crun-0.15-1
Signed-off-by: Giuseppe Scrivano <giuseppe@scrivano.org>
parent
f96e4628cd
commit
56f816f321
1
.gitignore
vendored
1
.gitignore
vendored
@ -20,3 +20,4 @@ crun-0.1.1.tar.gz
|
||||
/crun-0.13.tar.gz
|
||||
/crun-0.14.tar.gz
|
||||
/crun-0.14.1.tar.gz
|
||||
/crun-0.15.tar.gz
|
||||
|
@ -1,100 +0,0 @@
|
||||
From 2dd22b2f1aa13edc704cf5a6e50793457076789e Mon Sep 17 00:00:00 2001
|
||||
From: Ed Santiago <santiago@redhat.com>
|
||||
Date: Mon, 31 Aug 2020 12:09:39 -0600
|
||||
Subject: [PATCH] Capabilities: get last_cap dynamically
|
||||
|
||||
Determine the kernel capability set at run time, for
|
||||
consistency with runc.
|
||||
|
||||
Signed-off-by: Ed Santiago <santiago@redhat.com>
|
||||
(cherry picked from commit 4453af4c060e380051552ee589af5cad37f2ae82)
|
||||
---
|
||||
src/libcrun/container.c | 4 ++++
|
||||
src/libcrun/linux.c | 29 +++++++++++++++++++++++++++--
|
||||
src/libcrun/linux.h | 1 +
|
||||
3 files changed, 32 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/libcrun/container.c b/src/libcrun/container.c
|
||||
index 3723300..0870cf2 100644
|
||||
--- a/src/libcrun/container.c
|
||||
+++ b/src/libcrun/container.c
|
||||
@@ -480,6 +480,10 @@ initialize_security (runtime_spec_schema_config_schema_process *proc, libcrun_er
|
||||
if (UNLIKELY (ret < 0))
|
||||
return ret;
|
||||
|
||||
+ ret = libcrun_init_caps (err);
|
||||
+ if (UNLIKELY (ret < 0))
|
||||
+ return ret;
|
||||
+
|
||||
return 0;
|
||||
}
|
||||
|
||||
diff --git a/src/libcrun/linux.c b/src/libcrun/linux.c
|
||||
index fa87d82..316943d 100644
|
||||
--- a/src/libcrun/linux.c
|
||||
+++ b/src/libcrun/linux.c
|
||||
@@ -2291,6 +2291,28 @@ has_cap_on (int cap, long unsigned *caps)
|
||||
return (CAP_TO_MASK_1 (cap) & caps[1]);
|
||||
}
|
||||
|
||||
+static unsigned long cap_last_cap;
|
||||
+
|
||||
+int
|
||||
+libcrun_init_caps (libcrun_error_t *err)
|
||||
+{
|
||||
+ cleanup_close int fd = -1;
|
||||
+ int ret;
|
||||
+ char buffer[16];
|
||||
+ fd = open ("/proc/sys/kernel/cap_last_cap", O_RDONLY);
|
||||
+ if (fd < 0)
|
||||
+ return crun_make_error (err, errno, "open /proc/sys/kernel/cap_last_cap");
|
||||
+ ret = TEMP_FAILURE_RETRY (read (fd, buffer, sizeof (buffer)));
|
||||
+ if (UNLIKELY (ret < 0))
|
||||
+ return crun_make_error (err, errno, "read from /proc/sys/kernel/cap_last_cap");
|
||||
+
|
||||
+ errno = 0;
|
||||
+ cap_last_cap = strtoul (buffer, NULL, 10);
|
||||
+ if (errno != 0)
|
||||
+ return crun_make_error (err, errno, "strtoul() from /proc/sys/kernel/cap_last_cap");
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
static int
|
||||
set_required_caps (struct all_caps_s *caps, uid_t uid, gid_t gid, int no_new_privs, libcrun_error_t *err)
|
||||
{
|
||||
@@ -2299,7 +2321,10 @@ set_required_caps (struct all_caps_s *caps, uid_t uid, gid_t gid, int no_new_pri
|
||||
struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
|
||||
struct __user_cap_data_struct data[2] = { { 0 } };
|
||||
|
||||
- for (cap = 0; cap <= CAP_LAST_CAP; cap++)
|
||||
+ if (cap_last_cap == 0)
|
||||
+ return crun_make_error (err, 0, "internal error: max number of capabilities not initialized");
|
||||
+
|
||||
+ for (cap = 0; cap <= cap_last_cap; cap++)
|
||||
if (! has_cap_on (cap, caps->bounding))
|
||||
{
|
||||
ret = prctl (PR_CAPBSET_DROP, cap, 0, 0, 0);
|
||||
@@ -2335,7 +2360,7 @@ set_required_caps (struct all_caps_s *caps, uid_t uid, gid_t gid, int no_new_pri
|
||||
if (UNLIKELY (ret < 0 && !(errno == EINVAL || errno == EPERM)))
|
||||
return crun_make_error (err, errno, "prctl reset ambient");
|
||||
|
||||
- for (cap = 0; cap <= CAP_LAST_CAP; cap++)
|
||||
+ for (cap = 0; cap <= cap_last_cap; cap++)
|
||||
if (has_cap_on (cap, caps->ambient))
|
||||
{
|
||||
ret = prctl (PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0);
|
||||
diff --git a/src/libcrun/linux.h b/src/libcrun/linux.h
|
||||
index a92b5f1..fc70feb 100644
|
||||
--- a/src/libcrun/linux.h
|
||||
+++ b/src/libcrun/linux.h
|
||||
@@ -38,6 +38,7 @@ pid_t libcrun_run_linux_container (libcrun_container_t *container,
|
||||
libcrun_error_t *err);
|
||||
int get_notify_fd (libcrun_context_t *context, libcrun_container_t *container, int *notify_socket_out, libcrun_error_t *err);
|
||||
int libcrun_set_mounts (libcrun_container_t *container, const char *rootfs, libcrun_error_t *err);
|
||||
+int libcrun_init_caps (libcrun_error_t *err);
|
||||
int libcrun_do_pivot_root (libcrun_container_t *container, bool no_pivot, const char *rootfs, libcrun_error_t *err);
|
||||
int libcrun_reopen_dev_null (libcrun_error_t *err);
|
||||
int libcrun_set_usernamespace (libcrun_container_t *container, pid_t pid, libcrun_error_t *err);
|
||||
--
|
||||
2.26.2
|
||||
|
@ -1,42 +0,0 @@
|
||||
From 1a71c82ea9fd3561b16e2730bea9673219c15843 Mon Sep 17 00:00:00 2001
|
||||
From: Giuseppe Scrivano <gscrivan@redhat.com>
|
||||
Date: Thu, 27 Aug 2020 12:10:21 +0200
|
||||
Subject: [PATCH] state: fix race condition when reading cgroup
|
||||
|
||||
by the time crun attempts to read from the cgroup, systemd might have
|
||||
already cleaned it up. When using systemd, on ENOENT state reports
|
||||
the container as "stopped" instead of an error.
|
||||
|
||||
Closes: https://github.com/containers/podman/issues/7148
|
||||
|
||||
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
||||
---
|
||||
src/libcrun/container.c | 12 +++++++++++-
|
||||
1 file changed, 11 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/libcrun/container.c b/src/libcrun/container.c
|
||||
index 3723300..289e551 100644
|
||||
--- a/src/libcrun/container.c
|
||||
+++ b/src/libcrun/container.c
|
||||
@@ -2112,7 +2112,17 @@ libcrun_get_container_state_string (const char *id, libcrun_container_status_t *
|
||||
|
||||
ret = libcrun_cgroup_is_container_paused (status->cgroup_path, cgroup_mode, &paused, err);
|
||||
if (UNLIKELY (ret < 0))
|
||||
- return ret;
|
||||
+ {
|
||||
+ /* The cgroup might have been cleaned up by systemd by the time we try to read it, so ignore ENOENT. */
|
||||
+ if (status->systemd_cgroup && crun_error_get_errno (err) == ENOENT)
|
||||
+ {
|
||||
+ crun_error_release (err);
|
||||
+ *container_status = "stopped";
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ return ret;
|
||||
+ }
|
||||
}
|
||||
|
||||
if (! *running)
|
||||
--
|
||||
2.26.2
|
||||
|
10
crun.spec
10
crun.spec
@ -1,7 +1,7 @@
|
||||
Summary: OCI runtime written in C
|
||||
Name: crun
|
||||
Version: 0.14.1
|
||||
Release: 5%{?dist}
|
||||
Version: 0.15
|
||||
Release: 1%{?dist}
|
||||
Source0: https://github.com/containers/crun/releases/download/%{version}/%{name}-%{version}.tar.gz
|
||||
License: GPLv3+
|
||||
URL: https://github.com/containers/crun
|
||||
@ -22,9 +22,6 @@ BuildRequires: libtool
|
||||
BuildRequires: go-md2man
|
||||
Provides: oci-runtime = 2
|
||||
|
||||
Patch0: 0001-state-fix-race-condition-when-reading-cgroup.patch
|
||||
Patch1: 0001-Capabilities-get-last_cap-dynamically.patch
|
||||
|
||||
%description
|
||||
crun is a runtime for running OCI containers
|
||||
|
||||
@ -47,6 +44,9 @@ rm -rf $RPM_BUILD_ROOT/usr/lib*
|
||||
%{_mandir}/man1/*
|
||||
|
||||
%changelog
|
||||
* Wed Sep 23 2020 Giuseppe Scrivano <gscrivan@redhat.com> - 0.15-1
|
||||
- build version 0.15
|
||||
|
||||
* Mon Sep 14 2020 Giuseppe Scrivano <gscrivan@redhat.com> - 0.14.1-5
|
||||
- backport 4453af4c060e380051552ee589af5cad37f2ae82
|
||||
|
||||
|
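Review bot: The new `%changelog` entry in the `@ -47,6 +44,9 @@` hunk says only `- build version 0.15`, while the `@ -22,9 +22,6 @@` hunk appears to drop `Patch0: 0001-state-fix-race-condition-when-reading-cgroup.patch` and `Patch1: 0001-Capabilities-get-last_cap-dynamically.patch` (that hunk's counts show three lines removed, which I take to be the two Patch lines and the blank after them). From the entry alone a reader of the package history cannot tell whether those two fixes are now carried by the 0.15 tarball or were simply dropped, and the previous entry's `- backport 4453af4c060e380051552ee589af5cad37f2ae82` shows the precedent of naming what was carried. I would add a second line to the 0.15-1 entry such as `- drop Patch0 and Patch1, included upstream in 0.15`, with the "included upstream" claim confirmed against the 0.15 tarball before it is recorded.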
2
sources
2
sources
@ -1 +1 @@
|
||||
SHA512 (crun-0.14.1.tar.gz) = 420f1713653cbd17df83b2a63d163aaa41baf78115b093877a2241305e10b2ceeaf08ea6700658eca894729ff8a20cbc66f868d18d27fba3fbedf1a9993b122e
|
||||
SHA512 (crun-0.15.tar.gz) = f9a9e94b6a9c5cff01fe93b1c3d5876a0794e6288b802cf579556e11411ca5d6e63cae3859aaa4df4bb600e2d27aa131872a93a92784b9b48f7885411d86f325
|
||||
|