runc-1.1.3-2.el9
- add patch in attempt to fix gating tests - thanks to Kir Kolyshkin - Related: #2061316 Signed-off-by: Jindrich Novy <jnovy@redhat.com>
parent
b3d8c624d8
commit
dd68bab254
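--- a/3468.patch
+++ b/3468.patch
@@ -0,0 +1,84 @@
+From 2ce40b6ad72b4bd4391380cafc5ef1bad1fa0b31 Mon Sep 17 00:00:00 2001
+From: Kir Kolyshkin <kolyshkin@gmail.com>
+Date: Wed, 4 May 2022 14:56:16 -0700
+Subject: [PATCH] Remove tun/tap from the default device rules
+
+Looking through git blame, this was added by commit 9fac18329
+aka "Initial commit of runc binary", most probably by mistake.
+
+Obviously, a container should not have access to tun/tap device, unless
+it is explicitly specified in configuration.
+
+Now, removing this might create a compatibility issue, but I see no
+other choice.
+
+Aside from the obvious misconfiguration, this should also fix the
+annoying
+
+> Apr 26 03:46:56 foo.bar systemd[1]: Couldn't stat device /dev/char/10:200: No such file or directory
+
+messages from systemd on every container start, when runc uses systemd
+cgroup driver, and the system runs an old (< v240) version of systemd
+(the message was presumably eliminated by [1]).
+
+[1] https://github.com/systemd/systemd/pull/10996/commits/d5aecba6e0b7c73657c4cf544ce57289115098e7
+
+Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
+---
+.../ebpf/devicefilter/devicefilter_test.go | 19 ++++++-------------
+libcontainer/specconv/spec_linux.go | 10 ----------
+2 files changed, 6 insertions(+), 23 deletions(-)
+
+diff --git a/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go b/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go
+index d279335821..25703be5ad 100644
+--- a/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go
++++ b/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go
+@@ -120,21 +120,14 @@ block-8:
+51: Mov32Imm dst: r0 imm: 1
+52: Exit
+block-9:
+-// tuntap (c, 10, 200, rwm, allow)
++// /dev/pts (c, 136, wildcard, rwm, true)
+53: JNEImm dst: r2 off: -1 imm: 2 <block-10>
+- 54: JNEImm dst: r4 off: -1 imm: 10 <block-10>
+- 55: JNEImm dst: r5 off: -1 imm: 200 <block-10>
+- 56: Mov32Imm dst: r0 imm: 1
+- 57: Exit
++ 54: JNEImm dst: r4 off: -1 imm: 136 <block-10>
++ 55: Mov32Imm dst: r0 imm: 1
++ 56: Exit
+block-10:
+-// /dev/pts (c, 136, wildcard, rwm, true)
+- 58: JNEImm dst: r2 off: -1 imm: 2 <block-11>
+- 59: JNEImm dst: r4 off: -1 imm: 136 <block-11>
+- 60: Mov32Imm dst: r0 imm: 1
+- 61: Exit
+-block-11:
+- 62: Mov32Imm dst: r0 imm: 0
+- 63: Exit
++ 57: Mov32Imm dst: r0 imm: 0
++ 58: Exit
+`
+var devices []*devices.Rule
+for _, device := range specconv.AllowedDevices {
+diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go
+index 5ae95c6c18..83c7a2c348 100644
+--- a/libcontainer/specconv/spec_linux.go
++++ b/libcontainer/specconv/spec_linux.go
+@@ -302,16 +302,6 @@ var AllowedDevices = []*devices.Device{
+Allow: true,
+},
+},
+- // tuntap
+- {
+- Rule: devices.Rule{
+- Type: devices.CharDevice,
+- Major: 10,
+- Minor: 200,
+- Permissions: "rwm",
+- Allow: true,
+- },
+- },
+}
+
+type CreateOpts struct {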
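Review bot: Nothing in this file ties it to a merged upstream commit: its `From` line carries `2ce40b6ad72b…` and the message ends at `Signed-off-by` with no `(cherry picked from commit …)` trailer, unlike 3511.patch in the same commit. The spec references it by pull-request URL, and a pull request's patch output can change when its branch is updated, so the committed copy is the only fixed reference. A comment above `Patch0` in runc.spec naming the merged commit, e.g. `# upstream commit <MERGED_COMMIT_SHA> (PR 3468)`, would let a later rebase verify that the carried change to `AllowedDevices` matches what upstream shipped.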
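--- a/3511.patch
+++ b/3511.patch
@@ -0,0 +1,66 @@
+From 62b0c31d4b940ff93a23ac6fdb3a6ef345910abf Mon Sep 17 00:00:00 2001
+From: Kir Kolyshkin <kolyshkin@gmail.com>
+Date: Tue, 14 Jun 2022 17:19:10 -0700
+Subject: [PATCH] libct: fix mounting via wrong proc fd
+
+Due to a bug in commit 9c444070ec7, when the user and mount namespaces
+are used, and the bind mount is followed by the cgroup mount in the
+spec, the cgroup is mounted using the bind mount's mount fd.
+
+This can be reproduced with podman 4.1 (when configured to use runc):
+
+$ podman run --uidmap 0:100:10000 quay.io/libpod/testimage:20210610 mount
+Error: /home/kir/git/runc/runc: runc create failed: unable to start container process: error during container init: error mounting "cgroup" to rootfs at "/sys/fs/cgroup": mount /proc/self/fd/11:/sys/fs/cgroup/systemd (via /proc/self/fd/12), flags: 0x20502f: operation not permitted: OCI permission denied
+
+or manually with the spec mounts containing something like this:
+
+{
+"destination": "/etc/resolv.conf",
+"type": "bind",
+"source": "/userdata/resolv.conf",
+"options": [
+"bind"
+]
+},
+{
+"destination": "/sys/fs/cgroup",
+"type": "cgroup",
+"source": "cgroup",
+"options": [
+"rprivate",
+"nosuid",
+"noexec",
+"nodev",
+"relatime",
+"ro"
+]
+}
+
+The issue was not found earlier since it requires using userns, and even then
+mount fd is ignored by mountToRootfs, except for bind mounts, and all the bind
+mounts have mountfd set, except for the case of cgroup v1's /sys/fs/cgroup
+which is internally transformed into a bunch of bind mounts.
+
+This is a minimal fix for the issue, suitable for backporting.
+
+Fixes: 9c444070ec7 ("Open bind mount sources from the host userns")
+Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
+(cherry picked from commit b3aa20af7fb67ee1f2b381f3c82329e73c7d3a0c)
+Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
+---
+libcontainer/rootfs_linux.go | 2 ++
+1 file changed, 2 insertions(+)
+
+diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
+index 3cfd2bf1e4..ec7638e4d5 100644
+--- a/libcontainer/rootfs_linux.go
++++ b/libcontainer/rootfs_linux.go
+@@ -80,6 +80,8 @@ func prepareRootfs(pipe io.ReadWriter, iConfig *initConfig, mountFds []int) (err
+// Therefore, we can access mountFds[i] without any concerns.
+if mountFds != nil && mountFds[i] != -1 {
+mountConfig.fd = &mountFds[i]
++ } else {
++ mountConfig.fd = nil
+}
+
+if err := mountToRootfs(m, mountConfig); err != nil {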
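Review bot: The added `else { mountConfig.fd = nil }` clears the stale value, but the fd still lives in a `mountConfig` that is evidently reused from one mount to the next (the loop header and the declaration are outside the hunk), so any field added later has the same failure mode. Resetting it unconditionally at the top of each iteration, `mountConfig.fd = nil` before the `if mountFds != nil && mountFds[i] != -1` check, or building the config per mount, makes the safe value the default. The patch adds no test (`1 file changed, 2 insertions(+)`); a regression case with a user namespace and a bind mount followed by a cgroup mount, as in the description, would keep a mount from silently taking its source from another entry's fd again.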
13
runc.spec
13
runc.spec
@ -20,7 +20,7 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl
|
||||
Epoch: 4
|
||||
Name: %{repo}
|
||||
Version: 1.1.3
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
Summary: CLI for running Open Containers
|
||||
# https://fedoraproject.org/wiki/PackagingDrafts/Go#Go_Language_Architectures
|
||||
#ExclusiveArch: %%{go_arches}
|
||||
@ -30,11 +30,14 @@ ExcludeArch: %{ix86}
|
||||
License: ASL 2.0
|
||||
URL: %{git0}
|
||||
Source0: %{git0}/archive/v%{version}.tar.gz
|
||||
Patch0: https://patch-diff.githubusercontent.com/raw/opencontainers/runc/pull/3468.patch
|
||||
Patch1: https://patch-diff.githubusercontent.com/raw/opencontainers/runc/pull/3511.patch
|
||||
Provides: oci-runtime
|
||||
BuildRequires: golang >= 1.12.12-4
|
||||
BuildRequires: golang >= 1.17.7
|
||||
BuildRequires: git
|
||||
BuildRequires: /usr/bin/go-md2man
|
||||
BuildRequires: libseccomp-devel
|
||||
BuildRequires: libseccomp-devel >= 2.5
|
||||
Requires: libseccomp >= 2.5
|
||||
Requires: criu
|
||||
|
||||
%description
|
||||
@ -81,6 +84,10 @@ make install install-man install-bash DESTDIR=$RPM_BUILD_ROOT PREFIX=%{_prefix}
|
||||
%{_datadir}/bash-completion/completions/%{name}
|
||||
|
||||
%changelog
|
||||
* Wed Jul 27 2022 Jindrich Novy <jnovy@redhat.com> - 4:1.1.3-2
|
||||
- add patch in attempt to fix gating tests - thanks to Kir Kolyshkin
|
||||
- Related: #2061316
|
||||
|
||||
* Thu Jun 09 2022 Jindrich Novy <jnovy@redhat.com> - 4:1.1.3-1
|
||||
- update to https://github.com/opencontainers/runc/releases/tag/v1.1.3
|
||||
- Related: #2061316
|
||||
|
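Review bot: The new `%changelog` entry describes both patches only as `add patch in attempt to fix gating tests`, although `Patch0` changes the default device rules (tun/tap is no longer allowed unless configured) and `Patch1` changes which fd a cgroup mount uses under user namespaces. Those are behaviour changes an administrator will search the package history for, so each should have its own line, for example `- remove tun/tap from the default device rules (upstream PR 3468)` and `- fix cgroup mount using the bind mount's fd with userns (upstream PR 3511)`. The `%prep` section is outside the visible hunks, so confirm that both patches are actually applied there.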