diff --git a/.gitignore b/.gitignore
index 5fee5b9..9cc4d0e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/v1.1.3.tar.gz
+SOURCES/v1.1.4.tar.gz
diff --git a/.runc.metadata b/.runc.metadata
index 7968435..d124f3f 100644
--- a/.runc.metadata
+++ b/.runc.metadata
@@ -1 +1 @@
-9ad2300d41deb361ced92112366d0c8801d00050 SOURCES/v1.1.3.tar.gz
+fb65327930c41c8ec016badd6738bef83b556aed SOURCES/v1.1.4.tar.gz
diff --git a/SOURCES/3468.patch b/SOURCES/3468.patch
deleted file mode 100644
index a02339d..0000000
--- a/SOURCES/3468.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From 2ce40b6ad72b4bd4391380cafc5ef1bad1fa0b31 Mon Sep 17 00:00:00 2001
-From: Kir Kolyshkin
-Date: Wed, 4 May 2022 14:56:16 -0700
-Subject: [PATCH] Remove tun/tap from the default device rules
-
-Looking through git blame, this was added by commit 9fac18329
-aka "Initial commit of runc binary", most probably by mistake.
-
-Obviously, a container should not have access to tun/tap device, unless
-it is explicitly specified in configuration.
-
-Now, removing this might create a compatibility issue, but I see no
-other choice.
-
-Aside from the obvious misconfiguration, this should also fix the
-annoying
-
-> Apr 26 03:46:56 foo.bar systemd[1]: Couldn't stat device /dev/char/10:200: No such file or directory
-
-messages from systemd on every container start, when runc uses systemd
-cgroup driver, and the system runs an old (< v240) version of systemd
-(the message was presumably eliminated by [1]).
-
-[1] https://github.com/systemd/systemd/pull/10996/commits/d5aecba6e0b7c73657c4cf544ce57289115098e7
-
-Signed-off-by: Kir Kolyshkin
---
- .../ebpf/devicefilter/devicefilter_test.go | 19 ++++++-------------
- libcontainer/specconv/spec_linux.go | 10 ----------
- 2 files changed, 6 insertions(+), 23 deletions(-)
-
-diff --git a/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go b/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go
-index d279335821..25703be5ad 100644
---- a/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go
-+++ b/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go
-@@ -120,21 +120,14 @@ block-8:
- 51: Mov32Imm dst: r0 imm: 1
- 52: Exit
- block-9:
--// tuntap (c, 10, 200, rwm, allow)
-+// /dev/pts (c, 136, wildcard, rwm, true)
- 53: JNEImm dst: r2 off: -1 imm: 2
-- 54: JNEImm dst: r4 off: -1 imm: 10
-- 55: JNEImm dst: r5 off: -1 imm: 200
-- 56: Mov32Imm dst: r0 imm: 1
-- 57: Exit
-+ 54: JNEImm dst: r4 off: -1 imm: 136
-+ 55: Mov32Imm dst: r0 imm: 1
-+ 56: Exit
- block-10:
--// /dev/pts (c, 136, wildcard, rwm, true)
-- 58: JNEImm dst: r2 off: -1 imm: 2
-- 59: JNEImm dst: r4 off: -1 imm: 136
-- 60: Mov32Imm dst: r0 imm: 1
-- 61: Exit
--block-11:
-- 62: Mov32Imm dst: r0 imm: 0
-- 63: Exit
-+ 57: Mov32Imm dst: r0 imm: 0
-+ 58: Exit
- `
- var devices []*devices.Rule
- for _, device := range specconv.AllowedDevices {
-diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go
-index 5ae95c6c18..83c7a2c348 100644
---- a/libcontainer/specconv/spec_linux.go
-+++ b/libcontainer/specconv/spec_linux.go
-@@ -302,16 +302,6 @@ var AllowedDevices = []*devices.Device{
- Allow: true,
- },
- },
-- // tuntap
-- {
-- Rule: devices.Rule{
-- Type: devices.CharDevice,
-- Major: 10,
-- Minor: 200,
-- Permissions: "rwm",
-- Allow: true,
-- },
-- },
- }
-
- type CreateOpts struct {
diff --git a/SOURCES/3511.patch b/SOURCES/3511.patch
deleted file mode 100644
index e3be84b..0000000
--- a/SOURCES/3511.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From 62b0c31d4b940ff93a23ac6fdb3a6ef345910abf Mon Sep 17 00:00:00 2001
-From: Kir Kolyshkin
-Date: Tue, 14 Jun 2022 17:19:10 -0700
-Subject: [PATCH] libct: fix mounting via wrong proc fd
-
-Due to a bug in commit 9c444070ec7, when the user and mount namespaces
-are used, and the bind mount is followed by the cgroup mount in the
-spec, the cgroup is mounted using the bind mount's mount fd.
-
-This can be reproduced with podman 4.1 (when configured to use runc):
-
-$ podman run --uidmap 0:100:10000 quay.io/libpod/testimage:20210610 mount
-Error: /home/kir/git/runc/runc: runc create failed: unable to start container process: error during container init: error mounting "cgroup" to rootfs at "/sys/fs/cgroup": mount /proc/self/fd/11:/sys/fs/cgroup/systemd (via /proc/self/fd/12), flags: 0x20502f: operation not permitted: OCI permission denied
-
-or manually with the spec mounts containing something like this:
-
- {
- "destination": "/etc/resolv.conf",
- "type": "bind",
- "source": "/userdata/resolv.conf",
- "options": [
- "bind"
- ]
- },
- {
- "destination": "/sys/fs/cgroup",
- "type": "cgroup",
- "source": "cgroup",
- "options": [
- "rprivate",
- "nosuid",
- "noexec",
- "nodev",
- "relatime",
- "ro"
- ]
- }
-
-The issue was not found earlier since it requires using userns, and even then
-mount fd is ignored by mountToRootfs, except for bind mounts, and all the bind
-mounts have mountfd set, except for the case of cgroup v1's /sys/fs/cgroup
-which is internally transformed into a bunch of bind mounts.
-
-This is a minimal fix for the issue, suitable for backporting.
-
-Fixes: 9c444070ec7 ("Open bind mount sources from the host userns")
-Signed-off-by: Kir Kolyshkin
-(cherry picked from commit b3aa20af7fb67ee1f2b381f3c82329e73c7d3a0c)
-Signed-off-by: Kir Kolyshkin
----
- libcontainer/rootfs_linux.go | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
-index 3cfd2bf1e4..ec7638e4d5 100644
---- a/libcontainer/rootfs_linux.go
-+++ b/libcontainer/rootfs_linux.go
-@@ -80,6 +80,8 @@ func prepareRootfs(pipe io.ReadWriter, iConfig *initConfig, mountFds []int) (err
- // Therefore, we can access mountFds[i] without any concerns.
- if mountFds != nil && mountFds[i] != -1 {
- mountConfig.fd = &mountFds[i]
-+ } else {
-+ mountConfig.fd = nil
- }
-
- if err := mountToRootfs(m, mountConfig); err != nil {
diff --git a/SOURCES/3554.patch b/SOURCES/3554.patch
deleted file mode 100644
index 8cf50c4..0000000
--- a/SOURCES/3554.patch
+++ /dev/null
@@ -1,93 +0,0 @@
-From 204c673cced91b03aa337c804ab8b31a452c6777 Mon Sep 17 00:00:00 2001
-From: Kir Kolyshkin
-Date: Wed, 10 Aug 2022 17:09:23 -0700
-Subject: [PATCH] [1.1] fix failed exec after systemctl daemon-reload
-
-A regression reported for runc v1.1.3 says that "runc exec -t" fails
-after doing "systemctl daemon-reload":
-
-> exec failed: unable to start container process: open /dev/pts/0: operation not permitted: unknown
-
-Apparently, with commit 7219387eb7db69b we are no longer adding
-"DeviceAllow=char-pts rwm" rule (because os.Stat("char-pts") returns
-ENOENT).
-
-The bug can only be seen after "systemctl daemon-reload" because runc
-also applies the same rules manually (by writing to devices.allow for
-cgroup v1), and apparently reloading systemd leads to re-applying the
-rules that systemd has (thus removing the char-pts access).
-
-The fix is to do os.Stat only for "/dev" paths.
-
-Also, emit a warning that the path was skipped. Since the original idea
-was to emit less warnings, demote the level to debug.
-
-Note this also fixes the issue of not adding "m" permission for block-*
-and char-* devices.
-
-A test case is added, which reliably fails before the fix
-on both cgroup v1 and v2.
-
-This is a backport of commit 58b1374f0ad98cc9390adc43dc22ddbb4f84d72e
-to release-1.1 branch.
-
-Fixes: https://github.com/opencontainers/runc/issues/3551
-Fixes: 7219387eb7db69b4dae740c9d37d973d9a735801
-Signed-off-by: Kir Kolyshkin
----
- libcontainer/cgroups/systemd/common.go | 16 +++++++++-------
- tests/integration/dev.bats | 16 ++++++++++++++++
- 2 files changed, 25 insertions(+), 7 deletions(-)
-
-diff --git a/libcontainer/cgroups/systemd/common.go b/libcontainer/cgroups/systemd/common.go
-index 5a68a3cf39..45744c15c0 100644
---- a/libcontainer/cgroups/systemd/common.go
-+++ b/libcontainer/cgroups/systemd/common.go
-@@ -288,14 +288,16 @@ func generateDeviceProperties(r *configs.Resources) ([]systemdDbus.Property, err
- case devices.CharDevice:
- entry.Path = fmt.Sprintf("/dev/char/%d:%d", rule.Major, rule.Minor)
- }
-+ // systemd will issue a warning if the path we give here doesn't exist.
-+ // Since all of this logic is best-effort anyway (we manually set these
-+ // rules separately to systemd) we can safely skip entries that don't
-+ // have a corresponding path.
-+ if _, err := os.Stat(entry.Path); err != nil {
-+ logrus.Debugf("skipping device %s for systemd: %s", entry.Path, err)
-+ continue
-+ }
- }
-- // systemd will issue a warning if the path we give here doesn't exist.
-- // Since all of this logic is best-effort anyway (we manually set these
-- // rules separately to systemd) we can safely skip entries that don't
-- // have a corresponding path.
-- if _, err := os.Stat(entry.Path); err == nil {
-- deviceAllowList = append(deviceAllowList, entry)
-- }
-+ deviceAllowList = append(deviceAllowList, entry)
- }
-
- properties = append(properties, newProp("DeviceAllow", deviceAllowList))
-diff --git a/tests/integration/dev.bats b/tests/integration/dev.bats
-index 01f6778598..243315717a 100644
---- a/tests/integration/dev.bats
-+++ b/tests/integration/dev.bats
-@@ -128,3 +128,19 @@ function teardown() {
- runc exec test_allow_block sh -c 'fdisk -l '"$device"''
- [ "$status" -eq 0 ]
- }
-+
-+# https://github.com/opencontainers/runc/issues/3551
-+@test "runc exec vs systemctl daemon-reload" {
-+ requires systemd root
-+
-+ runc run -d --console-socket "$CONSOLE_SOCKET" test_exec
-+ [ "$status" -eq 0 ]
-+
-+ runc exec -t test_exec sh -c "ls -l /proc/self/fd/0; echo 123"
-+ [ "$status" -eq 0 ]
-+
-+ systemctl daemon-reload
-+
-+ runc exec -t test_exec sh -c "ls -l /proc/self/fd/0; echo 123"
-+ [ "$status" -eq 0 ]
-+}
diff --git a/SPECS/runc.spec b/SPECS/runc.spec
index e56f27e..8058cdf 100644
--- a/SPECS/runc.spec
+++ b/SPECS/runc.spec
@@ -22,8 +22,8 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl
 Epoch: 1
 Name: %{repo}
-Version: 1.1.3
-Release: 3%{?dist}
+Version: 1.1.4
+Release: 1%{?dist}
 Summary: CLI for running Open Containers
 # https://fedoraproject.org/wiki/PackagingDrafts/Go#Go_Language_Architectures
 #ExclusiveArch: %%{go_arches}
@@ -33,9 +33,6 @@ ExcludeArch: %{ix86}
 License: ASL 2.0
 URL: %{git0}
 Source0: %{git0}/archive/v%{version}.tar.gz
-Patch0: https://patch-diff.githubusercontent.com/raw/opencontainers/runc/pull/3468.patch
-Patch1: https://patch-diff.githubusercontent.com/raw/opencontainers/runc/pull/3511.patch
-Patch2: https://patch-diff.githubusercontent.com/raw/opencontainers/runc/pull/3554.patch
 Provides: oci-runtime
 BuildRequires: golang >= 1.17.7
 BuildRequires: git
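Review bot: Dropping the `-Patch0:`, `-Patch1:` and `-Patch2:` lines in the `@@ -33,9 +33,6 @@` hunk is only sound if the v1.1.4 tarball already carries all three fixes (tun/tap default-device removal, the bind-mount fd fix, and the systemd daemon-reload exec fix); nothing in the hunk shows that, so it should be confirmed against the upstream release before merging, since losing the tun/tap rule change would silently re-widen the default device allowlist. The `%prep` section that applies these patches lies outside the hunk; if it uses explicit `%patch0`/`%patch1`/`%patch2` lines rather than `%autosetup`, they must be removed in the same commit or the build breaks. A one-line changelog bullet naming the three upstream PRs now subsumed by the update would make the rationale recoverable later.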
@@ -88,37 +85,55 @@ make install install-man install-bash DESTDIR=$RPM_BUILD_ROOT PREFIX=%{_prefix}
 %{_datadir}/bash-completion/completions/%{name}
 %changelog
-* Thu Oct 20 2022 Jindrich Novy - 1:1.1.3-3
+* Fri Aug 26 2022 Jindrich Novy - 1:1.1.4-1
+- update to https://github.com/opencontainers/runc/releases/tag/v1.1.4
+- Related: #2061390
+
+* Thu Aug 25 2022 Jindrich Novy - 1:1.1.3-3
 - fix "Error: runc: exec failed: unable to start container process: open /dev/pts/0: operation not permitted: OCI permission denied"
-- Resolves: #2117928
+- Related: #2061390
 * Wed Jun 15 2022 Jindrich Novy - 1:1.1.3-2
 - add patch in attempt to fix gating tests - thanks to Kir Kolyshkin
 - Related: #2061390
-* Mon Jun 13 2022 Jindrich Novy - 1:1.1.3-1
+* Thu Jun 09 2022 Jindrich Novy - 1:1.1.3-1
 - update to https://github.com/opencontainers/runc/releases/tag/v1.1.3
 - Related: #2061390
-* Tue Jun 07 2022 Jindrich Novy - 1:1.1.2-1
+* Fri Jun 03 2022 Jindrich Novy - 1:1.1.2-1
 - update to https://github.com/opencontainers/runc/releases/tag/v1.1.2
 - Related: #2061390
-* Wed Apr 27 2022 Jindrich Novy - 1:1.0.3-4
+* Thu May 12 2022 Jindrich Novy - 1:1.0.3-6
+- Fix every podman run invocation generates two "Couldn't stat device
+ /dev/char/10:200: No such file or directory" lines in the journal
 - Related: #2061390
-* Wed Apr 06 2022 Jindrich Novy - 1:1.0.3-3
-- require at least libseccomp >= 2.5
-- Resolves: #2053990
+* Wed May 11 2022 Jindrich Novy - 1:1.0.3-5
+- BuildRequires: /usr/bin/go-md2man
+- Related: #2061390
-* Tue Mar 08 2022 Jindrich Novy - 1:1.0.3-2
+* Fri Apr 08 2022 Jindrich Novy - 1:1.0.3-4
+- Related: #2061390
+
+* Tue Mar 08 2022 Jindrich Novy - 1:1.0.3-3
 - require at least libseccomp >= 2.5
+- Resolves: #2053990
-* Mon Mar 07 2022 Jindrich Novy - 1:1.0.3-1
+* Wed Feb 16 2022 Jindrich Novy - 1.0.3-2
 - rollback to 1.0.3 due to gating test issues
 - Related: #2001445
+* Tue Jan 18 2022 Jindrich Novy - 1.1.0-1
+- update to https://github.com/opencontainers/runc/releases/tag/v1.1.0
+- Related: #2001445
+
+* Mon Dec 06 2021 Jindrich Novy - 1.0.3-1
+- update to https://github.com/opencontainers/runc/releases/tag/v1.0.3
+- Related: #2001445
+
 * Wed Aug 25 2021 Jindrich Novy - 1.0.2-1
 - update to https://github.com/opencontainers/runc/releases/tag/v1.0.2
 - Related: #1934415