runc-1.1.3-2.el9

- add patch in attempt to fix gating tests - thanks to Kir Kolyshkin
- Related: #2061316

Signed-off-by: Jindrich Novy <jnovy@redhat.com>
Jindrich Novy 2022-07-27 17:31:31 +02:00
parent b3d8c624d8
commit dd68bab254
3 changed files with 160 additions and 3 deletions

3468.patch Normal file

@ -0,0 +1,84 @@
From 2ce40b6ad72b4bd4391380cafc5ef1bad1fa0b31 Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin <kolyshkin@gmail.com>
Date: Wed, 4 May 2022 14:56:16 -0700
Subject: [PATCH] Remove tun/tap from the default device rules
Looking through git blame, this was added by commit 9fac18329
aka "Initial commit of runc binary", most probably by mistake.
Obviously, a container should not have access to the tun/tap device unless
it is explicitly specified in the configuration.
Now, removing this might create a compatibility issue, but I see no
other choice.
Aside from the obvious misconfiguration, this should also fix the
annoying
> Apr 26 03:46:56 foo.bar systemd[1]: Couldn't stat device /dev/char/10:200: No such file or directory
messages from systemd on every container start, when runc uses systemd
cgroup driver, and the system runs an old (< v240) version of systemd
(the message was presumably eliminated by [1]).
[1] https://github.com/systemd/systemd/pull/10996/commits/d5aecba6e0b7c73657c4cf544ce57289115098e7
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
---
.../ebpf/devicefilter/devicefilter_test.go | 19 ++++++-------------
libcontainer/specconv/spec_linux.go | 10 ----------
2 files changed, 6 insertions(+), 23 deletions(-)
diff --git a/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go b/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go
index d279335821..25703be5ad 100644
--- a/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go
+++ b/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go
@@ -120,21 +120,14 @@ block-8:
51: Mov32Imm dst: r0 imm: 1
52: Exit
block-9:
-// tuntap (c, 10, 200, rwm, allow)
+// /dev/pts (c, 136, wildcard, rwm, true)
53: JNEImm dst: r2 off: -1 imm: 2 <block-10>
- 54: JNEImm dst: r4 off: -1 imm: 10 <block-10>
- 55: JNEImm dst: r5 off: -1 imm: 200 <block-10>
- 56: Mov32Imm dst: r0 imm: 1
- 57: Exit
+ 54: JNEImm dst: r4 off: -1 imm: 136 <block-10>
+ 55: Mov32Imm dst: r0 imm: 1
+ 56: Exit
block-10:
-// /dev/pts (c, 136, wildcard, rwm, true)
- 58: JNEImm dst: r2 off: -1 imm: 2 <block-11>
- 59: JNEImm dst: r4 off: -1 imm: 136 <block-11>
- 60: Mov32Imm dst: r0 imm: 1
- 61: Exit
-block-11:
- 62: Mov32Imm dst: r0 imm: 0
- 63: Exit
+ 57: Mov32Imm dst: r0 imm: 0
+ 58: Exit
`
var devices []*devices.Rule
for _, device := range specconv.AllowedDevices {
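Review bot: the surviving block-9 comment `// /dev/pts (c, 136, wildcard, rwm, true)` spells the allow field as `true` where the removed tuntap comment spelled it `allow`; since this string is the literal the test compares the generated program against, it is worth normalising to one spelling while the block is being rewritten anyway. The renumbering is otherwise consistent: dropping the five-instruction tuntap block moves the /dev/pts check to instructions 53-56, the terminal deny (`Mov32Imm dst: r0 imm: 0` / `Exit`) to 57-58, and both remaining jumps now target block-10 as the fallthrough.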
diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go
index 5ae95c6c18..83c7a2c348 100644
--- a/libcontainer/specconv/spec_linux.go
+++ b/libcontainer/specconv/spec_linux.go
@@ -302,16 +302,6 @@ var AllowedDevices = []*devices.Device{
Allow: true,
},
},
- // tuntap
- {
- Rule: devices.Rule{
- Type: devices.CharDevice,
- Major: 10,
- Minor: 200,
- Permissions: "rwm",
- Allow: true,
- },
- },
}
type CreateOpts struct {
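Review bot: removing the tuntap entry from AllowedDevices is a user-visible behaviour change that this hunk does not document anywhere: a container that relied on the implicit (c 10:200) rule, e.g. anything opening /dev/net/tun, will now be refused by the devices cgroup unless the bundle's linux.resources.devices grants it explicitly. Suggest a line in the release changelog and in the spec-conversion docs saying so. The removal itself is complete: nothing else in the hunk references the entry, and the expected program in devicefilter_test.go was updated to match.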

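As an added illustration of what the rule removal above means for a container (example code written for this page, not runc's own; `Rule`, `Permitted` and `WithTunTap` are this example's names, and `defaultRules` is a constructed subset of a default allow-list, not a copy of specconv.AllowedDevices): the evaluator below answers the same question the generated device-cgroup program answers, using per-access-bit, last-matching-rule-wins semantics that this example defines for itself, and shows that once the (c, 10, 200) entry is gone a container can only use /dev/net/tun if its config grants the device explicitly.

```go
package main

import (
	"fmt"
	"strings"
)

const wildcard = -1

// Rule carries the fields of an OCI linux.resources.devices entry. This is
// the example's own type, not runc's devices.Rule; -1 is a wildcard as in
// the OCI spec, and Type 'a' matches both char and block devices.
type Rule struct {
	Type   rune   // 'c', 'b' or 'a'
	Major  int64  // -1 = any
	Minor  int64  // -1 = any
	Access string // any subset of "rwm"
	Allow  bool
}

// defaultRules is a constructed subset of a runtime's default allow-list
// after the tuntap entry is removed; it is not specconv.AllowedDevices.
var defaultRules = []Rule{
	{'c', 1, 3, "rwm", true},          // /dev/null
	{'c', 1, 8, "rwm", true},          // /dev/random
	{'c', 5, 0, "rwm", true},          // /dev/tty
	{'c', 136, wildcard, "rwm", true}, // /dev/pts/*
}

func matches(r Rule, typ rune, major, minor int64) bool {
	if r.Type != 'a' && r.Type != typ {
		return false
	}
	if r.Major != wildcard && r.Major != major {
		return false
	}
	return r.Minor == wildcard || r.Minor == minor
}

// permittedBit walks the rules in order; the last rule that matches the
// device and mentions this access bit decides, default deny. Allow rules
// add bits and deny rules take them away, like the devices cgroup's
// allow/deny interface.
func permittedBit(rules []Rule, typ rune, major, minor int64, bit rune) bool {
	ok := false
	for _, r := range rules {
		if matches(r, typ, major, minor) && strings.ContainsRune(r.Access, bit) {
			ok = r.Allow
		}
	}
	return ok
}

// Permitted reports whether every access bit in access ("r", "w", "m" or a
// combination) is granted for the given device under rules.
func Permitted(rules []Rule, typ rune, major, minor int64, access string) bool {
	if access == "" {
		return false
	}
	for _, bit := range access {
		if !strings.ContainsRune("rwm", bit) || !permittedBit(rules, typ, major, minor, bit) {
			return false
		}
	}
	return true
}

// WithTunTap is what a bundle author now has to do: grant /dev/net/tun
// (char 10:200) explicitly in linux.resources.devices. It returns a copy.
func WithTunTap(rules []Rule) []Rule {
	out := append([]Rule(nil), rules...)
	return append(out, Rule{'c', 10, 200, "rwm", true})
}

func main() {
	fmt.Println("tun/tap, default rules:   ", Permitted(defaultRules, 'c', 10, 200, "rw"))
	fmt.Println("tun/tap, explicit rule:   ", Permitted(WithTunTap(defaultRules), 'c', 10, 200, "rw"))
	fmt.Println("/dev/pts/5, default rules:", Permitted(defaultRules, 'c', 136, 5, "rw"))
}
```

Run it with `go run` to see the three answers (false, true, true). The wildcard minor on the /dev/pts rule is why every pty slave keeps working after the change, while tun/tap, which had a fully specified major:minor rule, simply stops matching anything.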
3511.patch Normal file

@ -0,0 +1,66 @@
From 62b0c31d4b940ff93a23ac6fdb3a6ef345910abf Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin <kolyshkin@gmail.com>
Date: Tue, 14 Jun 2022 17:19:10 -0700
Subject: [PATCH] libct: fix mounting via wrong proc fd
Due to a bug in commit 9c444070ec7, when the user and mount namespaces
are used, and the bind mount is followed by the cgroup mount in the
spec, the cgroup is mounted using the bind mount's mount fd.
This can be reproduced with podman 4.1 (when configured to use runc):
$ podman run --uidmap 0:100:10000 quay.io/libpod/testimage:20210610 mount
Error: /home/kir/git/runc/runc: runc create failed: unable to start container process: error during container init: error mounting "cgroup" to rootfs at "/sys/fs/cgroup": mount /proc/self/fd/11:/sys/fs/cgroup/systemd (via /proc/self/fd/12), flags: 0x20502f: operation not permitted: OCI permission denied
or manually with the spec mounts containing something like this:
    {
      "destination": "/etc/resolv.conf",
      "type": "bind",
      "source": "/userdata/resolv.conf",
      "options": [
        "bind"
      ]
    },
    {
      "destination": "/sys/fs/cgroup",
      "type": "cgroup",
      "source": "cgroup",
      "options": [
        "rprivate",
        "nosuid",
        "noexec",
        "nodev",
        "relatime",
        "ro"
      ]
    }
The issue was not found earlier since it requires using userns, and even then
mount fd is ignored by mountToRootfs, except for bind mounts, and all the bind
mounts have mountfd set, except for the case of cgroup v1's /sys/fs/cgroup
which is internally transformed into a bunch of bind mounts.
This is a minimal fix for the issue, suitable for backporting.
Fixes: 9c444070ec7 ("Open bind mount sources from the host userns")
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit b3aa20af7fb67ee1f2b381f3c82329e73c7d3a0c)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
---
libcontainer/rootfs_linux.go | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
index 3cfd2bf1e4..ec7638e4d5 100644
--- a/libcontainer/rootfs_linux.go
+++ b/libcontainer/rootfs_linux.go
@@ -80,6 +80,8 @@ func prepareRootfs(pipe io.ReadWriter, iConfig *initConfig, mountFds []int) (err
// Therefore, we can access mountFds[i] without any concerns.
if mountFds != nil && mountFds[i] != -1 {
mountConfig.fd = &mountFds[i]
+ } else {
+ mountConfig.fd = nil
}
if err := mountToRootfs(m, mountConfig); err != nil {
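Review bot: the new `else { mountConfig.fd = nil }` is only needed because the same mountConfig value is reused across iterations of this loop, so an fd set for an earlier bind mount survives into a later mount whose mountFds[i] is -1; that reason is not visible in the hunk, and the existing comment (`we can access mountFds[i] without any concerns`) reads as if each iteration started clean. Add a one-line comment on the else branch, e.g. `// Clear any fd left over from the previous mount.`, and for the non-backport fix consider building a fresh config per iteration so the field cannot go stale at all.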

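To make the mechanism behind the fix visible (the reused struct lives outside the hunk), here is an added Go example written for this page, not runc code: `mount`, `mountConfig` and `PlanMounts` are this example's own stand-ins, the fd numbers and mount list are constructed after the reproducer in the commit message, and the simplification that any mount handed a non-nil fd uses it stands in for the bind-mount-only behaviour the message describes.

```go
package main

import "fmt"

// mount is a stand-in for a spec mount entry with only the fields this
// example needs; it is not runc's configs.Mount.
type mount struct {
	Destination string
	Type        string
}

// mountConfig stands in for the per-call config that prepareRootfs fills
// before each mountToRootfs call. One value is reused for every iteration,
// which is what lets a field go stale.
type mountConfig struct {
	fd *int
}

// PlanMounts replays the loop from prepareRootfs and records, per
// destination, which host fd the mount would have been performed through
// (-1 = none). mountFds holds one entry per mount, -1 where the source was
// not pre-opened. With resetFd=false it reproduces the bug (the cgroup mount
// inherits the bind mount's fd); with resetFd=true it applies the fix.
func PlanMounts(mounts []mount, mountFds []int, resetFd bool) map[string]int {
	used := make(map[string]int, len(mounts))
	mc := &mountConfig{} // shared across iterations, as in the real loop
	for i, m := range mounts {
		if mountFds != nil && mountFds[i] != -1 {
			mc.fd = &mountFds[i]
		} else if resetFd {
			mc.fd = nil // the fix: forget what the previous iteration set
		}
		if mc.fd == nil {
			used[m.Destination] = -1
		} else {
			used[m.Destination] = *mc.fd
		}
	}
	return used
}

// Constructed inputs matching the reproducer: a bind mount whose source
// was opened on the host as fd 11, followed by the cgroup mount, which has
// no pre-opened source.
var specMounts = []mount{
	{Destination: "/etc/resolv.conf", Type: "bind"},
	{Destination: "/sys/fs/cgroup", Type: "cgroup"},
}

var specMountFds = []int{11, -1}

func main() {
	fmt.Println("before fix:", PlanMounts(specMounts, specMountFds, false))
	fmt.Println("after fix: ", PlanMounts(specMounts, specMountFds, true))
}
```

Swapping the order of the two mounts makes the stale value disappear even without the fix, which is why the commit message stresses that the bind mount has to come before the cgroup mount in the spec.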

@ -20,7 +20,7 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl
Epoch: 4
Name: %{repo}
Version: 1.1.3
Release: 1%{?dist}
Release: 2%{?dist}
Summary: CLI for running Open Containers
# https://fedoraproject.org/wiki/PackagingDrafts/Go#Go_Language_Architectures
#ExclusiveArch: %%{go_arches}
@ -30,11 +30,14 @@ ExcludeArch: %{ix86}
License: ASL 2.0
URL: %{git0}
Source0: %{git0}/archive/v%{version}.tar.gz
Patch0: https://patch-diff.githubusercontent.com/raw/opencontainers/runc/pull/3468.patch
Patch1: https://patch-diff.githubusercontent.com/raw/opencontainers/runc/pull/3511.patch
Provides: oci-runtime
BuildRequires: golang >= 1.12.12-4
BuildRequires: golang >= 1.17.7
BuildRequires: git
BuildRequires: /usr/bin/go-md2man
BuildRequires: libseccomp-devel
BuildRequires: libseccomp-devel >= 2.5
Requires: libseccomp >= 2.5
Requires: criu
%description
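Review bot: Patch0 and Patch1 point at `patch-diff.githubusercontent.com/raw/.../pull/NNNN.patch`, which tracks the PR head rather than a fixed commit, so the URL can stop matching the 3468.patch and 3511.patch files checked in alongside this spec if either PR is rebased or amended; prefer the commit-addressed form (`https://github.com/opencontainers/runc/commit/<sha>.patch`, using the `From` hashes in the patch headers, 2ce40b6ad7 and 62b0c31d4b) or keep the PR URL only as a comment. The hunk also does not show %prep; confirm it applies Patch0 and Patch1, since only their declarations are visible here.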
@ -81,6 +84,10 @@ make install install-man install-bash DESTDIR=$RPM_BUILD_ROOT PREFIX=%{_prefix}
%{_datadir}/bash-completion/completions/%{name}
%changelog
* Wed Jul 27 2022 Jindrich Novy <jnovy@redhat.com> - 4:1.1.3-2
- add patch in attempt to fix gating tests - thanks to Kir Kolyshkin
- Related: #2061316
* Thu Jun 09 2022 Jindrich Novy <jnovy@redhat.com> - 4:1.1.3-1
- update to https://github.com/opencontainers/runc/releases/tag/v1.1.3
- Related: #2061316
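Review bot: the 4:1.1.3-2 changelog entry says only `add patch in attempt to fix gating tests`, while the spec hunk above adds two patches with distinct effects: PR 3468 removes the tun/tap default device rule, a behaviour change users may notice, and PR 3511 fixes the cgroup mount being performed via the wrong proc fd under userns. Naming both PRs and the tun/tap change here would make the behaviour change discoverable from `rpm -q --changelog runc`.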