diff --git a/.gitignore b/.gitignore
index 2e1ff66..9cc4d0e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/v1.0.3.tar.gz
+SOURCES/v1.1.4.tar.gz
diff --git a/.runc.metadata b/.runc.metadata
index 6443808..d124f3f 100644
--- a/.runc.metadata
+++ b/.runc.metadata
@@ -1 +1 @@
-cbd1b1eff60b0d6f61a034cb50a7fe22edd2b140 SOURCES/v1.0.3.tar.gz
+fb65327930c41c8ec016badd6738bef83b556aed SOURCES/v1.1.4.tar.gz
diff --git a/SOURCES/3468.patch b/SOURCES/3468.patch
new file mode 100644
index 0000000..a02339d
--- /dev/null
+++ b/SOURCES/3468.patch
@@ -0,0 +1,84 @@
+From 2ce40b6ad72b4bd4391380cafc5ef1bad1fa0b31 Mon Sep 17 00:00:00 2001
+From: Kir Kolyshkin
+Date: Wed, 4 May 2022 14:56:16 -0700
+Subject: [PATCH] Remove tun/tap from the default device rules
+
+Looking through git blame, this was added by commit 9fac18329
+aka "Initial commit of runc binary", most probably by mistake.
+
+Obviously, a container should not have access to tun/tap device, unless
+it is explicitly specified in configuration.
+
+Now, removing this might create a compatibility issue, but I see no
+other choice.
+
+Aside from the obvious misconfiguration, this should also fix the
+annoying
+
+> Apr 26 03:46:56 foo.bar systemd[1]: Couldn't stat device /dev/char/10:200: No such file or directory
+
+messages from systemd on every container start, when runc uses systemd
+cgroup driver, and the system runs an old (< v240) version of systemd
+(the message was presumably eliminated by [1]).
+
+[1] https://github.com/systemd/systemd/pull/10996/commits/d5aecba6e0b7c73657c4cf544ce57289115098e7
+
+Signed-off-by: Kir Kolyshkin
+---
+ .../ebpf/devicefilter/devicefilter_test.go | 19 ++++++-------------
+ libcontainer/specconv/spec_linux.go | 10 ----------
+ 2 files changed, 6 insertions(+), 23 deletions(-)
+
+diff --git a/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go b/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go
+index d279335821..25703be5ad 100644
+--- a/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go
++++ b/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go
+@@ -120,21 +120,14 @@ block-8:
+ 51: Mov32Imm dst: r0 imm: 1
+ 52: Exit
+ block-9:
+-// tuntap (c, 10, 200, rwm, allow)
++// /dev/pts (c, 136, wildcard, rwm, true)
+ 53: JNEImm dst: r2 off: -1 imm: 2
+- 54: JNEImm dst: r4 off: -1 imm: 10
+- 55: JNEImm dst: r5 off: -1 imm: 200
+- 56: Mov32Imm dst: r0 imm: 1
+- 57: Exit
++ 54: JNEImm dst: r4 off: -1 imm: 136
++ 55: Mov32Imm dst: r0 imm: 1
++ 56: Exit
+ block-10:
+-// /dev/pts (c, 136, wildcard, rwm, true)
+- 58: JNEImm dst: r2 off: -1 imm: 2
+- 59: JNEImm dst: r4 off: -1 imm: 136
+- 60: Mov32Imm dst: r0 imm: 1
+- 61: Exit
+-block-11:
+- 62: Mov32Imm dst: r0 imm: 0
+- 63: Exit
++ 57: Mov32Imm dst: r0 imm: 0
++ 58: Exit
+ `
+ var devices []*devices.Rule
+ for _, device := range specconv.AllowedDevices {
+diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go
+index 5ae95c6c18..83c7a2c348 100644
+--- a/libcontainer/specconv/spec_linux.go
++++ b/libcontainer/specconv/spec_linux.go
+@@ -302,16 +302,6 @@ var AllowedDevices = []*devices.Device{
+ Allow: true,
+ },
+ },
+- // tuntap
+- {
+- Rule: devices.Rule{
+- Type: devices.CharDevice,
+- Major: 10,
+- Minor: 200,
+- Permissions: "rwm",
+- Allow: true,
+- },
+- },
+ }
+
+ type CreateOpts struct {
diff --git a/SPECS/runc.spec b/SPECS/runc.spec
index 18b4fc6..447ccd0 100644
--- a/SPECS/runc.spec
+++ b/SPECS/runc.spec
@@ -22,7 +22,7 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl
 Epoch: 1
 Name: %{repo}
-Version: 1.0.3
+Version: 1.1.4
 Release: 1%{?dist}
 Summary: CLI for running Open Containers
 # https://fedoraproject.org/wiki/PackagingDrafts/Go#Go_Language_Architectures
@@ -33,11 +33,13 @@ ExcludeArch: %{ix86}
 License: ASL 2.0
 URL: %{git0}
 Source0: %{git0}/archive/v%{version}.tar.gz
+Patch0: https://patch-diff.githubusercontent.com/raw/opencontainers/runc/pull/3468.patch
 Provides: oci-runtime
-BuildRequires: golang >= 1.12.12-4
+BuildRequires: golang >= 1.17.7
 BuildRequires: git
-BuildRequires: go-md2man
-BuildRequires: libseccomp-devel
+BuildRequires: /usr/bin/go-md2man
+BuildRequires: libseccomp-devel >= 2.5
+Requires: libseccomp >= 2.5
 Requires: criu
 %description
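Review bot: `Patch0:` is declared in this hunk but nothing here applies it; unless `%prep` (outside the hunk) uses `%autosetup -p1` or an explicit `%patch0 -p1`, the vendored SOURCES/3468.patch is never applied and the built runc silently keeps the tun/tap device rule that the patch exists to remove. The URL also points at the pull request's raw patch (`.../pull/3468.patch`), which is regenerated from the PR branch rather than content-addressed, so it does not pin the bytes committed under SOURCES/3468.patch; the commit hash recorded inside that file gives a stable reference, e.g. `Patch0: https://github.com/opencontainers/runc/commit/2ce40b6ad72b4bd4391380cafc5ef1bad1fa0b31.patch`. The changelog hunk's `1:1.1.4-1` entry records only the version update; a line such as `- apply upstream PR 3468 (drop tun/tap from default device rules)` would make the added patch discoverable to anyone auditing the package. It is also worth confirming that v1.1.4 does not already carry this change upstream, since the patch would then fail to apply and break the build rather than being a no-op.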
@@ -84,6 +86,31 @@ make install install-man install-bash DESTDIR=$RPM_BUILD_ROOT PREFIX=%{_prefix}
 %{_datadir}/bash-completion/completions/%{name}
 %changelog
+* Mon Aug 29 2022 Jindrich Novy - 1:1.1.4-1
+- update to https://github.com/opencontainers/runc/releases/tag/v1.1.4
+- Related: #2061390
+
+* Mon Jun 13 2022 Jindrich Novy - 1:1.1.3-2
+- update to https://github.com/opencontainers/runc/releases/tag/v1.1.3
+- Related: #2061390
+
+* Thu Jun 09 2022 Jindrich Novy - 1:1.1.3-1
+- update to https://github.com/opencontainers/runc/releases/tag/v1.1.3
+- Related: #2061390
+
+* Fri Jun 03 2022 Jindrich Novy - 1:1.1.2-1
+- update to https://github.com/opencontainers/runc/releases/tag/v1.1.2
+- Related: #2061390
+
+* Fri Apr 08 2022 Jindrich Novy - 1:1.0.3-3
+- bump golang BR to 1.17.7
+- Related: #2061390
+
+* Fri Mar 11 2022 Jindrich Novy - 1:1.0.3-2
+- require at least libseccomp >= 2.5
+- Resolves: #2053990
+- Related: #2061390
+
 * Fri Feb 18 2022 Jindrich Novy - 1:1.0.3-1
 - rollback to 1.0.3 due to gating test issues
 - Related: #2001445