packages/lcr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!265 sync from upstream

Browse Source 
* sync from upstream
This commit is contained in:
jake 2023-11-15 02:33:37 +00:00 committed by haozi007
parent 26787717d8
commit acc393551b
17 changed files with 547 additions and 3009 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
0001-280-Add-masked-and-readonly-path-in-host-config.patch Normal file
View File

@ -0,0 +1,36 @@
From dcdc428e0e48333405966e6c1188e77f8d2f550b Mon Sep 17 00:00:00 2001
From: jake <jikai11@huawei.com>
Date: Wed, 8 Nov 2023 01:09:36 +0000
Subject: [PATCH 1/6] !280 Add masked and readonly path in host config * Add
masked and readonly path in host config
---
src/json/schema/host-config.json | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/src/json/schema/host-config.json b/src/json/schema/host-config.json
index 302a537..30f1bdc 100644
--- a/src/json/schema/host-config.json
+++ b/src/json/schema/host-config.json
@@ -293,6 +293,18 @@
},
"CgroupParent": {
"type": "string"
+ },
+ "MaskedPaths": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "ReadonlyPaths": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
}
}
}
--
2.33.0

37
0001-support-check-symbols-and-compile-code-in-cmake.patch
View File

@ -1,37 +0,0 @@
From 6646d4020ba6e1ea2bf4a129cd7188368e18d3bc Mon Sep 17 00:00:00 2001
From: haozi007 <liuhao27@huawei.com>
Date: Sat, 26 Aug 2023 10:54:02 +0800
Subject: [PATCH 1/8] support check symbols and compile code in cmake
Signed-off-by: haozi007 <liuhao27@huawei.com>
---
cmake/checker.cmake | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/cmake/checker.cmake b/cmake/checker.cmake
index 13c1cdb..27a83d1 100644
--- a/cmake/checker.cmake
+++ b/cmake/checker.cmake
@@ -20,6 +20,9 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
#
+include(CheckFunctionExists)
+include(CheckCSourceCompiles)
+
# check depends library and headers
find_package(PkgConfig REQUIRED)
@@ -91,3 +94,9 @@ if (ENABLE_GCOV)
_CHECK(CMD_GENHTML "CMD_GENHTML-NOTFOUND" "genhtml")
endif()
+check_function_exists(strerror_r HAVE_STRERROR_R)
+
+check_c_source_compiles(
+ "#define _GNU_SOURCE\n#include <string.h>\nint main() { char err_str[128]; char *ptr = strerror_r(-2, err_str, 128); return ptr != (void *)0L; }"
+ STRERROR_R_CHAR_P
+)
--
2.34.1

27
0002-279-sanbox-del-containers-in-metadata.patch Normal file
View File

@ -0,0 +1,27 @@
From 0372a70a82a39b69e07b0953a9e7f1d25aa84ad0 Mon Sep 17 00:00:00 2001
From: liuxu <liuxu156@huawei.com>
Date: Wed, 8 Nov 2023 01:10:05 +0000
Subject: [PATCH 2/6] !279 sanbox:del containers in metadata * sanbox:del
containers in metadata
---
src/json/schema/sandbox/metadata.json | 3 ---
1 file changed, 3 deletions(-)
diff --git a/src/json/schema/sandbox/metadata.json b/src/json/schema/sandbox/metadata.json
index 56cc9e0..b3b6886 100644
--- a/src/json/schema/sandbox/metadata.json
+++ b/src/json/schema/sandbox/metadata.json
@@ -34,9 +34,6 @@
"networkReady": {
"type": "boolean"
},
- "containers": {
- "type": "ArrayOfStrings"
- },
"sandboxConfigJson": {
"type": "string"
}
--
2.33.0

97
0002-remove-unnecessary-strerror.patch
View File

@ -1,97 +0,0 @@
From 24579633671fca855dd1c66a4d7614ccf2e7e388 Mon Sep 17 00:00:00 2001
From: haozi007 <liuhao27@huawei.com>
Date: Tue, 5 Sep 2023 19:35:37 +0800
Subject: [PATCH 2/8] remove unnecessary strerror
Signed-off-by: haozi007 <liuhao27@huawei.com>
---
src/runtime/lcrcontainer_execute.c | 3 +--
src/runtime/lcrcontainer_extend.c | 16 ++++++++--------
2 files changed, 9 insertions(+), 10 deletions(-)
diff --git a/src/runtime/lcrcontainer_execute.c b/src/runtime/lcrcontainer_execute.c
index 864c097..f2bb944 100644
--- a/src/runtime/lcrcontainer_execute.c
+++ b/src/runtime/lcrcontainer_execute.c
@@ -71,8 +71,7 @@
do \
{ \
SYSERROR("Error updating cgroup %s to %s", (item), (value)); \
- lcr_set_error_message(LCR_ERR_RUNTIME, "Error updating cgroup %s to %s: %s", (item), (value), \
- strerror(errno)); \
+ lcr_set_error_message(LCR_ERR_RUNTIME, "Error updating cgroup %s to %s.", (item), (value)); \
} while (0)
static inline void add_array_elem(char **array, size_t total, size_t *pos, const char *elem)
diff --git a/src/runtime/lcrcontainer_extend.c b/src/runtime/lcrcontainer_extend.c
index 2f3ae9f..8b5a85c 100644
--- a/src/runtime/lcrcontainer_extend.c
+++ b/src/runtime/lcrcontainer_extend.c
@@ -153,7 +153,7 @@ static int make_annotations(oci_runtime_spec *container, const struct lxc_contai
goto out;
}
if (lcr_util_ensure_path(&realpath, anno->values[fpos])) {
- ERROR("Invalid log path: %s, error: %s.", anno->values[fpos], strerror(errno));
+ SYSERROR("Invalid log path: %s.", anno->values[fpos]);
goto out;
}
ret = 0;
@@ -378,7 +378,7 @@ static int lcr_spec_write_seccomp_line(FILE *fp, const char *seccomp)
line[nret] = '\n';
if (fwrite(line, 1, len ,fp) != len) {
- ERROR("Write file failed: %s", strerror(errno));
+ SYSERROR("Write file failed");
goto cleanup;
}
@@ -743,8 +743,8 @@ static FILE *lcr_open_config_file(const char *bundle)
fd = lcr_util_open(real_config, O_CREAT | O_TRUNC | O_CLOEXEC | O_WRONLY, CONFIG_FILE_MODE);
if (fd == -1) {
- ERROR("Create file %s failed, %s", real_config, strerror(errno));
- lcr_set_error_message(LCR_ERR_RUNTIME, "Create file %s failed, %s", real_config, strerror(errno));
+ SYSERROR("Create file %s failed", real_config);
+ lcr_set_error_message(LCR_ERR_RUNTIME, "Create file %s failed", real_config);
goto out;
}
@@ -856,7 +856,7 @@ static int lcr_spec_write_config(FILE *fp, const struct lcr_list *lcr_conf)
line_encode[len] = '\n';
if (fwrite(line_encode, 1, len + 1, fp) != len + 1) {
- ERROR("Write file failed: %s", strerror(errno));
+ SYSERROR("Write file failed");
goto cleanup;
}
@@ -908,7 +908,7 @@ char *lcr_get_bundle(const char *lcrpath, const char *name)
ERROR("Bundle %s does not exist", bundle);
break;
default:
- ERROR("Access %s failed: %s\n", bundle, strerror(errno));
+ SYSERROR("Access %s failed", bundle);
}
goto cleanup;
}
@@ -995,7 +995,7 @@ static int lcr_write_file(const char *path, const char *data, size_t len)
}
if (write(fd, data, len) == -1) {
- ERROR("write data to %s failed: %s", real_path, strerror(errno));
+ SYSERROR("write data to %s failed", real_path);
goto out_free;
}
@@ -1023,7 +1023,7 @@ static bool lcr_write_ocihooks(const char *path, const oci_runtime_spec_hooks *h
}
if (lcr_write_file(path, json_hooks, strlen(json_hooks)) == -1) {
- ERROR("write json hooks failed: %s", strerror(errno));
+ SYSERROR("write json hooks failed");
goto out_free;
}
--
2.34.1

112
0003-add-function-to-transfer-of-ownership.patch Normal file
View File

@ -0,0 +1,112 @@
From fd369e066c94ba19e4233dc36030441754220553 Mon Sep 17 00:00:00 2001
From: haozi007 <liuhao27@huawei.com>
Date: Wed, 8 Nov 2023 10:32:43 +0800
Subject: [PATCH 3/6] add function to transfer of ownership
Signed-off-by: haozi007 <liuhao27@huawei.com>
---
src/auto_cleanup.h | 18 ++++++++++++++++++
tests/auto_cleanup_ut.cpp | 30 +++++++++++++++++++++++++++++-
2 files changed, 47 insertions(+), 1 deletion(-)
diff --git a/src/auto_cleanup.h b/src/auto_cleanup.h
index 2fa9f41..6d04372 100644
--- a/src/auto_cleanup.h
+++ b/src/auto_cleanup.h
@@ -24,6 +24,10 @@
#ifndef __ISULA_AUTO_CLEANUP_H
#define __ISULA_AUTO_CLEANUP_H
+#ifndef _GNU_SOURCE
+#define _GNU_SOURCE 1
+#endif
+
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
@@ -36,6 +40,20 @@
extern "C" {
#endif
+#define isula_transfer_fd(fd) \
+ ({ \
+ int __tmp_fd = (fd); \
+ (fd) = -EBADF; \
+ __tmp_fd; \
+ })
+
+#define isula_transfer_ptr(ptr) \
+ ({ \
+ __typeof__(ptr) __tmp_ptr = (ptr); \
+ (ptr) = NULL; \
+ __tmp_ptr; \
+ })
+
#define auto_cleanup_tag(name) __attribute__((__cleanup__(name##_cb)))
// define all used auto tags
diff --git a/tests/auto_cleanup_ut.cpp b/tests/auto_cleanup_ut.cpp
index b167bcb..2600d56 100644
--- a/tests/auto_cleanup_ut.cpp
+++ b/tests/auto_cleanup_ut.cpp
@@ -122,6 +122,17 @@ size_t do_auto_free()
#endif
}
+int *do_auto_free_and_transfer()
+{
+ __isula_auto_free int *test = nullptr;
+
+ // use 1024 * 1024 to ensure memory allo from mmap
+ test = static_cast<int *>(malloc(sizeof(int)));
+ *test = 8;
+
+ return isula_transfer_ptr(test);
+}
+
TEST(autocleanup_testcase, test__isula_auto_free)
{
#if defined(__GLIBC__) && ((__GLIBC__ > 2) || (__GLIBC__ == 2 && __GLIBC_MINOR__ >= 33))
@@ -145,6 +156,10 @@ TEST(autocleanup_testcase, test__isula_auto_free)
ASSERT_NE(used, after.hblks);
ASSERT_NE(used, before.hblks);
ASSERT_EQ(before.hblks, after.hblks);
+
+ __isula_auto_free int *transfer_ptr = do_auto_free_and_transfer();
+ ASSERT_NE(nullptr, transfer_ptr);
+ ASSERT_EQ(8, *transfer_ptr);
}
int do_auto_file()
@@ -198,14 +213,27 @@ int do_auto_close()
return fd;
}
+int do_auto_close_and_transfer()
+{
+ __isula_auto_close int fd = -1;
+
+ fd = open("/proc/self/cmdline", 0444);
+
+ return isula_transfer_fd(fd);
+}
+
TEST(autocleanup_testcase, test__isula_auto_close)
{
int openfd, ret;
size_t i;
struct stat sbuf = { 0 };
+ __isula_auto_close int transfer_fd = -1;
- openfd = do_auto_close();
+ transfer_fd = do_auto_close_and_transfer();
+ ret = fstat(transfer_fd, &sbuf);
+ ASSERT_EQ(0, ret);
+ openfd = do_auto_close();
ret = fstat(openfd, &sbuf);
ASSERT_NE(0, ret);
ASSERT_EQ(EBADF, errno);
--
2.33.0

82
0003-improve-code-of-function-in-log.patch
View File

@ -1,82 +0,0 @@
From 19810333a97614619a1e2c945c253c964ef02d3b Mon Sep 17 00:00:00 2001
From: haozi007 <liuhao27@huawei.com>
Date: Wed, 6 Sep 2023 14:22:21 +0800
Subject: [PATCH 3/8] improve code of function in log
Signed-off-by: haozi007 <liuhao27@huawei.com>
---
src/runtime/lcrcontainer_execute.c | 4 ++--
src/third_party/log.c | 6 +++---
src/third_party/log.h | 4 ++--
3 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/runtime/lcrcontainer_execute.c b/src/runtime/lcrcontainer_execute.c
index f2bb944..e91ff27 100644
--- a/src/runtime/lcrcontainer_execute.c
+++ b/src/runtime/lcrcontainer_execute.c
@@ -883,7 +883,7 @@ static void execute_lxc_attach(const char *name, const char *path, const struct
execvp("lxc-attach", params);
- COMMAND_ERROR("Failed to exec lxc-attach: %s", strerror(errno));
+ CMD_SYSERROR("Failed to exec lxc-attach");
free(params);
exit(EXIT_FAILURE);
}
@@ -1027,6 +1027,6 @@ void execute_lxc_start(const char *name, const char *path, const struct lcr_star
execvp("lxc-start", params);
- COMMAND_ERROR("Failed to exec lxc-start: %s.", strerror(errno));
+ CMD_SYSERROR("Failed to exec lxc-start.");
exit(EXIT_FAILURE);
}
diff --git a/src/third_party/log.c b/src/third_party/log.c
index 5ba638b..5097eb8 100644
--- a/src/third_party/log.c
+++ b/src/third_party/log.c
@@ -309,18 +309,18 @@ static int open_fifo(const char *fifo_path)
nret = mknod(fifo_path, S_IFIFO | S_IRUSR | S_IWUSR, (dev_t)0);
if (nret && errno != EEXIST) {
- COMMAND_ERROR("Mknod failed: %s", strerror(errno));
+ CMD_SYSERROR("Mknod failed");
return nret;
}
fifo_fd = lcr_util_open(fifo_path, O_RDWR | O_NONBLOCK, 0);
if (fifo_fd == -1) {
- COMMAND_ERROR("Open fifo %s failed: %s", fifo_path, strerror(errno));
+ CMD_SYSERROR("Open fifo %s failed", fifo_path);
return -1;
}
if (fcntl(fifo_fd, F_SETPIPE_SZ, LOG_FIFO_SIZE) == -1) {
- COMMAND_ERROR("Set fifo buffer size failed: %s", strerror(errno));
+ CMD_SYSERROR("Set fifo buffer size failed");
close(fifo_fd);
return -1;
}
diff --git a/src/third_party/log.h b/src/third_party/log.h
index 3462b17..d0e5fa8 100644
--- a/src/third_party/log.h
+++ b/src/third_party/log.h
@@ -417,13 +417,13 @@ lxc_log_priority_define(&g_lxc_log_category_lxc, FATAL);
#define CMD_SYSERROR(format, ...) \
do { \
lxc_log_strerror_r; \
- fprintf(stderr, "%s - " format, ptr, ##__VA_ARGS__); \
+ fprintf(stderr, "%s - " format "\n", ptr, ##__VA_ARGS__); \
} while (0)
#define CMD_SYSINFO(format, ...) \
do { \
lxc_log_strerror_r; \
- printf("%s - " format, ptr, ##__VA_ARGS__); \
+ printf("%s - " format "\n", ptr, ##__VA_ARGS__); \
} while (0)
#define COMMAND_ERROR(fmt, args...) \
--
2.34.1

31
0004-283-network-support-version-opt-result.patch Normal file
View File

@ -0,0 +1,31 @@
From 73ed2ec4771fd79912f1683ce094fc6d1becbf58 Mon Sep 17 00:00:00 2001
From: liuxu <liuxu156@huawei.com>
Date: Fri, 10 Nov 2023 09:20:41 +0000
Subject: [PATCH 4/6] !283 network:support version opt result * network:support
version opt result
---
src/json/schema/cni/{version.json => version_info.json} | 3 +++
1 file changed, 3 insertions(+)
rename src/json/schema/cni/{version.json => version_info.json} (72%)
diff --git a/src/json/schema/cni/version.json b/src/json/schema/cni/version_info.json
similarity index 72%
rename from src/json/schema/cni/version.json
rename to src/json/schema/cni/version_info.json
index 3831508..9f93d33 100644
--- a/src/json/schema/cni/version.json
+++ b/src/json/schema/cni/version_info.json
@@ -4,6 +4,9 @@
"properties": {
"cniVersion": {
"type": "string"
+ },
+ "supportedVersions": {
+ "$ref": "array_of_strings.json"
}
},
"required": [
--
2.33.0

338
0004-support-visibility-of-compiler.patch
View File

@ -1,338 +0,0 @@
From ed36936f30525704f71e3b7444c1d25ffe50ab2f Mon Sep 17 00:00:00 2001
From: haozi007 <liuhao27@huawei.com>
Date: Tue, 12 Sep 2023 10:27:05 +0800
Subject: [PATCH 4/8] support visibility of compiler
use visibility for liblcr
Signed-off-by: haozi007 <liuhao27@huawei.com>
---
CMakeLists.txt | 4 +--
src/CMakeLists.txt | 1 +
src/runtime/lcrcontainer.h | 68 ++++++++++++++++++++------------------
src/utils/utils_compile.h | 50 ++++++++++++++++++++++++++++
4 files changed, 88 insertions(+), 35 deletions(-)
create mode 100644 src/utils/utils_compile.h
diff --git a/CMakeLists.txt b/CMakeLists.txt
index a51ac7d..e00dc96 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -117,8 +117,8 @@ install(FILES ${CMAKE_BINARY_DIR}/conf/lcr.pc
DESTINATION ${LIB_INSTALL_DIR_DEFAULT}/pkgconfig PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ GROUP_WRITE WORLD_READ WORLD_EXECUTE)
install(FILES ${CMAKE_BINARY_DIR}/conf/libisula.pc
DESTINATION ${LIB_INSTALL_DIR_DEFAULT}/pkgconfig PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ GROUP_WRITE WORLD_READ WORLD_EXECUTE)
-install(FILES src/runtime/lcrcontainer.h
- DESTINATION include/lcr)
+install(FILES src/runtime/lcrcontainer.h DESTINATION include/lcr)
+install(FILES src/utils/utils_compile.h DESTINATION include/lcr)
install(FILES src/third_party/log.h DESTINATION include/isula_libutils)
install(FILES src/third_party/go_crc64.h DESTINATION include/isula_libutils)
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index 2bf468f..c423dd7 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -124,6 +124,7 @@ target_include_directories(liblcr
# set liblcr compile flags
set_target_properties(liblcr PROPERTIES PREFIX "")
target_link_libraries(liblcr ${check_libs} isula_libutils)
+target_compile_options(liblcr PRIVATE -fvisibility=hidden)
if (CMAKE_TOOLCHAIN_FILE)
target_link_directories(liblcr PUBLIC ${CMAKE_LIBRARY_PATH})
diff --git a/src/runtime/lcrcontainer.h b/src/runtime/lcrcontainer.h
index edfc869..6add8c4 100644
--- a/src/runtime/lcrcontainer.h
+++ b/src/runtime/lcrcontainer.h
@@ -32,13 +32,15 @@
#include <stdbool.h>
#include <sys/types.h>
+#include "utils_compile.h"
+
#ifdef __cplusplus
extern "C" {
#endif
/* define console log config */
-struct lcr_console_config {
+__EXPORT__ struct lcr_console_config {
char *log_path;
unsigned int log_rotate;
char *log_file_size;
@@ -47,7 +49,7 @@ struct lcr_console_config {
/*
* Store lcr container info
*/
-struct lcr_container_info {
+__EXPORT__ struct lcr_container_info {
/* Name of container. */
char *name;
/* State of container. */
@@ -62,7 +64,7 @@ struct lcr_container_info {
bool running;
};
-struct blkio_stats {
+__EXPORT__ struct blkio_stats {
uint64_t read;
uint64_t write;
uint64_t total;
@@ -71,7 +73,7 @@ struct blkio_stats {
/*
* Store lcr container state
*/
-struct lcr_container_state {
+__EXPORT__ struct lcr_container_state {
/* Name of container */
char *name;
/* State of container */
@@ -108,14 +110,14 @@ typedef enum {
lcr_msg_exit_code,
} lcr_msg_type_t;
-struct lcr_msg {
+__EXPORT__ struct lcr_msg {
lcr_msg_type_t type;
char name[NAME_MAX + 1];
int value;
int pid;
};
-struct lcr_cgroup_resources {
+__EXPORT__ struct lcr_cgroup_resources {
uint64_t blkio_weight;
uint64_t cpu_shares;
uint64_t cpu_period;
@@ -134,23 +136,23 @@ struct lcr_cgroup_resources {
* Get one container info for a given lcrpath.
* return struct of container info, or NULL on error.
*/
-struct lcr_container_info *lcr_container_info_get(const char *name, const char *lcrpath);
+__EXPORT__ struct lcr_container_info *lcr_container_info_get(const char *name, const char *lcrpath);
/*
* Free lcr_container_info returned lcr_container_info_get
*/
-void lcr_container_info_free(struct lcr_container_info *info);
+__EXPORT__ void lcr_container_info_free(struct lcr_container_info *info);
/*
* Get a complete list of all containers for a given lcrpath.
* return Number of containers, or -1 on error.
*/
-int lcr_list_all_containers(const char *lcrpath, struct lcr_container_info **info_arr);
+__EXPORT__ int lcr_list_all_containers(const char *lcrpath, struct lcr_container_info **info_arr);
/*
* Free lcr_container_info array returned by lcr_list_{active,all}_containers
*/
-void lcr_containers_info_free(struct lcr_container_info **info_arr, size_t size);
+__EXPORT__ void lcr_containers_info_free(struct lcr_container_info **info_arr, size_t size);
/*
* Create a container
@@ -158,7 +160,7 @@ void lcr_containers_info_free(struct lcr_container_info **info_arr, size_t size)
* param lcrpath : container path
* param oci_json_data : json string of oci config data
*/
-bool lcr_create_from_ocidata(const char *name, const char *lcrpath, const void *oci_json_data);
+__EXPORT__ bool lcr_create_from_ocidata(const char *name, const char *lcrpath, const void *oci_json_data);
/*
* Create a container
@@ -166,7 +168,7 @@ bool lcr_create_from_ocidata(const char *name, const char *lcrpath, const void *
* param lcrpath : container path
* param oci_config : pointer of struct oci config
*/
-bool lcr_create(const char *name, const char *lcrpath, void *oci_config);
+__EXPORT__ bool lcr_create(const char *name, const char *lcrpath, void *oci_config);
/*
* Start a container
@@ -188,7 +190,7 @@ bool lcr_create(const char *name, const char *lcrpath, void *oci_config);
* gid : user in which group
* additional_gids : Add additional groups to join
*/
-struct lcr_start_request {
+__EXPORT__ struct lcr_start_request {
const char *name;
const char *lcrpath;
@@ -204,7 +206,7 @@ struct lcr_start_request {
const char *exit_fifo;
bool image_type_oci;
};
-bool lcr_start(const struct lcr_start_request *request);
+__EXPORT__ bool lcr_start(const struct lcr_start_request *request);
/*
* Stop a container
@@ -212,7 +214,7 @@ bool lcr_start(const struct lcr_start_request *request);
* param lcrpath : container path, set to NULL if you want use default lcrpath.
* param signal : signal to send to the container.
*/
-bool lcr_kill(const char *name, const char *lcrpath, uint32_t signal);
+__EXPORT__ bool lcr_kill(const char *name, const char *lcrpath, uint32_t signal);
/*
* Delete a container
@@ -220,9 +222,9 @@ bool lcr_kill(const char *name, const char *lcrpath, uint32_t signal);
* param lcrpath : container path, set to NULL if you want use default lcrpath.
* param force : force to delete container
*/
-bool lcr_delete(const char *name, const char *lcrpath);
+__EXPORT__ bool lcr_delete(const char *name, const char *lcrpath);
-bool lcr_clean(const char *name, const char *lcrpath, const char *logpath, const char *loglevel, pid_t pid);
+__EXPORT__ bool lcr_clean(const char *name, const char *lcrpath, const char *logpath, const char *loglevel, pid_t pid);
/*
* Get state of the container
@@ -230,26 +232,26 @@ bool lcr_clean(const char *name, const char *lcrpath, const char *logpath, const
* param lcrpath : container path, set to NULL if you want use default lcrpath.
* param lcs : returned contaiener state
*/
-bool lcr_state(const char *name, const char *lcrpath, struct lcr_container_state *lcs);
+__EXPORT__ bool lcr_state(const char *name, const char *lcrpath, struct lcr_container_state *lcs);
/*
* Pause a container
* param name : container name, required.
* param lcrpath : container path, set to NULL if you want use default lcrpath.
*/
-bool lcr_pause(const char *name, const char *lcrpath);
+__EXPORT__ bool lcr_pause(const char *name, const char *lcrpath);
/*
* Resume a container
* param name : container name, required.
* param lcrpath : container path, set to NULL if you want use default lcrpath.
*/
-bool lcr_resume(const char *name, const char *lcrpath);
+__EXPORT__ bool lcr_resume(const char *name, const char *lcrpath);
/*
* Free lcr_container_state returned by lcr_state
*/
-void lcr_container_state_free(struct lcr_container_state *lcs);
+__EXPORT__ void lcr_container_state_free(struct lcr_container_state *lcs);
/*
* console function
@@ -259,7 +261,7 @@ void lcr_container_state_free(struct lcr_container_state *lcs);
* param out_fifo : fifo names of output FIFO
* Returns false if the console FIFOs add failed, true if success
*/
-bool lcr_console(const char *name, const char *lcrpath, const char *in_fifo, const char *out_fifo,
+__EXPORT__ bool lcr_console(const char *name, const char *lcrpath, const char *in_fifo, const char *out_fifo,
const char *err_fifo);
/*
@@ -268,14 +270,14 @@ bool lcr_console(const char *name, const char *lcrpath, const char *in_fifo, con
* param lcrpath : container path, set to NULL if you want use default lcrpath.
* param config : use to store container console configs, cannot be NULL
*/
-bool lcr_get_console_config(const char *name, const char *lcrpath, struct lcr_console_config *config);
+__EXPORT__ bool lcr_get_console_config(const char *name, const char *lcrpath, struct lcr_console_config *config);
-void lcr_free_console_config(struct lcr_console_config *config);
+__EXPORT__ void lcr_free_console_config(struct lcr_console_config *config);
-int lcr_log_init(const char *name, const char *file, const char *priority,
+__EXPORT__ int lcr_log_init(const char *name, const char *file, const char *priority,
const char *prefix, int quiet, const char *lcrpath);
-struct lcr_exec_request {
+__EXPORT__ struct lcr_exec_request {
const char *name;
const char *lcrpath;
@@ -303,18 +305,18 @@ struct lcr_exec_request {
/*
* Execute process inside a container
*/
-bool lcr_exec(const struct lcr_exec_request *request, int *exit_code);
+__EXPORT__ bool lcr_exec(const struct lcr_exec_request *request, int *exit_code);
-bool lcr_update(const char *name, const char *lcrpath, const struct lcr_cgroup_resources *cr);
+__EXPORT__ bool lcr_update(const char *name, const char *lcrpath, const struct lcr_cgroup_resources *cr);
-const char *lcr_get_errmsg();
+__EXPORT__ const char *lcr_get_errmsg();
-void lcr_free_errmsg();
+__EXPORT__ void lcr_free_errmsg();
-bool lcr_get_container_pids(const char *name, const char *lcrpath, pid_t **pids, size_t *pids_len);
+__EXPORT__ bool lcr_get_container_pids(const char *name, const char *lcrpath, pid_t **pids, size_t *pids_len);
-bool lcr_resize(const char *name, const char *lcrpath, unsigned int height, unsigned int width);
-bool lcr_exec_resize(const char *name, const char *lcrpath, const char *suffix, unsigned int height,
+__EXPORT__ bool lcr_resize(const char *name, const char *lcrpath, unsigned int height, unsigned int width);
+__EXPORT__ bool lcr_exec_resize(const char *name, const char *lcrpath, const char *suffix, unsigned int height,
unsigned int width);
#ifdef __cplusplus
}
diff --git a/src/utils/utils_compile.h b/src/utils/utils_compile.h
new file mode 100644
index 0000000..3bdb24e
--- /dev/null
+++ b/src/utils/utils_compile.h
@@ -0,0 +1,50 @@
+/******************************************************************************
+ * isula: compile utils
+ *
+ * Copyright (c) Huawei Technologies Co., Ltd. 2023. All rights reserved.
+ *
+ * Authors:
+ * Haozi007 <liuhao27@huawei.com>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ ********************************************************************************/
+#ifndef _ISULA_UTILS_UTILS_COMPILE_H
+#define _ISULA_UTILS_UTILS_COMPILE_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if defined(__GNUC__) && (__GNUC__ >= 4)
+#ifndef __HIDDEN__
+#define __HIDDEN__ __attribute__((visibility("hidden")))
+#endif
+
+#ifndef __EXPORT__
+#define __EXPORT__ __attribute__((visibility("default")))
+#endif
+
+#else
+#define __HIDDEN__
+#ifndef __EXPORT__
+#endif
+
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _ISULA_UTILS_UTILS_COMPILE_H */
\ No newline at end of file
--
2.34.1

218
0005-add-attach-fd-for-process-state-and-add-needed-util-.patch Normal file
View File

@ -0,0 +1,218 @@
From d8a706eb0e0ba937d8b99dadbbad2771469eef97 Mon Sep 17 00:00:00 2001
From: zhongtao <zhongtao17@huawei.com>
Date: Wed, 8 Nov 2023 15:40:01 +0800
Subject: [PATCH 5/6] add attach fd for process state and add needed util
function
Signed-off-by: zhongtao <zhongtao17@huawei.com>
---
.../schema/shim/client/process-state.json | 3 ++
src/utils/utils.c | 48 +++++++++++++++++++
src/utils/utils.h | 2 +
src/utils/utils_file.c | 41 ++++++++++++++++
src/utils/utils_file.h | 4 ++
src/utils/utils_string.c | 17 +++++++
src/utils/utils_string.h | 2 +
7 files changed, 117 insertions(+)
diff --git a/src/json/schema/shim/client/process-state.json b/src/json/schema/shim/client/process-state.json
index f07d14f..2383b43 100644
--- a/src/json/schema/shim/client/process-state.json
+++ b/src/json/schema/shim/client/process-state.json
@@ -151,6 +151,9 @@
"exit_fifo": {
"type": "string"
},
+ "attach_socket": {
+ "type": "string"
+ },
"control_fifo": {
"type": "string"
},
diff --git a/src/utils/utils.c b/src/utils/utils.c
index cd0934f..fabdf71 100644
--- a/src/utils/utils.c
+++ b/src/utils/utils.c
@@ -25,6 +25,9 @@
#include <sys/wait.h>
#include <errno.h>
#include <time.h>
+#include <regex.h>
+
+#include "log.h"
int isula_wait_pid_ret_status(pid_t pid)
{
@@ -81,4 +84,49 @@ void isula_usleep_nointerupt(unsigned long usec)
ret = nanosleep(&request, &remain);
request = remain;
} while (ret == -1 && errno == EINTR);
+}
+
+/*
+ * do not support greedy matching, like: '(:?xx)'
+ * return value:
+ * -1 failed
+ * 0 match
+ * 1 no match
+ */
+int isula_reg_match(const char *patten, const char *str)
+{
+#define EVENT_ARGS_MAX 255
+ int nret = 0;
+ char buffer[EVENT_ARGS_MAX] = { 0 };
+ regex_t reg;
+
+ if (patten == NULL || str == NULL) {
+ ERROR("invalid NULL param");
+ return -1;
+ }
+
+ nret = regcomp(&reg, patten, REG_EXTENDED | REG_NOSUB);
+ if (nret != 0) {
+ regerror(nret, &reg, buffer, EVENT_ARGS_MAX);
+ ERROR("regcomp %s failed: %s", patten, buffer);
+ return -1;
+ }
+
+ nret = regexec(&reg, str, 0, NULL, 0);
+ if (nret == 0) {
+ nret = 0;
+ goto free_out;
+ } else if (nret == REG_NOMATCH) {
+ nret = 1;
+ goto free_out;
+ } else {
+ nret = -1;
+ ERROR("reg match failed");
+ goto free_out;
+ }
+
+free_out:
+ regfree(&reg);
+
+ return nret;
}
\ No newline at end of file
diff --git a/src/utils/utils.h b/src/utils/utils.h
index dabaee2..b4ab9d0 100644
--- a/src/utils/utils.h
+++ b/src/utils/utils.h
@@ -46,6 +46,8 @@ int isula_wait_pid(pid_t pid);
void isula_usleep_nointerupt(unsigned long usec);
+int isula_reg_match(const char *patten, const char *str);
+
#ifdef __cplusplus
}
#endif
diff --git a/src/utils/utils_file.c b/src/utils/utils_file.c
index fb55cf8..067715c 100644
--- a/src/utils/utils_file.c
+++ b/src/utils/utils_file.c
@@ -656,4 +656,45 @@ int isula_path_remove(const char *path)
errno = saved_errno;
}
return -1;
+}
+
+int isula_set_non_block(const int fd)
+{
+ int flag = -1;
+ int ret = -1;
+
+ if (fd < 0) {
+ ERROR("Invalid fd: %d.", fd);
+ return -1;
+ }
+
+ flag = fcntl(fd, F_GETFL, 0);
+ if (flag < 0) {
+ SYSERROR("Failed to get flags for fd: %d", fd);
+ return -1;
+ }
+
+ ret = fcntl(fd, F_SETFL, flag | O_NONBLOCK);
+ if (ret != 0) {
+ SYSERROR("Failed to set flags for fd: %d", fd);
+ return -1;
+ }
+
+ return 0;
+}
+
+int isula_validate_absolute_path(const char *path)
+{
+#define PATTEN_STR "^(/[^/ ]*)+/?$"
+ int nret = 0;
+
+ if (path == NULL) {
+ return -1;
+ }
+
+ if (isula_reg_match(PATTEN_STR, path) != 0) {
+ nret = -1;
+ }
+
+ return nret;
}
\ No newline at end of file
diff --git a/src/utils/utils_file.h b/src/utils/utils_file.h
index 83d0a5d..23c4700 100644
--- a/src/utils/utils_file.h
+++ b/src/utils/utils_file.h
@@ -67,6 +67,10 @@ int isula_file_atomic_write(const char *filepath, const char *content);
int isula_close_inherited_fds(bool closeall, int fd_to_ignore);
+int isula_set_non_block(const int fd);
+
+int isula_validate_absolute_path(const char *path);
+
#ifdef __cplusplus
}
#endif
diff --git a/src/utils/utils_string.c b/src/utils/utils_string.c
index 7b0cbef..863bebe 100644
--- a/src/utils/utils_string.c
+++ b/src/utils/utils_string.c
@@ -375,4 +375,21 @@ isula_string_array *isula_string_array_new(size_t req_init_cap)
ptr->append_arr = isula_string_array_append_array;
return ptr;
+}
+
+bool isula_has_prefix(const char *str, const char *prefix)
+{
+ if (str == NULL || prefix == NULL) {
+ return false;
+ }
+
+ if (strlen(str) < strlen(prefix)) {
+ return false;
+ }
+
+ if (strncmp(str, prefix, strlen(prefix)) != 0) {
+ return false;
+ }
+
+ return true;
}
\ No newline at end of file
diff --git a/src/utils/utils_string.h b/src/utils/utils_string.h
index f403fd9..5a25531 100644
--- a/src/utils/utils_string.h
+++ b/src/utils/utils_string.h
@@ -102,6 +102,8 @@ void isula_string_array_free(isula_string_array *ptr);
isula_string_array *isula_string_split_to_multi(const char *src_str, char delim);
+bool isula_has_prefix(const char *str, const char *prefix);
+
#ifdef __cplusplus
}
#endif
--
2.33.0

1098
0005-refactor-util-buffer-and-add-ut.patch
View File

File diff suppressed because it is too large Load Diff

34
0006-264-Support-both-C-11-and-C-17.patch
View File

@ -1,34 +0,0 @@
From 2d3f4ef95a3c4d4e87ce71c5ced43f3d8e81cc9e Mon Sep 17 00:00:00 2001
From: haozi007 <liuhao27@huawei.com>
Date: Thu, 14 Sep 2023 09:00:05 +0000
Subject: [PATCH 6/8] !264 Support both C++11 and C++17 * Support both C++11
and C++17
---
cmake/set_build_flags.cmake | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/cmake/set_build_flags.cmake b/cmake/set_build_flags.cmake
index 3b6842a..7d4c9fc 100644
--- a/cmake/set_build_flags.cmake
+++ b/cmake/set_build_flags.cmake
@@ -24,8 +24,15 @@
set(CMAKE_C_FLAGS "-fPIC -fstack-protector-all -D_FORTIFY_SOURCE=2 -O2 -Wall -fPIE")
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -D__FILENAME__='\"$(subst ${CMAKE_SOURCE_DIR}/,,$(abspath $<))\"'")
+include(CheckCXXCompilerFlag)
+CHECK_CXX_COMPILER_FLAG("-std=c++17" COMPILER_SUPPORTS_CXX17)
if (ENABLE_UT)
- set(CMAKE_CXX_FLAGS "-fPIC -std=c++11 -fstack-protector-all -D_FORTIFY_SOURCE=2 -O2 -Wall")
+ set(CMAKE_CXX_VERSION "-std=c++11")
+ if (COMPILER_SUPPORTS_CXX17)
+ message(STATUS "The compiler ${CMAKE_CXX_COMPILER} has C++17 support.")
+ set(CMAKE_CXX_VERSION "-std=c++17")
+ endif()
+ set(CMAKE_CXX_FLAGS "-fPIC ${CMAKE_CXX_VERSION} -fstack-protector-all -D_FORTIFY_SOURCE=2 -O2 -Wall")
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -D__FILENAME__='\"$(subst ${CMAKE_SOURCE_DIR}/,,$(abspath $<))\"'")
endif()
set(CMAKE_SHARED_LINKER_FLAGS "-Wl,-E -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -Wtrampolines -shared -pthread")
--
2.34.1

109
0006-add-unit-test-for-util-function.patch Normal file
View File

@ -0,0 +1,109 @@
From e072071325b04d362b1eee69aed5c75199799fa5 Mon Sep 17 00:00:00 2001
From: zhongtao <zhongtao17@huawei.com>
Date: Mon, 13 Nov 2023 15:20:05 +0800
Subject: [PATCH 6/6] add unit test for util function
Signed-off-by: zhongtao <zhongtao17@huawei.com>
---
tests/utils_file_ut.cpp | 30 ++++++++++++++++++++++++++++++
tests/utils_string_ut.cpp | 21 +++++++++++++++++++++
tests/utils_utils_ut.cpp | 13 +++++++++++++
3 files changed, 64 insertions(+)
diff --git a/tests/utils_file_ut.cpp b/tests/utils_file_ut.cpp
index d9bd252..7e98bd8 100644
--- a/tests/utils_file_ut.cpp
+++ b/tests/utils_file_ut.cpp
@@ -210,4 +210,34 @@ TEST(utils_file_testcase, test_isula_read_write_nointr)
ASSERT_EQ(nread, 5);
isula_path_remove(test_file.c_str());
+}
+
+TEST(utils_file_testcase, test_isula_set_non_block)
+{
+ ASSERT_EQ(isula_set_non_block(-1), -1);
+
+ int pipefd[2];
+ ASSERT_EQ(0, pipe(pipefd));
+ ASSERT_EQ(0, isula_set_non_block(pipefd[0]));
+ int flag = fcntl(pipefd[0], F_GETFL, 0);
+ ASSERT_NE(-1, flag);
+ EXPECT_TRUE(flag & O_NONBLOCK);
+ close(pipefd[0]);
+ close(pipefd[1]);
+
+ int pipefd2[2];
+ ASSERT_EQ(0, pipe(pipefd2));
+ close(pipefd2[1]);
+ ASSERT_EQ(-1, isula_set_non_block(pipefd2[1]));
+ close(pipefd2[0]);
+}
+
+TEST(utils_file_testcase, test_util_validate_absolute_path)
+{
+ ASSERT_EQ(isula_validate_absolute_path("/etc/isulad"), 0);
+ ASSERT_EQ(isula_validate_absolute_path("/isulad/"), 0);
+
+ ASSERT_EQ(isula_validate_absolute_path(nullptr), -1);
+ ASSERT_EQ(isula_validate_absolute_path("./isulad"), -1);
+ ASSERT_EQ(isula_validate_absolute_path("isulad"), -1);
}
\ No newline at end of file
diff --git a/tests/utils_string_ut.cpp b/tests/utils_string_ut.cpp
index 5b93723..20fd619 100644
--- a/tests/utils_string_ut.cpp
+++ b/tests/utils_string_ut.cpp
@@ -286,4 +286,25 @@ TEST(utils_string_testcase, test_isula_string_split_to_multi)
ASSERT_STREQ(ret->items[2], "c");
ASSERT_STREQ(ret->items[3], "d");
isula_string_array_free(ret);
+}
+
+TEST(utils_string_testcase, test_isula_has_prefix)
+{
+ const char* prefix = "prefix";
+ EXPECT_FALSE(isula_has_prefix(NULL, prefix));
+
+ const char* str = "string";
+ EXPECT_FALSE(isula_has_prefix(str, NULL));
+
+ const char* str2 = "short";
+ const char* prefix2 = "longer";
+ EXPECT_FALSE(isula_has_prefix(str2, prefix2));
+
+ const char* str3 = "string";
+ const char* prefix3 = "prefix";
+ EXPECT_FALSE(isula_has_prefix(str3, prefix3));
+
+ const char* str4 = "prefix_string";
+ const char* prefix4 = "prefix";
+ EXPECT_TRUE(isula_has_prefix(str4, prefix4));
}
\ No newline at end of file
diff --git a/tests/utils_utils_ut.cpp b/tests/utils_utils_ut.cpp
index 843bcf4..7085f23 100644
--- a/tests/utils_utils_ut.cpp
+++ b/tests/utils_utils_ut.cpp
@@ -47,4 +47,17 @@ TEST(utils_utils_testcase, test_isula_usleep_nointerupt)
elapsed_time = std::chrono::duration_cast<std::chrono::microseconds>(end_time - start_time);
ASSERT_GT(elapsed_time.count(), 800);
ASSERT_LT(elapsed_time.count(), 1200);
+}
+
+TEST(utils_utils_testcase, test_isula_reg_match)
+{
+ const char *pattern = "^[a-f0-9]{64}$";
+ const char *valid = "c8da28a6cea7443b648ec70a1c947b6cb920ee0ef3c4a691d4252ff6e1888036";
+ const char *invalid = "g8da28a6cea7443b648ec70a1c947b6cb920ee0ef3c4a691d4252ff6e1888036";
+
+ ASSERT_EQ(isula_reg_match(pattern, valid), 0);
+ ASSERT_EQ(isula_reg_match(pattern, invalid), 1);
+
+ ASSERT_EQ(isula_reg_match(pattern, nullptr), -1);
+ ASSERT_EQ(isula_reg_match(nullptr, pattern), -1);
}
\ No newline at end of file
--
2.33.0

1283
0007-262-Fix-empty-pointer-and-overflow.patch
View File

File diff suppressed because it is too large Load Diff

30
0008-266-set-env-to-avoid-invoke-lxc-binary-directly.patch
View File

@ -1,30 +0,0 @@
From ac0e25d39dc0eaaf492ea626e1c1bbf3b5f2999f Mon Sep 17 00:00:00 2001
From: jake <jikai11@huawei.com>
Date: Mon, 18 Sep 2023 11:08:22 +0000
Subject: [PATCH 8/8] !266 set env to avoid invoke lxc binary directly * set
env to avoid invoke lxc binary directly
---
src/runtime/lcrcontainer.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/runtime/lcrcontainer.c b/src/runtime/lcrcontainer.c
index 4270902..ad6dc66 100644
--- a/src/runtime/lcrcontainer.c
+++ b/src/runtime/lcrcontainer.c
@@ -289,6 +289,12 @@ bool lcr_start(const struct lcr_start_request *request)
close(pipefd[0]);
dup2(pipefd[1], 2);
+ // should set LXC_MEMFD_REXEC=1 before lxc_start
+ // to improve the security of launching containers
+ if (setenv("LXC_MEMFD_REXEC", "1", true) != 0) {
+ exit(1);
+ }
+
execute_lxc_start(request->name, path, request);
}
--
2.34.1

24
lcr.spec
View File

@ -1,5 +1,5 @@
%global _version 2.1.2
%global _release 3
%global _version 2.1.3
%global _release 1
%global _inner_name isula_libutils
%global enable_lxc 0
@ -13,14 +13,12 @@ Group: Applications/System
License: LGPLv2.1+
BuildRoot: %{_tmppath}/lcr-%{version}
Patch0001: 0001-support-check-symbols-and-compile-code-in-cmake.patch
Patch0002: 0002-remove-unnecessary-strerror.patch
Patch0003: 0003-improve-code-of-function-in-log.patch
Patch0004: 0004-support-visibility-of-compiler.patch
Patch0005: 0005-refactor-util-buffer-and-add-ut.patch
Patch0006: 0006-264-Support-both-C-11-and-C-17.patch
Patch0007: 0007-262-Fix-empty-pointer-and-overflow.patch
Patch0008: 0008-266-set-env-to-avoid-invoke-lxc-binary-directly.patch
Patch0001: 0001-280-Add-masked-and-readonly-path-in-host-config.patch
Patch0002: 0002-279-sanbox-del-containers-in-metadata.patch
Patch0003: 0003-add-function-to-transfer-of-ownership.patch
Patch0004: 0004-283-network-support-version-opt-result.patch
Patch0005: 0005-add-attach-fd-for-process-state-and-add-needed-util-.patch
Patch0006: 0006-add-unit-test-for-util-function.patch
%define lxcver_lower 4.0.3-2022102400
%define lxcver_upper 5.0.3
@ -130,6 +128,12 @@ rm -rf %{buildroot}
%{_includedir}/lcr/utils_compile.h
%changelog
* Tue Nov 14 2023 jikai<jikai11@huawei.com> - 2.1.3-1
- Type:enhancement
- CVE:NA
- SUG:NA
- DESC:sync from upstream
* Tue Sep 19 2023 jikai<jikai11@huawei.com> - 2.1.2-3
- Type:bugfix
- CVE:NA

BIN
v2.1.2.tar.gz
View File

Binary file not shown.

BIN
v2.1.3.tar.gz Normal file
View File

Binary file not shown.