import runc-1.1.3-3.module+el8.6.0+16986+c8760fe3

CentOS Sources 2022-10-27 07:13:43 -04:00 committed by Stepan Oksanichenko
parent 22dd030740
commit a0bcf48f66
2 changed files with 100 additions and 1 deletions

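--- a/SOURCES/3554.patch
+++ b/SOURCES/3554.patch
@@ -0,0 +1,93 @@
+From 204c673cced91b03aa337c804ab8b31a452c6777 Mon Sep 17 00:00:00 2001
+From: Kir Kolyshkin <kolyshkin@gmail.com>
+Date: Wed, 10 Aug 2022 17:09:23 -0700
+Subject: [PATCH] [1.1] fix failed exec after systemctl daemon-reload
+A regression reported for runc v1.1.3 says that "runc exec -t" fails
+after doing "systemctl daemon-reload":
+> exec failed: unable to start container process: open /dev/pts/0: operation not permitted: unknown
+Apparently, with commit 7219387eb7db69b we are no longer adding
+"DeviceAllow=char-pts rwm" rule (because os.Stat("char-pts") returns
+ENOENT).
+The bug can only be seen after "systemctl daemon-reload" because runc
+also applies the same rules manually (by writing to devices.allow for
+cgroup v1), and apparently reloading systemd leads to re-applying the
+rules that systemd has (thus removing the char-pts access).
+The fix is to do os.Stat only for "/dev" paths.
+Also, emit a warning that the path was skipped. Since the original idea
+was to emit less warnings, demote the level to debug.
+Note this also fixes the issue of not adding "m" permission for block-*
+and char-* devices.
+A test case is added, which reliably fails before the fix
+on both cgroup v1 and v2.
+This is a backport of commit 58b1374f0ad98cc9390adc43dc22ddbb4f84d72e
+to release-1.1 branch.
+Fixes: https://github.com/opencontainers/runc/issues/3551
+Fixes: 7219387eb7db69b4dae740c9d37d973d9a735801
+Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
+---
+libcontainer/cgroups/systemd/common.go | 16 +++++++++-------
+tests/integration/dev.bats | 16 ++++++++++++++++
+2 files changed, 25 insertions(+), 7 deletions(-)
+diff --git a/libcontainer/cgroups/systemd/common.go b/libcontainer/cgroups/systemd/common.go
+index 5a68a3cf39..45744c15c0 100644
+--- a/libcontainer/cgroups/systemd/common.go
++++ b/libcontainer/cgroups/systemd/common.go
+@@ -288,14 +288,16 @@ func generateDeviceProperties(r *configs.Resources) ([]systemdDbus.Property, err
+case devices.CharDevice:
+entry.Path = fmt.Sprintf("/dev/char/%d:%d", rule.Major, rule.Minor)
+}
++ // systemd will issue a warning if the path we give here doesn't exist.
++ // Since all of this logic is best-effort anyway (we manually set these
++ // rules separately to systemd) we can safely skip entries that don't
++ // have a corresponding path.
++ if _, err := os.Stat(entry.Path); err != nil {
++ logrus.Debugf("skipping device %s for systemd: %s", entry.Path, err)
++ continue
++ }
+}
+- // systemd will issue a warning if the path we give here doesn't exist.
+- // Since all of this logic is best-effort anyway (we manually set these
+- // rules separately to systemd) we can safely skip entries that don't
+- // have a corresponding path.
+- if _, err := os.Stat(entry.Path); err == nil {
+- deviceAllowList = append(deviceAllowList, entry)
+- }
++ deviceAllowList = append(deviceAllowList, entry)
+}
+properties = append(properties, newProp("DeviceAllow", deviceAllowList))
+diff --git a/tests/integration/dev.bats b/tests/integration/dev.bats
+index 01f6778598..243315717a 100644
+--- a/tests/integration/dev.bats
++++ b/tests/integration/dev.bats
+@@ -128,3 +128,19 @@ function teardown() {
+runc exec test_allow_block sh -c 'fdisk -l '"$device"''
+[ "$status" -eq 0 ]
+}
++
++# https://github.com/opencontainers/runc/issues/3551
++@test "runc exec vs systemctl daemon-reload" {
++ requires systemd root
++
++ runc run -d --console-socket "$CONSOLE_SOCKET" test_exec
++ [ "$status" -eq 0 ]
++
++ runc exec -t test_exec sh -c "ls -l /proc/self/fd/0; echo 123"
++ [ "$status" -eq 0 ]
++
++ systemctl daemon-reload
++
++ runc exec -t test_exec sh -c "ls -l /proc/self/fd/0; echo 123"
++ [ "$status" -eq 0 ]
++}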
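Review bot: The comment moved to the new os.Stat site in common.go still states that a missing path can be "safely" skipped, yet the regression this patch fixes shows the real consequence: once "systemctl daemon-reload" re-applies systemd's own rules, a skipped entry is no longer in DeviceAllow and the device is denied (fail-closed, but a functional break), which is precisely why the check is now confined to the /dev/char and /dev/block paths built just above it. Suggest extending that comment with the rationale so the scope is not widened again, e.g. `// Skipped entries are absent from systemd's DeviceAllow, so after "systemctl daemon-reload" they become denied; that is why only the /dev/{char,block}/M:m paths built above are stat'ed here, never the char-*/block-* wildcards.` The debug line formats the error with `%s`; `%v` is the conventional verb for an error value, `logrus.Debugf("skipping device %s for systemd: %v", entry.Path, err)`. generateDeviceProperties starts and ends outside the hunk, so the enclosing condition that guards this block is not visible here.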


@ -23,7 +23,7 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl
Epoch: 1 Epoch: 1
Name: %{repo} Name: %{repo}
Version: 1.1.3 Version: 1.1.3
Release: 2%{?dist} Release: 3%{?dist}
Summary: CLI for running Open Containers Summary: CLI for running Open Containers
# https://fedoraproject.org/wiki/PackagingDrafts/Go#Go_Language_Architectures # https://fedoraproject.org/wiki/PackagingDrafts/Go#Go_Language_Architectures
#ExclusiveArch: %%{go_arches} #ExclusiveArch: %%{go_arches}
@ -35,6 +35,7 @@ URL: %{git0}
Source0: %{git0}/archive/v%{version}.tar.gz Source0: %{git0}/archive/v%{version}.tar.gz
Patch0: https://patch-diff.githubusercontent.com/raw/opencontainers/runc/pull/3468.patch Patch0: https://patch-diff.githubusercontent.com/raw/opencontainers/runc/pull/3468.patch
Patch1: https://patch-diff.githubusercontent.com/raw/opencontainers/runc/pull/3511.patch Patch1: https://patch-diff.githubusercontent.com/raw/opencontainers/runc/pull/3511.patch
Patch2: https://patch-diff.githubusercontent.com/raw/opencontainers/runc/pull/3554.patch
Provides: oci-runtime Provides: oci-runtime
BuildRequires: golang >= 1.17.7 BuildRequires: golang >= 1.17.7
BuildRequires: git BuildRequires: git
@ -87,6 +88,11 @@ make install install-man install-bash DESTDIR=$RPM_BUILD_ROOT PREFIX=%{_prefix}
%{_datadir}/bash-completion/completions/%{name} %{_datadir}/bash-completion/completions/%{name}
%changelog %changelog
* Thu Oct 20 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.1.3-3
- fix "Error: runc: exec failed: unable to start container process:
open /dev/pts/0: operation not permitted: OCI permission denied"
- Resolves: #2117928
* Wed Jun 15 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.1.3-2 * Wed Jun 15 2022 Jindrich Novy <jnovy@redhat.com> - 1:1.1.3-2
- add patch in attempt to fix gating tests - thanks to Kir Kolyshkin - add patch in attempt to fix gating tests - thanks to Kir Kolyshkin
- Related: #2061390 - Related: #2061390