!120 runc:make runc spec compatible 1.0.0.rc3

From: @zhong-jiawei-1 Reviewed-by: @zhangsong234, @duguhaotian Signed-off-by: @duguhaotian
2023-02-09 09:18:39 +00:00 · 2023-02-09 09:18:39 +00:00 · 2548e734e7
commit 2548e734e7
parent 43e5b17e75 31b4d61040
4 changed files with 224 additions and 2 deletions
--- a/2
+++ b/2
@ -1 +1 @@
-34166983fc5395fe07a5ff625c4f884e8efb98c8
+b17d05d6bfb1f6d087f5585e5236ffc04173af69
--- a/patch/0032-runc-make-runc-spec-compatible-1.0.0.rc3.patch
+++ b/patch/0032-runc-make-runc-spec-compatible-1.0.0.rc3.patch
@ -0,0 +1,215 @@
+From 437b5cda354b8e2572eb24377774396117b513d0 Mon Sep 17 00:00:00 2001
+From: zhongjiawei <zhongjiawei1@huawei.com>
+Date: Thu, 9 Feb 2023 16:41:35 +0800
+Subject: [PATCH] runc:make runc spec compatible 1.0.0.rc3
+
+1.adapt DisableOOMKiller, OOMScoreAdj position adjustment.
+2.adapt to BlackIO json parsing field change modification.
+---
+ spec.go | 181 +++++++++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 180 insertions(+), 1 deletion(-)
+
+diff --git a/spec.go b/spec.go
+index 806d2f1..7170648 100644
+--- a/spec.go
+++ b/spec.go
+@@ -112,8 +112,95 @@ created by an unprivileged user.
+ 	},
+ }
+ 
+type compatSpec struct {
+	specs.Spec
+	Linux *linux `json:"linux,omitempty" platform:"linux"`
+}
+
+type linux struct {
+	specs.Linux
+	Resources *linuxResources `json:"resources,omitempty"`
+}
+
+type linuxResources struct {
+	specs.LinuxResources
+	// DisableOOMKiller disables the OOM killer for out of memory conditions
+	DisableOOMKiller *bool `json:"disableOOMKiller,omitempty"`
+	// Specify an oom_score_adj for the container.
+	OOMScoreAdj *int `json:"oomScoreAdj,omitempty"`
+	// BlockIO restriction configuration
+	BlockIO *LinuxBlockIO `json:"blockIO,omitempty"`
+}
+
+// LinuxBlockIO for Linux cgroup 'blkio' resource management
+type LinuxBlockIO struct {
+	// Specifies per cgroup weight, range is from 10 to 1000
+	Weight *uint16 `json:"blkioWeight,omitempty"`
+	// Specifies tasks' weight in the given cgroup while competing with the cgroup's child cgroups, range is from 10 to 1000, CFQ scheduler only
+	LeafWeight *uint16 `json:"blkioLeafWeight,omitempty"`
+	// Weight per cgroup per device, can override BlkioWeight
+	WeightDevice []LinuxWeightDevice `json:"blkioWeightDevice,omitempty"`
+	// IO read rate limit per cgroup per device, bytes per second
+	ThrottleReadBpsDevice []LinuxThrottleDevice `json:"blkioThrottleReadBpsDevice,omitempty"`
+	// IO write rate limit per cgroup per device, bytes per second
+	ThrottleWriteBpsDevice []LinuxThrottleDevice `json:"blkioThrottleWriteBpsDevice,omitempty"`
+	// IO read rate limit per cgroup per device, IO per second
+	ThrottleReadIOPSDevice []LinuxThrottleDevice `json:"blkioThrottleReadIOPSDevice,omitempty"`
+	// IO write rate limit per cgroup per device, IO per second
+	ThrottleWriteIOPSDevice []LinuxThrottleDevice `json:"blkioThrottleWriteIOPSDevice,omitempty"`
+}
+
+// linuxBlockIODevice holds major:minor format supported in blkio cgroup
+type linuxBlockIODevice struct {
+	// Major is the device's major number.
+	Major int64 `json:"major"`
+	// Minor is the device's minor number.
+	Minor int64 `json:"minor"`
+}
+
+// LinuxWeightDevice struct holds a `major:minor weight` pair for blkioWeightDevice
+type LinuxWeightDevice struct {
+	linuxBlockIODevice
+	// Weight is the bandwidth rate for the device, range is from 10 to 1000
+	Weight *uint16 `json:"weight,omitempty"`
+	// LeafWeight is the bandwidth rate for the device while competing with the cgroup's child cgroups, range is from 10 to 1000, CFQ scheduler only
+	LeafWeight *uint16 `json:"leafWeight,omitempty"`
+}
+
+// LinuxThrottleDevice struct holds a `major:minor rate_per_second` pair
+type LinuxThrottleDevice struct {
+	linuxBlockIODevice
+	// Rate is the IO rate limit per cgroup per device
+	Rate uint64 `json:"rate"`
+}
+
+func versionRc6Plus(ver string) bool {
+	if len(ver) < 5 { // version should be a.b.c[-rcn][x]
+		return false
+	}
+
+	// docker-18.09		1.0.1
+	if ver[:5] < "1.0.1" {
+		return true
+	}
+
+	// < 1.0.0-rc6: include 1.0.0-rc5xxx
+	return false
+}
+
+ // loadSpec loads the specification from the provided path.
+ func loadSpec(cPath string) (spec *specs.Spec, err error) {
+	spec, err = loadOriginSpec(cPath)
+	if err != nil || versionRc6Plus(spec.Version) {
+		return loadCompactSpec(cPath)
+	}
+
+	return spec, validateProcessSpec(spec.Process)
+
+}
+
+// loadSpec loads the specification from the provided path.
+func loadOriginSpec(cPath string) (spec *specs.Spec, err error) {
+ 	cf, err := os.Open(cPath)
+ 	if err != nil {
+ 		if os.IsNotExist(err) {
+@@ -126,7 +213,99 @@ func loadSpec(cPath string) (spec *specs.Spec, err error) {
+ 	if err = json.NewDecoder(cf).Decode(&spec); err != nil {
+ 		return nil, err
+ 	}
+-	return spec, validateProcessSpec(spec.Process)
+	return spec, nil
+}
+
+func loadCompactSpec(cPath string) (*specs.Spec, error) {
+	var compatSpec compatSpec
+	cf, err := os.Open(cPath)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil, fmt.Errorf("JSON specification file %s not found", cPath)
+		}
+		return nil, err
+	}
+	defer cf.Close()
+
+	if err = json.NewDecoder(cf).Decode(&compatSpec); err != nil {
+		return nil, fmt.Errorf("config.json %q error :%v", cPath, err)
+	}
+
+	var spec *specs.Spec
+	if spec, err = updateCompactSpec(&compatSpec); err != nil {
+		return nil, err
+	}
+
+	return spec, nil
+}
+
+func updateCompactSpec(compatSpec *compatSpec) (*specs.Spec, error) {
+	compatjson, _ := json.Marshal(compatSpec)
+	var spec specs.Spec
+	err := json.Unmarshal(compatjson, &spec)
+	if err != nil {
+		return nil, fmt.Errorf("update config failed %v", err)
+	}
+
+	if compatSpec != nil && compatSpec.Linux != nil &&
+		compatSpec.Linux.Resources != nil &&
+		compatSpec.Linux.Resources.DisableOOMKiller != nil {
+		if spec.Linux.Resources.Memory == nil {
+			memory := &specs.LinuxMemory{
+				DisableOOMKiller: compatSpec.Linux.Resources.DisableOOMKiller,
+			}
+			spec.Linux.Resources.Memory = memory
+		} else {
+			spec.Linux.Resources.Memory.DisableOOMKiller = compatSpec.Linux.Resources.DisableOOMKiller
+		}
+	}
+
+	if compatSpec != nil && compatSpec.Linux != nil &&
+		compatSpec.Linux.Resources != nil &&
+		compatSpec.Linux.Resources.OOMScoreAdj != nil {
+		if spec.Process == nil {
+			process := &specs.Process{
+				OOMScoreAdj: compatSpec.Linux.Resources.OOMScoreAdj,
+			}
+			spec.Process = process
+		} else {
+			spec.Process.OOMScoreAdj = compatSpec.Linux.Resources.OOMScoreAdj
+		}
+	}
+
+	if compatSpec.Linux.Resources.BlockIO != nil {
+		spec.Linux.Resources.BlockIO.Weight = compatSpec.Linux.Resources.BlockIO.Weight
+		spec.Linux.Resources.BlockIO.LeafWeight = compatSpec.Linux.Resources.BlockIO.LeafWeight
+		if compatSpec.Linux.Resources.BlockIO.WeightDevice != nil {
+			for _, wd := range compatSpec.Linux.Resources.BlockIO.WeightDevice {
+				wdSpec := specs.LinuxWeightDevice{
+					Weight:     wd.Weight,
+					LeafWeight: wd.LeafWeight,
+				}
+				wdSpec.Major = wd.Major
+				wdSpec.Minor = wd.Minor
+				spec.Linux.Resources.BlockIO.WeightDevice = append(spec.Linux.Resources.BlockIO.WeightDevice, wdSpec)
+			}
+		}
+		procLinuxThrottleDevice := func(src []LinuxThrottleDevice, dest *[]specs.LinuxThrottleDevice) {
+			if src != nil {
+				for _, ltd := range src {
+					ltdSpec := specs.LinuxThrottleDevice{
+						Rate: ltd.Rate,
+					}
+					ltdSpec.Major = ltd.Major
+					ltdSpec.Minor = ltd.Minor
+					*dest = append(*dest, ltdSpec)
+				}
+			}
+		}
+		procLinuxThrottleDevice(compatSpec.Linux.Resources.BlockIO.ThrottleReadBpsDevice, &spec.Linux.Resources.BlockIO.ThrottleReadBpsDevice)
+		procLinuxThrottleDevice(compatSpec.Linux.Resources.BlockIO.ThrottleWriteBpsDevice, &spec.Linux.Resources.BlockIO.ThrottleWriteBpsDevice)
+		procLinuxThrottleDevice(compatSpec.Linux.Resources.BlockIO.ThrottleReadIOPSDevice, &spec.Linux.Resources.BlockIO.ThrottleReadIOPSDevice)
+		procLinuxThrottleDevice(compatSpec.Linux.Resources.BlockIO.ThrottleWriteIOPSDevice, &spec.Linux.Resources.BlockIO.ThrottleWriteIOPSDevice)
+	}
+
+	return &spec, nil
+ }
+ 
+ func createLibContainerRlimit(rlimit specs.POSIXRlimit) (configs.Rlimit, error) {
+-- 
+2.33.0
+
--- a/runc.spec
+++ b/runc.spec
@ -3,7 +3,7 @@

 Name: docker-runc
 Version: 1.1.3
-Release: 10
+Release: 11
 Summary: runc is a CLI tool for spawning and running containers according to the OCI specification.

 License: ASL 2.0
@ -54,6 +54,12 @@ install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc
 %{_bindir}/runc

 %changelog
+* Thu Feb 9 2023 zhongjiawei<zhongjiawei1@huawei.com> - 1.1.3-11
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:make runc spec compatible 1.0.0.rc3
+
 * Tue Jan 17 2023 zhongjiawei<zhongjiawei1@huawei.com> - 1.1.3-10
 - Type:bugfix
 - CVE:NA
--- a/series.conf
+++ b/series.conf
@ -29,3 +29,4 @@ patch/0028-runc-cgroup-apply-method-modify.patch
 patch/0029-runc-runc-log-forward-to-syslog.patch
 patch/0030-runc-support-specify-umask.patch
 patch/0031-runc-modify-linuxcontainer-starttime-uint64-type-tob.patch
+patch/0032-runc-make-runc-spec-compatible-1.0.0.rc3.patch