From 48bb6ce405f0686013d13d77abbdcff96af4308c Mon Sep 17 00:00:00 2001
From: weiyuan
Date: Fri, 12 Apr 2024 14:08:42 +0800
Subject: [PATCH] Disable systemd-mode cgroup detection conditionally

---
 ...-mode-cgroup-detection-conditionally.patch | 116 ++++++++++++++++++
 cri-o.spec | 10 +-
 2 files changed, 125 insertions(+), 1 deletion(-)
 create mode 100644 0010-Disable-systemd-mode-cgroup-detection-conditionally.patch

diff --git a/0010-Disable-systemd-mode-cgroup-detection-conditionally.patch b/0010-Disable-systemd-mode-cgroup-detection-conditionally.patch
new file mode 100644
index 0000000..eeff3c2
--- /dev/null
+++ b/0010-Disable-systemd-mode-cgroup-detection-conditionally.patch
@@ -0,0 +1,116 @@
+From fe676e8c04fc2f211ce13fa2022ae39331353f8b Mon Sep 17 00:00:00 2001
+From: weiyuan
+Date: Fri, 12 Apr 2024 12:29:36 +0800
+Subject: [PATCH] Disable systemd-mode cgroup detection conditionally
+
+---
+ server/container_create_linux.go | 52 ++++++++++++++++++++++++--------
+ 1 file changed, 40 insertions(+), 12 deletions(-)
+
+diff --git a/server/container_create_linux.go b/server/container_create_linux.go
+index e7ac9b9..8ae6a5f 100644
+--- a/server/container_create_linux.go
++++ b/server/container_create_linux.go
+@@ -37,6 +37,11 @@ import (
+ "github.com/intel/goresctrl/pkg/blockio"
+ )
+
++const (
++ cgroupSysFsPath = "/sys/fs/cgroup"
++ cgroupSysFsSystemdPath = "/sys/fs/cgroup/systemd"
++)
++
+ // createContainerPlatform performs platform dependent intermediate steps before calling the container's oci.Runtime().CreateContainer()
+ func (s *Server) createContainerPlatform(ctx context.Context, container *oci.Container, cgroupParent string, idMappings *idtools.IDMappings) error {
+ if idMappings != nil && !container.Spoofed() {
+@@ -514,7 +519,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, ctr ctrIface.Contai
+ Options: []string{"nosuid", "noexec", "nodev", "ro"},
+ })
+ ctr.SpecAddMount(rspec.Mount{
+- Destination: "/sys/fs/cgroup",
++ Destination: cgroupSysFsPath,
+ Type: "cgroup",
+ Source: "cgroup",
+ Options: []string{"nosuid", "noexec", "nodev", "relatime", "ro"},
+@@ -530,7 +535,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, ctr ctrIface.Contai
+ Options: []string{"nosuid", "noexec", "nodev", "rw", "rslave"},
+ })
+ ctr.SpecAddMount(rspec.Mount{
+- Destination: "/sys/fs/cgroup",
++ Destination: cgroupSysFsPath,
+ Type: "cgroup",
+ Source: "cgroup",
+ Options: []string{"nosuid", "noexec", "nodev", "rw", "relatime", "rslave"},
+@@ -1015,7 +1020,7 @@ func addOCIBindMounts(ctx context.Context, ctr ctrIface.Container, mountLabel, b
+
+ if _, mountSys := mountSet["/sys"]; !mountSys {
+ m := rspec.Mount{
+- Destination: "/sys/fs/cgroup",
++ Destination: cgroupSysFsPath,
+ Type: "cgroup",
+ Source: "cgroup",
+ Options: []string{"nosuid", "noexec", "nodev", "relatime"},
+@@ -1072,28 +1077,51 @@ func setupSystemd(mounts []rspec.Mount, g generate.Generator) {
+ }
+
+ if node.CgroupIsV2() {
+- g.RemoveMount("/sys/fs/cgroup")
++ g.RemoveMount(cgroupSysFsPath)
+
+ systemdMnt := rspec.Mount{
+- Destination: "/sys/fs/cgroup",
++ Destination: cgroupSysFsPath,
+ Type: "cgroup",
+ Source: "cgroup",
+ Options: []string{"private", "rw"},
+ }
+ g.AddMount(systemdMnt)
+ } else {
+- systemdMnt := rspec.Mount{
+- Destination: "/sys/fs/cgroup/systemd",
+- Type: "bind",
+- Source: "/sys/fs/cgroup/systemd",
+- Options: []string{"bind", "nodev", "noexec", "nosuid"},
++ // If the /sys/fs/cgroup is bind mounted from the host,
++ // then systemd-mode cgroup should be disabled
++ // https://bugzilla.redhat.com/show_bug.cgi?id=2064741
++ if NoCgroupMount(g.Mounts()) {
++ systemdMnt := rspec.Mount{
++ Destination: cgroupSysFsSystemdPath,
++ Type: "bind",
++ Source: cgroupSysFsSystemdPath,
++ Options: []string{"bind", "nodev", "noexec", "nosuid"},
++ }
++ g.AddMount(systemdMnt)
+ }
+- g.AddMount(systemdMnt)
+- g.AddLinuxMaskedPaths("/sys/fs/cgroup/systemd/release_agent")
++ g.AddLinuxMaskedPaths(filepath.Join(cgroupSysFsSystemdPath, "release_agent"))
+ }
+ g.AddProcessEnv("container", "crio")
+ }
+
++func NoCgroupMount(mounts []rspec.Mount) bool {
++ for _, m := range mounts {
++ if (m.Destination == cgroupSysFsPath || m.Destination == "/sys/fs" || m.Destination == "/sys") && isBindMount(m.Options) {
++ return false
++ }
++ }
++ return true
++}
++
++func isBindMount(mountOptions []string) bool {
++ for _, option := range mountOptions {
++ if option == "bind" || option == "rbind" {
++ return true
++ }
++ }
++ return false
++}
++
+ func newLinuxContainerSecurityContext() *types.LinuxContainerSecurityContext {
+ return &types.LinuxContainerSecurityContext{
+ Capabilities: &types.Capability{},
+--
+2.21.0
+
diff --git a/cri-o.spec b/cri-o.spec
index e7ab928..702dcfb 100644
--- a/cri-o.spec
+++ b/cri-o.spec
@@ -21,7 +21,7 @@ Name: cri-o
 Version: 1.23.2
 Epoch: 0
-Release: 11
+Release: 12
 Summary: Open Container Initiative-based implementation of Kubernetes Container Runtime Interface
 License: ASL 2.0
 URL: https://github.com/cri-o/cri-o
@@ -37,6 +37,7 @@ Patch0006: 0006-fix-CVE-2022-41723.patch
 Patch0007: 0007-fix-CVE-2024-24786.patch
 Patch0008: 0008-fix-CVE-2023-48795.patch
 Patch0009: 0009-fix-CVE-2024-28180.patch
+Patch0010: 0010-Disable-systemd-mode-cgroup-detection-conditionally.patch
 ExclusiveArch: %{?go_arches:%{go_arches}}%{!?go_arches:%{ix86} x86_64 aarch64 %{arm}}
 BuildRequires: golang >= 1.17, git-core, glib2-devel, glibc-static, openEuler-rpm-config
@@ -167,6 +168,13 @@ install -dp %{buildroot}%{_sharedstatedir}/containers
 %{_datadir}/zsh/site-functions/_%{service_name}*
 %changelog
+* Fri Apr 12 2024 weiyuan - 0:1.23.2-12
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC: add patch 0010-Disable-systemd-mode-cgroup-detection-conditionally.patch
+ Disable systemd-mode cgroup detection conditionally
+
 * Tue Apr 2 2024 zhangbowei - 0:1.23.2-11
 - Type:bugfix
 - CVE:NA
--
Gitee
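Review bot: The new exported `NoCgroupMount` in the setupSystemd hunk has no doc comment, and both its name and the comment above its call site promise more than the code checks: it returns false for any bind mount whose Destination is exactly `/sys`, `/sys/fs` or `/sys/fs/cgroup`, regardless of where the Source points, while a destination written with a trailing slash or a user mount placed directly at `/sys/fs/cgroup/systemd` is not matched, so the systemd subtree bind mount appears to be added alongside it. A doc comment such as `// NoCgroupMount reports whether none of /sys, /sys/fs or /sys/fs/cgroup is bind-mounted into the container; when one is, the caller must not add the host's systemd cgroup subtree (rhbz#2064741).` would make the contract explicit, and comparing `filepath.Clean(m.Destination)` and including `cgroupSysFsSystemdPath` in the compared set would close the two gaps. Since the function is only called from this file, an unexported, positively-named helper such as `hasSysBindMount` would read more naturally than a negated exported name. Masking `release_agent` is still applied in both branches, which is the right default for a v1 systemd tree; the `filepath.Join` call assumes `path/filepath` is already imported by this file, which the hunk does not show.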