crun-0.15-1

Signed-off-by: Giuseppe Scrivano <giuseppe@scrivano.org>
Giuseppe Scrivano 2020-09-23 17:06:30 +02:00
parent f96e4628cd
commit 56f816f321
GPG Key ID: 67E38F7A8BA21772
5 changed files with 7 additions and 148 deletions

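--- a/.gitignore
+++ b/.gitignore
@@ -20,3 +20,4 @@ crun-0.1.1.tar.gz
 /crun-0.13.tar.gz
 /crun-0.14.tar.gz
 /crun-0.14.1.tar.gz
+/crun-0.15.tar.gz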


@ -1,100 +0,0 @@
From 2dd22b2f1aa13edc704cf5a6e50793457076789e Mon Sep 17 00:00:00 2001
From: Ed Santiago <santiago@redhat.com>
Date: Mon, 31 Aug 2020 12:09:39 -0600
Subject: [PATCH] Capabilities: get last_cap dynamically
Determine the kernel capability set at run time, for
consistency with runc.
Signed-off-by: Ed Santiago <santiago@redhat.com>
(cherry picked from commit 4453af4c060e380051552ee589af5cad37f2ae82)
---
src/libcrun/container.c | 4 ++++
src/libcrun/linux.c | 29 +++++++++++++++++++++++++++--
src/libcrun/linux.h | 1 +
3 files changed, 32 insertions(+), 2 deletions(-)
diff --git a/src/libcrun/container.c b/src/libcrun/container.c
index 3723300..0870cf2 100644
--- a/src/libcrun/container.c
+++ b/src/libcrun/container.c
@@ -480,6 +480,10 @@ initialize_security (runtime_spec_schema_config_schema_process *proc, libcrun_er
if (UNLIKELY (ret < 0))
return ret;
+ ret = libcrun_init_caps (err);
+ if (UNLIKELY (ret < 0))
+ return ret;
+
return 0;
}
diff --git a/src/libcrun/linux.c b/src/libcrun/linux.c
index fa87d82..316943d 100644
--- a/src/libcrun/linux.c
+++ b/src/libcrun/linux.c
@@ -2291,6 +2291,28 @@ has_cap_on (int cap, long unsigned *caps)
return (CAP_TO_MASK_1 (cap) & caps[1]);
}
+static unsigned long cap_last_cap;
+
+int
+libcrun_init_caps (libcrun_error_t *err)
+{
+ cleanup_close int fd = -1;
+ int ret;
+ char buffer[16];
+ fd = open ("/proc/sys/kernel/cap_last_cap", O_RDONLY);
+ if (fd < 0)
+ return crun_make_error (err, errno, "open /proc/sys/kernel/cap_last_cap");
+ ret = TEMP_FAILURE_RETRY (read (fd, buffer, sizeof (buffer)));
+ if (UNLIKELY (ret < 0))
+ return crun_make_error (err, errno, "read from /proc/sys/kernel/cap_last_cap");
+
+ errno = 0;
+ cap_last_cap = strtoul (buffer, NULL, 10);
+ if (errno != 0)
+ return crun_make_error (err, errno, "strtoul() from /proc/sys/kernel/cap_last_cap");
+ return 0;
+}
+
static int
set_required_caps (struct all_caps_s *caps, uid_t uid, gid_t gid, int no_new_privs, libcrun_error_t *err)
{
@@ -2299,7 +2321,10 @@ set_required_caps (struct all_caps_s *caps, uid_t uid, gid_t gid, int no_new_pri
struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
struct __user_cap_data_struct data[2] = { { 0 } };
- for (cap = 0; cap <= CAP_LAST_CAP; cap++)
+ if (cap_last_cap == 0)
+ return crun_make_error (err, 0, "internal error: max number of capabilities not initialized");
+
+ for (cap = 0; cap <= cap_last_cap; cap++)
if (! has_cap_on (cap, caps->bounding))
{
ret = prctl (PR_CAPBSET_DROP, cap, 0, 0, 0);
@@ -2335,7 +2360,7 @@ set_required_caps (struct all_caps_s *caps, uid_t uid, gid_t gid, int no_new_pri
if (UNLIKELY (ret < 0 && !(errno == EINVAL || errno == EPERM)))
return crun_make_error (err, errno, "prctl reset ambient");
- for (cap = 0; cap <= CAP_LAST_CAP; cap++)
+ for (cap = 0; cap <= cap_last_cap; cap++)
if (has_cap_on (cap, caps->ambient))
{
ret = prctl (PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0);
diff --git a/src/libcrun/linux.h b/src/libcrun/linux.h
index a92b5f1..fc70feb 100644
--- a/src/libcrun/linux.h
+++ b/src/libcrun/linux.h
@@ -38,6 +38,7 @@ pid_t libcrun_run_linux_container (libcrun_container_t *container,
libcrun_error_t *err);
int get_notify_fd (libcrun_context_t *context, libcrun_container_t *container, int *notify_socket_out, libcrun_error_t *err);
int libcrun_set_mounts (libcrun_container_t *container, const char *rootfs, libcrun_error_t *err);
+int libcrun_init_caps (libcrun_error_t *err);
int libcrun_do_pivot_root (libcrun_container_t *container, bool no_pivot, const char *rootfs, libcrun_error_t *err);
int libcrun_reopen_dev_null (libcrun_error_t *err);
int libcrun_set_usernamespace (libcrun_container_t *container, pid_t pid, libcrun_error_t *err);
--
2.26.2


@ -1,42 +0,0 @@
From 1a71c82ea9fd3561b16e2730bea9673219c15843 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano <gscrivan@redhat.com>
Date: Thu, 27 Aug 2020 12:10:21 +0200
Subject: [PATCH] state: fix race condition when reading cgroup
by the time crun attempts to read from the cgroup, systemd might have
already cleaned it up. When using systemd, on ENOENT state reports
the container as "stopped" instead of an error.
Closes: https://github.com/containers/podman/issues/7148
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
---
src/libcrun/container.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/libcrun/container.c b/src/libcrun/container.c
index 3723300..289e551 100644
--- a/src/libcrun/container.c
+++ b/src/libcrun/container.c
@@ -2112,7 +2112,17 @@ libcrun_get_container_state_string (const char *id, libcrun_container_status_t *
ret = libcrun_cgroup_is_container_paused (status->cgroup_path, cgroup_mode, &paused, err);
if (UNLIKELY (ret < 0))
- return ret;
+ {
+ /* The cgroup might have been cleaned up by systemd by the time we try to read it, so ignore ENOENT. */
+ if (status->systemd_cgroup && crun_error_get_errno (err) == ENOENT)
+ {
+ crun_error_release (err);
+ *container_status = "stopped";
+ return 0;
+ }
+
+ return ret;
+ }
}
if (! *running)
--
2.26.2


@ -1,7 +1,7 @@
Summary: OCI runtime written in C Summary: OCI runtime written in C
Name: crun Name: crun
Version: 0.14.1 Version: 0.15
Release: 5%{?dist} Release: 1%{?dist}
Source0: https://github.com/containers/crun/releases/download/%{version}/%{name}-%{version}.tar.gz Source0: https://github.com/containers/crun/releases/download/%{version}/%{name}-%{version}.tar.gz
License: GPLv3+ License: GPLv3+
URL: https://github.com/containers/crun URL: https://github.com/containers/crun
@ -22,9 +22,6 @@ BuildRequires: libtool
BuildRequires: go-md2man BuildRequires: go-md2man
Provides: oci-runtime = 2 Provides: oci-runtime = 2
Patch0: 0001-state-fix-race-condition-when-reading-cgroup.patch
Patch1: 0001-Capabilities-get-last_cap-dynamically.patch
%description %description
crun is a runtime for running OCI containers crun is a runtime for running OCI containers
@ -47,6 +44,9 @@ rm -rf $RPM_BUILD_ROOT/usr/lib*
%{_mandir}/man1/* %{_mandir}/man1/*
%changelog %changelog
* Wed Sep 23 2020 Giuseppe Scrivano <gscrivan@redhat.com> - 0.15-1
- build version 0.15
* Mon Sep 14 2020 Giuseppe Scrivano <gscrivan@redhat.com> - 0.14.1-5 * Mon Sep 14 2020 Giuseppe Scrivano <gscrivan@redhat.com> - 0.14.1-5
- backport 4453af4c060e380051552ee589af5cad37f2ae82 - backport 4453af4c060e380051552ee589af5cad37f2ae82
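Review bot: The new changelog entry `- build version 0.15` does not record that the `Patch0`/`Patch1` lines removed in the second hunk are no longer applied, so a reader of the spec history cannot tell whether the cgroup-race and cap_last_cap fixes were dropped or carried into the release. The capabilities patch header names upstream commit 4453af4c060e380051552ee589af5cad37f2ae82 as its origin, and the previous changelog entry already refers to that backport, so both presumably ship in 0.15 — worth stating rather than leaving implicit. I would extend the entry with a line such as `- drop 0001-state-fix-race-condition-when-reading-cgroup.patch and 0001-Capabilities-get-last_cap-dynamically.patch, included in 0.15`. The deleted patch files themselves should also be confirmed against the 0.15 tarball before the backport is considered closed.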


@ -1 +1 @@
SHA512 (crun-0.14.1.tar.gz) = 420f1713653cbd17df83b2a63d163aaa41baf78115b093877a2241305e10b2ceeaf08ea6700658eca894729ff8a20cbc66f868d18d27fba3fbedf1a9993b122e SHA512 (crun-0.15.tar.gz) = f9a9e94b6a9c5cff01fe93b1c3d5876a0794e6288b802cf579556e11411ca5d6e63cae3859aaa4df4bb600e2d27aa131872a93a92784b9b48f7885411d86f325