!160 runc:modify patch for 1.1.8

From: @zhong-jiawei-1 Reviewed-by: @zhangsong234, @duguhaotian Signed-off-by: @duguhaotian
2023-07-28 02:38:35 +00:00 · 2023-07-28 02:38:35 +00:00 · 3b4936397d
commit 3b4936397d
parent d0142852e9 e6be706e79
48 changed files with 347 additions and 229831 deletions
--- a/16
+++ b/16
@ -14,14 +14,14 @@ if [ ! -d patch ];then
    tar -xzf patch.tar.gz
 fi
-# series=$cwd/series.conf
+series=$cwd/series.conf
-# while IPF= read -r line
+while IPF= read -r line
-# do
+do
-#     if [[ "$line" =~ ^patch* ]]; then
+    if [[ "$line" =~ ^patch* ]]; then
-#         echo patch -p1 $cwd/$line
+        echo patch -p1 $cwd/$line
-# 	cd $src && patch -p1 < $cwd/$line
+ 	cd $src && patch -p1 < $cwd/$line
-#     fi
+    fi
-# done <"$series"
+done <"$series"
 cd $cwd
 cp -rf $src/* .
--- a/2
+++ b/2
@ -1 +1 @@
-402545a2eb494c01126d61f5d478922b32e7e022
+90276301321bbf6ef9a2ea85b06d3e2cf0ccb7bd
--- a/patch/0001-runc-Add-spec-for-euleros.patch
+++ b/patch/0001-runc-Add-spec-for-euleros.patch
@ -1,69 +0,0 @@
 From ee228fa3991d1d0008416df61b4bae645adf8e1a Mon Sep 17 00:00:00 2001
 From: zhongjiawei <zhongjiawei1@huawei.com>
 Date: Thu, 5 Jan 2023 16:13:12 +0800
 Subject: [PATCH] runc: Add spec for euleros
 ---
 script/runc-euleros.spec | 50 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)
 create mode 100644 script/runc-euleros.spec
 diff --git a/script/runc-euleros.spec b/script/runc-euleros.spec
 new file mode 100644
 index 0000000..db4e868
 --- /dev/null
 +++ b/script/runc-euleros.spec
@@ -0,0 +1,50 @@
 +%global _bindir /usr/local/bin
 +
 +Name: docker-runc
 +Version: 1.0.0.rc3
 +Release: 1%{?dist}
 +Summary: runc is a CLI tool for spawning and running containers according to the OCF specification
 +
 +License: ASL 2.0
 +Source: %{name}.tar.gz
 +
 +URL: https://www.opencontainers.org/
 +Vendor: OCI
 +Packager: OCI 
 +
 +BuildRequires: golang == 1.8.3
 +BuildRequires: glibc-static
 +BuildRequires: make
 +BuildRequires: libseccomp-devel 
 +BuildRequires: libselinux-devel
 +
 +BuildRequires: libseccomp-static
 +
 +%description
 +runc is a CLI tool for spawning and running containers according to the OCF specification
 +
 +%prep
 +%setup -c -n runc
 +
 +%install
 +
 +
 +mkdir -p .gopath/src/github.com/opencontainers
 +export GOPATH=`pwd`/.gopath
 +ln -sf `pwd` .gopath/src/github.com/opencontainers/runc
 +cd .gopath/src/github.com/opencontainers/runc
 +make BUILDTAGS="seccomp selinux" static 
 +rm -rf .gopath
 +
 +install -d $RPM_BUILD_ROOT/%{_bindir}
 +install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc
 +
 +
 +%clean
 +%{__rm} -rf %{_bindir}/runc
 +
 +%files
 +%{_bindir}/runc
 +
 +%changelog
 +
 -- 
 2.30.0
--- a/patch/0003-runc-add-timeout-for-syscall.Openat.patch
+++ b/patch/0003-runc-add-timeout-for-syscall.Openat.patch
@ -1,14 +1,14 @@
-From 1c953cdee5aa6c677bef7c7042dbec6fc9ddf172 Mon Sep 17 00:00:00 2001
+From 37103dc157e2946d688e8076b5b500ac11403863 Mon Sep 17 00:00:00 2001
 From: zhongjiawei <zhongjiawei1@huawei.com>
-Date: Thu, 5 Jan 2023 16:18:37 +0800
+Date: Mon, 24 Jul 2023 15:30:32 +0800
-Subject: [PATCH] runc:add timeout for syscall.Openat
+Subject: [PATCH] runc:add timeout for syscall.Exec
 ---
 libcontainer/standard_init_linux.go | 29 ++++++++++++++++++++++-------
 1 file changed, 22 insertions(+), 7 deletions(-)
 diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
-index 585a04f..ab553ef 100644
+index c09a7be..eaa73ba 100644
 --- a/libcontainer/standard_init_linux.go
 +++ b/libcontainer/standard_init_linux.go
@@ -6,6 +6,7 @@ import (
@ -19,7 +19,7 @@ index 585a04f..ab553ef 100644
 	"github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/selinux/go-selinux"
-@@ -227,14 +228,28 @@ func (l *linuxStandardInit) Init() error {
+@@ -235,14 +236,28 @@ func (l *linuxStandardInit) Init() error {
 	// was given to us was an O_PATH fd to the fifo itself. Linux allows us to
 	// re-open an O_PATH fd through /proc.
 	fifoPath := "/proc/self/fd/" + strconv.Itoa(l.fifoFd)
@ -56,5 +56,5 @@ index 585a04f..ab553ef 100644
 	// dumpable in the wrong order. This has been fixed in newer kernels, but
 	// we keep this to ensure CVE-2016-9962 doesn't re-emerge on older kernels.
 -- 
-2.30.0
+2.33.0
--- a/patch/0002-runc-fix-unittest-and-integration-test-error-caused.patch
+++ b/patch/0002-runc-fix-unittest-and-integration-test-error-caused.patch
@ -1,63 +0,0 @@
 From 992170fc8663968692d76db0710ca3fa64de5917 Mon Sep 17 00:00:00 2001
 From: zhongjiawei <zhongjiawei1@huawei.com>
 Date: Thu, 5 Jan 2023 16:16:57 +0800
 Subject: [PATCH] runc:fix unittest and integration test error caused
 ---
 libcontainer/integration/execin_test.go | 8 +-------
 tests/integration/exec.bats             | 4 ++--
 2 files changed, 3 insertions(+), 9 deletions(-)
 diff --git a/libcontainer/integration/execin_test.go b/libcontainer/integration/execin_test.go
 index f8a6a9c..9669eca 100644
 --- a/libcontainer/integration/execin_test.go
 +++ b/libcontainer/integration/execin_test.go
@@ -62,9 +62,6 @@ func TestExecIn(t *testing.T) {
 	if !strings.Contains(out, "cat") || !strings.Contains(out, "ps") {
 		t.Fatalf("unexpected running process, output %q", out)
 	}
 -	if strings.Contains(out, "\r") {
 -		t.Fatalf("unexpected carriage-return in output %q", out)
 -	}
 }
 func TestExecInUsernsRlimit(t *testing.T) {
@@ -318,12 +315,9 @@ func TestExecInTTY(t *testing.T) {
 		_ = child.Close()
 		out := stdout.String()
 -		if !strings.Contains(out, "cat") || !strings.Contains(out, "ps") {
 +		if !strings.Contains(out, "cat") || !strings.Contains(string(out), "ps") {
 			t.Fatalf("unexpected running process, output %q", out)
 		}
 -		if strings.Contains(out, "\r") {
 -			t.Fatalf("unexpected carriage-return in output %q", out)
 -		}
 	}
 }
 diff --git a/tests/integration/exec.bats b/tests/integration/exec.bats
 index 140cd18..cd01f00 100644
 --- a/tests/integration/exec.bats
 +++ b/tests/integration/exec.bats
@@ -101,7 +101,7 @@ function teardown() {
 	runc exec --cwd /bin test_busybox pwd
 	[ "$status" -eq 0 ]
 -	[[ ${output} == "/bin"* ]]
 +	[[ $(echo "${output}" | tr -d '\r') == "/bin" ]]
 }
 @test "runc exec --env" {
@@ -126,7 +126,7 @@ function teardown() {
 	runc exec --user 1000:1000 test_busybox id
 	[ "$status" -eq 0 ]
 -	[[ "${output}" == "uid=1000 gid=1000"* ]]
 +	[[ $(echo "${output}" | tr -d '\r') == "uid=1000 gid=1000" ]
 }
 @test "runc exec --additional-gids" {
 -- 
 2.30.0
--- a/patch/0002-runc-update-state-eariler-to-avoid-cgroup-leak-when-.patch
+++ b/patch/0002-runc-update-state-eariler-to-avoid-cgroup-leak-when-.patch
@ -1,6 +1,6 @@
-From 88f50537a85aed278be136cd0b3d4664e8c71b5d Mon Sep 17 00:00:00 2001
+From 4af918d51e8cca1da7780b1fe7419f22077fb9fe Mon Sep 17 00:00:00 2001
 From: zhongjiawei <zhongjiawei1@huawei.com>
-Date: Thu, 5 Jan 2023 16:19:48 +0800
+Date: Mon, 24 Jul 2023 15:55:56 +0800
 Subject: [PATCH] runc: update state eariler to avoid cgroup leak when process
 failed
@ -20,7 +20,8 @@ This patch perform state updating right after cgroup applying. so
 `runc delete` will do the cleaning job
 Change-Id: I7b247f501986e712a86da3958d1be573af4e84a6
-Signed-off-by: Deng Guangxing <dengguangxing@huawei.com
+Signed-off-by: Deng Guangxing <dengguangxing@huawei.com>
 ---
 libcontainer/process_linux.go | 5 +++++
 1 file changed, 5 insertions(+)
@ -42,5 +43,5 @@ index 446649a..29408d7 100644
 		if err := p.intelRdtManager.Apply(p.pid()); err != nil {
 			return fmt.Errorf("unable to apply Intel RDT configuration: %w", err)
 -- 
-2.30.0
+2.33.0
--- a/patch/0003-runc-print-cgroup-info-if-cpuset-missing-occurs.patch
+++ b/patch/0003-runc-print-cgroup-info-if-cpuset-missing-occurs.patch
@ -1,17 +1,33 @@
-From f2a2674f9883e6eb588ce9235161019d31bcedc6 Mon Sep 17 00:00:00 2001
+From 6cb95facf78e07863b671adf6f3073101babe896 Mon Sep 17 00:00:00 2001
 From: zhongjiawei <zhongjiawei1@huawei.com>
-Date: Thu, 5 Jan 2023 16:21:10 +0800
+Date: Mon, 24 Jul 2023 16:12:50 +0800
 Subject: [PATCH] runc: print cgroup info if cpuset missing occurs
 ---
- libcontainer/cgroups/fs/cpuset.go | 20 ++++++++++++++++++++
+ libcontainer/cgroups/fs/cpuset.go | 22 ++++++++++++++++++++++
- 1 file changed, 20 insertions(+)
+ 1 file changed, 22 insertions(+)
 diff --git a/libcontainer/cgroups/fs/cpuset.go b/libcontainer/cgroups/fs/cpuset.go
-index 550baa4..341d5dc 100644
+index 550baa4..c05a6f6 100644
 --- a/libcontainer/cgroups/fs/cpuset.go
 +++ b/libcontainer/cgroups/fs/cpuset.go
-@@ -172,6 +172,26 @@ func (s *CpusetGroup) ApplyDir(dir string, r *configs.Resources, pid int) error
+@@ -2,6 +2,7 @@ package fs
 import (
 	"errors"
 +	"io/ioutil"
 	"os"
 	"path/filepath"
 	"strconv"
@@ -12,6 +13,7 @@ import (
 	"github.com/opencontainers/runc/libcontainer/cgroups"
 	"github.com/opencontainers/runc/libcontainer/cgroups/fscommon"
 	"github.com/opencontainers/runc/libcontainer/configs"
 +	"github.com/sirupsen/logrus"
 )
 type CpusetGroup struct{}
@@ -172,6 +174,26 @@ func (s *CpusetGroup) ApplyDir(dir string, r *configs.Resources, pid int) error
 }
 func getCpusetSubsystemSettings(parent string) (cpus, mems string, err error) {
@ -39,5 +55,5 @@ index 550baa4..341d5dc 100644
 		return
 	}
 -- 
-2.30.0
+2.33.0
--- a/patch/0004-runc-add-more-specific-log-for-hooks.patch
+++ b/patch/0004-runc-add-more-specific-log-for-hooks.patch
@ -1,6 +1,6 @@
-From 7cc7be6f85400953208981415d9f46a4db12bbcc Mon Sep 17 00:00:00 2001
+From 2795e097bcd1842e750abf3af22a5ee69a702400 Mon Sep 17 00:00:00 2001
 From: zhongjiawei <zhongjiawei1@huawei.com>
-Date: Thu, 5 Jan 2023 16:22:53 +0800
+Date: Mon, 24 Jul 2023 16:16:50 +0800
 Subject: [PATCH] runc: add more specific log for hooks
 ---
@ -24,5 +24,5 @@ index c1b4a00..72910ff 100644
 	return nil
 -- 
-2.30.0
+2.33.0
--- a/patch/0005-runc-reduce-max-number-of-retries-to-10.patch
+++ b/patch/0005-runc-reduce-max-number-of-retries-to-10.patch
@ -0,0 +1,48 @@
 From d055603a252ab9cf6b36b5369045ebf4a384c5b8 Mon Sep 17 00:00:00 2001
 From: zhongjiawei <zhongjiawei1@huawei.com>
 Date: Mon, 24 Jul 2023 16:27:44 +0800
 Subject: [PATCH] runc: reduce max number of retries to 10
 ---
 delete.go | 4 ++--
 init.go   | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)
 diff --git a/delete.go b/delete.go
 index 746b0df..799c2a7 100644
 --- a/delete.go
 +++ b/delete.go
@@ -14,8 +14,8 @@ import (
 )
 func killContainer(container libcontainer.Container) error {
 -	_ = container.Signal(unix.SIGKILL, false)
 -	for i := 0; i < 100; i++ {
 +	container.Signal(unix.SIGKILL, false)
 +	for i := 0; i < 10; i++ {
 		time.Sleep(100 * time.Millisecond)
 		if err := container.Signal(unix.Signal(0), false); err != nil {
 			destroy(container)
 diff --git a/init.go b/init.go
 index bddc237..a0520b5 100644
 --- a/init.go
 +++ b/init.go
@@ -1,6 +1,7 @@
 package main
 import (
 +	"fmt"
 	"os"
 	"runtime"
 	"strconv"
@@ -34,6 +35,7 @@ func init() {
 		factory, _ := libcontainer.New("")
 		if err := factory.StartInitialization(); err != nil {
 +			fmt.Fprintf(os.Stderr, "libcontainer: container start initialization failed: %s", err)
 			// as the error is sent back to the parent there is no need to log
 			// or write it to stderr because the parent process will handle this
 			os.Exit(1)
 -- 
 2.33.0
--- a/patch/0006-runc-ignore-exec.fifo-removing-not-exist-error.patch
+++ b/patch/0006-runc-ignore-exec.fifo-removing-not-exist-error.patch
@ -1,6 +1,6 @@
-From 4e44d5c41ff9d97fdae4e0951ef1d461e07e84ad Mon Sep 17 00:00:00 2001
+From 5516836a74e12756161cd3a6ef7e05c7e89c378c Mon Sep 17 00:00:00 2001
 From: zhongjiawei <zhongjiawei1@huawei.com>
-Date: Thu, 5 Jan 2023 16:25:57 +0800
+Date: Mon, 24 Jul 2023 16:40:27 +0800
 Subject: [PATCH] runc: ignore exec.fifo removing not exist error
 ---
@ -8,10 +8,10 @@ Subject: [PATCH] runc: ignore exec.fifo removing not exist error
 1 file changed, 4 insertions(+), 1 deletion(-)
 diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
-index 9df830d..6b68a0e 100644
+index 5f1a494..f8ce1cc 100644
 --- a/libcontainer/container_linux.go
 +++ b/libcontainer/container_linux.go
-@@ -325,7 +325,10 @@ func handleFifoResult(result openResult) error {
+@@ -327,7 +327,10 @@ func handleFifoResult(result openResult) error {
 	if err := readFromExecFifo(f); err != nil {
 		return err
 	}
@ -24,5 +24,5 @@ index 9df830d..6b68a0e 100644
 type openResult struct {
 -- 
-2.30.0
+2.33.0
--- a/patch/0007-runc-Add-file-fds-limit.patch
+++ b/patch/0007-runc-Add-file-fds-limit.patch
@ -1,6 +1,6 @@
-From 75bed4f00f31595800cb30d176656b381bfa646b Mon Sep 17 00:00:00 2001
+From becb372e9a80ba49dd742f130478e93f17e27329 Mon Sep 17 00:00:00 2001
 From: zhongjiawei <zhongjiawei1@huawei.com>
-Date: Thu, 5 Jan 2023 16:27:05 +0800
+Date: Mon, 24 Jul 2023 16:48:05 +0800
 Subject: [PATCH] runc:Add file fds limit
 ---
@ -116,7 +116,7 @@ index 0000000..3315cda
 +	return nil
 +}
 diff --git a/libcontainer/cgroups/fs/fs.go b/libcontainer/cgroups/fs/fs.go
-index fb4fcc7..59b6dff 100644
+index 9e2f0ec..c85a1e2 100644
 --- a/libcontainer/cgroups/fs/fs.go
 +++ b/libcontainer/cgroups/fs/fs.go
@@ -20,6 +20,7 @@ var subsystems = []subsystem{
@ -154,7 +154,7 @@ index 40a81dd..8f1d4ce 100644
 	// the map is in the format "size of hugepage: stats of the hugepage"
 	HugetlbStats map[string]HugetlbStats `json:"hugetlb_stats,omitempty"`
 diff --git a/libcontainer/cgroups/systemd/v1.go b/libcontainer/cgroups/systemd/v1.go
-index a74a05a..19d1099 100644
+index a574552..c1e58c9 100644
 --- a/libcontainer/cgroups/systemd/v1.go
 +++ b/libcontainer/cgroups/systemd/v1.go
@@ -63,6 +63,7 @@ var legacySubsystems = []subsystem{
@ -180,10 +180,10 @@ index 2d4a898..8cbc154 100644
 	BlkioWeight uint16 `json:"blkio_weight"`
 diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go
-index c7ca4c8..19dd947 100644
+index 1b358b2..7ee81ca 100644
 --- a/libcontainer/specconv/spec_linux.go
 +++ b/libcontainer/specconv/spec_linux.go
-@@ -747,6 +747,10 @@ func CreateCgroupConfig(opts *CreateOpts, defaultDevs []*devices.Device) (*confi
+@@ -748,6 +748,10 @@ func CreateCgroupConfig(opts *CreateOpts, defaultDevs []*devices.Device) (*confi
 			if r.Pids != nil {
 				c.Resources.PidsLimit = r.Pids.Limit
 			}
@ -245,5 +245,5 @@ index 6a7a91e..e8143b2 100644
 	BlockIO *LinuxBlockIO `json:"blockIO,omitempty"`
 	// Hugetlb limit (in bytes)
 -- 
-2.30.0
+2.33.0
--- a/patch/0007-runc-reduce-max-number-of-retries-to-10.patch
+++ b/patch/0007-runc-reduce-max-number-of-retries-to-10.patch
@ -1,30 +0,0 @@
 From 68d83f90cbca399aa4797b8d63eaa1fa35b1ad30 Mon Sep 17 00:00:00 2001
 From: zhongjiawei <zhongjiawei1@huawei.com>
 Date: Thu, 5 Jan 2023 16:24:00 +0800
 Subject: [PATCH] runc: reduce max number of retries to 10
 [Changelog]:when killing containers in D state, now runc will do
 100 retries, which leads that containerd blocks for 10 seconds.
 [Author]:Ruilin Li
 ---
 delete.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/delete.go b/delete.go
 index 746b0df..799c2a7 100644
 --- a/delete.go
 +++ b/delete.go
@@ -14,8 +14,8 @@ import (
 )
 func killContainer(container libcontainer.Container) error {
 -	_ = container.Signal(unix.SIGKILL, false)
 -	for i := 0; i < 100; i++ {
 +	container.Signal(unix.SIGKILL, false)
 +	for i := 0; i < 10; i++ {
 		time.Sleep(100 * time.Millisecond)
 		if err := container.Signal(unix.Signal(0), false); err != nil {
 			destroy(container)
 -- 
 2.30.0
--- a/patch/0008-runc-print-error-message-during-start-into-container.patch
+++ b/patch/0008-runc-print-error-message-during-start-into-container.patch
@ -1,32 +0,0 @@
 From 8a337b8a40bf15bc25770cc5a853e962a96435c0 Mon Sep 17 00:00:00 2001
 From: zhongjiawei <zhongjiawei1@huawei.com>
 Date: Thu, 5 Jan 2023 16:24:53 +0800
 Subject: [PATCH] runc: print error message during start into container log
 ---
 init.go | 2 ++
 1 file changed, 2 insertions(+)
 diff --git a/init.go b/init.go
 index bddc237..a0520b5 100644
 --- a/init.go
 +++ b/init.go
@@ -1,6 +1,7 @@
 package main
 import (
 +	"fmt"
 	"os"
 	"runtime"
 	"strconv"
@@ -34,6 +35,7 @@ func init() {
 		factory, _ := libcontainer.New("")
 		if err := factory.StartInitialization(); err != nil {
 +			fmt.Fprintf(os.Stderr, "libcontainer: container start initialization failed: %s", err)
 			// as the error is sent back to the parent there is no need to log
 			// or write it to stderr because the parent process will handle this
 			os.Exit(1)
 -- 
 2.30.0
--- a/patch/0008-runc-runc-logs-forwarding-to-syslog.patch
+++ b/patch/0008-runc-runc-logs-forwarding-to-syslog.patch
@ -1,6 +1,6 @@
-From 3cea048a118096974936bf35c793075eabe830df Mon Sep 17 00:00:00 2001
+From 10536f71def2026279285999779023d98f505e56 Mon Sep 17 00:00:00 2001
 From: zhongjiawei <zhongjiawei1@huawei.com>
-Date: Thu, 5 Jan 2023 16:28:12 +0800
+Date: Mon, 24 Jul 2023 17:20:38 +0800
 Subject: [PATCH] runc: runc logs forwarding to syslog
 ---
@ -63,7 +63,7 @@ index 72910ff..9076846 100644
 +)
 +
 +const (
-+	minHookTimeOut     = 1 * time.Second
+	minHookTimeOut     = 0
 +	defaultHookTimeOut = 5 * time.Second
 +	maxHookTimeOut     = 120 * time.Second
 +	//the runc default timeout is 120s, so set the defaultWarnTime to 80% of the default timeout.
@ -161,10 +161,10 @@ index 72910ff..9076846 100644
 	}
 }
 diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
-index 6b68a0e..425e44d 100644
+index f8ce1cc..8fbd04d 100644
 --- a/libcontainer/container_linux.go
 +++ b/libcontainer/container_linux.go
-@@ -368,7 +368,7 @@ func (c *linuxContainer) start(process *Process) (retErr error) {
+@@ -370,7 +370,7 @@ func (c *linuxContainer) start(process *Process) (retErr error) {
 			if err := c.config.Hooks[configs.Poststart].RunHooks(s); err != nil {
 				if err := ignoreTerminateErrors(parent.terminate()); err != nil {
@ -713,5 +713,5 @@ index 0000000..b6fa374
 +	}
 +}
 -- 
-2.30.0
+2.33.0
--- a/patch/0009-runc-support-namespaced-kernel-params-can-be-changed.patch
+++ b/patch/0009-runc-support-namespaced-kernel-params-can-be-changed.patch
@ -1,21 +1,20 @@
-From 0e2bc1f9d2dffe3cf2c678d88855faffc122b1c5 Mon Sep 17 00:00:00 2001
+From 0d04d291e8b9dcee0fcdf4b757e41d0e77b1491f Mon Sep 17 00:00:00 2001
 From: zhongjiawei <zhongjiawei1@huawei.com>
-Date: Thu, 5 Jan 2023 16:29:06 +0800
+Date: Mon, 24 Jul 2023 17:25:43 +0800
 Subject: [PATCH] runc:support namespaced kernel params can be changed in
 system container
 Signed-off-by: zhongjiawei <zhongjiawei1@huawei.com>
 ---
 libcontainer/rootfs_linux.go        | 26 ++++++++++++++++++++++++++
 libcontainer/standard_init_linux.go |  7 +++++++
 2 files changed, 33 insertions(+)
 diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
-index 3cfd2bf..4dbe9f4 100644
+index 54520ad..e7de071 100644
 --- a/libcontainer/rootfs_linux.go
 +++ b/libcontainer/rootfs_linux.go
-@@ -417,6 +417,9 @@ func mountToRootfs(m *configs.Mount, c *mountConfig) error {
+@@ -435,6 +435,9 @@ func mountToRootfs(m *configs.Mount, c *mountConfig) error {
- 		} else if fi.Mode()&os.ModeDir == 0 {
+ 		} else if !fi.IsDir() {
 			return fmt.Errorf("filesystem %q must be mounted on ordinary directory", m.Device)
 		}
 +		if strings.HasPrefix(m.Destination, "/proc/sys/") {
@ -24,7 +23,7 @@ index 3cfd2bf..4dbe9f4 100644
 		if err := os.MkdirAll(dest, 0o755); err != nil {
 			return err
 		}
-@@ -1009,6 +1012,29 @@ func readonlyPath(path string) error {
+@@ -1033,6 +1036,29 @@ func readonlyPath(path string) error {
 	return nil
 }
@ -55,7 +54,7 @@ index 3cfd2bf..4dbe9f4 100644
 func remountReadonly(m *configs.Mount) error {
 	var (
 diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
-index ab553ef..0dd51b2 100644
+index eaa73ba..84883c2 100644
 --- a/libcontainer/standard_init_linux.go
 +++ b/libcontainer/standard_init_linux.go
@@ -141,6 +141,13 @@ func (l *linuxStandardInit) Init() error {
@ -73,5 +72,5 @@ index ab553ef..0dd51b2 100644
 		if err := maskPath(path, l.config.Config.MountLabel); err != nil {
 			return fmt.Errorf("can't mask path %s: %w", path, err)
 -- 
-2.30.0
+2.33.0
--- a/patch/0010-runc-make-hooks-log-more-userful-and-fix-syslog-hook.patch
+++ b/patch/0010-runc-make-hooks-log-more-userful-and-fix-syslog-hook.patch
@ -1,15 +1,15 @@
-From 8b5360bd401a33f5c637710fc5c545c8facb6b20 Mon Sep 17 00:00:00 2001
+From 8b9b5e2615b1952a062f09476c53ff0a536df1ac Mon Sep 17 00:00:00 2001
 From: zhongjiawei <zhongjiawei1@huawei.com>
-Date: Thu, 5 Jan 2023 16:31:33 +0800
+Date: Mon, 24 Jul 2023 19:15:52 +0800
 Subject: [PATCH] runc:make hooks log more userful and fix syslog hook bug
 ---
 libcontainer/configs/config.go | 17 ++++++++++++++---
- main.go                        |  5 ++++-
+ main.go                        | 26 ++++++++++++++++++++++++--
- 2 files changed, 18 insertions(+), 4 deletions(-)
+ 2 files changed, 38 insertions(+), 5 deletions(-)
 diff --git a/libcontainer/configs/config.go b/libcontainer/configs/config.go
-index 540bcdb..cda79bf 100644
+index 9076846..7bf83b9 100644
 --- a/libcontainer/configs/config.go
 +++ b/libcontainer/configs/config.go
@@ -8,6 +8,7 @@ import (
@ -67,10 +67,14 @@ index 540bcdb..cda79bf 100644
 	b, err := json.Marshal(s)
 	if err != nil {
 diff --git a/main.go b/main.go
-index 9e14976..0a6f3b4 100644
+index 9e14976..6e9101a 100644
 --- a/main.go
 +++ b/main.go
-@@ -4,6 +4,7 @@ import (
+@@ -1,19 +1,23 @@
 package main
 import (
 +	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
@ -78,7 +82,11 @@ index 9e14976..0a6f3b4 100644
 	"os"
 	"path/filepath"
 	"runtime"
-@@ -14,6 +15,7 @@ import (
+ 	"strconv"
 	"strings"
 +	"time"
 	"github.com/opencontainers/runc/libcontainer/seccomp"
 	"github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/sirupsen/logrus"
@ -86,10 +94,12 @@ index 9e14976..0a6f3b4 100644
 	"github.com/urfave/cli"
 )
-@@ -218,8 +220,9 @@ func configLogrus(context *cli.Context) error {
+@@ -217,9 +221,10 @@ func configLogrus(context *cli.Context) error {
 		logrus.SetOutput(f)
 		hook, serr := logrus_syslog.NewSyslogHook("", "", syslog.LOG_INFO|syslog.LOG_USER, "docker-runc")
 		if serr != nil {
- 			fmt.Fprint(f, fmt.Sprintf("Leo: new syslog hook get %s", serr))
+-			fmt.Fprint(f, fmt.Sprintf("Leo: new syslog hook get %s", serr))
 +			logToFile(f, "error", fmt.Sprintf("Leo: new syslog hook get %s", serr))
 +		} else {
 +			logrus.AddHook(hook)
 		}
@ -97,6 +107,27 @@ index 9e14976..0a6f3b4 100644
 	}
 	if logLevel := context.GlobalString("log-level"); logLevel != "" {
 		lvl, err := logrus.ParseLevel(logLevel)
@@ -235,3 +240,20 @@ func configLogrus(context *cli.Context) error {
 	}
 	return nil
 }
 +
 +func logToFile(f io.Writer, level string, msg string) {
 +	var (
 +		log struct {
 +			Level string
 +			Msg   string
 +			Time  time.Time
 +		}
 +	)
 +	log.Level = level
 +	log.Msg = msg
 +	log.Time = time.Now()
 +	s, err := json.Marshal(log)
 +	if err != nil {
 +		fmt.Fprint(f, string(s))
 +	}
 +}
 -- 
-2.30.0
+2.33.0
--- a/patch/0011-runc-do-not-setup-sysctl-in-runc-when-userns-enable.patch
+++ b/patch/0011-runc-do-not-setup-sysctl-in-runc-when-userns-enable.patch
@ -1,6 +1,6 @@
-From 6b4045a28504aaefdb8c1e9abe6b4ad7c445684a Mon Sep 17 00:00:00 2001
+From 8094649c861a0b6ca408caa38611f3e235378206 Mon Sep 17 00:00:00 2001
 From: zhongjiawei <zhongjiawei1@huawei.com>
-Date: Thu, 5 Jan 2023 16:33:42 +0800
+Date: Mon, 24 Jul 2023 19:25:06 +0800
 Subject: [PATCH] runc:do not setup sysctl in runc when userns enable
 ---
@ -8,7 +8,7 @@ Subject: [PATCH] runc:do not setup sysctl in runc when userns enable
 1 file changed, 6 insertions(+), 4 deletions(-)
 diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
-index 0dd51b2..b202ba9 100644
+index 84883c2..542edba 100644
 --- a/libcontainer/standard_init_linux.go
 +++ b/libcontainer/standard_init_linux.go
@@ -130,10 +130,12 @@ func (l *linuxStandardInit) Init() error {
@ -29,5 +29,5 @@ index 0dd51b2..b202ba9 100644
 	}
 	for _, path := range l.config.Config.ReadonlyPaths {
 -- 
-2.30.0
+2.33.0
--- a/patch/0012-runc-support-set-seccomp-priority.patch
+++ b/patch/0012-runc-support-set-seccomp-priority.patch
@ -1,6 +1,6 @@
-From e9cf09ef6800b7740b2c9a7fe7efcf6af91fbc9f Mon Sep 17 00:00:00 2001
+From 3e1db51b4dc547a7c9bfd251357e2661dc773952 Mon Sep 17 00:00:00 2001
 From: zhongjiawei <zhongjiawei1@huawei.com>
-Date: Thu, 5 Jan 2023 16:34:57 +0800
+Date: Mon, 24 Jul 2023 19:39:28 +0800
 Subject: [PATCH] runc: support set seccomp priority
 ---
@ -11,7 +11,7 @@ Subject: [PATCH] runc: support set seccomp priority
 4 files changed, 4 insertions(+), 1 deletion(-)
 diff --git a/libcontainer/configs/config.go b/libcontainer/configs/config.go
-index cda79bf..f85ade3 100644
+index 7bf83b9..00bf5b0 100644
 --- a/libcontainer/configs/config.go
 +++ b/libcontainer/configs/config.go
@@ -88,6 +88,7 @@ type Syscall struct {
@ -36,10 +36,10 @@ index 8c12af7..e4b5750 100644
 // Version returns major, minor, and micro.
 diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go
-index 19dd947..02a7439 100644
+index 7ee81ca..0c55cd6 100644
 --- a/libcontainer/specconv/spec_linux.go
 +++ b/libcontainer/specconv/spec_linux.go
-@@ -1061,6 +1061,7 @@ func SetupSeccomp(config *specs.LinuxSeccomp) (*configs.Seccomp, error) {
+@@ -1062,6 +1062,7 @@ func SetupSeccomp(config *specs.LinuxSeccomp) (*configs.Seccomp, error) {
 				Name:     name,
 				Action:   newAction,
 				ErrnoRet: call.ErrnoRet,
@ -60,5 +60,5 @@ index e8143b2..135f74a 100644
 }
 -- 
-2.30.0
+2.33.0
--- a/patch/0013-runc-do-not-kill-container-if-poststart-hooks-execut.patch
+++ b/patch/0013-runc-do-not-kill-container-if-poststart-hooks-execut.patch
@ -1,6 +1,6 @@
-From 7140cab44cd368e987089b66948cfc7f8a414b83 Mon Sep 17 00:00:00 2001
+From 0cbdce649f9086adc2e8c50734d37c2d31b45234 Mon Sep 17 00:00:00 2001
 From: zhongjiawei <zhongjiawei1@huawei.com>
-Date: Thu, 5 Jan 2023 16:35:55 +0800
+Date: Mon, 24 Jul 2023 20:31:00 +0800
 Subject: [PATCH] runc:do not kill container if poststart hooks execute failed
 ---
@ -8,10 +8,10 @@ Subject: [PATCH] runc:do not kill container if poststart hooks execute failed
 1 file changed, 1 insertion(+), 4 deletions(-)
 diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
-index 425e44d..10890c1 100644
+index 8fbd04d..e27cd7d 100644
 --- a/libcontainer/container_linux.go
 +++ b/libcontainer/container_linux.go
-@@ -367,10 +367,7 @@ func (c *linuxContainer) start(process *Process) (retErr error) {
+@@ -369,10 +369,7 @@ func (c *linuxContainer) start(process *Process) (retErr error) {
 			}
 			if err := c.config.Hooks[configs.Poststart].RunHooks(s); err != nil {
@ -24,5 +24,5 @@ index 425e44d..10890c1 100644
 		}
 	}
 -- 
-2.30.0
+2.33.0
--- a/patch/0013-runc-modify-minHookTimeOut.patch
+++ b/patch/0013-runc-modify-minHookTimeOut.patch
@ -1,25 +0,0 @@
 From 845b54fcaa8cd843034479b2019eaa9ee5faaf75 Mon Sep 17 00:00:00 2001
 From: zhongjiawei <zhongjiawei1@huawei.com>
 Date: Thu, 5 Jan 2023 16:30:36 +0800
 Subject: [PATCH] runc: modify minHookTimeOut
 ---
 libcontainer/configs/config.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/libcontainer/configs/config.go b/libcontainer/configs/config.go
 index 9076846..540bcdb 100644
 --- a/libcontainer/configs/config.go
 +++ b/libcontainer/configs/config.go
@@ -12,7 +12,7 @@ import (
 )
 const (
 -	minHookTimeOut     = 1 * time.Second
 +	minHookTimeOut     = 0
 	defaultHookTimeOut = 5 * time.Second
 	maxHookTimeOut     = 120 * time.Second
 	//the runc default timeout is 120s, so set the defaultWarnTime to 80% of the default timeout.
 -- 
 2.30.0
--- a/patch/0014-runc-add-sysctl-kernel.pid_max-to-whitelist.patch
+++ b/patch/0014-runc-add-sysctl-kernel.pid_max-to-whitelist.patch
@ -1,6 +1,6 @@
-From af158d403f0395ee93636a6a77b4d37adbef6ee1 Mon Sep 17 00:00:00 2001
+From 318779ab775bfe878cac0636c9e610b9951e1335 Mon Sep 17 00:00:00 2001
 From: zhongjiawei <zhongjiawei1@huawei.com>
-Date: Thu, 5 Jan 2023 16:37:39 +0800
+Date: Tue, 25 Jul 2023 19:53:00 +0800
 Subject: [PATCH] runc:add sysctl kernel.pid_max to whitelist
 ---
@ -8,10 +8,10 @@ Subject: [PATCH] runc:add sysctl kernel.pid_max to whitelist
 1 file changed, 1 insertion(+)
 diff --git a/libcontainer/configs/validate/validator.go b/libcontainer/configs/validate/validator.go
-index 627621a..3647aa2 100644
+index 4fbd308..5ef0e8d 100644
 --- a/libcontainer/configs/validate/validator.go
 +++ b/libcontainer/configs/validate/validator.go
-@@ -171,6 +171,7 @@ func (v *ConfigValidator) sysctl(config *configs.Config) error {
+@@ -170,6 +170,7 @@ func (v *ConfigValidator) sysctl(config *configs.Config) error {
 		"kernel.shmmax":          true,
 		"kernel.shmmni":          true,
 		"kernel.shm_rmid_forced": true,
@ -20,5 +20,5 @@ index 627621a..3647aa2 100644
 	var (
 -- 
-2.30.0
+2.33.0
--- a/patch/0015-runc-disable-core-dump-during-exec.patch
+++ b/patch/0015-runc-disable-core-dump-during-exec.patch
@ -1,6 +1,6 @@
-From c8bf02dafed3537cd295c0898804809744f02f1e Mon Sep 17 00:00:00 2001
+From d98901af66768560f0e352db72bb32d216aa9040 Mon Sep 17 00:00:00 2001
 From: zhongjiawei <zhongjiawei1@huawei.com>
-Date: Thu, 5 Jan 2023 16:38:29 +0800
+Date: Wed, 26 Jul 2023 11:04:05 +0800
 Subject: [PATCH] runc:disable core dump during exec
 ---
@ -21,5 +21,5 @@ index 29408d7..75d05b7 100644
 	// get the "before" value of oom kill count
 	oom, _ := p.manager.OOMKillCount()
 -- 
-2.30.0
+2.33.0
--- a/patch/0015-runc-fix-runc-log-decode-failed.patch
+++ b/patch/0015-runc-fix-runc-log-decode-failed.patch
@ -1,62 +0,0 @@
 From 5584140c9549c2c9c6a0b0c5afea0850d1e88926 Mon Sep 17 00:00:00 2001
 From: zhongjiawei <zhongjiawei1@huawei.com>
 Date: Thu, 5 Jan 2023 16:32:43 +0800
 Subject: [PATCH] runc: fix runc log decode failed
 ---
 main.go | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)
 diff --git a/main.go b/main.go
 index 0a6f3b4..6e9101a 100644
 --- a/main.go
 +++ b/main.go
@@ -1,6 +1,7 @@
 package main
 import (
 +	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
@@ -10,6 +11,7 @@ import (
 	"runtime"
 	"strconv"
 	"strings"
 +	"time"
 	"github.com/opencontainers/runc/libcontainer/seccomp"
 	"github.com/opencontainers/runtime-spec/specs-go"
@@ -219,7 +221,7 @@ func configLogrus(context *cli.Context) error {
 		logrus.SetOutput(f)
 		hook, serr := logrus_syslog.NewSyslogHook("", "", syslog.LOG_INFO|syslog.LOG_USER, "docker-runc")
 		if serr != nil {
 -			fmt.Fprint(f, fmt.Sprintf("Leo: new syslog hook get %s", serr))
 +			logToFile(f, "error", fmt.Sprintf("Leo: new syslog hook get %s", serr))
 		} else {
 			logrus.AddHook(hook)
 		}
@@ -238,3 +240,20 @@ func configLogrus(context *cli.Context) error {
 	}
 	return nil
 }
 +
 +func logToFile(f io.Writer, level string, msg string) {
 +	var (
 +		log struct {
 +			Level string
 +			Msg   string
 +			Time  time.Time
 +		}
 +	)
 +	log.Level = level
 +	log.Msg = msg
 +	log.Time = time.Now()
 +	s, err := json.Marshal(log)
 +	if err != nil {
 +		fmt.Fprint(f, string(s))
 +	}
 +}
 -- 
 2.30.0
--- a/patch/0016-runc-fix-exec-problem-caused-by-libseccomp-updating.patch
+++ b/patch/0016-runc-fix-exec-problem-caused-by-libseccomp-updating.patch
@ -1,6 +1,6 @@
-From 62ccdfd5cd6572c8c2c5965b9ca85fc78f43bfb6 Mon Sep 17 00:00:00 2001
+From 92c51d606acb92a5fb58eed2d238ad3cb2c69291 Mon Sep 17 00:00:00 2001
 From: zhongjiawei <zhongjiawei1@huawei.com>
-Date: Thu, 5 Jan 2023 16:41:29 +0800
+Date: Wed, 26 Jul 2023 11:11:23 +0800
 Subject: [PATCH] runc:fix exec problem caused by libseccomp updating
 reason: libseccomp updating causes runc exec performance
@ -44,5 +44,5 @@ index e4b5750..a925be1 100644
 		return -1, errors.New("cannot initialize Seccomp - nil config passed")
 	}
 -- 
-2.30.0
+2.33.0
--- a/patch/0017-runc-add-log-message-for-cgroup-file-check.patch
+++ b/patch/0017-runc-add-log-message-for-cgroup-file-check.patch
@ -1,6 +1,6 @@
-From 71c298bc54c68714bde5f4aad293f2fa603ede3e Mon Sep 17 00:00:00 2001
+From 436b642d42680fd76903307748df0237e8cd0cd1 Mon Sep 17 00:00:00 2001
 From: zhongjiawei <zhongjiawei1@huawei.com>
-Date: Thu, 5 Jan 2023 16:43:03 +0800
+Date: Wed, 26 Jul 2023 11:21:06 +0800
 Subject: [PATCH] runc:add log message for cgroup file check
 ---
@ -27,10 +27,10 @@ index 0cdaf74..bc7f0a3 100644
 	return nil
 }
 diff --git a/libcontainer/cgroups/fs/cpuset.go b/libcontainer/cgroups/fs/cpuset.go
-index 341d5dc..ef1f633 100644
+index c05a6f6..939b72c 100644
 --- a/libcontainer/cgroups/fs/cpuset.go
 +++ b/libcontainer/cgroups/fs/cpuset.go
-@@ -25,14 +25,23 @@ func (s *CpusetGroup) Apply(path string, r *configs.Resources, pid int) error {
+@@ -27,14 +27,23 @@ func (s *CpusetGroup) Apply(path string, r *configs.Resources, pid int) error {
 }
 func (s *CpusetGroup) Set(path string, r *configs.Resources) error {
@ -56,7 +56,7 @@ index 341d5dc..ef1f633 100644
 		}
 	}
 	return nil
-@@ -231,13 +240,19 @@ func cpusetEnsureParent(current string) error {
+@@ -233,13 +242,19 @@ func cpusetEnsureParent(current string) error {
 // cpusetCopyIfNeeded copies the cpuset.cpus and cpuset.mems from the parent
 // directory to the current directory if the file's contents are 0
 func cpusetCopyIfNeeded(current, parent string) error {
@ -83,5 +83,5 @@ index 341d5dc..ef1f633 100644
 	if isEmptyCpuset(currentCpus) {
 -- 
-2.30.0
+2.33.0
--- a/patch/0019-runc-print-memory-info-when-syscall.Exec-failed.patch
+++ b/patch/0019-runc-print-memory-info-when-syscall.Exec-failed.patch
@ -1,76 +0,0 @@
 From 5159ecfcc9180dd47e843818844c59cb9284d662 Mon Sep 17 00:00:00 2001
 From: zhongjiawei <zhongjiawei1@huawei.com>
 Date: Thu, 5 Jan 2023 16:36:48 +0800
 Subject: [PATCH] runc: print memory info when syscall.Exec failed
 ---
 libcontainer/container_linux.go     |  1 +
 libcontainer/standard_init_linux.go | 33 ++++++++++++++++++++++++++++-
 2 files changed, 33 insertions(+), 1 deletion(-)
 diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
 index 10890c1..5ef5a9a 100644
 --- a/libcontainer/container_linux.go
 +++ b/libcontainer/container_linux.go
@@ -355,6 +355,7 @@ func (c *linuxContainer) start(process *Process) (retErr error) {
 	}
 	if err := parent.start(); err != nil {
 +		printCgroupInfo(c.config.Cgroups.Path)
 		return fmt.Errorf("unable to start container process: %w", err)
 	}
 diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
 index b202ba9..8a60501 100644
 --- a/libcontainer/standard_init_linux.go
 +++ b/libcontainer/standard_init_linux.go
@@ -3,8 +3,10 @@ package libcontainer
 import (
 	"errors"
 	"fmt"
 +	"io/ioutil"
 	"os"
 	"os/exec"
 +	"path/filepath"
 	"strconv"
 	"time"
@@ -274,5 +276,34 @@ func (l *linuxStandardInit) Init() error {
 		return err
 	}
 -	return system.Exec(name, l.config.Args[0:], os.Environ())
 +	if err := system.Exec(name, l.config.Args[0:], os.Environ()); err != nil {
 +		printCgroupInfo("")
 +		return err
 +	}
 +	return nil
 }
 +
 +func printCgroupInfo(path string) {
 +	cgroupRoot := "/sys/fs/cgroup"
 +	infoFileList := []string{
 +		"/proc/meminfo",
 +		"/sys/fs/cgroup/memory/memory.stat",
 +		filepath.Join(cgroupRoot, "files", path, "files.limit"),
 +		filepath.Join(cgroupRoot, "files", path, "files.usage"),
 +		filepath.Join(cgroupRoot, "pids", path, "pids.max"),
 +		filepath.Join(cgroupRoot, "pids", path, "pids.current"),
 +		filepath.Join(cgroupRoot, "memory", path, "memory.usage_in_bytes"),
 +		filepath.Join(cgroupRoot, "memory", path, "memory.limit_in_bytes"),
 +		filepath.Join(cgroupRoot, "memory", path, "memory.stat"),
 +		filepath.Join(cgroupRoot, "cpu", path, "cpu.stat"),
 +	}
 +	for _, file := range infoFileList {
 +		printFileContent(file)
 +	}
 +}
 +
 +func printFileContent(path string) {
 +	output, err := ioutil.ReadFile(path)
 +	logrus.Infof("content read from %s: %s, err: %v", path, string(output), err)
 +}
 +
 -- 
 2.30.0
--- a/patch/0019-runc-support-set-cpuset.prefer_cpus-using-cpuset-cpu.patch
+++ b/patch/0019-runc-support-set-cpuset.prefer_cpus-using-cpuset-cpu.patch
@ -1,6 +1,6 @@
-From b22fdd593f463caea0c96c66b1fed442bccfeb8f Mon Sep 17 00:00:00 2001
+From da50f7d9ddf912a6e4ad8714e5aff01e85c09b21 Mon Sep 17 00:00:00 2001
 From: zhongjiawei <zhongjiawei1@huawei.com>
-Date: Thu, 5 Jan 2023 16:48:21 +0800
+Date: Wed, 26 Jul 2023 11:37:21 +0800
 Subject: [PATCH] runc:support set cpuset.prefer_cpus using --cpuset-cpus
 ---
@ -8,10 +8,10 @@ Subject: [PATCH] runc:support set cpuset.prefer_cpus using --cpuset-cpus
 1 file changed, 114 insertions(+), 4 deletions(-)
 diff --git a/libcontainer/cgroups/fs/cpuset.go b/libcontainer/cgroups/fs/cpuset.go
-index ef1f633..989f4ec 100644
+index 939b72c..ef9164b 100644
 --- a/libcontainer/cgroups/fs/cpuset.go
 +++ b/libcontainer/cgroups/fs/cpuset.go
-@@ -24,16 +24,126 @@ func (s *CpusetGroup) Apply(path string, r *configs.Resources, pid int) error {
+@@ -26,16 +26,126 @@ func (s *CpusetGroup) Apply(path string, r *configs.Resources, pid int) error {
 	return s.ApplyDir(path, r, pid)
 }
@ -100,7 +100,7 @@ index ef1f633..989f4ec 100644
 +}
 +
 +func (s *CpusetGroup) setCpuset(path, cpuset string) error {
-+	if _, err := os.Stat(filepath.Join(path, "cpuset.preferred_cpus")); err != nil {
+	if _, err := os.Stat("/proc/sys/kernel/sched_util_low_pct"); err != nil {
 +		var ret error
 +		if err := writeFile(path, "cpuset.cpus", cpuset); err != nil {
 			ret = fmt.Errorf("failed to set cpuset.cpus, %v", err)
@ -143,5 +143,5 @@ index ef1f633..989f4ec 100644
 	if r.CpusetMems != "" {
 		if err := cgroups.WriteFile(path, "cpuset.mems", r.CpusetMems); err != nil {
 -- 
-2.30.0
+2.33.0
--- a/patch/0020-runc-add-DT-for-cpuset.preferred_cpus-setting.patch
+++ b/patch/0020-runc-add-DT-for-cpuset.preferred_cpus-setting.patch
@ -1,6 +1,6 @@
-From 43dfa46b403166f4195803b7522bbc94a97d8e7c Mon Sep 17 00:00:00 2001
+From 8071a31f5fd66638bda75d371f62d6df9155b00b Mon Sep 17 00:00:00 2001
 From: zhongjiawei <zhongjiawei1@huawei.com>
-Date: Thu, 5 Jan 2023 16:49:18 +0800
+Date: Wed, 26 Jul 2023 14:18:00 +0800
 Subject: [PATCH] runc:add DT for cpuset.preferred_cpus setting
 ---
@ -292,5 +292,5 @@ index 0000000..c80db24
 +echo "PASS"
 +exit 0
 -- 
-2.30.0
+2.33.0
--- a/patch/0021-runc-modify-runc-Makefile.patch
+++ b/patch/0021-runc-modify-runc-Makefile.patch
@ -1,40 +1,43 @@
-From 6ee9f98fdd90901a2f93b7b58244e543c4623dbe Mon Sep 17 00:00:00 2001
+From b8461e39d80a2323dca4cd831f4cb41dbd5a0006 Mon Sep 17 00:00:00 2001
 From: zhongjiawei <zhongjiawei1@huawei.com>
-Date: Thu, 5 Jan 2023 16:50:18 +0800
+Date: Wed, 26 Jul 2023 14:48:37 +0800
 Subject: [PATCH] runc:modify runc Makefile
 ---
- Makefile | 28 ++++++++++++++++++++++------
+ Makefile | 29 ++++++++++++++++++++++-------
- 1 file changed, 22 insertions(+), 6 deletions(-)
+ 1 file changed, 22 insertions(+), 7 deletions(-)
 diff --git a/Makefile b/Makefile
-index cf82c0c..34b5347 100644
+index e3af9bc..4475271 100644
 --- a/Makefile
 +++ b/Makefile
-@@ -10,9 +10,12 @@ GIT_BRANCH_CLEAN := $(shell echo $(GIT_BRANCH) | sed -e "s/[^[:alnum:]]/-/g")
+@@ -11,10 +11,13 @@ RUNC_IMAGE := runc_dev$(if $(GIT_BRANCH_CLEAN),:$(GIT_BRANCH_CLEAN))
 RUNC_IMAGE := runc_dev$(if $(GIT_BRANCH_CLEAN),:$(GIT_BRANCH_CLEAN))
 PROJECT := github.com/opencontainers/runc
 BUILDTAGS ?= seccomp
 -COMMIT ?= $(shell git describe --dirty --long --always)
 +COMMIT ?= $(shell cat ./git-commit | head -c 40)
 VERSION := $(shell cat ./VERSION)
 LDFLAGS_COMMON := -X main.gitCommit=$(COMMIT) -X main.version=$(VERSION)
 +BEP_DIR := "/tmp/runc-build-bep"
 +BEP_FLAG := "-tmpdir=${BEP_DIR}"
 +
- ifeq ($(shell $(GO) env GOOS),linux)
+ GOARCH := $(shell $(GO) env GOARCH)
- 	ifeq (,$(filter $(shell $(GO) env GOARCH),mips mipsle mips64 mips64le ppc64))
+ 
- 		ifeq (,$(findstring -race,$(EXTRA_FLAGS)))
+ GO_BUILDMODE :=
-@@ -22,23 +25,33 @@ ifeq ($(shell $(GO) env GOOS),linux)
+@@ -40,9 +43,7 @@ ifneq (,$(filter $(GOARCH),arm64 amd64))
 	endif
 endif
- GO_BUILD := $(GO) build -trimpath $(GO_BUILDMODE) $(EXTRA_FLAGS) -tags "$(BUILDTAGS)" \
+ # Enable static PIE binaries on supported platforms.
- 	-ldflags "-X main.gitCommit=$(COMMIT) -X main.version=$(VERSION) $(EXTRA_LDFLAGS)"
+-GO_BUILD_STATIC := $(GO) build -trimpath $(GO_BUILDMODE_STATIC) \
-GO_BUILD_STATIC := CGO_ENABLED=1 $(GO) build -trimpath $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo osusergo" \
+-	$(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo osusergo" \
-	-ldflags "-extldflags -static -X main.gitCommit=$(COMMIT) -X main.version=$(VERSION) $(EXTRA_LDFLAGS)"
+-	-ldflags "$(LDFLAGS_COMMON) $(LDFLAGS_STATIC) $(EXTRA_LDFLAGS)"
-+GO_BUILD_STATIC := $(GO) build -trimpath $(EXTRA_FLAGS) -tags "$(BUILDTAGS) static_build cgo netgo osusergo"
+GO_BUILD_STATIC := $(GO) build -buildmode=pie -trimpath $(EXTRA_FLAGS) -tags "$(BUILDTAGS) static_build cgo netgo osusergo"
 GPG_KEYID ?= asarai@suse.de
@@ -58,15 +59,26 @@ endif
 .DEFAULT: runc
 runc:
@ -49,8 +52,8 @@ index cf82c0c..34b5347 100644
 +	$(GO_BUILD) $(BEP_FLAG) -buildid=IdByIsula -o contrib/cmd/$@/$@ ./contrib/cmd/$@
 +
 +LD_FLAGS='-buildid=none -tmpdir=/tmp/bep-runc -linkmode=external -extldflags=-Wl,-z,relro,-z,now \
-+	 -extldflags -static -X main.gitCommit=$(COMMIT) -X main.version=$(VERSION) $(EXTRA_LDFLAGS) \
+         -X main.gitCommit=$(COMMIT) -X main.version=$(VERSION) $(EXTRA_LDFLAGS) \
-+	 '
+         '
 static:
 -	$(GO_BUILD_STATIC) -o runc .
@ -60,11 +63,11 @@ index cf82c0c..34b5347 100644
 +	CGO_CPPFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
 +	CGO_LDFLAGS_ALLOW='-Wl,-z,relro,-z,now' \
 +	CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
-+	$(GO_BUILD_STATIC) -buildmode=pie  -ldflags $(LD_FLAGS) -o runc .
+	$(GO_BUILD_STATIC) -ldflags '-extldflags=-static' -ldflags $(LD_FLAGS) -o runc .
- releaseall: RELEASE_ARGS := "-a arm64 -a armel -a armhf -a ppc64le -a s390x"
+ releaseall: RELEASE_ARGS := "-a arm64 -a armel -a armhf -a ppc64le -a riscv64 -a s390x"
 releaseall: release
-@@ -70,6 +83,9 @@ runcimage:
+@@ -98,6 +110,9 @@ runcimage:
 test: unittest integration rootlessintegration
@ -75,5 +78,5 @@ index cf82c0c..34b5347 100644
 unittest: runcimage
 -- 
-2.30.0
+2.33.0
--- a/patch/0022-runc-cgroup-apply-method-modify.patch
+++ b/patch/0022-runc-cgroup-apply-method-modify.patch
@ -1,41 +1,30 @@
-From 6ae765b2529fbfde33c3562834308add80bd34e2 Mon Sep 17 00:00:00 2001
+From 6477190927cec5e20393c303bf7a4049539273bf Mon Sep 17 00:00:00 2001
 From: zhongjiawei <zhongjiawei1@huawei.com>
-Date: Thu, 5 Jan 2023 16:51:24 +0800
+Date: Wed, 26 Jul 2023 15:25:25 +0800
 Subject: [PATCH] runc:cgroup apply method modify
 ---
- libcontainer/cgroups/fs/cpuset.go   | 15 ++++-
+ libcontainer/cgroups/fs/cpuset.go   | 12 +++-
- libcontainer/cgroups/fs/files.go    | 23 +++----
+ libcontainer/cgroups/fs/files.go    | 27 +++-----
 libcontainer/cgroups/fs/utils.go    | 97 +++++++++++++++++++++++++++++
 libcontainer/rootfs_linux.go        |  1 +
- libcontainer/standard_init_linux.go |  4 +-
+ libcontainer/standard_init_linux.go |  6 +-
- main.go                             |  1 -
+ 5 files changed, 120 insertions(+), 23 deletions(-)
 6 files changed, 119 insertions(+), 22 deletions(-)
 create mode 100644 libcontainer/cgroups/fs/utils.go
 diff --git a/libcontainer/cgroups/fs/cpuset.go b/libcontainer/cgroups/fs/cpuset.go
-index 989f4ec..379407e 100644
+index ef9164b..01388f7 100644
 --- a/libcontainer/cgroups/fs/cpuset.go
 +++ b/libcontainer/cgroups/fs/cpuset.go
-@@ -1,7 +1,9 @@
+@@ -1,6 +1,7 @@
 package fs
 import (
 +	"fmt"
 	"errors"
-+	"io/ioutil"
+ 	"io/ioutil"
 	"os"
- 	"path/filepath"
+@@ -145,7 +146,7 @@ func (s *CpusetGroup) setCpuset(path, cpuset string) error {
 	"strconv"
@@ -9,6 +11,7 @@ import (
 	"golang.org/x/sys/unix"
 +	"github.com/sirupsen/logrus"
 	"github.com/opencontainers/runc/libcontainer/cgroups"
 	"github.com/opencontainers/runc/libcontainer/cgroups/fscommon"
 	"github.com/opencontainers/runc/libcontainer/configs"
@@ -143,7 +146,7 @@ func (s *CpusetGroup) setCpuset(path, cpuset string) error {
 func (s *CpusetGroup) Set(path string, r *configs.Resources) error {
 	var ret error
 	if r.CpusetCpus != "" {
@ -44,7 +33,7 @@ index 989f4ec..379407e 100644
 	}
 	if r.CpusetMems != "" {
 		if err := cgroups.WriteFile(path, "cpuset.mems", r.CpusetMems); err != nil {
-@@ -350,14 +353,20 @@ func cpusetEnsureParent(current string) error {
+@@ -352,14 +353,19 @@ func cpusetEnsureParent(current string) error {
 // cpusetCopyIfNeeded copies the cpuset.cpus and cpuset.mems from the parent
 // directory to the current directory if the file's contents are 0
 func cpusetCopyIfNeeded(current, parent string) error {
@ -54,7 +43,6 @@ index 989f4ec..379407e 100644
 +		currentCpus, currentMems string
 +		parentCpus, parentMems   string
 +	)
 +
 +	if currentCpus, currentMems, err = getCpusetSubsystemSettings(current); err != nil {
 		ret := fmt.Errorf("failed copy current cgroup setting, %v", err)
 		if _, err := os.Stat(current); err != nil {
@ -68,16 +56,23 @@ index 989f4ec..379407e 100644
 		if _, err := os.Stat(parent); err != nil {
 			ret = fmt.Errorf("%v, %v", ret, err)
 diff --git a/libcontainer/cgroups/fs/files.go b/libcontainer/cgroups/fs/files.go
-index 3315cda..b02743c 100644
+index 3315cda..9dcc54b 100644
 --- a/libcontainer/cgroups/fs/files.go
 +++ b/libcontainer/cgroups/fs/files.go
-@@ -18,27 +18,22 @@ import (
+@@ -13,34 +13,29 @@ import (
- 	"path/filepath"
+ 	"fmt"
 	"strconv"
 +	"path/filepath"
 +
 	"github.com/opencontainers/runc/libcontainer/cgroups"
 	"github.com/opencontainers/runc/libcontainer/configs"
 -	"path/filepath"
 )
 -type FilesGroup struct {
 -}
-+type FilesGroup struct {}
+type FilesGroup struct{}
 func (s *FilesGroup) Name() string {
 	return "files"
@ -104,8 +99,10 @@ index 3315cda..b02743c 100644
 +		if r.FilesLimit > 0 {
 +			limit = strconv.FormatInt(r.FilesLimit, 10)
 		}
- 
+-
 		if err := writeFile(path, "files.limit", limit); err != nil {
 			return err
 		}
@@ -49,10 +44,6 @@ func (s *FilesGroup) Set(path string, cgroup *configs.Cgroup) error {
 	return nil
 }
@ -221,7 +218,7 @@ index 0000000..38820a8
 +}
 +
 diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
-index 4dbe9f4..0bf1729 100644
+index e7de071..499d753 100644
 --- a/libcontainer/rootfs_linux.go
 +++ b/libcontainer/rootfs_linux.go
@@ -10,6 +10,7 @@ import (
@ -233,35 +230,32 @@ index 4dbe9f4..0bf1729 100644
 	securejoin "github.com/cyphar/filepath-securejoin"
 diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
-index 99e7003..c288c88 100644
+index 542edba..cd962c8 100644
 --- a/libcontainer/standard_init_linux.go
 +++ b/libcontainer/standard_init_linux.go
-@@ -3,11 +3,11 @@ package libcontainer
+@@ -6,6 +6,8 @@ import (
 import (
 	"errors"
 	"fmt"
 -	"io/ioutil"
 	"os"
 	"os/exec"
 -	"path/filepath"
 	"strconv"
 +	"strings"
 +	"syscall"
 	"time"
 	"github.com/opencontainers/runtime-spec/specs-go"
-diff --git a/main.go b/main.go
+@@ -260,11 +262,11 @@ func (l *linuxStandardInit) Init() error {
-index e624347..e52a2ea 100644
+ 	}()
--- a/main.go
+ 
-+++ b/main.go
+ 	select {
-@@ -4,7 +4,6 @@ import (
+-	case chErr := <- ch:
- 	"errors"
+	case chErr := <-ch:
- 	"fmt"
+ 		if chErr != nil {
- 	"io"
+ 			return chErr
-	"log/syslog"
+ 		}
- 	"os"
+-	case <- time.After(120 * time.Second):
- 	"path/filepath"
+	case <-time.After(120 * time.Second):
- 	"runtime"
+ 		return fmt.Errorf("wait for the fifo to be opened on the other side timeout ")
 	}
 	// Close the O_PATH fifofd fd before exec because the kernel resets
 -- 
-2.30.0
+2.33.0
--- a/patch/0023-runc-support-specify-umask.patch
+++ b/patch/0023-runc-support-specify-umask.patch
@ -1,18 +1,19 @@
-From cb7c43347df720787be7457d4a991181ba608080 Mon Sep 17 00:00:00 2001
+From 7746fa7839dc6780379cb732c7122efaa07834f7 Mon Sep 17 00:00:00 2001
 From: zhongjiawei <zhongjiawei1@huawei.com>
-Date: Tue, 10 Jan 2023 11:52:14 +0800
+Date: Wed, 26 Jul 2023 15:37:48 +0800
 Subject: [PATCH] runc:support specify umask
 ---
- libcontainer/rootfs_linux.go     | 6 ++++++
+ libcontainer/rootfs_linux.go                             | 6 ++++++
- libcontainer/setns_init_linux.go | 7 +++++++
+ libcontainer/setns_init_linux.go                         | 7 +++++++
- 2 files changed, 13 insertions(+)
+ vendor/github.com/sirupsen/logrus/hooks/syslog/syslog.go | 2 +-
 3 files changed, 14 insertions(+), 1 deletion(-)
 diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
-index 0bf1729..280a633 100644
+index 499d753..c42e388 100644
 --- a/libcontainer/rootfs_linux.go
 +++ b/libcontainer/rootfs_linux.go
-@@ -190,6 +190,12 @@ func finalizeRootfs(config *configs.Config) (err error) {
+@@ -192,6 +192,12 @@ func finalizeRootfs(config *configs.Config) (err error) {
 	} else {
 		unix.Umask(0o022)
 	}
@ -50,6 +51,19 @@ index 09ab552..e9b8d62 100644
 	if l.config.NoNewPrivileges {
 		if err := unix.Prctl(unix.PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil {
 			return err
 diff --git a/vendor/github.com/sirupsen/logrus/hooks/syslog/syslog.go b/vendor/github.com/sirupsen/logrus/hooks/syslog/syslog.go
 index b6fa374..430f646 100644
 --- a/vendor/github.com/sirupsen/logrus/hooks/syslog/syslog.go
 +++ b/vendor/github.com/sirupsen/logrus/hooks/syslog/syslog.go
@@ -2,7 +2,7 @@ package logrus_syslog
 import (
 	"fmt"
 -	"github.com/Sirupsen/logrus"
 +	"github.com/sirupsen/logrus"
 	"log/syslog"
 	"os"
 )
 -- 
-2.30.0
+2.33.0
--- a/patch/0024-runc-modify-linuxcontainer-starttime-uint64-type-tob.patch
+++ b/patch/0024-runc-modify-linuxcontainer-starttime-uint64-type-tob.patch
@ -1,6 +1,6 @@
-From 3b2a80f599b6339f4823fc634a7f9096f7c2a5d8 Mon Sep 17 00:00:00 2001
+From a84f3ee6e929dc1d1899dfe8e0bcaafb43bf510d Mon Sep 17 00:00:00 2001
 From: zhongjiawei <zhongjiawei1@huawei.com>
-Date: Tue, 17 Jan 2023 15:14:06 +0800
+Date: Wed, 26 Jul 2023 16:04:21 +0800
 Subject: [PATCH] runc:modify linuxcontainer starttime uint64 type tobe string
 ---
@ -26,7 +26,7 @@ index 300c952..1759e4c 100644
 	// Created is the unix timestamp for the creation time of the container in UTC
 	Created time.Time `json:"created"`
 diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
-index 10890c1..1fc8fec 100644
+index e27cd7d..7141001 100644
 --- a/libcontainer/container_linux.go
 +++ b/libcontainer/container_linux.go
@@ -44,7 +44,7 @@ type linuxContainer struct {
@ -38,7 +38,7 @@ index 10890c1..1fc8fec 100644
 	criuPath             string
 	newuidmapPath        string
 	newgidmapPath        string
-@@ -2000,7 +2000,7 @@ func (c *linuxContainer) isPaused() (bool, error) {
+@@ -2003,7 +2003,7 @@ func (c *linuxContainer) isPaused() (bool, error) {
 func (c *linuxContainer) currentState() (*State, error) {
 	var (
@ -201,5 +201,5 @@ index 774443e..768a16e 100644
 		return stat, fmt.Errorf("invalid stat data (bad start time): %w", err)
 	}
 -- 
-2.30.0
+2.33.0
--- a/patch/0024-runc-unified-use-of-logpipe.patch
+++ b/patch/0024-runc-unified-use-of-logpipe.patch
@ -1,125 +0,0 @@
 From c40ef2e5c3415c807172271936a06dfbf89747ee Mon Sep 17 00:00:00 2001
 From: zhongjiawei <zhongjiawei1@huawei.com>
 Date: Thu, 5 Jan 2023 16:43:54 +0800
 Subject: [PATCH] runc:add log message for cgroup file check
 ---
 libcontainer/container_linux.go     |  1 -
 libcontainer/standard_init_linux.go | 30 +----------------------------
 main.go                             | 25 ------------------------
 3 files changed, 1 insertion(+), 55 deletions(-)
 diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
 index 5ef5a9a..10890c1 100644
 --- a/libcontainer/container_linux.go
 +++ b/libcontainer/container_linux.go
@@ -355,7 +355,6 @@ func (c *linuxContainer) start(process *Process) (retErr error) {
 	}
 	if err := parent.start(); err != nil {
 -		printCgroupInfo(c.config.Cgroups.Path)
 		return fmt.Errorf("unable to start container process: %w", err)
 	}
 diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
 index 8a60501..99e7003 100644
 --- a/libcontainer/standard_init_linux.go
 +++ b/libcontainer/standard_init_linux.go
@@ -276,34 +276,6 @@ func (l *linuxStandardInit) Init() error {
 		return err
 	}
 -	if err := system.Exec(name, l.config.Args[0:], os.Environ()); err != nil {
 -		printCgroupInfo("")
 -		return err
 -	}
 -	return nil
 -}
 -
 -func printCgroupInfo(path string) {
 -	cgroupRoot := "/sys/fs/cgroup"
 -	infoFileList := []string{
 -		"/proc/meminfo",
 -		"/sys/fs/cgroup/memory/memory.stat",
 -		filepath.Join(cgroupRoot, "files", path, "files.limit"),
 -		filepath.Join(cgroupRoot, "files", path, "files.usage"),
 -		filepath.Join(cgroupRoot, "pids", path, "pids.max"),
 -		filepath.Join(cgroupRoot, "pids", path, "pids.current"),
 -		filepath.Join(cgroupRoot, "memory", path, "memory.usage_in_bytes"),
 -		filepath.Join(cgroupRoot, "memory", path, "memory.limit_in_bytes"),
 -		filepath.Join(cgroupRoot, "memory", path, "memory.stat"),
 -		filepath.Join(cgroupRoot, "cpu", path, "cpu.stat"),
 -	}
 -	for _, file := range infoFileList {
 -		printFileContent(file)
 -	}
 -}
 -
 -func printFileContent(path string) {
 -	output, err := ioutil.ReadFile(path)
 -	logrus.Infof("content read from %s: %s, err: %v", path, string(output), err)
 +	return system.Exec(name, l.config.Args[0:], os.Environ())
 }
 diff --git a/main.go b/main.go
 index 6e9101a..e624347 100644
 --- a/main.go
 +++ b/main.go
@@ -1,7 +1,6 @@
 package main
 import (
 -	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
@@ -11,13 +10,11 @@ import (
 	"runtime"
 	"strconv"
 	"strings"
 -	"time"
 	"github.com/opencontainers/runc/libcontainer/seccomp"
 	"github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/sirupsen/logrus"
 -	logrus_syslog "github.com/sirupsen/logrus/hooks/syslog"
 	"github.com/urfave/cli"
 )
@@ -219,12 +216,6 @@ func configLogrus(context *cli.Context) error {
 			return err
 		}
 		logrus.SetOutput(f)
 -		hook, serr := logrus_syslog.NewSyslogHook("", "", syslog.LOG_INFO|syslog.LOG_USER, "docker-runc")
 -		if serr != nil {
 -			logToFile(f, "error", fmt.Sprintf("Leo: new syslog hook get %s", serr))
 -		} else {
 -			logrus.AddHook(hook)
 -		}
 	}
 	if logLevel := context.GlobalString("log-level"); logLevel != "" {
 		lvl, err := logrus.ParseLevel(logLevel)
@@ -241,19 +232,3 @@ func configLogrus(context *cli.Context) error {
 	return nil
 }
 -func logToFile(f io.Writer, level string, msg string) {
 -	var (
 -		log struct {
 -			Level string
 -			Msg   string
 -			Time  time.Time
 -		}
 -	)
 -	log.Level = level
 -	log.Msg = msg
 -	log.Time = time.Now()
 -	s, err := json.Marshal(log)
 -	if err != nil {
 -		fmt.Fprint(f, string(s))
 -	}
 -}
 -- 
 2.30.0
--- a/patch/0025-runc-make-runc-spec-compatible-1.0.0.rc3.patch
+++ b/patch/0025-runc-make-runc-spec-compatible-1.0.0.rc3.patch
@ -1,10 +1,8 @@
-From 437b5cda354b8e2572eb24377774396117b513d0 Mon Sep 17 00:00:00 2001
+From a6466792b4a78638871a8ed4af65f25555b24520 Mon Sep 17 00:00:00 2001
 From: zhongjiawei <zhongjiawei1@huawei.com>
-Date: Thu, 9 Feb 2023 16:41:35 +0800
+Date: Wed, 26 Jul 2023 16:34:51 +0800
 Subject: [PATCH] runc:make runc spec compatible 1.0.0.rc3
 1.adapt DisableOOMKiller, OOMScoreAdj position adjustment.
 2.adapt to BlackIO json parsing field change modification.
 ---
 spec.go | 181 +++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 180 insertions(+), 1 deletion(-)
--- a/patch/0026-runc-Fixed-init-state-error-variable.patch
+++ b/patch/0026-runc-Fixed-init-state-error-variable.patch
@ -1,18 +1,14 @@
-From ab18f1e6bf59d651889a9483f45f0e88368669c9 Mon Sep 17 00:00:00 2001
+From f9add2c83320bd04ac76120821802ad7e25991d5 Mon Sep 17 00:00:00 2001
-From: Vipul Newaskar <vipulnewaskar7@gmail.com>
+From: zhongjiawei <zhongjiawei1@huawei.com>
-Date: Sun, 13 Nov 2022 23:46:12 +0530
+Date: Wed, 26 Jul 2023 16:46:35 +0800
-Subject: [PATCH 2/2] Fixed init state error variable
+Subject: [PATCH] runc:Fixed init state error variable
 Init State Error message was using the err variable instead of uerr, which has been fixed now.
 The error message should not show "nil" now.
 Signed-off-by: Vipul Newaskar <vipulnewaskar7@gmail.com>
 ---
 libcontainer/process_linux.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/libcontainer/process_linux.go b/libcontainer/process_linux.go
-index 1124cf54..3b453ccd 100644
+index 1124cf5..3b453cc 100644
 --- a/libcontainer/process_linux.go
 +++ b/libcontainer/process_linux.go
@@ -555,7 +555,7 @@ func (p *initProcess) start() (retErr error) {
--- a/patch/0027-runc-libct-fix-shared-pidns-detection.patch
+++ b/patch/0027-runc-libct-fix-shared-pidns-detection.patch
@ -1,6 +1,6 @@
-From acf196483ff8e2e5461a6c55ee64359863608b92 Mon Sep 17 00:00:00 2001
+From 43126d0dca0b76f8c07cff1d09c5fc013d5c3450 Mon Sep 17 00:00:00 2001
-From: Kir Kolyshkin <kolyshkin@gmail.com>
+From: zhongjiawei <zhongjiawei1@huawei.com>
-Date: Fri, 12 May 2023 16:04:11 -0700
+Date: Wed, 26 Jul 2023 16:52:56 +0800
 Subject: [PATCH] libct: fix shared pidns detection
 When someone is using libcontainer to start and kill containers from a
@ -23,7 +23,7 @@ Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
 3 files changed, 28 insertions(+), 7 deletions(-)
 diff --git a/libcontainer/configs/namespaces_syscall.go b/libcontainer/configs/namespaces_syscall.go
-index 0516dba8..543e059a 100644
+index 0516dba..543e059 100644
 --- a/libcontainer/configs/namespaces_syscall.go
 +++ b/libcontainer/configs/namespaces_syscall.go
@@ -31,3 +31,15 @@ func (n *Namespaces) CloneFlags() uintptr {
@ -43,10 +43,10 @@ index 0516dba8..543e059a 100644
 +	return false
 +}
 diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
-index 1fc8feca..1a210fa2 100644
+index 7141001..f56d73e 100644
 --- a/libcontainer/container_linux.go
 +++ b/libcontainer/container_linux.go
-@@ -555,7 +555,6 @@ func (c *linuxContainer) newInitProcess(p *Process, cmd *exec.Cmd, messageSockPa
+@@ -558,7 +558,6 @@ func (c *linuxContainer) newInitProcess(p *Process, cmd *exec.Cmd, messageSockPa
 			nsMaps[ns.Type] = ns.Path
 		}
 	}
@ -54,7 +54,7 @@ index 1fc8feca..1a210fa2 100644
 	data, err := c.bootstrapData(c.config.Namespaces.CloneFlags(), nsMaps, initStandard)
 	if err != nil {
 		return nil, err
-@@ -600,7 +599,7 @@ func (c *linuxContainer) newInitProcess(p *Process, cmd *exec.Cmd, messageSockPa
+@@ -603,7 +602,7 @@ func (c *linuxContainer) newInitProcess(p *Process, cmd *exec.Cmd, messageSockPa
 		container:       c,
 		process:         p,
 		bootstrapData:   data,
@ -64,10 +64,10 @@ index 1fc8feca..1a210fa2 100644
 	c.initProcess = init
 	return init, nil
 diff --git a/libcontainer/integration/exec_test.go b/libcontainer/integration/exec_test.go
-index 3da6d96c..1f19ced1 100644
+index 5c6272e..e999231 100644
 --- a/libcontainer/integration/exec_test.go
 +++ b/libcontainer/integration/exec_test.go
-@@ -1456,16 +1456,26 @@ func TestPIDHost(t *testing.T) {
+@@ -1404,16 +1404,26 @@ func TestPIDHost(t *testing.T) {
 	}
 }
--- a/patch/0029-runc-runc-log-forward-to-syslog.patch
+++ b/patch/0029-runc-runc-log-forward-to-syslog.patch
@ -1,88 +0,0 @@
 From 0013fb97dd10a75ae6f455d8c839315f13a39969 Mon Sep 17 00:00:00 2001
 From: zhongjiawei <zhongjiawei1@huawei.com>
 Date: Thu, 5 Jan 2023 16:52:16 +0800
 Subject: [PATCH] runc:runc log forward to syslog
 ---
 main.go                                       | 27 ++++++++++++++++++-
 .../sirupsen/logrus/hooks/syslog/syslog.go    |  2 +-
 2 files changed, 27 insertions(+), 2 deletions(-)
 diff --git a/main.go b/main.go
 index e52a2ea..381681e 100644
 --- a/main.go
 +++ b/main.go
@@ -1,19 +1,23 @@
 package main
 import (
 +	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
 +	"log/syslog"
 	"os"
 	"path/filepath"
 	"runtime"
 	"strconv"
 	"strings"
 +	"time"
 	"github.com/opencontainers/runc/libcontainer/seccomp"
 	"github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/sirupsen/logrus"
 +	logrus_syslog "github.com/sirupsen/logrus/hooks/syslog"
 	"github.com/urfave/cli"
 )
@@ -215,6 +219,12 @@ func configLogrus(context *cli.Context) error {
 			return err
 		}
 		logrus.SetOutput(f)
 +		hook, serr := logrus_syslog.NewSyslogHook("", "", syslog.LOG_INFO|syslog.LOG_USER, "docker-runc")
 +		if serr != nil {
 +			logToFile(f, "error", fmt.Sprintf("new syslog hook get %s", serr))
 +		} else {
 +			logrus.AddHook(hook)
 +		}
 	}
 	if logLevel := context.GlobalString("log-level"); logLevel != "" {
 		lvl, err := logrus.ParseLevel(logLevel)
@@ -230,4 +240,19 @@ func configLogrus(context *cli.Context) error {
 	}
 	return nil
 }
 -
 +func logToFile(f io.Writer, level string, msg string) {
 +	var (
 +		log struct {
 +			Level string
 +			Msg   string
 +			Time  time.Time
 +		}
 +	)
 +	log.Level = level
 +	log.Msg = msg
 +	log.Time = time.Now()
 +	s, err := json.Marshal(log)
 +	if err != nil {
 +		fmt.Fprint(f, string(s))
 +	}
 +}
 diff --git a/vendor/github.com/sirupsen/logrus/hooks/syslog/syslog.go b/vendor/github.com/sirupsen/logrus/hooks/syslog/syslog.go
 index b6fa374..430f646 100644
 --- a/vendor/github.com/sirupsen/logrus/hooks/syslog/syslog.go
 +++ b/vendor/github.com/sirupsen/logrus/hooks/syslog/syslog.go
@@ -2,7 +2,7 @@ package logrus_syslog
 import (
 	"fmt"
 -	"github.com/Sirupsen/logrus"
 +	"github.com/sirupsen/logrus"
 	"log/syslog"
 	"os"
 )
 -- 
 2.30.0
--- a/patch/0033-add-loongarch-support-for-libcontainer.patch
+++ b/patch/0033-add-loongarch-support-for-libcontainer.patch
@ -1,21 +0,0 @@
 From 21f915e95f260af0f716f0ffcea0362d6b38f665 Mon Sep 17 00:00:00 2001
 From: zhaozhen <zhaozhen@loongson.cn>
 Date: Wed, 9 Nov 2022 10:58:21 +0800
 Subject: [PATCH] add loongarch support for libcontainer
 ---
 libcontainer/system/syscall_linux_64.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/libcontainer/system/syscall_linux_64.go b/libcontainer/system/syscall_linux_64.go
 index 6e89196..77d011b 100644
 --- a/libcontainer/system/syscall_linux_64.go
 +++ b/libcontainer/system/syscall_linux_64.go
@@ -1,4 +1,4 @@
 -// +build linux,arm64 linux,amd64 linux,ppc linux,ppc64 linux,ppc64le linux,s390x linux,riscv64
 +// +build linux,arm64 linux,amd64 linux,ppc linux,ppc64 linux,ppc64le linux,s390x linux,riscv64 linux,loong64
 package system
 -- 
 2.33.0
--- a/patch/0034-SIGUNUSED-is-nolonger-support-for-loongarch.patch
+++ b/patch/0034-SIGUNUSED-is-nolonger-support-for-loongarch.patch
@ -1,24 +0,0 @@
 From 34adecd11a87b5995ce3a482987944d4d8644008 Mon Sep 17 00:00:00 2001
 From:  zhaozhen <zhaozhen@loongson.cn>
 Date: Wed, 9 Nov 2022 11:22:38 +0800
 Subject: [PATCH] SIGUNUSED is nolonger support for loongarch
 ---
 kill.go | 1 -
 1 file changed, 1 deletion(-)
 diff --git a/kill.go b/kill.go
 index f80c4db..3d0e8b2 100644
 --- a/kill.go
 +++ b/kill.go
@@ -39,7 +39,6 @@ var signalMap = map[string]syscall.Signal{
 	"TSTP":   syscall.SIGTSTP,
 	"TTIN":   syscall.SIGTTIN,
 	"TTOU":   syscall.SIGTTOU,
 -	"UNUSED": syscall.SIGUNUSED,
 	"URG":    syscall.SIGURG,
 	"USR1":   syscall.SIGUSR1,
 	"USR2":   syscall.SIGUSR2,
 -- 
 2.33.0
--- a/patch/0035-update-sys-to-v0.4.0-to-support-loong64.patch
+++ b/patch/0035-update-sys-to-v0.4.0-to-support-loong64.patch
--- a/patch/0036-runc-libcontainer-skip-chown-of-dev-null-caused-by-fd-red.patch
+++ b/patch/0036-runc-libcontainer-skip-chown-of-dev-null-caused-by-fd-red.patch
@ -1,41 +0,0 @@
 From 52d2b0f2598c255f8fcc295e12a3ddfd4a89dd43 Mon Sep 17 00:00:00 2001
 From: Jaroslav Jindrak <dzejrou@gmail.com>
 Date: Fri, 20 Jan 2023 21:41:12 +0100
 Subject: [PATCH 1/2] libcontainer: skip chown of /dev/null caused by fd
 redirection
 In 18c4760a (libct: fixStdioPermissions: skip chown if not needed)
 the check whether the STDIO file descriptors point to /dev/null was
 removed which can cause /dev/null to change ownership e.g. when using
 docker exec on a running container:
 $ ls -l /dev/null
 crw-rw-rw- 1 root root 1, 3 Aug 1 14:12 /dev/null
 $ docker exec -u test 0ad6d3064e9d ls
 $ ls -l /dev/null
 crw-rw-rw- 1 test root 1, 3 Aug 1 14:12 /dev/null
 Signed-off-by: Jaroslav Jindrak <dzejrou@gmail.com>
 ---
 libcontainer/init_linux.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
 diff --git a/libcontainer/init_linux.go b/libcontainer/init_linux.go
 index 1e5c394c..2e4c5935 100644
 --- a/libcontainer/init_linux.go
 +++ b/libcontainer/init_linux.go
@@ -411,8 +411,9 @@ func fixStdioPermissions(u *user.ExecUser) error {
 			return &os.PathError{Op: "fstat", Path: file.Name(), Err: err}
 		}
 -		// Skip chown if uid is already the one we want.
 -		if int(s.Uid) == u.Uid {
 +		// Skip chown if uid is already the one we want or any of the STDIO descriptors
 +		// were redirected to /dev/null.
 +		if int(s.Uid) == u.Uid || s.Rdev == null.Rdev {
 			continue
 		}
 -- 
 2.33.0
--- a/patch/0038-runc-rootless-fix-sys-fs-cgroup-mounts.patch
+++ b/patch/0038-runc-rootless-fix-sys-fs-cgroup-mounts.patch
@ -1,121 +0,0 @@
 From fd61dbb032e526bd323702d954520669761647bb Mon Sep 17 00:00:00 2001
 From: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 Date: Mon, 26 Dec 2022 12:04:26 +0900
 Subject: [PATCH] rootless: fix /sys/fs/cgroup mounts
 It was found that rootless runc makes `/sys/fs/cgroup` writable in following conditons:
 1. when runc is executed inside the user namespace, and the config.json does not specify the cgroup namespace to be unshared
   (e.g.., `(docker|podman|nerdctl) run --cgroupns=host`, with Rootless Docker/Podman/nerdctl)
 2. or, when runc is executed outside the user namespace, and `/sys` is mounted with `rbind, ro`
   (e.g., `runc spec --rootless`; this condition is very rare)
 A container may gain the write access to user-owned cgroup hierarchy `/sys/fs/cgroup/user.slice/...` on the host.
 Other users's cgroup hierarchies are not affected.
 To fix the issue, this commit does:
 1. Remount `/sys/fs/cgroup` to apply `MS_RDONLY` when it is being bind-mounted
 2. Mask `/sys/fs/cgroup` when the bind source is unavailable
 Fix CVE-2023-25809 (GHSA-m8cg-xc2p-r3fc)
 Co-authored-by: Kir Kolyshkin <kolyshkin@gmail.com>
 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 ---
 libcontainer/rootfs_linux.go  | 53 ++++++++++++++++++++++-------------
 tests/integration/mounts.bats | 17 +++++++++++
 2 files changed, 51 insertions(+), 19 deletions(-)
 diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
 index 280a6332..ec14f97e 100644
 --- a/libcontainer/rootfs_linux.go
 +++ b/libcontainer/rootfs_linux.go
@@ -334,26 +334,41 @@ func mountCgroupV2(m *configs.Mount, c *mountConfig) error {
 	if err := os.MkdirAll(dest, 0o755); err != nil {
 		return err
 	}
 -	return utils.WithProcfd(c.root, m.Destination, func(procfd string) error {
 -		if err := mount(m.Source, m.Destination, procfd, "cgroup2", uintptr(m.Flags), m.Data); err != nil {
 -			// when we are in UserNS but CgroupNS is not unshared, we cannot mount cgroup2 (#2158)
 -			if errors.Is(err, unix.EPERM) || errors.Is(err, unix.EBUSY) {
 -				src := fs2.UnifiedMountpoint
 -				if c.cgroupns && c.cgroup2Path != "" {
 -					// Emulate cgroupns by bind-mounting
 -					// the container cgroup path rather than
 -					// the whole /sys/fs/cgroup.
 -					src = c.cgroup2Path
 -				}
 -				err = mount(src, m.Destination, procfd, "", uintptr(m.Flags)|unix.MS_BIND, "")
 -				if c.rootlessCgroups && errors.Is(err, unix.ENOENT) {
 -					err = nil
 -				}
 -			}
 -			return err
 -		}
 -		return nil
 +	err = utils.WithProcfd(c.root, m.Destination, func(procfd string) error {
 +		return mount(m.Source, m.Destination, procfd, "cgroup2", uintptr(m.Flags), m.Data)
 	})
 +	if err == nil || !(errors.Is(err, unix.EPERM) || errors.Is(err, unix.EBUSY)) {
 +		return err
 +	}
 +
 +	// When we are in UserNS but CgroupNS is not unshared, we cannot mount
 +	// cgroup2 (#2158), so fall back to bind mount.
 +	bindM := &configs.Mount{
 +		Device:           "bind",
 +		Source:           fs2.UnifiedMountpoint,
 +		Destination:      m.Destination,
 +		Flags:            unix.MS_BIND | m.Flags,
 +		PropagationFlags: m.PropagationFlags,
 +	}
 +	if c.cgroupns && c.cgroup2Path != "" {
 +		// Emulate cgroupns by bind-mounting the container cgroup path
 +		// rather than the whole /sys/fs/cgroup.
 +		bindM.Source = c.cgroup2Path
 +	}
 +	// mountToRootfs() handles remounting for MS_RDONLY.
 +	// No need to set c.fd here, because mountToRootfs() calls utils.WithProcfd() by itself in mountPropagate().
 +	err = mountToRootfs(bindM, c)
 +	if c.rootlessCgroups && errors.Is(err, unix.ENOENT) {
 +		// ENOENT (for `src = c.cgroup2Path`) happens when rootless runc is being executed
 +		// outside the userns+mountns.
 +		//
 +		// Mask `/sys/fs/cgroup` to ensure it is read-only, even when `/sys` is mounted
 +		// with `rbind,ro` (`runc spec --rootless` produces `rbind,ro` for `/sys`).
 +		err = utils.WithProcfd(c.root, m.Destination, func(procfd string) error {
 +			return maskPath(procfd, c.label)
 +		})
 +	}
 +	return err
 }
 func doTmpfsCopyUp(m *configs.Mount, rootfs, mountLabel string) (Err error) {
 diff --git a/tests/integration/mounts.bats b/tests/integration/mounts.bats
 index 1ec675ac..1e72c5b1 100644
 --- a/tests/integration/mounts.bats
 +++ b/tests/integration/mounts.bats
@@ -63,3 +63,20 @@ function teardown() {
 	runc run test_busybox
 	[ "$status" -eq 0 ]
 }
 +
 +# https://github.com/opencontainers/runc/security/advisories/GHSA-m8cg-xc2p-r3fc
 +@test "runc run [ro /sys/fs/cgroup mount]" {
 +	# With cgroup namespace
 +	update_config '.process.args |= ["sh", "-euc", "for f in `grep /sys/fs/cgroup /proc/mounts | awk \"{print \\\\$2}\"| uniq`; do grep -w $f /proc/mounts | tail -n1; done"]'
 +	runc run test_busybox
 +	[ "$status" -eq 0 ]
 +	[ "${#lines[@]}" -ne 0 ]
 +	for line in "${lines[@]}"; do [[ "${line}" == *'ro,'* ]]; done
 +
 +	# Without cgroup namespace
 +	update_config '.linux.namespaces -= [{"type": "cgroup"}]'
 +	runc run test_busybox
 +	[ "$status" -eq 0 ]
 +	[ "${#lines[@]}" -ne 0 ]
 +	for line in "${lines[@]}"; do [[ "${line}" == *'ro,'* ]]; done
 +}
 -- 
 2.33.0
--- a/patch/0039-runc-Prohibit-proc-and-sys-to-be-symlinks.patch
+++ b/patch/0039-runc-Prohibit-proc-and-sys-to-be-symlinks.patch
@ -1,113 +0,0 @@
 From 52559766c5298688a8302180bf50b002623776d9 Mon Sep 17 00:00:00 2001
 From: Kir Kolyshkin <kolyshkin@gmail.com>
 Date: Thu, 16 Mar 2023 14:35:50 -0700
 Subject: [PATCH] Prohibit /proc and /sys to be symlinks
 Commit 3291d66b9844 introduced a check for /proc and /sys, making sure
 the destination (dest) is a directory (and not e.g. a symlink).
 Later, a hunk from commit 0ca91f44f switched from using filepath.Join
 to SecureJoin for dest. As SecureJoin follows and resolves symlinks,
 the check whether dest is a symlink no longer works.
 To fix, do the check without/before using SecureJoin.
 Add integration tests to make sure we won't regress.
 Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
 (cherry picked from commit 0d72adf96dda1b687815bf89bb245b937a2f603c)
 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 ---
 libcontainer/rootfs_linux.go | 29 ++++++++++++++++++++---------
 tests/integration/mask.bats  | 19 +++++++++++++++++++
 2 files changed, 39 insertions(+), 9 deletions(-)
 diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
 index ec14f97e..8ce09f6f 100644
 --- a/libcontainer/rootfs_linux.go
 +++ b/libcontainer/rootfs_linux.go
@@ -418,25 +418,26 @@ func doTmpfsCopyUp(m *configs.Mount, rootfs, mountLabel string) (Err error) {
 func mountToRootfs(m *configs.Mount, c *mountConfig) error {
 	rootfs := c.root
 -	mountLabel := c.label
 -	mountFd := c.fd
 -	dest, err := securejoin.SecureJoin(rootfs, m.Destination)
 -	if err != nil {
 -		return err
 -	}
 +	// procfs and sysfs are special because we need to ensure they are actually
 +	// mounted on a specific path in a container without any funny business.
 	switch m.Device {
 	case "proc", "sysfs":
 		// If the destination already exists and is not a directory, we bail
 -		// out This is to avoid mounting through a symlink or similar -- which
 +		// out. This is to avoid mounting through a symlink or similar -- which
 		// has been a "fun" attack scenario in the past.
 		// TODO: This won't be necessary once we switch to libpathrs and we can
 		//       stop all of these symlink-exchange attacks.
 +		dest := filepath.Clean(m.Destination)
 +		if !strings.HasPrefix(dest, rootfs) {
 +			// Do not use securejoin as it resolves symlinks.
 +			dest = filepath.Join(rootfs, dest)
 +		}
 		if fi, err := os.Lstat(dest); err != nil {
 			if !os.IsNotExist(err) {
 				return err
 			}
 -		} else if fi.Mode()&os.ModeDir == 0 {
 +		} else if !fi.IsDir() {
 			return fmt.Errorf("filesystem %q must be mounted on ordinary directory", m.Device)
 		}
 		if strings.HasPrefix(m.Destination, "/proc/sys/") {
@@ -445,8 +446,18 @@ func mountToRootfs(m *configs.Mount, c *mountConfig) error {
 		if err := os.MkdirAll(dest, 0o755); err != nil {
 			return err
 		}
 -		// Selinux kernels do not support labeling of /proc or /sys
 +		// Selinux kernels do not support labeling of /proc or /sys.
 		return mountPropagate(m, rootfs, "", nil)
 +	}
 +
 +	mountLabel := c.label
 +	mountFd := c.fd
 +	dest, err := securejoin.SecureJoin(rootfs, m.Destination)
 +	if err != nil {
 +		return err
 +	}
 +
 +	switch m.Device {
 	case "mqueue":
 		if err := os.MkdirAll(dest, 0o755); err != nil {
 			return err
 diff --git a/tests/integration/mask.bats b/tests/integration/mask.bats
 index b5f29675..272c879c 100644
 --- a/tests/integration/mask.bats
 +++ b/tests/integration/mask.bats
@@ -56,3 +56,22 @@ function teardown() {
 	[ "$status" -eq 1 ]
 	[[ "${output}" == *"Operation not permitted"* ]]
 }
 +
 +@test "mask paths [prohibit symlink /proc]" {
 +	ln -s /symlink rootfs/proc
 +	runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox
 +	[ "$status" -eq 1 ]
 +	[[ "${output}" == *"must be mounted on ordinary directory"* ]]
 +}
 +
 +@test "mask paths [prohibit symlink /sys]" {
 +	# In rootless containers, /sys is a bind mount not a real sysfs.
 +	requires root
 +
 +	ln -s /symlink rootfs/sys
 +	runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox
 +	[ "$status" -eq 1 ]
 +	# On cgroup v1, this may fail before checking if /sys is a symlink,
 +	# so we merely check that it fails, and do not check the exact error
 +	# message like for /proc above.
 +}
 -- 
 2.33.0
--- a/patch/0040-runc-modify-runc-make-command-to-satisfy-the-compile.patch
+++ b/patch/0040-runc-modify-runc-make-command-to-satisfy-the-compile.patch
@ -1,43 +0,0 @@
 From e6f2993d5dd72e20728512b8829b5e679b1a26a6 Mon Sep 17 00:00:00 2001
 From: zhongjiawei <zhongjiawei1@huawei.com>
 Date: Thu, 8 Jun 2023 19:16:45 +0800
 Subject: [PATCH] runc:modify runc make command to satisfy the compile options
 ---
 Makefile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 diff --git a/Makefile b/Makefile
 index 34b5347d..564ad70a 100644
 --- a/Makefile
 +++ b/Makefile
@@ -25,7 +25,7 @@ ifeq ($(shell $(GO) env GOOS),linux)
 endif
 GO_BUILD := $(GO) build -trimpath $(GO_BUILDMODE) $(EXTRA_FLAGS) -tags "$(BUILDTAGS)" \
 	-ldflags "-X main.gitCommit=$(COMMIT) -X main.version=$(VERSION) $(EXTRA_LDFLAGS)"
 -GO_BUILD_STATIC := $(GO) build -trimpath $(EXTRA_FLAGS) -tags "$(BUILDTAGS) static_build cgo netgo osusergo"
 +GO_BUILD_STATIC := $(GO) build -buildmode=pie -trimpath $(EXTRA_FLAGS) -tags "$(BUILDTAGS) static_build cgo netgo osusergo"
 GPG_KEYID ?= asarai@suse.de
@@ -41,7 +41,7 @@ recvtty sd-helper seccompagent:
 	$(GO_BUILD) $(BEP_FLAG) -buildid=IdByIsula -o contrib/cmd/$@/$@ ./contrib/cmd/$@
 LD_FLAGS='-buildid=none -tmpdir=/tmp/bep-runc -linkmode=external -extldflags=-Wl,-z,relro,-z,now \
 -	 -extldflags -static -X main.gitCommit=$(COMMIT) -X main.version=$(VERSION) $(EXTRA_LDFLAGS) \
 +	 -X main.gitCommit=$(COMMIT) -X main.version=$(VERSION) $(EXTRA_LDFLAGS) \
 	 '
 static:
@@ -51,7 +51,7 @@ static:
 	CGO_CPPFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
 	CGO_LDFLAGS_ALLOW='-Wl,-z,relro,-z,now' \
 	CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
 -	$(GO_BUILD_STATIC) -buildmode=pie  -ldflags $(LD_FLAGS) -o runc .
 +	$(GO_BUILD_STATIC) -ldflags '-extldflags=-static' -ldflags $(LD_FLAGS) -o runc .
 releaseall: RELEASE_ARGS := "-a arm64 -a armel -a armhf -a ppc64le -a s390x"
 releaseall: release
 -- 
 2.33.0
--- a/patch/0042-runc-libct-fix-a-race-with-systemd-removal.patch
+++ b/patch/0042-runc-libct-fix-a-race-with-systemd-removal.patch
@ -1,97 +0,0 @@
 From 45abd12f084c62f3fbd24ab0fb0d3c1e3edf6ac7 Mon Sep 17 00:00:00 2001
 From: Kir Kolyshkin <kolyshkin@gmail.com>
 Date: Tue, 4 Apr 2023 16:59:43 -0700
 Subject: [PATCH] libct: fix a race with systemd removal
 For a previous attempt to fix that (and added test cases), see commit
 9087f2e827d971.
 Alas, it's not always working because of cgroup directory TOCTOU.
 To solve this and avoid the race, add an error _after_ the operation.
 Implement it as a method that ignores the error that should be ignored.
 Instead of currentStatus(), use faster runType(), since we are not
 interested in Paused status here.
 For Processes(), remove the pre-op check, and only use it after getting
 an error, making the non-error path more straightforward.
 For Signal(), add a second check after getting an error. The first check
 is left as is because signalAllProcesses might print a warning if the
 cgroup does not exist, and we'd like to avoid that.
 This should fix an occasional failure like this one:
 	not ok 84 kill detached busybox
 	# (in test file tests/integration/kill.bats, line 27)
 	#   `[ "$status" -eq 0 ]' failed
 	....
 	# runc kill test_busybox KILL (status=0):
 	# runc kill -a test_busybox 0 (status=1):
 	# time="2023-04-04T18:24:27Z" level=error msg="lstat /sys/fs/cgroup/devices/system.slice/runc-test_busybox.scope: no such file or directory"
 Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
 ---
 libcontainer/container_linux.go | 33 +++++++++++++++++++++------------
 1 file changed, 21 insertions(+), 12 deletions(-)
 diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
 index 1a210fa2..1189e5af 100644
 --- a/libcontainer/container_linux.go
 +++ b/libcontainer/container_linux.go
@@ -146,19 +146,27 @@ func (c *linuxContainer) OCIState() (*specs.State, error) {
 	return c.currentOCIState()
 }
 -func (c *linuxContainer) Processes() ([]int, error) {
 -	var pids []int
 -	status, err := c.currentStatus()
 -	if err != nil {
 -		return pids, err
 +// ignoreCgroupError filters out cgroup-related errors that can be ignored,
 +// because the container is stopped and its cgroup is gone.
 +func (c *linuxContainer) ignoreCgroupError(err error) error {
 +	if err == nil {
 +		return nil
 	}
 -	// for systemd cgroup, the unit's cgroup path will be auto removed if container's all processes exited
 -	if status == Stopped && !c.cgroupManager.Exists() {
 -		return pids, nil
 +	if errors.Is(err, os.ErrNotExist) && c.runType() == Stopped && !c.cgroupManager.Exists() {
 +		return nil
 	}
 +	return err
 +}
 -	pids, err = c.cgroupManager.GetAllPids()
 -	if err != nil {
 +// Processes returns the PIDs inside this container. The PIDs are in the
 +// namespace of the calling process.
 +//
 +// Some of the returned PIDs may no longer refer to processes in the container,
 +// unless the container state is PAUSED in which case every PID in the slice is
 +// valid.
 +func (c *linuxContainer) Processes() ([]int, error) {
 +	pids, err := c.cgroupManager.GetAllPids()
 +	if err = c.ignoreCgroupError(err); err != nil {
 		return nil, fmt.Errorf("unable to get all container pids: %w", err)
 	}
 	return pids, nil
@@ -382,11 +390,12 @@ func (c *linuxContainer) Signal(s os.Signal, all bool) error {
 		return err
 	}
 	if all {
 -		// for systemd cgroup, the unit's cgroup path will be auto removed if container's all processes exited
 		if status == Stopped && !c.cgroupManager.Exists() {
 +			// Avoid calling signalAllProcesses which may print
 +			// a warning trying to freeze a non-existing cgroup.
 			return nil
 		}
 -		return signalAllProcesses(c.cgroupManager, s)
 +		return c.ignoreCgroupError(signalAllProcesses(c.cgroupManager, s))
 	}
 	// to avoid a PID reuse attack
 	if status == Running || status == Created || status == Paused {
 -- 
 2.33.0
--- a/patch/0043-runc-run-refuse-a-non-empty-cgroup.patch
+++ b/patch/0043-runc-run-refuse-a-non-empty-cgroup.patch
@ -1,38 +0,0 @@
 From 2132cc52fbf68f9bfaf5dd18a1a5a25ecdd37929 Mon Sep 17 00:00:00 2001
 From: Kir Kolyshkin <kolyshkin@gmail.com>
 Date: Thu, 23 Mar 2023 11:57:46 -0700
 Subject: [PATCH] runc run: refuse a non-empty cgroup
 Commit d08bc0c1b3bb2 ("runc run: warn on non-empty cgroup") introduced
 a warning when a container is started in a non-empty cgroup. Such
 configuration has lots of issues.
 In addition to that, such configuration is not possible at all when
 using the systemd cgroup driver.
 As planned, let's promote this warning to an error, and fix the test
 case accordingly.
 Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
 ---
 libcontainer/factory_linux.go | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
 diff --git a/libcontainer/factory_linux.go b/libcontainer/factory_linux.go
 index e6c71ac3..39fc3121 100644
 --- a/libcontainer/factory_linux.go
 +++ b/libcontainer/factory_linux.go
@@ -179,9 +179,7 @@ func (l *LinuxFactory) Create(id string, config *configs.Config) (Container, err
 			return nil, fmt.Errorf("unable to get cgroup PIDs: %w", err)
 		}
 		if len(pids) != 0 {
 -			// TODO: return an error.
 -			logrus.Warnf("container's cgroup is not empty: %d process(es) found", len(pids))
 -			logrus.Warn("DEPRECATED: running container in a non-empty cgroup won't be supported in runc 1.2; https://github.com/opencontainers/runc/issues/3132")
 +			return nil, fmt.Errorf("container's cgroup is not empty: %d process(es) found", len(pids))
 		}
 	}
 -- 
 2.33.0
--- a/runc.spec
+++ b/runc.spec
@ -3,7 +3,7 @@
 Name: docker-runc
 Version: 1.1.8
-Release: 1
+Release: 2
 Summary: runc is a CLI tool for spawning and running containers according to the OCI specification.
 License: ASL 2.0
@ -34,10 +34,6 @@ cp %{SOURCE5} .
 %install
 sh ./apply-patch
 %ifarch loongarch64
 patch -p1 < %{_builddir}/patch/0034-SIGUNUSED-is-nolonger-support-for-loongarch.patch
 patch -p1 < %{_builddir}/patch/0035-update-sys-to-v0.4.0-to-support-loong64.patch
 %endif
 mkdir -p .gopath/src/github.com/opencontainers
 export GO111MODULE=off
@ -58,6 +54,12 @@ install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc
 %{_bindir}/runc
 %changelog
 * Wed July 26 2023 vegbir<yangjiaqi16@huawei.com> - 1.1.8-2
 - Type:bugfix
 - ID:NA
 - SUG:NA
 - DESC:modify patch for 1.1.8
 * Fri July 21 2023 vegbir<yangjiaqi16@huawei.com> - 1.1.8-1
 - Type:bugfix
 - ID:NA
--- a/series.conf
+++ b/series.conf
@ -1,41 +1,26 @@
-patch/0001-runc-Add-spec-for-euleros.patch
+patch/0001-runc-add-timeout-for-syscall.Exec.patch
-patch/0002-runc-fix-unittest-and-integration-test-error-caused.patch
+patch/0002-runc-update-state-eariler-to-avoid-cgroup-leak-when-.patch
-patch/0003-runc-add-timeout-for-syscall.Openat.patch
+patch/0003-runc-print-cgroup-info-if-cpuset-missing-occurs.patch
-patch/0004-runc-update-state-eariler-to-avoid-cgroup-leak-when-.patch
+patch/0004-runc-add-more-specific-log-for-hooks.patch
-patch/0005-runc-print-cgroup-info-if-cpuset-missing-occurs.patch
+patch/0005-runc-reduce-max-number-of-retries-to-10.patch
-patch/0006-runc-add-more-specific-log-for-hooks.patch
+patch/0006-runc-ignore-exec.fifo-removing-not-exist-error.patch
-patch/0007-runc-reduce-max-number-of-retries-to-10.patch
+patch/0007-runc-Add-file-fds-limit.patch
-patch/0008-runc-print-error-message-during-start-into-container.patch
+patch/0008-runc-runc-logs-forwarding-to-syslog.patch
-patch/0009-runc-ignore-exec.fifo-removing-not-exist-error.patch
+patch/0009-runc-support-namespaced-kernel-params-can-be-changed.patch
-patch/0010-runc-Add-file-fds-limit.patch
+patch/0010-runc-make-hooks-log-more-userful-and-fix-syslog-hook.patch
-patch/0011-runc-logs-forwarding-to-syslog.patch
+patch/0011-runc-do-not-setup-sysctl-in-runc-when-userns-enable.patch
-patch/0012-runc-support-namespaced-kernel-params-can-be-changed.patch
+patch/0012-runc-support-set-seccomp-priority.patch
-patch/0013-runc-modify-minHookTimeOut.patch
+patch/0013-runc-do-not-kill-container-if-poststart-hooks-execut.patch
-patch/0014-runc-make-hooks-log-more-userful-and-fix-syslog-hook.patch
+patch/0014-runc-add-sysctl-kernel.pid_max-to-whitelist.patch
-patch/0015-runc-fix-runc-log-decode-failed.patch
+patch/0015-runc-disable-core-dump-during-exec.patch
-patch/0016-runc-do-not-setup-sysctl-in-runc-when-userns-enable.patch
+patch/0016-runc-fix-exec-problem-caused-by-libseccomp-updating.patch
-patch/0017-runc-support-set-seccomp-priority.patch
+patch/0017-runc-add-log-message-for-cgroup-file-check.patch
-patch/0018-runc-do-not-kill-container-if-poststart-hooks-execut.patch
+patch/0019-runc-support-set-cpuset.prefer_cpus-using-cpuset-cpu.patch
-patch/0019-runc-print-memory-info-when-syscall.Exec-failed.patch
+patch/0020-runc-add-DT-for-cpuset.preferred_cpus-setting.patch
-patch/0020-runc-add-sysctl-kernel.pid_max-to-whitelist.patch
+patch/0021-runc-modify-runc-Makefile.patch
-patch/0021-runc-disable-core-dump-during-exec.patch
+patch/0022-runc-cgroup-apply-method-modify.patch
-patch/0022-runc-fix-exec-problem-caused-by-libseccomp-updating.patch
+patch/0023-runc-support-specify-umask.patch
-patch/0023-runc-add-log-message-for-cgroup-file-check.patch
+patch/0024-runc-modify-linuxcontainer-starttime-uint64-type-tob.patch
-patch/0024-runc-unified-use-of-logpipe.patch
+patch/0025-runc-make-runc-spec-compatible-1.0.0.rc3.patch
-patch/0025-runc-support-set-cpuset.prefer_cpus-using-cpuset-cpu.patch
+patch/0026-runc-Fixed-init-state-error-variable.patch
-patch/0026-runc-add-DT-for-cpuset.preferred_cpus-setting.patch
+patch/0027-runc-libct-fix-shared-pidns-detection.patch
 patch/0027-runc-modify-runc-Makefile.patch
 patch/0028-runc-cgroup-apply-method-modify.patch
 patch/0029-runc-runc-log-forward-to-syslog.patch
 patch/0030-runc-support-specify-umask.patch
 patch/0031-runc-modify-linuxcontainer-starttime-uint64-type-tob.patch
 patch/0032-runc-make-runc-spec-compatible-1.0.0.rc3.patch
 patch/0033-add-loongarch-support-for-libcontainer.patch
 patch/0036-runc-libcontainer-skip-chown-of-dev-null-caused-by-fd-red.patch
 patch/0037-runc-Fixed-init-state-error-variable.patch
 patch/0038-runc-rootless-fix-sys-fs-cgroup-mounts.patch
 patch/0039-runc-Prohibit-proc-and-sys-to-be-symlinks.patch
 patch/0040-runc-modify-runc-make-command-to-satisfy-the-compile.patch
 patch/0041-runc-libct-fix-shared-pidns-detection.patch
 patch/0042-runc-libct-fix-a-race-with-systemd-removal.patch
 patch/0043-runc-run-refuse-a-non-empty-cgroup.patch
`@ -1 +1 @@`
	`402545a2eb494c01126d61f5d478922b32e7e022`	`90276301321bbf6ef9a2ea85b06d3e2cf0ccb7bd`