!307 refactor patch

From: @zh_xiaoyu 
Reviewed-by: @duguhaotian 
Signed-off-by: @duguhaotian
openeuler-ci-bot 2022-07-21 12:53:53 +00:00 committed by Gitee
commit dac758fcca
53 changed files with 17293 additions and 29206 deletions


@ -1,423 +0,0 @@
From c0f37e083c49cfcb9441743a409fdee44d32d7c5 Mon Sep 17 00:00:00 2001
From: wujing <wujing50@huawei.com>
Date: Thu, 16 Jul 2020 16:39:35 +0800
Subject: [PATCH 03/10] format code and verify mount mode
Signed-off-by: wujing <wujing50@huawei.com>
---
src/lxc/lsm/apparmor.c | 14 +++
src/lxc/lsm/nop.c | 14 +++
src/lxc/lsm/selinux.c | 242 +++++++++++++++++++++--------------------
src/lxc/utils.c | 30 ++++-
4 files changed, 182 insertions(+), 118 deletions(-)
diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
index f251e5e7e..591d37c27 100644
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -1186,6 +1186,16 @@ static int apparmor_process_label_set(const char *inlabel, struct lxc_conf *conf
return 0;
}
+#ifdef HAVE_ISULAD
+static int apparmor_file_label_set(const char *path, const char *label) {
+ return 0;
+}
+
+static int apparmor_relabel(const char *path, const char *label, bool shared) {
+ return 0;
+}
+#endif
+
static struct lsm_drv apparmor_drv = {
.name = "AppArmor",
.enabled = apparmor_enabled,
@@ -1193,6 +1203,10 @@ static struct lsm_drv apparmor_drv = {
.process_label_set = apparmor_process_label_set,
.prepare = apparmor_prepare,
.cleanup = apparmor_cleanup,
+#ifdef HAVE_ISULAD
+ .file_label_set = apparmor_file_label_set,
+ .relabel = apparmor_relabel,
+#endif
};
struct lsm_drv *lsm_apparmor_drv_init(void)
diff --git a/src/lxc/lsm/nop.c b/src/lxc/lsm/nop.c
index 5b345b9a2..188945d51 100644
--- a/src/lxc/lsm/nop.c
+++ b/src/lxc/lsm/nop.c
@@ -24,11 +24,25 @@ static int nop_enabled(void)
return 0;
}
+#ifdef HAVE_ISULAD
+static int nop_file_label_set(const char *path, const char *label) {
+ return 0;
+}
+
+static int nop_relabel(const char *path, const char *label, bool shared) {
+ return 0;
+}
+#endif
+
static struct lsm_drv nop_drv = {
.name = "nop",
.enabled = nop_enabled,
.process_label_get = nop_process_label_get,
.process_label_set = nop_process_label_set,
+#ifdef HAVE_ISULAD
+ .file_label_set = nop_file_label_set,
+ .relabel = nop_relabel,
+#endif
};
struct lsm_drv *lsm_nop_drv_init(void)
diff --git a/src/lxc/lsm/selinux.c b/src/lxc/lsm/selinux.c
index 5bc9843e4..864b16be7 100644
--- a/src/lxc/lsm/selinux.c
+++ b/src/lxc/lsm/selinux.c
@@ -106,6 +106,10 @@ static int selinux_file_label_set(const char *path, const char *label)
return 0;
}
+ if (!is_selinux_enabled()) {
+ return 0;
+ }
+
ret = lsetfilecon(path, label);
if (ret != 0) {
SYSERROR("Failed to setSELinux context to \"%s\": %s", label, path);
@@ -125,16 +129,16 @@ static int selinux_file_label_set(const char *path, const char *label)
*/
static bool is_exclude_relabel_path(const char *path)
{
- const char *exclude_path[] = { "/", "/usr", "/etc", "/tmp", "/home", "/run", "/var", "/root" };
- size_t i;
+ const char *exclude_path[] = { "/", "/usr", "/etc", "/tmp", "/home", "/run", "/var", "/root" };
+ size_t i;
- for (i = 0; i < sizeof(exclude_path) / sizeof(char *); i++) {
- if (strcmp(path, exclude_path[i]) == 0) {
- return true;
- }
- }
+ for (i = 0; i < sizeof(exclude_path) / sizeof(char *); i++) {
+ if (strcmp(path, exclude_path[i]) == 0) {
+ return true;
+ }
+ }
- return false;
+ return false;
}
/*
@@ -146,19 +150,19 @@ static bool is_exclude_relabel_path(const char *path)
*/
static int bad_prefix(const char *fpath)
{
- const char *bad_prefixes = "/usr";
+ const char *bad_prefixes = "/usr";
- if (fpath == NULL) {
- ERROR("Empty file path");
- return -1;
- }
+ if (fpath == NULL) {
+ ERROR("Empty file path");
+ return -1;
+ }
- if (strncmp(fpath, bad_prefixes, strlen(bad_prefixes)) == 0) {
- ERROR("relabeling content in %s is not allowed", bad_prefixes);
- return -1;
- }
+ if (strncmp(fpath, bad_prefixes, strlen(bad_prefixes)) == 0) {
+ ERROR("relabeling content in %s is not allowed", bad_prefixes);
+ return -1;
+ }
- return 0;
+ return 0;
}
/*
@@ -171,51 +175,51 @@ static int bad_prefix(const char *fpath)
*/
static int recurse_set_file_label(const char *basePath, const char *label)
{
- int ret = 0;
- DIR *dir = NULL;
- struct dirent *ptr = NULL;
- char base[PATH_MAX] = { 0 };
-
- if ((dir = opendir(basePath)) == NULL) {
- ERROR("Failed to Open dir: %s", basePath);
- return -1;
- }
-
- ret = lsetfilecon(basePath, label);
- if (ret != 0) {
- ERROR("Failed to set file label");
- goto out;
- }
-
- while ((ptr = readdir(dir)) != NULL) {
- if (strcmp(ptr->d_name, ".") == 0 || strcmp(ptr->d_name, "..") == 0) {
- continue;
- } else {
- int nret = snprintf(base, sizeof(base), "%s/%s", basePath, ptr->d_name);
- if (nret < 0 || nret >= sizeof(base)) {
- ERROR("Failed to get path");
- ret = -1;
- goto out;
- }
- if (ptr->d_type == DT_DIR) {
- ret = recurse_set_file_label(base, label);
- if (ret != 0) {
- ERROR("Failed to set dir label");
- goto out;
- }
- } else {
- ret = lsetfilecon(base, label);
- if (ret != 0) {
- ERROR("Failed to set file label");
- goto out;
- }
- }
- }
- }
+ int ret = 0;
+ DIR *dir = NULL;
+ struct dirent *ptr = NULL;
+ char base[PATH_MAX] = { 0 };
+
+ if ((dir = opendir(basePath)) == NULL) {
+ ERROR("Failed to Open dir: %s", basePath);
+ return -1;
+ }
+
+ ret = lsetfilecon(basePath, label);
+ if (ret != 0) {
+ ERROR("Failed to set file label");
+ goto out;
+ }
+
+ while ((ptr = readdir(dir)) != NULL) {
+ if (strcmp(ptr->d_name, ".") == 0 || strcmp(ptr->d_name, "..") == 0) {
+ continue;
+ } else {
+ int nret = snprintf(base, sizeof(base), "%s/%s", basePath, ptr->d_name);
+ if (nret < 0 || nret >= sizeof(base)) {
+ ERROR("Failed to get path");
+ ret = -1;
+ goto out;
+ }
+ if (ptr->d_type == DT_DIR) {
+ ret = recurse_set_file_label(base, label);
+ if (ret != 0) {
+ ERROR("Failed to set dir label");
+ goto out;
+ }
+ } else {
+ ret = lsetfilecon(base, label);
+ if (ret != 0) {
+ ERROR("Failed to set file label");
+ goto out;
+ }
+ }
+ }
+ }
out:
- closedir(dir);
- return ret;
+ closedir(dir);
+ return ret;
}
/*
@@ -231,33 +235,33 @@ out:
*/
static int selinux_chcon(const char *fpath, const char *label, bool recurse)
{
- struct stat s_buf;
-
- if (fpath == NULL) {
- ERROR("Empty file path");
- return -1;
- }
-
- if (label == NULL) {
- return 0;
- }
-
- if (bad_prefix(fpath) != 0) {
- return -1;
- }
- if (stat(fpath, &s_buf) != 0) {
- return -1;
- }
- if (recurse && S_ISDIR(s_buf.st_mode)) {
- return recurse_set_file_label(fpath, label);
- }
-
- if (lsetfilecon(fpath, label) != 0) {
- ERROR("Failed to set file label");
- return -1;
- }
-
- return 0;
+ struct stat s_buf;
+
+ if (fpath == NULL) {
+ ERROR("Empty file path");
+ return -1;
+ }
+
+ if (label == NULL) {
+ return 0;
+ }
+
+ if (bad_prefix(fpath) != 0) {
+ return -1;
+ }
+ if (stat(fpath, &s_buf) != 0) {
+ return -1;
+ }
+ if (recurse && S_ISDIR(s_buf.st_mode)) {
+ return recurse_set_file_label(fpath, label);
+ }
+
+ if (lsetfilecon(fpath, label) != 0) {
+ ERROR("Failed to set file label");
+ return -1;
+ }
+
+ return 0;
}
/*
@@ -273,37 +277,41 @@ static int selinux_chcon(const char *fpath, const char *label, bool recurse)
*/
static int selinux_relabel(const char *path, const char *label, bool shared)
{
- int ret = 0;
- char *tmp_file_label = NULL;
-
- if (label == NULL) {
- return 0;
- }
-
- tmp_file_label = strdup(label);
- if (is_exclude_relabel_path(path)) {
- ERROR("SELinux relabeling of %s is not allowed", path);
- ret = -1;
- goto out;
- }
-
- if (shared) {
- context_t c = context_new(label);
- context_range_set(c, "s0");
- free(tmp_file_label);
- tmp_file_label = strdup(context_str(c));
- context_free(c);
- }
-
- if (selinux_chcon(path, tmp_file_label, true) != 0) {
- ERROR("Failed to modify %s's selinux context: %s", path, tmp_file_label);
- ret = -1;
- goto out;
- }
+ int ret = 0;
+ char *tmp_file_label = NULL;
+
+ if (label == NULL) {
+ return 0;
+ }
+
+ if (!is_selinux_enabled()) {
+ return 0;
+ }
+
+ tmp_file_label = strdup(label);
+ if (is_exclude_relabel_path(path)) {
+ ERROR("SELinux relabeling of %s is not allowed", path);
+ ret = -1;
+ goto out;
+ }
+
+ if (shared) {
+ context_t c = context_new(label);
+ context_range_set(c, "s0");
+ free(tmp_file_label);
+ tmp_file_label = strdup(context_str(c));
+ context_free(c);
+ }
+
+ if (selinux_chcon(path, tmp_file_label, true) != 0) {
+ ERROR("Failed to modify %s's selinux context: %s", path, tmp_file_label);
+ ret = -1;
+ goto out;
+ }
out:
- free(tmp_file_label);
- return ret;
+ free(tmp_file_label);
+ return ret;
}
#endif
diff --git a/src/lxc/utils.c b/src/lxc/utils.c
index 032176b1b..5ec6117f7 100644
--- a/src/lxc/utils.c
+++ b/src/lxc/utils.c
@@ -1126,6 +1126,34 @@ static int receive_mount_options(const char *data, const char *mount_label,
return format_mount_label(data, mount_label, mnt_opts);
}
+
+static int relabel_bind_mount_source(const char *src, const char *fstype, const char *data, const char *mount_label)
+{
+ __do_free_string_list char **parts = NULL;
+ ssize_t parts_len;
+ ssize_t i;
+
+ if (data == NULL) {
+ return lsm_relabel(src, mount_label, false);
+ }
+
+ parts = lxc_string_split(data, ',');
+ if (parts == NULL) {
+ return -1;
+ }
+
+ parts_len = lxc_array_len((void **)parts);
+ for (i = 0; i < parts_len; i++) {
+ if (strcmp(parts[i], "z") == 0) {
+ return lsm_relabel(src, mount_label, true);
+ } else if (strcmp(parts[i], "Z") == 0) {
+ return lsm_relabel(src, mount_label, false);
+ }
+ }
+
+ return lsm_relabel(src, mount_label, false);
+}
+
#endif
/*
@@ -1227,7 +1255,7 @@ int safe_mount(const char *src, const char *dest, const char *fstype,
return -EINVAL;
}
- if (strcmp(fstype, "bind") == 0 && lsm_relabel(src, mount_label, false) != 0) {
+ if (strcmp(fstype, "bind") == 0 && relabel_bind_mount_source(src, fstype, (const char *)data, mount_label) != 0) {
ERROR("Failed to reabel %s with %s", src, mount_label);
return -EINVAL;
}
--
2.25.1


@ -1,162 +0,0 @@
From b1ef723b4f437aad3c0c0497174bc7d3444426cd Mon Sep 17 00:00:00 2001
From: wujing <wujing50@huawei.com>
Date: Mon, 20 Jul 2020 15:30:42 +0800
Subject: [PATCH 04/10] Removes the definition of the thread attributes object
Signed-off-by: wujing <wujing50@huawei.com>
---
src/lxc/attach.c | 1 +
src/lxc/conf.c | 1 +
src/lxc/lsm/selinux.c | 33 +++++++++++----------------------
src/lxc/start.c | 1 +
4 files changed, 14 insertions(+), 22 deletions(-)
diff --git a/src/lxc/attach.c b/src/lxc/attach.c
index 068cc5f8e..b33ff6325 100644
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -1188,6 +1188,7 @@ static int create_attach_timeout_thread(int64_t attach_timeout, pid_t pid)
pthread_attr_init(&attr);
pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED);
ret = pthread_create(&ptid, &attr, wait_attach_timeout, timeout_conf);
+ pthread_attr_destroy(&attr);
if (ret != 0) {
ERROR("Create attach wait timeout thread failed");
free(timeout_conf);
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 7e4af0a95..6a25b96ac 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -4660,6 +4660,7 @@ static int run_ocihook_buffer(struct oci_hook_conf *oconf, const char *inmsg)
pthread_attr_init(&attr);
pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED);
err = pthread_create(&ptid, &attr, wait_ocihook_timeout, conf);
+ pthread_attr_destroy(&attr);
if (err != 0) {
ERROR("Create wait timeout thread failed");
free(conf);
diff --git a/src/lxc/lsm/selinux.c b/src/lxc/lsm/selinux.c
index 864b16be7..ceac08891 100644
--- a/src/lxc/lsm/selinux.c
+++ b/src/lxc/lsm/selinux.c
@@ -100,8 +100,6 @@ static int selinux_process_label_set(const char *inlabel, struct lxc_conf *conf,
*/
static int selinux_file_label_set(const char *path, const char *label)
{
- int ret;
-
if (path == NULL || label == NULL || strcmp(label, "unconfined_t") == 0) {
return 0;
}
@@ -110,8 +108,7 @@ static int selinux_file_label_set(const char *path, const char *label)
return 0;
}
- ret = lsetfilecon(path, label);
- if (ret != 0) {
+ if (lsetfilecon(path, label) != 0) {
SYSERROR("Failed to setSELinux context to \"%s\": %s", label, path);
return -1;
}
@@ -176,7 +173,7 @@ static int bad_prefix(const char *fpath)
static int recurse_set_file_label(const char *basePath, const char *label)
{
int ret = 0;
- DIR *dir = NULL;
+ __do_closedir DIR *dir = NULL;
struct dirent *ptr = NULL;
char base[PATH_MAX] = { 0 };
@@ -188,7 +185,7 @@ static int recurse_set_file_label(const char *basePath, const char *label)
ret = lsetfilecon(basePath, label);
if (ret != 0) {
ERROR("Failed to set file label");
- goto out;
+ return ret;
}
while ((ptr = readdir(dir)) != NULL) {
@@ -198,28 +195,25 @@ static int recurse_set_file_label(const char *basePath, const char *label)
int nret = snprintf(base, sizeof(base), "%s/%s", basePath, ptr->d_name);
if (nret < 0 || nret >= sizeof(base)) {
ERROR("Failed to get path");
- ret = -1;
- goto out;
+ return -1;
}
if (ptr->d_type == DT_DIR) {
ret = recurse_set_file_label(base, label);
if (ret != 0) {
ERROR("Failed to set dir label");
- goto out;
+ return ret;
}
} else {
ret = lsetfilecon(base, label);
if (ret != 0) {
ERROR("Failed to set file label");
- goto out;
+ return ret;
}
}
}
}
-out:
- closedir(dir);
- return ret;
+ return 0;
}
/*
@@ -277,8 +271,7 @@ static int selinux_chcon(const char *fpath, const char *label, bool recurse)
*/
static int selinux_relabel(const char *path, const char *label, bool shared)
{
- int ret = 0;
- char *tmp_file_label = NULL;
+ __do_free char *tmp_file_label = NULL;
if (label == NULL) {
return 0;
@@ -291,8 +284,7 @@ static int selinux_relabel(const char *path, const char *label, bool shared)
tmp_file_label = strdup(label);
if (is_exclude_relabel_path(path)) {
ERROR("SELinux relabeling of %s is not allowed", path);
- ret = -1;
- goto out;
+ return -1;
}
if (shared) {
@@ -305,13 +297,10 @@ static int selinux_relabel(const char *path, const char *label, bool shared)
if (selinux_chcon(path, tmp_file_label, true) != 0) {
ERROR("Failed to modify %s's selinux context: %s", path, tmp_file_label);
- ret = -1;
- goto out;
+ return -1;
}
-out:
- free(tmp_file_label);
- return ret;
+ return 0;
}
#endif
diff --git a/src/lxc/start.c b/src/lxc/start.c
index 51d13254b..ab47420f1 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -2484,6 +2484,7 @@ static int create_start_timeout_thread(struct lxc_conf *conf, unsigned int start
pthread_attr_init(&attr);
pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED);
ret = pthread_create(&ptid, &attr, wait_start_timeout, timeout_conf);
+ pthread_attr_destroy(&attr);
if (ret != 0) {
ERROR("Create start wait timeout thread failed");
free(timeout_conf);
--
2.25.1


@ -1,65 +0,0 @@
From 405b048dc82a8695b8a400524787243f3898cbd6 Mon Sep 17 00:00:00 2001
From: wujing <wujing50@huawei.com>
Date: Tue, 21 Jul 2020 17:30:17 +0800
Subject: [PATCH 05/10] solve coredump bug caused by fstype being NULL during
mount
Signed-off-by: wujing <wujing50@huawei.com>
---
src/lxc/lsm/selinux.c | 3 +--
src/lxc/utils.c | 7 ++++---
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/lxc/lsm/selinux.c b/src/lxc/lsm/selinux.c
index ceac08891..837a3da3d 100644
--- a/src/lxc/lsm/selinux.c
+++ b/src/lxc/lsm/selinux.c
@@ -68,7 +68,6 @@ static int selinux_process_label_set(const char *inlabel, struct lxc_conf *conf,
label = inlabel ? inlabel : conf->lsm_se_context;
if (!label) {
-
label = DEFAULT_LABEL;
}
@@ -273,7 +272,7 @@ static int selinux_relabel(const char *path, const char *label, bool shared)
{
__do_free char *tmp_file_label = NULL;
- if (label == NULL) {
+ if (path == NULL || label == NULL) {
return 0;
}
diff --git a/src/lxc/utils.c b/src/lxc/utils.c
index 5ec6117f7..95c00cfed 100644
--- a/src/lxc/utils.c
+++ b/src/lxc/utils.c
@@ -1230,7 +1230,7 @@ int safe_mount(const char *src, const char *dest, const char *fstype,
ret = mount(mntsrc, destbuf, fstype, flags, mnt_opts);
saved_errno = errno;
- if (ret < 0 && strcmp(fstype, "mqueue") == 0) {
+ if (ret < 0 && fstype != NULL && strcmp(fstype, "mqueue") == 0) {
INFO("older kernels don't support labeling of /dev/mqueue, retry without selinux context");
ret = mount(mntsrc, destbuf, fstype, flags, data);
saved_errno = errno;
@@ -1250,12 +1250,13 @@ int safe_mount(const char *src, const char *dest, const char *fstype,
}
#ifdef HAVE_ISULAD
- if (strcmp(fstype, "mqueue") == 0 && lsm_file_label_set(dest, mount_label) != 0) {
+ if (fstype != NULL && strcmp(fstype, "mqueue") == 0 && lsm_file_label_set(dest, mount_label) != 0) {
ERROR("Failed to set file label on %s", dest);
return -EINVAL;
}
- if (strcmp(fstype, "bind") == 0 && relabel_bind_mount_source(src, fstype, (const char *)data, mount_label) != 0) {
+ if (fstype != NULL && strcmp(fstype, "bind") == 0 &&
+ relabel_bind_mount_source(src, fstype, (const char *)data, mount_label) != 0) {
ERROR("Failed to reabel %s with %s", src, mount_label);
return -EINVAL;
}
--
2.25.1


@ -1,40 +0,0 @@
From e21c6474901e3d12560eb389597e88b47fd46be5 Mon Sep 17 00:00:00 2001
From: lifeng68 <lifeng68@huawei.com>
Date: Fri, 11 Sep 2020 10:05:04 +0800
Subject: [PATCH 06/10] SIGTERM: do not catch signal SIGTERM in [lxc monitor]
Signed-off-by: lifeng68 <lifeng68@huawei.com>
---
src/lxc/attach.c | 2 +-
src/lxc/start.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/lxc/attach.c b/src/lxc/attach.c
index b33ff6325..72b3055c7 100644
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -1228,7 +1228,7 @@ static int isulad_setup_signal_fd(sigset_t *oldmask)
{
int ret;
sigset_t mask;
- const int signals[] = {SIGBUS, SIGILL, SIGSEGV, SIGWINCH};
+ const int signals[] = {SIGBUS, SIGILL, SIGSEGV, SIGWINCH, SIGTERM};
/* Block everything except serious error signals. */
ret = sigfillset(&mask);
diff --git a/src/lxc/start.c b/src/lxc/start.c
index ab47420f1..50a1a8203 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -294,7 +294,7 @@ static int setup_signal_fd(sigset_t *oldmask)
{
int ret;
sigset_t mask;
- const int signals[] = {SIGBUS, SIGILL, SIGSEGV, SIGWINCH};
+ const int signals[] = {SIGBUS, SIGILL, SIGSEGV, SIGWINCH, SIGTERM};
/* Block everything except serious error signals. */
ret = sigfillset(&mask);
--
2.25.1


@ -1,27 +0,0 @@
From 5a8c9b52ad3291feb87c2281e074b2c85c766245 Mon Sep 17 00:00:00 2001
From: wujing <wujing50@huawei.com>
Date: Fri, 25 Sep 2020 10:21:37 +0800
Subject: [PATCH 07/10] Using string type instead of security_context_t because
it is deprecated
Signed-off-by: wujing <wujing50@huawei.com>
---
src/lxc/lsm/selinux.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lxc/lsm/selinux.c b/src/lxc/lsm/selinux.c
index 837a3da3d..79697c583 100644
--- a/src/lxc/lsm/selinux.c
+++ b/src/lxc/lsm/selinux.c
@@ -36,7 +36,7 @@ lxc_log_define(selinux, lsm);
*/
static char *selinux_process_label_get(pid_t pid)
{
- security_context_t ctx;
+ char *ctx;
char *label;
if (getpidcon_raw(pid, &ctx) < 0) {
--
2.25.1


@ -1,26 +0,0 @@
From e8d9c6475eb42fdb1775a465353758f2c5418938 Mon Sep 17 00:00:00 2001
From: lifeng68 <lifeng68@huawei.com>
Date: Sat, 31 Oct 2020 17:38:04 +0800
Subject: [PATCH 08/10] hook: pass correct mount dir as root to hook
Signed-off-by: lifeng68 <lifeng68@huawei.com>
---
src/lxc/conf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 6a25b96ac..3d8713954 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -4785,7 +4785,7 @@ static int do_run_oci_hooks(const char *name, const char *lxcpath, struct lxc_co
return 0;
}
- rootpath = get_root_path(lc->rootfs.path, lc->rootfs.bdev_type);
+ rootpath = get_root_path(lc->rootfs.path ? lc->rootfs.mount : NULL, lc->rootfs.bdev_type);
if (!rootpath) {
ERROR("Get container %s rootpath failed.", name);
return -1;
--
2.25.1


@ -1,76 +0,0 @@
From 9fa92a4f8d0fd772a27e5c27d03b927c765c133c Mon Sep 17 00:00:00 2001
From: lifeng68 <lifeng68@huawei.com>
Date: Fri, 13 Nov 2020 14:11:07 +0800
Subject: [PATCH 10/10] cgfsng: adjust log level from error to warn
Signed-off-by: lifeng68 <lifeng68@huawei.com>
---
src/lxc/cgroups/cgfsng.c | 6 +++---
src/lxc/cgroups/isulad_cgfsng.c | 6 +++---
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
index 9b9aaf6c3..3f81f5c41 100644
--- a/src/lxc/cgroups/cgfsng.c
+++ b/src/lxc/cgroups/cgfsng.c
@@ -654,7 +654,7 @@ static char **cg_hybrid_get_controllers(char **klist, char **nlist, char *line,
* verify /sys/fs/cgroup/ in this field.
*/
if (strncmp(p, DEFAULT_CGROUP_MOUNTPOINT "/", 15) != 0)
- return log_error(NULL, "Found hierarchy not under " DEFAULT_CGROUP_MOUNTPOINT ": \"%s\"", p);
+ return log_warn(NULL, "Found hierarchy not under " DEFAULT_CGROUP_MOUNTPOINT ": \"%s\"", p);
p += 15;
p2 = strchr(p, ' ');
@@ -3092,7 +3092,7 @@ static int cg_hybrid_init(struct cgroup_ops *ops, bool relative, bool unprivileg
mountpoint = cg_hybrid_get_mountpoint(line);
if (!mountpoint) {
- ERROR("Failed parsing mountpoint from \"%s\"", line);
+ WARN("Failed parsing mountpoint from \"%s\"", line);
continue;
}
@@ -3101,7 +3101,7 @@ static int cg_hybrid_init(struct cgroup_ops *ops, bool relative, bool unprivileg
else
base_cgroup = cg_hybrid_get_current_cgroup(basecginfo, NULL, CGROUP2_SUPER_MAGIC);
if (!base_cgroup) {
- ERROR("Failed to find current cgroup");
+ WARN("Failed to find current cgroup");
continue;
}
diff --git a/src/lxc/cgroups/isulad_cgfsng.c b/src/lxc/cgroups/isulad_cgfsng.c
index 82a4333f3..e16f8a198 100644
--- a/src/lxc/cgroups/isulad_cgfsng.c
+++ b/src/lxc/cgroups/isulad_cgfsng.c
@@ -317,7 +317,7 @@ static char **cg_hybrid_get_controllers(char **klist, char **nlist, char *line,
* verify /sys/fs/cgroup/ in this field.
*/
if (strncmp(p, DEFAULT_CGROUP_MOUNTPOINT "/", 15) != 0)
- return log_error(NULL, "Found hierarchy not under " DEFAULT_CGROUP_MOUNTPOINT ": \"%s\"", p);
+ return log_warn(NULL, "Found hierarchy not under " DEFAULT_CGROUP_MOUNTPOINT ": \"%s\"", p);
p += 15;
p2 = strchr(p, ' ');
@@ -2847,7 +2847,7 @@ static int cg_hybrid_init(struct cgroup_ops *ops, bool relative, bool unprivileg
mountpoint = cg_hybrid_get_mountpoint(line);
if (!mountpoint) {
- ERROR("Failed parsing mountpoint from \"%s\"", line);
+ WARN("Failed parsing mountpoint from \"%s\"", line);
continue;
}
@@ -2856,7 +2856,7 @@ static int cg_hybrid_init(struct cgroup_ops *ops, bool relative, bool unprivileg
else
base_cgroup = cg_hybrid_get_current_cgroup(basecginfo, NULL, CGROUP2_SUPER_MAGIC);
if (!base_cgroup) {
- ERROR("Failed to find current cgroup");
+ WARN("Failed to find current cgroup");
continue;
}
--
2.25.1


@ -1,28 +0,0 @@
From e9214cfb2a247a78a07d2032956cde97e6d19e4a Mon Sep 17 00:00:00 2001
From: lifeng68 <lifeng68@huawei.com>
Date: Tue, 17 Nov 2020 18:37:56 +0800
Subject: [PATCH 11/11] rootfs: add make private for root.path parent
Signed-off-by: lifeng68 <lifeng68@huawei.com>
---
src/lxc/conf.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 3d8713954..ce5bab9c5 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -1434,6 +1434,10 @@ static int lxc_mount_rootfs(struct lxc_conf *conf)
* not propagate in other namespaces. Also it will help with kernel
* check pass in pivot_root. (IS_SHARED(new_mnt->mnt_parent))
*/
+ ret = rootfs_parent_mount_private(conf->rootfs.path);
+ if (ret != 0) {
+ return log_error(-1, "Failed to make parent of rootfs %s to private.", conf->rootfs.path);
+ }
ret = rootfs_parent_mount_private(conf->rootfs.mount);
if (ret != 0) {
return log_error(-1, "Failed to make parent of rootfs %s to private.", conf->rootfs.mount);
--
2.25.1


@ -1,204 +0,0 @@
From 53ca847c8d21b1e422745a221d49ddf61679d4dd Mon Sep 17 00:00:00 2001
From: lifeng68 <lifeng68@huawei.com>
Date: Fri, 27 Nov 2020 16:02:25 +0800
Subject: [PATCH] mount: make possible to bind mount /proc and /sys/fs
1. add check whether have /proc mounts entry, if has, skip the auto
mount proc
2. mount cgroup before do mount entrys
3. pass if the mount on top of /proc and the source of the mount is a proc filesystem
Signed-off-by: lifeng68 <lifeng68@huawei.com>
---
src/lxc/conf.c | 95 +++++++++++++++++++++++++++++++++++++++++++++++---
src/lxc/path.c | 2 +-
2 files changed, 92 insertions(+), 5 deletions(-)
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index ce5bab9c5..c3610ae33 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -2581,7 +2581,7 @@ retry:
/* isulad: checkMountDestination checks to ensure that the mount destination is not over the top of /proc.
* dest is required to be an abs path and have any symlinks resolved before calling this function. */
-static int check_mount_destination(const char *rootfs, const char *dest)
+static int check_mount_destination(const char *rootfs, const char *dest, const char *src)
{
const char *invalid_destinations[] = {
"/proc",
@@ -2641,10 +2641,28 @@ static int check_mount_destination(const char *rootfs, const char *dest)
return -1;
}
relpath = path_relative(fullpath, dest);
+ DEBUG("dst path %s get relative path %s with full path %s,src:%s", dest, relpath, fullpath, src);
free(fullpath);
- if (!relpath)
+ if (!relpath) {
+ ERROR("Failed to get relpath for %s related to %s", dest, fullpath);
return -1;
- if (!strcmp(relpath, ".") || strncmp(relpath, "..", 2)) {
+ }
+ // pass if the mount path is outside of invalid proc
+ if (strncmp(relpath, "..", 2) == 0) {
+ free(relpath);
+ continue;
+ }
+ if (strcmp(relpath, ".") == 0) {
+ if (src == NULL) {
+ free(relpath);
+ continue;
+ }
+ // pass if the mount on top of /proc and the source of the mount is a proc filesystem
+ if (has_fs_type(src, PROC_SUPER_MAGIC)) {
+ WARN("src %s is proc allow mount on-top of %s", src, *invalid);
+ free(relpath);
+ continue;
+ }
ERROR("%s cannot be mounted because it is located inside %s", dest, *invalid);
free(relpath);
return -1;
@@ -2706,7 +2724,7 @@ static inline int mount_entry_on_generic(struct mntent *mntent,
}
dest = rpath;
- ret = check_mount_destination(rootfs_path, dest);
+ ret = check_mount_destination(rootfs_path, dest, mntent->mnt_fsname);
if (ret) {
ERROR("Mount destination is invalid: '%s'", dest);
lxc_write_error_message(rootfs->errfd, "%s:%d: mount destination is invalid: '%s'.",
@@ -3119,6 +3137,52 @@ static bool need_setup_dev(const struct lxc_conf *conf, struct lxc_list *mount)
return true;
}
}
+
+static bool have_proc_bind_mount_entry(FILE *file)
+{
+ bool have_bind_proc = false;
+ char buf[PATH_MAX] = { 0 };
+ struct mntent mntent;
+
+ while (getmntent_r(file, &mntent, buf, sizeof(buf))) {
+ mntent.mnt_dir = lxc_string_replace(SPACE_MAGIC_STR, " ", mntent.mnt_dir);
+ if(mntent.mnt_dir == NULL) {
+ SYSERROR("memory allocation error");
+ continue;
+ }
+
+ DEBUG("parsed mnt %s, %s, %s", mntent.mnt_fsname, mntent.mnt_dir, mntent.mnt_type);
+
+ if (strcmp(mntent.mnt_dir, "proc") == 0 && strcmp(mntent.mnt_type, "bind") == 0) {
+ have_bind_proc = true;
+ }
+
+ free(mntent.mnt_dir);
+ mntent.mnt_dir = NULL;
+
+ if (have_bind_proc)
+ return true;
+ }
+
+ return false;
+}
+
+// returns true if /proc needs to be set up.
+static bool need_setup_proc(const struct lxc_conf *conf, struct lxc_list *mount)
+{
+ __do_fclose FILE *f = NULL;
+
+ f = make_anonymous_mount_file(mount, conf->lsm_aa_allow_nesting);
+ if (f == NULL)
+ return true;
+
+ if (have_proc_bind_mount_entry(f)) {
+ return false;
+ } else {
+ return true;
+ }
+}
+
#endif
static int parse_cap(const char *cap)
@@ -4870,6 +4934,7 @@ int lxc_setup(struct lxc_handler *handler)
char *keyring_context = NULL;
#ifdef HAVE_ISULAD
bool setup_dev = true;
+ bool setup_proc = true;
#endif
ret = lxc_setup_rootfs_prepare_root(lxc_conf, name, lxcpath);
@@ -4930,6 +4995,17 @@ int lxc_setup(struct lxc_handler *handler)
ret = lxc_mount_auto_mounts(lxc_conf, lxc_conf->auto_mounts & ~LXC_AUTO_CGROUP_MASK, handler);
if (ret < 0)
return log_error(-1, "Failed to setup first automatic mounts");
+
+#ifdef HAVE_ISULAD
+ /* Now mount only cgroups, if wanted. Before, /sys could not have been
+ * mounted. It is guaranteed to be mounted now either through
+ * automatically or via fstab entries.
+ */
+ ret = lxc_mount_auto_mounts(lxc_conf, lxc_conf->auto_mounts & LXC_AUTO_CGROUP_MASK, handler);
+ if (ret < 0)
+ return log_error(-1, "Failed to setup remaining automatic mounts");
+#endif
+
#ifdef HAVE_ISULAD
ret = setup_mount(lxc_conf, &lxc_conf->rootfs, lxc_conf->fstab, name, lxcpath, lxc_conf->lsm_se_mount_context);
#else
@@ -4950,6 +5026,7 @@ int lxc_setup(struct lxc_handler *handler)
return log_error(-1, "Failed to setup mount entries");
#ifdef HAVE_ISULAD
setup_dev = need_setup_dev(lxc_conf, &lxc_conf->mount_list);
+ setup_proc = need_setup_proc(lxc_conf, &lxc_conf->mount_list);
#endif
}
@@ -4975,6 +5052,7 @@ int lxc_setup(struct lxc_handler *handler)
}
}
+#ifndef HAVE_ISULAD
/* Now mount only cgroups, if wanted. Before, /sys could not have been
* mounted. It is guaranteed to be mounted now either through
* automatically or via fstab entries.
@@ -4982,6 +5060,7 @@ int lxc_setup(struct lxc_handler *handler)
ret = lxc_mount_auto_mounts(lxc_conf, lxc_conf->auto_mounts & LXC_AUTO_CGROUP_MASK, handler);
if (ret < 0)
return log_error(-1, "Failed to setup remaining automatic mounts");
+#endif
ret = run_lxc_hooks(name, "mount", lxc_conf, NULL);
if (ret < 0)
@@ -5026,9 +5105,17 @@ int lxc_setup(struct lxc_handler *handler)
if (ret < 0)
return log_error(-1, "Failed to setup \"/dev\" symlinks");
+#ifdef HAVE_ISULAD
+ if (setup_proc) {
+ ret = lxc_create_tmp_proc_mount(lxc_conf);
+ if (ret < 0)
+ return log_error(-1, "Failed to \"/proc\" LSMs");
+ }
+#else
ret = lxc_create_tmp_proc_mount(lxc_conf);
if (ret < 0)
return log_error(-1, "Failed to \"/proc\" LSMs");
+#endif
#ifdef HAVE_ISULAD
/* Ask father to run oci prestart hooks and wait for him to finish. */
diff --git a/src/lxc/path.c b/src/lxc/path.c
index 65b8aadbf..46256cb26 100644
--- a/src/lxc/path.c
+++ b/src/lxc/path.c
@@ -652,4 +652,4 @@ char *path_relative(const char *basepath, const char *targpath)
}
return safe_strdup(targ + t0);
-}
+}
\ No newline at end of file
--
2.25.1


@ -1,401 +0,0 @@
From f0af10aef5b21b6bf19dce0d2657f645355a42ac Mon Sep 17 00:00:00 2001
From: wujing <wujing50@huawei.com>
Date: Fri, 4 Dec 2020 10:04:30 +0800
Subject: [PATCH] use path based unix domain sockets instead of abstract
namespace sockets to improve container security
Signed-off-by: wujing <wujing50@huawei.com>
---
src/lxc/af_unix.c | 50 ++++++++++++++++++++++++++++++++++--
src/lxc/af_unix.h | 4 ++-
src/lxc/attach.c | 4 +++
src/lxc/commands.c | 39 ++++++++++++++++++++++++++++
src/lxc/commands_utils.c | 51 +++++++++++++++++++++++++++++++++++++
src/lxc/commands_utils.h | 6 +++++
src/lxc/exec_commands.c | 55 ++++++++++++++++++++++++++++++++++++++++
src/lxc/exec_commands.h | 4 +++
src/lxc/lxccontainer.c | 18 +++++++++++++
9 files changed, 228 insertions(+), 3 deletions(-)
diff --git a/src/lxc/af_unix.c b/src/lxc/af_unix.c
index 9f268be6..090465b4 100644
--- a/src/lxc/af_unix.c
+++ b/src/lxc/af_unix.c
@@ -372,12 +372,58 @@ int lxc_unix_connect_type(struct sockaddr_un *addr, int type)
ret = connect(fd, (struct sockaddr *)addr,
offsetof(struct sockaddr_un, sun_path) + len);
if (ret < 0)
- return log_error_errno(-1, errno,
- "Failed to bind new AF_UNIX socket");
+ return log_warn_errno(-1, errno,
+ "Failed to connect new AF_UNIX socket");
+
+ return move_fd(fd);
+}
+
+#ifdef HAVE_ISULAD
+int lxc_named_unix_open(const char *path, int type, int flags)
+{
+ __do_close int fd = -EBADF;
+ int ret;
+ ssize_t len;
+ struct sockaddr_un addr;
+
+ fd = socket(PF_UNIX, type | SOCK_CLOEXEC, 0);
+ if (fd < 0)
+ return -1;
+
+ if (!path)
+ return move_fd(fd);
+
+ len = lxc_unix_sockaddr(&addr, path);
+ if (len < 0)
+ return -1;
+
+ ret = bind(fd, (struct sockaddr *)&addr, len);
+ if (ret < 0)
+ return -1;
+
+ if (chmod(path, 0600) < 0)
+ return -1;
+
+ if (type == SOCK_STREAM) {
+ ret = listen(fd, 100);
+ if (ret < 0)
+ return -1;
+ }
return move_fd(fd);
}
+int lxc_named_unix_connect(const char *path)
+{
+ struct sockaddr_un addr;
+
+ if (lxc_unix_sockaddr(&addr, path) < 0)
+ return -1;
+
+ return lxc_unix_connect_type(&addr, SOCK_STREAM);
+}
+#endif
+
int lxc_unix_connect(struct sockaddr_un *addr, int type)
{
return lxc_unix_connect_type(addr, SOCK_STREAM);
diff --git a/src/lxc/af_unix.h b/src/lxc/af_unix.h
index 6943a61e..a511330a 100644
--- a/src/lxc/af_unix.h
+++ b/src/lxc/af_unix.h
@@ -28,7 +28,9 @@ extern int lxc_unix_connect(struct sockaddr_un *addr);
extern int lxc_unix_connect_type(struct sockaddr_un *addr, int type);
extern int lxc_socket_set_timeout(int fd, int rcv_timeout, int snd_timeout);
#ifdef HAVE_ISULAD
-int lxc_abstract_unix_recv_fds_timeout(int fd, int *recvfds, int num_recvfds,
+extern int lxc_abstract_unix_recv_fds_timeout(int fd, int *recvfds, int num_recvfds,
void *data, size_t size, unsigned int timeout);
+extern int lxc_named_unix_open(const char *path, int type, int flags);
+extern int lxc_named_unix_connect(const char *path);
#endif
#endif /* __LXC_AF_UNIX_H */
diff --git a/src/lxc/attach.c b/src/lxc/attach.c
index 72b3055c..87e23c22 100644
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -1474,6 +1474,7 @@ int lxc_attach(struct lxc_container *container, lxc_attach_exec_t exec_function,
if (exec_command.maincmd_fd != -1) {
close(exec_command.maincmd_fd);
}
+ lxc_exec_unix_sock_delete(name, suffix);
}
#endif
free(cwd);
@@ -1491,6 +1492,7 @@ int lxc_attach(struct lxc_container *container, lxc_attach_exec_t exec_function,
if (exec_command.maincmd_fd != -1) {
close(exec_command.maincmd_fd);
}
+ lxc_exec_unix_sock_delete(name, suffix);
}
close(ipc_sockets[0]);
close(ipc_sockets[1]);
@@ -1517,6 +1519,7 @@ int lxc_attach(struct lxc_container *container, lxc_attach_exec_t exec_function,
if (exec_command.maincmd_fd != -1) {
close(exec_command.maincmd_fd);
}
+ lxc_exec_unix_sock_delete(name, suffix);
}
close(ipc_sockets[0]);
close(ipc_sockets[1]);
@@ -1789,6 +1792,7 @@ int lxc_attach(struct lxc_container *container, lxc_attach_exec_t exec_function,
if (exec_command.maincmd_fd != -1) {
close(exec_command.maincmd_fd);
}
+ lxc_exec_unix_sock_delete(name, suffix);
#endif
}
diff --git a/src/lxc/commands.c b/src/lxc/commands.c
index 37354e87..70c56579 100644
--- a/src/lxc/commands.c
+++ b/src/lxc/commands.c
@@ -1691,6 +1691,44 @@ static int lxc_cmd_accept(int fd, uint32_t events, void *data,
return ret;
}
+#ifdef HAVE_ISULAD
+int lxc_cmd_init(const char *name, const char *lxcpath, const char *suffix)
+{
+ __do_close int fd = -EBADF;
+ int ret;
+ char path[LXC_AUDS_ADDR_LEN] = {0};
+ __do_free char *runtime_sock_dir = NULL;
+
+ runtime_sock_dir = generate_named_unix_sock_dir(name);
+ if (runtime_sock_dir == NULL)
+ return -1;
+
+ if (mkdir_p(runtime_sock_dir, 0600) < 0)
+ return log_error_errno(-1, errno, "Failed to create container runtime unix sock directory %s", path);
+
+ if (generate_named_unix_sock_path(name, suffix, path, sizeof(path)) != 0)
+ return -1;
+
+ fd = lxc_named_unix_open(path, SOCK_STREAM, 0);
+ if (fd < 0) {
+ if (errno == EADDRINUSE) {
+ WARN("Container \"%s\" appears to be already running", name);
+ (void)unlink(path);
+
+ fd = lxc_named_unix_open(path, SOCK_STREAM, 0);
+ if (fd < 0)
+ return log_error_errno(-1, errno, "Failed to create command socket %s", path);
+ } else
+ return log_error_errno(-1, errno, "Failed to create command socket %s", path);
+ }
+
+ ret = fcntl(fd, F_SETFD, FD_CLOEXEC);
+ if (ret < 0)
+ return log_error_errno(-1, errno, "Failed to set FD_CLOEXEC on command socket file descriptor");
+
+ return log_trace(move_fd(fd), "Created unix socket \"%s\"", path);
+}
+#else
int lxc_cmd_init(const char *name, const char *lxcpath, const char *suffix)
{
__do_close int fd = -EBADF;
@@ -1715,6 +1753,7 @@ int lxc_cmd_init(const char *name, const char *lxcpath, const char *suffix)
return log_trace(move_fd(fd), "Created abstract unix socket \"%s\"", &path[1]);
}
+#endif
int lxc_cmd_mainloop_add(const char *name, struct lxc_epoll_descr *descr,
struct lxc_handler *handler)
diff --git a/src/lxc/commands_utils.c b/src/lxc/commands_utils.c
index 2f2670d7..7dfefa5c 100644
--- a/src/lxc/commands_utils.c
+++ b/src/lxc/commands_utils.c
@@ -137,12 +137,63 @@ int lxc_make_abstract_socket_name(char *path, size_t pathlen,
return 0;
}
+#ifdef HAVE_ISULAD
+char *generate_named_unix_sock_dir(const char *name)
+{
+ __do_free char *exec_sock_dir = NULL;
+
+ if (asprintf(&exec_sock_dir, "/var/run/lxc/%s", name) < 0)
+ return log_error_errno(NULL, errno, "Failed to allocate memory");
+
+ return move_ptr(exec_sock_dir);
+}
+
+int generate_named_unix_sock_path(const char *container_name, const char *sock_name,
+ char *out_path, size_t len)
+{
+#define MAX_SOCK_NAME_LENGTH 12
+ int ret;
+ __do_free char *sock_dir = NULL;
+ __do_free char *short_sock_name = NULL;
+
+ if (container_name == NULL || sock_name == NULL)
+ return -1;
+
+ sock_dir = generate_named_unix_sock_dir(container_name);
+ if (sock_dir == NULL)
+ return -1;
+
+ short_sock_name = strdup(sock_name);
+ if (strlen(short_sock_name) > MAX_SOCK_NAME_LENGTH)
+ short_sock_name[MAX_SOCK_NAME_LENGTH] = '\0';
+
+ ret = snprintf(out_path, len, "%s/%s.sock", sock_dir, short_sock_name);
+ if (ret < 0 || (size_t)ret >= len)
+ return log_error_errno(-1, errno, "Failed to allocate memory");
+
+ return 0;
+}
+#endif
+
int lxc_cmd_connect(const char *name, const char *lxcpath,
const char *hashed_sock_name, const char *suffix)
{
int ret, client_fd;
char path[LXC_AUDS_ADDR_LEN] = {0};
+#ifdef HAVE_ISULAD
+ if (generate_named_unix_sock_path(name, suffix, path, sizeof(path)) != 0)
+ return -1;
+
+ if (file_exists(path)) {
+ client_fd = lxc_named_unix_connect(path);
+ if (client_fd < 0)
+ return -1;
+
+ return client_fd;
+ }
+#endif
+
ret = lxc_make_abstract_socket_name(path, sizeof(path), name, lxcpath,
hashed_sock_name, suffix);
if (ret < 0)
diff --git a/src/lxc/commands_utils.h b/src/lxc/commands_utils.h
index 3ef7920c..c836ead8 100644
--- a/src/lxc/commands_utils.h
+++ b/src/lxc/commands_utils.h
@@ -65,4 +65,10 @@ extern int lxc_add_state_client(int state_client_fd,
extern int lxc_cmd_connect(const char *name, const char *lxcpath,
const char *hashed_sock_name, const char *suffix);
+#ifdef HAVE_ISULAD
+extern char *generate_named_unix_sock_dir(const char *name);
+extern int generate_named_unix_sock_path(const char *container_name,
+ const char *sock_name, char *out_path, size_t len);
+#endif
+
#endif /* __LXC_COMMANDS_UTILS_H */
diff --git a/src/lxc/exec_commands.c b/src/lxc/exec_commands.c
index 00129cb0..50246fa4 100644
--- a/src/lxc/exec_commands.c
+++ b/src/lxc/exec_commands.c
@@ -371,7 +371,61 @@ out_close:
close(connection);
goto out;
}
+#ifdef HAVE_ISULAD
+int lxc_exec_unix_sock_delete(const char *name, const char *suffix)
+{
+ char path[LXC_AUDS_ADDR_LEN] = {0};
+
+ if (name == NULL || suffix == NULL)
+ return -1;
+
+ if (generate_named_unix_sock_path(name, suffix, path, sizeof(path)) != 0)
+ return -1;
+
+ (void)unlink(path);
+
+ return 0;
+}
+
+int lxc_exec_cmd_init(const char *name, const char *lxcpath, const char *suffix)
+{
+ __do_close int fd = -EBADF;
+ int ret;
+ char path[LXC_AUDS_ADDR_LEN] = {0};
+ __do_free char *exec_sock_dir = NULL;
+ exec_sock_dir = generate_named_unix_sock_dir(name);
+ if (exec_sock_dir == NULL)
+ return -1;
+
+ if (mkdir_p(exec_sock_dir, 0600) < 0)
+ return log_error_errno(-1, errno, "Failed to create exec sock directory %s", path);
+
+ if (generate_named_unix_sock_path(name, suffix, path, sizeof(path)) != 0)
+ return -1;
+
+ TRACE("Creating unix socket \"%s\"", path);
+
+ fd = lxc_named_unix_open(path, SOCK_STREAM, 0);
+ if (fd < 0) {
+ if (errno == EADDRINUSE) {
+ WARN("Container \"%s\" exec unix sock is occupied", name);
+ (void)unlink(path);
+ fd = lxc_named_unix_open(path, SOCK_STREAM, 0);
+ if (fd < 0)
+ return log_error_errno(-1, errno, "Failed to create command socket %s", path);
+ } else {
+ return log_error_errno(-1, errno, "Failed to create command socket %s", path);
+ }
+ }
+
+ ret = fcntl(fd, F_SETFD, FD_CLOEXEC);
+ if (ret < 0)
+ return log_error_errno(-1, errno, "Failed to set FD_CLOEXEC on command socket file descriptor");
+
+ return log_trace(move_fd(fd), "Created unix socket \"%s\"", path);
+}
+#else
int lxc_exec_cmd_init(const char *name, const char *lxcpath, const char *suffix)
{
int fd, ret;
@@ -400,6 +454,7 @@ int lxc_exec_cmd_init(const char *name, const char *lxcpath, const char *suffix)
return fd;
}
+#endif
int lxc_exec_cmd_mainloop_add(struct lxc_epoll_descr *descr, struct lxc_exec_command_handler *handler)
{
diff --git a/src/lxc/exec_commands.h b/src/lxc/exec_commands.h
index 2581ee90..3ec2a226 100644
--- a/src/lxc/exec_commands.h
+++ b/src/lxc/exec_commands.h
@@ -70,4 +70,8 @@ extern int lxc_exec_cmd_init(const char *name, const char *lxcpath, const char *
extern int lxc_exec_cmd_mainloop_add(struct lxc_epoll_descr *descr, struct lxc_exec_command_handler *handler);
extern int lxc_exec_cmd_set_terminal_winch(const char *name, const char *lxcpath, const char *suffix, unsigned int height, unsigned int width);
+#ifdef HAVE_ISULAD
+extern int lxc_exec_unix_sock_delete(const char *name, const char *suffix);
+#endif
+
#endif /* __exec_commands_h */
diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
index eef98df6..cbb67f32 100644
--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -3189,6 +3189,21 @@ static int lxc_unlink_exec_wrapper(void *data)
return unlink(arg);
}
+#ifdef HAVE_ISULAD
+static void container_sock_dir_delete(const char *name)
+{
+ __do_free char *sock_dir = NULL;
+
+ sock_dir = generate_named_unix_sock_dir(name);
+ if (sock_dir == NULL) {
+ ERROR("Failed to generate exec unix sock dir");
+ return;
+ }
+
+ (void)lxc_rmdir_onedev(sock_dir, NULL);
+}
+#endif
+
static bool container_destroy(struct lxc_container *c,
struct lxc_storage *storage)
{
@@ -3342,6 +3357,9 @@ static bool container_destroy(struct lxc_container *c,
#endif
goto out;
}
+#ifdef HAVE_ISULAD
+ container_sock_dir_delete(c->name);
+#endif
INFO("Destroyed directory \"%s\" for \"%s\"", path, c->name);
on_success:
--
2.25.1


@ -1,266 +0,0 @@
From d1f9a992190921783337b71103d3525c3381bedf Mon Sep 17 00:00:00 2001
From: lifeng68 <lifeng68@huawei.com>
Date: Tue, 15 Dec 2020 17:30:01 +0800
Subject: [PATCH 14/14] api: add get container metrics api
Signed-off-by: lifeng68 <lifeng68@huawei.com>
---
src/lxc/lxccontainer.c | 174 +++++++++++++++++++++++++++++++++++++++++
src/lxc/lxccontainer.h | 42 ++++++++++
2 files changed, 216 insertions(+)
diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
index cbb67f321..9202b73ff 100644
--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -5752,6 +5752,179 @@ static bool do_lxcapi_set_start_timeout(struct lxc_container *c, unsigned int s
WRAP_API_1(bool, lxcapi_set_start_timeout, unsigned int)
+static uint64_t metrics_get_ull(struct lxc_container *c, struct cgroup_ops *cgroup_ops, const char *item)
+{
+ char buf[80] = {0};
+ int len = 0;
+ uint64_t val = 0;
+
+ len = cgroup_ops->get(cgroup_ops, item, buf, sizeof(buf), c->name, c->config_path);
+ if (len <= 0) {
+ DEBUG("unable to read cgroup item %s", item);
+ return 0;
+ }
+
+ val = strtoull(buf, NULL, 0);
+ return val;
+}
+
+static inline bool is_blk_metrics_read(const char *value)
+{
+ return strcmp(value, "Read") == 0;
+}
+
+static inline bool is_blk_metrics_write(const char *value)
+{
+ return strcmp(value, "Write") == 0;
+}
+
+static inline bool is_blk_metrics_total(const char *value)
+{
+ return strcmp(value, "Total") == 0;
+}
+
+static void metrics_get_blk_stats(struct lxc_container *c, struct cgroup_ops *cgroup_ops, const char *item, struct lxc_blkio_metrics *stats)
+{
+#define BUFSIZE 4096
+ char buf[BUFSIZE] = {0};
+ int i = 0;
+ int len = 0;
+ char **lines = NULL;
+ char **cols = NULL;
+
+ len = cgroup_ops->get(cgroup_ops, item, buf, sizeof(buf), c->name, c->config_path);
+ if (len <= 0) {
+ DEBUG("unable to read cgroup item %s", item);
+ return;
+ }
+
+ lines = lxc_string_split_and_trim(buf, '\n');
+ if (lines == NULL) {
+ return;
+ }
+
+ (void)memset(stats, 0, sizeof(struct lxc_blkio_metrics));
+
+ for (i = 0; lines[i]; i++) {
+ cols = lxc_string_split_and_trim(lines[i], ' ');
+ if (cols == NULL) {
+ goto err_out;
+ }
+ if (is_blk_metrics_read(cols[1])) {
+ stats->read += strtoull(cols[2], NULL, 0);
+ } else if (is_blk_metrics_write(cols[1])) {
+ stats->write += strtoull(cols[2], NULL, 0);
+ }
+ if (is_blk_metrics_total(cols[0])) {
+ stats->total = strtoull(cols[1], NULL, 0);
+ }
+
+ lxc_free_array((void **)cols, free);
+ }
+err_out:
+ lxc_free_array((void **)lines, free);
+ return;
+}
+
+static uint64_t metrics_match_get_ull(struct lxc_container *c, struct cgroup_ops *cgroup_ops, const char *item, const char *match, int column)
+{
+#define BUFSIZE 4096
+ char buf[BUFSIZE] = {0};
+ int i = 0;
+ int j = 0;
+ int len = 0;
+ uint64_t val = 0;
+ char **lines = NULL;
+ char **cols = NULL;
+ size_t matchlen = 0;
+
+ len = cgroup_ops->get(cgroup_ops, item, buf, sizeof(buf), c->name, c->config_path);
+ if (len <= 0) {
+ DEBUG("unable to read cgroup item %s", item);
+ goto err_out;
+ }
+
+ lines = lxc_string_split_and_trim(buf, '\n');
+ if (lines == NULL) {
+ goto err_out;
+ }
+
+ matchlen = strlen(match);
+ for (i = 0; lines[i]; i++) {
+ if (strncmp(lines[i], match, matchlen) != 0) {
+ continue;
+ }
+
+ cols = lxc_string_split_and_trim(lines[i], ' ');
+ if (cols == NULL) {
+ goto err1;
+ }
+ for (j = 0; cols[j]; j++) {
+ if (j == column) {
+ val = strtoull(cols[j], NULL, 0);
+ break;
+ }
+ }
+ lxc_free_array((void **)cols, free);
+ break;
+ }
+err1:
+ lxc_free_array((void **)lines, free);
+err_out:
+ return val;
+}
+
+/* isulad add get container metrics */
+static bool do_lxcapi_get_container_metrics(struct lxc_container *c, struct lxc_container_metrics *metrics)
+{
+ call_cleaner(cgroup_exit) struct cgroup_ops *cgroup_ops = NULL;
+ const char *state = NULL;
+ if (c == NULL || c->lxc_conf == NULL || metrics == NULL) {
+ return false;
+ }
+
+ state = c->state(c);
+ metrics->state = state;
+
+ if (!is_stopped(c)) {
+ metrics->init = c->init_pid(c);
+ } else {
+ metrics->init = -1;
+ }
+
+ cgroup_ops = cgroup_init(c->lxc_conf);
+ if (cgroup_ops == NULL) {
+ return false;
+ }
+
+ metrics->cpu_use_nanos = metrics_get_ull(c, cgroup_ops, "cpuacct.usage");
+ metrics->pids_current = metrics_get_ull(c, cgroup_ops, "pids.current");
+
+ metrics->cpu_use_user = metrics_match_get_ull(c, cgroup_ops, "cpuacct.stat", "user", 1);
+ metrics->cpu_use_sys = metrics_match_get_ull(c, cgroup_ops, "cpuacct.stat", "system", 1);
+
+ // Try to read CFQ stats available on all CFQ enabled kernels first
+ metrics_get_blk_stats(c, cgroup_ops, "blkio.io_serviced_recursive", &metrics->io_serviced);
+ if (metrics->io_serviced.read == 0 && metrics->io_serviced.write == 0 && metrics->io_serviced.total == 0) {
+ metrics_get_blk_stats(c, cgroup_ops, "blkio.throttle.io_service_bytes", &metrics->io_service_bytes);
+ metrics_get_blk_stats(c, cgroup_ops, "blkio.throttle.io_serviced", &metrics->io_serviced);
+ } else {
+ metrics_get_blk_stats(c, cgroup_ops, "blkio.io_service_bytes_recursive", &metrics->io_service_bytes);
+ }
+
+ metrics->mem_used = metrics_get_ull(c, cgroup_ops, "memory.usage_in_bytes");
+ metrics->mem_limit = metrics_get_ull(c, cgroup_ops, "memory.limit_in_bytes");
+ metrics->kmem_used = metrics_get_ull(c, cgroup_ops, "memory.kmem.usage_in_bytes");
+ metrics->kmem_limit = metrics_get_ull(c, cgroup_ops, "memory.kmem.limit_in_bytes");
+
+ metrics->cache = metrics_match_get_ull(c, cgroup_ops, "memory.stat", "cache", 1);
+ metrics->cache_total = metrics_match_get_ull(c, cgroup_ops, "memory.stat", "total_cache", 1);
+
+ return true;
+}
+
+WRAP_API_1(bool, lxcapi_get_container_metrics, struct lxc_container_metrics *)
+
#endif
#ifdef HAVE_ISULAD
@@ -5924,6 +6097,7 @@ struct lxc_container *lxc_container_new(const char *name, const char *configpath
c->clean_container_resource = lxcapi_clean_container_resource;
c->get_container_pids = lxcapi_get_container_pids;
c->set_start_timeout = lxcapi_set_start_timeout;
+ c->get_container_metrics = lxcapi_get_container_metrics;
#endif
return c;
diff --git a/src/lxc/lxccontainer.h b/src/lxc/lxccontainer.h
index 2951ac7b4..e30bf6161 100644
--- a/src/lxc/lxccontainer.h
+++ b/src/lxc/lxccontainer.h
@@ -40,6 +40,37 @@ struct lxc_mount {
int version;
};
+struct lxc_blkio_metrics {
+ uint64_t read;
+ uint64_t write;
+ uint64_t total;
+};
+
+struct lxc_container_metrics {
+ /* State of container */
+ const char *state;
+ /* The process ID of the init container */
+ pid_t init;
+ /* Current pids */
+ uint64_t pids_current;
+ /* CPU usage */
+ uint64_t cpu_use_nanos;
+ uint64_t cpu_use_user;
+ uint64_t cpu_use_sys;
+ /* BlkIO usage */
+ struct lxc_blkio_metrics io_service_bytes;
+ struct lxc_blkio_metrics io_serviced;
+ /* Memory usage */
+ uint64_t mem_used;
+ uint64_t mem_limit;
+ /* Kernel Memory usage */
+ uint64_t kmem_used;
+ uint64_t kmem_limit;
+ /* Cache usage */
+ uint64_t cache;
+ uint64_t cache_total;
+};
+
/*!
* An LXC container.
*
@@ -976,6 +1007,17 @@ struct lxc_container {
* \return \c true on success, else \c false.
*/
bool (*set_start_timeout)(struct lxc_container *c, unsigned int start_timeout);
+
+ /*! isulad add
+ * \brief An API call to set start timeout
+ *
+ * \param c Container.
+ * \param start_timeout Value of start timeout.
+ *
+ * \return \c true on success, else \c false.
+ */
+ bool (*get_container_metrics)(struct lxc_container *c, struct lxc_container_metrics *metrics);
+
};
/*!
--
2.25.1


@ -1,92 +0,0 @@
From d19376d8735651b23394cdeb560cbebe374c8bb9 Mon Sep 17 00:00:00 2001
From: wujing <wujing50@huawei.com>
Date: Wed, 21 Oct 2020 15:34:50 +0800
Subject: [PATCH 2/3] Streaming IO solution optimization and enhancement
Signed-off-by: wujing <wujing50@huawei.com>
---
src/lxc/file_utils.c | 27 +++++++++++++++++++++++++++
src/lxc/file_utils.h | 4 ++++
src/lxc/terminal.c | 14 ++++++++++----
3 files changed, 41 insertions(+), 4 deletions(-)
diff --git a/src/lxc/file_utils.c b/src/lxc/file_utils.c
index 1689cbaa..2dbbbd3b 100644
--- a/src/lxc/file_utils.c
+++ b/src/lxc/file_utils.c
@@ -122,6 +122,33 @@ int lxc_read_from_file(const char *filename, void *buf, size_t count)
return ret;
}
+#ifdef HAVE_ISULAD
+ssize_t lxc_write_nointr_for_fifo(int fd, const void *buf, size_t count)
+{
+ ssize_t nret = 0;
+ ssize_t nwritten;
+
+ if (buf == NULL) {
+ return -1;
+ }
+
+ for (nwritten = 0; nwritten < count;) {
+ nret = write(fd, buf + nwritten, count - nwritten);
+ if (nret < 0) {
+ if (errno == EINTR || errno == EAGAIN) {
+ continue;
+ } else {
+ return nret;
+ }
+ } else {
+ nwritten += nret;
+ }
+ }
+
+ return nwritten;
+}
+#endif
+
ssize_t lxc_write_nointr(int fd, const void *buf, size_t count)
{
ssize_t ret;
diff --git a/src/lxc/file_utils.h b/src/lxc/file_utils.h
index 6d5dbf68..29162b3f 100644
--- a/src/lxc/file_utils.h
+++ b/src/lxc/file_utils.h
@@ -58,4 +58,8 @@ extern FILE *fdopen_cached(int fd, const char *mode, void **caller_freed_buffer)
extern FILE *fopen_cached(const char *path, const char *mode,
void **caller_freed_buffer);
+#ifdef HAVE_ISULAD
+extern ssize_t lxc_write_nointr_for_fifo(int fd, const void *buf, size_t count);
+#endif
+
#endif /* __LXC_FILE_UTILS_H */
diff --git a/src/lxc/terminal.c b/src/lxc/terminal.c
index 7441de79..a4c6ad0c 100644
--- a/src/lxc/terminal.c
+++ b/src/lxc/terminal.c
@@ -683,11 +683,17 @@ static void lxc_forward_data_to_fifo(struct lxc_list *list, bool is_err, const c
lxc_list_for_each_safe(it, list, next) {
elem = it->elem;
if (is_err) {
- if (elem->err_fd >= 0)
- lxc_write_nointr(elem->err_fd, buf, r);
+ if (elem->err_fd >= 0) {
+ if (lxc_write_nointr_for_fifo(elem->err_fd, buf, r) < 0) {
+ ERROR("Failed to write to fifo fd %d with error: %s", elem->err_fd, strerror(errno));
+ }
+ }
} else {
- if (elem->out_fd >= 0)
- lxc_write_nointr(elem->out_fd, buf, r);
+ if (elem->out_fd >= 0) {
+ if (lxc_write_nointr_for_fifo(elem->out_fd, buf, r) < 0) {
+ ERROR("Failed to write to fifo fd %d with error: %s", elem->out_fd, strerror(errno));
+ }
+ }
}
}
--
2.25.1


@ -1,40 +0,0 @@
From 1912d374c6fbabc9ac549011cd863c28ee1a55fa Mon Sep 17 00:00:00 2001
From: wujing <wujing50@huawei.com>
Date: Thu, 24 Dec 2020 11:23:01 +0800
Subject: [PATCH 3/3] avoid using void pointers in caclulation
Signed-off-by: wujing <wujing50@huawei.com>
---
src/lxc/file_utils.c | 2 +-
src/lxc/file_utils.h | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/lxc/file_utils.c b/src/lxc/file_utils.c
index 2dbbbd3b..681207b2 100644
--- a/src/lxc/file_utils.c
+++ b/src/lxc/file_utils.c
@@ -123,7 +123,7 @@ int lxc_read_from_file(const char *filename, void *buf, size_t count)
}
#ifdef HAVE_ISULAD
-ssize_t lxc_write_nointr_for_fifo(int fd, const void *buf, size_t count)
+ssize_t lxc_write_nointr_for_fifo(int fd, const char *buf, size_t count)
{
ssize_t nret = 0;
ssize_t nwritten;
diff --git a/src/lxc/file_utils.h b/src/lxc/file_utils.h
index 29162b3f..cb959bfb 100644
--- a/src/lxc/file_utils.h
+++ b/src/lxc/file_utils.h
@@ -59,7 +59,7 @@ extern FILE *fopen_cached(const char *path, const char *mode,
void **caller_freed_buffer);
#ifdef HAVE_ISULAD
-extern ssize_t lxc_write_nointr_for_fifo(int fd, const void *buf, size_t count);
+extern ssize_t lxc_write_nointr_for_fifo(int fd, const char *buf, size_t count);
#endif
#endif /* __LXC_FILE_UTILS_H */
--
2.25.1


@ -1,32 +0,0 @@
From 5a3bec3f80d59dfcc76e16cbab957f4072601816 Mon Sep 17 00:00:00 2001
From: wujing <wujing50@huawei.com>
Date: Tue, 5 Jan 2021 16:53:40 +0800
Subject: [PATCH] fix compilation errors without libcap
Signed-off-by: wujing <wujing50@huawei.com>
---
src/lxc/conf.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index c3610ae3..19e193dd 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -5301,11 +5301,12 @@ int lxc_drop_caps(struct lxc_conf *conf)
goto out;
}
-#endif
-
out:
free(caplist);
return ret;
+#else
+ return 0;
+#endif
}
#endif
--
2.27.0


@ -1,132 +0,0 @@
From 9502363455188344dcfd7d1202cd48b7b554a5de Mon Sep 17 00:00:00 2001
From: Li Feng <lifeng2221dd1@zoho.com.cn>
Date: Wed, 20 Jan 2021 14:22:33 +0800
Subject: [PATCH 18/18] IO: fix io data miss when exec with pipes
Signed-off-by: Li Feng <lifeng2221dd1@zoho.com.cn>
---
src/lxc/attach.c | 4 ++--
src/lxc/mainloop.c | 14 ++++++++++++++
src/lxc/mainloop.h | 2 ++
src/lxc/start.c | 4 ++--
src/lxc/terminal.c | 12 ++++++++----
5 files changed, 28 insertions(+), 8 deletions(-)
diff --git a/src/lxc/attach.c b/src/lxc/attach.c
index 87e23c229..c5fc56150 100644
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -1754,7 +1754,7 @@ int lxc_attach(struct lxc_container *container, lxc_attach_exec_t exec_function,
}
#endif
if (options->attach_flags & LXC_ATTACH_TERMINAL) {
- ret = lxc_mainloop(&descr, -1);
+ ret = isulad_safe_mainloop(&descr, -1);
if (ret < 0) {
ret_parent = -1;
to_cleanup_pid = attached_pid;
@@ -1763,7 +1763,7 @@ int lxc_attach(struct lxc_container *container, lxc_attach_exec_t exec_function,
#ifdef HAVE_ISULAD
// do lxc_mainloop to make sure we do not lose any output
- (void)lxc_mainloop(&isulad_descr, 100);
+ (void)isulad_safe_mainloop(&isulad_descr, 100);
if (g_attach_timeout_state == ATTACH_TIMEOUT && err_msg != NULL && *err_msg == NULL) {
*err_msg = safe_strdup("Attach exceeded timeout");
}
diff --git a/src/lxc/mainloop.c b/src/lxc/mainloop.c
index 6d4c5935a..35186f4b5 100644
--- a/src/lxc/mainloop.c
+++ b/src/lxc/mainloop.c
@@ -141,3 +141,17 @@ void lxc_mainloop_close(struct lxc_epoll_descr *descr)
close_prot_errno_disarm(descr->epfd);
}
+
+int isulad_safe_mainloop(struct lxc_epoll_descr *descr, int timeout_ms)
+{
+ int ret;
+
+ ret = lxc_mainloop(descr, timeout_ms);
+
+ // There are stdout and stderr channels, and two epolls should be performed to prevent
+ // one of the channels from exiting first, causing the other channel to not receive data,
+ // resulting in data loss
+ (void)lxc_mainloop(descr, 100);
+
+ return ret;
+}
\ No newline at end of file
diff --git a/src/lxc/mainloop.h b/src/lxc/mainloop.h
index 8afac60d3..dad79188c 100644
--- a/src/lxc/mainloop.h
+++ b/src/lxc/mainloop.h
@@ -34,4 +34,6 @@ extern void lxc_mainloop_close(struct lxc_epoll_descr *descr);
define_cleanup_function(struct lxc_epoll_descr *, lxc_mainloop_close);
+extern int isulad_safe_mainloop(struct lxc_epoll_descr *descr, int timeout_ms);
+
#endif
diff --git a/src/lxc/start.c b/src/lxc/start.c
index 50a1a8203..e6e217042 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -590,13 +590,13 @@ int lxc_poll(const char *name, struct lxc_handler *handler)
}
#endif
- ret = lxc_mainloop(&descr, -1);
+ ret = isulad_safe_mainloop(&descr, -1);
close_prot_errno_disarm(descr.epfd);
if (ret < 0 || !handler->init_died)
goto out_mainloop_console;
if (has_console)
- ret = lxc_mainloop(&descr_console, 100);
+ ret = isulad_safe_mainloop(&descr_console, 100);
out_mainloop_console:
if (has_console) {
diff --git a/src/lxc/terminal.c b/src/lxc/terminal.c
index a4c6ad0c8..1e467f5a6 100644
--- a/src/lxc/terminal.c
+++ b/src/lxc/terminal.c
@@ -679,19 +679,22 @@ static void lxc_forward_data_to_fifo(struct lxc_list *list, bool is_err, const c
struct lxc_list *it = NULL;
struct lxc_list *next = NULL;
struct lxc_fifos_fd *elem = NULL;
+ ssize_t w = 0;
lxc_list_for_each_safe(it, list, next) {
elem = it->elem;
if (is_err) {
if (elem->err_fd >= 0) {
- if (lxc_write_nointr_for_fifo(elem->err_fd, buf, r) < 0) {
- ERROR("Failed to write to fifo fd %d with error: %s", elem->err_fd, strerror(errno));
+ w = lxc_write_nointr_for_fifo(elem->err_fd, buf, r);
+ if (w != r) {
+ WARN("Failed to write to fifo fd %d with error: %s", elem->err_fd, strerror(errno));
}
}
} else {
if (elem->out_fd >= 0) {
- if (lxc_write_nointr_for_fifo(elem->out_fd, buf, r) < 0) {
- ERROR("Failed to write to fifo fd %d with error: %s", elem->out_fd, strerror(errno));
+ w = lxc_write_nointr_for_fifo(elem->out_fd, buf, r);
+ if (w != r) {
+ WARN("Failed to write to fifo fd %d with error: %s", elem->out_fd, strerror(errno));
}
}
}
@@ -1673,6 +1676,7 @@ int lxc_terminal_create(struct lxc_terminal *terminal)
ERROR("Failed to create stdin pipe");
goto err;
}
+
/* for stdout */
if (pipe2(terminal->pipes[1], O_CLOEXEC)) {
ERROR("Failed to create stdout pipe");
--
2.25.1


@ -1,39 +0,0 @@
From 15da6e1f057c70eee476730138788fd73de1b208 Mon Sep 17 00:00:00 2001
From: Li Feng <lifeng2221dd1@zoho.com.cn>
Date: Thu, 28 Jan 2021 16:05:18 +0800
Subject: [PATCH 19/19] metrics: add total_inactive_file metric for memory
Signed-off-by: Li Feng <lifeng2221dd1@zoho.com.cn>
---
src/lxc/lxccontainer.c | 1 +
src/lxc/lxccontainer.h | 2 ++
2 files changed, 3 insertions(+)
diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
index 9202b73ff..06552ce5c 100644
--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -5919,6 +5919,7 @@ static bool do_lxcapi_get_container_metrics(struct lxc_container *c, struct lxc
metrics->cache = metrics_match_get_ull(c, cgroup_ops, "memory.stat", "cache", 1);
metrics->cache_total = metrics_match_get_ull(c, cgroup_ops, "memory.stat", "total_cache", 1);
+ metrics->inactive_file_total = metrics_match_get_ull(c, cgroup_ops, "memory.stat", "total_inactive_file", 1);
return true;
}
diff --git a/src/lxc/lxccontainer.h b/src/lxc/lxccontainer.h
index e30bf6161..9abbd09ed 100644
--- a/src/lxc/lxccontainer.h
+++ b/src/lxc/lxccontainer.h
@@ -69,6 +69,8 @@ struct lxc_container_metrics {
/* Cache usage */
uint64_t cache;
uint64_t cache_total;
+ /* total inactive file */
+ uint64_t inactive_file_total;
};
/*!
--
2.25.1


@ -1,582 +0,0 @@
From 0eac597a6f853c4eb41d7ebe58398c117798542c Mon Sep 17 00:00:00 2001
From: WangFengTu <wangfengtu@huawei.com>
Date: Fri, 29 Jan 2021 16:55:13 +0800
Subject: [PATCH] support cgroup v2
Signed-off-by: WangFengTu <wangfengtu@huawei.com>
---
src/lxc/cgroups/cgroup2_devices.c | 126 +++++++++++++++++++----------
src/lxc/cgroups/isulad_cgfsng.c | 56 ++++++++++++-
src/lxc/lxccontainer.c | 129 ++++++++++++++++++++++++++++++
3 files changed, 269 insertions(+), 42 deletions(-)
diff --git a/src/lxc/cgroups/cgroup2_devices.c b/src/lxc/cgroups/cgroup2_devices.c
index 4efb28fb..05613c51 100644
--- a/src/lxc/cgroups/cgroup2_devices.c
+++ b/src/lxc/cgroups/cgroup2_devices.c
@@ -25,6 +25,19 @@
#include <linux/bpf.h>
#include <linux/filter.h>
+#define BPF_LOG_BUF_SIZE (1 << 23) /* 8MB */
+#ifndef BPF_LOG_LEVEL1
+#define BPF_LOG_LEVEL1 1
+#endif
+
+#ifndef BPF_LOG_LEVEL2
+#define BPF_LOG_LEVEL2 2
+#endif
+
+#ifndef BPF_LOG_LEVEL
+#define BPF_LOG_LEVEL (BPF_LOG_LEVEL1 | BPF_LOG_LEVEL2)
+#endif
+
lxc_log_define(cgroup2_devices, cgroup);
static int bpf_program_add_instructions(struct bpf_program *prog,
@@ -42,6 +55,8 @@ static int bpf_program_add_instructions(struct bpf_program *prog,
return log_error_errno(-1, ENOMEM, "Failed to reallocate bpf cgroup program");
prog->instructions = new_insn;
+ memset(prog->instructions + prog->n_instructions, 0,
+ sizeof(struct bpf_insn) * count);
memcpy(prog->instructions + prog->n_instructions, instructions,
sizeof(struct bpf_insn) * count);
prog->n_instructions += count;
@@ -118,29 +133,27 @@ void bpf_program_free(struct bpf_program *prog)
.off = 0, \
.imm = 0})
-static int bpf_access_mask(const char *acc)
+static int bpf_access_mask(const char *acc, __u32 *mask)
{
- int mask = 0;
-
if (!acc)
- return mask;
+ return 0;
for (; *acc; acc++)
switch (*acc) {
case 'r':
- mask |= BPF_DEVCG_ACC_READ;
+ *mask |= BPF_DEVCG_ACC_READ;
break;
case 'w':
- mask |= BPF_DEVCG_ACC_WRITE;
+ *mask |= BPF_DEVCG_ACC_WRITE;
break;
case 'm':
- mask |= BPF_DEVCG_ACC_MKNOD;
+ *mask |= BPF_DEVCG_ACC_MKNOD;
break;
default:
return -EINVAL;
}
- return mask;
+ return 0;
}
static int bpf_device_type(char type)
@@ -157,19 +170,18 @@ static int bpf_device_type(char type)
return -1;
}
-static inline bool bpf_device_all_access(int access_mask)
+static inline bool bpf_device_all_access(__u32 access_mask)
{
- return (access_mask == (BPF_DEVCG_ACC_READ | BPF_DEVCG_ACC_WRITE |
- BPF_DEVCG_ACC_MKNOD));
+ return access_mask == (BPF_DEVCG_ACC_READ | BPF_DEVCG_ACC_WRITE | BPF_DEVCG_ACC_MKNOD);
}
struct bpf_program *bpf_program_new(uint32_t prog_type)
{
__do_free struct bpf_program *prog = NULL;
- prog = calloc(1, sizeof(struct bpf_program));
+ prog = zalloc(sizeof(struct bpf_program));
if (!prog)
- return NULL;
+ return ret_set_errno(NULL, ENOMEM);
prog->prog_type = prog_type;
prog->kernel_fd = -EBADF;
@@ -209,12 +221,10 @@ int bpf_program_append_device(struct bpf_program *prog, struct device_item *devi
{
int ret;
int jump_nr = 1;
- struct bpf_insn bpf_access_decision[] = {
- BPF_MOV64_IMM(BPF_REG_0, device->allow),
- BPF_EXIT_INSN(),
- };
- int access_mask;
+ __u32 access_mask = 0;
int device_type;
+ struct bpf_insn bpf_access_decision[2];
+ bool add_exist = false;
if (!prog || !device)
return ret_set_errno(-1, EINVAL);
@@ -225,6 +235,13 @@ int bpf_program_append_device(struct bpf_program *prog, struct device_item *devi
return 0;
}
+ ret = bpf_access_mask(device->access, &access_mask);
+ if (ret < 0)
+ return log_error_errno(ret, -ret, "Invalid access mask specified %s", device->access);
+
+ if (!bpf_device_all_access(access_mask))
+ jump_nr += 3;
+
device_type = bpf_device_type(device->type);
if (device_type < 0)
return log_error_errno(-1, EINVAL, "Invalid bpf cgroup device type %c", device->type);
@@ -232,63 +249,67 @@ int bpf_program_append_device(struct bpf_program *prog, struct device_item *devi
if (device_type > 0)
jump_nr++;
- access_mask = bpf_access_mask(device->access);
- if (!bpf_device_all_access(access_mask))
- jump_nr += 3;
-
- if (device->major != -1)
+ if (device->major >= 0)
jump_nr++;
- if (device->minor != -1)
+ if (device->minor >= 0)
jump_nr++;
if (device_type > 0) {
struct bpf_insn ins[] = {
- BPF_JMP_IMM(BPF_JNE, BPF_REG_2, device_type, jump_nr--),
+ BPF_JMP_IMM(BPF_JNE, BPF_REG_2, device_type, jump_nr--),
};
ret = bpf_program_add_instructions(prog, ins, ARRAY_SIZE(ins));
if (ret)
return log_error_errno(-1, errno, "Failed to add instructions to bpf cgroup program");
+ add_exist = true;
}
if (!bpf_device_all_access(access_mask)) {
struct bpf_insn ins[] = {
- BPF_MOV32_REG(BPF_REG_1, BPF_REG_3),
- BPF_ALU32_IMM(BPF_AND, BPF_REG_1, access_mask),
- BPF_JMP_REG(BPF_JNE, BPF_REG_1, BPF_REG_3, jump_nr),
+ BPF_MOV32_REG(BPF_REG_1, BPF_REG_3),
+ BPF_ALU32_IMM(BPF_AND, BPF_REG_1, access_mask),
+ BPF_JMP_REG(BPF_JNE, BPF_REG_1, BPF_REG_3, jump_nr-2),
};
jump_nr -= 3;
ret = bpf_program_add_instructions(prog, ins, ARRAY_SIZE(ins));
if (ret)
return log_error_errno(-1, errno, "Failed to add instructions to bpf cgroup program");
+ add_exist = true;
}
if (device->major >= 0) {
struct bpf_insn ins[] = {
- BPF_JMP_IMM(BPF_JNE, BPF_REG_4, device->major, jump_nr--),
+ BPF_JMP_IMM(BPF_JNE, BPF_REG_4, device->major, jump_nr--),
};
ret = bpf_program_add_instructions(prog, ins, ARRAY_SIZE(ins));
if (ret)
return log_error_errno(-1, errno, "Failed to add instructions to bpf cgroup program");
+ add_exist = true;
}
if (device->minor >= 0) {
struct bpf_insn ins[] = {
- BPF_JMP_IMM(BPF_JNE, BPF_REG_5, device->minor, jump_nr--),
+ BPF_JMP_IMM(BPF_JNE, BPF_REG_5, device->minor, jump_nr--),
};
ret = bpf_program_add_instructions(prog, ins, ARRAY_SIZE(ins));
if (ret)
return log_error_errno(-1, errno, "Failed to add instructions to bpf cgroup program");
+ add_exist = true;
}
- ret = bpf_program_add_instructions(prog, bpf_access_decision,
- ARRAY_SIZE(bpf_access_decision));
- if (ret)
- return log_error_errno(-1, errno, "Failed to add instructions to bpf cgroup program");
+ if (add_exist) {
+ bpf_access_decision[0] = BPF_MOV64_IMM(BPF_REG_0, device->allow);
+ bpf_access_decision[1] = BPF_EXIT_INSN();
+ ret = bpf_program_add_instructions(prog, bpf_access_decision,
+ ARRAY_SIZE(bpf_access_decision));
+ if (ret)
+ return log_error_errno(-1, errno, "Failed to add instructions to bpf cgroup program");
+ }
return 0;
}
@@ -310,30 +331,49 @@ int bpf_program_finalize(struct bpf_program *prog)
return bpf_program_add_instructions(prog, ins, ARRAY_SIZE(ins));
}
-static int bpf_program_load_kernel(struct bpf_program *prog, char *log_buf,
- size_t log_size)
+static int bpf_program_load_kernel(struct bpf_program *prog)
{
+ __do_free char *log_buf = NULL;
+ __u32 log_level = 0;
+ __u32 log_size = 0;
union bpf_attr attr;
+ struct rlimit limit = {
+ .rlim_cur = RLIM_INFINITY,
+ .rlim_max = RLIM_INFINITY,
+ };
if (prog->kernel_fd >= 0) {
- memset(log_buf, 0, log_size);
return 0;
}
+ if (lxc_log_get_level() <= LXC_LOG_LEVEL_DEBUG) {
+ log_buf = zalloc(BPF_LOG_BUF_SIZE);
+ if (!log_buf) {
+ WARN("Failed to allocate bpf log buffer");
+ } else {
+ log_level = BPF_LOG_LEVEL;
+ log_size = BPF_LOG_BUF_SIZE;
+ }
+ }
+
+ if (setrlimit(RLIMIT_MEMLOCK, &limit) < 0)
+ return log_error_errno(-1, errno, "Failed to set rlimit memlock to unlimited");
+
attr = (union bpf_attr){
.prog_type = prog->prog_type,
.insns = PTR_TO_UINT64(prog->instructions),
.insn_cnt = prog->n_instructions,
.license = PTR_TO_UINT64("GPL"),
.log_buf = PTR_TO_UINT64(log_buf),
- .log_level = !!log_buf,
+ .log_level = log_level,
.log_size = log_size,
};
prog->kernel_fd = bpf(BPF_PROG_LOAD, &attr, sizeof(attr));
if (prog->kernel_fd < 0)
- return log_error_errno(-1, errno, "Failed to load bpf program");
+ return log_error_errno(-1, errno, "Failed to load bpf program: %s", log_buf);
+ TRACE("Loaded bpf program: %s", log_buf ?: "(null)");
return 0;
}
@@ -362,7 +402,7 @@ int bpf_program_cgroup_attach(struct bpf_program *prog, int type,
return true;
}
- ret = bpf_program_load_kernel(prog, NULL, 0);
+ ret = bpf_program_load_kernel(prog);
if (ret < 0)
return log_error_errno(-1, ret, "Failed to load bpf program");
@@ -518,11 +558,15 @@ bool bpf_devices_cgroup_supported(void)
if (prog < 0)
return log_trace(false, "Failed to allocate new bpf device cgroup program");
+ ret = bpf_program_init(prog);
+ if (ret)
+ return log_error_errno(false, ENOMEM, "Failed to initialize bpf program");
+
ret = bpf_program_add_instructions(prog, dummy, ARRAY_SIZE(dummy));
if (ret < 0)
return log_trace(false, "Failed to add new instructions to bpf device cgroup program");
- ret = bpf_program_load_kernel(prog, NULL, 0);
+ ret = bpf_program_load_kernel(prog);
if (ret < 0)
return log_trace(false, "Failed to load new bpf device cgroup program");
diff --git a/src/lxc/cgroups/isulad_cgfsng.c b/src/lxc/cgroups/isulad_cgfsng.c
index e16f8a19..c80527d5 100644
--- a/src/lxc/cgroups/isulad_cgfsng.c
+++ b/src/lxc/cgroups/isulad_cgfsng.c
@@ -823,6 +823,9 @@ static bool isulad_cg_legacy_handle_cpuset_hierarchy(struct hierarchy *h, char *
char *cgpath, *slash;
bool sub_mk_success = false;
+ if (is_unified_hierarchy(h))
+ return true;
+
if (!string_in_list(h->controllers, "cpuset"))
return true;
@@ -1288,6 +1291,20 @@ __cgfsng_ops static bool isulad_cgfsng_mount(struct cgroup_ops *ops,
ERROR("Failed to create directory: %s", tmpfspath);
goto on_error;
}
+
+ if (ops->cgroup_layout == CGROUP_LAYOUT_UNIFIED) {
+ if (has_cgns && wants_force_mount) {
+ /*
+ * If cgroup namespaces are supported but the container
+ * will not have CAP_SYS_ADMIN after it has started we
+ * need to mount the cgroups manually.
+ */
+ return cg_mount_in_cgroup_namespace(type, ops->unified, tmpfspath) == 0;
+ }
+
+ return cg_mount_cgroup_full(type, ops->unified, tmpfspath) == 0;
+ }
+
ret = safe_mount(NULL, tmpfspath, "tmpfs",
MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_RELATIME,
"size=10240k,mode=755", root, handler->conf->lsm_se_mount_context);
@@ -2196,8 +2213,16 @@ __cgfsng_ops static int isulad_cgfsng_set(struct cgroup_ops *ops,
h = get_hierarchy(ops, controller);
if (h) {
char *fullpath;
-
fullpath = build_full_cgpath_from_monitorpath(h, path, filename);
+
+ if (strcmp(filename, "io.weight") == 0 || strcmp(filename, "io.bfq.weight") == 0) {
+ if (!file_exists(fullpath)) {
+ free(path);
+ free(fullpath);
+ return 0;
+ }
+ }
+
ret = lxc_write_to_file(fullpath, value, strlen(value), false, 0666);
free(fullpath);
}
@@ -2428,6 +2453,9 @@ __cgfsng_ops static bool isulad_cgfsng_setup_limits_legacy(struct cgroup_ops *op
if (!ops->hierarchies)
return ret_set_errno(false, EINVAL);
+ if (pure_unified_layout(ops))
+ return true;
+
sorted_cgroup_settings = sort_cgroup_settings(cgroup_settings);
if (!sorted_cgroup_settings)
return false;
@@ -2528,6 +2556,7 @@ static int bpf_device_cgroup_prepare(struct cgroup_ops *ops,
__cgfsng_ops static bool isulad_cgfsng_setup_limits(struct cgroup_ops *ops,
struct lxc_handler *handler)
{
+ __do_free char *path = NULL;
struct lxc_list *cgroup_settings, *iterator;
struct hierarchy *h;
struct lxc_conf *conf;
@@ -2549,6 +2578,9 @@ __cgfsng_ops static bool isulad_cgfsng_setup_limits(struct cgroup_ops *ops,
return true;
cgroup_settings = &conf->cgroup2;
+ if (!pure_unified_layout(ops))
+ return true;
+
if (!ops->unified)
return false;
h = ops->unified;
@@ -2560,7 +2592,29 @@ __cgfsng_ops static bool isulad_cgfsng_setup_limits(struct cgroup_ops *ops,
if (strncmp("devices", cg->subsystem, 7) == 0) {
ret = bpf_device_cgroup_prepare(ops, conf, cg->subsystem,
cg->value);
+ } else if (strcmp(cg->subsystem, "files.limit") == 0) {
+ long long int setvalue = 0;
+ const char *cgvalue = cg->value;
+
+ if (lxc_safe_long_long(cgvalue, &setvalue) != 0)
+ return log_error(false, "Invalid integer value %s", cgvalue);
+
+ if (setvalue <= 0)
+ cgvalue = "max";
+
+ ret = lxc_write_openat(h->container_full_path,
+ cg->subsystem, cgvalue,
+ strlen(cgvalue));
+ if (ret < 0)
+ return log_error_errno(false, errno, "Failed to set \"%s\" to \"%s\"",
+ cg->subsystem, cgvalue);
} else {
+ if (strcmp(cg->subsystem, "io.weight") == 0 || strcmp(cg->subsystem, "io.bfq.weight") == 0) {
+ path = must_make_path(h->container_full_path, cg->subsystem, NULL);
+ if (!file_exists(path)) {
+ continue;
+ }
+ }
ret = lxc_write_openat(h->container_full_path,
cg->subsystem, cg->value,
strlen(cg->value));
diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
index 06552ce5..5769b251 100644
--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -87,6 +87,9 @@
lxc_log_define(lxccontainer, lxc);
+typedef bool (*func_is_io_stat_read)(const char *value);
+typedef bool (*func_is_io_stat_write)(const char *value);
+
static bool do_lxcapi_destroy(struct lxc_container *c);
static const char *lxcapi_get_config_path(struct lxc_container *c);
#define do_lxcapi_get_config_path(c) lxcapi_get_config_path(c)
@@ -5768,6 +5771,26 @@ static uint64_t metrics_get_ull(struct lxc_container *c, struct cgroup_ops *cgro
return val;
}
+static uint64_t metrics_get_ull_with_max(struct lxc_container *c, struct cgroup_ops *cgroup_ops, const char *item)
+{
+ char buf[80] = {0};
+ int len = 0;
+ uint64_t val = 0;
+
+ len = cgroup_ops->get(cgroup_ops, item, buf, sizeof(buf), c->name, c->config_path);
+ if (len <= 0) {
+ DEBUG("unable to read cgroup item %s", item);
+ return 0;
+ }
+
+ if (strcmp(buf, "max") == 0) {
+ return ULONG_MAX;
+ }
+
+ val = strtoull(buf, NULL, 0);
+ return val;
+}
+
static inline bool is_blk_metrics_read(const char *value)
{
return strcmp(value, "Read") == 0;
@@ -5826,6 +5849,60 @@ err_out:
return;
}
+static void metrics_get_io_stats_v2(struct lxc_container *c, struct cgroup_ops *cgroup_ops, const char *item, struct lxc_blkio_metrics *stats, func_is_io_stat_read is_io_stat_read, func_is_io_stat_write is_io_stat_write)
+{
+#define BUFSIZE 4096
+ char buf[BUFSIZE] = {0};
+ int i = 0;
+ int j = 0;
+ int len = 0;
+ char **lines = NULL;
+ char **cols = NULL;
+ char **kv = NULL;
+
+ len = cgroup_ops->get(cgroup_ops, item, buf, sizeof(buf), c->name, c->config_path);
+ if (len <= 0) {
+ DEBUG("unable to read cgroup item %s", item);
+ return;
+ }
+
+ lines = lxc_string_split_and_trim(buf, '\n');
+ if (lines == NULL) {
+ return;
+ }
+
+ (void)memset(stats, 0, sizeof(struct lxc_blkio_metrics));
+ // line example:
+ // 259:0 rbytes=0 wbytes=12288 rios=0 wios=4 dbytes=0 dios=0
+ for (i = 0; lines[i]; i++) {
+ cols = lxc_string_split_and_trim(lines[i], ' ');
+ if (cols == NULL || lxc_array_len((void **)cols) < 2) {
+ goto err_out;
+ }
+ len = lxc_array_len((void **)cols);
+ for (j = 1; j < len; j++) {
+ kv = lxc_string_split(cols[j], '=');
+ if (kv == NULL || lxc_array_len((void **)kv) != 2) {
+ lxc_free_array((void **)kv, free);
+ continue;
+ }
+ if (is_io_stat_read(kv[0])) {
+ stats->read += strtoull(kv[1], NULL, 0);
+ } else if (is_io_stat_write(kv[0])) {
+ stats->write += strtoull(kv[1], NULL, 0);
+ }
+ lxc_free_array((void **)kv, free);
+ }
+ lxc_free_array((void **)cols, free);
+ }
+
+ stats->total = stats->read + stats->write;
+
+err_out:
+ lxc_free_array((void **)lines, free);
+ return;
+}
+
static uint64_t metrics_match_get_ull(struct lxc_container *c, struct cgroup_ops *cgroup_ops, const char *item, const char *match, int column)
{
#define BUFSIZE 4096
@@ -5874,6 +5951,54 @@ err_out:
return val;
}
+static bool is_io_stat_rbytes(const char *value)
+{
+ return strcmp(value, "rbytes") == 0;
+}
+
+static bool is_io_stat_wbytes(const char *value)
+{
+ return strcmp(value, "wbytes") == 0;
+}
+
+static bool is_io_stat_rios(const char *value)
+{
+ return strcmp(value, "rios") == 0;
+}
+
+static bool is_io_stat_wios(const char *value)
+{
+ return strcmp(value, "wios") == 0;
+}
+
+static bool unified_metrics_get(struct lxc_container *c, struct cgroup_ops *cgroup_ops, struct lxc_container_metrics *metrics)
+{
+ // cpu
+ metrics->cpu_use_nanos = metrics_match_get_ull(c, cgroup_ops, "cpu.stat", "usage_usec", 1) * 1000;
+ metrics->cpu_use_user = metrics_match_get_ull(c, cgroup_ops, "cpu.stat", "user_usec", 1) * 1000;
+ metrics->cpu_use_sys = metrics_match_get_ull(c, cgroup_ops, "cpu.stat", "system_usec", 1) * 1000;
+
+ // io
+ metrics_get_io_stats_v2(c, cgroup_ops, "io.stat", &metrics->io_service_bytes, is_io_stat_rbytes, is_io_stat_wbytes);
+ metrics_get_io_stats_v2(c, cgroup_ops, "io.stat", &metrics->io_serviced, is_io_stat_rios, is_io_stat_wios);
+
+ // memory
+ metrics->mem_used = metrics_get_ull(c, cgroup_ops, "memory.current");
+ metrics->mem_limit = metrics_get_ull_with_max(c, cgroup_ops, "memory.max");
+ metrics->inactive_file_total = metrics_match_get_ull(c, cgroup_ops, "memory.stat", "inactive_file", 1);
+ metrics->cache = metrics_match_get_ull(c, cgroup_ops, "memory.stat", "file", 1);
+ metrics->cache_total = metrics->cache;
+
+ // cgroup v2 does not support kernel memory
+ metrics->kmem_used = 0;
+ metrics->kmem_limit = 0;
+
+ // pids
+ metrics->pids_current = metrics_get_ull(c, cgroup_ops, "pids.current");
+
+ return true;
+}
+
/* isulad add get container metrics */
static bool do_lxcapi_get_container_metrics(struct lxc_container *c, struct lxc_container_metrics *metrics)
{
@@ -5897,6 +6022,10 @@ static bool do_lxcapi_get_container_metrics(struct lxc_container *c, struct lxc
return false;
}
+ if (cgroup_ops->cgroup_layout == CGROUP_LAYOUT_UNIFIED) {
+ return unified_metrics_get(c, cgroup_ops, metrics);
+ }
+
metrics->cpu_use_nanos = metrics_get_ull(c, cgroup_ops, "cpuacct.usage");
metrics->pids_current = metrics_get_ull(c, cgroup_ops, "pids.current");
--
2.20.1


@ -1,90 +0,0 @@
From ccdbeeb8b502e06355c2e55c9f980e5142891b7c Mon Sep 17 00:00:00 2001
From: WangFengTu <wangfengtu@huawei.com>
Date: Thu, 11 Mar 2021 09:18:51 +0800
Subject: [PATCH] support isula exec --workdir
Signed-off-by: WangFengTu <wangfengtu@huawei.com>
---
src/lxc/attach.c | 4 ++--
src/lxc/tools/arguments.h | 1 +
src/lxc/tools/lxc_attach.c | 15 +++++++++++++--
3 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/src/lxc/attach.c b/src/lxc/attach.c
index c5fc561..2ed2329 100644
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -791,9 +791,9 @@ static int attach_child_main(struct attach_clone_payload *payload)
#ifdef HAVE_ISULAD
/* isulad: set workdir */
- if (init_ctx->container->lxc_conf->init_cwd) {
+ if (options->initial_cwd || init_ctx->container->lxc_conf->init_cwd) {
char *init_cwd;
- init_cwd = init_ctx->container->lxc_conf->init_cwd;
+ init_cwd = options->initial_cwd ? options->initial_cwd : init_ctx->container->lxc_conf->init_cwd;
/* try to create workdir if not exist */
struct stat st;
if (stat(init_cwd, &st) < 0 && mkdir_p(init_cwd, 0750) < 0) {
diff --git a/src/lxc/tools/arguments.h b/src/lxc/tools/arguments.h
index 41ea109..c16d99f 100644
--- a/src/lxc/tools/arguments.h
+++ b/src/lxc/tools/arguments.h
@@ -41,6 +41,7 @@ struct lxc_arguments {
/* for lxc-start */
const char *share_ns[32]; /* size must be greater than LXC_NS_MAX */
#ifdef HAVE_ISULAD
+ char *workdir;
const char *container_info; /* isulad: file used to store pid and ppid info of container */
char *terminal_fifos[3]; /* isulad add, fifos used to redirct stdin/out/err */
const char *exit_monitor_fifo; /* isulad: fifo used to monitor state of monitor process */
diff --git a/src/lxc/tools/lxc_attach.c b/src/lxc/tools/lxc_attach.c
index dbddc2a..3bfbe6a 100644
--- a/src/lxc/tools/lxc_attach.c
+++ b/src/lxc/tools/lxc_attach.c
@@ -76,6 +76,7 @@ static const struct option my_longopts[] = {
{"uid", required_argument, 0, 'u'},
{"gid", required_argument, 0, 'g'},
#else
+ {"workdir", required_argument, 0, 'w'},
{"user", required_argument, 0, 'u'},
{"in-fifo", required_argument, 0, OPT_INPUT_FIFO}, /* isulad add terminal fifos*/
{"out-fifo", required_argument, 0, OPT_OUTPUT_FIFO},
@@ -143,8 +144,9 @@ Options :\n\
"
#else
"\
- --user User ID (format: UID[:GID])\n\
- --timeout Timeout in seconds (default: 0)\n\
+ --user User ID (format: UID[:GID])\n\
+ -w, --workdir Working directory inside the container.\n\
+ --timeout Timeout in seconds (default: 0)\n\
"
#endif
,
@@ -295,6 +297,9 @@ static int my_parser(struct lxc_arguments *args, int c, char *arg)
return -1;
}
break;
+ case 'w':
+ args->workdir=arg;
+ break;
case OPT_INPUT_FIFO:
args->terminal_fifos[0] = arg;
break;
@@ -639,6 +644,12 @@ int main(int argc, char *argv[])
attach_options.open_stdin = true;
}
+#ifdef HAVE_ISULAD
+ if (my_args.workdir) {
+ attach_options.initial_cwd = my_args.workdir;
+ }
+#endif
+
/* isulad: add do attach background */
if (attach_options.attach_flags & LXC_ATTACH_TERMINAL)
wexit = do_attach_foreground(c, &command, &attach_options, &errmsg);
--
2.20.1


@ -1,32 +0,0 @@
From 540981ef79b921fea26e24456fbecc648eaf6e9e Mon Sep 17 00:00:00 2001
From: WangFengTu <wangfengtu@huawei.com>
Date: Sat, 8 May 2021 11:02:08 +0800
Subject: [PATCH] print error message if process workdir failed
Signed-off-by: WangFengTu <wangfengtu@huawei.com>
---
src/lxc/attach.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/lxc/attach.c b/src/lxc/attach.c
index 2ed2329..68f4148 100644
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -798,10 +798,14 @@ static int attach_child_main(struct attach_clone_payload *payload)
struct stat st;
if (stat(init_cwd, &st) < 0 && mkdir_p(init_cwd, 0750) < 0) {
SYSERROR("Try to create directory \"%s\" as workdir failed when attach", init_cwd);
+ lxc_write_error_message(msg_fd, "Try to create directory \"%s\" as workdir failed when attach: %s",
+ init_cwd, strerror(errno));
goto on_error;
}
if (chdir(init_cwd)) {
SYSERROR("Could not change directory to \"%s\" when attach", init_cwd);
+ lxc_write_error_message(msg_fd, "Could not change directory to \"%s\" when attach: %s",
+ init_cwd, strerror(errno));
goto on_error;
}
}
--
2.25.1


@ -1,32 +0,0 @@
From 17d87a933dd7e3744a68c61aaec21aedebce3440 Mon Sep 17 00:00:00 2001
From: haozi007 <liuhao27@huawei.com>
Date: Thu, 21 Jan 2021 11:06:31 +0800
Subject: [PATCH] log: support long syslog tag
Signed-off-by: haozi007 <liuhao27@huawei.com>
---
src/lxc/confile.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index f108b37b..e898e23b 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -6634,13 +6634,10 @@ static int set_config_console_log_driver(const char *key, const char *value,
static int set_config_console_syslog_tag(const char *key, const char *value,
struct lxc_conf *lxc_conf, void *data)
{
- char buf[16] = { 0 };
-
if (value == NULL) {
return -1;
}
- (void)strlcpy(buf, value, 16);
- return set_config_string_item(&lxc_conf->console.log_syslog_tag, buf);
+ return set_config_string_item(&lxc_conf->console.log_syslog_tag, value);
}
static int parse_facility(const char *facility)
--
2.25.1


@ -1,68 +0,0 @@
From 7e829529bfd45dfdb26f43d50c1296de3456695f Mon Sep 17 00:00:00 2001
From: Li Feng <lifeng2221dd1@zoho.com.cn>
Date: Thu, 13 May 2021 14:57:20 +0800
Subject: [PATCH] log: adjust log level from error to warn
Signed-off-by: Li Feng <lifeng2221dd1@zoho.com.cn>
---
src/lxc/attach.c | 2 +-
src/lxc/commands.c | 2 +-
src/lxc/terminal.c | 2 +-
src/lxc/tools/lxc_attach.c | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/lxc/attach.c b/src/lxc/attach.c
index 68f414875..5225e9982 100644
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -1222,7 +1222,7 @@ static int attach_signal_handler(int fd, uint32_t events, void *data,
info.si_pid = 0;
ret = waitid(P_PID, *pid, &info, WEXITED | WNOWAIT | WNOHANG);
if (ret == 0 && info.si_pid == *pid) {
- return log_error(LXC_MAINLOOP_CLOSE, "Container attach init process %d exited", *pid);
+ return log_warn(LXC_MAINLOOP_CLOSE, "Container attach init process %d exited", *pid);
}
return LXC_MAINLOOP_CONTINUE;
diff --git a/src/lxc/commands.c b/src/lxc/commands.c
index 70c56579e..b954453c0 100644
--- a/src/lxc/commands.c
+++ b/src/lxc/commands.c
@@ -1204,7 +1204,7 @@ int lxc_cmd_serve_state_clients(const char *name, const char *lxcpath,
ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL);
if (ret < 0)
- return log_error_errno(-1, errno, "Failed to serve state clients");
+ return log_warn_errno(-1, errno, "Failed to serve state clients");
return 0;
}
diff --git a/src/lxc/terminal.c b/src/lxc/terminal.c
index 1e467f5a6..5d836916e 100644
--- a/src/lxc/terminal.c
+++ b/src/lxc/terminal.c
@@ -804,7 +804,7 @@ int lxc_terminal_io_cb(int fd, uint32_t events, void *data,
terminal->pipes[0][1] = -EBADF;
return LXC_MAINLOOP_CONTINUE;
} else {
- ERROR("Handler received unexpected file descriptor");
+ WARN("Handler received unexpected file descriptor");
}
close(fd);
return LXC_MAINLOOP_CLOSE;
diff --git a/src/lxc/tools/lxc_attach.c b/src/lxc/tools/lxc_attach.c
index 3bfbe6a19..4d69e9448 100644
--- a/src/lxc/tools/lxc_attach.c
+++ b/src/lxc/tools/lxc_attach.c
@@ -428,7 +428,7 @@ static int do_attach_foreground(struct lxc_container *c, lxc_attach_command_t *c
wexit = EXIT_SIGNAL_OFFSET + signal;
}
- ERROR("Execd pid %d exit with %d", pid, wexit);
+ WARN("Execd pid %d exit with %d", pid, wexit);
out:
if (c->lxc_conf->errmsg) {
--
2.25.1


@ -1,160 +0,0 @@
From 35b321354e3c5216b3fa6aed408e985273e0575e Mon Sep 17 00:00:00 2001
From: zhangxiaoyu <zhangxiaoyu58@huawei.com>
Date: Mon, 31 May 2021 20:31:26 +0800
Subject: [PATCH 25/25] get cgroup data len first, and malloc read buff by len
Signed-off-by: zhangxiaoyu <zhangxiaoyu58@huawei.com>
---
src/lxc/lxccontainer.c | 56 ++++++++++++++++++++++++++++--------------
1 file changed, 38 insertions(+), 18 deletions(-)
diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
index 5769b251..01e6cbb6 100644
--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -5757,11 +5757,11 @@ WRAP_API_1(bool, lxcapi_set_start_timeout, unsigned int)
static uint64_t metrics_get_ull(struct lxc_container *c, struct cgroup_ops *cgroup_ops, const char *item)
{
- char buf[80] = {0};
+ char buf[81] = {0};
int len = 0;
uint64_t val = 0;
- len = cgroup_ops->get(cgroup_ops, item, buf, sizeof(buf), c->name, c->config_path);
+ len = cgroup_ops->get(cgroup_ops, item, buf, sizeof(buf) - 1, c->name, c->config_path);
if (len <= 0) {
DEBUG("unable to read cgroup item %s", item);
return 0;
@@ -5773,11 +5773,11 @@ static uint64_t metrics_get_ull(struct lxc_container *c, struct cgroup_ops *cgro
static uint64_t metrics_get_ull_with_max(struct lxc_container *c, struct cgroup_ops *cgroup_ops, const char *item)
{
- char buf[80] = {0};
+ char buf[81] = {0};
int len = 0;
uint64_t val = 0;
- len = cgroup_ops->get(cgroup_ops, item, buf, sizeof(buf), c->name, c->config_path);
+ len = cgroup_ops->get(cgroup_ops, item, buf, sizeof(buf) - 1, c->name, c->config_path);
if (len <= 0) {
DEBUG("unable to read cgroup item %s", item);
return 0;
@@ -5808,22 +5808,29 @@ static inline bool is_blk_metrics_total(const char *value)
static void metrics_get_blk_stats(struct lxc_container *c, struct cgroup_ops *cgroup_ops, const char *item, struct lxc_blkio_metrics *stats)
{
-#define BUFSIZE 4096
- char buf[BUFSIZE] = {0};
+ char *buf = NULL;
int i = 0;
int len = 0;
+ int ret = 0;
char **lines = NULL;
char **cols = NULL;
- len = cgroup_ops->get(cgroup_ops, item, buf, sizeof(buf), c->name, c->config_path);
+ len = cgroup_ops->get(cgroup_ops, item, NULL, 0, c->name, c->config_path);
if (len <= 0) {
DEBUG("unable to read cgroup item %s", item);
return;
}
+ buf = malloc(len + 1);
+ (void)memset(buf, 0, len + 1);
+ ret = cgroup_ops->get(cgroup_ops, item, buf, len, c->name, c->config_path);
+ if (ret != len) {
+ DEBUG("get cgroup item %s len %d has changed to %d", item, len, ret);
+ }
+
lines = lxc_string_split_and_trim(buf, '\n');
if (lines == NULL) {
- return;
+ goto out;
}
(void)memset(stats, 0, sizeof(struct lxc_blkio_metrics));
@@ -5833,12 +5840,14 @@ static void metrics_get_blk_stats(struct lxc_container *c, struct cgroup_ops *cg
if (cols == NULL) {
goto err_out;
}
- if (is_blk_metrics_read(cols[1])) {
- stats->read += strtoull(cols[2], NULL, 0);
- } else if (is_blk_metrics_write(cols[1])) {
- stats->write += strtoull(cols[2], NULL, 0);
+ if (lxc_array_len((void **)cols) == 3) {
+ if (is_blk_metrics_read(cols[1])) {
+ stats->read += strtoull(cols[2], NULL, 0);
+ } else if (is_blk_metrics_write(cols[1])) {
+ stats->write += strtoull(cols[2], NULL, 0);
+ }
}
- if (is_blk_metrics_total(cols[0])) {
+ if (lxc_array_len((void **)cols) == 2 && is_blk_metrics_total(cols[0])) {
stats->total = strtoull(cols[1], NULL, 0);
}
@@ -5846,29 +5855,38 @@ static void metrics_get_blk_stats(struct lxc_container *c, struct cgroup_ops *cg
}
err_out:
lxc_free_array((void **)lines, free);
+out:
+ free(buf);
return;
}
static void metrics_get_io_stats_v2(struct lxc_container *c, struct cgroup_ops *cgroup_ops, const char *item, struct lxc_blkio_metrics *stats, func_is_io_stat_read is_io_stat_read, func_is_io_stat_write is_io_stat_write)
{
-#define BUFSIZE 4096
- char buf[BUFSIZE] = {0};
+ char *buf = NULL;
int i = 0;
int j = 0;
int len = 0;
+ int ret = 0;
char **lines = NULL;
char **cols = NULL;
char **kv = NULL;
- len = cgroup_ops->get(cgroup_ops, item, buf, sizeof(buf), c->name, c->config_path);
+ len = cgroup_ops->get(cgroup_ops, item, NULL, 0, c->name, c->config_path);
if (len <= 0) {
DEBUG("unable to read cgroup item %s", item);
return;
}
+ buf = malloc(len + 1);
+ (void)memset(buf, 0, len + 1);
+ ret = cgroup_ops->get(cgroup_ops, item, buf, len, c->name, c->config_path);
+ if (ret != len) {
+ DEBUG("get cgroup item %s len %d change to %d", item, len, ret);
+ }
+
lines = lxc_string_split_and_trim(buf, '\n');
if (lines == NULL) {
- return;
+ goto out;
}
(void)memset(stats, 0, sizeof(struct lxc_blkio_metrics));
@@ -5900,6 +5918,8 @@ static void metrics_get_io_stats_v2(struct lxc_container *c, struct cgroup_ops *
err_out:
lxc_free_array((void **)lines, free);
+out:
+ free(buf);
return;
}
@@ -5915,7 +5935,7 @@ static uint64_t metrics_match_get_ull(struct lxc_container *c, struct cgroup_ops
char **cols = NULL;
size_t matchlen = 0;
- len = cgroup_ops->get(cgroup_ops, item, buf, sizeof(buf), c->name, c->config_path);
+ len = cgroup_ops->get(cgroup_ops, item, buf, sizeof(buf) - 1, c->name, c->config_path);
if (len <= 0) {
DEBUG("unable to read cgroup item %s", item);
goto err_out;
--
2.25.1


@ -1,57 +0,0 @@
From aeb038c9f17ba6a82bb881ff6e84f0ac4c980723 Mon Sep 17 00:00:00 2001
From: LiFeng <lifeng68@huawei.com>
Date: Sat, 12 Jun 2021 13:54:25 +0800
Subject: [PATCH] coredump: fix coredump when cgroup get return error
Signed-off-by: LiFeng <lifeng68@huawei.com>
---
src/lxc/lxccontainer.c | 10 ++++++----
src/lxc/string_utils.c | 4 ++++
2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
index 01e6cbb69..2d581911a 100644
--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -5824,8 +5824,9 @@ static void metrics_get_blk_stats(struct lxc_container *c, struct cgroup_ops *cg
buf = malloc(len + 1);
(void)memset(buf, 0, len + 1);
ret = cgroup_ops->get(cgroup_ops, item, buf, len, c->name, c->config_path);
- if (ret != len) {
- DEBUG("get cgroup item %s len %d has changed to %d", item, len, ret);
+ if (ret <= 0) {
+ DEBUG("unable to read cgroup item %s", item);
+ goto out;
}
lines = lxc_string_split_and_trim(buf, '\n');
@@ -5880,8 +5881,9 @@ static void metrics_get_io_stats_v2(struct lxc_container *c, struct cgroup_ops *
buf = malloc(len + 1);
(void)memset(buf, 0, len + 1);
ret = cgroup_ops->get(cgroup_ops, item, buf, len, c->name, c->config_path);
- if (ret != len) {
- DEBUG("get cgroup item %s len %d change to %d", item, len, ret);
+ if (ret <= 0) {
+ DEBUG("unable to read cgroup item %s", item);
+ goto out;
}
lines = lxc_string_split_and_trim(buf, '\n');
diff --git a/src/lxc/string_utils.c b/src/lxc/string_utils.c
index 9118add02..d3c60897c 100644
--- a/src/lxc/string_utils.c
+++ b/src/lxc/string_utils.c
@@ -473,6 +473,10 @@ char **lxc_string_split_and_trim(const char *string, char _sep)
result_count++;
}
+ if (result == NULL) {
+ return calloc(1, sizeof(char *));
+ }
+
/* if we allocated too much, reduce it */
return realloc(result, (result_count + 1) * sizeof(char *));
--
2.25.1


@ -1,70 +0,0 @@
From 3d673da7da97058f6e4a200d924dbbdcfeb63678 Mon Sep 17 00:00:00 2001
From: haozi007 <liuhao27@huawei.com>
Date: Thu, 26 Aug 2021 13:50:41 +0100
Subject: [PATCH] add help for new arguments
Signed-off-by: haozi007 <liuhao27@huawei.com>
---
src/lxc/tools/lxc_attach.c | 10 ++++++++--
src/lxc/tools/lxc_start.c | 16 ++++++++++++++--
2 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/src/lxc/tools/lxc_attach.c b/src/lxc/tools/lxc_attach.c
index 4d69e944..9931b39f 100644
--- a/src/lxc/tools/lxc_attach.c
+++ b/src/lxc/tools/lxc_attach.c
@@ -144,9 +144,15 @@ Options :\n\
"
#else
"\
- --user User ID (format: UID[:GID])\n\
-w, --workdir Working directory inside the container.\n\
- --timeout Timeout in seconds (default: 0)\n\
+ -u, --user User ID (format: UID[:GID])\n\
+ --in-fifo Stdin fifo path\n\
+ --out-fifo Stdout fifo path\n\
+ --err-fifo Stderr fifo path\n\
+ --suffi ID for mutli-attach on one container\n\
+ --timeout Timeout in seconds (default: 0)\n\
+ --disable-pty Disable pty for attach\n\
+ --open-stdin Open stdin for attach\n\
"
#endif
,
diff --git a/src/lxc/tools/lxc_start.c b/src/lxc/tools/lxc_start.c
index 4f2c8afa..3ef59610 100644
--- a/src/lxc/tools/lxc_start.c
+++ b/src/lxc/tools/lxc_start.c
@@ -62,7 +62,6 @@ static const struct option my_longopts[] = {
{"start-timeout", required_argument, 0, OPT_START_TIMEOUT},
{"disable-pty", no_argument, 0, OPT_DISABLE_PTY},
{"open-stdin", no_argument, 0, OPT_OPEN_STDIN},
- {"start-timeout", required_argument, 0, OPT_START_TIMEOUT},
#endif
LXC_COMMON_OPTIONS
};
@@ -86,7 +85,20 @@ Options :\n\
Note: --daemon implies --close-all-fds\n\
-s, --define KEY=VAL Assign VAL to configuration variable KEY\n\
--share-[net|ipc|uts|pid]=NAME Share a namespace with another container or pid\n\
-",
+"
+#ifdef HAVE_ISULAD
+"\
+ --in-fifo Stdin fifo path\n\
+ --out-fifo Stdout fifo path\n\
+ --err-fifo Stderr fifo path\n\
+ --container-pidfile File path for container pid\n\
+ --exit-fifo Fifo path to save exit code\n\
+ --start-timeout Timeout for start container\n\
+ --disable-pty Disable pty for attach\n\
+ --open-stdin Open stdin for attach\n\
+"
+#endif
+,
.options = my_longopts,
.parser = my_parser,
.checker = NULL,
--
2.20.1


@ -1,37 +0,0 @@
From aca2dde947317d4e3c1a75ec7fdebf2ae70878a2 Mon Sep 17 00:00:00 2001
From: Evgeny Vereshchagin <evvers@ya.ru>
Date: Thu, 15 Apr 2021 07:09:10 +0000
Subject: [PATCH] seccomp: init and destroy notifier.cookie
It's a follow-up to 84cf6d259b24e4ad48e
Closes https://github.com/lxc/lxc/issues/3806
Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru>
---
src/lxc/seccomp.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index 4b9d23c55..ebbba80f7 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -1867,6 +1867,7 @@ void lxc_seccomp_free(struct lxc_seccomp *seccomp)
seccomp_notify_free(seccomp->notifier.req_buf, seccomp->notifier.rsp_buf);
seccomp->notifier.req_buf = NULL;
seccomp->notifier.rsp_buf = NULL;
+ free_disarm(seccomp->notifier.cookie);
#endif
}
@@ -2076,6 +2077,7 @@ void seccomp_conf_init(struct lxc_conf *conf)
sizeof(conf->seccomp.notifier.proxy_addr));
conf->seccomp.notifier.req_buf = NULL;
conf->seccomp.notifier.rsp_buf = NULL;
+ conf->seccomp.notifier.cookie = NULL;
#endif
}
--
2.25.1


@ -1,26 +0,0 @@
From 21aba903a2e0d744eb54a7737bc11585c2be9aa3 Mon Sep 17 00:00:00 2001
From: haozi007 <liuhao27@huawei.com>
Date: Fri, 17 Sep 2021 08:18:14 +0100
Subject: [PATCH] just use origin loop if do not have io
Signed-off-by: haozi007 <liuhao27@huawei.com>
---
src/lxc/start.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lxc/start.c b/src/lxc/start.c
index e6e2170..52ea561 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -590,7 +590,7 @@ int lxc_poll(const char *name, struct lxc_handler *handler)
}
#endif
- ret = isulad_safe_mainloop(&descr, -1);
+ ret = lxc_mainloop(&descr, -1);
close_prot_errno_disarm(descr.epfd);
if (ret < 0 || !handler->init_died)
goto out_mainloop_console;
--
2.20.1


@ -1,48 +0,0 @@
From 1ce660ae03e85574b1fb8f899b78f13ab14faf46 Mon Sep 17 00:00:00 2001
From: Evgeny Vereshchagin <evvers@ya.ru>
Date: Thu, 25 Mar 2021 09:03:21 +0000
Subject: [PATCH 1/2] conf: fix a memory leak
It was triggered by passing "lxc.selinux.context.keyring=xroot" to the
fuzz target introduced in https://github.com/google/oss-fuzz/pull/5498
```
=================================================================
==22==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 6 byte(s) in 1 object(s) allocated from:
#0 0x538ca4 in __strdup /src/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:468:3
#1 0x5c40e8 in set_config_string_item /src/lxc/src/lxc/confile_utils.c:635:14
#2 0x44394e in set_config_selinux_context_keyring /src/lxc/src/lxc/confile.c:1596:9
#3 0x5af955 in parse_line /src/lxc/src/lxc/confile.c:2953:9
#4 0x4475cd in lxc_file_for_each_line_mmap /src/lxc/src/lxc/parse.c:125:9
#5 0x5af24f in lxc_config_read /src/lxc/src/lxc/confile.c:3024:9
#6 0x580b04 in LLVMFuzzerTestOneInput /src/fuzz-lxc-config-read.c:36:2
#7 0x483643 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15
#8 0x46d4a2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6
#9 0x4732ea in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:856:9
#10 0x49f022 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#11 0x7f16d09b883f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
```
This is a follow-up to https://github.com/lxc/lxc/commit/4fef78bc332a2d186dca6f
Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru>
---
src/lxc/conf.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 19e193dda..8b1d2d43d 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -5678,6 +5678,7 @@ void lxc_conf_free(struct lxc_conf *conf)
free(conf->lsm_aa_profile);
free(conf->lsm_aa_profile_computed);
free(conf->lsm_se_context);
+ free(conf->lsm_se_keyring_context);
lxc_seccomp_free(&conf->seccomp);
lxc_clear_config_caps(conf);
lxc_clear_config_keepcaps(conf);
--
2.25.1


@ -1,25 +0,0 @@
From ecb05bff284f2f5364bcfd2196e7cb5e1d4fa512 Mon Sep 17 00:00:00 2001
From: zhangxiaoyu <zhangxiaoyu58@huawei.com>
Date: Fri, 17 Sep 2021 19:45:30 +0800
Subject: [PATCH 2/2] fix lsm_se_mount_context memory leak
Signed-off-by: zhangxiaoyu <zhangxiaoyu58@huawei.com>
---
src/lxc/conf.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 8b1d2d43d..ce550e264 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -5718,6 +5718,7 @@ void lxc_conf_free(struct lxc_conf *conf)
if (conf->ocihooks) {
free_oci_runtime_spec_hooks(conf->ocihooks);
}
+ free(conf->lsm_se_mount_context);
#endif
free(conf);
}
--
2.25.1


@ -1,169 +0,0 @@
From dc08143bcaf8722492a70848124b8d48dfa099f7 Mon Sep 17 00:00:00 2001
From: gaohuatao <gaohuatao@huawei.com>
Date: Fri, 22 Oct 2021 14:43:13 +0800
Subject: [PATCH] disable lxc_keep with oci image
Signed-off-by: gaohuatao <gaohuatao@huawei.com>
---
src/lxc/confile.c | 6 ++++++
src/lxc/lxccontainer.c | 24 ++++++++++++++++++++++++
src/lxc/lxccontainer.h | 18 ++++++++++++++++++
src/lxc/start.c | 5 +++++
src/lxc/start.h | 1 +
5 files changed, 54 insertions(+)
diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index e898e23..e298ce9 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -3018,6 +3018,12 @@ bool lxc_config_define_load(struct lxc_list *defines, struct lxc_container *c)
lxc_list_for_each(it, defines) {
struct new_config_item *new_item = it->elem;
+#ifdef HAVE_ISULAD
+ if (strcmp(new_item->key, LXC_IMAGE_OCI_KEY) == 0) {
+ c->set_oci_type(c, true);
+ continue;
+ }
+#endif
bret = c->set_config_item(c, new_item->key, new_item->val);
if (!bret)
break;
diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
index 2d58191..69706a5 100644
--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -1061,6 +1061,10 @@ static bool do_lxcapi_start(struct lxc_container *c, int useinit, char * const a
if (!argv) {
argv = init_cmd = use_init_args(conf->init_argv, conf->init_argc);
}
+
+ if (c->image_type_oci) {
+ handler->image_type_oci = true;
+ }
#endif
/* ... otherwise use default_args. */
@@ -5755,6 +5759,22 @@ static bool do_lxcapi_set_start_timeout(struct lxc_container *c, unsigned int s
WRAP_API_1(bool, lxcapi_set_start_timeout, unsigned int)
+/* isulad add set image type */
+static bool do_lxcapi_set_oci_type(struct lxc_container *c, bool image_type_oci)
+{
+ if (!c || !c->lxc_conf)
+ return false;
+ if (container_mem_lock(c)) {
+ ERROR("Error getting mem lock");
+ return false;
+ }
+ c->image_type_oci = image_type_oci;
+ container_mem_unlock(c);
+ return true;
+}
+
+WRAP_API_1(bool, lxcapi_set_oci_type, bool)
+
static uint64_t metrics_get_ull(struct lxc_container *c, struct cgroup_ops *cgroup_ops, const char *item)
{
char buf[81] = {0};
@@ -6177,6 +6197,9 @@ struct lxc_container *lxc_container_new(const char *name, const char *configpath
c->daemonize = true;
c->pidfile = NULL;
+#ifdef HAVE_ISULAD
+ c->image_type_oci = false;
+#endif
/* Assign the member functions. */
c->is_defined = lxcapi_is_defined;
@@ -6249,6 +6272,7 @@ struct lxc_container *lxc_container_new(const char *name, const char *configpath
c->clean_container_resource = lxcapi_clean_container_resource;
c->get_container_pids = lxcapi_get_container_pids;
c->set_start_timeout = lxcapi_set_start_timeout;
+ c->set_oci_type = lxcapi_set_oci_type;
c->get_container_metrics = lxcapi_get_container_metrics;
#endif
return c;
diff --git a/src/lxc/lxccontainer.h b/src/lxc/lxccontainer.h
index 9abbd09..a5be3f8 100644
--- a/src/lxc/lxccontainer.h
+++ b/src/lxc/lxccontainer.h
@@ -26,6 +26,8 @@ extern "C" {
#define LXC_CREATE_MAXFLAGS (1 << 1) /*!< Number of \c LXC_CREATE* flags */
#define LXC_MOUNT_API_V1 1
+#define LXC_IMAGE_OCI_KEY "lxc.imagetype.oci"
+
struct bdev_specs;
struct lxc_snapshot;
@@ -164,6 +166,12 @@ struct lxc_container {
*/
unsigned int start_timeout;
+ /*! isulad:
+ * \private
+ * image_type_oci
+ */
+ bool image_type_oci;
+
/*!
* \brief Determine if \c /var/lib/lxc/$name/config exists.
*
@@ -1010,6 +1018,16 @@ struct lxc_container {
*/
bool (*set_start_timeout)(struct lxc_container *c, unsigned int start_timeout);
+ /*! isulad add
+ * \brief An API call to set oci type
+ *
+ * \param c Container.
+ * \param image_type_oci image oci type.
+ *
+ * \return \c true on success, else \c false.
+ */
+ bool (*set_oci_type)(struct lxc_container *c, bool image_type_oci);
+
/*! isulad add
* \brief An API call to set start timeout
*
diff --git a/src/lxc/start.c b/src/lxc/start.c
index 52ea561..c1563e0 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -694,6 +694,7 @@ struct lxc_handler *lxc_init_handler(const char *name, struct lxc_conf *conf,
#ifdef HAVE_ISULAD
handler->exit_code = -1; /* isulad: record exit code of container */
+ handler->image_type_oci = false;
#endif
if (daemonize)
@@ -2080,7 +2081,11 @@ static int lxc_spawn(struct lxc_handler *handler)
* it readonly.
* If the container is unprivileged then skip rootfs pinning.
*/
+#ifdef HAVE_ISULAD
+ if (!wants_to_map_ids && !handler->image_type_oci) {
+#else
if (!wants_to_map_ids) {
+#endif
handler->pinfd = pin_rootfs(conf->rootfs.path);
if (handler->pinfd == -EBADF)
INFO("Failed to pin the rootfs for container \"%s\"", handler->name);
diff --git a/src/lxc/start.h b/src/lxc/start.h
index ebeeb72..98de103 100644
--- a/src/lxc/start.h
+++ b/src/lxc/start.h
@@ -129,6 +129,7 @@ struct lxc_handler {
bool disable_pty;
/* Indicates whether should we keep stdin active. */
bool open_stdin;
+ bool image_type_oci;
#endif
};
--
2.20.1


@ -1,71 +0,0 @@
From 8156691b97ac48763cf42c03aa3b92cfa37f1488 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner@ubuntu.com>
Date: Tue, 4 Aug 2020 00:05:05 +0200
Subject: [PATCH] conf: ensure that the idmap pointer itself is freed
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
(cherry-picked from https://github.com/lxc/lxc/pull/3504)
Conflicts:
src/lxc/conf.c
Signed-off-by: WangFengTu <wangfengtu@huawei.com>
---
src/lxc/conf.c | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 2a6e27aa4..7464e4a15 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -5362,7 +5362,15 @@ static int lxc_free_idmap(struct lxc_list *id_map)
return 0;
}
-define_cleanup_function(struct lxc_list *, lxc_free_idmap);
+
+static int __lxc_free_idmap(struct lxc_list *id_map)
+{
+ lxc_free_idmap(id_map);
+ free(id_map);
+ return 0;
+}
+
+define_cleanup_function(struct lxc_list *, __lxc_free_idmap);
int lxc_clear_idmaps(struct lxc_conf *c)
{
@@ -5939,7 +5947,7 @@ static struct lxc_list *get_minimal_idmap(const struct lxc_conf *conf,
int userns_exec_1(const struct lxc_conf *conf, int (*fn)(void *), void *data,
const char *fn_name)
{
- call_cleaner(lxc_free_idmap) struct lxc_list *idmap = NULL;
+ call_cleaner(__lxc_free_idmap) struct lxc_list *idmap = NULL;
int ret = -1, status = -1;
char c = '1';
pid_t pid;
@@ -6015,7 +6023,7 @@ int userns_exec_minimal(const struct lxc_conf *conf,
int (*fn_parent)(void *), void *fn_parent_data,
int (*fn_child)(void *), void *fn_child_data)
{
- call_cleaner(lxc_free_idmap) struct lxc_list *idmap = NULL;
+ call_cleaner(__lxc_free_idmap) struct lxc_list *idmap = NULL;
uid_t resuid = LXC_INVALID_UID;
gid_t resgid = LXC_INVALID_GID;
char c = '1';
@@ -6306,10 +6314,8 @@ on_error:
if (pid > 0)
ret = wait_for_pid(pid);
- if (idmap) {
- lxc_free_idmap(idmap);
- free(idmap);
- }
+ if (idmap)
+ __lxc_free_idmap(idmap);
if (host_uid_map && (host_uid_map != container_root_uid))
free(host_uid_map);
--
2.25.1


@ -1,74 +0,0 @@
From 2ab5069d8a04c12a28b523323cb51055b02c815c Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner@ubuntu.com>
Date: Thu, 25 Nov 2021 15:44:32 +0800
Subject: [PATCH] cgfsng: fix cgroup attach cgroup creation
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
(cherry-picked from https://github.com/lxc/lxc/pull/3526)
Signed-off-by: WangFengTu <wangfengtu@huawei.com>
Conflicts:
src/lxc/cgroups/isulad_cgfsng.c
---
src/lxc/cgroups/cgfsng.c | 10 +++++++++-
src/lxc/cgroups/isulad_cgfsng.c | 10 +++++++++-
2 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
index 3f81f5c..28ddf55 100644
--- a/src/lxc/cgroups/cgfsng.c
+++ b/src/lxc/cgroups/cgfsng.c
@@ -2090,13 +2090,21 @@ static int cgroup_attach_leaf(const struct lxc_conf *conf, int unified_fd, pid_t
do {
bool rm = false;
- char attach_cgroup[STRLITERALLEN(".lxc-1000/cgroup.procs") + 1];
+ char attach_cgroup[STRLITERALLEN(".lxc-/cgroup.procs") + INTTYPE_TO_STRLEN(int) + 1];
char *slash;
ret = snprintf(attach_cgroup, sizeof(attach_cgroup), ".lxc-%d/cgroup.procs", idx);
if (ret < 0 || (size_t)ret >= sizeof(attach_cgroup))
return ret_errno(EIO);
+ /*
+ * This shouldn't really happen but the compiler might complain
+ * that a short write would cause a buffer overrun. So be on
+ * the safe side.
+ */
+ if (ret < STRLITERALLEN(".lxc-/cgroup.procs"))
+ return log_error_errno(-EINVAL, EINVAL, "Unexpected short write would cause buffer-overrun");
+
slash = &attach_cgroup[ret] - STRLITERALLEN("/cgroup.procs");
*slash = '\0';
diff --git a/src/lxc/cgroups/isulad_cgfsng.c b/src/lxc/cgroups/isulad_cgfsng.c
index c80527d..576b424 100644
--- a/src/lxc/cgroups/isulad_cgfsng.c
+++ b/src/lxc/cgroups/isulad_cgfsng.c
@@ -1766,13 +1766,21 @@ static int cgroup_attach_leaf(const struct lxc_conf *conf, int unified_fd, pid_t
do {
bool rm = false;
- char attach_cgroup[STRLITERALLEN(".lxc-1000/cgroup.procs") + 1];
+ char attach_cgroup[STRLITERALLEN(".lxc-/cgroup.procs") + INTTYPE_TO_STRLEN(int) + 1];
char *slash;
ret = snprintf(attach_cgroup, sizeof(attach_cgroup), ".lxc-%d/cgroup.procs", idx);
if (ret < 0 || (size_t)ret >= sizeof(attach_cgroup))
return ret_errno(EIO);
+ /*
+ * This shouldn't really happen but the compiler might complain
+ * that a short write would cause a buffer overrun. So be on
+ * the safe side.
+ */
+ if (ret < STRLITERALLEN(".lxc-/cgroup.procs"))
+ return log_error_errno(-EINVAL, EINVAL, "Unexpected short write would cause buffer-overrun");
+
slash = &attach_cgroup[ret] - STRLITERALLEN("/cgroup.procs");
*slash = '\0';
--
2.25.1


@ -1,29 +0,0 @@
From d65cefcee3dce74a970239d38dcb4e491cb38b70 Mon Sep 17 00:00:00 2001
From: haozi007 <liuhao27@huawei.com>
Date: Mon, 27 Dec 2021 09:23:44 +0000
Subject: [PATCH] adapt upstream compiler settings
Signed-off-by: haozi007 <liuhao27@huawei.com>
---
configure.ac | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/configure.ac b/configure.ac
index 9eb6dcb..d1d793b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -761,6 +761,11 @@ AX_CHECK_COMPILE_FLAG([-Wnested-externs], [CFLAGS="$CFLAGS -Wnested-externs"],,[
AX_CHECK_COMPILE_FLAG([-fasynchronous-unwind-tables], [CFLAGS="$CFLAGS -fasynchronous-unwind-tables"],,[-Werror])
AX_CHECK_COMPILE_FLAG([-pipe], [CFLAGS="$CFLAGS -pipe"],,[-Werror])
AX_CHECK_COMPILE_FLAG([-fexceptions], [CFLAGS="$CFLAGS -fexceptions"],,[-Werror])
+AX_CHECK_COMPILE_FLAG([-g], [CFLAGS="$CFLAGS -g"],,[-Werror])
+AX_CHECK_COMPILE_FLAG([-Warray-bounds], [CFLAGS="$CFLAGS -Warray-bounds"],,[-Werror])
+AX_CHECK_COMPILE_FLAG([-Wrestrict], [CFLAGS="$CFLAGS -Wrestrict"],,[-Werror])
+AX_CHECK_COMPILE_FLAG([-Wreturn-local-addr], [CFLAGS="$CFLAGS -Wreturn-local-addr"],,[-Werror])
+AX_CHECK_COMPILE_FLAG([-Wstringop-overflow], [CFLAGS="$CFLAGS -Wstringop-overflow"],,[-Werror])
AX_CHECK_LINK_FLAG([-z relro], [LDFLAGS="$LDFLAGS -z relro"],,[])
AX_CHECK_LINK_FLAG([-z now], [LDFLAGS="$LDFLAGS -z now"],,[])
--
2.20.1


@ -1,200 +0,0 @@
From 2de0b4dddb98fa70874eb96a4a9dc33c12037db4 Mon Sep 17 00:00:00 2001
From: chegJH <hejunjie10@huawei.com>
Date: Tue, 15 Feb 2022 16:13:56 +0800
Subject: [PATCH] changes for compile in android env
Signed-off-by: chegJH <hejunjie10@huawei.com>
---
configure.ac | 3 ++-
src/lxc/Makefile.am | 3 ++-
src/lxc/commands_utils.c | 8 +++++++-
src/lxc/confile.c | 6 +++---
src/lxc/json/read-file.c | 2 +-
src/lxc/log.c | 2 +-
src/lxc/lxclock.c | 1 +
src/lxc/syscall_wrappers.h | 2 +-
src/lxc/utils.c | 21 +++++++--------------
9 files changed, 25 insertions(+), 23 deletions(-)
diff --git a/configure.ac b/configure.ac
index d1d793b..7766638 100644
--- a/configure.ac
+++ b/configure.ac
@@ -771,7 +771,8 @@ AX_CHECK_LINK_FLAG([-z relro], [LDFLAGS="$LDFLAGS -z relro"],,[])
AX_CHECK_LINK_FLAG([-z now], [LDFLAGS="$LDFLAGS -z now"],,[])
AX_CHECK_LINK_FLAG([-z noexecstack], [LDFLAGS="$LDFLAGS -z noexecstack"],,[])
-CFLAGS="$CFLAGS -Wvla -std=gnu11 -D_FORTIFY_SOURCE=2 -Wall -fPIC -fPIE -pie"
+CFLAGS="$CFLAGS -Wvla -std=gnu11 -D_FORTIFY_SOURCE=2 -Wall -fPIC -fPIE"
+LDFLAGS="$LDFLAGS -pie"
if test "x$enable_werror" = "xyes"; then
CFLAGS="$CFLAGS -Werror"
fi
diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am
index dc49c7e..2686e24 100644
--- a/src/lxc/Makefile.am
+++ b/src/lxc/Makefile.am
@@ -361,7 +361,8 @@ LDADD = liblxc.la \
@OPENSSL_LIBS@ \
@SECCOMP_LIBS@ \
@SELINUX_LIBS@ \
- @DLOG_LIBS@
+ @DLOG_LIBS@ \
+ @YAJL_LIBS@
if ENABLE_TOOLS
lxc_attach_SOURCES = tools/lxc_attach.c \
diff --git a/src/lxc/commands_utils.c b/src/lxc/commands_utils.c
index 7dfefa5..54ba26e 100644
--- a/src/lxc/commands_utils.c
+++ b/src/lxc/commands_utils.c
@@ -141,9 +141,15 @@ int lxc_make_abstract_socket_name(char *path, size_t pathlen,
char *generate_named_unix_sock_dir(const char *name)
{
__do_free char *exec_sock_dir = NULL;
+ __do_free char *rundir = NULL;
- if (asprintf(&exec_sock_dir, "/var/run/lxc/%s", name) < 0)
+ rundir = get_rundir();
+ if (!rundir)
+ rundir = strdup("/var/run");
+
+ if (asprintf(&exec_sock_dir, "%s/lxc/%s", rundir, name) < 0) {
return log_error_errno(NULL, errno, "Failed to allocate memory");
+ }
return move_ptr(exec_sock_dir);
}
diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index e298ce9..cc53148 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -6239,21 +6239,21 @@ static int set_config_init_args(const char *key, const char *value,
struct lxc_conf *lxc_conf, void *data)
{
int ret = 0;
- char *tmp = NULL;
+ char **tmp = NULL;
char *new_value = NULL;
ret = set_config_string_item(&new_value, value);
if (ret || !new_value)
return ret;
- tmp = realloc(lxc_conf->init_argv, (lxc_conf->init_argc + 1) * sizeof(char *));
+ tmp = (char **)realloc(lxc_conf->init_argv, (lxc_conf->init_argc + 1) * sizeof(char *));
if (!tmp) {
ERROR("Out of memory");
free(new_value);
return -1;
}
- lxc_conf->init_argv = (char **)tmp;
+ lxc_conf->init_argv = tmp;
lxc_conf->init_argv[lxc_conf->init_argc] = new_value;
lxc_conf->init_argc++;
diff --git a/src/lxc/json/read-file.c b/src/lxc/json/read-file.c
index 70e73e5..34ebeed 100644
--- a/src/lxc/json/read-file.c
+++ b/src/lxc/json/read-file.c
@@ -76,7 +76,7 @@ char *read_file(const char *path, size_t *length)
return NULL;
}
- fd = open(rpath, O_RDONLY | O_CLOEXEC, 0640);
+ fd = open(rpath, O_RDONLY | O_CLOEXEC);
if (fd < 0) {
return NULL;
}
diff --git a/src/lxc/log.c b/src/lxc/log.c
index 79caa2c..a04f78e 100644
--- a/src/lxc/log.c
+++ b/src/lxc/log.c
@@ -71,7 +71,7 @@ static int isulad_open_fifo(const char *file_path)
#define LOG_FIFO_SIZE (1024 * 1024)
int fd;
- fd = lxc_unpriv(open(file_path, O_RDWR | O_NONBLOCK | O_CLOEXEC, 0640));
+ fd = lxc_unpriv(open(file_path, O_RDWR | O_NONBLOCK | O_CLOEXEC));
if (fd == -1) {
fprintf(stderr, "Open fifo %s failed: %s\n", file_path, strerror(errno));
return -1;
diff --git a/src/lxc/lxclock.c b/src/lxc/lxclock.c
index bb0dca0..d65c614 100644
--- a/src/lxc/lxclock.c
+++ b/src/lxc/lxclock.c
@@ -179,6 +179,7 @@ struct lxc_lock *lxc_newlock(const char *lxcpath, const char *name)
l->u.f.fd = -1;
on_error:
+ fprintf(stderr, "Failed to create lock for %s, path %s\n", name, lxcpath);
return l;
}
diff --git a/src/lxc/syscall_wrappers.h b/src/lxc/syscall_wrappers.h
index 1cef215..1c8e652 100644
--- a/src/lxc/syscall_wrappers.h
+++ b/src/lxc/syscall_wrappers.h
@@ -62,7 +62,7 @@ extern int memfd_create(const char *name, unsigned int flags);
#endif
#ifndef HAVE_PIVOT_ROOT
-static int pivot_root(const char *new_root, const char *put_old)
+static inline int pivot_root(const char *new_root, const char *put_old)
{
return syscall(__NR_pivot_root, new_root, put_old);
}
diff --git a/src/lxc/utils.c b/src/lxc/utils.c
index 95c00cf..b39b6a8 100644
--- a/src/lxc/utils.c
+++ b/src/lxc/utils.c
@@ -2081,7 +2081,10 @@ void lxc_write_error_message(int errfd, const char *format, ...)
return;
va_start(argp, format);
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wformat-nonliteral"
ret = vsnprintf(errbuf, BUFSIZ, format, argp);
+#pragma GCC diagnostic pop
va_end(argp);
if (ret < 0 || ret >= BUFSIZ)
SYSERROR("Failed to call vsnprintf");
@@ -2210,30 +2213,20 @@ out:
// isulad: set env home in container
int lxc_setup_env_home(uid_t uid)
{
-#define __PASSWD_FILE__ "/etc/passwd"
char *homedir = "/"; // default home dir is /
- FILE *stream = NULL;
struct passwd pw, *pwbufp = NULL;
char buf[BUFSIZ];
+ int ret;
- stream = fopen_cloexec(__PASSWD_FILE__, "r");
- if (stream == NULL) {
- SYSWARN("Failed to open %s", __PASSWD_FILE__);
+ ret = getpwuid_r(uid, &pw, buf, sizeof(buf), &pwbufp);
+ if ((ret == 0) && (pwbufp != NULL) && (pwbufp->pw_uid == uid)) {
+ homedir = pwbufp->pw_dir;
goto set_env;
}
- while (fgetpwent_r(stream, &pw, buf, sizeof(buf), &pwbufp) == 0 && pwbufp != NULL) {
- if (pwbufp->pw_uid == uid) {
- homedir = pwbufp->pw_dir;
- goto set_env;
- }
- }
WARN("User invalid, can not find user '%u'", uid);
set_env:
- if (stream)
- fclose(stream);
-
// if we didn't configure HOME, set it based on uid
if (setenv("HOME", homedir, 0) < 0) {
SYSERROR("Unable to set env 'HOME'");
--
2.32.0 (Apple Git-132)


@ -1,39 +0,0 @@
From 178d09524a346cab9ca1f9eb939e35945b7bfbb0 Mon Sep 17 00:00:00 2001
From: chegJH <hejunjie10@huawei.com>
Date: Mon, 21 Feb 2022 19:14:56 +0800
Subject: [PATCH] fix always print and temp len
Signed-off-by: chegJH <hejunjie10@huawei.com>
---
src/lxc/confile_utils.h | 2 +-
src/lxc/lxclock.c | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/lxc/confile_utils.h b/src/lxc/confile_utils.h
index 62990e9..3655ec4 100644
--- a/src/lxc/confile_utils.h
+++ b/src/lxc/confile_utils.h
@@ -13,7 +13,7 @@
if (str) \
len = snprintf(str, inlen, ##__VA_ARGS__); \
else \
- len = snprintf((char *){""}, 0, ##__VA_ARGS__); \
+ len = 0; \
if (len < 0) { \
SYSERROR("failed to create string"); \
return -1; \
diff --git a/src/lxc/lxclock.c b/src/lxc/lxclock.c
index d65c614..9c9b57c 100644
--- a/src/lxc/lxclock.c
+++ b/src/lxc/lxclock.c
@@ -177,6 +177,7 @@ struct lxc_lock *lxc_newlock(const char *lxcpath, const char *name)
}
l->u.f.fd = -1;
+ return l;
on_error:
fprintf(stderr, "Failed to create lock for %s, path %s\n", name, lxcpath);
--
2.32.0 (Apple Git-132)


@ -1,30 +0,0 @@
From 456d154a6e0a34ac8e4474408ea02f2e0ec6e194 Mon Sep 17 00:00:00 2001
From: haozi007 <liuhao27@huawei.com>
Date: Thu, 17 Mar 2022 02:39:46 +0000
Subject: [PATCH] just print error when new lock failed
Signed-off-by: haozi007 <liuhao27@huawei.com>
---
src/lxc/lxclock.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/lxc/lxclock.c b/src/lxc/lxclock.c
index 9c9b57c..7114fc5 100644
--- a/src/lxc/lxclock.c
+++ b/src/lxc/lxclock.c
@@ -177,10 +177,10 @@ struct lxc_lock *lxc_newlock(const char *lxcpath, const char *name)
}
l->u.f.fd = -1;
- return l;
on_error:
- fprintf(stderr, "Failed to create lock for %s, path %s\n", name, lxcpath);
+ if (l == NULL)
+ fprintf(stderr, "Failed to create lock for %s, path %s\n", name, lxcpath);
return l;
}
--
2.20.1


@ -1,98 +0,0 @@
From b235b7526f452dab2db7f9de71ea27b3dfacde1a Mon Sep 17 00:00:00 2001
From: wujing <wujing50@huawei.com>
Date: Sat, 9 Apr 2022 15:15:02 +0800
Subject: [PATCH] fix bug of memory free
Signed-off-by: wujing <wujing50@huawei.com>
---
src/lxc/conf.c | 27 ++++++++++-----------------
1 file changed, 10 insertions(+), 17 deletions(-)
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 19e193dd..4ef154e6 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -2604,70 +2604,63 @@ static int check_mount_destination(const char *rootfs, const char *dest, const c
const char **invalid = NULL;
for(valid = valid_destinations; *valid != NULL; valid++) {
- char *fullpath = NULL;
- char *relpath = NULL;
+ __do_free char *fullpath = NULL;
+ __do_free char *relpath = NULL;
const char *parts[3] = {
rootfs,
*valid,
NULL
};
fullpath = lxc_string_join("/", parts, false);
- if (!fullpath) {
+ if (fullpath == NULL) {
ERROR("Out of memory");
return -1;
}
relpath = path_relative(fullpath, dest);
- free(fullpath);
- if (!relpath)
+ if (relpath == NULL) {
+ ERROR("Failed to get relpath for %s related to %s", dest, fullpath);
return -1;
+ }
if (!strcmp(relpath, ".")) {
- free(relpath);
return 0;
}
- free(relpath);
}
for(invalid = invalid_destinations; *invalid != NULL; invalid++) {
- char *fullpath = NULL;
- char *relpath = NULL;
+ __do_free char *fullpath = NULL;
+ __do_free char *relpath = NULL;
const char *parts[3] = {
rootfs,
*invalid,
NULL
};
fullpath = lxc_string_join("/", parts, false);
- if (!fullpath) {
+ if (fullpath == NULL) {
ERROR("Out of memory");
return -1;
}
relpath = path_relative(fullpath, dest);
DEBUG("dst path %s get relative path %s with full path %s,src:%s", dest, relpath, fullpath, src);
- free(fullpath);
- if (!relpath) {
+ if (relpath == NULL) {
ERROR("Failed to get relpath for %s related to %s", dest, fullpath);
return -1;
}
// pass if the mount path is outside of invalid proc
if (strncmp(relpath, "..", 2) == 0) {
- free(relpath);
continue;
}
if (strcmp(relpath, ".") == 0) {
if (src == NULL) {
- free(relpath);
continue;
}
// pass if the mount on top of /proc and the source of the mount is a proc filesystem
if (has_fs_type(src, PROC_SUPER_MAGIC)) {
WARN("src %s is proc allow mount on-top of %s", src, *invalid);
- free(relpath);
continue;
}
ERROR("%s cannot be mounted because it is located inside %s", dest, *invalid);
- free(relpath);
return -1;
}
- free(relpath);
}
return 0;
--
2.35.1


@ -1,107 +0,0 @@
From 70e7dd0da58071557c897fbce2f48c8169633a54 Mon Sep 17 00:00:00 2001
From: wujing <wujing50@huawei.com>
Date: Fri, 15 Apr 2022 11:11:38 +0800
Subject: [PATCH] Refactor the way to convert selinux label to shared mode
Signed-off-by: wujing <wujing50@huawei.com>
---
src/lxc/lsm/selinux.c | 58 ++++++++++++++++++++++++++++++++++---------
1 file changed, 46 insertions(+), 12 deletions(-)
diff --git a/src/lxc/lsm/selinux.c b/src/lxc/lsm/selinux.c
index 79697c5..0a1e205 100644
--- a/src/lxc/lsm/selinux.c
+++ b/src/lxc/lsm/selinux.c
@@ -230,15 +230,11 @@ static int selinux_chcon(const char *fpath, const char *label, bool recurse)
{
struct stat s_buf;
- if (fpath == NULL) {
- ERROR("Empty file path");
+ if (fpath == NULL || label == NULL) {
+ ERROR("Invalid parameters!");
return -1;
}
- if (label == NULL) {
- return 0;
- }
-
if (bad_prefix(fpath) != 0) {
return -1;
}
@@ -257,6 +253,42 @@ static int selinux_chcon(const char *fpath, const char *label, bool recurse)
return 0;
}
+/*
+ * convert_context_to_share_mode: set sensitivity to s0 and remove categories
+ * user:role:type:sensitivity[:categories] => user:role:type:s0
+ *
+ * @label : label string
+ *
+ * Returns label with share mode on success, NULL on failure
+ */
+static char *convert_context_to_share_mode(const char *label) {
+ __do_free char *converted_label = strdup(label);
+ char *s = converted_label;
+ const char *shared_level = "s0";
+ int cnt = 0;
+
+ // selinux label format: user:role:type:sensitivity[:categories]
+ // locates the ":" position in front of the sensitivity
+ while (cnt++ < 3 && (s = strchr(s, ':')) != NULL) {
+ s++;
+ }
+
+ // make sure sensitivity can set s0 value
+ if (s == NULL || strlen(s) < strlen(shared_level)) {
+ ERROR("Invalid selinux file context: %s", label);
+ return NULL;
+ }
+
+ if (strcmp(s, shared_level) == 0) {
+ return move_ptr(converted_label);
+ }
+
+ *s = '\0';
+ strcat(converted_label, shared_level);
+
+ return move_ptr(converted_label);
+}
+
/*
* selinux_relabel: Relabel changes the label of path to the filelabel string.
* It changes the MCS label to s0 if shared is true.
@@ -280,20 +312,22 @@ static int selinux_relabel(const char *path, const char *label, bool shared)
return 0;
}
- tmp_file_label = strdup(label);
if (is_exclude_relabel_path(path)) {
ERROR("SELinux relabeling of %s is not allowed", path);
return -1;
}
if (shared) {
- context_t c = context_new(label);
- context_range_set(c, "s0");
- free(tmp_file_label);
- tmp_file_label = strdup(context_str(c));
- context_free(c);
+ tmp_file_label = convert_context_to_share_mode(label);
+ if (tmp_file_label == NULL) {
+ ERROR("Failed to convert context to share mode: %s", label);
+ return -1;
+ }
+ } else {
+ tmp_file_label = strdup(label);
}
+
if (selinux_chcon(path, tmp_file_label, true) != 0) {
ERROR("Failed to modify %s's selinux context: %s", path, tmp_file_label);
return -1;
--
2.35.1


@ -1,38 +0,0 @@
From 11621ec06e911395c9bb3b5ae5d8f47cfc02ce3e Mon Sep 17 00:00:00 2001
From: WangFengTu <wangfengtu@huawei.com>
Date: Thu, 21 Apr 2022 15:59:11 +0800
Subject: [PATCH] do not free the pointer returned by dirname
Signed-off-by: WangFengTu <wangfengtu@huawei.com>
---
src/lxc/conf.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 7c2619c..cd9e818 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -4258,6 +4258,7 @@ static int setup_populate_devs(const struct lxc_rootfs *rootfs, struct lxc_list
INFO("Populating devices into container");
cur_mask = umask(0000);
lxc_list_for_each(it, devs) {
+ __do_free char *tmp_path = NULL;
ret = 0;
dev_elem = it->elem;
@@ -4268,10 +4269,9 @@ static int setup_populate_devs(const struct lxc_rootfs *rootfs, struct lxc_list
}
/* create any missing directories */
- pathdirname = safe_strdup(path);
- pathdirname = dirname(pathdirname);
+ tmp_path = safe_strdup(path);
+ pathdirname = dirname(tmp_path);
ret = mkdir_p(pathdirname, 0755);
- free(pathdirname);
if (ret < 0) {
WARN("Failed to create target directory");
ret = -1;
--
2.25.1


@ -1,26 +0,0 @@
From 98d47f6ab07bbf28c6a053658628b47ef7a430ab Mon Sep 17 00:00:00 2001
From: WangFengTu <wangfengtu@huawei.com>
Date: Sat, 21 May 2022 16:21:38 +0800
Subject: [PATCH] add x permission when create directory
Signed-off-by: WangFengTu <wangfengtu@huawei.com>
---
src/lxc/commands.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lxc/commands.c b/src/lxc/commands.c
index b954453..b79fc3d 100644
--- a/src/lxc/commands.c
+++ b/src/lxc/commands.c
@@ -1703,7 +1703,7 @@ int lxc_cmd_init(const char *name, const char *lxcpath, const char *suffix)
if (runtime_sock_dir == NULL)
return -1;
- if (mkdir_p(runtime_sock_dir, 0600) < 0)
+ if (mkdir_p(runtime_sock_dir, 0700) < 0)
return log_error_errno(-1, errno, "Failed to create container runtime unix sock directory %s", path);
if (generate_named_unix_sock_path(name, suffix, path, sizeof(path)) != 0)
--
2.25.1


@ -1,128 +0,0 @@
From c080da6dda7a47de8ccb5cc3eabec6e5b2e4c649 Mon Sep 17 00:00:00 2001
From: WangFengTu <wangfengtu@huawei.com>
Date: Mon, 23 May 2022 19:00:28 +0800
Subject: [PATCH] do not operate playload and attach cgroup if no controller
Signed-off-by: WangFengTu <wangfengtu@huawei.com>
---
src/lxc/cgroups/cgroup.h | 1 +
src/lxc/cgroups/isulad_cgfsng.c | 48 ++++++++++++++++++++++++++++++++-
2 files changed, 48 insertions(+), 1 deletion(-)
diff --git a/src/lxc/cgroups/cgroup.h b/src/lxc/cgroups/cgroup.h
index a9048c4..8b18c1e 100644
--- a/src/lxc/cgroups/cgroup.h
+++ b/src/lxc/cgroups/cgroup.h
@@ -104,6 +104,7 @@ struct cgroup_ops {
#ifdef HAVE_ISULAD
int errfd;
+ bool no_controller;
#endif
/* @hierarchies
diff --git a/src/lxc/cgroups/isulad_cgfsng.c b/src/lxc/cgroups/isulad_cgfsng.c
index 576b424..8a9656a 100644
--- a/src/lxc/cgroups/isulad_cgfsng.c
+++ b/src/lxc/cgroups/isulad_cgfsng.c
@@ -677,6 +677,13 @@ __cgfsng_ops static bool isulad_cgfsng_payload_destroy(struct cgroup_ops *ops,
return false;
}
+#ifdef HAVE_ISULAD
+ if (ops->no_controller) {
+ DEBUG("no controller found, isgnore isulad_cgfsng_payload_destroy");
+ return true;
+ }
+#endif
+
if (!ops->hierarchies) {
return false;
}
@@ -934,6 +941,13 @@ __cgfsng_ops static inline bool isulad_cgfsng_payload_create(struct cgroup_ops *
int i;
char *container_cgroup = ops->container_cgroup;
+#ifdef HAVE_ISULAD
+ if (ops->no_controller) {
+ DEBUG("no controller found, isgnore isulad_cgfsng_payload_create");
+ return true;
+ }
+#endif
+
if (!container_cgroup) {
ERROR("cgfsng_create container_cgroup is invalid");
return false;
@@ -964,6 +978,13 @@ __cgfsng_ops static bool isulad_cgfsng_payload_enter(struct cgroup_ops *ops,
if (!ops)
return ret_set_errno(false, ENOENT);
+#ifdef HAVE_ISULAD
+ if (ops->no_controller) {
+ DEBUG("no controller found, isgnore isulad_cgfsng_payload_enter");
+ return true;
+ }
+#endif
+
if (!ops->hierarchies)
return true;
@@ -1121,6 +1142,13 @@ __cgfsng_ops void isulad_cgfsng_payload_finalize(struct cgroup_ops *ops)
if (!ops)
return;
+#ifdef HAVE_ISULAD
+ if (ops->no_controller) {
+ DEBUG("no controller found, isgnore isulad_cgfsng_payload_finalize");
+ return;
+ }
+#endif
+
if (!ops->hierarchies)
return;
@@ -2010,6 +2038,13 @@ __cgfsng_ops static bool isulad_cgfsng_attach(struct cgroup_ops *ops,
if (!ops)
return ret_set_errno(false, ENOENT);
+#ifdef HAVE_ISULAD
+ if (ops->no_controller) {
+ DEBUG("no controller found, isgnore isulad_cgfsng_attach");
+ return true;
+ }
+#endif
+
if (!ops->hierarchies)
return true;
@@ -2781,6 +2816,13 @@ __cgfsng_ops bool isulad_cgfsng_payload_delegate_controllers(struct cgroup_ops *
if (!ops)
return ret_set_errno(false, ENOENT);
+#ifdef HAVE_ISULAD
+ if (ops->no_controller) {
+ DEBUG("no controller found, isgnore isulad_cgfsng_payload_delegate_controllers");
+ return true;
+ }
+#endif
+
return __cgfsng_delegate_controllers(ops, ops->container_cgroup);
}
@@ -3041,8 +3083,12 @@ static int cg_unified_init(struct cgroup_ops *ops, bool relative,
delegatable = cg_unified_get_controllers(subtree_path);
if (!delegatable)
delegatable = cg_unified_make_empty_controller();
- if (!delegatable[0])
+ if (!delegatable[0]) {
TRACE("No controllers are enabled for delegation");
+#ifdef HAVE_ISULAD
+ ops->no_controller = true;
+#endif
+ }
/* TODO: If the user requested specific controllers via lxc.cgroup.use
* we should verify here. The reason I'm not doing it right is that I'm
--
2.25.1


@ -1,3 +1,4 @@
#!/bin/bash
#######################################################################
##- @Copyright (C) Huawei Technologies., Ltd. 2019. All rights reserved.
# - lcr licensed under the Mulan PSL v2.
@ -12,7 +13,6 @@
##- @Author: lifeng
##- @Create: 2019-04-25
#######################################################################
#!/bin/bash
set -ex

113
lxc.spec

@ -1,4 +1,4 @@
%global _release 2022052501
%global _release 2022072104
Name: lxc
Version: 4.0.3
@ -8,49 +8,14 @@ License: LGPLv2+ and GPLv2 and GPLv3
URL: https://github.com/lxc/lxc
Source0: https://linuxcontainers.org/downloads/lxc/lxc-4.0.3.tar.gz
Patch0001: 0001-huawei-adapt-to-huawei-4.0.3.patch
Patch0002: 0002-add-mount-label-for-rootfs.patch
Patch0003: 0003-format-code-and-verify-mount-mode.patch
Patch0004: 0004-Removes-the-definition-of-the-thread-attributes-obje.patch
Patch0005: 0005-solve-coredump-bug-caused-by-fstype-being-NULL-durin.patch
Patch0006: 0006-SIGTERM-do-not-catch-signal-SIGTERM-in-lxc-monitor.patch
Patch0007: 0007-Using-string-type-instead-of-security_context_t-beca.patch
Patch0008: 0008-hook-pass-correct-mount-dir-as-root-to-hook.patch
Patch0009: 0009-cgroup-refact-cgroup-manager-to-single-file.patch
Patch0010: 0010-cgfsng-adjust-log-level-from-error-to-warn.patch
Patch0011: 0011-rootfs-add-make-private-for-root.path-parent.patch
Patch0012: 0012-mount-make-possible-to-bind-mount-proc-and-sys-fs.patch
Patch0013: 0013-use-path-based-unix-domain-sockets-instead-of-abstra.patch
Patch0014: 0014-api-add-get-container-metrics-api.patch
Patch0015: 0015-Streaming-IO-solution-optimization-and-enhancement.patch
Patch0016: 0016-avoid-using-void-pointers-in-caclulation.patch
Patch0017: 0017-fix-compilation-errors-without-libcap.patch
Patch0018: 0018-IO-fix-io-data-miss-when-exec-with-pipes.patch
Patch0019: 0019-metrics-add-total_inactive_file-metric-for-memory.patch
Patch0020: 0020-support-cgroup-v2.patch
Patch0021: 0021-support-isula-exec-workdir.patch
Patch0022: 0022-print-error-message-if-process-workdir-failed.patch
Patch0023: 0023-log-support-long-syslog-tag.patch
Patch0024: 0024-log-adjust-log-level-from-error-to-warn.patch
Patch0025: 0025-get-cgroup-data-len-first-and-malloc-read-buff-by-le.patch
Patch0026: 0026-coredump-fix-coredump-when-cgroup-get-return-error.patch
Patch0027: 0027-add-help-for-new-arguments.patch
Patch0028: 0028-seccomp-init-and-destroy-notifier.cookie.patch
Patch0029: 0029-just-use-origin-loop-if-do-not-have-io.patch
Patch0030: 0030-conf-fix-a-memory-leak.patch
Patch0031: 0031-fix-lsm_se_mount_context-memory-leak.patch
Patch0032: 0032-disable-lxc_keep-with-oci-image.patch
Patch0033: 0033-conf-ensure-that-the-idmap-pointer-itself-is-freed.patch
Patch0034: 0034-cgfsng-fix-cgroup-attach-cgroup-creation.patch
Patch0035: 0035-adapt-upstream-compiler-settings.patch
Patch0036: 0036-compile-in-android-env.patch
Patch0037: 0037-fix-always-print-and-temp-len.patch
Patch0038: 0038-just-print-error-when-new-lock-failed.patch
Patch0039: 0039-fix-bug-of-memory-free.patch
Patch0040: 0040-refactor-the-way-to-convert-selinux-label-to-shared.path
Patch0041: 0041-do-not-free-the-pointer-returned-by-dirname.patch
Patch0042: 0042-add-x-permission-when-create-directory.patch
Patch0043: 0043-do-not-operate-playload-and-attach-cgroup-if-no-cont.patch
Patch0001: 0001-refactor-patch-code-of-utils-commands-and-so-on.patch
Patch0002: 0002-refactor-patch-code-of-isulad-for-conf-exec-attach.patch
Patch0003: 0003-refactor-patch-code-of-isulad-for-selinux-attach.patch
Patch0004: 0004-refactor-patch-code-of-lxccontianer-and-so-on.patch
Patch0005: 0005-refactor-patch-code-of-attach-and-seccomp.patch
Patch0006: 0006-refactor-patch-about-namespace-log-terminal.patch
Patch0007: 0007-refactor-patches-on-terminal.c-start.c-and-so-on.patch
Patch0008: 0008-refactor-patch-code-of-json.patch
BuildRequires: systemd-units git libtool graphviz docbook2X doxygen chrpath
BuildRequires: pkgconfig(libseccomp)
@ -222,6 +187,66 @@ make check
%{_mandir}/*/man7/%{name}*
%changelog
* Thu Jul 21 2022 zhangxiaoyu<zhangxiaoyu58@huawei.com> - 4.0.3-2022072104
- Type:bugfix
- ID:NA
- SUG:NA
- DESC: add header to fix compile error with have isulad
* Thu Jul 21 2022 zhangxiaoyu<zhangxiaoyu58@huawei.com> - 4.0.3-2022072103
- Type:bugfix
- ID:NA
- SUG:NA
- DESC: fix compile error
* Thu Jul 21 2022 chengzeruizhi<chengzeruizhi@huawei.com> - 4.0.3-2022072102
- Type:bugfix
- ID:NA
- SUG:NA
- DESC: refactor patch code of json
* Thu Jul 21 2022 chengzeruizhi<chengzeruizhi@huawei.com> - 4.0.3-2022072101
- Type:bugfix
- ID:NA
- SUG:NA
- DESC: refactor patches on terminal.c, start.c and others
* Tue Jul 19 2022 wangrunze<wangrunze13@huawei.com> - 4.0.3-2022071904
- Type:bugfix
- ID:NA
- SUG:NA
- DESC: refactor namespace terminal log
* Tue Jul 19 2022 zhangxiaoyu<zhangxiaoyu58@huawei.com> - 4.0.3-2022071903
- Type:bugfix
- ID:NA
- SUG:NA
- DESC: refactor patch code of attach and seccomp
* Tue Jul 19 2022 wangfengtu<wangfengtu@huawei.com> - 4.0.3-2022071902
- Type:bugfix
- ID:NA
- SUG:NA
- DESC: refactor patch code of lxccontainer and so on
* Thu Jul 19 2022 haozi007<liuhao27@huawei.com> - 4.0.3-2022071901
- Type:bugfix
- ID:NA
- SUG:NA
- DESC: refactor patch code of isulad for selinux/attach
* Mon Jul 18 2022 haozi007<liuhao27@huawei.com> - 4.0.3-2022071801
- Type:bugfix
- ID:NA
- SUG:NA
- DESC: refactor patch code of isulad for conf/exec/attach and so on
* Fri Jul 15 2022 zhangxiaoyu<zhangxiaoyu58@huawei.com> - 4.0.3-2022071501
- Type:bugfix
- ID:NA
- SUG:NA
- DESC: refactor patch code of utils commands and so on
* Wed May 25 2022 hejunjie<hejunjie10@huawei.com> - 4.0.3-2022052501
- Type:bugfix
- ID:NA


@ -1,43 +1,9 @@
0001-huawei-adapt-to-huawei-4.0.3.patch
0002-add-mount-label-for-rootfs.patch
0003-format-code-and-verify-mount-mode.patch
0004-Removes-the-definition-of-the-thread-attributes-obje.patch
0005-solve-coredump-bug-caused-by-fstype-being-NULL-durin.patch
0006-SIGTERM-do-not-catch-signal-SIGTERM-in-lxc-monitor.patch
0007-Using-string-type-instead-of-security_context_t-beca.patch
0008-hook-pass-correct-mount-dir-as-root-to-hook.patch
0009-cgroup-refact-cgroup-manager-to-single-file.patch
0010-cgfsng-adjust-log-level-from-error-to-warn.patch
0011-rootfs-add-make-private-for-root.path-parent.patch
0012-mount-make-possible-to-bind-mount-proc-and-sys-fs.patch
0013-use-path-based-unix-domain-sockets-instead-of-abstra.patch
0014-api-add-get-container-metrics-api.patch
0015-Streaming-IO-solution-optimization-and-enhancement.patch
0016-avoid-using-void-pointers-in-caclulation.patch
0017-fix-compilation-errors-without-libcap.patch
0018-IO-fix-io-data-miss-when-exec-with-pipes.patch
0019-metrics-add-total_inactive_file-metric-for-memory.patch
0020-support-cgroup-v2.patch
0021-support-isula-exec-workdir.patch
0022-print-error-message-if-process-workdir-failed.patch
0023-log-support-long-syslog-tag.patch
0024-log-adjust-log-level-from-error-to-warn.patch
0025-get-cgroup-data-len-first-and-malloc-read-buff-by-le.patch
0026-coredump-fix-coredump-when-cgroup-get-return-error.patch
0027-add-help-for-new-arguments.patch
0028-seccomp-init-and-destroy-notifier.cookie.patch
0029-just-use-origin-loop-if-do-not-have-io.patch
0030-conf-fix-a-memory-leak.patch
0031-fix-lsm_se_mount_context-memory-leak.patch
0032-disable-lxc_keep-with-oci-image.patch
0033-conf-ensure-that-the-idmap-pointer-itself-is-freed.patch
0034-cgfsng-fix-cgroup-attach-cgroup-creation.patch
0035-adapt-upstream-compiler-settings.patch
0036-compile-in-android-env.patch
0037-fix-always-print-and-temp-len.patch
0038-just-print-error-when-new-lock-failed.patch
0039-fix-bug-of-memory-free.patch
0040-refactor-the-way-to-convert-selinux-label-to-shared.path
0041-do-not-free-the-pointer-returned-by-dirname.patch
0042-add-x-permission-when-create-directory.patch
0043-do-not-operate-playload-and-attach-cgroup-if-no-cont.patch
0001-refactor-patch-code-of-utils-commands-and-so-on.patch
0002-refactor-patch-code-of-isulad-for-conf-exec-attach.patch
0003-refactor-patch-code-of-isulad-for-selinux-attach.patch
0004-refactor-patch-code-of-lxccontianer-and-so-on.patch
0005-refactor-patch-code-of-attach-and-seccomp.patch
0006-refactor-patch-about-namespace-log-terminal.patch
0007-refactor-patches-on-terminal.c-start.c-and-so-on.patch
0008-refactor-patch-code-of-json.patch