!2 runc: add patches

Merge pull request !2 from Grooooot/master
2020-03-06 17:28:36 +08:00 · 2020-03-06 17:28:36 +08:00 · 8f8796634d
commit 8f8796634d
parent 33edf12965 ba3d1f2aa6
9 changed files with 245 additions and 76 deletions
--- a/README.en.md
+++ b/README.en.md
@ -1,36 +0,0 @@
 # runc
 #### Description
 {**When you're done, you can delete the content in this README and update the file with details for others getting started with your repository**}
 #### Software Architecture
 Software architecture description
 #### Installation
 1.  xxxx
 2.  xxxx
 3.  xxxx
 #### Instructions
 1.  xxxx
 2.  xxxx
 3.  xxxx
 #### Contribution
 1.  Fork the repository
 2.  Create Feat_xxx branch
 3.  Commit your code
 4.  Create Pull Request
 #### Gitee Feature
 1.  You can use Readme\_XXX.md to support different languages, such as Readme\_en.md, Readme\_zh.md
 2.  Gitee blog [blog.gitee.com](https://blog.gitee.com)
 3.  Explore open source project [https://gitee.com/explore](https://gitee.com/explore)
 4.  The most valuable open source project [GVP](https://gitee.com/gvp)
 5.  The manual of Gitee [https://gitee.com/help](https://gitee.com/help)
 6.  The most popular members  [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/)
--- a/README.md
+++ b/README.md
@ -1,39 +0,0 @@
 # runc
 #### 介绍
 {**以下是码云平台说明，您可以替换此简介**
 码云是 OSCHINA 推出的基于 Git 的代码托管平台（同时支持 SVN）。专为开发者提供稳定、高效、安全的云端软件开发协作平台
 无论是个人、团队、或是企业，都能够用码云实现代码托管、项目管理、协作开发。企业项目请看 [https://gitee.com/enterprises](https://gitee.com/enterprises)}
 #### 软件架构
 软件架构说明
 #### 安装教程
 1.  xxxx
 2.  xxxx
 3.  xxxx
 #### 使用说明
 1.  xxxx
 2.  xxxx
 3.  xxxx
 #### 参与贡献
 1.  Fork 本仓库
 2.  新建 Feat_xxx 分支
 3.  提交代码
 4.  新建 Pull Request
 #### 码云特技
 1.  使用 Readme\_XXX.md 来支持不同的语言，例如 Readme\_en.md, Readme\_zh.md
 2.  码云官方博客 [blog.gitee.com](https://blog.gitee.com)
 3.  你可以 [https://gitee.com/explore](https://gitee.com/explore) 这个地址来了解码云上的优秀开源项目
 4.  [GVP](https://gitee.com/gvp) 全称是码云最有价值开源项目，是码云综合评定出的优秀开源项目
 5.  码云官方提供的使用手册 [https://gitee.com/help](https://gitee.com/help)
 6.  码云封面人物是一档用来展示码云会员风采的栏目 [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/)
--- a/patch/0112-runc-Fixes-1585-config.Namespaces-is-empty-.patch
+++ b/patch/0112-runc-Fixes-1585-config.Namespaces-is-empty-.patch
@ -0,0 +1,50 @@
 From 38b4e1c3faeb7dfb3001dbd34fb2fe904a642367 Mon Sep 17 00:00:00 2001
 From: xiadanni1 <xiadanni1@huawei.com>
 Date: Fri, 13 Dec 2019 03:40:47 +0800
 Subject: [PATCH 1/5] runc: Fixes #1585 config.Namespaces is empty
 when accessed
 reason:Fixes #1585 config.Namespaces is empty when accessed
 Change-Id: I734db7320eee233a1b5a3c6f569506b7304e764e
 Signed-off-by: xiadanni1 <xiadanni1@huawei.com>
 ---
 libcontainer/specconv/spec_linux.go | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)
 diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go
 index 8c4567c..0cbc66f 100644
 --- a/libcontainer/specconv/spec_linux.go
 +++ b/libcontainer/specconv/spec_linux.go
@@ -180,13 +180,6 @@ func CreateLibcontainerConfig(opts *CreateOpts) (*configs.Config, error) {
 	}
 	exists := false
 -	if config.Namespaces.Contains(configs.NEWNET) && config.Namespaces.PathOf(configs.NEWNET) == "" {
 -		config.Networks = []*configs.Network{
 -			{
 -				Type: "loopback",
 -			},
 -		}
 -	}
 	for _, m := range spec.Mounts {
 		config.Mounts = append(config.Mounts, createLibcontainerMount(cwd, m))
 	}
@@ -217,7 +210,13 @@ func CreateLibcontainerConfig(opts *CreateOpts) (*configs.Config, error) {
 			}
 			config.Namespaces.Add(t, ns.Path)
 		}
 -
 +		if config.Namespaces.Contains(configs.NEWNET) && config.Namespaces.PathOf(configs.NEWNET) == "" {
 +			config.Networks = []*configs.Network{
 +				{
 +					Type: "loopback",
 +				},
 +			}
 +		}
 		// set extra path masking for libcontainer for the various unsafe places in proc
 		config.MaskPaths = spec.Linux.MaskedPaths
 		config.ReadonlyPaths = spec.Linux.ReadonlyPaths
 -- 
 1.8.3.1
--- a/patch/0113-runc-Write-freezer-state-after-every-state-.patch
+++ b/patch/0113-runc-Write-freezer-state-after-every-state-.patch
@ -0,0 +1,46 @@
 From caea676dbff1834f7c22c0ebe20a1d2c8c18b762 Mon Sep 17 00:00:00 2001
 From: xiadanni1 <xiadanni1@huawei.com>
 Date: Fri, 13 Dec 2019 06:50:44 +0800
 Subject: [PATCH 2/5] runc:Write freezer state after every state
 check
 reason:This commit ensures we write the expected freezer cgroup state
 after every state check, in case the state check does not give the expected
 result. This can happen when a new task is created and prevents the
 whole cgroup to be FROZEN, leaving the state into FREEZING instead.
 This patch prevents the case of an infinite loop to happen.
 Fixes https://github.com/opencontainers/runc/issues/1609
 Change-Id: I8243eba847357715b13fd4e291bee9782ee50360
 Signed-off-by: xiadanni1 <xiadanni1@huawei.com>
 ---
 libcontainer/cgroups/fs/freezer.go | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
 diff --git a/libcontainer/cgroups/fs/freezer.go b/libcontainer/cgroups/fs/freezer.go
 index e70dfe3..5ab3c02 100644
 --- a/libcontainer/cgroups/fs/freezer.go
 +++ b/libcontainer/cgroups/fs/freezer.go
@@ -29,11 +29,14 @@ func (s *FreezerGroup) Apply(d *cgroupData) error {
 func (s *FreezerGroup) Set(path string, cgroup *configs.Cgroup) error {
 	switch cgroup.Resources.Freezer {
 	case configs.Frozen, configs.Thawed:
 -		if err := writeFile(path, "freezer.state", string(cgroup.Resources.Freezer)); err != nil {
 -			return err
 -		}
 -
 		for {
 +			// In case this loop does not exit because it doesn't get the expected
 +			// state, let's write again this state, hoping it's going to be properly
 +			// set this time. Otherwise, this loop could run infinitely, waiting for
 +			// a state change that would never happen.
 +			if err := writeFile(path, "freezer.state", string(cgroup.Resources.Freezer)); err != nil {
 +				return err
 +			}
 			state, err := readFile(path, "freezer.state")
 			if err != nil {
 				return err
 -- 
 1.8.3.1
--- a/patch/0114-runc-may-kill-other-process-when-container-.patch
+++ b/patch/0114-runc-may-kill-other-process-when-container-.patch
@ -0,0 +1,43 @@
 From b39f29f48456ae7e9b85ff7584adeb7e68fda460 Mon Sep 17 00:00:00 2001
 From: xiadanni1 <xiadanni1@huawei.com>
 Date: Thu, 19 Dec 2019 02:35:01 +0800
 Subject: [PATCH 3/5] runc: may kill other process when container
 has been stopped
 reason:may kill other process when container has been stopped
 Change-Id: Iaa1af6f44dec5d7eac3518ff1dbdfedc68eb7219
 Signed-off-by: xiadanni1 <xiadanni1@huawei.com>
 ---
 libcontainer/container_linux.go | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
 diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
 index e7c178b..9b25183 100644
 --- a/libcontainer/container_linux.go
 +++ b/libcontainer/container_linux.go
@@ -358,10 +358,18 @@ func (c *linuxContainer) Signal(s os.Signal, all bool) error {
 	if all {
 		return signalAllProcesses(c.cgroupManager, s)
 	}
 -	if err := c.initProcess.signal(s); err != nil {
 -		return newSystemErrorWithCause(err, "signaling init process")
 +	status, err := c.currentStatus()
 +	if err != nil {
 +		return err
 	}
 -	return nil
 +	// to avoid a PID reuse attack
 +	if status == Running || status == Created {
 +		if err := c.initProcess.signal(s); err != nil {
 +			return newSystemErrorWithCause(err, "signaling init process")
 +		}
 +		return nil
 +	}
 +	return newGenericError(fmt.Errorf("container not running"), ContainerNotRunning)
 }
 func (c *linuxContainer) createExecFifo() error {
 -- 
 1.8.3.1
--- a/patch/0115-runc-Fix-cgroup-hugetlb-size-prefix-for-kB.patch
+++ b/patch/0115-runc-Fix-cgroup-hugetlb-size-prefix-for-kB.patch
@ -0,0 +1,54 @@
 From d46d29ea24d8fb4fc03c739e619d7d241dc5556c Mon Sep 17 00:00:00 2001
 From: xiadanni1 <xiadanni1@huawei.com>
 Date: Thu, 19 Dec 2019 02:37:54 +0800
 Subject: [PATCH 4/5] runc: Fix cgroup hugetlb size prefix for kB
 reason:The hugetlb cgroup control files (introduced here in 2012:
 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=abb8206cb0773)
 use "KB" and not "kB"
 (https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/mm/hugetlb_cgroup.c?h=v5.0#n349).
 The behavior in the kernel has not changed since the introduction, and
 the current code using "kB" will therefore fail on devices with small
 amounts of ram (see
 https://github.com/kubernetes/kubernetes/issues/77169) running a kernel
 with config flag CONFIG_HUGETLBFS=y
 As seen from the code in "mem_fmt" inside hugetlb_cgroup.c, only "KB",
 "MB" and "GB" are used, so the others may be removed as well.
 Here is a real world example of the files inside the
 "/sys/kernel/mm/hugepages/" directory:
 - "hugepages-64kB"
 - "hugepages-2048kB"
 - "hugepages-32768kB"
 - "hugepages-1048576kB"
 And the corresponding cgroup files:
 - "hugetlb.64KB._____"
 - "hugetlb.2MB._____"
 - "hugetlb.32MB._____"
 - "hugetlb.1GB._____"
 Change-Id: If35e44e4b6846f8ed2870aedb9fed5dd3a38e91f
 Signed-off-by: xiadanni1 <xiadanni1@huawei.com>
 ---
 libcontainer/cgroups/utils.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/libcontainer/cgroups/utils.go b/libcontainer/cgroups/utils.go
 index c9411ee..5155e14 100644
 --- a/libcontainer/cgroups/utils.go
 +++ b/libcontainer/cgroups/utils.go
@@ -384,7 +384,7 @@ func RemovePaths(paths map[string]string) (err error) {
 func GetHugePageSize() ([]string, error) {
 	var pageSizes []string
 -	sizeList := []string{"B", "kB", "MB", "GB", "TB", "PB"}
 +	sizeList := []string{"B", "KB", "MB", "GB", "TB", "PB"}
 	files, err := ioutil.ReadDir("/sys/kernel/mm/hugepages")
 	if err != nil {
 		return pageSizes, err
 -- 
 1.8.3.1
--- a/patch/0116-runc-check-nil-pointers-in-cgroup-manager.patch
+++ b/patch/0116-runc-check-nil-pointers-in-cgroup-manager.patch
@ -0,0 +1,46 @@
 From 1b9ff04a3f6e7bc9b8bce087ccacf894c21adc97 Mon Sep 17 00:00:00 2001
 From: xiadanni1 <xiadanni1@huawei.com>
 Date: Thu, 19 Dec 2019 02:41:08 +0800
 Subject: [PATCH 5/5] runc: check nil pointers in cgroup manager
 reason:check nil pointers in cgroup manager
 Change-Id: I94bda4b4ca4031ee93d54885603e60e64d3683a0
 Signed-off-by: xiadanni1 <xiadanni1@huawei.com>
 ---
 libcontainer/cgroups/fs/apply_raw.go | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
 diff --git a/libcontainer/cgroups/fs/apply_raw.go b/libcontainer/cgroups/fs/apply_raw.go
 index 7677f33..73c733a 100644
 --- a/libcontainer/cgroups/fs/apply_raw.go
 +++ b/libcontainer/cgroups/fs/apply_raw.go
@@ -189,9 +189,13 @@ func (m *Manager) GetStats() (*cgroups.Stats, error) {
 }
 func (m *Manager) Set(container *configs.Config) error {
 +	if container.Cgroups == nil {
 +		return nil
 +	}
 +
 	// If Paths are set, then we are just joining cgroups paths
 	// and there is no need to set any values.
 -	if m.Cgroups.Paths != nil {
 +	if m.Cgroups != nil && m.Cgroups.Paths != nil {
 		return nil
 	}
@@ -214,6 +218,10 @@ func (m *Manager) Set(container *configs.Config) error {
 // Freeze toggles the container's freezer cgroup depending on the state
 // provided
 func (m *Manager) Freeze(state configs.FreezerState) error {
 +	if m.Cgroups == nil {
 +		return errors.New("cannot toggle freezer: cgroups not configured for container")
 +	}
 +
 	paths := m.GetPaths()
 	dir := paths["freezer"]
 	prevState := m.Cgroups.Resources.Freezer
 -- 
 1.8.3.1
--- a/runc-openeuler.spec
+++ b/runc-openeuler.spec
@ -2,7 +2,7 @@
 Name: docker-runc
 Version: 1.0.0.rc3
-Release: 101
+Release: 102
 Summary: runc is a CLI tool for spawning and running containers according to the OCI specification.
 License: ASL 2.0
--- a/series.conf
+++ b/series.conf
@ -108,3 +108,8 @@
 0111-runc-add-log-message-for-cgroup-file-check.patch
 0112-runc-add-log-message-for-cgroup-file-check.patch
 0113-runc-modify-files-cgroup-info-reading-path.patch
 0112-runc-Fixes-1585-config.Namespaces-is-empty-.patch
 0113-runc-Write-freezer-state-after-every-state-.patch
 0114-runc-may-kill-other-process-when-container-.patch
 0115-runc-Fix-cgroup-hugetlb-size-prefix-for-kB.patch
 0116-runc-check-nil-pointers-in-cgroup-manager.patch