diff --git a/containerd.spec b/containerd.spec index d6b034fc45e2c2bc94288bede89accc250d3add6..42b4f31579a57ce246836a35057ba1881341dbb6 100644 --- a/containerd.spec +++ b/containerd.spec @@ -2,7 +2,7 @@ %global debug_package %{nil} Version: 1.2.0 Name: containerd -Release: 106 +Release: 108 Summary: An industry-standard container runtime License: ASL 2.0 URL: https://containerd.io @@ -39,6 +39,7 @@ cd $GO_BUILD_PATH/src/%{goipath} export GOPATH=$GO_BUILD_PATH:%{gopath} export BUILDTAGS="no_btrfs no_cri" make +strip ./bin/containerd ./bin/containerd-shim %install install -d $RPM_BUILD_ROOT/%{_bindir} @@ -50,6 +51,22 @@ install -p -m 755 bin/containerd-shim $RPM_BUILD_ROOT/%{_bindir}/containerd-shim %{_bindir}/containerd-shim %changelog +* Thu Mar 18 2021 xiadanni - 1.2.0-108 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:compile option compliance + +* Thu Mar 18 2021 xiadanni - 1.2.0-107 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:sync bugfix, include + 1. check task list to avoid unnecessary cleanup. + 2. fix dead loop + 3. cleanup dangling shim by brand new context + 4. fix potential panic for task in unknown state + * Fri Dec 11 2020 yangyanchao 1.2.0-106 - Type:requirement - ID:NA diff --git a/gen-commit.sh b/gen-commit.sh old mode 100644 new mode 100755 diff --git a/git-commit b/git-commit index 1d72c511889081dab824ef11c3989b6a35a83bc3..f26305080b74232c8782d0e6717f051bc97bb0e4 100644 --- a/git-commit +++ b/git-commit @@ -1 +1 @@ -3b91554d97fcb60c607896100a1ae8abb339d715 +aec25f8e033c265f30268f7170d83095404adcef diff --git a/patch/0064-containerd-check-task-list-to-avoid-unnecessary-clea.patch b/patch/0064-containerd-check-task-list-to-avoid-unnecessary-clea.patch new file mode 100644 index 0000000000000000000000000000000000000000..caea572bd25bec56ea5de1b2016eafa0f99e9c18 --- /dev/null +++ b/patch/0064-containerd-check-task-list-to-avoid-unnecessary-clea.patch 
@@ -0,0 +1,30 @@
+From 53111d2f094b738a4b3a35bcec85f78324ca8509 Mon Sep 17 00:00:00 2001
+From: xiadanni1
+Date: Tue, 24 Nov 2020 11:00:32 +0800
+Subject: [PATCH] containerd: check task list to avoid unnecessary cleanup
+
+Signed-off-by: Lantao Liu
+Signed-off-by: xiadanni1
+---
+ runtime/v1/linux/runtime.go | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/runtime/v1/linux/runtime.go b/runtime/v1/linux/runtime.go
+index 5be785d..0feb587 100644
+--- a/runtime/v1/linux/runtime.go
++++ b/runtime/v1/linux/runtime.go
+@@ -374,6 +374,11 @@ func (r *Runtime) loadTasks(ctx context.Context, ns string) ([]*Task, error) {
+ shimExit := make(chan struct{})
+ s, err := bundle.NewShimClient(ctx, ns, ShimConnect(r.config, func() {
+ close(shimExit)
++ if _, err := r.tasks.Get(ctx, id); err != nil {
++ // Task was never started or was already successfully deleted
++ return
++ }
++
+ err := r.cleanupAfterDeadShim(ctx, bundle, ns, id, pid)
+ if err != nil {
+ log.G(ctx).WithError(err).WithField("bundle", bundle.path).
+--
+1.8.3.1
+
diff --git a/patch/0065-containerd-fix-dead-loop.patch b/patch/0065-containerd-fix-dead-loop.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e7311d24815f14f3ba197caf8f834db15c190371
--- /dev/null
+++ b/patch/0065-containerd-fix-dead-loop.patch
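Review bot: In patch 0064's hunk for `loadTasks` (runtime/v1/linux/runtime.go), every error from `r.tasks.Get(ctx, id)` is read as "task never started or already deleted", so the shim-exit callback returns without calling `cleanupAfterDeadShim` and without logging anything. If the lookup can fail for another reason, for example because the task has not yet been registered while loading is still in progress (the hunk does not show this), a dead shim's bundle would be left behind silently. Consider recording the skipped cleanup, e.g. `log.G(ctx).WithError(err).WithField("id", id).Debug("shim exited, task not in list, skipping cleanup")`, and returning early only for a not-found error if the task list distinguishes one. Both the callback and `loadTasks` continue outside the hunk.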
@@ -0,0 +1,37 @@
+From b315a85a6695dfbe67767f21713c3ccfc7cae73e Mon Sep 17 00:00:00 2001
+From: jingrui
+Date: Mon, 1 Feb 2021 09:48:07 +0800
+Subject: [PATCH] containerd: fix dead loop
+
+Change-Id: I6b2ce4456ca8fe197683692721d150f4e5d7e3fe
+Signed-off-by: jingrui
+---
+ runtime/v1/shim/client/client.go | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/runtime/v1/shim/client/client.go b/runtime/v1/shim/client/client.go
+index 06453b35a..9e63af4ea 100644
+--- a/runtime/v1/shim/client/client.go
++++ b/runtime/v1/shim/client/client.go
+@@ -393,15 +393,15 @@ func (c *Client) signalShim(ctx context.Context, sig syscall.Signal) error {
+
+ func (c *Client) waitForExit(pid int) <-chan struct{} {
+ c.exitOnce.Do(func() {
+- for {
++ for i := 0; i < 1000; i++ {
+ // use kill(pid, 0) here because the shim could have been reparented
+ // and we are no longer able to waitpid(pid, ...) on the shim
+ if err := unix.Kill(pid, 0); err == unix.ESRCH {
+- close(c.exitCh)
+- return
++ break
+ }
+ time.Sleep(10 * time.Millisecond)
+ }
++ close(c.exitCh)
+ })
+ return c.exitCh
+ }
+--
+2.17.1
+
diff --git a/patch/0066-containerd-cleanup-dangling-shim-by-brand-new-context.patch b/patch/0066-containerd-cleanup-dangling-shim-by-brand-new-context.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ecfe407b9531b7b0742c2cae361735d8b1cc9d65
--- /dev/null
+++ b/patch/0066-containerd-cleanup-dangling-shim-by-brand-new-context.patch
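Review bot: In patch 0065's `waitForExit` (runtime/v1/shim/client/client.go), `close(c.exitCh)` now runs both when `unix.Kill(pid, 0)` reports `ESRCH` and when the 1000 × 10 ms budget runs out, so a reader of the channel cannot tell a shim that exited from one that is still alive after roughly ten seconds. Follow-up cleanup may therefore run against a live shim, and nothing in the log records that the wait gave up. I would name the bound (e.g. `const shimExitPollAttempts = 1000`) and emit a warning on the path where the loop ends without `ESRCH`. A doc comment on `waitForExit` should also state that the channel closes on exit or after the timeout.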
@@ -0,0 +1,41 @@
+From a530cb668134335d4e5d6595d5d5a9cb74e16428 Mon Sep 17 00:00:00 2001
+From: xiadanni
+Date: Tue, 19 Jan 2021 15:01:00 +0800
+Subject: [PATCH] containerd: cleanup dangling shim by brand new context
+
+Upstream:https://github.com/containerd/containerd/pull/4048
+
+Signed-off-by: xiadanni
+---
+ runtime/v1/linux/runtime.go | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/runtime/v1/linux/runtime.go b/runtime/v1/linux/runtime.go
+index 0feb587..66f959d 100644
+--- a/runtime/v1/linux/runtime.go
++++ b/runtime/v1/linux/runtime.go
+@@ -66,6 +66,9 @@ const (
+ configFilename = "config.json"
+ defaultRuntime = "runc"
+ defaultShim = "containerd-shim"
++
++ // cleanupTimeout is default timeout for cleanup operations
++ cleanupTimeout = 1 * time.Minute
+ )
+
+ func init() {
+@@ -226,7 +229,10 @@ func (r *Runtime) Create(ctx context.Context, id string, opts runtime.CreateOpts
+ }
+ defer func() {
+ if err != nil {
+- kerr := s.KillShim(ctx)
++ deferCtx, deferCancel := context.WithTimeout(
++ namespaces.WithNamespace(context.TODO(), namespace), cleanupTimeout)
++ defer deferCancel()
++ kerr := s.KillShim(deferCtx)
+ log.G(ctx).WithError(err).Errorf("revert: kill shim error=%v", kerr)
+ }
+ }()
+--
+1.8.3.1
+
diff --git a/patch/0067-containerd-fix-potential-panic-for-task-in-unknown-state.patch b/patch/0067-containerd-fix-potential-panic-for-task-in-unknown-state.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5197dcaeb513614b00ad9cc1a8735729d74d08b5
--- /dev/null
+++ b/patch/0067-containerd-fix-potential-panic-for-task-in-unknown-state.patch
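Review bot: In patch 0066's second hunk (`Create` in runtime/v1/linux/runtime.go), the `Errorf("revert: kill shim error=%v", kerr)` line still runs whenever `err != nil`, so a revert whose `KillShim` succeeded is logged at error level with `error=<nil>`. Wrapping it in `if kerr != nil { ... }` would leave only real kill failures in the log. Since detaching from the caller's context is deliberate here, `context.Background()` states that intent better than `context.TODO()`. The constant's comment would read better as `// cleanupTimeout is the default timeout for cleanup operations.` The deferred function sits inside `Create`, whose body continues outside the hunk.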
@@ -0,0 +1,89 @@
+From 4c9ec5f1eece90929eb3b525c28f3713b7153d7d Mon Sep 17 00:00:00 2001
+From: xiadanni
+Date: Tue, 19 Jan 2021 20:34:45 +0800
+Subject: [PATCH] containerd:fix potential panic for task in unknown state
+
+Upstream:https://github.com/containerd/containerd/pull/3611
+
+Signed-off-by: xiadanni
+---
+ cio/io_unix.go | 22 ++++++++++++----------
+ container.go | 13 +++++++++++--
+ 2 files changed, 23 insertions(+), 12 deletions(-)
+
+diff --git a/cio/io_unix.go b/cio/io_unix.go
+index 3ab2a30..53b6b2d 100644
+--- a/cio/io_unix.go
++++ b/cio/io_unix.go
+@@ -72,17 +72,19 @@ func copyIO(fifos *FIFOSet, ioset *Streams) (*cio, error) {
+ }
+
+ var wg = &sync.WaitGroup{}
+- wg.Add(1)
+- go func() {
+- p := bufPool.Get().(*[]byte)
+- defer bufPool.Put(p)
+-
+- io.CopyBuffer(ioset.Stdout, pipes.Stdout, *p)
+- pipes.Stdout.Close()
+- wg.Done()
+- }()
++ if fifos.Stdout != "" {
++ wg.Add(1)
++ go func() {
++ p := bufPool.Get().(*[]byte)
++ defer bufPool.Put(p)
++
++ io.CopyBuffer(ioset.Stdout, pipes.Stdout, *p)
++ pipes.Stdout.Close()
++ wg.Done()
++ }()
++ }
+
+- if !fifos.Terminal {
++ if !fifos.Terminal && fifos.Stderr != "" {
+ wg.Add(1)
+ go func() {
+ p := bufPool.Get().(*[]byte)
+diff --git a/container.go b/container.go
+index 3c09b2d..63b074a 100644
+--- a/container.go
++++ b/container.go
+@@ -25,6 +25,7 @@ import (
+
+ "github.com/containerd/containerd/api/services/tasks/v1"
+ "github.com/containerd/containerd/api/types"
++ tasktypes "github.com/containerd/containerd/api/types/task"
+ "github.com/containerd/containerd/cio"
+ "github.com/containerd/containerd/containers"
+ "github.com/containerd/containerd/errdefs"
+@@ -32,6 +33,7 @@ import (
+ "github.com/containerd/typeurl"
+ prototypes "github.com/gogo/protobuf/types"
+ "github.com/pkg/errors"
++ "github.com/sirupsen/logrus"
+ )
+
+ // Container is a metadata object for container resources and task creation
+@@ -284,9 +286,16 @@ func (c *container) loadTask(ctx context.Context, ioAttach cio.Attach) (Task, er
+ return nil, err
+ }
+ var i cio.IO
++
+ if ioAttach != nil {
+- if i, err = attachExistingIO(response, ioAttach); err != nil {
+- return nil, err
++ if response.Process.Status == tasktypes.StatusUnknown {
++ logrus.Warnf("container %v loadTask: task get returns process status unknown", c.id)
++ } else {
++ // Do not attach IO for task in unknown state, because there
++ // are no fifo paths anyway.
++ if i, err = attachExistingIO(response, ioAttach); err != nil {
++ return nil, err
++ }
+ }
+ }
+ t := &task{
+--
+1.8.3.1
+
diff --git a/patch/0068-containerd-compile-option-compliance.patch b/patch/0068-containerd-compile-option-compliance.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8f26e10129054a161e71c7fbe2d272cd35ad006d
--- /dev/null
+++ b/patch/0068-containerd-compile-option-compliance.patch
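Review bot: In patch 0067's `loadTask` hunk (container.go), the comment "Do not attach IO for task in unknown state, because there are no fifo paths anyway" sits in the `else` branch, which is the branch that does attach IO. It belongs above the `response.Process.Status == tasktypes.StatusUnknown` check. On the unknown-state path `i` stays nil when `t := &task{` is built just below, so every later use of the task's IO has to tolerate a nil value. That is worth confirming, because the struct literal and the rest of `loadTask` lie outside the hunk. The `copyIO` guards in cio/io_unix.go skip the copy goroutines for empty fifo paths; a short comment there, such as `// empty path: no fifo was opened for this stream`, would explain why.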
@@ -0,0 +1,49 @@
+From 0cda15b8d0241f9c15c0efe12d19877761f7b387 Mon Sep 17 00:00:00 2001
+From: xiadanni
+Date: Thu, 18 Mar 2021 10:29:02 +0800
+Subject: [PATCH] containerd: compile option compliance
+
+Signed-off-by: xiadanni
+---
+ Makefile | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index f69559b..102db9f 100644
+--- a/Makefile
++++ b/Makefile
+@@ -82,7 +82,7 @@ BEP_DIR=/tmp/containerd-build-bep
+ BEP_FLAGS=-tmpdir=/tmp/containerd-build-bep
+
+ GO_LDFLAGS=-ldflags ' -buildid=IdByIsula -extldflags=-zrelro -extldflags=-znow $(BEP_FLAGS) -X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) $(EXTRA_LDFLAGS)'
+-SHIM_GO_LDFLAGS=-ldflags ' -buildid=IdByIsula $(BEP_FLAGS) -X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) -extldflags "-static"'
++SHIM_GO_LDFLAGS=-ldflags '-extldflags=-static' -ldflags '-buildid=IdByIsula $(BEP_FLAGS) -X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) -linkmode=external -extldflags=-Wl,-z,relro,-z,now'
+
+ #Replaces ":" (*nix), ";" (windows) with newline for easy parsing
+ GOPATHS=$(shell echo ${GOPATH} | tr ":" "\n" | tr ";" "\n")
+@@ -171,11 +171,21 @@ FORCE:
+ bin/%: cmd/% FORCE
+ mkdir -p $(BEP_DIR)
+ @echo "$(WHALE) $@${BINARY_SUFFIX}"
++ CGO_ENABLED=1 \
++ CGO_CFLAGS="-fstack-protector-strong -fPIE" \
++ CGO_CPPFLAGS="-fstack-protector-strong -fPIE" \
++ CGO_LDFLAGS_ALLOW='-Wl,-z,relro,-z,now' \
++ CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
+ go build ${GO_GCFLAGS} ${GO_BUILD_FLAGS} -o $@${BINARY_SUFFIX} ${GO_LDFLAGS} ${GO_TAGS} ./$<
+
+ bin/containerd-shim: cmd/containerd-shim FORCE # set !cgo and omit pie for a static shim build: https://github.com/golang/go/issues/17789#issuecomment-258542220
+ @echo "$(WHALE) bin/containerd-shim"
+- go build ${GO_BUILD_FLAGS} -o bin/containerd-shim ${SHIM_GO_LDFLAGS} ${GO_TAGS} ./cmd/containerd-shim
++ CGO_ENABLED=1 \
++ CGO_CFLAGS="-fstack-protector-strong -fPIE" \
++ CGO_CPPFLAGS="-fstack-protector-strong -fPIE" \
++ CGO_LDFLAGS_ALLOW='-Wl,-z,relro,-z,now' \
++ CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
++ go build -buildmode=pie ${GO_BUILD_FLAGS} -o bin/containerd-shim ${SHIM_GO_LDFLAGS} ${GO_TAGS} ./cmd/containerd-shim
+
+ bin/containerd-shim-runc-v1: cmd/containerd-shim-runc-v1 FORCE # set !cgo and omit pie for a static shim build: https://github.com/golang/go/issues/17789#issuecomment-258542220
+ @echo "$(WHALE) bin/containerd-shim-runc-v1"
+--
+1.8.3.1
+
diff --git a/series.conf b/series.conf
index 904059678bc8035fe8dda44d34258c2095c40a9d..361555e75d9dcc47b3d6b707f8b50e70282707b0 100644
--- a/series.conf
+++ b/series.conf
@@ -68,4 +68,9 @@ patch/0062-containerd-use-path-based-socket-for-shims.patch
 patch/0063-containerd-kill-init-directly-if-runtime-kill-failed.patch
 patch/0064-containerd-add-sys-symbol-to-support-riscv.patch
 patch/0065-containerd-add-blot-symbol-to-support-riscv.patch
+patch/0064-containerd-check-task-list-to-avoid-unnecessary-clea.patch
+patch/0065-containerd-fix-dead-loop.patch
+patch/0066-containerd-cleanup-dangling-shim-by-brand-new-context.patch
+patch/0067-containerd-fix-potential-panic-for-task-in-unknown-state.patch
+patch/0068-containerd-compile-option-compliance.patch
 # end
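Review bot: In patch 0068's Makefile change, the new `SHIM_GO_LDFLAGS` passes `-ldflags` twice, and `go build` documents that when repeated flags match the same package the last one wins, so `-ldflags '-extldflags=-static'` is most likely discarded and the shim is linked with the second set only. The shim rule also now sets `CGO_ENABLED=1` and `-buildmode=pie`, while its trailing comment still says "set !cgo and omit pie for a static shim build". If a dynamically linked PIE shim is intended, drop the dead first `-ldflags` and update the comment. If a static shim is still required, fold everything into a single `-ldflags '...'` with one `-extldflags` value and confirm the hardening properties on the built binary (for example with `readelf -d`). The unchanged `GO_LDFLAGS` line has the same shape with `-extldflags=-zrelro -extldflags=-znow`, where probably only the last value reaches the linker.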