runc-1:1.0.0-6.git75f8da7

- bump to v1.0.0-rc3 - built opencontainers/v1.0.0-rc3 commit 75f8da7 Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
2017-03-24 19:35:17 +05:30 · 2017-03-24 19:35:17 +05:30 · f46e0bb7d0
commit f46e0bb7d0
parent e4b1c7e75e
4 changed files with 21 additions and 128 deletions
--- a/.gitignore
+++ b/.gitignore
@ -2,3 +2,4 @@
 /runc-04f275d.tar.gz
 /runc-47ea5c7.tar.gz
 /runc-c91b5be.tar.gz
+/runc-75f8da7.tar.gz
--- a/0001-Set-init-processes-as-non-dumpable.patch
+++ b/0001-Set-init-processes-as-non-dumpable.patch
@ -1,111 +0,0 @@
-From 50a19c6ff828c58e5dab13830bd3dacde268afe5 Mon Sep 17 00:00:00 2001
-From: Michael Crosby <crosbymichael@gmail.com>
-Date: Wed, 7 Dec 2016 15:05:51 -0800
-Subject: [PATCH] Set init processes as non-dumpable
-
-This sets the init processes that join and setup the container's
-namespaces as non-dumpable before they setns to the container's pid (or
-any other ) namespace.
-
-This settings is automatically reset to the default after the Exec in
-the container so that it does not change functionality for the
-applications that are running inside, just our init processes.
-
-This prevents parent processes, the pid 1 of the container, to ptrace
-the init process before it drops caps and other sets LSMs.
-
-This patch also ensures that the stateDirFD being used is still closed
-prior to exec, even though it is set as O_CLOEXEC, because of the order
-in the kernel.
-
-https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318
-
-The order during the exec syscall is that the process is set back to
-dumpable before O_CLOEXEC are processed.
-
-Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
---
- libcontainer/init_linux.go          | 3 ++-
- libcontainer/nsenter/nsexec.c       | 5 +++++
- libcontainer/setns_init_linux.go    | 7 ++++++-
- libcontainer/standard_init_linux.go | 3 +++
- 4 files changed, 16 insertions(+), 2 deletions(-)
-
-diff --git a/libcontainer/init_linux.go b/libcontainer/init_linux.go
-index b1e6762..4043d51 100644
--- a/libcontainer/init_linux.go
-+++ b/libcontainer/init_linux.go
-@@ -77,7 +77,8 @@ func newContainerInit(t initType, pipe *os.File, stateDirFD int) (initer, error)
- 	switch t {
- 	case initSetns:
- 		return &linuxSetnsInit{
-			config: config,
-+			config:     config,
-+			stateDirFD: stateDirFD,
- 		}, nil
- 	case initStandard:
- 		return &linuxStandardInit{
-diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c
-index b93f827..4b5398b 100644
--- a/libcontainer/nsenter/nsexec.c
-+++ b/libcontainer/nsenter/nsexec.c
-@@ -408,6 +408,11 @@ void nsexec(void)
- 	if (pipenum == -1)
- 		return;
- 
-+	/* make the process non-dumpable */
-+	if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) {
-+		bail("failed to set process as non-dumpable");
-+	}
-+
- 	/* Parse all of the netlink configuration. */
- 	nl_parse(pipenum, &config);
- 
-diff --git a/libcontainer/setns_init_linux.go b/libcontainer/setns_init_linux.go
-index 2a8f345..7f5f182 100644
--- a/libcontainer/setns_init_linux.go
-+++ b/libcontainer/setns_init_linux.go
-@@ -5,6 +5,7 @@ package libcontainer
- import (
- 	"fmt"
- 	"os"
-+	"syscall"
- 
- 	"github.com/opencontainers/runc/libcontainer/apparmor"
- 	"github.com/opencontainers/runc/libcontainer/keys"
-@@ -16,7 +17,8 @@ import (
- // linuxSetnsInit performs the container's initialization for running a new process
- // inside an existing container.
- type linuxSetnsInit struct {
-	config *initConfig
-+	config     *initConfig
-+	stateDirFD int
- }
- 
- func (l *linuxSetnsInit) getSessionRingName() string {
-@@ -49,5 +51,8 @@ func (l *linuxSetnsInit) Init() error {
- 	if err := label.SetProcessLabel(l.config.ProcessLabel); err != nil {
- 		return err
- 	}
-+	// close the statedir fd before exec because the kernel resets dumpable in the wrong order
-+	// https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318
-+	syscall.Close(l.stateDirFD)
- 	return system.Execv(l.config.Args[0], l.config.Args[0:], os.Environ())
- }
-diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
-index 2104f1a..6a65154 100644
--- a/libcontainer/standard_init_linux.go
-+++ b/libcontainer/standard_init_linux.go
-@@ -171,6 +171,9 @@ func (l *linuxStandardInit) Init() error {
- 			return newSystemErrorWithCause(err, "init seccomp")
- 		}
- 	}
-+	// close the statedir fd before exec because the kernel resets dumpable in the wrong order
-+	// https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318
-+	syscall.Close(l.stateDirFD)
- 	if err := syscall.Exec(name, l.config.Args[0:], os.Environ()); err != nil {
- 		return newSystemErrorWithCause(err, "exec user process")
- 	}
-- 
-2.11.0
-
--- a/runc.spec
+++ b/runc.spec
@ -26,27 +26,27 @@
 # https://github.com/opencontainers/runc
 %global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo}
 %global import_path %{provider_prefix}
-%global commit c91b5bea4830a57eac7882d7455d59518cdf70ec
-%global shortcommit %(c=%{commit}; echo ${c:0:7})
+%global git0 https://github.com/opencontainers/runc
+%global commit0 75f8da7c889acc4509a0cf6f0d3a8f9584778375
+%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})

 Name: %{repo}
 %if 0%{?fedora} || 0%{?rhel} == 6
 Epoch: 1
 %endif
 Version: 1.0.0
-Release: 5.rc2.git%{shortcommit}%{?dist}.1
+Release: 6.git%{shortcommit0}%{?dist}.1
 Summary: CLI for running Open Containers
 License: ASL 2.0
-URL: https://%{provider_prefix}
-Source0: https://%{provider_prefix}/archive/%{commit}/%{repo}-%{shortcommit}.tar.gz
-Patch0: 0001-Set-init-processes-as-non-dumpable.patch
+URL: %{git0}
+Source0: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz

 # e.g. el6 has ppc64 arch without gcc-go, so EA tag is required
 #ExclusiveArch: %%{?go_arches:%%{go_arches}}%%{!?go_arches:%%{ix86} x86_64 %{arm}}
 ExclusiveArch: %{ix86} x86_64 %{arm} aarch64 ppc64le %{mips} s390x
 # If go_compiler is not set to 1, there is no virtual provide. Use golang instead.
 BuildRequires: %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang}
-
+BuildRequires: git
 BuildRequires: pkgconfig(libseccomp)
 BuildRequires: go-md2man

@ -168,18 +168,17 @@ providing packages with %{import_path} prefix.
 %endif

 %prep
-%setup -q -n %{repo}-%{commit}
+%autosetup -Sgit -n %{name}-%{commit0}

 %build
-mkdir -p src/github.com/opencontainers
-ln -s ../../../ src/github.com/opencontainers/runc
-
-%if ! 0%{?with_bundled}
-export GOPATH=$(pwd):%{gopath}
-%else
-export GOPATH=$(pwd):$(pwd)/Godeps/_workspace:%{gopath}
-%endif
+mkdir -p GOPATH
+pushd GOPATH
+    mkdir -p src/%{provider}.%{provider_tld}/%{project}
+    ln -s $(dirs +1 -l) src/%{import_path}
+popd

+pushd GOPATH/src/%{import_path}
+export GOPATH=%{gopath}:$(pwd)/GOPATH
 BUILDTAGS="seccomp selinux"
 %if ! 0%{?gobuild:1}
 %define gobuild() go build -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n')" -a -v -x %{**};
@ -297,6 +296,10 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/Godeps/_workspace:%{gopath}
 %endif

 %changelog
+* Fri Mar 24 2017 Lokesh Mandvekar <lsm5@fedoraproject.org> - 1:1.0.0-6.git75f8da7
+- bump to v1.0.0-rc3
+- built opencontainers/v1.0.0-rc3 commit 75f8da7
+
 * Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.0.0-5.rc2.gitc91b5be.1
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild

--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (runc-c91b5be.tar.gz) = cfafaa9806e5304453b8f7137a507ab3a26a8efc3c87dcff77b72ad5eb9a5331b38bb8974b333b7026352cf5e6aa995fb5792af37078bff9be7c80a1d2cbf34d
+SHA512 (runc-75f8da7.tar.gz) = 8898a4c8c70fb409a0bf65436cc812ca3d190e1c206462ca9d4a1766a8abf7da61f3d219d83eb015167c146e04e8753e7da2c9cf0058bfdbe444bb5a3c2ca8df