From ce6c27927f1524e36513ffee6d1865ee9f1a47ee Mon Sep 17 00:00:00 2001
From: Jindrich Novy
Date: Fri, 26 Aug 2022 10:52:54 +0200
Subject: [PATCH] runc-1.1.4-1.el9

- update to https://github.com/opencontainers/runc/releases/tag/v1.1.4
- Related: #2061316
Signed-off-by: Jindrich Novy
---
 3468.patch | 84 ------------------------------------------------------
 3511.patch | 66 ------------------------------------------
 runc.spec | 10 ++++---
 sources | 2 +-
 4 files changed, 7 insertions(+), 155 deletions(-)
 delete mode 100644 3468.patch
 delete mode 100644 3511.patch

diff --git a/3468.patch b/3468.patch
deleted file mode 100644
index a02339d..0000000
--- a/3468.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From 2ce40b6ad72b4bd4391380cafc5ef1bad1fa0b31 Mon Sep 17 00:00:00 2001
-From: Kir Kolyshkin
-Date: Wed, 4 May 2022 14:56:16 -0700
-Subject: [PATCH] Remove tun/tap from the default device rules
-
-Looking through git blame, this was added by commit 9fac18329
-aka "Initial commit of runc binary", most probably by mistake.
-
-Obviously, a container should not have access to tun/tap device, unless
-it is explicitly specified in configuration.
-
-Now, removing this might create a compatibility issue, but I see no
-other choice.
-
-Aside from the obvious misconfiguration, this should also fix the
-annoying
-
-> Apr 26 03:46:56 foo.bar systemd[1]: Couldn't stat device /dev/char/10:200: No such file or directory
-
-messages from systemd on every container start, when runc uses systemd
-cgroup driver, and the system runs an old (< v240) version of systemd
-(the message was presumably eliminated by [1]).
-
-[1] https://github.com/systemd/systemd/pull/10996/commits/d5aecba6e0b7c73657c4cf544ce57289115098e7
-
-Signed-off-by: Kir Kolyshkin
----
- .../ebpf/devicefilter/devicefilter_test.go | 19 ++++++-------------
- libcontainer/specconv/spec_linux.go | 10 ----------
- 2 files changed, 6 insertions(+), 23 deletions(-)
-
-diff --git a/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go b/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go
-index d279335821..25703be5ad 100644
---- a/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go
-+++ b/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go
-@@ -120,21 +120,14 @@ block-8:
- 51: Mov32Imm dst: r0 imm: 1
- 52: Exit
- block-9:
--// tuntap (c, 10, 200, rwm, allow)
-+// /dev/pts (c, 136, wildcard, rwm, true)
- 53: JNEImm dst: r2 off: -1 imm: 2
-- 54: JNEImm dst: r4 off: -1 imm: 10
-- 55: JNEImm dst: r5 off: -1 imm: 200
-- 56: Mov32Imm dst: r0 imm: 1
-- 57: Exit
-+ 54: JNEImm dst: r4 off: -1 imm: 136
-+ 55: Mov32Imm dst: r0 imm: 1
-+ 56: Exit
- block-10:
--// /dev/pts (c, 136, wildcard, rwm, true)
-- 58: JNEImm dst: r2 off: -1 imm: 2
-- 59: JNEImm dst: r4 off: -1 imm: 136
-- 60: Mov32Imm dst: r0 imm: 1
-- 61: Exit
--block-11:
-- 62: Mov32Imm dst: r0 imm: 0
-- 63: Exit
-+ 57: Mov32Imm dst: r0 imm: 0
-+ 58: Exit
- `
- var devices []*devices.Rule
- for _, device := range specconv.AllowedDevices {
-diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go
-index 5ae95c6c18..83c7a2c348 100644
---- a/libcontainer/specconv/spec_linux.go
-+++ b/libcontainer/specconv/spec_linux.go
-@@ -302,16 +302,6 @@ var AllowedDevices = []*devices.Device{
- Allow: true,
- },
- },
-- // tuntap
-- {
-- Rule: devices.Rule{
-- Type: devices.CharDevice,
-- Major: 10,
-- Minor: 200,
-- Permissions: "rwm",
-- Allow: true,
-- },
-- },
- }
-
- type CreateOpts struct {
diff --git a/3511.patch b/3511.patch
deleted file mode 100644
index e3be84b..0000000
--- a/3511.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From 62b0c31d4b940ff93a23ac6fdb3a6ef345910abf Mon Sep 17 00:00:00 2001
-From: Kir Kolyshkin
-Date: Tue, 14 Jun 2022 17:19:10 -0700
-Subject: [PATCH] libct: fix mounting via wrong proc fd
-
-Due to a bug in commit 9c444070ec7, when the user and mount namespaces
-are used, and the bind mount is followed by the cgroup mount in the
-spec, the cgroup is mounted using the bind mount's mount fd.
-
-This can be reproduced with podman 4.1 (when configured to use runc):
-
-$ podman run --uidmap 0:100:10000 quay.io/libpod/testimage:20210610 mount
-Error: /home/kir/git/runc/runc: runc create failed: unable to start container process: error during container init: error mounting "cgroup" to rootfs at "/sys/fs/cgroup": mount /proc/self/fd/11:/sys/fs/cgroup/systemd (via /proc/self/fd/12), flags: 0x20502f: operation not permitted: OCI permission denied
-
-or manually with the spec mounts containing something like this:
-
- {
- "destination": "/etc/resolv.conf",
- "type": "bind",
- "source": "/userdata/resolv.conf",
- "options": [
- "bind"
- ]
- },
- {
- "destination": "/sys/fs/cgroup",
- "type": "cgroup",
- "source": "cgroup",
- "options": [
- "rprivate",
- "nosuid",
- "noexec",
- "nodev",
- "relatime",
- "ro"
- ]
- }
-
-The issue was not found earlier since it requires using userns, and even then
-mount fd is ignored by mountToRootfs, except for bind mounts, and all the bind
-mounts have mountfd set, except for the case of cgroup v1's /sys/fs/cgroup
-which is internally transformed into a bunch of bind mounts.
-
-This is a minimal fix for the issue, suitable for backporting.
-
-Fixes: 9c444070ec7 ("Open bind mount sources from the host userns")
-Signed-off-by: Kir Kolyshkin
-(cherry picked from commit b3aa20af7fb67ee1f2b381f3c82329e73c7d3a0c)
-Signed-off-by: Kir Kolyshkin
----
- libcontainer/rootfs_linux.go | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
-index 3cfd2bf1e4..ec7638e4d5 100644
---- a/libcontainer/rootfs_linux.go
-+++ b/libcontainer/rootfs_linux.go
-@@ -80,6 +80,8 @@ func prepareRootfs(pipe io.ReadWriter, iConfig *initConfig, mountFds []int) (err
- // Therefore, we can access mountFds[i] without any concerns.
- if mountFds != nil && mountFds[i] != -1 {
- mountConfig.fd = &mountFds[i]
-+ } else {
-+ mountConfig.fd = nil
- }
- 
- if err := mountToRootfs(m, mountConfig); err != nil {
diff --git a/runc.spec b/runc.spec
index 621d2f8..2655b67 100644
--- a/runc.spec
+++ b/runc.spec
@@ -19,8 +19,8 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl
 
 Epoch: 4
 Name: %{repo}
-Version: 1.1.3
-Release: 2%{?dist}
+Version: 1.1.4
+Release: 1%{?dist}
 Summary: CLI for running Open Containers
 # https://fedoraproject.org/wiki/PackagingDrafts/Go#Go_Language_Architectures
 #ExclusiveArch: %%{go_arches}
@@ -30,8 +30,6 @@ ExcludeArch: %{ix86}
 License: ASL 2.0
 URL: %{git0}
 Source0: %{git0}/archive/v%{version}.tar.gz
-Patch0: https://patch-diff.githubusercontent.com/raw/opencontainers/runc/pull/3468.patch
-Patch1: https://patch-diff.githubusercontent.com/raw/opencontainers/runc/pull/3511.patch
 Provides: oci-runtime
 BuildRequires: golang >= 1.17.7
 BuildRequires: git
@@ -84,6 +82,10 @@ make install install-man install-bash DESTDIR=$RPM_BUILD_ROOT PREFIX=%{_prefix}
 %{_datadir}/bash-completion/completions/%{name}
 
 %changelog
+* Fri Aug 26 2022 Jindrich Novy - 4:1.1.4-1
+- update to https://github.com/opencontainers/runc/releases/tag/v1.1.4
+- Related: #2061316
+
 * Wed Jul 27 2022 Jindrich Novy - 4:1.1.3-2
 - add patch in attempt to fix gating tests - thanks to Kir Kolyshkin
 - Related: #2061316
diff --git a/sources b/sources
index a35617a..1069df5 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (v1.1.3.tar.gz) = 27fce2569d0dc710a0f90095957be30c29da24ce1d2b8e115b9dc11d36f5226d98c4b2d8b92ecfa7581eade90bc51c5d9bccaf15fcb2542dafebe4fabc6e1cd9
+SHA512 (v1.1.4.tar.gz) = c8e79ad839964680d29ab56a4de255f91192741951673025da6889c544a232d4d392db2da8005d8e22999a37bfbc9c9fe7f6043b165bc4edc2f2a29261d8a3d6