import runc-1.1.4-1.module+el8.7.0+16772+33343656

2022-11-08 01:41:19 -05:00 · 2022-11-08 01:41:19 -05:00 · 890cfe570a
commit 890cfe570a
parent a0bcf48f66
6 changed files with 32 additions and 260 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/v1.1.3.tar.gz
+SOURCES/v1.1.4.tar.gz
--- a/.runc.metadata
+++ b/.runc.metadata
@ -1 +1 @@
-9ad2300d41deb361ced92112366d0c8801d00050 SOURCES/v1.1.3.tar.gz
+fb65327930c41c8ec016badd6738bef83b556aed SOURCES/v1.1.4.tar.gz
--- a/SOURCES/3468.patch
+++ b/SOURCES/3468.patch
@ -1,84 +0,0 @@
-From 2ce40b6ad72b4bd4391380cafc5ef1bad1fa0b31 Mon Sep 17 00:00:00 2001
-From: Kir Kolyshkin <kolyshkin@gmail.com>
-Date: Wed, 4 May 2022 14:56:16 -0700
-Subject: [PATCH] Remove tun/tap from the default device rules
-
-Looking through git blame, this was added by commit 9fac18329
-aka "Initial commit of runc binary", most probably by mistake.
-
-Obviously, a container should not have access to tun/tap device, unless
-it is explicitly specified in configuration.
-
-Now, removing this might create a compatibility issue, but I see no
-other choice.
-
-Aside from the obvious misconfiguration, this should also fix the
-annoying
-
-> Apr 26 03:46:56 foo.bar systemd[1]: Couldn't stat device /dev/char/10:200: No such file or directory
-
-messages from systemd on every container start, when runc uses systemd
-cgroup driver, and the system runs an old (< v240) version of systemd
-(the message was presumably eliminated by [1]).
-
-[1] https://github.com/systemd/systemd/pull/10996/commits/d5aecba6e0b7c73657c4cf544ce57289115098e7
-
-Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
---
- .../ebpf/devicefilter/devicefilter_test.go    | 19 ++++++-------------
- libcontainer/specconv/spec_linux.go           | 10 ----------
- 2 files changed, 6 insertions(+), 23 deletions(-)
-
-diff --git a/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go b/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go
-index d279335821..25703be5ad 100644
--- a/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go
-+++ b/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go
-@@ -120,21 +120,14 @@ block-8:
-         51: Mov32Imm dst: r0 imm: 1
-         52: Exit
- block-9:
-// tuntap (c, 10, 200, rwm, allow)
-+// /dev/pts (c, 136, wildcard, rwm, true)
-         53: JNEImm dst: r2 off: -1 imm: 2 <block-10>
-        54: JNEImm dst: r4 off: -1 imm: 10 <block-10>
-        55: JNEImm dst: r5 off: -1 imm: 200 <block-10>
-        56: Mov32Imm dst: r0 imm: 1
-        57: Exit
-+        54: JNEImm dst: r4 off: -1 imm: 136 <block-10>
-+        55: Mov32Imm dst: r0 imm: 1
-+        56: Exit
- block-10:
-// /dev/pts (c, 136, wildcard, rwm, true)
-        58: JNEImm dst: r2 off: -1 imm: 2 <block-11>
-        59: JNEImm dst: r4 off: -1 imm: 136 <block-11>
-        60: Mov32Imm dst: r0 imm: 1
-        61: Exit
-block-11:
-        62: Mov32Imm dst: r0 imm: 0
-        63: Exit
-+        57: Mov32Imm dst: r0 imm: 0
-+        58: Exit
- `
- 	var devices []*devices.Rule
- 	for _, device := range specconv.AllowedDevices {
-diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go
-index 5ae95c6c18..83c7a2c348 100644
--- a/libcontainer/specconv/spec_linux.go
-+++ b/libcontainer/specconv/spec_linux.go
-@@ -302,16 +302,6 @@ var AllowedDevices = []*devices.Device{
- 			Allow:       true,
- 		},
- 	},
-	// tuntap
-	{
-		Rule: devices.Rule{
-			Type:        devices.CharDevice,
-			Major:       10,
-			Minor:       200,
-			Permissions: "rwm",
-			Allow:       true,
-		},
-	},
- }
- 
- type CreateOpts struct {
--- a/SOURCES/3511.patch
+++ b/SOURCES/3511.patch
@ -1,66 +0,0 @@
-From 62b0c31d4b940ff93a23ac6fdb3a6ef345910abf Mon Sep 17 00:00:00 2001
-From: Kir Kolyshkin <kolyshkin@gmail.com>
-Date: Tue, 14 Jun 2022 17:19:10 -0700
-Subject: [PATCH] libct: fix mounting via wrong proc fd
-
-Due to a bug in commit 9c444070ec7, when the user and mount namespaces
-are used, and the bind mount is followed by the cgroup mount in the
-spec, the cgroup is mounted using the bind mount's mount fd.
-
-This can be reproduced with podman 4.1 (when configured to use runc):
-
-$ podman run --uidmap 0:100:10000 quay.io/libpod/testimage:20210610 mount
-Error: /home/kir/git/runc/runc: runc create failed: unable to start container process: error during container init: error mounting "cgroup" to rootfs at "/sys/fs/cgroup": mount /proc/self/fd/11:/sys/fs/cgroup/systemd (via /proc/self/fd/12), flags: 0x20502f: operation not permitted: OCI permission denied
-
-or manually with the spec mounts containing something like this:
-
-    {
-      "destination": "/etc/resolv.conf",
-      "type": "bind",
-      "source": "/userdata/resolv.conf",
-      "options": [
-        "bind"
-      ]
-    },
-    {
-      "destination": "/sys/fs/cgroup",
-      "type": "cgroup",
-      "source": "cgroup",
-      "options": [
-        "rprivate",
-        "nosuid",
-        "noexec",
-        "nodev",
-        "relatime",
-        "ro"
-      ]
-    }
-
-The issue was not found earlier since it requires using userns, and even then
-mount fd is ignored by mountToRootfs, except for bind mounts, and all the bind
-mounts have mountfd set, except for the case of cgroup v1's /sys/fs/cgroup
-which is internally transformed into a bunch of bind mounts.
-
-This is a minimal fix for the issue, suitable for backporting.
-
-Fixes: 9c444070ec7 ("Open bind mount sources from the host userns")
-Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
-(cherry picked from commit b3aa20af7fb67ee1f2b381f3c82329e73c7d3a0c)
-Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
---
- libcontainer/rootfs_linux.go | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
-index 3cfd2bf1e4..ec7638e4d5 100644
--- a/libcontainer/rootfs_linux.go
-+++ b/libcontainer/rootfs_linux.go
-@@ -80,6 +80,8 @@ func prepareRootfs(pipe io.ReadWriter, iConfig *initConfig, mountFds []int) (err
- 		// Therefore, we can access mountFds[i] without any concerns.
- 		if mountFds != nil && mountFds[i] != -1 {
- 			mountConfig.fd = &mountFds[i]
-+		} else {
-+			mountConfig.fd = nil
- 		}
- 
- 		if err := mountToRootfs(m, mountConfig); err != nil {
--- a/SOURCES/3554.patch
+++ b/SOURCES/3554.patch
@ -1,93 +0,0 @@
-From 204c673cced91b03aa337c804ab8b31a452c6777 Mon Sep 17 00:00:00 2001
-From: Kir Kolyshkin <kolyshkin@gmail.com>
-Date: Wed, 10 Aug 2022 17:09:23 -0700
-Subject: [PATCH] [1.1] fix failed exec after systemctl daemon-reload
-
-A regression reported for runc v1.1.3 says that "runc exec -t" fails
-after doing "systemctl daemon-reload":
-
-> exec failed: unable to start container process: open /dev/pts/0: operation not permitted: unknown
-
-Apparently, with commit 7219387eb7db69b we are no longer adding
-"DeviceAllow=char-pts rwm" rule (because os.Stat("char-pts") returns
-ENOENT).
-
-The bug can only be seen after "systemctl daemon-reload" because runc
-also applies the same rules manually (by writing to devices.allow for
-cgroup v1), and apparently reloading systemd leads to re-applying the
-rules that systemd has (thus removing the char-pts access).
-
-The fix is to do os.Stat only for "/dev" paths.
-
-Also, emit a warning that the path was skipped. Since the original idea
-was to emit less warnings, demote the level to debug.
-
-Note this also fixes the issue of not adding "m" permission for block-*
-and char-* devices.
-
-A test case is added, which reliably fails before the fix
-on both cgroup v1 and v2.
-
-This is a backport of commit 58b1374f0ad98cc9390adc43dc22ddbb4f84d72e
-to release-1.1 branch.
-
-Fixes: https://github.com/opencontainers/runc/issues/3551
-Fixes: 7219387eb7db69b4dae740c9d37d973d9a735801
-Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
---
- libcontainer/cgroups/systemd/common.go | 16 +++++++++-------
- tests/integration/dev.bats             | 16 ++++++++++++++++
- 2 files changed, 25 insertions(+), 7 deletions(-)
-
-diff --git a/libcontainer/cgroups/systemd/common.go b/libcontainer/cgroups/systemd/common.go
-index 5a68a3cf39..45744c15c0 100644
--- a/libcontainer/cgroups/systemd/common.go
-+++ b/libcontainer/cgroups/systemd/common.go
-@@ -288,14 +288,16 @@ func generateDeviceProperties(r *configs.Resources) ([]systemdDbus.Property, err
- 			case devices.CharDevice:
- 				entry.Path = fmt.Sprintf("/dev/char/%d:%d", rule.Major, rule.Minor)
- 			}
-+			// systemd will issue a warning if the path we give here doesn't exist.
-+			// Since all of this logic is best-effort anyway (we manually set these
-+			// rules separately to systemd) we can safely skip entries that don't
-+			// have a corresponding path.
-+			if _, err := os.Stat(entry.Path); err != nil {
-+				logrus.Debugf("skipping device %s for systemd: %s", entry.Path, err)
-+				continue
-+			}
- 		}
-		// systemd will issue a warning if the path we give here doesn't exist.
-		// Since all of this logic is best-effort anyway (we manually set these
-		// rules separately to systemd) we can safely skip entries that don't
-		// have a corresponding path.
-		if _, err := os.Stat(entry.Path); err == nil {
-			deviceAllowList = append(deviceAllowList, entry)
-		}
-+		deviceAllowList = append(deviceAllowList, entry)
- 	}
- 
- 	properties = append(properties, newProp("DeviceAllow", deviceAllowList))
-diff --git a/tests/integration/dev.bats b/tests/integration/dev.bats
-index 01f6778598..243315717a 100644
--- a/tests/integration/dev.bats
-+++ b/tests/integration/dev.bats
-@@ -128,3 +128,19 @@ function teardown() {
- 	runc exec test_allow_block sh -c 'fdisk -l '"$device"''
- 	[ "$status" -eq 0 ]
- }
-+
-+# https://github.com/opencontainers/runc/issues/3551
-+@test "runc exec vs systemctl daemon-reload" {
-+	requires systemd root
-+
-+	runc run -d --console-socket "$CONSOLE_SOCKET" test_exec
-+	[ "$status" -eq 0 ]
-+
-+	runc exec -t test_exec sh -c "ls -l /proc/self/fd/0; echo 123"
-+	[ "$status" -eq 0 ]
-+
-+	systemctl daemon-reload
-+
-+	runc exec -t test_exec sh -c "ls -l /proc/self/fd/0; echo 123"
-+	[ "$status" -eq 0 ]
-+}
--- a/SPECS/runc.spec
+++ b/SPECS/runc.spec
@ -22,8 +22,8 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl

 Epoch: 1
 Name: %{repo}
-Version: 1.1.3
-Release: 3%{?dist}
+Version: 1.1.4
+Release: 1%{?dist}
 Summary: CLI for running Open Containers
 # https://fedoraproject.org/wiki/PackagingDrafts/Go#Go_Language_Architectures
 #ExclusiveArch: %%{go_arches}
@ -33,9 +33,6 @@ ExcludeArch: %{ix86}
 License: ASL 2.0
 URL: %{git0}
 Source0: %{git0}/archive/v%{version}.tar.gz
-Patch0: https://patch-diff.githubusercontent.com/raw/opencontainers/runc/pull/3468.patch
-Patch1: https://patch-diff.githubusercontent.com/raw/opencontainers/runc/pull/3511.patch
-Patch2: https://patch-diff.githubusercontent.com/raw/opencontainers/runc/pull/3554.patch
 Provides: oci-runtime
 BuildRequires: golang >= 1.17.7
 BuildRequires: git
@ -88,37 +85,55 @@ make install install-man install-bash DESTDIR=$RPM_BUILD_ROOT PREFIX=%{_prefix}
 %{_datadir}/bash-completion/completions/%{name}

 %changelog
-* Thu Oct 20 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.1.3-3
+* Fri Aug 26 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.1.4-1
+- update to https://github.com/opencontainers/runc/releases/tag/v1.1.4
+- Related: #2061390
+
+* Thu Aug 25 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.1.3-3
 - fix "Error: runc: exec failed: unable to start container process:
  open /dev/pts/0: operation not permitted: OCI permission denied"
- Resolves: #2117928
+- Related: #2061390

 * Wed Jun 15 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.1.3-2
 - add patch in attempt to fix gating tests - thanks to Kir Kolyshkin
 - Related: #2061390

-* Mon Jun 13 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.1.3-1
+* Thu Jun 09 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.1.3-1
 - update to https://github.com/opencontainers/runc/releases/tag/v1.1.3
 - Related: #2061390

-* Tue Jun 07 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.1.2-1
+* Fri Jun 03 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.1.2-1
 - update to https://github.com/opencontainers/runc/releases/tag/v1.1.2
 - Related: #2061390

-* Wed Apr 27 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.0.3-4
+* Thu May 12 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.0.3-6
+- Fix every podman run invocation generates two "Couldn't stat device
+  /dev/char/10:200: No such file or directory" lines in the journal
 - Related: #2061390

-* Wed Apr 06 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.0.3-3
+* Wed May 11 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.0.3-5
+- BuildRequires: /usr/bin/go-md2man
+- Related: #2061390
+
+* Fri Apr 08 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.0.3-4
+- Related: #2061390
+
+* Tue Mar 08 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.0.3-3
 - require at least libseccomp >= 2.5
 - Resolves: #2053990

-* Tue Mar 08 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.0.3-2
- require at least libseccomp >= 2.5
-
-* Mon Mar 07 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.0.3-1
+* Wed Feb 16 2022 Jindrich Novy <jnovy@redhat.com> - 1.0.3-2
 - rollback to 1.0.3 due to gating test issues
 - Related: #2001445

+* Tue Jan 18 2022 Jindrich Novy <jnovy@redhat.com> - 1.1.0-1
+- update to https://github.com/opencontainers/runc/releases/tag/v1.1.0
+- Related: #2001445
+
+* Mon Dec 06 2021 Jindrich Novy <jnovy@redhat.com> - 1.0.3-1
+- update to https://github.com/opencontainers/runc/releases/tag/v1.0.3
+- Related: #2001445
+
 * Wed Aug 25 2021 Jindrich Novy <jnovy@redhat.com> - 1.0.2-1
 - update to https://github.com/opencontainers/runc/releases/tag/v1.0.2
 - Related: #1934415