rpms/runc
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import runc-1.1.4-1.module+el8.7.0+16772+33343656

Browse Source
This commit is contained in:
CentOS Sources 2022-11-08 01:41:19 -05:00 committed by Stepan Oksanichenko
parent a0bcf48f66
commit 890cfe570a
6 changed files with 32 additions and 260 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/v1.1.3.tar.gz SOURCES/v1.1.4.tar.gz

2
.runc.metadata
View File

@ -1 +1 @@
9ad2300d41deb361ced92112366d0c8801d00050 SOURCES/v1.1.3.tar.gz fb65327930c41c8ec016badd6738bef83b556aed SOURCES/v1.1.4.tar.gz

84
SOURCES/3468.patch
View File

@ -1,84 +0,0 @@
From 2ce40b6ad72b4bd4391380cafc5ef1bad1fa0b31 Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin <kolyshkin@gmail.com>
Date: Wed, 4 May 2022 14:56:16 -0700
Subject: [PATCH] Remove tun/tap from the default device rules
Looking through git blame, this was added by commit 9fac18329
aka "Initial commit of runc binary", most probably by mistake.
Obviously, a container should not have access to tun/tap device, unless
it is explicitly specified in configuration.
Now, removing this might create a compatibility issue, but I see no
other choice.
Aside from the obvious misconfiguration, this should also fix the
annoying
> Apr 26 03:46:56 foo.bar systemd[1]: Couldn't stat device /dev/char/10:200: No such file or directory
messages from systemd on every container start, when runc uses systemd
cgroup driver, and the system runs an old (< v240) version of systemd
(the message was presumably eliminated by [1]).
[1] https://github.com/systemd/systemd/pull/10996/commits/d5aecba6e0b7c73657c4cf544ce57289115098e7
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
---
.../ebpf/devicefilter/devicefilter_test.go | 19 ++++++-------------
libcontainer/specconv/spec_linux.go | 10 ----------
2 files changed, 6 insertions(+), 23 deletions(-)
diff --git a/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go b/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go
index d279335821..25703be5ad 100644
--- a/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go
+++ b/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go
@@ -120,21 +120,14 @@ block-8:
51: Mov32Imm dst: r0 imm: 1
52: Exit
block-9:
-// tuntap (c, 10, 200, rwm, allow)
+// /dev/pts (c, 136, wildcard, rwm, true)
53: JNEImm dst: r2 off: -1 imm: 2 <block-10>
- 54: JNEImm dst: r4 off: -1 imm: 10 <block-10>
- 55: JNEImm dst: r5 off: -1 imm: 200 <block-10>
- 56: Mov32Imm dst: r0 imm: 1
- 57: Exit
+ 54: JNEImm dst: r4 off: -1 imm: 136 <block-10>
+ 55: Mov32Imm dst: r0 imm: 1
+ 56: Exit
block-10:
-// /dev/pts (c, 136, wildcard, rwm, true)
- 58: JNEImm dst: r2 off: -1 imm: 2 <block-11>
- 59: JNEImm dst: r4 off: -1 imm: 136 <block-11>
- 60: Mov32Imm dst: r0 imm: 1
- 61: Exit
-block-11:
- 62: Mov32Imm dst: r0 imm: 0
- 63: Exit
+ 57: Mov32Imm dst: r0 imm: 0
+ 58: Exit
`
var devices []*devices.Rule
for _, device := range specconv.AllowedDevices {
diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go
index 5ae95c6c18..83c7a2c348 100644
--- a/libcontainer/specconv/spec_linux.go
+++ b/libcontainer/specconv/spec_linux.go
@@ -302,16 +302,6 @@ var AllowedDevices = []*devices.Device{
Allow: true,
},
},
- // tuntap
- {
- Rule: devices.Rule{
- Type: devices.CharDevice,
- Major: 10,
- Minor: 200,
- Permissions: "rwm",
- Allow: true,
- },
- },
}
type CreateOpts struct {

66
SOURCES/3511.patch
View File

@ -1,66 +0,0 @@
From 62b0c31d4b940ff93a23ac6fdb3a6ef345910abf Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin <kolyshkin@gmail.com>
Date: Tue, 14 Jun 2022 17:19:10 -0700
Subject: [PATCH] libct: fix mounting via wrong proc fd
Due to a bug in commit 9c444070ec7, when the user and mount namespaces
are used, and the bind mount is followed by the cgroup mount in the
spec, the cgroup is mounted using the bind mount's mount fd.
This can be reproduced with podman 4.1 (when configured to use runc):
$ podman run --uidmap 0:100:10000 quay.io/libpod/testimage:20210610 mount
Error: /home/kir/git/runc/runc: runc create failed: unable to start container process: error during container init: error mounting "cgroup" to rootfs at "/sys/fs/cgroup": mount /proc/self/fd/11:/sys/fs/cgroup/systemd (via /proc/self/fd/12), flags: 0x20502f: operation not permitted: OCI permission denied
or manually with the spec mounts containing something like this:
{
"destination": "/etc/resolv.conf",
"type": "bind",
"source": "/userdata/resolv.conf",
"options": [
"bind"
]
},
{
"destination": "/sys/fs/cgroup",
"type": "cgroup",
"source": "cgroup",
"options": [
"rprivate",
"nosuid",
"noexec",
"nodev",
"relatime",
"ro"
]
}
The issue was not found earlier since it requires using userns, and even then
mount fd is ignored by mountToRootfs, except for bind mounts, and all the bind
mounts have mountfd set, except for the case of cgroup v1's /sys/fs/cgroup
which is internally transformed into a bunch of bind mounts.
This is a minimal fix for the issue, suitable for backporting.
Fixes: 9c444070ec7 ("Open bind mount sources from the host userns")
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit b3aa20af7fb67ee1f2b381f3c82329e73c7d3a0c)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
---
libcontainer/rootfs_linux.go | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
index 3cfd2bf1e4..ec7638e4d5 100644
--- a/libcontainer/rootfs_linux.go
+++ b/libcontainer/rootfs_linux.go
@@ -80,6 +80,8 @@ func prepareRootfs(pipe io.ReadWriter, iConfig *initConfig, mountFds []int) (err
// Therefore, we can access mountFds[i] without any concerns.
if mountFds != nil && mountFds[i] != -1 {
mountConfig.fd = &mountFds[i]
+ } else {
+ mountConfig.fd = nil
}
if err := mountToRootfs(m, mountConfig); err != nil {

93
SOURCES/3554.patch
View File

@ -1,93 +0,0 @@
From 204c673cced91b03aa337c804ab8b31a452c6777 Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin <kolyshkin@gmail.com>
Date: Wed, 10 Aug 2022 17:09:23 -0700
Subject: [PATCH] [1.1] fix failed exec after systemctl daemon-reload
A regression reported for runc v1.1.3 says that "runc exec -t" fails
after doing "systemctl daemon-reload":
> exec failed: unable to start container process: open /dev/pts/0: operation not permitted: unknown
Apparently, with commit 7219387eb7db69b we are no longer adding
"DeviceAllow=char-pts rwm" rule (because os.Stat("char-pts") returns
ENOENT).
The bug can only be seen after "systemctl daemon-reload" because runc
also applies the same rules manually (by writing to devices.allow for
cgroup v1), and apparently reloading systemd leads to re-applying the
rules that systemd has (thus removing the char-pts access).
The fix is to do os.Stat only for "/dev" paths.
Also, emit a warning that the path was skipped. Since the original idea
was to emit less warnings, demote the level to debug.
Note this also fixes the issue of not adding "m" permission for block-*
and char-* devices.
A test case is added, which reliably fails before the fix
on both cgroup v1 and v2.
This is a backport of commit 58b1374f0ad98cc9390adc43dc22ddbb4f84d72e
to release-1.1 branch.
Fixes: https://github.com/opencontainers/runc/issues/3551
Fixes: 7219387eb7db69b4dae740c9d37d973d9a735801
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
---
libcontainer/cgroups/systemd/common.go | 16 +++++++++-------
tests/integration/dev.bats | 16 ++++++++++++++++
2 files changed, 25 insertions(+), 7 deletions(-)
diff --git a/libcontainer/cgroups/systemd/common.go b/libcontainer/cgroups/systemd/common.go
index 5a68a3cf39..45744c15c0 100644
--- a/libcontainer/cgroups/systemd/common.go
+++ b/libcontainer/cgroups/systemd/common.go
@@ -288,14 +288,16 @@ func generateDeviceProperties(r *configs.Resources) ([]systemdDbus.Property, err
case devices.CharDevice:
entry.Path = fmt.Sprintf("/dev/char/%d:%d", rule.Major, rule.Minor)
}
+ // systemd will issue a warning if the path we give here doesn't exist.
+ // Since all of this logic is best-effort anyway (we manually set these
+ // rules separately to systemd) we can safely skip entries that don't
+ // have a corresponding path.
+ if _, err := os.Stat(entry.Path); err != nil {
+ logrus.Debugf("skipping device %s for systemd: %s", entry.Path, err)
+ continue
+ }
}
- // systemd will issue a warning if the path we give here doesn't exist.
- // Since all of this logic is best-effort anyway (we manually set these
- // rules separately to systemd) we can safely skip entries that don't
- // have a corresponding path.
- if _, err := os.Stat(entry.Path); err == nil {
- deviceAllowList = append(deviceAllowList, entry)
- }
+ deviceAllowList = append(deviceAllowList, entry)
}
properties = append(properties, newProp("DeviceAllow", deviceAllowList))
diff --git a/tests/integration/dev.bats b/tests/integration/dev.bats
index 01f6778598..243315717a 100644
--- a/tests/integration/dev.bats
+++ b/tests/integration/dev.bats
@@ -128,3 +128,19 @@ function teardown() {
runc exec test_allow_block sh -c 'fdisk -l '"$device"''
[ "$status" -eq 0 ]
}
+
+# https://github.com/opencontainers/runc/issues/3551
+@test "runc exec vs systemctl daemon-reload" {
+ requires systemd root
+
+ runc run -d --console-socket "$CONSOLE_SOCKET" test_exec
+ [ "$status" -eq 0 ]
+
+ runc exec -t test_exec sh -c "ls -l /proc/self/fd/0; echo 123"
+ [ "$status" -eq 0 ]
+
+ systemctl daemon-reload
+
+ runc exec -t test_exec sh -c "ls -l /proc/self/fd/0; echo 123"
+ [ "$status" -eq 0 ]
+}

45
SPECS/runc.spec
View File

@ -22,8 +22,8 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl
Epoch: 1 Epoch: 1
Name: %{repo} Name: %{repo}
Version: 1.1.3 Version: 1.1.4
Release: 3%{?dist} Release: 1%{?dist}
Summary: CLI for running Open Containers Summary: CLI for running Open Containers
# https://fedoraproject.org/wiki/PackagingDrafts/Go#Go_Language_Architectures # https://fedoraproject.org/wiki/PackagingDrafts/Go#Go_Language_Architectures
#ExclusiveArch: %%{go_arches} #ExclusiveArch: %%{go_arches}
@ -33,9 +33,6 @@ ExcludeArch: %{ix86}
License: ASL 2.0 License: ASL 2.0
URL: %{git0} URL: %{git0}
Source0: %{git0}/archive/v%{version}.tar.gz Source0: %{git0}/archive/v%{version}.tar.gz
Patch0: https://patch-diff.githubusercontent.com/raw/opencontainers/runc/pull/3468.patch
Patch1: https://patch-diff.githubusercontent.com/raw/opencontainers/runc/pull/3511.patch
Patch2: https://patch-diff.githubusercontent.com/raw/opencontainers/runc/pull/3554.patch
Provides: oci-runtime Provides: oci-runtime
BuildRequires: golang >= 1.17.7 BuildRequires: golang >= 1.17.7
BuildRequires: git BuildRequires: git
@ -88,37 +85,55 @@ make install install-man install-bash DESTDIR=$RPM_BUILD_ROOT PREFIX=%{_prefix}
%{_datadir}/bash-completion/completions/%{name} %{_datadir}/bash-completion/completions/%{name}
%changelog %changelog
* Thu Oct 20 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.1.3-3 * Fri Aug 26 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.1.4-1
- update to https://github.com/opencontainers/runc/releases/tag/v1.1.4
- Related: #2061390
* Thu Aug 25 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.1.3-3
- fix "Error: runc: exec failed: unable to start container process: - fix "Error: runc: exec failed: unable to start container process:
open /dev/pts/0: operation not permitted: OCI permission denied" open /dev/pts/0: operation not permitted: OCI permission denied"
- Resolves: #2117928 - Related: #2061390
* Wed Jun 15 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.1.3-2 * Wed Jun 15 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.1.3-2
- add patch in attempt to fix gating tests - thanks to Kir Kolyshkin - add patch in attempt to fix gating tests - thanks to Kir Kolyshkin
- Related: #2061390 - Related: #2061390
* Mon Jun 13 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.1.3-1 * Thu Jun 09 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.1.3-1
- update to https://github.com/opencontainers/runc/releases/tag/v1.1.3 - update to https://github.com/opencontainers/runc/releases/tag/v1.1.3
- Related: #2061390 - Related: #2061390
* Tue Jun 07 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.1.2-1 * Fri Jun 03 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.1.2-1
- update to https://github.com/opencontainers/runc/releases/tag/v1.1.2 - update to https://github.com/opencontainers/runc/releases/tag/v1.1.2
- Related: #2061390 - Related: #2061390
* Wed Apr 27 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.0.3-4 * Thu May 12 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.0.3-6
- Fix every podman run invocation generates two "Couldn't stat device
/dev/char/10:200: No such file or directory" lines in the journal
- Related: #2061390 - Related: #2061390
* Wed Apr 06 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.0.3-3 * Wed May 11 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.0.3-5
- BuildRequires: /usr/bin/go-md2man
- Related: #2061390
* Fri Apr 08 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.0.3-4
- Related: #2061390
* Tue Mar 08 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.0.3-3
- require at least libseccomp >= 2.5 - require at least libseccomp >= 2.5
- Resolves: #2053990 - Resolves: #2053990
* Tue Mar 08 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.0.3-2 * Wed Feb 16 2022 Jindrich Novy <jnovy@redhat.com> - 1.0.3-2
- require at least libseccomp >= 2.5
* Mon Mar 07 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.0.3-1
- rollback to 1.0.3 due to gating test issues - rollback to 1.0.3 due to gating test issues
- Related: #2001445 - Related: #2001445
* Tue Jan 18 2022 Jindrich Novy <jnovy@redhat.com> - 1.1.0-1
- update to https://github.com/opencontainers/runc/releases/tag/v1.1.0
- Related: #2001445
* Mon Dec 06 2021 Jindrich Novy <jnovy@redhat.com> - 1.0.3-1
- update to https://github.com/opencontainers/runc/releases/tag/v1.0.3
- Related: #2001445
* Wed Aug 25 2021 Jindrich Novy <jnovy@redhat.com> - 1.0.2-1 * Wed Aug 25 2021 Jindrich Novy <jnovy@redhat.com> - 1.0.2-1
- update to https://github.com/opencontainers/runc/releases/tag/v1.0.2 - update to https://github.com/opencontainers/runc/releases/tag/v1.0.2
- Related: #1934415 - Related: #1934415