diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..4d97e7f --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/runc-425e105.tar.gz diff --git a/.runc.metadata b/.runc.metadata new file mode 100644 index 0000000..1ff52c1 --- /dev/null +++ b/.runc.metadata @@ -0,0 +1 @@ +cfbe1abc984f5b0be1413475f888e39304b265ae SOURCES/runc-425e105.tar.gz diff --git a/SOURCES/1807.patch b/SOURCES/1807.patch new file mode 100644 index 0000000..dcfae56 --- /dev/null +++ b/SOURCES/1807.patch @@ -0,0 +1,276 @@ +From e3b37893afa498ef6254cc9d94c159b12e04d0b0 Mon Sep 17 00:00:00 2001 +From: Giuseppe Scrivano +Date: Fri, 25 May 2018 18:04:06 +0200 +Subject: [PATCH] sd-notify: do not hang when NOTIFY_SOCKET is used with create + +if NOTIFY_SOCKET is used, do not block the main runc process waiting +for events on the notify socket. Bind mount the parent directory of +the notify socket, so that "start" can create the socket and it is +still accessible from the container. + +Signed-off-by: Giuseppe Scrivano +--- + notify_socket.go | 113 ++++++++++++++++++++++++++++++++++------------- + signals.go | 4 +- + start.go | 13 +++++- + utils_linux.go | 12 ++++- + 4 files changed, 106 insertions(+), 36 deletions(-) + +diff --git a/notify_socket.go b/notify_socket.go +index b890b5b1c..286ce1ddd 100644 +--- a/notify_socket.go ++++ b/notify_socket.go +@@ -6,11 +6,14 @@ import ( + "bytes" + "fmt" + "net" ++ "os" ++ "path" + "path/filepath" ++ "strconv" ++ "time" + ++ "github.com/opencontainers/runc/libcontainer" + "github.com/opencontainers/runtime-spec/specs-go" +- +- "github.com/sirupsen/logrus" + "github.com/urfave/cli" + ) + +@@ -26,12 +29,12 @@ func newNotifySocket(context *cli.Context, notifySocketHost string, id string) * + } + + root := filepath.Join(context.GlobalString("root"), id) +- path := filepath.Join(root, "notify.sock") ++ socketPath := filepath.Join(root, "notify", "notify.sock") + + notifySocket := ¬ifySocket{ + socket: nil, + host: notifySocketHost, +- socketPath: path, ++ socketPath: socketPath, + } + + return notifySocket +@@ -43,13 +46,19 @@ func (s *notifySocket) Close() error { + + // If systemd is supporting sd_notify protocol, this function will add support + // for sd_notify protocol from within the container. +-func (s *notifySocket) setupSpec(context *cli.Context, spec *specs.Spec) { +- mount := specs.Mount{Destination: s.host, Source: s.socketPath, Options: []string{"bind"}} ++func (s *notifySocket) setupSpec(context *cli.Context, spec *specs.Spec) error { ++ pathInContainer := filepath.Join("/run/notify", path.Base(s.socketPath)) ++ mount := specs.Mount{ ++ Destination: path.Dir(pathInContainer), ++ Source: path.Dir(s.socketPath), ++ Options: []string{"bind", "nosuid", "noexec", "nodev", "ro"}, ++ } + spec.Mounts = append(spec.Mounts, mount) +- spec.Process.Env = append(spec.Process.Env, fmt.Sprintf("NOTIFY_SOCKET=%s", s.host)) ++ spec.Process.Env = append(spec.Process.Env, fmt.Sprintf("NOTIFY_SOCKET=%s", pathInContainer)) ++ return nil + } + +-func (s *notifySocket) setupSocket() error { ++func (s *notifySocket) bindSocket() error { + addr := net.UnixAddr{ + Name: s.socketPath, + Net: "unixgram", +@@ -64,45 +73,89 @@ func (s *notifySocket) setupSocket() error { + return nil + } + +-// pid1 must be set only with -d, as it is used to set the new process as the main process +-// for the service in systemd +-func (s *notifySocket) run(pid1 int) { +- buf := make([]byte, 512) +- notifySocketHostAddr := net.UnixAddr{Name: s.host, Net: "unixgram"} ++func (s *notifySocket) setupSocketDirectory() error { ++ return os.Mkdir(path.Dir(s.socketPath), 0755) ++} ++ ++func notifySocketStart(context *cli.Context, notifySocketHost, id string) (*notifySocket, error) { ++ notifySocket := newNotifySocket(context, notifySocketHost, id) ++ if notifySocket == nil { ++ return nil, nil ++ } ++ ++ if err := notifySocket.bindSocket(); err != nil { ++ return nil, err ++ } ++ return notifySocket, nil ++} ++ ++func (n *notifySocket) waitForContainer(container libcontainer.Container) error { ++ s, err := container.State() ++ if err != nil { ++ return err ++ } ++ return n.run(s.InitProcessPid) ++} ++ ++func (n *notifySocket) run(pid1 int) error { ++ if n.socket == nil { ++ return nil ++ } ++ notifySocketHostAddr := net.UnixAddr{Name: n.host, Net: "unixgram"} + client, err := net.DialUnix("unixgram", nil, ¬ifySocketHostAddr) + if err != nil { +- logrus.Error(err) +- return ++ return err + } +- for { +- r, err := s.socket.Read(buf) +- if err != nil { +- break ++ ++ ticker := time.NewTicker(time.Millisecond * 100) ++ defer ticker.Stop() ++ ++ fileChan := make(chan []byte) ++ go func() { ++ for { ++ buf := make([]byte, 512) ++ r, err := n.socket.Read(buf) ++ if err != nil { ++ return ++ } ++ got := buf[0:r] ++ if !bytes.HasPrefix(got, []byte("READY=")) { ++ continue ++ } ++ fileChan <- got ++ return + } +- var out bytes.Buffer +- for _, line := range bytes.Split(buf[0:r], []byte{'\n'}) { +- if bytes.HasPrefix(line, []byte("READY=")) { ++ }() ++ ++ for { ++ select { ++ case <-ticker.C: ++ _, err := os.Stat(filepath.Join("/proc", strconv.Itoa(pid1))) ++ if err != nil { ++ return nil ++ } ++ case b := <-fileChan: ++ for _, line := range bytes.Split(b, []byte{'\n'}) { ++ var out bytes.Buffer + _, err = out.Write(line) + if err != nil { +- return ++ return err + } + + _, err = out.Write([]byte{'\n'}) + if err != nil { +- return ++ return err + } + + _, err = client.Write(out.Bytes()) + if err != nil { +- return ++ return err + } + + // now we can inform systemd to use pid1 as the pid to monitor +- if pid1 > 0 { +- newPid := fmt.Sprintf("MAINPID=%d\n", pid1) +- client.Write([]byte(newPid)) +- } +- return ++ newPid := fmt.Sprintf("MAINPID=%d\n", pid1) ++ client.Write([]byte(newPid)) ++ return nil + } + } + } +diff --git a/signals.go b/signals.go +index b67f65a03..dd25e094c 100644 +--- a/signals.go ++++ b/signals.go +@@ -70,6 +70,7 @@ func (h *signalHandler) forward(process *libcontainer.Process, tty *tty, detach + h.notifySocket.run(pid1) + return 0, nil + } ++ h.notifySocket.run(os.Getpid()) + go h.notifySocket.run(0) + } + +@@ -97,9 +98,6 @@ func (h *signalHandler) forward(process *libcontainer.Process, tty *tty, detach + // status because we must ensure that any of the go specific process + // fun such as flushing pipes are complete before we return. + process.Wait() +- if h.notifySocket != nil { +- h.notifySocket.Close() +- } + return e.status, nil + } + } +diff --git a/start.go b/start.go +index 2bb698b20..3a1769a43 100644 +--- a/start.go ++++ b/start.go +@@ -3,6 +3,7 @@ package main + import ( + "errors" + "fmt" ++ "os" + + "github.com/opencontainers/runc/libcontainer" + "github.com/urfave/cli" +@@ -31,7 +32,17 @@ your host.`, + } + switch status { + case libcontainer.Created: +- return container.Exec() ++ notifySocket, err := notifySocketStart(context, os.Getenv("NOTIFY_SOCKET"), container.ID()) ++ if err != nil { ++ return err ++ } ++ if err := container.Exec(); err != nil { ++ return err ++ } ++ if notifySocket != nil { ++ return notifySocket.waitForContainer(container) ++ } ++ return nil + case libcontainer.Stopped: + return errors.New("cannot start a container that has stopped") + case libcontainer.Running: +diff --git a/utils_linux.go b/utils_linux.go +index ce50db145..670c0fcba 100644 +--- a/utils_linux.go ++++ b/utils_linux.go +@@ -406,7 +406,9 @@ func startContainer(context *cli.Context, spec *specs.Spec, action CtAct, criuOp + + notifySocket := newNotifySocket(context, os.Getenv("NOTIFY_SOCKET"), id) + if notifySocket != nil { +- notifySocket.setupSpec(context, spec) ++ if err := notifySocket.setupSpec(context, spec); err != nil { ++ return -1, err ++ } + } + + container, err := createContainer(context, id, spec) +@@ -415,10 +417,16 @@ func startContainer(context *cli.Context, spec *specs.Spec, action CtAct, criuOp + } + + if notifySocket != nil { +- err := notifySocket.setupSocket() ++ err := notifySocket.setupSocketDirectory() + if err != nil { + return -1, err + } ++ if action == CT_ACT_RUN { ++ err := notifySocket.bindSocket() ++ if err != nil { ++ return -1, err ++ } ++ } + } + + // Support on-demand socket activation by passing file descriptors into the container init process. diff --git a/SOURCES/99-containers.conf b/SOURCES/99-containers.conf new file mode 100644 index 0000000..7e2d537 --- /dev/null +++ b/SOURCES/99-containers.conf @@ -0,0 +1 @@ +fs.may_detach_mounts=1 diff --git a/SPECS/runc.spec b/SPECS/runc.spec new file mode 100644 index 0000000..95e95f3 --- /dev/null +++ b/SPECS/runc.spec @@ -0,0 +1,268 @@ +%global with_debug 1 +%global with_bundled 1 +%global with_check 0 + +%if 0%{?with_debug} +%global _find_debuginfo_dwz_opts %{nil} +%global _dwz_low_mem_die_limit 0 +%else +%global debug_package %{nil} +%endif + +%if 0%{?rhel} > 7 && ! 0%{?fedora} +%define gobuild(o:) \ +go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -compressdwarf=false -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v -x %{?**}; +%endif # distro + +%global provider github +%global provider_tld com +%global project opencontainers +%global repo runc +# https://github.com/opencontainers/runc +%global import_path %{provider}.%{provider_tld}/%{project}/%{repo} +%global git0 https://%{import_path} +%global commit0 425e105d5a03fabd737a126ad93d62a9eeede87f +%global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) + +Name: %{repo} +Version: 1.0.0 +Release: 60.rc8%{?dist} +Summary: CLI for running Open Containers +ExcludeArch: %{ix86} +License: ASL 2.0 +URL: %{git0} +Source0: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz +Source1: 99-containers.conf +Patch0: 1807.patch +# If go_compiler is not set to 1, there is no virtual provide. Use golang instead. +BuildRequires: %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang} >= 1.6.2 +BuildRequires: git +BuildRequires: go-md2man +BuildRequires: libseccomp-devel +Requires: criu +Requires(pre): container-selinux >= 2:2.2-2 + +%description +The runc command can be used to start containers which are packaged +in accordance with the Open Container Initiative's specifications, +and to manage containers running under runc. + +%prep +%autosetup -Sgit -n %{repo}-%{commit0} +sed -i '/\#\!\/bin\/bash/d' contrib/completions/bash/%{name} + +%build +mkdir -p GOPATH +pushd GOPATH + mkdir -p src/%{provider}.%{provider_tld}/%{project} + ln -s $(dirs +1 -l) src/%{import_path} +popd + +pushd GOPATH/src/%{import_path} +export GOPATH=%{gopath}:$(pwd)/GOPATH +export BUILDTAGS="selinux seccomp" +%gobuild -o %{name} %{import_path} + +pushd man +./md2man-all.sh +popd + +%install +install -d -p %{buildroot}%{_bindir} +install -p -m 755 %{name} %{buildroot}%{_bindir} + +# install man pages +install -d -p %{buildroot}%{_mandir}/man8 +install -p -m 644 man/man8/* %{buildroot}%{_mandir}/man8 +# install bash completion +install -d -p %{buildroot}%{_datadir}/bash-completion/completions +install -p -m 0644 contrib/completions/bash/%{name} %{buildroot}%{_datadir}/bash-completion/completions + +%check + +#define license tag if not already defined +%{!?_licensedir:%global license %doc} + +%files +%license LICENSE +%doc MAINTAINERS_GUIDE.md PRINCIPLES.md README.md CONTRIBUTING.md +%{_bindir}/%{name} +%{_mandir}/man8/%{name}* +%{_datadir}/bash-completion/completions/%{name} + +%changelog +* Mon Jun 17 2019 Lokesh Mandvekar - 1.0.0-60.rc8 +- Resolves: #1721247 - enable fips mode + +* Mon Jun 17 2019 Lokesh Mandvekar - 1.0.0-59.rc8 +- Resolves: #1720654 - rebase to v1.0.0-rc8 + +* Thu Apr 11 2019 Eduardo Santiago - 1.0.0-57.rc5.dev.git2abd837 +- Resolves: #1693424 - podman rootless: cannot specify gid= mount options + +* Wed Feb 27 2019 Lokesh Mandvekar - 1.0.0-56.rc5.dev.git2abd837 +- change-default-root patch not needed as there's no docker on rhel8 + +* Tue Feb 12 2019 Lokesh Mandvekar - 1.0.0-55.rc5.dev.git2abd837 +- Resolves: CVE-2019-5736 + +* Tue Dec 18 2018 Frantisek Kluknavsky - 1.0.0-54.rc5.dev.git2abd837 +- re-enable debuginfo + +* Mon Dec 17 2018 Frantisek Kluknavsky - 1.0.0-53.rc5.dev.git2abd837 +- go toolset not in scl anymore + +* Wed Sep 26 2018 Frantisek Kluknavsky - 1.0.0-52.rc5.dev.git2abd837 +- rebase + +* Fri Aug 31 2018 Dan Walsh - 2:1.0.0-51.dev.gitfdd8055 +- Fix handling of tmpcopyup + +* Fri Aug 24 2018 Lokesh Mandvekar - 2:1.0.0-49.rc5.dev.gitb4e2ecb +- %%gobuild uses no_openssl +- remove unused devel and unit-test subpackages + +* Tue Aug 07 2018 Lokesh Mandvekar - 2:1.0.0-48.rc5.dev.gitad0f525 +- build with %%gobuild +- exlude i686 temporarily because of go-toolset issues + +* Mon Jul 30 2018 Florian Weimer - 1.0.0-47.dev.gitb4e2ecb +- Rebuild with fixed binutils + +* Fri Jul 27 2018 Dan Walsh - 2:1.0.0-46.dev.gitb4e2ecb +- Add patch https://github.com/opencontainers/runc/pull/1807 to allow +- runc and podman to work with sd_notify + +* Wed Jul 18 2018 Dan Walsh - 2:1.0.0-40.rc5.dev.gitad0f525 +- Remove sysclt handling, not needed in RHEL8 +- Make sure package built with seccomp flags +- Remove rectty +- Add completions + +* Fri Jun 15 2018 Dan Walsh - 2:1.0.0-36.rc5.dev.gitad0f525 +- Better handling of user namespace + +* Tue May 1 2018 Dan Walsh - 2:1.0.0-31.rc5.git0cbfd83 +- Fix issues between SELinux and UserNamespace + +* Tue Apr 17 2018 Frantisek Kluknavsky - 1.0.0-27.rc5.dev.git4bb1fe4 +- rebuilt, placed missing changelog entry back + +* Tue Feb 27 2018 Dan Walsh - 2:1.0.0-26.rc5.git4bb1fe4 +- release v1.0.0~rc5 + +* Wed Jan 24 2018 Dan Walsh - 1.0.0-26.rc4.git9f9c962 +- Bump to the latest from upstream + +* Mon Dec 18 2017 Lokesh Mandvekar - 1.0.0-25.rc4.gite6516b3 +- built commit e6516b3 + +* Fri Dec 15 2017 Frantisek Kluknavsky - 1.0.0-24.rc4.dev.gitc6e4a1e.1 +- rebase to c6e4a1ebeb1a72b529c6f1b6ee2b1ae5b868b14f +- https://github.com/opencontainers/runc/pull/1651 + +* Tue Dec 12 2017 Lokesh Mandvekar - 1.0.0-23.rc4.git1d3ab6d +- Resolves: #1524654 + +* Sun Dec 10 2017 Dan Walsh - 1.0.0-22.rc4.git1d3ab6d +- Many Stability fixes +- Many fixes for rootless containers +- Many fixes for static builds + +* Thu Nov 09 2017 Lokesh Mandvekar - 1.0.0-21.rc4.dev.gitaea4f21 +- enable debuginfo and include -buildmode=pie for go build + +* Tue Nov 07 2017 Lokesh Mandvekar - 1.0.0-20.rc4.dev.gitaea4f21 +- use Makefile + +* Tue Nov 07 2017 Lokesh Mandvekar - 1.0.0-19.rc4.dev.gitaea4f21 +- disable debuginfo temporarily + +* Fri Nov 03 2017 Lokesh Mandvekar - 1.0.0-18.rc4.dev.gitaea4f21 +- enable debuginfo + +* Wed Oct 25 2017 Dan Walsh - 1.0.0-17.rc4.gitaea4f21 +- Add container-selinux prerequires to make sure runc is labeled correctly + +* Thu Oct 19 2017 Lokesh Mandvekar - 1.0.0-16.rc4.dev.gitaea4f21 +- correct the release tag "rc4dev" -> "rc4.dev" cause I'm OCD + +* Mon Oct 16 2017 Dan Walsh - 1.0.0-15.rc4dev.gitaea4f21 +- Use the same checkout as Fedora for lates CRI-O + +* Fri Sep 22 2017 Frantisek Kluknavsky - 1.0.0-14.rc4dev.git84a082b +- rebase to 84a082bfef6f932de921437815355186db37aeb1 + +* Tue Jun 13 2017 Lokesh Mandvekar - 1.0.0-13.rc3.gitd40db12 +- Resolves: #1479489 +- built commit d40db12 + +* Tue Jun 13 2017 Lokesh Mandvekar - 1.0.0-12.1.gitf8ce01d +- disable s390x temporarily because of indefinite wait times on brew + +* Tue Jun 13 2017 Lokesh Mandvekar - 1.0.0-11.1.gitf8ce01d +- correct previous bogus date :\ + +* Mon Jun 12 2017 Lokesh Mandvekar - 1.0.0-10.1.gitf8ce01d +- Resolves: #1441737 - run sysctl_apply for sysctl knob + +* Tue May 09 2017 Lokesh Mandvekar - 1.0.0-9.1.gitf8ce01d +- Resolves: #1447078 - change default root path +- add commit e800860 from runc @projectatomic/change-root-path + +* Fri May 05 2017 Lokesh Mandvekar - 1.0.0-8.1.gitf8ce01d +- Resolves: #1441737 - enable kernel sysctl knob /proc/sys/fs/may_detach_mounts + +* Thu Apr 13 2017 Lokesh Mandvekar - 1.0.0-7.1.gitf8ce01d +- Resolves: #1429675 +- built @opencontainers/master commit f8ce01d + +* Thu Mar 16 2017 Lokesh Mandvekar - 1.0.0-4.1.gitee992e5 +- built @projectatomic/master commit ee992e5 + +* Fri Feb 24 2017 Lokesh Mandvekar - 1.0.0-3.rc2 +- Resolves: #1426674 +- built projectatomic/runc_rhel_7 commit 5d93f81 + +* Mon Feb 06 2017 Lokesh Mandvekar - 1.0.0-2.rc2 +- Resolves: #1419702 - rebase to latest upstream master +- built commit b263a43 + +* Wed Jan 11 2017 Lokesh Mandvekar - 1.0.0-1.rc2 +- Resolves: #1412239 - *CVE-2016-9962* - set init processes as non-dumpable, +runc patch from Michael Crosby + +* Wed Sep 07 2016 Lokesh Mandvekar - 0.1.1-6 +- Resolves: #1373980 - rebuild for 7.3.0 + +* Sat Jun 25 2016 Lokesh Mandvekar - 0.1.1-5 +- build with golang >= 1.6.2 + +* Tue May 31 2016 Lokesh Mandvekar - 0.1.1-4 +- release tags were inconsistent in the previous build + +* Tue May 31 2016 Lokesh Mandvekar - 0.1.1-1 +- Resolves: #1341267 - rebase runc to v0.1.1 + +* Tue May 03 2016 Lokesh Mandvekar - 0.1.0-3 +- add selinux build tag +- add BR: libseccomp-devel + +* Tue May 03 2016 Lokesh Mandvekar - 0.1.0-2 +- Resolves: #1328970 - add seccomp buildtag + +* Tue Apr 19 2016 Lokesh Mandvekar - 0.1.0-1 +- Resolves: rhbz#1328616 - rebase to v0.1.0 + +* Tue Mar 08 2016 Lokesh Mandvekar - 0.0.8-1.git4155b68 +- Resolves: rhbz#1277245 - bump to 0.0.8 +- Resolves: rhbz#1302363 - criu is a runtime dep +- Resolves: rhbz#1302348 - libseccomp-golang is bundled in Godeps +- manpages included + +* Wed Nov 25 2015 jchaloup - 1:0.0.5-0.1.git97bc9a7 +- Update to 0.0.5, introduce Epoch for Fedora due to 0.2 version instead of 0.0.2 + +* Fri Aug 21 2015 Jan Chaloupka - 0.2-0.2.git90e6d37 +- First package for Fedora + resolves: #1255179