From ec9411ef994f920fe5524632a00a8de1baa4346f Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Mar 30 2021 19:56:39 +0000
Subject: import runc-1.0.0-70.rc92.module+el8.4.0+10198+36d1d0e3
---
diff --git a/.gitignore b/.gitignore
index 32283ba..ac15d58 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/runc-dc9208a.tar.gz
+SOURCES/v1.0.0-rc92.tar.gz
diff --git a/.runc.metadata b/.runc.metadata
index 39b6b73..85883d8 100644
--- a/.runc.metadata
+++ b/.runc.metadata
@@ -1 +1 @@
-32859590dea35b77eed012c388d97fc12fdfdb93 SOURCES/runc-dc9208a.tar.gz
+b5571f41bcc85be33a56122a30cb1a241476a8d1 SOURCES/v1.0.0-rc92.tar.gz
diff --git a/SOURCES/1807.patch b/SOURCES/1807.patch
deleted file mode 100644
index 6d415f0..0000000
--- a/SOURCES/1807.patch
+++ /dev/null
@@ -1,278 +0,0 @@ -From 3d99c51e1b38a440804a55c9f314f62cc50b8902 Mon Sep 17 00:00:00 2001 -From: Giuseppe Scrivano -Date: Fri, 25 May 2018 18:04:06 +0200 -Subject: [PATCH] sd-notify: do not hang when NOTIFY_SOCKET is used with create - -if NOTIFY_SOCKET is used, do not block the main runc process waiting -for events on the notify socket. Bind mount the parent directory of -the notify socket, so that "start" can create the socket and it is -still accessible from the container. - -Signed-off-by: Giuseppe Scrivano ---- - notify_socket.go | 112 ++++++++++++++++++++++++++++++++++------------- - signals.go | 4 +- - start.go | 13 +++++- - utils_linux.go | 12 ++++- - 4 files changed, 105 insertions(+), 36 deletions(-) - -diff --git a/notify_socket.go b/notify_socket.go -index e7453c62..d961453a 100644 ---- a/notify_socket.go -+++ b/notify_socket.go -@@ -7,11 +7,13 @@ import ( - "fmt" - "net" - "os" -+ "path" - "path/filepath" -+ "strconv" -+ "time" - -+ "github.com/opencontainers/runc/libcontainer" - "github.com/opencontainers/runtime-spec/specs-go" -- -- "github.com/sirupsen/logrus" - "github.com/urfave/cli" - ) - -@@ -27,12 +29,12 @@ func newNotifySocket(context *cli.Context, notifySocketHost string, id string) * - } - - root := filepath.Join(context.GlobalString("root"), id) -- path := filepath.Join(root, "notify.sock") -+ socketPath := filepath.Join(root, "notify", "notify.sock") - - notifySocket := ¬ifySocket{ - socket: nil, - host: notifySocketHost, -- socketPath: path, -+ socketPath: socketPath, - } - - return notifySocket -@@ -44,13 +46,19 @@ func (s *notifySocket) Close() error { - - // If systemd is supporting sd_notify protocol, this function will add support - // for sd_notify protocol from within the container. 
--func (s *notifySocket) setupSpec(context *cli.Context, spec *specs.Spec) { -- mount := specs.Mount{Destination: s.host, Source: s.socketPath, Options: []string{"bind"}} -+func (s *notifySocket) setupSpec(context *cli.Context, spec *specs.Spec) error { -+ pathInContainer := filepath.Join("/run/notify", path.Base(s.socketPath)) -+ mount := specs.Mount{ -+ Destination: path.Dir(pathInContainer), -+ Source: path.Dir(s.socketPath), -+ Options: []string{"bind", "nosuid", "noexec", "nodev", "ro"}, -+ } - spec.Mounts = append(spec.Mounts, mount) -- spec.Process.Env = append(spec.Process.Env, fmt.Sprintf("NOTIFY_SOCKET=%s", s.host)) -+ spec.Process.Env = append(spec.Process.Env, fmt.Sprintf("NOTIFY_SOCKET=%s", pathInContainer)) -+ return nil - } - --func (s *notifySocket) setupSocket() error { -+func (s *notifySocket) bindSocket() error { - addr := net.UnixAddr{ - Name: s.socketPath, - Net: "unixgram", -@@ -71,45 +79,89 @@ func (s *notifySocket) setupSocket() error { - return nil - } - --// pid1 must be set only with -d, as it is used to set the new process as the main process --// for the service in systemd --func (s *notifySocket) run(pid1 int) { -- buf := make([]byte, 512) -- notifySocketHostAddr := net.UnixAddr{Name: s.host, Net: "unixgram"} -+func (s *notifySocket) setupSocketDirectory() error { -+ return os.Mkdir(path.Dir(s.socketPath), 0755) -+} -+ -+func notifySocketStart(context *cli.Context, notifySocketHost, id string) (*notifySocket, error) { -+ notifySocket := newNotifySocket(context, notifySocketHost, id) -+ if notifySocket == nil { -+ return nil, nil -+ } -+ -+ if err := notifySocket.bindSocket(); err != nil { -+ return nil, err -+ } -+ return notifySocket, nil -+} -+ -+func (n *notifySocket) waitForContainer(container libcontainer.Container) error { -+ s, err := container.State() -+ if err != nil { -+ return err -+ } -+ return n.run(s.InitProcessPid) -+} -+ -+func (n *notifySocket) run(pid1 int) error { -+ if n.socket == nil { -+ return nil -+ } -+ 
notifySocketHostAddr := net.UnixAddr{Name: n.host, Net: "unixgram"} - client, err := net.DialUnix("unixgram", nil, ¬ifySocketHostAddr) - if err != nil { -- logrus.Error(err) -- return -+ return err - } -- for { -- r, err := s.socket.Read(buf) -- if err != nil { -- break -+ -+ ticker := time.NewTicker(time.Millisecond * 100) -+ defer ticker.Stop() -+ -+ fileChan := make(chan []byte) -+ go func() { -+ for { -+ buf := make([]byte, 512) -+ r, err := n.socket.Read(buf) -+ if err != nil { -+ return -+ } -+ got := buf[0:r] -+ if !bytes.HasPrefix(got, []byte("READY=")) { -+ continue -+ } -+ fileChan <- got -+ return - } -- var out bytes.Buffer -- for _, line := range bytes.Split(buf[0:r], []byte{'\n'}) { -- if bytes.HasPrefix(line, []byte("READY=")) { -+ }() -+ -+ for { -+ select { -+ case <-ticker.C: -+ _, err := os.Stat(filepath.Join("/proc", strconv.Itoa(pid1))) -+ if err != nil { -+ return nil -+ } -+ case b := <-fileChan: -+ for _, line := range bytes.Split(b, []byte{'\n'}) { -+ var out bytes.Buffer - _, err = out.Write(line) - if err != nil { -- return -+ return err - } - - _, err = out.Write([]byte{'\n'}) - if err != nil { -- return -+ return err - } - - _, err = client.Write(out.Bytes()) - if err != nil { -- return -+ return err - } - - // now we can inform systemd to use pid1 as the pid to monitor -- if pid1 > 0 { -- newPid := fmt.Sprintf("MAINPID=%d\n", pid1) -- client.Write([]byte(newPid)) -- } -- return -+ newPid := fmt.Sprintf("MAINPID=%d\n", pid1) -+ client.Write([]byte(newPid)) -+ return nil - } - } - } -diff --git a/signals.go b/signals.go -index b67f65a0..dd25e094 100644 ---- a/signals.go -+++ b/signals.go -@@ -70,6 +70,7 @@ func (h *signalHandler) forward(process *libcontainer.Process, tty *tty, detach - h.notifySocket.run(pid1) - return 0, nil - } -+ h.notifySocket.run(os.Getpid()) - go h.notifySocket.run(0) - } - -@@ -97,9 +98,6 @@ func (h *signalHandler) forward(process *libcontainer.Process, tty *tty, detach - // status because we must ensure that any 
of the go specific process - // fun such as flushing pipes are complete before we return. - process.Wait() -- if h.notifySocket != nil { -- h.notifySocket.Close() -- } - return e.status, nil - } - } -diff --git a/start.go b/start.go -index 2bb698b2..3a1769a4 100644 ---- a/start.go -+++ b/start.go -@@ -3,6 +3,7 @@ package main - import ( - "errors" - "fmt" -+ "os" - - "github.com/opencontainers/runc/libcontainer" - "github.com/urfave/cli" -@@ -31,7 +32,17 @@ your host.`, - } - switch status { - case libcontainer.Created: -- return container.Exec() -+ notifySocket, err := notifySocketStart(context, os.Getenv("NOTIFY_SOCKET"), container.ID()) -+ if err != nil { -+ return err -+ } -+ if err := container.Exec(); err != nil { -+ return err -+ } -+ if notifySocket != nil { -+ return notifySocket.waitForContainer(container) -+ } -+ return nil - case libcontainer.Stopped: - return errors.New("cannot start a container that has stopped") - case libcontainer.Running: -diff --git a/utils_linux.go b/utils_linux.go -index 984e6b0f..46c26246 100644 ---- a/utils_linux.go -+++ b/utils_linux.go -@@ -408,7 +408,9 @@ func startContainer(context *cli.Context, spec *specs.Spec, action CtAct, criuOp - - notifySocket := newNotifySocket(context, os.Getenv("NOTIFY_SOCKET"), id) - if notifySocket != nil { -- notifySocket.setupSpec(context, spec) -+ if err := notifySocket.setupSpec(context, spec); err != nil { -+ return -1, err -+ } - } - - container, err := createContainer(context, id, spec) -@@ -417,10 +419,16 @@ func startContainer(context *cli.Context, spec *specs.Spec, action CtAct, criuOp - } - - if notifySocket != nil { -- err := notifySocket.setupSocket() -+ err := notifySocket.setupSocketDirectory() - if err != nil { - return -1, err - } -+ if action == CT_ACT_RUN { -+ err := notifySocket.bindSocket() -+ if err != nil { -+ return -1, err -+ } -+ } - } - - // Support on-demand socket activation by passing file descriptors into the container init process. --- -2.21.0 - 
diff --git a/SPECS/runc.spec b/SPECS/runc.spec
index 2acb5b8..6e5f001 100644
--- a/SPECS/runc.spec
+++ b/SPECS/runc.spec
@@ -1,17 +1,15 @@
-%global with_debug 1
-%global with_bundled 1
 %global with_check 0
-%if 0%{?with_debug}
 %global _find_debuginfo_dwz_opts %{nil}
 %global _dwz_low_mem_die_limit 0
-%else
-%global debug_package %{nil}
-%endif
 %if 0%{?rhel} > 7 && ! 0%{?fedora}
 %define gobuild(o:) \
-go build -buildmode pie -compiler gc -tags="rpm_crashtraceback no_openssl ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -compressdwarf=false -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v -x %{?**};
+go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -linkmode=external -compressdwarf=false -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v %{?**};
+%else
+%if ! 0%{?gobuild:1}
+%define gobuild(o:) GO111MODULE=off go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -linkmode=external -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld '" -a -v %{?**};
+%endif
 %endif
 %global provider github
@@ -21,18 +19,22 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback no_openssl ${BUIL
 # https://github.com/opencontainers/runc
 %global import_path %{provider}.%{provider_tld}/%{project}/%{repo}
 %global git0 https://%{import_path}
-%global commit0 dc9208a3303feef5b3839f4323d9beb36df0a9dd
-%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
+%global release_candidate rc92
 Name: %{repo}
 Version: 1.0.0
-Release: 66.rc10%{?dist}
+Release: 70.%{release_candidate}%{?dist}
 Summary: CLI for running Open Containers
+# https://fedoraproject.org/wiki/PackagingDrafts/Go#Go_Language_Architectures
+#ExclusiveArch: %%{go_arches}
+# still use arch exclude as the macro above still refers %%{ix86} in RHEL8.4:
+# https://bugzilla.redhat.com/show_bug.cgi?id=1905383
 ExcludeArch: %{ix86}
 License: ASL 2.0
 URL: %{git0}
-Source0: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
-Patch0: 1807.patch
+Source0: %{git0}/archive/v1.0.0-%{release_candidate}.tar.gz
+#Patch0: 1807.patch
+Provides: oci-runtime = 1
 BuildRequires: golang >= 1.12.12-4
 BuildRequires: git
 BuildRequires: go-md2man
@@ -45,7 +47,7 @@ in accordance with the Open Container Initiative's specifications, and to
 manage containers running under runc.
 %prep
-%autosetup -Sgit -n %{repo}-%{commit0}
+%autosetup -Sgit -n %{repo}-%{version}-%{release_candidate}
 sed -i '/\#\!\/bin\/bash/d' contrib/completions/bash/%{name}
 %build
@@ -57,6 +59,7 @@ popd
 pushd GOPATH/src/%{import_path}
 export GOPATH=%{gopath}:$(pwd)/GOPATH
+export CGO_CFLAGS="%{optflags} -D_GNU_SOURCE -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64"
 export BUILDTAGS="selinux seccomp"
 %gobuild -o %{name} %{import_path}
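Review bot: The new `Source0: %{git0}/archive/v1.0.0-%{release_candidate}.tar.gz` pulls GitHub's auto-generated tag archive, whose bytes are not guaranteed stable, and the hunk adds no upstream signature check, so the provenance of the runc source now rests entirely on the SHA-1 recorded in `.runc.metadata` (a lookaside entry written by the packager, not an upstream artefact). If the rc92 release assets include upstream's signed tarball (runc's release tooling signs its artefacts), I would point `Source0` at that tarball, add the detached `.asc` as `Source1` and the maintainers' public keyring as `Source2`, and verify in `%prep` with `%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'` plus `BuildRequires: gnupg2`. Note that `%autosetup -n` in a later hunk depends on the archive's top-level directory name, so the source switch and that line must change together. Separately, `#Patch0: 1807.patch` is a dead reference since this same commit deletes `SOURCES/1807.patch`; drop the commented line rather than leave a stale pointer.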
@@ -88,6 +91,23 @@ install -p -m 0644 contrib/completions/bash/%{name} %{buildroot}%{_datadir}/bash
 %{_datadir}/bash-completion/completions/%{name}
 %changelog
+* Fri Jan 29 2021 Jindrich Novy - 1.0.0-70.rc92
+- add missing Provides: oci-runtime = 1
+- Related: #1883490
+
+* Tue Dec 08 2020 Jindrich Novy - 1.0.0-69.rc92
+- still use ExcludeArch as go_arches macro is broken for 8.4
+- Related: #1883490
+
+* Tue Aug 11 2020 Jindrich Novy - 1.0.0-68.rc92
+- update to https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc92
+- propagate proper CFLAGS to CGO_CFLAGS to assure code hardening and optimization
+- Related: #1821193
+
+* Thu Jul 02 2020 Jindrich Novy - 1.0.0-67.rc91
+- update to https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc91
+- Related: #1821193
+
 * Tue May 12 2020 Jindrich Novy - 1.0.0-66.rc10
 - synchronize containter-tools 8.3.0 with 8.2.1
 - Related: #1821193