packages/runc
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!160 runc:modify patch for 1.1.8

Browse Source 
From: @zhong-jiawei-1 
Reviewed-by: @zhangsong234, @duguhaotian 
Signed-off-by: @duguhaotian
This commit is contained in:
openeuler-ci-bot 2023-07-28 02:38:35 +00:00 committed by Gitee
commit 3b4936397d
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
48 changed files with 347 additions and 229831 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
apply-patch
View File

@ -14,14 +14,14 @@ if [ ! -d patch ];then
tar -xzf patch.tar.gz
fi
# series=$cwd/series.conf
# while IPF= read -r line
# do
# if [[ "$line" =~ ^patch* ]]; then
# echo patch -p1 $cwd/$line
# cd $src && patch -p1 < $cwd/$line
# fi
# done <"$series"
series=$cwd/series.conf
while IPF= read -r line
do
if [[ "$line" =~ ^patch* ]]; then
echo patch -p1 $cwd/$line
cd $src && patch -p1 < $cwd/$line
fi
done <"$series"
cd $cwd
cp -rf $src/* .

2
git-commit
View File

@ -1 +1 @@
402545a2eb494c01126d61f5d478922b32e7e022
90276301321bbf6ef9a2ea85b06d3e2cf0ccb7bd

69
patch/0001-runc-Add-spec-for-euleros.patch
View File

@ -1,69 +0,0 @@
From ee228fa3991d1d0008416df61b4bae645adf8e1a Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Thu, 5 Jan 2023 16:13:12 +0800
Subject: [PATCH] runc: Add spec for euleros
---
script/runc-euleros.spec | 50 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 50 insertions(+)
create mode 100644 script/runc-euleros.spec
diff --git a/script/runc-euleros.spec b/script/runc-euleros.spec
new file mode 100644
index 0000000..db4e868
--- /dev/null
+++ b/script/runc-euleros.spec
@@ -0,0 +1,50 @@
+%global _bindir /usr/local/bin
+
+Name: docker-runc
+Version: 1.0.0.rc3
+Release: 1%{?dist}
+Summary: runc is a CLI tool for spawning and running containers according to the OCF specification
+
+License: ASL 2.0
+Source: %{name}.tar.gz
+
+URL: https://www.opencontainers.org/
+Vendor: OCI
+Packager: OCI
+
+BuildRequires: golang == 1.8.3
+BuildRequires: glibc-static
+BuildRequires: make
+BuildRequires: libseccomp-devel
+BuildRequires: libselinux-devel
+
+BuildRequires: libseccomp-static
+
+%description
+runc is a CLI tool for spawning and running containers according to the OCF specification
+
+%prep
+%setup -c -n runc
+
+%install
+
+
+mkdir -p .gopath/src/github.com/opencontainers
+export GOPATH=`pwd`/.gopath
+ln -sf `pwd` .gopath/src/github.com/opencontainers/runc
+cd .gopath/src/github.com/opencontainers/runc
+make BUILDTAGS="seccomp selinux" static
+rm -rf .gopath
+
+install -d $RPM_BUILD_ROOT/%{_bindir}
+install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc
+
+
+%clean
+%{__rm} -rf %{_bindir}/runc
+
+%files
+%{_bindir}/runc
+
+%changelog
+
--
2.30.0

12
patch/0003-runc-add-timeout-for-syscall.Openat.patch → patch/0001-runc-add-timeout-for-syscall.Exec.patch
View File

@ -1,14 +1,14 @@
From 1c953cdee5aa6c677bef7c7042dbec6fc9ddf172 Mon Sep 17 00:00:00 2001
From 37103dc157e2946d688e8076b5b500ac11403863 Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Thu, 5 Jan 2023 16:18:37 +0800
Subject: [PATCH] runc:add timeout for syscall.Openat
Date: Mon, 24 Jul 2023 15:30:32 +0800
Subject: [PATCH] runc:add timeout for syscall.Exec
---
libcontainer/standard_init_linux.go | 29 ++++++++++++++++++++++-------
1 file changed, 22 insertions(+), 7 deletions(-)
diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
index 585a04f..ab553ef 100644
index c09a7be..eaa73ba 100644
--- a/libcontainer/standard_init_linux.go
+++ b/libcontainer/standard_init_linux.go
@@ -6,6 +6,7 @@ import (
@ -19,7 +19,7 @@ index 585a04f..ab553ef 100644
"github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/selinux/go-selinux"
@@ -227,14 +228,28 @@ func (l *linuxStandardInit) Init() error {
@@ -235,14 +236,28 @@ func (l *linuxStandardInit) Init() error {
// was given to us was an O_PATH fd to the fifo itself. Linux allows us to
// re-open an O_PATH fd through /proc.
fifoPath := "/proc/self/fd/" + strconv.Itoa(l.fifoFd)
@ -56,5 +56,5 @@ index 585a04f..ab553ef 100644
// dumpable in the wrong order. This has been fixed in newer kernels, but
// we keep this to ensure CVE-2016-9962 doesn't re-emerge on older kernels.
--
2.30.0
2.33.0

63
patch/0002-runc-fix-unittest-and-integration-test-error-caused.patch
View File

@ -1,63 +0,0 @@
From 992170fc8663968692d76db0710ca3fa64de5917 Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Thu, 5 Jan 2023 16:16:57 +0800
Subject: [PATCH] runc:fix unittest and integration test error caused
---
libcontainer/integration/execin_test.go | 8 +-------
tests/integration/exec.bats | 4 ++--
2 files changed, 3 insertions(+), 9 deletions(-)
diff --git a/libcontainer/integration/execin_test.go b/libcontainer/integration/execin_test.go
index f8a6a9c..9669eca 100644
--- a/libcontainer/integration/execin_test.go
+++ b/libcontainer/integration/execin_test.go
@@ -62,9 +62,6 @@ func TestExecIn(t *testing.T) {
if !strings.Contains(out, "cat") || !strings.Contains(out, "ps") {
t.Fatalf("unexpected running process, output %q", out)
}
- if strings.Contains(out, "\r") {
- t.Fatalf("unexpected carriage-return in output %q", out)
- }
}
func TestExecInUsernsRlimit(t *testing.T) {
@@ -318,12 +315,9 @@ func TestExecInTTY(t *testing.T) {
_ = child.Close()
out := stdout.String()
- if !strings.Contains(out, "cat") || !strings.Contains(out, "ps") {
+ if !strings.Contains(out, "cat") || !strings.Contains(string(out), "ps") {
t.Fatalf("unexpected running process, output %q", out)
}
- if strings.Contains(out, "\r") {
- t.Fatalf("unexpected carriage-return in output %q", out)
- }
}
}
diff --git a/tests/integration/exec.bats b/tests/integration/exec.bats
index 140cd18..cd01f00 100644
--- a/tests/integration/exec.bats
+++ b/tests/integration/exec.bats
@@ -101,7 +101,7 @@ function teardown() {
runc exec --cwd /bin test_busybox pwd
[ "$status" -eq 0 ]
- [[ ${output} == "/bin"* ]]
+ [[ $(echo "${output}" | tr -d '\r') == "/bin" ]]
}
@test "runc exec --env" {
@@ -126,7 +126,7 @@ function teardown() {
runc exec --user 1000:1000 test_busybox id
[ "$status" -eq 0 ]
- [[ "${output}" == "uid=1000 gid=1000"* ]]
+ [[ $(echo "${output}" | tr -d '\r') == "uid=1000 gid=1000" ]
}
@test "runc exec --additional-gids" {
--
2.30.0

9
patch/0004-runc-update-state-eariler-to-avoid-cgroup-leak-when-.patch → patch/0002-runc-update-state-eariler-to-avoid-cgroup-leak-when-.patch
View File

@ -1,6 +1,6 @@
From 88f50537a85aed278be136cd0b3d4664e8c71b5d Mon Sep 17 00:00:00 2001
From 4af918d51e8cca1da7780b1fe7419f22077fb9fe Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Thu, 5 Jan 2023 16:19:48 +0800
Date: Mon, 24 Jul 2023 15:55:56 +0800
Subject: [PATCH] runc: update state eariler to avoid cgroup leak when process
failed
@ -20,7 +20,8 @@ This patch perform state updating right after cgroup applying. so
`runc delete` will do the cleaning job
Change-Id: I7b247f501986e712a86da3958d1be573af4e84a6
Signed-off-by: Deng Guangxing <dengguangxing@huawei.com
Signed-off-by: Deng Guangxing <dengguangxing@huawei.com>
---
libcontainer/process_linux.go | 5 +++++
1 file changed, 5 insertions(+)
@ -42,5 +43,5 @@ index 446649a..29408d7 100644
if err := p.intelRdtManager.Apply(p.pid()); err != nil {
return fmt.Errorf("unable to apply Intel RDT configuration: %w", err)
--
2.30.0
2.33.0

30
patch/0005-runc-print-cgroup-info-if-cpuset-missing-occurs.patch → patch/0003-runc-print-cgroup-info-if-cpuset-missing-occurs.patch
View File

@ -1,17 +1,33 @@
From f2a2674f9883e6eb588ce9235161019d31bcedc6 Mon Sep 17 00:00:00 2001
From 6cb95facf78e07863b671adf6f3073101babe896 Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Thu, 5 Jan 2023 16:21:10 +0800
Date: Mon, 24 Jul 2023 16:12:50 +0800
Subject: [PATCH] runc: print cgroup info if cpuset missing occurs
---
libcontainer/cgroups/fs/cpuset.go | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
libcontainer/cgroups/fs/cpuset.go | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/libcontainer/cgroups/fs/cpuset.go b/libcontainer/cgroups/fs/cpuset.go
index 550baa4..341d5dc 100644
index 550baa4..c05a6f6 100644
--- a/libcontainer/cgroups/fs/cpuset.go
+++ b/libcontainer/cgroups/fs/cpuset.go
@@ -172,6 +172,26 @@ func (s *CpusetGroup) ApplyDir(dir string, r *configs.Resources, pid int) error
@@ -2,6 +2,7 @@ package fs
import (
"errors"
+ "io/ioutil"
"os"
"path/filepath"
"strconv"
@@ -12,6 +13,7 @@ import (
"github.com/opencontainers/runc/libcontainer/cgroups"
"github.com/opencontainers/runc/libcontainer/cgroups/fscommon"
"github.com/opencontainers/runc/libcontainer/configs"
+ "github.com/sirupsen/logrus"
)
type CpusetGroup struct{}
@@ -172,6 +174,26 @@ func (s *CpusetGroup) ApplyDir(dir string, r *configs.Resources, pid int) error
}
func getCpusetSubsystemSettings(parent string) (cpus, mems string, err error) {
@ -39,5 +55,5 @@ index 550baa4..341d5dc 100644
return
}
--
2.30.0
2.33.0

6
patch/0006-runc-add-more-specific-log-for-hooks.patch → patch/0004-runc-add-more-specific-log-for-hooks.patch
View File

@ -1,6 +1,6 @@
From 7cc7be6f85400953208981415d9f46a4db12bbcc Mon Sep 17 00:00:00 2001
From 2795e097bcd1842e750abf3af22a5ee69a702400 Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Thu, 5 Jan 2023 16:22:53 +0800
Date: Mon, 24 Jul 2023 16:16:50 +0800
Subject: [PATCH] runc: add more specific log for hooks
---
@ -24,5 +24,5 @@ index c1b4a00..72910ff 100644
return nil
--
2.30.0
2.33.0

48
patch/0005-runc-reduce-max-number-of-retries-to-10.patch Normal file
View File

@ -0,0 +1,48 @@
From d055603a252ab9cf6b36b5369045ebf4a384c5b8 Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Mon, 24 Jul 2023 16:27:44 +0800
Subject: [PATCH] runc: reduce max number of retries to 10
---
delete.go | 4 ++--
init.go | 2 ++
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/delete.go b/delete.go
index 746b0df..799c2a7 100644
--- a/delete.go
+++ b/delete.go
@@ -14,8 +14,8 @@ import (
)
func killContainer(container libcontainer.Container) error {
- _ = container.Signal(unix.SIGKILL, false)
- for i := 0; i < 100; i++ {
+ container.Signal(unix.SIGKILL, false)
+ for i := 0; i < 10; i++ {
time.Sleep(100 * time.Millisecond)
if err := container.Signal(unix.Signal(0), false); err != nil {
destroy(container)
diff --git a/init.go b/init.go
index bddc237..a0520b5 100644
--- a/init.go
+++ b/init.go
@@ -1,6 +1,7 @@
package main
import (
+ "fmt"
"os"
"runtime"
"strconv"
@@ -34,6 +35,7 @@ func init() {
factory, _ := libcontainer.New("")
if err := factory.StartInitialization(); err != nil {
+ fmt.Fprintf(os.Stderr, "libcontainer: container start initialization failed: %s", err)
// as the error is sent back to the parent there is no need to log
// or write it to stderr because the parent process will handle this
os.Exit(1)
--
2.33.0

10
patch/0009-runc-ignore-exec.fifo-removing-not-exist-error.patch → patch/0006-runc-ignore-exec.fifo-removing-not-exist-error.patch
View File

@ -1,6 +1,6 @@
From 4e44d5c41ff9d97fdae4e0951ef1d461e07e84ad Mon Sep 17 00:00:00 2001
From 5516836a74e12756161cd3a6ef7e05c7e89c378c Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Thu, 5 Jan 2023 16:25:57 +0800
Date: Mon, 24 Jul 2023 16:40:27 +0800
Subject: [PATCH] runc: ignore exec.fifo removing not exist error
---
@ -8,10 +8,10 @@ Subject: [PATCH] runc: ignore exec.fifo removing not exist error
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
index 9df830d..6b68a0e 100644
index 5f1a494..f8ce1cc 100644
--- a/libcontainer/container_linux.go
+++ b/libcontainer/container_linux.go
@@ -325,7 +325,10 @@ func handleFifoResult(result openResult) error {
@@ -327,7 +327,10 @@ func handleFifoResult(result openResult) error {
if err := readFromExecFifo(f); err != nil {
return err
}
@ -24,5 +24,5 @@ index 9df830d..6b68a0e 100644
type openResult struct {
--
2.30.0
2.33.0

14
patch/0010-runc-Add-file-fds-limit.patch → patch/0007-runc-Add-file-fds-limit.patch
View File

@ -1,6 +1,6 @@
From 75bed4f00f31595800cb30d176656b381bfa646b Mon Sep 17 00:00:00 2001
From becb372e9a80ba49dd742f130478e93f17e27329 Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Thu, 5 Jan 2023 16:27:05 +0800
Date: Mon, 24 Jul 2023 16:48:05 +0800
Subject: [PATCH] runc:Add file fds limit
---
@ -116,7 +116,7 @@ index 0000000..3315cda
+ return nil
+}
diff --git a/libcontainer/cgroups/fs/fs.go b/libcontainer/cgroups/fs/fs.go
index fb4fcc7..59b6dff 100644
index 9e2f0ec..c85a1e2 100644
--- a/libcontainer/cgroups/fs/fs.go
+++ b/libcontainer/cgroups/fs/fs.go
@@ -20,6 +20,7 @@ var subsystems = []subsystem{
@ -154,7 +154,7 @@ index 40a81dd..8f1d4ce 100644
// the map is in the format "size of hugepage: stats of the hugepage"
HugetlbStats map[string]HugetlbStats `json:"hugetlb_stats,omitempty"`
diff --git a/libcontainer/cgroups/systemd/v1.go b/libcontainer/cgroups/systemd/v1.go
index a74a05a..19d1099 100644
index a574552..c1e58c9 100644
--- a/libcontainer/cgroups/systemd/v1.go
+++ b/libcontainer/cgroups/systemd/v1.go
@@ -63,6 +63,7 @@ var legacySubsystems = []subsystem{
@ -180,10 +180,10 @@ index 2d4a898..8cbc154 100644
BlkioWeight uint16 `json:"blkio_weight"`
diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go
index c7ca4c8..19dd947 100644
index 1b358b2..7ee81ca 100644
--- a/libcontainer/specconv/spec_linux.go
+++ b/libcontainer/specconv/spec_linux.go
@@ -747,6 +747,10 @@ func CreateCgroupConfig(opts *CreateOpts, defaultDevs []*devices.Device) (*confi
@@ -748,6 +748,10 @@ func CreateCgroupConfig(opts *CreateOpts, defaultDevs []*devices.Device) (*confi
if r.Pids != nil {
c.Resources.PidsLimit = r.Pids.Limit
}
@ -245,5 +245,5 @@ index 6a7a91e..e8143b2 100644
BlockIO *LinuxBlockIO `json:"blockIO,omitempty"`
// Hugetlb limit (in bytes)
--
2.30.0
2.33.0

30
patch/0007-runc-reduce-max-number-of-retries-to-10.patch
View File

@ -1,30 +0,0 @@
From 68d83f90cbca399aa4797b8d63eaa1fa35b1ad30 Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Thu, 5 Jan 2023 16:24:00 +0800
Subject: [PATCH] runc: reduce max number of retries to 10
[Changelog]:when killing containers in D state, now runc will do
100 retries, which leads that containerd blocks for 10 seconds.
[Author]:Ruilin Li
---
delete.go | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/delete.go b/delete.go
index 746b0df..799c2a7 100644
--- a/delete.go
+++ b/delete.go
@@ -14,8 +14,8 @@ import (
)
func killContainer(container libcontainer.Container) error {
- _ = container.Signal(unix.SIGKILL, false)
- for i := 0; i < 100; i++ {
+ container.Signal(unix.SIGKILL, false)
+ for i := 0; i < 10; i++ {
time.Sleep(100 * time.Millisecond)
if err := container.Signal(unix.Signal(0), false); err != nil {
destroy(container)
--
2.30.0

32
patch/0008-runc-print-error-message-during-start-into-container.patch
View File

@ -1,32 +0,0 @@
From 8a337b8a40bf15bc25770cc5a853e962a96435c0 Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Thu, 5 Jan 2023 16:24:53 +0800
Subject: [PATCH] runc: print error message during start into container log
---
init.go | 2 ++
1 file changed, 2 insertions(+)
diff --git a/init.go b/init.go
index bddc237..a0520b5 100644
--- a/init.go
+++ b/init.go
@@ -1,6 +1,7 @@
package main
import (
+ "fmt"
"os"
"runtime"
"strconv"
@@ -34,6 +35,7 @@ func init() {
factory, _ := libcontainer.New("")
if err := factory.StartInitialization(); err != nil {
+ fmt.Fprintf(os.Stderr, "libcontainer: container start initialization failed: %s", err)
// as the error is sent back to the parent there is no need to log
// or write it to stderr because the parent process will handle this
os.Exit(1)
--
2.30.0

12
patch/0011-runc-logs-forwarding-to-syslog.patch → patch/0008-runc-runc-logs-forwarding-to-syslog.patch
View File

@ -1,6 +1,6 @@
From 3cea048a118096974936bf35c793075eabe830df Mon Sep 17 00:00:00 2001
From 10536f71def2026279285999779023d98f505e56 Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Thu, 5 Jan 2023 16:28:12 +0800
Date: Mon, 24 Jul 2023 17:20:38 +0800
Subject: [PATCH] runc: runc logs forwarding to syslog
---
@ -63,7 +63,7 @@ index 72910ff..9076846 100644
+)
+
+const (
+ minHookTimeOut = 1 * time.Second
+ minHookTimeOut = 0
+ defaultHookTimeOut = 5 * time.Second
+ maxHookTimeOut = 120 * time.Second
+ //the runc default timeout is 120s, so set the defaultWarnTime to 80% of the default timeout.
@ -161,10 +161,10 @@ index 72910ff..9076846 100644
}
}
diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
index 6b68a0e..425e44d 100644
index f8ce1cc..8fbd04d 100644
--- a/libcontainer/container_linux.go
+++ b/libcontainer/container_linux.go
@@ -368,7 +368,7 @@ func (c *linuxContainer) start(process *Process) (retErr error) {
@@ -370,7 +370,7 @@ func (c *linuxContainer) start(process *Process) (retErr error) {
if err := c.config.Hooks[configs.Poststart].RunHooks(s); err != nil {
if err := ignoreTerminateErrors(parent.terminate()); err != nil {
@ -713,5 +713,5 @@ index 0000000..b6fa374
+ }
+}
--
2.30.0
2.33.0

17
patch/0012-runc-support-namespaced-kernel-params-can-be-changed.patch → patch/0009-runc-support-namespaced-kernel-params-can-be-changed.patch
View File

@ -1,21 +1,20 @@
From 0e2bc1f9d2dffe3cf2c678d88855faffc122b1c5 Mon Sep 17 00:00:00 2001
From 0d04d291e8b9dcee0fcdf4b757e41d0e77b1491f Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Thu, 5 Jan 2023 16:29:06 +0800
Date: Mon, 24 Jul 2023 17:25:43 +0800
Subject: [PATCH] runc:support namespaced kernel params can be changed in
system container
Signed-off-by: zhongjiawei <zhongjiawei1@huawei.com>
---
libcontainer/rootfs_linux.go | 26 ++++++++++++++++++++++++++
libcontainer/standard_init_linux.go | 7 +++++++
2 files changed, 33 insertions(+)
diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
index 3cfd2bf..4dbe9f4 100644
index 54520ad..e7de071 100644
--- a/libcontainer/rootfs_linux.go
+++ b/libcontainer/rootfs_linux.go
@@ -417,6 +417,9 @@ func mountToRootfs(m *configs.Mount, c *mountConfig) error {
} else if fi.Mode()&os.ModeDir == 0 {
@@ -435,6 +435,9 @@ func mountToRootfs(m *configs.Mount, c *mountConfig) error {
} else if !fi.IsDir() {
return fmt.Errorf("filesystem %q must be mounted on ordinary directory", m.Device)
}
+ if strings.HasPrefix(m.Destination, "/proc/sys/") {
@ -24,7 +23,7 @@ index 3cfd2bf..4dbe9f4 100644
if err := os.MkdirAll(dest, 0o755); err != nil {
return err
}
@@ -1009,6 +1012,29 @@ func readonlyPath(path string) error {
@@ -1033,6 +1036,29 @@ func readonlyPath(path string) error {
return nil
}
@ -55,7 +54,7 @@ index 3cfd2bf..4dbe9f4 100644
func remountReadonly(m *configs.Mount) error {
var (
diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
index ab553ef..0dd51b2 100644
index eaa73ba..84883c2 100644
--- a/libcontainer/standard_init_linux.go
+++ b/libcontainer/standard_init_linux.go
@@ -141,6 +141,13 @@ func (l *linuxStandardInit) Init() error {
@ -73,5 +72,5 @@ index ab553ef..0dd51b2 100644
if err := maskPath(path, l.config.Config.MountLabel); err != nil {
return fmt.Errorf("can't mask path %s: %w", path, err)
--
2.30.0
2.33.0

53
patch/0014-runc-make-hooks-log-more-userful-and-fix-syslog-hook.patch → patch/0010-runc-make-hooks-log-more-userful-and-fix-syslog-hook.patch
View File

@ -1,15 +1,15 @@
From 8b5360bd401a33f5c637710fc5c545c8facb6b20 Mon Sep 17 00:00:00 2001
From 8b9b5e2615b1952a062f09476c53ff0a536df1ac Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Thu, 5 Jan 2023 16:31:33 +0800
Date: Mon, 24 Jul 2023 19:15:52 +0800
Subject: [PATCH] runc:make hooks log more userful and fix syslog hook bug
---
libcontainer/configs/config.go | 17 ++++++++++++++---
main.go | 5 ++++-
2 files changed, 18 insertions(+), 4 deletions(-)
main.go | 26 ++++++++++++++++++++++++--
2 files changed, 38 insertions(+), 5 deletions(-)
diff --git a/libcontainer/configs/config.go b/libcontainer/configs/config.go
index 540bcdb..cda79bf 100644
index 9076846..7bf83b9 100644
--- a/libcontainer/configs/config.go
+++ b/libcontainer/configs/config.go
@@ -8,6 +8,7 @@ import (
@ -67,10 +67,14 @@ index 540bcdb..cda79bf 100644
b, err := json.Marshal(s)
if err != nil {
diff --git a/main.go b/main.go
index 9e14976..0a6f3b4 100644
index 9e14976..6e9101a 100644
--- a/main.go
+++ b/main.go
@@ -4,6 +4,7 @@ import (
@@ -1,19 +1,23 @@
package main
import (
+ "encoding/json"
"errors"
"fmt"
"io"
@ -78,7 +82,11 @@ index 9e14976..0a6f3b4 100644
"os"
"path/filepath"
"runtime"
@@ -14,6 +15,7 @@ import (
"strconv"
"strings"
+ "time"
"github.com/opencontainers/runc/libcontainer/seccomp"
"github.com/opencontainers/runtime-spec/specs-go"
"github.com/sirupsen/logrus"
@ -86,10 +94,12 @@ index 9e14976..0a6f3b4 100644
"github.com/urfave/cli"
)
@@ -218,8 +220,9 @@ func configLogrus(context *cli.Context) error {
@@ -217,9 +221,10 @@ func configLogrus(context *cli.Context) error {
logrus.SetOutput(f)
hook, serr := logrus_syslog.NewSyslogHook("", "", syslog.LOG_INFO|syslog.LOG_USER, "docker-runc")
if serr != nil {
fmt.Fprint(f, fmt.Sprintf("Leo: new syslog hook get %s", serr))
- fmt.Fprint(f, fmt.Sprintf("Leo: new syslog hook get %s", serr))
+ logToFile(f, "error", fmt.Sprintf("Leo: new syslog hook get %s", serr))
+ } else {
+ logrus.AddHook(hook)
}
@ -97,6 +107,27 @@ index 9e14976..0a6f3b4 100644
}
if logLevel := context.GlobalString("log-level"); logLevel != "" {
lvl, err := logrus.ParseLevel(logLevel)
@@ -235,3 +240,20 @@ func configLogrus(context *cli.Context) error {
}
return nil
}
+
+func logToFile(f io.Writer, level string, msg string) {
+ var (
+ log struct {
+ Level string
+ Msg string
+ Time time.Time
+ }
+ )
+ log.Level = level
+ log.Msg = msg
+ log.Time = time.Now()
+ s, err := json.Marshal(log)
+ if err != nil {
+ fmt.Fprint(f, string(s))
+ }
+}
--
2.30.0
2.33.0

8
patch/0016-runc-do-not-setup-sysctl-in-runc-when-userns-enable.patch → patch/0011-runc-do-not-setup-sysctl-in-runc-when-userns-enable.patch
View File

@ -1,6 +1,6 @@
From 6b4045a28504aaefdb8c1e9abe6b4ad7c445684a Mon Sep 17 00:00:00 2001
From 8094649c861a0b6ca408caa38611f3e235378206 Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Thu, 5 Jan 2023 16:33:42 +0800
Date: Mon, 24 Jul 2023 19:25:06 +0800
Subject: [PATCH] runc:do not setup sysctl in runc when userns enable
---
@ -8,7 +8,7 @@ Subject: [PATCH] runc:do not setup sysctl in runc when userns enable
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
index 0dd51b2..b202ba9 100644
index 84883c2..542edba 100644
--- a/libcontainer/standard_init_linux.go
+++ b/libcontainer/standard_init_linux.go
@@ -130,10 +130,12 @@ func (l *linuxStandardInit) Init() error {
@ -29,5 +29,5 @@ index 0dd51b2..b202ba9 100644
}
for _, path := range l.config.Config.ReadonlyPaths {
--
2.30.0
2.33.0

12
patch/0017-runc-support-set-seccomp-priority.patch → patch/0012-runc-support-set-seccomp-priority.patch
View File

@ -1,6 +1,6 @@
From e9cf09ef6800b7740b2c9a7fe7efcf6af91fbc9f Mon Sep 17 00:00:00 2001
From 3e1db51b4dc547a7c9bfd251357e2661dc773952 Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Thu, 5 Jan 2023 16:34:57 +0800
Date: Mon, 24 Jul 2023 19:39:28 +0800
Subject: [PATCH] runc: support set seccomp priority
---
@ -11,7 +11,7 @@ Subject: [PATCH] runc: support set seccomp priority
4 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/libcontainer/configs/config.go b/libcontainer/configs/config.go
index cda79bf..f85ade3 100644
index 7bf83b9..00bf5b0 100644
--- a/libcontainer/configs/config.go
+++ b/libcontainer/configs/config.go
@@ -88,6 +88,7 @@ type Syscall struct {
@ -36,10 +36,10 @@ index 8c12af7..e4b5750 100644
// Version returns major, minor, and micro.
diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go
index 19dd947..02a7439 100644
index 7ee81ca..0c55cd6 100644
--- a/libcontainer/specconv/spec_linux.go
+++ b/libcontainer/specconv/spec_linux.go
@@ -1061,6 +1061,7 @@ func SetupSeccomp(config *specs.LinuxSeccomp) (*configs.Seccomp, error) {
@@ -1062,6 +1062,7 @@ func SetupSeccomp(config *specs.LinuxSeccomp) (*configs.Seccomp, error) {
Name: name,
Action: newAction,
ErrnoRet: call.ErrnoRet,
@ -60,5 +60,5 @@ index e8143b2..135f74a 100644
}
--
2.30.0
2.33.0

10
patch/0018-runc-do-not-kill-container-if-poststart-hooks-execut.patch → patch/0013-runc-do-not-kill-container-if-poststart-hooks-execut.patch
View File

@ -1,6 +1,6 @@
From 7140cab44cd368e987089b66948cfc7f8a414b83 Mon Sep 17 00:00:00 2001
From 0cbdce649f9086adc2e8c50734d37c2d31b45234 Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Thu, 5 Jan 2023 16:35:55 +0800
Date: Mon, 24 Jul 2023 20:31:00 +0800
Subject: [PATCH] runc:do not kill container if poststart hooks execute failed
---
@ -8,10 +8,10 @@ Subject: [PATCH] runc:do not kill container if poststart hooks execute failed
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
index 425e44d..10890c1 100644
index 8fbd04d..e27cd7d 100644
--- a/libcontainer/container_linux.go
+++ b/libcontainer/container_linux.go
@@ -367,10 +367,7 @@ func (c *linuxContainer) start(process *Process) (retErr error) {
@@ -369,10 +369,7 @@ func (c *linuxContainer) start(process *Process) (retErr error) {
}
if err := c.config.Hooks[configs.Poststart].RunHooks(s); err != nil {
@ -24,5 +24,5 @@ index 425e44d..10890c1 100644
}
}
--
2.30.0
2.33.0

25
patch/0013-runc-modify-minHookTimeOut.patch
View File

@ -1,25 +0,0 @@
From 845b54fcaa8cd843034479b2019eaa9ee5faaf75 Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Thu, 5 Jan 2023 16:30:36 +0800
Subject: [PATCH] runc: modify minHookTimeOut
---
libcontainer/configs/config.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libcontainer/configs/config.go b/libcontainer/configs/config.go
index 9076846..540bcdb 100644
--- a/libcontainer/configs/config.go
+++ b/libcontainer/configs/config.go
@@ -12,7 +12,7 @@ import (
)
const (
- minHookTimeOut = 1 * time.Second
+ minHookTimeOut = 0
defaultHookTimeOut = 5 * time.Second
maxHookTimeOut = 120 * time.Second
//the runc default timeout is 120s, so set the defaultWarnTime to 80% of the default timeout.
--
2.30.0

10
patch/0020-runc-add-sysctl-kernel.pid_max-to-whitelist.patch → patch/0014-runc-add-sysctl-kernel.pid_max-to-whitelist.patch
View File

@ -1,6 +1,6 @@
From af158d403f0395ee93636a6a77b4d37adbef6ee1 Mon Sep 17 00:00:00 2001
From 318779ab775bfe878cac0636c9e610b9951e1335 Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Thu, 5 Jan 2023 16:37:39 +0800
Date: Tue, 25 Jul 2023 19:53:00 +0800
Subject: [PATCH] runc:add sysctl kernel.pid_max to whitelist
---
@ -8,10 +8,10 @@ Subject: [PATCH] runc:add sysctl kernel.pid_max to whitelist
1 file changed, 1 insertion(+)
diff --git a/libcontainer/configs/validate/validator.go b/libcontainer/configs/validate/validator.go
index 627621a..3647aa2 100644
index 4fbd308..5ef0e8d 100644
--- a/libcontainer/configs/validate/validator.go
+++ b/libcontainer/configs/validate/validator.go
@@ -171,6 +171,7 @@ func (v *ConfigValidator) sysctl(config *configs.Config) error {
@@ -170,6 +170,7 @@ func (v *ConfigValidator) sysctl(config *configs.Config) error {
"kernel.shmmax": true,
"kernel.shmmni": true,
"kernel.shm_rmid_forced": true,
@ -20,5 +20,5 @@ index 627621a..3647aa2 100644
var (
--
2.30.0
2.33.0

6
patch/0021-runc-disable-core-dump-during-exec.patch → patch/0015-runc-disable-core-dump-during-exec.patch
View File

@ -1,6 +1,6 @@
From c8bf02dafed3537cd295c0898804809744f02f1e Mon Sep 17 00:00:00 2001
From d98901af66768560f0e352db72bb32d216aa9040 Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Thu, 5 Jan 2023 16:38:29 +0800
Date: Wed, 26 Jul 2023 11:04:05 +0800
Subject: [PATCH] runc:disable core dump during exec
---
@ -21,5 +21,5 @@ index 29408d7..75d05b7 100644
// get the "before" value of oom kill count
oom, _ := p.manager.OOMKillCount()
--
2.30.0
2.33.0

62
patch/0015-runc-fix-runc-log-decode-failed.patch
View File

@ -1,62 +0,0 @@
From 5584140c9549c2c9c6a0b0c5afea0850d1e88926 Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Thu, 5 Jan 2023 16:32:43 +0800
Subject: [PATCH] runc: fix runc log decode failed
---
main.go | 21 ++++++++++++++++++++-
1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/main.go b/main.go
index 0a6f3b4..6e9101a 100644
--- a/main.go
+++ b/main.go
@@ -1,6 +1,7 @@
package main
import (
+ "encoding/json"
"errors"
"fmt"
"io"
@@ -10,6 +11,7 @@ import (
"runtime"
"strconv"
"strings"
+ "time"
"github.com/opencontainers/runc/libcontainer/seccomp"
"github.com/opencontainers/runtime-spec/specs-go"
@@ -219,7 +221,7 @@ func configLogrus(context *cli.Context) error {
logrus.SetOutput(f)
hook, serr := logrus_syslog.NewSyslogHook("", "", syslog.LOG_INFO|syslog.LOG_USER, "docker-runc")
if serr != nil {
- fmt.Fprint(f, fmt.Sprintf("Leo: new syslog hook get %s", serr))
+ logToFile(f, "error", fmt.Sprintf("Leo: new syslog hook get %s", serr))
} else {
logrus.AddHook(hook)
}
@@ -238,3 +240,20 @@ func configLogrus(context *cli.Context) error {
}
return nil
}
+
+func logToFile(f io.Writer, level string, msg string) {
+ var (
+ log struct {
+ Level string
+ Msg string
+ Time time.Time
+ }
+ )
+ log.Level = level
+ log.Msg = msg
+ log.Time = time.Now()
+ s, err := json.Marshal(log)
+ if err != nil {
+ fmt.Fprint(f, string(s))
+ }
+}
--
2.30.0

6
patch/0022-runc-fix-exec-problem-caused-by-libseccomp-updating.patch → patch/0016-runc-fix-exec-problem-caused-by-libseccomp-updating.patch
View File

@ -1,6 +1,6 @@
From 62ccdfd5cd6572c8c2c5965b9ca85fc78f43bfb6 Mon Sep 17 00:00:00 2001
From 92c51d606acb92a5fb58eed2d238ad3cb2c69291 Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Thu, 5 Jan 2023 16:41:29 +0800
Date: Wed, 26 Jul 2023 11:11:23 +0800
Subject: [PATCH] runc:fix exec problem caused by libseccomp updating
reason: libseccomp updating causes runc exec performance
@ -44,5 +44,5 @@ index e4b5750..a925be1 100644
return -1, errors.New("cannot initialize Seccomp - nil config passed")
}
--
2.30.0
2.33.0

12
patch/0023-runc-add-log-message-for-cgroup-file-check.patch → patch/0017-runc-add-log-message-for-cgroup-file-check.patch
View File

@ -1,6 +1,6 @@
From 71c298bc54c68714bde5f4aad293f2fa603ede3e Mon Sep 17 00:00:00 2001
From 436b642d42680fd76903307748df0237e8cd0cd1 Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Thu, 5 Jan 2023 16:43:03 +0800
Date: Wed, 26 Jul 2023 11:21:06 +0800
Subject: [PATCH] runc:add log message for cgroup file check
---
@ -27,10 +27,10 @@ index 0cdaf74..bc7f0a3 100644
return nil
}
diff --git a/libcontainer/cgroups/fs/cpuset.go b/libcontainer/cgroups/fs/cpuset.go
index 341d5dc..ef1f633 100644
index c05a6f6..939b72c 100644
--- a/libcontainer/cgroups/fs/cpuset.go
+++ b/libcontainer/cgroups/fs/cpuset.go
@@ -25,14 +25,23 @@ func (s *CpusetGroup) Apply(path string, r *configs.Resources, pid int) error {
@@ -27,14 +27,23 @@ func (s *CpusetGroup) Apply(path string, r *configs.Resources, pid int) error {
}
func (s *CpusetGroup) Set(path string, r *configs.Resources) error {
@ -56,7 +56,7 @@ index 341d5dc..ef1f633 100644
}
}
return nil
@@ -231,13 +240,19 @@ func cpusetEnsureParent(current string) error {
@@ -233,13 +242,19 @@ func cpusetEnsureParent(current string) error {
// cpusetCopyIfNeeded copies the cpuset.cpus and cpuset.mems from the parent
// directory to the current directory if the file's contents are 0
func cpusetCopyIfNeeded(current, parent string) error {
@ -83,5 +83,5 @@ index 341d5dc..ef1f633 100644
if isEmptyCpuset(currentCpus) {
--
2.30.0
2.33.0

76
patch/0019-runc-print-memory-info-when-syscall.Exec-failed.patch
View File

@ -1,76 +0,0 @@
From 5159ecfcc9180dd47e843818844c59cb9284d662 Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Thu, 5 Jan 2023 16:36:48 +0800
Subject: [PATCH] runc: print memory info when syscall.Exec failed
---
libcontainer/container_linux.go | 1 +
libcontainer/standard_init_linux.go | 33 ++++++++++++++++++++++++++++-
2 files changed, 33 insertions(+), 1 deletion(-)
diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
index 10890c1..5ef5a9a 100644
--- a/libcontainer/container_linux.go
+++ b/libcontainer/container_linux.go
@@ -355,6 +355,7 @@ func (c *linuxContainer) start(process *Process) (retErr error) {
}
if err := parent.start(); err != nil {
+ printCgroupInfo(c.config.Cgroups.Path)
return fmt.Errorf("unable to start container process: %w", err)
}
diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
index b202ba9..8a60501 100644
--- a/libcontainer/standard_init_linux.go
+++ b/libcontainer/standard_init_linux.go
@@ -3,8 +3,10 @@ package libcontainer
import (
"errors"
"fmt"
+ "io/ioutil"
"os"
"os/exec"
+ "path/filepath"
"strconv"
"time"
@@ -274,5 +276,34 @@ func (l *linuxStandardInit) Init() error {
return err
}
- return system.Exec(name, l.config.Args[0:], os.Environ())
+ if err := system.Exec(name, l.config.Args[0:], os.Environ()); err != nil {
+ printCgroupInfo("")
+ return err
+ }
+ return nil
}
+
+func printCgroupInfo(path string) {
+ cgroupRoot := "/sys/fs/cgroup"
+ infoFileList := []string{
+ "/proc/meminfo",
+ "/sys/fs/cgroup/memory/memory.stat",
+ filepath.Join(cgroupRoot, "files", path, "files.limit"),
+ filepath.Join(cgroupRoot, "files", path, "files.usage"),
+ filepath.Join(cgroupRoot, "pids", path, "pids.max"),
+ filepath.Join(cgroupRoot, "pids", path, "pids.current"),
+ filepath.Join(cgroupRoot, "memory", path, "memory.usage_in_bytes"),
+ filepath.Join(cgroupRoot, "memory", path, "memory.limit_in_bytes"),
+ filepath.Join(cgroupRoot, "memory", path, "memory.stat"),
+ filepath.Join(cgroupRoot, "cpu", path, "cpu.stat"),
+ }
+ for _, file := range infoFileList {
+ printFileContent(file)
+ }
+}
+
+func printFileContent(path string) {
+ output, err := ioutil.ReadFile(path)
+ logrus.Infof("content read from %s: %s, err: %v", path, string(output), err)
+}
+
--
2.30.0

12
patch/0025-runc-support-set-cpuset.prefer_cpus-using-cpuset-cpu.patch → patch/0019-runc-support-set-cpuset.prefer_cpus-using-cpuset-cpu.patch
View File

@ -1,6 +1,6 @@
From b22fdd593f463caea0c96c66b1fed442bccfeb8f Mon Sep 17 00:00:00 2001
From da50f7d9ddf912a6e4ad8714e5aff01e85c09b21 Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Thu, 5 Jan 2023 16:48:21 +0800
Date: Wed, 26 Jul 2023 11:37:21 +0800
Subject: [PATCH] runc:support set cpuset.prefer_cpus using --cpuset-cpus
---
@ -8,10 +8,10 @@ Subject: [PATCH] runc:support set cpuset.prefer_cpus using --cpuset-cpus
1 file changed, 114 insertions(+), 4 deletions(-)
diff --git a/libcontainer/cgroups/fs/cpuset.go b/libcontainer/cgroups/fs/cpuset.go
index ef1f633..989f4ec 100644
index 939b72c..ef9164b 100644
--- a/libcontainer/cgroups/fs/cpuset.go
+++ b/libcontainer/cgroups/fs/cpuset.go
@@ -24,16 +24,126 @@ func (s *CpusetGroup) Apply(path string, r *configs.Resources, pid int) error {
@@ -26,16 +26,126 @@ func (s *CpusetGroup) Apply(path string, r *configs.Resources, pid int) error {
return s.ApplyDir(path, r, pid)
}
@ -100,7 +100,7 @@ index ef1f633..989f4ec 100644
+}
+
+func (s *CpusetGroup) setCpuset(path, cpuset string) error {
+ if _, err := os.Stat(filepath.Join(path, "cpuset.preferred_cpus")); err != nil {
+ if _, err := os.Stat("/proc/sys/kernel/sched_util_low_pct"); err != nil {
+ var ret error
+ if err := writeFile(path, "cpuset.cpus", cpuset); err != nil {
ret = fmt.Errorf("failed to set cpuset.cpus, %v", err)
@ -143,5 +143,5 @@ index ef1f633..989f4ec 100644
if r.CpusetMems != "" {
if err := cgroups.WriteFile(path, "cpuset.mems", r.CpusetMems); err != nil {
--
2.30.0
2.33.0

6
patch/0026-runc-add-DT-for-cpuset.preferred_cpus-setting.patch → patch/0020-runc-add-DT-for-cpuset.preferred_cpus-setting.patch
View File

@ -1,6 +1,6 @@
From 43dfa46b403166f4195803b7522bbc94a97d8e7c Mon Sep 17 00:00:00 2001
From 8071a31f5fd66638bda75d371f62d6df9155b00b Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Thu, 5 Jan 2023 16:49:18 +0800
Date: Wed, 26 Jul 2023 14:18:00 +0800
Subject: [PATCH] runc:add DT for cpuset.preferred_cpus setting
---
@ -292,5 +292,5 @@ index 0000000..c80db24
+echo "PASS"
+exit 0
--
2.30.0
2.33.0

45
patch/0027-runc-modify-runc-Makefile.patch → patch/0021-runc-modify-runc-Makefile.patch
View File

@ -1,40 +1,43 @@
From 6ee9f98fdd90901a2f93b7b58244e543c4623dbe Mon Sep 17 00:00:00 2001
From b8461e39d80a2323dca4cd831f4cb41dbd5a0006 Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Thu, 5 Jan 2023 16:50:18 +0800
Date: Wed, 26 Jul 2023 14:48:37 +0800
Subject: [PATCH] runc:modify runc Makefile
---
Makefile | 28 ++++++++++++++++++++++------
1 file changed, 22 insertions(+), 6 deletions(-)
Makefile | 29 ++++++++++++++++++++++-------
1 file changed, 22 insertions(+), 7 deletions(-)
diff --git a/Makefile b/Makefile
index cf82c0c..34b5347 100644
index e3af9bc..4475271 100644
--- a/Makefile
+++ b/Makefile
@@ -10,9 +10,12 @@ GIT_BRANCH_CLEAN := $(shell echo $(GIT_BRANCH) | sed -e "s/[^[:alnum:]]/-/g")
RUNC_IMAGE := runc_dev$(if $(GIT_BRANCH_CLEAN),:$(GIT_BRANCH_CLEAN))
@@ -11,10 +11,13 @@ RUNC_IMAGE := runc_dev$(if $(GIT_BRANCH_CLEAN),:$(GIT_BRANCH_CLEAN))
PROJECT := github.com/opencontainers/runc
BUILDTAGS ?= seccomp
-COMMIT ?= $(shell git describe --dirty --long --always)
+COMMIT ?= $(shell cat ./git-commit | head -c 40)
VERSION := $(shell cat ./VERSION)
LDFLAGS_COMMON := -X main.gitCommit=$(COMMIT) -X main.version=$(VERSION)
+BEP_DIR := "/tmp/runc-build-bep"
+BEP_FLAG := "-tmpdir=${BEP_DIR}"
+
ifeq ($(shell $(GO) env GOOS),linux)
ifeq (,$(filter $(shell $(GO) env GOARCH),mips mipsle mips64 mips64le ppc64))
ifeq (,$(findstring -race,$(EXTRA_FLAGS)))
@@ -22,23 +25,33 @@ ifeq ($(shell $(GO) env GOOS),linux)
GOARCH := $(shell $(GO) env GOARCH)
GO_BUILDMODE :=
@@ -40,9 +43,7 @@ ifneq (,$(filter $(GOARCH),arm64 amd64))
endif
GO_BUILD := $(GO) build -trimpath $(GO_BUILDMODE) $(EXTRA_FLAGS) -tags "$(BUILDTAGS)" \
-ldflags "-X main.gitCommit=$(COMMIT) -X main.version=$(VERSION) $(EXTRA_LDFLAGS)"
-GO_BUILD_STATIC := CGO_ENABLED=1 $(GO) build -trimpath $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo osusergo" \
- -ldflags "-extldflags -static -X main.gitCommit=$(COMMIT) -X main.version=$(VERSION) $(EXTRA_LDFLAGS)"
+GO_BUILD_STATIC := $(GO) build -trimpath $(EXTRA_FLAGS) -tags "$(BUILDTAGS) static_build cgo netgo osusergo"
endif
# Enable static PIE binaries on supported platforms.
-GO_BUILD_STATIC := $(GO) build -trimpath $(GO_BUILDMODE_STATIC) \
- $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo osusergo" \
- -ldflags "$(LDFLAGS_COMMON) $(LDFLAGS_STATIC) $(EXTRA_LDFLAGS)"
+GO_BUILD_STATIC := $(GO) build -buildmode=pie -trimpath $(EXTRA_FLAGS) -tags "$(BUILDTAGS) static_build cgo netgo osusergo"
GPG_KEYID ?= asarai@suse.de
@@ -58,15 +59,26 @@ endif
.DEFAULT: runc
runc:
@ -49,7 +52,7 @@ index cf82c0c..34b5347 100644
+ $(GO_BUILD) $(BEP_FLAG) -buildid=IdByIsula -o contrib/cmd/$@/$@ ./contrib/cmd/$@
+
+LD_FLAGS='-buildid=none -tmpdir=/tmp/bep-runc -linkmode=external -extldflags=-Wl,-z,relro,-z,now \
+ -extldflags -static -X main.gitCommit=$(COMMIT) -X main.version=$(VERSION) $(EXTRA_LDFLAGS) \
+ -X main.gitCommit=$(COMMIT) -X main.version=$(VERSION) $(EXTRA_LDFLAGS) \
+ '
static:
@ -60,11 +63,11 @@ index cf82c0c..34b5347 100644
+ CGO_CPPFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
+ CGO_LDFLAGS_ALLOW='-Wl,-z,relro,-z,now' \
+ CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
+ $(GO_BUILD_STATIC) -buildmode=pie -ldflags $(LD_FLAGS) -o runc .
+ $(GO_BUILD_STATIC) -ldflags '-extldflags=-static' -ldflags $(LD_FLAGS) -o runc .
releaseall: RELEASE_ARGS := "-a arm64 -a armel -a armhf -a ppc64le -a s390x"
releaseall: RELEASE_ARGS := "-a arm64 -a armel -a armhf -a ppc64le -a riscv64 -a s390x"
releaseall: release
@@ -70,6 +83,9 @@ runcimage:
@@ -98,6 +110,9 @@ runcimage:
test: unittest integration rootlessintegration
@ -75,5 +78,5 @@ index cf82c0c..34b5347 100644
unittest: runcimage
--
2.30.0
2.33.0

94
patch/0028-runc-cgroup-apply-method-modify.patch → patch/0022-runc-cgroup-apply-method-modify.patch
View File

@ -1,41 +1,30 @@
From 6ae765b2529fbfde33c3562834308add80bd34e2 Mon Sep 17 00:00:00 2001
From 6477190927cec5e20393c303bf7a4049539273bf Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Thu, 5 Jan 2023 16:51:24 +0800
Date: Wed, 26 Jul 2023 15:25:25 +0800
Subject: [PATCH] runc:cgroup apply method modify
---
libcontainer/cgroups/fs/cpuset.go | 15 ++++-
libcontainer/cgroups/fs/files.go | 23 +++----
libcontainer/cgroups/fs/cpuset.go | 12 +++-
libcontainer/cgroups/fs/files.go | 27 +++-----
libcontainer/cgroups/fs/utils.go | 97 +++++++++++++++++++++++++++++
libcontainer/rootfs_linux.go | 1 +
libcontainer/standard_init_linux.go | 4 +-
main.go | 1 -
6 files changed, 119 insertions(+), 22 deletions(-)
libcontainer/standard_init_linux.go | 6 +-
5 files changed, 120 insertions(+), 23 deletions(-)
create mode 100644 libcontainer/cgroups/fs/utils.go
diff --git a/libcontainer/cgroups/fs/cpuset.go b/libcontainer/cgroups/fs/cpuset.go
index 989f4ec..379407e 100644
index ef9164b..01388f7 100644
--- a/libcontainer/cgroups/fs/cpuset.go
+++ b/libcontainer/cgroups/fs/cpuset.go
@@ -1,7 +1,9 @@
@@ -1,6 +1,7 @@
package fs
import (
+ "fmt"
"errors"
+ "io/ioutil"
"io/ioutil"
"os"
"path/filepath"
"strconv"
@@ -9,6 +11,7 @@ import (
"golang.org/x/sys/unix"
+ "github.com/sirupsen/logrus"
"github.com/opencontainers/runc/libcontainer/cgroups"
"github.com/opencontainers/runc/libcontainer/cgroups/fscommon"
"github.com/opencontainers/runc/libcontainer/configs"
@@ -143,7 +146,7 @@ func (s *CpusetGroup) setCpuset(path, cpuset string) error {
@@ -145,7 +146,7 @@ func (s *CpusetGroup) setCpuset(path, cpuset string) error {
func (s *CpusetGroup) Set(path string, r *configs.Resources) error {
var ret error
if r.CpusetCpus != "" {
@ -44,7 +33,7 @@ index 989f4ec..379407e 100644
}
if r.CpusetMems != "" {
if err := cgroups.WriteFile(path, "cpuset.mems", r.CpusetMems); err != nil {
@@ -350,14 +353,20 @@ func cpusetEnsureParent(current string) error {
@@ -352,14 +353,19 @@ func cpusetEnsureParent(current string) error {
// cpusetCopyIfNeeded copies the cpuset.cpus and cpuset.mems from the parent
// directory to the current directory if the file's contents are 0
func cpusetCopyIfNeeded(current, parent string) error {
@ -54,7 +43,6 @@ index 989f4ec..379407e 100644
+ currentCpus, currentMems string
+ parentCpus, parentMems string
+ )
+
+ if currentCpus, currentMems, err = getCpusetSubsystemSettings(current); err != nil {
ret := fmt.Errorf("failed copy current cgroup setting, %v", err)
if _, err := os.Stat(current); err != nil {
@ -68,16 +56,23 @@ index 989f4ec..379407e 100644
if _, err := os.Stat(parent); err != nil {
ret = fmt.Errorf("%v, %v", ret, err)
diff --git a/libcontainer/cgroups/fs/files.go b/libcontainer/cgroups/fs/files.go
index 3315cda..b02743c 100644
index 3315cda..9dcc54b 100644
--- a/libcontainer/cgroups/fs/files.go
+++ b/libcontainer/cgroups/fs/files.go
@@ -18,27 +18,22 @@ import (
"path/filepath"
@@ -13,34 +13,29 @@ import (
"fmt"
"strconv"
+ "path/filepath"
+
"github.com/opencontainers/runc/libcontainer/cgroups"
"github.com/opencontainers/runc/libcontainer/configs"
- "path/filepath"
)
-type FilesGroup struct {
-}
+type FilesGroup struct {}
+type FilesGroup struct{}
func (s *FilesGroup) Name() string {
return "files"
@ -104,8 +99,10 @@ index 3315cda..b02743c 100644
+ if r.FilesLimit > 0 {
+ limit = strconv.FormatInt(r.FilesLimit, 10)
}
-
if err := writeFile(path, "files.limit", limit); err != nil {
return err
}
@@ -49,10 +44,6 @@ func (s *FilesGroup) Set(path string, cgroup *configs.Cgroup) error {
return nil
}
@ -221,7 +218,7 @@ index 0000000..38820a8
+}
+
diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
index 4dbe9f4..0bf1729 100644
index e7de071..499d753 100644
--- a/libcontainer/rootfs_linux.go
+++ b/libcontainer/rootfs_linux.go
@@ -10,6 +10,7 @@ import (
@ -233,35 +230,32 @@ index 4dbe9f4..0bf1729 100644
securejoin "github.com/cyphar/filepath-securejoin"
diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
index 99e7003..c288c88 100644
index 542edba..cd962c8 100644
--- a/libcontainer/standard_init_linux.go
+++ b/libcontainer/standard_init_linux.go
@@ -3,11 +3,11 @@ package libcontainer
import (
"errors"
"fmt"
- "io/ioutil"
@@ -6,6 +6,8 @@ import (
"os"
"os/exec"
- "path/filepath"
"strconv"
+ "strings"
+ "syscall"
"time"
"github.com/opencontainers/runtime-spec/specs-go"
diff --git a/main.go b/main.go
index e624347..e52a2ea 100644
--- a/main.go
+++ b/main.go
@@ -4,7 +4,6 @@ import (
"errors"
"fmt"
"io"
- "log/syslog"
"os"
"path/filepath"
"runtime"
--
2.30.0
@@ -260,11 +262,11 @@ func (l *linuxStandardInit) Init() error {
}()
select {
- case chErr := <- ch:
+ case chErr := <-ch:
if chErr != nil {
return chErr
}
- case <- time.After(120 * time.Second):
+ case <-time.After(120 * time.Second):
return fmt.Errorf("wait for the fifo to be opened on the other side timeout ")
}
// Close the O_PATH fifofd fd before exec because the kernel resets
--
2.33.0

28
patch/0030-runc-support-specify-umask.patch → patch/0023-runc-support-specify-umask.patch
View File

@ -1,18 +1,19 @@
From cb7c43347df720787be7457d4a991181ba608080 Mon Sep 17 00:00:00 2001
From 7746fa7839dc6780379cb732c7122efaa07834f7 Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Tue, 10 Jan 2023 11:52:14 +0800
Date: Wed, 26 Jul 2023 15:37:48 +0800
Subject: [PATCH] runc:support specify umask
---
libcontainer/rootfs_linux.go | 6 ++++++
libcontainer/setns_init_linux.go | 7 +++++++
2 files changed, 13 insertions(+)
vendor/github.com/sirupsen/logrus/hooks/syslog/syslog.go | 2 +-
3 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
index 0bf1729..280a633 100644
index 499d753..c42e388 100644
--- a/libcontainer/rootfs_linux.go
+++ b/libcontainer/rootfs_linux.go
@@ -190,6 +190,12 @@ func finalizeRootfs(config *configs.Config) (err error) {
@@ -192,6 +192,12 @@ func finalizeRootfs(config *configs.Config) (err error) {
} else {
unix.Umask(0o022)
}
@ -50,6 +51,19 @@ index 09ab552..e9b8d62 100644
if l.config.NoNewPrivileges {
if err := unix.Prctl(unix.PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil {
return err
--
2.30.0
diff --git a/vendor/github.com/sirupsen/logrus/hooks/syslog/syslog.go b/vendor/github.com/sirupsen/logrus/hooks/syslog/syslog.go
index b6fa374..430f646 100644
--- a/vendor/github.com/sirupsen/logrus/hooks/syslog/syslog.go
+++ b/vendor/github.com/sirupsen/logrus/hooks/syslog/syslog.go
@@ -2,7 +2,7 @@ package logrus_syslog
import (
"fmt"
- "github.com/Sirupsen/logrus"
+ "github.com/sirupsen/logrus"
"log/syslog"
"os"
)
--
2.33.0

10
patch/0031-runc-modify-linuxcontainer-starttime-uint64-type-tob.patch → patch/0024-runc-modify-linuxcontainer-starttime-uint64-type-tob.patch
View File

@ -1,6 +1,6 @@
From 3b2a80f599b6339f4823fc634a7f9096f7c2a5d8 Mon Sep 17 00:00:00 2001
From a84f3ee6e929dc1d1899dfe8e0bcaafb43bf510d Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Tue, 17 Jan 2023 15:14:06 +0800
Date: Wed, 26 Jul 2023 16:04:21 +0800
Subject: [PATCH] runc:modify linuxcontainer starttime uint64 type tobe string
---
@ -26,7 +26,7 @@ index 300c952..1759e4c 100644
// Created is the unix timestamp for the creation time of the container in UTC
Created time.Time `json:"created"`
diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
index 10890c1..1fc8fec 100644
index e27cd7d..7141001 100644
--- a/libcontainer/container_linux.go
+++ b/libcontainer/container_linux.go
@@ -44,7 +44,7 @@ type linuxContainer struct {
@ -38,7 +38,7 @@ index 10890c1..1fc8fec 100644
criuPath string
newuidmapPath string
newgidmapPath string
@@ -2000,7 +2000,7 @@ func (c *linuxContainer) isPaused() (bool, error) {
@@ -2003,7 +2003,7 @@ func (c *linuxContainer) isPaused() (bool, error) {
func (c *linuxContainer) currentState() (*State, error) {
var (
@ -201,5 +201,5 @@ index 774443e..768a16e 100644
return stat, fmt.Errorf("invalid stat data (bad start time): %w", err)
}
--
2.30.0
2.33.0

125
patch/0024-runc-unified-use-of-logpipe.patch
View File

@ -1,125 +0,0 @@
From c40ef2e5c3415c807172271936a06dfbf89747ee Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Thu, 5 Jan 2023 16:43:54 +0800
Subject: [PATCH] runc:add log message for cgroup file check
---
libcontainer/container_linux.go | 1 -
libcontainer/standard_init_linux.go | 30 +----------------------------
main.go | 25 ------------------------
3 files changed, 1 insertion(+), 55 deletions(-)
diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
index 5ef5a9a..10890c1 100644
--- a/libcontainer/container_linux.go
+++ b/libcontainer/container_linux.go
@@ -355,7 +355,6 @@ func (c *linuxContainer) start(process *Process) (retErr error) {
}
if err := parent.start(); err != nil {
- printCgroupInfo(c.config.Cgroups.Path)
return fmt.Errorf("unable to start container process: %w", err)
}
diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
index 8a60501..99e7003 100644
--- a/libcontainer/standard_init_linux.go
+++ b/libcontainer/standard_init_linux.go
@@ -276,34 +276,6 @@ func (l *linuxStandardInit) Init() error {
return err
}
- if err := system.Exec(name, l.config.Args[0:], os.Environ()); err != nil {
- printCgroupInfo("")
- return err
- }
- return nil
-}
-
-func printCgroupInfo(path string) {
- cgroupRoot := "/sys/fs/cgroup"
- infoFileList := []string{
- "/proc/meminfo",
- "/sys/fs/cgroup/memory/memory.stat",
- filepath.Join(cgroupRoot, "files", path, "files.limit"),
- filepath.Join(cgroupRoot, "files", path, "files.usage"),
- filepath.Join(cgroupRoot, "pids", path, "pids.max"),
- filepath.Join(cgroupRoot, "pids", path, "pids.current"),
- filepath.Join(cgroupRoot, "memory", path, "memory.usage_in_bytes"),
- filepath.Join(cgroupRoot, "memory", path, "memory.limit_in_bytes"),
- filepath.Join(cgroupRoot, "memory", path, "memory.stat"),
- filepath.Join(cgroupRoot, "cpu", path, "cpu.stat"),
- }
- for _, file := range infoFileList {
- printFileContent(file)
- }
-}
-
-func printFileContent(path string) {
- output, err := ioutil.ReadFile(path)
- logrus.Infof("content read from %s: %s, err: %v", path, string(output), err)
+ return system.Exec(name, l.config.Args[0:], os.Environ())
}
diff --git a/main.go b/main.go
index 6e9101a..e624347 100644
--- a/main.go
+++ b/main.go
@@ -1,7 +1,6 @@
package main
import (
- "encoding/json"
"errors"
"fmt"
"io"
@@ -11,13 +10,11 @@ import (
"runtime"
"strconv"
"strings"
- "time"
"github.com/opencontainers/runc/libcontainer/seccomp"
"github.com/opencontainers/runtime-spec/specs-go"
"github.com/sirupsen/logrus"
- logrus_syslog "github.com/sirupsen/logrus/hooks/syslog"
"github.com/urfave/cli"
)
@@ -219,12 +216,6 @@ func configLogrus(context *cli.Context) error {
return err
}
logrus.SetOutput(f)
- hook, serr := logrus_syslog.NewSyslogHook("", "", syslog.LOG_INFO|syslog.LOG_USER, "docker-runc")
- if serr != nil {
- logToFile(f, "error", fmt.Sprintf("Leo: new syslog hook get %s", serr))
- } else {
- logrus.AddHook(hook)
- }
}
if logLevel := context.GlobalString("log-level"); logLevel != "" {
lvl, err := logrus.ParseLevel(logLevel)
@@ -241,19 +232,3 @@ func configLogrus(context *cli.Context) error {
return nil
}
-func logToFile(f io.Writer, level string, msg string) {
- var (
- log struct {
- Level string
- Msg string
- Time time.Time
- }
- )
- log.Level = level
- log.Msg = msg
- log.Time = time.Now()
- s, err := json.Marshal(log)
- if err != nil {
- fmt.Fprint(f, string(s))
- }
-}
--
2.30.0

6
patch/0032-runc-make-runc-spec-compatible-1.0.0.rc3.patch → patch/0025-runc-make-runc-spec-compatible-1.0.0.rc3.patch
View File

@ -1,10 +1,8 @@
From 437b5cda354b8e2572eb24377774396117b513d0 Mon Sep 17 00:00:00 2001
From a6466792b4a78638871a8ed4af65f25555b24520 Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Thu, 9 Feb 2023 16:41:35 +0800
Date: Wed, 26 Jul 2023 16:34:51 +0800
Subject: [PATCH] runc:make runc spec compatible 1.0.0.rc3
1.adapt DisableOOMKiller, OOMScoreAdj position adjustment.
2.adapt to BlackIO json parsing field change modification.
---
spec.go | 181 +++++++++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 180 insertions(+), 1 deletion(-)

14
patch/0037-runc-Fixed-init-state-error-variable.patch → patch/0026-runc-Fixed-init-state-error-variable.patch
View File

@ -1,18 +1,14 @@
From ab18f1e6bf59d651889a9483f45f0e88368669c9 Mon Sep 17 00:00:00 2001
From: Vipul Newaskar <vipulnewaskar7@gmail.com>
Date: Sun, 13 Nov 2022 23:46:12 +0530
Subject: [PATCH 2/2] Fixed init state error variable
From f9add2c83320bd04ac76120821802ad7e25991d5 Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Wed, 26 Jul 2023 16:46:35 +0800
Subject: [PATCH] runc:Fixed init state error variable
Init State Error message was using the err variable instead of uerr, which has been fixed now.
The error message should not show "nil" now.
Signed-off-by: Vipul Newaskar <vipulnewaskar7@gmail.com>
---
libcontainer/process_linux.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libcontainer/process_linux.go b/libcontainer/process_linux.go
index 1124cf54..3b453ccd 100644
index 1124cf5..3b453cc 100644
--- a/libcontainer/process_linux.go
+++ b/libcontainer/process_linux.go
@@ -555,7 +555,7 @@ func (p *initProcess) start() (retErr error) {

18
patch/0041-runc-libct-fix-shared-pidns-detection.patch → patch/0027-runc-libct-fix-shared-pidns-detection.patch
View File

@ -1,6 +1,6 @@
From acf196483ff8e2e5461a6c55ee64359863608b92 Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin <kolyshkin@gmail.com>
Date: Fri, 12 May 2023 16:04:11 -0700
From 43126d0dca0b76f8c07cff1d09c5fc013d5c3450 Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Wed, 26 Jul 2023 16:52:56 +0800
Subject: [PATCH] libct: fix shared pidns detection
When someone is using libcontainer to start and kill containers from a
@ -23,7 +23,7 @@ Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
3 files changed, 28 insertions(+), 7 deletions(-)
diff --git a/libcontainer/configs/namespaces_syscall.go b/libcontainer/configs/namespaces_syscall.go
index 0516dba8..543e059a 100644
index 0516dba..543e059 100644
--- a/libcontainer/configs/namespaces_syscall.go
+++ b/libcontainer/configs/namespaces_syscall.go
@@ -31,3 +31,15 @@ func (n *Namespaces) CloneFlags() uintptr {
@ -43,10 +43,10 @@ index 0516dba8..543e059a 100644
+ return false
+}
diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
index 1fc8feca..1a210fa2 100644
index 7141001..f56d73e 100644
--- a/libcontainer/container_linux.go
+++ b/libcontainer/container_linux.go
@@ -555,7 +555,6 @@ func (c *linuxContainer) newInitProcess(p *Process, cmd *exec.Cmd, messageSockPa
@@ -558,7 +558,6 @@ func (c *linuxContainer) newInitProcess(p *Process, cmd *exec.Cmd, messageSockPa
nsMaps[ns.Type] = ns.Path
}
}
@ -54,7 +54,7 @@ index 1fc8feca..1a210fa2 100644
data, err := c.bootstrapData(c.config.Namespaces.CloneFlags(), nsMaps, initStandard)
if err != nil {
return nil, err
@@ -600,7 +599,7 @@ func (c *linuxContainer) newInitProcess(p *Process, cmd *exec.Cmd, messageSockPa
@@ -603,7 +602,7 @@ func (c *linuxContainer) newInitProcess(p *Process, cmd *exec.Cmd, messageSockPa
container: c,
process: p,
bootstrapData: data,
@ -64,10 +64,10 @@ index 1fc8feca..1a210fa2 100644
c.initProcess = init
return init, nil
diff --git a/libcontainer/integration/exec_test.go b/libcontainer/integration/exec_test.go
index 3da6d96c..1f19ced1 100644
index 5c6272e..e999231 100644
--- a/libcontainer/integration/exec_test.go
+++ b/libcontainer/integration/exec_test.go
@@ -1456,16 +1456,26 @@ func TestPIDHost(t *testing.T) {
@@ -1404,16 +1404,26 @@ func TestPIDHost(t *testing.T) {
}
}

88
patch/0029-runc-runc-log-forward-to-syslog.patch
View File

@ -1,88 +0,0 @@
From 0013fb97dd10a75ae6f455d8c839315f13a39969 Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Thu, 5 Jan 2023 16:52:16 +0800
Subject: [PATCH] runc:runc log forward to syslog
---
main.go | 27 ++++++++++++++++++-
.../sirupsen/logrus/hooks/syslog/syslog.go | 2 +-
2 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/main.go b/main.go
index e52a2ea..381681e 100644
--- a/main.go
+++ b/main.go
@@ -1,19 +1,23 @@
package main
import (
+ "encoding/json"
"errors"
"fmt"
"io"
+ "log/syslog"
"os"
"path/filepath"
"runtime"
"strconv"
"strings"
+ "time"
"github.com/opencontainers/runc/libcontainer/seccomp"
"github.com/opencontainers/runtime-spec/specs-go"
"github.com/sirupsen/logrus"
+ logrus_syslog "github.com/sirupsen/logrus/hooks/syslog"
"github.com/urfave/cli"
)
@@ -215,6 +219,12 @@ func configLogrus(context *cli.Context) error {
return err
}
logrus.SetOutput(f)
+ hook, serr := logrus_syslog.NewSyslogHook("", "", syslog.LOG_INFO|syslog.LOG_USER, "docker-runc")
+ if serr != nil {
+ logToFile(f, "error", fmt.Sprintf("new syslog hook get %s", serr))
+ } else {
+ logrus.AddHook(hook)
+ }
}
if logLevel := context.GlobalString("log-level"); logLevel != "" {
lvl, err := logrus.ParseLevel(logLevel)
@@ -230,4 +240,19 @@ func configLogrus(context *cli.Context) error {
}
return nil
}
-
+func logToFile(f io.Writer, level string, msg string) {
+ var (
+ log struct {
+ Level string
+ Msg string
+ Time time.Time
+ }
+ )
+ log.Level = level
+ log.Msg = msg
+ log.Time = time.Now()
+ s, err := json.Marshal(log)
+ if err != nil {
+ fmt.Fprint(f, string(s))
+ }
+}
diff --git a/vendor/github.com/sirupsen/logrus/hooks/syslog/syslog.go b/vendor/github.com/sirupsen/logrus/hooks/syslog/syslog.go
index b6fa374..430f646 100644
--- a/vendor/github.com/sirupsen/logrus/hooks/syslog/syslog.go
+++ b/vendor/github.com/sirupsen/logrus/hooks/syslog/syslog.go
@@ -2,7 +2,7 @@ package logrus_syslog
import (
"fmt"
- "github.com/Sirupsen/logrus"
+ "github.com/sirupsen/logrus"
"log/syslog"
"os"
)
--
2.30.0

21
patch/0033-add-loongarch-support-for-libcontainer.patch
View File

@ -1,21 +0,0 @@
From 21f915e95f260af0f716f0ffcea0362d6b38f665 Mon Sep 17 00:00:00 2001
From: zhaozhen <zhaozhen@loongson.cn>
Date: Wed, 9 Nov 2022 10:58:21 +0800
Subject: [PATCH] add loongarch support for libcontainer
---
libcontainer/system/syscall_linux_64.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libcontainer/system/syscall_linux_64.go b/libcontainer/system/syscall_linux_64.go
index 6e89196..77d011b 100644
--- a/libcontainer/system/syscall_linux_64.go
+++ b/libcontainer/system/syscall_linux_64.go
@@ -1,4 +1,4 @@
-// +build linux,arm64 linux,amd64 linux,ppc linux,ppc64 linux,ppc64le linux,s390x linux,riscv64
+// +build linux,arm64 linux,amd64 linux,ppc linux,ppc64 linux,ppc64le linux,s390x linux,riscv64 linux,loong64
package system
--
2.33.0

24
patch/0034-SIGUNUSED-is-nolonger-support-for-loongarch.patch
View File

@ -1,24 +0,0 @@
From 34adecd11a87b5995ce3a482987944d4d8644008 Mon Sep 17 00:00:00 2001
From: zhaozhen <zhaozhen@loongson.cn>
Date: Wed, 9 Nov 2022 11:22:38 +0800
Subject: [PATCH] SIGUNUSED is nolonger support for loongarch
---
kill.go | 1 -
1 file changed, 1 deletion(-)
diff --git a/kill.go b/kill.go
index f80c4db..3d0e8b2 100644
--- a/kill.go
+++ b/kill.go
@@ -39,7 +39,6 @@ var signalMap = map[string]syscall.Signal{
"TSTP": syscall.SIGTSTP,
"TTIN": syscall.SIGTTIN,
"TTOU": syscall.SIGTTOU,
- "UNUSED": syscall.SIGUNUSED,
"URG": syscall.SIGURG,
"USR1": syscall.SIGUSR1,
"USR2": syscall.SIGUSR2,
--
2.33.0

228503
patch/0035-update-sys-to-v0.4.0-to-support-loong64.patch
View File

File diff suppressed because it is too large Load Diff

41
patch/0036-runc-libcontainer-skip-chown-of-dev-null-caused-by-fd-red.patch
View File

@ -1,41 +0,0 @@
From 52d2b0f2598c255f8fcc295e12a3ddfd4a89dd43 Mon Sep 17 00:00:00 2001
From: Jaroslav Jindrak <dzejrou@gmail.com>
Date: Fri, 20 Jan 2023 21:41:12 +0100
Subject: [PATCH 1/2] libcontainer: skip chown of /dev/null caused by fd
redirection
In 18c4760a (libct: fixStdioPermissions: skip chown if not needed)
the check whether the STDIO file descriptors point to /dev/null was
removed which can cause /dev/null to change ownership e.g. when using
docker exec on a running container:
$ ls -l /dev/null
crw-rw-rw- 1 root root 1, 3 Aug 1 14:12 /dev/null
$ docker exec -u test 0ad6d3064e9d ls
$ ls -l /dev/null
crw-rw-rw- 1 test root 1, 3 Aug 1 14:12 /dev/null
Signed-off-by: Jaroslav Jindrak <dzejrou@gmail.com>
---
libcontainer/init_linux.go | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/libcontainer/init_linux.go b/libcontainer/init_linux.go
index 1e5c394c..2e4c5935 100644
--- a/libcontainer/init_linux.go
+++ b/libcontainer/init_linux.go
@@ -411,8 +411,9 @@ func fixStdioPermissions(u *user.ExecUser) error {
return &os.PathError{Op: "fstat", Path: file.Name(), Err: err}
}
- // Skip chown if uid is already the one we want.
- if int(s.Uid) == u.Uid {
+ // Skip chown if uid is already the one we want or any of the STDIO descriptors
+ // were redirected to /dev/null.
+ if int(s.Uid) == u.Uid || s.Rdev == null.Rdev {
continue
}
--
2.33.0

121
patch/0038-runc-rootless-fix-sys-fs-cgroup-mounts.patch
View File

@ -1,121 +0,0 @@
From fd61dbb032e526bd323702d954520669761647bb Mon Sep 17 00:00:00 2001
From: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Date: Mon, 26 Dec 2022 12:04:26 +0900
Subject: [PATCH] rootless: fix /sys/fs/cgroup mounts
It was found that rootless runc makes `/sys/fs/cgroup` writable in following conditons:
1. when runc is executed inside the user namespace, and the config.json does not specify the cgroup namespace to be unshared
(e.g.., `(docker|podman|nerdctl) run --cgroupns=host`, with Rootless Docker/Podman/nerdctl)
2. or, when runc is executed outside the user namespace, and `/sys` is mounted with `rbind, ro`
(e.g., `runc spec --rootless`; this condition is very rare)
A container may gain the write access to user-owned cgroup hierarchy `/sys/fs/cgroup/user.slice/...` on the host.
Other users's cgroup hierarchies are not affected.
To fix the issue, this commit does:
1. Remount `/sys/fs/cgroup` to apply `MS_RDONLY` when it is being bind-mounted
2. Mask `/sys/fs/cgroup` when the bind source is unavailable
Fix CVE-2023-25809 (GHSA-m8cg-xc2p-r3fc)
Co-authored-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
---
libcontainer/rootfs_linux.go | 53 ++++++++++++++++++++++-------------
tests/integration/mounts.bats | 17 +++++++++++
2 files changed, 51 insertions(+), 19 deletions(-)
diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
index 280a6332..ec14f97e 100644
--- a/libcontainer/rootfs_linux.go
+++ b/libcontainer/rootfs_linux.go
@@ -334,26 +334,41 @@ func mountCgroupV2(m *configs.Mount, c *mountConfig) error {
if err := os.MkdirAll(dest, 0o755); err != nil {
return err
}
- return utils.WithProcfd(c.root, m.Destination, func(procfd string) error {
- if err := mount(m.Source, m.Destination, procfd, "cgroup2", uintptr(m.Flags), m.Data); err != nil {
- // when we are in UserNS but CgroupNS is not unshared, we cannot mount cgroup2 (#2158)
- if errors.Is(err, unix.EPERM) || errors.Is(err, unix.EBUSY) {
- src := fs2.UnifiedMountpoint
- if c.cgroupns && c.cgroup2Path != "" {
- // Emulate cgroupns by bind-mounting
- // the container cgroup path rather than
- // the whole /sys/fs/cgroup.
- src = c.cgroup2Path
- }
- err = mount(src, m.Destination, procfd, "", uintptr(m.Flags)|unix.MS_BIND, "")
- if c.rootlessCgroups && errors.Is(err, unix.ENOENT) {
- err = nil
- }
- }
- return err
- }
- return nil
+ err = utils.WithProcfd(c.root, m.Destination, func(procfd string) error {
+ return mount(m.Source, m.Destination, procfd, "cgroup2", uintptr(m.Flags), m.Data)
})
+ if err == nil || !(errors.Is(err, unix.EPERM) || errors.Is(err, unix.EBUSY)) {
+ return err
+ }
+
+ // When we are in UserNS but CgroupNS is not unshared, we cannot mount
+ // cgroup2 (#2158), so fall back to bind mount.
+ bindM := &configs.Mount{
+ Device: "bind",
+ Source: fs2.UnifiedMountpoint,
+ Destination: m.Destination,
+ Flags: unix.MS_BIND | m.Flags,
+ PropagationFlags: m.PropagationFlags,
+ }
+ if c.cgroupns && c.cgroup2Path != "" {
+ // Emulate cgroupns by bind-mounting the container cgroup path
+ // rather than the whole /sys/fs/cgroup.
+ bindM.Source = c.cgroup2Path
+ }
+ // mountToRootfs() handles remounting for MS_RDONLY.
+ // No need to set c.fd here, because mountToRootfs() calls utils.WithProcfd() by itself in mountPropagate().
+ err = mountToRootfs(bindM, c)
+ if c.rootlessCgroups && errors.Is(err, unix.ENOENT) {
+ // ENOENT (for `src = c.cgroup2Path`) happens when rootless runc is being executed
+ // outside the userns+mountns.
+ //
+ // Mask `/sys/fs/cgroup` to ensure it is read-only, even when `/sys` is mounted
+ // with `rbind,ro` (`runc spec --rootless` produces `rbind,ro` for `/sys`).
+ err = utils.WithProcfd(c.root, m.Destination, func(procfd string) error {
+ return maskPath(procfd, c.label)
+ })
+ }
+ return err
}
func doTmpfsCopyUp(m *configs.Mount, rootfs, mountLabel string) (Err error) {
diff --git a/tests/integration/mounts.bats b/tests/integration/mounts.bats
index 1ec675ac..1e72c5b1 100644
--- a/tests/integration/mounts.bats
+++ b/tests/integration/mounts.bats
@@ -63,3 +63,20 @@ function teardown() {
runc run test_busybox
[ "$status" -eq 0 ]
}
+
+# https://github.com/opencontainers/runc/security/advisories/GHSA-m8cg-xc2p-r3fc
+@test "runc run [ro /sys/fs/cgroup mount]" {
+ # With cgroup namespace
+ update_config '.process.args |= ["sh", "-euc", "for f in `grep /sys/fs/cgroup /proc/mounts | awk \"{print \\\\$2}\"| uniq`; do grep -w $f /proc/mounts | tail -n1; done"]'
+ runc run test_busybox
+ [ "$status" -eq 0 ]
+ [ "${#lines[@]}" -ne 0 ]
+ for line in "${lines[@]}"; do [[ "${line}" == *'ro,'* ]]; done
+
+ # Without cgroup namespace
+ update_config '.linux.namespaces -= [{"type": "cgroup"}]'
+ runc run test_busybox
+ [ "$status" -eq 0 ]
+ [ "${#lines[@]}" -ne 0 ]
+ for line in "${lines[@]}"; do [[ "${line}" == *'ro,'* ]]; done
+}
--
2.33.0

113
patch/0039-runc-Prohibit-proc-and-sys-to-be-symlinks.patch
View File

@ -1,113 +0,0 @@
From 52559766c5298688a8302180bf50b002623776d9 Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin <kolyshkin@gmail.com>
Date: Thu, 16 Mar 2023 14:35:50 -0700
Subject: [PATCH] Prohibit /proc and /sys to be symlinks
Commit 3291d66b9844 introduced a check for /proc and /sys, making sure
the destination (dest) is a directory (and not e.g. a symlink).
Later, a hunk from commit 0ca91f44f switched from using filepath.Join
to SecureJoin for dest. As SecureJoin follows and resolves symlinks,
the check whether dest is a symlink no longer works.
To fix, do the check without/before using SecureJoin.
Add integration tests to make sure we won't regress.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 0d72adf96dda1b687815bf89bb245b937a2f603c)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
---
libcontainer/rootfs_linux.go | 29 ++++++++++++++++++++---------
tests/integration/mask.bats | 19 +++++++++++++++++++
2 files changed, 39 insertions(+), 9 deletions(-)
diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
index ec14f97e..8ce09f6f 100644
--- a/libcontainer/rootfs_linux.go
+++ b/libcontainer/rootfs_linux.go
@@ -418,25 +418,26 @@ func doTmpfsCopyUp(m *configs.Mount, rootfs, mountLabel string) (Err error) {
func mountToRootfs(m *configs.Mount, c *mountConfig) error {
rootfs := c.root
- mountLabel := c.label
- mountFd := c.fd
- dest, err := securejoin.SecureJoin(rootfs, m.Destination)
- if err != nil {
- return err
- }
+ // procfs and sysfs are special because we need to ensure they are actually
+ // mounted on a specific path in a container without any funny business.
switch m.Device {
case "proc", "sysfs":
// If the destination already exists and is not a directory, we bail
- // out This is to avoid mounting through a symlink or similar -- which
+ // out. This is to avoid mounting through a symlink or similar -- which
// has been a "fun" attack scenario in the past.
// TODO: This won't be necessary once we switch to libpathrs and we can
// stop all of these symlink-exchange attacks.
+ dest := filepath.Clean(m.Destination)
+ if !strings.HasPrefix(dest, rootfs) {
+ // Do not use securejoin as it resolves symlinks.
+ dest = filepath.Join(rootfs, dest)
+ }
if fi, err := os.Lstat(dest); err != nil {
if !os.IsNotExist(err) {
return err
}
- } else if fi.Mode()&os.ModeDir == 0 {
+ } else if !fi.IsDir() {
return fmt.Errorf("filesystem %q must be mounted on ordinary directory", m.Device)
}
if strings.HasPrefix(m.Destination, "/proc/sys/") {
@@ -445,8 +446,18 @@ func mountToRootfs(m *configs.Mount, c *mountConfig) error {
if err := os.MkdirAll(dest, 0o755); err != nil {
return err
}
- // Selinux kernels do not support labeling of /proc or /sys
+ // Selinux kernels do not support labeling of /proc or /sys.
return mountPropagate(m, rootfs, "", nil)
+ }
+
+ mountLabel := c.label
+ mountFd := c.fd
+ dest, err := securejoin.SecureJoin(rootfs, m.Destination)
+ if err != nil {
+ return err
+ }
+
+ switch m.Device {
case "mqueue":
if err := os.MkdirAll(dest, 0o755); err != nil {
return err
diff --git a/tests/integration/mask.bats b/tests/integration/mask.bats
index b5f29675..272c879c 100644
--- a/tests/integration/mask.bats
+++ b/tests/integration/mask.bats
@@ -56,3 +56,22 @@ function teardown() {
[ "$status" -eq 1 ]
[[ "${output}" == *"Operation not permitted"* ]]
}
+
+@test "mask paths [prohibit symlink /proc]" {
+ ln -s /symlink rootfs/proc
+ runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox
+ [ "$status" -eq 1 ]
+ [[ "${output}" == *"must be mounted on ordinary directory"* ]]
+}
+
+@test "mask paths [prohibit symlink /sys]" {
+ # In rootless containers, /sys is a bind mount not a real sysfs.
+ requires root
+
+ ln -s /symlink rootfs/sys
+ runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox
+ [ "$status" -eq 1 ]
+ # On cgroup v1, this may fail before checking if /sys is a symlink,
+ # so we merely check that it fails, and do not check the exact error
+ # message like for /proc above.
+}
--
2.33.0

43
patch/0040-runc-modify-runc-make-command-to-satisfy-the-compile.patch
View File

@ -1,43 +0,0 @@
From e6f2993d5dd72e20728512b8829b5e679b1a26a6 Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Thu, 8 Jun 2023 19:16:45 +0800
Subject: [PATCH] runc:modify runc make command to satisfy the compile options
---
Makefile | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Makefile b/Makefile
index 34b5347d..564ad70a 100644
--- a/Makefile
+++ b/Makefile
@@ -25,7 +25,7 @@ ifeq ($(shell $(GO) env GOOS),linux)
endif
GO_BUILD := $(GO) build -trimpath $(GO_BUILDMODE) $(EXTRA_FLAGS) -tags "$(BUILDTAGS)" \
-ldflags "-X main.gitCommit=$(COMMIT) -X main.version=$(VERSION) $(EXTRA_LDFLAGS)"
-GO_BUILD_STATIC := $(GO) build -trimpath $(EXTRA_FLAGS) -tags "$(BUILDTAGS) static_build cgo netgo osusergo"
+GO_BUILD_STATIC := $(GO) build -buildmode=pie -trimpath $(EXTRA_FLAGS) -tags "$(BUILDTAGS) static_build cgo netgo osusergo"
GPG_KEYID ?= asarai@suse.de
@@ -41,7 +41,7 @@ recvtty sd-helper seccompagent:
$(GO_BUILD) $(BEP_FLAG) -buildid=IdByIsula -o contrib/cmd/$@/$@ ./contrib/cmd/$@
LD_FLAGS='-buildid=none -tmpdir=/tmp/bep-runc -linkmode=external -extldflags=-Wl,-z,relro,-z,now \
- -extldflags -static -X main.gitCommit=$(COMMIT) -X main.version=$(VERSION) $(EXTRA_LDFLAGS) \
+ -X main.gitCommit=$(COMMIT) -X main.version=$(VERSION) $(EXTRA_LDFLAGS) \
'
static:
@@ -51,7 +51,7 @@ static:
CGO_CPPFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
CGO_LDFLAGS_ALLOW='-Wl,-z,relro,-z,now' \
CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
- $(GO_BUILD_STATIC) -buildmode=pie -ldflags $(LD_FLAGS) -o runc .
+ $(GO_BUILD_STATIC) -ldflags '-extldflags=-static' -ldflags $(LD_FLAGS) -o runc .
releaseall: RELEASE_ARGS := "-a arm64 -a armel -a armhf -a ppc64le -a s390x"
releaseall: release
--
2.33.0

97
patch/0042-runc-libct-fix-a-race-with-systemd-removal.patch
View File

@ -1,97 +0,0 @@
From 45abd12f084c62f3fbd24ab0fb0d3c1e3edf6ac7 Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin <kolyshkin@gmail.com>
Date: Tue, 4 Apr 2023 16:59:43 -0700
Subject: [PATCH] libct: fix a race with systemd removal
For a previous attempt to fix that (and added test cases), see commit
9087f2e827d971.
Alas, it's not always working because of cgroup directory TOCTOU.
To solve this and avoid the race, add an error _after_ the operation.
Implement it as a method that ignores the error that should be ignored.
Instead of currentStatus(), use faster runType(), since we are not
interested in Paused status here.
For Processes(), remove the pre-op check, and only use it after getting
an error, making the non-error path more straightforward.
For Signal(), add a second check after getting an error. The first check
is left as is because signalAllProcesses might print a warning if the
cgroup does not exist, and we'd like to avoid that.
This should fix an occasional failure like this one:
not ok 84 kill detached busybox
# (in test file tests/integration/kill.bats, line 27)
# `[ "$status" -eq 0 ]' failed
....
# runc kill test_busybox KILL (status=0):
# runc kill -a test_busybox 0 (status=1):
# time="2023-04-04T18:24:27Z" level=error msg="lstat /sys/fs/cgroup/devices/system.slice/runc-test_busybox.scope: no such file or directory"
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
---
libcontainer/container_linux.go | 33 +++++++++++++++++++++------------
1 file changed, 21 insertions(+), 12 deletions(-)
diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
index 1a210fa2..1189e5af 100644
--- a/libcontainer/container_linux.go
+++ b/libcontainer/container_linux.go
@@ -146,19 +146,27 @@ func (c *linuxContainer) OCIState() (*specs.State, error) {
return c.currentOCIState()
}
-func (c *linuxContainer) Processes() ([]int, error) {
- var pids []int
- status, err := c.currentStatus()
- if err != nil {
- return pids, err
+// ignoreCgroupError filters out cgroup-related errors that can be ignored,
+// because the container is stopped and its cgroup is gone.
+func (c *linuxContainer) ignoreCgroupError(err error) error {
+ if err == nil {
+ return nil
}
- // for systemd cgroup, the unit's cgroup path will be auto removed if container's all processes exited
- if status == Stopped && !c.cgroupManager.Exists() {
- return pids, nil
+ if errors.Is(err, os.ErrNotExist) && c.runType() == Stopped && !c.cgroupManager.Exists() {
+ return nil
}
+ return err
+}
- pids, err = c.cgroupManager.GetAllPids()
- if err != nil {
+// Processes returns the PIDs inside this container. The PIDs are in the
+// namespace of the calling process.
+//
+// Some of the returned PIDs may no longer refer to processes in the container,
+// unless the container state is PAUSED in which case every PID in the slice is
+// valid.
+func (c *linuxContainer) Processes() ([]int, error) {
+ pids, err := c.cgroupManager.GetAllPids()
+ if err = c.ignoreCgroupError(err); err != nil {
return nil, fmt.Errorf("unable to get all container pids: %w", err)
}
return pids, nil
@@ -382,11 +390,12 @@ func (c *linuxContainer) Signal(s os.Signal, all bool) error {
return err
}
if all {
- // for systemd cgroup, the unit's cgroup path will be auto removed if container's all processes exited
if status == Stopped && !c.cgroupManager.Exists() {
+ // Avoid calling signalAllProcesses which may print
+ // a warning trying to freeze a non-existing cgroup.
return nil
}
- return signalAllProcesses(c.cgroupManager, s)
+ return c.ignoreCgroupError(signalAllProcesses(c.cgroupManager, s))
}
// to avoid a PID reuse attack
if status == Running || status == Created || status == Paused {
--
2.33.0

38
patch/0043-runc-run-refuse-a-non-empty-cgroup.patch
View File

@ -1,38 +0,0 @@
From 2132cc52fbf68f9bfaf5dd18a1a5a25ecdd37929 Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin <kolyshkin@gmail.com>
Date: Thu, 23 Mar 2023 11:57:46 -0700
Subject: [PATCH] runc run: refuse a non-empty cgroup
Commit d08bc0c1b3bb2 ("runc run: warn on non-empty cgroup") introduced
a warning when a container is started in a non-empty cgroup. Such
configuration has lots of issues.
In addition to that, such configuration is not possible at all when
using the systemd cgroup driver.
As planned, let's promote this warning to an error, and fix the test
case accordingly.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
---
libcontainer/factory_linux.go | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/libcontainer/factory_linux.go b/libcontainer/factory_linux.go
index e6c71ac3..39fc3121 100644
--- a/libcontainer/factory_linux.go
+++ b/libcontainer/factory_linux.go
@@ -179,9 +179,7 @@ func (l *LinuxFactory) Create(id string, config *configs.Config) (Container, err
return nil, fmt.Errorf("unable to get cgroup PIDs: %w", err)
}
if len(pids) != 0 {
- // TODO: return an error.
- logrus.Warnf("container's cgroup is not empty: %d process(es) found", len(pids))
- logrus.Warn("DEPRECATED: running container in a non-empty cgroup won't be supported in runc 1.2; https://github.com/opencontainers/runc/issues/3132")
+ return nil, fmt.Errorf("container's cgroup is not empty: %d process(es) found", len(pids))
}
}
--
2.33.0

12
runc.spec
View File

@ -3,7 +3,7 @@
Name: docker-runc
Version: 1.1.8
Release: 1
Release: 2
Summary: runc is a CLI tool for spawning and running containers according to the OCI specification.
License: ASL 2.0
@ -34,10 +34,6 @@ cp %{SOURCE5} .
%install
sh ./apply-patch
%ifarch loongarch64
patch -p1 < %{_builddir}/patch/0034-SIGUNUSED-is-nolonger-support-for-loongarch.patch
patch -p1 < %{_builddir}/patch/0035-update-sys-to-v0.4.0-to-support-loong64.patch
%endif
mkdir -p .gopath/src/github.com/opencontainers
export GO111MODULE=off
@ -58,6 +54,12 @@ install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc
%{_bindir}/runc
%changelog
* Wed July 26 2023 vegbir<yangjiaqi16@huawei.com> - 1.1.8-2
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:modify patch for 1.1.8
* Fri July 21 2023 vegbir<yangjiaqi16@huawei.com> - 1.1.8-1
- Type:bugfix
- ID:NA

67
series.conf
View File

@ -1,41 +1,26 @@
patch/0001-runc-Add-spec-for-euleros.patch
patch/0002-runc-fix-unittest-and-integration-test-error-caused.patch
patch/0003-runc-add-timeout-for-syscall.Openat.patch
patch/0004-runc-update-state-eariler-to-avoid-cgroup-leak-when-.patch
patch/0005-runc-print-cgroup-info-if-cpuset-missing-occurs.patch
patch/0006-runc-add-more-specific-log-for-hooks.patch
patch/0007-runc-reduce-max-number-of-retries-to-10.patch
patch/0008-runc-print-error-message-during-start-into-container.patch
patch/0009-runc-ignore-exec.fifo-removing-not-exist-error.patch
patch/0010-runc-Add-file-fds-limit.patch
patch/0011-runc-logs-forwarding-to-syslog.patch
patch/0012-runc-support-namespaced-kernel-params-can-be-changed.patch
patch/0013-runc-modify-minHookTimeOut.patch
patch/0014-runc-make-hooks-log-more-userful-and-fix-syslog-hook.patch
patch/0015-runc-fix-runc-log-decode-failed.patch
patch/0016-runc-do-not-setup-sysctl-in-runc-when-userns-enable.patch
patch/0017-runc-support-set-seccomp-priority.patch
patch/0018-runc-do-not-kill-container-if-poststart-hooks-execut.patch
patch/0019-runc-print-memory-info-when-syscall.Exec-failed.patch
patch/0020-runc-add-sysctl-kernel.pid_max-to-whitelist.patch
patch/0021-runc-disable-core-dump-during-exec.patch
patch/0022-runc-fix-exec-problem-caused-by-libseccomp-updating.patch
patch/0023-runc-add-log-message-for-cgroup-file-check.patch
patch/0024-runc-unified-use-of-logpipe.patch
patch/0025-runc-support-set-cpuset.prefer_cpus-using-cpuset-cpu.patch
patch/0026-runc-add-DT-for-cpuset.preferred_cpus-setting.patch
patch/0027-runc-modify-runc-Makefile.patch
patch/0028-runc-cgroup-apply-method-modify.patch
patch/0029-runc-runc-log-forward-to-syslog.patch
patch/0030-runc-support-specify-umask.patch
patch/0031-runc-modify-linuxcontainer-starttime-uint64-type-tob.patch
patch/0032-runc-make-runc-spec-compatible-1.0.0.rc3.patch
patch/0033-add-loongarch-support-for-libcontainer.patch
patch/0036-runc-libcontainer-skip-chown-of-dev-null-caused-by-fd-red.patch
patch/0037-runc-Fixed-init-state-error-variable.patch
patch/0038-runc-rootless-fix-sys-fs-cgroup-mounts.patch
patch/0039-runc-Prohibit-proc-and-sys-to-be-symlinks.patch
patch/0040-runc-modify-runc-make-command-to-satisfy-the-compile.patch
patch/0041-runc-libct-fix-shared-pidns-detection.patch
patch/0042-runc-libct-fix-a-race-with-systemd-removal.patch
patch/0043-runc-run-refuse-a-non-empty-cgroup.patch
patch/0001-runc-add-timeout-for-syscall.Exec.patch
patch/0002-runc-update-state-eariler-to-avoid-cgroup-leak-when-.patch
patch/0003-runc-print-cgroup-info-if-cpuset-missing-occurs.patch
patch/0004-runc-add-more-specific-log-for-hooks.patch
patch/0005-runc-reduce-max-number-of-retries-to-10.patch
patch/0006-runc-ignore-exec.fifo-removing-not-exist-error.patch
patch/0007-runc-Add-file-fds-limit.patch
patch/0008-runc-runc-logs-forwarding-to-syslog.patch
patch/0009-runc-support-namespaced-kernel-params-can-be-changed.patch
patch/0010-runc-make-hooks-log-more-userful-and-fix-syslog-hook.patch
patch/0011-runc-do-not-setup-sysctl-in-runc-when-userns-enable.patch
patch/0012-runc-support-set-seccomp-priority.patch
patch/0013-runc-do-not-kill-container-if-poststart-hooks-execut.patch
patch/0014-runc-add-sysctl-kernel.pid_max-to-whitelist.patch
patch/0015-runc-disable-core-dump-during-exec.patch
patch/0016-runc-fix-exec-problem-caused-by-libseccomp-updating.patch
patch/0017-runc-add-log-message-for-cgroup-file-check.patch
patch/0019-runc-support-set-cpuset.prefer_cpus-using-cpuset-cpu.patch
patch/0020-runc-add-DT-for-cpuset.preferred_cpus-setting.patch
patch/0021-runc-modify-runc-Makefile.patch
patch/0022-runc-cgroup-apply-method-modify.patch
patch/0023-runc-support-specify-umask.patch
patch/0024-runc-modify-linuxcontainer-starttime-uint64-type-tob.patch
patch/0025-runc-make-runc-spec-compatible-1.0.0.rc3.patch
patch/0026-runc-Fixed-init-state-error-variable.patch
patch/0027-runc-libct-fix-shared-pidns-detection.patch