsMode = "container:" + nsOpts.target_id();
         free(hostConfig->pid_mode);
 diff --git a/src/daemon/modules/spec/specs_mount.c b/src/daemon/modules/spec/specs_mount.c
-index db7e4fd..6099a91 100644
+index db7e4fd8..6099a918 100644
 --- a/src/daemon/modules/spec/specs_mount.c
 +++ b/src/daemon/modules/spec/specs_mount.c
@@ -372,7 +372,8 @@ static defs_mount *mount_point_to_defs_mnt(container_config_v2_common_config_mou
--- a/0010-CI-add-testcases-for-bind-proc-and-sys-fs.patch
+++ b/0010-CI-add-testcases-for-bind-proc-and-sys-fs.patch
@ -1,7 +1,7 @@
 From 9ad5a2da26efc2a1a15564ddbb72059a1142ec85 Mon Sep 17 00:00:00 2001
 From: lifeng68 <lifeng68@huawei.com>
 Date: Fri, 27 Nov 2020 16:57:00 +0800
-Subject: [PATCH 10/10] CI: add testcases for bind /proc and /sys/fs
+Subject: [PATCH 10/17] CI: add testcases for bind /proc and /sys/fs

 Signed-off-by: lifeng68 <lifeng68@huawei.com>
 ---
@ -11,7 +11,7 @@ Signed-off-by: lifeng68 <lifeng68@huawei.com>

 diff --git a/CI/test_cases/container_cases/bind_special_dir.sh b/CI/test_cases/container_cases/bind_special_dir.sh
 new file mode 100644
-index 0000000..0e61e34
+index 00000000..0e61e348
 --- /dev/null
 +++ b/CI/test_cases/container_cases/bind_special_dir.sh
@@ -0,0 +1,56 @@
--- a/0011-verify-peer-if-it-s-secure-registry.patch
+++ b/0011-verify-peer-if-it-s-secure-registry.patch
@ -0,0 +1,29 @@
+From 1f8f03ebc44a763a7686eda8cbf6341b9c057a6f Mon Sep 17 00:00:00 2001
+From: WangFengTu <wangfengtu@huawei.com>
+Date: Sat, 28 Nov 2020 10:45:59 +0800
+Subject: [PATCH 11/17] verify peer if it's secure registry
+
+we verify peer only when CA file is provided before,
+now we verify peer if it's secure registry
+
+Signed-off-by: WangFengTu <wangfengtu@huawei.com>
+---
+ src/daemon/modules/image/oci/registry/http_request.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/daemon/modules/image/oci/registry/http_request.c b/src/daemon/modules/image/oci/registry/http_request.c
+index 60644ed5..fb44a7b6 100644
+--- a/src/daemon/modules/image/oci/registry/http_request.c
+++ b/src/daemon/modules/image/oci/registry/http_request.c
+@@ -118,7 +118,7 @@ static int setup_ssl_config(pull_descriptor *desc, struct http_get_options *opti
+         }
+     }
+ 
+-    if (options->ca_file != NULL) {
+    if (!desc->insecure_registry) {
+         options->ssl_verify_peer = true;
+     }
+ 
+-- 
+2.25.1
+
--- a/0012-make-sure-all-certs-load-success-if-any-provided.patch
+++ b/0012-make-sure-all-certs-load-success-if-any-provided.patch
@ -0,0 +1,239 @@
+From a242455ecf86e4766ecb8989f8a5c62059c02e7c Mon Sep 17 00:00:00 2001
+From: WangFengTu <wangfengtu@huawei.com>
+Date: Sat, 28 Nov 2020 11:37:09 +0800
+Subject: [PATCH 12/17] make sure all certs load success if any provided
+
+Signed-off-by: WangFengTu <wangfengtu@huawei.com>
+---
+ src/daemon/modules/image/oci/registry/certs.c | 161 ++++++++++++++++--
+ 1 file changed, 149 insertions(+), 12 deletions(-)
+
+diff --git a/src/daemon/modules/image/oci/registry/certs.c b/src/daemon/modules/image/oci/registry/certs.c
+index 6574d2bf..f9ef63c9 100644
+--- a/src/daemon/modules/image/oci/registry/certs.c
+++ b/src/daemon/modules/image/oci/registry/certs.c
+@@ -26,9 +26,11 @@
+ #include "utils.h"
+ #include "utils_file.h"
+ #include "utils_string.h"
+#include "err_msg.h"
+ 
+ #define DEFAULT_ISULAD_CERTD "/etc/isulad/certs.d"
+ #define CLIENT_CERT_SUFFIX ".cert"
+#define CLIENT_KEY_SUFFIX ".key"
+ #define CA_SUFFIX ".crt"
+ 
+ static char *g_certs_dir = DEFAULT_ISULAD_CERTD;
+@@ -68,18 +70,117 @@ static char *corresponding_key_name(const char *cert_name)
+     return key_name;
+ }
+ 
+static char *corresponding_cert_name(const char *key_name)
+{
+    char cert_name[PATH_MAX] = {0};
+    char *tmp_key_name = NULL;
+    int sret = 0;
+
+    if (key_name == NULL) {
+        ERROR("Invalid NULL pointer");
+        return NULL;
+    }
+
+    if (strlen(key_name) <= strlen(CLIENT_KEY_SUFFIX)) {
+        ERROR("Invalid key name too short");
+        return NULL;
+    }
+
+    tmp_key_name = util_strdup_s(key_name);
+    tmp_key_name[strlen(tmp_key_name) - strlen(CLIENT_KEY_SUFFIX)] = 0; // strip suffix .key
+
+    sret = snprintf(cert_name, sizeof(cert_name), "%s.cert", tmp_key_name);
+    if (sret < 0 || (size_t)sret >= sizeof(cert_name)) {
+        ERROR("Failed to sprintf cert name");
+        free(tmp_key_name);
+        return NULL;
+    }
+
+    return util_strdup_s(cert_name);
+}
+
+static int get_path_by_cert_name(const char *path, const char *cert_name, char **cert_path, char **key_path)
+{
+    int ret = 0;
+    char *key_name = NULL;
+    char *tmp_key_path = NULL;
+    char *tmp_cert_path = NULL;
+
+    key_name = corresponding_key_name(cert_name);
+    if (key_name == NULL) {
+        ERROR("find corresponding key name for cert failed");
+        ret = -1;
+        goto out;
+    }
+    tmp_key_path = util_path_join(path, key_name);
+    tmp_cert_path = util_path_join(path, cert_name);
+    if (tmp_cert_path == NULL || tmp_key_path == NULL) {
+        ret = -1;
+        ERROR("error join path");
+        goto out;
+    }
+
+    *cert_path = util_strdup_s(tmp_cert_path);
+    *key_path = util_strdup_s(tmp_key_path);
+
+out:
+    free(key_name);
+    free(tmp_cert_path);
+    free(tmp_key_path);
+
+    return ret;
+}
+
+static int get_path_by_key_name(const char *path, const char *key_name, char **cert_path, char **key_path)
+{
+    int ret = 0;
+    char *cert_name = NULL;
+    char *tmp_key_path = NULL;
+    char *tmp_cert_path = NULL;
+
+    cert_name = corresponding_cert_name(key_name);
+    if (cert_name == NULL) {
+        ERROR("find corresponding key name for cert failed");
+        ret = -1;
+        goto out;
+    }
+    tmp_key_path = util_path_join(path, key_name);
+    tmp_cert_path = util_path_join(path, cert_name);
+    if (tmp_cert_path == NULL || tmp_key_path == NULL) {
+        ret = -1;
+        ERROR("error join path");
+        goto out;
+    }
+
+    *cert_path = util_strdup_s(tmp_cert_path);
+    *key_path = util_strdup_s(tmp_key_path);
+
+out:
+    free(cert_name);
+    free(tmp_cert_path);
+    free(tmp_key_path);
+
+    return ret;
+}
+
+ static int load_certs(const char *path, const char *name, bool use_decrypted_key, char **ca_file, char **cert_file,
+                       char **key_file)
+ {
+     int ret = 0;
+     char *key_name = NULL;
+    char *tmp_key_file = NULL;
+    char *tmp_cert_file = NULL;
+ 
+-    if (path == NULL || ca_file == NULL || cert_file == NULL || key_file == NULL) {
+    if (path == NULL || ca_file == NULL || cert_file == NULL || key_file == NULL || name == NULL) {
+         ERROR("Invalid NULL pointer");
+         return -1;
+     }
+ 
+-    if (*ca_file == NULL && util_has_suffix(name, CA_SUFFIX)) {
+    if (util_has_suffix(name, CA_SUFFIX)) {
+        if (*ca_file != NULL) {
+            ERROR("more than one ca file found, support only one ca file currently, continue to try");
+            goto out;
+        }
+         *ca_file = util_path_join(path, name);
+         if (*ca_file == NULL) {
+             ret = -1;
+@@ -87,20 +188,43 @@ static int load_certs(const char *path, const char *name, bool use_decrypted_key
+             goto out;
+         }
+         goto out;
+-    } else if (*cert_file == NULL && *key_file == NULL && util_has_suffix(name, CLIENT_CERT_SUFFIX)) {
+-        key_name = corresponding_key_name(name);
+-        if (key_name == NULL) {
+-            ERROR("find corresponding key name for cert failed");
+    } else if (util_has_suffix(name, CLIENT_CERT_SUFFIX)) {
+        ret = get_path_by_cert_name(path, name, &tmp_cert_file, &tmp_key_file);
+        if (ret != 0) {
+            ERROR("get path of cert and key by cert name failed");
+            isulad_try_set_error_message("get path of cert and key by cert name failed");
+            goto out;
+        }
+        if (!util_file_exists(tmp_key_file)) {
+             ret = -1;
+            ERROR("lack corresponding key file for tls cert");
+            isulad_try_set_error_message("lack corresponding key file for tls cert");
+             goto out;
+         }
+-        *key_file = util_path_join(path, key_name);
+-        *cert_file = util_path_join(path, name);
+-        if (*cert_file == NULL || *key_file == NULL) {
+        if (*cert_file != NULL) {
+            ERROR("more than one cert file found, support only one cert file currently, continue to try");
+            goto out;
+        }
+        *cert_file = util_strdup_s(tmp_cert_file);
+        goto out;
+    } else if (util_has_suffix(name, CLIENT_KEY_SUFFIX)) {
+        ret = get_path_by_key_name(path, name, &tmp_cert_file, &tmp_key_file);
+        if (ret != 0) {
+            ERROR("get path of cert and key by key name failed");
+            isulad_try_set_error_message("get path of cert and key by key name failed");
+            goto out;
+        }
+        if (!util_file_exists(tmp_cert_file)) {
+             ret = -1;
+-            ERROR("error join key name");
+            ERROR("lack corresponding cert file for tls key");
+            isulad_try_set_error_message("lack corresponding cert file for tls key");
+            goto out;
+        }
+        if (*key_file != NULL) {
+            ERROR("more than one key file found, support only one key file currently, continue to try");
+             goto out;
+         }
+        *key_file = util_strdup_s(tmp_key_file);
+         goto out;
+     } else {
+         goto out;
+@@ -109,6 +233,8 @@ static int load_certs(const char *path, const char *name, bool use_decrypted_key
+ out:
+     free(key_name);
+     key_name = NULL;
+    free(tmp_cert_file);
+    free(tmp_key_file);
+ 
+     if (ret != 0) {
+         free(*ca_file);
+@@ -122,6 +248,15 @@ out:
+     return ret;
+ }
+ 
+static bool valid_certs(char *ca_file, char *cert_file, char *key_file)
+{
+    if ((ca_file == NULL && cert_file == NULL && key_file == NULL) ||
+        (ca_file != NULL && cert_file != NULL && key_file != NULL)) {
+        return true;
+    }
+    return false;
+}
+
+ int certs_load(char *host, bool use_decrypted_key, char **ca_file, char **cert_file, char **key_file)
+ {
+     int ret = 0;
+@@ -170,8 +305,10 @@ int certs_load(char *host, bool use_decrypted_key, char **ca_file, char **cert_f
+         entry = readdir(dir);
+     }
+ 
+-    if (*ca_file == NULL || *cert_file == NULL || *key_file == NULL) {
+-        ERROR("Loaded only part of certs, continue to try");
+    if (!valid_certs(*ca_file, *cert_file, *key_file)) {
+        ERROR("failed to load all certs");
+        isulad_try_set_error_message("failed to load all certs");
+        ret = -1;
+     }
+ 
+ out:
+-- 
+2.25.1
+
--- a/0013-add-ch-docs-for-install-iSulad.patch
+++ b/0013-add-ch-docs-for-install-iSulad.patch
@ -0,0 +1,305 @@
+From da5ab167ebc5765c91630846cd0850acd6ce8814 Mon Sep 17 00:00:00 2001
+From: haozi007 <liuhao27@huawei.com>
+Date: Thu, 26 Nov 2020 14:58:05 +0800
+Subject: [PATCH 13/17] add ch docs for install iSulad
+
+Signed-off-by: haozi007 <liuhao27@huawei.com>
+---
+ README.md              |   7 ++
+ docs/build_guide.md    |  22 +++---
+ docs/build_guide_zh.md | 164 +++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 182 insertions(+), 11 deletions(-)
+ create mode 100644 docs/build_guide_zh.md
+
+diff --git a/README.md b/README.md
+index 9b34d615..1dd3cf1a 100644
+--- a/README.md
+++ b/README.md
+@@ -4,9 +4,16 @@
+ 
+ `iSulad` is a lightweight container runtime daemon which is designed for IOT and Cloud infrastructure.`iSulad` has the characteristics of light, fast and not limited by hardware specifications and architecture, and can be applied more widely.
+ 
+## Documentation
+
+- [en build guide](./docs/build_guide.md)
+- [cn build guide](./docs/build_guide_zh.md)
+- [more usage guide](https://openeuler.org/zh/docs/20.09/docs/Container/iSula%E5%AE%B9%E5%99%A8%E5%BC%95%E6%93%8E.html)
+
+ ## Getting Started
+ 
+ ### Installing
+
+ To install iSulad, you can use `rpm` or `yum` package manager command with `openEuler` repository.
+ 
+ Or write repository file by hand:
+diff --git a/docs/build_guide.md b/docs/build_guide.md
+index 912139fa..2ee12c39 100644
+--- a/docs/build_guide.md
+++ b/docs/build_guide.md
+@@ -7,12 +7,12 @@ If you intend to contribute on iSulad. Thanks for your effort. Every contributio
+ These dependencies are required for build:
+ 
+ ### install basic dependencies based on Centos distribution
+-```sh
+```bash
+ $ sudo yum --enablerepo='*' install -y automake autoconf libtool cmake make libcap libcap-devel libselinux libselinux-devel libseccomp libseccomp-devel yajl-devel git libcgroup tar python3 python3-pip device-mapper-devel libarchive libarchive-devel libcurl-devel zlib-devel glibc-headers openssl-devel gcc gcc-c++ systemd-devel systemd-libs golang libtar libtar-devel
+ ```
+ 
+ ### install basic dependencies based on Ubuntu distribution
+-```sh
+```bash
+ $ sudo apt install -y libtool automake autoconf cmake make pkg-config libyajl-dev zlib1g-dev libselinux-dev libseccomp-dev libcap-dev libsystemd-dev git libcurl4-gnutls-dev openssl libdevmapper-dev golang python3 libtar libtar-dev
+ ```
+ 
+@@ -24,13 +24,13 @@ Please use the protobuf and grpc came with your distribution, if not exists then
+ Note: grpc-1.22 can not support GCC 9+.
+ 
+ ### set ldconfig and pkgconfig
+-```
+```bash
+ $ export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:$PKG_CONFIG_PATH
+ $ export LD_LIBRARY_PATH=/usr/local/lib:/usr/lib:$LD_LIBRARY_PATH
+ $ sudo -E echo "/usr/local/lib" >> /etc/ld.so.conf
+ ```
+ ### build and install protobuf
+-```
+```bash
+ $ git clone https://gitee.com/src-openeuler/protobuf.git
+ $ cd protobuf
+ $ git checkout openEuler-20.03-LTS-tag
+@@ -44,7 +44,7 @@ $ sudo -E ldconfig
+ ```
+ 
+ ### build and install c-ares
+-```
+```bash
+ $ git clone https://gitee.com/src-openeuler/c-ares.git
+ $ cd c-ares
+ $ git checkout openEuler-20.03-LTS-tag
+@@ -58,7 +58,7 @@ $ sudo -E ldconfig
+ ```
+ 
+ ### build and install grpc
+-```
+```bash
+ $ git clone https://gitee.com/src-openeuler/grpc.git
+ $ cd grpc
+ $ git checkout openEuler-20.03-LTS-tag
+@@ -70,7 +70,7 @@ $ sudo -E ldconfig
+ ```
+ 
+ ### build and install http-parser
+-```
+```bash
+ $ git clone https://gitee.com/src-openeuler/http-parser.git
+ $ cd http-parser
+ $ git checkout openEuler-20.03-LTS-tag
+@@ -82,7 +82,7 @@ $ sudo -E ldconfig
+ ```
+ 
+ ### build and install libwebsockets
+-```
+```bash
+ $ git clone https://gitee.com/src-openeuler/libwebsockets.git
+ $ cd libwebsockets
+ $ git checkout openEuler-20.03-LTS-tag
+@@ -101,7 +101,7 @@ $ sudo -E ldconfig
+ iSulad depend on some specific versions dependencies.
+ 
+ ### build and install lxc
+-```
+```bash
+ $ git clone https://gitee.com/src-openeuler/lxc.git
+ $ cd lxc
+ $ tar -zxf lxc-4.0.3.tar.gz
+@@ -114,7 +114,7 @@ $ sudo -E make install
+ ```
+ 
+ ### build and install lcr
+-```
+```bash
+ $ git clone https://gitee.com/openeuler/lcr.git
+ $ cd lcr
+ $ mkdir build
+@@ -125,7 +125,7 @@ $ sudo -E make install
+ ```
+ 
+ ### build and install clibcni
+-```
+```bash
+ $ git clone https://gitee.com/openeuler/clibcni.git
+ $ cd clibcni
+ $ mkdir build
+diff --git a/docs/build_guide_zh.md b/docs/build_guide_zh.md
+new file mode 100644
+index 00000000..182d6fec
+--- /dev/null
+++ b/docs/build_guide_zh.md
+@@ -0,0 +1,164 @@
+# 源码编译iSulad
+
+我们感谢为iSulad做的任何贡献。
+
+## 各发行版本的基本依赖安装
+
+这些依赖是编译依赖的基础组件：
+
+### openEuler的安装命令
+
+openEuler可以直接通过编译依赖自动安装的方式（其他rpm的发行版本也可以参考，但是存在部分包名不一致的情况），具体如下：
+
+```bash
+dnf builddep iSulad.spec
+```
+
+注：iSulad.spec直接用源码中的文件即可。
+
+### Centos的安装命令
+
+```bash
+$ sudo yum --enablerepo='*' install -y automake autoconf libtool cmake make libcap libcap-devel libselinux libselinux-devel libseccomp libseccomp-devel yajl-devel git libcgroup tar python3 python3-pip device-mapper-devel libarchive libarchive-devel libcurl-devel zlib-devel glibc-headers openssl-devel gcc gcc-c++ systemd-devel systemd-libs libtar libtar-devel
+```
+
+### Ubuntu的安装命令
+```bash
+$ sudo apt install -y libtool automake autoconf cmake make pkg-config libyajl-dev zlib1g-dev libselinux-dev libseccomp-dev libcap-dev libsystemd-dev git libcurl4-gnutls-dev openssl libdevmapper-dev python3 libtar libtar-dev
+```
+
+## 从源码构建和安装关键依赖
+下面的依赖组件，你的包管理中可能不存在，或者版本不满足要求。因此，需要从源码编译安装。protobuf和grpc建议直接通过包管理安装，除非没有或者版本太老。
+
+***注意：grpc-1.22不支持GCC 9+。***
+
+### 设置ldconfig和pkgconfig的路径
+
+编译安装的默认路径为`/usr/local/lib/`，因此需要把该路径添加到`PKG_CONFIG_PATH`和`LD_LIBRARY_PATH`，从而系统能找到我们编译安装的软件包和lib库。如果安装的`/usr/lib/`，可以忽略这一步。
+
+```bash
+$ export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:$PKG_CONFIG_PATH
+$ export LD_LIBRARY_PATH=/usr/local/lib:/usr/lib:$LD_LIBRARY_PATH
+$ sudo -E echo "/usr/local/lib" >> /etc/ld.so.conf
+```
+### 编译安装protobuf
+```bash
+$ git clone https://gitee.com/src-openeuler/protobuf.git
+$ cd protobuf
+$ git checkout openEuler-20.03-LTS-tag
+$ tar -xzvf protobuf-all-3.9.0.tar.gz
+$ cd protobuf-3.9.0
+$ sudo -E ./autogen.sh
+$ sudo -E ./configure
+$ sudo -E make -j $(nproc)
+$ sudo -E make install
+$ sudo -E ldconfig
+```
+
+### 编译安装c-ares
+```bash
+$ git clone https://gitee.com/src-openeuler/c-ares.git
+$ cd c-ares
+$ git checkout openEuler-20.03-LTS-tag
+$ tar -xzvf c-ares-1.15.0.tar.gz
+$ cd c-ares-1.15.0
+$ sudo -E autoreconf -if
+$ sudo -E ./configure --enable-shared --disable-dependency-tracking
+$ sudo -E make -j $(nproc)
+$ sudo -E make install
+$ sudo -E ldconfig
+```
+
+### 编译安装grpc
+```bash
+$ git clone https://gitee.com/src-openeuler/grpc.git
+$ cd grpc
+$ git checkout openEuler-20.03-LTS-tag
+$ tar -xzvf grpc-1.22.0.tar.gz
+$ cd grpc-1.22.0
+$ sudo -E make -j $(nproc)
+$ sudo -E make install
+$ sudo -E ldconfig
+```
+
+### 编译安装http-parser
+```bash
+$ git clone https://gitee.com/src-openeuler/http-parser.git
+$ cd http-parser
+$ git checkout openEuler-20.03-LTS-tag
+$ tar -xzvf http-parser-2.9.2.tar.gz
+$ cd http-parser-2.9.2
+$ sudo -E make -j CFLAGS="-Wno-error"
+$ sudo -E make CFLAGS="-Wno-error" install
+$ sudo -E ldconfig
+```
+
+### 编译安装libwebsockets
+```bash
+$ git clone https://gitee.com/src-openeuler/libwebsockets.git
+$ cd libwebsockets
+$ git checkout openEuler-20.03-LTS-tag
+$ tar -xzvf libwebsockets-2.4.2.tar.gz
+$ cd libwebsockets-2.4.2
+$ patch -p1 -F1 -s < ../libwebsockets-fix-coredump.patch
+$ mkdir build
+$ cd build
+$ sudo -E cmake -DLWS_WITH_SSL=0 -DLWS_MAX_SMP=32 -DCMAKE_BUILD_TYPE=Debug ../
+$ sudo -E make -j $(nproc)
+$ sudo -E make install
+$ sudo -E ldconfig
+```
+
+## 编译安装特定依赖版本
+iSulad依赖一些特定版本的组件，由于各组件是通过函数接口使用，因此，**必须保证各组件版本一致**。例如：
+
+- 统一使用各组件的master分支的代码进行构建；
+- 后续的releases版本会增加依赖的组件的版本号；
+- 也统一可以从[openEuler](https://openeuler.org/zh/download/)的特定OS版本，通过包管理工具获取各组件的`src.rpm`包的方式获取源码；
+- 也可以到[src-openeuler](https://gitee.com/src-openeuler)社区获取各组件相同分支的代码；
+
+### 编译安装lxc
+```bash
+$ git clone https://gitee.com/src-openeuler/lxc.git
+$ cd lxc
+$ tar -zxf lxc-4.0.3.tar.gz
+$ ./apply-patches
+$ cd lxc-4.0.3
+$ sudo -E ./autogen.sh
+$ sudo -E ./configure
+$ sudo -E make -j $(nproc)
+$ sudo -E make install
+```
+
+### 编译安装lcr
+```bash
+$ git clone https://gitee.com/openeuler/lcr.git
+$ cd lcr
+$ mkdir build
+$ cd build
+$ sudo -E cmake ..
+$ sudo -E make -j $(nproc)
+$ sudo -E make install
+```
+
+### 编译安装clibcni
+```bash
+$ git clone https://gitee.com/openeuler/clibcni.git
+$ cd clibcni
+$ mkdir build
+$ cd build
+$ sudo -E cmake ..
+$ sudo -E make -j $(nproc)
+$ sudo -E make install
+```
+
+### 编译安装iSulad
+```bash
+$ git clone https://gitee.com/openeuler/iSulad.git
+$ cd iSulad
+$ mkdir build
+$ cd build
+$ sudo -E cmake ..
+$ sudo -E make -j $(nproc)
+$ sudo -E make install
+```
+-- 
+2.25.1
+
--- a/0014-error-out-if-unpack-layer-failed.patch
+++ b/0014-error-out-if-unpack-layer-failed.patch
@ -0,0 +1,34 @@
+From ff793d00c408810e2f434800fa3811f5ba2501a7 Mon Sep 17 00:00:00 2001
+From: WangFengTu <wangfengtu@huawei.com>
+Date: Thu, 3 Dec 2020 10:32:57 +0800
+Subject: [PATCH 14/17] error out if unpack layer failed
+
+Signed-off-by: WangFengTu <wangfengtu@huawei.com>
+---
+ .../modules/image/oci/storage/layer_store/layer_store.c      | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/src/daemon/modules/image/oci/storage/layer_store/layer_store.c b/src/daemon/modules/image/oci/storage/layer_store/layer_store.c
+index 704dbd63..87e49d07 100644
+--- a/src/daemon/modules/image/oci/storage/layer_store/layer_store.c
+++ b/src/daemon/modules/image/oci/storage/layer_store/layer_store.c
+@@ -1061,14 +1061,13 @@ static int apply_diff(layer_t *l, const struct io_read_wrapper *diff)
+ {
+     int64_t size = 0;
+     int ret = 0;
+-    int nret = 0;
+ 
+     if (diff == NULL) {
+         return 0;
+     }
+ 
+-    nret = graphdriver_apply_diff(l->slayer->id, diff);
+-    if (nret != 0) {
+    ret = graphdriver_apply_diff(l->slayer->id, diff);
+    if (ret != 0) {
+         goto out;
+     }
+ 
+-- 
+2.25.1
+
--- a/0015-ignore-get-ip-error-for-mutlnetwork.patch
+++ b/0015-ignore-get-ip-error-for-mutlnetwork.patch
@ -0,0 +1,27 @@
+From b0b1bc36bf4672ce45c0dd2be877083894b62350 Mon Sep 17 00:00:00 2001
+From: haozi007 <liuhao27@huawei.com>
+Date: Thu, 3 Dec 2020 15:44:27 +0800
+Subject: [PATCH 15/17] ignore get ip error for mutlnetwork
+
+Signed-off-by: haozi007 <liuhao27@huawei.com>
+---
+ src/daemon/entry/cri/cri_sandbox.cc | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/daemon/entry/cri/cri_sandbox.cc b/src/daemon/entry/cri/cri_sandbox.cc
+index 772638a1..2d623097 100644
+--- a/src/daemon/entry/cri/cri_sandbox.cc
+++ b/src/daemon/entry/cri/cri_sandbox.cc
+@@ -985,7 +985,8 @@ void CRIRuntimeServiceImpl::GetFormatIPsForMultNet(container_inspect *inspect, c
+         m_pluginManager->GetPodNetworkStatus(metadata.namespace_(), metadata.name(), elems[i]->interface, inspect->id, status,
+                                              error);
+         if (error.NotEmpty()) {
+-            goto out;
+            WARN("get status for network: %s failed: %s", elems[i]->name, error.GetCMessage());
+            error.Clear();
+         }
+         // add a sentry to make ips of mutlnetwork store from position 2
+         if (result.size() < 2) {
+-- 
+2.25.1
+
--- a/0016-support-default-container-log-options.patch
+++ b/0016-support-default-container-log-options.patch
--- a/0017-add-testcase-for-default-container-log-configs.patch
+++ b/0017-add-testcase-for-default-container-log-configs.patch
@ -0,0 +1,231 @@
+From acbcd786e29a9d3764d69db02ad485d94da1315c Mon Sep 17 00:00:00 2001
+From: haozi007 <liuhao27@huawei.com>
+Date: Thu, 3 Dec 2020 10:36:07 +0800
+Subject: [PATCH 17/17] add testcase for default container log configs
+
+Signed-off-by: haozi007 <liuhao27@huawei.com>
+---
+ CI/test_cases/container_cases/log_test.sh     | 166 ++++++++++++++++++
+ .../container_cases/test_data/daemon.json     |  37 ++++
+ 2 files changed, 203 insertions(+)
+ create mode 100755 CI/test_cases/container_cases/log_test.sh
+ create mode 100644 CI/test_cases/container_cases/test_data/daemon.json
+
+diff --git a/CI/test_cases/container_cases/log_test.sh b/CI/test_cases/container_cases/log_test.sh
+new file mode 100755
+index 00000000..08abf212
+--- /dev/null
+++ b/CI/test_cases/container_cases/log_test.sh
+@@ -0,0 +1,166 @@
+#!/bin/bash
+#
+# attributes: isulad container log
+# concurrent: NA
+# spend time: 46
+
+curr_path=$(dirname $(readlink -f "$0"))
+data_path=$(realpath $curr_path/test_data)
+source ../helpers.sh
+
+function do_pre()
+{
+    mv /etc/isulad/daemon.json /etc/isulad/daemon.bak
+    cp ${data_path}/daemon.json /etc/isulad/daemon.json
+}
+
+function do_post()
+{
+    cp -f /etc/isulad/daemon.bak /etc/isulad/daemon.json
+    check_valgrind_log
+    start_isulad_with_valgrind
+}
+
+function do_check_item()
+{
+    cat ${ISULAD_ROOT_PATH}/engine/lcr/$1/config | grep console | grep "$2"
+    if [ $? -ne 0 ]; then
+        msg_err "expect $2"
+        TC_RET_T=$(($TC_RET_T+1))
+    fi
+}
+
+function do_test_syslog_helper()
+{
+    msg_info "this is $0 do_test"
+
+    crictl pull busybox
+    if [ $? -ne 0 ]; then
+        msg_err "Failed to pull busybox image"
+        TC_RET_T=$(($TC_RET_T+1))
+    fi
+
+    cid=`isula run -tid busybox sh`
+    if [ $? -ne 0 ]; then
+        msg_err "Failed to run container"
+        TC_RET_T=$(($TC_RET_T+1))
+    fi
+
+    do_check_item ${cid} "logdriver = syslog"
+
+    if [ "x$1" != "x" ]; then
+        do_check_item ${cid} "syslog_tag = $1"
+    fi
+
+    isula rm -f ${cid}
+    if [ $? -ne 0 ]; then
+        msg_err "Failed to remove container"
+        TC_RET_T=$(($TC_RET_T+1))
+    fi
+
+    return $TC_RET_T
+}
+
+function do_test_json_file_helper()
+{
+    msg_info "this is $0 do_test"
+    local file_cnt=7
+    local file_size=1MB
+
+    if [ "x$1" != "x" ]; then
+        file_cnt=$1
+    fi
+    if [ "x$2" != "x" ]; then
+        file_size=$2
+    fi
+
+    cid=`isula run -tid busybox sh`
+    if [ $? -ne 0 ]; then
+        msg_err "Failed to run container"
+        TC_RET_T=$(($TC_RET_T+1))
+    fi
+
+    do_check_item ${cid} "logdriver = json-file"
+    do_check_item ${cid} "rotate = $file_cnt"
+    do_check_item ${cid} "size = $file_size"
+
+    isula rm -f ${cid}
+    if [ $? -ne 0 ]; then
+        msg_err "Failed to remove container"
+        TC_RET_T=$(($TC_RET_T+1))
+    fi
+
+    return $TC_RET_T
+}
+
+function do_test_container_log()
+{
+    msg_info "this is $0 do_test"
+
+    cid=`isula run -tid --log-driver=json-file busybox sh`
+    if [ $? -ne 0 ]; then
+        msg_err "Failed to run container"
+        TC_RET_T=$(($TC_RET_T+1))
+    fi
+    do_check_item ${cid} "logdriver = json-file"
+    do_check_item ${cid} "rotate = 7"
+    do_check_item ${cid} "size = 1MB"
+
+    cid=`isula run -tid --log-driver=json-file --log-opt="max-file=8" busybox sh`
+    if [ $? -ne 0 ]; then
+        msg_err "Failed to run container"
+        TC_RET_T=$(($TC_RET_T+1))
+    fi
+    do_check_item ${cid} "logdriver = json-file"
+    do_check_item ${cid} "rotate = 8"
+    do_check_item ${cid} "size = 1MB"
+
+    cid=`isula run -tid --log-driver=json-file --log-opt="max-size=128KB" busybox sh`
+    if [ $? -ne 0 ]; then
+        msg_err "Failed to run container"
+        TC_RET_T=$(($TC_RET_T+1))
+    fi
+    do_check_item ${cid} "logdriver = json-file"
+    do_check_item ${cid} "rotate = 7"
+    do_check_item ${cid} "size = 128KB"
+
+    cid=`isula run -tid --log-driver=json-file --log-opt="disable-log=true" busybox sh`
+    if [ $? -ne 0 ]; then
+        msg_err "Failed to run container"
+        TC_RET_T=$(($TC_RET_T+1))
+    fi
+    cat ${ISULAD_ROOT_PATH}/engine/lcr/${cid}/config | grep console | grep "logfile ="
+    if [ $? -eq 0 ]; then
+        msg_err "Failed to disable log"
+        TC_RET_T=$(($TC_RET_T+1))
+    fi
+
+    isula rm -f `isula ps -aq`
+    return $TC_RET_T
+}
+
+function do_test() {
+    check_valgrind_log
+    start_isulad_with_valgrind --log-opts="syslog-tag=xxxx"
+
+    do_test_syslog_helper "xxxx"
+
+    check_valgrind_log
+    start_isulad_with_valgrind --log-driver=json-file --log-opts="max-size=10MB" --log-opts="max-file=3"
+    do_test_json_file_helper "3" "10MB"
+
+    check_valgrind_log
+    start_isulad_with_valgrind
+    do_test_container_log
+}
+
+ret=0
+
+do_pre
+if [ $? -ne 0 ];then
+    let "ret=$ret + 1"
+fi
+
+do_post
+
+show_result $ret "cni base test"
+diff --git a/CI/test_cases/container_cases/test_data/daemon.json b/CI/test_cases/container_cases/test_data/daemon.json
+new file mode 100644
+index 00000000..f8914ed4
+--- /dev/null
+++ b/CI/test_cases/container_cases/test_data/daemon.json
+@@ -0,0 +1,37 @@
+{
+    "group": "isula",
+    "default-runtime": "lcr",
+    "graph": "/var/lib/isulad",
+    "state": "/var/run/isulad",
+    "engine": "lcr",
+    "log-level": "ERROR",
+    "pidfile": "/var/run/isulad.pid",
+    "log-opts": {
+        "log-file-mode": "0600",
+        "log-path": "/var/lib/isulad",
+        "max-file": "1",
+        "max-size": "30KB"
+    },
+    "log-driver": "stdout",
+    "container-log": {
+        "driver": "syslog"
+    },
+    "hook-spec": "/etc/default/isulad/hooks/default.json",
+    "start-timeout": "2m",
+    "storage-driver": "overlay2",
+    "storage-opts": [
+        "overlay2.override_kernel_check=true"
+    ],
+    "registry-mirrors": [
+    ],
+    "insecure-registries": [
+    ],
+    "pod-sandbox-image": "",
+    "native.umask": "secure",
+    "network-plugin": "",
+    "cni-bin-dir": "",
+    "cni-conf-dir": "",
+    "image-layer-check": false,
+    "use-decrypted-key": true,
+    "insecure-skip-verify-enforce": false
+}
+-- 
+2.25.1
+
--- a/iSulad.spec
+++ b/iSulad.spec
@ -1,5 +1,5 @@
 %global _version 2.0.7
-%global _release 20201128.095506.git1e1623a5
+%global _release 20201203.190902.git48f598fd
 %global is_systemd 1

 Name:      iSulad
@ -22,6 +22,13 @@ Patch0007: 0007-add-mock-conf_get_use_decrypted_key_flag-and-setup-a.patch
 Patch0008: 0008-show-all-mutl-network-ips.patch
 Patch0009: 0009-iSulad-only-qsort-the-configed-mounts.patch
 Patch0010: 0010-CI-add-testcases-for-bind-proc-and-sys-fs.patch
+Patch0011: 0011-verify-peer-if-it-s-secure-registry.patch
+Patch0012: 0012-make-sure-all-certs-load-success-if-any-provided.patch
+Patch0013: 0013-add-ch-docs-for-install-iSulad.patch
+Patch0014: 0014-error-out-if-unpack-layer-failed.patch
+Patch0015: 0015-ignore-get-ip-error-for-mutlnetwork.patch
+Patch0016: 0016-support-default-container-log-options.patch
+Patch0017: 0017-add-testcase-for-default-container-log-configs.patch

 %ifarch x86_64 aarch64
 Provides:       libhttpclient.so()(64bit)
@ -224,6 +231,12 @@ fi
 %endif

 %changelog
+* Thu Dec 3 2020 haozi007 <liuhao27@huawei.com> - 2.0.7-20201203.190902.git48f598fd
+- Type:update from master
+- ID:NA
+- SUG:NA
+- DESC: update from master
+
 * Sat Nov 28 2020 lifeng<lifeng68@huawei.com> - 2.0.7-20201128.095506.git1e1623a5
 - Type: bugfix
 - ID:NA