import runc-1.0.0-72.rc92.module+el8.4.0+12507+7f8c8fd7

SOURCES/2614.patch

@@ -0,0 +1,57 @@
+From 38447895a54daf52e9ec7670401554ae921a96b3 Mon Sep 17 00:00:00 2001
+From: Kir Kolyshkin <kolyshkin@gmail.com>
+Date: Tue, 29 Sep 2020 17:18:29 -0700
+Subject: [PATCH] libct/cgroups/systemd: eliminate runc/systemd race
+
+In case it takes more than 1 second for systemd to create a unit,
+startUnit() times out with a warning and then runc proceeds
+(to create cgroups using fs manager and so on).
+
+Now runc and systemd are racing, and multiple scenarios are possible.
+
+In one such scenario, by the time runc calls systemd manager's Apply()
+the unit is not yet created, the dbusConnection.SetUnitProperties()
+call fails with "unit xxx.scope not found", and the whole container
+start also fails.
+
+To eliminate the race, we need to return an error in case the timeout is
+hit.
+
+To reduce the chance to fail, increase the timeout from 1 to 30 seconds,
+to not error out too early on a busy/slow system (and times like 3-5
+seconds are not unrealistic).
+
+While at it, as the timeout is quite long now, make sure to not leave
+a stray timer.
+
+Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
+---
+ libcontainer/cgroups/systemd/common.go | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/libcontainer/cgroups/systemd/common.go b/libcontainer/cgroups/systemd/common.go
+index b567f3e1fc..3f18f7cd0b 100644
+--- a/libcontainer/cgroups/systemd/common.go
++++ b/libcontainer/cgroups/systemd/common.go
+@@ -325,6 +325,9 @@ func isUnitExists(err error) bool {
+ func startUnit(dbusConnection *systemdDbus.Conn, unitName string, properties []systemdDbus.Property) error {
+ 	statusChan := make(chan string, 1)
+ 	if _, err := dbusConnection.StartTransientUnit(unitName, "replace", properties, statusChan); err == nil {
++		timeout := time.NewTimer(30 * time.Second)
++		defer timeout.Stop()
++
+ 		select {
+ 		case s := <-statusChan:
+ 			close(statusChan)
+@@ -333,8 +336,9 @@ func startUnit(dbusConnection *systemdDbus.Conn, unitName string, properties []s
+ 				dbusConnection.ResetFailedUnit(unitName)
+ 				return errors.Errorf("error creating systemd unit `%s`: got `%s`", unitName, s)
+ 			}
+-		case <-time.After(time.Second):
+-			logrus.Warnf("Timed out while waiting for StartTransientUnit(%s) completion signal from dbus. Continuing...", unitName)
++		case <-timeout.C:
++			dbusConnection.ResetFailedUnit(unitName)
++			return errors.New("Timeout waiting for systemd to create " + unitName)
+ 		}
+ 	} else if !isUnitExists(err) {
+ 		return err

SPECS/runc.spec

@@ -23,7 +23,7 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl
 
 Name: %{repo}
 Version: 1.0.0
-Release: 71.%{release_candidate}%{?dist}
+Release: 72.%{release_candidate}%{?dist}
 Summary: CLI for running Open Containers
 # https://fedoraproject.org/wiki/PackagingDrafts/Go#Go_Language_Architectures
 #ExclusiveArch: %%{go_arches}
@@ -34,6 +34,7 @@ License: ASL 2.0
 URL: %{git0}
 Source0: %{git0}/archive/v1.0.0-%{release_candidate}.tar.gz
 Patch0: 0001-rc92-rootfs-add-mount-destination-validation.patch
+Patch1: 2614.patch
 Provides: oci-runtime = 1
 BuildRequires: golang >= 1.12.12-4
 BuildRequires: git
@@ -91,6 +92,10 @@ install -p -m 0644 contrib/completions/bash/%{name} %{buildroot}%{_datadir}/bash
 %{_datadir}/bash-completion/completions/%{name}
 
 %changelog
+* Thu Aug 05 2021 Jindrich Novy <jnovy@redhat.com> - 1.0.0-72.rc92
+- fix "Under load, container failed to be created due to missing cgroup scope"
+- Resolves: #1999264
+
 * Fri May 21 2021 Jindrich Novy <jnovy@redhat.com> - 1.0.0-71.rc92
 - fix CVE-2021-30465
 - Related: #1955655