Import rpm: 1461459ff374b8044b306373d72198b4d522d7a4

This commit is contained in:
James Antill 2023-02-23 12:39:24 -05:00
parent 1e6c76134d
commit 1787c1317b
2 changed files with 93 additions and 20 deletions

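--- /dev/null
+++ b/3468.patch
@@ -0,0 +1,84 @@
+From 2ce40b6ad72b4bd4391380cafc5ef1bad1fa0b31 Mon Sep 17 00:00:00 2001
+From: Kir Kolyshkin <kolyshkin@gmail.com>
+Date: Wed, 4 May 2022 14:56:16 -0700
+Subject: [PATCH] Remove tun/tap from the default device rules
+Looking through git blame, this was added by commit 9fac18329
+aka "Initial commit of runc binary", most probably by mistake.
+Obviously, a container should not have access to tun/tap device, unless
+it is explicitly specified in configuration.
+Now, removing this might create a compatibility issue, but I see no
+other choice.
+Aside from the obvious misconfiguration, this should also fix the
+annoying
+> Apr 26 03:46:56 foo.bar systemd[1]: Couldn't stat device /dev/char/10:200: No such file or directory
+messages from systemd on every container start, when runc uses systemd
+cgroup driver, and the system runs an old (< v240) version of systemd
+(the message was presumably eliminated by [1]).
+[1] https://github.com/systemd/systemd/pull/10996/commits/d5aecba6e0b7c73657c4cf544ce57289115098e7
+Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
+---
+.../ebpf/devicefilter/devicefilter_test.go | 19 ++++++-------------
+libcontainer/specconv/spec_linux.go | 10 ----------
+2 files changed, 6 insertions(+), 23 deletions(-)
+diff --git a/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go b/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go
+index d279335821..25703be5ad 100644
+--- a/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go
++++ b/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go
+@@ -120,21 +120,14 @@ block-8:
+51: Mov32Imm dst: r0 imm: 1
+52: Exit
+block-9:
+-// tuntap (c, 10, 200, rwm, allow)
++// /dev/pts (c, 136, wildcard, rwm, true)
+53: JNEImm dst: r2 off: -1 imm: 2 <block-10>
+- 54: JNEImm dst: r4 off: -1 imm: 10 <block-10>
+- 55: JNEImm dst: r5 off: -1 imm: 200 <block-10>
+- 56: Mov32Imm dst: r0 imm: 1
+- 57: Exit
++ 54: JNEImm dst: r4 off: -1 imm: 136 <block-10>
++ 55: Mov32Imm dst: r0 imm: 1
++ 56: Exit
+block-10:
+-// /dev/pts (c, 136, wildcard, rwm, true)
+- 58: JNEImm dst: r2 off: -1 imm: 2 <block-11>
+- 59: JNEImm dst: r4 off: -1 imm: 136 <block-11>
+- 60: Mov32Imm dst: r0 imm: 1
+- 61: Exit
+-block-11:
+- 62: Mov32Imm dst: r0 imm: 0
+- 63: Exit
++ 57: Mov32Imm dst: r0 imm: 0
++ 58: Exit
+`
+var devices []*devices.Rule
+for _, device := range specconv.AllowedDevices {
+diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go
+index 5ae95c6c18..83c7a2c348 100644
+--- a/libcontainer/specconv/spec_linux.go
++++ b/libcontainer/specconv/spec_linux.go
+@@ -302,16 +302,6 @@ var AllowedDevices = []*devices.Device{
+Allow: true,
+},
+},
+- // tuntap
+- {
+- Rule: devices.Rule{
+- Type: devices.CharDevice,
+- Major: 10,
+- Minor: 200,
+- Permissions: "rwm",
+- Allow: true,
+- },
+- },
+}
+type CreateOpts struct {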
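Review bot: Nothing in the commit records which upstream revision this vendored patch is, even though the file's first line pins it (`From 2ce40b6ad72b4bd4391380cafc5ef1bad1fa0b31`) while the spec's added `Patch0:` line points at the pull-request endpoint `pull/3468.patch`, which tracks the PR rather than a fixed commit. rpmbuild uses only the basename of that URL and reads this local file, so the build itself is pinned, but a reader of the spec cannot verify that the two match; a comment above `Patch0:` such as `# upstream PR 3468, commit 2ce40b6ad72b: remove tun/tap from default device rules` would close that gap. The patch also narrows runc's default device allow-list (the `c 10:200 rwm` tuntap rule removed from `AllowedDevices` in spec_linux.go), which is the right least-privilege default but is user-visible: containers that relied on implicit tun/tap access must now declare the device explicitly in their configuration. The new side of the `%changelog` in the spec mentions neither the added patch nor this behavior change, so the changelog entry for the build that introduces `Patch0` should say so. The devicefilter_test.go hunk inside this patch starts mid-function; its enclosing test function is outside the view.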


@ -33,6 +33,7 @@ ExcludeArch: %{ix86}
License: ASL 2.0 License: ASL 2.0
URL: %{git0} URL: %{git0}
Source0: %{git0}/archive/v%{version}.tar.gz Source0: %{git0}/archive/v%{version}.tar.gz
Patch0: https://patch-diff.githubusercontent.com/raw/opencontainers/runc/pull/3468.patch
Provides: oci-runtime Provides: oci-runtime
BuildRequires: golang >= 1.17.7 BuildRequires: golang >= 1.17.7
BuildRequires: git BuildRequires: git
@ -85,17 +86,12 @@ make install install-man install-bash DESTDIR=$RPM_BUILD_ROOT PREFIX=%{_prefix}
%{_datadir}/bash-completion/completions/%{name} %{_datadir}/bash-completion/completions/%{name}
%changelog %changelog
* Fri Aug 26 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.1.4-1 * Mon Aug 29 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.1.4-1
- update to https://github.com/opencontainers/runc/releases/tag/v1.1.4 - update to https://github.com/opencontainers/runc/releases/tag/v1.1.4
- Related: #2061390 - Related: #2061390
* Thu Aug 25 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.1.3-3 * Mon Jun 13 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.1.3-2
- fix "Error: runc: exec failed: unable to start container process: - update to https://github.com/opencontainers/runc/releases/tag/v1.1.3
open /dev/pts/0: operation not permitted: OCI permission denied"
- Related: #2061390
* Wed Jun 15 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.1.3-2
- add patch in attempt to fix gating tests - thanks to Kir Kolyshkin
- Related: #2061390 - Related: #2061390
* Thu Jun 09 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.1.3-1 * Thu Jun 09 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.1.3-1
@ -106,23 +102,16 @@ make install install-man install-bash DESTDIR=$RPM_BUILD_ROOT PREFIX=%{_prefix}
- update to https://github.com/opencontainers/runc/releases/tag/v1.1.2 - update to https://github.com/opencontainers/runc/releases/tag/v1.1.2
- Related: #2061390 - Related: #2061390
* Thu May 12 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.0.3-6 * Fri Apr 08 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.0.3-3
- Fix every podman run invocation generates two "Couldn't stat device - bump golang BR to 1.17.7
/dev/char/10:200: No such file or directory" lines in the journal
- Related: #2061390 - Related: #2061390
* Wed May 11 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.0.3-5 * Fri Mar 11 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.0.3-2
- BuildRequires: /usr/bin/go-md2man
- Related: #2061390
* Fri Apr 08 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.0.3-4
- Related: #2061390
* Tue Mar 08 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.0.3-3
- require at least libseccomp >= 2.5 - require at least libseccomp >= 2.5
- Resolves: #2053990 - Resolves: #2053990
- Related: #2061390
* Wed Feb 16 2022 Jindrich Novy <jnovy@redhat.com> - 1.0.3-2 * Fri Feb 18 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.0.3-1
- rollback to 1.0.3 due to gating test issues - rollback to 1.0.3 due to gating test issues
- Related: #2001445 - Related: #2001445