runc-1.1.4-2.el8

- update to https://github.com/opencontainers/runc/releases/tag/v1.1.4 - Related: #2176055 Signed-off-by: Jindrich Novy <jnovy@redhat.com>
2023-03-09 11:50:29 +01:00 · 2023-03-09 11:50:29 +01:00 · 065faa6369
commit 065faa6369
parent 257317647f
5 changed files with 6 additions and 159 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1 @@
-SOURCES/v1.1.4.tar.gz
-/v1.1.4.tar.gz
+/*.tar.gz
--- a/3468.patch
+++ b/3468.patch
@ -1,84 +0,0 @@
-From 2ce40b6ad72b4bd4391380cafc5ef1bad1fa0b31 Mon Sep 17 00:00:00 2001
-From: Kir Kolyshkin <kolyshkin@gmail.com>
-Date: Wed, 4 May 2022 14:56:16 -0700
-Subject: [PATCH] Remove tun/tap from the default device rules
-
-Looking through git blame, this was added by commit 9fac18329
-aka "Initial commit of runc binary", most probably by mistake.
-
-Obviously, a container should not have access to tun/tap device, unless
-it is explicitly specified in configuration.
-
-Now, removing this might create a compatibility issue, but I see no
-other choice.
-
-Aside from the obvious misconfiguration, this should also fix the
-annoying
-
-> Apr 26 03:46:56 foo.bar systemd[1]: Couldn't stat device /dev/char/10:200: No such file or directory
-
-messages from systemd on every container start, when runc uses systemd
-cgroup driver, and the system runs an old (< v240) version of systemd
-(the message was presumably eliminated by [1]).
-
-[1] https://github.com/systemd/systemd/pull/10996/commits/d5aecba6e0b7c73657c4cf544ce57289115098e7
-
-Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
---
- .../ebpf/devicefilter/devicefilter_test.go    | 19 ++++++-------------
- libcontainer/specconv/spec_linux.go           | 10 ----------
- 2 files changed, 6 insertions(+), 23 deletions(-)
-
-diff --git a/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go b/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go
-index d279335821..25703be5ad 100644
--- a/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go
-+++ b/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go
-@@ -120,21 +120,14 @@ block-8:
-         51: Mov32Imm dst: r0 imm: 1
-         52: Exit
- block-9:
-// tuntap (c, 10, 200, rwm, allow)
-+// /dev/pts (c, 136, wildcard, rwm, true)
-         53: JNEImm dst: r2 off: -1 imm: 2 <block-10>
-        54: JNEImm dst: r4 off: -1 imm: 10 <block-10>
-        55: JNEImm dst: r5 off: -1 imm: 200 <block-10>
-        56: Mov32Imm dst: r0 imm: 1
-        57: Exit
-+        54: JNEImm dst: r4 off: -1 imm: 136 <block-10>
-+        55: Mov32Imm dst: r0 imm: 1
-+        56: Exit
- block-10:
-// /dev/pts (c, 136, wildcard, rwm, true)
-        58: JNEImm dst: r2 off: -1 imm: 2 <block-11>
-        59: JNEImm dst: r4 off: -1 imm: 136 <block-11>
-        60: Mov32Imm dst: r0 imm: 1
-        61: Exit
-block-11:
-        62: Mov32Imm dst: r0 imm: 0
-        63: Exit
-+        57: Mov32Imm dst: r0 imm: 0
-+        58: Exit
- `
- 	var devices []*devices.Rule
- 	for _, device := range specconv.AllowedDevices {
-diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go
-index 5ae95c6c18..83c7a2c348 100644
--- a/libcontainer/specconv/spec_linux.go
-+++ b/libcontainer/specconv/spec_linux.go
-@@ -302,16 +302,6 @@ var AllowedDevices = []*devices.Device{
- 			Allow:       true,
- 		},
- 	},
-	// tuntap
-	{
-		Rule: devices.Rule{
-			Type:        devices.CharDevice,
-			Major:       10,
-			Minor:       200,
-			Permissions: "rwm",
-			Allow:       true,
-		},
-	},
- }
- 
- type CreateOpts struct {
--- a/3511.patch
+++ b/3511.patch
@ -1,66 +0,0 @@
-From 62b0c31d4b940ff93a23ac6fdb3a6ef345910abf Mon Sep 17 00:00:00 2001
-From: Kir Kolyshkin <kolyshkin@gmail.com>
-Date: Tue, 14 Jun 2022 17:19:10 -0700
-Subject: [PATCH] libct: fix mounting via wrong proc fd
-
-Due to a bug in commit 9c444070ec7, when the user and mount namespaces
-are used, and the bind mount is followed by the cgroup mount in the
-spec, the cgroup is mounted using the bind mount's mount fd.
-
-This can be reproduced with podman 4.1 (when configured to use runc):
-
-$ podman run --uidmap 0:100:10000 quay.io/libpod/testimage:20210610 mount
-Error: /home/kir/git/runc/runc: runc create failed: unable to start container process: error during container init: error mounting "cgroup" to rootfs at "/sys/fs/cgroup": mount /proc/self/fd/11:/sys/fs/cgroup/systemd (via /proc/self/fd/12), flags: 0x20502f: operation not permitted: OCI permission denied
-
-or manually with the spec mounts containing something like this:
-
-    {
-      "destination": "/etc/resolv.conf",
-      "type": "bind",
-      "source": "/userdata/resolv.conf",
-      "options": [
-        "bind"
-      ]
-    },
-    {
-      "destination": "/sys/fs/cgroup",
-      "type": "cgroup",
-      "source": "cgroup",
-      "options": [
-        "rprivate",
-        "nosuid",
-        "noexec",
-        "nodev",
-        "relatime",
-        "ro"
-      ]
-    }
-
-The issue was not found earlier since it requires using userns, and even then
-mount fd is ignored by mountToRootfs, except for bind mounts, and all the bind
-mounts have mountfd set, except for the case of cgroup v1's /sys/fs/cgroup
-which is internally transformed into a bunch of bind mounts.
-
-This is a minimal fix for the issue, suitable for backporting.
-
-Fixes: 9c444070ec7 ("Open bind mount sources from the host userns")
-Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
-(cherry picked from commit b3aa20af7fb67ee1f2b381f3c82329e73c7d3a0c)
-Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
---
- libcontainer/rootfs_linux.go | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
-index 3cfd2bf1e4..ec7638e4d5 100644
--- a/libcontainer/rootfs_linux.go
-+++ b/libcontainer/rootfs_linux.go
-@@ -80,6 +80,8 @@ func prepareRootfs(pipe io.ReadWriter, iConfig *initConfig, mountFds []int) (err
- 		// Therefore, we can access mountFds[i] without any concerns.
- 		if mountFds != nil && mountFds[i] != -1 {
- 			mountConfig.fd = &mountFds[i]
-+		} else {
-+			mountConfig.fd = nil
- 		}
- 
- 		if err := mountToRootfs(m, mountConfig); err != nil {
--- a/gating.yaml
+++ b/gating.yaml
@ -1,6 +0,0 @@
-# recipients: jnovy, lsm5, santiago
--- !Policy
-product_versions:
-  - rhel-9
-decision_context: osci_compose_gate
-rules: []
--- a/runc.spec
+++ b/runc.spec
@ -23,7 +23,7 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl
 Epoch: 1
 Name: %{repo}
 Version: 1.1.4
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: CLI for running Open Containers
 # https://fedoraproject.org/wiki/PackagingDrafts/Go#Go_Language_Architectures
 #ExclusiveArch: %%{go_arches}
@ -85,6 +85,10 @@ make install install-man install-bash DESTDIR=$RPM_BUILD_ROOT PREFIX=%{_prefix}
 %{_datadir}/bash-completion/completions/%{name}

 %changelog
+* Thu Mar 09 2023 Jindrich Novy <jnovy@redhat.com> - 1:1.1.4-2
+- update to https://github.com/opencontainers/runc/releases/tag/v1.1.4
+- Related: #2176055
+
 * Fri Aug 26 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.1.4-1
 - update to https://github.com/opencontainers/runc/releases/tag/v1.1.4
 - Related: #2061390