diff --git a/.gitignore b/.gitignore index 2e1ff66..5fee5b9 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/v1.0.3.tar.gz +SOURCES/v1.1.3.tar.gz diff --git a/.runc.metadata b/.runc.metadata index 6443808..7968435 100644 --- a/.runc.metadata +++ b/.runc.metadata @@ -1 +1 @@ -cbd1b1eff60b0d6f61a034cb50a7fe22edd2b140 SOURCES/v1.0.3.tar.gz +9ad2300d41deb361ced92112366d0c8801d00050 SOURCES/v1.1.3.tar.gz diff --git a/SOURCES/3468.patch b/SOURCES/3468.patch new file mode 100644 index 0000000..a02339d --- /dev/null +++ b/SOURCES/3468.patch @@ -0,0 +1,84 @@ +From 2ce40b6ad72b4bd4391380cafc5ef1bad1fa0b31 Mon Sep 17 00:00:00 2001 +From: Kir Kolyshkin +Date: Wed, 4 May 2022 14:56:16 -0700 +Subject: [PATCH] Remove tun/tap from the default device rules + +Looking through git blame, this was added by commit 9fac18329 +aka "Initial commit of runc binary", most probably by mistake. + +Obviously, a container should not have access to tun/tap device, unless +it is explicitly specified in configuration. + +Now, removing this might create a compatibility issue, but I see no +other choice. + +Aside from the obvious misconfiguration, this should also fix the +annoying + +> Apr 26 03:46:56 foo.bar systemd[1]: Couldn't stat device /dev/char/10:200: No such file or directory + +messages from systemd on every container start, when runc uses systemd +cgroup driver, and the system runs an old (< v240) version of systemd +(the message was presumably eliminated by [1]). + +[1] https://github.com/systemd/systemd/pull/10996/commits/d5aecba6e0b7c73657c4cf544ce57289115098e7 + +Signed-off-by: Kir Kolyshkin +--- + .../ebpf/devicefilter/devicefilter_test.go | 19 ++++++------------- + libcontainer/specconv/spec_linux.go | 10 ---------- + 2 files changed, 6 insertions(+), 23 deletions(-) + +diff --git a/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go b/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go +index d279335821..25703be5ad 100644 +--- a/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go ++++ b/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go +@@ -120,21 +120,14 @@ block-8: + 51: Mov32Imm dst: r0 imm: 1 + 52: Exit + block-9: +-// tuntap (c, 10, 200, rwm, allow) ++// /dev/pts (c, 136, wildcard, rwm, true) + 53: JNEImm dst: r2 off: -1 imm: 2 +- 54: JNEImm dst: r4 off: -1 imm: 10 +- 55: JNEImm dst: r5 off: -1 imm: 200 +- 56: Mov32Imm dst: r0 imm: 1 +- 57: Exit ++ 54: JNEImm dst: r4 off: -1 imm: 136 ++ 55: Mov32Imm dst: r0 imm: 1 ++ 56: Exit + block-10: +-// /dev/pts (c, 136, wildcard, rwm, true) +- 58: JNEImm dst: r2 off: -1 imm: 2 +- 59: JNEImm dst: r4 off: -1 imm: 136 +- 60: Mov32Imm dst: r0 imm: 1 +- 61: Exit +-block-11: +- 62: Mov32Imm dst: r0 imm: 0 +- 63: Exit ++ 57: Mov32Imm dst: r0 imm: 0 ++ 58: Exit + ` + var devices []*devices.Rule + for _, device := range specconv.AllowedDevices { +diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go +index 5ae95c6c18..83c7a2c348 100644 +--- a/libcontainer/specconv/spec_linux.go ++++ b/libcontainer/specconv/spec_linux.go +@@ -302,16 +302,6 @@ var AllowedDevices = []*devices.Device{ + Allow: true, + }, + }, +- // tuntap +- { +- Rule: devices.Rule{ +- Type: devices.CharDevice, +- Major: 10, +- Minor: 200, +- Permissions: "rwm", +- Allow: true, +- }, +- }, + } + + type CreateOpts struct { diff --git a/SOURCES/3511.patch b/SOURCES/3511.patch new file mode 100644 index 0000000..e3be84b --- /dev/null +++ b/SOURCES/3511.patch @@ -0,0 +1,66 @@ +From 62b0c31d4b940ff93a23ac6fdb3a6ef345910abf Mon Sep 17 00:00:00 2001 +From: Kir Kolyshkin +Date: Tue, 14 Jun 2022 17:19:10 -0700 +Subject: [PATCH] libct: fix mounting via wrong proc fd + +Due to a bug in commit 9c444070ec7, when the user and mount namespaces +are used, and the bind mount is followed by the cgroup mount in the +spec, the cgroup is mounted using the bind mount's mount fd. + +This can be reproduced with podman 4.1 (when configured to use runc): + +$ podman run --uidmap 0:100:10000 quay.io/libpod/testimage:20210610 mount +Error: /home/kir/git/runc/runc: runc create failed: unable to start container process: error during container init: error mounting "cgroup" to rootfs at "/sys/fs/cgroup": mount /proc/self/fd/11:/sys/fs/cgroup/systemd (via /proc/self/fd/12), flags: 0x20502f: operation not permitted: OCI permission denied + +or manually with the spec mounts containing something like this: + + { + "destination": "/etc/resolv.conf", + "type": "bind", + "source": "/userdata/resolv.conf", + "options": [ + "bind" + ] + }, + { + "destination": "/sys/fs/cgroup", + "type": "cgroup", + "source": "cgroup", + "options": [ + "rprivate", + "nosuid", + "noexec", + "nodev", + "relatime", + "ro" + ] + } + +The issue was not found earlier since it requires using userns, and even then +mount fd is ignored by mountToRootfs, except for bind mounts, and all the bind +mounts have mountfd set, except for the case of cgroup v1's /sys/fs/cgroup +which is internally transformed into a bunch of bind mounts. + +This is a minimal fix for the issue, suitable for backporting. + +Fixes: 9c444070ec7 ("Open bind mount sources from the host userns") +Signed-off-by: Kir Kolyshkin +(cherry picked from commit b3aa20af7fb67ee1f2b381f3c82329e73c7d3a0c) +Signed-off-by: Kir Kolyshkin +--- + libcontainer/rootfs_linux.go | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go +index 3cfd2bf1e4..ec7638e4d5 100644 +--- a/libcontainer/rootfs_linux.go ++++ b/libcontainer/rootfs_linux.go +@@ -80,6 +80,8 @@ func prepareRootfs(pipe io.ReadWriter, iConfig *initConfig, mountFds []int) (err + // Therefore, we can access mountFds[i] without any concerns. + if mountFds != nil && mountFds[i] != -1 { + mountConfig.fd = &mountFds[i] ++ } else { ++ mountConfig.fd = nil + } + + if err := mountToRootfs(m, mountConfig); err != nil { diff --git a/SPECS/runc.spec b/SPECS/runc.spec index 5082629..84d5c0e 100644 --- a/SPECS/runc.spec +++ b/SPECS/runc.spec @@ -22,7 +22,7 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl Epoch: 1 Name: %{repo} -Version: 1.0.3 +Version: 1.1.3 Release: 2%{?dist} Summary: CLI for running Open Containers # https://fedoraproject.org/wiki/PackagingDrafts/Go#Go_Language_Architectures @@ -33,11 +33,14 @@ ExcludeArch: %{ix86} License: ASL 2.0 URL: %{git0} Source0: %{git0}/archive/v%{version}.tar.gz +Patch0: https://patch-diff.githubusercontent.com/raw/opencontainers/runc/pull/3468.patch +Patch1: https://patch-diff.githubusercontent.com/raw/opencontainers/runc/pull/3511.patch Provides: oci-runtime -BuildRequires: golang >= 1.12.12-4 +BuildRequires: golang >= 1.17.7 BuildRequires: git -BuildRequires: go-md2man -BuildRequires: libseccomp-devel +BuildRequires: /usr/bin/go-md2man +BuildRequires: libseccomp-devel >= 2.5 +Requires: libseccomp >= 2.5 Requires: criu %description @@ -84,16 +87,30 @@ make install install-man install-bash DESTDIR=$RPM_BUILD_ROOT PREFIX=%{_prefix} %{_datadir}/bash-completion/completions/%{name} %changelog -* Wed Feb 16 2022 Jindrich Novy - 1.0.3-2 -- rollback to 1.0.3 due to gating test issues -- Related: #2001445 +* Wed Jun 15 2022 Jindrich Novy - 1:1.1.3-2 +- add patch in attempt to fix gating tests - thanks to Kir Kolyshkin +- Related: #2061390 -* Tue Jan 18 2022 Jindrich Novy - 1.1.0-1 -- update to https://github.com/opencontainers/runc/releases/tag/v1.1.0 -- Related: #2001445 +* Mon Jun 13 2022 Jindrich Novy - 1:1.1.3-1 +- update to https://github.com/opencontainers/runc/releases/tag/v1.1.3 +- Related: #2061390 + +* Tue Jun 07 2022 Jindrich Novy - 1:1.1.2-1 +- update to https://github.com/opencontainers/runc/releases/tag/v1.1.2 +- Related: #2061390 -* Mon Dec 06 2021 Jindrich Novy - 1.0.3-1 -- update to https://github.com/opencontainers/runc/releases/tag/v1.0.3 +* Wed Apr 27 2022 Jindrich Novy - 1:1.0.3-4 +- Related: #2061390 + +* Wed Apr 06 2022 Jindrich Novy - 1:1.0.3-3 +- require at least libseccomp >= 2.5 +- Resolves: #2053990 + +* Tue Mar 08 2022 Jindrich Novy - 1:1.0.3-2 +- require at least libseccomp >= 2.5 + +* Mon Mar 07 2022 Jindrich Novy - 1:1.0.3-1 +- rollback to 1.0.3 due to gating test issues - Related: #2001445 * Wed Aug 25 2021 Jindrich Novy - 1.0.2-1