packages/runc
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!88 runc: patch round in runc1.1.3

Browse Source 
From: @zhong-jiawei-1 
Reviewed-by: @Vanient, @duguhaotian 
Signed-off-by: @duguhaotian
This commit is contained in:
openeuler-ci-bot 2022-11-04 06:25:32 +00:00 committed by Gitee
commit de58c7c44d
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
162 changed files with 2334 additions and 149134 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
apply-patch
View File

@ -19,7 +19,7 @@ while IPF= read -r line
do
if [[ "$line" =~ ^patch* ]]; then
echo patch -p1 $cwd/$line
cd $src && patch -p1 < $cwd/$line
patch -p1 < $cwd/$line
fi
done <"$series"

2
git-commit
View File

@ -1 +1 @@
9e829af4b75cbee163a3e444a4234a7d6f6a2127
43d228d300f9de4c4071f6e8adb7205271383185

40
patch/0001-.travis.yml-Don-t-require-FETCH_HEAD.patch
View File

@ -1,40 +0,0 @@
From 3eb678a633ddf3be06851a1b8c69a98650e9a367 Mon Sep 17 00:00:00 2001
From: "W. Trevor King" <wking@tremily.us>
Date: Tue, 21 Mar 2017 11:48:39 -0700
Subject: [PATCH 01/94] .travis.yml: Don't require FETCH_HEAD
Master builds only have a 'git clone ...' [1] so FETCH_HEAD isn't
defined and git-validation crashes [2]. We don't want to be
hard-coding a range here, and should update git-validation to handle
these cases automatically.
Also echo TRAVIS_* variables during testing to make debugging
git-validation easier.
[1]: https://travis-ci.org/opencontainers/runc/jobs/213508696#L243
[2]: https://travis-ci.org/opencontainers/runc/jobs/213508696#L347
Change-Id: I325ae392323133b123f0ef7577a4464ae10a54cb
Signed-off-by: W. Trevor King <wking@tremily.us>
---
.travis.yml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.travis.yml b/.travis.yml
index 04f71f5..244c643 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -23,8 +23,9 @@ before_install:
- go get -u github.com/golang/lint/golint
- go get -u github.com/vbatts/git-validation
- go get -u github.com/mvdan/sh/cmd/shfmt
+ - env | grep TRAVIS_
script:
- - git-validation -run DCO,short-subject -v -range ${TRAVIS_BRANCH}..FETCH_HEAD
+ - git-validation -run DCO,short-subject -v
- make BUILDTAGS="${BUILDTAGS}"
- make BUILDTAGS="${BUILDTAGS}" clean validate test
--
2.7.4.3

27
patch/0031-Add-spec-for-euleros.patch → patch/0001-runc-Add-spec-for-euleros.patch
View File

@ -1,21 +1,19 @@
From 3a4b5e8752e2200d0b7967c0cf0fd8ab859b6d1a Mon Sep 17 00:00:00 2001
From: Lei Jitang <leijitang@huawei.com>
Date: Mon, 17 Jul 2017 02:39:37 -0400
Subject: [PATCH 31/94] Add spec for euleros
From 0aa433bd4f83b99ed1964d67abbb7fe833d8b78d Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Sat, 8 Oct 2022 15:49:27 +0800
Subject: [PATCH] runc:Add spec for euleros
Change-Id: I74128e7ba4aa7f2a15515ac753664c933432b149
Signed-off-by: Lei Jitang <leijitang@huawei.com>
---
script/runc-euleros.spec | 49 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 49 insertions(+)
create mode 100644 script/runc-euleros.spec
runc-1.1.3/script/runc-euleros.spec | 50 +++++++++++++++++++++++++++++
1 file changed, 50 insertions(+)
create mode 100644 runc-1.1.3/script/runc-euleros.spec
diff --git a/script/runc-euleros.spec b/script/runc-euleros.spec
diff --git a/runc-1.1.3/script/runc-euleros.spec b/runc-1.1.3/script/runc-euleros.spec
new file mode 100644
index 0000000..a925e02
index 0000000..db4e868
--- /dev/null
+++ b/script/runc-euleros.spec
@@ -0,0 +1,49 @@
+++ b/runc-1.1.3/script/runc-euleros.spec
@@ -0,0 +1,50 @@
+%global _bindir /usr/local/bin
+
+Name: docker-runc
@ -36,6 +34,7 @@ index 0000000..a925e02
+BuildRequires: libseccomp-devel
+BuildRequires: libselinux-devel
+
+BuildRequires: libseccomp-static
+
+%description
+runc is a CLI tool for spawning and running containers according to the OCF specification
@ -66,5 +65,5 @@ index 0000000..a925e02
+%changelog
+
--
2.7.4.3
2.30.0

43
patch/0002-Don-t-try-to-read-freezer.state-from-the-cu.patch
View File

@ -1,43 +0,0 @@
From 4ccbadc228c9e4fc0fd20690ca13517f02aab59d Mon Sep 17 00:00:00 2001
From: Andrei Vagin <avagin@virtuozzo.com>
Date: Thu, 23 Mar 2017 01:43:39 +0300
Subject: [PATCH 02/94] Don't try to read freezer.state from the
current directory
If we try to pause a container on the system without freezer cgroups,
we can found that runc tries to open ./freezer.state. It is obviously wrong.
$ ./runc pause test
no such directory for freezer.state
$ echo FROZEN > freezer.state
$ ./runc pause test
container not running or created: paused
Change-Id: Ia7eba3a300a7ca6f1e8e10e4b1cbb4360e083e33
Signed-off-by: Andrei Vagin <avagin@virtuozzo.com>
---
libcontainer/container_linux.go | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
index 28dff86..cd9235d 100644
--- a/libcontainer/container_linux.go
+++ b/libcontainer/container_linux.go
@@ -1284,7 +1284,12 @@ func (c *linuxContainer) runType() (Status, error) {
}
func (c *linuxContainer) isPaused() (bool, error) {
- data, err := ioutil.ReadFile(filepath.Join(c.cgroupManager.GetPaths()["freezer"], "freezer.state"))
+ fcg := c.cgroupManager.GetPaths()["freezer"]
+ if fcg == "" {
+ // A container doesn't have a freezer cgroup
+ return false, nil
+ }
+ data, err := ioutil.ReadFile(filepath.Join(fcg, "freezer.state"))
if err != nil {
// If freezer cgroup is not mounted, the container would just be not paused.
if os.IsNotExist(err) {
--
2.7.4.3

63
patch/0002-runc-fix-unittest-and-integration-test-error-caused.patch Normal file
View File

@ -0,0 +1,63 @@
From 3afc90db6eb945e2668b66b1613659bb28e306e1 Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Sat, 8 Oct 2022 16:23:11 +0800
Subject: [PATCH] runc:fix unittest and integration test error caused
---
runc-1.1.3/libcontainer/integration/execin_test.go | 8 +-------
runc-1.1.3/tests/integration/exec.bats | 4 ++--
2 files changed, 3 insertions(+), 9 deletions(-)
diff --git a/runc-1.1.3/libcontainer/integration/execin_test.go b/runc-1.1.3/libcontainer/integration/execin_test.go
index f8a6a9c..9669eca 100644
--- a/runc-1.1.3/libcontainer/integration/execin_test.go
+++ b/runc-1.1.3/libcontainer/integration/execin_test.go
@@ -62,9 +62,6 @@ func TestExecIn(t *testing.T) {
if !strings.Contains(out, "cat") || !strings.Contains(out, "ps") {
t.Fatalf("unexpected running process, output %q", out)
}
- if strings.Contains(out, "\r") {
- t.Fatalf("unexpected carriage-return in output %q", out)
- }
}
func TestExecInUsernsRlimit(t *testing.T) {
@@ -318,12 +315,9 @@ func TestExecInTTY(t *testing.T) {
_ = child.Close()
out := stdout.String()
- if !strings.Contains(out, "cat") || !strings.Contains(out, "ps") {
+ if !strings.Contains(out, "cat") || !strings.Contains(string(out), "ps") {
t.Fatalf("unexpected running process, output %q", out)
}
- if strings.Contains(out, "\r") {
- t.Fatalf("unexpected carriage-return in output %q", out)
- }
}
}
diff --git a/runc-1.1.3/tests/integration/exec.bats b/runc-1.1.3/tests/integration/exec.bats
index 140cd18..cd01f00 100644
--- a/runc-1.1.3/tests/integration/exec.bats
+++ b/runc-1.1.3/tests/integration/exec.bats
@@ -101,7 +101,7 @@ function teardown() {
runc exec --cwd /bin test_busybox pwd
[ "$status" -eq 0 ]
- [[ ${output} == "/bin"* ]]
+ [[ $(echo "${output}" | tr -d '\r') == "/bin" ]]
}
@test "runc exec --env" {
@@ -126,7 +126,7 @@ function teardown() {
runc exec --user 1000:1000 test_busybox id
[ "$status" -eq 0 ]
- [[ "${output}" == "uid=1000 gid=1000"* ]]
+ [[ $(echo "${output}" | tr -d '\r') == "uid=1000 gid=1000" ]
}
@test "runc exec --additional-gids" {
--
2.30.0

2424
patch/0003-Use-opencontainers-selinux-package.patch
View File

File diff suppressed because it is too large Load Diff

62
patch/0003-runc-add-timeout-for-syscall.Openat.patch Normal file
View File

@ -0,0 +1,62 @@
From 1bc820d277edc05d145b8729e3a8e343b9d4b529 Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Mon, 10 Oct 2022 14:49:30 +0800
Subject: [PATCH] runc:add timeout for syscall.Openat
Openat will be blocked until the fifo on the other side is opened, but in some
abnomal scenario(e.g. containerd is killed), Openat maybe be blocked all the time.
---
.../libcontainer/standard_init_linux.go | 29 ++++++++++++++-----
1 file changed, 22 insertions(+), 7 deletions(-)
diff --git a/runc-1.1.3/libcontainer/standard_init_linux.go b/runc-1.1.3/libcontainer/standard_init_linux.go
index 585a04f..ab553ef 100644
--- a/runc-1.1.3/libcontainer/standard_init_linux.go
+++ b/runc-1.1.3/libcontainer/standard_init_linux.go
@@ -6,6 +6,7 @@ import (
"os"
"os/exec"
"strconv"
+ "time"
"github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/selinux/go-selinux"
@@ -227,14 +228,28 @@ func (l *linuxStandardInit) Init() error {
// was given to us was an O_PATH fd to the fifo itself. Linux allows us to
// re-open an O_PATH fd through /proc.
fifoPath := "/proc/self/fd/" + strconv.Itoa(l.fifoFd)
- fd, err := unix.Open(fifoPath, unix.O_WRONLY|unix.O_CLOEXEC, 0)
- if err != nil {
- return &os.PathError{Op: "open exec fifo", Path: fifoPath, Err: err}
- }
- if _, err := unix.Write(fd, []byte("0")); err != nil {
- return &os.PathError{Op: "write exec fifo", Path: fifoPath, Err: err}
- }
+ ch := make(chan error, 1)
+ go func() {
+ fd, err := unix.Open(fifoPath, unix.O_WRONLY|unix.O_CLOEXEC, 0)
+ if err != nil {
+ ch <- &os.PathError{Op: "open exec fifo", Path: fifoPath, Err: err}
+ return
+ }
+ if _, err := unix.Write(fd, []byte("0")); err != nil {
+ ch <- &os.PathError{Op: "write exec fifo", Path: fifoPath, Err: err}
+ return
+ }
+ ch <- nil
+ }()
+ select {
+ case chErr := <- ch:
+ if chErr != nil {
+ return chErr
+ }
+ case <- time.After(120 * time.Second):
+ return fmt.Errorf("wait for the fifo to be opened on the other side timeout ")
+ }
// Close the O_PATH fifofd fd before exec because the kernel resets
// dumpable in the wrong order. This has been fixed in newer kernels, but
// we keep this to ensure CVE-2016-9962 doesn't re-emerge on older kernels.
--
2.30.0

272
patch/0004-handle-unprivileged-operations-and-dumpable.patch
View File

@ -1,272 +0,0 @@
From 511eb03806523b4f51cbde7daedd563a3b5810e4 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Tue, 17 Jan 2017 12:25:21 +1100
Subject: [PATCH 04/94] *: handle unprivileged operations and
!dumpable
Effectively, !dumpable makes implementing rootless containers quite
hard, due to a bunch of different operations on /proc/self no longer
being possible without reordering everything.
!dumpable only really makes sense when you are switching between
different security contexts, which is only the case when we are joining
namespaces. Unfortunately this means that !dumpable will still have
issues in this instance, and it should only be necessary to set
!dumpable if we are not joining USER namespaces (new kernels have
protections that make !dumpable no longer necessary). But that's a topic
for another time.
This also includes code to unset and then re-set dumpable when doing the
USER namespace mappings. This should also be safe because in principle
processes in a container can't see us until after we fork into the PID
namespace (which happens after the user mapping).
In rootless containers, it is not possible to set a non-dumpable
process's /proc/self/oom_score_adj (it's owned by root and thus not
writeable). Thus, it needs to be set inside nsexec before we set
ourselves as non-dumpable.
Change-Id: Iab9e2d9bf3997284253b4b33a504e8581fd787ae
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
libcontainer/container_linux.go | 6 ++++
libcontainer/init_linux.go | 8 ------
libcontainer/message_linux.go | 14 +++++----
libcontainer/nsenter/nsexec.c | 64 ++++++++++++++++++++++++++++++++++-------
libcontainer/process_linux.go | 8 ------
5 files changed, 68 insertions(+), 32 deletions(-)
diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
index cd9235d..d2e0e2b 100644
--- a/libcontainer/container_linux.go
+++ b/libcontainer/container_linux.go
@@ -1460,5 +1460,11 @@ func (c *linuxContainer) bootstrapData(cloneFlags uintptr, nsMaps map[configs.Na
}
}
+ // write oom_score_adj
+ r.AddData(&Bytemsg{
+ Type: OomScoreAdjAttr,
+ Value: []byte(fmt.Sprintf("%d", c.config.OomScoreAdj)),
+ })
+
return bytes.NewReader(r.Serialize()), nil
}
diff --git a/libcontainer/init_linux.go b/libcontainer/init_linux.go
index 39b83a4..0f5d412 100644
--- a/libcontainer/init_linux.go
+++ b/libcontainer/init_linux.go
@@ -6,10 +6,8 @@ import (
"encoding/json"
"fmt"
"io"
- "io/ioutil"
"net"
"os"
- "strconv"
"strings"
"syscall"
"unsafe"
@@ -369,12 +367,6 @@ func setupRlimits(limits []configs.Rlimit, pid int) error {
return nil
}
-func setOomScoreAdj(oomScoreAdj int, pid int) error {
- path := fmt.Sprintf("/proc/%d/oom_score_adj", pid)
-
- return ioutil.WriteFile(path, []byte(strconv.Itoa(oomScoreAdj)), 0600)
-}
-
const _P_PID = 1
type siginfo struct {
diff --git a/libcontainer/message_linux.go b/libcontainer/message_linux.go
index a189c72..321d664 100644
--- a/libcontainer/message_linux.go
+++ b/libcontainer/message_linux.go
@@ -11,12 +11,14 @@ import (
// list of known message types we want to send to bootstrap program
// The number is randomly chosen to not conflict with known netlink types
const (
- InitMsg uint16 = 62000
- CloneFlagsAttr uint16 = 27281
- NsPathsAttr uint16 = 27282
- UidmapAttr uint16 = 27283
- GidmapAttr uint16 = 27284
- SetgroupAttr uint16 = 27285
+ InitMsg uint16 = 62000
+ CloneFlagsAttr uint16 = 27281
+ NsPathsAttr uint16 = 27282
+ UidmapAttr uint16 = 27283
+ GidmapAttr uint16 = 27284
+ SetgroupAttr uint16 = 27285
+ OomScoreAdjAttr uint16 = 27286
+
// When syscall.NLA_HDRLEN is in gccgo, take this out.
syscall_NLA_HDRLEN = (syscall.SizeofNlAttr + syscall.NLA_ALIGNTO - 1) & ^(syscall.NLA_ALIGNTO - 1)
)
diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c
index 51bd1e3..9630206 100644
--- a/libcontainer/nsenter/nsexec.c
+++ b/libcontainer/nsenter/nsexec.c
@@ -72,18 +72,21 @@ struct nlconfig_t {
char *namespaces;
size_t namespaces_len;
uint8_t is_setgroup;
+ char *oom_score_adj;
+ size_t oom_score_adj_len;
};
/*
* List of netlink message types sent to us as part of bootstrapping the init.
* These constants are defined in libcontainer/message_linux.go.
*/
-#define INIT_MSG 62000
+#define INIT_MSG 62000
#define CLONE_FLAGS_ATTR 27281
#define NS_PATHS_ATTR 27282
-#define UIDMAP_ATTR 27283
-#define GIDMAP_ATTR 27284
+#define UIDMAP_ATTR 27283
+#define GIDMAP_ATTR 27284
#define SETGROUP_ATTR 27285
+#define OOM_SCORE_ADJ_ATTR 27286
/*
* Use the raw syscall for versions of glibc which don't include a function for
@@ -186,7 +189,7 @@ static void update_setgroups(int pid, enum policy_t setgroup)
}
}
-static void update_uidmap(int pid, char *map, int map_len)
+static void update_uidmap(int pid, char *map, size_t map_len)
{
if (map == NULL || map_len <= 0)
return;
@@ -195,7 +198,7 @@ static void update_uidmap(int pid, char *map, int map_len)
bail("failed to update /proc/%d/uid_map", pid);
}
-static void update_gidmap(int pid, char *map, int map_len)
+static void update_gidmap(int pid, char *map, size_t map_len)
{
if (map == NULL || map_len <= 0)
return;
@@ -204,6 +207,15 @@ static void update_gidmap(int pid, char *map, int map_len)
bail("failed to update /proc/%d/gid_map", pid);
}
+static void update_oom_score_adj(char *data, size_t len)
+{
+ if (data == NULL || len <= 0)
+ return;
+
+ if (write_file(data, len, "/proc/self/oom_score_adj") < 0)
+ bail("failed to update /proc/self/oom_score_adj");
+}
+
/* A dummy function that just jumps to the given jumpval. */
static int child_func(void *arg) __attribute__ ((noinline));
static int child_func(void *arg)
@@ -317,6 +329,10 @@ static void nl_parse(int fd, struct nlconfig_t *config)
case CLONE_FLAGS_ATTR:
config->cloneflags = readint32(current);
break;
+ case OOM_SCORE_ADJ_ATTR:
+ config->oom_score_adj = current;
+ config->oom_score_adj_len = payload_len;
+ break;
case NS_PATHS_ATTR:
config->namespaces = current;
config->namespaces_len = payload_len;
@@ -425,14 +441,32 @@ void nsexec(void)
if (pipenum == -1)
return;
- /* make the process non-dumpable */
- if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) {
- bail("failed to set process as non-dumpable");
- }
-
/* Parse all of the netlink configuration. */
nl_parse(pipenum, &config);
+ /* Set oom_score_adj. This has to be done before !dumpable because
+ * /proc/self/oom_score_adj is not writeable unless you're an privileged
+ * user (if !dumpable is set). All children inherit their parent's
+ * oom_score_adj value on fork(2) so this will always be propagated
+ * properly.
+ */
+ update_oom_score_adj(config.oom_score_adj, config.oom_score_adj_len);
+
+ /*
+ * Make the process non-dumpable, to avoid various race conditions that
+ * could cause processes in namespaces we're joining to access host
+ * resources (or potentially execute code).
+ *
+ * However, if the number of namespaces we are joining is 0, we are not
+ * going to be switching to a different security context. Thus setting
+ * ourselves to be non-dumpable only breaks things (like rootless
+ * containers), which is the recommendation from the kernel folks.
+ */
+ if (config.namespaces) {
+ if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) < 0)
+ bail("failed to set process as non-dumpable");
+ }
+
/* Pipe so we can tell the child when we've finished setting up. */
if (socketpair(AF_LOCAL, SOCK_STREAM, 0, sync_child_pipe) < 0)
bail("failed to setup sync pipe between parent and child");
@@ -681,6 +715,11 @@ void nsexec(void)
* clone_parent rant). So signal our parent to hook us up.
*/
+ /* Switching is only necessary if we joined namespaces. */
+ if (config.namespaces) {
+ if (prctl(PR_SET_DUMPABLE, 1, 0, 0, 0) < 0)
+ bail("failed to set process as dumpable");
+ }
s = SYNC_USERMAP_PLS;
if (write(syncfd, &s, sizeof(s)) != sizeof(s))
bail("failed to sync with parent: write(SYNC_USERMAP_PLS)");
@@ -691,6 +730,11 @@ void nsexec(void)
bail("failed to sync with parent: read(SYNC_USERMAP_ACK)");
if (s != SYNC_USERMAP_ACK)
bail("failed to sync with parent: SYNC_USERMAP_ACK: got %u", s);
+ /* Switching is only necessary if we joined namespaces. */
+ if (config.namespaces) {
+ if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) < 0)
+ bail("failed to set process as dumpable");
+ }
}
/*
diff --git a/libcontainer/process_linux.go b/libcontainer/process_linux.go
index 0f79a38..c60f473 100644
--- a/libcontainer/process_linux.go
+++ b/libcontainer/process_linux.go
@@ -85,10 +85,6 @@ func (p *setnsProcess) start() (err error) {
return newSystemErrorWithCausef(err, "adding pid %d to cgroups", p.pid())
}
}
- // set oom_score_adj
- if err := setOomScoreAdj(p.config.Config.OomScoreAdj, p.pid()); err != nil {
- return newSystemErrorWithCause(err, "setting oom score")
- }
// set rlimits, this has to be done here because we lose permissions
// to raise the limits once we enter a user-namespace
if err := setupRlimits(p.config.Rlimits, p.pid()); err != nil {
@@ -285,10 +281,6 @@ func (p *initProcess) start() error {
if err := p.manager.Set(p.config.Config); err != nil {
return newSystemErrorWithCause(err, "setting cgroup config for ready process")
}
- // set oom_score_adj
- if err := setOomScoreAdj(p.config.Config.OomScoreAdj, p.pid()); err != nil {
- return newSystemErrorWithCause(err, "setting oom score for ready process")
- }
// set rlimits, this has to be done here because we lose permissions
// to raise the limits once we enter a user-namespace
if err := setupRlimits(p.config.Rlimits, p.pid()); err != nil {
--
2.7.4.3

32
patch/0042-update-state-earlier-to-avoid-cgroup-leak-whe.patch → patch/0004-runc-update-state-eariler-to-avoid-cgroup-leak-when-.patch
View File

@ -1,8 +1,8 @@
From 3b61668af89b820482b0a58f5af5316e1529116b Mon Sep 17 00:00:00 2001
From: Deng Guangxing <dengguangxing@huawei.com>
Date: Wed, 6 Sep 2017 15:04:47 +0800
Subject: [PATCH 42/94] update state earlier to avoid cgroup leak when
process failed
From 1d9d98ffd7b452087e70d2e2bd62f8827af58a10 Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Mon, 10 Oct 2022 15:20:13 +0800
Subject: [PATCH] runc: update state eariler to avoid cgroup leak when process
failed
if process stuck in somewhere. upper caller like containerd may
have a timeout for process launching.
@ -22,25 +22,25 @@ This patch perform state updating right after cgroup applying. so
Change-Id: I7b247f501986e712a86da3958d1be573af4e84a6
Signed-off-by: Deng Guangxing <dengguangxing@huawei.com>
---
libcontainer/process_linux.go | 5 +++++
runc-1.1.3/libcontainer/process_linux.go | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/libcontainer/process_linux.go b/libcontainer/process_linux.go
index c9fb202..9373595 100644
--- a/libcontainer/process_linux.go
+++ b/libcontainer/process_linux.go
@@ -260,6 +260,11 @@ func (p *initProcess) start() error {
diff --git a/runc-1.1.3/libcontainer/process_linux.go b/runc-1.1.3/libcontainer/process_linux.go
index 446649a..29408d7 100644
--- a/runc-1.1.3/libcontainer/process_linux.go
+++ b/runc-1.1.3/libcontainer/process_linux.go
@@ -411,6 +411,11 @@ func (p *initProcess) start() (retErr error) {
if err := p.manager.Apply(p.pid()); err != nil {
return newSystemErrorWithCause(err, "applying cgroup configuration for process")
return fmt.Errorf("unable to apply cgroup configuration: %w", err)
}
+ // update state here, so we can retrieve process resource
+ // even it get killed by accident
+ if _, err := p.container.updateState(p); err != nil {
+ return err
+ }
defer func() {
if err != nil {
// TODO: should not be the responsibility to call here
if p.intelRdtManager != nil {
if err := p.intelRdtManager.Apply(p.pid()); err != nil {
return fmt.Errorf("unable to apply Intel RDT configuration: %w", err)
--
2.7.4.3
2.30.0

1490
patch/0005-runc-add-support-for-rootless-containers.patch
View File

File diff suppressed because it is too large Load Diff

43
patch/0005-runc-print-cgroup-info-if-cpuset-missing-occurs.patch Normal file
View File

@ -0,0 +1,43 @@
From d837fdf20465ffee55ff81efb3df8d010ecae765 Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Mon, 17 Oct 2022 15:47:24 +0800
Subject: [PATCH] runc: print cgroup info if cpuset missing occurs
---
runc-1.1.3/libcontainer/cgroups/fs/cpuset.go | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/runc-1.1.3/libcontainer/cgroups/fs/cpuset.go b/runc-1.1.3/libcontainer/cgroups/fs/cpuset.go
index 550baa4..341d5dc 100644
--- a/runc-1.1.3/libcontainer/cgroups/fs/cpuset.go
+++ b/runc-1.1.3/libcontainer/cgroups/fs/cpuset.go
@@ -172,6 +172,26 @@ func (s *CpusetGroup) ApplyDir(dir string, r *configs.Resources, pid int) error
}
func getCpusetSubsystemSettings(parent string) (cpus, mems string, err error) {
+ defer func() {
+ if err != nil {
+ minfo, err1 := ioutil.ReadFile("/proc/self/mountinfo")
+ if err1 != nil {
+ logrus.Errorf("Failed to read mountinfo when getSubsystemSettings get an error")
+ }
+
+ dirInfo := ""
+ fs, err2 := ioutil.ReadDir(parent)
+ if err2 != nil {
+ logrus.Errorf("Failed to read mountinfo when getSubsystemSettings get an error")
+ }
+ for _, f := range fs {
+ dirInfo = dirInfo + " " + f.Name()
+ }
+
+ logrus.Errorf("Read cpuset cgroup failed, print mountinfo and cgroup info here"+
+ "path: %s, mountinfo: [%s], dirinfo: [%s]", parent, string(minfo), dirInfo)
+ }
+ }()
if cpus, err = cgroups.ReadFile(parent, "cpuset.cpus"); err != nil {
return
}
--
2.30.0

421
patch/0006-rootless-add-rootless-cgroup-manager.patch
View File

@ -1,421 +0,0 @@
From 6c69b3f5c8eb23eb47917371b4ae69a76912ec83 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Tue, 26 Apr 2016 02:19:39 +1000
Subject: [PATCH 06/94] rootless: add rootless cgroup manager
The rootless cgroup manager acts as a noop for all set and apply
operations. It is just used for rootless setups. Currently this is far
too simple (we need to add opportunistic cgroup management), but is good
enough as a first-pass at a noop cgroup manager.
Change-Id: Iae5668680e5e2896246792fe6f2ac1bb37eab1d5
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
libcontainer/cgroups/fs/apply_raw.go | 24 +----
libcontainer/cgroups/rootless/rootless.go | 128 ++++++++++++++++++++++++++
libcontainer/cgroups/systemd/apply_systemd.go | 2 +-
libcontainer/cgroups/utils.go | 41 ++++++++-
libcontainer/container_linux.go | 8 ++
libcontainer/factory_linux.go | 22 +++++
libcontainer/process_linux.go | 20 ++--
libcontainer/rootfs_linux.go | 2 +-
8 files changed, 210 insertions(+), 37 deletions(-)
create mode 100644 libcontainer/cgroups/rootless/rootless.go
diff --git a/libcontainer/cgroups/fs/apply_raw.go b/libcontainer/cgroups/fs/apply_raw.go
index d316313..22d82ac 100644
--- a/libcontainer/cgroups/fs/apply_raw.go
+++ b/libcontainer/cgroups/fs/apply_raw.go
@@ -267,25 +267,8 @@ func getCgroupData(c *configs.Cgroup, pid int) (*cgroupData, error) {
}, nil
}
-func (raw *cgroupData) parentPath(subsystem, mountpoint, root string) (string, error) {
- // Use GetThisCgroupDir instead of GetInitCgroupDir, because the creating
- // process could in container and shared pid namespace with host, and
- // /proc/1/cgroup could point to whole other world of cgroups.
- initPath, err := cgroups.GetThisCgroupDir(subsystem)
- if err != nil {
- return "", err
- }
- // This is needed for nested containers, because in /proc/self/cgroup we
- // see pathes from host, which don't exist in container.
- relDir, err := filepath.Rel(root, initPath)
- if err != nil {
- return "", err
- }
- return filepath.Join(mountpoint, relDir), nil
-}
-
func (raw *cgroupData) path(subsystem string) (string, error) {
- mnt, root, err := cgroups.FindCgroupMountpointAndRoot(subsystem)
+ mnt, err := cgroups.FindCgroupMountpoint(subsystem)
// If we didn't mount the subsystem, there is no point we make the path.
if err != nil {
return "", err
@@ -297,7 +280,10 @@ func (raw *cgroupData) path(subsystem string) (string, error) {
return filepath.Join(raw.root, filepath.Base(mnt), raw.innerPath), nil
}
- parentPath, err := raw.parentPath(subsystem, mnt, root)
+ // Use GetOwnCgroupPath instead of GetInitCgroupPath, because the creating
+ // process could in container and shared pid namespace with host, and
+ // /proc/1/cgroup could point to whole other world of cgroups.
+ parentPath, err := cgroups.GetOwnCgroupPath(subsystem)
if err != nil {
return "", err
}
diff --git a/libcontainer/cgroups/rootless/rootless.go b/libcontainer/cgroups/rootless/rootless.go
new file mode 100644
index 0000000..b1efbfd
--- /dev/null
+++ b/libcontainer/cgroups/rootless/rootless.go
@@ -0,0 +1,128 @@
+// +build linux
+
+package rootless
+
+import (
+ "fmt"
+
+ "github.com/opencontainers/runc/libcontainer/cgroups"
+ "github.com/opencontainers/runc/libcontainer/cgroups/fs"
+ "github.com/opencontainers/runc/libcontainer/configs"
+ "github.com/opencontainers/runc/libcontainer/configs/validate"
+)
+
+// TODO: This is copied from libcontainer/cgroups/fs, which duplicates this code
+// needlessly. We should probably export this list.
+
+var subsystems = []subsystem{
+ &fs.CpusetGroup{},
+ &fs.DevicesGroup{},
+ &fs.MemoryGroup{},
+ &fs.CpuGroup{},
+ &fs.CpuacctGroup{},
+ &fs.PidsGroup{},
+ &fs.BlkioGroup{},
+ &fs.HugetlbGroup{},
+ &fs.NetClsGroup{},
+ &fs.NetPrioGroup{},
+ &fs.PerfEventGroup{},
+ &fs.FreezerGroup{},
+ &fs.NameGroup{GroupName: "name=systemd"},
+}
+
+type subsystem interface {
+ // Name returns the name of the subsystem.
+ Name() string
+
+ // Returns the stats, as 'stats', corresponding to the cgroup under 'path'.
+ GetStats(path string, stats *cgroups.Stats) error
+}
+
+// The noop cgroup manager is used for rootless containers, because we currently
+// cannot manage cgroups if we are in a rootless setup. This manager is chosen
+// by factory if we are in rootless mode. We error out if any cgroup options are
+// set in the config -- this may change in the future with upcoming kernel features
+// like the cgroup namespace.
+
+type Manager struct {
+ Cgroups *configs.Cgroup
+ Paths map[string]string
+}
+
+func (m *Manager) Apply(pid int) error {
+ // If there are no cgroup settings, there's nothing to do.
+ if m.Cgroups == nil {
+ return nil
+ }
+
+ // We can't set paths.
+ // TODO(cyphar): Implement the case where the runner of a rootless container
+ // owns their own cgroup, which would allow us to set up a
+ // cgroup for each path.
+ if m.Cgroups.Paths != nil {
+ return fmt.Errorf("cannot change cgroup path in rootless container")
+ }
+
+ // We load the paths into the manager.
+ paths := make(map[string]string)
+ for _, sys := range subsystems {
+ name := sys.Name()
+
+ path, err := cgroups.GetOwnCgroupPath(name)
+ if err != nil {
+ // Ignore paths we couldn't resolve.
+ continue
+ }
+
+ paths[name] = path
+ }
+
+ m.Paths = paths
+ return nil
+}
+
+func (m *Manager) GetPaths() map[string]string {
+ return m.Paths
+}
+
+func (m *Manager) Set(container *configs.Config) error {
+ // We have to re-do the validation here, since someone might decide to
+ // update a rootless container.
+ return validate.New().Validate(container)
+}
+
+func (m *Manager) GetPids() ([]int, error) {
+ dir, err := cgroups.GetOwnCgroupPath("devices")
+ if err != nil {
+ return nil, err
+ }
+ return cgroups.GetPids(dir)
+}
+
+func (m *Manager) GetAllPids() ([]int, error) {
+ dir, err := cgroups.GetOwnCgroupPath("devices")
+ if err != nil {
+ return nil, err
+ }
+ return cgroups.GetAllPids(dir)
+}
+
+func (m *Manager) GetStats() (*cgroups.Stats, error) {
+ // TODO(cyphar): We can make this work if we figure out a way to allow usage
+ // of cgroups with a rootless container. While this doesn't
+ // actually require write access to a cgroup directory, the
+ // statistics are not useful if they can be affected by
+ // non-container processes.
+ return nil, fmt.Errorf("cannot get cgroup stats in rootless container")
+}
+
+func (m *Manager) Freeze(state configs.FreezerState) error {
+ // TODO(cyphar): We can make this work if we figure out a way to allow usage
+ // of cgroups with a rootless container.
+ return fmt.Errorf("cannot use freezer cgroup in rootless container")
+}
+
+func (m *Manager) Destroy() error {
+ // We don't have to do anything here because we didn't do any setup.
+ return nil
+}
diff --git a/libcontainer/cgroups/systemd/apply_systemd.go b/libcontainer/cgroups/systemd/apply_systemd.go
index 2872bfa..456c57d 100644
--- a/libcontainer/cgroups/systemd/apply_systemd.go
+++ b/libcontainer/cgroups/systemd/apply_systemd.go
@@ -426,7 +426,7 @@ func getSubsystemPath(c *configs.Cgroup, subsystem string) (string, error) {
return "", err
}
- initPath, err := cgroups.GetInitCgroupDir(subsystem)
+ initPath, err := cgroups.GetInitCgroup(subsystem)
if err != nil {
return "", err
}
diff --git a/libcontainer/cgroups/utils.go b/libcontainer/cgroups/utils.go
index 52fc87e..5db3734 100644
--- a/libcontainer/cgroups/utils.go
+++ b/libcontainer/cgroups/utils.go
@@ -109,7 +109,7 @@ type Mount struct {
Subsystems []string
}
-func (m Mount) GetThisCgroupDir(cgroups map[string]string) (string, error) {
+func (m Mount) GetOwnCgroup(cgroups map[string]string) (string, error) {
if len(m.Subsystems) == 0 {
return "", fmt.Errorf("no subsystem for mount")
}
@@ -203,8 +203,8 @@ func GetAllSubsystems() ([]string, error) {
return subsystems, nil
}
-// GetThisCgroupDir returns the relative path to the cgroup docker is running in.
-func GetThisCgroupDir(subsystem string) (string, error) {
+// GetOwnCgroup returns the relative path to the cgroup docker is running in.
+func GetOwnCgroup(subsystem string) (string, error) {
cgroups, err := ParseCgroupFile("/proc/self/cgroup")
if err != nil {
return "", err
@@ -213,8 +213,16 @@ func GetThisCgroupDir(subsystem string) (string, error) {
return getControllerPath(subsystem, cgroups)
}
-func GetInitCgroupDir(subsystem string) (string, error) {
+func GetOwnCgroupPath(subsystem string) (string, error) {
+ cgroup, err := GetOwnCgroup(subsystem)
+ if err != nil {
+ return "", err
+ }
+ return getCgroupPathHelper(subsystem, cgroup)
+}
+
+func GetInitCgroup(subsystem string) (string, error) {
cgroups, err := ParseCgroupFile("/proc/1/cgroup")
if err != nil {
return "", err
@@ -223,6 +231,31 @@ func GetInitCgroupDir(subsystem string) (string, error) {
return getControllerPath(subsystem, cgroups)
}
+func GetInitCgroupPath(subsystem string) (string, error) {
+ cgroup, err := GetInitCgroup(subsystem)
+ if err != nil {
+ return "", err
+ }
+
+ return getCgroupPathHelper(subsystem, cgroup)
+}
+
+func getCgroupPathHelper(subsystem, cgroup string) (string, error) {
+ mnt, root, err := FindCgroupMountpointAndRoot(subsystem)
+ if err != nil {
+ return "", err
+ }
+
+ // This is needed for nested containers, because in /proc/self/cgroup we
+ // see pathes from host, which don't exist in container.
+ relCgroup, err := filepath.Rel(root, cgroup)
+ if err != nil {
+ return "", err
+ }
+
+ return filepath.Join(mnt, relCgroup), nil
+}
+
func readProcsFile(dir string) ([]int, error) {
f, err := os.Open(filepath.Join(dir, CgroupProcesses))
if err != nil {
diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
index 372763a..d847f18 100644
--- a/libcontainer/container_linux.go
+++ b/libcontainer/container_linux.go
@@ -520,10 +520,18 @@ func (c *linuxContainer) Resume() error {
}
func (c *linuxContainer) NotifyOOM() (<-chan struct{}, error) {
+ // XXX(cyphar): This requires cgroups.
+ if c.config.Rootless {
+ return nil, fmt.Errorf("cannot get OOM notifications from rootless container")
+ }
return notifyOnOOM(c.cgroupManager.GetPaths())
}
func (c *linuxContainer) NotifyMemoryPressure(level PressureLevel) (<-chan struct{}, error) {
+ // XXX(cyphar): This requires cgroups.
+ if c.config.Rootless {
+ return nil, fmt.Errorf("cannot get memory pressure notifications from rootless container")
+ }
return notifyMemoryPressure(c.cgroupManager.GetPaths(), level)
}
diff --git a/libcontainer/factory_linux.go b/libcontainer/factory_linux.go
index d553287..1f965e6 100644
--- a/libcontainer/factory_linux.go
+++ b/libcontainer/factory_linux.go
@@ -15,6 +15,7 @@ import (
"github.com/docker/docker/pkg/mount"
"github.com/opencontainers/runc/libcontainer/cgroups"
"github.com/opencontainers/runc/libcontainer/cgroups/fs"
+ "github.com/opencontainers/runc/libcontainer/cgroups/rootless"
"github.com/opencontainers/runc/libcontainer/cgroups/systemd"
"github.com/opencontainers/runc/libcontainer/configs"
"github.com/opencontainers/runc/libcontainer/configs/validate"
@@ -73,6 +74,20 @@ func Cgroupfs(l *LinuxFactory) error {
return nil
}
+// RootlessCgroups is an options func to configure a LinuxFactory to
+// return containers that use the "rootless" cgroup manager, which will
+// fail to do any operations not possible to do with an unprivileged user.
+// It should only be used in conjunction with rootless containers.
+func RootlessCgroups(l *LinuxFactory) error {
+ l.NewCgroupsManager = func(config *configs.Cgroup, paths map[string]string) cgroups.Manager {
+ return &rootless.Manager{
+ Cgroups: config,
+ Paths: paths,
+ }
+ }
+ return nil
+}
+
// TmpfsRoot is an option func to mount LinuxFactory.Root to tmpfs.
func TmpfsRoot(l *LinuxFactory) error {
mounted, err := mount.Mounted(l.Root)
@@ -169,6 +184,9 @@ func (l *LinuxFactory) Create(id string, config *configs.Config) (Container, err
if err := os.Chown(containerRoot, uid, gid); err != nil {
return nil, newGenericError(err, SystemError)
}
+ if config.Rootless {
+ RootlessCgroups(l)
+ }
c := &linuxContainer{
id: id,
root: containerRoot,
@@ -195,6 +213,10 @@ func (l *LinuxFactory) Load(id string) (Container, error) {
processStartTime: state.InitProcessStartTime,
fds: state.ExternalDescriptors,
}
+ // We have to use the RootlessManager.
+ if state.Rootless {
+ RootlessCgroups(l)
+ }
c := &linuxContainer{
initProcess: r,
initProcessStartTime: state.InitProcessStartTime,
diff --git a/libcontainer/process_linux.go b/libcontainer/process_linux.go
index e8b7506..bfe9955 100644
--- a/libcontainer/process_linux.go
+++ b/libcontainer/process_linux.go
@@ -254,15 +254,14 @@ func (p *initProcess) start() error {
return newSystemErrorWithCausef(err, "getting pipe fds for pid %d", p.pid())
}
p.setExternalDescriptors(fds)
- if !p.container.config.Rootless {
- // Do this before syncing with child so that no children can escape the
- // cgroup. We can't do this if we're not running as root.
- if err := p.manager.Apply(p.pid()); err != nil {
- return newSystemErrorWithCause(err, "applying cgroup configuration for process")
- }
+ // Do this before syncing with child so that no children can escape the
+ // cgroup. We don't need to worry about not doing this and not being root
+ // because we'd be using the rootless cgroup manager in that case.
+ if err := p.manager.Apply(p.pid()); err != nil {
+ return newSystemErrorWithCause(err, "applying cgroup configuration for process")
}
defer func() {
- if err != nil && !p.container.config.Rootless {
+ if err != nil {
// TODO: should not be the responsibility to call here
p.manager.Destroy()
}
@@ -281,11 +280,8 @@ func (p *initProcess) start() error {
ierr := parseSync(p.parentPipe, func(sync *syncT) error {
switch sync.Type {
case procReady:
- // We can't set cgroups if we're in a rootless container.
- if !p.container.config.Rootless {
- if err := p.manager.Set(p.config.Config); err != nil {
- return newSystemErrorWithCause(err, "setting cgroup config for ready process")
- }
+ if err := p.manager.Set(p.config.Config); err != nil {
+ return newSystemErrorWithCause(err, "setting cgroup config for ready process")
}
// set rlimits, this has to be done here because we lose permissions
// to raise the limits once we enter a user-namespace
diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
index 1045a45..d507373 100644
--- a/libcontainer/rootfs_linux.go
+++ b/libcontainer/rootfs_linux.go
@@ -348,7 +348,7 @@ func getCgroupMounts(m *configs.Mount) ([]*configs.Mount, error) {
var binds []*configs.Mount
for _, mm := range mounts {
- dir, err := mm.GetThisCgroupDir(cgroupPaths)
+ dir, err := mm.GetOwnCgroup(cgroupPaths)
if err != nil {
return nil, err
}
--
2.7.4.3

28
patch/0006-runc-add-more-specific-log-for-hooks.patch Normal file
View File

@ -0,0 +1,28 @@
From 2d6cea3500b37c854ead44cf557864968903ad21 Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Mon, 17 Oct 2022 16:06:55 +0800
Subject: [PATCH] runc: add more specific log for hooks
---
runc-1.1.3/libcontainer/configs/config.go | 2 ++
1 file changed, 2 insertions(+)
diff --git a/runc-1.1.3/libcontainer/configs/config.go b/runc-1.1.3/libcontainer/configs/config.go
index c1b4a00..72910ff 100644
--- a/runc-1.1.3/libcontainer/configs/config.go
+++ b/runc-1.1.3/libcontainer/configs/config.go
@@ -279,9 +279,11 @@ type Capabilities struct {
func (hooks HookList) RunHooks(state *specs.State) error {
for i, h := range hooks {
+ logrus.Infof("run hooks %d:%T", i, h)
if err := h.Run(state); err != nil {
return fmt.Errorf("error running hook #%d: %w", i, err)
}
+ logrus.Infof("hooks %d:%T done", i, h)
}
return nil
--
2.30.0

256
patch/0007-libcontainer-configs-add-proper-HostUID-and.patch
View File

@ -1,256 +0,0 @@
From f139024bb220e087a20e8089b5dbd4fb4c06c4a8 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Sat, 18 Mar 2017 04:32:16 +1100
Subject: [PATCH 07/94] libcontainer: configs: add proper HostUID and
HostGID
Previously Host{U,G}ID only gave you the root mapping, which isn't very
useful if you are trying to do other things with the IDMaps.
Change-Id: Idceb42455e258e5514c966fe8363693adb9d0028
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
libcontainer/configs/config_unix.go | 40 ++++++++++++++++++++-----------
libcontainer/configs/config_unix_test.go | 16 ++++++-------
libcontainer/configs/validate/rootless.go | 4 ++--
libcontainer/container_linux.go | 4 ++--
libcontainer/factory_linux.go | 4 ++--
libcontainer/specconv/spec_linux.go | 4 ++--
utils_linux.go | 4 ++--
7 files changed, 44 insertions(+), 32 deletions(-)
diff --git a/libcontainer/configs/config_unix.go b/libcontainer/configs/config_unix.go
index a60554a..8446399 100644
--- a/libcontainer/configs/config_unix.go
+++ b/libcontainer/configs/config_unix.go
@@ -4,38 +4,50 @@ package configs
import "fmt"
-// HostUID gets the root uid for the process on host which could be non-zero
-// when user namespaces are enabled.
-func (c Config) HostUID() (int, error) {
+// HostUID gets the translated uid for the process on host which could be
+// different when user namespaces are enabled.
+func (c Config) HostUID(containerId int) (int, error) {
if c.Namespaces.Contains(NEWUSER) {
if c.UidMappings == nil {
- return -1, fmt.Errorf("User namespaces enabled, but no user mappings found.")
+ return -1, fmt.Errorf("User namespaces enabled, but no uid mappings found.")
}
- id, found := c.hostIDFromMapping(0, c.UidMappings)
+ id, found := c.hostIDFromMapping(containerId, c.UidMappings)
if !found {
- return -1, fmt.Errorf("User namespaces enabled, but no root user mapping found.")
+ return -1, fmt.Errorf("User namespaces enabled, but no user mapping found.")
}
return id, nil
}
- // Return default root uid 0
- return 0, nil
+ // Return unchanged id.
+ return containerId, nil
}
-// HostGID gets the root gid for the process on host which could be non-zero
+// HostRootUID gets the root uid for the process on host which could be non-zero
// when user namespaces are enabled.
-func (c Config) HostGID() (int, error) {
+func (c Config) HostRootUID() (int, error) {
+ return c.HostUID(0)
+}
+
+// HostGID gets the translated gid for the process on host which could be
+// different when user namespaces are enabled.
+func (c Config) HostGID(containerId int) (int, error) {
if c.Namespaces.Contains(NEWUSER) {
if c.GidMappings == nil {
return -1, fmt.Errorf("User namespaces enabled, but no gid mappings found.")
}
- id, found := c.hostIDFromMapping(0, c.GidMappings)
+ id, found := c.hostIDFromMapping(containerId, c.GidMappings)
if !found {
- return -1, fmt.Errorf("User namespaces enabled, but no root group mapping found.")
+ return -1, fmt.Errorf("User namespaces enabled, but no group mapping found.")
}
return id, nil
}
- // Return default root gid 0
- return 0, nil
+ // Return unchanged id.
+ return containerId, nil
+}
+
+// HostRootGID gets the root gid for the process on host which could be non-zero
+// when user namespaces are enabled.
+func (c Config) HostRootGID() (int, error) {
+ return c.HostGID(0)
}
// Utility function that gets a host ID for a container ID from user namespace map
diff --git a/libcontainer/configs/config_unix_test.go b/libcontainer/configs/config_unix_test.go
index dc01cd0..7f96615 100644
--- a/libcontainer/configs/config_unix_test.go
+++ b/libcontainer/configs/config_unix_test.go
@@ -65,11 +65,11 @@ func TestRemoveNamespace(t *testing.T) {
}
}
-func TestHostUIDNoUSERNS(t *testing.T) {
+func TestHostRootUIDNoUSERNS(t *testing.T) {
config := &Config{
Namespaces: Namespaces{},
}
- uid, err := config.HostUID()
+ uid, err := config.HostRootUID()
if err != nil {
t.Fatal(err)
}
@@ -78,7 +78,7 @@ func TestHostUIDNoUSERNS(t *testing.T) {
}
}
-func TestHostUIDWithUSERNS(t *testing.T) {
+func TestHostRootUIDWithUSERNS(t *testing.T) {
config := &Config{
Namespaces: Namespaces{{Type: NEWUSER}},
UidMappings: []IDMap{
@@ -89,7 +89,7 @@ func TestHostUIDWithUSERNS(t *testing.T) {
},
},
}
- uid, err := config.HostUID()
+ uid, err := config.HostRootUID()
if err != nil {
t.Fatal(err)
}
@@ -98,11 +98,11 @@ func TestHostUIDWithUSERNS(t *testing.T) {
}
}
-func TestHostGIDNoUSERNS(t *testing.T) {
+func TestHostRootGIDNoUSERNS(t *testing.T) {
config := &Config{
Namespaces: Namespaces{},
}
- uid, err := config.HostGID()
+ uid, err := config.HostRootGID()
if err != nil {
t.Fatal(err)
}
@@ -111,7 +111,7 @@ func TestHostGIDNoUSERNS(t *testing.T) {
}
}
-func TestHostGIDWithUSERNS(t *testing.T) {
+func TestHostRootGIDWithUSERNS(t *testing.T) {
config := &Config{
Namespaces: Namespaces{{Type: NEWUSER}},
GidMappings: []IDMap{
@@ -122,7 +122,7 @@ func TestHostGIDWithUSERNS(t *testing.T) {
},
},
}
- uid, err := config.HostGID()
+ uid, err := config.HostRootGID()
if err != nil {
t.Fatal(err)
}
diff --git a/libcontainer/configs/validate/rootless.go b/libcontainer/configs/validate/rootless.go
index 1e83ced..0cebfaf 100644
--- a/libcontainer/configs/validate/rootless.go
+++ b/libcontainer/configs/validate/rootless.go
@@ -37,7 +37,7 @@ func (v *ConfigValidator) rootless(config *configs.Config) error {
}
func rootlessMappings(config *configs.Config) error {
- rootuid, err := config.HostUID()
+ rootuid, err := config.HostRootUID()
if err != nil {
return fmt.Errorf("failed to get root uid from uidMappings: %v", err)
}
@@ -50,7 +50,7 @@ func rootlessMappings(config *configs.Config) error {
}
}
- rootgid, err := config.HostGID()
+ rootgid, err := config.HostRootGID()
if err != nil {
return fmt.Errorf("failed to get root gid from gidMappings: %v", err)
}
diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
index d847f18..71fa682 100644
--- a/libcontainer/container_linux.go
+++ b/libcontainer/container_linux.go
@@ -307,11 +307,11 @@ func (c *linuxContainer) Signal(s os.Signal, all bool) error {
}
func (c *linuxContainer) createExecFifo() error {
- rootuid, err := c.Config().HostUID()
+ rootuid, err := c.Config().HostRootUID()
if err != nil {
return err
}
- rootgid, err := c.Config().HostGID()
+ rootgid, err := c.Config().HostRootGID()
if err != nil {
return err
}
diff --git a/libcontainer/factory_linux.go b/libcontainer/factory_linux.go
index 1f965e6..6a0f855 100644
--- a/libcontainer/factory_linux.go
+++ b/libcontainer/factory_linux.go
@@ -164,11 +164,11 @@ func (l *LinuxFactory) Create(id string, config *configs.Config) (Container, err
if err := l.Validator.Validate(config); err != nil {
return nil, newGenericError(err, ConfigInvalid)
}
- uid, err := config.HostUID()
+ uid, err := config.HostRootUID()
if err != nil {
return nil, newGenericError(err, SystemError)
}
- gid, err := config.HostGID()
+ gid, err := config.HostRootGID()
if err != nil {
return nil, newGenericError(err, SystemError)
}
diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go
index 346b268..1575ae0 100644
--- a/libcontainer/specconv/spec_linux.go
+++ b/libcontainer/specconv/spec_linux.go
@@ -610,11 +610,11 @@ func setupUserNamespace(spec *specs.Spec, config *configs.Config) error {
for _, m := range spec.Linux.GIDMappings {
config.GidMappings = append(config.GidMappings, create(m))
}
- rootUID, err := config.HostUID()
+ rootUID, err := config.HostRootUID()
if err != nil {
return err
}
- rootGID, err := config.HostGID()
+ rootGID, err := config.HostRootGID()
if err != nil {
return err
}
diff --git a/utils_linux.go b/utils_linux.go
index 767015e..c6a8c02 100644
--- a/utils_linux.go
+++ b/utils_linux.go
@@ -242,12 +242,12 @@ func (r *runner) run(config *specs.Process) (int, error) {
for i := baseFd; i < baseFd+r.preserveFDs; i++ {
process.ExtraFiles = append(process.ExtraFiles, os.NewFile(uintptr(i), "PreserveFD:"+strconv.Itoa(i)))
}
- rootuid, err := r.container.Config().HostUID()
+ rootuid, err := r.container.Config().HostRootUID()
if err != nil {
r.destroy()
return -1, err
}
- rootgid, err := r.container.Config().HostGID()
+ rootgid, err := r.container.Config().HostRootGID()
if err != nil {
r.destroy()
return -1, err
--
2.7.4.3

30
patch/0007-runc-reduce-max-number-of-retries-to-10.patch Normal file
View File

@ -0,0 +1,30 @@
From dfbe86042987a6f5c14c589668183f37d2ecac91 Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Mon, 17 Oct 2022 16:21:01 +0800
Subject: [PATCH] runc: reduce max number of retries to 10
[Changelog]:when killing containers in D state, now runc will do
100 retries, which leads that containerd blocks for 10 seconds.
[Author]:Ruilin Li
---
runc-1.1.3/delete.go | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/runc-1.1.3/delete.go b/runc-1.1.3/delete.go
index 746b0df..799c2a7 100644
--- a/runc-1.1.3/delete.go
+++ b/runc-1.1.3/delete.go
@@ -14,8 +14,8 @@ import (
)
func killContainer(container libcontainer.Container) error {
- _ = container.Signal(unix.SIGKILL, false)
- for i := 0; i < 100; i++ {
+ container.Signal(unix.SIGKILL, false)
+ for i := 0; i < 10; i++ {
time.Sleep(100 * time.Millisecond)
if err := container.Signal(unix.Signal(0), false); err != nil {
destroy(container)
--
2.30.0

64
patch/0008-libcontainer-init-fix-unmapped-console-fcho.patch
View File

@ -1,64 +0,0 @@
From f4158e00cac1f576f61904a73530c373c15354e2 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Sat, 18 Mar 2017 04:33:14 +1100
Subject: [PATCH 08/94] libcontainer: init: fix unmapped console
fchown
If the stdio of the container is owned by a group which is not mapped in
the user namespace, attempting to fchown the file descriptor will result
in EINVAL. Counteract this by simply not doing an fchown if the group
owner of the file descriptor has no host mapping according to the
configured GIDMappings.
Change-Id: I7a7911f398a38b2d21e1bb6bc4b3131f6504ca8d
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
libcontainer/init_linux.go | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/libcontainer/init_linux.go b/libcontainer/init_linux.go
index 1187835..99cc02c 100644
--- a/libcontainer/init_linux.go
+++ b/libcontainer/init_linux.go
@@ -277,7 +277,7 @@ func setupUser(config *initConfig) error {
// before we change to the container's user make sure that the processes STDIO
// is correctly owned by the user that we are switching to.
- if err := fixStdioPermissions(execUser); err != nil {
+ if err := fixStdioPermissions(config, execUser); err != nil {
return err
}
@@ -312,7 +312,7 @@ func setupUser(config *initConfig) error {
// fixStdioPermissions fixes the permissions of PID 1's STDIO within the container to the specified user.
// The ownership needs to match because it is created outside of the container and needs to be
// localized.
-func fixStdioPermissions(u *user.ExecUser) error {
+func fixStdioPermissions(config *initConfig, u *user.ExecUser) error {
var null syscall.Stat_t
if err := syscall.Stat("/dev/null", &null); err != nil {
return err
@@ -326,10 +326,20 @@ func fixStdioPermissions(u *user.ExecUser) error {
if err := syscall.Fstat(int(fd), &s); err != nil {
return err
}
+
// Skip chown of /dev/null if it was used as one of the STDIO fds.
if s.Rdev == null.Rdev {
continue
}
+
+ // Skip chown if s.Gid is actually an unmapped gid in the host. While
+ // this is a bit dodgy if it just so happens that the console _is_
+ // owned by overflow_gid, there's no way for us to disambiguate this as
+ // a userspace program.
+ if _, err := config.Config.HostGID(int(s.Gid)); err != nil {
+ continue
+ }
+
// We only change the uid owner (as it is possible for the mount to
// prefer a different gid, and there's no reason for us to change it).
// The reason why we don't just leave the default uid=X mount setup is
--
2.7.4.3

32
patch/0008-runc-print-error-message-during-start-into-container.patch Normal file
View File

@ -0,0 +1,32 @@
From 199c22b2e5188acee4b38a373ab3e4cf978c7f94 Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Mon, 17 Oct 2022 16:26:48 +0800
Subject: [PATCH] runc: print error message during start into container log
---
runc-1.1.3/init.go | 2 ++
1 file changed, 2 insertions(+)
diff --git a/runc-1.1.3/init.go b/runc-1.1.3/init.go
index bddc237..a0520b5 100644
--- a/runc-1.1.3/init.go
+++ b/runc-1.1.3/init.go
@@ -1,6 +1,7 @@
package main
import (
+ "fmt"
"os"
"runtime"
"strconv"
@@ -34,6 +35,7 @@ func init() {
factory, _ := libcontainer.New("")
if err := factory.StartInitialization(); err != nil {
+ fmt.Fprintf(os.Stderr, "libcontainer: container start initialization failed: %s", err)
// as the error is sent back to the parent there is no need to log
// or write it to stderr because the parent process will handle this
os.Exit(1)
--
2.30.0

203
patch/0009-rootless-add-autogenerated-rootless-config-.patch
View File

@ -1,203 +0,0 @@
From bdc84a618b475cc21a39dfa2fe57eae68b6110b6 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Mon, 9 May 2016 21:26:11 +1000
Subject: [PATCH 09/94] rootless: add autogenerated rootless config
from `runc spec`
Since this is a runC-specific feature, this belongs here over in
opencontainers/ocitools (which is for generic OCI runtimes).
In addition, we don't create a new network namespace. This is because
currently if you want to set up a veth bridge you need CAP_NET_ADMIN in
both network namespaces' pinned user namespace to create the necessary
interfaces in each network namespace.
Change-Id: I682b9c82f75c04b58d523ddb084b6adbb543e3d1
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
libcontainer/specconv/example.go | 73 ++++++++++++++++++++++++++++++--
libcontainer/specconv/spec_linux_test.go | 30 +++----------
spec.go | 11 ++++-
3 files changed, 85 insertions(+), 29 deletions(-)
diff --git a/libcontainer/specconv/example.go b/libcontainer/specconv/example.go
index 44fad97..9a4460c 100644
--- a/libcontainer/specconv/example.go
+++ b/libcontainer/specconv/example.go
@@ -1,16 +1,18 @@
package specconv
import (
+ "os"
"runtime"
+ "strings"
"github.com/opencontainers/runtime-spec/specs-go"
)
func sPtr(s string) *string { return &s }
-// ExampleSpec returns an example spec file, with many options set so a user
-// can see what a standard spec file looks like.
-func ExampleSpec() *specs.Spec {
+// Example returns an example spec file, with many options set so a user can
+// see what a standard spec file looks like.
+func Example() *specs.Spec {
return &specs.Spec{
Version: specs.Version,
Platform: specs.Platform{
@@ -158,3 +160,68 @@ func ExampleSpec() *specs.Spec {
},
}
}
+
+// ExampleRootless returns an example spec file that works with rootless
+// containers. It's essentially a modified version of the specfile from
+// Example().
+func ToRootless(spec *specs.Spec) {
+ var namespaces []specs.LinuxNamespace
+
+ // Remove networkns from the spec.
+ for _, ns := range spec.Linux.Namespaces {
+ switch ns.Type {
+ case specs.NetworkNamespace, specs.UserNamespace:
+ // Do nothing.
+ default:
+ namespaces = append(namespaces, ns)
+ }
+ }
+ // Add userns to the spec.
+ namespaces = append(namespaces, specs.LinuxNamespace{
+ Type: specs.UserNamespace,
+ })
+ spec.Linux.Namespaces = namespaces
+
+ // Add mappings for the current user.
+ spec.Linux.UIDMappings = []specs.LinuxIDMapping{{
+ HostID: uint32(os.Geteuid()),
+ ContainerID: 0,
+ Size: 1,
+ }}
+ spec.Linux.GIDMappings = []specs.LinuxIDMapping{{
+ HostID: uint32(os.Getegid()),
+ ContainerID: 0,
+ Size: 1,
+ }}
+
+ // Fix up mounts.
+ var mounts []specs.Mount
+ for _, mount := range spec.Mounts {
+ // Ignore all mounts that are under /sys.
+ if strings.HasPrefix(mount.Destination, "/sys") {
+ continue
+ }
+
+ // Remove all gid= and uid= mappings.
+ var options []string
+ for _, option := range mount.Options {
+ if !strings.HasPrefix(option, "gid=") && !strings.HasPrefix(option, "uid=") {
+ options = append(options, option)
+ }
+ }
+
+ mount.Options = options
+ mounts = append(mounts, mount)
+ }
+ // Add the sysfs mount as an rbind.
+ mounts = append(mounts, specs.Mount{
+ Source: "/sys",
+ Destination: "/sys",
+ Type: "none",
+ Options: []string{"rbind", "nosuid", "noexec", "nodev", "ro"},
+ })
+ spec.Mounts = mounts
+
+ // Remove cgroup settings.
+ spec.Linux.Resources = nil
+}
diff --git a/libcontainer/specconv/spec_linux_test.go b/libcontainer/specconv/spec_linux_test.go
index 741fae6..f7292f3 100644
--- a/libcontainer/specconv/spec_linux_test.go
+++ b/libcontainer/specconv/spec_linux_test.go
@@ -3,7 +3,6 @@
package specconv
import (
- "os"
"testing"
"github.com/opencontainers/runc/libcontainer/configs/validate"
@@ -53,8 +52,9 @@ func TestLinuxCgroupsPathNotSpecified(t *testing.T) {
}
func TestSpecconvExampleValidate(t *testing.T) {
- spec := ExampleSpec()
+ spec := Example()
spec.Root.Path = "/"
+
opts := &CreateOpts{
CgroupName: "ContainerID",
UseSystemdCgroup: false,
@@ -97,29 +97,9 @@ func TestDupNamespaces(t *testing.T) {
}
func TestRootlessSpecconvValidate(t *testing.T) {
- spec := &specs.Spec{
- Linux: specs.Linux{
- Namespaces: []specs.Namespace{
- {
- Type: specs.UserNamespace,
- },
- },
- UIDMappings: []specs.IDMapping{
- {
- HostID: uint32(os.Geteuid()),
- ContainerID: 0,
- Size: 1,
- },
- },
- GIDMappings: []specs.IDMapping{
- {
- HostID: uint32(os.Getegid()),
- ContainerID: 0,
- Size: 1,
- },
- },
- },
- }
+ spec := Example()
+ spec.Root.Path = "/"
+ ToRootless(spec)
opts := &CreateOpts{
CgroupName: "ContainerID",
diff --git a/spec.go b/spec.go
index d7df312..9024ad4 100644
--- a/spec.go
+++ b/spec.go
@@ -64,12 +64,21 @@ container on your host.`,
Value: "",
Usage: "path to the root of the bundle directory",
},
+ cli.BoolFlag{
+ Name: "rootless",
+ Usage: "generate a configuration for a rootless container",
+ },
},
Action: func(context *cli.Context) error {
if err := checkArgs(context, 0, exactArgs); err != nil {
return err
}
- spec := specconv.ExampleSpec()
+ spec := specconv.Example()
+
+ rootless := context.Bool("rootless")
+ if rootless {
+ specconv.ToRootless(spec)
+ }
checkNoFile := func(name string) error {
_, err := os.Stat(name)
--
2.7.4.3

28
patch/0009-runc-ignore-exec.fifo-removing-not-exist-error.patch Normal file
View File

@ -0,0 +1,28 @@
From 13e4ce1748fbf311c01238e03f9314b2c2b4777e Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Mon, 17 Oct 2022 16:33:33 +0800
Subject: [PATCH] runc: ignore exec.fifo removing not exist error
---
runc-1.1.3/libcontainer/container_linux.go | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/runc-1.1.3/libcontainer/container_linux.go b/runc-1.1.3/libcontainer/container_linux.go
index 9df830d..6b68a0e 100644
--- a/runc-1.1.3/libcontainer/container_linux.go
+++ b/runc-1.1.3/libcontainer/container_linux.go
@@ -325,7 +325,10 @@ func handleFifoResult(result openResult) error {
if err := readFromExecFifo(f); err != nil {
return err
}
- return os.Remove(f.Name())
+ if err := os.Remove(f.Name()); !os.IsNotExist(err) {
+ return err
+ }
+ return nil
}
type openResult struct {
--
2.30.0

143
patch/0010-integration-added-root-requires.patch
View File

@ -1,143 +0,0 @@
From 7c81f032861f5654e9063e5af82c7794401682f4 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Tue, 10 May 2016 22:22:13 +1000
Subject: [PATCH 10/94] integration: added root requires
This is in preperation of allowing us to run the integration test suite
on rootless containers.
Change-Id: I38f7115df4f931857659892b07745c86507d14bf
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
tests/integration/cgroups.bats | 8 ++++++--
tests/integration/checkpoint.bats | 3 ++-
tests/integration/helpers.bash | 10 +++++++++-
tests/integration/kill.bats | 1 -
tests/integration/pause.bats | 6 ++++++
tests/integration/update.bats | 6 +++++-
6 files changed, 28 insertions(+), 6 deletions(-)
diff --git a/tests/integration/cgroups.bats b/tests/integration/cgroups.bats
index 9ab6f43..90095a7 100644
--- a/tests/integration/cgroups.bats
+++ b/tests/integration/cgroups.bats
@@ -28,7 +28,9 @@ function check_cgroup_value() {
}
@test "runc update --kernel-memory (initialized)" {
- requires cgroups_kmem
+ # XXX: currently cgroups require root containers.
+ requires cgroups_kmem root
+
# Add cgroup path
sed -i 's/\("linux": {\)/\1\n "cgroupsPath": "\/runc-cgroups-integration-test",/' ${BUSYBOX_BUNDLE}/config.json
@@ -56,7 +58,9 @@ EOF
}
@test "runc update --kernel-memory (uninitialized)" {
- requires cgroups_kmem
+ # XXX: currently cgroups require root containers.
+ requires cgroups_kmem root
+
# Add cgroup path
sed -i 's/\("linux": {\)/\1\n "cgroupsPath": "\/runc-cgroups-integration-test",/' ${BUSYBOX_BUNDLE}/config.json
diff --git a/tests/integration/checkpoint.bats b/tests/integration/checkpoint.bats
index 34d1b03..e91fd65 100644
--- a/tests/integration/checkpoint.bats
+++ b/tests/integration/checkpoint.bats
@@ -12,7 +12,8 @@ function teardown() {
}
@test "checkpoint and restore" {
- requires criu
+ # XXX: currently criu require root containers.
+ requires criu root
# criu does not work with external terminals so..
# setting terminal and root:readonly: to false
diff --git a/tests/integration/helpers.bash b/tests/integration/helpers.bash
index e4c2cb9..6548333 100644
--- a/tests/integration/helpers.bash
+++ b/tests/integration/helpers.bash
@@ -40,6 +40,9 @@ CGROUP_CPU_BASE_PATH=$(grep "cgroup" /proc/self/mountinfo | gawk 'toupper($NF) ~
KMEM="${CGROUP_MEMORY_BASE_PATH}/memory.kmem.limit_in_bytes"
RT_PERIOD="${CGROUP_CPU_BASE_PATH}/cpu.rt_period_us"
+# Check if we're in rootless mode.
+ROOTLESS=$(id -u)
+
# Wrapper for runc.
function runc() {
run __runc "$@"
@@ -68,7 +71,12 @@ function requires() {
case $var in
criu)
if [ ! -e "$CRIU" ]; then
- skip "Test requires ${var}."
+ skip "test requires ${var}"
+ fi
+ ;;
+ root)
+ if [ "$ROOTLESS" -ne 0 ]; then
+ skip "test requires ${var}"
fi
;;
cgroups_kmem)
diff --git a/tests/integration/kill.bats b/tests/integration/kill.bats
index a049de6..74246fa 100644
--- a/tests/integration/kill.bats
+++ b/tests/integration/kill.bats
@@ -13,7 +13,6 @@ function teardown() {
@test "kill detached busybox" {
-
# run busybox detached
runc run -d --console-socket $CONSOLE_SOCKET test_busybox
[ "$status" -eq 0 ]
diff --git a/tests/integration/pause.bats b/tests/integration/pause.bats
index 2f46a6c..30d98b5 100644
--- a/tests/integration/pause.bats
+++ b/tests/integration/pause.bats
@@ -12,6 +12,9 @@ function teardown() {
}
@test "runc pause and resume" {
+ # XXX: currently cgroups require root containers.
+ requires root
+
# run busybox detached
runc run -d --console-socket $CONSOLE_SOCKET test_busybox
[ "$status" -eq 0 ]
@@ -34,6 +37,9 @@ function teardown() {
}
@test "runc pause and resume with nonexist container" {
+ # XXX: currently cgroups require root containers.
+ requires root
+
# run test_busybox detached
runc run -d --console-socket $CONSOLE_SOCKET test_busybox
[ "$status" -eq 0 ]
diff --git a/tests/integration/update.bats b/tests/integration/update.bats
index 9aaf1b9..4a6bf7f 100644
--- a/tests/integration/update.bats
+++ b/tests/integration/update.bats
@@ -50,7 +50,11 @@ function check_cgroup_value() {
# TODO: test rt cgroup updating
@test "update" {
- requires cgroups_kmem
+ # XXX: currently cgroups require root containers.
+ # XXX: Also, this test should be split into separate sections so that we
+ # can skip kmem without skipping update tests overall.
+ requires cgroups_kmem root
+
# run a few busyboxes detached
runc run -d --console-socket $CONSOLE_SOCKET test_update
[ "$status" -eq 0 ]
--
2.7.4.3

249
patch/0010-runc-Add-file-fds-limit.patch Normal file
View File

@ -0,0 +1,249 @@
From ebee018ddc5b1d1d9d5484fb2db40123599eb4e8 Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Mon, 17 Oct 2022 17:54:20 +0800
Subject: [PATCH] runc:Add file fds limit
---
runc-1.1.3/events.go | 3 +
runc-1.1.3/libcontainer/cgroups/fs/files.go | 79 +++++++++++++++++++
runc-1.1.3/libcontainer/cgroups/fs/fs.go | 1 +
runc-1.1.3/libcontainer/cgroups/stats.go | 8 ++
runc-1.1.3/libcontainer/cgroups/systemd/v1.go | 1 +
.../libcontainer/configs/cgroup_linux.go | 3 +
.../libcontainer/specconv/spec_linux.go | 4 +
runc-1.1.3/types/events.go | 6 ++
.../runtime-spec/specs-go/config.go | 8 ++
9 files changed, 113 insertions(+)
create mode 100644 runc-1.1.3/libcontainer/cgroups/fs/files.go
diff --git a/runc-1.1.3/events.go b/runc-1.1.3/events.go
index 6cdc01c..94712e3 100644
--- a/runc-1.1.3/events.go
+++ b/runc-1.1.3/events.go
@@ -120,6 +120,9 @@ func convertLibcontainerStats(ls *libcontainer.Stats) *types.Stats {
s.Pids.Current = cg.PidsStats.Current
s.Pids.Limit = cg.PidsStats.Limit
+ s.Files.Usage = cg.FilesStats.Usage
+ s.Files.Limit = cg.FilesStats.Limit
+
s.CPU.Usage.Kernel = cg.CpuStats.CpuUsage.UsageInKernelmode
s.CPU.Usage.User = cg.CpuStats.CpuUsage.UsageInUsermode
s.CPU.Usage.Total = cg.CpuStats.CpuUsage.TotalUsage
diff --git a/runc-1.1.3/libcontainer/cgroups/fs/files.go b/runc-1.1.3/libcontainer/cgroups/fs/files.go
new file mode 100644
index 0000000..3315cda
--- /dev/null
+++ b/runc-1.1.3/libcontainer/cgroups/fs/files.go
@@ -0,0 +1,79 @@
+/*
+Copyright (c) Huawei Technologies Co., Ltd. 2017-2019. All rights reserved.
+Use of this source code is governed by Apache-2.0
+license that can be found in the LICENSE file.
+Description: files cgroup common functions
+Author: yangshukui
+Create: 2017-09-18
+*/
+
+package fs
+
+import (
+ "fmt"
+ "strconv"
+
+ "github.com/opencontainers/runc/libcontainer/cgroups"
+ "github.com/opencontainers/runc/libcontainer/configs"
+ "path/filepath"
+)
+
+type FilesGroup struct {
+}
+
+func (s *FilesGroup) Name() string {
+ return "files"
+}
+
+func (s *FilesGroup) Apply(d *cgroupData) error {
+ _, err := d.join("files")
+ if err != nil && !cgroups.IsNotFound(err) {
+ return err
+ }
+ return nil
+}
+
+func (s *FilesGroup) Set(path string, cgroup *configs.Cgroup) error {
+ if cgroup.Resources.FilesLimit != 0 {
+ // "max" is the fallback value.
+ limit := "max"
+ if cgroup.Resources.FilesLimit > 0 {
+ limit = strconv.FormatInt(cgroup.Resources.FilesLimit, 10)
+ }
+
+ if err := writeFile(path, "files.limit", limit); err != nil {
+ return err
+ }
+ }
+
+ return nil
+}
+
+func (s *FilesGroup) Remove(d *cgroupData) error {
+ return removePath(d.path("files"))
+}
+
+func (s *FilesGroup) GetStats(path string, stats *cgroups.Stats) error {
+ usage, err := getCgroupParamUint(path, "files.usage")
+ if err != nil {
+ return fmt.Errorf("failed to parse files.usage - %s", err)
+ }
+
+ maxString, err := getCgroupParamString(path, "files.limit")
+ if err != nil {
+ return fmt.Errorf("failed to parse files.limit - %s", err)
+ }
+
+ // Default if files.limit == "max" is 0 -- which represents "no limit".
+ var max uint64
+ if maxString != "max" {
+ max, err = parseUint(maxString, 10, 64)
+ if err != nil {
+ return fmt.Errorf("failed to parse files.limit -- unable to parse %q as a uint from Cgroup file %q", maxString, filepath.Join(path, "file.limits"))
+ }
+ }
+
+ stats.FilesStats.Usage = usage
+ stats.FilesStats.Limit = max
+ return nil
+}
diff --git a/runc-1.1.3/libcontainer/cgroups/fs/fs.go b/runc-1.1.3/libcontainer/cgroups/fs/fs.go
index fb4fcc7..59b6dff 100644
--- a/runc-1.1.3/libcontainer/cgroups/fs/fs.go
+++ b/runc-1.1.3/libcontainer/cgroups/fs/fs.go
@@ -20,6 +20,7 @@ var subsystems = []subsystem{
&CpuGroup{},
&CpuacctGroup{},
&PidsGroup{},
+ &FilesGroup{},
&BlkioGroup{},
&HugetlbGroup{},
&NetClsGroup{},
diff --git a/runc-1.1.3/libcontainer/cgroups/stats.go b/runc-1.1.3/libcontainer/cgroups/stats.go
index 40a81dd..8f1d4ce 100644
--- a/runc-1.1.3/libcontainer/cgroups/stats.go
+++ b/runc-1.1.3/libcontainer/cgroups/stats.go
@@ -116,6 +116,13 @@ type PidsStats struct {
Limit uint64 `json:"limit,omitempty"`
}
+type FilesStats struct {
+ // number of pids in the cgroup
+ Usage uint64 `json:"usage,omitempty"`
+ // active pids hard limit
+ Limit uint64 `json:"limit,omitempty"`
+}
+
type BlkioStatEntry struct {
Major uint64 `json:"major,omitempty"`
Minor uint64 `json:"minor,omitempty"`
@@ -160,6 +167,7 @@ type Stats struct {
CPUSetStats CPUSetStats `json:"cpuset_stats,omitempty"`
MemoryStats MemoryStats `json:"memory_stats,omitempty"`
PidsStats PidsStats `json:"pids_stats,omitempty"`
+ FilesStats FilesStats `json:"files_stats,omitempty"`
BlkioStats BlkioStats `json:"blkio_stats,omitempty"`
// the map is in the format "size of hugepage: stats of the hugepage"
HugetlbStats map[string]HugetlbStats `json:"hugetlb_stats,omitempty"`
diff --git a/runc-1.1.3/libcontainer/cgroups/systemd/v1.go b/runc-1.1.3/libcontainer/cgroups/systemd/v1.go
index a74a05a..19d1099 100644
--- a/runc-1.1.3/libcontainer/cgroups/systemd/v1.go
+++ b/runc-1.1.3/libcontainer/cgroups/systemd/v1.go
@@ -63,6 +63,7 @@ var legacySubsystems = []subsystem{
&fs.CpuGroup{},
&fs.CpuacctGroup{},
&fs.PidsGroup{},
+ &fs.FilesGroup{},
&fs.BlkioGroup{},
&fs.HugetlbGroup{},
&fs.PerfEventGroup{},
diff --git a/runc-1.1.3/libcontainer/configs/cgroup_linux.go b/runc-1.1.3/libcontainer/configs/cgroup_linux.go
index 2d4a898..8cbc154 100644
--- a/runc-1.1.3/libcontainer/configs/cgroup_linux.go
+++ b/runc-1.1.3/libcontainer/configs/cgroup_linux.go
@@ -87,6 +87,9 @@ type Resources struct {
// Process limit; set <= `0' to disable limit.
PidsLimit int64 `json:"pids_limit"`
+ // Process open files limit.
+ FilesLimit int64 `json:"files_limit"`
+
// Specifies per cgroup weight, range is from 10 to 1000.
BlkioWeight uint16 `json:"blkio_weight"`
diff --git a/runc-1.1.3/libcontainer/specconv/spec_linux.go b/runc-1.1.3/libcontainer/specconv/spec_linux.go
index c7ca4c8..19dd947 100644
--- a/runc-1.1.3/libcontainer/specconv/spec_linux.go
+++ b/runc-1.1.3/libcontainer/specconv/spec_linux.go
@@ -747,6 +747,10 @@ func CreateCgroupConfig(opts *CreateOpts, defaultDevs []*devices.Device) (*confi
if r.Pids != nil {
c.Resources.PidsLimit = r.Pids.Limit
}
+ if r.Files != nil && r.Files.Limit != nil {
+ c.Resources.FilesLimit = *r.Files.Limit
+ }
+
if r.BlockIO != nil {
if r.BlockIO.Weight != nil {
c.Resources.BlkioWeight = *r.BlockIO.Weight
diff --git a/runc-1.1.3/types/events.go b/runc-1.1.3/types/events.go
index 81bde82..1fdff8f 100644
--- a/runc-1.1.3/types/events.go
+++ b/runc-1.1.3/types/events.go
@@ -15,6 +15,7 @@ type Stats struct {
CPUSet CPUSet `json:"cpuset"`
Memory Memory `json:"memory"`
Pids Pids `json:"pids"`
+ Files files `json:"files"`
Blkio Blkio `json:"blkio"`
Hugetlb map[string]Hugetlb `json:"hugetlb"`
IntelRdt IntelRdt `json:"intel_rdt"`
@@ -50,6 +51,11 @@ type Pids struct {
Limit uint64 `json:"limit,omitempty"`
}
+type files struct {
+ Usage uint64 `json:"usage,omitempty"`
+ Limit uint64 `json:"limit,omitempty"`
+}
+
type Throttling struct {
Periods uint64 `json:"periods,omitempty"`
ThrottledPeriods uint64 `json:"throttledPeriods,omitempty"`
diff --git a/runc-1.1.3/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go b/runc-1.1.3/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
index 6a7a91e..e8143b2 100644
--- a/runc-1.1.3/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
+++ b/runc-1.1.3/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
@@ -336,6 +336,12 @@ type LinuxPids struct {
Limit int64 `json:"limit"`
}
+// Files for Linux cgroup 'files' resource management (https://lwn.net/Articles/604129/)
+type Files struct {
+ // Maximum number of open files".
+ Limit *int64 `json:"limit,omitempty"`
+}
+
// LinuxNetwork identification and priority configuration
type LinuxNetwork struct {
// Set class identifier for container's network packets
@@ -362,6 +368,8 @@ type LinuxResources struct {
CPU *LinuxCPU `json:"cpu,omitempty"`
// Task resource restriction configuration.
Pids *LinuxPids `json:"pids,omitempty"`
+ // Files resource restriction configuration.
+ Files *Files `json:"files,omitempty"`
// BlockIO restriction configuration
BlockIO *LinuxBlockIO `json:"blockIO,omitempty"`
// Hugetlb limit (in bytes)
--
2.30.0

440
patch/0060-runc-runc-logs-forwarding-to-syslog.patch → patch/0011-runc-logs-forwarding-to-syslog.patch
View File

@ -1,98 +1,104 @@
From c8d9a899d3425c342e83868540ca357bf9f7a661 Mon Sep 17 00:00:00 2001
From: panwenxiang <panwenxiang@huawei.com>
Date: Fri, 19 Oct 2018 15:00:34 +0800
Subject: [PATCH 60/94] runc: runc logs forwarding to syslog
From 658fb594136222061ad4653cbb540eeade7e5ddc Mon Sep 17 00:00:00 2001
From: zhong-jiawei-1 <zhongjiawei1@huawei.com>
Date: Tue, 18 Oct 2022 16:33:41 +0800
Subject: [PATCH] runc: runc logs forwarding to syslog
reason:runc logs forwarding to syslog and using the config "--log-level" to control the number of logs
Change-Id: Ia93f6f5c56131ea8558c4b7b7e5c4bec827a1bad
Conflicts:
libcontainer/container_linux.go
libcontainer/process_linux.go
libcontainer/state_linux.go
---
create.go | 3 +-
libcontainer/configs/config.go | 55 +++++++++---
libcontainer/container_linux.go | 16 ++--
libcontainer/process_linux.go | 19 ++--
libcontainer/state_linux.go | 4 +-
main.go | 33 +++++--
script/runc-euleros.spec | 2 +-
vendor/github.com/Sirupsen/logrus/Checklist | 1 +
.../Sirupsen/logrus/hooks/airbrake/airbrake.go | 54 +++++++++++
.../Sirupsen/logrus/hooks/bugsnag/bugsnag.go | 68 ++++++++++++++
.../Sirupsen/logrus/hooks/papertrail/README.md | 28 ++++++
.../Sirupsen/logrus/hooks/papertrail/papertrail.go | 55 ++++++++++++
.../Sirupsen/logrus/hooks/sentry/README.md | 61 +++++++++++++
.../Sirupsen/logrus/hooks/sentry/sentry.go | 100 +++++++++++++++++++++
.../Sirupsen/logrus/hooks/syslog/README.md | 20 +++++
.../Sirupsen/logrus/hooks/syslog/syslog.go | 59 ++++++++++++
16 files changed, 535 insertions(+), 43 deletions(-)
create mode 100644 vendor/github.com/Sirupsen/logrus/Checklist
create mode 100644 vendor/github.com/Sirupsen/logrus/hooks/airbrake/airbrake.go
create mode 100644 vendor/github.com/Sirupsen/logrus/hooks/bugsnag/bugsnag.go
create mode 100644 vendor/github.com/Sirupsen/logrus/hooks/papertrail/README.md
create mode 100644 vendor/github.com/Sirupsen/logrus/hooks/papertrail/papertrail.go
create mode 100644 vendor/github.com/Sirupsen/logrus/hooks/sentry/README.md
create mode 100644 vendor/github.com/Sirupsen/logrus/hooks/sentry/sentry.go
create mode 100644 vendor/github.com/Sirupsen/logrus/hooks/syslog/README.md
create mode 100644 vendor/github.com/Sirupsen/logrus/hooks/syslog/syslog.go
libcontainer/container_linux.go
libcontainer/process_linux.go
libcontainer/state_linux.go
diff --git a/create.go b/create.go
index 096e8e3..d0246ad 100644
--- a/create.go
+++ b/create.go
@@ -1,9 +1,8 @@
package main
---
runc-1.1.3/create.go | 2 +-
runc-1.1.3/libcontainer/configs/config.go | 70 +++++++++---
runc-1.1.3/libcontainer/container_linux.go | 2 +-
runc-1.1.3/main.go | 20 ++++
.../github.com/sirupsen/logrus/Checklist | 1 +
.../logrus/hooks/airbrake/airbrake.go | 54 ++++++++++
.../sirupsen/logrus/hooks/bugsnag/bugsnag.go | 68 ++++++++++++
.../logrus/hooks/papertrail/README.md | 28 +++++
.../logrus/hooks/papertrail/papertrail.go | 55 ++++++++++
.../sirupsen/logrus/hooks/sentry/README.md | 61 +++++++++++
.../sirupsen/logrus/hooks/sentry/sentry.go | 100 ++++++++++++++++++
.../sirupsen/logrus/hooks/syslog/README.md | 20 ++++
.../sirupsen/logrus/hooks/syslog/syslog.go | 59 +++++++++++
13 files changed, 523 insertions(+), 17 deletions(-)
create mode 100644 runc-1.1.3/vendor/github.com/sirupsen/logrus/Checklist
create mode 100644 runc-1.1.3/vendor/github.com/sirupsen/logrus/hooks/airbrake/airbrake.go
create mode 100644 runc-1.1.3/vendor/github.com/sirupsen/logrus/hooks/bugsnag/bugsnag.go
create mode 100644 runc-1.1.3/vendor/github.com/sirupsen/logrus/hooks/papertrail/README.md
create mode 100644 runc-1.1.3/vendor/github.com/sirupsen/logrus/hooks/papertrail/papertrail.go
create mode 100644 runc-1.1.3/vendor/github.com/sirupsen/logrus/hooks/sentry/README.md
create mode 100644 runc-1.1.3/vendor/github.com/sirupsen/logrus/hooks/sentry/sentry.go
create mode 100644 runc-1.1.3/vendor/github.com/sirupsen/logrus/hooks/syslog/README.md
create mode 100644 runc-1.1.3/vendor/github.com/sirupsen/logrus/hooks/syslog/syslog.go
diff --git a/runc-1.1.3/create.go b/runc-1.1.3/create.go
index 97854b8..46ef1ef 100644
--- a/runc-1.1.3/create.go
+++ b/runc-1.1.3/create.go
@@ -2,9 +2,9 @@ package main
import (
"fmt"
- "os"
-
"github.com/urfave/cli"
+ "os"
)
var createCommand = cli.Command{
diff --git a/libcontainer/configs/config.go b/libcontainer/configs/config.go
index 49bc7a3..d6bc603 100644
--- a/libcontainer/configs/config.go
+++ b/libcontainer/configs/config.go
@@ -4,12 +4,18 @@ import (
diff --git a/runc-1.1.3/libcontainer/configs/config.go b/runc-1.1.3/libcontainer/configs/config.go
index 72910ff..9076846 100644
--- a/runc-1.1.3/libcontainer/configs/config.go
+++ b/runc-1.1.3/libcontainer/configs/config.go
@@ -4,15 +4,22 @@ import (
"bytes"
"encoding/json"
"fmt"
+ "github.com/Sirupsen/logrus"
+ "github.com/opencontainers/runtime-spec/specs-go"
"os/exec"
"strings"
"time"
- "os/exec"
- "time"
-
"github.com/sirupsen/logrus"
-
"github.com/opencontainers/runc/libcontainer/devices"
"github.com/opencontainers/runtime-spec/specs-go"
+ "os/exec"
+ "time"
+)
- "github.com/Sirupsen/logrus"
- "github.com/opencontainers/runtime-spec/specs-go"
+
+const (
+ minHookTimeOut = 1 * time.Second
+ defaultHookTimeOut = 5 * time.Second
+ maxHookTimeOut = 120 * time.Second
+ //the runc default timeout is 120s, so set the defaultWarnTime to 80% of the default timeout.
+ defaultWarnTime = 96 * time.Second
)
+
type Rlimit struct {
@@ -195,9 +201,9 @@ type Config struct {
// about the type of the Capabilities field.
// Refer to: https://github.com/opencontainers/runtime-spec/commit/37391fb
type CompatConfig struct {
- Config
- Cgroups *CompatCgroup `json:"cgroups"`
- Capabilities interface{} `json:"capabilities,omitempty" platform:"linux"`
+ Config
+ Cgroups *CompatCgroup `json:"cgroups"`
+ Capabilities interface{} `json:"capabilities,omitempty" platform:"linux"`
}
Type int `json:"type"`
Hard uint64 `json:"hard"`
@@ -279,11 +286,11 @@ type Capabilities struct {
type Hooks struct {
@@ -342,29 +348,52 @@ func (c Command) Run(s HookState) error {
func (hooks HookList) RunHooks(state *specs.State) error {
for i, h := range hooks {
- logrus.Infof("run hooks %d:%T", i, h)
+ logrus.Infof("run hooks %d:%T, ContainerId: %s", i, h, state.ID)
if err := h.Run(state); err != nil {
- return fmt.Errorf("error running hook #%d: %w", i, err)
+ return fmt.Errorf("error running hook #%d: %w, ContainerId: %s", i, err, state.ID)
}
- logrus.Infof("hooks %d:%T done", i, h)
+ logrus.Infof("hooks %d:%T done, ContainerId: %s", i, h, state.ID)
}
return nil
@@ -388,29 +395,62 @@ func (c Command) Run(s *specs.State) error {
Stdout: &stdout,
Stderr: &stderr,
}
@ -100,8 +106,13 @@ index 49bc7a3..d6bc603 100644
if err := cmd.Start(); err != nil {
return err
}
+ if c.Timeout != nil && *c.Timeout < minHookTimeOut {
+ if c.Timeout != nil && *c.Timeout <= minHookTimeOut {
+ *c.Timeout = defaultHookTimeOut
+ logrus.Warnf("hook timeout should not be negative or zero, set hook timeout as 5s")
+ }
+ if c.Timeout != nil && *c.Timeout > maxHookTimeOut {
+ logrus.Warnf("hook timeout: %s is too long, use 120s as timeout. ContainerID: %s", *c.Timeout, s.ID)
+ *c.Timeout = maxHookTimeOut
+ }
errC := make(chan error, 1)
+ var (
@ -111,7 +122,7 @@ index 49bc7a3..d6bc603 100644
go func() {
err := cmd.Wait()
if err != nil {
err = fmt.Errorf("error running hook: %v, stdout: %s, stderr: %s", err, stdout.String(), stderr.String())
err = fmt.Errorf("error running hook: %w, stdout: %s, stderr: %s", err, stdout.String(), stderr.String())
}
+ elapsedTime := time.Since(startTime)
+ logrus.Infof("hook spends time %s, ContainerID: %s", elapsedTime, s.ID)
@ -131,15 +142,16 @@ index 49bc7a3..d6bc603 100644
timer := time.NewTimer(*c.Timeout)
defer timer.Stop()
timerCh = timer.C
+ warnTime = float64(*c.Timeout) * 0.8
+ warnTime = (*c.Timeout).Seconds() * 0.8
}
- select {
- case err := <-errC:
- return err
- case <-timerCh:
- cmd.Process.Kill()
- cmd.Wait()
- _ = cmd.Process.Kill()
- <-errC
- return fmt.Errorf("hook ran past specified timeout of %.1fs", c.Timeout.Seconds())
+ timeAfter := time.After(time.Duration(warnTime) * time.Second)
+ for {
+ select {
+ case err := <-errC:
@ -148,225 +160,79 @@ index 49bc7a3..d6bc603 100644
+ cmd.Process.Kill()
+ cmd.Wait()
+ return fmt.Errorf("hook ran past specified timeout of %.1fs", c.Timeout.Seconds())
+ case <-time.After(time.Duration(warnTime) * time.Second):
+ logrus.Warnf("hook ran more than 80%% of the default timeout, ContainerID: %s", s.ID)
+ case <-timeAfter:
+ if c.Timeout != nil {
+ logrus.Warnf("hook ran more than 80%% of the timeout %s, ContainerID: %s", *c.Timeout, s.ID)
+ } else {
+ logrus.Warnf("hook ran more than 80%% of the default timeout 120s, ContainerID: %s", s.ID)
+ }
+ }
}
}
diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
index 502a274..ba5dcd6 100644
--- a/libcontainer/container_linux.go
+++ b/libcontainer/container_linux.go
@@ -68,9 +68,9 @@ type State struct {
}
diff --git a/runc-1.1.3/libcontainer/container_linux.go b/runc-1.1.3/libcontainer/container_linux.go
index 6b68a0e..425e44d 100644
--- a/runc-1.1.3/libcontainer/container_linux.go
+++ b/runc-1.1.3/libcontainer/container_linux.go
@@ -368,7 +368,7 @@ func (c *linuxContainer) start(process *Process) (retErr error) {
// CompatState
-type CompatState struct{
- State
- Config configs.CompatConfig `json:"config"`
+type CompatState struct {
+ State
+ Config configs.CompatConfig `json:"config"`
}
// Container is a libcontainer container object.
@@ -345,13 +345,13 @@ func (c *linuxContainer) start(process *Process, isInit bool) error {
Root: c.config.Rootfs,
}
for i, hook := range c.config.Hooks.Poststart {
- logrus.Infof("run poststart hook %d:%s", i, hook.Info())
+ logrus.Infof("run poststart hook %d:%s, ContainerID: %s", i, hook.Info(), s.ID)
if err := hook.Run(s); err != nil {
logrus.Errorf("running poststart hook(%d:%s) failed: %s", i, hook.Info(), err)
if err := parent.terminate(); err != nil {
- logrus.Warn(err)
+ logrus.Warnf("run poststart hook failed: %s, ContainerID: %s", err, s.ID)
}
- return newSystemErrorWithCausef(err, "running poststart hook %d:%s", i, hook.Info())
+ return newSystemErrorWithCausef(err, "running poststart hook %d:%s, ContainerID: %s", i, hook.Info(), s.ID)
if err := c.config.Hooks[configs.Poststart].RunHooks(s); err != nil {
if err := ignoreTerminateErrors(parent.terminate()); err != nil {
- logrus.Warn(fmt.Errorf("error running poststart hook: %w", err))
+ logrus.Warn(fmt.Errorf("error running poststart hook: %w, ContainerId: %s", err, s.ID))
}
logrus.Infof("poststart hook %d:%s done", i, hook.Info())
}
@@ -1319,9 +1319,9 @@ func (c *linuxContainer) criuNotifications(resp *criurpc.CriuResp, process *Proc
Root: c.config.Rootfs,
}
for i, hook := range c.config.Hooks.Prestart {
- logrus.Infof("run prestart hook: %d:%s", i, hook.Info())
+ logrus.Infof("run prestart hook: %d:%s, ContainerID: %s", i, hook.Info(), s.ID)
if err := hook.Run(s); err != nil {
- return newSystemErrorWithCausef(err, "running prestart hook %d", i)
+ return newSystemErrorWithCausef(err, "running prestart hook %d:%s, ContainerID: %s", i, hook.Info(), s.ID)
}
logrus.Infof("prestart hook: %d:%s done", i, hook.Info())
}
diff --git a/libcontainer/process_linux.go b/libcontainer/process_linux.go
index 70e93de..79b1c4e 100644
--- a/libcontainer/process_linux.go
+++ b/libcontainer/process_linux.go
@@ -6,18 +6,17 @@ import (
"encoding/json"
"errors"
"fmt"
+ "github.com/Sirupsen/logrus"
+ "github.com/opencontainers/runc/libcontainer/cgroups"
+ "github.com/opencontainers/runc/libcontainer/configs"
+ "github.com/opencontainers/runc/libcontainer/system"
+ "github.com/opencontainers/runc/libcontainer/utils"
"io"
"os"
"os/exec"
"path/filepath"
"strconv"
"syscall"
-
- "github.com/Sirupsen/logrus"
- "github.com/opencontainers/runc/libcontainer/cgroups"
- "github.com/opencontainers/runc/libcontainer/configs"
- "github.com/opencontainers/runc/libcontainer/system"
- "github.com/opencontainers/runc/libcontainer/utils"
)
type parentProcess interface {
@@ -309,9 +308,9 @@ func (p *initProcess) start() error {
Root: p.config.Config.Rootfs,
}
for i, hook := range p.config.Config.Hooks.Prestart {
- logrus.Infof("run prestart hook %d:%s", i, hook.Info())
+ logrus.Infof("run prestart hook %d:%s, ContainerID: %s", i, hook.Info(), s.ID)
if err := hook.Run(s); err != nil {
- return newSystemErrorWithCausef(err, "running prestart hook %d:%s", i, hook.Info())
+ return newSystemErrorWithCausef(err, "running prestart hook %d:%s, ContainerID: %s", i, hook.Info(), s.ID)
}
logrus.Infof("prestart hook %d:%s done", i, hook.Info())
}
@@ -338,9 +337,9 @@ func (p *initProcess) start() error {
Root: p.config.Config.Rootfs,
}
for i, hook := range p.config.Config.Hooks.Prestart {
- logrus.Infof("run prestart hook %d:%s", i, hook.Info())
+ logrus.Infof("run prestart hook %d:%s, ContainerID :%s", i, hook.Info(), s.ID)
if err := hook.Run(s); err != nil {
- return newSystemErrorWithCausef(err, "running prestart hook %d:%s", i, hook.Info())
+ return newSystemErrorWithCausef(err, "running prestart hook %d:%s, ContainerID: %s", i, hook.Info(), s.ID)
}
logrus.Infof("prestart hook %d:%s done", i, hook.Info())
}
diff --git a/libcontainer/state_linux.go b/libcontainer/state_linux.go
index b8d2a87..26e091b 100644
--- a/libcontainer/state_linux.go
+++ b/libcontainer/state_linux.go
@@ -66,10 +66,10 @@ func runPoststopHooks(c *linuxContainer) error {
Root: c.config.Rootfs,
}
for i, hook := range c.config.Hooks.Poststop {
- logrus.Infof("run poststop hook %d:%s", i, hook.Info())
+ logrus.Infof("run poststop hook %d:%s, ContainerID: %s", i, hook.Info(), s.ID)
if err := hook.Run(s); err != nil {
logrus.Errorf("running poststop hook %d: %s failed: %s", i, hook.Info(), err)
- return newSystemErrorWithCausef(err, "running poststop hook %d:%s", i, hook.Info())
+ return newSystemErrorWithCausef(err, "running poststop hook %d:%s, ContainerID: %s", i, hook.Info(), s.ID)
}
logrus.Infof("poststop hook %d:%s done", i, hook.Info())
}
diff --git a/main.go b/main.go
index 1cb8f4d..f15a4ac 100644
--- a/main.go
+++ b/main.go
@@ -2,13 +2,14 @@ package main
import (
"fmt"
- "io"
- "os"
- "strings"
-
"github.com/Sirupsen/logrus"
+ "github.com/Sirupsen/logrus/hooks/syslog"
"github.com/opencontainers/runtime-spec/specs-go"
"github.com/urfave/cli"
+ "io"
+ "log/syslog"
+ "os"
+ "strings"
)
// version will be populated by the Makefile, read from
@@ -76,6 +77,10 @@ func main() {
Usage: "set the format used by logs ('text' (default), or 'json')",
},
cli.StringFlag{
+ Name: "log-level",
+ Usage: "Set the logging level [debug, info, warn, error, fatal, panic]",
+ },
+ cli.StringFlag{
Name: "root",
Value: "/run/runc",
Usage: "root directory for storage of container state (this should be located in tmpfs)",
@@ -110,15 +115,17 @@ func main() {
updateCommand,
}
app.Before = func(context *cli.Context) error {
- if context.GlobalBool("debug") {
- logrus.SetLevel(logrus.DebugLevel)
- }
if path := context.GlobalString("log"); path != "" {
f, err := os.OpenFile(path, os.O_CREATE|os.O_WRONLY|os.O_APPEND|os.O_SYNC, 0666)
if err != nil {
return err
}
logrus.SetOutput(f)
+ hook, serr := logrus_syslog.NewSyslogHook("", "", syslog.LOG_INFO|syslog.LOG_USER, "docker-runc")
+ if serr != nil {
+ fmt.Fprint(f, fmt.Sprintf("Leo: new syslog hook get %s", serr))
+ }
+ logrus.AddHook(hook)
diff --git a/runc-1.1.3/main.go b/runc-1.1.3/main.go
index 4d66638..9e14976 100644
--- a/runc-1.1.3/main.go
+++ b/runc-1.1.3/main.go
@@ -100,6 +100,10 @@ func main() {
Value: root,
Usage: "root directory for storage of container state (this should be located in tmpfs)",
},
+ cli.StringFlag{
+ Name: "log-level",
+ Usage: "set the logging level [debug, info, warn, error, fatal, panic]",
+ },
cli.StringFlag{
Name: "criu",
Value: "criu",
@@ -211,7 +215,23 @@ func configLogrus(context *cli.Context) error {
return err
}
switch context.GlobalString("log-format") {
case "text":
@@ -128,6 +135,18 @@ func main() {
default:
return fmt.Errorf("unknown log-format %q", context.GlobalString("log-format"))
}
+ if logLevel := context.GlobalString("log-level"); logLevel != "" {
+ lvl, err := logrus.ParseLevel(logLevel)
+ if err != nil {
+ fmt.Fprintf(os.Stderr, "Unable to parse logging level: %s\n", logLevel)
+ os.Exit(1)
+ }
+ logrus.SetLevel(lvl)
logrus.SetOutput(f)
+ hook, serr := logrus_syslog.NewSyslogHook("", "", syslog.LOG_INFO|syslog.LOG_USER, "docker-runc")
+ if serr != nil {
+ fmt.Fprint(f, fmt.Sprintf("Leo: new syslog hook get %s", serr))
+ }
+
+ if context.GlobalBool("debug") {
+ logrus.SetLevel(logrus.DebugLevel)
+ logrus.AddHook(hook)
+ }
+ if logLevel := context.GlobalString("log-level"); logLevel != "" {
+ lvl, err := logrus.ParseLevel(logLevel)
+ if err != nil {
+ fmt.Fprintf(os.Stderr, "Unable to parse logging level: %s\n", logLevel)
+ os.Exit(1)
+ }
return nil
+ logrus.SetLevel(lvl)
}
// If the command returns an error, cli takes upon itself to print
diff --git a/script/runc-euleros.spec b/script/runc-euleros.spec
index c3db7c9..5318ec2 100644
--- a/script/runc-euleros.spec
+++ b/script/runc-euleros.spec
@@ -2,7 +2,7 @@
Name: docker-runc
Version: 1.0.0.rc3
-Release: 2%{?dist}
+Release: 3%{?dist}
Summary: runc is a CLI tool for spawning and running containers according to the OCF specification
License: ASL 2.0
diff --git a/vendor/github.com/Sirupsen/logrus/Checklist b/vendor/github.com/Sirupsen/logrus/Checklist
+ if context.GlobalBool("debug") {
+ logrus.SetLevel(logrus.DebugLevel)
+ }
return nil
}
diff --git a/runc-1.1.3/vendor/github.com/sirupsen/logrus/Checklist b/runc-1.1.3/vendor/github.com/sirupsen/logrus/Checklist
new file mode 100644
index 0000000..7117b24
--- /dev/null
+++ b/vendor/github.com/Sirupsen/logrus/Checklist
+++ b/runc-1.1.3/vendor/github.com/sirupsen/logrus/Checklist
@@ -0,0 +1 @@
+imported from runc v1.0.0-Release Candidate 2: Godeps/_workspace/src/github.com/Sirupsen/logrus/hooks
diff --git a/vendor/github.com/Sirupsen/logrus/hooks/airbrake/airbrake.go b/vendor/github.com/Sirupsen/logrus/hooks/airbrake/airbrake.go
diff --git a/runc-1.1.3/vendor/github.com/sirupsen/logrus/hooks/airbrake/airbrake.go b/runc-1.1.3/vendor/github.com/sirupsen/logrus/hooks/airbrake/airbrake.go
new file mode 100644
index 0000000..b0502c3
--- /dev/null
+++ b/vendor/github.com/Sirupsen/logrus/hooks/airbrake/airbrake.go
+++ b/runc-1.1.3/vendor/github.com/sirupsen/logrus/hooks/airbrake/airbrake.go
@@ -0,0 +1,54 @@
+package airbrake
+
@ -422,11 +288,11 @@ index 0000000..b0502c3
+ logrus.PanicLevel,
+ }
+}
diff --git a/vendor/github.com/Sirupsen/logrus/hooks/bugsnag/bugsnag.go b/vendor/github.com/Sirupsen/logrus/hooks/bugsnag/bugsnag.go
diff --git a/runc-1.1.3/vendor/github.com/sirupsen/logrus/hooks/bugsnag/bugsnag.go b/runc-1.1.3/vendor/github.com/sirupsen/logrus/hooks/bugsnag/bugsnag.go
new file mode 100644
index 0000000..d20a0f5
--- /dev/null
+++ b/vendor/github.com/Sirupsen/logrus/hooks/bugsnag/bugsnag.go
+++ b/runc-1.1.3/vendor/github.com/sirupsen/logrus/hooks/bugsnag/bugsnag.go
@@ -0,0 +1,68 @@
+package logrus_bugsnag
+
@ -496,11 +362,11 @@ index 0000000..d20a0f5
+ logrus.PanicLevel,
+ }
+}
diff --git a/vendor/github.com/Sirupsen/logrus/hooks/papertrail/README.md b/vendor/github.com/Sirupsen/logrus/hooks/papertrail/README.md
diff --git a/runc-1.1.3/vendor/github.com/sirupsen/logrus/hooks/papertrail/README.md b/runc-1.1.3/vendor/github.com/sirupsen/logrus/hooks/papertrail/README.md
new file mode 100644
index 0000000..ae61e92
--- /dev/null
+++ b/vendor/github.com/Sirupsen/logrus/hooks/papertrail/README.md
+++ b/runc-1.1.3/vendor/github.com/sirupsen/logrus/hooks/papertrail/README.md
@@ -0,0 +1,28 @@
+# Papertrail Hook for Logrus <img src="http://i.imgur.com/hTeVwmJ.png" width="40" height="40" alt=":walrus:" class="emoji" title=":walrus:" />
+
@ -530,11 +396,11 @@ index 0000000..ae61e92
+ }
+}
+```
diff --git a/vendor/github.com/Sirupsen/logrus/hooks/papertrail/papertrail.go b/vendor/github.com/Sirupsen/logrus/hooks/papertrail/papertrail.go
diff --git a/runc-1.1.3/vendor/github.com/sirupsen/logrus/hooks/papertrail/papertrail.go b/runc-1.1.3/vendor/github.com/sirupsen/logrus/hooks/papertrail/papertrail.go
new file mode 100644
index 0000000..c0f10c1
--- /dev/null
+++ b/vendor/github.com/Sirupsen/logrus/hooks/papertrail/papertrail.go
+++ b/runc-1.1.3/vendor/github.com/sirupsen/logrus/hooks/papertrail/papertrail.go
@@ -0,0 +1,55 @@
+package logrus_papertrail
+
@ -591,11 +457,11 @@ index 0000000..c0f10c1
+ logrus.DebugLevel,
+ }
+}
diff --git a/vendor/github.com/Sirupsen/logrus/hooks/sentry/README.md b/vendor/github.com/Sirupsen/logrus/hooks/sentry/README.md
diff --git a/runc-1.1.3/vendor/github.com/sirupsen/logrus/hooks/sentry/README.md b/runc-1.1.3/vendor/github.com/sirupsen/logrus/hooks/sentry/README.md
new file mode 100644
index 0000000..19e58bb
--- /dev/null
+++ b/vendor/github.com/Sirupsen/logrus/hooks/sentry/README.md
+++ b/runc-1.1.3/vendor/github.com/sirupsen/logrus/hooks/sentry/README.md
@@ -0,0 +1,61 @@
+# Sentry Hook for Logrus <img src="http://i.imgur.com/hTeVwmJ.png" width="40" height="40" alt=":walrus:" class="emoji" title=":walrus:" />
+
@ -658,11 +524,11 @@ index 0000000..19e58bb
+hook, _ := logrus_sentry.NewSentryHook(...)
+hook.Timeout = 20*time.Second
+```
diff --git a/vendor/github.com/Sirupsen/logrus/hooks/sentry/sentry.go b/vendor/github.com/Sirupsen/logrus/hooks/sentry/sentry.go
diff --git a/runc-1.1.3/vendor/github.com/sirupsen/logrus/hooks/sentry/sentry.go b/runc-1.1.3/vendor/github.com/sirupsen/logrus/hooks/sentry/sentry.go
new file mode 100644
index 0000000..379f281
--- /dev/null
+++ b/vendor/github.com/Sirupsen/logrus/hooks/sentry/sentry.go
+++ b/runc-1.1.3/vendor/github.com/sirupsen/logrus/hooks/sentry/sentry.go
@@ -0,0 +1,100 @@
+package logrus_sentry
+
@ -764,11 +630,11 @@ index 0000000..379f281
+func (hook *SentryHook) Levels() []logrus.Level {
+ return hook.levels
+}
diff --git a/vendor/github.com/Sirupsen/logrus/hooks/syslog/README.md b/vendor/github.com/Sirupsen/logrus/hooks/syslog/README.md
diff --git a/runc-1.1.3/vendor/github.com/sirupsen/logrus/hooks/syslog/README.md b/runc-1.1.3/vendor/github.com/sirupsen/logrus/hooks/syslog/README.md
new file mode 100644
index 0000000..4dbb8e7
--- /dev/null
+++ b/vendor/github.com/Sirupsen/logrus/hooks/syslog/README.md
+++ b/runc-1.1.3/vendor/github.com/sirupsen/logrus/hooks/syslog/README.md
@@ -0,0 +1,20 @@
+# Syslog Hooks for Logrus <img src="http://i.imgur.com/hTeVwmJ.png" width="40" height="40" alt=":walrus:" class="emoji" title=":walrus:"/>
+
@ -790,11 +656,11 @@ index 0000000..4dbb8e7
+ }
+}
+```
diff --git a/vendor/github.com/Sirupsen/logrus/hooks/syslog/syslog.go b/vendor/github.com/Sirupsen/logrus/hooks/syslog/syslog.go
diff --git a/runc-1.1.3/vendor/github.com/sirupsen/logrus/hooks/syslog/syslog.go b/runc-1.1.3/vendor/github.com/sirupsen/logrus/hooks/syslog/syslog.go
new file mode 100644
index 0000000..b6fa374
--- /dev/null
+++ b/vendor/github.com/Sirupsen/logrus/hooks/syslog/syslog.go
+++ b/runc-1.1.3/vendor/github.com/sirupsen/logrus/hooks/syslog/syslog.go
@@ -0,0 +1,59 @@
+package logrus_syslog
+
@ -856,5 +722,5 @@ index 0000000..b6fa374
+ }
+}
--
2.7.4.3
2.30.0

449
patch/0011-tests-add-rootless-integration-tests.patch
View File

@ -1,449 +0,0 @@
From c62d731fc7e928e944e0290df318042c46e80526 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Wed, 11 May 2016 17:45:00 +1000
Subject: [PATCH 11/94] tests: add rootless integration tests
This adds targets for rootless integration tests, as well as all of the
required setup in order to get the tests to run. This includes quite a
few changes, because of a lot of assumptions about things running as
root within the bats scripts (which is not true when setting up rootless
containers).
Change-Id: I2fab9fd3ac984e06a7d3e1e1ac0cd888b1543801
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
Dockerfile | 7 ++++++
Makefile | 11 +++++++--
tests/integration/checkpoint.bats | 5 +++--
tests/integration/delete.bats | 2 ++
tests/integration/events.bats | 12 ++++++++++
tests/integration/exec.bats | 3 +++
tests/integration/help.bats | 1 +
tests/integration/helpers.bash | 23 ++++++++++++++-----
tests/integration/ps.bats | 11 ++++++++-
tests/integration/spec.bats | 4 ++--
tests/integration/start_detached.bats | 3 +++
tests/integration/start_hello.bats | 3 +++
tests/integration/state.bats | 42 ++++++++++++++++++++++++++---------
tests/integration/tty.bats | 14 ++++++++++++
14 files changed, 117 insertions(+), 24 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index c971448..fd9be94 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -6,6 +6,7 @@ RUN echo 'deb http://httpredir.debian.org/debian jessie-backports main' > /etc/a
RUN apt-get update && apt-get install -y \
build-essential \
curl \
+ sudo \
gawk \
iptables \
jq \
@@ -22,6 +23,12 @@ RUN apt-get update && apt-get install -y \
--no-install-recommends \
&& apt-get clean
+# Add a dummy user for the rootless integration tests. While runC does
+# not require an entry in /etc/passwd to operate, one of the tests uses
+# `git clone` -- and `git clone` does not allow you to clone a
+# repository if the current uid does not have an entry in /etc/passwd.
+RUN useradd -u1000 -m -d/home/rootless -s/bin/bash rootless
+
# install bats
RUN cd /tmp \
&& git clone https://github.com/sstephenson/bats.git \
diff --git a/Makefile b/Makefile
index 5fff515..1cecca1 100644
--- a/Makefile
+++ b/Makefile
@@ -79,10 +79,10 @@ runcimage:
docker build -t $(RUNC_IMAGE) .
test:
- make unittest integration
+ make unittest integration rootlessintegration
localtest:
- make localunittest localintegration
+ make localunittest localintegration localrootlessintegration
unittest: runcimage
docker run -e TESTFLAGS -t --privileged --rm -v $(CURDIR):/go/src/$(PROJECT) $(RUNC_IMAGE) make localunittest
@@ -96,6 +96,13 @@ integration: runcimage
localintegration: all
bats -t tests/integration${TESTFLAGS}
+rootlessintegration: runcimage
+ docker run -e TESTFLAGS -t --privileged --rm -v $(CURDIR):/go/src/$(PROJECT) --cap-drop=ALL -u rootless $(RUNC_IMAGE) make localintegration
+
+# FIXME: This should not be separate from rootlessintegration's method of running.
+localrootlessintegration: all
+ sudo -u rootless -H PATH="${PATH}" bats -t tests/integration${TESTFLAGS}
+
shell: all
docker run -e TESTFLAGS -ti --privileged --rm -v $(CURDIR):/go/src/$(PROJECT) $(RUNC_IMAGE) bash
diff --git a/tests/integration/checkpoint.bats b/tests/integration/checkpoint.bats
index e91fd65..cd969a8 100644
--- a/tests/integration/checkpoint.bats
+++ b/tests/integration/checkpoint.bats
@@ -59,8 +59,9 @@ function teardown() {
[[ "${output}" == *"running"* ]]
}
-@test "checkpoint(pre-dump) and restore" {
- requires criu
+@test "checkpoint --pre-dump and restore" {
+ # XXX: currently criu require root containers.
+ requires criu root
# criu does not work with external terminals so..
# setting terminal and root:readonly: to false
diff --git a/tests/integration/delete.bats b/tests/integration/delete.bats
index cdadd7d..2c11e79 100644
--- a/tests/integration/delete.bats
+++ b/tests/integration/delete.bats
@@ -22,11 +22,13 @@ function teardown() {
testcontainer test_busybox running
runc kill test_busybox KILL
+ [ "$status" -eq 0 ]
# wait for busybox to be in the destroyed state
retry 10 1 eval "__runc state test_busybox | grep -q 'stopped'"
# delete test_busybox
runc delete test_busybox
+ [ "$status" -eq 0 ]
runc state test_busybox
[ "$status" -ne 0 ]
diff --git a/tests/integration/events.bats b/tests/integration/events.bats
index 182b721..2350073 100644
--- a/tests/integration/events.bats
+++ b/tests/integration/events.bats
@@ -12,6 +12,9 @@ function teardown() {
}
@test "events --stats" {
+ # XXX: currently cgroups require root containers.
+ requires root
+
# run busybox detached
runc run -d --console-socket $CONSOLE_SOCKET test_busybox
[ "$status" -eq 0 ]
@@ -27,6 +30,9 @@ function teardown() {
}
@test "events --interval default " {
+ # XXX: currently cgroups require root containers.
+ requires root
+
# run busybox detached
runc run -d --console-socket $CONSOLE_SOCKET test_busybox
[ "$status" -eq 0 ]
@@ -54,6 +60,9 @@ function teardown() {
}
@test "events --interval 1s " {
+ # XXX: currently cgroups require root containers.
+ requires root
+
# run busybox detached
runc run -d --console-socket $CONSOLE_SOCKET test_busybox
[ "$status" -eq 0 ]
@@ -80,6 +89,9 @@ function teardown() {
}
@test "events --interval 100ms " {
+ # XXX: currently cgroups require root containers.
+ requires root
+
# run busybox detached
runc run -d --console-socket $CONSOLE_SOCKET test_busybox
[ "$status" -eq 0 ]
diff --git a/tests/integration/exec.bats b/tests/integration/exec.bats
index ba60ea1..f172f9b 100644
--- a/tests/integration/exec.bats
+++ b/tests/integration/exec.bats
@@ -112,6 +112,9 @@ function teardown() {
}
@test "runc exec --user" {
+ # --user can't work in rootless containers
+ requires root
+
# run busybox detached
runc run -d --console-socket $CONSOLE_SOCKET test_busybox
[ "$status" -eq 0 ]
diff --git a/tests/integration/help.bats b/tests/integration/help.bats
index ca404f3..163de2d 100644
--- a/tests/integration/help.bats
+++ b/tests/integration/help.bats
@@ -57,6 +57,7 @@ load helpers
[ "$status" -eq 0 ]
[[ ${lines[1]} =~ runc\ resume+ ]]
+ # We don't use runc_spec here, because we're just testing the help page.
runc spec -h
[ "$status" -eq 0 ]
[[ ${lines[1]} =~ runc\ spec+ ]]
diff --git a/tests/integration/helpers.bash b/tests/integration/helpers.bash
index 6548333..fc8c290 100644
--- a/tests/integration/helpers.bash
+++ b/tests/integration/helpers.bash
@@ -4,7 +4,7 @@
INTEGRATION_ROOT=$(dirname "$(readlink -f "$BASH_SOURCE")")
RUNC="${INTEGRATION_ROOT}/../../runc"
RECVTTY="${INTEGRATION_ROOT}/../../contrib/cmd/recvtty/recvtty"
-GOPATH="${INTEGRATION_ROOT}/../../../.."
+GOPATH="$(mktemp -d --tmpdir runc-integration-gopath.XXXXXX)"
# Test data path.
TESTDATA="${INTEGRATION_ROOT}/testdata"
@@ -27,7 +27,7 @@ KERNEL_MINOR="${KERNEL_VERSION#$KERNEL_MAJOR.}"
KERNEL_MINOR="${KERNEL_MINOR%%.*}"
# Root state path.
-ROOT="$BATS_TMPDIR/runc"
+ROOT=$(mktemp -d "$BATS_TMPDIR/runc.XXXXXX")
# Path to console socket.
CONSOLE_SOCKET="$BATS_TMPDIR/console.sock"
@@ -58,6 +58,17 @@ function __runc() {
"$RUNC" --root "$ROOT" "$@"
}
+# Wrapper for runc spec.
+function runc_spec() {
+ local args=""
+
+ if [ "$ROOTLESS" -ne 0 ]; then
+ args+="--rootless"
+ fi
+
+ runc spec $args "$@"
+}
+
# Fails the current test, providing the error given.
function fail() {
echo "$@" >&2
@@ -187,18 +198,18 @@ function setup_busybox() {
if [ ! -e $BUSYBOX_IMAGE ]; then
curl -o $BUSYBOX_IMAGE -sSL 'https://github.com/docker-library/busybox/raw/a0558a9006ce0dd6f6ec5d56cfd3f32ebeeb815f/glibc/busybox.tar.xz'
fi
- tar -C "$BUSYBOX_BUNDLE"/rootfs -xf "$BUSYBOX_IMAGE"
+ tar --exclude './dev/*' -C "$BUSYBOX_BUNDLE"/rootfs -xf "$BUSYBOX_IMAGE"
cd "$BUSYBOX_BUNDLE"
- runc spec
+ runc_spec
}
function setup_hello() {
setup_recvtty
run mkdir "$HELLO_BUNDLE"
run mkdir "$HELLO_BUNDLE"/rootfs
- tar -C "$HELLO_BUNDLE"/rootfs -xf "$HELLO_IMAGE"
+ tar --exclude './dev/*' -C "$HELLO_BUNDLE"/rootfs -xf "$HELLO_IMAGE"
cd "$HELLO_BUNDLE"
- runc spec
+ runc_spec
sed -i 's;"sh";"/hello";' config.json
}
diff --git a/tests/integration/ps.bats b/tests/integration/ps.bats
index 7a20015..c000af6 100644
--- a/tests/integration/ps.bats
+++ b/tests/integration/ps.bats
@@ -12,6 +12,9 @@ function teardown() {
}
@test "ps" {
+ # ps is not supported, it requires cgroups
+ requires root
+
# start busybox detached
runc run -d --console-socket $CONSOLE_SOCKET test_busybox
[ "$status" -eq 0 ]
@@ -24,10 +27,13 @@ function teardown() {
runc ps test_busybox
[ "$status" -eq 0 ]
[[ ${lines[0]} =~ UID\ +PID\ +PPID\ +C\ +STIME\ +TTY\ +TIME\ +CMD+ ]]
- [[ "${lines[1]}" == *"root"*[0-9]* ]]
+ [[ "${lines[1]}" == *"$(id -un 2>/dev/null)"*[0-9]* ]]
}
@test "ps -f json" {
+ # ps is not supported, it requires cgroups
+ requires root
+
# start busybox detached
runc run -d --console-socket $CONSOLE_SOCKET test_busybox
[ "$status" -eq 0 ]
@@ -43,6 +49,9 @@ function teardown() {
}
@test "ps -e -x" {
+ # ps is not supported, it requires cgroups
+ requires root
+
# start busybox detached
runc run -d --console-socket $CONSOLE_SOCKET test_busybox
[ "$status" -eq 0 ]
diff --git a/tests/integration/spec.bats b/tests/integration/spec.bats
index 79bb690..e9f28fb 100644
--- a/tests/integration/spec.bats
+++ b/tests/integration/spec.bats
@@ -26,7 +26,7 @@ function teardown() {
[ ! -e config.json ]
# test generation of spec does not return an error
- runc spec
+ runc_spec
[ "$status" -eq 0 ]
# test generation of spec created our config.json (spec)
@@ -51,7 +51,7 @@ function teardown() {
[ ! -e "$HELLO_BUNDLE"/config.json ]
# test generation of spec does not return an error
- runc spec --bundle "$HELLO_BUNDLE"
+ runc_spec --bundle "$HELLO_BUNDLE"
[ "$status" -eq 0 ]
# test generation of spec created our config.json (spec)
diff --git a/tests/integration/start_detached.bats b/tests/integration/start_detached.bats
index 605fde2..08036dd 100644
--- a/tests/integration/start_detached.bats
+++ b/tests/integration/start_detached.bats
@@ -23,6 +23,9 @@ function teardown() {
}
@test "runc run detached ({u,g}id != 0)" {
+ # cannot start containers as another user in rootless setup
+ requires root
+
# replace "uid": 0 with "uid": 1000
# and do a similar thing for gid.
sed -i 's;"uid": 0;"uid": 1000;g' config.json
diff --git a/tests/integration/start_hello.bats b/tests/integration/start_hello.bats
index 6de65e0..2e93572 100644
--- a/tests/integration/start_hello.bats
+++ b/tests/integration/start_hello.bats
@@ -21,6 +21,9 @@ function teardown() {
}
@test "runc run ({u,g}id != 0)" {
+ # cannot start containers as another user in rootless setup
+ requires root
+
# replace "uid": 0 with "uid": 1000
# and do a similar thing for gid.
sed -i 's;"uid": 0;"uid": 1000;g' config.json
diff --git a/tests/integration/state.bats b/tests/integration/state.bats
index eed2eb3..3772c1e 100644
--- a/tests/integration/state.bats
+++ b/tests/integration/state.bats
@@ -11,7 +11,37 @@ function teardown() {
teardown_busybox
}
-@test "state" {
+@test "state (kill + delete)" {
+ runc state test_busybox
+ [ "$status" -ne 0 ]
+
+ # run busybox detached
+ runc run -d --console-socket $CONSOLE_SOCKET test_busybox
+ [ "$status" -eq 0 ]
+
+ # check state
+ wait_for_container 15 1 test_busybox
+
+ testcontainer test_busybox running
+
+ runc kill test_busybox KILL
+ [ "$status" -eq 0 ]
+
+ # wait for busybox to be in the destroyed state
+ retry 10 1 eval "__runc state test_busybox | grep -q 'stopped'"
+
+ # delete test_busybox
+ runc delete test_busybox
+ [ "$status" -eq 0 ]
+
+ runc state test_busybox
+ [ "$status" -ne 0 ]
+}
+
+@test "state (pause + resume)" {
+ # XXX: pause and resume require cgroups.
+ requires root
+
runc state test_busybox
[ "$status" -ne 0 ]
@@ -37,14 +67,4 @@ function teardown() {
# test state of busybox is back to running
testcontainer test_busybox running
-
- runc kill test_busybox KILL
- # wait for busybox to be in the destroyed state
- retry 10 1 eval "__runc state test_busybox | grep -q 'stopped'"
-
- # delete test_busybox
- runc delete test_busybox
-
- runc state test_busybox
- [ "$status" -ne 0 ]
}
diff --git a/tests/integration/tty.bats b/tests/integration/tty.bats
index b9a1f10..9e817db 100644
--- a/tests/integration/tty.bats
+++ b/tests/integration/tty.bats
@@ -24,6 +24,10 @@ function teardown() {
}
@test "runc run [tty owner]" {
+ # tty chmod is not doable in rootless containers.
+ # TODO: this can be made as a change to the gid test.
+ requires root
+
# Replace sh script with stat.
sed -i 's/"sh"/"sh", "-c", "stat -c %u:%g $(tty) | tr : \\\\\\\\n"/' config.json
@@ -36,6 +40,9 @@ function teardown() {
}
@test "runc run [tty owner] ({u,g}id != 0)" {
+ # tty chmod is not doable in rootless containers.
+ requires root
+
# replace "uid": 0 with "uid": 1000
# and do a similar thing for gid.
sed -i 's;"uid": 0;"uid": 1000;g' config.json
@@ -72,6 +79,10 @@ function teardown() {
}
@test "runc exec [tty owner]" {
+ # tty chmod is not doable in rootless containers.
+ # TODO: this can be made as a change to the gid test.
+ requires root
+
# run busybox detached
runc run -d --console-socket $CONSOLE_SOCKET test_busybox
[ "$status" -eq 0 ]
@@ -90,6 +101,9 @@ function teardown() {
}
@test "runc exec [tty owner] ({u,g}id != 0)" {
+ # tty chmod is not doable in rootless containers.
+ requires root
+
# replace "uid": 0 with "uid": 1000
# and do a similar thing for gid.
sed -i 's;"uid": 0;"uid": 1000;g' config.json
--
2.7.4.3

76
patch/0012-runc-support-namespaced-kernel-params-can-be-changed.patch Normal file
View File

@ -0,0 +1,76 @@
From eda4f5b5bcf9ca36a2ba3250b366ad1fb4bab28c Mon Sep 17 00:00:00 2001
From: zhong-jiawei-1 <zhongjiawei1@huawei.com>
Date: Tue, 18 Oct 2022 17:18:47 +0800
Subject: [PATCH] runc:support namespaced kernel params can be changed in
system container
---
runc-1.1.3/libcontainer/rootfs_linux.go | 26 +++++++++++++++++++
.../libcontainer/standard_init_linux.go | 7 +++++
2 files changed, 33 insertions(+)
diff --git a/runc-1.1.3/libcontainer/rootfs_linux.go b/runc-1.1.3/libcontainer/rootfs_linux.go
index 3cfd2bf..4dbe9f4 100644
--- a/runc-1.1.3/libcontainer/rootfs_linux.go
+++ b/runc-1.1.3/libcontainer/rootfs_linux.go
@@ -417,6 +417,9 @@ func mountToRootfs(m *configs.Mount, c *mountConfig) error {
} else if fi.Mode()&os.ModeDir == 0 {
return fmt.Errorf("filesystem %q must be mounted on ordinary directory", m.Device)
}
+ if strings.HasPrefix(m.Destination, "/proc/sys/") {
+ return nil
+ }
if err := os.MkdirAll(dest, 0o755); err != nil {
return err
}
@@ -1009,6 +1012,29 @@ func readonlyPath(path string) error {
return nil
}
+// remountReadWrite will bind over the top of an existing path and ensure that it is read-write.
+func remountReadWrite(path string) error {
+ for i := 0; i < 5; i++ {
+ if err := syscall.Mount("", path, "", syscall.MS_REMOUNT, ""); err != nil && !os.IsNotExist(err) {
+ switch err {
+ case syscall.EINVAL:
+ // Probably not a mountpoint, use bind-mount
+ if err := syscall.Mount(path, path, "", syscall.MS_BIND, ""); err != nil {
+ return err
+ }
+ return syscall.Mount(path, path, "", syscall.MS_BIND|syscall.MS_REMOUNT|syscall.MS_REC|defaultMountFlags, "")
+ case syscall.EBUSY:
+ time.Sleep(100 * time.Millisecond)
+ continue
+ default:
+ return err
+ }
+ }
+ return nil
+ }
+ return fmt.Errorf("unable to mount %s as readwrite max retries reached", path)
+}
+
// remountReadonly will remount an existing mount point and ensure that it is read-only.
func remountReadonly(m *configs.Mount) error {
var (
diff --git a/runc-1.1.3/libcontainer/standard_init_linux.go b/runc-1.1.3/libcontainer/standard_init_linux.go
index ab553ef..0dd51b2 100644
--- a/runc-1.1.3/libcontainer/standard_init_linux.go
+++ b/runc-1.1.3/libcontainer/standard_init_linux.go
@@ -141,6 +141,13 @@ func (l *linuxStandardInit) Init() error {
return fmt.Errorf("can't make %q read-only: %w", path, err)
}
}
+ for _, m := range l.config.Config.Mounts {
+ if m.Flags&syscall.MS_RDONLY == 0 && m.Device == "proc" && strings.HasPrefix(m.Destination, "/proc/sys/") {
+ if err := remountReadWrite(m.Destination); err != nil {
+ return err
+ }
+ }
+ }
for _, path := range l.config.Config.MaskPaths {
if err := maskPath(path, l.config.Config.MountLabel); err != nil {
return fmt.Errorf("can't mask path %s: %w", path, err)
--
2.30.0

123561
patch/0012-vendor-add-golang.org-x-sys-unix-9a7256cb28.patch
View File

File diff suppressed because it is too large Load Diff

327
patch/0013-libcontainer-rewrite-cmsg-to-use-sys-unix.patch
View File

@ -1,327 +0,0 @@
From c13a4de91dc2a3db4b9085015dbce2f8e050d7ca Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Wed, 29 Mar 2017 22:39:05 +1100
Subject: [PATCH 13/94] libcontainer: rewrite cmsg to use sys/unix
The original implementation is in C, which increases cognitive load and
possibly might cause us problems in the future. Since sys/unix is better
maintained than the syscall standard library switching makes more sense.
Change-Id: I8d91c2d7b28116d3d9be49e328f9383b9b7052d7
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
libcontainer/utils/cmsg.c | 148 ---------------------------------------------
libcontainer/utils/cmsg.go | 74 +++++++++++++++++------
libcontainer/utils/cmsg.h | 36 -----------
3 files changed, 56 insertions(+), 202 deletions(-)
delete mode 100644 libcontainer/utils/cmsg.c
delete mode 100644 libcontainer/utils/cmsg.h
diff --git a/libcontainer/utils/cmsg.c b/libcontainer/utils/cmsg.c
deleted file mode 100644
index 0ded494..0000000
--- a/libcontainer/utils/cmsg.c
+++ /dev/null
@@ -1,148 +0,0 @@
-/*
- * Copyright 2016 SUSE LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include <errno.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/socket.h>
-#include <sys/types.h>
-#include <unistd.h>
-
-#include "cmsg.h"
-
-#define error(fmt, ...) \
- ({ \
- fprintf(stderr, "nsenter: " fmt ": %m\n", ##__VA_ARGS__); \
- errno = ECOMM; \
- goto err; /* return value */ \
- })
-
-/*
- * Sends a file descriptor along the sockfd provided. Returns the return
- * value of sendmsg(2). Any synchronisation and preparation of state
- * should be done external to this (we expect the other side to be in
- * recvfd() in the code).
- */
-ssize_t sendfd(int sockfd, struct file_t file)
-{
- struct msghdr msg = {0};
- struct iovec iov[1] = {0};
- struct cmsghdr *cmsg;
- int *fdptr;
- int ret;
-
- union {
- char buf[CMSG_SPACE(sizeof(file.fd))];
- struct cmsghdr align;
- } u;
-
- /*
- * We need to send some other data along with the ancillary data,
- * otherwise the other side won't recieve any data. This is very
- * well-hidden in the documentation (and only applies to
- * SOCK_STREAM). See the bottom part of unix(7).
- */
- iov[0].iov_base = file.name;
- iov[0].iov_len = strlen(file.name) + 1;
-
- msg.msg_name = NULL;
- msg.msg_namelen = 0;
- msg.msg_iov = iov;
- msg.msg_iovlen = 1;
- msg.msg_control = u.buf;
- msg.msg_controllen = sizeof(u.buf);
-
- cmsg = CMSG_FIRSTHDR(&msg);
- cmsg->cmsg_level = SOL_SOCKET;
- cmsg->cmsg_type = SCM_RIGHTS;
- cmsg->cmsg_len = CMSG_LEN(sizeof(int));
-
- fdptr = (int *) CMSG_DATA(cmsg);
- memcpy(fdptr, &file.fd, sizeof(int));
-
- return sendmsg(sockfd, &msg, 0);
-}
-
-/*
- * Receives a file descriptor from the sockfd provided. Returns the file
- * descriptor as sent from sendfd(). It will return the file descriptor
- * or die (literally) trying. Any synchronisation and preparation of
- * state should be done external to this (we expect the other side to be
- * in sendfd() in the code).
- */
-struct file_t recvfd(int sockfd)
-{
- struct msghdr msg = {0};
- struct iovec iov[1] = {0};
- struct cmsghdr *cmsg;
- struct file_t file = {0};
- int *fdptr;
- int olderrno;
-
- union {
- char buf[CMSG_SPACE(sizeof(file.fd))];
- struct cmsghdr align;
- } u;
-
- /* Allocate a buffer. */
- /* TODO: Make this dynamic with MSG_PEEK. */
- file.name = malloc(TAG_BUFFER);
- if (!file.name)
- error("recvfd: failed to allocate file.tag buffer\n");
-
- /*
- * We need to "recieve" the non-ancillary data even though we don't
- * plan to use it at all. Otherwise, things won't work as expected.
- * See unix(7) and other well-hidden documentation.
- */
- iov[0].iov_base = file.name;
- iov[0].iov_len = TAG_BUFFER;
-
- msg.msg_name = NULL;
- msg.msg_namelen = 0;
- msg.msg_iov = iov;
- msg.msg_iovlen = 1;
- msg.msg_control = u.buf;
- msg.msg_controllen = sizeof(u.buf);
-
- ssize_t ret = recvmsg(sockfd, &msg, 0);
- if (ret < 0)
- goto err;
-
- cmsg = CMSG_FIRSTHDR(&msg);
- if (!cmsg)
- error("recvfd: got NULL from CMSG_FIRSTHDR");
- if (cmsg->cmsg_level != SOL_SOCKET)
- error("recvfd: expected SOL_SOCKET in cmsg: %d", cmsg->cmsg_level);
- if (cmsg->cmsg_type != SCM_RIGHTS)
- error("recvfd: expected SCM_RIGHTS in cmsg: %d", cmsg->cmsg_type);
- if (cmsg->cmsg_len != CMSG_LEN(sizeof(int)))
- error("recvfd: expected correct CMSG_LEN in cmsg: %lu", (unsigned long)cmsg->cmsg_len);
-
- fdptr = (int *) CMSG_DATA(cmsg);
- if (!fdptr || *fdptr < 0)
- error("recvfd: recieved invalid pointer");
-
- file.fd = *fdptr;
- return file;
-
-err:
- olderrno = errno;
- free(file.name);
- errno = olderrno;
- return (struct file_t){0};
-}
diff --git a/libcontainer/utils/cmsg.go b/libcontainer/utils/cmsg.go
index ee89374..2cbb649 100644
--- a/libcontainer/utils/cmsg.go
+++ b/libcontainer/utils/cmsg.go
@@ -3,7 +3,7 @@
package utils
/*
- * Copyright 2016 SUSE LLC
+ * Copyright 2016, 2017 SUSE LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -18,28 +18,66 @@ package utils
* limitations under the License.
*/
-/*
-#include <errno.h>
-#include <stdlib.h>
-#include "cmsg.h"
-*/
-import "C"
-
import (
+ "fmt"
"os"
- "unsafe"
+
+ "golang.org/x/sys/unix"
)
+// MaxSendfdLen is the maximum length of the name of a file descriptor being
+// sent using SendFd. The name of the file handle returned by RecvFd will never
+// be larger than this value.
+const MaxNameLen = 4096
+
+// oobSpace is the size of the oob slice required to store a single FD. Note
+// that unix.UnixRights appears to make the assumption that fd is always int32,
+// so sizeof(fd) = 4.
+var oobSpace = unix.CmsgSpace(4)
+
// RecvFd waits for a file descriptor to be sent over the given AF_UNIX
// socket. The file name of the remote file descriptor will be recreated
// locally (it is sent as non-auxiliary data in the same payload).
func RecvFd(socket *os.File) (*os.File, error) {
- file, err := C.recvfd(C.int(socket.Fd()))
+ // For some reason, unix.Recvmsg uses the length rather than the capacity
+ // when passing the msg_controllen and other attributes to recvmsg. So we
+ // have to actually set the length.
+ name := make([]byte, MaxNameLen)
+ oob := make([]byte, oobSpace)
+
+ sockfd := socket.Fd()
+ n, oobn, _, _, err := unix.Recvmsg(int(sockfd), name, oob, 0)
if err != nil {
return nil, err
}
- defer C.free(unsafe.Pointer(file.name))
- return os.NewFile(uintptr(file.fd), C.GoString(file.name)), nil
+
+ if n >= MaxNameLen || oobn != oobSpace {
+ return nil, fmt.Errorf("recvfd: incorrect number of bytes read (n=%d oobn=%d)", n, oobn)
+ }
+
+ // Truncate.
+ name = name[:n]
+ oob = oob[:oobn]
+
+ scms, err := unix.ParseSocketControlMessage(oob)
+ if err != nil {
+ return nil, err
+ }
+ if len(scms) != 1 {
+ return nil, fmt.Errorf("recvfd: number of SCMs is not 1: %d", len(scms))
+ }
+ scm := scms[0]
+
+ fds, err := unix.ParseUnixRights(&scm)
+ if err != nil {
+ return nil, err
+ }
+ if len(fds) != 1 {
+ return nil, fmt.Errorf("recvfd: number of fds is not 1: %d", len(fds))
+ }
+ fd := uintptr(fds[0])
+
+ return os.NewFile(fd, string(name)), nil
}
// SendFd sends a file descriptor over the given AF_UNIX socket. In
@@ -47,11 +85,11 @@ func RecvFd(socket *os.File) (*os.File, error) {
// non-auxiliary data in the same payload (allowing to send contextual
// information for a file descriptor).
func SendFd(socket, file *os.File) error {
- var cfile C.struct_file_t
- cfile.fd = C.int(file.Fd())
- cfile.name = C.CString(file.Name())
- defer C.free(unsafe.Pointer(cfile.name))
+ name := []byte(file.Name())
+ if len(name) >= MaxNameLen {
+ return fmt.Errorf("sendfd: filename too long: %s", file.Name())
+ }
+ oob := unix.UnixRights(int(file.Fd()))
- _, err := C.sendfd(C.int(socket.Fd()), cfile)
- return err
+ return unix.Sendmsg(int(socket.Fd()), name, oob, nil, 0)
}
diff --git a/libcontainer/utils/cmsg.h b/libcontainer/utils/cmsg.h
deleted file mode 100644
index 3fe7642..0000000
--- a/libcontainer/utils/cmsg.h
+++ /dev/null
@@ -1,36 +0,0 @@
-/*
- * Copyright 2016 SUSE LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#pragma once
-
-#if !defined(CMSG_H)
-#define CMSG_H
-
-#include <sys/types.h>
-
-/* TODO: Implement this properly with MSG_PEEK. */
-#define TAG_BUFFER 4096
-
-/* This mirrors Go's (*os.File). */
-struct file_t {
- char *name;
- int fd;
-};
-
-struct file_t recvfd(int sockfd);
-ssize_t sendfd(int sockfd, struct file_t file);
-
-#endif /* !defined(CMSG_H) */
--
2.7.4.3

25
patch/0013-runc-modify-minHookTimeOut.patch Normal file
View File

@ -0,0 +1,25 @@
From b8495e4a88faa18a3851235b9b2431164826cc3f Mon Sep 17 00:00:00 2001
From: zhong-jiawei-1 <zhongjiawei1@huawei.com>
Date: Fri, 21 Oct 2022 15:37:47 +0800
Subject: [PATCH] runc: modify minHookTimeOut
---
runc-1.1.3/libcontainer/configs/config.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/runc-1.1.3/libcontainer/configs/config.go b/runc-1.1.3/libcontainer/configs/config.go
index 9076846..540bcdb 100644
--- a/runc-1.1.3/libcontainer/configs/config.go
+++ b/runc-1.1.3/libcontainer/configs/config.go
@@ -12,7 +12,7 @@ import (
)
const (
- minHookTimeOut = 1 * time.Second
+ minHookTimeOut = 0
defaultHookTimeOut = 5 * time.Second
maxHookTimeOut = 120 * time.Second
//the runc default timeout is 120s, so set the defaultWarnTime to 80% of the default timeout.
--
2.30.0

39
patch/0014-Set-container-state-only-once-during-start.patch
View File

@ -1,39 +0,0 @@
From b9b6667861bcc98579489aa6cec8012249fedbab Mon Sep 17 00:00:00 2001
From: Harshal Patil <harshal.patil@in.ibm.com>
Date: Tue, 4 Apr 2017 15:08:04 +0530
Subject: [PATCH 14/94] Set container state only once during start
Change-Id: Iae2bcd397cbc40c540e32807d946c3ec81783803
Signed-off-by: Harshal Patil <harshal.patil@in.ibm.com>
---
libcontainer/container_linux.go | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
index 71fa682..26e51ae 100644
--- a/libcontainer/container_linux.go
+++ b/libcontainer/container_linux.go
@@ -263,9 +263,6 @@ func (c *linuxContainer) start(process *Process, isInit bool) error {
}
// generate a timestamp indicating when the container was started
c.created = time.Now().UTC()
- c.state = &runningState{
- c: c,
- }
if isInit {
c.state = &createdState{
c: c,
@@ -292,6 +289,10 @@ func (c *linuxContainer) start(process *Process, isInit bool) error {
}
}
}
+ } else {
+ c.state = &runningState{
+ c: c,
+ }
}
return nil
}
--
2.7.4.3

102
patch/0014-runc-make-hooks-log-more-userful-and-fix-syslog-hook.patch Normal file
View File

@ -0,0 +1,102 @@
From 60b8eb8bd890a96c671f31cc9cda9e5cb9d487f1 Mon Sep 17 00:00:00 2001
From: zhong-jiawei-1 <zhongjiawei1@huawei.com>
Date: Fri, 21 Oct 2022 16:30:02 +0800
Subject: [PATCH] runc:make hooks log more userful and fix syslog hook bug
---
runc-1.1.3/libcontainer/configs/config.go | 17 ++++++++++++++---
runc-1.1.3/main.go | 5 ++++-
2 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/runc-1.1.3/libcontainer/configs/config.go b/runc-1.1.3/libcontainer/configs/config.go
index 540bcdb..cda79bf 100644
--- a/runc-1.1.3/libcontainer/configs/config.go
+++ b/runc-1.1.3/libcontainer/configs/config.go
@@ -8,6 +8,7 @@ import (
"github.com/opencontainers/runc/libcontainer/devices"
"github.com/opencontainers/runtime-spec/specs-go"
"os/exec"
+ "strings"
"time"
)
@@ -286,11 +287,11 @@ type Capabilities struct {
func (hooks HookList) RunHooks(state *specs.State) error {
for i, h := range hooks {
- logrus.Infof("run hooks %d:%T, ContainerId: %s", i, h, state.ID)
+ logrus.Infof("run hooks %d:%s, ContainerId: %s", i, h.Info(), state.ID)
if err := h.Run(state); err != nil {
- return fmt.Errorf("error running hook #%d: %w, ContainerId: %s", i, err, state.ID)
+ return fmt.Errorf("error running hook %d:%s err: %w, ContainerId: %s", i, h.Info(), err, state.ID)
}
- logrus.Infof("hooks %d:%T done, ContainerId: %s", i, h, state.ID)
+ logrus.Infof("hooks %d:%s done, ContainerId: %s", i, h.Info(), state.ID)
}
return nil
@@ -345,6 +346,7 @@ func (hooks *Hooks) MarshalJSON() ([]byte, error) {
type Hook interface {
// Run executes the hook with the provided state.
Run(*specs.State) error
+ Info() string
}
// NewFunctionHook will call the provided function when the hook is run.
@@ -362,6 +364,11 @@ func (f FuncHook) Run(s *specs.State) error {
return f.run(s)
}
+func (f FuncHook) Info() string {
+ return "hook function"
+}
+
+
type Command struct {
Path string `json:"path"`
Args []string `json:"args"`
@@ -381,6 +388,10 @@ type CommandHook struct {
Command
}
+func (c Command) Info() string {
+ return c.Path + "," + strings.Join(c.Args, ",")
+}
+
func (c Command) Run(s *specs.State) error {
b, err := json.Marshal(s)
if err != nil {
diff --git a/runc-1.1.3/main.go b/runc-1.1.3/main.go
index 9e14976..0a6f3b4 100644
--- a/runc-1.1.3/main.go
+++ b/runc-1.1.3/main.go
@@ -4,6 +4,7 @@ import (
"errors"
"fmt"
"io"
+ "log/syslog"
"os"
"path/filepath"
"runtime"
@@ -14,6 +15,7 @@ import (
"github.com/opencontainers/runtime-spec/specs-go"
"github.com/sirupsen/logrus"
+ logrus_syslog "github.com/sirupsen/logrus/hooks/syslog"
"github.com/urfave/cli"
)
@@ -218,8 +220,9 @@ func configLogrus(context *cli.Context) error {
hook, serr := logrus_syslog.NewSyslogHook("", "", syslog.LOG_INFO|syslog.LOG_USER, "docker-runc")
if serr != nil {
fmt.Fprint(f, fmt.Sprintf("Leo: new syslog hook get %s", serr))
+ } else {
+ logrus.AddHook(hook)
}
- logrus.AddHook(hook)
}
if logLevel := context.GlobalString("log-level"); logLevel != "" {
lvl, err := logrus.ParseLevel(logLevel)
--
2.30.0

161
patch/0015-checkpoint-check-if-system-supports-pre-dum.patch
View File

@ -1,161 +0,0 @@
From 6397990e4ee68389c05fa2a0c89d1c4d4e5e5677 Mon Sep 17 00:00:00 2001
From: Adrian Reber <areber@redhat.com>
Date: Tue, 14 Mar 2017 20:21:58 +0000
Subject: [PATCH 15/94] checkpoint: check if system supports
pre-dumping
Instead of relying on version numbers it is possible to check if CRIU
actually supports certain features. This introduces an initial
implementation to check if CRIU and the underlying kernel actually
support dirty memory tracking for memory pre-dumping.
Upstream CRIU also supports the lazy-page migration feature check and
additional feature checks can be included in CRIU to reduce the version
number parsing. There are also certain CRIU features which depend on one
side on the CRIU version but also require certain kernel versions to
actually work. CRIU knows if it can do certain things on the kernel it
is running on and using the feature check RPC interface makes it easier
for runc to decide if the criu+kernel combination will support that
feature.
Feature checking was introduced with CRIU 1.8. Running with older CRIU
versions will ignore the feature check functionality and behave just
like it used to.
v2:
- Do not use reflection to compare requested and responded
features. Checking which feature is available is now hardcoded
and needs to be adapted for every new feature check. The code
is now much more readable and simpler.
v3:
- Move the variable criuFeat out of the linuxContainer struct,
as it is not container specific. Now it is a global variable.
Change-Id: Ide44007d031d1bc4572dab1e88d78762944b379b
Signed-off-by: Adrian Reber <areber@redhat.com>
---
libcontainer/container_linux.go | 85 ++++++++++++++++++++++++++++++++++++-----
1 file changed, 76 insertions(+), 9 deletions(-)
diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
index 26e51ae..705472a 100644
--- a/libcontainer/container_linux.go
+++ b/libcontainer/container_linux.go
@@ -536,6 +536,56 @@ func (c *linuxContainer) NotifyMemoryPressure(level PressureLevel) (<-chan struc
return notifyMemoryPressure(c.cgroupManager.GetPaths(), level)
}
+var criuFeatures *criurpc.CriuFeatures
+
+func (c *linuxContainer) checkCriuFeatures(criuOpts *CriuOpts, rpcOpts *criurpc.CriuOpts, criuFeat *criurpc.CriuFeatures) error {
+
+ var t criurpc.CriuReqType
+ t = criurpc.CriuReqType_FEATURE_CHECK
+
+ if err := c.checkCriuVersion("1.8"); err != nil {
+ // Feature checking was introduced with CRIU 1.8.
+ // Ignore the feature check if an older CRIU version is used
+ // and just act as before.
+ // As all automated PR testing is done using CRIU 1.7 this
+ // code will not be tested by automated PR testing.
+ return nil
+ }
+
+ // make sure the features we are looking for are really not from
+ // some previous check
+ criuFeatures = nil
+
+ req := &criurpc.CriuReq{
+ Type: &t,
+ // Theoretically this should not be necessary but CRIU
+ // segfaults if Opts is empty.
+ // Fixed in CRIU 2.12
+ Opts: rpcOpts,
+ Features: criuFeat,
+ }
+
+ err := c.criuSwrk(nil, req, criuOpts, false)
+ if err != nil {
+ logrus.Debugf("%s", err)
+ return fmt.Errorf("CRIU feature check failed")
+ }
+
+ logrus.Debugf("Feature check says: %s", criuFeatures)
+ missingFeatures := false
+
+ if *criuFeat.MemTrack && !*criuFeatures.MemTrack {
+ missingFeatures = true
+ logrus.Debugf("CRIU does not support MemTrack")
+ }
+
+ if missingFeatures {
+ return fmt.Errorf("CRIU is missing features")
+ }
+
+ return nil
+}
+
// checkCriuVersion checks Criu version greater than or equal to minVersion
func (c *linuxContainer) checkCriuVersion(minVersion string) error {
var x, y, z, versionReq int
@@ -718,6 +768,14 @@ func (c *linuxContainer) Checkpoint(criuOpts *CriuOpts) error {
var t criurpc.CriuReqType
if criuOpts.PreDump {
+ feat := criurpc.CriuFeatures{
+ MemTrack: proto.Bool(true),
+ }
+
+ if err := c.checkCriuFeatures(criuOpts, &rpcOpts, &feat); err != nil {
+ return err
+ }
+
t = criurpc.CriuReqType_PRE_DUMP
} else {
t = criurpc.CriuReqType_DUMP
@@ -1019,16 +1077,21 @@ func (c *linuxContainer) criuSwrk(process *Process, req *criurpc.CriuReq, opts *
}
logrus.Debugf("Using CRIU in %s mode", req.GetType().String())
- val := reflect.ValueOf(req.GetOpts())
- v := reflect.Indirect(val)
- for i := 0; i < v.NumField(); i++ {
- st := v.Type()
- name := st.Field(i).Name
- if strings.HasPrefix(name, "XXX_") {
- continue
+ // In the case of criurpc.CriuReqType_FEATURE_CHECK req.GetOpts()
+ // should be empty. For older CRIU versions it still will be
+ // available but empty.
+ if req.GetType() != criurpc.CriuReqType_FEATURE_CHECK {
+ val := reflect.ValueOf(req.GetOpts())
+ v := reflect.Indirect(val)
+ for i := 0; i < v.NumField(); i++ {
+ st := v.Type()
+ name := st.Field(i).Name
+ if strings.HasPrefix(name, "XXX_") {
+ continue
+ }
+ value := val.MethodByName("Get" + name).Call([]reflect.Value{})
+ logrus.Debugf("CRIU option %s with value %v", name, value[0])
}
- value := val.MethodByName("Get" + name).Call([]reflect.Value{})
- logrus.Debugf("CRIU option %s with value %v", name, value[0])
}
data, err := proto.Marshal(req)
if err != nil {
@@ -1064,6 +1127,10 @@ func (c *linuxContainer) criuSwrk(process *Process, req *criurpc.CriuReq, opts *
t := resp.GetType()
switch {
+ case t == criurpc.CriuReqType_FEATURE_CHECK:
+ logrus.Debugf("Feature check says: %s", resp)
+ criuFeatures = resp.GetFeatures()
+ break
case t == criurpc.CriuReqType_NOTIFY:
if err := c.criuNotifications(resp, process, opts, extFds); err != nil {
return err
--
2.7.4.3

62
patch/0015-runc-fix-runc-log-decode-failed.patch Normal file
View File

@ -0,0 +1,62 @@
From c940ccbc26322c4dae9b3c7caa82d5e2eefcf7b1 Mon Sep 17 00:00:00 2001
From: zhong-jiawei-1 <zhongjiawei1@huawei.com>
Date: Fri, 21 Oct 2022 16:40:34 +0800
Subject: [PATCH] runc: fix runc log decode failed
---
runc-1.1.3/main.go | 21 ++++++++++++++++++++-
1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/runc-1.1.3/main.go b/runc-1.1.3/main.go
index 0a6f3b4..6e9101a 100644
--- a/runc-1.1.3/main.go
+++ b/runc-1.1.3/main.go
@@ -1,6 +1,7 @@
package main
import (
+ "encoding/json"
"errors"
"fmt"
"io"
@@ -10,6 +11,7 @@ import (
"runtime"
"strconv"
"strings"
+ "time"
"github.com/opencontainers/runc/libcontainer/seccomp"
"github.com/opencontainers/runtime-spec/specs-go"
@@ -219,7 +221,7 @@ func configLogrus(context *cli.Context) error {
logrus.SetOutput(f)
hook, serr := logrus_syslog.NewSyslogHook("", "", syslog.LOG_INFO|syslog.LOG_USER, "docker-runc")
if serr != nil {
- fmt.Fprint(f, fmt.Sprintf("Leo: new syslog hook get %s", serr))
+ logToFile(f, "error", fmt.Sprintf("Leo: new syslog hook get %s", serr))
} else {
logrus.AddHook(hook)
}
@@ -238,3 +240,20 @@ func configLogrus(context *cli.Context) error {
}
return nil
}
+
+func logToFile(f io.Writer, level string, msg string) {
+ var (
+ log struct {
+ Level string
+ Msg string
+ Time time.Time
+ }
+ )
+ log.Level = level
+ log.Msg = msg
+ log.Time = time.Now()
+ s, err := json.Marshal(log)
+ if err != nil {
+ fmt.Fprint(f, string(s))
+ }
+}
--
2.30.0

129
patch/0016-Fix-console-syscalls.patch
View File

@ -1,129 +0,0 @@
From 17199cf842a86765a21e2054e10e0c64f28353c8 Mon Sep 17 00:00:00 2001
From: Christy Perez <christy@linux.vnet.ibm.com>
Date: Mon, 27 Mar 2017 16:46:57 -0500
Subject: [PATCH 16/94] Fix console syscalls
Fixes opencontainers/runc/issues/1364
Change-Id: Ic12237e2ce327f4d9eab3145d0c4c2cff9fb641a
Signed-off-by: Christy Perez <christy@linux.vnet.ibm.com>
---
libcontainer/console_linux.go | 31 ++++++++++++++++---------------
1 file changed, 16 insertions(+), 15 deletions(-)
diff --git a/libcontainer/console_linux.go b/libcontainer/console_linux.go
index e431766..5e364a8 100644
--- a/libcontainer/console_linux.go
+++ b/libcontainer/console_linux.go
@@ -3,8 +3,9 @@ package libcontainer
import (
"fmt"
"os"
- "syscall"
"unsafe"
+
+ "golang.org/x/sys/unix"
)
func ConsoleFromFile(f *os.File) Console {
@@ -16,7 +17,7 @@ func ConsoleFromFile(f *os.File) Console {
// newConsole returns an initialized console that can be used within a container by copying bytes
// from the master side to the slave that is attached as the tty for the container's init process.
func newConsole() (Console, error) {
- master, err := os.OpenFile("/dev/ptmx", syscall.O_RDWR|syscall.O_NOCTTY|syscall.O_CLOEXEC, 0)
+ master, err := os.OpenFile("/dev/ptmx", unix.O_RDWR|unix.O_NOCTTY|unix.O_CLOEXEC, 0)
if err != nil {
return nil, err
}
@@ -68,8 +69,8 @@ func (c *linuxConsole) Close() error {
// mount initializes the console inside the rootfs mounting with the specified mount label
// and applying the correct ownership of the console.
func (c *linuxConsole) mount() error {
- oldMask := syscall.Umask(0000)
- defer syscall.Umask(oldMask)
+ oldMask := unix.Umask(0000)
+ defer unix.Umask(oldMask)
f, err := os.Create("/dev/console")
if err != nil && !os.IsExist(err) {
return err
@@ -77,19 +78,19 @@ func (c *linuxConsole) mount() error {
if f != nil {
f.Close()
}
- return syscall.Mount(c.slavePath, "/dev/console", "bind", syscall.MS_BIND, "")
+ return unix.Mount(c.slavePath, "/dev/console", "bind", unix.MS_BIND, "")
}
// dupStdio opens the slavePath for the console and dups the fds to the current
// processes stdio, fd 0,1,2.
func (c *linuxConsole) dupStdio() error {
- slave, err := c.open(syscall.O_RDWR)
+ slave, err := c.open(unix.O_RDWR)
if err != nil {
return err
}
fd := int(slave.Fd())
for _, i := range []int{0, 1, 2} {
- if err := syscall.Dup3(fd, i, 0); err != nil {
+ if err := unix.Dup3(fd, i, 0); err != nil {
return err
}
}
@@ -98,7 +99,7 @@ func (c *linuxConsole) dupStdio() error {
// open is a clone of os.OpenFile without the O_CLOEXEC used to open the pty slave.
func (c *linuxConsole) open(flag int) (*os.File, error) {
- r, e := syscall.Open(c.slavePath, flag, 0)
+ r, e := unix.Open(c.slavePath, flag, 0)
if e != nil {
return nil, &os.PathError{
Op: "open",
@@ -110,7 +111,7 @@ func (c *linuxConsole) open(flag int) (*os.File, error) {
}
func ioctl(fd uintptr, flag, data uintptr) error {
- if _, _, err := syscall.Syscall(syscall.SYS_IOCTL, fd, flag, data); err != 0 {
+ if _, _, err := unix.Syscall(unix.SYS_IOCTL, fd, flag, data); err != 0 {
return err
}
return nil
@@ -120,13 +121,13 @@ func ioctl(fd uintptr, flag, data uintptr) error {
// unlockpt should be called before opening the slave side of a pty.
func unlockpt(f *os.File) error {
var u int32
- return ioctl(f.Fd(), syscall.TIOCSPTLCK, uintptr(unsafe.Pointer(&u)))
+ return ioctl(f.Fd(), unix.TIOCSPTLCK, uintptr(unsafe.Pointer(&u)))
}
// ptsname retrieves the name of the first available pts for the given master.
func ptsname(f *os.File) (string, error) {
var n int32
- if err := ioctl(f.Fd(), syscall.TIOCGPTN, uintptr(unsafe.Pointer(&n))); err != nil {
+ if err := ioctl(f.Fd(), unix.TIOCGPTN, uintptr(unsafe.Pointer(&n))); err != nil {
return "", err
}
return fmt.Sprintf("/dev/pts/%d", n), nil
@@ -139,16 +140,16 @@ func ptsname(f *os.File) (string, error) {
// also relay that funky line discipline.
func saneTerminal(terminal *os.File) error {
// Go doesn't have a wrapper for any of the termios ioctls.
- var termios syscall.Termios
+ var termios unix.Termios
- if err := ioctl(terminal.Fd(), syscall.TCGETS, uintptr(unsafe.Pointer(&termios))); err != nil {
+ if err := ioctl(terminal.Fd(), unix.TCGETS, uintptr(unsafe.Pointer(&termios))); err != nil {
return fmt.Errorf("ioctl(tty, tcgets): %s", err.Error())
}
// Set -onlcr so we don't have to deal with \r.
- termios.Oflag &^= syscall.ONLCR
+ termios.Oflag &^= unix.ONLCR
- if err := ioctl(terminal.Fd(), syscall.TCSETS, uintptr(unsafe.Pointer(&termios))); err != nil {
+ if err := ioctl(terminal.Fd(), unix.TCSETS, uintptr(unsafe.Pointer(&termios))); err != nil {
return fmt.Errorf("ioctl(tty, tcsets): %s", err.Error())
}
--
2.7.4.3

33
patch/0016-runc-do-not-setup-sysctl-in-runc-when-userns-enable.patch Normal file
View File

@ -0,0 +1,33 @@
From 4d52919666e6cfc75c87908a2fe62c180684c4cd Mon Sep 17 00:00:00 2001
From: zhong-jiawei-1 <zhongjiawei1@huawei.com>
Date: Fri, 21 Oct 2022 16:56:15 +0800
Subject: [PATCH] runc:do not setup sysctl in runc when userns enable
---
runc-1.1.3/libcontainer/standard_init_linux.go | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/runc-1.1.3/libcontainer/standard_init_linux.go b/runc-1.1.3/libcontainer/standard_init_linux.go
index 0dd51b2..b202ba9 100644
--- a/runc-1.1.3/libcontainer/standard_init_linux.go
+++ b/runc-1.1.3/libcontainer/standard_init_linux.go
@@ -130,10 +130,12 @@ func (l *linuxStandardInit) Init() error {
if err := apparmor.ApplyProfile(l.config.AppArmorProfile); err != nil {
return fmt.Errorf("unable to apply apparmor profile: %w", err)
}
-
- for key, value := range l.config.Config.Sysctl {
- if err := writeSystemProperty(key, value); err != nil {
- return err
+ // when userns enabled, write to sysctl will fail, let docker-hooks do this job
+ if len(l.config.Config.UidMappings) == 0 && len(l.config.Config.GidMappings) == 0 {
+ for key, value := range l.config.Config.Sysctl {
+ if err := writeSystemProperty(key, value); err != nil {
+ return err
+ }
}
}
for _, path := range l.config.Config.ReadonlyPaths {
--
2.30.0

34
patch/0017-restore-apply-resource-limits.patch
View File

@ -1,34 +0,0 @@
From 7b92e178267794e026f5c38e632d82a00f038e96 Mon Sep 17 00:00:00 2001
From: Andrei Vagin <avagin@virtuozzo.com>
Date: Fri, 7 Apr 2017 02:34:41 +0300
Subject: [PATCH 17/94] restore: apply resource limits
When C/R was implemented, it was enough to call manager.Set to apply
limits and to move a task. Now .Set() and .Apply() have to be called
separately.
Change-Id: I4786732a1779a65eeb902fc1ef42b194ba8dd3b4
Fixes: 8a740d5391a7 ("libcontainer: cgroups: don't Set in Apply")
Signed-off-by: Andrei Vagin <avagin@virtuozzo.com>
---
libcontainer/container_linux.go | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
index 705472a..b5563d6 100644
--- a/libcontainer/container_linux.go
+++ b/libcontainer/container_linux.go
@@ -1008,6 +1008,10 @@ func (c *linuxContainer) criuApplyCgroups(pid int, req *criurpc.CriuReq) error {
return err
}
+ if err := c.cgroupManager.Set(c.config); err != nil {
+ return newSystemError(err)
+ }
+
path := fmt.Sprintf("/proc/%d/cgroup", pid)
cgroupsPaths, err := cgroups.ParseCgroupFile(path)
if err != nil {
--
2.7.4.3

64
patch/0017-runc-support-set-seccomp-priority.patch Normal file
View File

@ -0,0 +1,64 @@
From cbb187aee3a309a38a973dee1c1f6d66c1256cf5 Mon Sep 17 00:00:00 2001
From: zhong-jiawei-1 <zhongjiawei1@huawei.com>
Date: Fri, 21 Oct 2022 17:09:33 +0800
Subject: [PATCH] runc: support set seccomp priority
---
runc-1.1.3/libcontainer/configs/config.go | 1 +
runc-1.1.3/libcontainer/seccomp/seccomp_linux.go | 2 +-
runc-1.1.3/libcontainer/specconv/spec_linux.go | 1 +
.../github.com/opencontainers/runtime-spec/specs-go/config.go | 1 +
4 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/runc-1.1.3/libcontainer/configs/config.go b/runc-1.1.3/libcontainer/configs/config.go
index cda79bf..f85ade3 100644
--- a/runc-1.1.3/libcontainer/configs/config.go
+++ b/runc-1.1.3/libcontainer/configs/config.go
@@ -88,6 +88,7 @@ type Syscall struct {
Name string `json:"name"`
Action Action `json:"action"`
ErrnoRet *uint `json:"errnoRet"`
+ Priority uint8 `json:"priority,omitempty"`
Args []*Arg `json:"args"`
}
diff --git a/runc-1.1.3/libcontainer/seccomp/seccomp_linux.go b/runc-1.1.3/libcontainer/seccomp/seccomp_linux.go
index 8c12af7..e4b5750 100644
--- a/runc-1.1.3/libcontainer/seccomp/seccomp_linux.go
+++ b/runc-1.1.3/libcontainer/seccomp/seccomp_linux.go
@@ -256,7 +256,7 @@ func matchCall(filter *libseccomp.ScmpFilter, call *configs.Syscall, defAct libs
}
}
- return nil
+ return filter.SetSyscallPriority(callNum, call.Priority)
}
// Version returns major, minor, and micro.
diff --git a/runc-1.1.3/libcontainer/specconv/spec_linux.go b/runc-1.1.3/libcontainer/specconv/spec_linux.go
index 19dd947..02a7439 100644
--- a/runc-1.1.3/libcontainer/specconv/spec_linux.go
+++ b/runc-1.1.3/libcontainer/specconv/spec_linux.go
@@ -1061,6 +1061,7 @@ func SetupSeccomp(config *specs.LinuxSeccomp) (*configs.Seccomp, error) {
Name: name,
Action: newAction,
ErrnoRet: call.ErrnoRet,
+ Priority: call.Priority,
Args: []*configs.Arg{},
}
// Loop through all the arguments of the syscall and convert them
diff --git a/runc-1.1.3/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go b/runc-1.1.3/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
index e8143b2..135f74a 100644
--- a/runc-1.1.3/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
+++ b/runc-1.1.3/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
@@ -688,6 +688,7 @@ type LinuxSyscall struct {
Names []string `json:"names"`
Action LinuxSeccompAction `json:"action"`
ErrnoRet *uint `json:"errnoRet,omitempty"`
+ Priority uint8 `json:"priority,omitempty"`
Args []LinuxSeccompArg `json:"args,omitempty"`
}
--
2.30.0

35
patch/0018-could-load-a-stopped-container.patch
View File

@ -1,35 +0,0 @@
From d8ea288801363d61c46a5eecfe7e1a9001767bc7 Mon Sep 17 00:00:00 2001
From: CuiHaozhi <cuihz@wise2c.com>
Date: Fri, 7 Apr 2017 07:39:41 -0400
Subject: [PATCH 18/94] could load a stopped container.
Change-Id: Ieabdef66ad7e9488a44b718093acf23f8aa947c4
Signed-off-by: CuiHaozhi <cuihz@wise2c.com>
---
libcontainer/factory.go | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/libcontainer/factory.go b/libcontainer/factory.go
index f0ccb52..0986cd7 100644
--- a/libcontainer/factory.go
+++ b/libcontainer/factory.go
@@ -10,7 +10,7 @@ type Factory interface {
// between 1 and 1024 characters, inclusive.
//
// The id must not already be in use by an existing container. Containers created using
- // a factory with the same path (and file system) must have distinct ids.
+ // a factory with the same path (and filesystem) must have distinct ids.
//
// Returns the new container with a running process.
//
@@ -28,7 +28,6 @@ type Factory interface {
//
// errors:
// Path does not exist
- // Container is stopped
// System error
Load(id string) (Container, error)
--
2.7.4.3

28
patch/0018-runc-do-not-kill-container-if-poststart-hooks-execut.patch Normal file
View File

@ -0,0 +1,28 @@
From ac414a8ac967e0fbbf27ea6364f0b134fe9ce9e2 Mon Sep 17 00:00:00 2001
From: zhong-jiawei-1 <zhongjiawei1@huawei.com>
Date: Mon, 24 Oct 2022 11:34:15 +0800
Subject: [PATCH] runc:do not kill container if poststart hooks execute failed
---
runc-1.1.3/libcontainer/container_linux.go | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/runc-1.1.3/libcontainer/container_linux.go b/runc-1.1.3/libcontainer/container_linux.go
index 425e44d..10890c1 100644
--- a/runc-1.1.3/libcontainer/container_linux.go
+++ b/runc-1.1.3/libcontainer/container_linux.go
@@ -367,10 +367,7 @@ func (c *linuxContainer) start(process *Process) (retErr error) {
}
if err := c.config.Hooks[configs.Poststart].RunHooks(s); err != nil {
- if err := ignoreTerminateErrors(parent.terminate()); err != nil {
- logrus.Warn(fmt.Errorf("error running poststart hook: %w, ContainerId: %s", err, s.ID))
- }
- return err
+ logrus.Warn(fmt.Errorf("error running poststart hook: %w, ContainerId: %s", err, s.ID))
}
}
}
--
2.30.0

32
patch/0019-Revert-back-to-using-sbin.patch
View File

@ -1,32 +0,0 @@
From a90e91c5fc8e6fb016d26666361e6d1bfd3f56c8 Mon Sep 17 00:00:00 2001
From: Michael Crosby <crosbymichael@gmail.com>
Date: Fri, 14 Apr 2017 10:15:33 -0700
Subject: [PATCH 19/94] Revert back to using /sbin
This was changed in
https://github.com/opencontainers/runc/commit/d2f49696#diff-b67911656ef5d18c4ae36cb6741b7965R7
and is causing install problems for people building runc and having it
installed in /bin and /sbin.
Change-Id: Ibaef1dd279894342c48da5e6e8e7f1a7212003b8
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
---
Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 1cecca1..d6d337d 100644
--- a/Makefile
+++ b/Makefile
@@ -4,7 +4,7 @@
SOURCES := $(shell find . 2>&1 | grep -E '.*\.(c|h|go)$$')
PREFIX := $(DESTDIR)/usr/local
-BINDIR := $(PREFIX)/bin
+BINDIR := $(PREFIX)/sbin
GIT_BRANCH := $(shell git rev-parse --abbrev-ref HEAD 2>/dev/null)
GIT_BRANCH_CLEAN := $(shell echo $(GIT_BRANCH) | sed -e "s/[^[:alnum:]]/-/g")
RUNC_IMAGE := runc_dev$(if $(GIT_BRANCH_CLEAN),:$(GIT_BRANCH_CLEAN))
--
2.7.4.3

76
patch/0019-runc-print-memory-info-when-syscall.Exec-failed.patch Normal file
View File

@ -0,0 +1,76 @@
From cb55699bd5f0de2bcf38b343194fd08779fb0317 Mon Sep 17 00:00:00 2001
From: zhong-jiawei-1 <zhongjiawei1@huawei.com>
Date: Mon, 24 Oct 2022 15:18:35 +0800
Subject: [PATCH] runc: print memory info when syscall.Exec failed
---
runc-1.1.3/libcontainer/container_linux.go | 1 +
.../libcontainer/standard_init_linux.go | 33 ++++++++++++++++++-
2 files changed, 33 insertions(+), 1 deletion(-)
diff --git a/runc-1.1.3/libcontainer/container_linux.go b/runc-1.1.3/libcontainer/container_linux.go
index 10890c1..5ef5a9a 100644
--- a/runc-1.1.3/libcontainer/container_linux.go
+++ b/runc-1.1.3/libcontainer/container_linux.go
@@ -355,6 +355,7 @@ func (c *linuxContainer) start(process *Process) (retErr error) {
}
if err := parent.start(); err != nil {
+ printCgroupInfo(c.config.Cgroups.Path)
return fmt.Errorf("unable to start container process: %w", err)
}
diff --git a/runc-1.1.3/libcontainer/standard_init_linux.go b/runc-1.1.3/libcontainer/standard_init_linux.go
index b202ba9..8a60501 100644
--- a/runc-1.1.3/libcontainer/standard_init_linux.go
+++ b/runc-1.1.3/libcontainer/standard_init_linux.go
@@ -3,8 +3,10 @@ package libcontainer
import (
"errors"
"fmt"
+ "io/ioutil"
"os"
"os/exec"
+ "path/filepath"
"strconv"
"time"
@@ -274,5 +276,34 @@ func (l *linuxStandardInit) Init() error {
return err
}
- return system.Exec(name, l.config.Args[0:], os.Environ())
+ if err := system.Exec(name, l.config.Args[0:], os.Environ()); err != nil {
+ printCgroupInfo("")
+ return err
+ }
+ return nil
}
+
+func printCgroupInfo(path string) {
+ cgroupRoot := "/sys/fs/cgroup"
+ infoFileList := []string{
+ "/proc/meminfo",
+ "/sys/fs/cgroup/memory/memory.stat",
+ filepath.Join(cgroupRoot, "files", path, "files.limit"),
+ filepath.Join(cgroupRoot, "files", path, "files.usage"),
+ filepath.Join(cgroupRoot, "pids", path, "pids.max"),
+ filepath.Join(cgroupRoot, "pids", path, "pids.current"),
+ filepath.Join(cgroupRoot, "memory", path, "memory.usage_in_bytes"),
+ filepath.Join(cgroupRoot, "memory", path, "memory.limit_in_bytes"),
+ filepath.Join(cgroupRoot, "memory", path, "memory.stat"),
+ filepath.Join(cgroupRoot, "cpu", path, "cpu.stat"),
+ }
+ for _, file := range infoFileList {
+ printFileContent(file)
+ }
+}
+
+func printFileContent(path string) {
+ output, err := ioutil.ReadFile(path)
+ logrus.Infof("content read from %s: %s, err: %v", path, string(output), err)
+}
+
--
2.30.0

57
patch/0020-add-testcase-in-generic_error_test.go.patch
View File

@ -1,57 +0,0 @@
From 9d30f4580c68c7d16a94d0df04b61571b212e55f Mon Sep 17 00:00:00 2001
From: chchliang <chen.chuanliang@zte.com.cn>
Date: Wed, 12 Apr 2017 16:26:30 +0800
Subject: [PATCH 20/94] add testcase in generic_error_test.go
Change-Id: Id0e21750ea9724d48423ab16f70786a1f62ea81c
Signed-off-by: chchliang <chen.chuanliang@zte.com.cn>
---
libcontainer/generic_error_test.go | 35 +++++++++++++++++++++++++++++++++++
1 file changed, 35 insertions(+)
diff --git a/libcontainer/generic_error_test.go b/libcontainer/generic_error_test.go
index 292d2a3..8fbdd4d 100644
--- a/libcontainer/generic_error_test.go
+++ b/libcontainer/generic_error_test.go
@@ -12,3 +12,38 @@ func TestErrorDetail(t *testing.T) {
t.Fatal(derr)
}
}
+
+func TestErrorWithCode(t *testing.T) {
+ err := newGenericError(fmt.Errorf("test error"), SystemError)
+ if code := err.Code(); code != SystemError {
+ t.Fatalf("expected err code %q but %q", SystemError, code)
+ }
+}
+
+func TestErrorWithError(t *testing.T) {
+ cc := []struct {
+ errmsg string
+ cause string
+ }{
+ {
+ errmsg: "test error",
+ },
+ {
+ errmsg: "test error",
+ cause: "test",
+ },
+ }
+
+ for _, v := range cc {
+ err := newSystemErrorWithCause(fmt.Errorf(v.errmsg), v.cause)
+
+ msg := err.Error()
+ if v.cause == "" && msg != v.errmsg {
+ t.Fatalf("expected err(%q) equal errmsg(%q)", msg, v.errmsg)
+ }
+ if v.cause != "" && msg == v.errmsg {
+ t.Fatalf("unexpected err(%q) equal errmsg(%q)", msg, v.errmsg)
+ }
+
+ }
+}
--
2.7.4.3

24
patch/0020-runc-add-sysctl-kernel.pid_max-to-whitelist.patch Normal file
View File

@ -0,0 +1,24 @@
From 76914fe3613afd7b7adb5a43e3dd7ba1ef33e654 Mon Sep 17 00:00:00 2001
From: zhong-jiawei-1 <zhongjiawei1@huawei.com>
Date: Mon, 24 Oct 2022 15:21:45 +0800
Subject: [PATCH] runc:add sysctl kernel.pid_max to whitelist
---
runc-1.1.3/libcontainer/configs/validate/validator.go | 1 +
1 file changed, 1 insertion(+)
diff --git a/runc-1.1.3/libcontainer/configs/validate/validator.go b/runc-1.1.3/libcontainer/configs/validate/validator.go
index 627621a..3647aa2 100644
--- a/runc-1.1.3/libcontainer/configs/validate/validator.go
+++ b/runc-1.1.3/libcontainer/configs/validate/validator.go
@@ -171,6 +171,7 @@ func (v *ConfigValidator) sysctl(config *configs.Config) error {
"kernel.shmmax": true,
"kernel.shmmni": true,
"kernel.shm_rmid_forced": true,
+ "kernel.pid_max": true,
}
var (
--
2.30.0

53
patch/0021-Fix-misspelling-of-properties-in-various-pl.patch
View File

@ -1,53 +0,0 @@
From fe398ce943f5da085507be6a164568544fc0d1c4 Mon Sep 17 00:00:00 2001
From: Tim Potter <tpot@hpe.com>
Date: Fri, 21 Apr 2017 12:41:02 +1000
Subject: [PATCH 21/94] Fix misspelling of "properties" in various
places
Change-Id: I69229a0ba2472b52edd4c444ac7820ade837726d
Signed-off-by: Tim Potter <tpot@hpe.com>
---
checkpoint.go | 2 +-
man/runc-checkpoint.8.md | 2 +-
restore.go | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/checkpoint.go b/checkpoint.go
index 78977d7..9b5663f 100644
--- a/checkpoint.go
+++ b/checkpoint.go
@@ -33,7 +33,7 @@ checkpointed.`,
cli.BoolFlag{Name: "file-locks", Usage: "handle file locks, for safety"},
cli.BoolFlag{Name: "pre-dump", Usage: "dump container's memory information only, leave the container running after this"},
cli.StringFlag{Name: "manage-cgroups-mode", Value: "", Usage: "cgroups mode: 'soft' (default), 'full' and 'strict'"},
- cli.StringSliceFlag{Name: "empty-ns", Usage: "create a namespace, but don't restore its properies"},
+ cli.StringSliceFlag{Name: "empty-ns", Usage: "create a namespace, but don't restore its properties"},
},
Action: func(context *cli.Context) error {
if err := checkArgs(context, 1, exactArgs); err != nil {
diff --git a/man/runc-checkpoint.8.md b/man/runc-checkpoint.8.md
index b0ce2f3..4c81fd4 100644
--- a/man/runc-checkpoint.8.md
+++ b/man/runc-checkpoint.8.md
@@ -22,4 +22,4 @@ checkpointed.
--file-locks handle file locks, for safety
--pre-dump dump container's memory information only, leave the container running after this
--manage-cgroups-mode value cgroups mode: 'soft' (default), 'full' and 'strict'
- --empty-ns value create a namespace, but don't restore its properies
+ --empty-ns value create a namespace, but don't restore its properties
diff --git a/restore.go b/restore.go
index 06f635f..7ddc337 100644
--- a/restore.go
+++ b/restore.go
@@ -80,7 +80,7 @@ using the runc checkpoint command.`,
},
cli.StringSliceFlag{
Name: "empty-ns",
- Usage: "create a namespace, but don't restore its properies",
+ Usage: "create a namespace, but don't restore its properties",
},
},
Action: func(context *cli.Context) error {
--
2.7.4.3

25
patch/0021-runc-disable-core-dump-during-exec.patch Normal file
View File

@ -0,0 +1,25 @@
From 486d2a4b0756b0fe266f8ff79e5ecdb7ae5d680c Mon Sep 17 00:00:00 2001
From: zhong-jiawei-1 <zhongjiawei1@huawei.com>
Date: Mon, 24 Oct 2022 15:29:29 +0800
Subject: [PATCH] runc:disable core dump during exec
---
runc-1.1.3/libcontainer/process_linux.go | 2 ++
1 file changed, 2 insertions(+)
diff --git a/runc-1.1.3/libcontainer/process_linux.go b/runc-1.1.3/libcontainer/process_linux.go
index 29408d7..75d05b7 100644
--- a/runc-1.1.3/libcontainer/process_linux.go
+++ b/runc-1.1.3/libcontainer/process_linux.go
@@ -79,6 +79,8 @@ func (p *setnsProcess) signal(sig os.Signal) error {
}
func (p *setnsProcess) start() (retErr error) {
+ unix.Prctl(unix.PR_SET_DUMPABLE, 0, 0, 0, 0)
+ defer unix.Prctl(unix.PR_SET_DUMPABLE, 1, 0, 0, 0)
defer p.messageSockPair.parent.Close()
// get the "before" value of oom kill count
oom, _ := p.manager.OOMKillCount()
--
2.30.0

63
patch/0022-Add-a-rootless-containers-section-on-README.patch
View File

@ -1,63 +0,0 @@
From e287eae0ba5cb39df6f09b3ce8436af3810986f3 Mon Sep 17 00:00:00 2001
From: Jonh Wendell <jonh.wendell@redhat.com>
Date: Fri, 21 Apr 2017 20:43:56 -0300
Subject: [PATCH 22/94] Add a rootless containers section on README
Closes #1413.
Change-Id: I9058fea54d9f25c2fc0f07ca74a83300eed40b73
Signed-off-by: Jonh Wendell <jonh.wendell@redhat.com>
---
README.md | 20 ++++++++++++++++++--
1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index ae1ab28..a951f0d 100644
--- a/README.md
+++ b/README.md
@@ -117,8 +117,8 @@ Assuming you have an OCI bundle from the previous step you can execute the conta
The first way is to use the convenience command `run` that will handle creating, starting, and deleting the container after it exits.
```bash
+# run as root
cd /mycontainer
-
runc run mycontainerid
```
@@ -165,8 +165,8 @@ Now we can go though the lifecycle operations in your shell.
```bash
+# run as root
cd /mycontainer
-
runc create mycontainerid
# view the container is created and in the "created" state
@@ -185,6 +185,22 @@ runc delete mycontainerid
This adds more complexity but allows higher level systems to manage runc and provides points in the containers creation to setup various settings after the container has created and/or before it is deleted.
This is commonly used to setup the container's network stack after `create` but before `start` where the user's defined process will be running.
+#### Rootless containers
+`runc` has the ability to run containers without root privileges. This is called `rootless`. You need to pass some parameters to `runc` in order to run rootless containers. See below and compare with the previous version. Run the following commands as an ordinary user:
+```bash
+# Same as the first example
+mkdir ~/mycontainer
+cd ~/mycontainer
+mkdir rootfs
+docker export $(docker create busybox) | tar -C rootfs -xvf -
+
+# The --rootless parameter instructs runc spec to generate a configuration for a rootless container, which will allow you to run the container as a non-root user.
+runc spec --rootless
+
+# The --root parameter tells runc where to store the container state. It must be writable by the user.
+runc --root /tmp/runc run mycontainerid
+```
+
#### Supervisors
`runc` can be used with process supervisors and init systems to ensure that containers are restarted when they exit.
--
2.7.4.3

49
patch/0022-runc-fix-exec-problem-caused-by-libseccomp-updating.patch Normal file
View File

@ -0,0 +1,49 @@
From ca9d0d09ae435785482f21d2c49b4131a74c4382 Mon Sep 17 00:00:00 2001
From: zhong-jiawei-1 <zhongjiawei1@huawei.com>
Date: Mon, 24 Oct 2022 15:35:51 +0800
Subject: [PATCH] runc:fix exec problem caused by libseccomp updating
reason: libseccomp updating causes runc exec performance
degradation, which causes container health check failed and container
is killed. So we add an environmental variable to skip this unnecessary
seccomp step.
related test data:
before fixing, exec "runc exec" 20 times,
start time: 1566210117.193673318 end time: 1566210125.493181368
takes about 8s
after fixing, exec "runc exec" 20 times,
start time: 1566210059.708669785 end time: 1566210060.879416932
takes about 1s
Change-Id: I751ac8354394bd15a420ad8410b12ef3f75622a1
Signed-off-by: xiadanni <xiadanni1@huawei.com>
---
runc-1.1.3/libcontainer/seccomp/seccomp_linux.go | 3 +++
1 file changed, 3 insertions(+)
diff --git a/runc-1.1.3/libcontainer/seccomp/seccomp_linux.go b/runc-1.1.3/libcontainer/seccomp/seccomp_linux.go
index e4b5750..a925be1 100644
--- a/runc-1.1.3/libcontainer/seccomp/seccomp_linux.go
+++ b/runc-1.1.3/libcontainer/seccomp/seccomp_linux.go
@@ -6,6 +6,7 @@ package seccomp
import (
"errors"
"fmt"
+ "os"
libseccomp "github.com/seccomp/libseccomp-golang"
"github.com/sirupsen/logrus"
@@ -30,6 +31,8 @@ const (
// Returns the seccomp file descriptor if any of the filters include a
// SCMP_ACT_NOTIFY action, otherwise returns -1.
func InitSeccomp(config *configs.Seccomp) (int, error) {
+ os.Setenv("LIBSECCOMP_TRANSACTION_DISABLE", "1")
+ defer os.Unsetenv("LIBSECCOMP_TRANSACTION_DISABLE")
if config == nil {
return -1, errors.New("cannot initialize Seccomp - nil config passed")
}
--
2.30.0

87
patch/0023-runc-add-log-message-for-cgroup-file-check.patch Normal file
View File

@ -0,0 +1,87 @@
From fe0237c3d86a278561d14ead9254b8e68699f1eb Mon Sep 17 00:00:00 2001
From: zhong-jiawei-1 <zhongjiawei1@huawei.com>
Date: Mon, 24 Oct 2022 17:01:39 +0800
Subject: [PATCH] runc:add log message for cgroup file check
---
runc-1.1.3/libcontainer/cgroups/file.go | 7 ++++-
runc-1.1.3/libcontainer/cgroups/fs/cpuset.go | 31 +++++++++++++++-----
2 files changed, 29 insertions(+), 9 deletions(-)
diff --git a/runc-1.1.3/libcontainer/cgroups/file.go b/runc-1.1.3/libcontainer/cgroups/file.go
index 0cdaf74..bc7f0a3 100644
--- a/runc-1.1.3/libcontainer/cgroups/file.go
+++ b/runc-1.1.3/libcontainer/cgroups/file.go
@@ -51,7 +51,12 @@ func WriteFile(dir, file, data string) error {
defer fd.Close()
if err := retryingWriteFile(fd, data); err != nil {
// Having data in the error message helps in debugging.
- return fmt.Errorf("failed to write %q: %w", data, err)
+ ret := fmt.Errorf("failed to write %v to %v: %v", data, file, err)
+ if _, err = os.Stat(dir); err != nil {
+ ret = fmt.Errorf("%v, failed to stat %v, %v", ret, dir, err)
+ }
+
+ return ret
}
return nil
}
diff --git a/runc-1.1.3/libcontainer/cgroups/fs/cpuset.go b/runc-1.1.3/libcontainer/cgroups/fs/cpuset.go
index 341d5dc..ef1f633 100644
--- a/runc-1.1.3/libcontainer/cgroups/fs/cpuset.go
+++ b/runc-1.1.3/libcontainer/cgroups/fs/cpuset.go
@@ -25,14 +25,23 @@ func (s *CpusetGroup) Apply(path string, r *configs.Resources, pid int) error {
}
func (s *CpusetGroup) Set(path string, r *configs.Resources) error {
+ var ret error
if r.CpusetCpus != "" {
if err := cgroups.WriteFile(path, "cpuset.cpus", r.CpusetCpus); err != nil {
- return err
+ ret = fmt.Errorf("failed to set cpuset.cpus, %v", err)
+ if _, err := os.Stat(path); err != nil {
+ ret = fmt.Errorf("%v, failed to stat %v, %v", ret, path, err)
+ }
+ return ret
}
}
if r.CpusetMems != "" {
if err := cgroups.WriteFile(path, "cpuset.mems", r.CpusetMems); err != nil {
- return err
+ ret = fmt.Errorf("failed to set cpuset.mems, %v", err)
+ if _, err := os.Stat(path); err != nil {
+ ret = fmt.Errorf("%v, failed to stat %v, %v", ret, path, err)
+ }
+ return ret
}
}
return nil
@@ -231,13 +240,19 @@ func cpusetEnsureParent(current string) error {
// cpusetCopyIfNeeded copies the cpuset.cpus and cpuset.mems from the parent
// directory to the current directory if the file's contents are 0
func cpusetCopyIfNeeded(current, parent string) error {
- currentCpus, currentMems, err := getCpusetSubsystemSettings(current)
- if err != nil {
- return err
+ if currentCpus, currentMems, err := getCpusetSubsystemSettings(current); err != nil {
+ ret := fmt.Errorf("failed copy current cgroup setting, %v", err)
+ if _, err := os.Stat(current); err != nil {
+ ret = fmt.Errorf("%v, %v", ret, err)
+ }
+ return ret
}
- parentCpus, parentMems, err := getCpusetSubsystemSettings(parent)
- if err != nil {
- return err
+ if parentCpus, parentMems, err := getCpusetSubsystemSettings(parent); err != nil {
+ ret := fmt.Errorf("failed copy parent cgroup setting, %v", err)
+ if _, err := os.Stat(parent); err != nil {
+ ret = fmt.Errorf("%v, %v", ret, err)
+ }
+ return ret
}
if isEmptyCpuset(currentCpus) {
--
2.30.0

69
patch/0023-vendor-clean-up-to-be-better-written.patch
View File

@ -1,69 +0,0 @@
From d6c62e91d7763bb88287a052f6f5a3dc7bee5284 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Sat, 15 Apr 2017 17:31:39 +1000
Subject: [PATCH 23/94] vendor: clean up to be better written
vndr doesn't support non-top-level imports, and in addition we really
should be using tagged releases far more than we currently are
(*especially* when it come to the OCI specs).
Change-Id: Ifb997a6d9edf2d89d6b2d440ea4fa305b1b4df18
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
tests/integration/spec.bats | 2 +-
vendor.conf | 28 +++++++++++++++++-----------
2 files changed, 18 insertions(+), 12 deletions(-)
diff --git a/tests/integration/spec.bats b/tests/integration/spec.bats
index e9f28fb..6061706 100644
--- a/tests/integration/spec.bats
+++ b/tests/integration/spec.bats
@@ -72,7 +72,7 @@ function teardown() {
run git clone https://github.com/opencontainers/runtime-spec.git src/runtime-spec
[ "$status" -eq 0 ]
- SPEC_COMMIT=$(grep runtime-spec ${TESTDIR}/../../vendor.conf | cut -d ' ' -f 2)
+ SPEC_COMMIT=$(grep '^github.com/opencontainers/runtime-spec' ${TESTDIR}/../../vendor.conf | cut -d ' ' -f 2)
run git -C src/runtime-spec reset --hard "${SPEC_COMMIT}"
[ "$status" -eq 0 ]
diff --git a/vendor.conf b/vendor.conf
index 17a546e..6ab9bf8 100644
--- a/vendor.conf
+++ b/vendor.conf
@@ -1,15 +1,21 @@
-github.com/Sirupsen/logrus 26709e2714106fb8ad40b773b711ebce25b78914
-github.com/coreos/go-systemd 48702e0da86bd25e76cfef347e2adeb434a0d0a6
-github.com/coreos/pkg/dlopen 3ac0863d7acf3bc44daf49afef8919af12f704ef
-github.com/docker/docker 0f5c9d301b9b1cca66b3ea0f9dec3b5317d3686d
-github.com/docker/go-units 9b001659dd36225e356b4467c465d732e745f53d
-github.com/godbus/dbus c7fdd8b5cd55e87b4e1f4e372cdb1db61dd6c66f
-github.com/golang/protobuf/proto f7137ae6b19afbfd61a94b746fda3b3fe0491874
+# OCI runtime-spec. When updating this, make sure you use a version tag rather
+# than a commit ID so it's much more obvious what version of the spec we are
+# using.
+github.com/opencontainers/runtime-spec v1.0.0-rc5
+# Core libcontainer functionality.
github.com/mrunalp/fileutils ed869b029674c0e9ce4c0dfa781405c2d9946d08
-github.com/opencontainers/runtime-spec/specs-go 035da1dca3dfbb00d752eb58b0b158d6129f3776
-github.com/opencontainers/selinux ba1aefe8057f1d0cfb8e88d0ec1dc85925ef987d
+github.com/opencontainers/selinux v1.0.0-rc1
github.com/seccomp/libseccomp-golang 32f571b70023028bd57d9288c20efbcb237f3ce0
-github.com/syndtr/gocapability/capability e7cb7fa329f456b3855136a2642b197bad7366ba
-github.com/urfave/cli d53eb991652b1d438abdd34ce4bfa3ef1539108e
+github.com/Sirupsen/logrus 26709e2714106fb8ad40b773b711ebce25b78914
+github.com/syndtr/gocapability e7cb7fa329f456b3855136a2642b197bad7366ba
github.com/vishvananda/netlink 1e2e08e8a2dcdacaae3f14ac44c5cfa31361f270
+# systemd integration.
+github.com/coreos/go-systemd v14
+github.com/coreos/pkg v3
+github.com/godbus/dbus v3
+github.com/golang/protobuf f7137ae6b19afbfd61a94b746fda3b3fe0491874
+# Command-line interface.
+github.com/docker/docker 0f5c9d301b9b1cca66b3ea0f9dec3b5317d3686d
+github.com/docker/go-units v0.2.0
+github.com/urfave/cli d53eb991652b1d438abdd34ce4bfa3ef1539108e
golang.org/x/sys 9a7256cb28ed514b4e1e5f68959914c4c28a92e0 https://github.com/golang/sys
--
2.7.4.3

58
patch/0024-Optimizing-looping-over-namespaces.patch
View File

@ -1,58 +0,0 @@
From 6108649ff1f4f270bfeb5f2aec1de8917d9b7609 Mon Sep 17 00:00:00 2001
From: Harshal Patil <harshal.patil@in.ibm.com>
Date: Tue, 25 Apr 2017 15:56:40 +0530
Subject: [PATCH 24/94] Optimizing looping over namespaces
Change-Id: I82612d1f8161b4656011ba45b619dcd9150a3c2f
Signed-off-by: Harshal Patil <harshal.patil@in.ibm.com>
---
libcontainer/container_linux.go | 21 +++++++++++----------
1 file changed, 11 insertions(+), 10 deletions(-)
diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
index b5563d6..aeaf583 100644
--- a/libcontainer/container_linux.go
+++ b/libcontainer/container_linux.go
@@ -1454,18 +1454,17 @@ func (c *linuxContainer) orderNamespacePaths(namespaces map[configs.NamespaceTyp
configs.NEWNS,
}
- // Remove namespaces that we don't need to join.
- var nsTypes []configs.NamespaceType
for _, ns := range order {
- if c.config.Namespaces.Contains(ns) {
- nsTypes = append(nsTypes, ns)
+
+ // Remove namespaces that we don't need to join.
+ if !c.config.Namespaces.Contains(ns) {
+ continue
}
- }
- for _, nsType := range nsTypes {
- if p, ok := namespaces[nsType]; ok && p != "" {
+
+ if p, ok := namespaces[ns]; ok && p != "" {
// check if the requested namespace is supported
- if !configs.IsNamespaceSupported(nsType) {
- return nil, newSystemError(fmt.Errorf("namespace %s is not supported", nsType))
+ if !configs.IsNamespaceSupported(ns) {
+ return nil, newSystemError(fmt.Errorf("namespace %s is not supported", ns))
}
// only set to join this namespace if it exists
if _, err := os.Lstat(p); err != nil {
@@ -1476,9 +1475,11 @@ func (c *linuxContainer) orderNamespacePaths(namespaces map[configs.NamespaceTyp
if strings.ContainsRune(p, ',') {
return nil, newSystemError(fmt.Errorf("invalid path %s", p))
}
- paths = append(paths, fmt.Sprintf("%s:%s", configs.NsName(nsType), p))
+ paths = append(paths, fmt.Sprintf("%s:%s", configs.NsName(ns), p))
}
+
}
+
return paths, nil
}
--
2.7.4.3

125
patch/0024-runc-unified-use-of-logpipe.patch Normal file
View File

@ -0,0 +1,125 @@
From 6d50719513bcd5994526232facf4f289b9e0e75a Mon Sep 17 00:00:00 2001
From: zhong-jiawei-1 <zhongjiawei1@huawei.com>
Date: Mon, 24 Oct 2022 20:44:25 +0800
Subject: [PATCH] runc:unified use of logpipe
---
runc-1.1.3/libcontainer/container_linux.go | 1 -
.../libcontainer/standard_init_linux.go | 30 +------------------
runc-1.1.3/main.go | 25 ----------------
3 files changed, 1 insertion(+), 55 deletions(-)
diff --git a/runc-1.1.3/libcontainer/container_linux.go b/runc-1.1.3/libcontainer/container_linux.go
index 5ef5a9a..10890c1 100644
--- a/runc-1.1.3/libcontainer/container_linux.go
+++ b/runc-1.1.3/libcontainer/container_linux.go
@@ -355,7 +355,6 @@ func (c *linuxContainer) start(process *Process) (retErr error) {
}
if err := parent.start(); err != nil {
- printCgroupInfo(c.config.Cgroups.Path)
return fmt.Errorf("unable to start container process: %w", err)
}
diff --git a/runc-1.1.3/libcontainer/standard_init_linux.go b/runc-1.1.3/libcontainer/standard_init_linux.go
index 8a60501..99e7003 100644
--- a/runc-1.1.3/libcontainer/standard_init_linux.go
+++ b/runc-1.1.3/libcontainer/standard_init_linux.go
@@ -276,34 +276,6 @@ func (l *linuxStandardInit) Init() error {
return err
}
- if err := system.Exec(name, l.config.Args[0:], os.Environ()); err != nil {
- printCgroupInfo("")
- return err
- }
- return nil
-}
-
-func printCgroupInfo(path string) {
- cgroupRoot := "/sys/fs/cgroup"
- infoFileList := []string{
- "/proc/meminfo",
- "/sys/fs/cgroup/memory/memory.stat",
- filepath.Join(cgroupRoot, "files", path, "files.limit"),
- filepath.Join(cgroupRoot, "files", path, "files.usage"),
- filepath.Join(cgroupRoot, "pids", path, "pids.max"),
- filepath.Join(cgroupRoot, "pids", path, "pids.current"),
- filepath.Join(cgroupRoot, "memory", path, "memory.usage_in_bytes"),
- filepath.Join(cgroupRoot, "memory", path, "memory.limit_in_bytes"),
- filepath.Join(cgroupRoot, "memory", path, "memory.stat"),
- filepath.Join(cgroupRoot, "cpu", path, "cpu.stat"),
- }
- for _, file := range infoFileList {
- printFileContent(file)
- }
-}
-
-func printFileContent(path string) {
- output, err := ioutil.ReadFile(path)
- logrus.Infof("content read from %s: %s, err: %v", path, string(output), err)
+ return system.Exec(name, l.config.Args[0:], os.Environ())
}
diff --git a/runc-1.1.3/main.go b/runc-1.1.3/main.go
index 6e9101a..e624347 100644
--- a/runc-1.1.3/main.go
+++ b/runc-1.1.3/main.go
@@ -1,7 +1,6 @@
package main
import (
- "encoding/json"
"errors"
"fmt"
"io"
@@ -11,13 +10,11 @@ import (
"runtime"
"strconv"
"strings"
- "time"
"github.com/opencontainers/runc/libcontainer/seccomp"
"github.com/opencontainers/runtime-spec/specs-go"
"github.com/sirupsen/logrus"
- logrus_syslog "github.com/sirupsen/logrus/hooks/syslog"
"github.com/urfave/cli"
)
@@ -219,12 +216,6 @@ func configLogrus(context *cli.Context) error {
return err
}
logrus.SetOutput(f)
- hook, serr := logrus_syslog.NewSyslogHook("", "", syslog.LOG_INFO|syslog.LOG_USER, "docker-runc")
- if serr != nil {
- logToFile(f, "error", fmt.Sprintf("Leo: new syslog hook get %s", serr))
- } else {
- logrus.AddHook(hook)
- }
}
if logLevel := context.GlobalString("log-level"); logLevel != "" {
lvl, err := logrus.ParseLevel(logLevel)
@@ -241,19 +232,3 @@ func configLogrus(context *cli.Context) error {
return nil
}
-func logToFile(f io.Writer, level string, msg string) {
- var (
- log struct {
- Level string
- Msg string
- Time time.Time
- }
- )
- log.Level = level
- log.Msg = msg
- log.Time = time.Now()
- s, err := json.Marshal(log)
- if err != nil {
- fmt.Fprint(f, string(s))
- }
-}
--
2.30.0

54
patch/0025-Add-a-rootless-section-to-spec-man-page-and.patch
View File

@ -1,54 +0,0 @@
From 06f6824badbdc3a8c89d106abe5337c869a7d95f Mon Sep 17 00:00:00 2001
From: Jonh Wendell <jonh.wendell@redhat.com>
Date: Thu, 27 Apr 2017 10:52:31 -0300
Subject: [PATCH 25/94] Add a rootless section to "spec" man page and
command help
Change-Id: I6211c1adf2f6428652c75cd7cb76b86d782e7237
Signed-off-by: Jonh Wendell <jonh.wendell@redhat.com>
---
man/runc-spec.8.md | 3 +++
spec.go | 9 +++++++--
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/man/runc-spec.8.md b/man/runc-spec.8.md
index 3c69e23..4f8e9bb 100644
--- a/man/runc-spec.8.md
+++ b/man/runc-spec.8.md
@@ -45,5 +45,8 @@ already running as root, you can use sudo to give runc root privilege. For
example: "sudo runc start container1" will give runc root privilege to start the
container on your host.
+Alternatively, you can start a rootless container, which has the ability to run without root privileges. For this to work, the specification file needs to be adjusted accordingly. You can pass the parameter --rootless to this command to generate a proper rootless spec file.
+
# OPTIONS
--bundle value, -b value path to the root of the bundle directory
+ --rootless generate a configuration for a rootless container
diff --git a/spec.go b/spec.go
index 9024ad4..a15c84e 100644
--- a/spec.go
+++ b/spec.go
@@ -51,13 +51,18 @@ must be unique on your host.
An alternative for generating a customized spec config is to use "oci-runtime-tool", the
sub-command "oci-runtime-tool generate" has lots of options that can be used to do any
-customizations as you want, see [runtime-tools](https://github.com/opencontainers/runtime-tools)
+customizations as you want, see runtime-tools (https://github.com/opencontainers/runtime-tools)
to get more information.
When starting a container through runc, runc needs root privilege. If not
already running as root, you can use sudo to give runc root privilege. For
example: "sudo runc start container1" will give runc root privilege to start the
-container on your host.`,
+container on your host.
+
+Alternatively, you can start a rootless container, which has the ability to run
+without root privileges. For this to work, the specification file needs to be
+adjusted accordingly. You can pass the parameter --rootless to this command to
+generate a proper rootless spec file.`,
Flags: []cli.Flag{
cli.StringFlag{
Name: "bundle, b",
--
2.7.4.3

147
patch/0025-runc-support-set-cpuset.prefer_cpus-using-cpuset-cpu.patch Normal file
View File

@ -0,0 +1,147 @@
From 2c786d0cb9f93c52c8929822cdfd0f795bcf64be Mon Sep 17 00:00:00 2001
From: zhong-jiawei-1 <zhongjiawei1@huawei.com>
Date: Tue, 25 Oct 2022 10:58:03 +0800
Subject: [PATCH] runc:support set cpuset.prefer_cpus using --cpuset-cpus
---
runc-1.1.3/libcontainer/cgroups/fs/cpuset.go | 118 ++++++++++++++++++-
1 file changed, 114 insertions(+), 4 deletions(-)
diff --git a/runc-1.1.3/libcontainer/cgroups/fs/cpuset.go b/runc-1.1.3/libcontainer/cgroups/fs/cpuset.go
index ef1f633..989f4ec 100644
--- a/runc-1.1.3/libcontainer/cgroups/fs/cpuset.go
+++ b/runc-1.1.3/libcontainer/cgroups/fs/cpuset.go
@@ -24,16 +24,126 @@ func (s *CpusetGroup) Apply(path string, r *configs.Resources, pid int) error {
return s.ApplyDir(path, r, pid)
}
-func (s *CpusetGroup) Set(path string, r *configs.Resources) error {
- var ret error
- if r.CpusetCpus != "" {
- if err := cgroups.WriteFile(path, "cpuset.cpus", r.CpusetCpus); err != nil {
+func parseCpus(cpus string) (map[int]bool, error) {
+ persedCpus := make(map[int]bool)
+ for _, cpu := range strings.Split(cpus, ",") {
+ invalidFormatError := fmt.Errorf("invalid cpuset format: %s", cpu)
+ if cpuInt, err := strconv.Atoi(cpu); err == nil {
+ if cpuInt < 0 {
+ return nil, invalidFormatError
+ }
+ persedCpus[cpuInt] = true
+ continue
+ }
+
+ ranges := strings.Split(cpu, "-")
+ if len(ranges) != 2 {
+ return nil, invalidFormatError
+ }
+ lower, err1 := strconv.Atoi(ranges[0])
+ upper, err2 := strconv.Atoi(ranges[1])
+ if err1 != nil || err2 != nil {
+ return nil, invalidFormatError
+ }
+ if lower < 0 || upper < 0 {
+ return nil, invalidFormatError
+ }
+ if lower > upper {
+ return nil, invalidFormatError
+ }
+ const max = 8192
+ if upper > max {
+ return nil, fmt.Errorf("value of out range, maximum is %d", max)
+ }
+ for i := lower; i <= upper; i++ {
+ persedCpus[i] = true
+ }
+ }
+
+ return persedCpus, nil
+}
+
+func checkInCpuset(cpuset, prefer map[int]bool) bool {
+ for k := range prefer {
+ if _, ok := cpuset[k]; !ok {
+ return false
+ }
+ }
+ return true
+}
+
+func parseCpuset(cpuset string) (string, string, error) {
+ var cpusetStr, preferCpusStr string
+ invalidFormatError := fmt.Errorf("invalid cpuset format: %s", cpuset)
+
+ splits := strings.Split(cpuset, "+")
+ if len(splits) == 1 {
+ cpusetStr = cpuset
+ } else if len(splits) == 2 {
+ if !strings.HasSuffix(splits[0], ",") {
+ return "", "", invalidFormatError
+ }
+ cpusetStr = strings.TrimSuffix(splits[0], ",")
+ preferCpusStr = splits[1]
+
+ cpusetMap, err := parseCpus(cpusetStr)
+ if err != nil {
+ return "", "", err
+ }
+ preferCpusMap, err := parseCpus(preferCpusStr)
+ if err != nil {
+ return "", "", err
+ }
+ if !checkInCpuset(cpusetMap, preferCpusMap) {
+ return "", "", fmt.Errorf("invalid preferred_cpus: %s not in cpuset: %s", preferCpusStr, cpusetStr)
+ }
+ } else {
+ return "", "", invalidFormatError
+ }
+
+ return cpusetStr, preferCpusStr, nil
+}
+
+func (s *CpusetGroup) setCpuset(path, cpuset string) error {
+ if _, err := os.Stat(filepath.Join(path, "cpuset.preferred_cpus")); err != nil {
+ var ret error
+ if err := writeFile(path, "cpuset.cpus", cpuset); err != nil {
ret = fmt.Errorf("failed to set cpuset.cpus, %v", err)
if _, err := os.Stat(path); err != nil {
ret = fmt.Errorf("%v, failed to stat %v, %v", ret, path, err)
}
return ret
}
+ return nil
+ }
+
+ cpusetStr, preferCpusStr, err := parseCpuset(cpuset)
+ if err != nil {
+ return err
+ }
+
+ if _, err := os.Stat(path); err != nil {
+ return fmt.Errorf("failed to stat %v, %v", path, err)
+ }
+ if err := writeFile(path, "cpuset.preferred_cpus", ""); err != nil {
+ return fmt.Errorf("failed to set cpuset.preferred_cpus to nil, %v", err)
+ }
+ if err := writeFile(path, "cpuset.cpus", cpusetStr); err != nil {
+ return fmt.Errorf("failed to set cpuset.cpus, %v", err)
+ }
+ if preferCpusStr != "" {
+ if err := writeFile(path, "cpuset.preferred_cpus", preferCpusStr); err != nil {
+ return fmt.Errorf("failed to set cpuset.preferred_cpus, %v", err)
+ }
+ }
+
+ return nil
+}
+
+func (s *CpusetGroup) Set(path string, r *configs.Resources) error {
+ var ret error
+ if r.CpusetCpus != "" {
+ return s.setCpuset(path, cgroup.Resources.CpusetCpus)
}
if r.CpusetMems != "" {
if err := cgroups.WriteFile(path, "cpuset.mems", r.CpusetMems); err != nil {
--
2.30.0

150
patch/0026-Allow-updating-container-pids-limit.patch
View File

@ -1,150 +0,0 @@
From 01218c77284209117e40350419fb60f76896a369 Mon Sep 17 00:00:00 2001
From: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
Date: Wed, 26 Apr 2017 09:53:20 -0700
Subject: [PATCH 26/94] Allow updating container pids limit
Change-Id: I5cc0d8804b1de3da943e4651806d0041eb33d7f2
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
---
tests/integration/update.bats | 23 +++++++++++++++++++++--
update.go | 9 +++++++++
2 files changed, 30 insertions(+), 2 deletions(-)
diff --git a/tests/integration/update.bats b/tests/integration/update.bats
index 4a6bf7f..a3f3782 100644
--- a/tests/integration/update.bats
+++ b/tests/integration/update.bats
@@ -33,6 +33,9 @@ function setup() {
"blockio": {
"blkioWeight": 1000
},
+ "pids": {
+ "limit": 20
+ },
EOF
)
DATA=$(echo ${DATA} | sed 's/\n/\\n/g')
@@ -61,7 +64,7 @@ function check_cgroup_value() {
wait_for_container 15 1 test_update
# get the cgroup paths
- for g in MEMORY CPUSET CPU BLKIO; do
+ for g in MEMORY CPUSET CPU BLKIO PIDS; do
base_path=$(grep "cgroup" /proc/self/mountinfo | gawk 'toupper($NF) ~ /\<'${g}'\>/ { print $5; exit }')
eval CGROUP_${g}="${base_path}/runc-update-integration-test"
done
@@ -78,6 +81,7 @@ function check_cgroup_value() {
check_cgroup_value $CGROUP_MEMORY "memory.kmem.tcp.limit_in_bytes" 11534336
check_cgroup_value $CGROUP_MEMORY "memory.limit_in_bytes" 33554432
check_cgroup_value $CGROUP_MEMORY "memory.soft_limit_in_bytes" 25165824
+ check_cgroup_value $CGROUP_PIDS "pids.max" 20
# update blkio-weight
runc update test_update --blkio-weight 500
@@ -160,6 +164,11 @@ function check_cgroup_value() {
[ "$status" -eq 0 ]
check_cgroup_value $CGROUP_MEMORY "memory.kmem.tcp.limit_in_bytes" 41943040
+ # update pids limit
+ runc update test_update --pids-limit 10
+ [ "$status" -eq 0 ]
+ check_cgroup_value $CGROUP_PIDS "pids.max" 10
+
# Revert to the test initial value via json on stding
runc update -r - test_update <<EOF
{
@@ -177,6 +186,9 @@ function check_cgroup_value() {
},
"blockIO": {
"blkioWeight": 1000
+ },
+ "pids": {
+ "limit": 20
}
}
EOF
@@ -190,11 +202,13 @@ EOF
check_cgroup_value $CGROUP_MEMORY "memory.kmem.tcp.limit_in_bytes" 11534336
check_cgroup_value $CGROUP_MEMORY "memory.limit_in_bytes" 33554432
check_cgroup_value $CGROUP_MEMORY "memory.soft_limit_in_bytes" 25165824
+ check_cgroup_value $CGROUP_PIDS "pids.max" 20
# redo all the changes at once
runc update test_update --blkio-weight 500 \
--cpu-period 900000 --cpu-quota 600000 --cpu-share 200 --memory 67108864 \
- --memory-reservation 33554432 --kernel-memory 50331648 --kernel-memory-tcp 41943040
+ --memory-reservation 33554432 --kernel-memory 50331648 --kernel-memory-tcp 41943040 \
+ --pids-limit 10
[ "$status" -eq 0 ]
check_cgroup_value $CGROUP_BLKIO "blkio.weight" 500
check_cgroup_value $CGROUP_CPU "cpu.cfs_period_us" 900000
@@ -204,6 +218,7 @@ EOF
check_cgroup_value $CGROUP_MEMORY "memory.kmem.tcp.limit_in_bytes" 41943040
check_cgroup_value $CGROUP_MEMORY "memory.limit_in_bytes" 67108864
check_cgroup_value $CGROUP_MEMORY "memory.soft_limit_in_bytes" 33554432
+ check_cgroup_value $CGROUP_PIDS "pids.max" 10
# reset to initial test value via json file
DATA=$(cat <<"EOF"
@@ -222,6 +237,9 @@ EOF
},
"blockIO": {
"blkioWeight": 1000
+ },
+ "pids": {
+ "limit": 20
}
}
EOF
@@ -239,6 +257,7 @@ EOF
check_cgroup_value $CGROUP_MEMORY "memory.kmem.tcp.limit_in_bytes" 11534336
check_cgroup_value $CGROUP_MEMORY "memory.limit_in_bytes" 33554432
check_cgroup_value $CGROUP_MEMORY "memory.soft_limit_in_bytes" 25165824
+ check_cgroup_value $CGROUP_PIDS "pids.max" 20
}
@test "update rt period and runtime" {
diff --git a/update.go b/update.go
index 7af3a9c..5520681 100644
--- a/update.go
+++ b/update.go
@@ -108,6 +108,10 @@ other options are ignored.
Name: "memory-swap",
Usage: "Total memory usage (memory + swap); set '-1' to enable unlimited swap",
},
+ cli.IntFlag{
+ Name: "pids-limit",
+ Usage: "Maximum number of pids allowed in the container",
+ },
},
Action: func(context *cli.Context) error {
if err := checkArgs(context, 1, exactArgs); err != nil {
@@ -138,6 +142,9 @@ other options are ignored.
BlockIO: &specs.LinuxBlockIO{
Weight: u16Ptr(0),
},
+ Pids: &specs.LinuxPids{
+ Limit: 0,
+ },
}
config := container.Config()
@@ -228,6 +235,7 @@ other options are ignored.
*pair.dest = uint64(v)
}
}
+ r.Pids.Limit = int64(context.Int("pids-limit"))
}
// Update the value
@@ -244,6 +252,7 @@ other options are ignored.
config.Cgroups.Resources.Memory = *r.Memory.Limit
config.Cgroups.Resources.MemoryReservation = *r.Memory.Reservation
config.Cgroups.Resources.MemorySwap = *r.Memory.Swap
+ config.Cgroups.Resources.PidsLimit = r.Pids.Limit
return container.Set(config)
},
--
2.7.4.3

296
patch/0026-runc-add-DT-for-cpuset.preferred_cpus-setting.patch Normal file
View File

@ -0,0 +1,296 @@
From 905cb9a78f13d321860ee921990d60447c148605 Mon Sep 17 00:00:00 2001
From: zhong-jiawei-1 <zhongjiawei1@huawei.com>
Date: Tue, 25 Oct 2022 11:18:42 +0800
Subject: [PATCH] runc:add DT for cpuset.preferred_cpus setting
---
.../libcontainer/cgroups/fs/cpuset_test.go | 217 ++++++++++++++++++
.../tests/test_docker_cpuset_preferred.sh | 41 ++++
2 files changed, 258 insertions(+)
create mode 100755 runc-1.1.3/tests/test_docker_cpuset_preferred.sh
diff --git a/runc-1.1.3/libcontainer/cgroups/fs/cpuset_test.go b/runc-1.1.3/libcontainer/cgroups/fs/cpuset_test.go
index 8933b3c..0c72c7d 100644
--- a/runc-1.1.3/libcontainer/cgroups/fs/cpuset_test.go
+++ b/runc-1.1.3/libcontainer/cgroups/fs/cpuset_test.go
@@ -1,6 +1,9 @@
package fs
import (
+ "os"
+ "path/filepath"
+ "strings"
"reflect"
"testing"
@@ -66,6 +69,220 @@ func TestCPUSetSetCpus(t *testing.T) {
}
}
+type cpusetTestCase struct {
+ name string
+ dir string
+ cpuset string
+ wantPrefer string
+ wantCpuset string
+ errorStr string
+ wantErr bool
+}
+
+func getCpusetTestcaes() []cpusetTestCase {
+ testDir := "/sys/fs/cgroup/cpuset/runc-test"
+ errStr1 := "failed to set"
+ errStr2 := "invalid cpuset format"
+ errStr3 := "invalid preferred_cpus"
+ return []cpusetTestCase{
+ {
+ name: "Test1",
+ cpuset: "0,1,2,+1,2",
+ dir: testDir,
+ wantPrefer: "1-2",
+ wantCpuset: "0-2",
+ wantErr: false,
+ },
+ {
+ name: "Test2",
+ cpuset: "0-3,+1,2",
+ dir: testDir,
+ wantPrefer: "1-2",
+ wantCpuset: "0-3",
+ wantErr: false,
+ },
+ {
+ name: "Test3",
+ cpuset: "0,1,2,+1,2",
+ dir: "/aaa/bbb/invalid",
+ wantErr: true,
+ errorStr: errStr1,
+ },
+ {
+ name: "Test4",
+ cpuset: "0,1,2,+1,2",
+ dir: "",
+ wantErr: true,
+ errorStr: errStr1,
+ },
+ {
+ name: "Test5",
+ cpuset: "0,1,2,+1,2",
+ dir: "/" + strings.Repeat("a", 4097),
+ wantErr: true,
+ errorStr: errStr1,
+ },
+ {
+ name: "Test6",
+ cpuset: "0,1,2,a,+1",
+ dir: testDir,
+ wantErr: true,
+ errorStr: errStr2,
+ },
+ {
+ name: "Test7",
+ cpuset: "0,1,2,+1,+2",
+ dir: testDir,
+ wantErr: true,
+ errorStr: errStr2,
+ },
+ {
+ name: "Test8",
+ cpuset: "0,1,1.2,+1,2",
+ dir: testDir,
+ wantErr: true,
+ errorStr: errStr2,
+ },
+ {
+ name: "Test9",
+ cpuset: "0,-1,2,+1,2",
+ dir: testDir,
+ wantErr: true,
+ errorStr: errStr2,
+ },
+ {
+ name: "Test10",
+ cpuset: "012+1,2",
+ dir: testDir,
+ wantErr: true,
+ errorStr: errStr2,
+ },
+ {
+ name: "Test11",
+ cpuset: "0,1,2,+3-1",
+ dir: testDir,
+ wantErr: true,
+ errorStr: errStr2,
+ },
+ {
+ name: "Test12",
+ cpuset: "0,1,2,+4",
+ dir: testDir,
+ wantErr: true,
+ errorStr: errStr3,
+ },
+ {
+ name: "Test13",
+ cpuset: "1-3+1-2",
+ dir: testDir,
+ wantErr: true,
+ errorStr: errStr2,
+ },
+ {
+ name: "Test14",
+ cpuset: "1-3,+1,2",
+ dir: testDir,
+ wantPrefer: "1-2",
+ wantCpuset: "1-3",
+ wantErr: false,
+ },
+ {
+ name: "Test15",
+ cpuset: "1-3,+1-2",
+ dir: testDir,
+ wantPrefer: "1-2",
+ wantCpuset: "1-3",
+ wantErr: false,
+ },
+ {
+ name: "Test16",
+ cpuset: "1-3,+1,4",
+ dir: testDir,
+ wantErr: true,
+ errorStr: errStr3,
+ },
+ {
+ name: "Test17",
+ cpuset: "1-3,+1-2-3",
+ dir: testDir,
+ wantErr: true,
+ errorStr: errStr2,
+ },
+ {
+ name: "Test18",
+ cpuset: "1-3,+a-2",
+ dir: testDir,
+ wantErr: true,
+ errorStr: errStr2,
+ },
+ {
+ name: "Test19",
+ cpuset: "1-3,+3-2",
+ dir: testDir,
+ wantErr: true,
+ errorStr: errStr2,
+ },
+ {
+ name: "Test20",
+ cpuset: "1-3,+2-10000",
+ dir: testDir,
+ wantErr: true,
+ errorStr: "value of out range",
+ },
+ }
+}
+
+func TestCpusetSetCpusetCpus(t *testing.T) {
+ cgroupRoot := "/sys/fs/cgroup"
+ testDir := filepath.Join(cgroupRoot, "cpuset", "runc-test")
+ err := os.MkdirAll(testDir, 0600)
+ if err != nil {
+ t.Fatal(err)
+ }
+ defer func() {
+ err := os.RemoveAll(testDir)
+ if err != nil {
+ t.Fatal(err)
+ }
+ }()
+
+ cpuset := &CpusetGroup{}
+ tests := getCpusetTestcaes()
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ err := cpuset.setCpuset(tt.dir, tt.cpuset)
+ if (err != nil) != tt.wantErr {
+ t.Fatal(err)
+ }
+
+ if err != nil {
+ if !strings.Contains(err.Error(), tt.errorStr) {
+ t.Fatalf("Get the wrong error, want %v, get %v", tt.errorStr, err.Error())
+ }
+ return
+ }
+
+ value, err := getCgroupParamString(tt.dir, "cpuset.cpus")
+ if err != nil {
+ t.Fatalf("Failed to parse cpuset.cpus - %s", err)
+ }
+
+ if value != tt.wantCpuset {
+ t.Fatal("Got the wrong value, set cpuset.cpus failed.")
+ }
+
+ value, err = getCgroupParamString(tt.dir, "cpuset.preferred_cpus")
+ if err != nil {
+ t.Fatalf("Failed to parse cpuset.cpus - %s", err)
+ }
+
+ if value != tt.wantPrefer {
+ t.Fatal("Got the wrong value, set cpuset.cpus failed.")
+ }
+ })
+ }
+}
+
func TestCPUSetSetMems(t *testing.T) {
path := tempDir(t, "cpuset")
diff --git a/runc-1.1.3/tests/test_docker_cpuset_preferred.sh b/runc-1.1.3/tests/test_docker_cpuset_preferred.sh
new file mode 100755
index 0000000..c80db24
--- /dev/null
+++ b/runc-1.1.3/tests/test_docker_cpuset_preferred.sh
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+# Copyright (c) Huawei Technologies Co., Ltd. 2022. All rights reserved.
+# rubik licensed under the Mulan PSL v2.
+# You can use this software according to the terms and conditions of the Mulan PSL v2.
+# You may obtain a copy of Mulan PSL v2 at:
+# http://license.coscl.org.cn/MulanPSL2
+# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+# PURPOSE.
+# See the Mulan PSL v2 for more details.
+# Create: 2022-05-09
+# Description:set preferred cpuset
+
+which docker > /dev/null
+if [ $? -ne 0 ]; then
+ echo "environment not supported, skip test"
+ exit 0
+fi
+
+image="rnd-dockerhub.huawei.com/official/euleros:latest"
+containerID=$(docker run -itd --cpuset-cpus 0,1,+1 $image sh)
+if [ $? -ne 0 ]; then
+ echo "FAILED: start container failed"
+ exit 1
+fi
+
+cpuset=$(cat /sys/fs/cgroup/cpuset/docker/"$containerID"/cpuset.cpus)
+preferred_cpuset=$(cat /sys/fs/cgroup/cpuset/docker/"$containerID"/cpuset.preferred_cpus)
+if [ "$cpuset" != "0-1" ]; then
+ echo "FAILED: get wrong cpuset value"
+ exit 1
+fi
+if [ "$preferred_cpuset" != "1" ]; then
+ echo "FAILED: get wrong preferred_cpuset value"
+ exit 1
+fi
+
+docker rm -f "$containerID" > /dev/null
+echo "PASS"
+exit 0
--
2.30.0

59
patch/0027-Remove-redundant-declaraion-of-namespace-sl.patch
View File

@ -1,59 +0,0 @@
From e35db3fff6d86c31ca0203ef02ffa1cf2b05bf89 Mon Sep 17 00:00:00 2001
From: Harshal Patil <harshal.patil@in.ibm.com>
Date: Fri, 28 Apr 2017 10:12:56 +0530
Subject: [PATCH 27/94] Remove redundant declaraion of namespace
slice
Change-Id: I7e7e45cec65264a91ef3dec804953a1285b23b96
Signed-off-by: Harshal Patil <harshal.patil@in.ibm.com>
---
libcontainer/configs/namespaces_unix.go | 6 +++---
libcontainer/container_linux.go | 11 +----------
2 files changed, 4 insertions(+), 13 deletions(-)
diff --git a/libcontainer/configs/namespaces_unix.go b/libcontainer/configs/namespaces_unix.go
index 8beba9d..1f0b3ee 100644
--- a/libcontainer/configs/namespaces_unix.go
+++ b/libcontainer/configs/namespaces_unix.go
@@ -64,12 +64,12 @@ func IsNamespaceSupported(ns NamespaceType) bool {
func NamespaceTypes() []NamespaceType {
return []NamespaceType{
+ NEWUSER, // Keep user NS always first, don't move it.
+ NEWIPC,
+ NEWUTS,
NEWNET,
NEWPID,
NEWNS,
- NEWUTS,
- NEWIPC,
- NEWUSER,
}
}
diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
index aeaf583..173a3f0 100644
--- a/libcontainer/container_linux.go
+++ b/libcontainer/container_linux.go
@@ -1444,17 +1444,8 @@ func (c *linuxContainer) currentState() (*State, error) {
// can setns in order.
func (c *linuxContainer) orderNamespacePaths(namespaces map[configs.NamespaceType]string) ([]string, error) {
paths := []string{}
- order := []configs.NamespaceType{
- // The user namespace *must* be done first.
- configs.NEWUSER,
- configs.NEWIPC,
- configs.NEWUTS,
- configs.NEWNET,
- configs.NEWPID,
- configs.NEWNS,
- }
- for _, ns := range order {
+ for _, ns := range configs.NamespaceTypes() {
// Remove namespaces that we don't need to join.
if !c.config.Namespaces.Contains(ns) {
--
2.7.4.3

79
patch/0027-runc-modify-runc-Makefile.patch Normal file
View File

@ -0,0 +1,79 @@
From c102651a124775ec8c92b774086c46f76407e9d8 Mon Sep 17 00:00:00 2001
From: zhong-jiawei-1 <zhongjiawei1@huawei.com>
Date: Wed, 26 Oct 2022 15:34:29 +0800
Subject: [PATCH] runc:modify runc Makefile
---
runc-1.1.3/Makefile | 28 ++++++++++++++++++++++------
1 file changed, 22 insertions(+), 6 deletions(-)
diff --git a/runc-1.1.3/Makefile b/runc-1.1.3/Makefile
index cf82c0c..34b5347 100644
--- a/runc-1.1.3/Makefile
+++ b/runc-1.1.3/Makefile
@@ -10,9 +10,12 @@ GIT_BRANCH_CLEAN := $(shell echo $(GIT_BRANCH) | sed -e "s/[^[:alnum:]]/-/g")
RUNC_IMAGE := runc_dev$(if $(GIT_BRANCH_CLEAN),:$(GIT_BRANCH_CLEAN))
PROJECT := github.com/opencontainers/runc
BUILDTAGS ?= seccomp
-COMMIT ?= $(shell git describe --dirty --long --always)
+COMMIT ?= $(shell cat ./git-commit | head -c 40)
VERSION := $(shell cat ./VERSION)
+BEP_DIR := "/tmp/runc-build-bep"
+BEP_FLAG := "-tmpdir=${BEP_DIR}"
+
ifeq ($(shell $(GO) env GOOS),linux)
ifeq (,$(filter $(shell $(GO) env GOARCH),mips mipsle mips64 mips64le ppc64))
ifeq (,$(findstring -race,$(EXTRA_FLAGS)))
@@ -22,23 +25,33 @@ ifeq ($(shell $(GO) env GOOS),linux)
endif
GO_BUILD := $(GO) build -trimpath $(GO_BUILDMODE) $(EXTRA_FLAGS) -tags "$(BUILDTAGS)" \
-ldflags "-X main.gitCommit=$(COMMIT) -X main.version=$(VERSION) $(EXTRA_LDFLAGS)"
-GO_BUILD_STATIC := CGO_ENABLED=1 $(GO) build -trimpath $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo osusergo" \
- -ldflags "-extldflags -static -X main.gitCommit=$(COMMIT) -X main.version=$(VERSION) $(EXTRA_LDFLAGS)"
+GO_BUILD_STATIC := $(GO) build -trimpath $(EXTRA_FLAGS) -tags "$(BUILDTAGS) static_build cgo netgo osusergo"
GPG_KEYID ?= asarai@suse.de
.DEFAULT: runc
runc:
- $(GO_BUILD) -o runc .
+ mkdir -p ${BEP_DIR}
+ $(GO_BUILD) $(BEP_FLAG) -buildid=IdByIsula -o runc .
all: runc recvtty sd-helper seccompagent
recvtty sd-helper seccompagent:
- $(GO_BUILD) -o contrib/cmd/$@/$@ ./contrib/cmd/$@
+ $(GO_BUILD) $(BEP_FLAG) -buildid=IdByIsula -o contrib/cmd/$@/$@ ./contrib/cmd/$@
+
+LD_FLAGS='-buildid=none -tmpdir=/tmp/bep-runc -linkmode=external -extldflags=-Wl,-z,relro,-z,now \
+ -extldflags -static -X main.gitCommit=$(COMMIT) -X main.version=$(VERSION) $(EXTRA_LDFLAGS) \
+ '
static:
- $(GO_BUILD_STATIC) -o runc .
+ rm -rf /tmp/bep-runc && mkdir /tmp/bep-runc
+ CGO_ENABLED=1 \
+ CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
+ CGO_CPPFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
+ CGO_LDFLAGS_ALLOW='-Wl,-z,relro,-z,now' \
+ CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
+ $(GO_BUILD_STATIC) -buildmode=pie -ldflags $(LD_FLAGS) -o runc .
releaseall: RELEASE_ARGS := "-a arm64 -a armel -a armhf -a ppc64le -a s390x"
releaseall: release
@@ -70,6 +83,9 @@ runcimage:
test: unittest integration rootlessintegration
+check:
+ go test -v ./libcontainer
+
localtest: localunittest localintegration localrootlessintegration
unittest: runcimage
--
2.30.0

31
patch/0028-Revert-saneTerminal.patch
View File

@ -1,31 +0,0 @@
From 34dc868ee8515be89835bc98ccbf01f22bd6b1b9 Mon Sep 17 00:00:00 2001
From: Michael Crosby <crosbymichael@gmail.com>
Date: Wed, 7 Jun 2017 10:51:42 -0700
Subject: [PATCH 28/94] Revert saneTerminal
Keep the ONCLR for the terminal created by runc for backwards compat
support of older clients.
Change-Id: Ibdf33687262f13ef98c882328d55c9c4212ce0b6
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
---
libcontainer/console_linux.go | 3 ---
1 file changed, 3 deletions(-)
diff --git a/libcontainer/console_linux.go b/libcontainer/console_linux.go
index 5e364a8..5927bdc 100644
--- a/libcontainer/console_linux.go
+++ b/libcontainer/console_linux.go
@@ -21,9 +21,6 @@ func newConsole() (Console, error) {
if err != nil {
return nil, err
}
- if err := saneTerminal(master); err != nil {
- return nil, err
- }
console, err := ptsname(master)
if err != nil {
return nil, err
--
2.7.4.3

267
patch/0028-runc-cgroup-apply-method-modify.patch Normal file
View File

@ -0,0 +1,267 @@
From acf803b2e77f2d6f9a9868c5ca25e27ada413f30 Mon Sep 17 00:00:00 2001
From: zhong-jiawei-1 <zhongjiawei1@huawei.com>
Date: Thu, 27 Oct 2022 10:05:29 +0800
Subject: [PATCH] runc:cgroup apply method modify
---
runc-1.1.3/libcontainer/cgroups/fs/cpuset.go | 15 ++-
runc-1.1.3/libcontainer/cgroups/fs/files.go | 23 ++---
runc-1.1.3/libcontainer/cgroups/fs/utils.go | 97 +++++++++++++++++++
runc-1.1.3/libcontainer/rootfs_linux.go | 1 +
.../libcontainer/standard_init_linux.go | 4 +-
runc-1.1.3/main.go | 1 -
6 files changed, 119 insertions(+), 22 deletions(-)
create mode 100644 runc-1.1.3/libcontainer/cgroups/fs/utils.go
diff --git a/runc-1.1.3/libcontainer/cgroups/fs/cpuset.go b/runc-1.1.3/libcontainer/cgroups/fs/cpuset.go
index 989f4ec..379407e 100644
--- a/runc-1.1.3/libcontainer/cgroups/fs/cpuset.go
+++ b/runc-1.1.3/libcontainer/cgroups/fs/cpuset.go
@@ -1,7 +1,9 @@
package fs
import (
+ "fmt"
"errors"
+ "io/ioutil"
"os"
"path/filepath"
"strconv"
@@ -9,6 +11,7 @@ import (
"golang.org/x/sys/unix"
+ "github.com/sirupsen/logrus"
"github.com/opencontainers/runc/libcontainer/cgroups"
"github.com/opencontainers/runc/libcontainer/cgroups/fscommon"
"github.com/opencontainers/runc/libcontainer/configs"
@@ -143,7 +146,7 @@ func (s *CpusetGroup) setCpuset(path, cpuset string) error {
func (s *CpusetGroup) Set(path string, r *configs.Resources) error {
var ret error
if r.CpusetCpus != "" {
- return s.setCpuset(path, cgroup.Resources.CpusetCpus)
+ return s.setCpuset(path, r.CpusetCpus)
}
if r.CpusetMems != "" {
if err := cgroups.WriteFile(path, "cpuset.mems", r.CpusetMems); err != nil {
@@ -350,14 +353,20 @@ func cpusetEnsureParent(current string) error {
// cpusetCopyIfNeeded copies the cpuset.cpus and cpuset.mems from the parent
// directory to the current directory if the file's contents are 0
func cpusetCopyIfNeeded(current, parent string) error {
- if currentCpus, currentMems, err := getCpusetSubsystemSettings(current); err != nil {
+ var (
+ err error
+ currentCpus, currentMems string
+ parentCpus, parentMems string
+ )
+
+ if currentCpus, currentMems, err = getCpusetSubsystemSettings(current); err != nil {
ret := fmt.Errorf("failed copy current cgroup setting, %v", err)
if _, err := os.Stat(current); err != nil {
ret = fmt.Errorf("%v, %v", ret, err)
}
return ret
}
- if parentCpus, parentMems, err := getCpusetSubsystemSettings(parent); err != nil {
+ if parentCpus, parentMems, err = getCpusetSubsystemSettings(parent); err != nil {
ret := fmt.Errorf("failed copy parent cgroup setting, %v", err)
if _, err := os.Stat(parent); err != nil {
ret = fmt.Errorf("%v, %v", ret, err)
diff --git a/runc-1.1.3/libcontainer/cgroups/fs/files.go b/runc-1.1.3/libcontainer/cgroups/fs/files.go
index 3315cda..b02743c 100644
--- a/runc-1.1.3/libcontainer/cgroups/fs/files.go
+++ b/runc-1.1.3/libcontainer/cgroups/fs/files.go
@@ -18,27 +18,22 @@ import (
"path/filepath"
)
-type FilesGroup struct {
-}
+type FilesGroup struct {}
func (s *FilesGroup) Name() string {
return "files"
}
-func (s *FilesGroup) Apply(d *cgroupData) error {
- _, err := d.join("files")
- if err != nil && !cgroups.IsNotFound(err) {
- return err
- }
- return nil
+func (s *FilesGroup) Apply(path string, _ *configs.Resources, pid int) error {
+ return apply(path, pid)
}
-func (s *FilesGroup) Set(path string, cgroup *configs.Cgroup) error {
- if cgroup.Resources.FilesLimit != 0 {
+func (s *FilesGroup) Set(path string, r *configs.Resources) error {
+ if r.FilesLimit != 0 {
// "max" is the fallback value.
limit := "max"
- if cgroup.Resources.FilesLimit > 0 {
- limit = strconv.FormatInt(cgroup.Resources.FilesLimit, 10)
+ if r.FilesLimit > 0 {
+ limit = strconv.FormatInt(r.FilesLimit, 10)
}
if err := writeFile(path, "files.limit", limit); err != nil {
@@ -49,10 +44,6 @@ func (s *FilesGroup) Set(path string, cgroup *configs.Cgroup) error {
return nil
}
-func (s *FilesGroup) Remove(d *cgroupData) error {
- return removePath(d.path("files"))
-}
-
func (s *FilesGroup) GetStats(path string, stats *cgroups.Stats) error {
usage, err := getCgroupParamUint(path, "files.usage")
if err != nil {
diff --git a/runc-1.1.3/libcontainer/cgroups/fs/utils.go b/runc-1.1.3/libcontainer/cgroups/fs/utils.go
new file mode 100644
index 0000000..38820a8
--- /dev/null
+++ b/runc-1.1.3/libcontainer/cgroups/fs/utils.go
@@ -0,0 +1,97 @@
+// +build linux
+
+package fs
+
+import (
+ "errors"
+ "os"
+ "fmt"
+ "io/ioutil"
+ "path/filepath"
+ "strconv"
+ "strings"
+)
+
+var (
+ ErrNotValidFormat = errors.New("line is not a valid key value format")
+)
+
+// Saturates negative values at zero and returns a uint64.
+// Due to kernel bugs, some of the memory cgroup stats can be negative.
+func parseUint(s string, base, bitSize int) (uint64, error) {
+ value, err := strconv.ParseUint(s, base, bitSize)
+ if err != nil {
+ intValue, intErr := strconv.ParseInt(s, base, bitSize)
+ // 1. Handle negative values greater than MinInt64 (and)
+ // 2. Handle negative values lesser than MinInt64
+ if intErr == nil && intValue < 0 {
+ return 0, nil
+ } else if intErr != nil && intErr.(*strconv.NumError).Err == strconv.ErrRange && intValue < 0 {
+ return 0, nil
+ }
+
+ return value, err
+ }
+
+ return value, nil
+}
+
+// Parses a cgroup param and returns as name, value
+// i.e. "io_service_bytes 1234" will return as io_service_bytes, 1234
+func getCgroupParamKeyValue(t string) (string, uint64, error) {
+ parts := strings.Fields(t)
+ switch len(parts) {
+ case 2:
+ value, err := parseUint(parts[1], 10, 64)
+ if err != nil {
+ return "", 0, fmt.Errorf("unable to convert param value (%q) to uint64: %v", parts[1], err)
+ }
+
+ return parts[0], value, nil
+ default:
+ return "", 0, ErrNotValidFormat
+ }
+}
+
+// Gets a single uint64 value from the specified cgroup file.
+func getCgroupParamUint(cgroupPath, cgroupFile string) (uint64, error) {
+ fileName := filepath.Join(cgroupPath, cgroupFile)
+ contents, err := ioutil.ReadFile(fileName)
+ if err != nil {
+ return 0, err
+ }
+
+ res, err := parseUint(strings.TrimSpace(string(contents)), 10, 64)
+ if err != nil {
+ return res, fmt.Errorf("unable to parse %q as a uint from Cgroup file %q", string(contents), fileName)
+ }
+ return res, nil
+}
+
+// Gets a string value from the specified cgroup file
+func getCgroupParamString(cgroupPath, cgroupFile string) (string, error) {
+ contents, err := ioutil.ReadFile(filepath.Join(cgroupPath, cgroupFile))
+ if err != nil {
+ return "", err
+ }
+
+ return strings.TrimSpace(string(contents)), nil
+}
+
+func writeFile(dir, file, data string) error {
+ // Normally dir should not be empty, one case is that cgroup subsystem
+ // is not mounted, we will get empty dir, and we want it fail here.
+ if dir == "" {
+ return fmt.Errorf("no such directory for %s", file)
+ }
+ if err := ioutil.WriteFile(filepath.Join(dir, file), []byte(data), 0700); err != nil {
+ ret := fmt.Errorf("failed to write %v to %v: %v", data, file, err)
+ if _, err = os.Stat(dir); err != nil {
+ ret = fmt.Errorf("%v, failed to stat %v, %v", ret, dir, err)
+ }
+
+ return ret
+ }
+ return nil
+}
+
diff --git a/runc-1.1.3/libcontainer/rootfs_linux.go b/runc-1.1.3/libcontainer/rootfs_linux.go
index 4dbe9f4..0bf1729 100644
--- a/runc-1.1.3/libcontainer/rootfs_linux.go
+++ b/runc-1.1.3/libcontainer/rootfs_linux.go
@@ -10,6 +10,7 @@ import (
"path/filepath"
"strconv"
"strings"
+ "syscall"
"time"
securejoin "github.com/cyphar/filepath-securejoin"
diff --git a/runc-1.1.3/libcontainer/standard_init_linux.go b/runc-1.1.3/libcontainer/standard_init_linux.go
index 99e7003..c288c88 100644
--- a/runc-1.1.3/libcontainer/standard_init_linux.go
+++ b/runc-1.1.3/libcontainer/standard_init_linux.go
@@ -3,11 +3,11 @@ package libcontainer
import (
"errors"
"fmt"
- "io/ioutil"
"os"
"os/exec"
- "path/filepath"
"strconv"
+ "strings"
+ "syscall"
"time"
"github.com/opencontainers/runtime-spec/specs-go"
diff --git a/runc-1.1.3/main.go b/runc-1.1.3/main.go
index e624347..e52a2ea 100644
--- a/runc-1.1.3/main.go
+++ b/runc-1.1.3/main.go
@@ -4,7 +4,6 @@ import (
"errors"
"fmt"
"io"
- "log/syslog"
"os"
"path/filepath"
"runtime"
--
2.30.0

59
patch/0029-vendor-runtime-spec-fork-docker-runtime-spe.patch
View File

@ -1,59 +0,0 @@
From c9d66ffed85529579f4247581d0d387fc21d92fa Mon Sep 17 00:00:00 2001
From: Tibor Vass <tibor@docker.com>
Date: Thu, 6 Jul 2017 10:28:14 -0700
Subject: [PATCH 29/94] vendor runtime-spec fork
docker/runtime-spec@a45ba0989fc26c695fe166a49c45bb8b7618ab36
This vendoring brings in the change from uint64 to int64 in the Memory
structs.
Change-Id: Ic928ff9cde8055a24ad039ccff64b8ceff917142
Signed-off-by: Tibor Vass <tibor@docker.com>
---
vendor.conf | 2 +-
.../opencontainers/runtime-spec/specs-go/config.go | 12 ++++++------
2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/vendor.conf b/vendor.conf
index 6ab9bf8..b961707 100644
--- a/vendor.conf
+++ b/vendor.conf
@@ -1,7 +1,7 @@
# OCI runtime-spec. When updating this, make sure you use a version tag rather
# than a commit ID so it's much more obvious what version of the spec we are
# using.
-github.com/opencontainers/runtime-spec v1.0.0-rc5
+github.com/opencontainers/runtime-spec a45ba0989fc26c695fe166a49c45bb8b7618ab36 https://github.com/docker/runtime-spec
# Core libcontainer functionality.
github.com/mrunalp/fileutils ed869b029674c0e9ce4c0dfa781405c2d9946d08
github.com/opencontainers/selinux v1.0.0-rc1
diff --git a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go b/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
index bd8e96a..6d2a026 100644
--- a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
+++ b/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
@@ -281,16 +281,16 @@ type LinuxBlockIO struct {
// LinuxMemory for Linux cgroup 'memory' resource management
type LinuxMemory struct {
// Memory limit (in bytes).
- Limit *uint64 `json:"limit,omitempty"`
+ Limit *int64 `json:"limit,omitempty"`
// Memory reservation or soft_limit (in bytes).
- Reservation *uint64 `json:"reservation,omitempty"`
+ Reservation *int64 `json:"reservation,omitempty"`
// Total memory limit (memory + swap).
- Swap *uint64 `json:"swap,omitempty"`
+ Swap *int64 `json:"swap,omitempty"`
// Kernel memory limit (in bytes).
- Kernel *uint64 `json:"kernel,omitempty"`
+ Kernel *int64 `json:"kernel,omitempty"`
// Kernel memory limit for tcp (in bytes)
- KernelTCP *uint64 `json:"kernelTCP,omitempty"`
- // How aggressive the kernel will swap memory pages. Range from 0 to 100.
+ KernelTCP *int64 `json:"kernelTCP,omitempty"`
+ // How aggressive the kernel will swap memory pages.
Swappiness *uint64 `json:"swappiness,omitempty"`
}
--
2.7.4.3

198
patch/0030-Update-memory-specs-to-use-int64-not-uint64.patch
View File

@ -1,198 +0,0 @@
From 8ffbf2a8b8ae7119ae31bb15a30cb41711b809e2 Mon Sep 17 00:00:00 2001
From: Justin Cormack <justin.cormack@docker.com>
Date: Fri, 23 Jun 2017 17:17:00 -0700
Subject: [PATCH 30/94] Update memory specs to use int64 not uint64
replace #1492 #1494
fix #1422
Since https://github.com/opencontainers/runtime-spec/pull/876 the memory
specifications are now `int64`, as that better matches the visible interface where
`-1` is a valid value. Otherwise finding the correct value was difficult as it
was kernel dependent.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
(cherry picked from commit 3d9074ead33a5c27dc20bb49457c69c6d2ae6b57)
Signed-off-by: Tibor Vass <tibor@docker.com>
Change-Id: I07ec53368c5058076d3bd35e122f32259bf69854
---
libcontainer/cgroups/fs/memory.go | 36 +++++++++++++++++-------------------
libcontainer/configs/cgroup_unix.go | 10 +++++-----
update.go | 14 +++++++-------
3 files changed, 29 insertions(+), 31 deletions(-)
diff --git a/libcontainer/cgroups/fs/memory.go b/libcontainer/cgroups/fs/memory.go
index 0981cfb..c993839 100644
--- a/libcontainer/cgroups/fs/memory.go
+++ b/libcontainer/cgroups/fs/memory.go
@@ -71,14 +71,14 @@ func EnableKernelMemoryAccounting(path string) error {
// until a limit is set on the cgroup and limit cannot be set once the
// cgroup has children, or if there are already tasks in the cgroup.
for _, i := range []int64{1, -1} {
- if err := setKernelMemory(path, uint64(i)); err != nil {
+ if err := setKernelMemory(path, i); err != nil {
return err
}
}
return nil
}
-func setKernelMemory(path string, kernelMemoryLimit uint64) error {
+func setKernelMemory(path string, kernelMemoryLimit int64) error {
if path == "" {
return fmt.Errorf("no such directory for %s", cgroupKernelMemoryLimit)
}
@@ -86,7 +86,7 @@ func setKernelMemory(path string, kernelMemoryLimit uint64) error {
// kernel memory is not enabled on the system so we should do nothing
return nil
}
- if err := ioutil.WriteFile(filepath.Join(path, cgroupKernelMemoryLimit), []byte(strconv.FormatUint(kernelMemoryLimit, 10)), 0700); err != nil {
+ if err := ioutil.WriteFile(filepath.Join(path, cgroupKernelMemoryLimit), []byte(strconv.FormatInt(kernelMemoryLimit, 10)), 0700); err != nil {
// Check if the error number returned by the syscall is "EBUSY"
// The EBUSY signal is returned on attempts to write to the
// memory.kmem.limit_in_bytes file if the cgroup has children or
@@ -104,14 +104,12 @@ func setKernelMemory(path string, kernelMemoryLimit uint64) error {
}
func setMemoryAndSwap(path string, cgroup *configs.Cgroup) error {
- ulimited := -1
-
- // If the memory update is set to uint64(-1) we should also
- // set swap to uint64(-1), it means unlimited memory.
- if cgroup.Resources.Memory == uint64(ulimited) {
- // Only set swap if it's enbled in kernel
+ // If the memory update is set to -1 we should also
+ // set swap to -1, it means unlimited memory.
+ if cgroup.Resources.Memory == -1 {
+ // Only set swap if it's enabled in kernel
if cgroups.PathExists(filepath.Join(path, cgroupMemorySwapLimit)) {
- cgroup.Resources.MemorySwap = uint64(ulimited)
+ cgroup.Resources.MemorySwap = -1
}
}
@@ -126,29 +124,29 @@ func setMemoryAndSwap(path string, cgroup *configs.Cgroup) error {
// When update memory limit, we should adapt the write sequence
// for memory and swap memory, so it won't fail because the new
// value and the old value don't fit kernel's validation.
- if cgroup.Resources.MemorySwap == uint64(ulimited) || memoryUsage.Limit < cgroup.Resources.MemorySwap {
- if err := writeFile(path, cgroupMemorySwapLimit, strconv.FormatUint(cgroup.Resources.MemorySwap, 10)); err != nil {
+ if cgroup.Resources.MemorySwap == -1 || memoryUsage.Limit < uint64(cgroup.Resources.MemorySwap) {
+ if err := writeFile(path, cgroupMemorySwapLimit, strconv.FormatInt(cgroup.Resources.MemorySwap, 10)); err != nil {
return err
}
- if err := writeFile(path, cgroupMemoryLimit, strconv.FormatUint(cgroup.Resources.Memory, 10)); err != nil {
+ if err := writeFile(path, cgroupMemoryLimit, strconv.FormatInt(cgroup.Resources.Memory, 10)); err != nil {
return err
}
} else {
- if err := writeFile(path, cgroupMemoryLimit, strconv.FormatUint(cgroup.Resources.Memory, 10)); err != nil {
+ if err := writeFile(path, cgroupMemoryLimit, strconv.FormatInt(cgroup.Resources.Memory, 10)); err != nil {
return err
}
- if err := writeFile(path, cgroupMemorySwapLimit, strconv.FormatUint(cgroup.Resources.MemorySwap, 10)); err != nil {
+ if err := writeFile(path, cgroupMemorySwapLimit, strconv.FormatInt(cgroup.Resources.MemorySwap, 10)); err != nil {
return err
}
}
} else {
if cgroup.Resources.Memory != 0 {
- if err := writeFile(path, cgroupMemoryLimit, strconv.FormatUint(cgroup.Resources.Memory, 10)); err != nil {
+ if err := writeFile(path, cgroupMemoryLimit, strconv.FormatInt(cgroup.Resources.Memory, 10)); err != nil {
return err
}
}
if cgroup.Resources.MemorySwap != 0 {
- if err := writeFile(path, cgroupMemorySwapLimit, strconv.FormatUint(cgroup.Resources.MemorySwap, 10)); err != nil {
+ if err := writeFile(path, cgroupMemorySwapLimit, strconv.FormatInt(cgroup.Resources.MemorySwap, 10)); err != nil {
return err
}
}
@@ -169,13 +167,13 @@ func (s *MemoryGroup) Set(path string, cgroup *configs.Cgroup) error {
}
if cgroup.Resources.MemoryReservation != 0 {
- if err := writeFile(path, "memory.soft_limit_in_bytes", strconv.FormatUint(cgroup.Resources.MemoryReservation, 10)); err != nil {
+ if err := writeFile(path, "memory.soft_limit_in_bytes", strconv.FormatInt(cgroup.Resources.MemoryReservation, 10)); err != nil {
return err
}
}
if cgroup.Resources.KernelMemoryTCP != 0 {
- if err := writeFile(path, "memory.kmem.tcp.limit_in_bytes", strconv.FormatUint(cgroup.Resources.KernelMemoryTCP, 10)); err != nil {
+ if err := writeFile(path, "memory.kmem.tcp.limit_in_bytes", strconv.FormatInt(cgroup.Resources.KernelMemoryTCP, 10)); err != nil {
return err
}
}
diff --git a/libcontainer/configs/cgroup_unix.go b/libcontainer/configs/cgroup_unix.go
index 7572289..e654960 100644
--- a/libcontainer/configs/cgroup_unix.go
+++ b/libcontainer/configs/cgroup_unix.go
@@ -45,19 +45,19 @@ type Resources struct {
Devices []*Device `json:"devices"`
// Memory limit (in bytes)
- Memory uint64 `json:"memory"`
+ Memory int64 `json:"memory"`
// Memory reservation or soft_limit (in bytes)
- MemoryReservation uint64 `json:"memory_reservation"`
+ MemoryReservation int64 `json:"memory_reservation"`
// Total memory usage (memory + swap); set `-1` to enable unlimited swap
- MemorySwap uint64 `json:"memory_swap"`
+ MemorySwap int64 `json:"memory_swap"`
// Kernel memory limit (in bytes)
- KernelMemory uint64 `json:"kernel_memory"`
+ KernelMemory int64 `json:"kernel_memory"`
// Kernel memory limit for TCP use (in bytes)
- KernelMemoryTCP uint64 `json:"kernel_memory_tcp"`
+ KernelMemoryTCP int64 `json:"kernel_memory_tcp"`
// CPU shares (relative weight vs. other containers)
CpuShares uint64 `json:"cpu_shares"`
diff --git a/update.go b/update.go
index 5520681..226a18a 100644
--- a/update.go
+++ b/update.go
@@ -124,11 +124,11 @@ other options are ignored.
r := specs.LinuxResources{
Memory: &specs.LinuxMemory{
- Limit: u64Ptr(0),
- Reservation: u64Ptr(0),
- Swap: u64Ptr(0),
- Kernel: u64Ptr(0),
- KernelTCP: u64Ptr(0),
+ Limit: i64Ptr(0),
+ Reservation: i64Ptr(0),
+ Swap: i64Ptr(0),
+ Kernel: i64Ptr(0),
+ KernelTCP: i64Ptr(0),
},
CPU: &specs.LinuxCPU{
Shares: u64Ptr(0),
@@ -213,7 +213,7 @@ other options are ignored.
}
for _, pair := range []struct {
opt string
- dest *uint64
+ dest *int64
}{
{"memory", r.Memory.Limit},
{"memory-swap", r.Memory.Swap},
@@ -232,7 +232,7 @@ other options are ignored.
} else {
v = -1
}
- *pair.dest = uint64(v)
+ *pair.dest = v
}
}
r.Pids.Limit = int64(context.Int("pids-limit"))
--
2.7.4.3

84
patch/0032-runc-17-Always-save-own-namespace-paths.patch
View File

@ -1,84 +0,0 @@
From 59a5c027ef71cbad624c7547f3031dc87fc6220d Mon Sep 17 00:00:00 2001
From: Yuanhong Peng <pengyuanhong@huawei.com>
Date: Thu, 13 Jul 2017 16:57:00 +0800
Subject: [PATCH 32/94] runc-17: Always save own namespace paths
[Changelog]: Always save own namespace paths
fix https://github.com/opencontainers/runc/issues/1476
If containerA shares namespace, say ipc namespace, with containerB, then
its ipc namespace path would be the same as containerB and be stored in
`state.json`. Exec into containerA will just read the namespace paths
stored in this file and join these namespaces. So, if containerB has
already been stopped, `docker exec containerA` will fail.
To address this issue, we should always save own namespace paths no
matter if we share namespaces with other containers.
**before:**
```
# docker run -tid --name 111 ubuntu
b123d1a43786523996a52f88c0484b77f778ff59435e257b901926366ba9e046
# docker run -tid --name 222 --net container:111 ubuntu
4685ca6a5e9fd03c634a88f6a07009738729f6210b13d32ea8fc46a058b1f004
# docker restart 111
111
# docker exec -ti 222 bash
rpc error: code = 2 desc = oci runtime error: exec failed: container_linux.go:240:
creating new parent process caused "container_linux.go:1266: running lstat on namespace
path \"/proc/14575/ns/net\" caused \"lstat /proc/14575/ns/net: no such file or directory\""
```
**after:**
```
# docker run -tid --name 111 ubuntu
e00dbfe3bf56272d7bdec232135f707b4a715cb0d39cdc4d3e90b05075497175
# docker run -tid --name 222 --net container:111 ubuntu
0806efe28080392f5a3ef416c363be0d82c3bc64d069f227d57ab34170b6fb16
# docker restart 111
111
# docker exec -ti 222 bash
root@e00dbfe3bf56:/#
```
related upstream PR: https://github.com/opencontainers/runc/pull/1477
Change-Id: I4278f64704c4b0ab0c2e5b44ec9ecdd34735144d
Signed-off-by: Yuanhong Peng <pengyuanhong@huawei.com>
Signed-off-by: yangshukui <yangshukui@huawei.com>
---
libcontainer/configs/namespaces_unix.go | 3 ---
libcontainer/container_linux_test.go | 2 +-
2 files changed, 1 insertion(+), 4 deletions(-)
diff --git a/libcontainer/configs/namespaces_unix.go b/libcontainer/configs/namespaces_unix.go
index 1f0b3ee..12470a0 100644
--- a/libcontainer/configs/namespaces_unix.go
+++ b/libcontainer/configs/namespaces_unix.go
@@ -81,9 +81,6 @@ type Namespace struct {
}
func (n *Namespace) GetPath(pid int) string {
- if n.Path != "" {
- return n.Path
- }
return fmt.Sprintf("/proc/%d/ns/%s", pid, NsName(n.Type))
}
diff --git a/libcontainer/container_linux_test.go b/libcontainer/container_linux_test.go
index b7ce552..b69e344 100644
--- a/libcontainer/container_linux_test.go
+++ b/libcontainer/container_linux_test.go
@@ -134,7 +134,7 @@ func TestGetContainerState(t *testing.T) {
var (
pid = os.Getpid()
expectedMemoryPath = "/sys/fs/cgroup/memory/myid"
- expectedNetworkPath = "/networks/fd"
+ expectedNetworkPath = fmt.Sprintf("/proc/%d/ns/net", pid)
)
container := &linuxContainer{
id: "myid",
--
2.7.4.3

52
patch/0033-runc-change-runc-default-umask-to-027.patch
View File

@ -1,52 +0,0 @@
From 49ff7be84939cf93b8bf4861ddc783704fb3f50b Mon Sep 17 00:00:00 2001
From: dengguangxing <dengguangxing@huawei.com>
Date: Mon, 8 Jan 2018 10:35:34 +0800
Subject: [PATCH 33/94] runc: change runc default umask to 027
[Changelog]:change runc default umask to 027
change exec process default umask to 0027
Change-Id: Ia7ff0216adc17d61586954de83031be21ab88338
Signed-off-by: dengguangxing <dengguangxing@huawei.com>
---
libcontainer/rootfs_linux.go | 2 +-
libcontainer/setns_init_linux.go | 3 +++
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
index d507373..1c93903 100644
--- a/libcontainer/rootfs_linux.go
+++ b/libcontainer/rootfs_linux.go
@@ -136,7 +136,7 @@ func finalizeRootfs(config *configs.Config) (err error) {
}
}
- syscall.Umask(0022)
+ syscall.Umask(0027)
return nil
}
diff --git a/libcontainer/setns_init_linux.go b/libcontainer/setns_init_linux.go
index 48cc0ae..e8e969a 100644
--- a/libcontainer/setns_init_linux.go
+++ b/libcontainer/setns_init_linux.go
@@ -5,6 +5,7 @@ package libcontainer
import (
"fmt"
"os"
+ "syscall"
"github.com/opencontainers/runc/libcontainer/apparmor"
"github.com/opencontainers/runc/libcontainer/keys"
@@ -40,6 +41,8 @@ func (l *linuxSetnsInit) Init() error {
return err
}
}
+ // set exec process umask to 0027 according to secure policy
+ syscall.Umask(0027)
if l.config.NoNewPrivileges {
if err := system.Prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil {
return err
--
2.7.4.3

50
patch/0034-runc-17-Add-some-compatibility-code-to-surpor.patch
View File

@ -1,50 +0,0 @@
From 661a5bf6a414ded19e8722e81ea20f6218d9b7de Mon Sep 17 00:00:00 2001
From: yangshukui <yangshukui@huawei.com>
Date: Fri, 20 Apr 2018 22:38:32 +0800
Subject: [PATCH 34/94] runc-17: Add some compatibility code to surport
docker's liverestore from docker-1.11.2 to docker-17.06
[Changelog]: Add some compatibility code to surport docker's liverestore from docker-1.11.2 to docker-17.06
[Author]:Shukui Yang <yangshukui@huawei.com>
Change-Id: I376cc81f781727ea8d0bc61bc0c6e72ca485d880
Signed-off-by: yangshukui <yangshukui@huawei.com>
---
libcontainer/factory_linux.go | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/libcontainer/factory_linux.go b/libcontainer/factory_linux.go
index 6a0f855..8bf448a 100644
--- a/libcontainer/factory_linux.go
+++ b/libcontainer/factory_linux.go
@@ -10,6 +10,7 @@ import (
"regexp"
"runtime/debug"
"strconv"
+ "strings"
"syscall"
"github.com/docker/docker/pkg/mount"
@@ -321,7 +322,17 @@ func (l *LinuxFactory) loadState(root, id string) (*State, error) {
defer f.Close()
var state *State
if err := json.NewDecoder(f).Decode(&state); err != nil {
- return nil, newGenericError(err, SystemError)
+ if !strings.Contains(err.Error(), "memory_swappiness") {
+ return nil, newGenericError(err, SystemError)
+ }
+
+ if state.BaseState.Config.Cgroups != nil &&
+ state.BaseState.Config.Cgroups.Resources != nil &&
+ state.BaseState.Config.Cgroups.Resources.MemorySwappiness != nil {
+ memorySwappiness := int64(-1)
+ *state.BaseState.Config.Cgroups.Resources.MemorySwappiness = uint64(memorySwappiness)
+ }
+
}
return state, nil
}
--
2.7.4.3

141
patch/0035-runc-17-Add-root-to-HookState-for-compatibili.patch
View File

@ -1,141 +0,0 @@
From 35c1ee336b5714b077c0007ed6c37149bd965260 Mon Sep 17 00:00:00 2001
From: yangshukui <yangshukui@huawei.com>
Date: Fri, 27 Apr 2018 20:24:42 +0800
Subject: [PATCH 35/94] runc-17: Add root to HookState for
compatibility.
[Changelog]:refactor HookState for backward compatibility.
[Author]:Shukui Yang
Change-Id: I471a748005fe5a7be69d5a857944bf8599408c3b
Signed-off-by: yangshukui <yangshukui@huawei.com>
---
libcontainer/configs/config.go | 8 +++++++-
libcontainer/container_linux.go | 22 ++++++++++++++--------
libcontainer/process_linux.go | 22 ++++++++++++++--------
libcontainer/state_linux.go | 9 ++++++---
4 files changed, 41 insertions(+), 20 deletions(-)
diff --git a/libcontainer/configs/config.go b/libcontainer/configs/config.go
index 98f4b85..af25972 100644
--- a/libcontainer/configs/config.go
+++ b/libcontainer/configs/config.go
@@ -259,8 +259,14 @@ func (hooks Hooks) MarshalJSON() ([]byte, error) {
})
}
+// Alias of specs.State
+type SpecState specs.State
+
// HookState is the payload provided to a hook on execution.
-type HookState specs.State
+type HookState struct {
+ SpecState
+ Root string `json:"root"`
+}
type Hook interface {
// Run executes the hook with the provided state.
diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
index 173a3f0..ea6ef4c 100644
--- a/libcontainer/container_linux.go
+++ b/libcontainer/container_linux.go
@@ -275,10 +275,13 @@ func (c *linuxContainer) start(process *Process, isInit bool) error {
if c.config.Hooks != nil {
s := configs.HookState{
- Version: c.config.Version,
- ID: c.id,
- Pid: parent.pid(),
- Bundle: utils.SearchLabels(c.config.Labels, "bundle"),
+ SpecState: configs.SpecState{
+ Version: c.config.Version,
+ ID: c.id,
+ Pid: parent.pid(),
+ Bundle: utils.SearchLabels(c.config.Labels, "bundle"),
+ },
+ Root: c.config.Rootfs,
}
for i, hook := range c.config.Hooks.Poststart {
if err := hook.Run(s); err != nil {
@@ -1243,10 +1246,13 @@ func (c *linuxContainer) criuNotifications(resp *criurpc.CriuResp, process *Proc
case notify.GetScript() == "setup-namespaces":
if c.config.Hooks != nil {
s := configs.HookState{
- Version: c.config.Version,
- ID: c.id,
- Pid: int(notify.GetPid()),
- Bundle: utils.SearchLabels(c.config.Labels, "bundle"),
+ SpecState: configs.SpecState{
+ Version: c.config.Version,
+ ID: c.id,
+ Pid: int(notify.GetPid()),
+ Bundle: utils.SearchLabels(c.config.Labels, "bundle"),
+ },
+ Root: c.config.Rootfs,
}
for i, hook := range c.config.Hooks.Prestart {
if err := hook.Run(s); err != nil {
diff --git a/libcontainer/process_linux.go b/libcontainer/process_linux.go
index bfe9955..c9fb202 100644
--- a/libcontainer/process_linux.go
+++ b/libcontainer/process_linux.go
@@ -292,10 +292,13 @@ func (p *initProcess) start() error {
if !p.config.Config.Namespaces.Contains(configs.NEWNS) {
if p.config.Config.Hooks != nil {
s := configs.HookState{
- Version: p.container.config.Version,
- ID: p.container.id,
- Pid: p.pid(),
- Bundle: utils.SearchLabels(p.config.Config.Labels, "bundle"),
+ SpecState: configs.SpecState{
+ Version: p.container.config.Version,
+ ID: p.container.id,
+ Pid: p.pid(),
+ Bundle: utils.SearchLabels(p.config.Config.Labels, "bundle"),
+ },
+ Root: p.config.Config.Rootfs,
}
for i, hook := range p.config.Config.Hooks.Prestart {
if err := hook.Run(s); err != nil {
@@ -312,10 +315,13 @@ func (p *initProcess) start() error {
case procHooks:
if p.config.Config.Hooks != nil {
s := configs.HookState{
- Version: p.container.config.Version,
- ID: p.container.id,
- Pid: p.pid(),
- Bundle: utils.SearchLabels(p.config.Config.Labels, "bundle"),
+ SpecState: configs.SpecState{
+ Version: p.container.config.Version,
+ ID: p.container.id,
+ Pid: p.pid(),
+ Bundle: utils.SearchLabels(p.config.Config.Labels, "bundle"),
+ },
+ Root: p.config.Config.Rootfs,
}
for i, hook := range p.config.Config.Hooks.Prestart {
if err := hook.Run(s); err != nil {
diff --git a/libcontainer/state_linux.go b/libcontainer/state_linux.go
index 62878ac..9f8def2 100644
--- a/libcontainer/state_linux.go
+++ b/libcontainer/state_linux.go
@@ -58,9 +58,12 @@ func destroy(c *linuxContainer) error {
func runPoststopHooks(c *linuxContainer) error {
if c.config.Hooks != nil {
s := configs.HookState{
- Version: c.config.Version,
- ID: c.id,
- Bundle: utils.SearchLabels(c.config.Labels, "bundle"),
+ SpecState: configs.SpecState{
+ Version: c.config.Version,
+ ID: c.id,
+ Bundle: utils.SearchLabels(c.config.Labels, "bundle"),
+ },
+ Root: c.config.Rootfs,
}
for _, hook := range c.config.Hooks.Poststop {
if err := hook.Run(s); err != nil {
--
2.7.4.3

208
patch/0036-runc-17-add-compatibility-for-docker-1.11.2.patch
View File

@ -1,208 +0,0 @@
From 988554ab5c12971383bc717cda615ca672953cd5 Mon Sep 17 00:00:00 2001
From: yangshukui <yangshukui@huawei.com>
Date: Fri, 18 May 2018 11:03:48 +0800
Subject: [PATCH 36/94] runc-17: add compatibility for docker-1.11.2
[Changelog]: add compatibility for docker-1.11.2
[Author]: Shukui Yang
Change-Id: I188db47db8f4bcd744ac8218bfe966de48e97c22
Signed-off-by: yangshukui <yangshukui@huawei.com>
---
libcontainer/configs/cgroup_unix.go | 6 +++
libcontainer/configs/config.go | 11 ++++
libcontainer/container_linux.go | 6 +++
libcontainer/factory_linux.go | 102 +++++++++++++++++++++++++++++++-----
4 files changed, 113 insertions(+), 12 deletions(-)
diff --git a/libcontainer/configs/cgroup_unix.go b/libcontainer/configs/cgroup_unix.go
index e654960..75a3db0 100644
--- a/libcontainer/configs/cgroup_unix.go
+++ b/libcontainer/configs/cgroup_unix.go
@@ -33,6 +33,12 @@ type Cgroup struct {
*Resources
}
+// CompatCgroup
+type CompatCgroup struct {
+ Cgroup
+ MemorySwappiness interface{} `json:"memory_swappiness"`
+}
+
type Resources struct {
// If this is true allow access to any kind of device within the container. If false, allow access only to devices explicitly listed in the allowed_devices list.
// Deprecated
diff --git a/libcontainer/configs/config.go b/libcontainer/configs/config.go
index af25972..3a2e824 100644
--- a/libcontainer/configs/config.go
+++ b/libcontainer/configs/config.go
@@ -188,6 +188,17 @@ type Config struct {
Rootless bool `json:"rootless"`
}
+// CompatConfig is a structure inheriting from spec.Process defined
+// in runtime-spec/specs-go package. The goal is to be compatible with
+// both v1.0.0-rc4 and v1.0.0-rc5 since the latter introduced a change
+// about the type of the Capabilities field.
+// Refer to: https://github.com/opencontainers/runtime-spec/commit/37391fb
+type CompatConfig struct {
+ Config
+ Cgroups *CompatCgroup `json:"cgroups"`
+ Capabilities interface{} `json:"capabilities,omitempty" platform:"linux"`
+}
+
type Hooks struct {
// Prestart commands are executed after the container namespaces are created,
// but before the user supplied command is executed from init.
diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
index ea6ef4c..f4eec7e 100644
--- a/libcontainer/container_linux.go
+++ b/libcontainer/container_linux.go
@@ -66,6 +66,12 @@ type State struct {
ExternalDescriptors []string `json:"external_descriptors,omitempty"`
}
+// CompatState
+type CompatState struct{
+ State
+ Config configs.CompatConfig `json:"config"`
+}
+
// Container is a libcontainer container object.
//
// Each container is thread-safe within the same process. Since a container can
diff --git a/libcontainer/factory_linux.go b/libcontainer/factory_linux.go
index 8bf448a..b533346 100644
--- a/libcontainer/factory_linux.go
+++ b/libcontainer/factory_linux.go
@@ -10,8 +10,9 @@ import (
"regexp"
"runtime/debug"
"strconv"
- "strings"
"syscall"
+ "io/ioutil"
+ "errors"
"github.com/docker/docker/pkg/mount"
"github.com/opencontainers/runc/libcontainer/cgroups"
@@ -311,28 +312,105 @@ func (l *LinuxFactory) StartInitialization() (err error) {
return i.Init()
}
-func (l *LinuxFactory) loadState(root, id string) (*State, error) {
- f, err := os.Open(filepath.Join(root, stateFilename))
+func (l *LinuxFactory) updateStateCapabilites(compatState *CompatState, configPath string) error {
+ needUpdate := false
+
+ // In spec v1.0.0-rc4, capabilities was a list of strings. This was changed
+ // to an object with v1.0.0-rc5.
+ // Check for the interface type to support both the versions.
+ capabilities := compatState.Config.Capabilities
+ switch caps := capabilities.(type) {
+ case []interface{}:
+ var list []string
+ for _, str := range caps {
+ list = append(list, str.(string))
+ }
+
+ c := configs.Capabilities{
+ Bounding: list,
+ Effective: list,
+ Inheritable: list,
+ Ambient: list,
+ Permitted: list,
+ }
+ compatState.Config.Capabilities = c
+ needUpdate = true
+ }
+
+ //In spec v1.0.0-rc4, MemorySwappiness was a *int64. This was changed
+ // to an *uint64 with v1.0.0-rc5.
+ if compatState.Config.Cgroups != nil &&
+ compatState.Config.Cgroups.MemorySwappiness != nil {
+ memorySwappiness, ok := compatState.Config.Cgroups.MemorySwappiness.(float64)
+ if ok {
+ var memSize int64 = int64(memorySwappiness)
+ if memSize < 0 {
+ memSize = 0
+ var memUSize uint64 = uint64(memSize-1)
+ compatState.Config.Cgroups.MemorySwappiness = &memUSize
+ needUpdate = true
+ }
+ }
+ }
+
+ if needUpdate {
+ f, err := os.Create(configPath)
+ if err != nil {
+ return err
+ }
+ defer f.Close()
+ if err := json.NewEncoder(f).Encode(&compatState); err != nil {
+ return err
+ }
+ return nil
+ }
+
+ return errors.New("updateStateCapabilites unexpected format for capabilities")
+}
+
+func (l *LinuxFactory) loadOriginState(configPath string) (*State, error) {
+ f, err := os.Open(configPath)
if err != nil {
if os.IsNotExist(err) {
- return nil, newGenericError(fmt.Errorf("container %q does not exist", id), ContainerNotExists)
+ return nil, newGenericError(err, ContainerNotExists)
}
return nil, newGenericError(err, SystemError)
}
defer f.Close()
var state *State
if err := json.NewDecoder(f).Decode(&state); err != nil {
- if !strings.Contains(err.Error(), "memory_swappiness") {
- return nil, newGenericError(err, SystemError)
- }
+ return nil, newGenericError(err, SystemError)
+ }
+ return state, nil
+}
- if state.BaseState.Config.Cgroups != nil &&
- state.BaseState.Config.Cgroups.Resources != nil &&
- state.BaseState.Config.Cgroups.Resources.MemorySwappiness != nil {
- memorySwappiness := int64(-1)
- *state.BaseState.Config.Cgroups.Resources.MemorySwappiness = uint64(memorySwappiness)
+func (l *LinuxFactory) loadCompatState(configPath string) (*State, error) {
+ dt, err := ioutil.ReadFile(configPath)
+ if err != nil {
+ if os.IsNotExist(err) {
+ return nil, newGenericError(err, ContainerNotExists)
}
+ return nil, newGenericError(err, SystemError)
+ }
+ var state *CompatState
+ if err := json.Unmarshal(dt, &state); err != nil {
+ return nil, newGenericError(err, SystemError)
+ }
+
+ err = l.updateStateCapabilites(state, configPath)
+ if err != nil {
+ return nil, newGenericError(err, SystemError)
+ }
+
+ return l.loadOriginState(configPath)
+}
+
+func (l *LinuxFactory) loadState(root, id string) (*State, error) {
+ configPath := filepath.Join(root, stateFilename)
+ state, err := l.loadOriginState(configPath)
+ if err != nil {
+ return l.loadCompatState(configPath)
}
return state, nil
}
--
2.7.4.3

61
patch/0037-docker-Don-t-enalbe-kmem-accounting-by-defa.patch
View File

@ -1,61 +0,0 @@
From 093594c58411b6a25844650b40463449e1af11ce Mon Sep 17 00:00:00 2001
From: lujingxiao <lujingxiao@huawei.com>
Date: Thu, 23 Aug 2018 15:03:50 +0800
Subject: [PATCH 37/94] docker: Don't enalbe kmem accounting by
default
reason:In kernel 3.10, kmem cgroup is unstable,
we should not enable kmem accounting by default.
Revert part of
https://github.com/hqhq/runc/commit/fe898e7862f945fa3632580139602c627dcb9be0
Change-Id: I546d1da875b1df7d525fd5c96a89c439ed6642f2
Signed-off-by: lujingxiao <lujingxiao@huawei.com>
---
libcontainer/cgroups/fs/memory.go | 6 ++----
script/runc-euleros.spec | 8 ++++++--
2 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/libcontainer/cgroups/fs/memory.go b/libcontainer/cgroups/fs/memory.go
index c993839..118cce8 100644
--- a/libcontainer/cgroups/fs/memory.go
+++ b/libcontainer/cgroups/fs/memory.go
@@ -41,10 +41,8 @@ func (s *MemoryGroup) Apply(d *cgroupData) (err error) {
if err := os.MkdirAll(path, 0755); err != nil {
return err
}
- // Only enable kernel memory accouting when this cgroup
- // is created by libcontainer, otherwise we might get
- // error when people use `cgroupsPath` to join an existed
- // cgroup whose kernel memory is not initialized.
+ }
+ if d.config.KernelMemory != 0 {
if err := EnableKernelMemoryAccounting(path); err != nil {
return err
}
diff --git a/script/runc-euleros.spec b/script/runc-euleros.spec
index a925e02..c3db7c9 100644
--- a/script/runc-euleros.spec
+++ b/script/runc-euleros.spec
@@ -2,7 +2,7 @@
Name: docker-runc
Version: 1.0.0.rc3
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: runc is a CLI tool for spawning and running containers according to the OCF specification
License: ASL 2.0
@@ -46,4 +46,8 @@ install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc
%{_bindir}/runc
%changelog
-
+* Thu Aug 23 2018 lujingxiao<lujingxiao@huawei.com> - 1.0.0.rc3-2
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:Don't enalbe kmem accounting by default
--
2.7.4.3

64
patch/0039-Fix-unittest-and-integration-test-error-cause.patch
View File

@ -1,64 +0,0 @@
From 423ffe00c5c0cdb999bf9a193ad43ed5b6473a2d Mon Sep 17 00:00:00 2001
From: Wang Long <long.wanglong@huawei.com>
Date: Tue, 24 Jan 2017 18:51:22 +0800
Subject: [PATCH 39/94] Fix unittest and integration test error caused
by tty
Change-Id: Iae44f5a598e60b9e026ced99ca9e92aa90771fcc
Signed-off-by: Wang Long <long.wanglong@huawei.com>
---
libcontainer/integration/execin_test.go | 8 +-------
tests/integration/exec.bats | 4 ++--
2 files changed, 3 insertions(+), 9 deletions(-)
diff --git a/libcontainer/integration/execin_test.go b/libcontainer/integration/execin_test.go
index 019757f..f06075e 100644
--- a/libcontainer/integration/execin_test.go
+++ b/libcontainer/integration/execin_test.go
@@ -62,9 +62,6 @@ func TestExecIn(t *testing.T) {
if !strings.Contains(out, "cat") || !strings.Contains(out, "ps") {
t.Fatalf("unexpected running process, output %q", out)
}
- if strings.Contains(out, "\r") {
- t.Fatalf("unexpected carriage-return in output")
- }
}
func TestExecInUsernsRlimit(t *testing.T) {
@@ -327,12 +324,9 @@ func TestExecInTTY(t *testing.T) {
waitProcess(process, t)
out := stdout.String()
- if !strings.Contains(out, "cat") || !strings.Contains(out, "ps") {
+ if !strings.Contains(out, "cat") || !strings.Contains(string(out), "ps") {
t.Fatalf("unexpected running process, output %q", out)
}
- if strings.Contains(out, "\r") {
- t.Fatalf("unexpected carriage-return in output")
- }
}
func TestExecInEnvironment(t *testing.T) {
diff --git a/tests/integration/exec.bats b/tests/integration/exec.bats
index f172f9b..268a7e1 100644
--- a/tests/integration/exec.bats
+++ b/tests/integration/exec.bats
@@ -95,7 +95,7 @@ function teardown() {
runc exec --cwd /bin test_busybox pwd
[ "$status" -eq 0 ]
- [[ ${output} == "/bin" ]]
+ [[ $(echo "${output}" | tr -d '\r') == "/bin" ]]
}
@test "runc exec --env" {
@@ -124,5 +124,5 @@ function teardown() {
runc exec --user 1000:1000 test_busybox id
[ "$status" -eq 0 ]
- [[ ${output} == "uid=1000 gid=1000" ]]
+ [[ $(echo "${output}" | tr -d '\r') == "uid=1000 gid=1000" ]]
}
--
2.7.4.3

68
patch/0041-Add-timeout-for-syscall.Openat.patch
View File

@ -1,68 +0,0 @@
From a2f81f8b740b371e710b63b8c81c704842140ace Mon Sep 17 00:00:00 2001
From: yangshukui <yangshukui@huawei.com>
Date: Tue, 18 Apr 2017 19:35:30 +0800
Subject: [PATCH 41/94] Add timeout for syscall.Openat
Openat will be blocked until the fifo on the other side is opened, but in some
abnomal scenario(e.g. containerd is killed), Openat maybe be blocked all the time.
Change-Id: If1d514408b522c8bdf5f1c1cb0d3c625f0ef4a6d
Signed-off-by: yangshukui <yangshukui@huawei.com>
---
libcontainer/standard_init_linux.go | 30 ++++++++++++++++++++++++------
1 file changed, 24 insertions(+), 6 deletions(-)
diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
index ee6f19a..484ba42 100644
--- a/libcontainer/standard_init_linux.go
+++ b/libcontainer/standard_init_linux.go
@@ -7,6 +7,7 @@ import (
"os"
"os/exec"
"syscall"
+ "time"
"github.com/opencontainers/runc/libcontainer/apparmor"
"github.com/opencontainers/runc/libcontainer/configs"
@@ -166,15 +167,32 @@ func (l *linuxStandardInit) Init() error {
}
// close the pipe to signal that we have completed our init.
l.pipe.Close()
+
// wait for the fifo to be opened on the other side before
// exec'ing the users process.
- fd, err := syscall.Openat(l.stateDirFD, execFifoFilename, os.O_WRONLY|syscall.O_CLOEXEC, 0)
- if err != nil {
- return newSystemErrorWithCause(err, "openat exec fifo")
- }
- if _, err := syscall.Write(fd, []byte("0")); err != nil {
- return newSystemErrorWithCause(err, "write 0 exec fifo")
+ ch := make(chan Error, 1)
+ go func() {
+ fd, err := syscall.Openat(l.stateDirFD, execFifoFilename, os.O_WRONLY|syscall.O_CLOEXEC, 0)
+ if err != nil {
+ ch <- newSystemErrorWithCause(err, "openat exec fifo")
+ return
+ }
+ if _, err := syscall.Write(fd, []byte("0")); err != nil {
+ ch <- newSystemErrorWithCause(err, "write 0 exec fifo")
+ return
+ }
+ ch <- nil
+ }()
+
+ select {
+ case chErr := <-ch:
+ if chErr != nil {
+ return chErr
+ }
+ case <-time.After(120 * time.Second):
+ return newSystemErrorWithCause(fmt.Errorf("timeout"), "wait for the fifo to be opened on the other side ")
}
+
if l.config.Config.Seccomp != nil && l.config.NoNewPrivileges {
if err := seccomp.InitSeccomp(l.config.Config.Seccomp); err != nil {
return newSystemErrorWithCause(err, "init seccomp")
--
2.7.4.3

43
patch/0043-runc-Use-rslave-instead-of-rprivate-in-chro.patch
View File

@ -1,43 +0,0 @@
From 321679149dad13cdfd40831cc288495d4a5caf75 Mon Sep 17 00:00:00 2001
From: caihaomin <caihaomin@huawei.com>
Date: Fri, 15 Dec 2017 17:37:41 +0800
Subject: [PATCH 43/94] runc: Use rslave instead of rprivate in
chrootarchive
[Changelog]:With rprivate there exists a race where a reference to a mount has
propagated to the new namespace, when rprivate is set the parent
namespace is not able to remove the mount due to that reference.
With rslave unmounts will propagate correctly into the namespace and
prevent the sort of transient errors that are possible with rprivate.
https://github.com/moby/moby/pull/35217
[Author]git
Change-Id: I7a69a5b0c03e896b9cb1722eb676b7b84ea7dd77
Signed-off-by: caihaomin <caihaomin@huawei.com>
---
libcontainer/rootfs_linux.go | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
index 1c93903..7cf5edd 100644
--- a/libcontainer/rootfs_linux.go
+++ b/libcontainer/rootfs_linux.go
@@ -668,9 +668,12 @@ func pivotRoot(rootfs string) error {
return err
}
- // Make oldroot rprivate to make sure our unmounts don't propagate to the
- // host (and thus bork the machine).
- if err := syscall.Mount("", ".", "", syscall.MS_PRIVATE|syscall.MS_REC, ""); err != nil {
+ // Make oldroot rslave to make sure our unmounts don't propagate to the
+ // host (and thus bork the machine). We don't use rprivate because this is
+ // known to cause issues due to races where we still have a reference to a
+ // mount while a process in the host namespace are trying to operate on
+ // something they think has no mounts (devicemapper in particular).
+ if err := syscall.Mount("", ".", "", syscall.MS_SLAVE|syscall.MS_REC, ""); err != nil {
return err
}
// Preform the unmount. MNT_DETACH allows us to unmount /proc/self/cwd.
--
2.7.4.3

43
patch/0044-runc-default-mount-propagation-correctly.patch
View File

@ -1,43 +0,0 @@
From 06109d15b267af73d523817e6dcf501fa071a815 Mon Sep 17 00:00:00 2001
From: caihaomin <caihaomin@huawei.com>
Date: Fri, 15 Dec 2017 17:42:03 +0800
Subject: [PATCH 44/94] runc: default mount propagation correctly
[Changelog]:The code in prepareRoot
attempts to default the rootfs mount to `rslave`. However, since the spec
conversion has already defaulted it to `rprivate`, that code doesn't
actually ever do anything.
This changes the spec conversion code to accept "" and treat it as 0.
Implicitly, this makes rootfs propagation default to `rslave`, which is
a part of fixing the moby bug moby/moby#34672
Alternate implementatoins include changing this defaulting to be
`rslave` and removing the defaulting code in prepareRoot, or skipping
the mapping entirely for "", but I think this change is the cleanest of
those options.
[Author]git
Change-Id: I35954e2c8a71c1d3713753669044b5bf9d6c57fa
Signed-off-by: caihaomin <caihaomin@huawei.com>
---
libcontainer/specconv/spec_linux.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go
index 1575ae0..8a2947f 100644
--- a/libcontainer/specconv/spec_linux.go
+++ b/libcontainer/specconv/spec_linux.go
@@ -36,7 +36,7 @@ var mountPropagationMapping = map[string]int{
"slave": syscall.MS_SLAVE,
"rshared": syscall.MS_SHARED | syscall.MS_REC,
"shared": syscall.MS_SHARED,
- "": syscall.MS_PRIVATE | syscall.MS_REC,
+ "": 0,
}
var allowedDevices = []*configs.Device{
--
2.7.4.3

128
patch/0045-runc-add-hook-specific-info-when-error-occurr.patch
View File

@ -1,128 +0,0 @@
From eed1c5ec5166a151da33b7b9cfd6535f4556c015 Mon Sep 17 00:00:00 2001
From: dengguangxing <dengguangxing@huawei.com>
Date: Tue, 16 Jan 2018 18:00:56 +0800
Subject: [PATCH 45/94] runc: add hook specific info when error
occurred
[Changelog]: print hook path and args when hook failed to make debug
easier
[Author]:Shukui Yang
Change-Id: Idf704706b73f1cfa5f7f02b01b2ec58caadca79d
Signed-off-by: dengguangxing <dengguangxing@huawei.com>
---
libcontainer/configs/config.go | 10 ++++++++++
libcontainer/container_linux.go | 2 +-
libcontainer/factory_linux_test.go | 4 ++++
libcontainer/process_linux.go | 4 ++--
libcontainer/state_linux.go | 4 ++--
5 files changed, 19 insertions(+), 5 deletions(-)
diff --git a/libcontainer/configs/config.go b/libcontainer/configs/config.go
index 3a2e824..49bc7a3 100644
--- a/libcontainer/configs/config.go
+++ b/libcontainer/configs/config.go
@@ -5,6 +5,7 @@ import (
"encoding/json"
"fmt"
"os/exec"
+ "strings"
"time"
"github.com/Sirupsen/logrus"
@@ -282,6 +283,7 @@ type HookState struct {
type Hook interface {
// Run executes the hook with the provided state.
Run(HookState) error
+ Info() string
}
// NewFunctionHook will call the provided function when the hook is run.
@@ -299,6 +301,10 @@ func (f FuncHook) Run(s HookState) error {
return f.run(s)
}
+func (f FuncHook) Info() string {
+ return "hook function"
+}
+
type Command struct {
Path string `json:"path"`
Args []string `json:"args"`
@@ -318,6 +324,10 @@ type CommandHook struct {
Command
}
+func (c Command) Info() string {
+ return c.Path + "," + strings.Join(c.Args, ",")
+}
+
func (c Command) Run(s HookState) error {
b, err := json.Marshal(s)
if err != nil {
diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
index f4eec7e..9fabadc 100644
--- a/libcontainer/container_linux.go
+++ b/libcontainer/container_linux.go
@@ -294,7 +294,7 @@ func (c *linuxContainer) start(process *Process, isInit bool) error {
if err := parent.terminate(); err != nil {
logrus.Warn(err)
}
- return newSystemErrorWithCausef(err, "running poststart hook %d", i)
+ return newSystemErrorWithCausef(err, "running poststart hook %d:%s", i, hook.Info())
}
}
}
diff --git a/libcontainer/factory_linux_test.go b/libcontainer/factory_linux_test.go
index ea3b513..0a84a7d 100644
--- a/libcontainer/factory_linux_test.go
+++ b/libcontainer/factory_linux_test.go
@@ -205,3 +205,7 @@ type unserializableHook struct{}
func (unserializableHook) Run(configs.HookState) error {
return nil
}
+
+func (unserializableHook) Info() string {
+ return ""
+}
diff --git a/libcontainer/process_linux.go b/libcontainer/process_linux.go
index 9373595..1b478d7 100644
--- a/libcontainer/process_linux.go
+++ b/libcontainer/process_linux.go
@@ -307,7 +307,7 @@ func (p *initProcess) start() error {
}
for i, hook := range p.config.Config.Hooks.Prestart {
if err := hook.Run(s); err != nil {
- return newSystemErrorWithCausef(err, "running prestart hook %d", i)
+ return newSystemErrorWithCausef(err, "running prestart hook %d:%s", i, hook.Info())
}
}
}
@@ -330,7 +330,7 @@ func (p *initProcess) start() error {
}
for i, hook := range p.config.Config.Hooks.Prestart {
if err := hook.Run(s); err != nil {
- return newSystemErrorWithCausef(err, "running prestart hook %d", i)
+ return newSystemErrorWithCausef(err, "running prestart hook %d:%s", i, hook.Info())
}
}
}
diff --git a/libcontainer/state_linux.go b/libcontainer/state_linux.go
index 9f8def2..c4f0dfc 100644
--- a/libcontainer/state_linux.go
+++ b/libcontainer/state_linux.go
@@ -65,9 +65,9 @@ func runPoststopHooks(c *linuxContainer) error {
},
Root: c.config.Rootfs,
}
- for _, hook := range c.config.Hooks.Poststop {
+ for i, hook := range c.config.Hooks.Poststop {
if err := hook.Run(s); err != nil {
- return err
+ return newSystemErrorWithCausef(err, "running poststop hook %d:%s", i, hook.Info())
}
}
}
--
2.7.4.3

57
patch/0046-runc-print-cgroup-info-if-cpuset-missing-occu.patch
View File

@ -1,57 +0,0 @@
From a410e6a2f9adeb46813a5016812ad334c6560b2d Mon Sep 17 00:00:00 2001
From: dengguangxing <dengguangxing@huawei.com>
Date: Thu, 18 Jan 2018 11:47:04 +0800
Subject: [PATCH 46/94] runc: print cgroup info if cpuset missing
occurs
[Changelog]: print cgroup info if cpuset missing occurs
[Author]:Shukui Yang
Change-Id: I3f8af2b57b441f5f2b4d38cb89d6826a7f24e24b
Signed-off-by: dengguangxing <dengguangxing@huawei.com>
---
libcontainer/cgroups/fs/cpuset.go | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/libcontainer/cgroups/fs/cpuset.go b/libcontainer/cgroups/fs/cpuset.go
index 918b9a3..069c491 100644
--- a/libcontainer/cgroups/fs/cpuset.go
+++ b/libcontainer/cgroups/fs/cpuset.go
@@ -9,6 +9,7 @@ import (
"os"
"path/filepath"
+ "github.com/Sirupsen/logrus"
"github.com/opencontainers/runc/libcontainer/cgroups"
"github.com/opencontainers/runc/libcontainer/configs"
libcontainerUtils "github.com/opencontainers/runc/libcontainer/utils"
@@ -91,6 +92,26 @@ func (s *CpusetGroup) ApplyDir(dir string, cgroup *configs.Cgroup, pid int) erro
}
func (s *CpusetGroup) getSubsystemSettings(parent string) (cpus []byte, mems []byte, err error) {
+ defer func() {
+ if err != nil {
+ minfo, err1 := ioutil.ReadFile("/proc/self/mountinfo")
+ if err1 != nil {
+ logrus.Errorf("Failed to read mountinfo when getSubsystemSettings get an error")
+ }
+
+ dirInfo := ""
+ fs, err2 := ioutil.ReadDir(parent)
+ if err2 != nil {
+ logrus.Errorf("Failed to read mountinfo when getSubsystemSettings get an error")
+ }
+ for _, f := range fs {
+ dirInfo = dirInfo + " " + f.Name()
+ }
+
+ logrus.Errorf("Read cpuset cgroup failed, print mountinfo and cgroup info here"+
+ "path: %s, mountinfo: [%s], dirinfo: [%s]", parent, string(minfo), dirInfo)
+ }
+ }()
if cpus, err = ioutil.ReadFile(filepath.Join(parent, "cpuset.cpus")); err != nil {
return
}
--
2.7.4.3

104
patch/0047-runc-add-more-specific-log-for-hooks.patch
View File

@ -1,104 +0,0 @@
From f5399113b70807b57ed557bfecf932e5448016c2 Mon Sep 17 00:00:00 2001
From: dengguangxing <dengguangxing@huawei.com>
Date: Mon, 22 Jan 2018 20:27:37 +0800
Subject: [PATCH 47/94] runc: add more specific log for hooks
[Changelog]: add more specific log for hooks
[Author]:Shukui Yang
Change-Id: I317232b42a5fd6bc16773fe4aa0a376d8b9b6806
Signed-off-by: dengguangxing <dengguangxing@huawei.com>
---
libcontainer/container_linux.go | 5 +++++
libcontainer/process_linux.go | 5 +++++
libcontainer/state_linux.go | 3 +++
3 files changed, 13 insertions(+)
diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
index 9fabadc..74b82c5 100644
--- a/libcontainer/container_linux.go
+++ b/libcontainer/container_linux.go
@@ -290,12 +290,15 @@ func (c *linuxContainer) start(process *Process, isInit bool) error {
Root: c.config.Rootfs,
}
for i, hook := range c.config.Hooks.Poststart {
+ logrus.Infof("run poststart hook %d:%s", i, hook.Info())
if err := hook.Run(s); err != nil {
+ logrus.Errorf("running poststart hook(%d:%s) failed: %s", i, hook.Info(), err)
if err := parent.terminate(); err != nil {
logrus.Warn(err)
}
return newSystemErrorWithCausef(err, "running poststart hook %d:%s", i, hook.Info())
}
+ logrus.Infof("poststart hook %d:%s done", i, hook.Info())
}
}
} else {
@@ -1261,9 +1264,11 @@ func (c *linuxContainer) criuNotifications(resp *criurpc.CriuResp, process *Proc
Root: c.config.Rootfs,
}
for i, hook := range c.config.Hooks.Prestart {
+ logrus.Infof("run prestart hook: %d:%s", i, hook.Info())
if err := hook.Run(s); err != nil {
return newSystemErrorWithCausef(err, "running prestart hook %d", i)
}
+ logrus.Infof("prestart hook: %d:%s done", i, hook.Info())
}
}
case notify.GetScript() == "post-restore":
diff --git a/libcontainer/process_linux.go b/libcontainer/process_linux.go
index 1b478d7..9064c0e 100644
--- a/libcontainer/process_linux.go
+++ b/libcontainer/process_linux.go
@@ -13,6 +13,7 @@ import (
"strconv"
"syscall"
+ "github.com/Sirupsen/logrus"
"github.com/opencontainers/runc/libcontainer/cgroups"
"github.com/opencontainers/runc/libcontainer/configs"
"github.com/opencontainers/runc/libcontainer/system"
@@ -306,9 +307,11 @@ func (p *initProcess) start() error {
Root: p.config.Config.Rootfs,
}
for i, hook := range p.config.Config.Hooks.Prestart {
+ logrus.Infof("run prestart hook %d:%s", i, hook.Info())
if err := hook.Run(s); err != nil {
return newSystemErrorWithCausef(err, "running prestart hook %d:%s", i, hook.Info())
}
+ logrus.Infof("prestart hook %d:%s done", i, hook.Info())
}
}
}
@@ -329,9 +332,11 @@ func (p *initProcess) start() error {
Root: p.config.Config.Rootfs,
}
for i, hook := range p.config.Config.Hooks.Prestart {
+ logrus.Infof("run prestart hook %d:%s", i, hook.Info())
if err := hook.Run(s); err != nil {
return newSystemErrorWithCausef(err, "running prestart hook %d:%s", i, hook.Info())
}
+ logrus.Infof("prestart hook %d:%s done", i, hook.Info())
}
}
// Sync with child.
diff --git a/libcontainer/state_linux.go b/libcontainer/state_linux.go
index c4f0dfc..b8d2a87 100644
--- a/libcontainer/state_linux.go
+++ b/libcontainer/state_linux.go
@@ -66,9 +66,12 @@ func runPoststopHooks(c *linuxContainer) error {
Root: c.config.Rootfs,
}
for i, hook := range c.config.Hooks.Poststop {
+ logrus.Infof("run poststop hook %d:%s", i, hook.Info())
if err := hook.Run(s); err != nil {
+ logrus.Errorf("running poststop hook %d: %s failed: %s", i, hook.Info(), err)
return newSystemErrorWithCausef(err, "running poststop hook %d:%s", i, hook.Info())
}
+ logrus.Infof("poststop hook %d:%s done", i, hook.Info())
}
}
return nil
--
2.7.4.3

40
patch/0048-runc-Only-configure-networking.patch
View File

@ -1,40 +0,0 @@
From caeb202a8a95863a44fa8f45e0515437239b173c Mon Sep 17 00:00:00 2001
From: dengguangxing <dengguangxing@huawei.com>
Date: Wed, 16 May 2018 15:16:51 +0800
Subject: [PATCH 48/94] runc: Only configure networking
[Changelog]: Only configure networking when creating a net ns
When joining an existing namespace, don't default to configuring a
loopback interface in that namespace.
Its creator should have done that, and we don't want to fail to create
the container when we don't have sufficient privileges to configure the
network namespace.
This is cherry-picked from runc upstream:
https://github.com/opencontainers/runc/pull/1777
[Author]:Shukui Yang
Change-Id: I1f181f18e23c621db6718a185e35b50531d27c09
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Signed-off-by: dengguangxing <dengguangxing@huawei.com>
---
libcontainer/specconv/spec_linux.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go
index 8a2947f..a968313 100644
--- a/libcontainer/specconv/spec_linux.go
+++ b/libcontainer/specconv/spec_linux.go
@@ -194,7 +194,7 @@ func CreateLibcontainerConfig(opts *CreateOpts) (*configs.Config, error) {
}
config.Namespaces.Add(t, ns.Path)
}
- if config.Namespaces.Contains(configs.NEWNET) {
+ if config.Namespaces.Contains(configs.NEWNET) && config.Namespaces.PathOf(configs.NEWNET) == "" {
config.Networks = []*configs.Network{
{
Type: "loopback",
--
2.7.4.3

37
patch/0049-cgroups-fs-fix-NPE-on-Destroy-than-no-cgrou.patch
View File

@ -1,37 +0,0 @@
From ee3660e477b70d73812390ad96d82681f82f2e9b Mon Sep 17 00:00:00 2001
From: Denys Smirnov <denys@sourced.tech>
Date: Tue, 6 Mar 2018 23:31:31 +0100
Subject: [PATCH 49/94] cgroups/fs: fix NPE on Destroy than no
cgroups are set
[Changelog]: Currently Manager accepts nil cgroups when calling Apply, but
it will panic then trying to call Destroy with the same config.
This is cherry-picked from runc upstream:
https://github.com/opencontainers/runc/pull/1752
[Author]:Shukui Yang
Change-Id: Ie7aba1d1b7086a82a1d186038fb5e6c09b617f75
Signed-off-by: Denys Smirnov <denys@sourced.tech>
Signed-off-by: dengguangxing <dengguangxing@huawei.com>
---
libcontainer/cgroups/fs/apply_raw.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libcontainer/cgroups/fs/apply_raw.go b/libcontainer/cgroups/fs/apply_raw.go
index 22d82ac..66debae 100644
--- a/libcontainer/cgroups/fs/apply_raw.go
+++ b/libcontainer/cgroups/fs/apply_raw.go
@@ -152,7 +152,7 @@ func (m *Manager) Apply(pid int) (err error) {
}
func (m *Manager) Destroy() error {
- if m.Cgroups.Paths != nil {
+ if m.Cgroups == nil || m.Cgroups.Paths != nil {
return nil
}
m.mu.Lock()
--
2.7.4.3

214
patch/0050-runc-Avoid-race-when-opening-exec-fifo.patch
View File

@ -1,214 +0,0 @@
From 7e65e11136e81a834effe40a9f926416fb1eea78 Mon Sep 17 00:00:00 2001
From: Will Martin <wmartin@pivotal.io>
Date: Mon, 22 Jan 2018 17:03:02 +0000
Subject: [PATCH 50/94] runc: Avoid race when opening exec fifo
[Changelog]: Avoid race when opening exec fifo
When starting a container with `runc start` or `runc run`, the stub
process (runc[2:INIT]) opens a fifo for writing. Its parent runc process
will open the same fifo for reading. In this way, they synchronize.
If the stub process exits at the wrong time, the parent runc process
will block forever.
This can happen when racing 2 runc operations against each other: `runc
run/start`, and `runc delete`. It could also happen for other reasons,
e.g. the kernel's OOM killer may select the stub process.
This commit resolves this race by racing the opening of the exec fifo
from the runc parent process against the stub process exiting. If the
stub process exits before we open the fifo, we return an error.
Another solution is to wait on the stub process. However, it seems it
would require more refactoring to avoid calling wait multiple times on
the same process, which is an error.
This is cherry-picked from runc upstream:
https://github.com/opencontainers/runc/pull/1698
[Author]:Shukui Yang
Change-Id: Id0ba756349b59463f7ee19ad63a6f243bee4a729
Signed-off-by: Craig Furman <cfurman@pivotal.io>
Signed-off-by: dengguangxing <dengguangxing@huawei.com>
---
libcontainer/container_linux.go | 69 +++++++++++++++++++++++++++++++++++------
libcontainer/system/proc.go | 59 +++++++++++++++++++++++++++++++++++
2 files changed, 119 insertions(+), 9 deletions(-)
diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
index 74b82c5..278f597 100644
--- a/libcontainer/container_linux.go
+++ b/libcontainer/container_linux.go
@@ -5,6 +5,7 @@ package libcontainer
import (
"bytes"
"encoding/json"
+ "errors"
"fmt"
"io"
"io/ioutil"
@@ -239,20 +240,70 @@ func (c *linuxContainer) Exec() error {
func (c *linuxContainer) exec() error {
path := filepath.Join(c.root, execFifoFilename)
- f, err := os.OpenFile(path, os.O_RDONLY, 0)
- if err != nil {
- return newSystemErrorWithCause(err, "open exec fifo for reading")
+
+ fifoOpen := make(chan struct{})
+ select {
+ case <-awaitProcessExit(c.initProcess.pid(), fifoOpen):
+ return errors.New("container process is already dead")
+ case result := <-awaitFifoOpen(path):
+ close(fifoOpen)
+ if result.err != nil {
+ return result.err
+ }
+ f := result.file
+ defer f.Close()
+ if err := readFromExecFifo(f); err != nil {
+ return err
+ }
+ return os.Remove(path)
}
- defer f.Close()
- data, err := ioutil.ReadAll(f)
+}
+
+func readFromExecFifo(execFifo io.Reader) error {
+ data, err := ioutil.ReadAll(execFifo)
if err != nil {
return err
}
- if len(data) > 0 {
- os.Remove(path)
- return nil
+ if len(data) <= 0 {
+ return fmt.Errorf("cannot start an already running container")
}
- return fmt.Errorf("cannot start an already running container")
+ return nil
+}
+
+func awaitProcessExit(pid int, exit <-chan struct{}) <-chan struct{} {
+ isDead := make(chan struct{})
+ go func() {
+ for {
+ select {
+ case <-exit:
+ return
+ case <-time.After(time.Millisecond * 100):
+ stat, err := system.GetProcessState(pid)
+ if err != nil || stat == system.Zombie {
+ close(isDead)
+ return
+ }
+ }
+ }
+ }()
+ return isDead
+}
+
+func awaitFifoOpen(path string) <-chan openResult {
+ fifoOpened := make(chan openResult)
+ go func() {
+ f, err := os.OpenFile(path, os.O_RDONLY, 0)
+ if err != nil {
+ fifoOpened <- openResult{err: newSystemErrorWithCause(err, "open exec fifo for reading")}
+ }
+ fifoOpened <- openResult{file: f}
+ }()
+ return fifoOpened
+}
+
+type openResult struct {
+ file *os.File
+ err error
}
func (c *linuxContainer) start(process *Process, isInit bool) error {
diff --git a/libcontainer/system/proc.go b/libcontainer/system/proc.go
index a0e9637..03fd940 100644
--- a/libcontainer/system/proc.go
+++ b/libcontainer/system/proc.go
@@ -1,12 +1,48 @@
package system
import (
+ "fmt"
"io/ioutil"
"path/filepath"
"strconv"
"strings"
)
+type State rune
+
+const ( // Only values for Linux 3.14 and later are listed here
+ Dead State = 'X'
+ DiskSleep State = 'D'
+ Running State = 'R'
+ Sleeping State = 'S'
+ Stopped State = 'T'
+ TracingStop State = 't'
+ Zombie State = 'Z'
+)
+
+// String forms of the state from proc(5)'s documentation for
+// /proc/[pid]/status' "State" field.
+func (s State) String() string {
+ switch s {
+ case Dead:
+ return "dead"
+ case DiskSleep:
+ return "disk sleep"
+ case Running:
+ return "running"
+ case Sleeping:
+ return "sleeping"
+ case Stopped:
+ return "stopped"
+ case TracingStop:
+ return "tracing stop"
+ case Zombie:
+ return "zombie"
+ default:
+ return fmt.Sprintf("unknown (%c)", s)
+ }
+}
+
// look in /proc to find the process start time so that we can verify
// that this pid has started after ourself
func GetProcessStartTime(pid int) (string, error) {
@@ -41,3 +77,26 @@ func parseStartTime(stat string) (string, error) {
parts := strings.Split(strings.TrimSpace(s[len(s)-1]), " ")
return parts[22-3], nil // starts at 3 (after the filename pos `2`)
}
+
+func GetProcessState(pid int) (State, error) {
+ data, err := ioutil.ReadFile(filepath.Join("/proc", strconv.Itoa(pid), "stat"))
+ if err != nil {
+ return State(0), err
+ }
+ return parseState(string(data))
+
+}
+
+func parseState(data string) (State, error) {
+ i := strings.LastIndex(data, ")")
+ if i <= 2 || i >= len(data)-3 {
+ return State(0), fmt.Errorf("invalid stat data: %q", data)
+ }
+
+ parts := strings.Split(data[i+2:], " ")
+
+ var state int
+ fmt.Sscanf(parts[3-3], "%c", &state)
+ stateStr := State(state)
+ return stateStr, nil
+}
--
2.7.4.3

33
patch/0051-runc-Return-from-goroutine-when-it-should-t.patch
View File

@ -1,33 +0,0 @@
From df24ec79d3a69e9deab962eacc8ecbd46b0aefd9 Mon Sep 17 00:00:00 2001
From: Ed King <eking@pivotal.io>
Date: Tue, 23 Jan 2018 10:46:31 +0000
Subject: [PATCH 51/94] runc: Return from goroutine when it should
terminate
[Changelog]: This is cherry-picked from runc upstream:
https://github.com/opencontainers/runc/pull/1698
[Author]:Shukui Yang
Change-Id: Ie99f80c1fb5912d99dd7426b47f93e9f5a6efb23
Signed-off-by: Craig Furman <cfurman@pivotal.io>
Signed-off-by: dengguangxing <dengguangxing@huawei.com>
---
libcontainer/container_linux.go | 1 +
1 file changed, 1 insertion(+)
diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
index 278f597..50fe657 100644
--- a/libcontainer/container_linux.go
+++ b/libcontainer/container_linux.go
@@ -295,6 +295,7 @@ func awaitFifoOpen(path string) <-chan openResult {
f, err := os.OpenFile(path, os.O_RDONLY, 0)
if err != nil {
fifoOpened <- openResult{err: newSystemErrorWithCause(err, "open exec fifo for reading")}
+ return
}
fifoOpened <- openResult{file: f}
}()
--
2.7.4.3

32
patch/0052-runc-reduce-max-number-of-retries-to-10.patch
View File

@ -1,32 +0,0 @@
From c8b74f1b809d8fbf1ba2dc74c069e03d9e95be71 Mon Sep 17 00:00:00 2001
From: liruilin4 <liruilin4@huawei.com>
Date: Mon, 9 Jul 2018 12:02:33 +0800
Subject: [PATCH 52/94] runc: reduce max number of retries to 10
[Changelog]:when killing containers in D state, now runc will do
100 retries, which leads that containerd blocks for 10 seconds.
[Author]:Ruilin Li
Change-Id: I1e08ef23ad065f5e3b88506726530187d2ccc797
---
delete.go | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/delete.go b/delete.go
index b43dcaa..a2b14f3 100644
--- a/delete.go
+++ b/delete.go
@@ -14,8 +14,8 @@ import (
)
func killContainer(container libcontainer.Container) error {
- _ = container.Signal(syscall.SIGKILL, false)
- for i := 0; i < 100; i++ {
+ container.Signal(syscall.SIGKILL, false)
+ for i := 0; i < 10; i++ {
time.Sleep(100 * time.Millisecond)
if err := container.Signal(syscall.Signal(0), false); err != nil {
destroy(container)
--
2.7.4.3

36
patch/0053-runc-print-error-message-during-start-into-co.patch
View File

@ -1,36 +0,0 @@
From 165870fb442ca29a208a3d17f8ece6b8e74da2de Mon Sep 17 00:00:00 2001
From: panwenxiang <panwenxiang@huawei.com>
Date: Wed, 22 Aug 2018 17:04:19 +0800
Subject: [PATCH 53/94] runc: print error message during start into
container log
[Changelog]:cherry-pick from vtwrse <75eba7a697edde39e25e39c870a33f3dc5fb327a>
Change-Id: Id23f14690d77a4f79611e82f4e2ece41d9b19edf
Signed-off-by: jiangpengfei9 <jiangpengfei9@huawei.com>
---
main_unix.go | 2 ++
1 file changed, 2 insertions(+)
diff --git a/main_unix.go b/main_unix.go
index b601abc..56904e0 100644
--- a/main_unix.go
+++ b/main_unix.go
@@ -3,6 +3,7 @@
package main
import (
+ "fmt"
"os"
"runtime"
@@ -24,6 +25,7 @@ var initCommand = cli.Command{
Action: func(context *cli.Context) error {
factory, _ := libcontainer.New("")
if err := factory.StartInitialization(); err != nil {
+ fmt.Fprintf(os.Stderr, "libcontainer: container start initialization failed: %s", err)
// as the error is sent back to the parent there is no need to log
// or write it to stderr because the parent process will handle this
os.Exit(1)
--
2.7.4.3

31
patch/0054-runc-ignore-exec.fifo-removing-not-exist-erro.patch
View File

@ -1,31 +0,0 @@
From a119a29bc908bfd1385cbdcee4cc800e2b022b09 Mon Sep 17 00:00:00 2001
From: panwenxiang <panwenxiang@huawei.com>
Date: Wed, 22 Aug 2018 17:06:01 +0800
Subject: [PATCH 54/94] runc: ignore exec.fifo removing not exist error
[Changelog]:cherry-pick from vtwrse <4af7ee1635962fe3bd86ac87064fdcd7e60c1135>
Change-Id: I34a30672fb92c974965b3a53cfb8ccc75932e6d8
Signed-off-by: jiangpengfei9 <jiangpengfei9@huawei.com>
---
libcontainer/container_linux.go | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
index 50fe657..502a274 100644
--- a/libcontainer/container_linux.go
+++ b/libcontainer/container_linux.go
@@ -255,7 +255,10 @@ func (c *linuxContainer) exec() error {
if err := readFromExecFifo(f); err != nil {
return err
}
- return os.Remove(path)
+ if err := os.Remove(path); !os.IsNotExist(err) {
+ return err
+ }
+ return nil
}
}
--
2.7.4.3

246
patch/0055-Add-file-fds-limit.patch
View File

@ -1,246 +0,0 @@
From fdf82f9b9bac43cac5672226750c826e742559ce Mon Sep 17 00:00:00 2001
From: yangshukui <yangshukui@huawei.com>
Date: Mon, 18 Sep 2017 17:25:30 +0800
Subject: [PATCH 55/94] Add file fds limit
With the patch(https://lwn.net/Articles/604129/),we can limit the
num of open files in container.
Conflicts:
events.go
vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
Change-Id: I8264c0dd398227ebbd95b7dd9dae4688d76dee9b
Signed-off-by: yangshukui <yangshukui@huawei.com>
---
events.go | 9 +++
libcontainer/cgroups/fs/apply_raw.go | 1 +
libcontainer/cgroups/fs/files.go | 74 ++++++++++++++++++++++
libcontainer/cgroups/stats.go | 8 +++
libcontainer/cgroups/systemd/apply_systemd.go | 1 +
libcontainer/configs/cgroup_unix.go | 3 +
libcontainer/specconv/spec_linux.go | 3 +
.../opencontainers/runtime-spec/specs-go/config.go | 8 +++
8 files changed, 107 insertions(+)
create mode 100644 libcontainer/cgroups/fs/files.go
diff --git a/events.go b/events.go
index 6c21e52..79a72bf 100644
--- a/events.go
+++ b/events.go
@@ -27,6 +27,7 @@ type stats struct {
CPU cpu `json:"cpu"`
Memory memory `json:"memory"`
Pids pids `json:"pids"`
+ Files files `json:"files"`
Blkio blkio `json:"blkio"`
Hugetlb map[string]hugetlb `json:"hugetlb"`
}
@@ -60,6 +61,11 @@ type pids struct {
Limit uint64 `json:"limit,omitempty"`
}
+type files struct {
+ Usage uint64 `json:"usage,omitempty"`
+ Limit uint64 `json:"limit,omitempty"`
+}
+
type throttling struct {
Periods uint64 `json:"periods,omitempty"`
ThrottledPeriods uint64 `json:"throttledPeriods,omitempty"`
@@ -198,6 +204,9 @@ func convertLibcontainerStats(ls *libcontainer.Stats) *stats {
s.Pids.Current = cg.PidsStats.Current
s.Pids.Limit = cg.PidsStats.Limit
+ s.Files.Usage = cg.FilesStats.Usage
+ s.Files.Limit = cg.FilesStats.Limit
+
s.CPU.Usage.Kernel = cg.CpuStats.CpuUsage.UsageInKernelmode
s.CPU.Usage.User = cg.CpuStats.CpuUsage.UsageInUsermode
s.CPU.Usage.Total = cg.CpuStats.CpuUsage.TotalUsage
diff --git a/libcontainer/cgroups/fs/apply_raw.go b/libcontainer/cgroups/fs/apply_raw.go
index 66debae..1bf59a4 100644
--- a/libcontainer/cgroups/fs/apply_raw.go
+++ b/libcontainer/cgroups/fs/apply_raw.go
@@ -24,6 +24,7 @@ var (
&CpuGroup{},
&CpuacctGroup{},
&PidsGroup{},
+ &FilesGroup{},
&BlkioGroup{},
&HugetlbGroup{},
&NetClsGroup{},
diff --git a/libcontainer/cgroups/fs/files.go b/libcontainer/cgroups/fs/files.go
new file mode 100644
index 0000000..f2e253a
--- /dev/null
+++ b/libcontainer/cgroups/fs/files.go
@@ -0,0 +1,74 @@
+// +build linux
+
+package fs
+
+import (
+ "fmt"
+ "io/ioutil"
+ "strconv"
+
+ "github.com/opencontainers/runc/libcontainer/cgroups"
+ "github.com/opencontainers/runc/libcontainer/configs"
+)
+
+var (
+ defaultFilesMax = "8192"
+)
+
+type FilesGroup struct {
+}
+
+func init() {
+ contents, err := ioutil.ReadFile("/proc/sys/fs/file-max")
+ if err != nil {
+ return
+ }
+ defaultFilesMax = string(contents)
+}
+
+func (s *FilesGroup) Name() string {
+ return "files"
+}
+
+func (s *FilesGroup) Apply(d *cgroupData) error {
+ _, err := d.join("files")
+ if err != nil && !cgroups.IsNotFound(err) {
+ return err
+ }
+ return nil
+}
+
+func (s *FilesGroup) Set(path string, cgroup *configs.Cgroup) error {
+ if cgroup.Resources.FilesLimit != 0 {
+ limit := defaultFilesMax
+ if cgroup.Resources.FilesLimit > 0 {
+ limit = strconv.FormatInt(cgroup.Resources.FilesLimit, 10)
+ }
+
+ if err := writeFile(path, "files.limit", limit); err != nil {
+ return err
+ }
+ }
+
+ return nil
+}
+
+func (s *FilesGroup) Remove(d *cgroupData) error {
+ return removePath(d.path("files"))
+}
+
+func (s *FilesGroup) GetStats(path string, stats *cgroups.Stats) error {
+ usage, err := getCgroupParamUint(path, "files.usage")
+ if err != nil {
+ return fmt.Errorf("failed to parse files.usage - %s", err)
+ }
+
+ limit, err := getCgroupParamUint(path, "files.limit")
+ if err != nil {
+ return fmt.Errorf("failed to parse files.limit - %s", err)
+ }
+
+ stats.FilesStats.Usage = usage
+ stats.FilesStats.Limit = limit
+ return nil
+}
diff --git a/libcontainer/cgroups/stats.go b/libcontainer/cgroups/stats.go
index b483f1b..5079410 100644
--- a/libcontainer/cgroups/stats.go
+++ b/libcontainer/cgroups/stats.go
@@ -62,6 +62,13 @@ type PidsStats struct {
Limit uint64 `json:"limit,omitempty"`
}
+type FilesStats struct {
+ // number of pids in the cgroup
+ Usage uint64 `json:"usage,omitempty"`
+ // active pids hard limit
+ Limit uint64 `json:"limit,omitempty"`
+}
+
type BlkioStatEntry struct {
Major uint64 `json:"major,omitempty"`
Minor uint64 `json:"minor,omitempty"`
@@ -94,6 +101,7 @@ type Stats struct {
CpuStats CpuStats `json:"cpu_stats,omitempty"`
MemoryStats MemoryStats `json:"memory_stats,omitempty"`
PidsStats PidsStats `json:"pids_stats,omitempty"`
+ FilesStats FilesStats `json:"files_stats,omitempty"`
BlkioStats BlkioStats `json:"blkio_stats,omitempty"`
// the map is in the format "size of hugepage: stats of the hugepage"
HugetlbStats map[string]HugetlbStats `json:"hugetlb_stats,omitempty"`
diff --git a/libcontainer/cgroups/systemd/apply_systemd.go b/libcontainer/cgroups/systemd/apply_systemd.go
index 456c57d..0411b72 100644
--- a/libcontainer/cgroups/systemd/apply_systemd.go
+++ b/libcontainer/cgroups/systemd/apply_systemd.go
@@ -54,6 +54,7 @@ var subsystems = subsystemSet{
&fs.CpuGroup{},
&fs.CpuacctGroup{},
&fs.PidsGroup{},
+ &fs.FilesGroup{},
&fs.BlkioGroup{},
&fs.HugetlbGroup{},
&fs.PerfEventGroup{},
diff --git a/libcontainer/configs/cgroup_unix.go b/libcontainer/configs/cgroup_unix.go
index 75a3db0..acf0562 100644
--- a/libcontainer/configs/cgroup_unix.go
+++ b/libcontainer/configs/cgroup_unix.go
@@ -89,6 +89,9 @@ type Resources struct {
// Process limit; set <= `0' to disable limit.
PidsLimit int64 `json:"pids_limit"`
+ // Process open files limit.
+ FilesLimit int64 `json:"files_limit"`
+
// Specifies per cgroup weight, range is from 10 to 1000.
BlkioWeight uint16 `json:"blkio_weight"`
diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go
index a968313..b82082e 100644
--- a/libcontainer/specconv/spec_linux.go
+++ b/libcontainer/specconv/spec_linux.go
@@ -403,6 +403,9 @@ func createCgroupConfig(opts *CreateOpts) (*configs.Cgroup, error) {
if r.Pids != nil {
c.Resources.PidsLimit = r.Pids.Limit
}
+ if r.Files != nil && r.Files.Limit != nil {
+ c.Resources.FilesLimit = *r.Files.Limit
+ }
if r.BlockIO != nil {
if r.BlockIO.Weight != nil {
c.Resources.BlkioWeight = *r.BlockIO.Weight
diff --git a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go b/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
index 6d2a026..603ecf4 100644
--- a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
+++ b/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
@@ -318,6 +318,12 @@ type LinuxPids struct {
Limit int64 `json:"limit"`
}
+// Files for Linux cgroup 'files' resource management (https://lwn.net/Articles/604129/)
+type Files struct {
+ // Maximum number of open files".
+ Limit *int64 `json:"limit,omitempty"`
+}
+
// LinuxNetwork identification and priority configuration
type LinuxNetwork struct {
// Set class identifier for container's network packets
@@ -340,6 +346,8 @@ type LinuxResources struct {
CPU *LinuxCPU `json:"cpu,omitempty"`
// Task resource restriction configuration.
Pids *LinuxPids `json:"pids,omitempty"`
+ // Files resource restriction configuration.
+ Files *Files `json:"files,omitempty"`
// BlockIO restriction configuration
BlockIO *LinuxBlockIO `json:"blockIO,omitempty"`
// Hugetlb limit (in bytes)
--
2.7.4.3

61
patch/0056-runc-Modify-max-files.limit-to-max-because-of.patch
View File

@ -1,61 +0,0 @@
From 0a5b23584d79bba18429905c43774bc50a117b4b Mon Sep 17 00:00:00 2001
From: yangshukui <yangshukui@huawei.com>
Date: Sat, 4 Nov 2017 14:55:40 +0800
Subject: [PATCH 56/94] runc: Modify max files.limit to max because of
the change of kernel.
[Changelog]: Kernel has change max files.limit to max,So docker need
change too.
Change-Id: Iea6e5eb1dddf0f8d2d55ee3182ed78957cb09a75
Signed-off-by: yangshukui <yangshukui@huawei.com>
---
libcontainer/cgroups/fs/files.go | 16 ++--------------
1 file changed, 2 insertions(+), 14 deletions(-)
diff --git a/libcontainer/cgroups/fs/files.go b/libcontainer/cgroups/fs/files.go
index f2e253a..3214a82 100644
--- a/libcontainer/cgroups/fs/files.go
+++ b/libcontainer/cgroups/fs/files.go
@@ -4,28 +4,15 @@ package fs
import (
"fmt"
- "io/ioutil"
"strconv"
"github.com/opencontainers/runc/libcontainer/cgroups"
"github.com/opencontainers/runc/libcontainer/configs"
)
-var (
- defaultFilesMax = "8192"
-)
-
type FilesGroup struct {
}
-func init() {
- contents, err := ioutil.ReadFile("/proc/sys/fs/file-max")
- if err != nil {
- return
- }
- defaultFilesMax = string(contents)
-}
-
func (s *FilesGroup) Name() string {
return "files"
}
@@ -40,7 +27,8 @@ func (s *FilesGroup) Apply(d *cgroupData) error {
func (s *FilesGroup) Set(path string, cgroup *configs.Cgroup) error {
if cgroup.Resources.FilesLimit != 0 {
- limit := defaultFilesMax
+ // "max" is the fallback value.
+ limit := "max"
if cgroup.Resources.FilesLimit > 0 {
limit = strconv.FormatInt(cgroup.Resources.FilesLimit, 10)
}
--
2.7.4.3

55
patch/0057-runc-change-read-value-of-cgroup-files.limit-.patch
View File

@ -1,55 +0,0 @@
From aff98c05dbaf30fec52a0afed19ebf4a03303d63 Mon Sep 17 00:00:00 2001
From: caihaomin <caihaomin@huawei.com>
Date: Mon, 6 Nov 2017 01:43:45 +0000
Subject: [PATCH 57/94] runc: change read value of cgroup files.limit
into string
[Changelog]:change read value of cgroup files.limit from int to string.
For avoiding of value `max`
[Author]git
Change-Id: Iec6197528b1aebb13a0ea64ba919a7b4c6f31d61
Signed-off-by: caihaomin <caihaomin@huawei.com>
---
libcontainer/cgroups/fs/files.go | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/libcontainer/cgroups/fs/files.go b/libcontainer/cgroups/fs/files.go
index 3214a82..70e9524 100644
--- a/libcontainer/cgroups/fs/files.go
+++ b/libcontainer/cgroups/fs/files.go
@@ -8,6 +8,7 @@ import (
"github.com/opencontainers/runc/libcontainer/cgroups"
"github.com/opencontainers/runc/libcontainer/configs"
+ "path/filepath"
)
type FilesGroup struct {
@@ -51,12 +52,21 @@ func (s *FilesGroup) GetStats(path string, stats *cgroups.Stats) error {
return fmt.Errorf("failed to parse files.usage - %s", err)
}
- limit, err := getCgroupParamUint(path, "files.limit")
+ maxString, err := getCgroupParamString(path, "files.limit")
if err != nil {
return fmt.Errorf("failed to parse files.limit - %s", err)
}
+ // Default if files.limit == "max" is 0 -- which represents "no limit".
+ var max uint64
+ if maxString != "max" {
+ max, err = parseUint(maxString, 10, 64)
+ if err != nil {
+ return fmt.Errorf("failed to parse files.limit -- unable to parse %q as a uint from Cgroup file %q", maxString, filepath.Join(path, "file.limits"))
+ }
+ }
+
stats.FilesStats.Usage = usage
- stats.FilesStats.Limit = limit
+ stats.FilesStats.Limit = max
return nil
}
--
2.7.4.3

194
patch/0058-runc-fix-panic-when-Linux-is-nil.patch
View File

@ -1,194 +0,0 @@
From 20e119ab64e02e627671957bbfa445b988cc8687 Mon Sep 17 00:00:00 2001
From: dengguangxing <dengguangxing@huawei.com>
Date: Wed, 16 May 2018 15:50:27 +0800
Subject: [PATCH 58/94] runc: fix panic when Linux is nil
[Changelog]: Linux is not always not nil.
If Linux is nil, panic will occur.
This is cherry-picked from runc upstream:
https://github.com/opencontainers/runc/pull/1551
[Author]:Shukui Yang
Conflicts:
libcontainer/specconv/spec_linux.go
Change-Id: Ib3bf9e80852dc079ab2d42a8234297397f3c56d9
Signed-off-by: Ma Shimiao <mashimiao.fnst@cn.fujitsu.com>
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Signed-off-by: dengguangxing <dengguangxing@huawei.com>
---
libcontainer/specconv/spec_linux.go | 121 +++++++++++++++++++-----------------
1 file changed, 65 insertions(+), 56 deletions(-)
diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go
index b82082e..a8cf114 100644
--- a/libcontainer/specconv/spec_linux.go
+++ b/libcontainer/specconv/spec_linux.go
@@ -180,20 +180,6 @@ func CreateLibcontainerConfig(opts *CreateOpts) (*configs.Config, error) {
}
exists := false
- if config.RootPropagation, exists = mountPropagationMapping[spec.Linux.RootfsPropagation]; !exists {
- return nil, fmt.Errorf("rootfsPropagation=%v is not supported", spec.Linux.RootfsPropagation)
- }
-
- for _, ns := range spec.Linux.Namespaces {
- t, exists := namespaceMapping[ns.Type]
- if !exists {
- return nil, fmt.Errorf("namespace %q does not exist", ns)
- }
- if config.Namespaces.Contains(t) {
- return nil, fmt.Errorf("malformed spec file: duplicated ns %q", ns)
- }
- config.Namespaces.Add(t, ns.Path)
- }
if config.Namespaces.Contains(configs.NEWNET) && config.Namespaces.PathOf(configs.NEWNET) == "" {
config.Networks = []*configs.Network{
{
@@ -215,15 +201,35 @@ func CreateLibcontainerConfig(opts *CreateOpts) (*configs.Config, error) {
return nil, err
}
config.Cgroups = c
- // set extra path masking for libcontainer for the various unsafe places in proc
- config.MaskPaths = spec.Linux.MaskedPaths
- config.ReadonlyPaths = spec.Linux.ReadonlyPaths
- if spec.Linux.Seccomp != nil {
- seccomp, err := setupSeccomp(spec.Linux.Seccomp)
- if err != nil {
- return nil, err
+ // set linux-specific config
+ if spec.Linux != nil {
+ if config.RootPropagation, exists = mountPropagationMapping[spec.Linux.RootfsPropagation]; !exists {
+ return nil, fmt.Errorf("rootfsPropagation=%v is not supported", spec.Linux.RootfsPropagation)
+ }
+
+ for _, ns := range spec.Linux.Namespaces {
+ t, exists := namespaceMapping[ns.Type]
+ if !exists {
+ return nil, fmt.Errorf("namespace %q does not exist", ns)
+ }
+ if config.Namespaces.Contains(t) {
+ return nil, fmt.Errorf("malformed spec file: duplicated ns %q", ns)
+ }
+ config.Namespaces.Add(t, ns.Path)
+ }
+
+ // set extra path masking for libcontainer for the various unsafe places in proc
+ config.MaskPaths = spec.Linux.MaskedPaths
+ config.ReadonlyPaths = spec.Linux.ReadonlyPaths
+ config.MountLabel = spec.Linux.MountLabel
+ config.Sysctl = spec.Linux.Sysctl
+ if spec.Linux.Seccomp != nil {
+ seccomp, err := setupSeccomp(spec.Linux.Seccomp)
+ if err != nil {
+ return nil, err
+ }
+ config.Seccomp = seccomp
}
- config.Seccomp = seccomp
}
if spec.Process.SelinuxLabel != "" {
config.ProcessLabel = spec.Process.SelinuxLabel
@@ -242,7 +248,6 @@ func CreateLibcontainerConfig(opts *CreateOpts) (*configs.Config, error) {
}
}
createHooks(spec, config)
- config.MountLabel = spec.Linux.MountLabel
config.Version = specs.Version
return config, nil
}
@@ -565,41 +570,40 @@ func createDevices(spec *specs.Spec, config *configs.Config) error {
},
}
// merge in additional devices from the spec
- for _, d := range spec.Linux.Devices {
- var uid, gid uint32
- var filemode os.FileMode = 0666
+ if spec.Linux != nil {
+ for _, d := range spec.Linux.Devices {
+ var uid, gid uint32
+ var filemode os.FileMode = 0666
- if d.UID != nil {
- uid = *d.UID
- }
- if d.GID != nil {
- gid = *d.GID
- }
- dt, err := stringToDeviceRune(d.Type)
- if err != nil {
- return err
- }
- if d.FileMode != nil {
- filemode = *d.FileMode
- }
- device := &configs.Device{
- Type: dt,
- Path: d.Path,
- Major: d.Major,
- Minor: d.Minor,
- FileMode: filemode,
- Uid: uid,
- Gid: gid,
+ if d.UID != nil {
+ uid = *d.UID
+ }
+ if d.GID != nil {
+ gid = *d.GID
+ }
+ dt, err := stringToDeviceRune(d.Type)
+ if err != nil {
+ return err
+ }
+ if d.FileMode != nil {
+ filemode = *d.FileMode
+ }
+ device := &configs.Device{
+ Type: dt,
+ Path: d.Path,
+ Major: d.Major,
+ Minor: d.Minor,
+ FileMode: filemode,
+ Uid: uid,
+ Gid: gid,
+ }
+ config.Devices = append(config.Devices, device)
}
- config.Devices = append(config.Devices, device)
}
return nil
}
func setupUserNamespace(spec *specs.Spec, config *configs.Config) error {
- if len(spec.Linux.UIDMappings) == 0 {
- return nil
- }
create := func(m specs.LinuxIDMapping) configs.IDMap {
return configs.IDMap{
HostID: int(m.HostID),
@@ -607,11 +611,16 @@ func setupUserNamespace(spec *specs.Spec, config *configs.Config) error {
Size: int(m.Size),
}
}
- for _, m := range spec.Linux.UIDMappings {
- config.UidMappings = append(config.UidMappings, create(m))
- }
- for _, m := range spec.Linux.GIDMappings {
- config.GidMappings = append(config.GidMappings, create(m))
+ if spec.Linux != nil {
+ if len(spec.Linux.UIDMappings) == 0 {
+ return nil
+ }
+ for _, m := range spec.Linux.UIDMappings {
+ config.UidMappings = append(config.UidMappings, create(m))
+ }
+ for _, m := range spec.Linux.GIDMappings {
+ config.GidMappings = append(config.GidMappings, create(m))
+ }
}
rootUID, err := config.HostRootUID()
if err != nil {
--
2.7.4.3

59
patch/0059-Fix-setup-cgroup-before-prestart-hook.patch
View File

@ -1,59 +0,0 @@
From 394c8695f22731938994fdc5d7db678762119481 Mon Sep 17 00:00:00 2001
From: Wentao Zhang <zhangwentao234@huawei.com>
Date: Tue, 20 Dec 2016 06:21:10 -0500
Subject: [PATCH 59/94] Fix setup cgroup before prestart hook
* User Case:
User could use prestart hook to add block devices to container. so the
hook should have a way to set the permissions of the devices.
Just move cgroup config operation before prestart hook will work.
Conflicts:
libcontainer/process_linux.go
Change-Id: I991138f4e686c4268e0629204ce1eae6452fdecf
Signed-off-by: Wentao Zhang <zhangwentao234@huawei.com>
---
libcontainer/process_linux.go | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/libcontainer/process_linux.go b/libcontainer/process_linux.go
index 9064c0e..70e93de 100644
--- a/libcontainer/process_linux.go
+++ b/libcontainer/process_linux.go
@@ -286,9 +286,6 @@ func (p *initProcess) start() error {
ierr := parseSync(p.parentPipe, func(sync *syncT) error {
switch sync.Type {
case procReady:
- if err := p.manager.Set(p.config.Config); err != nil {
- return newSystemErrorWithCause(err, "setting cgroup config for ready process")
- }
// set rlimits, this has to be done here because we lose permissions
// to raise the limits once we enter a user-namespace
if err := setupRlimits(p.config.Rlimits, p.pid()); err != nil {
@@ -296,6 +293,11 @@ func (p *initProcess) start() error {
}
// call prestart hooks
if !p.config.Config.Namespaces.Contains(configs.NEWNS) {
+ // Setup cgroup before prestart hook, so that the prestart hook could apply cgroup permissions.
+ if err := p.manager.Set(p.config.Config); err != nil {
+ return newSystemErrorWithCause(err, "setting cgroup config for ready process")
+ }
+
if p.config.Config.Hooks != nil {
s := configs.HookState{
SpecState: configs.SpecState{
@@ -321,6 +323,10 @@ func (p *initProcess) start() error {
}
sentRun = true
case procHooks:
+ // Setup cgroup before prestart hook, so that the prestart hook could apply cgroup permissions.
+ if err := p.manager.Set(p.config.Config); err != nil {
+ return newSystemErrorWithCause(err, "setting cgroup config for ready process")
+ }
if p.config.Config.Hooks != nil {
s := configs.HookState{
SpecState: configs.SpecState{
--
2.7.4.3

39
patch/0061-runc-17-change-golang-build-version-to-make-o.patch
View File

@ -1,39 +0,0 @@
From 6e457e14dcf0960926109c2f89766e893f79b5da Mon Sep 17 00:00:00 2001
From: caihaomin <caihaomin@huawei.com>
Date: Wed, 24 Oct 2018 14:56:01 +0800
Subject: [PATCH 61/94] runc-17: change golang build version to make
obs happy
reason:change golang build version to make obs happy
Change-Id: Ie4b210056b34611bfb37aa6ea8510540f2c79305
Signed-off-by: caihaomin <caihaomin@huawei.com>
---
script/runc-euleros.spec | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/script/runc-euleros.spec b/script/runc-euleros.spec
index 5318ec2..048ea86 100644
--- a/script/runc-euleros.spec
+++ b/script/runc-euleros.spec
@@ -2,7 +2,7 @@
Name: docker-runc
Version: 1.0.0.rc3
-Release: 3%{?dist}
+Release: 4%{?dist}
Summary: runc is a CLI tool for spawning and running containers according to the OCF specification
License: ASL 2.0
@@ -12,7 +12,7 @@ URL: https://www.opencontainers.org/
Vendor: OCI
Packager: OCI
-BuildRequires: golang == 1.8.3
+BuildRequires: golang >= 1.8.3
BuildRequires: glibc-static
BuildRequires: make
BuildRequires: libseccomp-devel
--
2.7.4.3

47
patch/0062-runc-Check-the-hook-timeout-in-case-overflow.patch
View File

@ -1,47 +0,0 @@
From ccd2660d85f36695032ed075f8f669ccad17bfc3 Mon Sep 17 00:00:00 2001
From: panwenxiang <panwenxiang@huawei.com>
Date: Tue, 23 Oct 2018 16:43:20 +0800
Subject: [PATCH 62/94] runc: Check the hook timeout in case overflow
reason:the hook timeout is meaningless when more than 120s
Change-Id: Ibabf059bd9ba5e68b10189ae4e813d47dcec7ec5
---
libcontainer/configs/config.go | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/libcontainer/configs/config.go b/libcontainer/configs/config.go
index d6bc603..9049924 100644
--- a/libcontainer/configs/config.go
+++ b/libcontainer/configs/config.go
@@ -14,6 +14,7 @@ import (
const (
minHookTimeOut = 1 * time.Second
defaultHookTimeOut = 5 * time.Second
+ maxHookTimeOut = 120 * time.Second
//the runc default timeout is 120s, so set the defaultWarnTime to 80% of the default timeout.
defaultWarnTime = 96 * time.Second
)
@@ -355,6 +356,10 @@ func (c Command) Run(s HookState) error {
if c.Timeout != nil && *c.Timeout < minHookTimeOut {
*c.Timeout = defaultHookTimeOut
}
+ if c.Timeout != nil && *c.Timeout > maxHookTimeOut {
+ logrus.Warnf("hook timeout: %s is too long, ContainerID: %s", *c.Timeout, s.ID)
+ *c.Timeout = maxHookTimeOut
+ }
errC := make(chan error, 1)
var (
timerCh <-chan time.Time
@@ -382,7 +387,7 @@ func (c Command) Run(s HookState) error {
timer := time.NewTimer(*c.Timeout)
defer timer.Stop()
timerCh = timer.C
- warnTime = float64(*c.Timeout) * 0.8
+ warnTime = (*c.Timeout).Seconds() * 0.8
}
for {
select {
--
2.7.4.3

58
patch/0063-docker-close-openchan-immediately-to-avoid-er.patch
View File

@ -1,58 +0,0 @@
From 256b247e9fa9844c8e0760679411427d43b661c9 Mon Sep 17 00:00:00 2001
From: wangfengtu <wangfengtu@huawei.com>
Date: Wed, 5 Sep 2018 15:16:28 +0800
Subject: [PATCH 63/94] docker: close openchan immediately to avoid
error
reason: close openchan immediately to avoid error
Change-Id: I20664570518ea424088a4eb6a5aac3d38ac08449
Signed-off-by: wangfengtu <wangfengtu@huawei.com>
---
libcontainer/container_linux.go | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
index ba5dcd6..61ffb76 100644
--- a/libcontainer/container_linux.go
+++ b/libcontainer/container_linux.go
@@ -245,8 +245,7 @@ func (c *linuxContainer) exec() error {
select {
case <-awaitProcessExit(c.initProcess.pid(), fifoOpen):
return errors.New("container process is already dead")
- case result := <-awaitFifoOpen(path):
- close(fifoOpen)
+ case result := <-awaitFifoOpen(path, fifoOpen):
if result.err != nil {
return result.err
}
@@ -283,7 +282,12 @@ func awaitProcessExit(pid int, exit <-chan struct{}) <-chan struct{} {
case <-time.After(time.Millisecond * 100):
stat, err := system.GetProcessState(pid)
if err != nil || stat == system.Zombie {
- close(isDead)
+ select {
+ case <-exit:
+ return
+ default:
+ close(isDead)
+ }
return
}
}
@@ -292,10 +296,11 @@ func awaitProcessExit(pid int, exit <-chan struct{}) <-chan struct{} {
return isDead
}
-func awaitFifoOpen(path string) <-chan openResult {
+func awaitFifoOpen(path string, fifoOpen chan struct{}) <-chan openResult {
fifoOpened := make(chan openResult)
go func() {
f, err := os.OpenFile(path, os.O_RDONLY, 0)
+ close(fifoOpen)
if err != nil {
fifoOpened <- openResult{err: newSystemErrorWithCause(err, "open exec fifo for reading")}
return
--
2.7.4.3

30
patch/0064-runc-bump-to-v1.0.0.rc3.4-after-normalization.patch
View File

@ -1,30 +0,0 @@
From f7c4eae61c9d532ff9ea77aba147976d05235dba Mon Sep 17 00:00:00 2001
From: lujingxiao <lujingxiao@huawei.com>
Date: Tue, 30 Oct 2018 15:24:47 +0800
Subject: [PATCH 64/94] runc: bump to v1.0.0.rc3.4 after normalization
reason:bump version to v1.0.0.rc3.4 after making runc and
runc-17 into one project
Change-Id: I9045945c81f9b21aff53659dac98b4461dea4199
Signed-off-by: lujingxiao <lujingxiao@huawei.com>
---
script/runc-euleros.spec | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/script/runc-euleros.spec b/script/runc-euleros.spec
index 048ea86..0ba07be 100644
--- a/script/runc-euleros.spec
+++ b/script/runc-euleros.spec
@@ -2,7 +2,7 @@
Name: docker-runc
Version: 1.0.0.rc3
-Release: 4%{?dist}
+Release: 5%{?dist}
Summary: runc is a CLI tool for spawning and running containers according to the OCF specification
License: ASL 2.0
--
2.7.4.3

94
patch/0065-runc-support-namespaced-kernel-params-can-be-.patch
View File

@ -1,94 +0,0 @@
From c5f152a9dc851e0297f63a73c3e59890da135352 Mon Sep 17 00:00:00 2001
From: zhangsong34 <zhangsong34@huawei.com>
Date: Fri, 19 Oct 2018 10:53:33 +0800
Subject: [PATCH 65/94] runc: support namespaced kernel params can be
changed in system container
reason:support namespaced kernel files can be written in container,
when docker run a system container specify '--ns-change-opt' param,
net or ipc namespaced kernel params can be changed in this container.
Conflicts:
libcontainer/rootfs_linux.go
script/runc-euleros.spec
Change-Id: I051b274117abd9745a27577e14a23c906ff7cca3
Signed-off-by: jingrui <jingrui@huawei.com>
---
libcontainer/rootfs_linux.go | 26 ++++++++++++++++++++++++++
libcontainer/standard_init_linux.go | 8 ++++++++
2 files changed, 34 insertions(+)
diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
index 7cf5edd..38bdd1b 100644
--- a/libcontainer/rootfs_linux.go
+++ b/libcontainer/rootfs_linux.go
@@ -160,6 +160,9 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string) error {
switch m.Device {
case "proc", "sysfs":
+ if strings.HasPrefix(m.Destination, "/proc/sys/") {
+ return nil
+ }
if err := os.MkdirAll(dest, 0755); err != nil {
return err
}
@@ -729,6 +732,29 @@ func readonlyPath(path string) error {
return syscall.Mount(path, path, "", syscall.MS_BIND|syscall.MS_REMOUNT|syscall.MS_RDONLY|syscall.MS_REC, "")
}
+// remountReadWrite will bind over the top of an existing path and ensure that it is read-write.
+func remountReadWrite(path string) error {
+ for i := 0; i < 5; i++ {
+ if err := syscall.Mount("", path, "", syscall.MS_REMOUNT, ""); err != nil && !os.IsNotExist(err) {
+ switch err {
+ case syscall.EINVAL:
+ // Probably not a mountpoint, use bind-mount
+ if err := syscall.Mount(path, path, "", syscall.MS_BIND, ""); err != nil {
+ return err
+ }
+ return syscall.Mount(path, path, "", syscall.MS_BIND|syscall.MS_REMOUNT|syscall.MS_REC|defaultMountFlags, "")
+ case syscall.EBUSY:
+ time.Sleep(100 * time.Millisecond)
+ continue
+ default:
+ return err
+ }
+ }
+ return nil
+ }
+ return fmt.Errorf("unable to mount %s as readwrite max retries reached", path)
+}
+
// remountReadonly will remount an existing mount point and ensure that it is read-only.
func remountReadonly(m *configs.Mount) error {
var (
diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
index 484ba42..18506af 100644
--- a/libcontainer/standard_init_linux.go
+++ b/libcontainer/standard_init_linux.go
@@ -6,6 +6,7 @@ import (
"fmt"
"os"
"os/exec"
+ "strings"
"syscall"
"time"
@@ -117,6 +118,13 @@ func (l *linuxStandardInit) Init() error {
return err
}
}
+ for _, m := range l.config.Config.Mounts {
+ if m.Flags&syscall.MS_RDONLY == 0 && m.Device == "proc" && strings.HasPrefix(m.Destination, "/proc/sys/") {
+ if err := remountReadWrite(m.Destination); err != nil {
+ return err
+ }
+ }
+ }
for _, path := range l.config.Config.MaskPaths {
if err := maskPath(path); err != nil {
return err
--
2.7.4.3

29
patch/0066-runc-bump-to-v1.0.0.rc3.6.patch
View File

@ -1,29 +0,0 @@
From c8e1e988fa6509070411c7dbab50edb40092aaf9 Mon Sep 17 00:00:00 2001
From: jingrui <jingrui@huawei.com>
Date: Sat, 23 Feb 2019 14:13:49 +0800
Subject: [PATCH 66/94] runc: bump to v1.0.0.rc3.6
reason:bump version to v1.0.0.rc3.6
Change-Id: I79890c41c7934f96ee6e1d676450d7832cc90f73
Signed-off-by: jingrui <jingrui@huawei.com>
---
script/runc-euleros.spec | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/script/runc-euleros.spec b/script/runc-euleros.spec
index 0ba07be..08fceee 100644
--- a/script/runc-euleros.spec
+++ b/script/runc-euleros.spec
@@ -2,7 +2,7 @@
Name: docker-runc
Version: 1.0.0.rc3
-Release: 5%{?dist}
+Release: 6%{?dist}
Summary: runc is a CLI tool for spawning and running containers according to the OCF specification
License: ASL 2.0
--
2.7.4.3

137
patch/0067-runc-make-the-runc-log-more-useful.patch
View File

@ -1,137 +0,0 @@
From 6bc094ef27ebb55f22c5a1b63ab40a66bf73cc35 Mon Sep 17 00:00:00 2001
From: panwenxiang <panwenxiang@huawei.com>
Date: Sat, 3 Nov 2018 12:42:49 +0800
Subject: [PATCH 67/94] runc: make the runc log more useful.
reason:changed some log infomation.
Change-Id: Ib6cda4b8a0ef3a441c45f6c435fe11430f8eada8
Signed-off-by: panwenxiang <panwenxiang@huawei.com>
---
libcontainer/configs/config.go | 13 +++++++++----
libcontainer/container_linux.go | 1 -
libcontainer/process_linux.go | 4 +---
libcontainer/state_linux.go | 1 -
main.go | 2 +-
script/runc-euleros.spec | 2 +-
6 files changed, 12 insertions(+), 11 deletions(-)
diff --git a/libcontainer/configs/config.go b/libcontainer/configs/config.go
index 9049924..f8f9d05 100644
--- a/libcontainer/configs/config.go
+++ b/libcontainer/configs/config.go
@@ -12,7 +12,7 @@ import (
)
const (
- minHookTimeOut = 1 * time.Second
+ minHookTimeOut = 0
defaultHookTimeOut = 5 * time.Second
maxHookTimeOut = 120 * time.Second
//the runc default timeout is 120s, so set the defaultWarnTime to 80% of the default timeout.
@@ -353,11 +353,12 @@ func (c Command) Run(s HookState) error {
if err := cmd.Start(); err != nil {
return err
}
- if c.Timeout != nil && *c.Timeout < minHookTimeOut {
+ if c.Timeout != nil && *c.Timeout <= minHookTimeOut {
*c.Timeout = defaultHookTimeOut
+ logrus.Warnf("hook timeout should not be negative or zero, set hook timeout as 5s")
}
if c.Timeout != nil && *c.Timeout > maxHookTimeOut {
- logrus.Warnf("hook timeout: %s is too long, ContainerID: %s", *c.Timeout, s.ID)
+ logrus.Warnf("hook timeout: %s is too long, use 120s as timeout. ContainerID: %s", *c.Timeout, s.ID)
*c.Timeout = maxHookTimeOut
}
errC := make(chan error, 1)
@@ -398,7 +399,11 @@ func (c Command) Run(s HookState) error {
cmd.Wait()
return fmt.Errorf("hook ran past specified timeout of %.1fs", c.Timeout.Seconds())
case <-time.After(time.Duration(warnTime) * time.Second):
- logrus.Warnf("hook ran more than 80%% of the default timeout, ContainerID: %s", s.ID)
+ if c.Timeout != nil {
+ logrus.Warnf("hook ran more than 80%% of the timeout %s, ContainerID: %s", *c.Timeout, s.ID)
+ } else {
+ logrus.Warnf("hook ran more than 80%% of the default timeout 120s, ContainerID: %s", s.ID)
+ }
}
}
}
diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
index 61ffb76..8e0ad12 100644
--- a/libcontainer/container_linux.go
+++ b/libcontainer/container_linux.go
@@ -358,7 +358,6 @@ func (c *linuxContainer) start(process *Process, isInit bool) error {
}
return newSystemErrorWithCausef(err, "running poststart hook %d:%s, ContainerID: %s", i, hook.Info(), s.ID)
}
- logrus.Infof("poststart hook %d:%s done", i, hook.Info())
}
}
} else {
diff --git a/libcontainer/process_linux.go b/libcontainer/process_linux.go
index 79b1c4e..4a7321c 100644
--- a/libcontainer/process_linux.go
+++ b/libcontainer/process_linux.go
@@ -312,7 +312,6 @@ func (p *initProcess) start() error {
if err := hook.Run(s); err != nil {
return newSystemErrorWithCausef(err, "running prestart hook %d:%s, ContainerID: %s", i, hook.Info(), s.ID)
}
- logrus.Infof("prestart hook %d:%s done", i, hook.Info())
}
}
}
@@ -337,11 +336,10 @@ func (p *initProcess) start() error {
Root: p.config.Config.Rootfs,
}
for i, hook := range p.config.Config.Hooks.Prestart {
- logrus.Infof("run prestart hook %d:%s, ContainerID :%s", i, hook.Info(), s.ID)
+ logrus.Infof("run prestart hook %d:%s, ContainerID: %s", i, hook.Info(), s.ID)
if err := hook.Run(s); err != nil {
return newSystemErrorWithCausef(err, "running prestart hook %d:%s, ContainerID: %s", i, hook.Info(), s.ID)
}
- logrus.Infof("prestart hook %d:%s done", i, hook.Info())
}
}
// Sync with child.
diff --git a/libcontainer/state_linux.go b/libcontainer/state_linux.go
index 26e091b..6fa62c0 100644
--- a/libcontainer/state_linux.go
+++ b/libcontainer/state_linux.go
@@ -71,7 +71,6 @@ func runPoststopHooks(c *linuxContainer) error {
logrus.Errorf("running poststop hook %d: %s failed: %s", i, hook.Info(), err)
return newSystemErrorWithCausef(err, "running poststop hook %d:%s, ContainerID: %s", i, hook.Info(), s.ID)
}
- logrus.Infof("poststop hook %d:%s done", i, hook.Info())
}
}
return nil
diff --git a/main.go b/main.go
index f15a4ac..e55ff82 100644
--- a/main.go
+++ b/main.go
@@ -78,7 +78,7 @@ func main() {
},
cli.StringFlag{
Name: "log-level",
- Usage: "Set the logging level [debug, info, warn, error, fatal, panic]",
+ Usage: "set the logging level [debug, info, warn, error, fatal, panic]",
},
cli.StringFlag{
Name: "root",
diff --git a/script/runc-euleros.spec b/script/runc-euleros.spec
index 08fceee..e829cb9 100644
--- a/script/runc-euleros.spec
+++ b/script/runc-euleros.spec
@@ -2,7 +2,7 @@
Name: docker-runc
Version: 1.0.0.rc3
-Release: 6%{?dist}
+Release: 7%{?dist}
Summary: runc is a CLI tool for spawning and running containers according to the OCF specification
License: ASL 2.0
--
2.7.4.3

52
patch/0068-runc-reduced-the-same-log-when-the-hook-exect.patch
View File

@ -1,52 +0,0 @@
From 940d7088701fbfe6c2d636251490a1d28f90dbdc Mon Sep 17 00:00:00 2001
From: panwenxiang <panwenxiang@huawei.com>
Date: Thu, 8 Nov 2018 10:19:23 +0800
Subject: [PATCH 68/94] runc: reduced the same log when the hook
exected long time.
reason:runc would print a lot of same logs when the hook executed long time
Change-Id: I7d0b07cca68590c560580967f8d70143764f53d9
Signed-off-by: panwenxiang <panwenxiang@huawei.com>
---
libcontainer/configs/config.go | 3 ++-
script/runc-euleros.spec | 2 +-
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/libcontainer/configs/config.go b/libcontainer/configs/config.go
index f8f9d05..78a7d1d 100644
--- a/libcontainer/configs/config.go
+++ b/libcontainer/configs/config.go
@@ -390,6 +390,7 @@ func (c Command) Run(s HookState) error {
timerCh = timer.C
warnTime = (*c.Timeout).Seconds() * 0.8
}
+ timeAfter := time.After(time.Duration(warnTime) * time.Second)
for {
select {
case err := <-errC:
@@ -398,7 +399,7 @@ func (c Command) Run(s HookState) error {
cmd.Process.Kill()
cmd.Wait()
return fmt.Errorf("hook ran past specified timeout of %.1fs", c.Timeout.Seconds())
- case <-time.After(time.Duration(warnTime) * time.Second):
+ case <-timeAfter:
if c.Timeout != nil {
logrus.Warnf("hook ran more than 80%% of the timeout %s, ContainerID: %s", *c.Timeout, s.ID)
} else {
diff --git a/script/runc-euleros.spec b/script/runc-euleros.spec
index e829cb9..025b621 100644
--- a/script/runc-euleros.spec
+++ b/script/runc-euleros.spec
@@ -2,7 +2,7 @@
Name: docker-runc
Version: 1.0.0.rc3
-Release: 7%{?dist}
+Release: 8%{?dist}
Summary: runc is a CLI tool for spawning and running containers according to the OCF specification
License: ASL 2.0
--
2.7.4.3

92
patch/0069-runc-Change-Files-to-LinuxFiles-for-file-limi.patch
View File

@ -1,92 +0,0 @@
From 4b8a7b69792c22c1ee3abf3bee88af3590b144cb Mon Sep 17 00:00:00 2001
From: lujingxiao <lujingxiao@huawei.com>
Date: Thu, 8 Nov 2018 11:14:01 +0800
Subject: [PATCH 69/94] runc: Change Files to LinuxFiles for
--file-limit
reason: after runc-1.0.0.rc3, struct Files should be renamed
to LinuxFiles.
--file-limit related commits:
- 0c540de runc: change read value of cgroup files.limit into string
- fb2de87 runc: Modify max files.limit to max because of the
change of kernel.
- 5fc9474 Add file fds limit
all are already merged.
Change-Id: Ida75dd6a7ccd225f6ac851bf4a28ef77d5a3944f
Signed-off-by: lujingxiao <lujingxiao@huawei.com>
---
libcontainer/specconv/spec_linux.go | 4 ++--
script/runc-euleros.spec | 2 +-
vendor/github.com/opencontainers/runtime-spec/Checklist | 1 +
.../github.com/opencontainers/runtime-spec/specs-go/config.go | 10 +++++-----
4 files changed, 9 insertions(+), 8 deletions(-)
create mode 100644 vendor/github.com/opencontainers/runtime-spec/Checklist
diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go
index a8cf114..8ef9574 100644
--- a/libcontainer/specconv/spec_linux.go
+++ b/libcontainer/specconv/spec_linux.go
@@ -408,8 +408,8 @@ func createCgroupConfig(opts *CreateOpts) (*configs.Cgroup, error) {
if r.Pids != nil {
c.Resources.PidsLimit = r.Pids.Limit
}
- if r.Files != nil && r.Files.Limit != nil {
- c.Resources.FilesLimit = *r.Files.Limit
+ if r.Files != nil {
+ c.Resources.FilesLimit = r.Files.Limit
}
if r.BlockIO != nil {
if r.BlockIO.Weight != nil {
diff --git a/script/runc-euleros.spec b/script/runc-euleros.spec
index 025b621..19cdc42 100644
--- a/script/runc-euleros.spec
+++ b/script/runc-euleros.spec
@@ -2,7 +2,7 @@
Name: docker-runc
Version: 1.0.0.rc3
-Release: 8%{?dist}
+Release: 9%{?dist}
Summary: runc is a CLI tool for spawning and running containers according to the OCF specification
License: ASL 2.0
diff --git a/vendor/github.com/opencontainers/runtime-spec/Checklist b/vendor/github.com/opencontainers/runtime-spec/Checklist
new file mode 100644
index 0000000..be85bc8
--- /dev/null
+++ b/vendor/github.com/opencontainers/runtime-spec/Checklist
@@ -0,0 +1 @@
+Add struct LinuxFiles to vendor/src/github.com/opencontainers/runtime-spec/specs-go/config.go for supporting --files-limit
diff --git a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go b/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
index 603ecf4..fe3c5b6 100644
--- a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
+++ b/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
@@ -318,10 +318,10 @@ type LinuxPids struct {
Limit int64 `json:"limit"`
}
-// Files for Linux cgroup 'files' resource management (https://lwn.net/Articles/604129/)
-type Files struct {
- // Maximum number of open files".
- Limit *int64 `json:"limit,omitempty"`
+// LinuxFiles for Linux cgroup 'files' resource management (https://lwn.net/Articles/604129/)
+type LinuxFiles struct {
+ // Maximum number of open files. Default is "no limit".
+ Limit int64 `json:"limit,omitempty"`
}
// LinuxNetwork identification and priority configuration
@@ -347,7 +347,7 @@ type LinuxResources struct {
// Task resource restriction configuration.
Pids *LinuxPids `json:"pids,omitempty"`
// Files resource restriction configuration.
- Files *Files `json:"files,omitempty"`
+ Files *LinuxFiles `json:"files,omitempty"`
// BlockIO restriction configuration
BlockIO *LinuxBlockIO `json:"blockIO,omitempty"`
// Hugetlb limit (in bytes)
--
2.7.4.3

48
patch/0070-runc-not-print-no-such-file-when-cli-err.patch
View File

@ -1,48 +0,0 @@
From e0f78c86d05f7af62aef49c8c495f417d1bf7beb Mon Sep 17 00:00:00 2001
From: lujingxiao <lujingxiao@huawei.com>
Date: Fri, 9 Nov 2018 15:01:27 +0800
Subject: [PATCH 70/94] runc: not print "no such file" when cli err
reason: when container does not exists, runc will cannot find
state.json, so "state.json: no such file or directory" is expected.
but user may call runc command anytime, so we should not print such
log to syslog. Just return it with stderr is ok.
Change-Id: Ia26824d0339f69d8db3ef86c0f8344f60963a177
Signed-off-by: lujingxiao <lujingxiao@huawei.com>
---
main.go | 5 ++++-
script/runc-euleros.spec | 2 +-
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/main.go b/main.go
index e55ff82..be3fba6 100644
--- a/main.go
+++ b/main.go
@@ -163,6 +163,9 @@ type FatalWriter struct {
}
func (f *FatalWriter) Write(p []byte) (n int, err error) {
- logrus.Error(string(p))
+ errStr := string(p)
+ if !strings.Contains(errStr, "state.json: no such file or directory") {
+ logrus.Error(errStr)
+ }
return f.cliErrWriter.Write(p)
}
diff --git a/script/runc-euleros.spec b/script/runc-euleros.spec
index 19cdc42..acadd9e 100644
--- a/script/runc-euleros.spec
+++ b/script/runc-euleros.spec
@@ -2,7 +2,7 @@
Name: docker-runc
Version: 1.0.0.rc3
-Release: 9%{?dist}
+Release: 10%{?dist}
Summary: runc is a CLI tool for spawning and running containers according to the OCF specification
License: ASL 2.0
--
2.7.4.3

88
patch/0071-runc-revert-Change-Files-to-LinuxFiles-for-fi.patch
View File

@ -1,88 +0,0 @@
From a667acd5325633858ae671f27075d58345b12619 Mon Sep 17 00:00:00 2001
From: leizhongkai <leizhongkai@huawei.com>
Date: Fri, 9 Nov 2018 20:06:31 +0800
Subject: [PATCH 71/94] runc: [revert]Change Files to LinuxFiles for
--file-limit
reason:This reverts commit 1695b25310c490fe5038cf5a49e4c17ffc85af0e.
Signed-off-by: leizhongkai <leizhongkai@huawei.com>
Conflicts:
script/runc-euleros.spec
Change-Id: Iddbcc7eca095b4b8e5d062e06f2f332a2c07caf8
---
libcontainer/specconv/spec_linux.go | 4 ++--
script/runc-euleros.spec | 2 +-
vendor/github.com/opencontainers/runtime-spec/Checklist | 1 -
.../github.com/opencontainers/runtime-spec/specs-go/config.go | 10 +++++-----
4 files changed, 8 insertions(+), 9 deletions(-)
delete mode 100644 vendor/github.com/opencontainers/runtime-spec/Checklist
diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go
index 8ef9574..a8cf114 100644
--- a/libcontainer/specconv/spec_linux.go
+++ b/libcontainer/specconv/spec_linux.go
@@ -408,8 +408,8 @@ func createCgroupConfig(opts *CreateOpts) (*configs.Cgroup, error) {
if r.Pids != nil {
c.Resources.PidsLimit = r.Pids.Limit
}
- if r.Files != nil {
- c.Resources.FilesLimit = r.Files.Limit
+ if r.Files != nil && r.Files.Limit != nil {
+ c.Resources.FilesLimit = *r.Files.Limit
}
if r.BlockIO != nil {
if r.BlockIO.Weight != nil {
diff --git a/script/runc-euleros.spec b/script/runc-euleros.spec
index acadd9e..16fb43c 100644
--- a/script/runc-euleros.spec
+++ b/script/runc-euleros.spec
@@ -2,7 +2,7 @@
Name: docker-runc
Version: 1.0.0.rc3
-Release: 10%{?dist}
+Release: 11%{?dist}
Summary: runc is a CLI tool for spawning and running containers according to the OCF specification
License: ASL 2.0
diff --git a/vendor/github.com/opencontainers/runtime-spec/Checklist b/vendor/github.com/opencontainers/runtime-spec/Checklist
deleted file mode 100644
index be85bc8..0000000
--- a/vendor/github.com/opencontainers/runtime-spec/Checklist
+++ /dev/null
@@ -1 +0,0 @@
-Add struct LinuxFiles to vendor/src/github.com/opencontainers/runtime-spec/specs-go/config.go for supporting --files-limit
diff --git a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go b/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
index fe3c5b6..603ecf4 100644
--- a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
+++ b/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
@@ -318,10 +318,10 @@ type LinuxPids struct {
Limit int64 `json:"limit"`
}
-// LinuxFiles for Linux cgroup 'files' resource management (https://lwn.net/Articles/604129/)
-type LinuxFiles struct {
- // Maximum number of open files. Default is "no limit".
- Limit int64 `json:"limit,omitempty"`
+// Files for Linux cgroup 'files' resource management (https://lwn.net/Articles/604129/)
+type Files struct {
+ // Maximum number of open files".
+ Limit *int64 `json:"limit,omitempty"`
}
// LinuxNetwork identification and priority configuration
@@ -347,7 +347,7 @@ type LinuxResources struct {
// Task resource restriction configuration.
Pids *LinuxPids `json:"pids,omitempty"`
// Files resource restriction configuration.
- Files *LinuxFiles `json:"files,omitempty"`
+ Files *Files `json:"files,omitempty"`
// BlockIO restriction configuration
BlockIO *LinuxBlockIO `json:"blockIO,omitempty"`
// Hugetlb limit (in bytes)
--
2.7.4.3

32
patch/0072-Revert-runc-not-print-no-such-file-when-cli-e.patch
View File

@ -1,32 +0,0 @@
From b736c8d450f52150db3b8f7a6a247338028b57bf Mon Sep 17 00:00:00 2001
From: jingrui <jingrui@huawei.com>
Date: Tue, 13 Nov 2018 17:21:19 +0800
Subject: [PATCH 72/94] Revert "runc: not print "no such file" when cli
err"
reason: This reverts commit 21c62a431c2795f59a82312dd9b8a437a1b2ca28.
Change-Id: Ice19acd48ef916a3d992d9f4d06cf056361565e5
Signed-off-by: jingrui <jingrui@huawei.com>
---
main.go | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/main.go b/main.go
index be3fba6..e55ff82 100644
--- a/main.go
+++ b/main.go
@@ -163,9 +163,6 @@ type FatalWriter struct {
}
func (f *FatalWriter) Write(p []byte) (n int, err error) {
- errStr := string(p)
- if !strings.Contains(errStr, "state.json: no such file or directory") {
- logrus.Error(errStr)
- }
+ logrus.Error(string(p))
return f.cliErrWriter.Write(p)
}
--
2.7.4.3

80
patch/0073-runc-fix-state.json-no-such-file-or-directory.patch
View File

@ -1,80 +0,0 @@
From 3c0c0adf121e44ee00b7191a2693575676eb90be Mon Sep 17 00:00:00 2001
From: jingrui <jingrui@huawei.com>
Date: Tue, 13 Nov 2018 15:38:05 +0800
Subject: [PATCH 73/94] runc: fix state.json: no such file or directory
reason: fix 8c14d652 * runc-17: add compatibility for docker-1.11.2
Change-Id: I8ff0b3ae90611dfb6e1f5fbd1b8170c460d9ea2d
Signed-off-by: jingrui <jingrui@huawei.com>
---
libcontainer/factory_linux.go | 14 +++++++-------
script/runc-euleros.spec | 2 +-
2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/libcontainer/factory_linux.go b/libcontainer/factory_linux.go
index b533346..fe9ce24 100644
--- a/libcontainer/factory_linux.go
+++ b/libcontainer/factory_linux.go
@@ -368,11 +368,11 @@ func (l *LinuxFactory) updateStateCapabilites(compatState *CompatState, configPa
return errors.New("updateStateCapabilites unexpected format for capabilities")
}
-func (l *LinuxFactory) loadOriginState(configPath string) (*State, error) {
+func (l *LinuxFactory) loadOriginState(configPath, id string) (*State, error) {
f, err := os.Open(configPath)
if err != nil {
if os.IsNotExist(err) {
- return nil, newGenericError(err, ContainerNotExists)
+ return nil, newGenericError(fmt.Errorf("container %q does not exist", id), ContainerNotExists)
}
return nil, newGenericError(err, SystemError)
}
@@ -384,11 +384,11 @@ func (l *LinuxFactory) loadOriginState(configPath string) (*State, error) {
return state, nil
}
-func (l *LinuxFactory) loadCompatState(configPath string) (*State, error) {
+func (l *LinuxFactory) loadCompatState(configPath, id string) (*State, error) {
dt, err := ioutil.ReadFile(configPath)
if err != nil {
if os.IsNotExist(err) {
- return nil, newGenericError(err, ContainerNotExists)
+ return nil, newGenericError(fmt.Errorf("container %q does not exist", id), ContainerNotExists)
}
return nil, newGenericError(err, SystemError)
}
@@ -403,14 +403,14 @@ func (l *LinuxFactory) loadCompatState(configPath string) (*State, error) {
return nil, newGenericError(err, SystemError)
}
- return l.loadOriginState(configPath)
+ return l.loadOriginState(configPath, id)
}
func (l *LinuxFactory) loadState(root, id string) (*State, error) {
configPath := filepath.Join(root, stateFilename)
- state, err := l.loadOriginState(configPath)
+ state, err := l.loadOriginState(configPath, id)
if err != nil {
- return l.loadCompatState(configPath)
+ return l.loadCompatState(configPath, id)
}
return state, nil
}
diff --git a/script/runc-euleros.spec b/script/runc-euleros.spec
index 16fb43c..536678d 100644
--- a/script/runc-euleros.spec
+++ b/script/runc-euleros.spec
@@ -2,7 +2,7 @@
Name: docker-runc
Version: 1.0.0.rc3
-Release: 11%{?dist}
+Release: 12%{?dist}
Summary: runc is a CLI tool for spawning and running containers according to the OCF specification
License: ASL 2.0
--
2.7.4.3

78
patch/0074-runc-fix-check-sysctl-in-host-network-mode.patch
View File

@ -1,78 +0,0 @@
From 0a760e4753e743a0fe874471584d378b81a02d07 Mon Sep 17 00:00:00 2001
From: zhangyuyun <zhangyuyun@huawei.com>
Date: Thu, 15 Nov 2018 01:10:44 -0500
Subject: [PATCH 74/94] runc: fix check sysctl in host network mode
reason:it's found failed in runc to check if the container is in
the host namespace,which introduced by
https://github.com/opencontainers/runc/pull/1138
https://github.com/opencontainers/runc/pull/1221
Change-Id: If1374c081cea93c700d627b40d2ca1ad58b5fb83
---
libcontainer/configs/validate/validator.go | 27 ++++++++++++++++++---------
script/runc-euleros.spec | 2 +-
2 files changed, 19 insertions(+), 10 deletions(-)
diff --git a/libcontainer/configs/validate/validator.go b/libcontainer/configs/validate/validator.go
index 8284345..5cb50fb 100644
--- a/libcontainer/configs/validate/validator.go
+++ b/libcontainer/configs/validate/validator.go
@@ -5,6 +5,7 @@ import (
"os"
"path/filepath"
"strings"
+ "syscall"
"github.com/opencontainers/runc/libcontainer/configs"
selinux "github.com/opencontainers/selinux/go-selinux"
@@ -177,16 +178,24 @@ func checkHostNs(sysctlConfig string, path string) error {
return fmt.Errorf("could not check that %q is a symlink: %v", path, err)
}
+ var destOfContainer string
if symLink == false {
- // The provided namespace is not a symbolic link,
- // it is not the host namespace.
- return nil
- }
-
- // readlink on the path provided in the struct
- destOfContainer, err := os.Readlink(path)
- if err != nil {
- return fmt.Errorf("read soft link %q error", path)
+ // try getting inode number for comparsion
+ f, err := os.Stat(path)
+ if err != nil {
+ return err
+ }
+ stat, ok := f.Sys().(*syscall.Stat_t)
+ if !ok {
+ return fmt.Errorf("cannot convert stat value of %q to syscall.Stat_t", path)
+ }
+ destOfContainer = fmt.Sprintf("net:[%d]", stat.Ino)
+ } else {
+ // readlink on the path provided in the struct
+ destOfContainer, err = os.Readlink(path)
+ if err != nil {
+ return fmt.Errorf("read soft link %q error", path)
+ }
}
if destOfContainer == destOfCurrentProcess {
return fmt.Errorf("sysctl %q is not allowed in the hosts network namespace", sysctlConfig)
diff --git a/script/runc-euleros.spec b/script/runc-euleros.spec
index 536678d..0e92bf0 100644
--- a/script/runc-euleros.spec
+++ b/script/runc-euleros.spec
@@ -2,7 +2,7 @@
Name: docker-runc
Version: 1.0.0.rc3
-Release: 12%{?dist}
+Release: 13%{?dist}
Summary: runc is a CLI tool for spawning and running containers according to the OCF specification
License: ASL 2.0
--
2.7.4.3

62
patch/0075-runc-Fix-systemd-journald-service-dependency.patch
View File

@ -1,62 +0,0 @@
From b35de14c25e51f98c3e61636ed79ba91e6259596 Mon Sep 17 00:00:00 2001
From: zhangsong34 <zhangsong34@huawei.com>
Date: Thu, 6 Dec 2018 19:44:58 +0800
Subject: [PATCH 75/94] runc: Fix systemd-journald service dependency
reason:runc logs forwarding to syslog only when systemd-journald service
status is active and running.
Change-Id: Ib95f0269c6905642050be1c4d195e95919245159
Signed-off-by: zhangsong34 <zhangsong34@huawei.com>
---
main.go | 12 ++++++++----
script/runc-euleros.spec | 2 +-
2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/main.go b/main.go
index e55ff82..dcc2925 100644
--- a/main.go
+++ b/main.go
@@ -8,6 +8,7 @@ import (
"github.com/urfave/cli"
"io"
"log/syslog"
+ "net"
"os"
"strings"
)
@@ -121,11 +122,14 @@ func main() {
return err
}
logrus.SetOutput(f)
- hook, serr := logrus_syslog.NewSyslogHook("", "", syslog.LOG_INFO|syslog.LOG_USER, "docker-runc")
- if serr != nil {
- fmt.Fprint(f, fmt.Sprintf("Leo: new syslog hook get %s", serr))
+ if conn, err := net.Dial("unixgram", "/run/systemd/journal/socket"); err == nil {
+ defer conn.Close()
+ hook, serr := logrus_syslog.NewSyslogHook("", "", syslog.LOG_INFO|syslog.LOG_USER, "docker-runc")
+ if serr != nil {
+ fmt.Fprint(f, fmt.Sprintf("new syslog hook get %s", serr))
+ }
+ logrus.AddHook(hook)
}
- logrus.AddHook(hook)
}
switch context.GlobalString("log-format") {
case "text":
diff --git a/script/runc-euleros.spec b/script/runc-euleros.spec
index 0e92bf0..354bb24 100644
--- a/script/runc-euleros.spec
+++ b/script/runc-euleros.spec
@@ -2,7 +2,7 @@
Name: docker-runc
Version: 1.0.0.rc3
-Release: 13%{?dist}
+Release: 14%{?dist}
Summary: runc is a CLI tool for spawning and running containers according to the OCF specification
License: ASL 2.0
--
2.7.4.3

Some files were not shown because too many files have changed in this diff Show More