From 349a80d77ff3f1951a6647abefe192ef718e38da Mon Sep 17 00:00:00 2001 From: xiadanni Date: Thu, 18 Mar 2021 10:15:32 +0800 Subject: [PATCH 1/2] sync patches 1. check task list to avoid unnecessary cleanup. 2. fix dead loop 3. cleanup dangling shim by brand new context 4. fix potential panic for task in unknown state Signed-off-by: xiadanni --- containerd.spec | 12 ++- gen-commit.sh | 0 git-commit | 2 +- ...-task-list-to-avoid-unnecessary-clea.patch | 30 +++++++ patch/0065-containerd-fix-dead-loop.patch | 37 ++++++++ ...p-dangling-shim-by-brand-new-context.patch | 41 +++++++++ ...tial-panic-for-task-in-unknown-state.patch | 89 +++++++++++++++++++ series.conf | 4 + 8 files changed, 213 insertions(+), 2 deletions(-) mode change 100644 => 100755 gen-commit.sh create mode 100644 patch/0064-containerd-check-task-list-to-avoid-unnecessary-clea.patch create mode 100644 patch/0065-containerd-fix-dead-loop.patch create mode 100644 patch/0066-containerd-cleanup-dangling-shim-by-brand-new-context.patch create mode 100644 patch/0067-containerd-fix-potential-panic-for-task-in-unknown-state.patch diff --git a/containerd.spec b/containerd.spec index d6b034f..64cd3dd 100644 --- a/containerd.spec +++ b/containerd.spec @@ -2,7 +2,7 @@ %global debug_package %{nil} Version: 1.2.0 Name: containerd -Release: 106 +Release: 107 Summary: An industry-standard container runtime License: ASL 2.0 URL: https://containerd.io @@ -50,6 +50,16 @@ install -p -m 755 bin/containerd-shim $RPM_BUILD_ROOT/%{_bindir}/containerd-shim %{_bindir}/containerd-shim %changelog +* Thu Mar 18 2021 xiadanni - 1.2.0-107 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:sync bugfix, include + 1. check task list to avoid unnecessary cleanup. + 2. fix dead loop + 3. cleanup dangling shim by brand new context + 4. fix potential panic for task in unknown state + * Fri Dec 11 2020 yangyanchao 1.2.0-106 - Type:requirement - ID:NA diff --git a/gen-commit.sh b/gen-commit.sh old mode 100644 new mode 100755 
diff --git a/git-commit b/git-commit
index 1d72c51..649a06e 100644
--- a/git-commit
+++ b/git-commit
@@ -1 +1 @@
-3b91554d97fcb60c607896100a1ae8abb339d715
+04eb93cb4ae835a46fbd7df3dbd29f78d2a082c8
diff --git a/patch/0064-containerd-check-task-list-to-avoid-unnecessary-clea.patch b/patch/0064-containerd-check-task-list-to-avoid-unnecessary-clea.patch
new file mode 100644
index 0000000..caea572
--- /dev/null
+++ b/patch/0064-containerd-check-task-list-to-avoid-unnecessary-clea.patch
@@ -0,0 +1,30 @@
+From 53111d2f094b738a4b3a35bcec85f78324ca8509 Mon Sep 17 00:00:00 2001
+From: xiadanni1
+Date: Tue, 24 Nov 2020 11:00:32 +0800
+Subject: [PATCH] containerd: check task list to avoid unnecessary cleanup
+
+Signed-off-by: Lantao Liu
+Signed-off-by: xiadanni1
+---
+ runtime/v1/linux/runtime.go | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/runtime/v1/linux/runtime.go b/runtime/v1/linux/runtime.go
+index 5be785d..0feb587 100644
+--- a/runtime/v1/linux/runtime.go
++++ b/runtime/v1/linux/runtime.go
+@@ -374,6 +374,11 @@ func (r *Runtime) loadTasks(ctx context.Context, ns string) ([]*Task, error) {
+ shimExit := make(chan struct{})
+ s, err := bundle.NewShimClient(ctx, ns, ShimConnect(r.config, func() {
+ close(shimExit)
++ if _, err := r.tasks.Get(ctx, id); err != nil {
++ // Task was never started or was already successfully deleted
++ return
++ }
++
+ err := r.cleanupAfterDeadShim(ctx, bundle, ns, id, pid)
+ if err != nil {
+ log.G(ctx).WithError(err).WithField("bundle", bundle.path).
+--
+1.8.3.1
+
diff --git a/patch/0065-containerd-fix-dead-loop.patch b/patch/0065-containerd-fix-dead-loop.patch
new file mode 100644
index 0000000..e7311d2
--- /dev/null
+++ b/patch/0065-containerd-fix-dead-loop.patch
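Review bot: The guard added to the shim-exit callback in patch 0064 returns on any error from `r.tasks.Get(ctx, id)`, while its comment names only two cases (task never started, task already deleted). If the lookup can fail for another reason, for example a context that lacks the expected namespace, `cleanupAfterDeadShim` is skipped silently and the dead shim's bundle is left behind with no log line to explain it. I would compare the error against the task list's not-found result and log anything else before returning, e.g. `log.G(ctx).WithError(err).WithField("id", id).Debug("skipping dead-shim cleanup: task not in list")`. The callback and `loadTasks` both continue outside the hunk, so whether the task is already registered at the point a shim can die during load could not be checked from here.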
@@ -0,0 +1,37 @@
+From b315a85a6695dfbe67767f21713c3ccfc7cae73e Mon Sep 17 00:00:00 2001
+From: jingrui
+Date: Mon, 1 Feb 2021 09:48:07 +0800
+Subject: [PATCH] containerd: fix dead loop
+
+Change-Id: I6b2ce4456ca8fe197683692721d150f4e5d7e3fe
+Signed-off-by: jingrui
+---
+ runtime/v1/shim/client/client.go | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/runtime/v1/shim/client/client.go b/runtime/v1/shim/client/client.go
+index 06453b35a..9e63af4ea 100644
+--- a/runtime/v1/shim/client/client.go
++++ b/runtime/v1/shim/client/client.go
+@@ -393,15 +393,15 @@ func (c *Client) signalShim(ctx context.Context, sig syscall.Signal) error {
+
+ func (c *Client) waitForExit(pid int) <-chan struct{} {
+ c.exitOnce.Do(func() {
+- for {
++ for i := 0; i < 1000; i++ {
+ // use kill(pid, 0) here because the shim could have been reparented
+ // and we are no longer able to waitpid(pid, ...) on the shim
+ if err := unix.Kill(pid, 0); err == unix.ESRCH {
+- close(c.exitCh)
+- return
++ break
+ }
+ time.Sleep(10 * time.Millisecond)
+ }
++ close(c.exitCh)
+ })
+ return c.exitCh
+ }
+--
+2.17.1
+
diff --git a/patch/0066-containerd-cleanup-dangling-shim-by-brand-new-context.patch b/patch/0066-containerd-cleanup-dangling-shim-by-brand-new-context.patch
new file mode 100644
index 0000000..ecfe407
--- /dev/null
+++ b/patch/0066-containerd-cleanup-dangling-shim-by-brand-new-context.patch
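Review bot: After patch 0065, `waitForExit` closes `c.exitCh` when the loop runs out, whether or not `unix.Kill(pid, 0)` ever returned `ESRCH`, so a reader of the channel can no longer tell "shim exited" from "gave up after roughly ten seconds". Any caller that starts cleanup on that signal may then act while the shim process is still alive; those callers are outside the hunk and need to be checked. The timeout path is also silent and the bound `1000` is an unnamed literal next to `10 * time.Millisecond`. I would name the bound (for example `const shimExitPolls = 1000`), record in a local flag whether `ESRCH` was seen, and emit a warning with the pid before `close(c.exitCh)` when it was not.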
@@ -0,0 +1,41 @@
+From a530cb668134335d4e5d6595d5d5a9cb74e16428 Mon Sep 17 00:00:00 2001
+From: xiadanni
+Date: Tue, 19 Jan 2021 15:01:00 +0800
+Subject: [PATCH] containerd: cleanup dangling shim by brand new context
+
+Upstream:https://github.com/containerd/containerd/pull/4048
+
+Signed-off-by: xiadanni
+---
+ runtime/v1/linux/runtime.go | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/runtime/v1/linux/runtime.go b/runtime/v1/linux/runtime.go
+index 0feb587..66f959d 100644
+--- a/runtime/v1/linux/runtime.go
++++ b/runtime/v1/linux/runtime.go
+@@ -66,6 +66,9 @@ const (
+ configFilename = "config.json"
+ defaultRuntime = "runc"
+ defaultShim = "containerd-shim"
++
++ // cleanupTimeout is default timeout for cleanup operations
++ cleanupTimeout = 1 * time.Minute
+ )
+
+ func init() {
+@@ -226,7 +229,10 @@ func (r *Runtime) Create(ctx context.Context, id string, opts runtime.CreateOpts
+ }
+ defer func() {
+ if err != nil {
+- kerr := s.KillShim(ctx)
++ deferCtx, deferCancel := context.WithTimeout(
++ namespaces.WithNamespace(context.TODO(), namespace), cleanupTimeout)
++ defer deferCancel()
++ kerr := s.KillShim(deferCtx)
+ log.G(ctx).WithError(err).Errorf("revert: kill shim error=%v", kerr)
+ }
+ }()
+--
+1.8.3.1
+
diff --git a/patch/0067-containerd-fix-potential-panic-for-task-in-unknown-state.patch b/patch/0067-containerd-fix-potential-panic-for-task-in-unknown-state.patch
new file mode 100644
index 0000000..5197dca
--- /dev/null
+++ b/patch/0067-containerd-fix-potential-panic-for-task-in-unknown-state.patch
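Review bot: The detached context in the deferred revert path of `Create` (patch 0066) is built from `context.TODO()`, which by convention marks a context still to be decided; the detachment here is deliberate, so `context.Background()` with a one-line comment would state the intent, e.g. `// ctx may already be cancelled or expired; kill the shim under a fresh, bounded context`. The `namespace` value used in `namespaces.WithNamespace` is defined outside the hunk. The unchanged log line below still prints `revert: kill shim error=<nil>` at error level when the kill succeeds, so a failed cleanup and a clean one look the same to anyone reading the log; wrapping it in `if kerr != nil { ... }` would make a dangling shim stand out.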
@@ -0,0 +1,89 @@ +From 4c9ec5f1eece90929eb3b525c28f3713b7153d7d Mon Sep 17 00:00:00 2001 +From: xiadanni +Date: Tue, 19 Jan 2021 20:34:45 +0800 +Subject: [PATCH] containerd:fix potential panic for task in unknown state + +Upstream:https://github.com/containerd/containerd/pull/3611 + +Signed-off-by: xiadanni +--- + cio/io_unix.go | 22 ++++++++++++---------- + container.go | 13 +++++++++++-- + 2 files changed, 23 insertions(+), 12 deletions(-) + +diff --git a/cio/io_unix.go b/cio/io_unix.go +index 3ab2a30..53b6b2d 100644 +--- a/cio/io_unix.go ++++ b/cio/io_unix.go +@@ -72,17 +72,19 @@ func copyIO(fifos *FIFOSet, ioset *Streams) (*cio, error) { + } + + var wg = &sync.WaitGroup{} +- wg.Add(1) +- go func() { +- p := bufPool.Get().(*[]byte) +- defer bufPool.Put(p) +- +- io.CopyBuffer(ioset.Stdout, pipes.Stdout, *p) +- pipes.Stdout.Close() +- wg.Done() +- }() ++ if fifos.Stdout != "" { ++ wg.Add(1) ++ go func() { ++ p := bufPool.Get().(*[]byte) ++ defer bufPool.Put(p) ++ ++ io.CopyBuffer(ioset.Stdout, pipes.Stdout, *p) ++ pipes.Stdout.Close() ++ wg.Done() ++ }() ++ } + +- if !fifos.Terminal { ++ if !fifos.Terminal && fifos.Stderr != "" { + wg.Add(1) + go func() { + p := bufPool.Get().(*[]byte) +diff --git a/container.go b/container.go +index 3c09b2d..63b074a 100644 +--- a/container.go ++++ b/container.go +@@ -25,6 +25,7 @@ import ( + + "github.com/containerd/containerd/api/services/tasks/v1" + "github.com/containerd/containerd/api/types" ++ tasktypes "github.com/containerd/containerd/api/types/task" + "github.com/containerd/containerd/cio" + "github.com/containerd/containerd/containers" + "github.com/containerd/containerd/errdefs" +@@ -32,6 +33,7 @@ import ( + "github.com/containerd/typeurl" + prototypes "github.com/gogo/protobuf/types" + "github.com/pkg/errors" ++ "github.com/sirupsen/logrus" + ) + + // Container is a metadata object for container resources and task creation +@@ -284,9 +286,16 @@ func (c *container) loadTask(ctx context.Context, ioAttach cio.Attach) 
(Task, er + return nil, err + } + var i cio.IO ++ + if ioAttach != nil { +- if i, err = attachExistingIO(response, ioAttach); err != nil { +- return nil, err ++ if response.Process.Status == tasktypes.StatusUnknown { ++ logrus.Warnf("container %v loadTask: task get returns process status unknown", c.id) ++ } else { ++ // Do not attach IO for task in unknown state, because there ++ // are no fifo paths anyway. ++ if i, err = attachExistingIO(response, ioAttach); err != nil { ++ return nil, err ++ } + } + } + t := &task{ +-- +1.8.3.1 + diff --git a/series.conf b/series.conf index 9040596..c46e4a9 100644 --- a/series.conf +++ b/series.conf @@ -68,4 +68,8 @@ patch/0062-containerd-use-path-based-socket-for-shims.patch patch/0063-containerd-kill-init-directly-if-runtime-kill-failed.patch patch/0064-containerd-add-sys-symbol-to-support-riscv.patch patch/0065-containerd-add-blot-symbol-to-support-riscv.patch +patch/0064-containerd-check-task-list-to-avoid-unnecessary-clea.patch +patch/0065-containerd-fix-dead-loop.patch +patch/0066-containerd-cleanup-dangling-shim-by-brand-new-context.patch +patch/0067-containerd-fix-potential-panic-for-task-in-unknown-state.patch # end -- Gitee From 9c4ff3a46fc6f3c5353a48d2cd1017f48b6e2dad Mon Sep 17 00:00:00 2001 From: xiadanni Date: Thu, 18 Mar 2021 10:37:38 +0800 Subject: [PATCH 2/2] containerd: compile option compliance Signed-off-by: xiadanni --- containerd.spec | 9 +++- git-commit | 2 +- ...containerd-compile-option-compliance.patch | 49 +++++++++++++++++++ series.conf | 1 + 4 files changed, 59 insertions(+), 2 deletions(-) create mode 100644 patch/0068-containerd-compile-option-compliance.patch diff --git a/containerd.spec b/containerd.spec index 64cd3dd..42b4f31 100644 --- a/containerd.spec +++ b/containerd.spec @@ -2,7 +2,7 @@ %global debug_package %{nil} Version: 1.2.0 Name: containerd -Release: 107 +Release: 108 Summary: An industry-standard container runtime License: ASL 2.0 URL: https://containerd.io 
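Review bot: In the `loadTask` change of patch 0067 the comment "Do not attach IO for task in unknown state, because there are no fifo paths anyway" sits in the `else` branch, which is the branch that does attach IO; it belongs above the `tasktypes.StatusUnknown` check or inside the `if` branch. The new condition dereferences `response.Process` without a nil check, and whether the Get response can carry a nil `Process` is not visible in the hunk, so this is worth confirming given that the patch is about avoiding a panic. In `copyIO` the new `fifos.Stdout != ""` and `fifos.Stderr != ""` guards have no comment saying when a FIFO path is empty; a line such as `// a task in unknown state has no fifo paths, so there is no pipe to copy from` would tie the two files together. Both functions continue outside the hunk.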
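Review bot: The four entries added to series.conf in the first commit reuse sequence numbers that are already taken: `patch/0064-containerd-add-sys-symbol-to-support-riscv.patch` and `patch/0065-containerd-add-blot-symbol-to-support-riscv.patch` sit directly above the new `0064` and `0065` entries. The patches presumably still apply in file order, but duplicate prefixes make it easy to audit, revert or backport the wrong patch when someone refers to "patch 0064". Renumbering the new files so they continue after the riscv patches would keep the series unambiguous.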
@@ -39,6 +39,7 @@ cd $GO_BUILD_PATH/src/%{goipath} export GOPATH=$GO_BUILD_PATH:%{gopath} export BUILDTAGS="no_btrfs no_cri" make +strip ./bin/containerd ./bin/containerd-shim %install install -d $RPM_BUILD_ROOT/%{_bindir} @@ -50,6 +51,12 @@ install -p -m 755 bin/containerd-shim $RPM_BUILD_ROOT/%{_bindir}/containerd-shim %{_bindir}/containerd-shim %changelog +* Thu Mar 18 2021 xiadanni - 1.2.0-108 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:compile option compliance + * Thu Mar 18 2021 xiadanni - 1.2.0-107 - Type:bugfix - ID:NA diff --git a/git-commit b/git-commit index 649a06e..f263050 100644 --- a/git-commit +++ b/git-commit @@ -1 +1 @@ -04eb93cb4ae835a46fbd7df3dbd29f78d2a082c8 +aec25f8e033c265f30268f7170d83095404adcef diff --git a/patch/0068-containerd-compile-option-compliance.patch b/patch/0068-containerd-compile-option-compliance.patch new file mode 100644 index 0000000..8f26e10 --- /dev/null +++ b/patch/0068-containerd-compile-option-compliance.patch 
@@ -0,0 +1,49 @@ +From 0cda15b8d0241f9c15c0efe12d19877761f7b387 Mon Sep 17 00:00:00 2001 +From: xiadanni +Date: Thu, 18 Mar 2021 10:29:02 +0800 +Subject: [PATCH] containerd: compile option compliance + +Signed-off-by: xiadanni +--- + Makefile | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/Makefile b/Makefile +index f69559b..102db9f 100644 +--- a/Makefile ++++ b/Makefile +@@ -82,7 +82,7 @@ BEP_DIR=/tmp/containerd-build-bep + BEP_FLAGS=-tmpdir=/tmp/containerd-build-bep + + GO_LDFLAGS=-ldflags ' -buildid=IdByIsula -extldflags=-zrelro -extldflags=-znow $(BEP_FLAGS) -X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) $(EXTRA_LDFLAGS)' +-SHIM_GO_LDFLAGS=-ldflags ' -buildid=IdByIsula $(BEP_FLAGS) -X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) -extldflags "-static"' ++SHIM_GO_LDFLAGS=-ldflags '-extldflags=-static' -ldflags '-buildid=IdByIsula $(BEP_FLAGS) -X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) -linkmode=external -extldflags=-Wl,-z,relro,-z,now' + + #Replaces ":" (*nix), ";" (windows) with newline for easy parsing + GOPATHS=$(shell echo ${GOPATH} | tr ":" "\n" | tr ";" "\n") +@@ -171,11 +171,21 @@ FORCE: + bin/%: cmd/% FORCE + mkdir -p $(BEP_DIR) + @echo "$(WHALE) $@${BINARY_SUFFIX}" ++ CGO_ENABLED=1 \ ++ CGO_CFLAGS="-fstack-protector-strong -fPIE" \ ++ CGO_CPPFLAGS="-fstack-protector-strong -fPIE" \ ++ CGO_LDFLAGS_ALLOW='-Wl,-z,relro,-z,now' \ ++ CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \ + go build ${GO_GCFLAGS} ${GO_BUILD_FLAGS} -o $@${BINARY_SUFFIX} ${GO_LDFLAGS} ${GO_TAGS} ./$< + + bin/containerd-shim: cmd/containerd-shim FORCE # set !cgo and omit pie for a static shim build: https://github.com/golang/go/issues/17789#issuecomment-258542220 + @echo "$(WHALE) bin/containerd-shim" +- go build ${GO_BUILD_FLAGS} -o bin/containerd-shim ${SHIM_GO_LDFLAGS} ${GO_TAGS} ./cmd/containerd-shim ++ CGO_ENABLED=1 \ ++ 
CGO_CFLAGS="-fstack-protector-strong -fPIE" \ ++ CGO_CPPFLAGS="-fstack-protector-strong -fPIE" \ ++ CGO_LDFLAGS_ALLOW='-Wl,-z,relro,-z,now' \ ++ CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \ ++ go build -buildmode=pie ${GO_BUILD_FLAGS} -o bin/containerd-shim ${SHIM_GO_LDFLAGS} ${GO_TAGS} ./cmd/containerd-shim + + bin/containerd-shim-runc-v1: cmd/containerd-shim-runc-v1 FORCE # set !cgo and omit pie for a static shim build: https://github.com/golang/go/issues/17789#issuecomment-258542220 + @echo "$(WHALE) bin/containerd-shim-runc-v1" +-- +1.8.3.1 + diff --git a/series.conf b/series.conf index c46e4a9..361555e 100644 --- a/series.conf +++ b/series.conf @@ -72,4 +72,5 @@ patch/0064-containerd-check-task-list-to-avoid-unnecessary-clea.patch patch/0065-containerd-fix-dead-loop.patch patch/0066-containerd-cleanup-dangling-shim-by-brand-new-context.patch patch/0067-containerd-fix-potential-panic-for-task-in-unknown-state.patch +patch/0068-containerd-compile-option-compliance.patch # end -- Gitee
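Review bot: `SHIM_GO_LDFLAGS` in patch 0068 now passes `-ldflags` twice, and `go help build` documents that when several `-ldflags` settings match a package the last one on the command line wins, so `-ldflags '-extldflags=-static'` is most likely discarded and the shim is linked with only `-extldflags=-Wl,-z,relro,-z,now`. If a static, hardened shim is intended, both settings belong in one `-extldflags` value inside a single `-ldflags '…'`, for example `-linkmode=external -extldflags "-static -Wl,-z,relro,-z,now"`, and the combination with `-buildmode=pie` should be confirmed to link on the target toolchain. The comment on the `bin/containerd-shim` rule still says "set !cgo and omit pie for a static shim build" while the recipe now sets `CGO_ENABLED=1` and `-buildmode=pie`, so it should be rewritten to describe the new intent. The generic `bin/%` rule receives the CGO hardening variables but no `-buildmode=pie`, which may be an oversight. Inspecting the built binaries with `readelf -l` and `readelf -d` for the PIE type, `GNU_RELRO` and `BIND_NOW` would show what these flags actually produce.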