diff --git a/.gitignore b/.gitignore
index abc4b4f..4d97e7f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/runc-2abd837.tar.gz
+SOURCES/runc-425e105.tar.gz
diff --git a/.runc.metadata b/.runc.metadata
index 93b3f44..1ff52c1 100644
--- a/.runc.metadata
+++ b/.runc.metadata
@@ -1 +1 @@
-cf7119a838db2963e7af6ecdba90a2cc95ec0d56 SOURCES/runc-2abd837.tar.gz
+cfbe1abc984f5b0be1413475f888e39304b265ae SOURCES/runc-425e105.tar.gz
diff --git a/SOURCES/0001-Revert-Apply-cgroups-earlier.patch b/SOURCES/0001-Revert-Apply-cgroups-earlier.patch
deleted file mode 100644
index 4ad310a..0000000
--- a/SOURCES/0001-Revert-Apply-cgroups-earlier.patch
+++ /dev/null
@@ -1,62 +0,0 @@ -From dfb3496c174377b860b62872ce6af951364cc3ac Mon Sep 17 00:00:00 2001 -From: Lokesh Mandvekar -Date: Tue, 12 Dec 2017 13:22:42 +0530 -Subject: [PATCH] Revert "Apply cgroups earlier" - -This reverts commit 7062c7556b71188abc18d7516441ff4b03fbc1fc. ---- - libcontainer/process_linux.go | 31 ++++++++++++++----------------- - 1 file changed, 14 insertions(+), 17 deletions(-) - -diff --git a/libcontainer/process_linux.go b/libcontainer/process_linux.go -index 149b1126..b8a395af 100644 ---- a/libcontainer/process_linux.go -+++ b/libcontainer/process_linux.go -@@ -272,6 +272,20 @@ func (p *initProcess) start() error { - p.process.ops = nil - return newSystemErrorWithCause(err, "starting init process command") - } -+ if _, err := io.Copy(p.parentPipe, p.bootstrapData); err != nil { -+ return newSystemErrorWithCause(err, "copying bootstrap data to pipe") -+ } -+ if err := p.execSetns(); err != nil { -+ return newSystemErrorWithCause(err, "running exec setns process for init") -+ } -+ // Save the standard descriptor names before the container process -+ // can potentially move them (e.g., via dup2()). If we don't do this now, -+ // we won't know at checkpoint time which file descriptor to look up. -+ fds, err := getPipeFds(p.pid()) -+ if err != nil { -+ return newSystemErrorWithCausef(err, "getting pipe fds for pid %d", p.pid()) -+ } -+ p.setExternalDescriptors(fds) - // Do this before syncing with child so that no children can escape the - // cgroup. We don't need to worry about not doing this and not being root - // because we'd be using the rootless cgroup manager in that case. 
-@@ -292,23 +306,6 @@ func (p *initProcess) start() error { - } - } - }() -- -- if _, err := io.Copy(p.parentPipe, p.bootstrapData); err != nil { -- return newSystemErrorWithCause(err, "copying bootstrap data to pipe") -- } -- -- if err := p.execSetns(); err != nil { -- return newSystemErrorWithCause(err, "running exec setns process for init") -- } -- -- // Save the standard descriptor names before the container process -- // can potentially move them (e.g., via dup2()). If we don't do this now, -- // we won't know at checkpoint time which file descriptor to look up. -- fds, err := getPipeFds(p.pid()) -- if err != nil { -- return newSystemErrorWithCausef(err, "getting pipe fds for pid %d", p.pid()) -- } -- p.setExternalDescriptors(fds) - if err := p.createNetworkInterfaces(); err != nil { - return newSystemErrorWithCause(err, "creating network interfaces") - } --- -2.14.3 - diff --git a/SOURCES/0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b-runc.patch b/SOURCES/0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b-runc.patch deleted file mode 100644 index 7975703..0000000 --- a/SOURCES/0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b-runc.patch +++ /dev/null 
@@ -1,290 +0,0 @@ -From bf6405284aa3870a39b402309003633a1c230ed9 Mon Sep 17 00:00:00 2001 -From: Aleksa Sarai -Date: Wed, 9 Jan 2019 13:40:01 +1100 -Subject: [PATCH 1/1] nsenter: clone /proc/self/exe to avoid exposing host - binary to container - -There are quite a few circumstances where /proc/self/exe pointing to a -pretty important container binary is a _bad_ thing, so to avoid this we -have to make a copy (preferably doing self-clean-up and not being -writeable). - -As a hotfix we require memfd_create(2), but we can always extend this to -use a scratch MNT_DETACH overlayfs or tmpfs. The main downside to this -approach is no page-cache sharing for the runc binary (which overlayfs -would give us) but this is far less complicated. - -This is only done during nsenter so that it happens transparently to the -Go code, and any libcontainer users benefit from it. This also makes -ExtraFiles and --preserve-fds handling trivial (because we don't need to -worry about it). - -Fixes: CVE-2019-5736 -Co-developed-by: Christian Brauner -Signed-off-by: Aleksa Sarai -Signed-off-by: Mrunal Patel ---- - libcontainer/nsenter/cloned_binary.c | 221 +++++++++++++++++++++++++++ - libcontainer/nsenter/nsexec.c | 11 ++ - 2 files changed, 232 insertions(+) - create mode 100644 libcontainer/nsenter/cloned_binary.c - -diff --git a/libcontainer/nsenter/cloned_binary.c b/libcontainer/nsenter/cloned_binary.c -new file mode 100644 -index 00000000..d9f6093a ---- /dev/null -+++ b/libcontainer/nsenter/cloned_binary.c -@@ -0,0 +1,221 @@ -+#define _GNU_SOURCE -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#include -+#include -+ -+/* Use our own wrapper for memfd_create. 
*/ -+#if !defined(SYS_memfd_create) && defined(__NR_memfd_create) -+# define SYS_memfd_create __NR_memfd_create -+#endif -+#ifndef SYS_memfd_create -+# error "memfd_create(2) syscall not supported by this glibc version" -+#endif -+int memfd_create(const char *name, unsigned int flags) -+{ -+ return syscall(SYS_memfd_create, name, flags); -+} -+ -+/* This comes directly from . */ -+#ifndef F_LINUX_SPECIFIC_BASE -+# define F_LINUX_SPECIFIC_BASE 1024 -+#endif -+#ifndef F_ADD_SEALS -+# define F_ADD_SEALS (F_LINUX_SPECIFIC_BASE + 9) -+# define F_GET_SEALS (F_LINUX_SPECIFIC_BASE + 10) -+#endif -+#ifndef F_SEAL_SEAL -+# define F_SEAL_SEAL 0x0001 /* prevent further seals from being set */ -+# define F_SEAL_SHRINK 0x0002 /* prevent file from shrinking */ -+# define F_SEAL_GROW 0x0004 /* prevent file from growing */ -+# define F_SEAL_WRITE 0x0008 /* prevent writes */ -+#endif -+ -+ -+#define OUR_MEMFD_COMMENT "runc_cloned:/proc/self/exe" -+#define OUR_MEMFD_SEALS \ -+ (F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE) -+ -+static void *must_realloc(void *ptr, size_t size) -+{ -+ void *old = ptr; -+ do { -+ ptr = realloc(old, size); -+ } while(!ptr); -+ return ptr; -+} -+ -+/* -+ * Verify whether we are currently in a self-cloned program (namely, is -+ * /proc/self/exe a memfd). F_GET_SEALS will only succeed for memfds (or rather -+ * for shmem files), and we want to be sure it's actually sealed. -+ */ -+static int is_self_cloned(void) -+{ -+ int fd, seals; -+ -+ fd = open("/proc/self/exe", O_RDONLY|O_CLOEXEC); -+ if (fd < 0) -+ return -ENOTRECOVERABLE; -+ -+ seals = fcntl(fd, F_GET_SEALS); -+ close(fd); -+ return seals == OUR_MEMFD_SEALS; -+} -+ -+/* -+ * Basic wrapper around mmap(2) that gives you the file length so you can -+ * safely treat it as an ordinary buffer. Only gives you read access. 
-+ */ -+static char *read_file(char *path, size_t *length) -+{ -+ int fd; -+ char buf[4096], *copy = NULL; -+ -+ if (!length) -+ return NULL; -+ -+ fd = open(path, O_RDONLY | O_CLOEXEC); -+ if (fd < 0) -+ return NULL; -+ -+ *length = 0; -+ for (;;) { -+ int n; -+ -+ n = read(fd, buf, sizeof(buf)); -+ if (n < 0) -+ goto error; -+ if (!n) -+ break; -+ -+ copy = must_realloc(copy, (*length + n) * sizeof(*copy)); -+ memcpy(copy + *length, buf, n); -+ *length += n; -+ } -+ close(fd); -+ return copy; -+ -+error: -+ close(fd); -+ free(copy); -+ return NULL; -+} -+ -+/* -+ * A poor-man's version of "xargs -0". Basically parses a given block of -+ * NUL-delimited data, within the given length and adds a pointer to each entry -+ * to the array of pointers. -+ */ -+static int parse_xargs(char *data, int data_length, char ***output) -+{ -+ int num = 0; -+ char *cur = data; -+ -+ if (!data || *output != NULL) -+ return -1; -+ -+ while (cur < data + data_length) { -+ num++; -+ *output = must_realloc(*output, (num + 1) * sizeof(**output)); -+ (*output)[num - 1] = cur; -+ cur += strlen(cur) + 1; -+ } -+ (*output)[num] = NULL; -+ return num; -+} -+ -+/* -+ * "Parse" out argv and envp from /proc/self/cmdline and /proc/self/environ. -+ * This is necessary because we are running in a context where we don't have a -+ * main() that we can just get the arguments from. -+ */ -+static int fetchve(char ***argv, char ***envp) -+{ -+ char *cmdline = NULL, *environ = NULL; -+ size_t cmdline_size, environ_size; -+ -+ cmdline = read_file("/proc/self/cmdline", &cmdline_size); -+ if (!cmdline) -+ goto error; -+ environ = read_file("/proc/self/environ", &environ_size); -+ if (!environ) -+ goto error; -+ -+ if (parse_xargs(cmdline, cmdline_size, argv) <= 0) -+ goto error; -+ if (parse_xargs(environ, environ_size, envp) <= 0) -+ goto error; -+ -+ return 0; -+ -+error: -+ free(environ); -+ free(cmdline); -+ return -EINVAL; -+} -+ -+#define SENDFILE_MAX 0x7FFFF000 /* sendfile(2) is limited to 2GB. 
*/ -+static int clone_binary(void) -+{ -+ int binfd, memfd, err; -+ ssize_t sent = 0; -+ -+ memfd = memfd_create(OUR_MEMFD_COMMENT, MFD_CLOEXEC | MFD_ALLOW_SEALING); -+ if (memfd < 0) -+ return -ENOTRECOVERABLE; -+ -+ binfd = open("/proc/self/exe", O_RDONLY | O_CLOEXEC); -+ if (binfd < 0) -+ goto error; -+ -+ sent = sendfile(memfd, binfd, NULL, SENDFILE_MAX); -+ close(binfd); -+ if (sent < 0) -+ goto error; -+ -+ err = fcntl(memfd, F_ADD_SEALS, OUR_MEMFD_SEALS); -+ if (err < 0) -+ goto error; -+ -+ return memfd; -+ -+error: -+ close(memfd); -+ return -EIO; -+} -+ -+int ensure_cloned_binary(void) -+{ -+ int execfd; -+ char **argv = NULL, **envp = NULL; -+ -+ /* Check that we're not self-cloned, and if we are then bail. */ -+ int cloned = is_self_cloned(); -+ if (cloned > 0 || cloned == -ENOTRECOVERABLE) -+ return cloned; -+ -+ if (fetchve(&argv, &envp) < 0) -+ return -EINVAL; -+ -+ execfd = clone_binary(); -+ if (execfd < 0) -+ return -EIO; -+ -+ fexecve(execfd, argv, envp); -+ return -ENOEXEC; -+} -diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c -index cb224314..784fd9b0 100644 ---- a/libcontainer/nsenter/nsexec.c -+++ b/libcontainer/nsenter/nsexec.c -@@ -528,6 +528,9 @@ void join_namespaces(char *nslist) - free(namespaces); - } - -+/* Defined in cloned_binary.c. */ -+int ensure_cloned_binary(void); -+ - void nsexec(void) - { - int pipenum; -@@ -543,6 +546,14 @@ void nsexec(void) - if (pipenum == -1) - return; - -+ /* -+ * We need to re-exec if we are not in a cloned binary. This is necessary -+ * to ensure that containers won't be able to access the host binary -+ * through /proc/self/exe. See CVE-2019-5736. -+ */ -+ if (ensure_cloned_binary() < 0) -+ bail("could not ensure we are a cloned binary"); -+ - /* Parse all of the netlink configuration. */ - nl_parse(pipenum, &config); - --- -2.20.1 - diff --git a/SOURCES/1807.patch b/SOURCES/1807.patch index 8dab9a9..dcfae56 100644 --- a/SOURCES/1807.patch +++ b/SOURCES/1807.patch 
@@ -1,4 +1,4 @@ -From cd9b959b34c183cf6cd031af678c4ec66b765080 Mon Sep 17 00:00:00 2001 +From e3b37893afa498ef6254cc9d94c159b12e04d0b0 Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Fri, 25 May 2018 18:04:06 +0200 Subject: [PATCH] sd-notify: do not hang when NOTIFY_SOCKET is used with create @@ -11,13 +11,13 @@ still accessible from the container. Signed-off-by: Giuseppe Scrivano --- notify_socket.go | 113 ++++++++++++++++++++++++++++++++++------------- - signals.go | 5 +-- + signals.go | 4 +- start.go | 13 +++++- utils_linux.go | 12 ++++- - 4 files changed, 106 insertions(+), 37 deletions(-) + 4 files changed, 106 insertions(+), 36 deletions(-) diff --git a/notify_socket.go b/notify_socket.go -index cd6c0a98..7fbd2e73 100644 +index b890b5b1c..286ce1ddd 100644 --- a/notify_socket.go +++ b/notify_socket.go @@ -6,11 +6,14 @@ import ( @@ -52,7 +52,7 @@ index cd6c0a98..7fbd2e73 100644 } return notifySocket -@@ -43,13 +46,19 @@ func (ns *notifySocket) Close() error { +@@ -43,13 +46,19 @@ func (s *notifySocket) Close() error { // If systemd is supporting sd_notify protocol, this function will add support // for sd_notify protocol from within the container. @@ -82,9 +82,9 @@ index cd6c0a98..7fbd2e73 100644 -// pid1 must be set only with -d, as it is used to set the new process as the main process -// for the service in systemd --func (notifySocket *notifySocket) run(pid1 int) { +-func (s *notifySocket) run(pid1 int) { - buf := make([]byte, 512) -- notifySocketHostAddr := net.UnixAddr{Name: notifySocket.host, Net: "unixgram"} +- notifySocketHostAddr := net.UnixAddr{Name: s.host, Net: "unixgram"} +func (s *notifySocket) setupSocketDirectory() error { + return os.Mkdir(path.Dir(s.socketPath), 0755) +} @@ -121,7 +121,7 @@ index cd6c0a98..7fbd2e73 100644 + return err } - for { -- r, err := notifySocket.socket.Read(buf) +- r, err := s.socket.Read(buf) - if err != nil { - break + @@ -189,19 +189,18 @@ index cd6c0a98..7fbd2e73 100644 } } 
diff --git a/signals.go b/signals.go -index 1811de83..d0988cb3 100644 +index b67f65a03..dd25e094c 100644 --- a/signals.go +++ b/signals.go -@@ -70,7 +70,7 @@ func (h *signalHandler) forward(process *libcontainer.Process, tty *tty, detach +@@ -70,6 +70,7 @@ func (h *signalHandler) forward(process *libcontainer.Process, tty *tty, detach h.notifySocket.run(pid1) return 0, nil - } else { -- go h.notifySocket.run(0) -+ h.notifySocket.run(os.Getpid()) } ++ h.notifySocket.run(os.Getpid()) + go h.notifySocket.run(0) } -@@ -98,9 +98,6 @@ func (h *signalHandler) forward(process *libcontainer.Process, tty *tty, detach +@@ -97,9 +98,6 @@ func (h *signalHandler) forward(process *libcontainer.Process, tty *tty, detach // status because we must ensure that any of the go specific process // fun such as flushing pipes are complete before we return. process.Wait() @@ -212,7 +211,7 @@ index 1811de83..d0988cb3 100644 } } diff --git a/start.go b/start.go -index 2bb698b2..3a1769a4 100644 +index 2bb698b20..3a1769a43 100644 --- a/start.go +++ b/start.go @@ -3,6 +3,7 @@ package main @@ -243,10 +242,10 @@ index 2bb698b2..3a1769a4 100644 return errors.New("cannot start a container that has stopped") case libcontainer.Running: diff --git a/utils_linux.go b/utils_linux.go -index c6a34897..77423f67 100644 +index ce50db145..670c0fcba 100644 --- a/utils_linux.go +++ b/utils_linux.go -@@ -420,7 +420,9 @@ func startContainer(context *cli.Context, spec *specs.Spec, action CtAct, criuOp +@@ -406,7 +406,9 @@ func startContainer(context *cli.Context, spec *specs.Spec, action CtAct, criuOp notifySocket := newNotifySocket(context, os.Getenv("NOTIFY_SOCKET"), id) if notifySocket != nil { 
@@ -257,7 +256,7 @@ index c6a34897..77423f67 100644 } container, err := createContainer(context, id, spec) -@@ -429,10 +431,16 @@ func startContainer(context *cli.Context, spec *specs.Spec, action CtAct, criuOp +@@ -415,10 +417,16 @@ func startContainer(context *cli.Context, spec *specs.Spec, action CtAct, criuOp } if notifySocket != nil { @@ -275,6 +274,3 @@ index c6a34897..77423f67 100644 } // Support on-demand socket activation by passing file descriptors into the container init process. --- -2.17.1 - diff --git a/SOURCES/change-default-root.patch b/SOURCES/change-default-root.patch index 749918a..091bc88 100644 --- a/SOURCES/change-default-root.patch +++ b/SOURCES/change-default-root.patch @@ -1,53 +1,61 @@ +From bc548da226f683aa123551295b95d9c11621b7bf Mon Sep 17 00:00:00 2001 +From: Lokesh Mandvekar +Date: Thu, 4 Jul 2019 19:17:16 +0000 +Subject: [PATCH] change default root + +Signed-off-by: Lokesh Mandvekar +--- + list.go | 2 +- + main.go | 4 ++-- + man/runc-list.8.md | 2 +- + man/runc.8.md | 2 +- + 4 files changed, 5 insertions(+), 5 deletions(-) + diff --git a/list.go b/list.go -index 0313d8cc..328798b5 100644 +index 0313d8c..328798b 100644 --- a/list.go +++ b/list.go @@ -50,7 +50,7 @@ var listCommand = cli.Command{ ArgsUsage: ` - + Where the given root is specified via the global option "--root" -(default: "/run/runc"). +(default: "/run/runc-ctrs"). - + EXAMPLE 1: To list containers created via the default "--root": diff --git a/main.go b/main.go -index 278399a5..0f49fce1 100644 +index 072447d..e675a96 100644 --- a/main.go 
+++ b/main.go -@@ -62,7 +62,7 @@ func main() { +@@ -62,10 +62,10 @@ func main() { v = append(v, fmt.Sprintf("spec: %s", specs.Version)) app.Version = strings.Join(v, "\n") - + - root := "/run/runc" + root := "/run/runc-ctrs" - rootless, err := isRootless(nil) - if err != nil { - fatal(err) -@@ -70,7 +70,7 @@ func main() { - if rootless { - runtimeDir := os.Getenv("XDG_RUNTIME_DIR") - if runtimeDir != "" { + if shouldHonorXDGRuntimeDir() { + if runtimeDir := os.Getenv("XDG_RUNTIME_DIR"); runtimeDir != "" { - root = runtimeDir + "/runc" + root = runtimeDir + "/runc-ctrs" // According to the XDG specification, we need to set anything in // XDG_RUNTIME_DIR to have a sticky bit if we don't want it to get // auto-pruned. diff --git a/man/runc-list.8.md b/man/runc-list.8.md -index f7374244..107220ee 100644 +index f737424..107220e 100644 --- a/man/runc-list.8.md +++ b/man/runc-list.8.md @@ -6,7 +6,7 @@ - + # EXAMPLE Where the given root is specified via the global option "--root" -(default: "/run/runc"). +(default: "/run/runc-ctrs"). - + To list containers created via the default "--root": # runc list diff --git a/man/runc.8.md b/man/runc.8.md -index 6d0ddff..337bc73 100644 +index 6d0ddff..9d6816d 100644 --- a/man/runc.8.md +++ b/man/runc.8.md @@ -51,7 +51,7 @@ value for "bundle" is the current directory. 
@@ -55,7 +63,10 @@ index 6d0ddff..337bc73 100644 --log value set the log file path where internal debug information is written (default: "/dev/null") --log-format value set the format used by logs ('text' (default), or 'json') (default: "text") - --root value root directory for storage of container state (this should be located in tmpfs) (default: "/run/runc" or $XDG_RUNTIME_DIR/runc for rootless containers) -+ --root value root directory for storage of container state (this should be located in tmpfs) (default: "/run/runc-ctrs" or $XDG_RUNTIME_DIR/runc-ctrs for rootless containers) ++ --root value root directory for storage of container state (this should be located in tmpfs) (default: "/run/runc-ctrs" or $XDG_RUNTIME_DIR/runc for rootless containers) --criu value path to the criu binary used for checkpoint and restore (default: "criu") --systemd-cgroup enable systemd cgroup support, expects cgroupsPath to be of form "slice:prefix:name" for e.g. "system.slice:runc:434234" --rootless value enable rootless mode ('true', 'false', or 'auto') (default: "auto") +-- +1.8.3.1 + diff --git a/SPECS/runc.spec b/SPECS/runc.spec index bf3248f..38a9891 100644 --- a/SPECS/runc.spec +++ b/SPECS/runc.spec 
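Review bot: The rewritten man/runc.8.md line in this hunk documents the rootless default as `$XDG_RUNTIME_DIR/runc`, but the main.go hunk of the same patch sets `root = runtimeDir + "/runc-ctrs"`, and the previous revision of this patch documented `$XDG_RUNTIME_DIR/runc-ctrs`; the new text contradicts the code it ships with. The added line should read `+  --root value  root directory for storage of container state (this should be located in tmpfs) (default: "/run/runc-ctrs" or $XDG_RUNTIME_DIR/runc-ctrs for rootless containers)`. The runc-list.8.md and list.go hunks earlier in the file only mention the non-rootless default, so they are unaffected.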
@@ -1,170 +1,57 @@ %global with_debug 1 -%global with_devel 0 -%global with_bundled 1 %global with_check 0 -%global with_unit_test 0 %if 0%{?with_debug} %global _find_debuginfo_dwz_opts %{nil} %global _dwz_low_mem_die_limit 0 %else -%global debug_package %{nil} +%global debug_package %{nil} %endif %if ! 0%{?gobuild:1} %define gobuild(o:) \ -scl enable go-toolset-1.10 -- go build -buildmode pie -compiler gc -tags="rpm_crashtraceback no_openssl ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v -x %{?**}; +go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v -x %{?**}; %endif -%global provider github -%global provider_tld com -%global project opencontainers -%global repo runc +%global provider github +%global provider_tld com +%global project opencontainers +%global repo runc # https://github.com/opencontainers/runc -%global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo} -%global import_path %{provider_prefix} -%global git0 https://github.com/opencontainers/runc -%global commit0 2abd837c8c25b0102ac4ce14f17bc0bc7ddffba7 -%global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) +%global import_path %{provider}.%{provider_tld}/%{project}/%{repo} +%global git0 https://%{import_path} +%global commit0 425e105d5a03fabd737a126ad93d62a9eeede87f +%global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) Name: %{repo} Version: 1.0.0 -Release: 59.dev.git%{shortcommit0}%{?dist} +Release: 64.rc8%{?dist} Summary: CLI for running Open Containers License: ASL 2.0 -URL: http//%{provider_prefix} -Source0: %{git0}/archive/%{commit0}/%{repo}-%{shortcommit0}.tar.gz +URL: %{git0} +Source0: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz Source1: 99-containers.conf -Patch0: change-default-root.patch -Patch1: 0001-Revert-Apply-cgroups-earlier.patch 
-Patch2: 1807.patch -Patch3: 0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b-runc.patch +Patch0: 1807.patch +Patch1: change-default-root.patch Requires: criu Requires(pre): container-selinux >= 2:2.2-2 ExclusiveArch: aarch64 %{arm} ppc64le s390x x86_64 - -%if 0%{?fedora} || 0%{?centos} -BuildRequires: %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang} -%else BuildRequires: go-toolset-1.10 BuildRequires: openssl-devel -%endif #fedora BuildRequires: git BuildRequires: go-md2man BuildRequires: libseccomp-devel -%if ! 0%{?with_bundled} -BuildRequires: golang(github.com/Sirupsen/logrus) -BuildRequires: golang(github.com/codegangsta/cli) -BuildRequires: golang(github.com/coreos/go-systemd/dbus) -BuildRequires: golang(github.com/coreos/go-systemd/util) -BuildRequires: golang(github.com/docker/docker/pkg/mount) -BuildRequires: golang(github.com/docker/docker/pkg/symlink) -BuildRequires: golang(github.com/docker/docker/pkg/term) -BuildRequires: golang(github.com/docker/docker/pkg/units) -BuildRequires: golang(github.com/godbus/dbus) -BuildRequires: golang(github.com/golang/protobuf/proto) -BuildRequires: golang(github.com/opencontainers/specs) -BuildRequires: golang(github.com/syndtr/gocapability/capability) -%endif - %description The runc command can be used to start containers which are packaged in accordance with the Open Container Initiative's specifications, and to manage containers running under runc. 
-%if 0%{?with_devel} -%package devel -Summary: %{summary} -BuildArch: noarch - -%if 0%{?with_check} -BuildRequires: golang(github.com/Sirupsen/logrus) -BuildRequires: golang(github.com/codegangsta/cli) -BuildRequires: golang(github.com/coreos/go-systemd/dbus) -BuildRequires: golang(github.com/coreos/go-systemd/util) -BuildRequires: golang(github.com/docker/docker/pkg/mount) -BuildRequires: golang(github.com/docker/docker/pkg/symlink) -BuildRequires: golang(github.com/docker/docker/pkg/term) -BuildRequires: golang(github.com/docker/docker/pkg/units) -BuildRequires: golang(github.com/godbus/dbus) -BuildRequires: golang(github.com/golang/protobuf/proto) -BuildRequires: golang(github.com/opencontainers/specs) -BuildRequires: golang(github.com/seccomp/libseccomp-golang) -BuildRequires: golang(github.com/syndtr/gocapability/capability) -BuildRequires: golang(github.com/vishvananda/netlink) -%endif - -Requires: golang(github.com/Sirupsen/logrus) -Requires: golang(github.com/coreos/go-systemd/dbus) -Requires: golang(github.com/coreos/go-systemd/util) -Requires: golang(github.com/docker/docker/pkg/mount) -Requires: golang(github.com/docker/docker/pkg/symlink) -Requires: golang(github.com/docker/docker/pkg/units) -Requires: golang(github.com/godbus/dbus) -Requires: golang(github.com/golang/protobuf/proto) -Requires: golang(github.com/seccomp/libseccomp-golang) -Requires: golang(github.com/syndtr/gocapability/capability) -Requires: golang(github.com/vishvananda/netlink) - -Provides: golang(%{import_path}/libcontainer) = %{version}-%{release} -Provides: golang(%{import_path}/libcontainer/apparmor) = %{version}-%{release} -Provides: golang(%{import_path}/libcontainer/cgroups) = %{version}-%{release} -Provides: golang(%{import_path}/libcontainer/cgroups/fs) = %{version}-%{release} -Provides: golang(%{import_path}/libcontainer/cgroups/systemd) = %{version}-%{release} -Provides: golang(%{import_path}/libcontainer/configs) = %{version}-%{release} -Provides: 
golang(%{import_path}/libcontainer/configs/validate) = %{version}-%{release} -Provides: golang(%{import_path}/libcontainer/criurpc) = %{version}-%{release} -Provides: golang(%{import_path}/libcontainer/devices) = %{version}-%{release} -Provides: golang(%{import_path}/libcontainer/integration) = %{version}-%{release} -Provides: golang(%{import_path}/libcontainer/label) = %{version}-%{release} -Provides: golang(%{import_path}/libcontainer/nsenter) = %{version}-%{release} -Provides: golang(%{import_path}/libcontainer/seccomp) = %{version}-%{release} -Provides: golang(%{import_path}/libcontainer/selinux) = %{version}-%{release} -Provides: golang(%{import_path}/libcontainer/stacktrace) = %{version}-%{release} -Provides: golang(%{import_path}/libcontainer/system) = %{version}-%{release} -Provides: golang(%{import_path}/libcontainer/user) = %{version}-%{release} -Provides: golang(%{import_path}/libcontainer/utils) = %{version}-%{release} -Provides: golang(%{import_path}/libcontainer/xattr) = %{version}-%{release} - -%description devel -The runc command can be used to start containers which are packaged -in accordance with the Open Container Initiative's specifications, -and to manage containers running under runc. - -This package contains library source intended for -building other packages which use import path with -%{import_path} prefix. -%endif - -%if 0%{?with_unit_test} && 0%{?with_devel} -%package unit-test -Summary: Unit tests for %{name} package -# If go_compiler is not set to 1, there is no virtual provide. Use golang instead. 
-BuildRequires: %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang} - -%if 0%{?with_check} -#Here comes all BuildRequires: PACKAGE the unit tests -#in %%check section need for running -%endif - -# test subpackage tests code from devel subpackage -Requires: %{name}-devel = %{version}-%{release} - -%description unit-test -The runc command can be used to start containers which are packaged -in accordance with the Open Container Initiative's specifications, -and to manage containers running under runc. - -This package contains unit tests for project -providing packages with %{import_path} prefix. -%endif - # Go Toolset -%{?enable_gotoolset7} +%{?enable_gotoolset110} %prep -%autosetup -Sgit -n %{repo}-%{commit0} +%autosetup -Sgit -n %{name}-%{commit0} %build mkdir -p GOPATH @@ -176,9 +63,7 @@ popd pushd GOPATH/src/%{import_path} export GOPATH=$(pwd)/GOPATH export BUILDTAGS='selinux seccomp' - %gobuild -o %{name} %{import_path} -%gobuild -o recvtty %{import_path}/contrib/cmd/recvtty pushd man ./md2man-all.sh @@ -187,7 +72,6 @@ popd %install install -d -p %{buildroot}%{_bindir} install -p -m 755 %{name} %{buildroot}%{_bindir} -install -p -m 755 recvtty %{buildroot}%{_bindir} install -d -p %{buildroot}%{_mandir}/man8 install -p -m 644 man/man8/* %{buildroot}%{_mandir}/man8 
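Review bot: Patch3 (0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b-runc.patch, the CVE-2019-5736 fix) is removed from the Patch list in this hunk and its source file is deleted, yet neither the remaining Patch lines nor the new %changelog entries in the later hunk say why, so a future reader auditing this package for that CVE has nothing to go on. The bump to commit 425e105 (v1.0.0-rc8) is presumably what makes the patch redundant, since rc8 carries the upstream fix, but that should be stated next to the Patch lines, e.g. `# CVE-2019-5736 nsenter fix (formerly Patch3) is carried upstream as of the rc8 tarball`, and ideally confirmed against libcontainer/nsenter/cloned_binary.c in the unpacked source during %prep. The renumbering of 1807.patch to Patch0 and change-default-root.patch to Patch1 also reverses their application order relative to the old spec; if that was not deliberate it is worth a comment, though with %autosetup either order applies cleanly only if the hunks do not overlap. The `%global debug_package %{nil}` change is whitespace only.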
@@ -195,47 +79,9 @@ install -p -m 644 man/man8/* %{buildroot}%{_mandir}/man8 install -d -p %{buildroot}%{_usr}/lib/sysctl.d install -p -m 644 %{SOURCE1} %{buildroot}%{_usr}/lib/sysctl.d -# source codes for building projects -%if 0%{?with_devel} -install -d -p %{buildroot}/%{gopath}/src/%{import_path}/ -# find all *.go but no *_test.go files and generate devel.file-list -for file in $(find . -iname "*.go" \! -iname "*_test.go" | grep -v "^./Godeps") ; do - echo "%%dir %%{gopath}/src/%%{import_path}/$(dirname $file)" >> devel.file-list - install -d -p %{buildroot}/%{gopath}/src/%{import_path}/$(dirname $file) - cp -pav $file %{buildroot}/%{gopath}/src/%{import_path}/$file - echo "%%{gopath}/src/%%{import_path}/$file" >> devel.file-list -done -for file in $(find . -iname "*.proto" | grep -v "^./Godeps") ; do - echo "%%dir %%{gopath}/src/%%{import_path}/$(dirname $file)" >> devel.file-list - install -d -p %{buildroot}/%{gopath}/src/%{import_path}/$(dirname $file) - cp -pav $file %{buildroot}/%{gopath}/src/%{import_path}/$file - echo "%%{gopath}/src/%%{import_path}/$file" >> devel.file-list -done -%endif - -# testing files for this project -%if 0%{?with_unit_test} && 0%{?with_devel} -install -d -p %{buildroot}/%{gopath}/src/%{import_path}/ -# find all *_test.go files and generate unit-test.file-list -for file in $(find . -iname "*_test.go" | grep -v "^./Godeps"); do - echo "%%dir %%{gopath}/src/%%{import_path}/$(dirname $file)" >> devel.file-list - install -d -p %{buildroot}/%{gopath}/src/%{import_path}/$(dirname $file) - cp -pav $file %{buildroot}/%{gopath}/src/%{import_path}/$file - echo "%%{gopath}/src/%%{import_path}/$file" >> unit-test.file-list -done -%endif - -%if 0%{?with_devel} -sort -u -o devel.file-list devel.file-list -%endif - %check -%if 0%{?with_check} && 0%{?with_unit_test} && 0%{?with_devel} -%if ! 
0%{?with_bundled} -export GOPATH=%{buildroot}/%{gopath}:%{gopath} -%else +%if 0%{?with_check} export GOPATH=%{buildroot}/%{gopath}:$(pwd)/Godeps/_workspace:%{gopath} -%endif %if ! 0%{?gotest:1} %global gotest go test @@ -271,25 +117,26 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/Godeps/_workspace:%{gopath} %license LICENSE %doc MAINTAINERS_GUIDE.md PRINCIPLES.md README.md CONTRIBUTING.md %{_bindir}/%{name} -%{_bindir}/recvtty %{_mandir}/man8/%{name}* %{_usr}/lib/sysctl.d/99-containers.conf -%if 0%{?with_devel} -%files devel -f devel.file-list -%license LICENSE -%doc MAINTAINERS_GUIDE.md PRINCIPLES.md README.md CONTRIBUTING.md -%dir %{gopath}/src/%{provider}.%{provider_tld}/%{project} -%dir %{gopath}/src/%{import_path} -%endif +%changelog +* Thu Jul 11 2019 Lokesh Mandvekar - 1.0.0-64.rc8 +- Resolves: #1728762 - update change-default-root.patch -%if 0%{?with_unit_test} && 0%{?with_devel} -%files unit-test -f unit-test.file-list -%license LICENSE -%doc MAINTAINERS_GUIDE.md PRINCIPLES.md README.md CONTRIBUTING.md -%endif +* Thu Jul 04 2019 Lokesh Mandvekar - 1.0.0-63.rc8 +- Resolves: #1724778 + +* Tue Jun 25 2019 Lokesh Mandvekar - 1.0.0-62.rc8 +- Resolves: #1723480 +- bump to v1.0.0-rc8 + +* Fri Jun 07 2019 Lokesh Mandvekar - 1.0.0-61.dev.git2abd837 +- Resolves: #1676705 - correct URL field + +* Mon Feb 11 2019 Frantisek Kluknavsky - 1.0.0-60.dev.git2abd837 +- update golang toolchain macros -%changelog * Fri Feb 08 2019 Frantisek Kluknavsky - 1.0.0-59.dev.git2abd837 - Resolves: #1664908 - CVE-2019-5736