import runc-1.0.0-70.rc92.module+el8.4.0+10198+36d1d0e3

2021-03-30 15:56:39 -04:00 · 2021-03-30 15:56:39 -04:00 · fa5ed6d62b
commit fa5ed6d62b
parent 2281833f62
4 changed files with 35 additions and 293 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/runc-dc9208a.tar.gz
+SOURCES/v1.0.0-rc92.tar.gz
--- a/.runc.metadata
+++ b/.runc.metadata
@ -1 +1 @@
-32859590dea35b77eed012c388d97fc12fdfdb93 SOURCES/runc-dc9208a.tar.gz
+b5571f41bcc85be33a56122a30cb1a241476a8d1 SOURCES/v1.0.0-rc92.tar.gz
--- a/SOURCES/1807.patch
+++ b/SOURCES/1807.patch
@ -1,278 +0,0 @@
 From 3d99c51e1b38a440804a55c9f314f62cc50b8902 Mon Sep 17 00:00:00 2001
 From: Giuseppe Scrivano <gscrivan@redhat.com>
 Date: Fri, 25 May 2018 18:04:06 +0200
 Subject: [PATCH] sd-notify: do not hang when NOTIFY_SOCKET is used with create
 if NOTIFY_SOCKET is used, do not block the main runc process waiting
 for events on the notify socket.  Bind mount the parent directory of
 the notify socket, so that "start" can create the socket and it is
 still accessible from the container.
 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
 ---
 notify_socket.go | 112 ++++++++++++++++++++++++++++++++++-------------
 signals.go       |   4 +-
 start.go         |  13 +++++-
 utils_linux.go   |  12 ++++-
 4 files changed, 105 insertions(+), 36 deletions(-)
 diff --git a/notify_socket.go b/notify_socket.go
 index e7453c62..d961453a 100644
 --- a/notify_socket.go
 +++ b/notify_socket.go
@@ -7,11 +7,13 @@ import (
 	"fmt"
 	"net"
 	"os"
 +	"path"
 	"path/filepath"
 +	"strconv"
 +	"time"
 +	"github.com/opencontainers/runc/libcontainer"
 	"github.com/opencontainers/runtime-spec/specs-go"
 -
 -	"github.com/sirupsen/logrus"
 	"github.com/urfave/cli"
 )
@@ -27,12 +29,12 @@ func newNotifySocket(context *cli.Context, notifySocketHost string, id string) *
 	}
 	root := filepath.Join(context.GlobalString("root"), id)
 -	path := filepath.Join(root, "notify.sock")
 +	socketPath := filepath.Join(root, "notify", "notify.sock")
 	notifySocket := &notifySocket{
 		socket:     nil,
 		host:       notifySocketHost,
 -		socketPath: path,
 +		socketPath: socketPath,
 	}
 	return notifySocket
@@ -44,13 +46,19 @@ func (s *notifySocket) Close() error {
 // If systemd is supporting sd_notify protocol, this function will add support
 // for sd_notify protocol from within the container.
 -func (s *notifySocket) setupSpec(context *cli.Context, spec *specs.Spec) {
 -	mount := specs.Mount{Destination: s.host, Source: s.socketPath, Options: []string{"bind"}}
 +func (s *notifySocket) setupSpec(context *cli.Context, spec *specs.Spec) error {
 +	pathInContainer := filepath.Join("/run/notify", path.Base(s.socketPath))
 +	mount := specs.Mount{
 +		Destination: path.Dir(pathInContainer),
 +		Source:      path.Dir(s.socketPath),
 +		Options:     []string{"bind", "nosuid", "noexec", "nodev", "ro"},
 +	}
 	spec.Mounts = append(spec.Mounts, mount)
 -	spec.Process.Env = append(spec.Process.Env, fmt.Sprintf("NOTIFY_SOCKET=%s", s.host))
 +	spec.Process.Env = append(spec.Process.Env, fmt.Sprintf("NOTIFY_SOCKET=%s", pathInContainer))
 +	return nil
 }
 -func (s *notifySocket) setupSocket() error {
 +func (s *notifySocket) bindSocket() error {
 	addr := net.UnixAddr{
 		Name: s.socketPath,
 		Net:  "unixgram",
@@ -71,45 +79,89 @@ func (s *notifySocket) setupSocket() error {
 	return nil
 }
 -// pid1 must be set only with -d, as it is used to set the new process as the main process
 -// for the service in systemd
 -func (s *notifySocket) run(pid1 int) {
 -	buf := make([]byte, 512)
 -	notifySocketHostAddr := net.UnixAddr{Name: s.host, Net: "unixgram"}
 +func (s *notifySocket) setupSocketDirectory() error {
 +	return os.Mkdir(path.Dir(s.socketPath), 0755)
 +}
 +
 +func notifySocketStart(context *cli.Context, notifySocketHost, id string) (*notifySocket, error) {
 +	notifySocket := newNotifySocket(context, notifySocketHost, id)
 +	if notifySocket == nil {
 +		return nil, nil
 +	}
 +
 +	if err := notifySocket.bindSocket(); err != nil {
 +		return nil, err
 +	}
 +	return notifySocket, nil
 +}
 +
 +func (n *notifySocket) waitForContainer(container libcontainer.Container) error {
 +	s, err := container.State()
 +	if err != nil {
 +		return err
 +	}
 +	return n.run(s.InitProcessPid)
 +}
 +
 +func (n *notifySocket) run(pid1 int) error {
 +	if n.socket == nil {
 +		return nil
 +	}
 +	notifySocketHostAddr := net.UnixAddr{Name: n.host, Net: "unixgram"}
 	client, err := net.DialUnix("unixgram", nil, &notifySocketHostAddr)
 	if err != nil {
 -		logrus.Error(err)
 -		return
 +		return err
 	}
 -	for {
 -		r, err := s.socket.Read(buf)
 -		if err != nil {
 -			break
 +
 +	ticker := time.NewTicker(time.Millisecond * 100)
 +	defer ticker.Stop()
 +
 +	fileChan := make(chan []byte)
 +	go func() {
 +		for {
 +			buf := make([]byte, 512)
 +			r, err := n.socket.Read(buf)
 +			if err != nil {
 +				return
 +			}
 +			got := buf[0:r]
 +			if !bytes.HasPrefix(got, []byte("READY=")) {
 +				continue
 +			}
 +			fileChan <- got
 +			return
 		}
 -		var out bytes.Buffer
 -		for _, line := range bytes.Split(buf[0:r], []byte{'\n'}) {
 -			if bytes.HasPrefix(line, []byte("READY=")) {
 +	}()
 +
 +	for {
 +		select {
 +		case <-ticker.C:
 +			_, err := os.Stat(filepath.Join("/proc", strconv.Itoa(pid1)))
 +			if err != nil {
 +				return nil
 +			}
 +		case b := <-fileChan:
 +			for _, line := range bytes.Split(b, []byte{'\n'}) {
 +				var out bytes.Buffer
 				_, err = out.Write(line)
 				if err != nil {
 -					return
 +					return err
 				}
 				_, err = out.Write([]byte{'\n'})
 				if err != nil {
 -					return
 +					return err
 				}
 				_, err = client.Write(out.Bytes())
 				if err != nil {
 -					return
 +					return err
 				}
 				// now we can inform systemd to use pid1 as the pid to monitor
 -				if pid1 > 0 {
 -					newPid := fmt.Sprintf("MAINPID=%d\n", pid1)
 -					client.Write([]byte(newPid))
 -				}
 -				return
 +				newPid := fmt.Sprintf("MAINPID=%d\n", pid1)
 +				client.Write([]byte(newPid))
 +				return nil
 			}
 		}
 	}
 diff --git a/signals.go b/signals.go
 index b67f65a0..dd25e094 100644
 --- a/signals.go
 +++ b/signals.go
@@ -70,6 +70,7 @@ func (h *signalHandler) forward(process *libcontainer.Process, tty *tty, detach
 			h.notifySocket.run(pid1)
 			return 0, nil
 		}
 +		h.notifySocket.run(os.Getpid())
 		go h.notifySocket.run(0)
 	}
@@ -97,9 +98,6 @@ func (h *signalHandler) forward(process *libcontainer.Process, tty *tty, detach
 					// status because we must ensure that any of the go specific process
 					// fun such as flushing pipes are complete before we return.
 					process.Wait()
 -					if h.notifySocket != nil {
 -						h.notifySocket.Close()
 -					}
 					return e.status, nil
 				}
 			}
 diff --git a/start.go b/start.go
 index 2bb698b2..3a1769a4 100644
 --- a/start.go
 +++ b/start.go
@@ -3,6 +3,7 @@ package main
 import (
 	"errors"
 	"fmt"
 +	"os"
 	"github.com/opencontainers/runc/libcontainer"
 	"github.com/urfave/cli"
@@ -31,7 +32,17 @@ your host.`,
 		}
 		switch status {
 		case libcontainer.Created:
 -			return container.Exec()
 +			notifySocket, err := notifySocketStart(context, os.Getenv("NOTIFY_SOCKET"), container.ID())
 +			if err != nil {
 +				return err
 +			}
 +			if err := container.Exec(); err != nil {
 +				return err
 +			}
 +			if notifySocket != nil {
 +				return notifySocket.waitForContainer(container)
 +			}
 +			return nil
 		case libcontainer.Stopped:
 			return errors.New("cannot start a container that has stopped")
 		case libcontainer.Running:
 diff --git a/utils_linux.go b/utils_linux.go
 index 984e6b0f..46c26246 100644
 --- a/utils_linux.go
 +++ b/utils_linux.go
@@ -408,7 +408,9 @@ func startContainer(context *cli.Context, spec *specs.Spec, action CtAct, criuOp
 	notifySocket := newNotifySocket(context, os.Getenv("NOTIFY_SOCKET"), id)
 	if notifySocket != nil {
 -		notifySocket.setupSpec(context, spec)
 +		if err := notifySocket.setupSpec(context, spec); err != nil {
 +			return -1, err
 +		}
 	}
 	container, err := createContainer(context, id, spec)
@@ -417,10 +419,16 @@ func startContainer(context *cli.Context, spec *specs.Spec, action CtAct, criuOp
 	}
 	if notifySocket != nil {
 -		err := notifySocket.setupSocket()
 +		err := notifySocket.setupSocketDirectory()
 		if err != nil {
 			return -1, err
 		}
 +		if action == CT_ACT_RUN {
 +			err := notifySocket.bindSocket()
 +			if err != nil {
 +				return -1, err
 +			}
 +		}
 	}
 	// Support on-demand socket activation by passing file descriptors into the container init process.
 -- 
 2.21.0
--- a/SPECS/runc.spec
+++ b/SPECS/runc.spec
@ -1,17 +1,15 @@
 %global with_debug 1
 %global with_bundled 1
 %global with_check 0
 %if 0%{?with_debug}
 %global _find_debuginfo_dwz_opts %{nil}
 %global _dwz_low_mem_die_limit 0
 %else
 %global debug_package   %{nil}
 %endif
 %if 0%{?rhel} > 7 && ! 0%{?fedora}
 %define gobuild(o:) \
-go build -buildmode pie -compiler gc -tags="rpm_crashtraceback no_openssl ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -compressdwarf=false -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v -x %{?**};
+go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -linkmode=external -compressdwarf=false -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v %{?**};
 %else
 %if ! 0%{?gobuild:1}
 %define gobuild(o:) GO111MODULE=off go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -linkmode=external -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld '" -a -v %{?**};
 %endif
 %endif
 %global provider github
@ -21,18 +19,22 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback no_openssl ${BUIL
 # https://github.com/opencontainers/runc
 %global import_path %{provider}.%{provider_tld}/%{project}/%{repo}
 %global git0 https://%{import_path}
-%global commit0 dc9208a3303feef5b3839f4323d9beb36df0a9dd
+%global release_candidate rc92
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 Name: %{repo}
 Version: 1.0.0
-Release: 66.rc10%{?dist}
+Release: 70.%{release_candidate}%{?dist}
 Summary: CLI for running Open Containers
 # https://fedoraproject.org/wiki/PackagingDrafts/Go#Go_Language_Architectures
 #ExclusiveArch: %%{go_arches}
 # still use arch exclude as the macro above still refers %%{ix86} in RHEL8.4:
 # https://bugzilla.redhat.com/show_bug.cgi?id=1905383
 ExcludeArch: %{ix86}
 License: ASL 2.0
 URL: %{git0}
-Source0: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
+Source0: %{git0}/archive/v1.0.0-%{release_candidate}.tar.gz
-Patch0: 1807.patch
+#Patch0: 1807.patch
 Provides: oci-runtime = 1
 BuildRequires: golang >= 1.12.12-4
 BuildRequires: git
 BuildRequires: go-md2man
@ -45,7 +47,7 @@ in accordance with the Open Container Initiative's specifications,
 and to manage containers running under runc.
 %prep
-%autosetup -Sgit -n %{repo}-%{commit0}
+%autosetup -Sgit -n %{repo}-%{version}-%{release_candidate}
 sed -i '/\#\!\/bin\/bash/d' contrib/completions/bash/%{name}
 %build
@ -57,6 +59,7 @@ popd
 pushd GOPATH/src/%{import_path}
 export GOPATH=%{gopath}:$(pwd)/GOPATH
 export CGO_CFLAGS="%{optflags} -D_GNU_SOURCE -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64"
 export BUILDTAGS="selinux seccomp"
 %gobuild -o %{name} %{import_path}
@ -88,6 +91,23 @@ install -p -m 0644 contrib/completions/bash/%{name} %{buildroot}%{_datadir}/bash
 %{_datadir}/bash-completion/completions/%{name}
 %changelog
 * Fri Jan 29 2021 Jindrich Novy <jnovy@redhat.com> - 1.0.0-70.rc92
 - add missing Provides: oci-runtime = 1
 - Related: #1883490
 * Tue Dec 08 2020 Jindrich Novy <jnovy@redhat.com> - 1.0.0-69.rc92
 - still use ExcludeArch as go_arches macro is broken for 8.4
 - Related: #1883490
 * Tue Aug 11 2020 Jindrich Novy <jnovy@redhat.com> - 1.0.0-68.rc92
 - update to https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc92
 - propagate proper CFLAGS to CGO_CFLAGS to assure code hardening and optimization
 - Related: #1821193
 * Thu Jul 02 2020 Jindrich Novy <jnovy@redhat.com> - 1.0.0-67.rc91
 - update to https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc91
 - Related: #1821193
 * Tue May 12 2020 Jindrich Novy <jnovy@redhat.com> - 1.0.0-66.rc10
 - synchronize containter-tools 8.3.0 with 8.2.1
 - Related: #1821193
`@ -1 +1 @@`
	`SOURCES/runc-dc9208a.tar.gz`	`SOURCES/v1.0.0-rc92.tar.gz`
`@ -1 +1 @@`
	`32859590dea35b77eed012c388d97fc12fdfdb93 SOURCES/runc-dc9208a.tar.gz`	`b5571f41bcc85be33a56122a30cb1a241476a8d1 SOURCES/v1.0.0-rc92.tar.gz`